Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e6a5ddf2 authored by Johannes Berg's avatar Johannes Berg Committed by John W. Linville
Browse files

mac80211: safely free beacon in ieee80211_if_reinit 



If ieee80211_if_reinit() is called from ieee80211_unregister_hw()
then it is possible that the driver will still request a beacon
(it is allowed to until ieee80211_unregister_hw() has returned.)
This means we need to use an RCU-protected write to the beacon
information even in this function.

Signed-off-by: default avatarJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 2485f710

net/mac80211/ieee80211_iface.c

+5 −1
Original line number Diff line number Diff line
@@ -193,6 +193,7 @@ void ieee80211_if_reinit(struct net_device *dev) 
		/* Remove all virtual interfaces that use this BSS

		 * as their sdata->bss */

		struct ieee80211_sub_if_data *tsdata, *n;

		struct beacon_data *beacon;



		list_for_each_entry_safe(tsdata, n, &local->interfaces, list) {

			if (tsdata != sdata && tsdata->bss == &sdata->u.ap) {
@@ -210,7 +211,10 @@ void ieee80211_if_reinit(struct net_device *dev) 
			}

		}



		kfree(sdata->u.ap.beacon);

		beacon = sdata->u.ap.beacon;

		rcu_assign_pointer(sdata->u.ap.beacon, NULL);

		synchronize_rcu();

		kfree(beacon);



		while ((skb = skb_dequeue(&sdata->u.ap.ps_bc_buf))) {

			local->total_ps_buffered--;