Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 987c285c authored by Arik Nemtsov's avatar Arik Nemtsov Committed by Johannes Berg
Browse files

mac80211: sync acccess to tx_filtered/ps_tx_buf queues 



These are accessed without a lock when ending STA PSM. If the
sta_cleanup timer accesses these lists at the same time, we might crash.

This may fix some mysterious crashes we had during
ieee80211_sta_ps_deliver_wakeup.

Cc: stable@vger.kernel.org
Signed-off-by: default avatarArik Nemtsov <arik@wizery.com>
Signed-off-by: default avatarIdo Yariv <ido@wizery.com>
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent bca1e29f

net/mac80211/sta_info.c

+5 −0
Original line number Diff line number Diff line
@@ -961,6 +961,7 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta) 
	struct ieee80211_local *local = sdata->local;

	struct sk_buff_head pending;

	int filtered = 0, buffered = 0, ac;

	unsigned long flags;



	clear_sta_flag(sta, WLAN_STA_SP);
@@ -976,12 +977,16 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta) 
	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {

		int count = skb_queue_len(&pending), tmp;



		spin_lock_irqsave(&sta->tx_filtered[ac].lock, flags);

		skb_queue_splice_tail_init(&sta->tx_filtered[ac], &pending);

		spin_unlock_irqrestore(&sta->tx_filtered[ac].lock, flags);

		tmp = skb_queue_len(&pending);

		filtered += tmp - count;

		count = tmp;



		spin_lock_irqsave(&sta->ps_tx_buf[ac].lock, flags);

		skb_queue_splice_tail_init(&sta->ps_tx_buf[ac], &pending);

		spin_unlock_irqrestore(&sta->ps_tx_buf[ac].lock, flags);

		tmp = skb_queue_len(&pending);

		buffered += tmp - count;

	}