Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4f3eb0ba authored by Helmut Schaa's avatar Helmut Schaa Committed by John W. Linville
Browse files

mac80211: Move num_sta_ps counter decrement after synchronize_rcu 



Unted the assumption that the sta struct is still accessible before the
synchronize_rcu call we should move the num_sta_ps counter decrement
after synchronize_rcu to avoid incorrect decrements if num_sta_ps.

Signed-off-by: default avatarHelmut Schaa <helmut.schaa@googlemail.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 19468413

net/mac80211/sta_info.c

+9 −9
Original line number Diff line number Diff line
@@ -750,15 +750,6 @@ int __must_check __sta_info_destroy(struct sta_info *sta) 


	sta->dead = true;



	if (test_sta_flag(sta, WLAN_STA_PS_STA)) {

		BUG_ON(!sdata->bss);



		clear_sta_flag(sta, WLAN_STA_PS_STA);



		atomic_dec(&sdata->bss->num_sta_ps);

		sta_info_recalc_tim(sta);

	}



	local->num_sta--;

	local->sta_generation++;
@@ -790,6 +781,15 @@ int __must_check __sta_info_destroy(struct sta_info *sta) 
	 */

	synchronize_rcu();



	if (test_sta_flag(sta, WLAN_STA_PS_STA)) {

		BUG_ON(!sdata->bss);



		clear_sta_flag(sta, WLAN_STA_PS_STA);



		atomic_dec(&sdata->bss->num_sta_ps);

		sta_info_recalc_tim(sta);

	}



	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {

		local->total_ps_buffered -= skb_queue_len(&sta->ps_tx_buf[ac]);

		__skb_queue_purge(&sta->ps_tx_buf[ac]);