Commit e562078a authored by Ben Greear, committed by Johannes Berg

mac80211: Ensure tid_start_tx is protected by sta->lock



All accesses of the tid_start_tx lock should be protected
by sta->lock if there is any chance that another thread
could still be accessing the sta object.

Signed-off-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
parent 661eb381
+3 −1
@@ -281,13 +281,14 @@ void ieee80211_ba_session_work(struct work_struct *work)
				sta, tid, WLAN_BACK_RECIPIENT,
				WLAN_REASON_UNSPECIFIED, true);

		spin_lock_bh(&sta->lock);

		tid_tx = sta->ampdu_mlme.tid_start_tx[tid];
		if (tid_tx) {
			/*
			 * Assign it over to the normal tid_tx array
			 * where it "goes live".
			 */
			spin_lock_bh(&sta->lock);

			sta->ampdu_mlme.tid_start_tx[tid] = NULL;
			/* could there be a race? */
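Review bot: The `/* could there be a race? */` comment after `sta->ampdu_mlme.tid_start_tx[tid] = NULL;` is left unchanged, although the read of `tid_start_tx[tid]` and the NULL assignment now sit in one `sta->lock` critical section. Either state which race is still possible or drop the comment, so the next reader does not have to re-derive it. The lock is also now taken when `tid_start_tx[tid]` turns out to be NULL; if that extra acquisition is the intended cost of closing the window, say so in the commit message.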
@@ -300,6 +301,7 @@ void ieee80211_ba_session_work(struct work_struct *work)
			ieee80211_tx_ba_session_handle_start(sta, tid);
			continue;
		}
		spin_unlock_bh(&sta->lock);

		tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
		if (tid_tx && test_and_clear_bit(HT_AGG_STATE_WANT_STOP,
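Review bot: The added `spin_unlock_bh(&sta->lock);` after the closing brace of `if (tid_tx)` releases the lock only on the fall-through path; the branch that ends in `continue` has to drop it in the lines elided between the two hunks, before `ieee80211_tx_ba_session_handle_start(sta, tid)` is called. Please confirm that every exit from that branch unlocks exactly once, because the lock and its two unlocks are now on different sides of the `if`, which makes an unbalanced path easy to introduce later. A short comment at the lock site naming where each path unlocks would help.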
+1 −0
@@ -203,6 +203,7 @@ struct tid_ampdu_rx {
 *	driver requested to close until the work for it runs
 * @mtx: mutex to protect all TX data (except non-NULL assignments
 *	to tid_tx[idx], which are protected by the sta spinlock)
 *	tid_start_tx is also protected by sta->lock.
 */
struct sta_ampdu_mlme {
	struct mutex mtx;
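Review bot: The new line `tid_start_tx is also protected by sta->lock.` is appended to the `@mtx` description, which documents the mutex, while the rule it states concerns a different lock. Consider folding it into the parenthetical that already mentions the sta spinlock, or moving it to the kernel-doc entry for the `tid_start_tx` member, and say whether it covers reads as well as writes, since the existing text limits the spinlock to non-NULL assignments.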