[PATCH] mac80211: fix iff_promiscs, iff_allmultis race

When we update the counters iff_promiscs and iff_allmultis in struct ieee80211_local we have no common lock held to protect them. The problem is that the update to each counter may not be atomic, so we could end up with iff_promiscs == -1 in unfortunate conditions. To fix it, use atomic_t values. It doesn't matter whether the two counters are updated together atomically or not, if there are two invocations of set_multicast_list we will end up with multiple configure_filter() invocations of which the latter will always be correct. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>

[PATCH] mac80211: fix iff_promiscs, iff_allmultis race
When we update the counters iff_promiscs and iff_allmultis in struct ieee80211_local we have no common lock held to protect them. The problem is that the update to each counter may not be atomic, so we could end up with iff_promiscs == -1 in unfortunate conditions. To fix it, use atomic_t values. It doesn't matter whether the two counters are updated together atomically or not, if there are two invocations of set_multicast_list we will end up with multiple configure_filter() invocations of which the latter will always be correct. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
53918994 · Johannes Berg · David S. Miller · 50741ae0 · 53918994 · 53918994
Commit 53918994 authored Sep 26, 2007 by Johannes Berg Committed by David S. Miller Oct 10, 2007
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 10 deletions

net/mac80211/ieee80211.c net/mac80211/ieee80211.c +6 -6

net/mac80211/ieee80211_i.h net/mac80211/ieee80211_i.h +2 -3

net/mac80211/rx.c net/mac80211/rx.c +2 -1

No files found.
--- a/net/mac80211/ieee80211.c
+++ b/net/mac80211/ieee80211.c
@@ -59,10 +59,10 @@ static void ieee80211_configure_filter(struct ieee80211_local *local)
 	unsigned int changed_flags;
 	unsigned int new_flags = 0;
-	if (local->iff_promiscs)
+	if (atomic_read(&local->iff_promiscs))
 		new_flags |= FIF_PROMISC_IN_BSS;
-	if (local->iff_allmultis)
+	if (atomic_read(&local->iff_allmultis))
 		new_flags |= FIF_ALLMULTI;
 	if (local->monitors)
@@ -521,17 +521,17 @@ static void ieee80211_set_multicast_list(struct net_device *dev)
 	if (allmulti != sdata_allmulti) {
 		if (dev->flags & IFF_ALLMULTI)
-			local->iff_allmultis++;
+			atomic_inc(&local->iff_allmultis);
 		else
-			local->iff_allmultis--;
+			atomic_dec(&local->iff_allmultis);
 		sdata->flags ^= IEEE80211_SDATA_ALLMULTI;
 	}
 	if (promisc != sdata_promisc) {
 		if (dev->flags & IFF_PROMISC)
-			local->iff_promiscs++;
+			atomic_inc(&local->iff_promiscs);
 		else
-			local->iff_promiscs--;
+			atomic_dec(&local->iff_promiscs);
 		sdata->flags ^= IEEE80211_SDATA_PROMISC;
 	}

--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -444,9 +444,8 @@ struct ieee80211_local {
 	struct ieee80211_tx_stored_packet pending_packet[NUM_TX_DATA_QUEUES];
 	struct tasklet_struct tx_pending_tasklet;
-	int mc_count;	/* total count of multicast entries in all interfaces */
+	/* number of interfaces with corresponding IFF_ flags */
-	int iff_allmultis, iff_promiscs;
+	atomic_t iff_allmultis, iff_promiscs;
-			/* number of interfaces with corresponding IFF_ flags */
 	struct rate_control_ref *rate_ctrl;

--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1531,7 +1531,8 @@ void __ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb,
 	skb = rx.skb;
 	if (sta && !(sta->flags & (WLAN_STA_WDS | WLAN_STA_ASSOC_AP)) &&
-	    !local->iff_promiscs && !is_multicast_ether_addr(hdr->addr1)) {
+	    !atomic_read(&local->iff_promiscs) &&
+	    !is_multicast_ether_addr(hdr->addr1)) {
 		rx.flags |= IEEE80211_TXRXD_RXRA_MATCH;
 		ieee80211_invoke_rx_handlers(local, local->rx_handlers, &rx,
 					     rx.sta);