Commit 73350424 authored by Johannes Berg

cfg80211: pmsr: fix abort locking

When we destroy the interface we already hold the wdev->mtx
while calling cfg80211_pmsr_wdev_down(), which assumes this
isn't true and flushes the worker that takes the lock, thus
leading to a deadlock.

Fix this by refactoring the worker and calling its code in
cfg80211_pmsr_wdev_down() directly.

We still need to flush the work later to make sure it's not
still running (which would crash), but it will not do anything.

Fixes: 9bb7e0f2 ("cfg80211: add peer measurement with FTM initiator API")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
parent 0acd9928
...@@ -1068,6 +1068,8 @@ static void __cfg80211_unregister_wdev(struct wireless_dev *wdev, bool sync) ...@@ -1068,6 +1068,8 @@ static void __cfg80211_unregister_wdev(struct wireless_dev *wdev, bool sync)
ASSERT_RTNL(); ASSERT_RTNL();
flush_work(&wdev->pmsr_free_wk);
nl80211_notify_iface(rdev, wdev, NL80211_CMD_DEL_INTERFACE); nl80211_notify_iface(rdev, wdev, NL80211_CMD_DEL_INTERFACE);
list_del_rcu(&wdev->list); list_del_rcu(&wdev->list);
......
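Review bot: The added `flush_work(&wdev->pmsr_free_wk);` has no comment stating its locking constraint, which is the very constraint this commit fixes elsewhere. The work function shown later in this commit takes `wdev->mtx`, so the flush deadlocks if it is ever reached with that mutex held. The hunk shows `ASSERT_RTNL()` just above the call but nothing about `wdev->mtx`, and the rest of `__cfg80211_unregister_wdev()` lies outside the hunk, so this needs confirming against the callers. Assuming the mutex is indeed not held here, I would add above the call: `/* pmsr_free_wk takes wdev->mtx; flush with the mutex not held so the work cannot still be running when the wdev goes away */`.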
...@@ -529,14 +529,14 @@ void cfg80211_pmsr_report(struct wireless_dev *wdev, ...@@ -529,14 +529,14 @@ void cfg80211_pmsr_report(struct wireless_dev *wdev,
} }
EXPORT_SYMBOL_GPL(cfg80211_pmsr_report); EXPORT_SYMBOL_GPL(cfg80211_pmsr_report);
void cfg80211_pmsr_free_wk(struct work_struct *work) static void cfg80211_pmsr_process_abort(struct wireless_dev *wdev)
{ {
struct wireless_dev *wdev = container_of(work, struct wireless_dev,
pmsr_free_wk);
struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy); struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
struct cfg80211_pmsr_request *req, *tmp; struct cfg80211_pmsr_request *req, *tmp;
LIST_HEAD(free_list); LIST_HEAD(free_list);
lockdep_assert_held(&wdev->mtx);
spin_lock_bh(&wdev->pmsr_lock); spin_lock_bh(&wdev->pmsr_lock);
list_for_each_entry_safe(req, tmp, &wdev->pmsr_list, list) { list_for_each_entry_safe(req, tmp, &wdev->pmsr_list, list) {
if (req->nl_portid) if (req->nl_portid)
...@@ -546,14 +546,22 @@ void cfg80211_pmsr_free_wk(struct work_struct *work) ...@@ -546,14 +546,22 @@ void cfg80211_pmsr_free_wk(struct work_struct *work)
spin_unlock_bh(&wdev->pmsr_lock); spin_unlock_bh(&wdev->pmsr_lock);
list_for_each_entry_safe(req, tmp, &free_list, list) { list_for_each_entry_safe(req, tmp, &free_list, list) {
wdev_lock(wdev);
rdev_abort_pmsr(rdev, wdev, req); rdev_abort_pmsr(rdev, wdev, req);
wdev_unlock(wdev);
kfree(req); kfree(req);
} }
} }
void cfg80211_pmsr_free_wk(struct work_struct *work)
{
struct wireless_dev *wdev = container_of(work, struct wireless_dev,
pmsr_free_wk);
wdev_lock(wdev);
cfg80211_pmsr_process_abort(wdev);
wdev_unlock(wdev);
}
void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev) void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev)
{ {
struct cfg80211_pmsr_request *req; struct cfg80211_pmsr_request *req;
...@@ -567,8 +575,8 @@ void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev) ...@@ -567,8 +575,8 @@ void cfg80211_pmsr_wdev_down(struct wireless_dev *wdev)
spin_unlock_bh(&wdev->pmsr_lock); spin_unlock_bh(&wdev->pmsr_lock);
if (found) if (found)
schedule_work(&wdev->pmsr_free_wk); cfg80211_pmsr_process_abort(wdev);
flush_work(&wdev->pmsr_free_wk);
WARN_ON(!list_empty(&wdev->pmsr_list)); WARN_ON(!list_empty(&wdev->pmsr_list));
} }
......
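Review bot: `cfg80211_pmsr_wdev_down()` now requires its caller to hold `wdev->mtx`, but the only check is the `lockdep_assert_held(&wdev->mtx);` inside `cfg80211_pmsr_process_abort()`, which is reached only when `found` is set. A caller that enters without the mutex and finds no matching request goes unnoticed, so the missing lock surfaces only when a request happens to be pending at teardown. Putting `lockdep_assert_held(&wdev->mtx);` at the top of `cfg80211_pmsr_wdev_down()` checks the contract on every call. A short comment on the new helper, e.g. `/* caller must hold wdev->mtx */`, would also help, since the assertion compiles out without lockdep. Part of `cfg80211_pmsr_wdev_down()` lies between the hunks and is not shown.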