Commit 33ddd81e authored by Johannes Berg's avatar Johannes Berg

mac80211: properly free requested-but-not-started TX agg sessions

When deleting a station or otherwise tearing down all aggregation
sessions, make sure to delete requested but not yet started ones,
to avoid the following scenario:

 * session is requested, added to tid_start_tx[]
 * ieee80211_ba_session_work() runs, gets past BLOCK_BA check
 * ieee80211_sta_tear_down_BA_sessions() runs, locks &sta->ampdu_mlme.mtx,
   e.g. while deleting the station - deleting all active sessions
 * ieee80211_ba_session_work() continues since tear down flushes it, and
   calls ieee80211_tx_ba_session_handle_start() for the new session, arms
   the timer for it
 * station deletion continues to __cleanup_single_sta() and frees the
   session struct, while the timer is armed
Reported-by: default avatarFengguang Wu <fengguang.wu@intel.com>
Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
parent 67bd5238
......@@ -330,6 +330,11 @@ int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
spin_lock_bh(&sta->lock);
/* free struct pending for start, if present */
tid_tx = sta->ampdu_mlme.tid_start_tx[tid];
kfree(tid_tx);
sta->ampdu_mlme.tid_start_tx[tid] = NULL;
tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
if (!tid_tx) {
spin_unlock_bh(&sta->lock);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment