
[RFC] mac80211: Ensure tid_start_tx is protected by sta->lock.

Message ID 1371068409-10407-1-git-send-email-greearb@candelatech.com (mailing list archive)
State Not Applicable, archived

Commit Message

Ben Greear June 12, 2013, 8:20 p.m. UTC
From: Ben Greear <greearb@candelatech.com>

I believe this is more correct, though it did not fix the
memory leak I was chasing when I found this code.

Signed-off-by: Ben Greear <greearb@candelatech.com>
---
 net/mac80211/ht.c       |    5 ++++-
 net/mac80211/sta_info.h |    1 +
 2 files changed, 5 insertions(+), 1 deletions(-)

Comments

Johannes Berg June 12, 2013, 8:47 p.m. UTC | #1
On Wed, 2013-06-12 at 13:20 -0700, greearb@candelatech.com wrote:

> I believe this is more correct, though it did not fix the
> memory leak I was chasing when I found this code.

That description could use some work :-)

> +		spin_lock_bh(&sta->lock);
> +
>  		tid_tx = sta->ampdu_mlme.tid_start_tx[tid];
>  		if (tid_tx) {
>  			/*
>  			 * Assign it over to the normal tid_tx array
>  			 * where it "goes live".
>  			 */
> -			spin_lock_bh(&sta->lock);
>  
>  			sta->ampdu_mlme.tid_start_tx[tid] = NULL;
>  			/* could there be a race? */
> @@ -301,6 +302,8 @@ void ieee80211_ba_session_work(struct work_struct *work)
>  
>  			ieee80211_tx_ba_session_handle_start(sta, tid);
>  			continue;
> +		} else {
> +			spin_unlock_bh(&sta->lock);
>  		}
>  

You could just put the unlock after the if block, given the continue in
it, I think I'd prefer that.

>  		tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
> diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h
> index c509423..0f85418 100644
> --- a/net/mac80211/sta_info.h
> +++ b/net/mac80211/sta_info.h
> @@ -204,6 +204,7 @@ struct tid_ampdu_rx {
>   *	driver requested to close until the work for it runs
>   * @mtx: mutex to protect all TX data (except non-NULL assignments
>   *	to tid_tx[idx], which are protected by the sta spinlock)
> + *      tid_start_tx is also protected by sta->lock.

That should be a tab.

johannes


Patch

diff --git a/net/mac80211/ht.c b/net/mac80211/ht.c
index 0db25d4..c6256b4 100644
--- a/net/mac80211/ht.c
+++ b/net/mac80211/ht.c
@@ -283,13 +283,14 @@  void ieee80211_ba_session_work(struct work_struct *work)
 				sta, tid, WLAN_BACK_RECIPIENT,
 				WLAN_REASON_UNSPECIFIED, true);
 
+		spin_lock_bh(&sta->lock);
+
 		tid_tx = sta->ampdu_mlme.tid_start_tx[tid];
 		if (tid_tx) {
 			/*
 			 * Assign it over to the normal tid_tx array
 			 * where it "goes live".
 			 */
-			spin_lock_bh(&sta->lock);
 
 			sta->ampdu_mlme.tid_start_tx[tid] = NULL;
 			/* could there be a race? */
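Review bot: Taking `spin_lock_bh(&sta->lock)` before the load of `sta->ampdu_mlme.tid_start_tx[tid]` only makes the read-then-clear sequence atomic if every store into that slot is also made under `sta->lock`, and no writer is visible in this patch. Enforcing that at the store site (outside this diff) with `lockdep_assert_held(&sta->lock);` would turn the rule into something lockdep checks rather than something readers have to assume. The retained `/* could there be a race? */` comment should also be resolved now that the read and the `= NULL` assignment share one critical section: either drop it, or replace it with a statement of what is covered, such as `/* tid_start_tx[tid] is read and cleared under sta->lock */`, plus whichever race is still open in the lines that follow. The body of ieee80211_ba_session_work starts and ends outside this hunk, so the rest of the branch could not be checked here.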
@@ -301,6 +302,8 @@  void ieee80211_ba_session_work(struct work_struct *work)
 
 			ieee80211_tx_ba_session_handle_start(sta, tid);
 			continue;
+		} else {
+			spin_unlock_bh(&sta->lock);
 		}
 
 		tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h
index c509423..0f85418 100644
--- a/net/mac80211/sta_info.h
+++ b/net/mac80211/sta_info.h
@@ -204,6 +204,7 @@  struct tid_ampdu_rx {
  *	driver requested to close until the work for it runs
  * @mtx: mutex to protect all TX data (except non-NULL assignments
  *	to tid_tx[idx], which are protected by the sta spinlock)
+ *      tid_start_tx is also protected by sta->lock.
  */
 struct sta_ampdu_mlme {
 	struct mutex mtx;
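Review bot: The added sentence sits inside the `@mtx` entry, so kerneldoc will render it as part of the mutex description rather than as a locking rule for `tid_start_tx`. If the comment block has a `@tid_start_tx` entry (it is outside this hunk), the rule reads better there, for example ` *	Reads and writes are protected by the sta spinlock.`, which also matches the existing wording "the sta spinlock" instead of introducing `sta->lock`. Since the line above says the mutex protects all TX data, the text should also say whether `mtx` must still be held when `tid_start_tx` is touched, or whether the spinlock alone is sufficient.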