mac80211: Fix race between ieee80211_rx_bss_put and lookup routines.

The put routine first decrements the users counter and then (if it is zero) locks the sta_bss_lock and removes one from the list and the hash. Thus, any of ieee80211_sta_config_auth, ieee80211_rx_bss_get or ieee80211_rx_mesh_bss_get can race with it by finding a bss that is about to get kfree-ed. Using atomic_dec_and_lock in ieee80211_rx_bss_put takes care of this race. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
git-mirror · Apr 24, 2008 · 1ebebea · 1ebebea
1 parent d1d8f44
commit 1ebebea
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
@@ -2248,10 +2248,13 @@ static void ieee80211_rx_bss_put(struct net_device *dev,
 				 struct ieee80211_sta_bss *bss)
 {
 	struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
-	if (!atomic_dec_and_test(&bss->users))
+
+	local_bh_disable();
+	if (!atomic_dec_and_lock(&bss->users, &local->sta_bss_lock)) {
+		local_bh_enable();
 		return;
+	}
 
-	spin_lock_bh(&local->sta_bss_lock);
 	__ieee80211_rx_bss_hash_del(dev, bss);
 	list_del(&bss->list);
 	spin_unlock_bh(&local->sta_bss_lock);