mac80211: move 4-addr sta pointer clearing before synchronize_rcu()

The pointer should be cleared before synchronize_rcu() so that the consequently dead station won't be found by any lookups in the TX or RX paths. Also check that the station is actually the one being removed, the check is not needed because each 4-addr VLAN can only have a single station and non-4-addr VLANs always have a NULL pointer there, but the code is clearer this way (and we avoid the memory write.) Signed-off-by: Johannes Berg <johannes.berg@intel.com>
git-mirror · Dec 16, 2013 · a710c81 · a710c81
1 parent 1ddbbb0
commit a710c81
Showing 1 changed file with 4 additions and 3 deletions.
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
@@ -875,6 +875,10 @@ int __must_check __sta_info_destroy(struct sta_info *sta)
 
 	drv_sta_pre_rcu_remove(local, sta->sdata, sta);
 
+	if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN &&
+	    rcu_access_pointer(sdata->u.vlan.sta) == sta)
+		RCU_INIT_POINTER(sdata->u.vlan.sta, NULL);
+
 	/* this always calls synchronize_net() */
 	ieee80211_free_sta_keys(local, sta);
 
@@ -883,9 +887,6 @@ int __must_check __sta_info_destroy(struct sta_info *sta)
 	local->num_sta--;
 	local->sta_generation++;
 
-	if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
-		RCU_INIT_POINTER(sdata->u.vlan.sta, NULL);
-
 	while (sta->sta_state > IEEE80211_STA_NONE) {
 		ret = sta_info_move_state(sta, sta->sta_state - 1);
 		if (ret) {