mac80211: safely free beacon in ieee80211_if_reinit

If ieee80211_if_reinit() is called from ieee80211_unregister_hw() then it is possible that the driver will still request a beacon (it is allowed to until ieee80211_unregister_hw() has returned.) This means we need to use an RCU-protected write to the beacon information even in this function. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
git-mirror · Feb 29, 2008 · e6a5ddf · e6a5ddf
1 parent 2485f71
commit e6a5ddf
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/net/mac80211/ieee80211_iface.c b/net/mac80211/ieee80211_iface.c
@@ -193,6 +193,7 @@ void ieee80211_if_reinit(struct net_device *dev)
 		/* Remove all virtual interfaces that use this BSS
 		 * as their sdata->bss */
 		struct ieee80211_sub_if_data *tsdata, *n;
+		struct beacon_data *beacon;
 
 		list_for_each_entry_safe(tsdata, n, &local->interfaces, list) {
 			if (tsdata != sdata && tsdata->bss == &sdata->u.ap) {
@@ -210,7 +211,10 @@ void ieee80211_if_reinit(struct net_device *dev)
 			}
 		}
 
-		kfree(sdata->u.ap.beacon);
+		beacon = sdata->u.ap.beacon;
+		rcu_assign_pointer(sdata->u.ap.beacon, NULL);
+		synchronize_rcu();
+		kfree(beacon);
 
 		while ((skb = skb_dequeue(&sdata->u.ap.ps_bc_buf))) {
 			local->total_ps_buffered--;