tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
mac80211: RCU-ify STA info structure access
This makes access to the STA hash table/list use RCU to protect
against freeing of items. However, it's not a true RCU, the
copy step is missing: whenever somebody changes a STA item it
is simply updated. This is an existing race condition that is
now somewhat understandable.
This patch also fixes the race key freeing vs. STA destruction
by making sure that sta_info_destroy() is always called under
RTNL and frees the key.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
authored by
Johannes Berg
and committed by
John W. Linville
d0709a65
5cf121c3
+707
-492
+18
-13
drivers/net/wireless/iwlwifi/iwl-3945-rs.c
+18
-13
drivers/net/wireless/iwlwifi/iwl-3945-rs.c
···
471
471
return;
472
472
}
473
473
474
+
rcu_read_lock();
475
+
474
476
sta = sta_info_get(local, hdr->addr1);
475
477
if (!sta || !sta->rate_ctrl_priv) {
476
-
if (sta)
477
-
sta_info_put(sta);
478
+
rcu_read_unlock();
478
479
IWL_DEBUG_RATE("leave: No STA priv data to update!\n");
479
480
return;
480
481
}
···
548
547
549
548
spin_unlock_irqrestore(&rs_sta->lock, flags);
550
549
551
-
sta_info_put(sta);
550
+
rcu_read_unlock();
552
551
553
552
IWL_DEBUG_RATE("leave\n");
554
553
···
659
658
660
659
IWL_DEBUG_RATE("enter\n");
661
660
661
+
rcu_read_lock();
662
+
662
663
sta = sta_info_get(local, hdr->addr1);
663
664
664
665
/* Send management frames and broadcast/multicast data using lowest
···
671
668
!sta || !sta->rate_ctrl_priv) {
672
669
IWL_DEBUG_RATE("leave: No STA priv data to update!\n");
673
670
sel->rate = rate_lowest(local, band, sta);
674
-
if (sta)
675
-
sta_info_put(sta);
671
+
rcu_read_unlock();
676
672
return;
677
673
}
678
674
···
813
811
else
814
812
sta->txrate_idx = sta->last_txrate_idx;
815
813
816
-
sta_info_put(sta);
814
+
rcu_read_unlock();
817
815
818
816
IWL_DEBUG_RATE("leave: %d\n", index);
819
817
···
845
843
unsigned long now = jiffies;
846
844
u32 max_time = 0;
847
845
846
+
rcu_read_lock();
847
+
848
848
sta = sta_info_get(local, priv->stations[sta_id].sta.sta.addr);
849
849
if (!sta || !sta->rate_ctrl_priv) {
850
-
if (sta) {
851
-
sta_info_put(sta);
850
+
if (sta)
852
851
IWL_DEBUG_RATE("leave - no private rate data!\n");
853
-
} else
852
+
else
854
853
IWL_DEBUG_RATE("leave - no station!\n");
854
+
rcu_read_unlock();
855
855
return sprintf(buf, "station %d not found\n", sta_id);
856
856
}
857
857
···
894
890
i = j;
895
891
}
896
892
spin_unlock_irqrestore(&rs_sta->lock, flags);
897
-
sta_info_put(sta);
893
+
rcu_read_unlock();
898
894
899
895
/* Display the average rate of all samples taken.
900
896
*
···
931
927
return;
932
928
}
933
929
930
+
rcu_read_lock();
931
+
934
932
sta = sta_info_get(local, priv->stations[sta_id].sta.sta.addr);
935
933
if (!sta || !sta->rate_ctrl_priv) {
936
-
if (sta)
937
-
sta_info_put(sta);
938
934
IWL_DEBUG_RATE("leave - no private rate data!\n");
935
+
rcu_read_unlock();
939
936
return;
940
937
}
941
938
···
963
958
break;
964
959
}
965
960
966
-
sta_info_put(sta);
961
+
rcu_read_unlock();
967
962
spin_unlock_irqrestore(&rs_sta->lock, flags);
968
963
969
964
rssi = priv->last_rx_rssi;
+15
-12
drivers/net/wireless/iwlwifi/iwl-4965-rs.c
+15
-12
drivers/net/wireless/iwlwifi/iwl-4965-rs.c
···
847
847
if (retries > 15)
848
848
retries = 15;
849
849
850
+
rcu_read_lock();
850
851
851
852
sta = sta_info_get(local, hdr->addr1);
852
853
853
854
if (!sta || !sta->rate_ctrl_priv) {
854
-
if (sta)
855
-
sta_info_put(sta);
855
+
rcu_read_unlock();
856
856
return;
857
857
}
858
858
···
891
891
if ((rs_index < 0) || (rs_index >= IWL_RATE_COUNT)) {
892
892
IWL_DEBUG_RATE("bad rate index at: %d rate 0x%X\n",
893
893
rs_index, tx_mcs.rate_n_flags);
894
-
sta_info_put(sta);
894
+
rcu_read_unlock();
895
895
return;
896
896
}
897
897
···
909
909
IWL_DEBUG_RATE("initial rate does not match 0x%x 0x%x\n",
910
910
tx_mcs.rate_n_flags,
911
911
le32_to_cpu(table->rs_table[0].rate_n_flags));
912
-
sta_info_put(sta);
912
+
rcu_read_unlock();
913
913
return;
914
914
}
915
915
···
1025
1025
1026
1026
/* See if there's a better rate or modulation mode to try. */
1027
1027
rs_rate_scale_perform(priv, dev, hdr, sta);
1028
-
sta_info_put(sta);
1028
+
rcu_read_unlock();
1029
1029
return;
1030
1030
}
1031
1031
···
2219
2219
2220
2220
IWL_DEBUG_RATE_LIMIT("rate scale calculate new rate for skb\n");
2221
2221
2222
+
rcu_read_lock();
2223
+
2222
2224
sta = sta_info_get(local, hdr->addr1);
2223
2225
2224
2226
/* Send management frames and broadcast/multicast data using lowest
···
2229
2227
if (!ieee80211_is_data(fc) || is_multicast_ether_addr(hdr->addr1) ||
2230
2228
!sta || !sta->rate_ctrl_priv) {
2231
2229
sel->rate = rate_lowest(local, sband, sta);
2232
-
if (sta)
2233
-
sta_info_put(sta);
2230
+
rcu_read_unlock();
2234
2231
return;
2235
2232
}
2236
2233
···
2262
2261
sel->rate = rate_lowest(local, sband, sta);
2263
2262
return;
2264
2263
}
2265
-
sta_info_put(sta);
2264
+
rcu_read_unlock();
2266
2265
2267
2266
sel->rate = &priv->ieee_rates[i];
2268
2267
}
···
2736
2735
u32 max_time = 0;
2737
2736
u8 lq_type, antenna;
2738
2737
2738
+
rcu_read_lock();
2739
+
2739
2740
sta = sta_info_get(local, priv->stations[sta_id].sta.sta.addr);
2740
2741
if (!sta || !sta->rate_ctrl_priv) {
2741
-
if (sta) {
2742
-
sta_info_put(sta);
2742
+
if (sta)
2743
2743
IWL_DEBUG_RATE("leave - no private rate data!\n");
2744
-
} else
2744
+
else
2745
2745
IWL_DEBUG_RATE("leave - no station!\n");
2746
+
rcu_read_unlock();
2746
2747
return sprintf(buf, "station %d not found\n", sta_id);
2747
2748
}
2748
2749
···
2811
2808
"active_search %d rate index %d\n", lq_type, antenna,
2812
2809
lq_sta->search_better_tbl, sta->last_txrate_idx);
2813
2810
2814
-
sta_info_put(sta);
2811
+
rcu_read_unlock();
2815
2812
return cnt;
2816
2813
}
2817
2814
+58
-56
net/mac80211/cfg.c
+58
-56
net/mac80211/cfg.c
···
136
136
struct ieee80211_sub_if_data *sdata;
137
137
struct sta_info *sta = NULL;
138
138
enum ieee80211_key_alg alg;
139
-
int ret;
140
139
struct ieee80211_key *key;
141
140
142
141
sdata = IEEE80211_DEV_TO_SUB_IF(dev);
···
169
170
170
171
ieee80211_key_link(key, sdata, sta);
171
172
172
-
ret = 0;
173
-
174
-
if (sta)
175
-
sta_info_put(sta);
176
-
177
-
return ret;
173
+
return 0;
178
174
}
179
175
180
176
static int ieee80211_del_key(struct wiphy *wiphy, struct net_device *dev,
···
178
184
struct ieee80211_sub_if_data *sdata;
179
185
struct sta_info *sta;
180
186
int ret;
181
-
struct ieee80211_key *key;
182
187
183
188
sdata = IEEE80211_DEV_TO_SUB_IF(dev);
184
189
···
188
195
189
196
ret = 0;
190
197
if (sta->key) {
191
-
key = sta->key;
192
-
ieee80211_key_free(key);
198
+
ieee80211_key_free(sta->key);
193
199
WARN_ON(sta->key);
194
200
} else
195
201
ret = -ENOENT;
196
202
197
-
sta_info_put(sta);
198
203
return ret;
199
204
}
200
205
201
206
if (!sdata->keys[key_idx])
202
207
return -ENOENT;
203
208
204
-
key = sdata->keys[key_idx];
205
-
ieee80211_key_free(key);
209
+
ieee80211_key_free(sdata->keys[key_idx]);
206
210
WARN_ON(sdata->keys[key_idx]);
207
211
208
212
return 0;
···
282
292
err = 0;
283
293
284
294
out:
285
-
if (sta)
286
-
sta_info_put(sta);
287
295
return err;
288
296
}
289
297
···
299
311
300
312
static void sta_set_sinfo(struct sta_info *sta, struct station_info *sinfo)
301
313
{
302
-
struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev);
314
+
struct ieee80211_sub_if_data *sdata = sta->sdata;
303
315
304
316
sinfo->filled = STATION_INFO_INACTIVE_TIME |
305
317
STATION_INFO_RX_BYTES |
···
328
340
{
329
341
struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
330
342
struct sta_info *sta;
343
+
int ret = -ENOENT;
344
+
345
+
rcu_read_lock();
331
346
332
347
sta = sta_info_get_by_idx(local, idx, dev);
333
-
if (!sta)
334
-
return -ENOENT;
348
+
if (sta) {
349
+
ret = 0;
350
+
memcpy(mac, sta->addr, ETH_ALEN);
351
+
sta_set_sinfo(sta, sinfo);
352
+
}
335
353
336
-
memcpy(mac, sta->addr, ETH_ALEN);
337
-
sta_set_sinfo(sta, sinfo);
338
-
sta_info_put(sta);
354
+
rcu_read_unlock();
339
355
340
-
return 0;
356
+
return ret;
341
357
}
342
358
343
359
static int ieee80211_get_station(struct wiphy *wiphy, struct net_device *dev,
···
349
357
{
350
358
struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
351
359
struct sta_info *sta;
360
+
int ret = -ENOENT;
352
361
353
-
sta = sta_info_get(local, mac);
354
-
if (!sta)
355
-
return -ENOENT;
362
+
rcu_read_lock();
356
363
357
364
/* XXX: verify sta->dev == dev */
358
-
sta_set_sinfo(sta, sinfo);
359
-
sta_info_put(sta);
360
365
361
-
return 0;
366
+
sta = sta_info_get(local, mac);
367
+
if (sta) {
368
+
ret = 0;
369
+
sta_set_sinfo(sta, sinfo);
370
+
}
371
+
372
+
rcu_read_unlock();
373
+
374
+
return ret;
362
375
}
363
376
364
377
/*
···
556
559
msg->xid_info[1] = 1; /* LLC types/classes: Type 1 LLC */
557
560
msg->xid_info[2] = 0; /* XID sender's receive window size (RW) */
558
561
559
-
skb->dev = sta->dev;
560
-
skb->protocol = eth_type_trans(skb, sta->dev);
562
+
skb->dev = sta->sdata->dev;
563
+
skb->protocol = eth_type_trans(skb, sta->sdata->dev);
561
564
memset(skb->cb, 0, sizeof(skb->cb));
562
565
netif_rx(skb);
563
566
}
···
569
572
u32 rates;
570
573
int i, j;
571
574
struct ieee80211_supported_band *sband;
572
-
struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev);
575
+
struct ieee80211_sub_if_data *sdata = sta->sdata;
573
576
574
577
if (params->station_flags & STATION_FLAG_CHANGED) {
575
578
sta->flags &= ~WLAN_STA_AUTHORIZED;
···
641
644
sdata = IEEE80211_DEV_TO_SUB_IF(dev);
642
645
643
646
if (ieee80211_vif_is_mesh(&sdata->vif))
644
-
sta = mesh_plink_add(mac, DEFAULT_RATES, dev);
647
+
sta = mesh_plink_add(mac, DEFAULT_RATES, sdata);
645
648
else
646
-
sta = sta_info_add(local, dev, mac, GFP_KERNEL);
649
+
sta = sta_info_add(sdata, mac);
647
650
648
651
if (IS_ERR(sta))
649
652
return PTR_ERR(sta);
650
653
651
-
sta->dev = sdata->dev;
652
654
if (sdata->vif.type == IEEE80211_IF_TYPE_VLAN ||
653
655
sdata->vif.type == IEEE80211_IF_TYPE_AP)
654
656
ieee80211_send_layer2_update(sta);
···
658
662
659
663
rate_control_rate_init(sta, local);
660
664
661
-
sta_info_put(sta);
662
-
663
665
return 0;
664
666
}
665
667
666
668
static int ieee80211_del_station(struct wiphy *wiphy, struct net_device *dev,
667
669
u8 *mac)
668
670
{
669
-
struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
671
+
struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
672
+
struct ieee80211_local *local = sdata->local;
670
673
struct sta_info *sta;
671
674
672
675
if (mac) {
···
674
679
if (!sta)
675
680
return -ENOENT;
676
681
677
-
sta_info_free(sta);
678
-
sta_info_put(sta);
682
+
sta_info_unlink(&sta);
683
+
684
+
if (sta) {
685
+
synchronize_rcu();
686
+
sta_info_destroy(sta);
687
+
}
679
688
} else
680
-
sta_info_flush(local, dev);
689
+
sta_info_flush(local, sdata);
681
690
682
691
return 0;
683
692
}
···
700
701
if (!sta)
701
702
return -ENOENT;
702
703
703
-
if (params->vlan && params->vlan != sta->dev) {
704
+
if (params->vlan && params->vlan != sta->sdata->dev) {
704
705
vlansdata = IEEE80211_DEV_TO_SUB_IF(params->vlan);
705
706
706
707
if (vlansdata->vif.type != IEEE80211_IF_TYPE_VLAN ||
707
708
vlansdata->vif.type != IEEE80211_IF_TYPE_AP)
708
709
return -EINVAL;
709
710
710
-
sta->dev = params->vlan;
711
+
sta->sdata = IEEE80211_DEV_TO_SUB_IF(params->vlan);
711
712
ieee80211_send_layer2_update(sta);
712
713
}
713
714
714
715
sta_apply_parameters(local, sta, params);
715
-
716
-
sta_info_put(sta);
717
716
718
717
return 0;
719
718
}
···
732
735
if (sdata->vif.type != IEEE80211_IF_TYPE_MESH_POINT)
733
736
return -ENOTSUPP;
734
737
738
+
rcu_read_lock();
735
739
sta = sta_info_get(local, next_hop);
736
-
if (!sta)
740
+
if (!sta) {
741
+
rcu_read_unlock();
737
742
return -ENOENT;
743
+
}
738
744
739
745
err = mesh_path_add(dst, dev);
740
-
if (err)
746
+
if (err) {
747
+
rcu_read_unlock();
741
748
return err;
749
+
}
742
750
743
-
rcu_read_lock();
744
751
mpath = mesh_path_lookup(dst, dev);
745
752
if (!mpath) {
746
753
rcu_read_unlock();
747
-
sta_info_put(sta);
748
754
return -ENXIO;
749
755
}
750
756
mesh_path_fix_nexthop(mpath, sta);
751
-
sta_info_put(sta);
757
+
752
758
rcu_read_unlock();
753
759
return 0;
754
760
}
···
760
760
u8 *dst)
761
761
{
762
762
if (dst)
763
-
return mesh_path_del(dst, dev);
763
+
return mesh_path_del(dst, dev, false);
764
764
765
765
mesh_path_flush(dev);
766
766
return 0;
···
781
781
if (sdata->vif.type != IEEE80211_IF_TYPE_MESH_POINT)
782
782
return -ENOTSUPP;
783
783
784
-
sta = sta_info_get(local, next_hop);
785
-
if (!sta)
786
-
return -ENOENT;
787
-
788
784
rcu_read_lock();
785
+
786
+
sta = sta_info_get(local, next_hop);
787
+
if (!sta) {
788
+
rcu_read_unlock();
789
+
return -ENOENT;
790
+
}
791
+
789
792
mpath = mesh_path_lookup(dst, dev);
790
793
if (!mpath) {
791
794
rcu_read_unlock();
792
-
sta_info_put(sta);
793
795
return -ENOENT;
794
796
}
795
797
796
798
mesh_path_fix_nexthop(mpath, sta);
797
-
sta_info_put(sta);
799
+
798
800
rcu_read_unlock();
799
801
return 0;
800
802
}
+2
-2
net/mac80211/debugfs_sta.c
+2
-2
net/mac80211/debugfs_sta.c
···
51
51
STA_OPS(name)
52
52
53
53
STA_FILE(aid, aid, D);
54
-
STA_FILE(dev, dev->name, S);
54
+
STA_FILE(dev, sdata->dev->name, S);
55
55
STA_FILE(rx_packets, rx_packets, LU);
56
56
STA_FILE(tx_packets, tx_packets, LU);
57
57
STA_FILE(rx_bytes, rx_bytes, LU);
···
200
200
const char __user *user_buf, size_t count, loff_t *ppos)
201
201
{
202
202
struct sta_info *sta = file->private_data;
203
-
struct net_device *dev = sta->dev;
203
+
struct net_device *dev = sta->sdata->dev;
204
204
struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
205
205
struct ieee80211_hw *hw = &local->hw;
206
206
u8 *da = sta->addr;
+2
net/mac80211/debugfs_sta.h
+2
net/mac80211/debugfs_sta.h
+52
-26
net/mac80211/ieee80211.c
+52
-26
net/mac80211/ieee80211.c
···
375
375
376
376
sdata = IEEE80211_DEV_TO_SUB_IF(dev);
377
377
378
-
list_for_each_entry(sta, &local->sta_list, list) {
379
-
if (sta->dev == dev)
378
+
rcu_read_lock();
379
+
380
+
list_for_each_entry_rcu(sta, &local->sta_list, list) {
381
+
if (sta->sdata == sdata)
380
382
for (i = 0; i < STA_TID_NUM; i++)
381
-
ieee80211_sta_stop_rx_ba_session(sta->dev,
383
+
ieee80211_sta_stop_rx_ba_session(sdata->dev,
382
384
sta->addr, i,
383
385
WLAN_BACK_RECIPIENT,
384
386
WLAN_REASON_QSTA_LEAVE_QBSS);
385
387
}
388
+
389
+
rcu_read_unlock();
386
390
387
391
netif_stop_queue(dev);
388
392
···
453
449
netif_tx_unlock_bh(local->mdev);
454
450
break;
455
451
case IEEE80211_IF_TYPE_MESH_POINT:
456
-
sta_info_flush(local, dev);
452
+
sta_info_flush(local, sdata);
457
453
/* fall through */
458
454
case IEEE80211_IF_TYPE_STA:
459
455
case IEEE80211_IF_TYPE_IBSS:
···
526
522
print_mac(mac, ra), tid);
527
523
#endif /* CONFIG_MAC80211_HT_DEBUG */
528
524
525
+
rcu_read_lock();
526
+
529
527
sta = sta_info_get(local, ra);
530
528
if (!sta) {
531
529
printk(KERN_DEBUG "Could not find the station\n");
530
+
rcu_read_unlock();
532
531
return -ENOENT;
533
532
}
534
533
···
571
564
spin_unlock_bh(&local->mdev->queue_lock);
572
565
goto start_ba_exit;
573
566
}
574
-
sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev);
567
+
sdata = sta->sdata;
575
568
576
569
/* Ok, the Addba frame hasn't been sent yet, but if the driver calls the
577
570
* call back right away, it must see that the flow has begun */
···
608
601
sta->ampdu_mlme.dialog_token_allocator;
609
602
sta->ampdu_mlme.tid_tx[tid].ssn = start_seq_num;
610
603
611
-
ieee80211_send_addba_request(sta->dev, ra, tid,
604
+
ieee80211_send_addba_request(sta->sdata->dev, ra, tid,
612
605
sta->ampdu_mlme.tid_tx[tid].dialog_token,
613
606
sta->ampdu_mlme.tid_tx[tid].ssn,
614
607
0x40, 5000);
···
621
614
622
615
start_ba_exit:
623
616
spin_unlock_bh(&sta->ampdu_mlme.ampdu_tx);
624
-
sta_info_put(sta);
617
+
rcu_read_unlock();
625
618
return ret;
626
619
}
627
620
EXPORT_SYMBOL(ieee80211_start_tx_ba_session);
···
644
637
print_mac(mac, ra), tid);
645
638
#endif /* CONFIG_MAC80211_HT_DEBUG */
646
639
640
+
rcu_read_lock();
647
641
sta = sta_info_get(local, ra);
648
-
if (!sta)
642
+
if (!sta) {
643
+
rcu_read_unlock();
649
644
return -ENOENT;
645
+
}
650
646
651
647
/* check if the TID is in aggregation */
652
648
state = &sta->ampdu_mlme.tid_tx[tid].state;
···
683
673
684
674
stop_BA_exit:
685
675
spin_unlock_bh(&sta->ampdu_mlme.ampdu_tx);
686
-
sta_info_put(sta);
676
+
rcu_read_unlock();
687
677
return ret;
688
678
}
689
679
EXPORT_SYMBOL(ieee80211_stop_tx_ba_session);
···
701
691
return;
702
692
}
703
693
694
+
rcu_read_lock();
704
695
sta = sta_info_get(local, ra);
705
696
if (!sta) {
697
+
rcu_read_unlock();
706
698
printk(KERN_DEBUG "Could not find station: %s\n",
707
699
print_mac(mac, ra));
708
700
return;
···
717
705
printk(KERN_DEBUG "addBA was not requested yet, state is %d\n",
718
706
*state);
719
707
spin_unlock_bh(&sta->ampdu_mlme.ampdu_tx);
720
-
sta_info_put(sta);
708
+
rcu_read_unlock();
721
709
return;
722
710
}
723
711
···
730
718
ieee80211_wake_queue(hw, sta->tid_to_tx_q[tid]);
731
719
}
732
720
spin_unlock_bh(&sta->ampdu_mlme.ampdu_tx);
733
-
sta_info_put(sta);
721
+
rcu_read_unlock();
734
722
}
735
723
EXPORT_SYMBOL(ieee80211_start_tx_ba_cb);
736
724
···
751
739
printk(KERN_DEBUG "Stop a BA session requested on DA %s tid %d\n",
752
740
print_mac(mac, ra), tid);
753
741
742
+
rcu_read_lock();
754
743
sta = sta_info_get(local, ra);
755
744
if (!sta) {
756
745
printk(KERN_DEBUG "Could not find station: %s\n",
757
746
print_mac(mac, ra));
747
+
rcu_read_unlock();
758
748
return;
759
749
}
760
750
state = &sta->ampdu_mlme.tid_tx[tid].state;
···
764
750
spin_lock_bh(&sta->ampdu_mlme.ampdu_tx);
765
751
if ((*state & HT_AGG_STATE_REQ_STOP_BA_MSK) == 0) {
766
752
printk(KERN_DEBUG "unexpected callback to A-MPDU stop\n");
767
-
sta_info_put(sta);
768
753
spin_unlock_bh(&sta->ampdu_mlme.ampdu_tx);
754
+
rcu_read_unlock();
769
755
return;
770
756
}
771
757
772
758
if (*state & HT_AGG_STATE_INITIATOR_MSK)
773
-
ieee80211_send_delba(sta->dev, ra, tid,
759
+
ieee80211_send_delba(sta->sdata->dev, ra, tid,
774
760
WLAN_BACK_INITIATOR, WLAN_REASON_QSTA_NOT_USE);
775
761
776
762
agg_queue = sta->tid_to_tx_q[tid];
···
791
777
sta->ampdu_mlme.tid_tx[tid].addba_req_num = 0;
792
778
spin_unlock_bh(&sta->ampdu_mlme.ampdu_tx);
793
779
794
-
sta_info_put(sta);
780
+
rcu_read_unlock();
795
781
}
796
782
EXPORT_SYMBOL(ieee80211_stop_tx_ba_cb);
797
783
···
901
887
struct sta_info *sta;
902
888
DECLARE_MAC_BUF(mac);
903
889
890
+
might_sleep();
891
+
904
892
if (compare_ether_addr(remote_addr, sdata->u.wds.remote_addr) == 0)
905
893
return 0;
906
894
895
+
rcu_read_lock();
896
+
907
897
/* Create STA entry for the new peer */
908
-
sta = sta_info_add(local, dev, remote_addr, GFP_KERNEL);
909
-
if (IS_ERR(sta))
898
+
sta = sta_info_add(sdata, remote_addr);
899
+
if (IS_ERR(sta)) {
900
+
rcu_read_unlock();
910
901
return PTR_ERR(sta);
902
+
}
911
903
912
904
sta->flags |= WLAN_STA_AUTHORIZED;
913
905
914
-
sta_info_put(sta);
915
-
916
906
/* Remove STA entry for the old peer */
917
907
sta = sta_info_get(local, sdata->u.wds.remote_addr);
918
-
if (sta) {
919
-
sta_info_free(sta);
920
-
sta_info_put(sta);
921
-
} else {
908
+
if (sta)
909
+
sta_info_unlink(&sta);
910
+
else
922
911
printk(KERN_DEBUG "%s: could not find STA entry for WDS link "
923
912
"peer %s\n",
924
913
dev->name, print_mac(mac, sdata->u.wds.remote_addr));
925
-
}
926
914
927
915
/* Update WDS link data */
928
916
memcpy(&sdata->u.wds.remote_addr, remote_addr, ETH_ALEN);
917
+
918
+
rcu_read_unlock();
919
+
920
+
if (sta) {
921
+
synchronize_rcu();
922
+
sta_info_destroy(sta);
923
+
}
929
924
930
925
return 0;
931
926
}
···
1353
1330
return;
1354
1331
}
1355
1332
1333
+
rcu_read_lock();
1334
+
1356
1335
if (status->excessive_retries) {
1357
1336
struct sta_info *sta;
1358
1337
sta = sta_info_get(local, hdr->addr1);
···
1368
1343
status->flags |= IEEE80211_TX_STATUS_TX_FILTERED;
1369
1344
ieee80211_handle_filtered_frame(local, sta,
1370
1345
skb, status);
1371
-
sta_info_put(sta);
1346
+
rcu_read_unlock();
1372
1347
return;
1373
1348
}
1374
-
sta_info_put(sta);
1375
1349
}
1376
1350
}
1377
1351
···
1380
1356
if (sta) {
1381
1357
ieee80211_handle_filtered_frame(local, sta, skb,
1382
1358
status);
1383
-
sta_info_put(sta);
1359
+
rcu_read_unlock();
1384
1360
return;
1385
1361
}
1386
1362
} else
1387
1363
rate_control_tx_status(local->mdev, skb, status);
1364
+
1365
+
rcu_read_unlock();
1388
1366
1389
1367
ieee80211_led_tx(local, 0);
1390
1368
+10
-3
net/mac80211/ieee80211_i.h
+10
-3
net/mac80211/ieee80211_i.h
···
574
574
unsigned int filter_flags; /* FIF_* */
575
575
struct iw_statistics wstats;
576
576
u8 wstats_flags;
577
+
bool tim_in_locked_section; /* see ieee80211_beacon_get() */
577
578
int tx_headroom; /* required headroom for hardware/radiotap */
578
579
579
580
enum {
···
592
591
struct sk_buff_head skb_queue;
593
592
struct sk_buff_head skb_queue_unreliable;
594
593
595
-
/* Station data structures */
596
-
rwlock_t sta_lock; /* protects STA data structures */
597
-
int num_sta; /* number of stations in sta_list */
594
+
/* Station data */
595
+
/*
596
+
* The lock only protects the list, hash, timer and counter
597
+
* against manipulation, reads are done in RCU. Additionally,
598
+
* the lock protects each BSS's TIM bitmap and a few items
599
+
* in a STA info structure.
600
+
*/
601
+
spinlock_t sta_lock;
602
+
unsigned long num_sta;
598
603
struct list_head sta_list;
599
604
struct sta_info *sta_hash[STA_HASH_SIZE];
600
605
struct timer_list sta_cleanup;
+8
-3
net/mac80211/ieee80211_iface.c
+8
-3
net/mac80211/ieee80211_iface.c
···
240
240
break;
241
241
}
242
242
case IEEE80211_IF_TYPE_WDS:
243
+
rcu_read_lock();
243
244
sta = sta_info_get(local, sdata->u.wds.remote_addr);
244
245
if (sta) {
245
-
sta_info_free(sta);
246
-
sta_info_put(sta);
246
+
sta_info_unlink(&sta);
247
247
} else {
248
248
#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
249
249
printk(KERN_DEBUG "%s: Someone had deleted my STA "
250
250
"entry for the WDS link\n", dev->name);
251
251
#endif /* CONFIG_MAC80211_VERBOSE_DEBUG */
252
+
}
253
+
rcu_read_unlock();
254
+
if (sta) {
255
+
synchronize_rcu();
256
+
sta_info_destroy(sta);
252
257
}
253
258
break;
254
259
case IEEE80211_IF_TYPE_MESH_POINT:
···
280
275
}
281
276
282
277
/* remove all STAs that are bound to this virtual interface */
283
-
sta_info_flush(local, dev);
278
+
sta_info_flush(local, sdata);
284
279
285
280
memset(&sdata->u, 0, sizeof(sdata->u));
286
281
ieee80211_if_sdata_init(sdata);
+15
-27
net/mac80211/ieee80211_ioctl.c
+15
-27
net/mac80211/ieee80211_ioctl.c
···
33
33
size_t key_len)
34
34
{
35
35
struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
36
-
int ret;
37
-
struct sta_info *sta = NULL;
36
+
struct sta_info *sta;
38
37
struct ieee80211_key *key;
39
38
struct ieee80211_sub_if_data *sdata;
40
39
···
50
51
key = sdata->keys[idx];
51
52
} else {
52
53
sta = sta_info_get(local, sta_addr);
53
-
if (!sta) {
54
-
ret = -ENOENT;
55
-
key = NULL;
56
-
goto err_out;
57
-
}
58
-
54
+
if (!sta)
55
+
return -ENOENT;
59
56
key = sta->key;
60
57
}
61
58
62
59
if (!key)
63
-
ret = -ENOENT;
64
-
else
65
-
ret = 0;
60
+
return -ENOENT;
61
+
62
+
ieee80211_key_free(key);
63
+
return 0;
66
64
} else {
67
65
key = ieee80211_key_alloc(alg, idx, key_len, _key);
68
66
if (!key)
69
67
return -ENOMEM;
68
+
69
+
sta = NULL;
70
70
71
71
if (!is_broadcast_ether_addr(sta_addr)) {
72
72
set_tx_key = 0;
···
76
78
* work around this.
77
79
*/
78
80
if (idx != 0 && alg != ALG_WEP) {
79
-
ret = -EINVAL;
80
-
goto err_out;
81
+
ieee80211_key_free(key);
82
+
return -EINVAL;
81
83
}
82
84
83
85
sta = sta_info_get(local, sta_addr);
84
86
if (!sta) {
85
-
ret = -ENOENT;
86
-
goto err_out;
87
+
ieee80211_key_free(key);
88
+
return -ENOENT;
87
89
}
88
90
}
89
91
···
91
93
92
94
if (set_tx_key || (!sta && !sdata->default_key && key))
93
95
ieee80211_set_default_key(sdata, idx);
94
-
95
-
/* don't free key later */
96
-
key = NULL;
97
-
98
-
ret = 0;
99
96
}
100
97
101
-
err_out:
102
-
if (sta)
103
-
sta_info_put(sta);
104
-
ieee80211_key_free(key);
105
-
return ret;
98
+
return 0;
106
99
}
107
100
108
101
static int ieee80211_ioctl_siwgenie(struct net_device *dev,
···
614
625
else
615
626
rate->value = 0;
616
627
rate->value *= 100000;
617
-
sta_info_put(sta);
628
+
618
629
return 0;
619
630
}
620
631
···
989
1000
wstats->qual.qual = sta->last_signal;
990
1001
wstats->qual.noise = sta->last_noise;
991
1002
wstats->qual.updated = local->wstats_flags;
992
-
sta_info_put(sta);
993
1003
}
994
1004
return wstats;
995
1005
}
+5
-3
net/mac80211/ieee80211_rate.c
+5
-3
net/mac80211/ieee80211_rate.c
···
170
170
struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
171
171
struct rate_control_ref *ref = local->rate_ctrl;
172
172
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
173
-
struct sta_info *sta = sta_info_get(local, hdr->addr1);
173
+
struct sta_info *sta;
174
174
int i;
175
+
176
+
rcu_read_lock();
177
+
sta = sta_info_get(local, hdr->addr1);
175
178
176
179
memset(sel, 0, sizeof(struct rate_selection));
177
180
···
193
190
}
194
191
}
195
192
196
-
if (sta)
197
-
sta_info_put(sta);
193
+
rcu_read_unlock();
198
194
}
199
195
200
196
struct rate_control_ref *rate_control_get(struct rate_control_ref *ref)
+1
net/mac80211/ieee80211_rate.h
+1
net/mac80211/ieee80211_rate.h
+85
-38
net/mac80211/ieee80211_sta.c
+85
-38
net/mac80211/ieee80211_sta.c
···
24
24
#include <linux/wireless.h>
25
25
#include <linux/random.h>
26
26
#include <linux/etherdevice.h>
27
+
#include <linux/rtnetlink.h>
27
28
#include <net/iw_handler.h>
28
29
#include <asm/types.h>
29
30
···
846
845
847
846
ifsta->state = IEEE80211_ASSOCIATED;
848
847
848
+
rcu_read_lock();
849
+
849
850
sta = sta_info_get(local, ifsta->bssid);
850
851
if (!sta) {
851
852
printk(KERN_DEBUG "%s: No STA entry for own AP %s\n",
···
863
860
"range\n",
864
861
dev->name, print_mac(mac, ifsta->bssid));
865
862
disassoc = 1;
866
-
sta_info_free(sta);
863
+
sta_info_unlink(&sta);
867
864
} else
868
865
ieee80211_send_probe_req(dev, ifsta->bssid,
869
866
local->scan_ssid,
···
879
876
ifsta->ssid_len);
880
877
}
881
878
}
882
-
sta_info_put(sta);
883
879
}
880
+
881
+
rcu_read_unlock();
882
+
883
+
if (disassoc && sta) {
884
+
synchronize_rcu();
885
+
rtnl_lock();
886
+
sta_info_destroy(sta);
887
+
rtnl_unlock();
888
+
}
889
+
884
890
if (disassoc) {
885
891
ifsta->state = IEEE80211_DISABLED;
886
892
ieee80211_set_associated(dev, ifsta, 0);
···
1115
1103
int ret = -EOPNOTSUPP;
1116
1104
DECLARE_MAC_BUF(mac);
1117
1105
1106
+
rcu_read_lock();
1107
+
1118
1108
sta = sta_info_get(local, mgmt->sa);
1119
-
if (!sta)
1109
+
if (!sta) {
1110
+
rcu_read_unlock();
1120
1111
return;
1112
+
}
1121
1113
1122
1114
/* extract session parameters from addba request frame */
1123
1115
dialog_token = mgmt->u.action.u.addba_req.dialog_token;
···
1213
1197
spin_unlock_bh(&sta->ampdu_mlme.ampdu_rx);
1214
1198
1215
1199
end_no_lock:
1216
-
ieee80211_send_addba_resp(sta->dev, sta->addr, tid, dialog_token,
1217
-
status, 1, buf_size, timeout);
1218
-
sta_info_put(sta);
1200
+
ieee80211_send_addba_resp(sta->sdata->dev, sta->addr, tid,
1201
+
dialog_token, status, 1, buf_size, timeout);
1202
+
rcu_read_unlock();
1219
1203
}
1220
1204
1221
1205
static void ieee80211_sta_process_addba_resp(struct net_device *dev,
···
1229
1213
u16 tid;
1230
1214
u8 *state;
1231
1215
1216
+
rcu_read_lock();
1217
+
1232
1218
sta = sta_info_get(local, mgmt->sa);
1233
-
if (!sta)
1219
+
if (!sta) {
1220
+
rcu_read_unlock();
1234
1221
return;
1222
+
}
1235
1223
1236
1224
capab = le16_to_cpu(mgmt->u.action.u.addba_resp.capab);
1237
1225
tid = (capab & IEEE80211_ADDBA_PARAM_TID_MASK) >> 2;
···
1250
1230
#ifdef CONFIG_MAC80211_HT_DEBUG
1251
1231
printk(KERN_DEBUG "wrong addBA response token, tid %d\n", tid);
1252
1232
#endif /* CONFIG_MAC80211_HT_DEBUG */
1253
-
sta_info_put(sta);
1233
+
rcu_read_unlock();
1254
1234
return;
1255
1235
}
1256
1236
···
1264
1244
spin_unlock_bh(&sta->ampdu_mlme.ampdu_tx);
1265
1245
printk(KERN_DEBUG "state not HT_ADDBA_REQUESTED_MSK:"
1266
1246
"%d\n", *state);
1267
-
sta_info_put(sta);
1247
+
rcu_read_unlock();
1268
1248
return;
1269
1249
}
1270
1250
···
1291
1271
ieee80211_stop_tx_ba_session(hw, sta->addr, tid,
1292
1272
WLAN_BACK_INITIATOR);
1293
1273
}
1294
-
sta_info_put(sta);
1274
+
rcu_read_unlock();
1295
1275
}
1296
1276
1297
1277
void ieee80211_send_delba(struct net_device *dev, const u8 *da, u16 tid,
···
1346
1326
struct sta_info *sta;
1347
1327
int ret, i;
1348
1328
1329
+
rcu_read_lock();
1330
+
1349
1331
sta = sta_info_get(local, ra);
1350
-
if (!sta)
1332
+
if (!sta) {
1333
+
rcu_read_unlock();
1351
1334
return;
1335
+
}
1352
1336
1353
1337
/* check if TID is in operational state */
1354
1338
spin_lock_bh(&sta->ampdu_mlme.ampdu_rx);
1355
1339
if (sta->ampdu_mlme.tid_rx[tid].state
1356
1340
!= HT_AGG_STATE_OPERATIONAL) {
1357
1341
spin_unlock_bh(&sta->ampdu_mlme.ampdu_rx);
1358
-
sta_info_put(sta);
1342
+
rcu_read_unlock();
1359
1343
return;
1360
1344
}
1361
1345
sta->ampdu_mlme.tid_rx[tid].state =
···
1398
1374
kfree(sta->ampdu_mlme.tid_rx[tid].reorder_buf);
1399
1375
1400
1376
sta->ampdu_mlme.tid_rx[tid].state = HT_AGG_STATE_IDLE;
1401
-
sta_info_put(sta);
1377
+
rcu_read_unlock();
1402
1378
}
1403
1379
1404
1380
···
1411
1387
u16 initiator;
1412
1388
DECLARE_MAC_BUF(mac);
1413
1389
1390
+
rcu_read_lock();
1391
+
1414
1392
sta = sta_info_get(local, mgmt->sa);
1415
-
if (!sta)
1393
+
if (!sta) {
1394
+
rcu_read_unlock();
1416
1395
return;
1396
+
}
1417
1397
1418
1398
params = le16_to_cpu(mgmt->u.action.u.delba.params);
1419
1399
tid = (params & IEEE80211_DELBA_PARAM_TID_MASK) >> 12;
···
1442
1414
ieee80211_stop_tx_ba_session(&local->hw, sta->addr, tid,
1443
1415
WLAN_BACK_RECIPIENT);
1444
1416
}
1445
-
sta_info_put(sta);
1417
+
rcu_read_unlock();
1446
1418
}
1447
1419
1448
1420
/*
···
1465
1437
struct sta_info *sta;
1466
1438
u8 *state;
1467
1439
1440
+
rcu_read_lock();
1441
+
1468
1442
sta = sta_info_get(local, temp_sta->addr);
1469
-
if (!sta)
1443
+
if (!sta) {
1444
+
rcu_read_unlock();
1470
1445
return;
1446
+
}
1471
1447
1472
1448
state = &sta->ampdu_mlme.tid_tx[tid].state;
1473
1449
/* check if the TID waits for addBA response */
···
1493
1461
WLAN_BACK_INITIATOR);
1494
1462
1495
1463
timer_expired_exit:
1496
-
sta_info_put(sta);
1464
+
rcu_read_unlock();
1497
1465
}
1498
1466
1499
1467
/*
···
1513
1481
timer_to_tid[0]);
1514
1482
1515
1483
printk(KERN_DEBUG "rx session timer expired on tid %d\n", (u16)*ptid);
1516
-
ieee80211_sta_stop_rx_ba_session(sta->dev, sta->addr, (u16)*ptid,
1517
-
WLAN_BACK_TIMER,
1484
+
ieee80211_sta_stop_rx_ba_session(sta->sdata->dev, sta->addr,
1485
+
(u16)*ptid, WLAN_BACK_TIMER,
1518
1486
WLAN_REASON_QSTA_TIMEOUT);
1519
1487
}
1520
1488
···
1823
1791
if (ifsta->assocresp_ies)
1824
1792
memcpy(ifsta->assocresp_ies, pos, ifsta->assocresp_ies_len);
1825
1793
1794
+
rcu_read_lock();
1795
+
1826
1796
/* Add STA entry for the AP */
1827
1797
sta = sta_info_get(local, ifsta->bssid);
1828
1798
if (!sta) {
1829
1799
struct ieee80211_sta_bss *bss;
1830
-
sta = sta_info_add(local, dev, ifsta->bssid, GFP_KERNEL);
1800
+
1801
+
sta = sta_info_add(sdata, ifsta->bssid);
1831
1802
if (IS_ERR(sta)) {
1832
1803
printk(KERN_DEBUG "%s: failed to add STA entry for the"
1833
1804
" AP (error %ld)\n", dev->name, PTR_ERR(sta));
1805
+
rcu_read_unlock();
1834
1806
return;
1835
1807
}
1836
1808
bss = ieee80211_rx_bss_get(dev, ifsta->bssid,
···
1848
1812
}
1849
1813
}
1850
1814
1851
-
sta->dev = dev;
1852
1815
sta->flags |= WLAN_STA_AUTH | WLAN_STA_ASSOC | WLAN_STA_ASSOC_AP |
1853
1816
WLAN_STA_AUTHORIZED;
1854
1817
···
1918
1883
bss_conf->aid = aid;
1919
1884
ieee80211_set_associated(dev, ifsta, 1);
1920
1885
1921
-
sta_info_put(sta);
1886
+
rcu_read_unlock();
1922
1887
1923
1888
ieee80211_associated(dev, ifsta);
1924
1889
}
···
2364
2329
mesh_peer_accepts_plinks(&elems, dev));
2365
2330
}
2366
2331
2332
+
rcu_read_lock();
2333
+
2367
2334
if (sdata->vif.type == IEEE80211_IF_TYPE_IBSS && elems.supp_rates &&
2368
2335
memcmp(mgmt->bssid, sdata->u.sta.bssid, ETH_ALEN) == 0 &&
2369
2336
(sta = sta_info_get(local, mgmt->sa))) {
···
2391
2354
(unsigned long long) supp_rates,
2392
2355
(unsigned long long) sta->supp_rates[rx_status->band]);
2393
2356
}
2394
-
sta_info_put(sta);
2395
2357
}
2358
+
2359
+
rcu_read_unlock();
2396
2360
2397
2361
if (elems.ds_params && elems.ds_params_len == 1)
2398
2362
freq = ieee80211_channel_to_frequency(elems.ds_params[0]);
···
2588
2550
"local TSF - IBSS merge with BSSID %s\n",
2589
2551
dev->name, print_mac(mac, mgmt->bssid));
2590
2552
ieee80211_sta_join_ibss(dev, &sdata->u.sta, bss);
2553
+
rcu_read_lock();
2591
2554
ieee80211_ibss_add_sta(dev, NULL,
2592
2555
mgmt->bssid, mgmt->sa);
2556
+
rcu_read_unlock();
2593
2557
}
2594
2558
}
2595
2559
···
2933
2893
struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
2934
2894
int active = 0;
2935
2895
struct sta_info *sta;
2896
+
struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
2936
2897
2937
-
read_lock_bh(&local->sta_lock);
2938
-
list_for_each_entry(sta, &local->sta_list, list) {
2939
-
if (sta->dev == dev &&
2898
+
rcu_read_lock();
2899
+
2900
+
list_for_each_entry_rcu(sta, &local->sta_list, list) {
2901
+
if (sta->sdata == sdata &&
2940
2902
time_after(sta->last_rx + IEEE80211_IBSS_MERGE_INTERVAL,
2941
2903
jiffies)) {
2942
2904
active++;
2943
2905
break;
2944
2906
}
2945
2907
}
2946
-
read_unlock_bh(&local->sta_lock);
2908
+
2909
+
rcu_read_unlock();
2947
2910
2948
2911
return active;
2949
2912
}
···
2958
2915
struct sta_info *sta, *tmp;
2959
2916
LIST_HEAD(tmp_list);
2960
2917
DECLARE_MAC_BUF(mac);
2918
+
unsigned long flags;
2961
2919
2962
-
write_lock_bh(&local->sta_lock);
2920
+
spin_lock_irqsave(&local->sta_lock, flags);
2963
2921
list_for_each_entry_safe(sta, tmp, &local->sta_list, list)
2964
2922
if (time_after(jiffies, sta->last_rx + exp_time)) {
2965
2923
printk(KERN_DEBUG "%s: expiring inactive STA %s\n",
2966
2924
dev->name, print_mac(mac, sta->addr));
2967
-
__sta_info_get(sta);
2968
-
sta_info_remove(sta);
2969
-
list_add(&sta->list, &tmp_list);
2925
+
sta_info_unlink(&sta);
2926
+
if (sta)
2927
+
list_add(&sta->list, &tmp_list);
2970
2928
}
2971
-
write_unlock_bh(&local->sta_lock);
2929
+
spin_unlock_irqrestore(&local->sta_lock, flags);
2972
2930
2973
-
list_for_each_entry_safe(sta, tmp, &tmp_list, list) {
2974
-
sta_info_free(sta);
2975
-
sta_info_put(sta);
2976
-
}
2931
+
synchronize_rcu();
2932
+
2933
+
rtnl_lock();
2934
+
list_for_each_entry_safe(sta, tmp, &tmp_list, list)
2935
+
sta_info_destroy(sta);
2936
+
rtnl_unlock();
2977
2937
}
2978
2938
2979
2939
···
4023
3977
}
4024
3978
4025
3979
3980
+
/* must be called under RCU read lock */
4026
3981
struct sta_info * ieee80211_ibss_add_sta(struct net_device *dev,
4027
3982
struct sk_buff *skb, u8 *bssid,
4028
3983
u8 *addr)
···
4046
3999
printk(KERN_DEBUG "%s: Adding new IBSS station %s (dev=%s)\n",
4047
4000
wiphy_name(local->hw.wiphy), print_mac(mac, addr), dev->name);
4048
4001
4049
-
sta = sta_info_add(local, dev, addr, GFP_ATOMIC);
4002
+
sta = sta_info_add(sdata, addr);
4050
4003
if (IS_ERR(sta))
4051
4004
return NULL;
4052
4005
···
4057
4010
4058
4011
rate_control_rate_init(sta, local);
4059
4012
4060
-
return sta; /* caller will call sta_info_put() */
4013
+
return sta;
4061
4014
}
4062
4015
4063
4016
+7
-1
net/mac80211/key.c
+7
-1
net/mac80211/key.c
···
240
240
if (sdata->vif.type == IEEE80211_IF_TYPE_STA) {
241
241
struct sta_info *ap;
242
242
243
+
rcu_read_lock();
244
+
243
245
/* same here, the AP could be using QoS */
244
246
ap = sta_info_get(key->local, key->sdata->u.sta.bssid);
245
247
if (ap) {
246
248
if (ap->flags & WLAN_STA_WME)
247
249
key->conf.flags |=
248
250
IEEE80211_KEY_FLAG_WMM_STA;
249
-
sta_info_put(ap);
250
251
}
252
+
253
+
rcu_read_unlock();
251
254
}
252
255
}
253
256
···
293
290
__ieee80211_key_replace(key->sdata, key->sta,
294
291
key, NULL);
295
292
293
+
/*
294
+
* Do NOT remove this without looking at sta_info_destroy()
295
+
*/
296
296
synchronize_rcu();
297
297
298
298
/*
+2
-3
net/mac80211/mesh.c
+2
-3
net/mac80211/mesh.c
···
83
83
/**
84
84
* mesh_accept_plinks_update: update accepting_plink in local mesh beacons
85
85
*
86
-
* @dev: mesh interface in which mesh beacons are going to be updated
86
+
* @sdata: mesh interface in which mesh beacons are going to be updated
87
87
*/
88
-
void mesh_accept_plinks_update(struct net_device *dev)
88
+
void mesh_accept_plinks_update(struct ieee80211_sub_if_data *sdata)
89
89
{
90
-
struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
91
90
bool free_plinks;
92
91
93
92
/* In case mesh_plink_free_count > 0 and mesh_plinktbl_capacity == 0,
+9
-7
net/mac80211/mesh.h
+9
-7
net/mac80211/mesh.h
···
65
65
* @state_lock: mesh pat state lock
66
66
*
67
67
*
68
-
* The combination of dst and dev is unique in the mesh path table. A reference
69
-
* to the next_hop sta will be kept and in case this sta is removed, the
70
-
* mesh_path structure must be also removed or substitued in a rcu safe way
68
+
* The combination of dst and dev is unique in the mesh path table. Since the
69
+
* next_hop STA is only protected by RCU as well, deleting the STA must also
70
+
* remove/substitute the mesh_path structure and wait until that is no longer
71
+
* reachable before destroying the STA completely.
71
72
*/
72
73
struct mesh_path {
73
74
u8 dst[ETH_ALEN];
···
231
230
bool add);
232
231
bool mesh_peer_accepts_plinks(struct ieee802_11_elems *ie,
233
232
struct net_device *dev);
234
-
void mesh_accept_plinks_update(struct net_device *dev);
235
-
struct sta_info *mesh_plink_add(u8 *hw_addr, u64 rates, struct net_device *dev);
233
+
void mesh_accept_plinks_update(struct ieee80211_sub_if_data *sdata);
234
+
struct sta_info *mesh_plink_add(u8 *hw_addr, u64 rates,
235
+
struct ieee80211_sub_if_data *sdata);
236
236
void mesh_plink_broken(struct sta_info *sta);
237
237
void mesh_plink_deactivate(struct sta_info *sta);
238
238
int mesh_plink_open(struct sta_info *sta);
···
256
254
void mesh_path_tx_pending(struct mesh_path *mpath);
257
255
int mesh_pathtbl_init(void);
258
256
void mesh_pathtbl_unregister(void);
259
-
int mesh_path_del(u8 *addr, struct net_device *dev);
257
+
int mesh_path_del(u8 *addr, struct net_device *dev, bool force);
260
258
void mesh_path_timer(unsigned long data);
261
259
void mesh_path_flush_by_nexthop(struct sta_info *sta);
262
260
void mesh_path_discard_frame(struct sk_buff *skb, struct net_device *dev);
···
272
270
273
271
static inline bool mesh_plink_availables(struct ieee80211_sub_if_data *sdata)
274
272
{
275
-
return (min(mesh_plink_free_count(sdata),
273
+
return (min_t(long, mesh_plink_free_count(sdata),
276
274
MESH_MAX_PLINKS - sdata->local->num_sta)) > 0;
277
275
}
278
276
+1
-5
net/mac80211/mesh_hwmp.c
+1
-5
net/mac80211/mesh_hwmp.c
···
294
294
orig_metric = PREP_IE_METRIC(hwmp_ie);
295
295
break;
296
296
default:
297
-
sta_info_put(sta);
298
297
rcu_read_unlock();
299
298
return 0;
300
299
}
···
329
330
mpath = mesh_path_lookup(orig_addr, dev);
330
331
if (!mpath) {
331
332
rcu_read_unlock();
332
-
sta_info_put(sta);
333
333
return 0;
334
334
}
335
335
spin_lock_bh(&mpath->state_lock);
···
370
372
mpath = mesh_path_lookup(ta, dev);
371
373
if (!mpath) {
372
374
rcu_read_unlock();
373
-
sta_info_put(sta);
374
375
return 0;
375
376
}
376
377
spin_lock_bh(&mpath->state_lock);
···
388
391
spin_unlock_bh(&mpath->state_lock);
389
392
}
390
393
391
-
sta_info_put(sta);
392
394
rcu_read_unlock();
393
395
394
396
return process ? new_metric : 0;
···
857
861
endmpathtimer:
858
862
rcu_read_unlock();
859
863
if (delete)
860
-
mesh_path_del(mpath->dst, mpath->dev);
864
+
mesh_path_del(mpath->dst, mpath->dev, false);
861
865
}
+14
-16
net/mac80211/mesh_pathtbl.c
+14
-16
net/mac80211/mesh_pathtbl.c
···
55
55
*/
56
56
void mesh_path_assign_nexthop(struct mesh_path *mpath, struct sta_info *sta)
57
57
{
58
-
__sta_info_get(sta);
59
-
if (mpath->next_hop)
60
-
sta_info_put(mpath->next_hop);
61
-
mpath->next_hop = sta;
58
+
rcu_assign_pointer(mpath->next_hop, sta);
62
59
}
63
60
64
61
···
233
236
struct mesh_path *mpath;
234
237
struct mpath_node *node;
235
238
struct hlist_node *p;
236
-
struct net_device *dev = sta->dev;
239
+
struct net_device *dev = sta->sdata->dev;
237
240
int i;
238
241
239
242
rcu_read_lock();
···
263
266
*
264
267
* RCU notes: this function is called when a mesh plink transitions from ESTAB
265
268
* to any other state, since ESTAB state is the only one that allows path
266
-
* creation. This will happen before the sta can be freed (since we hold
267
-
* a reference to it) so any reader in a rcu read block will be protected
268
-
* against the plink dissapearing.
269
+
* creation. This will happen before the sta can be freed (because
270
+
* sta_info_destroy() calls this) so any reader in a rcu read block will be
271
+
* protected against the plink disappearing.
269
272
*/
270
273
void mesh_path_flush_by_nexthop(struct sta_info *sta)
271
274
{
···
277
280
for_each_mesh_entry(mesh_paths, p, node, i) {
278
281
mpath = node->mpath;
279
282
if (mpath->next_hop == sta)
280
-
mesh_path_del(mpath->dst, mpath->dev);
283
+
mesh_path_del(mpath->dst, mpath->dev, true);
281
284
}
282
285
}
283
286
···
291
294
for_each_mesh_entry(mesh_paths, p, node, i) {
292
295
mpath = node->mpath;
293
296
if (mpath->dev == dev)
294
-
mesh_path_del(mpath->dst, mpath->dev);
297
+
mesh_path_del(mpath->dst, mpath->dev, false);
295
298
}
296
299
}
297
300
···
300
303
struct mpath_node *node = container_of(rp, struct mpath_node, rcu);
301
304
struct ieee80211_sub_if_data *sdata =
302
305
IEEE80211_DEV_TO_SUB_IF(node->mpath->dev);
303
-
if (node->mpath->next_hop)
304
-
sta_info_put(node->mpath->next_hop);
306
+
307
+
rcu_assign_pointer(node->mpath->next_hop, NULL);
305
308
atomic_dec(&sdata->u.sta.mpaths);
306
309
kfree(node->mpath);
307
310
kfree(node);
···
316
319
* Returns: 0 if succesful
317
320
*
318
321
* State: if the path is being resolved, the deletion will be postponed until
319
-
* the path resolution completes or times out.
322
+
* the path resolution completes or times out, unless the force parameter
323
+
* is given.
320
324
*/
321
-
int mesh_path_del(u8 *addr, struct net_device *dev)
325
+
int mesh_path_del(u8 *addr, struct net_device *dev, bool force)
322
326
{
323
327
struct mesh_path *mpath;
324
328
struct mpath_node *node;
···
338
340
if (mpath->dev == dev &&
339
341
memcmp(addr, mpath->dst, ETH_ALEN) == 0) {
340
342
spin_lock_bh(&mpath->state_lock);
341
-
if (mpath->flags & MESH_PATH_RESOLVING) {
343
+
if (!force && mpath->flags & MESH_PATH_RESOLVING) {
342
344
mpath->flags |= MESH_PATH_DELETE;
343
345
} else {
344
346
mpath->flags |= MESH_PATH_RESOLVING;
···
508
510
time_after(jiffies,
509
511
mpath->exp_time + MESH_PATH_EXPIRE)) {
510
512
spin_unlock_bh(&mpath->state_lock);
511
-
mesh_path_del(mpath->dst, mpath->dev);
513
+
mesh_path_del(mpath->dst, mpath->dev, false);
512
514
} else
513
515
spin_unlock_bh(&mpath->state_lock);
514
516
}
+52
-49
net/mac80211/mesh_plink.c
+52
-49
net/mac80211/mesh_plink.c
···
65
65
void mesh_plink_inc_estab_count(struct ieee80211_sub_if_data *sdata)
66
66
{
67
67
atomic_inc(&sdata->u.sta.mshstats.estab_plinks);
68
-
mesh_accept_plinks_update(sdata->dev);
68
+
mesh_accept_plinks_update(sdata);
69
69
}
70
70
71
71
static inline
72
72
void mesh_plink_dec_estab_count(struct ieee80211_sub_if_data *sdata)
73
73
{
74
74
atomic_dec(&sdata->u.sta.mshstats.estab_plinks);
75
-
mesh_accept_plinks_update(sdata->dev);
75
+
mesh_accept_plinks_update(sdata);
76
76
}
77
77
78
78
/**
···
99
99
*
100
100
* Returns: non-NULL on success, ERR_PTR() on error.
101
101
*/
102
-
struct sta_info *mesh_plink_add(u8 *hw_addr, u64 rates, struct net_device *dev)
102
+
struct sta_info *mesh_plink_add(u8 *hw_addr, u64 rates,
103
+
struct ieee80211_sub_if_data *sdata)
103
104
{
104
-
struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
105
+
struct ieee80211_local *local = sdata->local;
105
106
struct sta_info *sta;
106
107
107
-
if (memcmp(hw_addr, dev->dev_addr, ETH_ALEN) == 0)
108
+
if (compare_ether_addr(hw_addr, sdata->dev->dev_addr) == 0)
108
109
/* never add ourselves as neighbours */
109
110
return ERR_PTR(-EINVAL);
110
111
···
115
114
if (local->num_sta >= MESH_MAX_PLINKS)
116
115
return ERR_PTR(-ENOSPC);
117
116
118
-
sta = sta_info_add(local, dev, hw_addr, GFP_KERNEL);
117
+
sta = sta_info_add(sdata, hw_addr);
119
118
if (IS_ERR(sta))
120
119
return sta;
121
120
···
126
125
sta->supp_rates[local->hw.conf.channel->band] = rates;
127
126
rate_control_rate_init(sta, local);
128
127
129
-
mesh_accept_plinks_update(dev);
128
+
mesh_accept_plinks_update(sdata);
130
129
131
130
return sta;
132
131
}
···
142
141
*/
143
142
static void __mesh_plink_deactivate(struct sta_info *sta)
144
143
{
145
-
struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev);
144
+
struct ieee80211_sub_if_data *sdata = sta->sdata;
145
+
146
146
if (sta->plink_state == ESTAB)
147
147
mesh_plink_dec_estab_count(sdata);
148
148
sta->plink_state = BLOCKED;
···
248
246
struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
249
247
struct sta_info *sta;
250
248
249
+
rcu_read_lock();
250
+
251
251
sta = sta_info_get(local, hw_addr);
252
252
if (!sta) {
253
-
sta = mesh_plink_add(hw_addr, rates, dev);
254
-
if (IS_ERR(sta))
253
+
sta = mesh_plink_add(hw_addr, rates, sdata);
254
+
if (IS_ERR(sta)) {
255
+
rcu_read_unlock();
255
256
return;
257
+
}
256
258
}
257
259
258
260
sta->last_rx = jiffies;
···
266
260
sdata->u.sta.mshcfg.auto_open_plinks)
267
261
mesh_plink_open(sta);
268
262
269
-
sta_info_put(sta);
263
+
rcu_read_unlock();
270
264
}
271
265
272
266
static void mesh_plink_timer(unsigned long data)
···
279
273
DECLARE_MAC_BUF(mac);
280
274
#endif
281
275
276
+
/*
277
+
* This STA is valid because sta_info_destroy() will
278
+
* del_timer_sync() this timer after having made sure
279
+
* it cannot be readded (by deleting the plink.)
280
+
*/
282
281
sta = (struct sta_info *) data;
283
282
284
283
spin_lock_bh(&sta->plink_lock);
···
297
286
reason = 0;
298
287
llid = sta->llid;
299
288
plid = sta->plid;
300
-
dev = sta->dev;
301
-
sdata = IEEE80211_DEV_TO_SUB_IF(dev);
289
+
sdata = sta->sdata;
290
+
dev = sdata->dev;
302
291
303
292
switch (sta->plink_state) {
304
293
case OPN_RCVD:
···
313
302
sta->plink_timeout = sta->plink_timeout +
314
303
rand % sta->plink_timeout;
315
304
++sta->plink_retries;
316
-
if (!mod_plink_timer(sta, sta->plink_timeout))
317
-
__sta_info_get(sta);
305
+
mod_plink_timer(sta, sta->plink_timeout);
318
306
spin_unlock_bh(&sta->plink_lock);
319
307
mesh_plink_frame_tx(dev, PLINK_OPEN, sta->addr, llid,
320
308
0, 0);
···
326
316
if (!reason)
327
317
reason = cpu_to_le16(MESH_CONFIRM_TIMEOUT);
328
318
sta->plink_state = HOLDING;
329
-
if (!mod_plink_timer(sta, dot11MeshHoldingTimeout(sdata)))
330
-
__sta_info_get(sta);
319
+
mod_plink_timer(sta, dot11MeshHoldingTimeout(sdata));
331
320
spin_unlock_bh(&sta->plink_lock);
332
321
mesh_plink_frame_tx(dev, PLINK_CLOSE, sta->addr, llid, plid,
333
322
reason);
334
323
break;
335
324
case HOLDING:
336
325
/* holding timer */
337
-
if (del_timer(&sta->plink_timer))
338
-
sta_info_put(sta);
326
+
del_timer(&sta->plink_timer);
339
327
mesh_plink_fsm_restart(sta);
340
328
spin_unlock_bh(&sta->plink_lock);
341
329
break;
···
341
333
spin_unlock_bh(&sta->plink_lock);
342
334
break;
343
335
}
344
-
345
-
sta_info_put(sta);
346
336
}
347
337
348
338
static inline void mesh_plink_timer_set(struct sta_info *sta, int timeout)
···
349
343
sta->plink_timer.data = (unsigned long) sta;
350
344
sta->plink_timer.function = mesh_plink_timer;
351
345
sta->plink_timeout = timeout;
352
-
__sta_info_get(sta);
353
346
add_timer(&sta->plink_timer);
354
347
}
355
348
356
349
int mesh_plink_open(struct sta_info *sta)
357
350
{
358
351
__le16 llid;
359
-
struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev);
352
+
struct ieee80211_sub_if_data *sdata = sta->sdata;
360
353
#ifdef CONFIG_MAC80211_VERBOSE_MPL_DEBUG
361
354
DECLARE_MAC_BUF(mac);
362
355
#endif
···
365
360
sta->llid = llid;
366
361
if (sta->plink_state != LISTEN) {
367
362
spin_unlock_bh(&sta->plink_lock);
368
-
sta_info_put(sta);
369
363
return -EBUSY;
370
364
}
371
365
sta->plink_state = OPN_SNT;
···
373
369
mpl_dbg("Mesh plink: starting establishment with %s\n",
374
370
print_mac(mac, sta->addr));
375
371
376
-
return mesh_plink_frame_tx(sta->dev, PLINK_OPEN, sta->addr, llid, 0, 0);
372
+
return mesh_plink_frame_tx(sdata->dev, PLINK_OPEN,
373
+
sta->addr, llid, 0, 0);
377
374
}
378
375
379
376
void mesh_plink_block(struct sta_info *sta)
···
391
386
392
387
int mesh_plink_close(struct sta_info *sta)
393
388
{
394
-
struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev);
389
+
struct ieee80211_sub_if_data *sdata = sta->sdata;
395
390
int llid, plid, reason;
396
391
#ifdef CONFIG_MAC80211_VERBOSE_MPL_DEBUG
397
392
DECLARE_MAC_BUF(mac);
···
406
401
if (sta->plink_state == LISTEN || sta->plink_state == BLOCKED) {
407
402
mesh_plink_fsm_restart(sta);
408
403
spin_unlock_bh(&sta->plink_lock);
409
-
sta_info_put(sta);
410
404
return 0;
411
405
} else if (sta->plink_state == ESTAB) {
412
406
__mesh_plink_deactivate(sta);
413
407
/* The timer should not be running */
414
-
if (!mod_plink_timer(sta, dot11MeshHoldingTimeout(sdata)))
415
-
__sta_info_get(sta);
408
+
mod_plink_timer(sta, dot11MeshHoldingTimeout(sdata));
416
409
} else if (!mod_plink_timer(sta, dot11MeshHoldingTimeout(sdata)))
417
410
sta->ignore_plink_timer = true;
418
411
···
418
415
llid = sta->llid;
419
416
plid = sta->plid;
420
417
spin_unlock_bh(&sta->plink_lock);
421
-
mesh_plink_frame_tx(sta->dev, PLINK_CLOSE, sta->addr, llid, plid,
422
-
reason);
418
+
mesh_plink_frame_tx(sta->sdata->dev, PLINK_CLOSE, sta->addr, llid,
419
+
plid, reason);
423
420
return 0;
424
421
}
425
422
426
423
void mesh_rx_plink_frame(struct net_device *dev, struct ieee80211_mgmt *mgmt,
427
424
size_t len, struct ieee80211_rx_status *rx_status)
428
425
{
429
-
struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
426
+
struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
427
+
struct ieee80211_local *local = sdata->local;
430
428
struct ieee802_11_elems elems;
431
429
struct sta_info *sta;
432
430
enum plink_event event;
···
439
435
#ifdef CONFIG_MAC80211_VERBOSE_MPL_DEBUG
440
436
DECLARE_MAC_BUF(mac);
441
437
#endif
442
-
struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
443
438
444
439
if (is_multicast_ether_addr(mgmt->da)) {
445
440
mpl_dbg("Mesh plink: ignore frame from multicast address");
···
477
474
if (ftype == PLINK_CONFIRM || (ftype == PLINK_CLOSE && ie_len == 7))
478
475
memcpy(&llid, PLINK_GET_PLID(elems.peer_link), 2);
479
476
477
+
rcu_read_lock();
478
+
480
479
sta = sta_info_get(local, mgmt->sa);
481
480
if (!sta && ftype != PLINK_OPEN) {
482
481
mpl_dbg("Mesh plink: cls or cnf from unknown peer\n");
482
+
rcu_read_unlock();
483
483
return;
484
484
}
485
485
486
486
if (sta && sta->plink_state == BLOCKED) {
487
-
sta_info_put(sta);
487
+
rcu_read_unlock();
488
488
return;
489
489
}
490
490
···
511
505
u64 rates;
512
506
if (!mesh_plink_free_count(sdata)) {
513
507
mpl_dbg("Mesh plink error: no more free plinks\n");
508
+
rcu_read_unlock();
514
509
return;
515
510
}
516
511
517
512
rates = ieee80211_sta_get_rates(local, &elems, rx_status->band);
518
-
sta = mesh_plink_add(mgmt->sa, rates, dev);
513
+
sta = mesh_plink_add(mgmt->sa, rates, sdata);
519
514
if (IS_ERR(sta)) {
520
515
mpl_dbg("Mesh plink error: plink table full\n");
516
+
rcu_read_unlock();
521
517
return;
522
518
}
523
519
event = OPN_ACPT;
···
529
521
switch (ftype) {
530
522
case PLINK_OPEN:
531
523
if (!mesh_plink_free_count(sdata) ||
532
-
(sta->plid && sta->plid != plid))
524
+
(sta->plid && sta->plid != plid))
533
525
event = OPN_IGNR;
534
526
else
535
527
event = OPN_ACPT;
536
528
break;
537
529
case PLINK_CONFIRM:
538
530
if (!mesh_plink_free_count(sdata) ||
539
-
(sta->llid != llid || sta->plid != plid))
531
+
(sta->llid != llid || sta->plid != plid))
540
532
event = CNF_IGNR;
541
533
else
542
534
event = CNF_ACPT;
···
563
555
default:
564
556
mpl_dbg("Mesh plink: unknown frame subtype\n");
565
557
spin_unlock_bh(&sta->plink_lock);
566
-
sta_info_put(sta);
558
+
rcu_read_unlock();
567
559
return;
568
560
}
569
561
}
···
667
659
plid, 0);
668
660
break;
669
661
case CNF_ACPT:
670
-
if (del_timer(&sta->plink_timer))
671
-
sta_info_put(sta);
662
+
del_timer(&sta->plink_timer);
672
663
sta->plink_state = ESTAB;
673
664
mesh_plink_inc_estab_count(sdata);
674
665
spin_unlock_bh(&sta->plink_lock);
···
700
693
plid, reason);
701
694
break;
702
695
case OPN_ACPT:
703
-
if (del_timer(&sta->plink_timer))
704
-
sta_info_put(sta);
696
+
del_timer(&sta->plink_timer);
705
697
sta->plink_state = ESTAB;
706
698
mesh_plink_inc_estab_count(sdata);
707
699
spin_unlock_bh(&sta->plink_lock);
···
723
717
__mesh_plink_deactivate(sta);
724
718
sta->plink_state = HOLDING;
725
719
llid = sta->llid;
726
-
if (!mod_plink_timer(sta,
727
-
dot11MeshHoldingTimeout(sdata)))
728
-
__sta_info_get(sta);
720
+
mod_plink_timer(sta, dot11MeshHoldingTimeout(sdata));
729
721
spin_unlock_bh(&sta->plink_lock);
730
722
mesh_plink_frame_tx(dev, PLINK_CLOSE, sta->addr, llid,
731
723
plid, reason);
···
742
738
case HOLDING:
743
739
switch (event) {
744
740
case CLS_ACPT:
745
-
if (del_timer(&sta->plink_timer)) {
741
+
if (del_timer(&sta->plink_timer))
746
742
sta->ignore_plink_timer = 1;
747
-
sta_info_put(sta);
748
-
}
749
743
mesh_plink_fsm_restart(sta);
750
744
spin_unlock_bh(&sta->plink_lock);
751
745
break;
···
768
766
spin_unlock_bh(&sta->plink_lock);
769
767
break;
770
768
}
771
-
sta_info_put(sta);
769
+
770
+
rcu_read_unlock();
772
771
}
+14
-11
net/mac80211/rc80211_pid_algo.c
+14
-11
net/mac80211/rc80211_pid_algo.c
···
77
77
int cur_sorted, new_sorted, probe, tmp, n_bitrates, band;
78
78
int cur = sta->txrate_idx;
79
79
80
-
sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev);
80
+
sdata = sta->sdata;
81
81
sband = local->hw.wiphy->bands[local->hw.conf.channel->band];
82
82
band = sband->band;
83
83
n_bitrates = sband->n_bitrates;
···
149
149
struct sta_info *sta)
150
150
{
151
151
#ifdef CONFIG_MAC80211_MESH
152
-
struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev);
152
+
struct ieee80211_sub_if_data *sdata = sta->sdata;
153
153
#endif
154
154
struct rc_pid_sta_info *spinfo = sta->rate_ctrl_priv;
155
155
struct rc_pid_rateinfo *rinfo = pinfo->rinfo;
···
249
249
unsigned long period;
250
250
struct ieee80211_supported_band *sband;
251
251
252
+
rcu_read_lock();
253
+
252
254
sta = sta_info_get(local, hdr->addr1);
253
255
sband = local->hw.wiphy->bands[local->hw.conf.channel->band];
254
256
255
257
if (!sta)
256
-
return;
258
+
goto unlock;
257
259
258
260
/* Don't update the state if we're not controlling the rate. */
259
-
sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev);
261
+
sdata = sta->sdata;
260
262
if (sdata->bss && sdata->bss->force_unicast_rateidx > -1) {
261
263
sta->txrate_idx = sdata->bss->max_ratectrl_rateidx;
262
-
return;
264
+
goto unlock;
263
265
}
264
266
265
267
/* Ignore all frames that were sent with a different rate than the rate
266
268
* we currently advise mac80211 to use. */
267
269
if (status->control.tx_rate != &sband->bitrates[sta->txrate_idx])
268
-
goto ignore;
270
+
goto unlock;
269
271
270
272
spinfo = sta->rate_ctrl_priv;
271
273
spinfo->tx_num_xmit++;
···
305
303
if (time_after(jiffies, spinfo->last_sample + period))
306
304
rate_control_pid_sample(pinfo, local, sta);
307
305
308
-
ignore:
309
-
sta_info_put(sta);
306
+
unlock:
307
+
rcu_read_unlock();
310
308
}
311
309
312
310
static void rate_control_pid_get_rate(void *priv, struct net_device *dev,
···
321
319
int rateidx;
322
320
u16 fc;
323
321
322
+
rcu_read_lock();
323
+
324
324
sta = sta_info_get(local, hdr->addr1);
325
325
326
326
/* Send management frames and broadcast/multicast data using lowest
···
331
327
if ((fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_DATA ||
332
328
is_multicast_ether_addr(hdr->addr1) || !sta) {
333
329
sel->rate = rate_lowest(local, sband, sta);
334
-
if (sta)
335
-
sta_info_put(sta);
330
+
rcu_read_unlock();
336
331
return;
337
332
}
338
333
···
347
344
348
345
sta->last_txrate_idx = rateidx;
349
346
350
-
sta_info_put(sta);
347
+
rcu_read_unlock();
351
348
352
349
sel->rate = &sband->bitrates[rateidx];
353
350
+11
-7
net/mac80211/rc80211_simple.c
+11
-7
net/mac80211/rc80211_simple.c
···
40
40
int i = sta->txrate_idx;
41
41
int maxrate;
42
42
43
-
sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev);
43
+
sdata = sta->sdata;
44
44
if (sdata->bss && sdata->bss->force_unicast_rateidx > -1) {
45
45
/* forced unicast rate - do not change STA rate */
46
46
return;
···
70
70
struct ieee80211_supported_band *sband;
71
71
int i = sta->txrate_idx;
72
72
73
-
sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev);
73
+
sdata = sta->sdata;
74
74
if (sdata->bss && sdata->bss->force_unicast_rateidx > -1) {
75
75
/* forced unicast rate - do not change STA rate */
76
76
return;
···
118
118
struct sta_info *sta;
119
119
struct sta_rate_control *srctrl;
120
120
121
+
rcu_read_lock();
122
+
121
123
sta = sta_info_get(local, hdr->addr1);
122
124
123
125
if (!sta)
124
-
return;
126
+
goto unlock;
125
127
126
128
srctrl = sta->rate_ctrl_priv;
127
129
srctrl->tx_num_xmit++;
···
193
191
}
194
192
}
195
193
196
-
sta_info_put(sta);
194
+
unlock:
195
+
rcu_read_unlock();
197
196
}
198
197
199
198
···
211
208
int rateidx;
212
209
u16 fc;
213
210
211
+
rcu_read_lock();
212
+
214
213
sta = sta_info_get(local, hdr->addr1);
215
214
216
215
/* Send management frames and broadcast/multicast data using lowest
···
221
216
if ((fc & IEEE80211_FCTL_FTYPE) != IEEE80211_FTYPE_DATA ||
222
217
is_multicast_ether_addr(hdr->addr1) || !sta) {
223
218
sel->rate = rate_lowest(local, sband, sta);
224
-
if (sta)
225
-
sta_info_put(sta);
219
+
rcu_read_unlock();
226
220
return;
227
221
}
228
222
···
237
233
238
234
sta->last_txrate_idx = rateidx;
239
235
240
-
sta_info_put(sta);
236
+
rcu_read_unlock();
241
237
242
238
sel->rate = &sband->bitrates[rateidx];
243
239
}
+8
-16
net/mac80211/rx.c
+8
-16
net/mac80211/rx.c
···
631
631
struct ieee80211_sub_if_data *sdata;
632
632
DECLARE_MAC_BUF(mac);
633
633
634
-
sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev);
634
+
sdata = sta->sdata;
635
635
636
636
if (sdata->bss)
637
637
atomic_inc(&sdata->bss->num_sta_ps);
···
652
652
struct ieee80211_tx_packet_data *pkt_data;
653
653
DECLARE_MAC_BUF(mac);
654
654
655
-
sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev);
655
+
sdata = sta->sdata;
656
656
657
657
if (sdata->bss)
658
658
atomic_dec(&sdata->bss->num_sta_ps);
···
1287
1287
"multicast frame\n", dev->name);
1288
1288
} else {
1289
1289
dsta = sta_info_get(local, skb->data);
1290
-
if (dsta && dsta->dev == dev) {
1290
+
if (dsta && dsta->sdata->dev == dev) {
1291
1291
/*
1292
1292
* The destination station is associated to
1293
1293
* this AP (in this VLAN), so send the frame
···
1297
1297
xmit_skb = skb;
1298
1298
skb = NULL;
1299
1299
}
1300
-
if (dsta)
1301
-
sta_info_put(dsta);
1302
1300
}
1303
1301
}
1304
1302
···
1903
1905
1904
1906
rx.sta = sta_info_get(local, hdr->addr2);
1905
1907
if (rx.sta) {
1906
-
rx.dev = rx.sta->dev;
1907
-
rx.sdata = IEEE80211_DEV_TO_SUB_IF(rx.dev);
1908
+
rx.sdata = rx.sta->sdata;
1909
+
rx.dev = rx.sta->sdata->dev;
1908
1910
}
1909
1911
1910
1912
if ((status->flag & RX_FLAG_MMIC_ERROR)) {
1911
1913
ieee80211_rx_michael_mic_report(local->mdev, hdr, &rx);
1912
-
goto end;
1914
+
return;
1913
1915
}
1914
1916
1915
1917
if (unlikely(local->sta_sw_scanning || local->sta_hw_scanning))
···
1968
1970
ieee80211_invoke_rx_handlers(prev, &rx, skb);
1969
1971
} else
1970
1972
dev_kfree_skb(skb);
1971
-
1972
-
end:
1973
-
if (rx.sta)
1974
-
sta_info_put(rx.sta);
1975
1973
}
1976
1974
1977
1975
#define SEQ_MODULO 0x1000
···
2144
2150
/* if this mpdu is fragmented - terminate rx aggregation session */
2145
2151
sc = le16_to_cpu(hdr->seq_ctrl);
2146
2152
if (sc & IEEE80211_SCTL_FRAG) {
2147
-
ieee80211_sta_stop_rx_ba_session(sta->dev, sta->addr,
2153
+
ieee80211_sta_stop_rx_ba_session(sta->sdata->dev, sta->addr,
2148
2154
tid, 0, WLAN_REASON_QSTA_REQUIRE_SETUP);
2149
2155
ret = 1;
2150
2156
goto end_reorder;
···
2154
2160
mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4;
2155
2161
ret = ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb,
2156
2162
mpdu_seq_num, 0);
2157
-
end_reorder:
2158
-
if (sta)
2159
-
sta_info_put(sta);
2163
+
end_reorder:
2160
2164
return ret;
2161
2165
}
2162
2166
+244
-151
net/mac80211/sta_info.c
+244
-151
net/mac80211/sta_info.c
···
15
15
#include <linux/skbuff.h>
16
16
#include <linux/if_arp.h>
17
17
#include <linux/timer.h>
18
+
#include <linux/rtnetlink.h>
18
19
19
20
#include <net/mac80211.h>
20
21
#include "ieee80211_i.h"
···
24
23
#include "debugfs_sta.h"
25
24
#include "mesh.h"
26
25
27
-
/* Caller must hold local->sta_lock */
28
-
static void sta_info_hash_add(struct ieee80211_local *local,
29
-
struct sta_info *sta)
30
-
{
31
-
sta->hnext = local->sta_hash[STA_HASH(sta->addr)];
32
-
local->sta_hash[STA_HASH(sta->addr)] = sta;
33
-
}
34
-
26
+
/**
27
+
* DOC: STA information lifetime rules
28
+
*
29
+
* STA info structures (&struct sta_info) are managed in a hash table
30
+
* for faster lookup and a list for iteration. They are managed using
31
+
* RCU, i.e. access to the list and hash table is protected by RCU.
32
+
*
33
+
* STA info structures are always "alive" when they are added with
34
+
* @sta_info_add() [this may be changed in the future to allow allocating
35
+
* outside of a critical section!], they are then added to the hash
36
+
* table and list. Therefore, @sta_info_add() must also be RCU protected,
37
+
* also, the caller of @sta_info_add() cannot assume that it owns the
38
+
* structure.
39
+
*
40
+
* Because there are debugfs entries for each station, and adding those
41
+
* must be able to sleep, it is also possible to "pin" a station entry,
42
+
* that means it can be removed from the hash table but not be freed.
43
+
* See the comment in @__sta_info_unlink() for more information.
44
+
*
45
+
* In order to remove a STA info structure, the caller needs to first
46
+
* unlink it (@sta_info_unlink()) from the list and hash tables and
47
+
* then wait for an RCU synchronisation before it can be freed. Due to
48
+
* the pinning and the possibility of multiple callers trying to remove
49
+
* the same STA info at the same time, @sta_info_unlink() can clear the
50
+
* STA info pointer it is passed to indicate that the STA info is owned
51
+
* by somebody else now.
52
+
*
53
+
* If @sta_info_unlink() did not clear the pointer then the caller owns
54
+
* the STA info structure now and is responsible of destroying it with
55
+
* a call to @sta_info_destroy(), not before RCU synchronisation, of
56
+
* course. Note that sta_info_destroy() must be protected by the RTNL.
57
+
*
58
+
* In all other cases, there is no concept of ownership on a STA entry,
59
+
* each structure is owned by the global hash table/list until it is
60
+
* removed. All users of the structure need to be RCU protected so that
61
+
* the structure won't be freed before they are done using it.
62
+
*/
35
63
36
64
/* Caller must hold local->sta_lock */
37
65
static int sta_info_hash_del(struct ieee80211_local *local,
···
72
42
if (!s)
73
43
return -ENOENT;
74
44
if (s == sta) {
75
-
local->sta_hash[STA_HASH(sta->addr)] = s->hnext;
45
+
rcu_assign_pointer(local->sta_hash[STA_HASH(sta->addr)],
46
+
s->hnext);
76
47
return 0;
77
48
}
78
49
79
50
while (s->hnext && s->hnext != sta)
80
51
s = s->hnext;
81
52
if (s->hnext) {
82
-
s->hnext = sta->hnext;
53
+
rcu_assign_pointer(s->hnext, sta->hnext);
83
54
return 0;
84
55
}
85
56
86
57
return -ENOENT;
87
58
}
88
59
89
-
/* must hold local->sta_lock */
60
+
/* protected by RCU */
90
61
static struct sta_info *__sta_info_find(struct ieee80211_local *local,
91
62
u8 *addr)
92
63
{
93
64
struct sta_info *sta;
94
65
95
-
sta = local->sta_hash[STA_HASH(addr)];
66
+
sta = rcu_dereference(local->sta_hash[STA_HASH(addr)]);
96
67
while (sta) {
97
68
if (compare_ether_addr(sta->addr, addr) == 0)
98
69
break;
99
-
sta = sta->hnext;
70
+
sta = rcu_dereference(sta->hnext);
100
71
}
101
72
return sta;
102
73
}
103
74
104
75
struct sta_info *sta_info_get(struct ieee80211_local *local, u8 *addr)
105
76
{
106
-
struct sta_info *sta;
107
-
108
-
read_lock_bh(&local->sta_lock);
109
-
sta = __sta_info_find(local, addr);
110
-
if (sta)
111
-
__sta_info_get(sta);
112
-
read_unlock_bh(&local->sta_lock);
113
-
114
-
return sta;
77
+
return __sta_info_find(local, addr);
115
78
}
116
79
EXPORT_SYMBOL(sta_info_get);
117
80
···
114
91
struct sta_info *sta;
115
92
int i = 0;
116
93
117
-
read_lock_bh(&local->sta_lock);
118
-
list_for_each_entry(sta, &local->sta_list, list) {
94
+
list_for_each_entry_rcu(sta, &local->sta_list, list) {
119
95
if (i < idx) {
120
96
++i;
121
97
continue;
122
-
} else if (!dev || dev == sta->dev) {
123
-
__sta_info_get(sta);
124
-
read_unlock_bh(&local->sta_lock);
98
+
} else if (!dev || dev == sta->sdata->dev) {
125
99
return sta;
126
100
}
127
101
}
128
-
read_unlock_bh(&local->sta_lock);
129
102
130
103
return NULL;
131
104
}
132
105
133
-
static void sta_info_release(struct kref *kref)
106
+
void sta_info_destroy(struct sta_info *sta)
134
107
{
135
-
struct sta_info *sta = container_of(kref, struct sta_info, kref);
136
108
struct ieee80211_local *local = sta->local;
137
109
struct sk_buff *skb;
138
110
int i;
139
111
140
-
/* free sta structure; it has already been removed from
141
-
* hash table etc. external structures. Make sure that all
142
-
* buffered frames are release (one might have been added
143
-
* after sta_info_free() was called). */
112
+
ASSERT_RTNL();
113
+
might_sleep();
114
+
115
+
rate_control_remove_sta_debugfs(sta);
116
+
ieee80211_sta_debugfs_remove(sta);
117
+
118
+
#ifdef CONFIG_MAC80211_MESH
119
+
if (ieee80211_vif_is_mesh(&sta->sdata->vif))
120
+
mesh_plink_deactivate(sta);
121
+
#endif
122
+
123
+
/*
124
+
* NOTE: This will call synchronize_rcu() internally to
125
+
* make sure no key references can be in use. We rely on
126
+
* that here for the mesh code!
127
+
*/
128
+
ieee80211_key_free(sta->key);
129
+
WARN_ON(sta->key);
130
+
131
+
#ifdef CONFIG_MAC80211_MESH
132
+
if (ieee80211_vif_is_mesh(&sta->sdata->vif))
133
+
del_timer_sync(&sta->plink_timer);
134
+
#endif
135
+
144
136
while ((skb = skb_dequeue(&sta->ps_tx_buf)) != NULL) {
145
137
local->total_ps_buffered--;
146
138
dev_kfree_skb_any(skb);
147
139
}
148
-
while ((skb = skb_dequeue(&sta->tx_filtered)) != NULL) {
140
+
141
+
while ((skb = skb_dequeue(&sta->tx_filtered)) != NULL)
149
142
dev_kfree_skb_any(skb);
150
-
}
143
+
151
144
for (i = 0; i < STA_TID_NUM; i++) {
152
145
del_timer_sync(&sta->ampdu_mlme.tid_rx[i].session_timer);
153
146
del_timer_sync(&sta->ampdu_mlme.tid_tx[i].addba_resp_timer);
154
147
}
155
148
rate_control_free_sta(sta->rate_ctrl, sta->rate_ctrl_priv);
156
149
rate_control_put(sta->rate_ctrl);
150
+
157
151
kfree(sta);
158
152
}
159
153
160
154
161
-
void sta_info_put(struct sta_info *sta)
155
+
/* Caller must hold local->sta_lock */
156
+
static void sta_info_hash_add(struct ieee80211_local *local,
157
+
struct sta_info *sta)
162
158
{
163
-
kref_put(&sta->kref, sta_info_release);
159
+
sta->hnext = local->sta_hash[STA_HASH(sta->addr)];
160
+
rcu_assign_pointer(local->sta_hash[STA_HASH(sta->addr)], sta);
164
161
}
165
-
EXPORT_SYMBOL(sta_info_put);
166
162
167
-
168
-
struct sta_info *sta_info_add(struct ieee80211_local *local,
169
-
struct net_device *dev, u8 *addr, gfp_t gfp)
163
+
struct sta_info *sta_info_add(struct ieee80211_sub_if_data *sdata,
164
+
u8 *addr)
170
165
{
166
+
struct ieee80211_local *local = sdata->local;
171
167
struct sta_info *sta;
172
168
int i;
173
169
DECLARE_MAC_BUF(mac);
170
+
unsigned long flags;
174
171
175
-
sta = kzalloc(sizeof(*sta), gfp);
172
+
sta = kzalloc(sizeof(*sta), GFP_ATOMIC);
176
173
if (!sta)
177
174
return ERR_PTR(-ENOMEM);
178
175
179
-
kref_init(&sta->kref);
176
+
memcpy(sta->addr, addr, ETH_ALEN);
177
+
sta->local = local;
178
+
sta->sdata = sdata;
180
179
181
180
sta->rate_ctrl = rate_control_get(local->rate_ctrl);
182
-
sta->rate_ctrl_priv = rate_control_alloc_sta(sta->rate_ctrl, gfp);
181
+
sta->rate_ctrl_priv = rate_control_alloc_sta(sta->rate_ctrl,
182
+
GFP_ATOMIC);
183
183
if (!sta->rate_ctrl_priv) {
184
184
rate_control_put(sta->rate_ctrl);
185
185
kfree(sta);
186
186
return ERR_PTR(-ENOMEM);
187
187
}
188
188
189
-
memcpy(sta->addr, addr, ETH_ALEN);
190
-
sta->local = local;
191
-
sta->dev = dev;
192
189
spin_lock_init(&sta->ampdu_mlme.ampdu_rx);
193
190
spin_lock_init(&sta->ampdu_mlme.ampdu_tx);
194
191
for (i = 0; i < STA_TID_NUM; i++) {
···
233
190
}
234
191
skb_queue_head_init(&sta->ps_tx_buf);
235
192
skb_queue_head_init(&sta->tx_filtered);
236
-
write_lock_bh(&local->sta_lock);
237
-
/* mark sta as used (by caller) */
238
-
__sta_info_get(sta);
193
+
spin_lock_irqsave(&local->sta_lock, flags);
239
194
/* check if STA exists already */
240
195
if (__sta_info_find(local, addr)) {
241
-
write_unlock_bh(&local->sta_lock);
242
-
sta_info_put(sta);
196
+
spin_unlock_irqrestore(&local->sta_lock, flags);
243
197
return ERR_PTR(-EEXIST);
244
198
}
245
199
list_add(&sta->list, &local->sta_list);
246
200
local->num_sta++;
247
201
sta_info_hash_add(local, sta);
248
-
if (local->ops->sta_notify) {
249
-
struct ieee80211_sub_if_data *sdata;
250
202
251
-
sdata = IEEE80211_DEV_TO_SUB_IF(dev);
203
+
/* notify driver */
204
+
if (local->ops->sta_notify) {
252
205
if (sdata->vif.type == IEEE80211_IF_TYPE_VLAN)
253
206
sdata = sdata->u.vlan.ap;
254
207
255
208
local->ops->sta_notify(local_to_hw(local), &sdata->vif,
256
209
STA_NOTIFY_ADD, addr);
257
210
}
258
-
write_unlock_bh(&local->sta_lock);
211
+
212
+
spin_unlock_irqrestore(&local->sta_lock, flags);
259
213
260
214
#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
261
215
printk(KERN_DEBUG "%s: Added STA %s\n",
···
292
252
{
293
253
if (bss)
294
254
__bss_tim_set(bss, sta->aid);
295
-
if (sta->local->ops->set_tim)
255
+
if (sta->local->ops->set_tim) {
256
+
sta->local->tim_in_locked_section = true;
296
257
sta->local->ops->set_tim(local_to_hw(sta->local), sta->aid, 1);
258
+
sta->local->tim_in_locked_section = false;
259
+
}
297
260
}
298
261
299
262
void sta_info_set_tim_bit(struct sta_info *sta)
300
263
{
301
-
struct ieee80211_sub_if_data *sdata;
264
+
unsigned long flags;
302
265
303
-
sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev);
304
-
305
-
read_lock_bh(&sta->local->sta_lock);
306
-
__sta_info_set_tim_bit(sdata->bss, sta);
307
-
read_unlock_bh(&sta->local->sta_lock);
266
+
spin_lock_irqsave(&sta->local->sta_lock, flags);
267
+
__sta_info_set_tim_bit(sta->sdata->bss, sta);
268
+
spin_unlock_irqrestore(&sta->local->sta_lock, flags);
308
269
}
309
270
310
271
static void __sta_info_clear_tim_bit(struct ieee80211_if_ap *bss,
···
313
272
{
314
273
if (bss)
315
274
__bss_tim_clear(bss, sta->aid);
316
-
if (sta->local->ops->set_tim)
275
+
if (sta->local->ops->set_tim) {
276
+
sta->local->tim_in_locked_section = true;
317
277
sta->local->ops->set_tim(local_to_hw(sta->local), sta->aid, 0);
278
+
sta->local->tim_in_locked_section = false;
279
+
}
318
280
}
319
281
320
282
void sta_info_clear_tim_bit(struct sta_info *sta)
321
283
{
322
-
struct ieee80211_sub_if_data *sdata;
284
+
unsigned long flags;
323
285
324
-
sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev);
325
-
326
-
read_lock_bh(&sta->local->sta_lock);
327
-
__sta_info_clear_tim_bit(sdata->bss, sta);
328
-
read_unlock_bh(&sta->local->sta_lock);
286
+
spin_lock_irqsave(&sta->local->sta_lock, flags);
287
+
__sta_info_clear_tim_bit(sta->sdata->bss, sta);
288
+
spin_unlock_irqrestore(&sta->local->sta_lock, flags);
329
289
}
330
290
331
-
/* Caller must hold local->sta_lock */
332
-
void sta_info_remove(struct sta_info *sta)
291
+
/*
292
+
* See comment in __sta_info_unlink,
293
+
* caller must hold local->sta_lock.
294
+
*/
295
+
static void __sta_info_pin(struct sta_info *sta)
333
296
{
334
-
struct ieee80211_local *local = sta->local;
335
-
struct ieee80211_sub_if_data *sdata;
297
+
WARN_ON(sta->pin_status != STA_INFO_PIN_STAT_NORMAL);
298
+
sta->pin_status = STA_INFO_PIN_STAT_PINNED;
299
+
}
336
300
337
-
/* don't do anything if we've been removed already */
338
-
if (sta_info_hash_del(local, sta))
301
+
/*
302
+
* See comment in __sta_info_unlink, returns sta if it
303
+
* needs to be destroyed.
304
+
*/
305
+
static struct sta_info *__sta_info_unpin(struct sta_info *sta)
306
+
{
307
+
struct sta_info *ret = NULL;
308
+
unsigned long flags;
309
+
310
+
spin_lock_irqsave(&sta->local->sta_lock, flags);
311
+
WARN_ON(sta->pin_status != STA_INFO_PIN_STAT_DESTROY &&
312
+
sta->pin_status != STA_INFO_PIN_STAT_PINNED);
313
+
if (sta->pin_status == STA_INFO_PIN_STAT_DESTROY)
314
+
ret = sta;
315
+
sta->pin_status = STA_INFO_PIN_STAT_NORMAL;
316
+
spin_unlock_irqrestore(&sta->local->sta_lock, flags);
317
+
318
+
return ret;
319
+
}
320
+
321
+
static void __sta_info_unlink(struct sta_info **sta)
322
+
{
323
+
struct ieee80211_local *local = (*sta)->local;
324
+
struct ieee80211_sub_if_data *sdata = (*sta)->sdata;
325
+
#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
326
+
DECLARE_MAC_BUF(mbuf);
327
+
#endif
328
+
/*
329
+
* pull caller's reference if we're already gone.
330
+
*/
331
+
if (sta_info_hash_del(local, *sta)) {
332
+
*sta = NULL;
339
333
return;
334
+
}
340
335
341
-
list_del(&sta->list);
342
-
sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev);
343
-
if (sta->flags & WLAN_STA_PS) {
344
-
sta->flags &= ~WLAN_STA_PS;
336
+
/*
337
+
* Also pull caller's reference if the STA is pinned by the
338
+
* task that is adding the debugfs entries. In that case, we
339
+
* leave the STA "to be freed".
340
+
*
341
+
* The rules are not trivial, but not too complex either:
342
+
* (1) pin_status is only modified under the sta_lock
343
+
* (2) sta_info_debugfs_add_work() will set the status
344
+
* to PINNED when it found an item that needs a new
345
+
* debugfs directory created. In that case, that item
346
+
* must not be freed although all *RCU* users are done
347
+
* with it. Hence, we tell the caller of _unlink()
348
+
* that the item is already gone (as can happen when
349
+
* two tasks try to unlink/destroy at the same time)
350
+
* (3) We set the pin_status to DESTROY here when we
351
+
* find such an item.
352
+
* (4) sta_info_debugfs_add_work() will reset the pin_status
353
+
* from PINNED to NORMAL when it is done with the item,
354
+
* but will check for DESTROY before resetting it in
355
+
* which case it will free the item.
356
+
*/
357
+
if ((*sta)->pin_status == STA_INFO_PIN_STAT_PINNED) {
358
+
(*sta)->pin_status = STA_INFO_PIN_STAT_DESTROY;
359
+
*sta = NULL;
360
+
return;
361
+
}
362
+
363
+
list_del(&(*sta)->list);
364
+
365
+
if ((*sta)->flags & WLAN_STA_PS) {
366
+
(*sta)->flags &= ~WLAN_STA_PS;
345
367
if (sdata->bss)
346
368
atomic_dec(&sdata->bss->num_sta_ps);
347
-
__sta_info_clear_tim_bit(sdata->bss, sta);
369
+
__sta_info_clear_tim_bit(sdata->bss, *sta);
348
370
}
371
+
349
372
local->num_sta--;
350
373
351
-
if (ieee80211_vif_is_mesh(&sdata->vif))
352
-
mesh_accept_plinks_update(sdata->dev);
353
-
}
354
-
355
-
void sta_info_free(struct sta_info *sta)
356
-
{
357
-
struct sk_buff *skb;
358
-
struct ieee80211_local *local = sta->local;
359
-
struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev);
360
-
361
-
DECLARE_MAC_BUF(mac);
362
-
363
-
might_sleep();
364
-
365
-
write_lock_bh(&local->sta_lock);
366
-
sta_info_remove(sta);
367
-
write_unlock_bh(&local->sta_lock);
368
-
369
-
if (ieee80211_vif_is_mesh(&sdata->vif))
370
-
mesh_plink_deactivate(sta);
371
-
372
-
while ((skb = skb_dequeue(&sta->ps_tx_buf)) != NULL) {
373
-
local->total_ps_buffered--;
374
-
dev_kfree_skb(skb);
375
-
}
376
-
while ((skb = skb_dequeue(&sta->tx_filtered)) != NULL) {
377
-
dev_kfree_skb(skb);
378
-
}
379
-
380
-
#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
381
-
printk(KERN_DEBUG "%s: Removed STA %s\n",
382
-
wiphy_name(local->hw.wiphy), print_mac(mac, sta->addr));
383
-
#endif /* CONFIG_MAC80211_VERBOSE_DEBUG */
384
-
385
-
ieee80211_key_free(sta->key);
386
-
WARN_ON(sta->key);
387
-
388
374
if (local->ops->sta_notify) {
389
-
390
375
if (sdata->vif.type == IEEE80211_IF_TYPE_VLAN)
391
376
sdata = sdata->u.vlan.ap;
392
377
393
378
local->ops->sta_notify(local_to_hw(local), &sdata->vif,
394
-
STA_NOTIFY_REMOVE, sta->addr);
379
+
STA_NOTIFY_REMOVE, (*sta)->addr);
395
380
}
396
381
397
-
rate_control_remove_sta_debugfs(sta);
398
-
ieee80211_sta_debugfs_remove(sta);
382
+
if (ieee80211_vif_is_mesh(&sdata->vif)) {
383
+
mesh_accept_plinks_update(sdata);
384
+
#ifdef CONFIG_MAC80211_MESH
385
+
del_timer(&(*sta)->plink_timer);
386
+
#endif
387
+
}
399
388
400
-
sta_info_put(sta);
389
+
#ifdef CONFIG_MAC80211_VERBOSE_DEBUG
390
+
printk(KERN_DEBUG "%s: Removed STA %s\n",
391
+
wiphy_name(local->hw.wiphy), print_mac(mbuf, (*sta)->addr));
392
+
#endif /* CONFIG_MAC80211_VERBOSE_DEBUG */
401
393
}
402
394
395
+
void sta_info_unlink(struct sta_info **sta)
396
+
{
397
+
struct ieee80211_local *local = (*sta)->local;
398
+
unsigned long flags;
399
+
400
+
spin_lock_irqsave(&local->sta_lock, flags);
401
+
__sta_info_unlink(sta);
402
+
spin_unlock_irqrestore(&local->sta_lock, flags);
403
+
}
403
404
404
405
static inline int sta_info_buffer_expired(struct ieee80211_local *local,
405
406
struct sta_info *sta,
···
487
404
if (!skb)
488
405
break;
489
406
490
-
sdata = IEEE80211_DEV_TO_SUB_IF(sta->dev);
407
+
sdata = sta->sdata;
491
408
local->total_ps_buffered--;
492
409
printk(KERN_DEBUG "Buffered frame expired (STA "
493
410
"%s)\n", print_mac(mac, sta->addr));
···
504
421
struct ieee80211_local *local = (struct ieee80211_local *) data;
505
422
struct sta_info *sta;
506
423
507
-
read_lock_bh(&local->sta_lock);
508
-
list_for_each_entry(sta, &local->sta_list, list) {
509
-
__sta_info_get(sta);
424
+
rcu_read_lock();
425
+
list_for_each_entry_rcu(sta, &local->sta_list, list)
510
426
sta_info_cleanup_expire_buffered(local, sta);
511
-
sta_info_put(sta);
512
-
}
513
-
read_unlock_bh(&local->sta_lock);
427
+
rcu_read_unlock();
514
428
515
429
local->sta_cleanup.expires =
516
430
round_jiffies(jiffies + STA_INFO_CLEANUP_INTERVAL);
···
515
435
}
516
436
517
437
#ifdef CONFIG_MAC80211_DEBUGFS
518
-
static void sta_info_debugfs_add_task(struct work_struct *work)
438
+
static void sta_info_debugfs_add_work(struct work_struct *work)
519
439
{
520
440
struct ieee80211_local *local =
521
441
container_of(work, struct ieee80211_local, sta_debugfs_add);
522
442
struct sta_info *sta, *tmp;
443
+
unsigned long flags;
523
444
524
445
while (1) {
525
446
sta = NULL;
526
-
read_lock_bh(&local->sta_lock);
447
+
448
+
spin_lock_irqsave(&local->sta_lock, flags);
527
449
list_for_each_entry(tmp, &local->sta_list, list) {
528
450
if (!tmp->debugfs.dir) {
529
451
sta = tmp;
530
-
__sta_info_get(sta);
452
+
__sta_info_pin(sta);
531
453
break;
532
454
}
533
455
}
534
-
read_unlock_bh(&local->sta_lock);
456
+
spin_unlock_irqrestore(&local->sta_lock, flags);
535
457
536
458
if (!sta)
537
459
break;
538
460
539
461
ieee80211_sta_debugfs_add(sta);
540
462
rate_control_add_sta_debugfs(sta);
541
-
sta_info_put(sta);
463
+
464
+
sta = __sta_info_unpin(sta);
465
+
466
+
if (sta) {
467
+
synchronize_rcu();
468
+
sta_info_destroy(sta);
469
+
}
542
470
}
543
471
}
544
472
#endif
545
473
546
474
void sta_info_init(struct ieee80211_local *local)
547
475
{
548
-
rwlock_init(&local->sta_lock);
476
+
spin_lock_init(&local->sta_lock);
549
477
INIT_LIST_HEAD(&local->sta_list);
550
478
551
479
setup_timer(&local->sta_cleanup, sta_info_cleanup,
···
562
474
round_jiffies(jiffies + STA_INFO_CLEANUP_INTERVAL);
563
475
564
476
#ifdef CONFIG_MAC80211_DEBUGFS
565
-
INIT_WORK(&local->sta_debugfs_add, sta_info_debugfs_add_task);
477
+
INIT_WORK(&local->sta_debugfs_add, sta_info_debugfs_add_work);
566
478
#endif
567
479
}
568
480
···
581
493
/**
582
494
* sta_info_flush - flush matching STA entries from the STA table
583
495
* @local: local interface data
584
-
* @dev: matching rule for the net device (sta->dev) or %NULL to match all STAs
496
+
* @sdata: matching rule for the net device (sta->dev) or %NULL to match all STAs
585
497
*/
586
-
void sta_info_flush(struct ieee80211_local *local, struct net_device *dev)
498
+
void sta_info_flush(struct ieee80211_local *local,
499
+
struct ieee80211_sub_if_data *sdata)
587
500
{
588
501
struct sta_info *sta, *tmp;
589
502
LIST_HEAD(tmp_list);
503
+
unsigned long flags;
590
504
591
-
write_lock_bh(&local->sta_lock);
592
-
list_for_each_entry_safe(sta, tmp, &local->sta_list, list)
593
-
if (!dev || dev == sta->dev) {
594
-
__sta_info_get(sta);
595
-
sta_info_remove(sta);
596
-
list_add_tail(&sta->list, &tmp_list);
505
+
might_sleep();
506
+
507
+
spin_lock_irqsave(&local->sta_lock, flags);
508
+
list_for_each_entry_safe(sta, tmp, &local->sta_list, list) {
509
+
if (!sdata || sdata == sta->sdata) {
510
+
__sta_info_unlink(&sta);
511
+
if (sta)
512
+
list_add_tail(&sta->list, &tmp_list);
597
513
}
598
-
write_unlock_bh(&local->sta_lock);
599
-
600
-
list_for_each_entry_safe(sta, tmp, &tmp_list, list) {
601
-
sta_info_free(sta);
602
-
sta_info_put(sta);
603
514
}
515
+
spin_unlock_irqrestore(&local->sta_lock, flags);
516
+
517
+
synchronize_rcu();
518
+
519
+
list_for_each_entry_safe(sta, tmp, &tmp_list, list)
520
+
sta_info_destroy(sta);
604
521
}
+42
-19
net/mac80211/sta_info.h
+42
-19
net/mac80211/sta_info.h
···
12
12
#include <linux/list.h>
13
13
#include <linux/types.h>
14
14
#include <linux/if_ether.h>
15
-
#include <linux/kref.h>
16
15
#include "ieee80211_key.h"
17
16
18
17
/**
···
133
134
u8 dialog_token_allocator;
134
135
};
135
136
137
+
138
+
/* see __sta_info_unlink */
139
+
#define STA_INFO_PIN_STAT_NORMAL 0
140
+
#define STA_INFO_PIN_STAT_PINNED 1
141
+
#define STA_INFO_PIN_STAT_DESTROY 2
142
+
143
+
136
144
struct sta_info {
137
-
struct kref kref;
138
145
struct list_head list;
139
146
struct sta_info *hnext; /* next entry in hash table list */
140
147
···
171
166
/* last rates used to send a frame to this STA */
172
167
int last_txrate_idx, last_nonerp_txrate_idx;
173
168
174
-
struct net_device *dev; /* which net device is this station associated
175
-
* to */
169
+
/* sub_if_data this sta belongs to */
170
+
struct ieee80211_sub_if_data *sdata;
176
171
177
172
struct ieee80211_key *key;
178
173
···
203
198
#endif /* CONFIG_MAC80211_DEBUG_COUNTERS */
204
199
205
200
u16 listen_interval;
201
+
202
+
/*
203
+
* for use by the internal lifetime management,
204
+
* see __sta_info_unlink
205
+
*/
206
+
u8 pin_status;
206
207
207
208
struct ieee80211_ht_info ht_info; /* 802.11n HT capabilities
208
209
of this STA */
···
273
262
*/
274
263
#define STA_INFO_CLEANUP_INTERVAL (10 * HZ)
275
264
276
-
static inline void __sta_info_get(struct sta_info *sta)
277
-
{
278
-
kref_get(&sta->kref);
279
-
}
280
-
281
-
struct sta_info * sta_info_get(struct ieee80211_local *local, u8 *addr);
265
+
/*
266
+
* Get a STA info, must have be under RCU read lock.
267
+
*/
268
+
struct sta_info *sta_info_get(struct ieee80211_local *local, u8 *addr);
269
+
/*
270
+
* Get STA info by index, BROKEN!
271
+
*/
282
272
struct sta_info *sta_info_get_by_idx(struct ieee80211_local *local, int idx,
283
273
struct net_device *dev);
284
-
void sta_info_put(struct sta_info *sta);
285
-
struct sta_info *sta_info_add(struct ieee80211_local *local,
286
-
struct net_device *dev, u8 *addr, gfp_t gfp);
287
-
void sta_info_remove(struct sta_info *sta);
288
-
void sta_info_free(struct sta_info *sta);
274
+
/*
275
+
* Add a new STA info, must be under RCU read lock
276
+
* because otherwise the returned reference isn't
277
+
* necessarily valid long enough.
278
+
*/
279
+
struct sta_info *sta_info_add(struct ieee80211_sub_if_data *sdata,
280
+
u8 *addr);
281
+
/*
282
+
* Unlink a STA info from the hash table/list.
283
+
* This can NULL the STA pointer if somebody else
284
+
* has already unlinked it.
285
+
*/
286
+
void sta_info_unlink(struct sta_info **sta);
287
+
288
+
void sta_info_destroy(struct sta_info *sta);
289
+
void sta_info_set_tim_bit(struct sta_info *sta);
290
+
void sta_info_clear_tim_bit(struct sta_info *sta);
291
+
289
292
void sta_info_init(struct ieee80211_local *local);
290
293
int sta_info_start(struct ieee80211_local *local);
291
294
void sta_info_stop(struct ieee80211_local *local);
292
-
void sta_info_flush(struct ieee80211_local *local, struct net_device *dev);
293
-
294
-
void sta_info_set_tim_bit(struct sta_info *sta);
295
-
void sta_info_clear_tim_bit(struct sta_info *sta);
295
+
void sta_info_flush(struct ieee80211_local *local,
296
+
struct ieee80211_sub_if_data *sdata);
296
297
297
298
#endif /* STA_INFO_H */
+26
-22
net/mac80211/tx.c
+26
-22
net/mac80211/tx.c
···
327
327
}
328
328
total += skb_queue_len(&ap->ps_bc_buf);
329
329
}
330
-
rcu_read_unlock();
331
330
332
-
read_lock_bh(&local->sta_lock);
333
-
list_for_each_entry(sta, &local->sta_list, list) {
331
+
list_for_each_entry_rcu(sta, &local->sta_list, list) {
334
332
skb = skb_dequeue(&sta->ps_tx_buf);
335
333
if (skb) {
336
334
purged++;
···
336
338
}
337
339
total += skb_queue_len(&sta->ps_tx_buf);
338
340
}
339
-
read_unlock_bh(&local->sta_lock);
341
+
342
+
rcu_read_unlock();
340
343
341
344
local->total_ps_buffered = total;
342
345
printk(KERN_DEBUG "%s: PS buffers full - purged %d frames\n",
···
1140
1141
return 0;
1141
1142
}
1142
1143
1144
+
rcu_read_lock();
1145
+
1143
1146
/* initialises tx */
1144
1147
res_prepare = __ieee80211_tx_prepare(&tx, skb, dev, control);
1145
1148
1146
1149
if (res_prepare == TX_DROP) {
1147
1150
dev_kfree_skb(skb);
1151
+
rcu_read_unlock();
1148
1152
return 0;
1149
1153
}
1150
-
1151
-
/*
1152
-
* key references are protected using RCU and this requires that
1153
-
* we are in a read-site RCU section during receive processing
1154
-
*/
1155
-
rcu_read_lock();
1156
1154
1157
1155
sta = tx.sta;
1158
1156
tx.channel = local->hw.conf.channel;
···
1162
1166
}
1163
1167
1164
1168
skb = tx.skb; /* handlers are allowed to change skb */
1165
-
1166
-
if (sta)
1167
-
sta_info_put(sta);
1168
1169
1169
1170
if (unlikely(res == TX_DROP)) {
1170
1171
I802_DEBUG_INC(local->tx_handlers_drop);
···
1482
1489
* in AP mode)
1483
1490
*/
1484
1491
if (!is_multicast_ether_addr(hdr.addr1)) {
1492
+
rcu_read_lock();
1485
1493
sta = sta_info_get(local, hdr.addr1);
1486
-
if (sta) {
1494
+
if (sta)
1487
1495
sta_flags = sta->flags;
1488
-
sta_info_put(sta);
1489
-
}
1496
+
rcu_read_unlock();
1490
1497
}
1491
1498
1492
1499
/* receiver is QoS enabled, use a QoS type frame */
···
1715
1722
1716
1723
/* Generate bitmap for TIM only if there are any STAs in power save
1717
1724
* mode. */
1718
-
read_lock_bh(&local->sta_lock);
1719
1725
if (atomic_read(&bss->num_sta_ps) > 0)
1720
1726
/* in the hope that this is faster than
1721
1727
* checking byte-for-byte */
···
1765
1773
*pos++ = aid0; /* Bitmap control */
1766
1774
*pos++ = 0; /* Part Virt Bitmap */
1767
1775
}
1768
-
read_unlock_bh(&local->sta_lock);
1769
1776
}
1770
1777
1771
1778
struct sk_buff *ieee80211_beacon_get(struct ieee80211_hw *hw,
···
1812
1821
ieee80211_include_sequence(sdata,
1813
1822
(struct ieee80211_hdr *)skb->data);
1814
1823
1815
-
ieee80211_beacon_add_tim(local, ap, skb, beacon);
1824
+
/*
1825
+
* Not very nice, but we want to allow the driver to call
1826
+
* ieee80211_beacon_get() as a response to the set_tim()
1827
+
* callback. That, however, is already invoked under the
1828
+
* sta_lock to guarantee consistent and race-free update
1829
+
* of the tim bitmap in mac80211 and the driver.
1830
+
*/
1831
+
if (local->tim_in_locked_section) {
1832
+
ieee80211_beacon_add_tim(local, ap, skb, beacon);
1833
+
} else {
1834
+
unsigned long flags;
1835
+
1836
+
spin_lock_irqsave(&local->sta_lock, flags);
1837
+
ieee80211_beacon_add_tim(local, ap, skb, beacon);
1838
+
spin_unlock_irqrestore(&local->sta_lock, flags);
1839
+
}
1816
1840
1817
1841
if (beacon->tail)
1818
1842
memcpy(skb_put(skb, beacon->tail_len),
···
1971
1965
rcu_read_unlock();
1972
1966
return NULL;
1973
1967
}
1974
-
rcu_read_unlock();
1975
1968
1976
1969
if (bss->dtim_count != 0)
1977
1970
return NULL; /* send buffered bc/mc only after DTIM beacon */
···
2015
2010
skb = NULL;
2016
2011
}
2017
2012
2018
-
if (sta)
2019
-
sta_info_put(sta);
2013
+
rcu_read_unlock();
2020
2014
2021
2015
return skb;
2022
2016
}
+6
-2
net/mac80211/wme.c
+6
-2
net/mac80211/wme.c
···
153
153
154
154
if (pkt_data->flags & IEEE80211_TXPD_REQUEUE) {
155
155
queue = pkt_data->queue;
156
+
rcu_read_lock();
156
157
sta = sta_info_get(local, hdr->addr1);
157
158
tid = skb->priority & QOS_CONTROL_TAG1D_MASK;
158
159
if (sta) {
···
165
164
} else {
166
165
pkt_data->flags &= ~IEEE80211_TXPD_AMPDU;
167
166
}
168
-
sta_info_put(sta);
169
167
}
168
+
rcu_read_unlock();
170
169
skb_queue_tail(&q->requeued[queue], skb);
171
170
qd->q.qlen++;
172
171
return 0;
···
188
187
p++;
189
188
*p = 0;
190
189
190
+
rcu_read_lock();
191
+
191
192
sta = sta_info_get(local, hdr->addr1);
192
193
if (sta) {
193
194
int ampdu_queue = sta->tid_to_tx_q[tid];
···
200
197
} else {
201
198
pkt_data->flags &= ~IEEE80211_TXPD_AMPDU;
202
199
}
203
-
sta_info_put(sta);
204
200
}
201
+
202
+
rcu_read_unlock();
205
203
}
206
204
207
205
if (unlikely(queue >= local->hw.queues)) {