Commit b83f4e15 authored by Tomas Winkler's avatar Tomas Winkler Committed by John W. Linville

mac80211: fix deadlock in sta->lock

This patch fixes a deadlock of sta->lock use, occurring while changing
tx aggregation states, as dev_queue_xmit end up in new function
test_and_clear_sta_flags that uses that lock thus leading to deadlock
Signed-off-by: default avatarTomas Winkler <tomas.winkler@intel.com>
Signed-off-by: default avatarRon Rindjunsky <ron.rindjunsky@intel.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 747cf5e9
...@@ -589,8 +589,8 @@ int ieee80211_start_tx_ba_session(struct ieee80211_hw *hw, u8 *ra, u16 tid) ...@@ -589,8 +589,8 @@ int ieee80211_start_tx_ba_session(struct ieee80211_hw *hw, u8 *ra, u16 tid)
sta = sta_info_get(local, ra); sta = sta_info_get(local, ra);
if (!sta) { if (!sta) {
printk(KERN_DEBUG "Could not find the station\n"); printk(KERN_DEBUG "Could not find the station\n");
rcu_read_unlock(); ret = -ENOENT;
return -ENOENT; goto exit;
} }
spin_lock_bh(&sta->lock); spin_lock_bh(&sta->lock);
...@@ -598,7 +598,7 @@ int ieee80211_start_tx_ba_session(struct ieee80211_hw *hw, u8 *ra, u16 tid) ...@@ -598,7 +598,7 @@ int ieee80211_start_tx_ba_session(struct ieee80211_hw *hw, u8 *ra, u16 tid)
/* we have tried too many times, receiver does not want A-MPDU */ /* we have tried too many times, receiver does not want A-MPDU */
if (sta->ampdu_mlme.addba_req_num[tid] > HT_AGG_MAX_RETRIES) { if (sta->ampdu_mlme.addba_req_num[tid] > HT_AGG_MAX_RETRIES) {
ret = -EBUSY; ret = -EBUSY;
goto start_ba_exit; goto err_unlock_sta;
} }
state = &sta->ampdu_mlme.tid_state_tx[tid]; state = &sta->ampdu_mlme.tid_state_tx[tid];
...@@ -609,7 +609,7 @@ int ieee80211_start_tx_ba_session(struct ieee80211_hw *hw, u8 *ra, u16 tid) ...@@ -609,7 +609,7 @@ int ieee80211_start_tx_ba_session(struct ieee80211_hw *hw, u8 *ra, u16 tid)
"idle on tid %u\n", tid); "idle on tid %u\n", tid);
#endif /* CONFIG_MAC80211_HT_DEBUG */ #endif /* CONFIG_MAC80211_HT_DEBUG */
ret = -EAGAIN; ret = -EAGAIN;
goto start_ba_exit; goto err_unlock_sta;
} }
/* prepare A-MPDU MLME for Tx aggregation */ /* prepare A-MPDU MLME for Tx aggregation */
...@@ -620,7 +620,7 @@ int ieee80211_start_tx_ba_session(struct ieee80211_hw *hw, u8 *ra, u16 tid) ...@@ -620,7 +620,7 @@ int ieee80211_start_tx_ba_session(struct ieee80211_hw *hw, u8 *ra, u16 tid)
printk(KERN_ERR "allocate tx mlme to tid %d failed\n", printk(KERN_ERR "allocate tx mlme to tid %d failed\n",
tid); tid);
ret = -ENOMEM; ret = -ENOMEM;
goto start_ba_exit; goto err_unlock_sta;
} }
/* Tx timer */ /* Tx timer */
sta->ampdu_mlme.tid_tx[tid]->addba_resp_timer.function = sta->ampdu_mlme.tid_tx[tid]->addba_resp_timer.function =
...@@ -643,7 +643,7 @@ int ieee80211_start_tx_ba_session(struct ieee80211_hw *hw, u8 *ra, u16 tid) ...@@ -643,7 +643,7 @@ int ieee80211_start_tx_ba_session(struct ieee80211_hw *hw, u8 *ra, u16 tid)
printk(KERN_DEBUG "BA request denied - queue unavailable for" printk(KERN_DEBUG "BA request denied - queue unavailable for"
" tid %d\n", tid); " tid %d\n", tid);
#endif /* CONFIG_MAC80211_HT_DEBUG */ #endif /* CONFIG_MAC80211_HT_DEBUG */
goto start_ba_err; goto err_unlock_queue;
} }
sdata = sta->sdata; sdata = sta->sdata;
...@@ -665,12 +665,13 @@ int ieee80211_start_tx_ba_session(struct ieee80211_hw *hw, u8 *ra, u16 tid) ...@@ -665,12 +665,13 @@ int ieee80211_start_tx_ba_session(struct ieee80211_hw *hw, u8 *ra, u16 tid)
" tid %d\n", tid); " tid %d\n", tid);
#endif /* CONFIG_MAC80211_HT_DEBUG */ #endif /* CONFIG_MAC80211_HT_DEBUG */
*state = HT_AGG_STATE_IDLE; *state = HT_AGG_STATE_IDLE;
goto start_ba_err; goto err_unlock_queue;
} }
/* Will put all the packets in the new SW queue */ /* Will put all the packets in the new SW queue */
ieee80211_requeue(local, ieee802_1d_to_ac[tid]); ieee80211_requeue(local, ieee802_1d_to_ac[tid]);
spin_unlock_bh(&local->mdev->queue_lock); spin_unlock_bh(&local->mdev->queue_lock);
spin_unlock_bh(&sta->lock);
/* send an addBA request */ /* send an addBA request */
sta->ampdu_mlme.dialog_token_allocator++; sta->ampdu_mlme.dialog_token_allocator++;
...@@ -678,25 +679,26 @@ int ieee80211_start_tx_ba_session(struct ieee80211_hw *hw, u8 *ra, u16 tid) ...@@ -678,25 +679,26 @@ int ieee80211_start_tx_ba_session(struct ieee80211_hw *hw, u8 *ra, u16 tid)
sta->ampdu_mlme.dialog_token_allocator; sta->ampdu_mlme.dialog_token_allocator;
sta->ampdu_mlme.tid_tx[tid]->ssn = start_seq_num; sta->ampdu_mlme.tid_tx[tid]->ssn = start_seq_num;
ieee80211_send_addba_request(sta->sdata->dev, ra, tid, ieee80211_send_addba_request(sta->sdata->dev, ra, tid,
sta->ampdu_mlme.tid_tx[tid]->dialog_token, sta->ampdu_mlme.tid_tx[tid]->dialog_token,
sta->ampdu_mlme.tid_tx[tid]->ssn, sta->ampdu_mlme.tid_tx[tid]->ssn,
0x40, 5000); 0x40, 5000);
/* activate the timer for the recipient's addBA response */ /* activate the timer for the recipient's addBA response */
sta->ampdu_mlme.tid_tx[tid]->addba_resp_timer.expires = sta->ampdu_mlme.tid_tx[tid]->addba_resp_timer.expires =
jiffies + ADDBA_RESP_INTERVAL; jiffies + ADDBA_RESP_INTERVAL;
add_timer(&sta->ampdu_mlme.tid_tx[tid]->addba_resp_timer); add_timer(&sta->ampdu_mlme.tid_tx[tid]->addba_resp_timer);
printk(KERN_DEBUG "activated addBA response timer on tid %d\n", tid); printk(KERN_DEBUG "activated addBA response timer on tid %d\n", tid);
goto start_ba_exit; goto exit;
start_ba_err: err_unlock_queue:
kfree(sta->ampdu_mlme.tid_tx[tid]); kfree(sta->ampdu_mlme.tid_tx[tid]);
sta->ampdu_mlme.tid_tx[tid] = NULL; sta->ampdu_mlme.tid_tx[tid] = NULL;
spin_unlock_bh(&local->mdev->queue_lock); spin_unlock_bh(&local->mdev->queue_lock);
ret = -EBUSY; ret = -EBUSY;
start_ba_exit: err_unlock_sta:
spin_unlock_bh(&sta->lock); spin_unlock_bh(&sta->lock);
exit:
rcu_read_unlock(); rcu_read_unlock();
return ret; return ret;
} }
...@@ -835,10 +837,11 @@ void ieee80211_stop_tx_ba_cb(struct ieee80211_hw *hw, u8 *ra, u8 tid) ...@@ -835,10 +837,11 @@ void ieee80211_stop_tx_ba_cb(struct ieee80211_hw *hw, u8 *ra, u8 tid)
} }
state = &sta->ampdu_mlme.tid_state_tx[tid]; state = &sta->ampdu_mlme.tid_state_tx[tid];
spin_lock_bh(&sta->lock); /* NOTE: no need to use sta->lock in this state check, as
* ieee80211_stop_tx_ba_session will let only
* one stop call to pass through per sta/tid */
if ((*state & HT_AGG_STATE_REQ_STOP_BA_MSK) == 0) { if ((*state & HT_AGG_STATE_REQ_STOP_BA_MSK) == 0) {
printk(KERN_DEBUG "unexpected callback to A-MPDU stop\n"); printk(KERN_DEBUG "unexpected callback to A-MPDU stop\n");
spin_unlock_bh(&sta->lock);
rcu_read_unlock(); rcu_read_unlock();
return; return;
} }
...@@ -861,6 +864,7 @@ void ieee80211_stop_tx_ba_cb(struct ieee80211_hw *hw, u8 *ra, u8 tid) ...@@ -861,6 +864,7 @@ void ieee80211_stop_tx_ba_cb(struct ieee80211_hw *hw, u8 *ra, u8 tid)
* ieee80211_wake_queue is not used here as this queue is not * ieee80211_wake_queue is not used here as this queue is not
* necessarily stopped */ * necessarily stopped */
netif_schedule(local->mdev); netif_schedule(local->mdev);
spin_lock_bh(&sta->lock);
*state = HT_AGG_STATE_IDLE; *state = HT_AGG_STATE_IDLE;
sta->ampdu_mlme.addba_req_num[tid] = 0; sta->ampdu_mlme.addba_req_num[tid] = 0;
kfree(sta->ampdu_mlme.tid_tx[tid]); kfree(sta->ampdu_mlme.tid_tx[tid]);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment