mac80211: fix AP/VLAN PS buffer race
authorJohannes Berg <johannes.berg@intel.com>
Tue, 20 Sep 2011 15:40:51 +0000 (17:40 +0200)
committerJohn W. Linville <linville@tuxdriver.com>
Wed, 21 Sep 2011 20:19:41 +0000 (16:19 -0400)
When an AP interface is removed without the
AP/VLAN interfaces having been removed before
already, the AP-VLAN interface might still
have sleeping stations and buffer multicast
frames which will happen on the AP interface.
Thus, we need to remove AP/VLAN interfaces
before purging buffered broadcast frames.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
net/mac80211/iface.c

index eaa80a3d412b156d21804b3e0656d205b36fb1c0..4116a7542b6b51af584dad4c6a22e264caa6fa18 100644 (file)
@@ -460,17 +460,15 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
                synchronize_rcu();
                kfree(old_beacon);
 
-               /* free all potentially still buffered bcast frames */
-               while ((skb = skb_dequeue(&sdata->u.ap.ps_bc_buf))) {
-                       local->total_ps_buffered--;
-                       dev_kfree_skb(skb);
-               }
-
                /* down all dependent devices, that is VLANs */
                list_for_each_entry_safe(vlan, tmpsdata, &sdata->u.ap.vlans,
                                         u.vlan.list)
                        dev_close(vlan->dev);
                WARN_ON(!list_empty(&sdata->u.ap.vlans));
+
+               /* free all potentially still buffered bcast frames */
+               local->total_ps_buffered -= skb_queue_len(&sdata->u.ap.ps_bc_buf);
+               skb_queue_purge(&sdata->u.ap.ps_bc_buf);
        }
 
        if (going_down)