mac80211: fix another key non-race

The code here is only not racy because all the
places that assign the pointers it uses are
holding the sta_mtx as well as the key_mtx and
so can't race against this because this code
holds the sta_mtx. But that's not intuitive,
so fix it to hold the key_mtx.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index f05244dc773e09edb9e220689c9a1928744d5c4d..cba8309e9aceb295b31a0444ce2bb34efb9e9c44 100644 (file)
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -652,10 +652,12 @@ static int __must_check __sta_info_destroy(struct sta_info *sta)
        if (ret)
                return ret;
 
+       mutex_lock(&local->key_mtx);
        for (i = 0; i < NUM_DEFAULT_KEYS; i++)
-               ieee80211_key_free(local, sta->gtk[i]);
+               __ieee80211_key_free(sta->gtk[i]);
        if (sta->ptk)
-               ieee80211_key_free(local, sta->ptk);
+               __ieee80211_key_free(sta->ptk);
+       mutex_unlock(&local->key_mtx);
 
        sta->dead = true;