From b7413430d4d2a6168e68231d9f93763047b6d60c Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Thu, 11 Sep 2008 00:01:50 +0200 Subject: [PATCH] mac80211: fix work race When we stop an interface, the work on it may still be pending or running. We do cancel the timer, but we do not currently protect against the work struct. The race is very unlikely to hit -- it'll happen only when the driver is using mac80211's workqueue to run long-running tasks and the sta/mesh works are delayed for quite a bit. This patch fixes it by cancelling the work explicitly. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville --- net/mac80211/main.c | 8 ++++++++ net/mac80211/mesh.c | 9 +++++++++ 2 files changed, 17 insertions(+) diff --git a/net/mac80211/main.c b/net/mac80211/main.c index 522fe617648..ebdec7106d6 100644 --- a/net/mac80211/main.c +++ b/net/mac80211/main.c @@ -547,6 +547,14 @@ static int ieee80211_stop(struct net_device *dev) sdata->u.sta.state = IEEE80211_STA_MLME_DISABLED; memset(sdata->u.sta.bssid, 0, ETH_ALEN); del_timer_sync(&sdata->u.sta.timer); + /* + * If the timer fired while we waited for it, it will have + * requeued the work. Now the work will be running again + * but will not rearm the timer again because it checks + * whether the interface is running, which, at this point, + * it no longer is. + */ + cancel_work_sync(&sdata->u.sta.work); /* * When we get here, the interface is marked down. * Call synchronize_rcu() to wait for the RX path diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c index 9e47725cc59..a0141f5ff18 100644 --- a/net/mac80211/mesh.c +++ b/net/mac80211/mesh.c @@ -448,6 +448,15 @@ void ieee80211_start_mesh(struct ieee80211_sub_if_data *sdata) void ieee80211_stop_mesh(struct ieee80211_sub_if_data *sdata) { del_timer_sync(&sdata->u.mesh.housekeeping_timer); + /* + * If the timer fired while we waited for it, it will have + * requeued the work. Now the work will be running again + * but will not rearm the timer again because it checks + * whether the interface is running, which, at this point, + * it no longer is. + */ + cancel_work_sync(&sdata->u.mesh.work); + /* * When we get here, the interface is marked down. * Call synchronize_rcu() to wait for the RX path -- 2.41.1