• Johannes Berg's avatar
    mac80211: fix TX aggregation start/stop callback race · fd500b35
    Johannes Berg authored
    [ Upstream commit 7a7c0a64 ]
    
    When starting or stopping an aggregation session, one of the steps
    is that the driver calls back to mac80211 that the start/stop can
    proceed. This is handled by queueing up a fake SKB and processing
    it from the normal iface/sdata work. Since this isn't flushed when
    disassociating, the following race is possible:
    
     * associate
     * start aggregation session
     * driver callback
     * disassociate
     * associate again to the same AP
     * callback processing runs, leading to a WARN_ON() that
       the TID hadn't requested aggregation
    
    If the second association isn't to the same AP, there would only
    be a message printed ("Could not find station: <addr>"), but the
    same race could happen.
    
    Fix this by not going the whole detour with a fake SKB etc. but
    simply looking up the aggregation session in the driver callback,
    marking it with a START_CB/STOP_CB bit and then scheduling the
    regular aggregation work that will now process these bits as well.
    This also simplifies the code and gets rid of the whole problem
    with allocation failures of said skb, which could have left the
    session in limbo.
    Reported-by: default avatarJouni Malinen <j@w1.fi>
    Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
    Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
    fd500b35
sta_info.h 25.1 KB