author | Johannes Berg <johannes.berg@intel.com> | 2010-10-05 21:40:33 +0200 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2010-10-06 15:58:29 -0400 |
commit | 44271488b91c9eecf249e075a1805dd887e222d2 (patch) | |
tree | 7c0bb66a9ac50d2f583f4020847d6f7c69563b44 | |
parent | 918df629d6a558ab9eb53350493f618812239a4c (diff) |
mac80211: delete AddBA response timer
master-2010-10-06
We never delete the addBA response timer, which
is typically fine, but if the station it belongs
to is deleted very quickly after starting the BA
session, before the peer had a chance to reply,
the timer may fire after the station struct has
been freed already. Therefore, we need to delete
the timer in a suitable spot -- best when the
session is being stopped (which will happen even
then) in which case the delete will be a no-op
most of the time.
I've reproduced the scenario and tested the fix.
This fixes the crash reported at
http://mid.gmane.org/4CAB6F96.6090701@candelatech.com
Cc: stable@kernel.org
Reported-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r-- | net/mac80211/agg-tx.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c index c893f236acea..8f23401832b7 100644 --- a/net/mac80211/agg-tx.c +++ b/net/mac80211/agg-tx.c @@ -175,6 +175,8 @@ int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid, set_bit(HT_AGG_STATE_STOPPING, &tid_tx->state); + del_timer_sync(&tid_tx->addba_resp_timer); + /* * After this packets are no longer handed right through * to the driver but are put onto tid_tx->pending instead, |
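Review bot: del_timer_sync() on the added line waits for a running addba_resp_timer handler to finish, so it must not be called while holding a lock that the handler also takes, and the hunk does not show which locks ___ieee80211_stop_tx_ba_session() runs under. Please confirm the callers' locking against the timer handler, and add a short comment above the call saying the timer is deleted here because it could otherwise fire after the station struct has been freed. It is also worth stating whether anything can re-arm the timer once HT_AGG_STATE_STOPPING is set, since a re-arm after this call would bring the use-after-free back.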