mac80211: safely free beacon in ieee80211_if_reinit
authorJohannes Berg <johannes@sipsolutions.net>
Mon, 25 Feb 2008 15:27:42 +0000 (16:27 +0100)
committerJohn W. Linville <linville@tuxdriver.com>
Fri, 29 Feb 2008 20:42:00 +0000 (15:42 -0500)
If ieee80211_if_reinit() is called from ieee80211_unregister_hw()
then it is possible that the driver will still request a beacon
(it is allowed to until ieee80211_unregister_hw() has returned.)
This means we need to use an RCU-protected write to the beacon
information even in this function.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
net/mac80211/ieee80211_iface.c

index f66f1ddc3fda0d11200548350cd286b48593ff42..0d6824bca92b8211606fd653cf5612d83f13b6a7 100644 (file)
@@ -193,6 +193,7 @@ void ieee80211_if_reinit(struct net_device *dev)
                /* Remove all virtual interfaces that use this BSS
                 * as their sdata->bss */
                struct ieee80211_sub_if_data *tsdata, *n;
+               struct beacon_data *beacon;
 
                list_for_each_entry_safe(tsdata, n, &local->interfaces, list) {
                        if (tsdata != sdata && tsdata->bss == &sdata->u.ap) {
@@ -210,7 +211,10 @@ void ieee80211_if_reinit(struct net_device *dev)
                        }
                }
 
-               kfree(sdata->u.ap.beacon);
+               beacon = sdata->u.ap.beacon;
+               rcu_assign_pointer(sdata->u.ap.beacon, NULL);
+               synchronize_rcu();
+               kfree(beacon);
 
                while ((skb = skb_dequeue(&sdata->u.ap.ps_bc_buf))) {
                        local->total_ps_buffered--;
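Review bot: The unpublish/wait/free sequence that ends in `kfree(beacon)` carries no comment explaining why a grace period is needed here; the reason exists only in the commit message. I would add above `beacon = sdata->u.ap.beacon;` a comment such as `/* driver may still request a beacon until unregister_hw returns: unpublish, wait for readers, then free */`. The sequence prevents a use-after-free only if the beacon-fetch path reads the pointer with `rcu_dereference()` inside an `rcu_read_lock()` section; that reader is not part of this diff, so it is worth confirming. `synchronize_rcu()` can sleep, so the change also assumes ieee80211_if_reinit() is only reached in process context with no spinlock held. The function body starts and ends outside the hunk, so neither assumption can be checked from here.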