From: Helmut Schaa Date: Fri, 27 Jan 2012 10:02:53 +0000 (+0100) Subject: mac80211: Move num_sta_ps counter decrement after synchronize_rcu X-Git-Tag: firefly_0821_release~3680^2~3338^2~112^2~367 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=4f3eb0ba4817e55e1b5b2f63fcf3f266c328fc1a;p=firefly-linux-kernel-4.4.55.git mac80211: Move num_sta_ps counter decrement after synchronize_rcu Unted the assumption that the sta struct is still accessible before the synchronize_rcu call we should move the num_sta_ps counter decrement after synchronize_rcu to avoid incorrect decrements if num_sta_ps. Signed-off-by: Helmut Schaa Signed-off-by: John W. Linville --- diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c index 1fb4770a7d13..fa0823892b2d 100644 --- a/net/mac80211/sta_info.c +++ b/net/mac80211/sta_info.c @@ -750,15 +750,6 @@ int __must_check __sta_info_destroy(struct sta_info *sta) sta->dead = true; - if (test_sta_flag(sta, WLAN_STA_PS_STA)) { - BUG_ON(!sdata->bss); - - clear_sta_flag(sta, WLAN_STA_PS_STA); - - atomic_dec(&sdata->bss->num_sta_ps); - sta_info_recalc_tim(sta); - } - local->num_sta--; local->sta_generation++; @@ -790,6 +781,15 @@ int __must_check __sta_info_destroy(struct sta_info *sta) */ synchronize_rcu(); + if (test_sta_flag(sta, WLAN_STA_PS_STA)) { + BUG_ON(!sdata->bss); + + clear_sta_flag(sta, WLAN_STA_PS_STA); + + atomic_dec(&sdata->bss->num_sta_ps); + sta_info_recalc_tim(sta); + } + for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) { local->total_ps_buffered -= skb_queue_len(&sta->ps_tx_buf[ac]); __skb_queue_purge(&sta->ps_tx_buf[ac]);