On Fri, Mar 7, 2014 at 1:19 PM, Michal Kazior <michal.kazior@xxxxxxxxx> wrote:
> Channel context refcount is protected by
> chanctx_mtx. Accessing the value without holding
> the mutex is racy. RCU section didn't guarantee
> anything here.
>
> Theoretically ieee80211_channel_switch() could
> fail to see refcount change and read "1" instead
> of, e.g. "2". This means mac80211 could accept CSA
> even though it shouldn't have.
>
> Signed-off-by: Michal Kazior <michal.kazior@xxxxxxxxx>
> ---
[...]
> @@ -3233,23 +3233,23 @@ int ieee80211_channel_switch(struct wiphy *wiphy, struct net_device *dev,
> &sdata->vif.bss_conf.chandef))
> return -EINVAL;
>
> - rcu_read_lock();
> + mutex_lock(&local->chanctx_mtx);
> chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf);

this should probably be rcu_dereference_protected now?

Eliad.
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
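
Review bot: the unchanged line chanctx_conf = rcu_dereference(sdata->vif.chanctx_conf); now runs outside any RCU read-side critical section, because the rcu_read_lock() just above it has been replaced by mutex_lock(&local->chanctx_mtx). With CONFIG_PROVE_RCU enabled, rcu_dereference() checks rcu_read_lock_held() and will emit a suspicious RCU usage warning here. Suggest rcu_dereference_protected(sdata->vif.chanctx_conf, lockdep_is_held(&local->chanctx_mtx)), which documents the lock that actually protects the pointer and lets lockdep verify it. The rest of the hunk is not visible in this quote, so please also confirm that every return path after the new mutex_lock() drops chanctx_mtx where the old code called rcu_read_unlock().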