From: Johannes Berg <johannes.berg@xxxxxxxxx> We never delete the addBA response timer, which is typically fine, but if the station it belongs to is deleted very quickly after starting the BA session, before the peer had a chance to reply, the timer may fire after the station struct has been freed already. Therefore, we need to delete the timer in a suitable spot -- best when the session is being stopped (which will happen even then) in which case the delete will be a no-op most of the time. I've reproduced the scenario and tested the fix. Cc: stable@xxxxxxxxxx Reported-by: Ben Greear <greearb@xxxxxxxxxxxxxxx> Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx> --- This might be applicable to stable, but the code has changed significantly, I'd appreciate any help analysing and backporting it. net/mac80211/agg-tx.c | 2 ++ 1 file changed, 2 insertions(+) --- wireless-testing.orig/net/mac80211/agg-tx.c 2010-10-05 21:00:59.000000000 +0200 +++ wireless-testing/net/mac80211/agg-tx.c 2010-10-05 21:01:11.000000000 +0200 @@ -176,6 +176,8 @@ int ___ieee80211_stop_tx_ba_session(stru set_bit(HT_AGG_STATE_STOPPING, &tid_tx->state); + del_timer_sync(&tid_tx->addba_resp_timer); + /* * After this packets are no longer handed right through * to the driver but are put onto tid_tx->pending instead, -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
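Review bot: the new del_timer_sync() sits directly after set_bit(HT_AGG_STATE_STOPPING, &tid_tx->state), which is the right order, since the STOPPING bit is what should keep the response timer from being re-armed once it has been cancelled; two things are worth confirming in the full function, though. First, del_timer_sync() waits for a running handler to finish, so ___ieee80211_stop_tx_ba_session() must never be reached from the addba_resp_timer callback itself or from atomic context, otherwise this line deadlocks or sleeps where it must not. Second, the commit message relies on the stop path running "even then" on fast station removal; the fix is only complete if the station teardown really calls into this function for a TID whose session is still waiting for the addBA response, so a one-line comment above the del_timer_sync() stating that it also covers the teardown-before-reply case would help the stable backport the author asks for.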
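As an added illustration of the ordering the commit message describes (a session is started, the peer never replies, the station is torn down quickly, the timer fires afterwards), here is a deterministic single-threaded C model. It is not mac80211 code and not the patch author's; struct sta, start_ba_session(), stop_ba_session(), replay_scenario(), the pending[] timer list and the `freed` poison flag are constructs of the model, and del_timer_sync() here is a stand-in for the kernel function, used so the before/after behaviour of the patch can be compared without an actual use-after-free.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Hypothetical model of a kernel timer embedded in its owner.
 * Only the lifecycle ordering matters here; nothing is real mac80211 code. */
struct timer {
    bool armed;
    void (*fn)(struct timer *);
    void *owner;              /* back-pointer to the object embedding the timer */
};

/* Stand-in for the station / TID aggregation state that embeds
 * addba_resp_timer. The freed flag replaces kfree() so the model can
 * detect a callback running against a dead owner instead of crashing. */
struct sta {
    struct timer addba_resp_timer;
    bool freed;
};

/* A tiny "timer wheel": timers the system will fire at some later point. */
#define MAX_TIMERS 4
static struct timer *pending[MAX_TIMERS];
static int npending;

static void add_timer(struct timer *t)
{
    if (npending < MAX_TIMERS) {
        t->armed = true;
        pending[npending++] = t;
    }
}

/* Model of del_timer_sync(): deactivate and drop from the pending set,
 * so the callback can no longer run after the owner is gone. */
static void del_timer_sync(struct timer *t)
{
    for (int i = 0; i < npending; i++) {
        if (pending[i] == t) {
            pending[i] = pending[--npending];
            break;
        }
    }
    t->armed = false;
}

/* Fire everything still pending, as the timer softirq would later. */
static void run_timers(void)
{
    while (npending > 0) {
        struct timer *t = pending[--npending];
        t->armed = false;
        t->fn(t);
    }
}

static int uaf_hits;          /* callbacks that found their owner already freed */

static void addba_resp_timer_fn(struct timer *t)
{
    struct sta *sta = t->owner;
    /* The real handler dereferences the station here; in the model the
     * poison flag tells us whether that dereference would have been a UAF. */
    if (sta->freed)
        uaf_hits++;
}

static void start_ba_session(struct sta *sta)
{
    sta->addba_resp_timer.fn = addba_resp_timer_fn;
    sta->addba_resp_timer.owner = sta;
    add_timer(&sta->addba_resp_timer);   /* wait for the peer's addBA response */
}

/* Stop path; with_fix mirrors the patch's added del_timer_sync() call. */
static void stop_ba_session(struct sta *sta, bool with_fix)
{
    if (with_fix)
        del_timer_sync(&sta->addba_resp_timer);
}

/* Replays the scenario and returns how many callbacks touched a freed
 * station (0 is the desired outcome). Returns -1 if allocation fails. */
int replay_scenario(bool with_fix)
{
    struct sta *sta = calloc(1, sizeof(*sta));
    if (!sta)
        return -1;
    uaf_hits = 0;
    npending = 0;
    start_ba_session(sta);
    stop_ba_session(sta, with_fix);   /* runs even during fast station teardown */
    sta->freed = true;                /* stand-in for kfree(sta) */
    run_timers();                     /* the timer softirq fires afterwards */
    free(sta);
    return uaf_hits;
}
```

replay_scenario(false) reproduces the bug (one callback runs against a freed owner); replay_scenario(true) shows the cancel-before-free ordering closing it. The general lesson is the same as in the kernel: any timer or deferred work that holds a pointer into an object has to be cancelled synchronously on every path that can free that object, not only on the path where the peer replies.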