From: Johannes Berg <johannes.berg@xxxxxxxxx> Noticed by looking at the code: if packets are being processed while we clear the WANT_START bit, they might see it clear and queue up on tid_tx->pending. If the driver rejects the new aggregation session then, we leak the packet. Cc: stable@xxxxxxxxxxxxxxx Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx> --- net/mac80211/agg-tx.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) --- a/net/mac80211/agg-tx.c 2011-11-29 17:23:40.000000000 +0100 +++ b/net/mac80211/agg-tx.c 2011-11-29 17:48:16.000000000 +0100 @@ -324,14 +324,19 @@ void ieee80211_tx_ba_session_handle_star */ ieee80211_stop_queue_agg(local, tid); - clear_bit(HT_AGG_STATE_WANT_START, &tid_tx->state); - /* - * make sure no packets are being processed to get - * valid starting sequence number + * Make sure no packets are being processed. This ensures that + * a) we have a valid starting sequence number and it's really + * the next frame and that + * b) there's no packet that sees WANT_START cleared and queues + * up on tid_tx->pending which would cause us to lose it if + * the driver rejects the session and probably confuse the + * driver otherwise. */ synchronize_net(); + clear_bit(HT_AGG_STATE_WANT_START, &tid_tx->state); + start_seq_num = sta->tid_seq[tid] >> 4; ret = drv_ampdu_action(local, sdata, IEEE80211_AMPDU_TX_START, -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
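Review bot: the reordering only closes the race because ieee80211_stop_queue_agg(local, tid) in the context lines has already stopped this TID's queue, so that after synchronize_net() returns no new frame can enter the TX path and observe WANT_START cleared; the expanded comment explains what synchronize_net() buys but not that the stop_queue call is the precondition that makes it hold, and the moved clear_bit() now sits directly before drv_ampdu_action() with nothing else in the hunk keeping frames out of that window. Suggest adding one line to the comment, for example "the TID queue was stopped above, so once synchronize_net() returns no new frames can arrive", and a sentence in the commit message (useful for the stable backport) stating that the old order was wrong because frames already in the TX path could see the bit cleared before synchronize_net() had waited for them. Please also confirm that the driver-rejection path following this hunk does not assume tid_tx->pending is empty, since that is the leak the commit message describes and the hunk itself does not show how a rejected session handles any frames still queued there.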