> > From: Johannes Berg <johannes.berg@xxxxxxxxx> > > Noticed by looking at the code: if packets are > being processed while we clear the WANT_START > bit, they might see it clear and queue up on > tid_tx->pending. If the driver rejects the new > aggregation session then, we leak the packet. > > Cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: Johannes Berg <johannes.berg@xxxxxxxxx> > --- > net/mac80211/agg-tx.c | 13 +++++++++---- > 1 file changed, 9 insertions(+), 4 deletions(-) > > --- a/net/mac80211/agg-tx.c 2011-11-29 17:23:40.000000000 +0100 > +++ b/net/mac80211/agg-tx.c 2011-11-29 17:48:16.000000000 +0100 > @@ -324,14 +324,19 @@ void ieee80211_tx_ba_session_handle_star > */ > ieee80211_stop_queue_agg(local, tid); > > - clear_bit(HT_AGG_STATE_WANT_START, &tid_tx->state); > - > /* > - * make sure no packets are being processed to get > - * valid starting sequence number > + * Make sure no packets are being processed. This ensures that > + * a) we have a valid starting sequence number and it's really > + * the next frame and that > + * b) there's no packet that sees WANT_START cleared and queues > + * up on tid_tx->pending which would cause us to lose it if > + * the driver rejects the session and probably confuse the > + * driver otherwise. > */ > synchronize_net(); > > + clear_bit(HT_AGG_STATE_WANT_START, &tid_tx->state); > + > start_seq_num = sta->tid_seq[tid] >> 4; > > ret = drv_ampdu_action(local, sdata, IEEE80211_AMPDU_TX_START, > Yeah, that sounds reasonable to me. Although I would be glad to test it :-)
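Review bot: The new comment above synchronize_net() covers packets already in flight, but guarantee (b) also depends on ieee80211_stop_queue_agg(local, tid) earlier in the function keeping new frames out between synchronize_net() and the relocated clear_bit(HT_AGG_STATE_WANT_START, &tid_tx->state). I would say that in the comment, and state explicitly that the clear_bit must stay after synchronize_net(), so a later cleanup does not move it back. The wording "and probably confuse the driver otherwise" is vague for a stable-tagged fix; either name the concrete effect or drop the clause. The rejection path after drv_ampdu_action() is outside the visible context, so whether it releases anything already sitting on tid_tx->pending cannot be checked from this hunk; a short note in the commit message on that would help reviewers of the backport.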