___ieee80211_stop_tx_ba_session first deletes the tx aggregation session timer and afterwards clears HT_AGG_STATE_OPERATIONAL. Hence, there is a small time window where the tx path can call mod_timer after del_timer_sync. When ieee80211_start_tx_ba_session runs before the timer the call to init_timer will cause a BUG_ON: [ 97.760000] Kernel bug detected[001]: [ 97.760000] Cpu 0 [ 97.760000] $ 0 : 00000000 00000000 00000001 000000e6 [ 97.760000] $ 4 : 8035791c 80f96008 ffffb100 00000001 [ 97.760000] $ 8 : 00000000 2e310000 00000002 89130205 [ 97.760000] $12 : ccdc43e0 00000000 80f30000 00000000 [ 97.760000] $16 : 803571e0 8189398c 00000031 81823e18 [ 97.760000] $20 : fffffffe 801da144 801da154 80203b38 [ 97.760000] $24 : 00000000 8000d1ac [ 97.760000] $28 : 81822000 81823e08 80204110 8001e3f8 [ 97.760000] Hi : 0000000a [ 97.760000] Lo : 0000000c [ 97.760000] epc : 8001e3ec cascade+0x6c/0xac [ 97.760000] Not tainted [ 97.760000] ra : 8001e3f8 cascade+0x78/0xac [ 97.760000] Status: 1000e402 KERNEL EXL [ 97.760000] Cause : 10800034 [ 97.760000] PrId : 0001964c (MIPS 24Kc) [ 97.760000] Modules linked in: rt2800pci rt2800lib rt2x00soc rt2x00pci rt2x00lib mac80211 crc_itu_t crc_ccitt cfg80211 compat arc4 button_hotplug gpio_buttons input_polldev input_core [ 97.760000] Process ksoftirqd/0 (pid: 3, threadinfo=81822000, task=81818860, tls=00000000) [ 97.760000] Stack : 0000000c 8000d1ac 00802000 00000005 818939b8 8189398c 803571e0 00000000 [ 97.760000] 00000001 80360000 80200000 8001e53c 80200000 00000100 00000009 80350000 [ 97.760000] 80350000 80203b38 80204110 800197e4 80357084 00000025 00000001 00000100 [ 97.760000] 00000008 80350000 80350000 80019b94 80201760 801a1e58 00000000 8000f958 [ 97.760000] 1000e403 00000000 80350000 80350000 00000000 00000001 00000000 00000000 [ 97.760000] ... [ 97.760000] Call Trace: [ 97.760000] [<8001e3ec>] cascade+0x6c/0xac [ 97.760000] [<8001e53c>] run_timer_softirq+0x80/0x1ec [ 97.760000] [<80019b94>] __do_softirq+0xac/0x15c [ 97.760000] [<80019cbc>] run_ksoftirqd+0x78/0x110 [ 97.760000] [<8002ba7c>] kthread+0x80/0x88 [ 97.760000] [<800032f0>] kernel_thread_helper+0x10/0x18 [ 97.760000] [ 97.760000] [ 97.760000] Code: 00541024 02021026 0002102b [ 97.760000] 0c00788c 02002021 02202821 8e310000 54b3fff7 With kernel object debugging enabled: ODEBUG: init active (active state 0) object type: timer_list hint: ieee80211_stop_tx_ba_session+0xc0/0x110 [mac80211] Fix this by first clearing HT_AGG_STATE_OPERATIONAL and then deleting the session timer. Signed-off-by: Helmut Schaa <helmut.schaa@xxxxxxxxxxxxxx> --- Johannes, I'm not 100% sure if the fix is correct but I wasn't able to reproduce the BUG_ON anymore with it. Thanks, Helmut net/mac80211/agg-tx.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c index 5b7053c..c44410a 100644 --- a/net/mac80211/agg-tx.c +++ b/net/mac80211/agg-tx.c @@ -189,9 +189,6 @@ int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid, sta->sta.addr, tid); #endif /* CONFIG_MAC80211_HT_DEBUG */ - del_timer_sync(&tid_tx->addba_resp_timer); - del_timer_sync(&tid_tx->session_timer); - /* * After this packets are no longer handed right through * to the driver but are put onto tid_tx->pending instead, @@ -199,6 +196,9 @@ int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid, */ clear_bit(HT_AGG_STATE_OPERATIONAL, &tid_tx->state); + del_timer_sync(&tid_tx->addba_resp_timer); + del_timer_sync(&tid_tx->session_timer); + /* * There might be a few packets being processed right now (on * another CPU) that have already gotten past the aggregation -- 1.7.7 -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
