Re: [PATCH] mac80211: check if the ps_buf skb queue hasn't been drained

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2014-02-20 at 08:18 +0200, Emmanuel Grumbach wrote:
> There is a race between the Tx path and the STA wake up
> flow.
> If a station is asleep, mac80211 buffers frames, but up to
> a certain limit. When this limit is reached, mac80211 begins
> to drop the oldest buffered frames. This is done in the Tx
> path.
> When a station wakes up, mac80211 will go over the buffered
> frames list and send them.
> Since these two flows can run concurrently, we can get to a
> situation where the buffered frame list is emptied after the
> Tx path checked the length of the list. In that case the Tx
> path would get a NULL skb and crash.

I think you should rewrite the commit log - the real fix now isn't
really that it can't crash any more, I'd see that as a side effect of
the below:

> This is only a noisy consequence of another bigger issue:
> since ieee80211_tx_h_unicast_ps_buf is not synced against
> ieee80211_sta_ps_deliver_wakeup, Tx path could think that
> the STA is still sleeping and put the packet on the PS skb
> list while in fact the STA is awake already. In this case,
> the frame would sit on the PS skb list until the next time
> the STA wakes up and then, it'd be sent out of order.


> @@ -486,6 +499,7 @@ ieee80211_tx_h_unicast_ps_buf(struct ieee80211_tx_data *tx)
>  			ieee80211_free_txskb(&local->hw, old);
>  		} else
>  			tx->local->total_ps_buffered++;
> +		spin_unlock(&sta->lock);

That needs to be after adding the frame to the queue.

johannes

--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]