From: Johannes Berg
Date: Tue, 5 Oct 2010 19:40:33 +0000 (+0200)
Subject: mac80211: delete AddBA response timer
X-Git-Tag: v2.6.36-rc8~17^2~1^2~1
X-Git-Url: http://bbs.cooldavid.org/git/?a=commitdiff_plain;h=44271488b91c9eecf249e075a1805dd887e222d2;p=net-next-2.6.git

mac80211: delete AddBA response timer

We never delete the addBA response timer, which is typically fine, but if the station it belongs to is deleted very quickly after starting the BA session, before the peer had a chance to reply, the timer may fire after the station struct has been freed already.

Therefore, we need to delete the timer in a suitable spot -- best when the session is being stopped (which will happen even then) in which case the delete will be a no-op most of the time.

I've reproduced the scenario and tested the fix.

This fixes the crash reported at http://mid.gmane.org/4CAB6F96.6090701@candelatech.com

Cc: stable@kernel.org
Reported-by: Ben Greear
Signed-off-by: Johannes Berg
Signed-off-by: John W. Linville

---
diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c index c893f236ace..8f23401832b 100644 --- a/net/mac80211/agg-tx.c +++ b/net/mac80211/agg-tx.c @@ -175,6 +175,8 @@ int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid, set_bit(HT_AGG_STATE_STOPPING, &tid_tx->state); + del_timer_sync(&tid_tx->addba_resp_timer); + /* * After this packets are no longer handed right through * to the driver but are put onto tid_tx->pending instead,
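Review bot: placing del_timer_sync(&tid_tx->addba_resp_timer) immediately after set_bit(HT_AGG_STATE_STOPPING, &tid_tx->state) is the right order, because a handler that is already running when the delete starts will observe STOPPING by the time del_timer_sync() returns, and a handler that has not started yet can no longer be scheduled; but the hunk shows none of the calling context of ___ieee80211_stop_tx_ba_session(), and del_timer_sync() must not be reached from the addba_resp_timer handler itself nor while holding a lock that the handler also acquires, so the commit message should state which locks this function is entered with and that the handler does not call back into this stop path. A one-line comment above the added call, saying the timer must be gone before the sta_info can be freed (the scenario the message describes), would also help future readers see why the delete lives here rather than in the station-teardown path.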