wifi: mac80211: fix race in mesh sequence number assignment
authorFelix Fietkau <nbd@nbd.name>
Tue, 14 Mar 2023 09:59:51 +0000 (10:59 +0100)
committerJohannes Berg <johannes.berg@intel.com>
Wed, 22 Mar 2023 12:31:18 +0000 (13:31 +0100)
Since the sequence number is shared across different tx queues, it needs
to be atomic in order to avoid accidental duplicate assignment

Signed-off-by: Felix Fietkau <nbd@nbd.name>
Link: https://lore.kernel.org/r/20230314095956.62085-2-nbd@nbd.name
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
net/mac80211/ieee80211_i.h
net/mac80211/mesh.c

index b2535614483ef557f1e2110375d98a6122a42818..04017d5c435a127636d8d5c48fa5952d5c343e62 100644 (file)
@@ -696,7 +696,7 @@ struct ieee80211_if_mesh {
        struct mesh_stats mshstats;
        struct mesh_config mshcfg;
        atomic_t estab_plinks;
-       u32 mesh_seqnum;
+       atomic_t mesh_seqnum;
        bool accepting_plinks;
        int num_gates;
        struct beacon_data __rcu *beacon;
index 5a99b8f6e465ff6b5f29907c839f4eaabae16152..0608ed4158315268997eb6856dec36f6125b755d 100644 (file)
@@ -752,10 +752,8 @@ unsigned int ieee80211_new_mesh_header(struct ieee80211_sub_if_data *sdata,
 
        meshhdr->ttl = sdata->u.mesh.mshcfg.dot11MeshTTL;
 
-       /* FIXME: racy -- TX on multiple queues can be concurrent */
-       put_unaligned(cpu_to_le32(sdata->u.mesh.mesh_seqnum), &meshhdr->seqnum);
-       sdata->u.mesh.mesh_seqnum++;
-
+       put_unaligned_le32(atomic_inc_return(&sdata->u.mesh.mesh_seqnum),
+                          &meshhdr->seqnum);
        if (addr4or5 && !addr6) {
                meshhdr->flags |= MESH_FLAGS_AE_A4;
                memcpy(meshhdr->eaddr1, addr4or5, ETH_ALEN);