From: Johannes Berg <johannes@sipsolutions.net>
Date: Wed, 26 Sep 2007 13:19:47 +0000 (+0200)
Subject: [PATCH] mac80211: fix iff_promiscs, iff_allmultis race
X-Git-Tag: v3.12-rc1~26468^2~296
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=53918994b7c8c3bf0af5f641e1f299856799d883;p=kernel%2Fkernel-generic.git

[PATCH] mac80211: fix iff_promiscs, iff_allmultis race

When we update the counters iff_promiscs and iff_allmultis
in struct ieee80211_local we have no common lock held to
protect them. The problem is that the update to each counter
may not be atomic, so we could end up with iff_promiscs == -1
in unfortunate conditions. To fix it, use atomic_t values.
It doesn't matter whether the two counters are updated
together atomically or not, if there are two invocations
of set_multicast_list we will end up with multiple
configure_filter() invocations of which the latter will always
be correct.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
---

diff --git a/net/mac80211/ieee80211.c b/net/mac80211/ieee80211.c
index b118053..2501bff 100644
--- a/net/mac80211/ieee80211.c
+++ b/net/mac80211/ieee80211.c
@@ -59,10 +59,10 @@ static void ieee80211_configure_filter(struct ieee80211_local *local)
 	unsigned int changed_flags;
 	unsigned int new_flags = 0;
 
-	if (local->iff_promiscs)
+	if (atomic_read(&local->iff_promiscs))
 		new_flags |= FIF_PROMISC_IN_BSS;
 
-	if (local->iff_allmultis)
+	if (atomic_read(&local->iff_allmultis))
 		new_flags |= FIF_ALLMULTI;
 
 	if (local->monitors)
@@ -521,17 +521,17 @@ static void ieee80211_set_multicast_list(struct net_device *dev)
 
 	if (allmulti != sdata_allmulti) {
 		if (dev->flags & IFF_ALLMULTI)
-			local->iff_allmultis++;
+			atomic_inc(&local->iff_allmultis);
 		else
-			local->iff_allmultis--;
+			atomic_dec(&local->iff_allmultis);
 		sdata->flags ^= IEEE80211_SDATA_ALLMULTI;
 	}
 
 	if (promisc != sdata_promisc) {
 		if (dev->flags & IFF_PROMISC)
-			local->iff_promiscs++;
+			atomic_inc(&local->iff_promiscs);
 		else
-			local->iff_promiscs--;
+			atomic_dec(&local->iff_promiscs);
 		sdata->flags ^= IEEE80211_SDATA_PROMISC;
 	}
 
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 32d19bb..38e0a46 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -444,9 +444,8 @@ struct ieee80211_local {
 	struct ieee80211_tx_stored_packet pending_packet[NUM_TX_DATA_QUEUES];
 	struct tasklet_struct tx_pending_tasklet;
 
-	int mc_count;	/* total count of multicast entries in all interfaces */
-	int iff_allmultis, iff_promiscs;
-			/* number of interfaces with corresponding IFF_ flags */
+	/* number of interfaces with corresponding IFF_ flags */
+	atomic_t iff_allmultis, iff_promiscs;
 
 	struct rate_control_ref *rate_ctrl;
 
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 34adc52..03635fb 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1531,7 +1531,8 @@ void __ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb,
 	skb = rx.skb;
 
 	if (sta && !(sta->flags & (WLAN_STA_WDS | WLAN_STA_ASSOC_AP)) &&
-	    !local->iff_promiscs && !is_multicast_ether_addr(hdr->addr1)) {
+	    !atomic_read(&local->iff_promiscs) &&
+	    !is_multicast_ether_addr(hdr->addr1)) {
 		rx.flags |= IEEE80211_TXRXD_RXRA_MATCH;
 		ieee80211_invoke_rx_handlers(local, local->rx_handlers, &rx,
 					     rx.sta);