From 0f6b3f597daab2254614e2773e322e73fb1b6f4b Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Wed, 20 Jun 2012 20:11:33 +0200 Subject: [PATCH] mac80211: fix double-start of remain-on-channel When a remain-on-channel item is deleted, we remove it from the list and then start the next item. However, if it wasn't actually the first item then calling ieee80211_start_next_roc() is wrong as it will start the first item -- even if that was already started. Fix the two places that do this and add a warning to prevent the problem from reoccurring. Reported-by: Eliad Peller Signed-off-by: Johannes Berg --- net/mac80211/cfg.c | 3 ++- net/mac80211/offchannel.c | 6 +++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index a6abcd47343..03aff23c70f 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -2362,7 +2362,8 @@ static int ieee80211_cancel_roc(struct ieee80211_local *local, list_del(&found->list); - ieee80211_start_next_roc(local); + if (found->started) + ieee80211_start_next_roc(local); mutex_unlock(&local->mtx); ieee80211_roc_notify_destroy(found); diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c index febce7fb7bb..7f93626ddc6 100644 --- a/net/mac80211/offchannel.c +++ b/net/mac80211/offchannel.c @@ -262,6 +262,9 @@ void ieee80211_start_next_roc(struct ieee80211_local *local) roc = list_first_entry(&local->roc_list, struct ieee80211_roc_work, list); + if (WARN_ON_ONCE(roc->started)) + return; + if (local->ops->remain_on_channel) { int ret, duration = roc->duration; @@ -377,7 +380,8 @@ void ieee80211_sw_roc_work(struct work_struct *work) ieee80211_recalc_idle(local); - ieee80211_start_next_roc(local); + if (roc->started) + ieee80211_start_next_roc(local); } out_unlock: -- 2.41.0