Hi!
From: Linus Lüssing ll@simonwunderlich.de
commit e2d4a80f93fcfaf72e2e20daf6a28e39c3b90677 upstream.
This patch fixes this issue by re-checking if mpath is about to be free'd and if so bails out of re-arming the timer.
--- a/net/mac80211/mesh_hwmp.c +++ b/net/mac80211/mesh_hwmp.c @@ -1088,7 +1088,14 @@ void mesh_path_start_discovery(struct ie mesh_path_sel_frame_tx(MPATH_PREQ, 0, sdata->vif.addr, ifmsh->sn, target_flags, mpath->dst, mpath->sn, da, 0, ttl, lifetime, 0, ifmsh->preq_id++, sdata);
- spin_lock_bh(&mpath->state_lock);
- if (mpath->flags & MESH_PATH_DELETED) {
spin_unlock_bh(&mpath->state_lock);
goto enddiscovery;
- } mod_timer(&mpath->timer, jiffies + mpath->discovery_timeout);
- spin_unlock_bh(&mpath->state_lock);
enddiscovery: rcu_read_unlock();
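Review bot: the MESH_PATH_DELETED test in front of mod_timer() carries no comment explaining why the flag has to be read under mpath->state_lock at this point. The commit message gives the reason (mpath may be about to be freed, so the timer must not be re-armed), but nothing in the code records it. A short comment above the check, for example "do not re-arm the timer of a path that is being deleted", would keep a later cleanup from dropping the lock or the test as redundant.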
This made my brain freeze for a while. AFAICT it can be rewritten as:
+ spin_lock_bh(&mpath->state_lock); + if (!(mpath->flags & MESH_PATH_DELETED)) mod_timer(&mpath->timer, jiffies + mpath->discovery_timeout); + spin_unlock_bh(&mpath->state_lock);
...?
Best regards, Pavel