mac80211: fix double-start of remain-on-channel

When a remain-on-channel item is deleted, we remove it
from the list and then start the next item. However,
if it wasn't actually the first item then calling
ieee80211_start_next_roc() is wrong as it will start
the first item -- even if that was already started.

Fix the two places that do this and add a warning to
prevent the problem from reoccurring.

Reported-by: Eliad Peller <eliad@wizery.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index a6abcd4..03aff23 100644 (file)
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -2362,7 +2362,8 @@ static int ieee80211_cancel_roc(struct ieee80211_local *local,
 
                list_del(&found->list);
 
-               ieee80211_start_next_roc(local);
+               if (found->started)
+                       ieee80211_start_next_roc(local);
                mutex_unlock(&local->mtx);
 
                ieee80211_roc_notify_destroy(found);

diff --git a/net/mac80211/offchannel.c b/net/mac80211/offchannel.c
index febce7f..7f93626 100644 (file)
--- a/net/mac80211/offchannel.c
+++ b/net/mac80211/offchannel.c
@@ -262,6 +262,9 @@ void ieee80211_start_next_roc(struct ieee80211_local *local)
        roc = list_first_entry(&local->roc_list, struct ieee80211_roc_work,
                               list);
 
+       if (WARN_ON_ONCE(roc->started))
+               return;
+
        if (local->ops->remain_on_channel) {
                int ret, duration = roc->duration;
 
@@ -377,7 +380,8 @@ void ieee80211_sw_roc_work(struct work_struct *work)
 
                ieee80211_recalc_idle(local);
 
-               ieee80211_start_next_roc(local);
+               if (roc->started)
+                       ieee80211_start_next_roc(local);
        }
 
  out_unlock: