@@ -314,7 +314,8 @@ static void cfg80211_process_events(stru
ev->cr.req_ie, ev->cr.req_ie_len,
ev->cr.resp_ie, ev->cr.resp_ie_len,
ev->cr.status,
- ev->cr.status == WLAN_STATUS_SUCCESS);
+ ev->cr.status == WLAN_STATUS_SUCCESS,
+ NULL);
break;
case EVENT_ROAMED:
__cfg80211_roamed(wdev, ev->rm.bssid,
@@ -127,6 +127,11 @@ static inline struct cfg80211_internal_b
return container_of(pub, struct cfg80211_internal_bss, pub);
}
+static inline void cfg80211_ref_bss(struct cfg80211_internal_bss *bss)
+{
+ kref_get(&bss->ref);
+}
+
static inline void cfg80211_hold_bss(struct cfg80211_internal_bss *bss)
{
atomic_inc(&bss->hold);
@@ -323,7 +328,8 @@ void cfg80211_mlme_down(struct cfg80211_
void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
const u8 *req_ie, size_t req_ie_len,
const u8 *resp_ie, size_t resp_ie_len,
- u16 status, bool wextev);
+ u16 status, bool wextev,
+ struct cfg80211_bss *bss);
/* SME */
int __cfg80211_connect(struct cfg80211_registered_device *rdev,
@@ -61,7 +61,7 @@ void cfg80211_send_rx_assoc(struct net_d
struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)buf;
u8 *ie = mgmt->u.assoc_resp.variable;
int i, ieoffs = offsetof(struct ieee80211_mgmt, u.assoc_resp.variable);
- bool done;
+ struct cfg80211_internal_bss *bss = NULL;
wdev_lock(wdev);
@@ -69,22 +69,32 @@ void cfg80211_send_rx_assoc(struct net_d
nl80211_send_rx_assoc(rdev, dev, buf, len, GFP_KERNEL);
- __cfg80211_connect_result(dev, mgmt->bssid, NULL, 0, ie, len - ieoffs,
- status_code,
- status_code == WLAN_STATUS_SUCCESS);
-
if (status_code == WLAN_STATUS_SUCCESS) {
- for (i = 0; wdev->current_bss && i < MAX_AUTH_BSSES; i++) {
- if (wdev->auth_bsses[i] == wdev->current_bss) {
- cfg80211_unhold_bss(wdev->auth_bsses[i]);
- cfg80211_put_bss(&wdev->auth_bsses[i]->pub);
+ for (i = 0; i < MAX_AUTH_BSSES; i++) {
+ if (!wdev->auth_bsses[i])
+ continue;
+ if (memcmp(wdev->auth_bsses[i]->pub.bssid, mgmt->bssid,
+ ETH_ALEN) == 0) {
+ bss = wdev->auth_bsses[i];
wdev->auth_bsses[i] = NULL;
- done = true;
+ /* additional reference to drop hold */
+ cfg80211_ref_bss(bss);
break;
}
}
- WARN_ON(!done);
+ WARN_ON(!bss);
+ }
+
+ /* this consumes one bss reference (unless bss is NULL) */
+ __cfg80211_connect_result(dev, mgmt->bssid, NULL, 0, ie, len - ieoffs,
+ status_code,
+ status_code == WLAN_STATUS_SUCCESS,
+ bss ? &bss->pub : NULL);
+ /* drop hold now, and also reference acquired above */
+ if (bss) {
+ cfg80211_unhold_bss(bss);
+ cfg80211_put_bss(&bss->pub);
}
wdev_unlock(wdev);
@@ -144,7 +154,7 @@ static void __cfg80211_send_deauth(struc
} else if (wdev->sme_state == CFG80211_SME_CONNECTING) {
__cfg80211_connect_result(dev, mgmt->bssid, NULL, 0, NULL, 0,
WLAN_STATUS_UNSPECIFIED_FAILURE,
- false);
+ false, NULL);
}
}
@@ -241,7 +251,7 @@ void cfg80211_send_auth_timeout(struct n
if (wdev->sme_state == CFG80211_SME_CONNECTING)
__cfg80211_connect_result(dev, addr, NULL, 0, NULL, 0,
WLAN_STATUS_UNSPECIFIED_FAILURE,
- false);
+ false, NULL);
for (i = 0; addr && i < MAX_AUTH_BSSES; i++) {
if (wdev->authtry_bsses[i] &&
@@ -275,7 +285,7 @@ void cfg80211_send_assoc_timeout(struct
if (wdev->sme_state == CFG80211_SME_CONNECTING)
__cfg80211_connect_result(dev, addr, NULL, 0, NULL, 0,
WLAN_STATUS_UNSPECIFIED_FAILURE,
- false);
+ false, NULL);
for (i = 0; addr && i < MAX_AUTH_BSSES; i++) {
if (wdev->auth_bsses[i] &&
@@ -182,7 +182,7 @@ void cfg80211_conn_work(struct work_stru
wdev->conn->params.bssid,
NULL, 0, NULL, 0,
WLAN_STATUS_UNSPECIFIED_FAILURE,
- false);
+ false, NULL);
wdev_unlock(wdev);
}
@@ -247,7 +247,7 @@ static void __cfg80211_sme_scan_done(str
wdev->conn->params.bssid,
NULL, 0, NULL, 0,
WLAN_STATUS_UNSPECIFIED_FAILURE,
- false);
+ false, NULL);
}
}
@@ -305,7 +305,7 @@ void cfg80211_sme_rx_auth(struct net_dev
schedule_work(&rdev->conn_work);
} else if (status_code != WLAN_STATUS_SUCCESS) {
__cfg80211_connect_result(dev, mgmt->bssid, NULL, 0, NULL, 0,
- status_code, false);
+ status_code, false, NULL);
} else if (wdev->sme_state == CFG80211_SME_CONNECTING &&
wdev->conn->state == CFG80211_CONN_AUTHENTICATING) {
wdev->conn->state = CFG80211_CONN_ASSOCIATE_NEXT;
@@ -316,10 +316,10 @@ void cfg80211_sme_rx_auth(struct net_dev
void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
const u8 *req_ie, size_t req_ie_len,
const u8 *resp_ie, size_t resp_ie_len,
- u16 status, bool wextev)
+ u16 status, bool wextev,
+ struct cfg80211_bss *bss)
{
struct wireless_dev *wdev = dev->ieee80211_ptr;
- struct cfg80211_bss *bss;
#ifdef CONFIG_WIRELESS_EXT
union iwreq_data wrqu;
#endif
@@ -361,6 +361,12 @@ void __cfg80211_connect_result(struct ne
}
#endif
+ if (wdev->current_bss) {
+ cfg80211_unhold_bss(wdev->current_bss);
+ cfg80211_put_bss(&wdev->current_bss->pub);
+ wdev->current_bss = NULL;
+ }
+
if (status == WLAN_STATUS_SUCCESS &&
wdev->sme_state == CFG80211_SME_IDLE)
goto success;
@@ -368,12 +374,6 @@ void __cfg80211_connect_result(struct ne
if (wdev->sme_state != CFG80211_SME_CONNECTING)
return;
- if (wdev->current_bss) {
- cfg80211_unhold_bss(wdev->current_bss);
- cfg80211_put_bss(&wdev->current_bss->pub);
- wdev->current_bss = NULL;
- }
-
if (wdev->conn)
wdev->conn->state = CFG80211_CONN_IDLE;
@@ -386,10 +386,12 @@ void __cfg80211_connect_result(struct ne
return;
}
- bss = cfg80211_get_bss(wdev->wiphy, NULL, bssid,
- wdev->ssid, wdev->ssid_len,
- WLAN_CAPABILITY_ESS,
- WLAN_CAPABILITY_ESS);
+ success:
+ if (!bss)
+ bss = cfg80211_get_bss(wdev->wiphy, NULL, bssid,
+ wdev->ssid, wdev->ssid_len,
+ WLAN_CAPABILITY_ESS,
+ WLAN_CAPABILITY_ESS);
if (WARN_ON(!bss))
return;
@@ -397,7 +399,6 @@ void __cfg80211_connect_result(struct ne
cfg80211_hold_bss(bss_from_pub(bss));
wdev->current_bss = bss_from_pub(bss);
- success:
wdev->sme_state = CFG80211_SME_CONNECTED;
cfg80211_upload_connect_keys(wdev);
}
@@ -788,7 +789,7 @@ int __cfg80211_disconnect(struct cfg8021
else if (wdev->sme_state == CFG80211_SME_CONNECTING)
__cfg80211_connect_result(dev, NULL, NULL, 0, NULL, 0,
WLAN_STATUS_UNSPECIFIED_FAILURE,
- wextev);
+ wextev, NULL);
return 0;
}
When a userspace SME is active, we're currently not keeping track of the BSS properly for reporting the current link and for internal use. Additionally, it looks like there is a possible BSS leak in that the BSS never gets removed from auth_bsses[]. To fix it, pass the BSS struct to __cfg80211_connect_result in this case. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> --- v2: hold already is a counter, so no race necessary net/wireless/core.c | 3 ++- net/wireless/core.h | 8 +++++++- net/wireless/mlme.c | 38 ++++++++++++++++++++++++-------------- net/wireless/sme.c | 35 ++++++++++++++++++----------------- 4 files changed, 51 insertions(+), 33 deletions(-) -- To unsubscribe from this list: send the line "unsubscribe linux-wireless" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html