cfg80211: keep track of current_bss for userspace SME
Johannes Berg [Wed, 29 Jul 2009 09:23:49 +0000 (11:23 +0200)]
When a userspace SME is active, we're currently not
keeping track of the BSS properly for reporting the
current link and for internal use. Additionally, it
looks like there is a possible BSS leak in that the
BSS never gets removed from auth_bsses[]. To fix it,
pass the BSS struct to __cfg80211_connect_result in
this case.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

net/wireless/core.c
net/wireless/core.h
net/wireless/mlme.c
net/wireless/sme.c

index f9fee65..755cdf1 100644 (file)
@@ -314,7 +314,8 @@ static void cfg80211_process_events(struct wireless_dev *wdev)
                                ev->cr.req_ie, ev->cr.req_ie_len,
                                ev->cr.resp_ie, ev->cr.resp_ie_len,
                                ev->cr.status,
-                               ev->cr.status == WLAN_STATUS_SUCCESS);
+                               ev->cr.status == WLAN_STATUS_SUCCESS,
+                               NULL);
                        break;
                case EVENT_ROAMED:
                        __cfg80211_roamed(wdev, ev->rm.bssid,
index 6d903c1..325c17e 100644 (file)
@@ -127,6 +127,11 @@ static inline struct cfg80211_internal_bss *bss_from_pub(struct cfg80211_bss *pu
        return container_of(pub, struct cfg80211_internal_bss, pub);
 }
 
+static inline void cfg80211_ref_bss(struct cfg80211_internal_bss *bss)
+{
+       kref_get(&bss->ref);
+}
+
 static inline void cfg80211_hold_bss(struct cfg80211_internal_bss *bss)
 {
        atomic_inc(&bss->hold);
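Review bot: cfg80211_ref_bss has no comment saying how it relates to cfg80211_hold_bss right below it, although the two are used side by side in mlme.c and only one of them is a refcount: it does a kref_get while the hold helper only bumps the atomic `hold` counter. Suggest a one-line comment above the new helper: `/* take an extra kref on @bss; the caller must drop it with cfg80211_put_bss(&bss->pub). Independent of the hold count managed by cfg80211_hold_bss/cfg80211_unhold_bss. */`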
@@ -323,7 +328,8 @@ void cfg80211_mlme_down(struct cfg80211_registered_device *rdev,
 void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
                               const u8 *req_ie, size_t req_ie_len,
                               const u8 *resp_ie, size_t resp_ie_len,
-                              u16 status, bool wextev);
+                              u16 status, bool wextev,
+                              struct cfg80211_bss *bss);
 
 /* SME */
 int __cfg80211_connect(struct cfg80211_registered_device *rdev,
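Review bot: The new `bss` parameter on the __cfg80211_connect_result prototype carries an ownership rule that nothing here states: judging by the definition in the sme.c hunks, the reference the caller passes is only taken over when the function reaches its `success:` label and stores the BSS in current_bss, while on the early `return`s before that label the reference stays with the caller. A caller passing a non-NULL bss has to know that to balance its kref, so suggest documenting it on the declaration: `/* @bss: optional BSS to become current_bss; its reference is consumed only when the call ends in a successful connection, otherwise the caller still owns it. */` The same comment belongs on the definition in sme.c.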
index 097a87d..525e8e2 100644 (file)
@@ -61,7 +61,7 @@ void cfg80211_send_rx_assoc(struct net_device *dev, const u8 *buf, size_t len)
        struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)buf;
        u8 *ie = mgmt->u.assoc_resp.variable;
        int i, ieoffs = offsetof(struct ieee80211_mgmt, u.assoc_resp.variable);
-       bool done;
+       struct cfg80211_internal_bss *bss = NULL;
 
        wdev_lock(wdev);
 
@@ -69,22 +69,32 @@ void cfg80211_send_rx_assoc(struct net_device *dev, const u8 *buf, size_t len)
 
        nl80211_send_rx_assoc(rdev, dev, buf, len, GFP_KERNEL);
 
-       __cfg80211_connect_result(dev, mgmt->bssid, NULL, 0, ie, len - ieoffs,
-                                 status_code,
-                                 status_code == WLAN_STATUS_SUCCESS);
-
        if (status_code == WLAN_STATUS_SUCCESS) {
-               for (i = 0; wdev->current_bss && i < MAX_AUTH_BSSES; i++) {
-                       if (wdev->auth_bsses[i] == wdev->current_bss) {
-                               cfg80211_unhold_bss(wdev->auth_bsses[i]);
-                               cfg80211_put_bss(&wdev->auth_bsses[i]->pub);
+               for (i = 0; i < MAX_AUTH_BSSES; i++) {
+                       if (!wdev->auth_bsses[i])
+                               continue;
+                       if (memcmp(wdev->auth_bsses[i]->pub.bssid, mgmt->bssid,
+                                  ETH_ALEN) == 0) {
+                               bss = wdev->auth_bsses[i];
                                wdev->auth_bsses[i] = NULL;
-                               done = true;
+                               /* additional reference to drop hold */
+                               cfg80211_ref_bss(bss);
                                break;
                        }
                }
 
-               WARN_ON(!done);
+               WARN_ON(!bss);
+       }
+
+       /* this consumes one bss reference (unless bss is NULL) */
+       __cfg80211_connect_result(dev, mgmt->bssid, NULL, 0, ie, len - ieoffs,
+                                 status_code,
+                                 status_code == WLAN_STATUS_SUCCESS,
+                                 bss ? &bss->pub : NULL);
+       /* drop hold now, and also reference acquired above */
+       if (bss) {
+               cfg80211_unhold_bss(bss);
+               cfg80211_put_bss(&bss->pub);
        }
 
        wdev_unlock(wdev);
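Review bot: `WARN_ON(!bss)` on the new side only warns; when no auth_bsses[] entry matched, the code still calls __cfg80211_connect_result with a NULL bss and a success status, and that function (sme.c hunks) then falls back to a cfg80211_get_bss() lookup and, if sme_state is IDLE, marks the interface connected to a BSS that was never in the authenticated set — presumably the case when a deauth removed the entry just before this frame was processed. Suggest `if (WARN_ON(!bss)) goto out;` with an `out:` label added in front of the trailing `wdev_unlock(wdev);`, so the association is not reported as a connection in that case. cfg80211_send_rx_assoc begins before this hunk and continues after it.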
@@ -144,7 +154,7 @@ static void __cfg80211_send_deauth(struct net_device *dev,
        } else if (wdev->sme_state == CFG80211_SME_CONNECTING) {
                __cfg80211_connect_result(dev, mgmt->bssid, NULL, 0, NULL, 0,
                                          WLAN_STATUS_UNSPECIFIED_FAILURE,
-                                         false);
+                                         false, NULL);
        }
 }
 
@@ -241,7 +251,7 @@ void cfg80211_send_auth_timeout(struct net_device *dev, const u8 *addr)
        if (wdev->sme_state == CFG80211_SME_CONNECTING)
                __cfg80211_connect_result(dev, addr, NULL, 0, NULL, 0,
                                          WLAN_STATUS_UNSPECIFIED_FAILURE,
-                                         false);
+                                         false, NULL);
 
        for (i = 0; addr && i < MAX_AUTH_BSSES; i++) {
                if (wdev->authtry_bsses[i] &&
@@ -275,7 +285,7 @@ void cfg80211_send_assoc_timeout(struct net_device *dev, const u8 *addr)
        if (wdev->sme_state == CFG80211_SME_CONNECTING)
                __cfg80211_connect_result(dev, addr, NULL, 0, NULL, 0,
                                          WLAN_STATUS_UNSPECIFIED_FAILURE,
-                                         false);
+                                         false, NULL);
 
        for (i = 0; addr && i < MAX_AUTH_BSSES; i++) {
                if (wdev->auth_bsses[i] &&
index d2b5d4c..3728d2b 100644 (file)
@@ -182,7 +182,7 @@ void cfg80211_conn_work(struct work_struct *work)
                                        wdev->conn->params.bssid,
                                        NULL, 0, NULL, 0,
                                        WLAN_STATUS_UNSPECIFIED_FAILURE,
-                                       false);
+                                       false, NULL);
                wdev_unlock(wdev);
        }
 
@@ -247,7 +247,7 @@ static void __cfg80211_sme_scan_done(struct net_device *dev)
                                        wdev->conn->params.bssid,
                                        NULL, 0, NULL, 0,
                                        WLAN_STATUS_UNSPECIFIED_FAILURE,
-                                       false);
+                                       false, NULL);
        }
 }
 
@@ -305,7 +305,7 @@ void cfg80211_sme_rx_auth(struct net_device *dev,
                schedule_work(&rdev->conn_work);
        } else if (status_code != WLAN_STATUS_SUCCESS) {
                __cfg80211_connect_result(dev, mgmt->bssid, NULL, 0, NULL, 0,
-                                         status_code, false);
+                                         status_code, false, NULL);
        } else if (wdev->sme_state == CFG80211_SME_CONNECTING &&
                 wdev->conn->state == CFG80211_CONN_AUTHENTICATING) {
                wdev->conn->state = CFG80211_CONN_ASSOCIATE_NEXT;
@@ -316,10 +316,10 @@ void cfg80211_sme_rx_auth(struct net_device *dev,
 void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
                               const u8 *req_ie, size_t req_ie_len,
                               const u8 *resp_ie, size_t resp_ie_len,
-                              u16 status, bool wextev)
+                              u16 status, bool wextev,
+                              struct cfg80211_bss *bss)
 {
        struct wireless_dev *wdev = dev->ieee80211_ptr;
-       struct cfg80211_bss *bss;
 #ifdef CONFIG_WIRELESS_EXT
        union iwreq_data wrqu;
 #endif
@@ -361,6 +361,12 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
        }
 #endif
 
+       if (wdev->current_bss) {
+               cfg80211_unhold_bss(wdev->current_bss);
+               cfg80211_put_bss(&wdev->current_bss->pub);
+               wdev->current_bss = NULL;
+       }
+
        if (status == WLAN_STATUS_SUCCESS &&
            wdev->sme_state == CFG80211_SME_IDLE)
                goto success;
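Review bot: Hoisting the current_bss release above the two sme_state checks changes what happens when __cfg80211_connect_result is entered while sme_state is CFG80211_SME_CONNECTED: the old placement (the lines removed in the following hunk) was only reached when CONNECTING, but now the current BSS is unheld and put, and the function returns at `if (wdev->sme_state != CFG80211_SME_CONNECTING) return;` with sme_state still CONNECTED and current_bss NULL. cfg80211_send_rx_assoc in mlme.c calls this without checking sme_state, so a successful (re)association reply arriving after a userspace-SME connect has already set CONNECTED at the `success:` path lands exactly there, and the bss it passes is not consumed on that path, leaving the kref it took with cfg80211_ref_bss without an owner. One option is to treat a successful result in any non-CONNECTING state like the IDLE case, e.g. `if (status == WLAN_STATUS_SUCCESS && wdev->sme_state != CFG80211_SME_CONNECTING) goto success;`; another is to keep the release only on the paths that go on to replace or clear the connection. The function continues outside this hunk.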
@@ -368,12 +374,6 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
        if (wdev->sme_state != CFG80211_SME_CONNECTING)
                return;
 
-       if (wdev->current_bss) {
-               cfg80211_unhold_bss(wdev->current_bss);
-               cfg80211_put_bss(&wdev->current_bss->pub);
-               wdev->current_bss = NULL;
-       }
-
        if (wdev->conn)
                wdev->conn->state = CFG80211_CONN_IDLE;
 
@@ -386,10 +386,12 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
                return;
        }
 
-       bss = cfg80211_get_bss(wdev->wiphy, NULL, bssid,
-                              wdev->ssid, wdev->ssid_len,
-                              WLAN_CAPABILITY_ESS,
-                              WLAN_CAPABILITY_ESS);
+ success:
+       if (!bss)
+               bss = cfg80211_get_bss(wdev->wiphy, NULL, bssid,
+                                      wdev->ssid, wdev->ssid_len,
+                                      WLAN_CAPABILITY_ESS,
+                                      WLAN_CAPABILITY_ESS);
 
        if (WARN_ON(!bss))
                return;
@@ -397,7 +399,6 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
        cfg80211_hold_bss(bss_from_pub(bss));
        wdev->current_bss = bss_from_pub(bss);
 
- success:
        wdev->sme_state = CFG80211_SME_CONNECTED;
        cfg80211_upload_connect_keys(wdev);
 }
@@ -788,7 +789,7 @@ int __cfg80211_disconnect(struct cfg80211_registered_device *rdev,
        else if (wdev->sme_state == CFG80211_SME_CONNECTING)
                __cfg80211_connect_result(dev, NULL, NULL, 0, NULL, 0,
                                          WLAN_STATUS_UNSPECIFIED_FAILURE,
-                                         wextev);
+                                         wextev, NULL);
 
        return 0;
 }