cfg80211: keep track of current_bss for userspace SME

When a userspace SME is active, we're currently not keeping track of the BSS properly for reporting the current link and for internal use. Additionally, it looks like there is a possible BSS leak in that the BSS never gets removed from auth_bsses[]. To fix it, pass the BSS struct to __cfg80211_connect_result in this case. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-29 11:23:49 +02:00 · 2009-07-29 11:23:49 +02:00 · df7fc0f973
commit df7fc0f973
parent 97af743207
4 changed files with 51 additions and 33 deletions
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@ -314,7 +314,8 @@ static void cfg80211_process_events(struct wireless_dev *wdev)
 				ev->cr.req_ie, ev->cr.req_ie_len,
 				ev->cr.resp_ie, ev->cr.resp_ie_len,
 				ev->cr.status,
-				ev->cr.status == WLAN_STATUS_SUCCESS);
+				ev->cr.status == WLAN_STATUS_SUCCESS,
 				NULL);
 			break;
 		case EVENT_ROAMED:
 			__cfg80211_roamed(wdev, ev->rm.bssid,
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@ -127,6 +127,11 @@ static inline struct cfg80211_internal_bss *bss_from_pub(struct cfg80211_bss *pu
 	return container_of(pub, struct cfg80211_internal_bss, pub);
 }
 static inline void cfg80211_ref_bss(struct cfg80211_internal_bss *bss)
 {
 	kref_get(&bss->ref);
 }
 static inline void cfg80211_hold_bss(struct cfg80211_internal_bss *bss)
 {
 	atomic_inc(&bss->hold);
@ -323,7 +328,8 @@ void cfg80211_mlme_down(struct cfg80211_registered_device *rdev,
 void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
 			       const u8 *req_ie, size_t req_ie_len,
 			       const u8 *resp_ie, size_t resp_ie_len,
-			       u16 status, bool wextev);
+			       u16 status, bool wextev,
 			       struct cfg80211_bss *bss);
 /* SME */
 int __cfg80211_connect(struct cfg80211_registered_device *rdev,
--- a/net/wireless/mlme.c
+++ b/net/wireless/mlme.c
@ -61,7 +61,7 @@ void cfg80211_send_rx_assoc(struct net_device *dev, const u8 *buf, size_t len)
 	struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)buf;
 	u8 *ie = mgmt->u.assoc_resp.variable;
 	int i, ieoffs = offsetof(struct ieee80211_mgmt, u.assoc_resp.variable);
-	bool done;
+	struct cfg80211_internal_bss *bss = NULL;
 	wdev_lock(wdev);
@ -69,22 +69,32 @@ void cfg80211_send_rx_assoc(struct net_device *dev, const u8 *buf, size_t len)
 	nl80211_send_rx_assoc(rdev, dev, buf, len, GFP_KERNEL);
 	__cfg80211_connect_result(dev, mgmt->bssid, NULL, 0, ie, len - ieoffs,
 				  status_code,
 				  status_code == WLAN_STATUS_SUCCESS);
 	if (status_code == WLAN_STATUS_SUCCESS) {
-		for (i = 0; wdev->current_bss && i < MAX_AUTH_BSSES; i++) {
+		for (i = 0; i < MAX_AUTH_BSSES; i++) {
-			if (wdev->auth_bsses[i] == wdev->current_bss) {
+			if (!wdev->auth_bsses[i])
-				cfg80211_unhold_bss(wdev->auth_bsses[i]);
+				continue;
-				cfg80211_put_bss(&wdev->auth_bsses[i]->pub);
+			if (memcmp(wdev->auth_bsses[i]->pub.bssid, mgmt->bssid,
 				   ETH_ALEN) == 0) {
 				bss = wdev->auth_bsses[i];
 				wdev->auth_bsses[i] = NULL;
-				done = true;
+				/* additional reference to drop hold */
 				cfg80211_ref_bss(bss);
 				break;
 			}
 		}
-		WARN_ON(!done);
+		WARN_ON(!bss);
 	}
 	/* this consumes one bss reference (unless bss is NULL) */
 	__cfg80211_connect_result(dev, mgmt->bssid, NULL, 0, ie, len - ieoffs,
 				  status_code,
 				  status_code == WLAN_STATUS_SUCCESS,
 				  bss ? &bss->pub : NULL);
 	/* drop hold now, and also reference acquired above */
 	if (bss) {
 		cfg80211_unhold_bss(bss);
 		cfg80211_put_bss(&bss->pub);
 	}
 	wdev_unlock(wdev);
@ -144,7 +154,7 @@ static void __cfg80211_send_deauth(struct net_device *dev,
 	} else if (wdev->sme_state == CFG80211_SME_CONNECTING) {
 		__cfg80211_connect_result(dev, mgmt->bssid, NULL, 0, NULL, 0,
 					  WLAN_STATUS_UNSPECIFIED_FAILURE,
-					  false);
+					  false, NULL);
 	}
 }
@ -241,7 +251,7 @@ void cfg80211_send_auth_timeout(struct net_device *dev, const u8 *addr)
 	if (wdev->sme_state == CFG80211_SME_CONNECTING)
 		__cfg80211_connect_result(dev, addr, NULL, 0, NULL, 0,
 					  WLAN_STATUS_UNSPECIFIED_FAILURE,
-					  false);
+					  false, NULL);
 	for (i = 0; addr && i < MAX_AUTH_BSSES; i++) {
 		if (wdev->authtry_bsses[i] &&
@ -275,7 +285,7 @@ void cfg80211_send_assoc_timeout(struct net_device *dev, const u8 *addr)
 	if (wdev->sme_state == CFG80211_SME_CONNECTING)
 		__cfg80211_connect_result(dev, addr, NULL, 0, NULL, 0,
 					  WLAN_STATUS_UNSPECIFIED_FAILURE,
-					  false);
+					  false, NULL);
 	for (i = 0; addr && i < MAX_AUTH_BSSES; i++) {
 		if (wdev->auth_bsses[i] &&
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@ -182,7 +182,7 @@ void cfg80211_conn_work(struct work_struct *work)
 					wdev->conn->params.bssid,
 					NULL, 0, NULL, 0,
 					WLAN_STATUS_UNSPECIFIED_FAILURE,
-					false);
+					false, NULL);
 		wdev_unlock(wdev);
 	}
@ -247,7 +247,7 @@ static void __cfg80211_sme_scan_done(struct net_device *dev)
 					wdev->conn->params.bssid,
 					NULL, 0, NULL, 0,
 					WLAN_STATUS_UNSPECIFIED_FAILURE,
-					false);
+					false, NULL);
 	}
 }
@ -305,7 +305,7 @@ void cfg80211_sme_rx_auth(struct net_device *dev,
 		schedule_work(&rdev->conn_work);
 	} else if (status_code != WLAN_STATUS_SUCCESS) {
 		__cfg80211_connect_result(dev, mgmt->bssid, NULL, 0, NULL, 0,
-					  status_code, false);
+					  status_code, false, NULL);
 	} else if (wdev->sme_state == CFG80211_SME_CONNECTING &&
 		 wdev->conn->state == CFG80211_CONN_AUTHENTICATING) {
 		wdev->conn->state = CFG80211_CONN_ASSOCIATE_NEXT;
@ -316,10 +316,10 @@ void cfg80211_sme_rx_auth(struct net_device *dev,
 void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
 			       const u8 *req_ie, size_t req_ie_len,
 			       const u8 *resp_ie, size_t resp_ie_len,
-			       u16 status, bool wextev)
+			       u16 status, bool wextev,
 			       struct cfg80211_bss *bss)
 {
 	struct wireless_dev *wdev = dev->ieee80211_ptr;
 	struct cfg80211_bss *bss;
 #ifdef CONFIG_WIRELESS_EXT
 	union iwreq_data wrqu;
 #endif
@ -361,6 +361,12 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
 	}
 #endif
 	if (wdev->current_bss) {
 		cfg80211_unhold_bss(wdev->current_bss);
 		cfg80211_put_bss(&wdev->current_bss->pub);
 		wdev->current_bss = NULL;
 	}
 	if (status == WLAN_STATUS_SUCCESS &&
 	    wdev->sme_state == CFG80211_SME_IDLE)
 		goto success;
@ -368,12 +374,6 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
 	if (wdev->sme_state != CFG80211_SME_CONNECTING)
 		return;
 	if (wdev->current_bss) {
 		cfg80211_unhold_bss(wdev->current_bss);
 		cfg80211_put_bss(&wdev->current_bss->pub);
 		wdev->current_bss = NULL;
 	}
 	if (wdev->conn)
 		wdev->conn->state = CFG80211_CONN_IDLE;
@ -386,10 +386,12 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
 		return;
 	}
-	bss = cfg80211_get_bss(wdev->wiphy, NULL, bssid,
+ success:
-			       wdev->ssid, wdev->ssid_len,
+	if (!bss)
-			       WLAN_CAPABILITY_ESS,
+		bss = cfg80211_get_bss(wdev->wiphy, NULL, bssid,
-			       WLAN_CAPABILITY_ESS);
+				       wdev->ssid, wdev->ssid_len,
 				       WLAN_CAPABILITY_ESS,
 				       WLAN_CAPABILITY_ESS);
 	if (WARN_ON(!bss))
 		return;
@ -397,7 +399,6 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
 	cfg80211_hold_bss(bss_from_pub(bss));
 	wdev->current_bss = bss_from_pub(bss);
 success:
 	wdev->sme_state = CFG80211_SME_CONNECTED;
 	cfg80211_upload_connect_keys(wdev);
 }
@ -788,7 +789,7 @@ int __cfg80211_disconnect(struct cfg80211_registered_device *rdev,
 	else if (wdev->sme_state == CFG80211_SME_CONNECTING)
 		__cfg80211_connect_result(dev, NULL, NULL, 0, NULL, 0,
 					  WLAN_STATUS_UNSPECIFIED_FAILURE,
-					  wextev);
+					  wextev, NULL);
 	return 0;
 }