public inbox for linux-wireless@vger.kernel.org
* [PATCH] mac80211: fix deauth race
@ 2010-02-06 14:10 Johannes Berg
  2010-02-06 14:20 ` [PATCH v2] " Johannes Berg
  0 siblings, 1 reply; 2+ messages in thread
From: Johannes Berg @ 2010-02-06 14:10 UTC (permalink / raw)
  To: linville; +Cc: linux-wireless

When userspace requests a deauth while the
authentication work is pending in the auth
(not probe) state, we do not properly abort
the work and then things get confused.

Fix that and also improve the checks here
to include the correct virtual interface,
just in case two virtual interfaces would
ever try to connect to the same BSS.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
---
 net/mac80211/mlme.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

--- wireless-testing.orig/net/mac80211/mlme.c	2010-02-06 15:07:37.000000000 +0100
+++ wireless-testing/net/mac80211/mlme.c	2010-02-06 15:07:43.000000000 +0100
@@ -2007,11 +2007,17 @@ int ieee80211_mgd_deauth(struct ieee8021
 
 		mutex_lock(&local->work_mtx);
 		list_for_each_entry(wk, &local->work_list, list) {
-			if (wk->type != IEEE80211_WORK_DIRECT_PROBE)
+			if (wk->sdata != sdata)
 				continue;
+
+			if (wk->type != IEEE80211_WORK_DIRECT_PROBE &&
+			    wk->type != IEEE80211_WORK_AUTH)
+				continue;
+
 			if (memcmp(req->bss->bssid, wk->filter_ta, ETH_ALEN))
 				continue;
-			not_auth_yet = true;
+
+			not_auth_yet = wk->type == IEEE80211_WORK_DIRECT_PROBE;
 			list_del(&wk->list);
 			free_work(wk);
 			break;
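
Review bot: The unchanged `list_del(&wk->list);` directly before `free_work(wk);` stays a plain list_del even though this loop now also removes IEEE80211_WORK_AUTH items; the v2 posting in this thread changes that line to list_del_rcu, so v2 should be taken instead of this version. Separately, `not_auth_yet = wk->type == IEEE80211_WORK_DIRECT_PROBE;` leaves not_auth_yet false when an auth work item is removed, and a short comment stating what that false value means for the rest of ieee80211_mgd_deauth() would make the intent clear.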




* [PATCH v2] mac80211: fix deauth race
  2010-02-06 14:10 [PATCH] mac80211: fix deauth race Johannes Berg
@ 2010-02-06 14:20 ` Johannes Berg
  0 siblings, 0 replies; 2+ messages in thread
From: Johannes Berg @ 2010-02-06 14:20 UTC (permalink / raw)
  To: linville; +Cc: linux-wireless

When userspace requests a deauth while the
authentication work is pending in the auth
(not probe) state, we do not properly abort
the work and then things get confused.

Fix that and also improve the checks here
to include the correct virtual interface,
just in case two virtual interfaces would
ever try to connect to the same BSS.

Also fix a bug -- need to use list_del_rcu
instead of just list_del to free a work
item.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
---
 net/mac80211/mlme.c |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- wireless-testing.orig/net/mac80211/mlme.c	2010-02-06 15:07:37.000000000 +0100
+++ wireless-testing/net/mac80211/mlme.c	2010-02-06 15:18:58.000000000 +0100
@@ -2007,12 +2007,18 @@ int ieee80211_mgd_deauth(struct ieee8021
 
 		mutex_lock(&local->work_mtx);
 		list_for_each_entry(wk, &local->work_list, list) {
-			if (wk->type != IEEE80211_WORK_DIRECT_PROBE)
+			if (wk->sdata != sdata)
 				continue;
+
+			if (wk->type != IEEE80211_WORK_DIRECT_PROBE &&
+			    wk->type != IEEE80211_WORK_AUTH)
+				continue;
+
 			if (memcmp(req->bss->bssid, wk->filter_ta, ETH_ALEN))
 				continue;
-			not_auth_yet = true;
-			list_del(&wk->list);
+
+			not_auth_yet = wk->type == IEEE80211_WORK_DIRECT_PROBE;
+			list_del_rcu(&wk->list);
 			free_work(wk);
 			break;
 		}
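
Review bot: `list_del_rcu(&wk->list);` is followed immediately by `free_work(wk);`, and nothing in the hunk shows whether free_work() waits for an RCU grace period before releasing the item. If it frees directly, a reader still walking work_list could touch freed memory, so please confirm that free_work() defers the free and say so in the commit message, which currently only states that list_del_rcu is needed. The `wk->sdata != sdata` test placed first in the loop is a sound tightening, since the BSSID comparison alone would match work belonging to another virtual interface.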


