public inbox for linux-kernel@vger.kernel.org
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
	akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
	Johannes Berg <johannes.berg@intel.com>,
	"John W. Linville" <linville@tuxdriver.com>
Subject: [28/38] cfg80211: dont get expired BSSes
Date: Fri, 06 Aug 2010 11:30:49 -0700
Message-ID: <20100806183202.509051537@clark.site>
In-Reply-To: <20100806183250.GA23019@kroah.com>

2.6.35-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Johannes Berg <johannes.berg@intel.com>

commit ccb6c1360f8dd43303c659db718e7e0b24175db5 upstream.

When kernel-internal users use cfg80211_get_bss()
to get a reference to a BSS struct, they may end
up getting one that would have been removed from
the list if there had been any userspace access
to the list. This leads to inconsistencies and
problems.

Fix it by making cfg80211_get_bss() ignore BSSes
that cfg80211_bss_expire() would remove.

Fixes http://bugzilla.intellinuxwireless.org/show_bug.cgi?id=2180

Reported-by: Jiajia Zheng <jiajia.zheng@intel.com>
Tested-by: Jiajia Zheng <jiajia.zheng@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 net/wireless/scan.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -275,6 +275,7 @@ struct cfg80211_bss *cfg80211_get_bss(st
 {
 	struct cfg80211_registered_device *dev = wiphy_to_dev(wiphy);
 	struct cfg80211_internal_bss *bss, *res = NULL;
+	unsigned long now = jiffies;
 
 	spin_lock_bh(&dev->bss_lock);
 
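Review bot: `now` is read from jiffies in the declaration, before spin_lock_bh(&dev->bss_lock) is taken, so every entry in the walk is compared against a timestamp that predates the lock acquisition. For an expiry window this is harmless, and a single snapshot has the benefit that all entries are judged against the same instant, but a short comment saying the snapshot is intentional would help. Alternatively, assign `now` just after the lock is taken so the value reflects the time the list is actually examined.
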
@@ -283,6 +284,10 @@ struct cfg80211_bss *cfg80211_get_bss(st
 			continue;
 		if (channel && bss->pub.channel != channel)
 			continue;
+		/* Don't get expired BSS structs */
+		if (time_after(now, bss->ts + IEEE80211_SCAN_RESULT_EXPIRE) &&
+		    !atomic_read(&bss->hold))
+			continue;
 		if (is_bss(&bss->pub, bssid, ssid, ssid_len)) {
 			res = bss;
 			kref_get(&res->ref);
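
Review bot: the expiry test added ahead of is_bss() open-codes the rule that, per the changelog, cfg80211_bss_expire() applies, so the two sites can drift apart if the timeout or the hold handling changes later. Consider a small shared helper that both call. The comment "Don't get expired BSS structs" also covers only half of the condition: an entry older than IEEE80211_SCAN_RESULT_EXPIRE is still returned while bss->hold is non-zero, and that exception is worth stating so callers do not read the comment as a guarantee that nothing stale comes back. The sum bss->ts + IEEE80211_SCAN_RESULT_EXPIRE is safe across jiffies wraparound only because it goes through time_after(); any refactor should keep that comparison rather than a plain `>`.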


