
Commit df7fc0f9 authored by Johannes Berg's avatar Johannes Berg Committed by John W. Linville

cfg80211: keep track of current_bss for userspace SME



When a userspace SME is active, we're currently not
keeping track of the BSS properly for reporting the
current link and for internal use. Additionally, it
looks like there is a possible BSS leak in that the
BSS never gets removed from auth_bsses[]. To fix it,
pass the BSS struct to __cfg80211_connect_result in
this case.

Signed-off-by: default avatarJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 97af7432
+2 −1
@@ -314,7 +314,8 @@ static void cfg80211_process_events(struct wireless_dev *wdev)
				ev->cr.req_ie, ev->cr.req_ie_len,
				ev->cr.resp_ie, ev->cr.resp_ie_len,
				ev->cr.status,
				ev->cr.status == WLAN_STATUS_SUCCESS);
				ev->cr.status == WLAN_STATUS_SUCCESS,
				NULL);
			break;
		case EVENT_ROAMED:
			__cfg80211_roamed(wdev, ev->rm.bssid,
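Review bot: The `NULL` passed as the new last argument in the EVENT_CONNECT_RESULT case is a reference-ownership decision that deserves a comment, because the same parameter in other callers hands a BSS reference to the callee. Suggest `/* no BSS reference handed over: the driver did not supply one, so __cfg80211_connect_result() looks it up by bssid/ssid */` above the call. The call statement and the enclosing cfg80211_process_events() both begin before this hunk.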
+7 −1
@@ -127,6 +127,11 @@ static inline struct cfg80211_internal_bss *bss_from_pub(struct cfg80211_bss *pu
	return container_of(pub, struct cfg80211_internal_bss, pub);
}

static inline void cfg80211_ref_bss(struct cfg80211_internal_bss *bss)
{
	kref_get(&bss->ref);
}

static inline void cfg80211_hold_bss(struct cfg80211_internal_bss *bss)
{
	atomic_inc(&bss->hold);
@@ -323,7 +328,8 @@ void cfg80211_mlme_down(struct cfg80211_registered_device *rdev,
void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
			       const u8 *req_ie, size_t req_ie_len,
			       const u8 *resp_ie, size_t resp_ie_len,
			       u16 status, bool wextev);
			       u16 status, bool wextev,
			       struct cfg80211_bss *bss);

/* SME */
int __cfg80211_connect(struct cfg80211_registered_device *rdev,
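Review bot: The new `struct cfg80211_bss *bss` parameter on the __cfg80211_connect_result() prototype carries a reference-ownership rule that the header does not state: the mlme.c caller relies on the callee consuming one reference when bss is non-NULL, and passes NULL when nothing is transferred. Suggest a comment above the prototype: `/* @bss: optional; if non-NULL, one reference is handed over to the callee and ends up in wdev->current_bss */`. cfg80211_ref_bss() wraps kref_get(), which is only valid on an object whose count is already non-zero, so `/* caller must already hold a reference */` on the helper would make that precondition explicit.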
+24 −14
@@ -61,7 +61,7 @@ void cfg80211_send_rx_assoc(struct net_device *dev, const u8 *buf, size_t len)
	struct ieee80211_mgmt *mgmt = (struct ieee80211_mgmt *)buf;
	u8 *ie = mgmt->u.assoc_resp.variable;
	int i, ieoffs = offsetof(struct ieee80211_mgmt, u.assoc_resp.variable);
	bool done;
	struct cfg80211_internal_bss *bss = NULL;

	wdev_lock(wdev);

@@ -69,22 +69,32 @@ void cfg80211_send_rx_assoc(struct net_device *dev, const u8 *buf, size_t len)

	nl80211_send_rx_assoc(rdev, dev, buf, len, GFP_KERNEL);

	__cfg80211_connect_result(dev, mgmt->bssid, NULL, 0, ie, len - ieoffs,
				  status_code,
				  status_code == WLAN_STATUS_SUCCESS);

	if (status_code == WLAN_STATUS_SUCCESS) {
		for (i = 0; wdev->current_bss && i < MAX_AUTH_BSSES; i++) {
			if (wdev->auth_bsses[i] == wdev->current_bss) {
				cfg80211_unhold_bss(wdev->auth_bsses[i]);
				cfg80211_put_bss(&wdev->auth_bsses[i]->pub);
		for (i = 0; i < MAX_AUTH_BSSES; i++) {
			if (!wdev->auth_bsses[i])
				continue;
			if (memcmp(wdev->auth_bsses[i]->pub.bssid, mgmt->bssid,
				   ETH_ALEN) == 0) {
				bss = wdev->auth_bsses[i];
				wdev->auth_bsses[i] = NULL;
				done = true;
				/* additional reference to drop hold */
				cfg80211_ref_bss(bss);
				break;
			}
		}

		WARN_ON(!done);
		WARN_ON(!bss);
	}

	/* this consumes one bss reference (unless bss is NULL) */
	__cfg80211_connect_result(dev, mgmt->bssid, NULL, 0, ie, len - ieoffs,
				  status_code,
				  status_code == WLAN_STATUS_SUCCESS,
				  bss ? &bss->pub : NULL);
	/* drop hold now, and also reference acquired above */
	if (bss) {
		cfg80211_unhold_bss(bss);
		cfg80211_put_bss(&bss->pub);
	}

	wdev_unlock(wdev);
@@ -144,7 +154,7 @@ static void __cfg80211_send_deauth(struct net_device *dev,
	} else if (wdev->sme_state == CFG80211_SME_CONNECTING) {
		__cfg80211_connect_result(dev, mgmt->bssid, NULL, 0, NULL, 0,
					  WLAN_STATUS_UNSPECIFIED_FAILURE,
					  false);
					  false, NULL);
	}
}

@@ -241,7 +251,7 @@ void cfg80211_send_auth_timeout(struct net_device *dev, const u8 *addr)
	if (wdev->sme_state == CFG80211_SME_CONNECTING)
		__cfg80211_connect_result(dev, addr, NULL, 0, NULL, 0,
					  WLAN_STATUS_UNSPECIFIED_FAILURE,
					  false);
					  false, NULL);

	for (i = 0; addr && i < MAX_AUTH_BSSES; i++) {
		if (wdev->authtry_bsses[i] &&
@@ -275,7 +285,7 @@ void cfg80211_send_assoc_timeout(struct net_device *dev, const u8 *addr)
	if (wdev->sme_state == CFG80211_SME_CONNECTING)
		__cfg80211_connect_result(dev, addr, NULL, 0, NULL, 0,
					  WLAN_STATUS_UNSPECIFIED_FAILURE,
					  false);
					  false, NULL);

	for (i = 0; addr && i < MAX_AUTH_BSSES; i++) {
		if (wdev->auth_bsses[i] &&
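Review bot: In the cfg80211_send_rx_assoc() hunk the comment `/* additional reference to drop hold */` next to cfg80211_ref_bss() does not explain the handoff it sets up, and the three comments around it should read as one story. Suggest `/* take an extra reference: one is handed to __cfg80211_connect_result() (it becomes wdev->current_bss), the other is dropped below together with the auth_bsses[] hold */`. The release at the end — `cfg80211_unhold_bss(bss); cfg80211_put_bss(&bss->pub);` — is only balanced if the callee really consumes its reference on every path it can take with a non-NULL bss, which is worth a sentence in that comment as well. The function continues past wdev_unlock() outside the hunk.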
+18 −17
@@ -182,7 +182,7 @@ void cfg80211_conn_work(struct work_struct *work)
					wdev->conn->params.bssid,
					NULL, 0, NULL, 0,
					WLAN_STATUS_UNSPECIFIED_FAILURE,
					false);
					false, NULL);
		wdev_unlock(wdev);
	}

@@ -247,7 +247,7 @@ static void __cfg80211_sme_scan_done(struct net_device *dev)
					wdev->conn->params.bssid,
					NULL, 0, NULL, 0,
					WLAN_STATUS_UNSPECIFIED_FAILURE,
					false);
					false, NULL);
	}
}

@@ -305,7 +305,7 @@ void cfg80211_sme_rx_auth(struct net_device *dev,
		schedule_work(&rdev->conn_work);
	} else if (status_code != WLAN_STATUS_SUCCESS) {
		__cfg80211_connect_result(dev, mgmt->bssid, NULL, 0, NULL, 0,
					  status_code, false);
					  status_code, false, NULL);
	} else if (wdev->sme_state == CFG80211_SME_CONNECTING &&
		 wdev->conn->state == CFG80211_CONN_AUTHENTICATING) {
		wdev->conn->state = CFG80211_CONN_ASSOCIATE_NEXT;
@@ -316,10 +316,10 @@ void cfg80211_sme_rx_auth(struct net_device *dev,
void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
			       const u8 *req_ie, size_t req_ie_len,
			       const u8 *resp_ie, size_t resp_ie_len,
			       u16 status, bool wextev)
			       u16 status, bool wextev,
			       struct cfg80211_bss *bss)
{
	struct wireless_dev *wdev = dev->ieee80211_ptr;
	struct cfg80211_bss *bss;
#ifdef CONFIG_WIRELESS_EXT
	union iwreq_data wrqu;
#endif
@@ -361,6 +361,12 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
	}
#endif

	if (wdev->current_bss) {
		cfg80211_unhold_bss(wdev->current_bss);
		cfg80211_put_bss(&wdev->current_bss->pub);
		wdev->current_bss = NULL;
	}

	if (status == WLAN_STATUS_SUCCESS &&
	    wdev->sme_state == CFG80211_SME_IDLE)
		goto success;
@@ -368,12 +374,6 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
	if (wdev->sme_state != CFG80211_SME_CONNECTING)
		return;

	if (wdev->current_bss) {
		cfg80211_unhold_bss(wdev->current_bss);
		cfg80211_put_bss(&wdev->current_bss->pub);
		wdev->current_bss = NULL;
	}

	if (wdev->conn)
		wdev->conn->state = CFG80211_CONN_IDLE;

@@ -386,6 +386,8 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
		return;
	}

 success:
	if (!bss)
		bss = cfg80211_get_bss(wdev->wiphy, NULL, bssid,
				       wdev->ssid, wdev->ssid_len,
				       WLAN_CAPABILITY_ESS,
@@ -397,7 +399,6 @@ void __cfg80211_connect_result(struct net_device *dev, const u8 *bssid,
	cfg80211_hold_bss(bss_from_pub(bss));
	wdev->current_bss = bss_from_pub(bss);

 success:
	wdev->sme_state = CFG80211_SME_CONNECTED;
	cfg80211_upload_connect_keys(wdev);
}
@@ -788,7 +789,7 @@ int __cfg80211_disconnect(struct cfg80211_registered_device *rdev,
	else if (wdev->sme_state == CFG80211_SME_CONNECTING)
		__cfg80211_connect_result(dev, NULL, NULL, 0, NULL, 0,
					  WLAN_STATUS_UNSPECIFIED_FAILURE,
					  wextev);
					  wextev, NULL);

	return 0;
}
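Review bot: In the `@@ -368,12 +374,6 @@` hunk of __cfg80211_connect_result(), the early `if (wdev->sme_state != CFG80211_SME_CONNECTING) return;` does not release the reference a non-NULL `bss` argument carries, so a caller that hands over a BSS (cfg80211_send_rx_assoc() does, on a successful association) leaks it when the state is neither IDLE nor CONNECTING; the `return;` just before the `success:` label has the same gap if it can be reached with bss set. Because the preceding hunk now drops wdev->current_bss before that check, such a call also ends with current_bss NULL and the passed BSS unreleased. Suggest `if (wdev->sme_state != CFG80211_SME_CONNECTING) { if (bss) cfg80211_put_bss(bss); return; }`, or alternatively a comment at the top of the function stating that bss may only be passed together with WLAN_STATUS_SUCCESS while wdev is IDLE or CONNECTING. Whether that state combination is actually reachable depends on callers outside this page.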