summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJohannes Berg <johannes.berg@intel.com>2012-02-25 21:48:08 +0100
committerJohn W. Linville <linville@tuxdriver.com>2012-02-27 14:06:42 -0500
commit54e4ffb2abb3c086637cbc75a2bfe55a8ce987c8 (patch)
tree85ffa4a2295970bb5b1ea7601544fa03a2fc2f4b
parentfda82417884eecd9f2c8b4e6bb2039def0da7ec4 (diff)
downloadop-kernel-dev-54e4ffb2abb3c086637cbc75a2bfe55a8ce987c8.zip
op-kernel-dev-54e4ffb2abb3c086637cbc75a2bfe55a8ce987c8.tar.gz
mac80211: fix auth/assoc data & timer leak
When removing an interface while it is in the process of authenticating or associating, we leak the auth_data or assoc_data, and leave the timer pending. The timer then crashes the system when it fires as its data is gone. Fix this by explicitly deleting all the data when the interface is removed. This uncovered another bug -- this problem should have been detected by the sta_info_flush() warning but that function doesn't ever return non-zero, I'll fix that in a separate patch. Reported-by: Hieu Nguyen <hieux.c.nguyen@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r--net/mac80211/ieee80211_i.h1
-rw-r--r--net/mac80211/iface.c2
-rw-r--r--net/mac80211/mlme.c13
3 files changed, 16 insertions, 0 deletions
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 67aed1e..4a722b1 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1178,6 +1178,7 @@ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
struct sk_buff *skb);
void ieee80211_sta_reset_beacon_monitor(struct ieee80211_sub_if_data *sdata);
void ieee80211_sta_reset_conn_monitor(struct ieee80211_sub_if_data *sdata);
+void ieee80211_mgd_teardown(struct ieee80211_sub_if_data *sdata);
/* IBSS code */
void ieee80211_ibss_notify_scan_completed(struct ieee80211_local *local);
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 6b3cd65..60b240c 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -644,6 +644,8 @@ static void ieee80211_teardown_sdata(struct net_device *dev)
if (ieee80211_vif_is_mesh(&sdata->vif))
mesh_rmc_free(sdata);
+ else if (sdata->vif.type == NL80211_IFTYPE_STATION)
+ ieee80211_mgd_teardown(sdata);
flushed = sta_info_flush(local, sdata);
WARN_ON(flushed);
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 1495fb9..0c220e1 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -3513,6 +3513,19 @@ int ieee80211_mgd_disassoc(struct ieee80211_sub_if_data *sdata,
return 0;
}
+void ieee80211_mgd_teardown(struct ieee80211_sub_if_data *sdata)
+{
+ struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
+
+ mutex_lock(&ifmgd->mtx);
+ if (ifmgd->assoc_data)
+ ieee80211_destroy_assoc_data(sdata, false);
+ if (ifmgd->auth_data)
+ ieee80211_destroy_auth_data(sdata, false);
+ del_timer_sync(&ifmgd->timer);
+ mutex_unlock(&ifmgd->mtx);
+}
+
void ieee80211_cqm_rssi_notify(struct ieee80211_vif *vif,
enum nl80211_cqm_rssi_threshold_event rssi_event,
gfp_t gfp)
OpenPOWER on IntegriCloud