mac80211: fix deauth race
author Johannes Berg <johannes@sipsolutions.net>
Sat, 6 Feb 2010 14:20:13 +0000 (15:20 +0100)
committer John W. Linville <linville@tuxdriver.com>
Mon, 8 Feb 2010 21:50:59 +0000 (16:50 -0500)
When userspace requests a deauth while the
authentication work is pending in the auth
(not probe) state, we do not properly abort
the work and then things get confused.

Fix that and also improve the checks here
to include the correct virtual interface,
just in case two virtual interfaces would
ever try to connect to the same BSS.

Also fix a bug -- need to use list_del_rcu
instead of just list_del to free a work
item.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
net/mac80211/mlme.c

index ac9429e8d72b0bc8e650c424d26dce01ff1b8d7f..7a7921476582a57f196fbfea44637e8a7a8a25a6 100644 (file)
@@ -1995,12 +1995,18 @@ int ieee80211_mgd_deauth(struct ieee80211_sub_if_data *sdata,
 
                mutex_lock(&local->work_mtx);
                list_for_each_entry(wk, &local->work_list, list) {
-                       if (wk->type != IEEE80211_WORK_DIRECT_PROBE)
+                       if (wk->sdata != sdata)
                                continue;
+
+                       if (wk->type != IEEE80211_WORK_DIRECT_PROBE &&
+                           wk->type != IEEE80211_WORK_AUTH)
+                               continue;
+
                        if (memcmp(req->bss->bssid, wk->filter_ta, ETH_ALEN))
                                continue;
-                       not_auth_yet = true;
-                       list_del(&wk->list);
+
+                       not_auth_yet = wk->type == IEEE80211_WORK_DIRECT_PROBE;
+                       list_del_rcu(&wk->list);
                        free_work(wk);
                        break;
                }
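Review bot: list_del_rcu(&wk->list) is followed immediately by free_work(wk), so the switch to the RCU variant only protects concurrent readers if free_work() defers the actual free until after a grace period. That function's body is not part of this hunk, so it is worth confirming, or saying in the commit message, that the free is deferred. Separately, not_auth_yet is now false whenever the removed item is IEEE80211_WORK_AUTH, and the code that consumes the flag lies outside the hunk; a one-line comment above the assignment explaining why an aborted auth item takes the other path would make the intent clear. The new wk->sdata != sdata check ahead of the type and BSSID tests matches the stated goal of scoping the match to the requesting interface.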