cfg80211: Fix race in bss timeout

It is quite possible to run into a race in bss timeout where the drivers see the bss entry just before notifying cfg80211 of a roaming event but it got timed out by the time rdev->event_work got scehduled from cfg80211_wq. This would result in the following WARN-ON() along with the failure to notify the user space of the roaming. The other situation which is happening with ath6kl that runs into issue is when the driver reports roam to same AP event where the AP bss entry already got expired. To fix this, move cfg80211_get_bss() from __cfg80211_roamed() to cfg80211_roamed(). [158645.538384] WARNING: at net/wireless/sme.c:586 __cfg80211_roamed+0xc2/0x1b1() [158645.538810] Call Trace: [158645.538838] [<c1033527>] warn_slowpath_common+0x65/0x7a [158645.538917] [<c14cfacf>] ? __cfg80211_roamed+0xc2/0x1b1 [158645.538946] [<c103354b>] warn_slowpath_null+0xf/0x13 [158645.539055] [<c14cfacf>] __cfg80211_roamed+0xc2/0x1b1 [158645.539086] [<c14beb5b>] cfg80211_process_rdev_events+0x153/0x1cc [158645.539166] [<c14bd57b>] cfg80211_event_work+0x26/0x36 [158645.539195] [<c10482ae>] process_one_work+0x219/0x38b [158645.539273] [<c14bd555>] ? wiphy_new+0x419/0x419 [158645.539301] [<c10486cb>] worker_thread+0xf6/0x1bf [158645.539379] [<c10485d5>] ? rescuer_thread+0x1b5/0x1b5 [158645.539407] [<c104b3e2>] kthread+0x62/0x67 [158645.539484] [<c104b380>] ? __init_kthread_worker+0x42/0x42 [158645.539514] [<c151309a>] kernel_thread_helper+0x6/0xd Reported-by: Kalle Valo <kvalo@qca.qualcomm.com> Signed-off-by: Vasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
author: Vasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com> 2011-12-08 03:58:47 -0500
committer: John W. Linville <linville@tuxdriver.com> 2011-12-13 15:30:28 -0500
commit: adbde344dc12514d68620afae8d34035e72544b1 (patch)
tree: d3685186492aaef49a0373f82a1087c15b5cea86 /include/net/cfg80211.h
parent: fb03c5eb8c0bbf4561cb5aa72e0a9546e9574661 (diff)
1 files changed, 26 insertions, 0 deletions
diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h
index 3de1c39d03e5..150c0ee714c2 100644
--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -3064,6 +3064,32 @@ void cfg80211_roamed(struct net_device *dev,
                     const u8 *resp_ie, size_t resp_ie_len, gfp_t gfp);
 /**
+ * cfg80211_roamed_bss - notify cfg80211 of roaming
+ *
+ * @dev: network device
+ * @bss: entry of bss to which STA got roamed
+ * @req_ie: association request IEs (maybe be %NULL)
+ * @req_ie_len: association request IEs length
+ * @resp_ie: association response IEs (may be %NULL)
+ * @resp_ie_len: assoc response IEs length
+ * @gfp: allocation flags
+ *
+ * This is just a wrapper to notify cfg80211 of roaming event with driver
+ * passing bss to avoid a race in timeout of the bss entry. It should be
+ * called by the underlying driver whenever it roamed from one AP to another
+ * while connected. Drivers which have roaming implemented in firmware
+ * may use this function to avoid a race in bss entry timeout where the bss
+ * entry of the new AP is seen in the driver, but gets timed out by the time
+ * it is accessed in __cfg80211_roamed() due to delay in scheduling
+ * rdev->event_work. In case of any failures, the reference is released
+ * either in cfg80211_roamed_bss() or in __cfg80211_romed(), Otherwise,
+ * it will be released while diconneting from the current bss.
+ */
+void cfg80211_roamed_bss(struct net_device *dev, struct cfg80211_bss *bss,
+                         const u8 *req_ie, size_t req_ie_len,
+                         const u8 *resp_ie, size_t resp_ie_len, gfp_t gfp);
+/**
 * cfg80211_disconnected - notify cfg80211 that connection was dropped
 *
 * @dev: network device
author	Vasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>	2011-12-08 03:58:47 -0500
committer	John W. Linville <linville@tuxdriver.com>	2011-12-13 15:30:28 -0500
commit	adbde344dc12514d68620afae8d34035e72544b1 (patch)
tree	d3685186492aaef49a0373f82a1087c15b5cea86 /include/net/cfg80211.h
parent	fb03c5eb8c0bbf4561cb5aa72e0a9546e9574661 (diff)

diff --git a/include/net/cfg80211.h b/include/net/cfg80211.h index 3de1c39d03e5..150c0ee714c2 100644 --- a/include/net/cfg80211.h +++ b/include/net/cfg80211.h
@@ -3064,6 +3064,32 @@ void cfg80211_roamed(struct net_device *dev,
3064	const u8 *resp_ie, size_t resp_ie_len, gfp_t gfp);	3064	const u8 *resp_ie, size_t resp_ie_len, gfp_t gfp);
3065		3065
3066	/**	3066	/**
		3067	* cfg80211_roamed_bss - notify cfg80211 of roaming
		3068	*
		3069	* @dev: network device
		3070	* @bss: entry of bss to which STA got roamed
		3071	* @req_ie: association request IEs (maybe be %NULL)
		3072	* @req_ie_len: association request IEs length
		3073	* @resp_ie: association response IEs (may be %NULL)
		3074	* @resp_ie_len: assoc response IEs length
		3075	* @gfp: allocation flags
		3076	*
		3077	* This is just a wrapper to notify cfg80211 of roaming event with driver
		3078	* passing bss to avoid a race in timeout of the bss entry. It should be
		3079	* called by the underlying driver whenever it roamed from one AP to another
		3080	* while connected. Drivers which have roaming implemented in firmware
		3081	* may use this function to avoid a race in bss entry timeout where the bss
		3082	* entry of the new AP is seen in the driver, but gets timed out by the time
		3083	* it is accessed in __cfg80211_roamed() due to delay in scheduling
		3084	* rdev->event_work. In case of any failures, the reference is released
		3085	* either in cfg80211_roamed_bss() or in __cfg80211_romed(), Otherwise,
		3086	* it will be released while diconneting from the current bss.
		3087	*/
		3088	void cfg80211_roamed_bss(struct net_device dev, struct cfg80211_bss bss,
		3089	const u8 *req_ie, size_t req_ie_len,
		3090	const u8 *resp_ie, size_t resp_ie_len, gfp_t gfp);
		3091
		3092	/**
3067	* cfg80211_disconnected - notify cfg80211 that connection was dropped	3093	* cfg80211_disconnected - notify cfg80211 that connection was dropped
3068	*	3094	*
3069	* @dev: network device	3095	* @dev: network device