diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2011-04-05 15:26:57 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2011-04-05 15:26:57 -0400 |
| commit | d14f5b810b49c7dbd1a01be1c6d3641d46090080 (patch) | |
| tree | b201a1cf14c455b919ecb7d4a6631134d5815703 /net/wireless/scan.c | |
| parent | b2a8b4b81966094703088a7bc76a313af841924d (diff) | |
| parent | 738faca34335cd1d5d87fa7c58703139c7fa15bd (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (27 commits)
ipv6: Don't pass invalid dst_entry pointer to dst_release().
mlx4: fix kfree on error path in new_steering_entry()
tcp: len check is unnecessarily devastating, change to WARN_ON
sctp: malloc enough room for asconf-ack chunk
sctp: fix auth_hmacs field's length of struct sctp_cookie
net: Fix dev dev_ethtool_get_rx_csum() for forced NETIF_F_RXCSUM
usbnet: use eth%d name for known ethernet devices
starfire: clean up dma_addr_t size test
iwlegacy: fix bugs in change_interface
carl9170: Fix tx aggregation problems with some clients
iwl3945: disable hw scan by default
wireless: rt2x00: rt2800usb.c add and identify ids
iwl3945: do not deprecate software scan
mac80211: fix aggregation frame release during timeout
cfg80211: fix BSS double-unlinking (continued)
cfg80211:: fix possible NULL pointer dereference
mac80211: fix possible NULL pointer dereference
mac80211: fix NULL pointer dereference in ieee80211_key_alloc()
ath9k: fix a chip wakeup related crash in ath9k_start
mac80211: fix a crash in minstrel_ht in HT mode with no supported MCS rates
...
Diffstat (limited to 'net/wireless/scan.c')
| -rw-r--r-- | net/wireless/scan.c | 31 |
1 files changed, 21 insertions, 10 deletions
diff --git a/net/wireless/scan.c b/net/wireless/scan.c index ea427f418f64..fbf6f33ae4d0 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c | |||
| @@ -124,6 +124,15 @@ void cfg80211_bss_age(struct cfg80211_registered_device *dev, | |||
| 124 | } | 124 | } |
| 125 | 125 | ||
| 126 | /* must hold dev->bss_lock! */ | 126 | /* must hold dev->bss_lock! */ |
| 127 | static void __cfg80211_unlink_bss(struct cfg80211_registered_device *dev, | ||
| 128 | struct cfg80211_internal_bss *bss) | ||
| 129 | { | ||
| 130 | list_del_init(&bss->list); | ||
| 131 | rb_erase(&bss->rbn, &dev->bss_tree); | ||
| 132 | kref_put(&bss->ref, bss_release); | ||
| 133 | } | ||
| 134 | |||
| 135 | /* must hold dev->bss_lock! */ | ||
| 127 | void cfg80211_bss_expire(struct cfg80211_registered_device *dev) | 136 | void cfg80211_bss_expire(struct cfg80211_registered_device *dev) |
| 128 | { | 137 | { |
| 129 | struct cfg80211_internal_bss *bss, *tmp; | 138 | struct cfg80211_internal_bss *bss, *tmp; |
| @@ -134,9 +143,7 @@ void cfg80211_bss_expire(struct cfg80211_registered_device *dev) | |||
| 134 | continue; | 143 | continue; |
| 135 | if (!time_after(jiffies, bss->ts + IEEE80211_SCAN_RESULT_EXPIRE)) | 144 | if (!time_after(jiffies, bss->ts + IEEE80211_SCAN_RESULT_EXPIRE)) |
| 136 | continue; | 145 | continue; |
| 137 | list_del(&bss->list); | 146 | __cfg80211_unlink_bss(dev, bss); |
| 138 | rb_erase(&bss->rbn, &dev->bss_tree); | ||
| 139 | kref_put(&bss->ref, bss_release); | ||
| 140 | expired = true; | 147 | expired = true; |
| 141 | } | 148 | } |
| 142 | 149 | ||
| @@ -585,16 +592,23 @@ cfg80211_inform_bss_frame(struct wiphy *wiphy, | |||
| 585 | struct cfg80211_internal_bss *res; | 592 | struct cfg80211_internal_bss *res; |
| 586 | size_t ielen = len - offsetof(struct ieee80211_mgmt, | 593 | size_t ielen = len - offsetof(struct ieee80211_mgmt, |
| 587 | u.probe_resp.variable); | 594 | u.probe_resp.variable); |
| 588 | size_t privsz = wiphy->bss_priv_size; | 595 | size_t privsz; |
| 596 | |||
| 597 | if (WARN_ON(!mgmt)) | ||
| 598 | return NULL; | ||
| 599 | |||
| 600 | if (WARN_ON(!wiphy)) | ||
| 601 | return NULL; | ||
| 589 | 602 | ||
| 590 | if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC && | 603 | if (WARN_ON(wiphy->signal_type == CFG80211_SIGNAL_TYPE_UNSPEC && |
| 591 | (signal < 0 || signal > 100))) | 604 | (signal < 0 || signal > 100))) |
| 592 | return NULL; | 605 | return NULL; |
| 593 | 606 | ||
| 594 | if (WARN_ON(!mgmt || !wiphy || | 607 | if (WARN_ON(len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable))) |
| 595 | len < offsetof(struct ieee80211_mgmt, u.probe_resp.variable))) | ||
| 596 | return NULL; | 608 | return NULL; |
| 597 | 609 | ||
| 610 | privsz = wiphy->bss_priv_size; | ||
| 611 | |||
| 598 | res = kzalloc(sizeof(*res) + privsz + ielen, gfp); | 612 | res = kzalloc(sizeof(*res) + privsz + ielen, gfp); |
| 599 | if (!res) | 613 | if (!res) |
| 600 | return NULL; | 614 | return NULL; |
| @@ -662,11 +676,8 @@ void cfg80211_unlink_bss(struct wiphy *wiphy, struct cfg80211_bss *pub) | |||
| 662 | 676 | ||
| 663 | spin_lock_bh(&dev->bss_lock); | 677 | spin_lock_bh(&dev->bss_lock); |
| 664 | if (!list_empty(&bss->list)) { | 678 | if (!list_empty(&bss->list)) { |
| 665 | list_del_init(&bss->list); | 679 | __cfg80211_unlink_bss(dev, bss); |
| 666 | dev->bss_generation++; | 680 | dev->bss_generation++; |
| 667 | rb_erase(&bss->rbn, &dev->bss_tree); | ||
| 668 | |||
| 669 | kref_put(&bss->ref, bss_release); | ||
| 670 | } | 681 | } |
| 671 | spin_unlock_bh(&dev->bss_lock); | 682 | spin_unlock_bh(&dev->bss_lock); |
| 672 | } | 683 | } |