diff options
| author | Johannes Berg <johannes.berg@intel.com> | 2014-01-22 04:14:19 -0500 |
|---|---|---|
| committer | Johannes Berg <johannes.berg@intel.com> | 2014-02-06 03:55:19 -0500 |
| commit | f9d15d162b3acf28f85b3ac05c4883e5ed588d28 (patch) | |
| tree | 1c78c9fd0d81302190738d2778db000f9506e4fa /net/wireless/scan.c | |
| parent | a617302c531eaf497ccd02a61d380efc119ba999 (diff) | |
cfg80211: send scan results from work queue
Due to the previous commit, when a scan finishes, it is in theory
possible to hit the following sequence:
1. interface starts being removed
2. scan is cancelled by driver and cfg80211 is notified
3. scan done work is scheduled
4. interface is removed completely, rdev->scan_req is freed,
event sent to userspace but scan done work remains pending
5. new scan is requested on another virtual interface
6. scan done work runs, freeing the still-running scan
To fix this situation, hang on to the scan done message and block
new scans while that is the case, and only send the message from
the work function, regardless of whether the scan_req is already
freed from interface removal. This makes step 5 above impossible
and changes step 6 to be
5. scan done work runs, sending the scan done message
As this can't work for wext, so we send the message immediately,
but this shouldn't be an issue since we still return -EBUSY.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Diffstat (limited to 'net/wireless/scan.c')
| -rw-r--r-- | net/wireless/scan.c | 40 |
1 files changed, 25 insertions, 15 deletions
diff --git a/net/wireless/scan.c b/net/wireless/scan.c index b528e31da2cf..d1ed4aebbbb7 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c | |||
| @@ -161,18 +161,25 @@ static void __cfg80211_bss_expire(struct cfg80211_registered_device *dev, | |||
| 161 | dev->bss_generation++; | 161 | dev->bss_generation++; |
| 162 | } | 162 | } |
| 163 | 163 | ||
| 164 | void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev) | 164 | void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev, |
| 165 | bool send_message) | ||
| 165 | { | 166 | { |
| 166 | struct cfg80211_scan_request *request; | 167 | struct cfg80211_scan_request *request; |
| 167 | struct wireless_dev *wdev; | 168 | struct wireless_dev *wdev; |
| 169 | struct sk_buff *msg; | ||
| 168 | #ifdef CONFIG_CFG80211_WEXT | 170 | #ifdef CONFIG_CFG80211_WEXT |
| 169 | union iwreq_data wrqu; | 171 | union iwreq_data wrqu; |
| 170 | #endif | 172 | #endif |
| 171 | 173 | ||
| 172 | ASSERT_RTNL(); | 174 | ASSERT_RTNL(); |
| 173 | 175 | ||
| 174 | request = rdev->scan_req; | 176 | if (rdev->scan_msg) { |
| 177 | nl80211_send_scan_result(rdev, rdev->scan_msg); | ||
| 178 | rdev->scan_msg = NULL; | ||
| 179 | return; | ||
| 180 | } | ||
| 175 | 181 | ||
| 182 | request = rdev->scan_req; | ||
| 176 | if (!request) | 183 | if (!request) |
| 177 | return; | 184 | return; |
| 178 | 185 | ||
| @@ -186,18 +193,16 @@ void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev) | |||
| 186 | if (wdev->netdev) | 193 | if (wdev->netdev) |
| 187 | cfg80211_sme_scan_done(wdev->netdev); | 194 | cfg80211_sme_scan_done(wdev->netdev); |
| 188 | 195 | ||
| 189 | if (request->aborted) { | 196 | if (!request->aborted && |
| 190 | nl80211_send_scan_aborted(rdev, wdev); | 197 | request->flags & NL80211_SCAN_FLAG_FLUSH) { |
| 191 | } else { | 198 | /* flush entries from previous scans */ |
| 192 | if (request->flags & NL80211_SCAN_FLAG_FLUSH) { | 199 | spin_lock_bh(&rdev->bss_lock); |
| 193 | /* flush entries from previous scans */ | 200 | __cfg80211_bss_expire(rdev, request->scan_start); |
| 194 | spin_lock_bh(&rdev->bss_lock); | 201 | spin_unlock_bh(&rdev->bss_lock); |
| 195 | __cfg80211_bss_expire(rdev, request->scan_start); | ||
| 196 | spin_unlock_bh(&rdev->bss_lock); | ||
| 197 | } | ||
| 198 | nl80211_send_scan_done(rdev, wdev); | ||
| 199 | } | 202 | } |
| 200 | 203 | ||
| 204 | msg = nl80211_build_scan_msg(rdev, wdev, request->aborted); | ||
| 205 | |||
| 201 | #ifdef CONFIG_CFG80211_WEXT | 206 | #ifdef CONFIG_CFG80211_WEXT |
| 202 | if (wdev->netdev && !request->aborted) { | 207 | if (wdev->netdev && !request->aborted) { |
| 203 | memset(&wrqu, 0, sizeof(wrqu)); | 208 | memset(&wrqu, 0, sizeof(wrqu)); |
| @@ -211,6 +216,11 @@ void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev) | |||
| 211 | 216 | ||
| 212 | rdev->scan_req = NULL; | 217 | rdev->scan_req = NULL; |
| 213 | kfree(request); | 218 | kfree(request); |
| 219 | |||
| 220 | if (!send_message) | ||
| 221 | rdev->scan_msg = msg; | ||
| 222 | else | ||
| 223 | nl80211_send_scan_result(rdev, msg); | ||
| 214 | } | 224 | } |
| 215 | 225 | ||
| 216 | void __cfg80211_scan_done(struct work_struct *wk) | 226 | void __cfg80211_scan_done(struct work_struct *wk) |
| @@ -221,7 +231,7 @@ void __cfg80211_scan_done(struct work_struct *wk) | |||
| 221 | scan_done_wk); | 231 | scan_done_wk); |
| 222 | 232 | ||
| 223 | rtnl_lock(); | 233 | rtnl_lock(); |
| 224 | ___cfg80211_scan_done(rdev); | 234 | ___cfg80211_scan_done(rdev, true); |
| 225 | rtnl_unlock(); | 235 | rtnl_unlock(); |
| 226 | } | 236 | } |
| 227 | 237 | ||
| @@ -1079,7 +1089,7 @@ int cfg80211_wext_siwscan(struct net_device *dev, | |||
| 1079 | if (IS_ERR(rdev)) | 1089 | if (IS_ERR(rdev)) |
| 1080 | return PTR_ERR(rdev); | 1090 | return PTR_ERR(rdev); |
| 1081 | 1091 | ||
| 1082 | if (rdev->scan_req) { | 1092 | if (rdev->scan_req || rdev->scan_msg) { |
| 1083 | err = -EBUSY; | 1093 | err = -EBUSY; |
| 1084 | goto out; | 1094 | goto out; |
| 1085 | } | 1095 | } |
| @@ -1481,7 +1491,7 @@ int cfg80211_wext_giwscan(struct net_device *dev, | |||
| 1481 | if (IS_ERR(rdev)) | 1491 | if (IS_ERR(rdev)) |
| 1482 | return PTR_ERR(rdev); | 1492 | return PTR_ERR(rdev); |
| 1483 | 1493 | ||
| 1484 | if (rdev->scan_req) | 1494 | if (rdev->scan_req || rdev->scan_msg) |
| 1485 | return -EAGAIN; | 1495 | return -EAGAIN; |
| 1486 | 1496 | ||
| 1487 | res = ieee80211_scan_results(rdev, info, extra, data->length); | 1497 | res = ieee80211_scan_results(rdev, info, extra, data->length); |