[thirdparty/kernel/stable-queue.git] / releases / 2.6.36.2 / cfg80211-fix-bss-double-unlinking.patch

From 3207390a8b58bfc1335750f91cf6783c48ca19ca Mon Sep 17 00:00:00 2001
From: Johannes Berg <johannes.berg@intel.com>
Date: Wed, 6 Oct 2010 21:18:04 +0200
Subject: cfg80211: fix BSS double-unlinking

From: Johannes Berg <johannes.berg@intel.com>

commit 3207390a8b58bfc1335750f91cf6783c48ca19ca upstream.

When multiple interfaces are actively trying
to associate with the same BSS, they may both
find that the BSS isn't there and then try to
unlink it. This can cause errors since the
unlinking code can't currently deal with items
that have already been unlinked.

Normally this doesn't happen as most people
don't try to use multiple station interfaces
that associate at the same time too.

Fix this by using the list entry as a flag to
see if the item is still on a list.

Reported-by: Ben Greear <greearb@candelatech.com>
Tested-by: Hun-Kyi Wynn <hkwynn@candelatech.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 net/wireless/scan.c |   12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -650,14 +650,14 @@ void cfg80211_unlink_bss(struct wiphy *w
 	bss = container_of(pub, struct cfg80211_internal_bss, pub);
 
 	spin_lock_bh(&dev->bss_lock);
+	if (!list_empty(&bss->list)) {
+		list_del_init(&bss->list);
+		dev->bss_generation++;
+		rb_erase(&bss->rbn, &dev->bss_tree);
 
-	list_del(&bss->list);
-	dev->bss_generation++;
-	rb_erase(&bss->rbn, &dev->bss_tree);
-
+		kref_put(&bss->ref, bss_release);
+	}
 	spin_unlock_bh(&dev->bss_lock);
-
-	kref_put(&bss->ref, bss_release);
 }
 EXPORT_SYMBOL(cfg80211_unlink_bss);
Commit	Line	Data
ad522180 GKH	1	From 3207390a8b58bfc1335750f91cf6783c48ca19ca Mon Sep 17 00:00:00 2001
	2	From: Johannes Berg <johannes.berg@intel.com>
	3	Date: Wed, 6 Oct 2010 21:18:04 +0200
	4	Subject: cfg80211: fix BSS double-unlinking
	5
	6	From: Johannes Berg <johannes.berg@intel.com>
	7
	8	commit 3207390a8b58bfc1335750f91cf6783c48ca19ca upstream.
	9
	10	When multiple interfaces are actively trying
	11	to associate with the same BSS, they may both
	12	find that the BSS isn't there and then try to
	13	unlink it. This can cause errors since the
	14	unlinking code can't currently deal with items
	15	that have already been unlinked.
	16
	17	Normally this doesn't happen as most people
	18	don't try to use multiple station interfaces
	19	that associate at the same time too.
	20
	21	Fix this by using the list entry as a flag to
	22	see if the item is still on a list.
	23
	24	Reported-by: Ben Greear <greearb@candelatech.com>
	25	Tested-by: Hun-Kyi Wynn <hkwynn@candelatech.com>
	26	Signed-off-by: Johannes Berg <johannes.berg@intel.com>
	27	Signed-off-by: John W. Linville <linville@tuxdriver.com>
	28	Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
	29
	30	---
	31	net/wireless/scan.c \| 12 ++++++------
	32	1 file changed, 6 insertions(+), 6 deletions(-)
	33
	34	--- a/net/wireless/scan.c
	35	+++ b/net/wireless/scan.c
	36	@@ -650,14 +650,14 @@ void cfg80211_unlink_bss(struct wiphy *w
	37	bss = container_of(pub, struct cfg80211_internal_bss, pub);
	38
	39	spin_lock_bh(&dev->bss_lock);
	40	+ if (!list_empty(&bss->list)) {
	41	+ list_del_init(&bss->list);
	42	+ dev->bss_generation++;
	43	+ rb_erase(&bss->rbn, &dev->bss_tree);
	44
	45	- list_del(&bss->list);
	46	- dev->bss_generation++;
	47	- rb_erase(&bss->rbn, &dev->bss_tree);
	48	-
	49	+ kref_put(&bss->ref, bss_release);
	50	+ }
	51	spin_unlock_bh(&dev->bss_lock);
	52	-
	53	- kref_put(&bss->ref, bss_release);
	54	}
	55	EXPORT_SYMBOL(cfg80211_unlink_bss);
	56