Add mac80211 deauth fix pointed out by Stanislaw Gruszka

kernel.spec

@@ -54,7 +54,7 @@ Summary: The Linux kernel
 # For non-released -rc kernels, this will be appended after the rcX and
 # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
 #
-%global baserelease 1
+%global baserelease 2
 %global fedora_build %{baserelease}
 
 # base_sublevel is the kernel version we're starting with and patching
@@ -805,6 +805,8 @@ Patch21225: pci-Rework-ASPM-disable-code.patch
 
 Patch21226: pci-crs-blacklist.patch
 
+Patch21227: mac80211-fix-work-removal-on-deauth-request.patch
+
 # compat-wireless patches
 Patch50000: compat-wireless-config-fixups.patch
 Patch50001: compat-wireless-change-CONFIG_IWLAGN-CONFIG_IWLWIFI.patch
@@ -1489,6 +1491,8 @@ ApplyPatch proc-fix-null-pointer-deref-in-proc_pid_permission.patch
 #rhbz 782681
 ApplyPatch proc-clean-up-and-fix-proc-pid-mem-handling.patch
 
+ApplyPatch mac80211-fix-work-removal-on-deauth-request.patch
+
 # END OF PATCH APPLICATIONS
 
 %endif
@@ -1556,6 +1560,7 @@ ApplyPatch compat-wireless-change-CONFIG_IWLAGN-CONFIG_IWLWIFI.patch
 ApplyPatch compat-wireless-pr_fmt-warning-avoidance.patch
 ApplyPatch compat-wireless-rtl8192cu-Fix-WARNING-on-suspend-resume.patch
 ApplyPatch mac80211-fix-rx-key-NULL-ptr-deref-in-promiscuous-mode.patch
+ApplyPatch mac80211-fix-work-removal-on-deauth-request.patch
 
 #rhbz 731365, 773271
 ApplyPatch mac80211_offchannel_rework_revert.patch
@@ -2264,6 +2269,9 @@ fi
 # and build.
 
 %changelog
+* Fri Jan 20 2012 Josh Boyer <jwboyer@redhat.com>
+- Add mac80211 deauth fix pointed out by Stanislaw Gruszka
+
 * Thu Jan 19 2012 Dave Jones <davej@redhat.com> 3.2.1-1
 - Rebase to Linux 3.2.1
 

mac80211-fix-work-removal-on-deauth-request.patch

@@ -0,0 +1,154 @@
+Path: news.gmane.org!not-for-mail
+From: Johannes Berg <johannes-cdvu00un1VgdHxzADdlk8Q@public.gmane.org>
+Newsgroups: gmane.linux.kernel.wireless.general
+Subject: [PATCH 3.3] mac80211: fix work removal on deauth request
+Date: Wed, 18 Jan 2012 14:10:25 +0100
+Lines: 107
+Approved: news@gmane.org
+Message-ID: <1326892225.4778.5.camel@jlt3.sipsolutions.net>
+NNTP-Posting-Host: lo.gmane.org
+Mime-Version: 1.0
+Content-Type: text/plain; charset="UTF-8"
+Content-Transfer-Encoding: 7bit
+X-Trace: dough.gmane.org 1326892249 18013 80.91.229.12 (18 Jan 2012 13:10:49 GMT)
+X-Complaints-To: usenet@dough.gmane.org
+NNTP-Posting-Date: Wed, 18 Jan 2012 13:10:49 +0000 (UTC)
+Cc: linux-wireless <linux-wireless-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
+	Pontus Fuchs <pontus.fuchs-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
+To: John Linville <linville-2XuSBdqkA4R54TAoqtyWWQ@public.gmane.org>
+Original-X-From: linux-wireless-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org Wed Jan 18 14:10:44 2012
+Return-path: <linux-wireless-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
+Envelope-to: glkwg-linux-wireless-1dZseelyfdZg9hUCZPvPmw@public.gmane.org
+Original-Received: from vger.kernel.org ([209.132.180.67])
+	by lo.gmane.org with esmtp (Exim 4.69)
+	(envelope-from <linux-wireless-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>)
+	id 1RnVHo-00044l-Aq
+	for glkwg-linux-wireless-1dZseelyfdZg9hUCZPvPmw@public.gmane.org; Wed, 18 Jan 2012 14:10:44 +0100
+Original-Received: (majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org) by vger.kernel.org via listexpand
+	id S1757410Ab2ARNK3 (ORCPT
+	<rfc822;glkwg-linux-wireless@m.gmane.org>);
+	Wed, 18 Jan 2012 08:10:29 -0500
+Original-Received: from he.sipsolutions.net ([78.46.109.217]:45023 "EHLO
+	sipsolutions.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
+	with ESMTP id S1754365Ab2ARNK2 (ORCPT
+	<rfc822;linux-wireless-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>);
+	Wed, 18 Jan 2012 08:10:28 -0500
+Original-Received: by sipsolutions.net with esmtpsa (TLS1.0:RSA_AES_256_CBC_SHA1:32)
+	(Exim 4.77)
+	(envelope-from <johannes-cdvu00un1VgdHxzADdlk8Q@public.gmane.org>)
+	id 1RnVHW-0004hf-Lx; Wed, 18 Jan 2012 14:10:26 +0100
+X-Mailer: Evolution 2.30.3 
+Original-Sender: linux-wireless-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
+Precedence: bulk
+List-ID: <linux-wireless.vger.kernel.org>
+X-Mailing-List: linux-wireless-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
+Xref: news.gmane.org gmane.linux.kernel.wireless.general:84095
+Archived-At: <http://permalink.gmane.org/gmane.linux.kernel.wireless.general/84095>
+
+From: Johannes Berg <johannes.berg-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
+
+When deauth is requested while an auth or assoc
+work item is in progress, we currently delete it
+without regard for any state it might need to
+clean up. Fix it by cleaning up for those items.
+
+In the case Pontus found, the problem manifested
+itself as such:
+
+authenticate with 00:23:69:aa:dd:7b (try 1)
+authenticated
+failed to insert Dummy STA entry for the AP (error -17)
+deauthenticating from 00:23:69:aa:dd:7b by local choice (reason=2)
+
+It could also happen differently if the driver
+uses the tx_sync callback.
+
+We can't just call the ->done() method of the work
+items because that will lock up due to the locking
+in cfg80211. This fix isn't very clean, but that
+seems acceptable since I have patches pending to
+remove this code completely.
+
+Cc: stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
+Reported-by: Pontus Fuchs <pontus.fuchs-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
+Tested-by: Pontus Fuchs <pontus.fuchs-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
+Signed-off-by: Johannes Berg <johannes.berg-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
+---
+ net/mac80211/mlme.c |   38 +++++++++++++++++++++++++++-----------
+ 1 file changed, 27 insertions(+), 11 deletions(-)
+
+--- a/net/mac80211/mlme.c	2012-01-18 14:04:33.000000000 +0100
++++ b/net/mac80211/mlme.c	2012-01-18 14:04:34.000000000 +0100
+@@ -2750,7 +2750,6 @@ int ieee80211_mgd_deauth(struct ieee8021
+ {
+ 	struct ieee80211_local *local = sdata->local;
+ 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
+-	struct ieee80211_work *wk;
+ 	u8 bssid[ETH_ALEN];
+ 	bool assoc_bss = false;
+ 
+@@ -2763,30 +2762,47 @@ int ieee80211_mgd_deauth(struct ieee8021
+ 		assoc_bss = true;
+ 	} else {
+ 		bool not_auth_yet = false;
++		struct ieee80211_work *tmp, *wk = NULL;
+ 
+ 		mutex_unlock(&ifmgd->mtx);
+ 
+ 		mutex_lock(&local->mtx);
+-		list_for_each_entry(wk, &local->work_list, list) {
+-			if (wk->sdata != sdata)
++		list_for_each_entry(tmp, &local->work_list, list) {
++			if (tmp->sdata != sdata)
+ 				continue;
+ 
+-			if (wk->type != IEEE80211_WORK_DIRECT_PROBE &&
+-			    wk->type != IEEE80211_WORK_AUTH &&
+-			    wk->type != IEEE80211_WORK_ASSOC &&
+-			    wk->type != IEEE80211_WORK_ASSOC_BEACON_WAIT)
++			if (tmp->type != IEEE80211_WORK_DIRECT_PROBE &&
++			    tmp->type != IEEE80211_WORK_AUTH &&
++			    tmp->type != IEEE80211_WORK_ASSOC &&
++			    tmp->type != IEEE80211_WORK_ASSOC_BEACON_WAIT)
+ 				continue;
+ 
+-			if (memcmp(req->bss->bssid, wk->filter_ta, ETH_ALEN))
++			if (memcmp(req->bss->bssid, tmp->filter_ta, ETH_ALEN))
+ 				continue;
+ 
+-			not_auth_yet = wk->type == IEEE80211_WORK_DIRECT_PROBE;
+-			list_del_rcu(&wk->list);
+-			free_work(wk);
++			not_auth_yet = tmp->type == IEEE80211_WORK_DIRECT_PROBE;
++			list_del_rcu(&tmp->list);
++			synchronize_rcu();
++			wk = tmp;
+ 			break;
+ 		}
+ 		mutex_unlock(&local->mtx);
+ 
++		if (wk && wk->type == IEEE80211_WORK_ASSOC) {
++			/* clean up dummy sta & TX sync */
++			sta_info_destroy_addr(wk->sdata, wk->filter_ta);
++			if (wk->assoc.synced)
++				drv_finish_tx_sync(local, wk->sdata,
++						   wk->filter_ta,
++						   IEEE80211_TX_SYNC_ASSOC);
++		} else if (wk && wk->type == IEEE80211_WORK_AUTH) {
++			if (wk->probe_auth.synced)
++				drv_finish_tx_sync(local, wk->sdata,
++						   wk->filter_ta,
++						   IEEE80211_TX_SYNC_AUTH);
++		}
++		kfree(wk);
++
+ 		/*
+ 		 * If somebody requests authentication and we haven't
+ 		 * sent out an auth frame yet there's no need to send
+
+
+--
+To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
+the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
+More majordomo info at  http://vger.kernel.org/majordomo-info.html
+