diff --git a/kernel.spec b/kernel.spec index cb52b690b..8abd851b8 100644 --- a/kernel.spec +++ b/kernel.spec @@ -54,7 +54,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 1 +%global baserelease 2 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -805,6 +805,8 @@ Patch21225: pci-Rework-ASPM-disable-code.patch Patch21226: pci-crs-blacklist.patch +Patch21227: mac80211-fix-work-removal-on-deauth-request.patch + # compat-wireless patches Patch50000: compat-wireless-config-fixups.patch Patch50001: compat-wireless-change-CONFIG_IWLAGN-CONFIG_IWLWIFI.patch @@ -1489,6 +1491,8 @@ ApplyPatch proc-fix-null-pointer-deref-in-proc_pid_permission.patch #rhbz 782681 ApplyPatch proc-clean-up-and-fix-proc-pid-mem-handling.patch +ApplyPatch mac80211-fix-work-removal-on-deauth-request.patch + # END OF PATCH APPLICATIONS %endif @@ -1556,6 +1560,7 @@ ApplyPatch compat-wireless-change-CONFIG_IWLAGN-CONFIG_IWLWIFI.patch ApplyPatch compat-wireless-pr_fmt-warning-avoidance.patch ApplyPatch compat-wireless-rtl8192cu-Fix-WARNING-on-suspend-resume.patch ApplyPatch mac80211-fix-rx-key-NULL-ptr-deref-in-promiscuous-mode.patch +ApplyPatch mac80211-fix-work-removal-on-deauth-request.patch #rhbz 731365, 773271 ApplyPatch mac80211_offchannel_rework_revert.patch @@ -2264,6 +2269,9 @@ fi # and build. %changelog +* Fri Jan 20 2012 Josh Boyer +- Add mac80211 deauth fix pointed out by Stanislaw Gruszka + * Thu Jan 19 2012 Dave Jones 3.2.1-1 - Rebase to Linux 3.2.1 diff --git a/mac80211-fix-work-removal-on-deauth-request.patch b/mac80211-fix-work-removal-on-deauth-request.patch new file mode 100644 index 000000000..60b91d3cf --- /dev/null +++ b/mac80211-fix-work-removal-on-deauth-request.patch @@ -0,0 +1,154 @@ +Path: news.gmane.org!not-for-mail +From: Johannes Berg +Newsgroups: gmane.linux.kernel.wireless.general +Subject: [PATCH 3.3] mac80211: fix work removal on deauth request +Date: Wed, 18 Jan 2012 14:10:25 +0100 +Lines: 107 +Approved: news@gmane.org +Message-ID: <1326892225.4778.5.camel@jlt3.sipsolutions.net> +NNTP-Posting-Host: lo.gmane.org +Mime-Version: 1.0 +Content-Type: text/plain; charset="UTF-8" +Content-Transfer-Encoding: 7bit +X-Trace: dough.gmane.org 1326892249 18013 80.91.229.12 (18 Jan 2012 13:10:49 GMT) +X-Complaints-To: usenet@dough.gmane.org +NNTP-Posting-Date: Wed, 18 Jan 2012 13:10:49 +0000 (UTC) +Cc: linux-wireless , + Pontus Fuchs +To: John Linville +Original-X-From: linux-wireless-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org Wed Jan 18 14:10:44 2012 +Return-path: +Envelope-to: glkwg-linux-wireless-1dZseelyfdZg9hUCZPvPmw@public.gmane.org +Original-Received: from vger.kernel.org ([209.132.180.67]) + by lo.gmane.org with esmtp (Exim 4.69) + (envelope-from ) + id 1RnVHo-00044l-Aq + for glkwg-linux-wireless-1dZseelyfdZg9hUCZPvPmw@public.gmane.org; Wed, 18 Jan 2012 14:10:44 +0100 +Original-Received: (majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org) by vger.kernel.org via listexpand + id S1757410Ab2ARNK3 (ORCPT + ); + Wed, 18 Jan 2012 08:10:29 -0500 +Original-Received: from he.sipsolutions.net ([78.46.109.217]:45023 "EHLO + sipsolutions.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1754365Ab2ARNK2 (ORCPT + ); + Wed, 18 Jan 2012 08:10:28 -0500 +Original-Received: by sipsolutions.net with esmtpsa (TLS1.0:RSA_AES_256_CBC_SHA1:32) + (Exim 4.77) + (envelope-from ) + id 1RnVHW-0004hf-Lx; Wed, 18 Jan 2012 14:10:26 +0100 +X-Mailer: Evolution 2.30.3 +Original-Sender: linux-wireless-owner-u79uwXL29TY76Z2rM5mHXA@public.gmane.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-wireless-u79uwXL29TY76Z2rM5mHXA@public.gmane.org +Xref: news.gmane.org gmane.linux.kernel.wireless.general:84095 +Archived-At: + +From: Johannes Berg + +When deauth is requested while an auth or assoc +work item is in progress, we currently delete it +without regard for any state it might need to +clean up. Fix it by cleaning up for those items. + +In the case Pontus found, the problem manifested +itself as such: + +authenticate with 00:23:69:aa:dd:7b (try 1) +authenticated +failed to insert Dummy STA entry for the AP (error -17) +deauthenticating from 00:23:69:aa:dd:7b by local choice (reason=2) + +It could also happen differently if the driver +uses the tx_sync callback. + +We can't just call the ->done() method of the work +items because that will lock up due to the locking +in cfg80211. This fix isn't very clean, but that +seems acceptable since I have patches pending to +remove this code completely. + +Cc: stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org +Reported-by: Pontus Fuchs +Tested-by: Pontus Fuchs +Signed-off-by: Johannes Berg +--- + net/mac80211/mlme.c | 38 +++++++++++++++++++++++++++----------- + 1 file changed, 27 insertions(+), 11 deletions(-) + +--- a/net/mac80211/mlme.c 2012-01-18 14:04:33.000000000 +0100 ++++ b/net/mac80211/mlme.c 2012-01-18 14:04:34.000000000 +0100 +@@ -2750,7 +2750,6 @@ int ieee80211_mgd_deauth(struct ieee8021 + { + struct ieee80211_local *local = sdata->local; + struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; +- struct ieee80211_work *wk; + u8 bssid[ETH_ALEN]; + bool assoc_bss = false; + +@@ -2763,30 +2762,47 @@ int ieee80211_mgd_deauth(struct ieee8021 + assoc_bss = true; + } else { + bool not_auth_yet = false; ++ struct ieee80211_work *tmp, *wk = NULL; + + mutex_unlock(&ifmgd->mtx); + + mutex_lock(&local->mtx); +- list_for_each_entry(wk, &local->work_list, list) { +- if (wk->sdata != sdata) ++ list_for_each_entry(tmp, &local->work_list, list) { ++ if (tmp->sdata != sdata) + continue; + +- if (wk->type != IEEE80211_WORK_DIRECT_PROBE && +- wk->type != IEEE80211_WORK_AUTH && +- wk->type != IEEE80211_WORK_ASSOC && +- wk->type != IEEE80211_WORK_ASSOC_BEACON_WAIT) ++ if (tmp->type != IEEE80211_WORK_DIRECT_PROBE && ++ tmp->type != IEEE80211_WORK_AUTH && ++ tmp->type != IEEE80211_WORK_ASSOC && ++ tmp->type != IEEE80211_WORK_ASSOC_BEACON_WAIT) + continue; + +- if (memcmp(req->bss->bssid, wk->filter_ta, ETH_ALEN)) ++ if (memcmp(req->bss->bssid, tmp->filter_ta, ETH_ALEN)) + continue; + +- not_auth_yet = wk->type == IEEE80211_WORK_DIRECT_PROBE; +- list_del_rcu(&wk->list); +- free_work(wk); ++ not_auth_yet = tmp->type == IEEE80211_WORK_DIRECT_PROBE; ++ list_del_rcu(&tmp->list); ++ synchronize_rcu(); ++ wk = tmp; + break; + } + mutex_unlock(&local->mtx); + ++ if (wk && wk->type == IEEE80211_WORK_ASSOC) { ++ /* clean up dummy sta & TX sync */ ++ sta_info_destroy_addr(wk->sdata, wk->filter_ta); ++ if (wk->assoc.synced) ++ drv_finish_tx_sync(local, wk->sdata, ++ wk->filter_ta, ++ IEEE80211_TX_SYNC_ASSOC); ++ } else if (wk && wk->type == IEEE80211_WORK_AUTH) { ++ if (wk->probe_auth.synced) ++ drv_finish_tx_sync(local, wk->sdata, ++ wk->filter_ta, ++ IEEE80211_TX_SYNC_AUTH); ++ } ++ kfree(wk); ++ + /* + * If somebody requests authentication and we haven't + * sent out an auth frame yet there's no need to send + + +-- +To unsubscribe from this list: send the line "unsubscribe linux-wireless" in +the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org +More majordomo info at http://vger.kernel.org/majordomo-info.html +