From owner-svn-src-releng@FreeBSD.ORG Tue Dec 10 19:22:03 2013 Return-Path: Delivered-To: svn-src-releng@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 45CC374E; Tue, 10 Dec 2013 19:22:03 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 31FC11819; Tue, 10 Dec 2013 19:22:03 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id rBAJM3XP080961; Tue, 10 Dec 2013 19:22:03 GMT (envelope-from gavin@svn.freebsd.org) Received: (from gavin@localhost) by svn.freebsd.org (8.14.7/8.14.7/Submit) id rBAJM2BJ080958; Tue, 10 Dec 2013 19:22:02 GMT (envelope-from gavin@svn.freebsd.org) Message-Id: <201312101922.rBAJM2BJ080958@svn.freebsd.org> From: Gavin Atkinson Date: Tue, 10 Dec 2013 19:22:02 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r259188 - releng/10.0/sys/net80211 X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-releng@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for the release engineering / security commits to the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 10 Dec 2013 19:22:03 -0000 Author: gavin Date: Tue Dec 10 19:22:02 2013 New Revision: 259188 URL: http://svnweb.freebsd.org/changeset/base/259188 Log: Merge r259175 from stable/10 (head r257065 by adrian): Fix a use-after-free node reference issue when waiting for a return from a management frame transmission. Approved by: re (glebius) Modified: releng/10.0/sys/net80211/ieee80211_output.c releng/10.0/sys/net80211/ieee80211_proto.c releng/10.0/sys/net80211/ieee80211_proto.h Directory Properties: releng/10.0/ (props changed) Modified: releng/10.0/sys/net80211/ieee80211_output.c ============================================================================== --- releng/10.0/sys/net80211/ieee80211_output.c Tue Dec 10 19:17:31 2013 (r259187) +++ releng/10.0/sys/net80211/ieee80211_output.c Tue Dec 10 19:22:02 2013 (r259188) @@ -2736,20 +2736,35 @@ ieee80211_alloc_cts(struct ieee80211com static void ieee80211_tx_mgt_timeout(void *arg) { - struct ieee80211_node *ni = arg; - struct ieee80211vap *vap = ni->ni_vap; + struct ieee80211vap *vap = arg; + IEEE80211_LOCK(vap->iv_ic); if (vap->iv_state != IEEE80211_S_INIT && (vap->iv_ic->ic_flags & IEEE80211_F_SCAN) == 0) { /* * NB: it's safe to specify a timeout as the reason here; * it'll only be used in the right state. */ - ieee80211_new_state(vap, IEEE80211_S_SCAN, + ieee80211_new_state_locked(vap, IEEE80211_S_SCAN, IEEE80211_SCAN_FAIL_TIMEOUT); } + IEEE80211_UNLOCK(vap->iv_ic); } +/* + * This is the callback set on net80211-sourced transmitted + * authentication request frames. + * + * This does a couple of things: + * + * + If the frame transmitted was a success, it schedules a future + * event which will transition the interface to scan. + * If a state transition _then_ occurs before that event occurs, + * said state transition will cancel this callout. + * + * + If the frame transmit was a failure, it immediately schedules + * the transition back to scan. + */ static void ieee80211_tx_mgt_cb(struct ieee80211_node *ni, void *arg, int status) { @@ -2767,10 +2782,11 @@ ieee80211_tx_mgt_cb(struct ieee80211_nod * * XXX what happens if !acked but response shows up before callback? */ - if (vap->iv_state == ostate) + if (vap->iv_state == ostate) { callout_reset(&vap->iv_mgtsend, status == 0 ? IEEE80211_TRANS_WAIT*hz : 0, - ieee80211_tx_mgt_timeout, ni); + ieee80211_tx_mgt_timeout, vap); + } } static void Modified: releng/10.0/sys/net80211/ieee80211_proto.c ============================================================================== --- releng/10.0/sys/net80211/ieee80211_proto.c Tue Dec 10 19:17:31 2013 (r259187) +++ releng/10.0/sys/net80211/ieee80211_proto.c Tue Dec 10 19:22:02 2013 (r259188) @@ -107,8 +107,6 @@ static void update_promisc(void *, int); static void update_channel(void *, int); static void update_chw(void *, int); static void ieee80211_newstate_cb(void *, int); -static int ieee80211_new_state_locked(struct ieee80211vap *, - enum ieee80211_state, int); static int null_raw_xmit(struct ieee80211_node *ni, struct mbuf *m, @@ -1834,7 +1832,7 @@ done: * is usually a mistake and indicates lack of proper integration * with the net80211 layer. */ -static int +int ieee80211_new_state_locked(struct ieee80211vap *vap, enum ieee80211_state nstate, int arg) { Modified: releng/10.0/sys/net80211/ieee80211_proto.h ============================================================================== --- releng/10.0/sys/net80211/ieee80211_proto.h Tue Dec 10 19:17:31 2013 (r259187) +++ releng/10.0/sys/net80211/ieee80211_proto.h Tue Dec 10 19:22:02 2013 (r259188) @@ -332,6 +332,8 @@ void ieee80211_dturbo_switch(struct ieee void ieee80211_swbmiss(void *arg); void ieee80211_beacon_miss(struct ieee80211com *); int ieee80211_new_state(struct ieee80211vap *, enum ieee80211_state, int); +int ieee80211_new_state_locked(struct ieee80211vap *, enum ieee80211_state, + int); void ieee80211_print_essid(const uint8_t *, int); void ieee80211_dump_pkt(struct ieee80211com *, const uint8_t *, int, int, int);