mac80211: fix various problems in ibss code

There are a few problems in the IBSS code:
 a) it tries to activate interfaces that are down after scanning
 b) it crashes after scanning on an IBSS iface that isn't active
 c) since the ssid_len is used as a flag, need to make it visible
    only after all other settings are set, this helps protect
    against b)

For b), we get a system crash:

wlan0: Creating new IBSS network, BSSID ce:f9:88:76:1e:4d
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<...>] ieee80211_sta_find_ibss+0x294/0x37d [mac80211]
Call Trace:
 [<...>] ieee80211_ibss_notify_scan_completed+0x0/0x88 [mac80211]

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 6030e003180cca92f1dcbf70e7af5217eb4405e7..895f4854760caa6243740fbb8e0ebeb0ccd4a1d2 100644 (file)
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -786,8 +786,12 @@ void ieee80211_ibss_notify_scan_completed(struct ieee80211_local *local)
 
        mutex_lock(&local->iflist_mtx);
        list_for_each_entry(sdata, &local->interfaces, list) {
+               if (!netif_running(sdata->dev))
+                       continue;
                if (sdata->vif.type != NL80211_IFTYPE_ADHOC)
                        continue;
+               if (!sdata->u.ibss.ssid_len)
+                       continue;
                sdata->u.ibss.last_scan_completed = jiffies;
                ieee80211_sta_find_ibss(sdata);
        }
@@ -827,9 +831,6 @@ int ieee80211_ibss_join(struct ieee80211_sub_if_data *sdata,
 {
        struct sk_buff *skb;
 
-       memcpy(sdata->u.ibss.ssid, params->ssid, IEEE80211_MAX_SSID_LEN);
-       sdata->u.ibss.ssid_len = params->ssid_len;
-
        if (params->bssid) {
                memcpy(sdata->u.ibss.bssid, params->bssid, ETH_ALEN);
                sdata->u.ibss.fixed_bssid = true;
@@ -859,6 +860,17 @@ int ieee80211_ibss_join(struct ieee80211_sub_if_data *sdata,
        sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH;
        sdata->u.ibss.ibss_join_req = jiffies;
 
+       memcpy(sdata->u.ibss.ssid, params->ssid, IEEE80211_MAX_SSID_LEN);
+
+       /*
+        * The ssid_len setting below is used to see whether
+        * we are active, and we need all other settings
+        * before that may get visible.
+        */
+       mb();
+
+       sdata->u.ibss.ssid_len = params->ssid_len;
+
        set_bit(IEEE80211_IBSS_REQ_RUN, &sdata->u.ibss.request);
        queue_work(sdata->local->hw.workqueue, &sdata->u.ibss.work);