[Prism54-devel] [Bug 103] New: Bogus locking in mgt_mlme_answer()
bugzilla-daemon at mcgrof.com
Sat Jul 31 22:36:30 UTC 2004
http://prism54.org/cgi-bin/bugzilla/show_bug.cgi?id=103
Summary: Bogus locking in mgt_mlme_answer()
Product: prim54
Version: 1.2
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Device Driver
AssignedTo: prism54-devel at prism54.org
ReportedBy: vda at port.imtp.ilyichevsk.odessa.ua
oid_mgt.c
=========
/* This will tell you if you are allowed to answer a mlme(ex) request .*/
int
mgt_mlme_answer(islpci_private *priv)
{
	u32 mlmeautolevel;
	/* Acquire a read lock because if we are in a mode change, it's
	 * possible to answer true, while the card is leaving master to managed
	 * mode. Answering to a mlme in this situation could hang the card.
	 */
	down_read(&priv->mib_sem);
	mlmeautolevel =
	    le32_to_cpu(*(u32 *) priv->mib[DOT11_OID_MLMEAUTOLEVEL]);
	up_read(&priv->mib_sem);
	return ((priv->iw_mode == IW_MODE_MASTER) &&
		(mlmeautolevel >= DOT11_MLME_INTERMEDIATE));
}
==========
This is bogus. Another thread might start messing with
priv->mib[DOT11_OID_MLMEAUTOLEVEL] right after we do up_read().
Locking must be moved into callers of this function. Obviously they
call it now with no locking whatsoever, or else they should've
deadlocked right away.
There is only one caller, actually:
static void
handle_request(islpci_private *priv, struct obj_mlme *mlme, enum oid_num_t oid)
{
	if (((mlme->state == DOT11_STATE_AUTHING) ||
	     (mlme->state == DOT11_STATE_ASSOCING))
	    && mgt_mlme_answer(priv)) {
		/* Someone is requesting auth and we must respond. Just send back
		 * the trap with error code set accordingly.
		 */
		mlme->code = prism54_mac_accept(&priv->acl,
						mlme->address) ? 0 : 1;
		mgt_set_request(priv, oid, 0, mlme);
	}
}
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
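
Added example (not part of the original report or of the prism54 code): a single-threaded userspace model of the check-then-unlock pattern described in the report, next to the variant where the caller keeps the lock across both the check and the response. The struct, the reader counter standing in for mib_sem, MODEL_INTERMEDIATE and all model_*/respond_* names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed userspace model, not driver code; the other thread is called in-line. */
struct model_priv {
	int readers;            /* models mib_sem held for read */
	bool master;            /* models iw_mode == IW_MODE_MASTER */
	unsigned mlmeautolevel; /* models the MIB value */
};
#define MODEL_INTERMEDIATE 1u   /* assumed stand-in threshold */

static bool may_answer(const struct model_priv *p)
{
	return p->master && p->mlmeautolevel >= MODEL_INTERMEDIATE;
}

/* Writer side: the mode change only gets in when no reader holds the lock. */
static void model_mode_change(struct model_priv *p)
{
	if (p->readers > 0)
		return;         /* a real writer would sleep here */
	p->master = false;
	p->mlmeautolevel = 0;
}

/* Pattern from the report; returns true if the response uses a stale decision. */
static bool respond_check_then_unlock(struct model_priv *p)
{
	p->readers++;                   /* down_read */
	bool ok = may_answer(p);
	p->readers--;                   /* up_read */
	model_mode_change(p);           /* writer runs in the window */
	return ok && !may_answer(p);    /* caller would respond here */
}

/* Lock held by the caller across both the check and the response. */
static bool respond_lock_held(struct model_priv *p)
{
	p->readers++;
	bool ok = may_answer(p);
	model_mode_change(p);           /* writer is kept out */
	bool stale = ok && !may_answer(p);
	p->readers--;
	return stale;
}

int main(void)
{
	struct model_priv a = { 0, true, MODEL_INTERMEDIATE }, b = a;
	printf("%d %d\n", respond_check_then_unlock(&a), respond_lock_held(&b));
}
```

The model only shows the ordering problem; it says nothing about which driver functions may safely be called while mib_sem is held.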