cfg80211: fix BSS double-unlinking

commit 3207390a8b58bfc1335750f91cf6783c48ca19ca upstream.

When multiple interfaces are actively trying
to associate with the same BSS, they may both
find that the BSS isn't there and then try to
unlink it. This can cause errors since the
unlinking code can't currently deal with items
that have already been unlinked.

Normally this doesn't happen as most people
don't try to use multiple station interfaces
that associate at the same time too.

Fix this by using the list entry as a flag to
see if the item is still on a list.

Reported-by: Ben Greear <greearb@candelatech.com>
Tested-by: Hun-Kyi Wynn <hkwynn@candelatech.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 5ca8c7180141d8dc9bc43d607eb26395cd0268bf..503ebb86ba1836f5d2c8709c75bae5eff83c5de6 100644 (file)
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -650,14 +650,14 @@ void cfg80211_unlink_bss(struct wiphy *wiphy, struct cfg80211_bss *pub)
        bss = container_of(pub, struct cfg80211_internal_bss, pub);
 
        spin_lock_bh(&dev->bss_lock);
+       if (!list_empty(&bss->list)) {
+               list_del_init(&bss->list);
+               dev->bss_generation++;
+               rb_erase(&bss->rbn, &dev->bss_tree);
 
-       list_del(&bss->list);
-       dev->bss_generation++;
-       rb_erase(&bss->rbn, &dev->bss_tree);
-
+               kref_put(&bss->ref, bss_release);
+       }
        spin_unlock_bh(&dev->bss_lock);
-
-       kref_put(&bss->ref, bss_release);
 }
 EXPORT_SYMBOL(cfg80211_unlink_bss);