Return-path: <linux-wireless-owner@vger.kernel.org>
Received: from smtp-out.google.com ([74.125.121.35]:53630 "EHLO
	smtp-out.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1751422Ab0GARVe (ORCPT
	<rfc822;linux-wireless@vger.kernel.org>);
	Thu, 1 Jul 2010 13:21:34 -0400
Received: from wpaz1.hot.corp.google.com (wpaz1.hot.corp.google.com [172.24.198.65])
	by smtp-out.google.com with ESMTP id o61HLWfd004475
	for <linux-wireless@vger.kernel.org>; Thu, 1 Jul 2010 10:21:32 -0700
Received: from iwn7 (iwn7.prod.google.com [10.241.68.71])
	by wpaz1.hot.corp.google.com with ESMTP id o61HLQXZ009705
	for <linux-wireless@vger.kernel.org>; Thu, 1 Jul 2010 10:21:31 -0700
Received: by iwn7 with SMTP id 7so3200416iwn.33
        for <linux-wireless@vger.kernel.org>; Thu, 01 Jul 2010 10:21:31 -0700 (PDT)
MIME-Version: 1.0
Date: Thu, 1 Jul 2010 10:21:31 -0700
Message-ID: <AANLkTilV1t1737ciSPyyETeBEcN_QXsYxgEwpZIIucR2@mail.gmail.com>
Subject: [PATCH 2.6.34] mac80211: Fix auth retries if AP sends temporary
	deauth
From: Paul Stewart <pstew@google.com>
To: Johannes Berg <johannes@sipsolutions.net>
Cc: linux-wireless@vger.kernel.org,
	Michael Wu <flamingice@sourmilk.net>,
	Jiri Benc <jbenc@suse.cz>,
	"John W. Linville" <linville@tuxdriver.com>
Content-Type: text/plain; charset=ISO-8859-1
Sender: linux-wireless-owner@vger.kernel.org
List-ID: <linux-wireless.vger.kernel.org>

This bypasses destruction of BSS state if a temporary DEAUTH packet is
received while performing an AUTH.  This will allow the retry mechanism
(which runs regardless of this patch) to succeed, since we do not remove
the BSS state which is required to complete authentication on the client
side in cfg80211_send_rx_auth().

The specific case handled here is "Previous authentication no longer
valid", which is usually generated by an AP if the AP still has saved
state of the STA being authenticated.  Usually a retry will be successful.

Signed-off-by: Paul Stewart <pstew@google.com>
---
net/mac80211/work.c |   21 ++++++++++++++++++++-
 1 files changed, 20 insertions(+), 1 deletions(-)

diff --git a/net/mac80211/work.c b/net/mac80211/work.c
index 15e1ba9..800929e 100644
--- a/net/mac80211/work.c
+++ b/net/mac80211/work.c
@@ -1006,7 +1006,7 @@ ieee80211_rx_result
ieee80211_work_rx_mgmt(struct ieee80211_sub_if_data *sdata,
 	struct ieee80211_local *local = sdata->local;
 	struct ieee80211_mgmt *mgmt;
 	struct ieee80211_work *wk;
-	u16 fc;
+	u16 fc, reason_code;

 	if (skb->len < 24)
 		return RX_DROP_MONITOR;
@@ -1030,6 +1030,25 @@ ieee80211_rx_result
ieee80211_work_rx_mgmt(struct ieee80211_sub_if_data *sdata,
 			skb_queue_tail(&local->work_skb_queue, skb);
 			ieee80211_queue_work(&local->hw, &local->work_work);
 			return RX_QUEUED;
+		case IEEE80211_STYPE_DEAUTH:
+			/*
+			 * If we get sent a DEAUTH while we are
+			 * actively trying to authenticate to this
+			 * station, we shoot ourselves in the foot if
+			 * we fall through using RX_CONTINUE and allow
+			 * the bss context to disappear
+			 * (ieee80211_sta_rx_mgmt()).  This is
+			 * especially true if the reason for the
+			 * DEAUTH was a negative but temporary direct
+			 * response to an AUTH attempt. Let the retry
+			 * mechanism run its course instead.
+			 */
+                        reason_code = le16_to_cpu(mgmt->u.deauth.reason_code);
+			if (wk->type == IEEE80211_WORK_AUTH &&
+                            reason_code == WLAN_REASON_PREV_AUTH_NOT_VALID) {
+				return RX_DROP_MONITOR;
+			}
+			break;
 		}
 	}