mwifiex: fix incomplete scan in case of IE parsing error

bingz · linvjw · commit 8a7d7cbf7b5f · 2013-01-30T14:13:09.000-05:00
A scan request is split into multiple scan commands queued in
scan_pending_q. Each scan command will be sent to firmware and
its response is handlded one after another.

If any error is detected while parsing IE in command response
buffer the remaining data will be ignored and error is returned.

We should check if there is any more scan commands pending in
the queue before returning error. This ensures that we will call
cfg80211_scan_done if this is the last scan command, or send
next scan command in scan_pending_q to firmware.

Cc: "3.6+" &lt;stable@vger.kernel.org&gt;
Signed-off-by: Bing Zhao &lt;bzhao@marvell.com&gt;
Signed-off-by: Amitkumar Karwar &lt;akarwar@marvell.com&gt;
Signed-off-by: John W. Linville &lt;linville@tuxdriver.com&gt;
diff --git a/drivers/net/wireless/mwifiex/scan.c b/drivers/net/wireless/mwifiex/scan.c
@@ -1563,7 +1563,7 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private *priv,
 		dev_err(adapter->dev, "SCAN_RESP: too many AP returned (%d)\n",
 			scan_rsp->number_of_sets);
 		ret = -1;
-		goto done;
+		goto check_next_scan;
 	}
 
 	bytes_left = le16_to_cpu(scan_rsp->bss_descript_size);
@@ -1634,7 +1634,8 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private *priv,
 		if (!beacon_size || beacon_size > bytes_left) {
 			bss_info += bytes_left;
 			bytes_left = 0;
-			return -1;
+			ret = -1;
+			goto check_next_scan;
 		}
 
 		/* Initialize the current working beacon pointer for this BSS
@@ -1690,7 +1691,7 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private *priv,
 				dev_err(priv->adapter->dev,
 					"%s: bytes left < IE length\n",
 					__func__);
-				goto done;
+				goto check_next_scan;
 			}
 			if (element_id == WLAN_EID_DS_PARAMS) {
 				channel = *(current_ptr + sizeof(struct ieee_types_header));
@@ -1753,6 +1754,7 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private *priv,
 		}
 	}
 
+check_next_scan:
 	spin_lock_irqsave(&adapter->scan_pending_q_lock, flags);
 	if (list_empty(&adapter->scan_pending_q)) {
 		spin_unlock_irqrestore(&adapter->scan_pending_q_lock, flags);
@@ -1813,7 +1815,6 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private *priv,
 		}
 	}
 
-done:
 	return ret;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -1563,7 +1563,7 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private *priv,`
`1563`	`1563`	`dev_err(adapter->dev, "SCAN_RESP: too many AP returned (%d)\n",`
`1564`	`1564`	`scan_rsp->number_of_sets);`
`1565`	`1565`	`ret = -1;`
`1566`		`- goto done;`
	`1566`	`+ goto check_next_scan;`
`1567`	`1567`	`}`
`1568`	`1568`
`1569`	`1569`	`bytes_left = le16_to_cpu(scan_rsp->bss_descript_size);`
`@@ -1634,7 +1634,8 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private *priv,`
`1634`	`1634`	`if (!beacon_size \|\| beacon_size > bytes_left) {`
`1635`	`1635`	`bss_info += bytes_left;`
`1636`	`1636`	`bytes_left = 0;`
`1637`		`- return -1;`
	`1637`	`+ ret = -1;`
	`1638`	`+ goto check_next_scan;`
`1638`	`1639`	`}`
`1639`	`1640`
`1640`	`1641`	`/* Initialize the current working beacon pointer for this BSS`
`@@ -1690,7 +1691,7 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private *priv,`
`1690`	`1691`	`dev_err(priv->adapter->dev,`
`1691`	`1692`	`"%s: bytes left < IE length\n",`
`1692`	`1693`	`__func__);`
`1693`		`- goto done;`
	`1694`	`+ goto check_next_scan;`
`1694`	`1695`	`}`
`1695`	`1696`	`if (element_id == WLAN_EID_DS_PARAMS) {`
`1696`	`1697`	`channel = *(current_ptr + sizeof(struct ieee_types_header));`
`@@ -1753,6 +1754,7 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private *priv,`
`1753`	`1754`	`}`
`1754`	`1755`	`}`
`1755`	`1756`
	`1757`	`+check_next_scan:`
`1756`	`1758`	`spin_lock_irqsave(&adapter->scan_pending_q_lock, flags);`
`1757`	`1759`	`if (list_empty(&adapter->scan_pending_q)) {`
`1758`	`1760`	`spin_unlock_irqrestore(&adapter->scan_pending_q_lock, flags);`
`@@ -1813,7 +1815,6 @@ int mwifiex_ret_802_11_scan(struct mwifiex_private *priv,`
`1813`	`1815`	`}`
`1814`	`1816`	`}`
`1815`	`1817`
`1816`		`-done:`
`1817`	`1818`	`return ret;`
`1818`	`1819`	`}`
`1819`	`1820`