[PATCH] nl80211: Clear preq NL handle after Unsubscribe mgmt
Ouden.Biz Lin
ouden.biz at gmail.com
Tue Dec 14 06:17:26 PST 2021
Dear Sir,
> diff --git a/src/drivers/driver_nl80211.c b/src/drivers/driver_nl80211.c
> if (is_ap_interface(nlmode)) {
> nl80211_mgmt_unsubscribe(bss, "start AP");
> + if (bss->nl_preq) {
> + wpa_printf(MSG_DEBUG, "nl80211: Disable Probe Request "
> + "reporting nl_preq=%p", bss->nl_preq);
> + nl80211_destroy_eloop_handle(&bss->nl_preq, 0);
> + }
> /* Setup additional AP mode functionality if needed */
> if (nl80211_setup_ap(bss))
> return -1;
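Review bot: The new block inside if (is_ap_interface(nlmode)) open-codes the teardown of bss->nl_preq, and its debug line reuses the "Disable Probe Request reporting" text that the log further down shows being printed after "Setup AP", so the two paths cannot be told apart in a debug log. Consider a distinct message or one shared helper for the handle teardown, plus a short comment saying why the handle can still be set at this point after nl80211_mgmt_unsubscribe().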
nl80211: Unsubscribe mgmt frames handle 0x8888dd655d343e09 (start AP)
nl80211: Setup AP(wlan0) - device_ap_sme=0 use_monitor=0
device_ap_sme=0, is_ap=1, in_deinit=0, static_ap=0
nl80211: Disable Probe Request reporting nl_preq=0x8888dd655d347269
When device_ap_sme=0, nl80211_setup_ap() will call
wpa_driver_nl80211_probe_req_report(bss, 0) first.
If bss->nl_preq is not cleared.
nl80211: Unsubscribe mgmt frames handle 0x8888ded86cffee09 (start AP)
nl80211: Setup AP(wlan0) - device_ap_sme=1 use_monitor=0
nl80211: Probe Request reporting already on! nl_preq=0x8888ded86cf619f9
However, in device_ap_sme=1, no one will handle it.
If we call wpa_driver_nl80211_probe_req_report(bss, 0), it will not work.
So, regardless of device_ap_sme, if it always needs to clear nl_preq first,
I will refine the patch to nl80211_setup_ap().
@@ -5574,8 +5574,11 @@ static int nl80211_setup_ap(struct i802_bss *bss)
* devices that include the AP SME, in the other case (unless using
* monitor iface) we'll get it through the nl_mgmt socket instead.
*/
- if (!drv->device_ap_sme)
- wpa_driver_nl80211_probe_req_report(bss, 0);
+ if (bss->nl_preq) {
+ wpa_printf(MSG_DEBUG, "nl80211: Disable Probe Request "
+ "reporting nl_preq=%p", bss->nl_preq);
+ nl80211_destroy_eloop_handle(&bss->nl_preq, 0);
+ }
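Review bot: Dropping the if (!drv->device_ap_sme) guard changes the device_ap_sme=0 path as well: it now calls nl80211_destroy_eloop_handle(&bss->nl_preq, 0) in place of wpa_driver_nl80211_probe_req_report(bss, 0), so anything that function does besides destroying the handle is skipped. The retained comment above the change still explains the step in terms of AP SME and the nl_mgmt socket; update it to say why the handle is now cleared unconditionally, or keep the original call for the non-SME case and add the direct cleanup only for device_ap_sme=1.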
> Is it clear that this really works in all cases? What would happen if
> wpa_driver_nl80211_deinit() were to call
> wpa_driver_nl80211_probe_req_report(bss, 0) after this? Wouldn't that
> end up dereferencing an invalid pointer?
In wpa_driver_nl80211_deinit(), if bss->nl_preq exists, it calls
wpa_driver_nl80211_probe_req_report(bss, 0).
Therefore, after wpa_driver_nl80211_deinit(), bss->nl_preq is cleared
(null pointer).
Also, wpa_driver_nl80211_probe_req_report(bss, 0) is valid only when
bss->nl_preq exists.
So, I think it works in all situations.
Does it satisfy your question?
Thank you.
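The lifetime argument in the reply above, as an added example that is not part of the original message and not hostap code: a simplified C model in which the handle is destroyed through the owner's pointer and cleared in the same step, so a later guarded disable at deinit never touches freed memory. All model_* names and the int-based handle are hypothetical stand-ins, and the model assumes the destroy helper nulls the pointer it is given.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified model; every name here is a hypothetical stand-in, not hostap code. */
struct model_bss { int *nl_preq; };
static int handles_freed; /* counts real frees; 2 would mean a double free */

/* Destroy through the owner's pointer and clear it in the same step. */
static void model_destroy_handle(int **h)
{
    if (!*h)
        return;
    free(*h);
    handles_freed++;
    *h = NULL;
}

/* Enable (1) or disable (0) reporting; -1 when the state does not allow it. */
static int model_probe_req_report(struct model_bss *bss, int report)
{
    if (!report) {
        if (!bss->nl_preq)
            return -1; /* nothing to disable */
        model_destroy_handle(&bss->nl_preq);
        return 0;
    }
    if (bss->nl_preq)
        return -1; /* reporting already on */
    bss->nl_preq = calloc(1, sizeof(*bss->nl_preq));
    return bss->nl_preq ? 0 : -1;
}

/* Deinit disables reporting only when a handle still exists. */
static void model_deinit(struct model_bss *bss)
{
    if (bss->nl_preq)
        model_probe_req_report(bss, 0);
}

/* Reporting on, AP setup clears the handle, then deinit.
 * Returns the number of frees, or -1 if the handle survived. */
static int model_run_sequence(void)
{
    struct model_bss bss = { NULL };
    handles_freed = 0;
    model_probe_req_report(&bss, 1);
    model_destroy_handle(&bss.nl_preq); /* the cleanup done at AP setup */
    model_deinit(&bss);
    return bss.nl_preq ? -1 : handles_freed;
}

int main(void) { printf("frees=%d\n", model_run_sequence()); return 0; }
```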