Commit Graph

334421 Commits

Author SHA1 Message Date
Johannes Berg
6bdd253f63 mac80211: fix remain-on-channel (non-)cancelling
Felix Liao reported that when an interface is set DOWN
while another interface is executing a ROC, the warning
in ieee80211_start_next_roc() (about the first item on
the list having started already) triggers.

This is because ieee80211_roc_purge() calls it even if
it never actually changed the list of ROC items. To fix
this, simply remove the function call. If it is needed
then it will be done by the ieee80211_sw_roc_work()
function when the ROC item that is being removed while
active is cleaned up.

Cc: stable@vger.kernel.org
Reported-by: Felix Liao <Felix.Liao@watchguard.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-11-26 14:41:40 -05:00
John W. Linville
53c5251366 Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-fixes 2012-11-26 14:25:22 -05:00
Emmanuel Grumbach
5edd0b946a iwlwifi: fix the basic CCK rates calculation
Fix a copy paste error in iwl_calc_basic_rates which leads
to a wrong calculation of CCK basic rates.

Cc: stable@vger.kernel.org
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-11-21 11:31:21 +01:00
John W. Linville
400e020892 This is the first pull request for 3.7 NFC fixes.
We mostly have pn533 fixes here, 2 memory leaks and an early unlocking fix.
Moreover, we also have an LLCP adapter linked list insertion fix.

Merge tag 'nfc-fixes-3.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo/nfc-3.0

Samuel says:

"This is the first pull request for 3.7 NFC fixes.

We mostly have pn533 fixes here, 2 memory leaks and an early unlocking fix.
Moreover, we also have an LLCP adapter linked list insertion fix."

Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-11-20 13:08:14 -05:00
Thierry Escande
5b412fd11c NFC: Fix pn533 target mode memory leak
In target mode, sent sk_buff were not freed in pn533_tm_send_complete

Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-11-20 00:09:26 +01:00
Waldemar Rymarkiewicz
70418e6efc NFC: pn533: Fix mem leak in pn533_in_dep_link_up
cmd is allocated in pn533_dep_link_up and passed as an arg to
pn533_send_cmd_frame_async together with a complete cb.

arg is passed to the cb and must be kfreed there.

Signed-off-by: Waldemar Rymarkiewicz <waldemar.rymarkiewicz@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-11-20 00:09:26 +01:00
Szymon Janc
770f750bc2 NFC: pn533: Fix use after free
cmd was freed in pn533_dep_link_up regardless of
pn533_send_cmd_frame_async return code. Cmd is passed as argument to
pn533_in_dep_link_up_complete callback and should be freed there.

Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-11-20 00:09:26 +01:00
Szymon Janc
60ad07ab6b NFC: pn533: Fix missing lock while operating on commands list
In pn533_wq_cmd command was removed from list without cmd_lock held
(race with pn533_send_cmd_frame_async) which could lead to list
corruption. Delete command from list before releasing lock.

Signed-off-by: Szymon Janc <szymon.janc@tieto.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-11-20 00:09:25 +01:00
Thierry Escande
16a78e9fed NFC: Fix nfc_llcp_local chained list insertion
list_add was called with swapped parameters

Signed-off-by: Thierry Escande <thierry.escande@linux.intel.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
2012-11-20 00:09:25 +01:00
John W. Linville
65210946f3 Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-fixes 2012-11-19 14:38:12 -05:00
John W. Linville
e56108d927 Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 2012-11-19 14:37:43 -05:00
Sujith Manoharan
da8fb123b0 ath9k_hw: Fix regression in device reset
Commit "ath9k: improve suspend/resume reliability" broke ath9k_htc
and bringing up the device would hang indefinitely. Fix this.

Cc: stable@vger.kernel.org
Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-11-19 10:23:42 -05:00
Emmanuel Grumbach
e1b69fdf33 iwlwifi: don't WARN when a non empty queue is disabled
This can happen when we suddenly shut down an interface.

Cc: stable@vger.kernel.org
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-11-18 11:51:09 +01:00
Johannes Berg
38c1a01cf1 wireless: add back sysfs directory
commit 35b2a113cb broke (at least)
Fedora's networking scripts, they check for the existence of the
wireless directory. As the files aren't used, add the directory
back and not the files. Also do it for both drivers based on the
old wireless extensions and cfg80211, regardless of whether the
compat code for wext is built into cfg80211 or not.

Cc: stable@vger.kernel.org [3.6]
Reported-by: Dave Airlie <airlied@gmail.com>
Reported-by: Bill Nottingham <notting@redhat.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-11-16 21:37:52 +01:00
Bing Zhao
dd321acddc mwifiex: report error to MMC core if we cannot suspend
When host_sleep_config command fails we should return error to
MMC core to indicate the failure for our device.

The misspelled variable is also removed as it's redundant.

Cc: "3.0+" <stable@vger.kernel.org>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-11-16 14:52:25 -05:00
Bing Zhao
b1a47aa5e1 mwifiex: fix system hang issue in cmd timeout error case
Reported by Tim Shepard:
I was seeing sporadic failures (wedgeups), and the majority of those
failures I saw printed the printouts in mwifiex_cmd_timeout_func with
cmd = 0xe5 which is CMD_802_11_HS_CFG_ENH.  When this happens, two
minutes later I get notified that the rtcwake thread is blocked, like
this:
      INFO: task rtcwake:3495 blocked for more than 120 seconds.

To get the hung thread unblocked we wake up the cmd wait queue and
cancel the ioctl.

Cc: "3.4+" <stable@vger.kernel.org>
Reported-by: Tim Shepard <shep@laptop.org>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-11-16 14:52:25 -05:00
Albert Pool
a485e827f0 rtlwifi: rtl8192cu: Add new USB ID
This is an ISY IWL 2000. Probably a clone of Belkin F7D1102 050d:1102.
Its FCC ID is the same.

Signed-off-by: Albert Pool <albertpool@solcon.nl>
Cc: stable@vger.kernel.org
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-11-16 14:52:24 -05:00
Hauke Mehrtens
d61f978b8f brcmfmac: fix typo in CONFIG_BRCMISCAN
The old ifdef CONFIG_BRCMFISCAN looks wrong to me and it makes more
sense when CONFIG_BRCMISCAN is used.
This patch was just compile tested by me, but not runtime tested.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Franky Lin <frankyl@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-11-14 14:25:44 -05:00
John W. Linville
485f2b7f5f Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth 2012-11-14 14:17:58 -05:00
John W. Linville
e734207fee Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-fixes 2012-11-14 14:16:54 -05:00
John W. Linville
bd2a813074 Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 2012-11-14 14:15:43 -05:00
Johannes Berg
04baaa27b4 iwlwifi: fix monitor mode FCS flag
When the firmware is in SNIFFER mode, it leaves
the FCS at the end of frame. Not telling mac80211
means it won't add the right flag to the radiotap
header and that confuses wireshark.

Since mac80211 doesn't have a per-packet flag, set
the HW flag dynamically. This works as the monitor
vif can only be present in the driver by itself.

This fixes a regression introduced by my

commit 5789772641
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Fri May 11 10:53:18 2012 +0200

    iwlwifi: support explicit monitor interface

Cc: stable@vger.kernel.org [3.5+]
Reported-by: MARK PHILLIPS <mark.phillips@virgin.net>
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-11-14 11:08:38 +01:00
Simon Wunderlich
b78a4932f5 mac80211: deinitialize ibss-internals after emptiness check
The check whether the IBSS is active and can be removed should be
performed before deinitializing the fields used for the check/search.
Otherwise, the configured BSS will not be found and removed properly.

To make it more clear for the future, rename sdata->u.ibss to the
local pointer ifibss which is used within the checks.

This behaviour was introduced by
f3209bea11
("mac80211: fix IBSS teardown race")

Cc: stable@vger.kernel.org
Cc: Ignacy Gawedzki <i@lri.fr>
Signed-off-by: Simon Wunderlich <siwu@hrz.tu-chemnitz.de>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-11-13 21:35:07 +01:00
Johannes Berg
43c771a196 wireless: allow 40 MHz on world roaming channels 12/13
When in world roaming mode, allow 40 MHz to be used
on channels 12 and 13 so that an AP that is, e.g.,
using HT40+ on channel 9 (in the UK) can be used.

Cc: stable@vger.kernel.org
Reported-by: Eddie Chapman <eddie@ehuk.net>
Tested-by: Eddie Chapman <eddie@ehuk.net>
Acked-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-11-12 16:26:06 +01:00
Felix Fietkau
1f98ab7fef mac80211: call skb_dequeue/ieee80211_free_txskb instead of __skb_queue_purge
Fixes more wifi status skb leaks, leading to hostapd/wpa_supplicant hangs.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Cc: stable@vger.kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-11-10 21:26:28 +01:00
Johannes Berg
20f544eea0 mac80211: don't send null data packet when not associated
On resume or firmware recovery, mac80211 sends a null
data packet to see if the AP is still around and hasn't
disconnected us. However, it always does this even if
it wasn't even connected before, leading to a warning
in the new channel context code. Fix this by checking
that it's associated.

Cc: stable@vger.kernel.org
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-11-09 17:31:47 +01:00
Johan Hedberg
482049f757 Bluetooth: Fix memory leak when removing a UUID
When removing a UUID from the list in the remove_uuid() function we must
also kfree the entry in addition to removing it from the list.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
2012-11-09 16:45:37 +01:00
Marcos Chaparro
acd9454433 Bluetooth: ath3k: Add support for VAIO VPCEH [0489:e027]
Added Atheros AR3011 internal bluetooth device found in Sony VAIO VPCEH to the
devices list.
Before this, the bluetooth module was identified as a Foxconn / Hai bluetooth
device [0489:e027], now it claims to be an Atheros AR3011 Bluetooth
[0cf3:3005].

T:  Bus=01 Lev=02 Prnt=02 Port=04 Cnt=02 Dev#=  4 Spd=12   MxCh= 0
D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=0489 ProdID=e027 Rev= 0.01
C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms

Signed-off-by: Marcos Chaparro <marcos@mrkindustries.com.ar>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
2012-11-09 16:45:37 +01:00
Marcel Holtmann
fbe96d6ff9 Bluetooth: Notify about device registration before power on
It is important that the monitor interface gets notified about
a new device before its power on procedure has been started.

For some reason that is no longer working as expected and the power
on procedure runs first. It is safe to just notify about device
registration and trigger the power on procedure afterwards.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Acked-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
2012-11-09 16:45:37 +01:00
Paulo Sérgio
896ea28ea8 Bluetooth: Fix error status when pairing fails
When pairing fails due to wrong confirm value, the management layer
doesn't report a proper error status. It sends
MGMT_STATUS_CONNECT_FAILED instead of MGMT_STATUS_AUTH_FAILED.

Most management functions that receive a status as a parameter
expect it to be encoded as an HCI status. But when an SMP pairing
fails, the SMP layer sends the SMP reason as the error status to the
management layer.

This commit maps all SMP reasons to HCI_ERROR_AUTH_FAILURE, which will
be converted to MGMT_STATUS_AUTH_FAILED in the management layer.

Reported-by: Claudio Takahasi <claudio.takahasi@openbossa.org>
Reviewed-by: João Paulo Rechi Vita <jprvita@openbossa.org>
Signed-off-by: Paulo Sérgio <paulo.sergio@openbossa.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
2012-11-09 16:45:37 +01:00
Johan Hedberg
476e44cb19 Bluetooth: Fix having bogus entries in mgmt_read_index_list reply
The mgmt_read_index_list uses one loop to calculate the max needed size
of its response with the help of an upper-bound of the controller count.
The second loop is more strict as it checks for HCI_SETUP (which might
have gotten set after the first loop) and could result in some indexes
being skipped. Because of this the function needs to readjust the event
length and index count after filling in the response array.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Cc: stable@vger.kernel.org
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
2012-11-09 16:45:37 +01:00
Johannes Berg
cfff2f999d mac80211: fix memory leak in device registration error path
If the cipher suites need to be allocated, but this
allocation fails, this leaks the internal scan request.
Fix that by going to the correct error handling label.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-11-09 09:48:43 +01:00
Johannes Berg
31df3bb78b iwlwifi: use ieee80211_free_txskb
To let mac80211 clean up any TX information when
a frame is dropped, use ieee80211_free_txskb().

Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-11-07 09:18:43 +01:00
Johannes Berg
7c34158231 iwlwifi: handle DMA mapping failures
The RX replenish code doesn't handle DMA mapping failures,
which will cause issues if there actually is a failure. This
was reported by Shuah Khan who found a DMA mapping framework
warning ("device driver failed to check map error").

Cc: stable@vger.kernel.org
Reported-by: Shuah Khan <shuah.khan@hp.com>
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-11-05 16:08:58 +01:00
Arik Nemtsov
987c285c2a mac80211: sync access to tx_filtered/ps_tx_buf queues
These are accessed without a lock when ending STA PSM. If the
sta_cleanup timer accesses these lists at the same time, we might crash.

This may fix some mysterious crashes we had during
ieee80211_sta_ps_deliver_wakeup.

Cc: stable@vger.kernel.org
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Signed-off-by: Ido Yariv <ido@wizery.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-11-05 14:19:55 +01:00
David Spinadel
bca1e29fb5 mac80211: init sched_scan_ies
In case that there is an unsupported band, the ie will be
unallocated and the free will crash.

Cc: stable@vger.kernel.org
Signed-off-by: David Spinadel <david.spinadel@intel.com>
Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-31 17:04:18 +01:00
Felix Fietkau
35f5149ead mac80211: do not call ieee80211_configure_filter if no interfaces are up
Drivers are not expected to handle it before drv_start has been called. It
will be called again after an interface has been brought up.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-31 16:53:34 +01:00
Sven Eckelmann
6fe7cc71bb ath9k: Test for TID only in BlockAcks while checking tx status
The ath9k xmit functions for AMPDUs can send frames as non-aggregate in case
only one frame is currently available. The client will then answer using a
normal Ack instead of a BlockAck. This acknowledgement has no TID stored and
therefore the hardware is not able to provide us the corresponding TID.

The TID set by the hardware in the tx status descriptor has to be seen as
undefined and not as a valid TID value for normal acknowledgements. Doing
otherwise results in a massive amount of retransmissions and stalls of
connections.

Users may experience low bandwidth and complete connection stalls in
environments with transfers using multiple TIDs.

This regression was introduced in b11b160def
("ath9k: validate the TID in the tx status information").

Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <siwu@hrz.tu-chemnitz.de>
Cc: stable@vger.kernel.org
Acked-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-10-30 15:58:54 -04:00
Stanislaw Gruszka
bf7e1abe43 rt2800: validate step value for temperature compensation
Some hardware has correct (!= 0xff) value of tssi_bounds[4] in the
EEPROM, but step is equal to 0xff. This results in ridiculous delta
calculations and completely broken TX power settings.

Reported-and-tested-by: Pavel Lucik <pavel.lucik@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-10-30 15:58:54 -04:00
Felix Fietkau
8c6e30936a ath9k: fix stale pointers potentially causing access to free'd skbs
bf->bf_next is only while buffers are chained as part of an A-MPDU
in the tx queue. When a tid queue is flushed (e.g. on tearing down
an aggregation session), frames can be enqueued again as normal
transmission, without bf_next being cleared. This can lead to the
old pointer being dereferenced again later.

This patch might fix crashes and "Failed to stop TX DMA!" messages.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Cc: stable@vger.kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-10-29 14:18:21 -04:00
John W. Linville
efec22b468 Merge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 2012-10-29 14:14:48 -04:00
Johannes Berg
6dbda2d00d mac80211: make sure data is accessible in EAPOL check
The code to allow EAPOL frames even when the station
isn't yet marked associated needs to check that the
incoming frame is long enough and due to paged RX it
also can't assume skb->data contains the right data,
it must use skb_copy_bits(). Fix this to avoid using
data that doesn't really exist.

Cc: stable@vger.kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-26 22:52:42 +02:00
Johannes Berg
9b395bc3be mac80211: verify that skb data is present
A number of places in the mesh code don't check that
the frame data is present and in the skb header when
trying to access. Add those checks and the necessary
pskb_may_pull() calls. This prevents accessing data
that doesn't actually exist.

To do this, export ieee80211_get_mesh_hdrlen() to be
able to use it in mac80211.

Cc: stable@vger.kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-26 22:52:42 +02:00
Johannes Berg
4a4f1a5808 mac80211: check management frame header length
Due to pskb_may_pull() checking the skb length, all
non-management frames are checked on input whether
their 802.11 header is fully present. Also add that
check for management frames and remove a check that
is now duplicate. This prevents accessing skb data
beyond the frame end.

Cc: stable@vger.kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-26 22:52:41 +02:00
Johannes Berg
7dd111e8ee wireless: drop invalid mesh address extension frames
The mesh header can have address extension by a 4th
or a 5th and 6th address, but never both. Drop such
frames in 802.11 -> 802.3 conversion along with any
frames that have the wrong extension.

Cc: stable@vger.kernel.org
Reviewed-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-26 22:52:41 +02:00
Antonio Quartulli
badecb001a mac80211: fix SSID copy on IBSS JOIN
The 'ssid' field of the cfg80211_ibss_params is a u8 pointer and
its length is likely to be less than IEEE80211_MAX_SSID_LEN most
of the time.

This patch fixes the ssid copy in ieee80211_ibss_join() by using
the SSID length to prevent it from reading beyond the string.

Cc: stable@vger.kernel.org
Signed-off-by: Antonio Quartulli <ordex@autistici.org>
[rewrapped commit message, small rewording]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-26 22:52:18 +02:00
Javier Cardona
f7fbf70ee9 mac80211: don't inspect Sequence Control field on control frames
Per IEEE Std. 802.11-2012, Sec 8.2.4.4.1, the sequence Control field is
not present in control frames.  We noticed this problem when processing
Block Ack Requests.

Cc: stable@vger.kernel.org
Signed-off-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: Javier Lopez <jlopex@cozybit.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-25 21:54:41 +02:00
Javier Cardona
2ac64cd17f mac80211: Don't drop frames received with mesh ttl == 1
Prior to this fix, those frames were not received, nor forwarded.  Fix
this to receive and not forward.

Signed-off-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-25 13:52:20 +02:00
Javier Cardona
555cb715be mac80211: Only process mesh config header on frames that RA_MATCH
Doing otherwise is wrong, and may wreak havoc on the mpp tables,
especially if the frame is encrypted.

Cc: stable@vger.kernel.org
Reported-by: Chaoxing Lin <Chaoxing.Lin@ultra-3eti.com>
Signed-off-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-25 13:51:29 +02:00
Larry Finger
f89ff6441d b43: Fix oops on unload when firmware not found
When b43 fails to find firmware when loaded, a subsequent unload will
oops due to calling ieee80211_unregister_hw() when the corresponding
register call was never made.

Commit 2d838bb608 fixed the same problem
for b43legacy.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Tested-by: Markus Kanet <dvmailing@gmx.eu>
Cc: Stable <stable@vger.kernel.org> [V3.3.0+ (the patch will need to be refactored)]
Cc: Markus Kanet <dvmailing@gmx.eu>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-10-24 13:18:09 -04:00