Merge 3.7-rc6 into char-misc-next

author: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2012-11-16 21:21:36 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2012-11-16 21:21:36 -0500
commit: 98c4514ff6e3072288770db66f91bdb15af8b433 (patch)
tree: eb5f2541e70d27144720e1735b463471025908f0 /net/mac80211
parent: 644a9d3b66e6983c2c1f3b24c3006d49b184c871 (diff)
parent: f4a75d2eb7b1e2206094b901be09adb31ba63681 (diff)
10 files changed, 127 insertions, 35 deletions
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 05f3a313db88..7371f676cf41 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -2594,6 +2594,9 @@ static void ieee80211_mgmt_frame_register(struct wiphy *wiphy,
                else
                        local->probe_req_reg--;
+                if (!local->open_count)
+                        break;
                ieee80211_queue_work(&local->hw, &local->reconfig_filter);
                break;
        default:
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 5f3620f0bc0a..bf87c70ac6c5 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -1108,7 +1108,7 @@ int ieee80211_ibss_join(struct ieee80211_sub_if_data *sdata,
        sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH;
        sdata->u.ibss.ibss_join_req = jiffies;
-        memcpy(sdata->u.ibss.ssid, params->ssid, IEEE80211_MAX_SSID_LEN);
+        memcpy(sdata->u.ibss.ssid, params->ssid, params->ssid_len);
        sdata->u.ibss.ssid_len = params->ssid_len;
        mutex_unlock(&sdata->u.ibss.mtx);
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 8c804550465b..156e5835e37f 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1314,6 +1314,8 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb,
                                         struct net_device *dev);
 netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
                                       struct net_device *dev);
+void ieee80211_purge_tx_queue(struct ieee80211_hw *hw,
+                              struct sk_buff_head *skbs);
 /* HT */
 void ieee80211_apply_htcap_overrides(struct ieee80211_sub_if_data *sdata,
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index c80c4490351c..f57f597972f8 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -871,8 +871,10 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
                                local->hw.wiphy->cipher_suites,
                                sizeof(u32) * local->hw.wiphy->n_cipher_suites,
                                GFP_KERNEL);
-                        if (!suites)
+                        if (!suites) {
-                                return -ENOMEM;
+                                result = -ENOMEM;
+                                goto fail_wiphy_register;
+                        }
                        for (r = 0; r < local->hw.wiphy->n_cipher_suites; r++) {
                                u32 suite = local->hw.wiphy->cipher_suites[r];
                                if (suite == WLAN_CIPHER_SUITE_WEP40 ||
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 61c621e9273f..00ade7feb2e3 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -531,6 +531,11 @@ ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
                if (ieee80211_is_action(hdr->frame_control)) {
                        u8 category;
+                        /* make sure category field is present */
+                        if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
+                                return RX_DROP_MONITOR;
                        mgmt = (struct ieee80211_mgmt *)hdr;
                        category = mgmt->u.action.category;
                        if (category != WLAN_CATEGORY_MESH_ACTION &&
@@ -883,14 +888,16 @@ ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
                 */
                if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
                    ieee80211_is_data_present(hdr->frame_control)) {
-                        u16 ethertype;
+                        unsigned int hdrlen;
-                        u8 *payload;
+                        __be16 ethertype;
-                        payload = rx->skb->data +
+                        hdrlen = ieee80211_hdrlen(hdr->frame_control);
-                                ieee80211_hdrlen(hdr->frame_control);
-                        ethertype = (payload[6] << 8) | payload[7];
+                        if (rx->skb->len < hdrlen + 8)
-                        if (cpu_to_be16(ethertype) ==
+                                return RX_DROP_MONITOR;
-                            rx->sdata->control_port_protocol)
+                        skb_copy_bits(rx->skb, hdrlen + 6, &ethertype, 2);
+                        if (ethertype == rx->sdata->control_port_protocol)
                                return RX_CONTINUE;
                }
@@ -1462,11 +1469,14 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
        hdr = (struct ieee80211_hdr *)rx->skb->data;
        fc = hdr->frame_control;
+        if (ieee80211_is_ctl(fc))
+                return RX_CONTINUE;
        sc = le16_to_cpu(hdr->seq_ctrl);
        frag = sc & IEEE80211_SCTL_FRAG;
        if (likely((!ieee80211_has_morefrags(fc) && frag == 0) ||
-                   (rx->skb)->len < 24 ||
                   is_multicast_ether_addr(hdr->addr1))) {
                /* not fragmented */
                goto out;
@@ -1889,6 +1899,20 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
        hdr = (struct ieee80211_hdr *) skb->data;
        hdrlen = ieee80211_hdrlen(hdr->frame_control);
+        /* make sure fixed part of mesh header is there, also checks skb len */
+        if (!pskb_may_pull(rx->skb, hdrlen + 6))
+                return RX_DROP_MONITOR;
+        mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
+        /* make sure full mesh header is there, also checks skb len */
+        if (!pskb_may_pull(rx->skb,
+                           hdrlen + ieee80211_get_mesh_hdrlen(mesh_hdr)))
+                return RX_DROP_MONITOR;
+        /* reload pointers */
+        hdr = (struct ieee80211_hdr *) skb->data;
        mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
        /* frame is in RMC, don't forward */
@@ -1897,7 +1921,8 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
            mesh_rmc_check(hdr->addr3, mesh_hdr, rx->sdata))
                return RX_DROP_MONITOR;
-        if (!ieee80211_is_data(hdr->frame_control))
+        if (!ieee80211_is_data(hdr->frame_control) ||
+            !(status->rx_flags & IEEE80211_RX_RA_MATCH))
                return RX_CONTINUE;
        if (!mesh_hdr->ttl)
@@ -1911,9 +1936,12 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
                if (is_multicast_ether_addr(hdr->addr1)) {
                        mpp_addr = hdr->addr3;
                        proxied_addr = mesh_hdr->eaddr1;
-                } else {
+                } else if (mesh_hdr->flags & MESH_FLAGS_AE_A5_A6) {
+                        /* has_a4 already checked in ieee80211_rx_mesh_check */
                        mpp_addr = hdr->addr4;
                        proxied_addr = mesh_hdr->eaddr2;
+                } else {
+                        return RX_DROP_MONITOR;
                }
                rcu_read_lock();
@@ -1941,12 +1969,9 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
        }
        skb_set_queue_mapping(skb, q);
-        if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
-                goto out;
        if (!--mesh_hdr->ttl) {
                IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl);
-                return RX_DROP_MONITOR;
+                goto out;
        }
        if (!ifmsh->mshcfg.dot11MeshForwarding)
@@ -2353,6 +2378,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
                }
                break;
        case WLAN_CATEGORY_SELF_PROTECTED:
+                if (len < (IEEE80211_MIN_ACTION_SIZE +
+                           sizeof(mgmt->u.action.u.self_prot.action_code)))
+                        break;
                switch (mgmt->u.action.u.self_prot.action_code) {
                case WLAN_SP_MESH_PEERING_OPEN:
                case WLAN_SP_MESH_PEERING_CLOSE:
@@ -2371,6 +2400,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
                }
                break;
        case WLAN_CATEGORY_MESH_ACTION:
+                if (len < (IEEE80211_MIN_ACTION_SIZE +
+                           sizeof(mgmt->u.action.u.mesh_action.action_code)))
+                        break;
                if (!ieee80211_vif_is_mesh(&sdata->vif))
                        break;
                if (mesh_action_is_path_sel(mgmt) &&
@@ -2913,10 +2946,15 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
        if (ieee80211_is_data(fc) || ieee80211_is_mgmt(fc))
                local->dot11ReceivedFragmentCount++;
-        if (ieee80211_is_mgmt(fc))
+        if (ieee80211_is_mgmt(fc)) {
-                err = skb_linearize(skb);
+                /* drop frame if too short for header */
-        else
+                if (skb->len < ieee80211_hdrlen(fc))
+                        err = -ENOBUFS;
+                else
+                        err = skb_linearize(skb);
+        } else {
                err = !pskb_may_pull(skb, ieee80211_hdrlen(fc));
+        }
        if (err) {
                dev_kfree_skb(skb);
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index c4cdbde24fd3..43e60b5a7546 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -917,7 +917,7 @@ int ieee80211_request_sched_scan_start(struct ieee80211_sub_if_data *sdata,
                                       struct cfg80211_sched_scan_request *req)
 {
        struct ieee80211_local *local = sdata->local;
-        struct ieee80211_sched_scan_ies sched_scan_ies;
+        struct ieee80211_sched_scan_ies sched_scan_ies = {};
        int ret, i;
        mutex_lock(&local->mtx);
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 0a4e4c04db89..d2eb64e12353 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -117,8 +117,8 @@ static void free_sta_work(struct work_struct *wk)
        for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
                local->total_ps_buffered -= skb_queue_len(&sta->ps_tx_buf[ac]);
-                __skb_queue_purge(&sta->ps_tx_buf[ac]);
+                ieee80211_purge_tx_queue(&local->hw, &sta->ps_tx_buf[ac]);
-                __skb_queue_purge(&sta->tx_filtered[ac]);
+                ieee80211_purge_tx_queue(&local->hw, &sta->tx_filtered[ac]);
        }
 #ifdef CONFIG_MAC80211_MESH
@@ -141,7 +141,7 @@ static void free_sta_work(struct work_struct *wk)
                tid_tx = rcu_dereference_raw(sta->ampdu_mlme.tid_tx[i]);
                if (!tid_tx)
                        continue;
-                __skb_queue_purge(&tid_tx->pending);
+                ieee80211_purge_tx_queue(&local->hw, &tid_tx->pending);
                kfree(tid_tx);
        }
@@ -961,6 +961,7 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
        struct ieee80211_local *local = sdata->local;
        struct sk_buff_head pending;
        int filtered = 0, buffered = 0, ac;
+        unsigned long flags;
        clear_sta_flag(sta, WLAN_STA_SP);
@@ -976,12 +977,16 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
        for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
                int count = skb_queue_len(&pending), tmp;
+                spin_lock_irqsave(&sta->tx_filtered[ac].lock, flags);
                skb_queue_splice_tail_init(&sta->tx_filtered[ac], &pending);
+                spin_unlock_irqrestore(&sta->tx_filtered[ac].lock, flags);
                tmp = skb_queue_len(&pending);
                filtered += tmp - count;
                count = tmp;
+                spin_lock_irqsave(&sta->ps_tx_buf[ac].lock, flags);
                skb_queue_splice_tail_init(&sta->ps_tx_buf[ac], &pending);
+                spin_unlock_irqrestore(&sta->ps_tx_buf[ac].lock, flags);
                tmp = skb_queue_len(&pending);
                buffered += tmp - count;
        }
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index 3af0cc4130f1..101eb88a2b78 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -668,3 +668,12 @@ void ieee80211_free_txskb(struct ieee80211_hw *hw, struct sk_buff *skb)
        dev_kfree_skb_any(skb);
 }
 EXPORT_SYMBOL(ieee80211_free_txskb);
+void ieee80211_purge_tx_queue(struct ieee80211_hw *hw,
+                              struct sk_buff_head *skbs)
+{
+        struct sk_buff *skb;
+        while ((skb = __skb_dequeue(skbs)))
+                ieee80211_free_txskb(hw, skb);
+}
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index c9bf83f36657..b858ebe41fda 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1358,7 +1358,7 @@ static int invoke_tx_handlers(struct ieee80211_tx_data *tx)
                if (tx->skb)
                        ieee80211_free_txskb(&tx->local->hw, tx->skb);
                else
-                        __skb_queue_purge(&tx->skbs);
+                        ieee80211_purge_tx_queue(&tx->local->hw, &tx->skbs);
                return -1;
        } else if (unlikely(res == TX_QUEUED)) {
                I802_DEBUG_INC(tx->local->tx_handlers_queued);
@@ -2120,10 +2120,13 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
 */
 void ieee80211_clear_tx_pending(struct ieee80211_local *local)
 {
+        struct sk_buff *skb;
        int i;
-        for (i = 0; i < local->hw.queues; i++)
+        for (i = 0; i < local->hw.queues; i++) {
-                skb_queue_purge(&local->pending[i]);
+                while ((skb = skb_dequeue(&local->pending[i])) != NULL)
+                        ieee80211_free_txskb(&local->hw, skb);
+        }
 }
 /*
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 94e586873979..0151ae33c4cd 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -643,13 +643,41 @@ u32 ieee802_11_parse_elems_crc(u8 *start, size_t len,
                        break;
                }
-                if (id != WLAN_EID_VENDOR_SPECIFIC &&
+                switch (id) {
-                    id != WLAN_EID_QUIET &&
+                case WLAN_EID_SSID:
-                    test_bit(id, seen_elems)) {
+                case WLAN_EID_SUPP_RATES:
-                        elems->parse_error = true;
+                case WLAN_EID_FH_PARAMS:
-                        left -= elen;
+                case WLAN_EID_DS_PARAMS:
-                        pos += elen;
+                case WLAN_EID_CF_PARAMS:
-                        continue;
+                case WLAN_EID_TIM:
+                case WLAN_EID_IBSS_PARAMS:
+                case WLAN_EID_CHALLENGE:
+                case WLAN_EID_RSN:
+                case WLAN_EID_ERP_INFO:
+                case WLAN_EID_EXT_SUPP_RATES:
+                case WLAN_EID_HT_CAPABILITY:
+                case WLAN_EID_HT_OPERATION:
+                case WLAN_EID_VHT_CAPABILITY:
+                case WLAN_EID_VHT_OPERATION:
+                case WLAN_EID_MESH_ID:
+                case WLAN_EID_MESH_CONFIG:
+                case WLAN_EID_PEER_MGMT:
+                case WLAN_EID_PREQ:
+                case WLAN_EID_PREP:
+                case WLAN_EID_PERR:
+                case WLAN_EID_RANN:
+                case WLAN_EID_CHANNEL_SWITCH:
+                case WLAN_EID_EXT_CHANSWITCH_ANN:
+                case WLAN_EID_COUNTRY:
+                case WLAN_EID_PWR_CONSTRAINT:
+                case WLAN_EID_TIMEOUT_INTERVAL:
+                        if (test_bit(id, seen_elems)) {
+                                elems->parse_error = true;
+                                left -= elen;
+                                pos += elen;
+                                continue;
+                        }
+                        break;
                }
                if (calc_crc && id < 64 && (filter & (1ULL << id)))
@@ -1463,6 +1491,8 @@ int ieee80211_reconfig(struct ieee80211_local *local)
                list_for_each_entry(sdata, &local->interfaces, list) {
                        if (sdata->vif.type != NL80211_IFTYPE_STATION)
                                continue;
+                        if (!sdata->u.mgd.associated)
+                                continue;
                        ieee80211_send_nullfunc(local, sdata, 0);
                }
author	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2012-11-16 21:21:36 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2012-11-16 21:21:36 -0500
commit	98c4514ff6e3072288770db66f91bdb15af8b433 (patch)
tree	eb5f2541e70d27144720e1735b463471025908f0 /net/mac80211
parent	644a9d3b66e6983c2c1f3b24c3006d49b184c871 (diff)
parent	f4a75d2eb7b1e2206094b901be09adb31ba63681 (diff)

diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index 05f3a313db88..7371f676cf41 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c
@@ -2594,6 +2594,9 @@ static void ieee80211_mgmt_frame_register(struct wiphy *wiphy,
2594	else	2594	else
2595	local->probe_req_reg--;	2595	local->probe_req_reg--;
2596		2596
		2597	if (!local->open_count)
		2598	break;
		2599
2597	ieee80211_queue_work(&local->hw, &local->reconfig_filter);	2600	ieee80211_queue_work(&local->hw, &local->reconfig_filter);
2598	break;	2601	break;
2599	default:	2602	default:


diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c index 5f3620f0bc0a..bf87c70ac6c5 100644 --- a/net/mac80211/ibss.c +++ b/net/mac80211/ibss.c
@@ -1108,7 +1108,7 @@ int ieee80211_ibss_join(struct ieee80211_sub_if_data *sdata,
1108	sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH;	1108	sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH;
1109	sdata->u.ibss.ibss_join_req = jiffies;	1109	sdata->u.ibss.ibss_join_req = jiffies;
1110		1110
1111	memcpy(sdata->u.ibss.ssid, params->ssid, IEEE80211_MAX_SSID_LEN);	1111	memcpy(sdata->u.ibss.ssid, params->ssid, params->ssid_len);
1112	sdata->u.ibss.ssid_len = params->ssid_len;	1112	sdata->u.ibss.ssid_len = params->ssid_len;
1113		1113
1114	mutex_unlock(&sdata->u.ibss.mtx);	1114	mutex_unlock(&sdata->u.ibss.mtx);


diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h index 8c804550465b..156e5835e37f 100644 --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h
@@ -1314,6 +1314,8 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb,
1314	struct net_device *dev);	1314	struct net_device *dev);
1315	netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,	1315	netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
1316	struct net_device *dev);	1316	struct net_device *dev);
		1317	void ieee80211_purge_tx_queue(struct ieee80211_hw *hw,
		1318	struct sk_buff_head *skbs);
1317		1319
1318	/* HT */	1320	/* HT */
1319	void ieee80211_apply_htcap_overrides(struct ieee80211_sub_if_data *sdata,	1321	void ieee80211_apply_htcap_overrides(struct ieee80211_sub_if_data *sdata,


diff --git a/net/mac80211/main.c b/net/mac80211/main.c index c80c4490351c..f57f597972f8 100644 --- a/net/mac80211/main.c +++ b/net/mac80211/main.c
@@ -871,8 +871,10 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
871	local->hw.wiphy->cipher_suites,	871	local->hw.wiphy->cipher_suites,
872	sizeof(u32) * local->hw.wiphy->n_cipher_suites,	872	sizeof(u32) * local->hw.wiphy->n_cipher_suites,
873	GFP_KERNEL);	873	GFP_KERNEL);
874	if (!suites)	874	if (!suites) {
875	return -ENOMEM;	875	result = -ENOMEM;
		876	goto fail_wiphy_register;
		877	}
876	for (r = 0; r < local->hw.wiphy->n_cipher_suites; r++) {	878	for (r = 0; r < local->hw.wiphy->n_cipher_suites; r++) {
877	u32 suite = local->hw.wiphy->cipher_suites[r];	879	u32 suite = local->hw.wiphy->cipher_suites[r];
878	if (suite == WLAN_CIPHER_SUITE_WEP40 \|\|	880	if (suite == WLAN_CIPHER_SUITE_WEP40 \|\|


diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 61c621e9273f..00ade7feb2e3 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c
@@ -531,6 +531,11 @@ ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
531		531
532	if (ieee80211_is_action(hdr->frame_control)) {	532	if (ieee80211_is_action(hdr->frame_control)) {
533	u8 category;	533	u8 category;
		534
		535	/* make sure category field is present */
		536	if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
		537	return RX_DROP_MONITOR;
		538
534	mgmt = (struct ieee80211_mgmt *)hdr;	539	mgmt = (struct ieee80211_mgmt *)hdr;
535	category = mgmt->u.action.category;	540	category = mgmt->u.action.category;
536	if (category != WLAN_CATEGORY_MESH_ACTION &&	541	if (category != WLAN_CATEGORY_MESH_ACTION &&
@@ -883,14 +888,16 @@ ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
883	*/	888	*/
884	if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION &&	889	if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
885	ieee80211_is_data_present(hdr->frame_control)) {	890	ieee80211_is_data_present(hdr->frame_control)) {
886	u16 ethertype;	891	unsigned int hdrlen;
887	u8 *payload;	892	__be16 ethertype;
888		893
889	payload = rx->skb->data +	894	hdrlen = ieee80211_hdrlen(hdr->frame_control);
890	ieee80211_hdrlen(hdr->frame_control);	895
891	ethertype = (payload[6] << 8) \| payload[7];	896	if (rx->skb->len < hdrlen + 8)
892	if (cpu_to_be16(ethertype) ==	897	return RX_DROP_MONITOR;
893	rx->sdata->control_port_protocol)	898
		899	skb_copy_bits(rx->skb, hdrlen + 6, &ethertype, 2);
		900	if (ethertype == rx->sdata->control_port_protocol)
894	return RX_CONTINUE;	901	return RX_CONTINUE;
895	}	902	}
896		903
@@ -1462,11 +1469,14 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
1462		1469
1463	hdr = (struct ieee80211_hdr *)rx->skb->data;	1470	hdr = (struct ieee80211_hdr *)rx->skb->data;
1464	fc = hdr->frame_control;	1471	fc = hdr->frame_control;
		1472
		1473	if (ieee80211_is_ctl(fc))
		1474	return RX_CONTINUE;
		1475
1465	sc = le16_to_cpu(hdr->seq_ctrl);	1476	sc = le16_to_cpu(hdr->seq_ctrl);
1466	frag = sc & IEEE80211_SCTL_FRAG;	1477	frag = sc & IEEE80211_SCTL_FRAG;
1467		1478
1468	if (likely((!ieee80211_has_morefrags(fc) && frag == 0) \|\|	1479	if (likely((!ieee80211_has_morefrags(fc) && frag == 0) \|\|
1469	(rx->skb)->len < 24 \|\|
1470	is_multicast_ether_addr(hdr->addr1))) {	1480	is_multicast_ether_addr(hdr->addr1))) {
1471	/* not fragmented */	1481	/* not fragmented */
1472	goto out;	1482	goto out;
@@ -1889,6 +1899,20 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
1889		1899
1890	hdr = (struct ieee80211_hdr *) skb->data;	1900	hdr = (struct ieee80211_hdr *) skb->data;
1891	hdrlen = ieee80211_hdrlen(hdr->frame_control);	1901	hdrlen = ieee80211_hdrlen(hdr->frame_control);
		1902
		1903	/* make sure fixed part of mesh header is there, also checks skb len */
		1904	if (!pskb_may_pull(rx->skb, hdrlen + 6))
		1905	return RX_DROP_MONITOR;
		1906
		1907	mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
		1908
		1909	/* make sure full mesh header is there, also checks skb len */
		1910	if (!pskb_may_pull(rx->skb,
		1911	hdrlen + ieee80211_get_mesh_hdrlen(mesh_hdr)))
		1912	return RX_DROP_MONITOR;
		1913
		1914	/* reload pointers */
		1915	hdr = (struct ieee80211_hdr *) skb->data;
1892	mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);	1916	mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
1893		1917
1894	/* frame is in RMC, don't forward */	1918	/* frame is in RMC, don't forward */
@@ -1897,7 +1921,8 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
1897	mesh_rmc_check(hdr->addr3, mesh_hdr, rx->sdata))	1921	mesh_rmc_check(hdr->addr3, mesh_hdr, rx->sdata))
1898	return RX_DROP_MONITOR;	1922	return RX_DROP_MONITOR;
1899		1923
1900	if (!ieee80211_is_data(hdr->frame_control))	1924	if (!ieee80211_is_data(hdr->frame_control) \|\|
		1925	!(status->rx_flags & IEEE80211_RX_RA_MATCH))
1901	return RX_CONTINUE;	1926	return RX_CONTINUE;
1902		1927
1903	if (!mesh_hdr->ttl)	1928	if (!mesh_hdr->ttl)
@@ -1911,9 +1936,12 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
1911	if (is_multicast_ether_addr(hdr->addr1)) {	1936	if (is_multicast_ether_addr(hdr->addr1)) {
1912	mpp_addr = hdr->addr3;	1937	mpp_addr = hdr->addr3;
1913	proxied_addr = mesh_hdr->eaddr1;	1938	proxied_addr = mesh_hdr->eaddr1;
1914	} else {	1939	} else if (mesh_hdr->flags & MESH_FLAGS_AE_A5_A6) {
		1940	/* has_a4 already checked in ieee80211_rx_mesh_check */
1915	mpp_addr = hdr->addr4;	1941	mpp_addr = hdr->addr4;
1916	proxied_addr = mesh_hdr->eaddr2;	1942	proxied_addr = mesh_hdr->eaddr2;
		1943	} else {
		1944	return RX_DROP_MONITOR;
1917	}	1945	}
1918		1946
1919	rcu_read_lock();	1947	rcu_read_lock();
@@ -1941,12 +1969,9 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
1941	}	1969	}
1942	skb_set_queue_mapping(skb, q);	1970	skb_set_queue_mapping(skb, q);
1943		1971
1944	if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
1945	goto out;
1946
1947	if (!--mesh_hdr->ttl) {	1972	if (!--mesh_hdr->ttl) {
1948	IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl);	1973	IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl);
1949	return RX_DROP_MONITOR;	1974	goto out;
1950	}	1975	}
1951		1976
1952	if (!ifmsh->mshcfg.dot11MeshForwarding)	1977	if (!ifmsh->mshcfg.dot11MeshForwarding)
@@ -2353,6 +2378,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
2353	}	2378	}
2354	break;	2379	break;
2355	case WLAN_CATEGORY_SELF_PROTECTED:	2380	case WLAN_CATEGORY_SELF_PROTECTED:
		2381	if (len < (IEEE80211_MIN_ACTION_SIZE +
		2382	sizeof(mgmt->u.action.u.self_prot.action_code)))
		2383	break;
		2384
2356	switch (mgmt->u.action.u.self_prot.action_code) {	2385	switch (mgmt->u.action.u.self_prot.action_code) {
2357	case WLAN_SP_MESH_PEERING_OPEN:	2386	case WLAN_SP_MESH_PEERING_OPEN:
2358	case WLAN_SP_MESH_PEERING_CLOSE:	2387	case WLAN_SP_MESH_PEERING_CLOSE:
@@ -2371,6 +2400,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
2371	}	2400	}
2372	break;	2401	break;
2373	case WLAN_CATEGORY_MESH_ACTION:	2402	case WLAN_CATEGORY_MESH_ACTION:
		2403	if (len < (IEEE80211_MIN_ACTION_SIZE +
		2404	sizeof(mgmt->u.action.u.mesh_action.action_code)))
		2405	break;
		2406
2374	if (!ieee80211_vif_is_mesh(&sdata->vif))	2407	if (!ieee80211_vif_is_mesh(&sdata->vif))
2375	break;	2408	break;
2376	if (mesh_action_is_path_sel(mgmt) &&	2409	if (mesh_action_is_path_sel(mgmt) &&
@@ -2913,10 +2946,15 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
2913	if (ieee80211_is_data(fc) \|\| ieee80211_is_mgmt(fc))	2946	if (ieee80211_is_data(fc) \|\| ieee80211_is_mgmt(fc))
2914	local->dot11ReceivedFragmentCount++;	2947	local->dot11ReceivedFragmentCount++;
2915		2948
2916	if (ieee80211_is_mgmt(fc))	2949	if (ieee80211_is_mgmt(fc)) {
2917	err = skb_linearize(skb);	2950	/* drop frame if too short for header */
2918	else	2951	if (skb->len < ieee80211_hdrlen(fc))
		2952	err = -ENOBUFS;
		2953	else
		2954	err = skb_linearize(skb);
		2955	} else {
2919	err = !pskb_may_pull(skb, ieee80211_hdrlen(fc));	2956	err = !pskb_may_pull(skb, ieee80211_hdrlen(fc));
		2957	}
2920		2958
2921	if (err) {	2959	if (err) {
2922	dev_kfree_skb(skb);	2960	dev_kfree_skb(skb);


diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c index c4cdbde24fd3..43e60b5a7546 100644 --- a/net/mac80211/scan.c +++ b/net/mac80211/scan.c
@@ -917,7 +917,7 @@ int ieee80211_request_sched_scan_start(struct ieee80211_sub_if_data *sdata,
917	struct cfg80211_sched_scan_request *req)	917	struct cfg80211_sched_scan_request *req)
918	{	918	{
919	struct ieee80211_local *local = sdata->local;	919	struct ieee80211_local *local = sdata->local;
920	struct ieee80211_sched_scan_ies sched_scan_ies;	920	struct ieee80211_sched_scan_ies sched_scan_ies = {};
921	int ret, i;	921	int ret, i;
922		922
923	mutex_lock(&local->mtx);	923	mutex_lock(&local->mtx);


diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c index 0a4e4c04db89..d2eb64e12353 100644 --- a/net/mac80211/sta_info.c +++ b/net/mac80211/sta_info.c
@@ -117,8 +117,8 @@ static void free_sta_work(struct work_struct *wk)
117		117
118	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {	118	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
119	local->total_ps_buffered -= skb_queue_len(&sta->ps_tx_buf[ac]);	119	local->total_ps_buffered -= skb_queue_len(&sta->ps_tx_buf[ac]);
120	__skb_queue_purge(&sta->ps_tx_buf[ac]);	120	ieee80211_purge_tx_queue(&local->hw, &sta->ps_tx_buf[ac]);
121	__skb_queue_purge(&sta->tx_filtered[ac]);	121	ieee80211_purge_tx_queue(&local->hw, &sta->tx_filtered[ac]);
122	}	122	}
123		123
124	#ifdef CONFIG_MAC80211_MESH	124	#ifdef CONFIG_MAC80211_MESH
@@ -141,7 +141,7 @@ static void free_sta_work(struct work_struct *wk)
141	tid_tx = rcu_dereference_raw(sta->ampdu_mlme.tid_tx[i]);	141	tid_tx = rcu_dereference_raw(sta->ampdu_mlme.tid_tx[i]);
142	if (!tid_tx)	142	if (!tid_tx)
143	continue;	143	continue;
144	__skb_queue_purge(&tid_tx->pending);	144	ieee80211_purge_tx_queue(&local->hw, &tid_tx->pending);
145	kfree(tid_tx);	145	kfree(tid_tx);
146	}	146	}
147		147
@@ -961,6 +961,7 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
961	struct ieee80211_local *local = sdata->local;	961	struct ieee80211_local *local = sdata->local;
962	struct sk_buff_head pending;	962	struct sk_buff_head pending;
963	int filtered = 0, buffered = 0, ac;	963	int filtered = 0, buffered = 0, ac;
		964	unsigned long flags;
964		965
965	clear_sta_flag(sta, WLAN_STA_SP);	966	clear_sta_flag(sta, WLAN_STA_SP);
966		967
@@ -976,12 +977,16 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
976	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {	977	for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
977	int count = skb_queue_len(&pending), tmp;	978	int count = skb_queue_len(&pending), tmp;
978		979
		980	spin_lock_irqsave(&sta->tx_filtered[ac].lock, flags);
979	skb_queue_splice_tail_init(&sta->tx_filtered[ac], &pending);	981	skb_queue_splice_tail_init(&sta->tx_filtered[ac], &pending);
		982	spin_unlock_irqrestore(&sta->tx_filtered[ac].lock, flags);
980	tmp = skb_queue_len(&pending);	983	tmp = skb_queue_len(&pending);
981	filtered += tmp - count;	984	filtered += tmp - count;
982	count = tmp;	985	count = tmp;
983		986
		987	spin_lock_irqsave(&sta->ps_tx_buf[ac].lock, flags);
984	skb_queue_splice_tail_init(&sta->ps_tx_buf[ac], &pending);	988	skb_queue_splice_tail_init(&sta->ps_tx_buf[ac], &pending);
		989	spin_unlock_irqrestore(&sta->ps_tx_buf[ac].lock, flags);
985	tmp = skb_queue_len(&pending);	990	tmp = skb_queue_len(&pending);
986	buffered += tmp - count;	991	buffered += tmp - count;
987	}	992	}


diff --git a/net/mac80211/status.c b/net/mac80211/status.c index 3af0cc4130f1..101eb88a2b78 100644 --- a/net/mac80211/status.c +++ b/net/mac80211/status.c
@@ -668,3 +668,12 @@ void ieee80211_free_txskb(struct ieee80211_hw hw, struct sk_buff skb)
668	dev_kfree_skb_any(skb);	668	dev_kfree_skb_any(skb);
669	}	669	}
670	EXPORT_SYMBOL(ieee80211_free_txskb);	670	EXPORT_SYMBOL(ieee80211_free_txskb);
		671
		672	void ieee80211_purge_tx_queue(struct ieee80211_hw *hw,
		673	struct sk_buff_head *skbs)
		674	{
		675	struct sk_buff *skb;
		676
		677	while ((skb = __skb_dequeue(skbs)))
		678	ieee80211_free_txskb(hw, skb);
		679	}


diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c index c9bf83f36657..b858ebe41fda 100644 --- a/net/mac80211/tx.c +++ b/net/mac80211/tx.c
@@ -1358,7 +1358,7 @@ static int invoke_tx_handlers(struct ieee80211_tx_data *tx)
1358	if (tx->skb)	1358	if (tx->skb)
1359	ieee80211_free_txskb(&tx->local->hw, tx->skb);	1359	ieee80211_free_txskb(&tx->local->hw, tx->skb);
1360	else	1360	else
1361	__skb_queue_purge(&tx->skbs);	1361	ieee80211_purge_tx_queue(&tx->local->hw, &tx->skbs);
1362	return -1;	1362	return -1;
1363	} else if (unlikely(res == TX_QUEUED)) {	1363	} else if (unlikely(res == TX_QUEUED)) {
1364	I802_DEBUG_INC(tx->local->tx_handlers_queued);	1364	I802_DEBUG_INC(tx->local->tx_handlers_queued);
@@ -2120,10 +2120,13 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
2120	*/	2120	*/
2121	void ieee80211_clear_tx_pending(struct ieee80211_local *local)	2121	void ieee80211_clear_tx_pending(struct ieee80211_local *local)
2122	{	2122	{
		2123	struct sk_buff *skb;
2123	int i;	2124	int i;
2124		2125
2125	for (i = 0; i < local->hw.queues; i++)	2126	for (i = 0; i < local->hw.queues; i++) {
2126	skb_queue_purge(&local->pending[i]);	2127	while ((skb = skb_dequeue(&local->pending[i])) != NULL)
		2128	ieee80211_free_txskb(&local->hw, skb);
		2129	}
2127	}	2130	}
2128		2131
2129	/*	2132	/*


diff --git a/net/mac80211/util.c b/net/mac80211/util.c index 94e586873979..0151ae33c4cd 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c
@@ -643,13 +643,41 @@ u32 ieee802_11_parse_elems_crc(u8 *start, size_t len,
643	break;	643	break;
644	}	644	}
645		645
646	if (id != WLAN_EID_VENDOR_SPECIFIC &&	646	switch (id) {
647	id != WLAN_EID_QUIET &&	647	case WLAN_EID_SSID:
648	test_bit(id, seen_elems)) {	648	case WLAN_EID_SUPP_RATES:
649	elems->parse_error = true;	649	case WLAN_EID_FH_PARAMS:
650	left -= elen;	650	case WLAN_EID_DS_PARAMS:
651	pos += elen;	651	case WLAN_EID_CF_PARAMS:
652	continue;	652	case WLAN_EID_TIM:
		653	case WLAN_EID_IBSS_PARAMS:
		654	case WLAN_EID_CHALLENGE:
		655	case WLAN_EID_RSN:
		656	case WLAN_EID_ERP_INFO:
		657	case WLAN_EID_EXT_SUPP_RATES:
		658	case WLAN_EID_HT_CAPABILITY:
		659	case WLAN_EID_HT_OPERATION:
		660	case WLAN_EID_VHT_CAPABILITY:
		661	case WLAN_EID_VHT_OPERATION:
		662	case WLAN_EID_MESH_ID:
		663	case WLAN_EID_MESH_CONFIG:
		664	case WLAN_EID_PEER_MGMT:
		665	case WLAN_EID_PREQ:
		666	case WLAN_EID_PREP:
		667	case WLAN_EID_PERR:
		668	case WLAN_EID_RANN:
		669	case WLAN_EID_CHANNEL_SWITCH:
		670	case WLAN_EID_EXT_CHANSWITCH_ANN:
		671	case WLAN_EID_COUNTRY:
		672	case WLAN_EID_PWR_CONSTRAINT:
		673	case WLAN_EID_TIMEOUT_INTERVAL:
		674	if (test_bit(id, seen_elems)) {
		675	elems->parse_error = true;
		676	left -= elen;
		677	pos += elen;
		678	continue;
		679	}
		680	break;
653	}	681	}
654		682
655	if (calc_crc && id < 64 && (filter & (1ULL << id)))	683	if (calc_crc && id < 64 && (filter & (1ULL << id)))
@@ -1463,6 +1491,8 @@ int ieee80211_reconfig(struct ieee80211_local *local)
1463	list_for_each_entry(sdata, &local->interfaces, list) {	1491	list_for_each_entry(sdata, &local->interfaces, list) {
1464	if (sdata->vif.type != NL80211_IFTYPE_STATION)	1492	if (sdata->vif.type != NL80211_IFTYPE_STATION)
1465	continue;	1493	continue;
		1494	if (!sdata->u.mgd.associated)
		1495	continue;
1466		1496
1467	ieee80211_send_nullfunc(local, sdata, 0);	1497	ieee80211_send_nullfunc(local, sdata, 0);
1468	}	1498	}