5 files changed, 22 insertions, 7 deletions

diff --git a/net/mac80211/debugfs_key.c b/net/mac80211/debugfs_key.c
index 97c9e46e859e..fa5e76e658ef 100644
--- a/net/mac80211/debugfs_key.c
+++ b/net/mac80211/debugfs_key.c
@@ -143,7 +143,7 @@ static ssize_t key_rx_spec_read(struct file *file, char __user *userbuf,
                 len = p - buf;
                 break;
         case ALG_CCMP:
-                for (i = 0; i < NUM_RX_DATA_QUEUES; i++) {
+                for (i = 0; i < NUM_RX_DATA_QUEUES + 1; i++) {
                         rpn = key->u.ccmp.rx_pn[i];
                         p += scnprintf(p, sizeof(buf)+buf-p,
                                        "%02x%02x%02x%02x%02x%02x\n",
diff --git a/net/mac80211/key.c b/net/mac80211/key.c
index d0d9001a4a6a..50d1cff23d8e 100644
--- a/net/mac80211/key.c
+++ b/net/mac80211/key.c
@@ -273,7 +273,7 @@ struct ieee80211_key *ieee80211_key_alloc(enum ieee80211_key_alg alg,
                 key->conf.iv_len = CCMP_HDR_LEN;
                 key->conf.icv_len = CCMP_MIC_LEN;
                 if (seq) {
-                        for (i = 0; i < NUM_RX_DATA_QUEUES; i++)
+                        for (i = 0; i < NUM_RX_DATA_QUEUES + 1; i++)
                                 for (j = 0; j < CCMP_PN_LEN; j++)
                                         key->u.ccmp.rx_pn[i][j] =
                                                 seq[CCMP_PN_LEN - j - 1];
diff --git a/net/mac80211/key.h b/net/mac80211/key.h
index 9996e3be6e63..a3849fa3fce8 100644
--- a/net/mac80211/key.h
+++ b/net/mac80211/key.h
@@ -77,7 +77,13 @@ struct ieee80211_key {
                 } tkip;
                 struct {
                         u8 tx_pn[6];
-                        u8 rx_pn[NUM_RX_DATA_QUEUES][6];
+                        /*
+                         * Last received packet number. The first
+                         * NUM_RX_DATA_QUEUES counters are used with Data
+                         * frames and the last counter is used with Robust
+                         * Management frames.
+                         */
+                        u8 rx_pn[NUM_RX_DATA_QUEUES + 1][6];
                         struct crypto_cipher *tfm;
                         u32 replays; /* dot11RSNAStatsCCMPReplays */
                         /* scratch buffers for virt_to_page() (crypto API) */
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 1594ebe80a4f..1f76352caa9e 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1267,11 +1267,13 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
                                                  rx->queue, &(rx->skb));
                 if (rx->key && rx->key->conf.alg == ALG_CCMP &&
                     ieee80211_has_protected(fc)) {
+                        int queue = ieee80211_is_mgmt(fc) ?
+                                NUM_RX_DATA_QUEUES : rx->queue;
                         /* Store CCMP PN so that we can verify that the next
                          * fragment has a sequential PN value. */
                         entry->ccmp = 1;
                         memcpy(entry->last_pn,
-                               rx->key->u.ccmp.rx_pn[rx->queue],
+                               rx->key->u.ccmp.rx_pn[queue],
                                CCMP_PN_LEN);
                 }
                 return RX_QUEUED;
@@ -1291,6 +1293,7 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
         if (entry->ccmp) {
                 int i;
                 u8 pn[CCMP_PN_LEN], *rpn;
+                int queue;
                 if (!rx->key || rx->key->conf.alg != ALG_CCMP)
                         return RX_DROP_UNUSABLE;
                 memcpy(pn, entry->last_pn, CCMP_PN_LEN);
@@ -1299,7 +1302,9 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
                         if (pn[i])
                                 break;
                 }
-                rpn = rx->key->u.ccmp.rx_pn[rx->queue];
+                queue = ieee80211_is_mgmt(fc) ?
+                        NUM_RX_DATA_QUEUES : rx->queue;
+                rpn = rx->key->u.ccmp.rx_pn[queue];
                 if (memcmp(pn, rpn, CCMP_PN_LEN))
                         return RX_DROP_UNUSABLE;
                 memcpy(entry->last_pn, pn, CCMP_PN_LEN);
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index 0adbcc941ac9..a14e67707476 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -436,6 +436,7 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx)
         struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
         u8 pn[CCMP_PN_LEN];
         int data_len;
+        int queue;
 
         hdrlen = ieee80211_hdrlen(hdr->frame_control);
 
@@ -453,7 +454,10 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx)
 
         ccmp_hdr2pn(pn, skb->data + hdrlen);
 
-        if (memcmp(pn, key->u.ccmp.rx_pn[rx->queue], CCMP_PN_LEN) <= 0) {
+        queue = ieee80211_is_mgmt(hdr->frame_control) ?
+                NUM_RX_DATA_QUEUES : rx->queue;
+
+        if (memcmp(pn, key->u.ccmp.rx_pn[queue], CCMP_PN_LEN) <= 0) {
                 key->u.ccmp.replays++;
                 return RX_DROP_UNUSABLE;
         }
@@ -470,7 +474,7 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx)
                         return RX_DROP_UNUSABLE;
         }
 
-        memcpy(key->u.ccmp.rx_pn[rx->queue], pn, CCMP_PN_LEN);
+        memcpy(key->u.ccmp.rx_pn[queue], pn, CCMP_PN_LEN);
 
         /* Remove CCMP header and MIC */
         skb_trim(skb, skb->len - CCMP_MIC_LEN);