5 files changed, 103 insertions, 15 deletions
diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
index c163d0a149f4..98258b7341e3 100644
--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -332,14 +332,16 @@ int ieee80211_start_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid)
                IEEE80211_QUEUE_STOP_REASON_AGGREGATION);
        spin_unlock(&local->ampdu_lock);
-        spin_unlock_bh(&sta->lock);
-        /* send an addBA request */
+        /* prepare tid data */
        sta->ampdu_mlme.dialog_token_allocator++;
        sta->ampdu_mlme.tid_tx[tid]->dialog_token =
                        sta->ampdu_mlme.dialog_token_allocator;
        sta->ampdu_mlme.tid_tx[tid]->ssn = start_seq_num;
+        spin_unlock_bh(&sta->lock);
+        /* send AddBA request */
        ieee80211_send_addba_request(sdata, pubsta->addr, tid,
                         sta->ampdu_mlme.tid_tx[tid]->dialog_token,
                         sta->ampdu_mlme.tid_tx[tid]->ssn,
diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
index 5d218c530a4e..32be11e4c4d9 100644
--- a/net/mac80211/chan.c
+++ b/net/mac80211/chan.c
@@ -5,7 +5,7 @@
 #include <linux/nl80211.h>
 #include "ieee80211_i.h"
-enum ieee80211_chan_mode
+static enum ieee80211_chan_mode
 __ieee80211_get_channel_mode(struct ieee80211_local *local,
                             struct ieee80211_sub_if_data *ignore)
 {
diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h
index 4f2271316650..9c1da0809160 100644
--- a/net/mac80211/driver-ops.h
+++ b/net/mac80211/driver-ops.h
@@ -349,7 +349,7 @@ static inline int drv_get_survey(struct ieee80211_local *local, int idx,
                                struct survey_info *survey)
 {
        int ret = -EOPNOTSUPP;
-        if (local->ops->conf_tx)
+        if (local->ops->get_survey)
                ret = local->ops->get_survey(&local->hw, idx, survey);
        /* trace_drv_get_survey(local, idx, survey, ret); */
        return ret;
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 0839c4e8fd2e..f803f8b72a93 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1692,14 +1692,52 @@ static void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
                        rma = ieee80211_rx_mgmt_disassoc(sdata, mgmt, skb->len);
                        break;
                case IEEE80211_STYPE_ACTION:
-                        if (mgmt->u.action.category != WLAN_CATEGORY_SPECTRUM_MGMT)
+                        switch (mgmt->u.action.category) {
+                        case WLAN_CATEGORY_BACK: {
+                                struct ieee80211_local *local = sdata->local;
+                                int len = skb->len;
+                                struct sta_info *sta;
+                                rcu_read_lock();
+                                sta = sta_info_get(sdata, mgmt->sa);
+                                if (!sta) {
+                                        rcu_read_unlock();
+                                        break;
+                                }
+                                local_bh_disable();
+                                switch (mgmt->u.action.u.addba_req.action_code) {
+                                case WLAN_ACTION_ADDBA_REQ:
+                                        if (len < (IEEE80211_MIN_ACTION_SIZE +
+                                                   sizeof(mgmt->u.action.u.addba_req)))
+                                                break;
+                                        ieee80211_process_addba_request(local, sta, mgmt, len);
+                                        break;
+                                case WLAN_ACTION_ADDBA_RESP:
+                                        if (len < (IEEE80211_MIN_ACTION_SIZE +
+                                                   sizeof(mgmt->u.action.u.addba_resp)))
+                                                break;
+                                        ieee80211_process_addba_resp(local, sta, mgmt, len);
+                                        break;
+                                case WLAN_ACTION_DELBA:
+                                        if (len < (IEEE80211_MIN_ACTION_SIZE +
+                                                   sizeof(mgmt->u.action.u.delba)))
+                                                break;
+                                        ieee80211_process_delba(sdata, sta, mgmt, len);
+                                        break;
+                                }
+                                local_bh_enable();
+                                rcu_read_unlock();
                                break;
+                                }
-                        ieee80211_sta_process_chanswitch(sdata,
+                        case WLAN_CATEGORY_SPECTRUM_MGMT:
-                                        &mgmt->u.action.u.chan_switch.sw_elem,
+                                ieee80211_sta_process_chanswitch(sdata,
-                                        (void *)ifmgd->associated->priv,
+                                                &mgmt->u.action.u.chan_switch.sw_elem,
-                                        rx_status->mactime);
+                                                (void *)ifmgd->associated->priv,
-                        break;
+                                                rx_status->mactime);
+                                break;
+                        }
                }
                mutex_unlock(&ifmgd->mtx);
@@ -1722,9 +1760,45 @@ static void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
        mutex_unlock(&ifmgd->mtx);
        if (skb->len >= 24 + 2 /* mgmt + deauth reason */ &&
-            (fc & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_DEAUTH)
+            (fc & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_DEAUTH) {
-                cfg80211_send_deauth(sdata->dev, (u8 *)mgmt, skb->len);
+                struct ieee80211_local *local = sdata->local;
+                struct ieee80211_work *wk;
+                mutex_lock(&local->work_mtx);
+                list_for_each_entry(wk, &local->work_list, list) {
+                        if (wk->sdata != sdata)
+                                continue;
+                        if (wk->type != IEEE80211_WORK_ASSOC)
+                                continue;
+                        if (memcmp(mgmt->bssid, wk->filter_ta, ETH_ALEN))
+                                continue;
+                        if (memcmp(mgmt->sa, wk->filter_ta, ETH_ALEN))
+                                continue;
+                        /*
+                         * Printing the message only here means we can't
+                         * spuriously print it, but it also means that it
+                         * won't be printed when the frame comes in before
+                         * we even tried to associate or in similar cases.
+                         *
+                         * Ultimately, I suspect cfg80211 should print the
+                         * messages instead.
+                         */
+                        printk(KERN_DEBUG
+                               "%s: deauthenticated from %pM (Reason: %u)\n",
+                               sdata->name, mgmt->bssid,
+                               le16_to_cpu(mgmt->u.deauth.reason_code));
+                        list_del_rcu(&wk->list);
+                        free_work(wk);
+                        break;
+                }
+                mutex_unlock(&local->work_mtx);
+                cfg80211_send_deauth(sdata->dev, (u8 *)mgmt, skb->len);
+        }
 out:
        kfree_skb(skb);
 }
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 6e2a7bcd8cb8..be9abc2e6348 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -1818,17 +1818,26 @@ ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx, struct sk_buff_head *frames)
                return RX_CONTINUE;
        if (ieee80211_is_back_req(bar->frame_control)) {
+                struct {
+                        __le16 control, start_seq_num;
+                } __packed bar_data;
                if (!rx->sta)
                        return RX_DROP_MONITOR;
+                if (skb_copy_bits(skb, offsetof(struct ieee80211_bar, control),
+                                  &bar_data, sizeof(bar_data)))
+                        return RX_DROP_MONITOR;
                spin_lock(&rx->sta->lock);
-                tid = le16_to_cpu(bar->control) >> 12;
+                tid = le16_to_cpu(bar_data.control) >> 12;
                if (!rx->sta->ampdu_mlme.tid_active_rx[tid]) {
                        spin_unlock(&rx->sta->lock);
                        return RX_DROP_MONITOR;
                }
                tid_agg_rx = rx->sta->ampdu_mlme.tid_rx[tid];
-                start_seq_num = le16_to_cpu(bar->start_seq_num) >> 4;
+                start_seq_num = le16_to_cpu(bar_data.start_seq_num) >> 4;
                /* reset session timer */
                if (tid_agg_rx->timeout)
@@ -1935,6 +1944,9 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
                if (len < IEEE80211_MIN_ACTION_SIZE + 1)
                        break;
+                if (sdata->vif.type == NL80211_IFTYPE_STATION)
+                        return ieee80211_sta_rx_mgmt(sdata, rx->skb);
                switch (mgmt->u.action.u.addba_req.action_code) {
                case WLAN_ACTION_ADDBA_REQ:
                        if (len < (IEEE80211_MIN_ACTION_SIZE +

diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c index c163d0a149f4..98258b7341e3 100644 --- a/net/mac80211/agg-tx.c +++ b/net/mac80211/agg-tx.c
@@ -332,14 +332,16 @@ int ieee80211_start_tx_ba_session(struct ieee80211_sta *pubsta, u16 tid)
332	IEEE80211_QUEUE_STOP_REASON_AGGREGATION);	332	IEEE80211_QUEUE_STOP_REASON_AGGREGATION);
333		333
334	spin_unlock(&local->ampdu_lock);	334	spin_unlock(&local->ampdu_lock);
335	spin_unlock_bh(&sta->lock);
336		335
337	/* send an addBA request */	336	/* prepare tid data */
338	sta->ampdu_mlme.dialog_token_allocator++;	337	sta->ampdu_mlme.dialog_token_allocator++;
339	sta->ampdu_mlme.tid_tx[tid]->dialog_token =	338	sta->ampdu_mlme.tid_tx[tid]->dialog_token =
340	sta->ampdu_mlme.dialog_token_allocator;	339	sta->ampdu_mlme.dialog_token_allocator;
341	sta->ampdu_mlme.tid_tx[tid]->ssn = start_seq_num;	340	sta->ampdu_mlme.tid_tx[tid]->ssn = start_seq_num;
342		341
		342	spin_unlock_bh(&sta->lock);
		343
		344	/* send AddBA request */
343	ieee80211_send_addba_request(sdata, pubsta->addr, tid,	345	ieee80211_send_addba_request(sdata, pubsta->addr, tid,
344	sta->ampdu_mlme.tid_tx[tid]->dialog_token,	346	sta->ampdu_mlme.tid_tx[tid]->dialog_token,
345	sta->ampdu_mlme.tid_tx[tid]->ssn,	347	sta->ampdu_mlme.tid_tx[tid]->ssn,


diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c index 5d218c530a4e..32be11e4c4d9 100644 --- a/net/mac80211/chan.c +++ b/net/mac80211/chan.c
@@ -5,7 +5,7 @@
5	#include <linux/nl80211.h>	5	#include <linux/nl80211.h>
6	#include "ieee80211_i.h"	6	#include "ieee80211_i.h"
7		7
8	enum ieee80211_chan_mode	8	static enum ieee80211_chan_mode
9	__ieee80211_get_channel_mode(struct ieee80211_local *local,	9	__ieee80211_get_channel_mode(struct ieee80211_local *local,
10	struct ieee80211_sub_if_data *ignore)	10	struct ieee80211_sub_if_data *ignore)
11	{	11	{


diff --git a/net/mac80211/driver-ops.h b/net/mac80211/driver-ops.h index 4f2271316650..9c1da0809160 100644 --- a/net/mac80211/driver-ops.h +++ b/net/mac80211/driver-ops.h
@@ -349,7 +349,7 @@ static inline int drv_get_survey(struct ieee80211_local *local, int idx,
349	struct survey_info *survey)	349	struct survey_info *survey)
350	{	350	{
351	int ret = -EOPNOTSUPP;	351	int ret = -EOPNOTSUPP;
352	if (local->ops->conf_tx)	352	if (local->ops->get_survey)
353	ret = local->ops->get_survey(&local->hw, idx, survey);	353	ret = local->ops->get_survey(&local->hw, idx, survey);
354	/* trace_drv_get_survey(local, idx, survey, ret); */	354	/* trace_drv_get_survey(local, idx, survey, ret); */
355	return ret;	355	return ret;


diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index 0839c4e8fd2e..f803f8b72a93 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c
@@ -1692,14 +1692,52 @@ static void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
1692	rma = ieee80211_rx_mgmt_disassoc(sdata, mgmt, skb->len);	1692	rma = ieee80211_rx_mgmt_disassoc(sdata, mgmt, skb->len);
1693	break;	1693	break;
1694	case IEEE80211_STYPE_ACTION:	1694	case IEEE80211_STYPE_ACTION:
1695	if (mgmt->u.action.category != WLAN_CATEGORY_SPECTRUM_MGMT)	1695	switch (mgmt->u.action.category) {
		1696	case WLAN_CATEGORY_BACK: {
		1697	struct ieee80211_local *local = sdata->local;
		1698	int len = skb->len;
		1699	struct sta_info *sta;
		1700
		1701	rcu_read_lock();
		1702	sta = sta_info_get(sdata, mgmt->sa);
		1703	if (!sta) {
		1704	rcu_read_unlock();
		1705	break;
		1706	}
		1707
		1708	local_bh_disable();
		1709
		1710	switch (mgmt->u.action.u.addba_req.action_code) {
		1711	case WLAN_ACTION_ADDBA_REQ:
		1712	if (len < (IEEE80211_MIN_ACTION_SIZE +
		1713	sizeof(mgmt->u.action.u.addba_req)))
		1714	break;
		1715	ieee80211_process_addba_request(local, sta, mgmt, len);
		1716	break;
		1717	case WLAN_ACTION_ADDBA_RESP:
		1718	if (len < (IEEE80211_MIN_ACTION_SIZE +
		1719	sizeof(mgmt->u.action.u.addba_resp)))
		1720	break;
		1721	ieee80211_process_addba_resp(local, sta, mgmt, len);
		1722	break;
		1723	case WLAN_ACTION_DELBA:
		1724	if (len < (IEEE80211_MIN_ACTION_SIZE +
		1725	sizeof(mgmt->u.action.u.delba)))
		1726	break;
		1727	ieee80211_process_delba(sdata, sta, mgmt, len);
		1728	break;
		1729	}
		1730	local_bh_enable();
		1731	rcu_read_unlock();
1696	break;	1732	break;
1697		1733	}
1698	ieee80211_sta_process_chanswitch(sdata,	1734	case WLAN_CATEGORY_SPECTRUM_MGMT:
1699	&mgmt->u.action.u.chan_switch.sw_elem,	1735	ieee80211_sta_process_chanswitch(sdata,
1700	(void *)ifmgd->associated->priv,	1736	&mgmt->u.action.u.chan_switch.sw_elem,
1701	rx_status->mactime);	1737	(void *)ifmgd->associated->priv,
1702	break;	1738	rx_status->mactime);
		1739	break;
		1740	}
1703	}	1741	}
1704	mutex_unlock(&ifmgd->mtx);	1742	mutex_unlock(&ifmgd->mtx);
1705		1743
@@ -1722,9 +1760,45 @@ static void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
1722	mutex_unlock(&ifmgd->mtx);	1760	mutex_unlock(&ifmgd->mtx);
1723		1761
1724	if (skb->len >= 24 + 2 /* mgmt + deauth reason */ &&	1762	if (skb->len >= 24 + 2 /* mgmt + deauth reason */ &&
1725	(fc & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_DEAUTH)	1763	(fc & IEEE80211_FCTL_STYPE) == IEEE80211_STYPE_DEAUTH) {
1726	cfg80211_send_deauth(sdata->dev, (u8 *)mgmt, skb->len);	1764	struct ieee80211_local *local = sdata->local;
		1765	struct ieee80211_work *wk;
		1766
		1767	mutex_lock(&local->work_mtx);
		1768	list_for_each_entry(wk, &local->work_list, list) {
		1769	if (wk->sdata != sdata)
		1770	continue;
		1771
		1772	if (wk->type != IEEE80211_WORK_ASSOC)
		1773	continue;
		1774
		1775	if (memcmp(mgmt->bssid, wk->filter_ta, ETH_ALEN))
		1776	continue;
		1777	if (memcmp(mgmt->sa, wk->filter_ta, ETH_ALEN))
		1778	continue;
1727		1779
		1780	/*
		1781	* Printing the message only here means we can't
		1782	* spuriously print it, but it also means that it
		1783	* won't be printed when the frame comes in before
		1784	* we even tried to associate or in similar cases.
		1785	*
		1786	* Ultimately, I suspect cfg80211 should print the
		1787	* messages instead.
		1788	*/
		1789	printk(KERN_DEBUG
		1790	"%s: deauthenticated from %pM (Reason: %u)\n",
		1791	sdata->name, mgmt->bssid,
		1792	le16_to_cpu(mgmt->u.deauth.reason_code));
		1793
		1794	list_del_rcu(&wk->list);
		1795	free_work(wk);
		1796	break;
		1797	}
		1798	mutex_unlock(&local->work_mtx);
		1799
		1800	cfg80211_send_deauth(sdata->dev, (u8 *)mgmt, skb->len);
		1801	}
1728	out:	1802	out:
1729	kfree_skb(skb);	1803	kfree_skb(skb);
1730	}	1804	}


diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 6e2a7bcd8cb8..be9abc2e6348 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c
@@ -1818,17 +1818,26 @@ ieee80211_rx_h_ctrl(struct ieee80211_rx_data rx, struct sk_buff_head frames)
1818	return RX_CONTINUE;	1818	return RX_CONTINUE;
1819		1819
1820	if (ieee80211_is_back_req(bar->frame_control)) {	1820	if (ieee80211_is_back_req(bar->frame_control)) {
		1821	struct {
		1822	__le16 control, start_seq_num;
		1823	} __packed bar_data;
		1824
1821	if (!rx->sta)	1825	if (!rx->sta)
1822	return RX_DROP_MONITOR;	1826	return RX_DROP_MONITOR;
		1827
		1828	if (skb_copy_bits(skb, offsetof(struct ieee80211_bar, control),
		1829	&bar_data, sizeof(bar_data)))
		1830	return RX_DROP_MONITOR;
		1831
1823	spin_lock(&rx->sta->lock);	1832	spin_lock(&rx->sta->lock);
1824	tid = le16_to_cpu(bar->control) >> 12;	1833	tid = le16_to_cpu(bar_data.control) >> 12;
1825	if (!rx->sta->ampdu_mlme.tid_active_rx[tid]) {	1834	if (!rx->sta->ampdu_mlme.tid_active_rx[tid]) {
1826	spin_unlock(&rx->sta->lock);	1835	spin_unlock(&rx->sta->lock);
1827	return RX_DROP_MONITOR;	1836	return RX_DROP_MONITOR;
1828	}	1837	}
1829	tid_agg_rx = rx->sta->ampdu_mlme.tid_rx[tid];	1838	tid_agg_rx = rx->sta->ampdu_mlme.tid_rx[tid];
1830		1839
1831	start_seq_num = le16_to_cpu(bar->start_seq_num) >> 4;	1840	start_seq_num = le16_to_cpu(bar_data.start_seq_num) >> 4;
1832		1841
1833	/* reset session timer */	1842	/* reset session timer */
1834	if (tid_agg_rx->timeout)	1843	if (tid_agg_rx->timeout)
@@ -1935,6 +1944,9 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
1935	if (len < IEEE80211_MIN_ACTION_SIZE + 1)	1944	if (len < IEEE80211_MIN_ACTION_SIZE + 1)
1936	break;	1945	break;
1937		1946
		1947	if (sdata->vif.type == NL80211_IFTYPE_STATION)
		1948	return ieee80211_sta_rx_mgmt(sdata, rx->skb);
		1949
1938	switch (mgmt->u.action.u.addba_req.action_code) {	1950	switch (mgmt->u.action.u.addba_req.action_code) {
1939	case WLAN_ACTION_ADDBA_REQ:	1951	case WLAN_ACTION_ADDBA_REQ:
1940	if (len < (IEEE80211_MIN_ACTION_SIZE +	1952	if (len < (IEEE80211_MIN_ACTION_SIZE +