aboutsummaryrefslogtreecommitdiffstats
path: root/net/mac80211
diff options
context:
space:
mode:
Diffstat (limited to 'net/mac80211')
-rw-r--r--net/mac80211/cfg.c3
-rw-r--r--net/mac80211/ibss.c10
-rw-r--r--net/mac80211/ieee80211_i.h2
-rw-r--r--net/mac80211/iface.c2
-rw-r--r--net/mac80211/main.c6
-rw-r--r--net/mac80211/mlme.c35
-rw-r--r--net/mac80211/rx.c74
-rw-r--r--net/mac80211/scan.c2
-rw-r--r--net/mac80211/sta_info.c15
-rw-r--r--net/mac80211/status.c9
-rw-r--r--net/mac80211/tx.c9
-rw-r--r--net/mac80211/util.c48
-rw-r--r--net/mac80211/wpa.c14
13 files changed, 169 insertions, 60 deletions
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index 05f3a313db88..7371f676cf41 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -2594,6 +2594,9 @@ static void ieee80211_mgmt_frame_register(struct wiphy *wiphy,
2594 else 2594 else
2595 local->probe_req_reg--; 2595 local->probe_req_reg--;
2596 2596
2597 if (!local->open_count)
2598 break;
2599
2597 ieee80211_queue_work(&local->hw, &local->reconfig_filter); 2600 ieee80211_queue_work(&local->hw, &local->reconfig_filter);
2598 break; 2601 break;
2599 default: 2602 default:
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index 5f3620f0bc0a..c21e33d1abd0 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -1108,7 +1108,7 @@ int ieee80211_ibss_join(struct ieee80211_sub_if_data *sdata,
1108 sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH; 1108 sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH;
1109 sdata->u.ibss.ibss_join_req = jiffies; 1109 sdata->u.ibss.ibss_join_req = jiffies;
1110 1110
1111 memcpy(sdata->u.ibss.ssid, params->ssid, IEEE80211_MAX_SSID_LEN); 1111 memcpy(sdata->u.ibss.ssid, params->ssid, params->ssid_len);
1112 sdata->u.ibss.ssid_len = params->ssid_len; 1112 sdata->u.ibss.ssid_len = params->ssid_len;
1113 1113
1114 mutex_unlock(&sdata->u.ibss.mtx); 1114 mutex_unlock(&sdata->u.ibss.mtx);
@@ -1151,10 +1151,6 @@ int ieee80211_ibss_leave(struct ieee80211_sub_if_data *sdata)
1151 1151
1152 mutex_lock(&sdata->u.ibss.mtx); 1152 mutex_lock(&sdata->u.ibss.mtx);
1153 1153
1154 sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH;
1155 memset(sdata->u.ibss.bssid, 0, ETH_ALEN);
1156 sdata->u.ibss.ssid_len = 0;
1157
1158 active_ibss = ieee80211_sta_active_ibss(sdata); 1154 active_ibss = ieee80211_sta_active_ibss(sdata);
1159 1155
1160 if (!active_ibss && !is_zero_ether_addr(ifibss->bssid)) { 1156 if (!active_ibss && !is_zero_ether_addr(ifibss->bssid)) {
@@ -1175,6 +1171,10 @@ int ieee80211_ibss_leave(struct ieee80211_sub_if_data *sdata)
1175 } 1171 }
1176 } 1172 }
1177 1173
1174 ifibss->state = IEEE80211_IBSS_MLME_SEARCH;
1175 memset(ifibss->bssid, 0, ETH_ALEN);
1176 ifibss->ssid_len = 0;
1177
1178 sta_info_flush(sdata->local, sdata); 1178 sta_info_flush(sdata->local, sdata);
1179 1179
1180 spin_lock_bh(&ifibss->incomplete_lock); 1180 spin_lock_bh(&ifibss->incomplete_lock);
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index 8c804550465b..156e5835e37f 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -1314,6 +1314,8 @@ netdev_tx_t ieee80211_monitor_start_xmit(struct sk_buff *skb,
1314 struct net_device *dev); 1314 struct net_device *dev);
1315netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb, 1315netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
1316 struct net_device *dev); 1316 struct net_device *dev);
1317void ieee80211_purge_tx_queue(struct ieee80211_hw *hw,
1318 struct sk_buff_head *skbs);
1317 1319
1318/* HT */ 1320/* HT */
1319void ieee80211_apply_htcap_overrides(struct ieee80211_sub_if_data *sdata, 1321void ieee80211_apply_htcap_overrides(struct ieee80211_sub_if_data *sdata,
diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
index 6f8a73c64fb3..7de7717ad67d 100644
--- a/net/mac80211/iface.c
+++ b/net/mac80211/iface.c
@@ -853,7 +853,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata,
853 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); 853 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
854 if (info->control.vif == &sdata->vif) { 854 if (info->control.vif == &sdata->vif) {
855 __skb_unlink(skb, &local->pending[i]); 855 __skb_unlink(skb, &local->pending[i]);
856 dev_kfree_skb_irq(skb); 856 ieee80211_free_txskb(&local->hw, skb);
857 } 857 }
858 } 858 }
859 } 859 }
diff --git a/net/mac80211/main.c b/net/mac80211/main.c
index c80c4490351c..f57f597972f8 100644
--- a/net/mac80211/main.c
+++ b/net/mac80211/main.c
@@ -871,8 +871,10 @@ int ieee80211_register_hw(struct ieee80211_hw *hw)
871 local->hw.wiphy->cipher_suites, 871 local->hw.wiphy->cipher_suites,
872 sizeof(u32) * local->hw.wiphy->n_cipher_suites, 872 sizeof(u32) * local->hw.wiphy->n_cipher_suites,
873 GFP_KERNEL); 873 GFP_KERNEL);
874 if (!suites) 874 if (!suites) {
875 return -ENOMEM; 875 result = -ENOMEM;
876 goto fail_wiphy_register;
877 }
876 for (r = 0; r < local->hw.wiphy->n_cipher_suites; r++) { 878 for (r = 0; r < local->hw.wiphy->n_cipher_suites; r++) {
877 u32 suite = local->hw.wiphy->cipher_suites[r]; 879 u32 suite = local->hw.wiphy->cipher_suites[r];
878 if (suite == WLAN_CIPHER_SUITE_WEP40 || 880 if (suite == WLAN_CIPHER_SUITE_WEP40 ||
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index e714ed8bb198..1b7eed252fe9 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -3099,22 +3099,32 @@ static int ieee80211_prep_channel(struct ieee80211_sub_if_data *sdata,
3099 ht_cfreq, ht_oper->primary_chan, 3099 ht_cfreq, ht_oper->primary_chan,
3100 cbss->channel->band); 3100 cbss->channel->band);
3101 ht_oper = NULL; 3101 ht_oper = NULL;
3102 } else {
3103 channel_type = NL80211_CHAN_HT20;
3102 } 3104 }
3103 } 3105 }
3104 3106
3105 if (ht_oper) { 3107 if (ht_oper && sband->ht_cap.cap & IEEE80211_HT_CAP_SUP_WIDTH_20_40) {
3106 channel_type = NL80211_CHAN_HT20; 3108 /*
3109 * cfg80211 already verified that the channel itself can
3110 * be used, but it didn't check that we can do the right
3111 * HT type, so do that here as well. If HT40 isn't allowed
3112 * on this channel, disable 40 MHz operation.
3113 */
3107 3114
3108 if (sband->ht_cap.cap & IEEE80211_HT_CAP_SUP_WIDTH_20_40) { 3115 switch (ht_oper->ht_param & IEEE80211_HT_PARAM_CHA_SEC_OFFSET) {
3109 switch (ht_oper->ht_param & 3116 case IEEE80211_HT_PARAM_CHA_SEC_ABOVE:
3110 IEEE80211_HT_PARAM_CHA_SEC_OFFSET) { 3117 if (cbss->channel->flags & IEEE80211_CHAN_NO_HT40PLUS)
3111 case IEEE80211_HT_PARAM_CHA_SEC_ABOVE: 3118 ifmgd->flags |= IEEE80211_STA_DISABLE_40MHZ;
3119 else
3112 channel_type = NL80211_CHAN_HT40PLUS; 3120 channel_type = NL80211_CHAN_HT40PLUS;
3113 break; 3121 break;
3114 case IEEE80211_HT_PARAM_CHA_SEC_BELOW: 3122 case IEEE80211_HT_PARAM_CHA_SEC_BELOW:
3123 if (cbss->channel->flags & IEEE80211_CHAN_NO_HT40MINUS)
3124 ifmgd->flags |= IEEE80211_STA_DISABLE_40MHZ;
3125 else
3115 channel_type = NL80211_CHAN_HT40MINUS; 3126 channel_type = NL80211_CHAN_HT40MINUS;
3116 break; 3127 break;
3117 }
3118 } 3128 }
3119 } 3129 }
3120 3130
@@ -3549,6 +3559,7 @@ int ieee80211_mgd_deauth(struct ieee80211_sub_if_data *sdata,
3549{ 3559{
3550 struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; 3560 struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
3551 u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN]; 3561 u8 frame_buf[IEEE80211_DEAUTH_FRAME_LEN];
3562 bool tx = !req->local_state_change;
3552 3563
3553 mutex_lock(&ifmgd->mtx); 3564 mutex_lock(&ifmgd->mtx);
3554 3565
@@ -3565,12 +3576,12 @@ int ieee80211_mgd_deauth(struct ieee80211_sub_if_data *sdata,
3565 if (ifmgd->associated && 3576 if (ifmgd->associated &&
3566 ether_addr_equal(ifmgd->associated->bssid, req->bssid)) { 3577 ether_addr_equal(ifmgd->associated->bssid, req->bssid)) {
3567 ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH, 3578 ieee80211_set_disassoc(sdata, IEEE80211_STYPE_DEAUTH,
3568 req->reason_code, true, frame_buf); 3579 req->reason_code, tx, frame_buf);
3569 } else { 3580 } else {
3570 drv_mgd_prepare_tx(sdata->local, sdata); 3581 drv_mgd_prepare_tx(sdata->local, sdata);
3571 ieee80211_send_deauth_disassoc(sdata, req->bssid, 3582 ieee80211_send_deauth_disassoc(sdata, req->bssid,
3572 IEEE80211_STYPE_DEAUTH, 3583 IEEE80211_STYPE_DEAUTH,
3573 req->reason_code, true, 3584 req->reason_code, tx,
3574 frame_buf); 3585 frame_buf);
3575 } 3586 }
3576 3587
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 61c621e9273f..00ade7feb2e3 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -531,6 +531,11 @@ ieee80211_rx_mesh_check(struct ieee80211_rx_data *rx)
531 531
532 if (ieee80211_is_action(hdr->frame_control)) { 532 if (ieee80211_is_action(hdr->frame_control)) {
533 u8 category; 533 u8 category;
534
535 /* make sure category field is present */
536 if (rx->skb->len < IEEE80211_MIN_ACTION_SIZE)
537 return RX_DROP_MONITOR;
538
534 mgmt = (struct ieee80211_mgmt *)hdr; 539 mgmt = (struct ieee80211_mgmt *)hdr;
535 category = mgmt->u.action.category; 540 category = mgmt->u.action.category;
536 if (category != WLAN_CATEGORY_MESH_ACTION && 541 if (category != WLAN_CATEGORY_MESH_ACTION &&
@@ -883,14 +888,16 @@ ieee80211_rx_h_check(struct ieee80211_rx_data *rx)
883 */ 888 */
884 if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION && 889 if (rx->sta && rx->sdata->vif.type == NL80211_IFTYPE_STATION &&
885 ieee80211_is_data_present(hdr->frame_control)) { 890 ieee80211_is_data_present(hdr->frame_control)) {
886 u16 ethertype; 891 unsigned int hdrlen;
887 u8 *payload; 892 __be16 ethertype;
888 893
889 payload = rx->skb->data + 894 hdrlen = ieee80211_hdrlen(hdr->frame_control);
890 ieee80211_hdrlen(hdr->frame_control); 895
891 ethertype = (payload[6] << 8) | payload[7]; 896 if (rx->skb->len < hdrlen + 8)
892 if (cpu_to_be16(ethertype) == 897 return RX_DROP_MONITOR;
893 rx->sdata->control_port_protocol) 898
899 skb_copy_bits(rx->skb, hdrlen + 6, &ethertype, 2);
900 if (ethertype == rx->sdata->control_port_protocol)
894 return RX_CONTINUE; 901 return RX_CONTINUE;
895 } 902 }
896 903
@@ -1462,11 +1469,14 @@ ieee80211_rx_h_defragment(struct ieee80211_rx_data *rx)
1462 1469
1463 hdr = (struct ieee80211_hdr *)rx->skb->data; 1470 hdr = (struct ieee80211_hdr *)rx->skb->data;
1464 fc = hdr->frame_control; 1471 fc = hdr->frame_control;
1472
1473 if (ieee80211_is_ctl(fc))
1474 return RX_CONTINUE;
1475
1465 sc = le16_to_cpu(hdr->seq_ctrl); 1476 sc = le16_to_cpu(hdr->seq_ctrl);
1466 frag = sc & IEEE80211_SCTL_FRAG; 1477 frag = sc & IEEE80211_SCTL_FRAG;
1467 1478
1468 if (likely((!ieee80211_has_morefrags(fc) && frag == 0) || 1479 if (likely((!ieee80211_has_morefrags(fc) && frag == 0) ||
1469 (rx->skb)->len < 24 ||
1470 is_multicast_ether_addr(hdr->addr1))) { 1480 is_multicast_ether_addr(hdr->addr1))) {
1471 /* not fragmented */ 1481 /* not fragmented */
1472 goto out; 1482 goto out;
@@ -1889,6 +1899,20 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
1889 1899
1890 hdr = (struct ieee80211_hdr *) skb->data; 1900 hdr = (struct ieee80211_hdr *) skb->data;
1891 hdrlen = ieee80211_hdrlen(hdr->frame_control); 1901 hdrlen = ieee80211_hdrlen(hdr->frame_control);
1902
1903 /* make sure fixed part of mesh header is there, also checks skb len */
1904 if (!pskb_may_pull(rx->skb, hdrlen + 6))
1905 return RX_DROP_MONITOR;
1906
1907 mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
1908
1909 /* make sure full mesh header is there, also checks skb len */
1910 if (!pskb_may_pull(rx->skb,
1911 hdrlen + ieee80211_get_mesh_hdrlen(mesh_hdr)))
1912 return RX_DROP_MONITOR;
1913
1914 /* reload pointers */
1915 hdr = (struct ieee80211_hdr *) skb->data;
1892 mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen); 1916 mesh_hdr = (struct ieee80211s_hdr *) (skb->data + hdrlen);
1893 1917
1894 /* frame is in RMC, don't forward */ 1918 /* frame is in RMC, don't forward */
@@ -1897,7 +1921,8 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
1897 mesh_rmc_check(hdr->addr3, mesh_hdr, rx->sdata)) 1921 mesh_rmc_check(hdr->addr3, mesh_hdr, rx->sdata))
1898 return RX_DROP_MONITOR; 1922 return RX_DROP_MONITOR;
1899 1923
1900 if (!ieee80211_is_data(hdr->frame_control)) 1924 if (!ieee80211_is_data(hdr->frame_control) ||
1925 !(status->rx_flags & IEEE80211_RX_RA_MATCH))
1901 return RX_CONTINUE; 1926 return RX_CONTINUE;
1902 1927
1903 if (!mesh_hdr->ttl) 1928 if (!mesh_hdr->ttl)
@@ -1911,9 +1936,12 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
1911 if (is_multicast_ether_addr(hdr->addr1)) { 1936 if (is_multicast_ether_addr(hdr->addr1)) {
1912 mpp_addr = hdr->addr3; 1937 mpp_addr = hdr->addr3;
1913 proxied_addr = mesh_hdr->eaddr1; 1938 proxied_addr = mesh_hdr->eaddr1;
1914 } else { 1939 } else if (mesh_hdr->flags & MESH_FLAGS_AE_A5_A6) {
1940 /* has_a4 already checked in ieee80211_rx_mesh_check */
1915 mpp_addr = hdr->addr4; 1941 mpp_addr = hdr->addr4;
1916 proxied_addr = mesh_hdr->eaddr2; 1942 proxied_addr = mesh_hdr->eaddr2;
1943 } else {
1944 return RX_DROP_MONITOR;
1917 } 1945 }
1918 1946
1919 rcu_read_lock(); 1947 rcu_read_lock();
@@ -1941,12 +1969,9 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx)
1941 } 1969 }
1942 skb_set_queue_mapping(skb, q); 1970 skb_set_queue_mapping(skb, q);
1943 1971
1944 if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
1945 goto out;
1946
1947 if (!--mesh_hdr->ttl) { 1972 if (!--mesh_hdr->ttl) {
1948 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl); 1973 IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl);
1949 return RX_DROP_MONITOR; 1974 goto out;
1950 } 1975 }
1951 1976
1952 if (!ifmsh->mshcfg.dot11MeshForwarding) 1977 if (!ifmsh->mshcfg.dot11MeshForwarding)
@@ -2353,6 +2378,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
2353 } 2378 }
2354 break; 2379 break;
2355 case WLAN_CATEGORY_SELF_PROTECTED: 2380 case WLAN_CATEGORY_SELF_PROTECTED:
2381 if (len < (IEEE80211_MIN_ACTION_SIZE +
2382 sizeof(mgmt->u.action.u.self_prot.action_code)))
2383 break;
2384
2356 switch (mgmt->u.action.u.self_prot.action_code) { 2385 switch (mgmt->u.action.u.self_prot.action_code) {
2357 case WLAN_SP_MESH_PEERING_OPEN: 2386 case WLAN_SP_MESH_PEERING_OPEN:
2358 case WLAN_SP_MESH_PEERING_CLOSE: 2387 case WLAN_SP_MESH_PEERING_CLOSE:
@@ -2371,6 +2400,10 @@ ieee80211_rx_h_action(struct ieee80211_rx_data *rx)
2371 } 2400 }
2372 break; 2401 break;
2373 case WLAN_CATEGORY_MESH_ACTION: 2402 case WLAN_CATEGORY_MESH_ACTION:
2403 if (len < (IEEE80211_MIN_ACTION_SIZE +
2404 sizeof(mgmt->u.action.u.mesh_action.action_code)))
2405 break;
2406
2374 if (!ieee80211_vif_is_mesh(&sdata->vif)) 2407 if (!ieee80211_vif_is_mesh(&sdata->vif))
2375 break; 2408 break;
2376 if (mesh_action_is_path_sel(mgmt) && 2409 if (mesh_action_is_path_sel(mgmt) &&
@@ -2913,10 +2946,15 @@ static void __ieee80211_rx_handle_packet(struct ieee80211_hw *hw,
2913 if (ieee80211_is_data(fc) || ieee80211_is_mgmt(fc)) 2946 if (ieee80211_is_data(fc) || ieee80211_is_mgmt(fc))
2914 local->dot11ReceivedFragmentCount++; 2947 local->dot11ReceivedFragmentCount++;
2915 2948
2916 if (ieee80211_is_mgmt(fc)) 2949 if (ieee80211_is_mgmt(fc)) {
2917 err = skb_linearize(skb); 2950 /* drop frame if too short for header */
2918 else 2951 if (skb->len < ieee80211_hdrlen(fc))
2952 err = -ENOBUFS;
2953 else
2954 err = skb_linearize(skb);
2955 } else {
2919 err = !pskb_may_pull(skb, ieee80211_hdrlen(fc)); 2956 err = !pskb_may_pull(skb, ieee80211_hdrlen(fc));
2957 }
2920 2958
2921 if (err) { 2959 if (err) {
2922 dev_kfree_skb(skb); 2960 dev_kfree_skb(skb);
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index c4cdbde24fd3..43e60b5a7546 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -917,7 +917,7 @@ int ieee80211_request_sched_scan_start(struct ieee80211_sub_if_data *sdata,
917 struct cfg80211_sched_scan_request *req) 917 struct cfg80211_sched_scan_request *req)
918{ 918{
919 struct ieee80211_local *local = sdata->local; 919 struct ieee80211_local *local = sdata->local;
920 struct ieee80211_sched_scan_ies sched_scan_ies; 920 struct ieee80211_sched_scan_ies sched_scan_ies = {};
921 int ret, i; 921 int ret, i;
922 922
923 mutex_lock(&local->mtx); 923 mutex_lock(&local->mtx);
diff --git a/net/mac80211/sta_info.c b/net/mac80211/sta_info.c
index 797dd36a220d..d2eb64e12353 100644
--- a/net/mac80211/sta_info.c
+++ b/net/mac80211/sta_info.c
@@ -117,8 +117,8 @@ static void free_sta_work(struct work_struct *wk)
117 117
118 for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) { 118 for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
119 local->total_ps_buffered -= skb_queue_len(&sta->ps_tx_buf[ac]); 119 local->total_ps_buffered -= skb_queue_len(&sta->ps_tx_buf[ac]);
120 __skb_queue_purge(&sta->ps_tx_buf[ac]); 120 ieee80211_purge_tx_queue(&local->hw, &sta->ps_tx_buf[ac]);
121 __skb_queue_purge(&sta->tx_filtered[ac]); 121 ieee80211_purge_tx_queue(&local->hw, &sta->tx_filtered[ac]);
122 } 122 }
123 123
124#ifdef CONFIG_MAC80211_MESH 124#ifdef CONFIG_MAC80211_MESH
@@ -141,7 +141,7 @@ static void free_sta_work(struct work_struct *wk)
141 tid_tx = rcu_dereference_raw(sta->ampdu_mlme.tid_tx[i]); 141 tid_tx = rcu_dereference_raw(sta->ampdu_mlme.tid_tx[i]);
142 if (!tid_tx) 142 if (!tid_tx)
143 continue; 143 continue;
144 __skb_queue_purge(&tid_tx->pending); 144 ieee80211_purge_tx_queue(&local->hw, &tid_tx->pending);
145 kfree(tid_tx); 145 kfree(tid_tx);
146 } 146 }
147 147
@@ -650,7 +650,7 @@ static bool sta_info_cleanup_expire_buffered_ac(struct ieee80211_local *local,
650 */ 650 */
651 if (!skb) 651 if (!skb)
652 break; 652 break;
653 dev_kfree_skb(skb); 653 ieee80211_free_txskb(&local->hw, skb);
654 } 654 }
655 655
656 /* 656 /*
@@ -679,7 +679,7 @@ static bool sta_info_cleanup_expire_buffered_ac(struct ieee80211_local *local,
679 local->total_ps_buffered--; 679 local->total_ps_buffered--;
680 ps_dbg(sta->sdata, "Buffered frame expired (STA %pM)\n", 680 ps_dbg(sta->sdata, "Buffered frame expired (STA %pM)\n",
681 sta->sta.addr); 681 sta->sta.addr);
682 dev_kfree_skb(skb); 682 ieee80211_free_txskb(&local->hw, skb);
683 } 683 }
684 684
685 /* 685 /*
@@ -961,6 +961,7 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
961 struct ieee80211_local *local = sdata->local; 961 struct ieee80211_local *local = sdata->local;
962 struct sk_buff_head pending; 962 struct sk_buff_head pending;
963 int filtered = 0, buffered = 0, ac; 963 int filtered = 0, buffered = 0, ac;
964 unsigned long flags;
964 965
965 clear_sta_flag(sta, WLAN_STA_SP); 966 clear_sta_flag(sta, WLAN_STA_SP);
966 967
@@ -976,12 +977,16 @@ void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
976 for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) { 977 for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
977 int count = skb_queue_len(&pending), tmp; 978 int count = skb_queue_len(&pending), tmp;
978 979
980 spin_lock_irqsave(&sta->tx_filtered[ac].lock, flags);
979 skb_queue_splice_tail_init(&sta->tx_filtered[ac], &pending); 981 skb_queue_splice_tail_init(&sta->tx_filtered[ac], &pending);
982 spin_unlock_irqrestore(&sta->tx_filtered[ac].lock, flags);
980 tmp = skb_queue_len(&pending); 983 tmp = skb_queue_len(&pending);
981 filtered += tmp - count; 984 filtered += tmp - count;
982 count = tmp; 985 count = tmp;
983 986
987 spin_lock_irqsave(&sta->ps_tx_buf[ac].lock, flags);
984 skb_queue_splice_tail_init(&sta->ps_tx_buf[ac], &pending); 988 skb_queue_splice_tail_init(&sta->ps_tx_buf[ac], &pending);
989 spin_unlock_irqrestore(&sta->ps_tx_buf[ac].lock, flags);
985 tmp = skb_queue_len(&pending); 990 tmp = skb_queue_len(&pending);
986 buffered += tmp - count; 991 buffered += tmp - count;
987 } 992 }
diff --git a/net/mac80211/status.c b/net/mac80211/status.c
index 3af0cc4130f1..101eb88a2b78 100644
--- a/net/mac80211/status.c
+++ b/net/mac80211/status.c
@@ -668,3 +668,12 @@ void ieee80211_free_txskb(struct ieee80211_hw *hw, struct sk_buff *skb)
668 dev_kfree_skb_any(skb); 668 dev_kfree_skb_any(skb);
669} 669}
670EXPORT_SYMBOL(ieee80211_free_txskb); 670EXPORT_SYMBOL(ieee80211_free_txskb);
671
672void ieee80211_purge_tx_queue(struct ieee80211_hw *hw,
673 struct sk_buff_head *skbs)
674{
675 struct sk_buff *skb;
676
677 while ((skb = __skb_dequeue(skbs)))
678 ieee80211_free_txskb(hw, skb);
679}
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index c9bf83f36657..b858ebe41fda 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1358,7 +1358,7 @@ static int invoke_tx_handlers(struct ieee80211_tx_data *tx)
1358 if (tx->skb) 1358 if (tx->skb)
1359 ieee80211_free_txskb(&tx->local->hw, tx->skb); 1359 ieee80211_free_txskb(&tx->local->hw, tx->skb);
1360 else 1360 else
1361 __skb_queue_purge(&tx->skbs); 1361 ieee80211_purge_tx_queue(&tx->local->hw, &tx->skbs);
1362 return -1; 1362 return -1;
1363 } else if (unlikely(res == TX_QUEUED)) { 1363 } else if (unlikely(res == TX_QUEUED)) {
1364 I802_DEBUG_INC(tx->local->tx_handlers_queued); 1364 I802_DEBUG_INC(tx->local->tx_handlers_queued);
@@ -2120,10 +2120,13 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
2120 */ 2120 */
2121void ieee80211_clear_tx_pending(struct ieee80211_local *local) 2121void ieee80211_clear_tx_pending(struct ieee80211_local *local)
2122{ 2122{
2123 struct sk_buff *skb;
2123 int i; 2124 int i;
2124 2125
2125 for (i = 0; i < local->hw.queues; i++) 2126 for (i = 0; i < local->hw.queues; i++) {
2126 skb_queue_purge(&local->pending[i]); 2127 while ((skb = skb_dequeue(&local->pending[i])) != NULL)
2128 ieee80211_free_txskb(&local->hw, skb);
2129 }
2127} 2130}
2128 2131
2129/* 2132/*
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index 22ca35054dd0..0151ae33c4cd 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -406,7 +406,7 @@ void ieee80211_add_pending_skb(struct ieee80211_local *local,
406 int queue = info->hw_queue; 406 int queue = info->hw_queue;
407 407
408 if (WARN_ON(!info->control.vif)) { 408 if (WARN_ON(!info->control.vif)) {
409 kfree_skb(skb); 409 ieee80211_free_txskb(&local->hw, skb);
410 return; 410 return;
411 } 411 }
412 412
@@ -431,7 +431,7 @@ void ieee80211_add_pending_skbs_fn(struct ieee80211_local *local,
431 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); 431 struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
432 432
433 if (WARN_ON(!info->control.vif)) { 433 if (WARN_ON(!info->control.vif)) {
434 kfree_skb(skb); 434 ieee80211_free_txskb(&local->hw, skb);
435 continue; 435 continue;
436 } 436 }
437 437
@@ -643,13 +643,41 @@ u32 ieee802_11_parse_elems_crc(u8 *start, size_t len,
643 break; 643 break;
644 } 644 }
645 645
646 if (id != WLAN_EID_VENDOR_SPECIFIC && 646 switch (id) {
647 id != WLAN_EID_QUIET && 647 case WLAN_EID_SSID:
648 test_bit(id, seen_elems)) { 648 case WLAN_EID_SUPP_RATES:
649 elems->parse_error = true; 649 case WLAN_EID_FH_PARAMS:
650 left -= elen; 650 case WLAN_EID_DS_PARAMS:
651 pos += elen; 651 case WLAN_EID_CF_PARAMS:
652 continue; 652 case WLAN_EID_TIM:
653 case WLAN_EID_IBSS_PARAMS:
654 case WLAN_EID_CHALLENGE:
655 case WLAN_EID_RSN:
656 case WLAN_EID_ERP_INFO:
657 case WLAN_EID_EXT_SUPP_RATES:
658 case WLAN_EID_HT_CAPABILITY:
659 case WLAN_EID_HT_OPERATION:
660 case WLAN_EID_VHT_CAPABILITY:
661 case WLAN_EID_VHT_OPERATION:
662 case WLAN_EID_MESH_ID:
663 case WLAN_EID_MESH_CONFIG:
664 case WLAN_EID_PEER_MGMT:
665 case WLAN_EID_PREQ:
666 case WLAN_EID_PREP:
667 case WLAN_EID_PERR:
668 case WLAN_EID_RANN:
669 case WLAN_EID_CHANNEL_SWITCH:
670 case WLAN_EID_EXT_CHANSWITCH_ANN:
671 case WLAN_EID_COUNTRY:
672 case WLAN_EID_PWR_CONSTRAINT:
673 case WLAN_EID_TIMEOUT_INTERVAL:
674 if (test_bit(id, seen_elems)) {
675 elems->parse_error = true;
676 left -= elen;
677 pos += elen;
678 continue;
679 }
680 break;
653 } 681 }
654 682
655 if (calc_crc && id < 64 && (filter & (1ULL << id))) 683 if (calc_crc && id < 64 && (filter & (1ULL << id)))
@@ -1463,6 +1491,8 @@ int ieee80211_reconfig(struct ieee80211_local *local)
1463 list_for_each_entry(sdata, &local->interfaces, list) { 1491 list_for_each_entry(sdata, &local->interfaces, list) {
1464 if (sdata->vif.type != NL80211_IFTYPE_STATION) 1492 if (sdata->vif.type != NL80211_IFTYPE_STATION)
1465 continue; 1493 continue;
1494 if (!sdata->u.mgd.associated)
1495 continue;
1466 1496
1467 ieee80211_send_nullfunc(local, sdata, 0); 1497 ieee80211_send_nullfunc(local, sdata, 0);
1468 } 1498 }
diff --git a/net/mac80211/wpa.c b/net/mac80211/wpa.c
index bdb53aba888e..8bd2f5c6a56e 100644
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
@@ -106,7 +106,8 @@ ieee80211_rx_h_michael_mic_verify(struct ieee80211_rx_data *rx)
106 if (status->flag & RX_FLAG_MMIC_ERROR) 106 if (status->flag & RX_FLAG_MMIC_ERROR)
107 goto mic_fail; 107 goto mic_fail;
108 108
109 if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key) 109 if (!(status->flag & RX_FLAG_IV_STRIPPED) && rx->key &&
110 rx->key->conf.cipher == WLAN_CIPHER_SUITE_TKIP)
110 goto update_iv; 111 goto update_iv;
111 112
112 return RX_CONTINUE; 113 return RX_CONTINUE;
@@ -545,14 +546,19 @@ ieee80211_crypto_ccmp_decrypt(struct ieee80211_rx_data *rx)
545 546
546static void bip_aad(struct sk_buff *skb, u8 *aad) 547static void bip_aad(struct sk_buff *skb, u8 *aad)
547{ 548{
549 __le16 mask_fc;
550 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
551
548 /* BIP AAD: FC(masked) || A1 || A2 || A3 */ 552 /* BIP AAD: FC(masked) || A1 || A2 || A3 */
549 553
550 /* FC type/subtype */ 554 /* FC type/subtype */
551 aad[0] = skb->data[0];
552 /* Mask FC Retry, PwrMgt, MoreData flags to zero */ 555 /* Mask FC Retry, PwrMgt, MoreData flags to zero */
553 aad[1] = skb->data[1] & ~(BIT(4) | BIT(5) | BIT(6)); 556 mask_fc = hdr->frame_control;
557 mask_fc &= ~cpu_to_le16(IEEE80211_FCTL_RETRY | IEEE80211_FCTL_PM |
558 IEEE80211_FCTL_MOREDATA);
559 put_unaligned(mask_fc, (__le16 *) &aad[0]);
554 /* A1 || A2 || A3 */ 560 /* A1 || A2 || A3 */
555 memcpy(aad + 2, skb->data + 4, 3 * ETH_ALEN); 561 memcpy(aad + 2, &hdr->addr1, 3 * ETH_ALEN);
556} 562}
557 563
558 564
generated by cgit v1.2.2 (git 2.25.0) at 2025-03-01 16:00:15 -0500