aboutsummaryrefslogtreecommitdiffstats
path: root/net/mac80211
Commit message (Collapse)AuthorAge
* Merge branch 'master' of ↵John W. Linville2014-12-08
|\ | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless
| * mac80211: minstrel_ht: fix a crash in rate sortingFelix Fietkau2014-11-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The commit 5935839ad73583781b8bbe8d91412f6826e218a4 "mac80211: improve minstrel_ht rate sorting by throughput & probability" introduced a crash on rate sorting that occurs when the rate added to the sorting array is faster than all the previous rates. Due to an off-by-one error, it reads the rate index from tp_list[-1], which contains uninitialized stack garbage, and then uses the resulting index for accessing the group rate stats, leading to a crash if the garbage value is big enough. Cc: Thomas Huehn <thomas@net.t-labs.tu-berlin.de> Reported-by: Jouni Malinen <j@w1.fi> Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* | Merge git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-nextJohn W. Linville2014-12-04
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Johannes Berg <johannes@sipsolutions.net> says: "This time I have Felix's no-status rate control work, which will allow drivers to work better with rate control even if they don't have perfect status reporting. In addition to this, a small hwsim fix from Patrik, one of the regulatory patches from Arik, and a number of cleanups and fixes I did myself. Of note is a patch where I disable CFG80211_WEXT so that compatibility is no longer selectable - this is intended as a wake-up call for anyone who's still using it, and is still easily worked around (it's a one-line patch) before we fully remove the code as well in the future." Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | mac80211: add ieee80211_tx_status_noskbFelix Fietkau2014-11-28
| | | | | | | | | | | | | | | | | | | | | | | | This can be used by drivers that cannot reliably map tx status information onto specific skbs. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac0211: add a helper function for fixing up tx status ratesFelix Fietkau2014-11-28
| | | | | | | | | | | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: pass tx info to ieee80211_lost_packet instead of an skbFelix Fietkau2014-11-28
| | | | | | | | | | | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: minstrel_ht: switch to .tx_status_noskbFelix Fietkau2014-11-28
| | | | | | | | | | | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: minstrel: switch to .tx_status_noskbFelix Fietkau2014-11-28
| | | | | | | | | | | | | | | Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: add tx_status_noskb to rate_control_opsFelix Fietkau2014-11-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | This op works like .tx_status, except it does not need access to the skb. This will be used by drivers that cannot match tx status information to specific packets. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: minstrel_ht: move aggregation check to .get_rate()Felix Fietkau2014-11-28
| | | | | | | | | | | | | | | | | | | | | Preparation for adding a no-skb tx status path Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: add more missing checks for VHT tx ratesFelix Fietkau2014-11-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | Fixes a crash on attempting to calculate the frame duration for a VHT packet (which needs to be handled by hw/driver instead). Reported-by: Jouni Malinen <j@w1.fi> Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: copy chandef from AP vif to VLANsFelix Fietkau2014-11-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Instead of keeping track of all those special cases where VLAN interfaces have no bss_conf.chandef, just make sure they have the same as the AP interface they belong to. Among others, this fixes a crash getting a VLAN's channel from userspace since a NULL channel is returned as a good result (return value 0) for VLANs since the commit below. Cc: stable@vger.kernel.org [3.18 only] Fixes: c12bc4885f4b3 ("mac80211: return the vif's chandef in ieee80211_cfg_get_channel()") Signed-off-by: Felix Fietkau <nbd@openwrt.org> [rewrite commit log] Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | cfg80211: clean up beacon loss CQM eventJohannes Berg2014-11-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Having it as a sub-event for RSSI thresholds is very ugly, but luckily no userspace actually uses the events yet. Move the event to its own function call internally and to its own event attribute in nl80211. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: check if channels allow 80 MHz for VHT probe requestsJohannes Berg2014-11-25
| | | | | | | | | | | | | | | | | | | | | | | | | | | If there are no channels allowing 80 MHz to be used, then the station isn't really VHT capable even if the driver and device support it in general. In this case, exclude the VHT capability IE from probe request frames. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: disable 80+80/160 in VHT correctlyJohannes Berg2014-11-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The supported bandwidth field is a two-bit field, not a bitmap, so treat it accordingly when disabling 80+80 or 160 MHz. Note that we can only advertise "80+80 and 160" or "160", not "80+80" by itself, so disabling 160 also disables 80+80. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* | | Merge tag 'mac80211-next-for-john-2014-11-20' of ↵John W. Linville2014-11-20
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next Johannes Berg <johannes@sipsolutions.net> says: "It has been a while since my last pull request, so we accumulated another relatively large set of changes: * TDLS off-channel support set from Arik/Liad, with some support patches I did * custom regulatory fixes from Arik * minstrel VHT fix (and a small optimisation) from Felix * add back radiotap vendor namespace support (myself) * random MAC address scanning for cfg80211/mac80211/hwsim (myself) * CSA improvements (Luca) * WoWLAN Net Detect (wake on network found) support (Luca) * and lots of other smaller changes from many people" Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | mac80211: minstrel_ht: add a small optimization to minstrel_aggr_checkFelix Fietkau2014-11-19
| | | | | | | | | | | | | | | | | | | | | | | | Check the queue mapping earlier, skb->queue_mapping is more likely than skb->data to still be in d-cache. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: notify drivers on sta rate table changesJohannes Berg2014-11-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | This allows drivers with a firmware or chip-based rate lookup table to use the most recent default rate selection without having to get it from per-packet data or explicit ieee80211_get_tx_rate calls Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: skip legacy rate mask handling for VHT ratesFelix Fietkau2014-11-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | The rate mask code currently assumes that a rate is legacy if IEEE80211_TX_RC_MCS is not set. This might be the cause of bogus VHT rates being reported with minstrel_ht. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: don't allow 40MHz tx rates in case of 20MHz chandefEliad Peller2014-11-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When 20MHz chandef is used, 40MHz rates shouldn't be used (by the rate-control algorithm), even if the sta ht capabilities indicate support for it. Signed-off-by: Eliad Peller <eliadx.peller@intel.com> Singed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: allow drivers to support NL80211_SCAN_FLAG_RANDOM_ADDRJohannes Berg2014-11-19
| | | | | | | | | | | | | | | | | | | | | | | | Allow drivers to support NL80211_SCAN_FLAG_RANDOM_ADDR with software based scanning and generate a random MAC address for them for every scan request with the flag. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: rcu-ify scan and scheduled scan request pointersJohannes Berg2014-11-19
| | | | | | | | | | | | | | | | | | | | | | | | In order to use the scan and scheduled scan request pointers during RX to check for randomisation, make them accessible using RCU. Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: remove redundant checkEliad Peller2014-11-19
| | | | | | | | | | | | | | | | | | | | | | | | local->scan_req was tested in the previous line, so it can't be NULL. Signed-off-by: Eliad Peller <eliadx.peller@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: synchronously reserve TID per stationLiad Kaufman2014-11-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In TDLS (e.g., TDLS off-channel) there is a requirement for some drivers to supply an unused TID between the AP and the device to the FW, to allow sending PTI requests and to allow the FW to aggregate on a specific TID for better throughput. To ensure that the allocated TID is indeed unused, this patch introduces an API for blocking the driver from TXing on that TID. Signed-off-by: Liad Kaufman <liad.kaufman@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: add specific-queue flushing supportLiad Kaufman2014-11-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | If the HW supports IEEE80211_HW_QUEUE_CONTROL, allow flushing only specific queues rather than all of them. Signed-off-by: Liad Kaufman <liad.kaufman@intel.com> Signed-off-by: Arik Nemtsov <arik@wizery.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: add TDLS channel-switch Rx flowArik Nemtsov2014-11-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When receiving a TDLS channel switch request or response, parse the frame and call a new tdls_recv_channel_switch op in the low level driver with the parsed data. Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com> Signed-off-by: Arik Nemtsov <arik@wizery.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: introduce TDLS channel switch opsArik Nemtsov2014-11-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Implement the cfg80211 TDLS channel switch ops and introduce new mac80211 ones for low-level drivers. Verify low-level driver support for the new ops when using the relevant wiphy feature bit. Also verify the peer supports channel switching before passing the command down. Add a new STA flag to track the off-channel state with the TDLS peer and make sure to cancel the channel-switch if the peer STA is unexpectedly removed. Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com> Signed-off-by: Arik Nemtsov <arik@wizery.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: add parsing of TDLS specific IEsArik Nemtsov2014-11-19
| | | | | | | | | | | | | | | | | | | | | | | | These are used in TDLS channel switching code. Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com> Signed-off-by: Arik Nemtsov <arik@wizery.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: prepare TDLS mgmt code for channel-switch templatesArik Nemtsov2014-11-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Split the data-generating from the Tx-sending functionality, as we do not want to send templates to the lower driver. Also add an optional chandef argument to the data-generating portion. It will be used for channel-switch templates. Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com> Signed-off-by: Arik Nemtsov <arik@wizery.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: track AP and peer STA TDLS chan-switch supportArik Nemtsov2014-11-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The AP or peer can prohibit TDLS channel switch via a bit in the extended capabilities IE. Parse the IE and track this bit. Set an appropriate STA flag if both the AP and peer STA support TDLS channel-switching. Add the new STA flag and the missing TDLS_INITIATOR to debugfs. Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com> Signed-off-by: Arik Nemtsov <arik@wizery.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | cfg/mac80211: define TDLS channel switch feature bitArik Nemtsov2014-11-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Define some related TDLS protocol constants and advertise channel switch support in the extended-capabilities IE when the feature bit is defined. Actually supporting TDLS channel-switching also requires support for some new nl80211 commands, to be introduced by future patches. Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com> Signed-off-by: Arik Nemtsov <arik@wizery.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: add BSS coex IE to TDLS setup framesArik Nemtsov2014-11-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | Add the BSS coex IE in case we support HT40 channels, as mandated by section 8.5.13 in IEEE802.11 2012. Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com> Signed-off-by: Arik Nemtsov <arik@wizery.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: add supported channels IE during TDLS setupArik Nemtsov2014-11-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This information element is mandatory in case TDLS channel-switching is to be supported. The channels given are ones supported and allowed to be active in the current regulatory setting. Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com> Signed-off-by: Arik Nemtsov <arik@wizery.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: add function to create data frame template including keyJohannes Berg2014-11-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For some TDLS channel switch implementations data frames need to be sent by the firmware based on a template. This template should be created by mac80211, and thus needs to properly be built from an 802.3 frame into an 802.11 frame. In addition, the device will need the key information so the select_key handler needs to be run. However, the driver/device will be responsible for all of the crypto encapsulation, as the sequence numbers etc. cannot be built by the host anyway in this case since it's a template to be used multiple times. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Arik Nemtsov <arik@wizery.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: factor out 802.11 header building codeJohannes Berg2014-11-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Factor out the 802.11 header building code from the xmit function to be able to use it separately in a later commit. While at it, fix up some documentation. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Arik Nemtsov <arik@wizery.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: move skb info band assignment outJohannes Berg2014-11-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Instead of passing the band as a parameter to ieee80211_xmit() and ieee80211_tx(), move it outside of the two functions while making sure info->band is set up before calling them. This removes the parameter and simplifies the follow commit. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Arik Nemtsov <arik@wizery.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: retransmit TDLS teardown packet through AP if not ACKedLiad Kaufman2014-11-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Since the TDLS peer station might not receive the teardown packet (e.g., when in PS), this makes sure the packet is retransmitted - this time through the AP - if the TDLS peer didn't ACK the packet. Signed-off-by: Liad Kaufman <liad.kaufman@intel.com> Signed-off-by: Arik Nemtsov <arik@wizery.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: add option for setting skb flags before xmitLiad Kaufman2014-11-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | Allows setting of an skb's flags - if needed - when calling ieee80211_subif_start_xmit(). Signed-off-by: Liad Kaufman <liad.kaufman@intel.com> Signed-off-by: Arik Nemtsov <arik@wizery.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: refactor duplicate detectionJohannes Berg2014-11-11
| | | | | | | | | | | | | | | | | | | | | Put duplicate detection into its own RX handler, and separate out the conditions a bit to make the code more readable. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: add back support for radiotap vendor namespace dataJohannes Berg2014-11-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | Radiotap vendor namespace data might still be useful, but we reverted it because it used too much space in the RX status. Put it back, but address the space problem by using a single bit only and putting everything else into the skb->data. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | cfg80211/mac80211: allow any interface to send channel switch notificationsLuciano Coelho2014-11-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For multi-vif channel switches, we want to send NL80211_CMD_CH_SWITCH_NOTIFY to the userspace to let it decide whether other interfaces need to be moved as well. This is needed when we want a P2P GO interface to follow the channel of a station, for example. Modify the code so that all interfaces can send CSA notifications. Additionally, send notifications for STA CSA as well. Signed-off-by: Luciano Coelho <luciano.coelho@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: send channel switch started notificationsLuciano Coelho2014-11-10
| | | | | | | | | | | | | | | | | | | | | | | | Send a channel switch notification to userspace when a channel switch is requested or when we react to a remote CSA. Signed-off-by: Luciano Coelho <luciano.coelho@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: add device_timestamp to the drv_pre_channel_switch traceLuciano Coelho2014-11-10
| | | | | | | | | | | | | | | | | | | | | | | | The device_timestamp value was left out of the event trace for drv_pre_channel_switch by mistake. Add it. Signed-off-by: Luciano Coelho <luciano.coelho@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * | mac80211: fix order of setting ch_switch and drv_pre_channel_switch callLuciano Coelho2014-11-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There was a mistake when merging commit 6d027bcc (mac80211: add pre_channel_switch driver operation) for upstream. The assignment of the values in the ch_switch structure came below the call to drv_pre_channel_switch. Fix the order. Fixes: 6d027bcc (mac80211: add pre_channel_switch driver operation) Signed-off-by: Luciano Coelho <luciano.coelho@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
* | | Merge commit '4e6ce4dc7ce71d0886908d55129d5d6482a27ff9' of ↵John W. Linville2014-11-19
|\ \ \ | |/ / |/| / | |/ git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless
| * mac80211: Fix regression that triggers a kernel BUG with CCMPRonald Wahl2014-11-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 7ec7c4a9a686c608315739ab6a2b0527a240883c (mac80211: port CCMP to cryptoapi's CCM driver) introduced a regression when decrypting empty packets (data_len == 0). This will lead to backtraces like: (scatterwalk_start) from [<c01312f4>] (scatterwalk_map_and_copy+0x2c/0xa8) (scatterwalk_map_and_copy) from [<c013a5a0>] (crypto_ccm_decrypt+0x7c/0x25c) (crypto_ccm_decrypt) from [<c032886c>] (ieee80211_aes_ccm_decrypt+0x160/0x170) (ieee80211_aes_ccm_decrypt) from [<c031c628>] (ieee80211_crypto_ccmp_decrypt+0x1ac/0x238) (ieee80211_crypto_ccmp_decrypt) from [<c032ef28>] (ieee80211_rx_handlers+0x870/0x1d24) (ieee80211_rx_handlers) from [<c0330c7c>] (ieee80211_prepare_and_rx_handle+0x8a0/0x91c) (ieee80211_prepare_and_rx_handle) from [<c0331260>] (ieee80211_rx+0x568/0x730) (ieee80211_rx) from [<c01d3054>] (__carl9170_rx+0x94c/0xa20) (__carl9170_rx) from [<c01d3324>] (carl9170_rx_stream+0x1fc/0x320) (carl9170_rx_stream) from [<c01cbccc>] (carl9170_usb_tasklet+0x80/0xc8) (carl9170_usb_tasklet) from [<c00199dc>] (tasklet_hi_action+0x88/0xcc) (tasklet_hi_action) from [<c00193c8>] (__do_softirq+0xcc/0x200) (__do_softirq) from [<c0019734>] (irq_exit+0x80/0xe0) (irq_exit) from [<c0009c10>] (handle_IRQ+0x64/0x80) (handle_IRQ) from [<c000c3a0>] (__irq_svc+0x40/0x4c) (__irq_svc) from [<c0009d44>] (arch_cpu_idle+0x2c/0x34) Such packets can appear for example when using the carl9170 wireless driver because hardware sometimes generates garbage when the internal FIFO overruns. This patch adds an additional length check. Cc: stable@vger.kernel.org Fixes: 7ec7c4a9a686 ("mac80211: port CCMP to cryptoapi's CCM driver") Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: Ronald Wahl <ronald.wahl@raritan.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * mac80211: fix use-after-free in defragmentationJohannes Berg2014-11-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Upon receiving the last fragment, all but the first fragment are freed, but the multicast check for statistics at the end of the function refers to the current skb (the last fragment) causing a use-after-free bug. Since multicast frames cannot be fragmented and we check for this early in the function, just modify that check to also do the accounting to fix the issue. Cc: stable@vger.kernel.org Reported-by: Yosef Khyal <yosefx.khyal@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * mac80211: properly flush delayed scan work on interface removalJohannes Berg2014-10-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When an interface is deleted, an ongoing hardware scan is canceled and the driver must abort the scan, at the very least reporting completion while the interface is removed. However, if it scheduled the work that might only run after everything is said and done, which leads to cfg80211 warning that the scan isn't reported as finished yet; this is no fault of the driver, it already did, but mac80211 hasn't processed it. To fix this situation, flush the delayed work when the interface being removed is the one that was executing the scan. Cc: stable@vger.kernel.org Reported-by: Sujith Manoharan <sujith@msujith.org> Tested-by: Sujith Manoharan <sujith@msujith.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * mac80211: schedule the actual switch of the station before CSA count 0Luciano Coelho2014-10-29
| | | | | | | | | | | | | | | | | | | | | | Due to the time it takes to process the beacon that started the CSA process, we may be late for the switch if we try to reach exactly beacon 0. To avoid that, use count - 1 when calculating the switch time. Cc: stable@vger.kernel.org Reported-by: Jouni Malinen <j@w1.fi> Signed-off-by: Luciano Coelho <luciano.coelho@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
| * mac80211: use secondary channel offset IE also beacons during CSALuciano Coelho2014-10-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If we are switching from an HT40+ to an HT40- channel (or vice-versa), we need the secondary channel offset IE to specify what is the post-CSA offset to be used. This applies both to beacons and to probe responses. In ieee80211_parse_ch_switch_ie() we were ignoring this IE from beacons and using the *current* HT information IE instead. This was causing us to use the same offset as before the switch. Fix that by using the secondary channel offset IE also for beacons and don't ever use the pre-switch offset. Additionally, remove the "beacon" argument from ieee80211_parse_ch_switch_ie(), since it's not needed anymore. Cc: stable@vger.kernel.org Reported-by: Jouni Malinen <j@w1.fi> Signed-off-by: Luciano Coelho <luciano.coelho@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>