aboutsummaryrefslogtreecommitdiffstats
path: root/net/mac80211
Commit message (Collapse)AuthorAge
* Merge branch 'master' of ↵David S. Miller2010-01-19
|\ | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6
| * mac80211: fix sign error in pid controllerBob Copeland2010-01-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | While testing the pid rate controller in mac80211_hwsim, I noticed that once the controller reached 54 Mbit rates, it would fail to lower the rate when necessary. The debug log shows: 1945 186786 pf_sample 50 3534 3577 50 My interpretation is that the fixed point scaling of the target error value (pf) is incorrect: the error value of 50 compared to a target of 14 case should result in a scaling value of (14-50) = -36 * 256 or -9216, but instead it is (14 * 256)-50, or 3534. Correct this by doing fixed point scaling after subtraction. Signed-off-by: Bob Copeland <me@bobcopeland.com> Acked-by: Stefano Brivio <stefano.brivio@polimi.it> Acked-by: Mattias Nissler <mattias.nissler@gmx.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * mac80211: check that ieee80211_set_power_mgmt only handles STA interfaces.Benoit Papillault2010-01-15
| | | | | | | | | | | | | | | | | | | | | | ieee80211_set_power_mgmt is meant for STA interfaces only. Moreover, since sdata->u.mgd.mtx is only initialized for STA interfaces, using this code for any other type of interface (like creating a monitor interface) will result in a oops. Cc: stable@kernel.org Signed-off-by: Benoit Papillault <benoit.papillault@free.fr> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | Merge branch 'master' of ↵David S. Miller2010-01-13
|\| | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6
| * mac80211: fix queue selection for data frames on monitor interfacesFelix Fietkau2010-01-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | When ieee80211_monitor_select_queue encounters data frames, it selects the WMM AC based on skb->priority and assumes that skb->priority contains a valid 802.1d tag. However this assumption is incorrect, since ieee80211_select_queue has not been called at this point. If skb->priority > 7, an array overrun occurs, which could lead to invalid values, resulting in crashes in the tx path. Fix this by setting skb->priority based on the 802.11 header for QoS frames and using the default AC for all non-QoS frames. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * mac80211: fix endian errorJohannes Berg2010-01-08
| | | | | | | | | | | | | | | | | | I forgot to convert the radiotap length to CPU endian, which sparse found thankfully. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * mac80211: add missing sanity checks for action framesFelix Fietkau2010-01-08
| | | | | | | | | | | | | | | | | | | | | | | | | | Various missing sanity checks caused rejected action frames to be interpreted as channel switch announcements, which can cause a client mode interface to switch away from its operating channel, thereby losing connectivity. This patch ensures that only spectrum management action frames are processed by the CSA handling function and prevents rejected action frames from getting processed by the MLME code. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * mac80211: fix queue selection for packets injected via monitor interfaceLennert Buytenhek2010-01-08
| | | | | | | | | | | | | | | | | | | | | | | | | | Commit 'mac80211: fix skb buffering issue' added an ->ndo_select_queue() for monitor interfaces which can end up dereferencing ieee802_1d_to_ac[] beyond the end of the array for injected data packets (as skb->priority isn't guaranteed to be zero or within [0:7]), which then triggers the WARN_ON in net/core/dev.c:dev_cap_txqueue(). Fix this by always setting the priority to zero on injected data frames. Signed-off-by: Lennert Buytenhek <buytenh@marvell.com> Cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * Revert "mac80211: replace netif_tx_{start,stop,wake}_all_queues"John W. Linville2010-01-06
| | | | | | | | | | | | | | | | | | This reverts commit 53623f1a09c7a7d23b74f0f7d93dba0ebde1006b. This was inadvertantly missed in "mac80211: fix skb buffering issue", and is required with that patch to restore proper queue operation. Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * mac80211: fix-up build breakage in 2.6.33John W. Linville2010-01-06
| | | | | | | | | | | | | | | | "mac80211: fix skb buffering issue" is based on what will become 2.6.34, so it includes an incompatible usage of sta_info_get. This patch will need to be effectively reverted when merging for 2.6.34. Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * mac80211: fix skb buffering issueJohannes Berg2010-01-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Since I removed the master netdev, we've been keeping internal queues only, and even before that we never told the networking stack above the virtual interfaces about congestion. This means that packets are queued in mac80211 and the upper layers never know, possibly leading to memory exhaustion and other problems. This patch makes all interfaces multiqueue and uses ndo_select_queue to put the packets into queues per AC. Additionally, when the driver stops a queue, we now stop all corresponding queues for the virtual interfaces as well. The injection case will use VO by default for non-data frames, and BE for data frames, but downgrade any data frames according to ACM. It needs to be fleshed out in the future to allow chosing the queue/AC in radiotap. Reported-by: Lennert Buytenhek <buytenh@marvell.com> Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Cc: stable@kernel.org [2.6.32] Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | Merge branch 'master' of ↵David S. Miller2009-12-29
|\| | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6
| * mac80211: fix propagation of failed hardware reconfigurationsLuis R. Rodriguez2009-12-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | mac80211 does not propagate failed hardware reconfiguration requests. For suspend and resume this is important due to all the possible issues that can come out of the suspend <-> resume cycle. Not propagating the error means cfg80211 will assume the resume for the device went through fine and mac80211 will continue on trying to poke at the hardware, enable timers, queue work, and so on for a device which is completley unfunctional. The least we can do is to propagate device start issues and warn when this occurs upon resume. A side effect of this patch is we also now propagate the start errors upon harware reconfigurations (non-suspend), but this should also be desirable anyway, there is not point in continuing to reconfigure a device if mac80211 was unable to start the device. For further details refer to the thread: http://marc.info/?t=126151038700001&r=1&w=2 Cc: stable@kernel.org Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * mac80211: fix race with suspend and dynamic_ps_disable_workLuis R. Rodriguez2009-12-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When mac80211 suspends it calls a driver's suspend callback as a last step and after that the driver assumes no calls will be made to it until we resume and its start callback is kicked. If such calls are made, however, suspend can end up throwing hardware in an unexpected state and making the device unusable upon resume. Fix this by preventing mac80211 to schedule dynamic_ps_disable_work by checking for when mac80211 starts to suspend and starts quiescing. Frames should be allowed to go through though as that is part of the quiescing steps and we do not flush the mac80211 workqueue since it was already done towards the beginning of suspend cycle. The other mac80211 issue will be hanled in the next patch. For further details see refer to the thread: http://marc.info/?t=126144866100001&r=1&w=2 Cc: stable@kernel.org Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * mac80211: fix ibss join with fixed-bssidFelix Fietkau2009-12-28
| | | | | | | | | | | | | | | | | | | | | | | | | | When fixed bssid is requested when joining an ibss network, incoming beacons that match the configured bssid cause mac80211 to create new sta entries, even before the ibss interface is in joined state. When that happens, it fails to bring up the interface entirely, because it checks for existing sta entries before joining. This patch fixes this bug by refusing to create sta info entries before the interface is fully operational. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | Merge branch 'master' of ↵David S. Miller2009-12-21
|\| | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6
| * mac80211: fix WMM AP settings applicationJohannes Berg2009-12-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | My commit 77fdaa12cea26c204cc12c312fe40bc0f3dcdfd8 Author: Johannes Berg <johannes@sipsolutions.net> Date: Tue Jul 7 03:45:17 2009 +0200 mac80211: rework MLME for multiple authentications inadvertedly broke WMM because it removed, along with a bunch of other now useless initialisations, the line initialising sdata->u.mgd.wmm_last_param_set to -1 which would make it adopt any WMM parameter set. If, as is usually the case, the AP uses WMM parameter set sequence number zero, we'd never update it until the AP changes the sequence number. Add the missing initialisation back to get the WMM settings from the AP applied locally. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Cc: stable@kernel.org [2.6.31+] Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * mac80211: fix peer HT capabilitiesJohannes Berg2009-12-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I noticed yesterday, because Jeff had noticed a speed regression, cf. bug http://bugzilla.intellinuxwireless.org/show_bug.cgi?id=2138 that the SM PS settings for peers were wrong. Instead of overwriting the SM PS settings with the local bits, we need to keep the remote bits. The bug was part of the original HT code from over two years ago, but unfortunately nobody noticed that it makes no sense -- we shouldn't be overwriting the peer's setting with our own but rather keep it intact when masking the peer capabilities with our own. While fixing that, I noticed that the masking of capabilities is completely useless for most of the bits, so also fix those other bits. Finally, I also noticed that PSMP_SUPPORT no longer exists in the final 802.11n version, so also remove that. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * mac80211: Add define for TX headroom reserved by mac80211 itself.Gertjan van Wingerde2009-12-14
| | | | | | | | | | | | | | | | | | | | | | Add a definition of the amount of TX headroom reserved by mac80211 itself for its own purposes. Also add BUILD_BUG_ON to validate the value. This define can then be used by drivers to request additional TX headroom in the most efficient manner. Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com> Acked-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | Merge branch 'master' of /home/davem/src/GIT/linux-2.6/David S. Miller2009-12-11
|\ \ | |/ |/| | | | | Conflicts: include/net/tcp.h
| * Merge branch 'for-linus' of ↵Linus Torvalds2009-12-09
| |\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial: (42 commits) tree-wide: fix misspelling of "definition" in comments reiserfs: fix misspelling of "journaled" doc: Fix a typo in slub.txt. inotify: remove superfluous return code check hdlc: spelling fix in find_pvc() comment doc: fix regulator docs cut-and-pasteism mtd: Fix comment in Kconfig doc: Fix IRQ chip docs tree-wide: fix assorted typos all over the place drivers/ata/libata-sff.c: comment spelling fixes fix typos/grammos in Documentation/edac.txt sysctl: add missing comments fs/debugfs/inode.c: fix comment typos sgivwfb: Make use of ARRAY_SIZE. sky2: fix sky2_link_down copy/paste comment error tree-wide: fix typos "couter" -> "counter" tree-wide: fix typos "offest" -> "offset" fix kerneldoc for set_irq_msi() spidev: fix double "of of" in comment comment typo fix: sybsystem -> subsystem ...
| | * Merge branch 'for-next' into for-linusJiri Kosina2009-12-07
| | |\ | | | | | | | | | | | | | | | | | | | | Conflicts: kernel/irq/chip.c
| | | * tree-wide: fix assorted typos all over the placeAndré Goddard Rosa2009-12-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | That is "success", "unknown", "through", "performance", "[re|un]mapping" , "access", "default", "reasonable", "[con]currently", "temperature" , "channel", "[un]used", "application", "example","hierarchy", "therefore" , "[over|under]flow", "contiguous", "threshold", "enough" and others. Signed-off-by: André Goddard Rosa <andre.goddard@gmail.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
* | | | mac80211: Revert 'Use correct sign for mesh active path refresh'Javier Cardona2009-12-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The patch ("mac80211: Use correct sign for mesh active path refresh.") was actually a bug. Reverted it and improved the explanation of how mesh path refresh works. Signed-off-by: Javier Cardona <javier@cozybit.com> Signed-off-by: Andrey Yurovsky <andrey@cozybit.com> Cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | | | mac80211: Fixed bug in mesh portal pathsJavier Cardona2009-12-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Paths to mesh portals were being timed out immediately after each use in intermediate forwarding nodes. mppath->exp_time is set to the expiration time so assigning it to jiffies was marking the path as expired. Signed-off-by: Javier Cardona <javier@cozybit.com> Signed-off-by: Andrey Yurovsky <andrey@cozybit.com> Cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | | | net/mac80211: Correct size given to memsetJulia Lawall2009-12-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Memset should be given the size of the structure, not the size of the pointer. The semantic patch that makes this change is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ type T; T *x; expression E; @@ memset(x, E, sizeof( + * x)) // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | | | wireless: correctly report signal value for IEEE80211_HW_SIGNAL_UNSPECJohn W. Linville2009-12-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This part was missed in "cfg80211: implement get_wireless_stats", probably because sta_set_sinfo already existed and was only handling dBm signals. Cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | | | mac80211: Fix bug in computing crc over dynamic IEs in beaconVasanthakumar Thiagarajan2009-12-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | On a 32-bit machine, BIT() macro does not give the required bit value if the bit is mroe than 31. In ieee802_11_parse_elems_crc(), BIT() is suppossed to get the bit value more than 31 (42 (id of ERP_INFO_IE), 37 (CHANNEL_SWITCH_IE), (42), 32 (POWER_CONSTRAINT_IE), 45 (HT_CAP_IE), 61 (HT_INFO_IE)). As we do not get the required bit value for the above IEs, crc over these IEs are never calculated, so any dynamic change in these IEs after the association is not really handled on 32-bit platforms. This patch fixes this issue. Cc: stable@kernel.org Signed-off-by: Vasanthakumar Thiagarajan <vasanth@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | | | mac80211: Fix dynamic power save for scanning.Vivek Natarajan2009-12-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Not only ps_sdata but also IEEE80211_CONF_PS is to be considered before restoring PS in scan_ps_disable(). For instance, when ps_sdata is set but CONF_PS is not set just because the dynamic timer is still running, a sw scan leads to setting of CONF_PS in scan_ps_disable instead of restarting the dynamic PS timer. Also for the above case, a null data frame is to be sent after returning to operating channel which was not happening with the current implementation. This patch fixes this too. Signed-off-by: Vivek Natarajan <vnatarajan@atheros.com> Reviewed-by: Kalle Valo <kalle.valo@nokia.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | | | mac80211: recalculate idle later in MLMEJohannes Berg2009-12-07
|/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | hwsim testing has revealed that when the MLME recalculates the idle state of the device, it sometimes does so before sending the final deauthentication or disassociation frame. This patch changes the place where the idle state is recalculated, but of course driver transmit is typically asynchronous while configuration is expected to be synchronous, so it doesn't fix all possible cases yet. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | | mac80211: fix reorder buffer releaseJohannes Berg2009-12-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | My patch "mac80211: correctly place aMPDU RX reorder code" uses an skb queue for MPDUs that were released from the buffer. I intentially didn't initialise and use the skb queue's spinlock, but in this place forgot that the code variant that doesn't touch the spinlock is needed. Thanks to Christian Lamparter for quickly spotting the bug in the backtrace Reinette reported. Reported-by: Reinette Chatre <reinette.chatre@intel.com> Bug-identified-by: Christian Lamparter <chunkeey@googlemail.com> Tested-by: Reinette Chatre <reinette.chatre@intel.com> Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | Merge branch 'master' of ↵David S. Miller2009-12-04
|\ \ \ | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6
| * | | mac80211: Fix TX status reporting for injected data framesJouni Malinen2009-12-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | An earlier optimization on removing unnecessary traffic on cooked monitor interfaces ("mac80211: reduce the amount of unnecessary traffic on cooked monitor interfaces ") ended up removing quite a bit more than just unnecessary traffic. It was not supposed to remove TX status reporting for injected frames, but ended up doing it by checking the injected flag in skb->cb only after that field had been cleared with memset.. Fix this by taking a local copy of the injected flag before skb->cb is cleared. This broke user space applications that depend on getting TX status notifications for injected data frames. For example, STA inactivity poll from hostapd did not work and ended up kicking out stations even if they were still present. Signed-off-by: Jouni Malinen <j@w1.fi> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | | mac80211: log more data when tracingJohannes Berg2009-11-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Enable logging of more configuration data when tracing is enabled. Except for the channel frequency this is only useful with the binary trace format, but that can be recorded and replayed with trace-cmd and I will be working on a plugin that reports all the information. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | | mac80211: correctly place aMPDU RX reorder codeJohannes Berg2009-11-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As indicated by the comment, the aMPDU RX reorder code should logically be after ieee80211_rx_h_check(). The previous patch moved the code there, and this patch now hooks it up in that place by introducing a list of skbs that are then processed by the remaining handlers. The list may be empty if the function is buffering the skb to release it later. The only change needed to the RX data is that the crypto handler needs to clear the key that may be set from a previous loop iteration, and that not everything can be in the rx flags now. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | | mac80211: move aMPDU RX reorder codeJohannes Berg2009-11-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This code should be part of RX handlers, so move it to the place where it belongs without changing it. A follow-up patch will do the changes to hook it up. The sole purpose of this code move is to make the other patch readable, it doesn't change the code at all except that it now requires a different static function declaration (which will go away too). Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | | mac80211: move cmntr flag out of rx flagsJohannes Berg2009-11-28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The RX flags should soon be used only for flags that cannot change within an a-MPDU, so move the cooked monitor flag into the RX status flags. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | | mac80211: Speedup ieee80211_remove_interfaces()Eric Dumazet2009-11-25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Speedup ieee80211_remove_interfaces() by factorizing synchronize_rcu() calls Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Reviewed-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | | | Merge branch 'master' of ↵David S. Miller2009-12-02
|\ \ \ \ | | |/ / | |/| | | | | | | | | | | | | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 Conflicts: net/mac80211/ht.c
| * | | mac80211: fix spurious delBA handlingJohannes Berg2009-11-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Lennert Buytenhek noticed that delBA handling in mac80211 was broken and has remotely triggerable problems, some of which are due to some code shuffling I did that ended up changing the order in which things were done -- this was commit d75636ef9c1af224f1097941879d5a8db7cd04e5 Author: Johannes Berg <johannes@sipsolutions.net> Date: Tue Feb 10 21:25:53 2009 +0100 mac80211: RX aggregation: clean up stop session and other parts were already present in the original commit d92684e66091c0f0101819619b315b4bb8b5bcc5 Author: Ron Rindjunsky <ron.rindjunsky@intel.com> Date: Mon Jan 28 14:07:22 2008 +0200 mac80211: A-MPDU Tx add delBA from recipient support The first problem is that I moved a BUG_ON before various checks -- thereby making it possible to hit. As the comment indicates, the BUG_ON can be removed since the ampdu_action callback must already exist when the state is != IDLE. The second problem isn't easily exploitable but there's a race condition due to unconditionally setting the state to OPERATIONAL when a delBA frame is received, even when no aggregation session was ever initiated. All the drivers accept stopping the session even then, but that opens a race window where crashes could happen before the driver accepts it. Right now, a WARN_ON may happen with non-HT drivers, while the race opens only for HT drivers. For this case, there are two things necessary to fix it: 1) don't process spurious delBA frames, and be more careful about the session state; don't drop the lock 2) HT drivers need to be prepared to handle a session stop even before the session was really started -- this is true for all drivers (that support aggregation) but iwlwifi which can be fixed easily. The other HT drivers (ath9k and ar9170) are behaving properly already. Reported-by: Lennert Buytenhek <buytenh@marvell.com> Cc: stable@kernel.org Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | | mac80211: fix two remote exploitsJohannes Berg2009-11-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Lennert Buytenhek noticed a remotely triggerable problem in mac80211, which is due to some code shuffling I did that ended up changing the order in which things were done -- this was in commit d75636ef9c1af224f1097941879d5a8db7cd04e5 Author: Johannes Berg <johannes@sipsolutions.net> Date: Tue Feb 10 21:25:53 2009 +0100 mac80211: RX aggregation: clean up stop session The problem is that the BUG_ON moved before the various checks, and as such can be triggered. As the comment indicates, the BUG_ON can be removed since the ampdu_action callback must already exist when the state is OPERATIONAL. A similar code path leads to a WARN_ON in ieee80211_stop_tx_ba_session, which can also be removed. Cc: stable@kernel.org [2.6.29+] Cc: Lennert Buytenhek <buytenh@marvell.com> Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | | | net: Move && and || to end of previous lineJoe Perches2009-11-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Not including net/atm/ Compiled tested x86 allyesconfig only Added a > 80 column line or two, which I ignored. Existing checkpatch plaints willfully, cheerfully ignored. Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | | Merge branch 'master' of ↵David S. Miller2009-11-29
|\| | | | |/ / |/| | | | | | | | | | | | | | | | | | | | | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 Conflicts: drivers/ieee802154/fakehard.c drivers/net/e1000e/ich8lan.c drivers/net/e1000e/phy.c drivers/net/netxen/netxen_nic_init.c drivers/net/wireless/ath/ath9k/main.c
| * | Merge branch 'master' of ↵David S. Miller2009-11-23
| |\ \ | | |/ | |/| | | | git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6
| | * mac80211: fix resumeJohannes Berg2009-11-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When mac80211 resumes, it currently first sets suspended to false so the driver can start doing things and we can receive frames. However, if we actually receive frames then it can end up starting some work which adds timers and then later runs into a BUG_ON in the timer code because it tries add_timer() on a pending timer. Fix this by keeping track of the resuming process by introducing a new variable 'resuming' which gets set to true early on instead of setting 'suspended' to false, and allow queueing work but not receiving frames while resuming. Reported-by: Maxim Levitsky <maximlevitsky@gmail.com> Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * mac80211: fix addba timer (again...)Johannes Berg2009-11-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit 2171abc58644e09dbba546d91366b12743115396 Author: Johannes Berg <johannes@sipsolutions.net> Date: Thu Oct 29 08:34:00 2009 +0100 mac80211: fix addba timer left a problem in there, even if the timer was never started it could be deleted and then added. Linus pointed out that del_timer_sync() isn't actually needed if we make the timer able to deal with no longer being needed when it gets queued _while_ we're in the locked section that also deletes it. For that the timer function only needs to check the HT_ADDBA_RECEIVED_MSK bit as well as the HT_ADDBA_REQUESTED_MSK bit, only if the former is clear should it do anything. Cc: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | | Merge branch 'master' of ↵David S. Miller2009-11-24
|\ \ \ | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6
| * | | mac80211: Fix missing kernel-doc notationJaswinder Singh Rajput2009-11-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix the following htmldocs warnings: Warning(net/mac80211/sta_info.h:322): No description found for parameter 'drv_unblock_wk' Warning(net/mac80211/sta_info.h:322): No description found for parameter 'drv_unblock_wk' Signed-off-by: Jaswinder Singh Rajput <jaswinderrajput@gmail.com> Cc: Johannes Berg <johannes@sipsolutions.net> Cc: John W. Linville <linville@tuxdriver.com> Cc: Randy Dunlap <randy.dunlap@oracle.com> Cc: David Miller <davem@davemloft.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | | mac80211: fix rcu lockingJohannes Berg2009-11-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Add a missing rcu_read_unlock() before jumping out of the ieee80211_change_station() function in the error case. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | | mac80211: remove dead struct memberJohannes Berg2009-11-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ieee80211_local.wstats is a remnant from the days when we still had to worry about wireless extensions in mac80211 -- it can be removed. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>