summaryrefslogtreecommitdiff
path: root/net/mac80211
AgeCommit message (Collapse)AuthorFilesLines
2012-11-26mac80211: fix remain-on-channel (non-)cancellingJohannes Berg1-2/+0
Felix Liao reported that when an interface is set DOWN while another interface is executing a ROC, the warning in ieee80211_start_next_roc() (about the first item on the list having started already) triggers. This is because ieee80211_roc_purge() calls it even if it never actually changed the list of ROC items. To fix this, simply remove the function call. If it is needed then it will be done by the ieee80211_sw_roc_work() function when the ROC item that is being removed while active is cleaned up. Cc: stable@vger.kernel.org Reported-by: Felix Liao <Felix.Liao@watchguard.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-11-19Merge branch 'for-john' of ↵John W. Linville1-4/+4
git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
2012-11-14Merge branch 'for-john' of ↵John W. Linville8-9/+35
git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
2012-11-13mac80211: deinitialize ibss-internals after emptiness checkSimon Wunderlich1-4/+4
The check whether the IBSS is active and can be removed should be performed before deinitializing the fields used for the check/search. Otherwise, the configured BSS will not be found and removed properly. To make it more clear for the future, rename sdata->u.ibss to the local pointer ifibss which is used within the checks. This behaviour was introduced by f3209bea110cade12e2b133da8b8499689cb0e2e ("mac80211: fix IBSS teardown race") Cc: stable@vger.kernel.org Cc: Ignacy Gawedzki <i@lri.fr> Signed-off-by: Simon Wunderlich <siwu@hrz.tu-chemnitz.de> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-11-10mac80211: call skb_dequeue/ieee80211_free_txskb instead of __skb_queue_purgeFelix Fietkau4-6/+20
Fixes more wifi status skb leaks, leading to hostapd/wpa_supplicant hangs. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-11-09mac80211: don't send null data packet when not associatedJohannes Berg1-0/+2
On resume or firmware recovery, mac80211 sends a null data packet to see if the AP is still around and hasn't disconnected us. However, it always does this even if it wasn't even connected before, leading to a warning in the new channel context code. Fix this by checking that it's associated. Cc: stable@vger.kernel.org Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-11-09mac80211: fix memory leak in device registration error pathJohannes Berg1-2/+4
If the cipher suites need to be allocated, but this allocation fails, this leaks the internal scan request. Fix that by going to the correct error handling label. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-11-05mac80211: sync acccess to tx_filtered/ps_tx_buf queuesArik Nemtsov1-0/+5
These are accessed without a lock when ending STA PSM. If the sta_cleanup timer accesses these lists at the same time, we might crash. This may fix some mysterious crashes we had during ieee80211_sta_ps_deliver_wakeup. Cc: stable@vger.kernel.org Signed-off-by: Arik Nemtsov <arik@wizery.com> Signed-off-by: Ido Yariv <ido@wizery.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-31mac80211: init sched_scan_iesDavid Spinadel1-1/+1
In case that there is an unsupported band, the ie will be unallocated and the free will crash. Cc: stable@vger.kernel.org Signed-off-by: David Spinadel <david.spinadel@intel.com> Reviewed-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-31mac80211: do not call ieee80211_configure_filter if no interfaces are upFelix Fietkau1-0/+3
Drivers are not expected to handle it before drv_start has been called. It will be called again after an interface has been brought up. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-29Merge branch 'for-john' of ↵John W. Linville3-26/+92
git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
2012-10-26mac80211: make sure data is accessible in EAPOL checkJohannes Berg1-8/+10
The code to allow EAPOL frames even when the station isn't yet marked associated needs to check that the incoming frame is long enough and due to paged RX it also can't assume skb->data contains the right data, it must use skb_copy_bits(). Fix this to avoid using data that doesn't really exist. Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-26mac80211: verify that skb data is presentJohannes Berg1-1/+31
A number of places in the mesh code don't check that the frame data is present and in the skb header when trying to access. Add those checks and the necessary pskb_may_pull() calls. This prevents accessing data that doesn't actually exist. To do this, export ieee80211_get_mesh_hdrlen() to be able to use it in mac80211. Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-26mac80211: check management frame header lengthJohannes Berg1-4/+8
Due to pskb_may_pull() checking the skb length, all non-management frames are checked on input whether their 802.11 header is fully present. Also add that check for management frames and remove a check that is now duplicate. This prevents accessing skb data beyond the frame end. Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-26mac80211: fix SSID copy on IBSS JOINAntonio Quartulli1-1/+1
The 'ssid' field of the cfg80211_ibss_params is a u8 pointer and its length is likely to be less than IEEE80211_MAX_SSID_LEN most of the time. This patch fixes the ssid copy in ieee80211_ibss_join() by using the SSID length to prevent it from reading beyond the string. Cc: stable@vger.kernel.org Signed-off-by: Antonio Quartulli <ordex@autistici.org> [rewrapped commit message, small rewording] Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-25mac80211: don't inspect Sequence Control field on control framesJavier Cardona1-0/+4
Per IEEE Std. 802.11-2012, Sec 8.2.4.4.1, the sequence Control field is not present in control frames. We noticed this problem when processing Block Ack Requests. Cc: stable@vger.kernel.org Signed-off-by: Javier Cardona <javier@cozybit.com> Signed-off-by: Javier Lopez <jlopex@cozybit.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-25mac80211: Don't drop frames received with mesh ttl == 1Javier Cardona1-1/+1
Prior this fix, those frames were not received, nor forwarded. Fix this to receive and not forward. Signed-off-by: Javier Cardona <javier@cozybit.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-25mac80211: Only process mesh config header on frames that RA_MATCHJavier Cardona1-4/+2
Doing otherwise is wrong, and may wreak havoc on the mpp tables, specially if the frame is encrypted. Cc: stable@vger.kernel.org Reported-by: Chaoxing Lin <Chaoxing.Lin@ultra-3eti.com> Signed-off-by: Javier Cardona <javier@cozybit.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-24mac80211: use blacklist for duplicate IE checkJohannes Berg1-7/+35
Instead of the current whitelist which accepts duplicates only for the quiet and vendor IEs, use a blacklist of all IEs (that we currently parse) that can't be duplicated. This avoids detecting a beacon as corrupt in the future when new IEs are added that can be duplicated. Cc: stable@vger.kernel.org Signed-off-by: Paul Stewart <pstew@chromium.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-17Merge branch 'for-john' of ↵John W. Linville2-15/+31
git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
2012-10-17mac80211: connect with HT20 if HT40 is not permittedJohannes Berg1-10/+20
Some changes to fix issues with HT40 APs in Korea and follow-up changes to allow using HT40 even if the local regulatory database disallows it caused issues with iwlwifi (and could cause issues with other devices); iwlwifi firmware would assert if you tried to connect to an AP that has an invalid configuration (e.g. using HT40- on channel 140.) Fix this, while avoiding the "Korean AP" issue by disabling HT40 and advertising HT20 to the AP when connecting. Cc: stable@vger.kernel.org [3.6] Reported-by: Florian Reitmeir <florian@reitmeir.org> Tested-by: Florian Reitmeir <florian@reitmeir.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-15mac80211: use ieee80211_free_txskb in a few more placesFelix Fietkau3-5/+5
Free tx status skbs when draining power save buffers, pending frames, or when tearing down a vif. Fixes remaining conditions that can lead to hostapd/wpa_supplicant hangs when running out of socket write memory. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Cc: stable@vger.kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-10-15mac80211: check if key has TKIP type before updating IVStanislaw Gruszka1-1/+2
This patch fix corruption which can manifest itself by following crash when switching on rfkill switch with rt2x00 driver: https://bugzilla.redhat.com/attachment.cgi?id=615362 Pointer key->u.ccmp.tfm of group key get corrupted in: ieee80211_rx_h_michael_mic_verify(): /* update IV in key information to be able to detect replays */ rx->key->u.tkip.rx[rx->security_idx].iv32 = rx->tkip_iv32; rx->key->u.tkip.rx[rx->security_idx].iv16 = rx->tkip_iv16; because rt2x00 always set RX_FLAG_MMIC_STRIPPED, even if key is not TKIP. We already check type of the key in different path in ieee80211_rx_h_michael_mic_verify() function, so adding additional check here is reasonable. Cc: stable@vger.kernel.org # 3.0+ Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-10-15cfg80211/mac80211: avoid state mishmash on deauthStanislaw Gruszka1-2/+3
Avoid situation when we are on associate state in mac80211 and on disassociate state in cfg80211. This can results on crash during modules unload (like showed on this thread: http://marc.info/?t=134373976300001&r=1&w=2) and possibly other problems. Reported-by: Pedro Francisco <pedrogfrancisco@gmail.com> Cc: stable@vger.kernel.org Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-10-15Merge remote-tracking branch 'wireless/master' into mac80211Johannes Berg29-697/+1122
2012-10-08mac80211: use ieee80211_free_txskb to fix possible skb leaksFelix Fietkau2-12/+14
A few places free skbs using dev_kfree_skb even though they're called after ieee80211_subif_start_xmit might have cloned it for tracking tx status. Use ieee80211_free_txskb here to prevent skb leaks. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Cc: stable@vger.kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-10-08mac80211: call drv_get_tsf() in sleepable contextThomas Pedersen1-2/+1
The call to drv_get/set_tsf() was put on the workqueue to perform tsf adjustments since that function might sleep. However it ended up inside a spinlock, whose critical section must be atomic. Do tsf adjustment outside the spinlock instead, and get rid of a warning. Signed-off-by: Thomas Pedersen <thomas@cozybit.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-10-01mac80211: Fix FC masking in BIP AAD generationJouni Malinen1-3/+8
The bits used in the mask were off-by-one and ended up masking PwrMgt, MoreData, Protected fields instead of Retry, PwrMgt, MoreData. Fix this and to mask the correct fields. While doing so, convert the code to mask the full FC using IEEE80211_FCTL_* defines similarly to how CCMP AAD is built. Since BIP is used only with broadcast/multicast management frames, the Retry field is always 0 in these frames. The Protected field is also zero to maintain backwards compatibility. As such, the incorrect mask here does not really cause any problems for valid frames. In theory, an invalid BIP frame with Retry or Protected field set to 1 could be rejected because of BIP validation. However, no such frame should show up with standard compliant implementations, so this does not cause problems in normal BIP use. Signed-off-by: Jouni Malinen <j@w1.fi> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-09-21mac80211: don't send delBA on addBA failureJohannes Berg1-1/+1
There's no reason to send a delBA when the peer refused our addBA, so change that. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-09-21mac80211: don't send delBA when removing stationsJohannes Berg1-1/+1
When a station is removed and we stop the aggregation sessions, it's not useful to send delBA since this is due to us or the station disassociating or dropping the connection in some other way, so change that. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-09-21mac80211: don't send delBA before disassocJohannes Berg1-1/+1
When we disassociate, it's not really useful to send delBA action frames since we're going to send disassoc/deauth anyway, so change that. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-09-20mac80211: fix IBSS auth TX debug messageSylvain Roger Rieunier1-1/+1
In the IBSS auth TX debug message the BSSID and DA address are reversed, fix that. Signed-off-by: Sylvain Roger Rieunier <sylvain.roger.rieunier@gmail.com> [reword commit message and make it fit 72 cols] Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-09-19cfg80211: constify name parameter to add_virtual_intfJohannes Berg1-1/+2
The name can't be modified by the driver, make it const. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-09-19mac80211: make reset debugfs depend on CONFIG_PMJohannes Berg1-0/+4
The suspend/resume code depends on CONFIG_PM, so the reset debugfs file can only be made available if that is enabled. Fengguang Wu's zero-day build testing found this. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-09-14mac80211: allow re-open the blocked peer link in meshChun-Yeow Yeoh1-1/+2
Peer link which is blocked using the "iw mesh0 station set <MAC addr> plink_action block" is previously not able to re-open using "iw mesh0 station set <MAC addr> plink_action open". This patch is intended to solve this. If the station plink state remains at OPN_SNT once open, try block and open again should solve this problem. Signed-off-by: Chun-Yeow Yeoh <yeohchunyeow@gmail.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-09-14mac80211: change locking around ieee80211_recalc_smpsJohannes Berg4-8/+5
Make the function acquire the necessary mutex itself to simplify the callers. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-09-14mac80211: handle power constraint/country IE betterJohannes Berg3-22/+72
Currently, mac80211 uses the power constraint IE, and reduces the regulatory max TX power by it. This can cause issues if the AP is advertising a large power constraint value matching a high TX power in its country IE, for example in this case: ... Country: US Environment: Indoor/Outdoor ... Channels [157 - 157] @ 30 dBm ... Power constraint: 13 dB ... What happened here is that our local regulatory TX power is 15 dBm, and gets reduced by 13 dB so we end up with only 2 dBm effective TX power, which is way too low. Instead, handle the country IE/power constraint IE combined and restrict our TX power to the max of the regulatory power and the maximum power advertised by the AP, in this case 17 dBm (= 30 dBm - 13 dB). Also print a message when this happens to let the user know and help us debug issues with it. Reported-by: Carl A. Cook <CACook@quantum-equities.com> Tested-by: Carl A. Cook <CACook@quantum-equities.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-09-11mac80211: remove unneeded CONFIG_PM ifdefJohannes Berg1-13/+0
The functions are only called if CONFIG_PM is set as the callers are under an ifdef, so there's no need to also define no-op functions. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-09-10mac80211: validate skb->dev in the tx status pathFelix Fietkau1-18/+30
skb->dev might contain a stale reference to a device that was already deleted, and using it unchecked can lead to invalid pointer accesses. Since this is only used for nl80211 tx, iterate over active interfaces to find a match for skb->dev, and discard the tx status if the device is gone. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-09-10mac80211: use call_rcu() on sta deletionEliad Peller3-57/+81
mac80211 calls synchronize_rcu() on sta deletion, which increase the roaming time significantly. Convert it into a call_rcu() mechanism, in order to avoid blocking. Since some of the cleanup functions might sleep, schedule from the call_rcu callback a new work that will do the actual cleanup. In order to make sure the cleanup occurs before the interface went down, flush local->workqueue on ieee80211_do_stop(). Signed-off-by: Yoni Divinsky <yoni.divinsky@ti.com> Signed-off-by: Eliad Peller <eliad@wizery.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-09-10mac80211: add key flag for management keysJohannes Berg2-1/+33
Mark keys that might be used to receive management frames so drivers can fall back on software crypto for them if they don't support hardware offload. As the new flag is only set correctly for RX keys and the existing IEEE80211_KEY_FLAG_SW_MGMT flag can only affect TX, also rename the latter to IEEE80211_KEY_FLAG_SW_MGMT_TX. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-09-07mac80211: reply to AUTH with DEAUTH if sta allocation fails in IBSSAntonio Quartulli1-1/+32
Whenever a host gets an AUTH frame it first allocates a new station and then replies with another AUTH frame. However, if sta allocations fails the host should send a DEAUTH frame instead to tell the other end that something went wrong. Signed-off-by: Antonio Quartulli <ordex@autistici.org> [reword commit message a bit] Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-09-07mac80211: move ieee80211_send_deauth_disassoc outside mlme codeAntonio Quartulli3-50/+54
Move ieee80211_send_deauth_disassoc() to util.c to make it available for the rest of the mac80211 code. Signed-off-by: Antonio Quartulli <ordex@autistici.org> [reword commit message] Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-09-07net/mac80211/scan.c: removes unnecessary semicolonPeter Senna Tschudin1-1/+1
removes unnecessary semicolon Found by Coccinelle: http://coccinelle.lip6.fr/ Signed-off-by: Peter Senna Tschudin <peter.senna@gmail.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-09-06mac80211: refactor set_channel_typeMichal Kazior1-19/+48
Split functionality for further reuse. Will prevent code duplication when channel context channel_type merging is introduced. Signed-off-by: Michal Kazior <michal.kazior@tieto.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-09-06mac80211: use synchronize_net() on key destroyingEliad Peller1-1/+1
__ieee80211_key_destroy() calls synchronize_rcu() in order to sync the tx path before destroying the key. However, synching the tx path can be done with synchronize_net() as well, which is usually faster (the timing might be important for roaming scenarios). Signed-off-by: Eliad Peller <eliad@wizery.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-09-06mac80211: check power constraint IE size when parsingJohannes Berg3-10/+6
The power constraint IE is always a single byte so check the size when parsing instead of later. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-09-06Merge remote-tracking branch 'wireless-next/master' into mac80211-nextJohannes Berg3-34/+33
2012-09-06mac80211: disconnect if channel switch failsJohannes Berg2-18/+38
Disconnect from the AP if channel switching in the driver failed or if the new channel is unavailable. Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2012-09-06mac80211: don't hang on to sched_scan_iesJohannes Berg2-26/+14
There's no need to keep a copy of the scheduled scan IEs after the driver has been told, if it requires a copy it must make one. Therefore, we can move sched_scan_ies into the function. Signed-off-by: Johannes Berg <johannes.berg@intel.com>