14 Sep, 2011

1 commit

  • Since my commit 34e895075e21be3e21e71d6317440d1ee7969ad0
    ("mac80211: allow station add/remove to sleep") there is
    a race in mac80211 when it clears the TIM bit because a
    sleeping station disconnected, the spinlock isn't held
    around the relevant code any more. Use the right API to
    acquire the spinlock correctly.

    Cc: stable@kernel.org [2.6.34+]
    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     

23 Aug, 2011

1 commit

  • Do not call ->suspend, ->resume methods after we unregister wiphy. Also
    delete sta_cleanup timer after we finish wiphy unregister to avoid this:

    WARNING: at lib/debugobjects.c:262 debug_print_object+0x85/0xa0()
    Hardware name: 6369CTO
    ODEBUG: free active (active state 0) object type: timer_list hint: sta_info_cleanup+0x0/0x180 [mac80211]
    Modules linked in: aes_i586 aes_generic fuse bridge stp llc autofs4 sunrpc cpufreq_ondemand acpi_cpufreq mperf ext2 dm_mod uinput thinkpad_acpi hwmon sg arc4 rt2800usb rt2800lib crc_ccitt rt2x00usb rt2x00lib mac80211 cfg80211 i2c_i801 iTCO_wdt iTCO_vendor_support e1000e ext4 mbcache jbd2 sd_mod crc_t10dif sr_mod cdrom yenta_socket ahci libahci pata_acpi ata_generic ata_piix i915 drm_kms_helper drm i2c_algo_bit video [last unloaded: microcode]
    Pid: 5663, comm: pm-hibernate Not tainted 3.1.0-rc1-wl+ #19
    Call Trace:
    [] warn_slowpath_common+0x6d/0xa0
    [] ? debug_print_object+0x85/0xa0
    [] ? debug_print_object+0x85/0xa0
    [] warn_slowpath_fmt+0x2e/0x30
    [] debug_print_object+0x85/0xa0
    [] ? sta_info_alloc+0x1a0/0x1a0 [mac80211]
    [] debug_check_no_obj_freed+0xe2/0x180
    [] kfree+0x8b/0x150
    [] cfg80211_dev_free+0x7e/0x90 [cfg80211]
    [] wiphy_dev_release+0xd/0x10 [cfg80211]
    [] device_release+0x19/0x80
    [] kobject_release+0x7a/0x1c0
    [] ? rtnl_unlock+0x8/0x10
    [] ? wiphy_resume+0x6b/0x80 [cfg80211]
    [] ? kobject_del+0x30/0x30
    [] kref_put+0x2d/0x60
    [] kobject_put+0x1d/0x50
    [] ? mutex_lock+0x14/0x40
    [] put_device+0xf/0x20
    [] dpm_resume+0xca/0x160
    [] hibernation_snapshot+0xcd/0x260
    [] ? freeze_processes+0x3f/0x90
    [] hibernate+0xcb/0x1e0
    [] ? pm_async_store+0x40/0x40
    [] state_store+0xa0/0xb0
    [] ? pm_async_store+0x40/0x40
    [] kobj_attr_store+0x20/0x30
    [] sysfs_write_file+0x94/0xf0
    [] vfs_write+0x9a/0x160
    [] ? sysfs_open_file+0x200/0x200
    [] sys_write+0x3d/0x70
    [] sysenter_do_call+0x12/0x28

    Cc: stable@kernel.org
    Signed-off-by: Stanislaw Gruszka
    Signed-off-by: John W. Linville

    Stanislaw Gruszka
     

28 Jul, 2011

1 commit

  • After the last patch, we are left in a state in which only drivers calling
    ether_setup have IFF_TX_SKB_SHARING set (we assume that drivers touching real
    hardware call ether_setup for their net_devices and don't hold any state in
    their skbs). There are a handful of drivers that violate this assumption of
    course, and need to be fixed up. This patch identifies those drivers, and marks
    them as not being able to support the safe transmission of skbs by clearing the
    IFF_TX_SKB_SHARING flag in priv_flags.

    Signed-off-by: Neil Horman
    CC: Karsten Keil
    CC: "David S. Miller"
    CC: Jay Vosburgh
    CC: Andy Gospodarek
    CC: Patrick McHardy
    CC: Krzysztof Halasa
    CC: "John W. Linville"
    CC: Greg Kroah-Hartman
    CC: Marcel Holtmann
    CC: Johannes Berg
    Signed-off-by: David S. Miller

    Neil Horman
     

26 Jul, 2011

1 commit

  • * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial: (43 commits)
    fs: Merge split strings
    treewide: fix potentially dangerous trailing ';' in #defined values/expressions
    uwb: Fix misspelling of neighbourhood in comment
    net, netfilter: Remove redundant goto in ebt_ulog_packet
    trivial: don't touch files that are removed in the staging tree
    lib/vsprintf: replace link to Draft by final RFC number
    doc: Kconfig: `to be' -> `be'
    doc: Kconfig: Typo: square -> squared
    doc: Konfig: Documentation/power/{pm => apm-acpi}.txt
    drivers/net: static should be at beginning of declaration
    drivers/media: static should be at beginning of declaration
    drivers/i2c: static should be at beginning of declaration
    XTENSA: static should be at beginning of declaration
    SH: static should be at beginning of declaration
    MIPS: static should be at beginning of declaration
    ARM: static should be at beginning of declaration
    rcu: treewide: Do not use rcu_read_lock_held when calling rcu_dereference_check
    Update my e-mail address
    PCIe ASPM: forcedly -> forcibly
    gma500: push through device driver tree
    ...

    Fix up trivial conflicts:
    - arch/arm/mach-ep93xx/dma-m2p.c (deleted)
    - drivers/gpio/gpio-ep93xx.c (renamed and context nearby)
    - drivers/net/r8169.c (just context changes)

    Linus Torvalds
     

21 Jul, 2011

3 commits

  • All these are instances of
    #define NAME value;
    or
    #define NAME(params_opt) value;

    These of course fail to build when used in contexts like
    if(foo $OP NAME)
    while(bar $OP NAME)
    and may silently generate the wrong code in contexts such as
    foo = NAME + 1; /* foo = value; + 1; */
    bar = NAME - 1; /* bar = value; - 1; */
    baz = NAME & quux; /* baz = value; & quux; */

    Reported on comp.lang.c,
    Message-ID:
    Initial analysis of the dangers provided by Keith Thompson in that thread.

    There are many more instances of more complicated macros having unnecessary
    trailing semicolons, but this pile seems to be all of the cases of simple
    values suffering from the problem. (Thus things that are likely to be found
    in one of the contexts above, more complicated ones aren't.)

    Signed-off-by: Phil Carmody
    Signed-off-by: Jiri Kosina

    Phil Carmody
     
  • ieee80211_stop_rx_ba_session() was calling sta_info_get()
    without rcu locking, and the return value was not
    checked.
    This resulted in the following panic:

    [] (ieee80211_stop_rx_ba_session+0x0/0x60 [mac80211])
    [] (wl1271_event_handle+0x0/0xdc8 [wl12xx])
    [] (wl1271_irq+0x0/0x4a0 [wl12xx])
    [] (irq_thread+0x0/0x254)
    [] (kthread+0x0/0x8c)

    Signed-off-by: Eliad Peller
    Reviewed-by: Johannes Berg
    Signed-off-by: John W. Linville

    Eliad Peller
     
  • In P2P client mode, the GO (AP) to connect to might
    have periods of time where it is not available due
    to powersave. To allow the driver to sync with it
    and send frames to the GO only when it is available
    add a new callback tx_sync (and the corresponding
    finish_tx_sync). These callbacks can sleep unlike
    the actual TX.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     

20 Jul, 2011

1 commit


19 Jul, 2011

1 commit

  • Add tx_conf array to save the current tx queues
    configuration, and reconfig it on resume (ieee80211_reconfig).

    On resume, the driver is being reconfigured. Without
    reconfiguring the tx queues as well, the driver might
    configure the device to use wrong ac params (e.g. ps-poll
    instead of uapsd).

    Signed-off-by: Eliad Peller
    Signed-off-by: John W. Linville

    Eliad Peller
     

16 Jul, 2011

3 commits

  • When suspending with all netdevs down, the device
    is stopped but we still call a number of driver
    callbacks that the driver might not expect. The
    same happens during resume, we might call a few
    callbacks without starting the driver. Fix this
    by checking open_count around more things and
    exiting quickly if it is 0.

    Also, while at this I noticed that the coverage
    class isn't reprogrammed after resume, so add
    that.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     
  • ieee80211_iter_keys() currently returns keys in
    the backward order they were installed in, which
    is a bit confusing. Add them to the tail of the
    key list to make sure iterations go in the same
    order that keys were originally installed in.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     
  • When the driver wants to pre-program the TKIP
    RX phase 1 key, it needs to be able to obtain
    it for the peer's TA. Add API to allow it to
    generate it.

    The generation uses a dummy on-stack context
    since it doesn't know the RX queue.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     

14 Jul, 2011

2 commits

  • In WoWLAN, devices may use crypto keys for TX/RX
    and could also implement GTK rekeying. If the
    driver isn't able to retrieve replay counters and
    similar information from the device upon resume,
    or if the device isn't responsive due to platform
    issues, it isn't safe to keep the connection up
    as GTK rekey messages from during the sleep time
    could be replayed against it.

    The only protection against that is disconnecting
    from the AP. Modifying mac80211 to do that while
    it is resuming would be very complex and invasive
    in the case that the driver requires a reconfig,
    so do it after it has resumed completely. In that
    case, however, packets might be replayed since it
    can then only happen after TX/RX are up again, so
    mark keys for interfaces that need to disconnect
    as "tainted" and drop all packets that are sent
    or received with those keys.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     
  • is_valid_ether_addr itself checks for is_zero_ether_addr

    Signed-off-by: Mohammed Shafi Shajakhan
    Signed-off-by: John W. Linville

    Mohammed Shafi Shajakhan
     

12 Jul, 2011

3 commits


11 Jul, 2011

1 commit


09 Jul, 2011

1 commit


08 Jul, 2011

10 commits

  • A panic was observed when the device failed to resume properly,
    and there are no running interfaces. ieee80211_reconfig tries
    to restart STA timers on unassociated state.

    Cc: stable@kernel.org
    Signed-off-by: Rajkumar Manoharan
    Signed-off-by: John W. Linville

    Rajkumar Manoharan
     
  • In order to support pre-populating the P1K cache in
    iwlwifi hardware for WoWLAN, we need to calculate
    the P1K for the current IV32. Allow drivers to get
    the P1K for any given IV32 instead of for a given
    packet, but keep the packet-based version around as
    an inline.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     
  • In order to implement GTK rekeying, the device needs
    to be able to encrypt frames with the right PN/IV and
    check the PN/IV in RX frames. To be able to tell it
    about all those counters, we need to be able to get
    them from mac80211, this adds the required API.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     
  • The current rx->queue value is slightly confusing.
    It is set to 16 on non-QoS frames, including data,
    and then used for sequence number and PN/IV checks.
    Until recently, we had a TKIP IV checking bug that
    had been introduced in 2008 to fix a seqno issue.
    Before that, we always used TID 0 for checking the
    PN or IV on non-QoS packets.

    Go back to the old status for PN/IV checks using
    the TID 0 counter for non-QoS by splitting up the
    rx->queue value into "seqno_idx" and "security_idx"
    in order to avoid confusion in the future. They
    each have special rules on the value used for non-
    QoS data frames.

    Since the handling is now unified, also revert the
    special TKIP handling from my patch
    "mac80211: fix TKIP replay vulnerability".

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     
  • mac80211 has a definition of AES_BLOCK_SIZE and
    multiple definitions of AES_BLOCK_LEN. Remove
    them all and use crypto/aes.h.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     
  • Just like TKIP and CCMP, CMAC has the PN race.
    It might not actually be possible to hit it now
    since there aren't multiple ACs for management
    frames, but fix it anyway.

    Also move scratch buffers onto the stack.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     
  • Since we can process multiple packets at the
    same time for different ACs, but the PN is
    allocated from a single counter, we need to
    use an atomic value there. Use atomic64_t to
    make this cheaper on 64-bit platforms, other
    platforms will support this through software
    emulation, see lib/atomic64.c.

    We also need to use an on-stack scratch buf
    so that multiple packets won't corrupt each
    other's scratch buffers.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     
  • Our current TKIP code races against itself on TX
    since we can process multiple packets at the same
    time on different ACs, but they all share the TX
    context for TKIP. This can lead to bad IVs etc.

    Also, the crypto offload helper code just obtains
    the P1K/P2K from the cache, and can update it as
    well, but there's no guarantee that packets are
    really processed in order.

    To fix these issues, first introduce a spinlock
    that will protect the IV16/IV32 values in the TX
    context. This first step makes sure that we don't
    assign the same IV multiple times or get confused
    in other ways.

    Secondly, change the way the P1K cache works. I
    add a field "p1k_iv32" that stores the value of
    the IV32 when the P1K was last recomputed, and
    if different from the last time, then a new P1K
    is recomputed. This can cause the P1K computation
    to flip back and forth if packets are processed
    out of order. All this also happens under the new
    spinlock.

    Finally, because there are argument differences,
    split up the ieee80211_get_tkip_key() API into
    ieee80211_get_tkip_p1k() and ieee80211_get_tkip_p2k()
    and give them the correct arguments.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     
  • Unlike CCMP, the presence or absence of the QoS
    field doesn't change the encryption, only the
    TID is used. When no QoS field is present, zero
    is used as the TID value. This means that it is
    possible for an attacker to take a QoS packet
    with TID 0 and replay it as a non-QoS packet.

    Unfortunately, mac80211 uses different IVs for
    checking the validity of the packet's TKIP IV
    when it checks TID 0 and when it checks non-QoS
    packets. This means it is vulnerable to this
    replay attack.

    To fix this, use the same replay counter for
    TID 0 and non-QoS packets by overriding the
    rx->queue value to 0 if it is 16 (non-QoS).

    This is a minimal fix for now. I caused this
    issue in

    commit 1411f9b531f0a910cd1c85a337737c1e6ffbae6a
    Author: Johannes Berg
    Date: Thu Jul 10 10:11:02 2008 +0200

    mac80211: fix RX sequence number check

    while fixing a sequence number issue (there,
    a separate counter needs to be used).

    Cc: stable@kernel.org
    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
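
The replay check this commit message describes, as an added C model that is not part of the commit or of mac80211. The struct and function names are hypothetical and the frame values are constructed; only the queue value 16 for non-QoS frames and the override to 0 come from the message.

```c
#include <stdbool.h>
#include <stdint.h>

#define NUM_TIDS      16  /* QoS TIDs 0..15 */
#define NON_QOS_QUEUE 16  /* rx->queue value the message gives for non-QoS frames */

/* Constructed model of a received TKIP frame: only what the replay check needs. */
struct rx_frame {
    bool     has_qos; /* QoS control field present? */
    uint8_t  tid;     /* TID from the QoS field; unused when has_qos is false */
    uint64_t iv;      /* 48-bit TKIP IV (IV32 << 16 | IV16) */
};

/* Hypothetical per-key receive state: one replay counter per queue slot. */
struct rx_key { uint64_t last_iv[NUM_TIDS + 1]; };

static int rx_queue(const struct rx_frame *f)
{
    return f->has_qos ? (f->tid & 0x0f) : NON_QOS_QUEUE;
}

/* Before the fix: non-QoS frames are checked against their own counter (slot 16). */
static int counter_before_fix(const struct rx_frame *f) { return rx_queue(f); }

/* After the fix: queue 16 is overridden to 0, so non-QoS shares TID 0's counter. */
static int counter_after_fix(const struct rx_frame *f)
{
    int q = rx_queue(f);
    return q == NON_QOS_QUEUE ? 0 : q;
}

typedef int (*counter_fn)(const struct rx_frame *);

/* Accept a frame only if its IV is strictly greater than the last one accepted. */
static bool rx_accept(struct rx_key *k, const struct rx_frame *f, counter_fn pick)
{
    int idx = pick(f);
    if (f->iv <= k->last_iv[idx])
        return false;            /* replayed or stale IV: drop */
    k->last_iv[idx] = f->iv;
    return true;
}

/* Receive a QoS TID 0 frame, then the same IV again without the QoS field.
 * Returns true if the second copy passes the replay check. */
static bool second_copy_accepted(counter_fn pick)
{
    struct rx_key key = { .last_iv = {0} };
    struct rx_frame first = { .has_qos = true,  .tid = 0, .iv = 0x1234 };
    struct rx_frame again = { .has_qos = false, .tid = 0, .iv = 0x1234 };
    return rx_accept(&key, &first, pick) && rx_accept(&key, &again, pick);
}

int main(void)
{   /* exit 0 when the old mapping passes the second copy and the new one drops it */
    return second_copy_accepted(counter_before_fix) &&
           !second_copy_accepted(counter_after_fix) ? 0 : 1;
}
```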
     
  • We were not allocating memory for the IEs passed in the scheduled_scan
    request and this was causing memory corruption (buffer overflow).

    Signed-off-by: Luciano Coelho
    Signed-off-by: John W. Linville

    Luciano Coelho
     

07 Jul, 2011

2 commits

  • This adds the necessary mac80211 APIs to support
    GTK rekey offload, mirroring the functionality
    from cfg80211.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     
  • When in suspend/wowlan, devices might implement crypto
    offload differently (more features), and might require
    reprogramming keys for the WoWLAN (as it is the case
    for Intel devices that use another uCode image). Thus
    allow the driver to iterate all keys in this context.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     

06 Jul, 2011

3 commits

  • If the driver can't support WoWLAN in the current
    state, this patch allows it to return 1 from the
    suspend callback to do the normal deconfiguration
    instead of using suspend/resume calls. Note that
    if it does this, resume won't be called.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     
  • mlme.c
    l.757 ieee80211_dynamic_ps_enable_work(11)
    variable dereferenced before check 'sdata'

    mesh_pathtbl.c
    l.650 mesh_path_del(20) double lock 'bottom_half'
    l.663 mesh_path_del(33) double unlock 'bottom_half'

    Signed-off-by: Christian Lamparter
    Signed-off-by: John W. Linville

    Christian Lamparter
     
  • Based on inputs from Johannes Berg
    from http://article.gmane.org/gmane.linux.kernel.wireless.general/68193
    and http://article.gmane.org/gmane.linux.kernel.wireless.general/71702

    In xmit path, devices that do full hardware crypto (including
    MMIC and ICV) need no tailroom. For such devices, tailroom
    reservation can be skipped if all the keys are programmed into
    the hardware (i.e software crypto is not used for any of the
    keys) and none of the keys wants software to generate Michael
    MIC and IV.

    v2: Added check for IV along with MMIC.
    Reported-by: Fabio Rossi
    Tested-by: Fabio Rossi
    Signed-off-by: Mohammed Shafi Shajakhan
    Cc: Mohammed Shafi Shajakhan

    v3: Fixing races to avoid WARNING: at net/mac80211/wpa.c:397
    ccmp_encrypt_skb+0xc4/0x1f0
    Reported-by: Andreas Hartmann
    Tested-by: Andreas Hartmann

    v4: Added links with message ID

    Signed-off-by: Yogesh Ashok Powar
    Signed-off-by: John W. Linville

    Yogesh Ashok Powar
     

30 Jun, 2011

1 commit


29 Jun, 2011

1 commit


28 Jun, 2011

4 commits

  • Use the tx_frames_pending() driver callback to determine if Tx frames are
    pending for its internal queues. If so postpone the dynamic PS timeout
    to avoid interrupting Tx traffic.

    The commit e8306f989483e4b97a8b37dd268de6c8c6f35e75 enabled this
    behavior for drivers with IEEE80211_HW_PS_NULLFUNC_STACK. We enable this
    for all drivers supporting dynamic PS.

    This patch helps improve performance in noisy environments.

    Signed-off-by: Arik Nemtsov
    Signed-off-by: John W. Linville

    Arik Nemtsov
     
  • Do not send DS Channel parameter for directed probe requests
    in order to maximize the chance that we get a response. Some
    badly-behaved APs don't respond when this parameter is included.

    Signed-off-by: Paul Stewart
    Reviewed-by: Johannes Berg
    Signed-off-by: John W. Linville

    Paul Stewart
     
  • When forming a Rx BA session, sometimes the ADDBA response gets lost.
    This leads to a situation where the session is configured locally, but
    doesn't exist on the remote side. Subsequent ADDBA requests are declined
    by mac80211.

    Fix this by assuming the session state of the initiator is the correct
    one. When receiving an unexpected ADDBA request on a TID with an active
    Rx BA session, delete the existing one and establish a new session.

    Signed-off-by: Arik Nemtsov
    Acked-by: Johannes Berg
    Signed-off-by: John W. Linville

    Arik Nemtsov
     
  • Advertise only user-requested bitrates in a HW scan.
    Note that the hw_scan API doesn't currently have a
    way of asking for a specific probe request bitrate,
    so we might end up using a bitrate that we don't
    advertise as supported. I'll fix that later.

    Also add a hexdump printk to hwsim to verify this.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg