22 Sep, 2011

1 commit

  • Incorrect variable was used in validating the akm_suites array from
    NL80211_ATTR_AKM_SUITES. In addition, there was no explicit
    validation of the array length (we only have room for
    NL80211_MAX_NR_AKM_SUITES).

    This can result in a buffer write overflow for stack variables with
    arbitrary data from user space. The nl80211 commands using the affected
    functionality require GENL_ADMIN_PERM, so this is only exposed to admin
    users.

    Cc: stable@kernel.org
    Signed-off-by: Jouni Malinen
    Signed-off-by: John W. Linville

    Jouni Malinen
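The fix described in this commit restores a pattern worth seeing in full: a variable-length array arriving in a netlink attribute must have its element count bounded by the destination's capacity before anything is copied, and the validation loop must iterate with that array's own count. The following is an added example written for this log entry, not the kernel's nl80211 code; the attribute view, the settings structure and the sample payloads are constructed, and the value given to NL80211_MAX_NR_AKM_SUITES is assumed for the example.

```c
/*
 * Added example (not the kernel's code): validating a variable-length
 * array carried in a netlink attribute before it is copied into a
 * fixed-size structure. The attribute view, the settings struct and the
 * sample payloads are constructed for this demonstration.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Room available in the destination array (value assumed for the example). */
#define NL80211_MAX_NR_AKM_SUITES 2

/* RSN AKM suite selectors from IEEE 802.11 (OUI 00-0F-AC, types 1 and 2). */
#define WLAN_AKM_SUITE_8021X 0x000FAC01
#define WLAN_AKM_SUITE_PSK   0x000FAC02

struct crypto_settings {
	int n_akm_suites;
	/* Fixed size; in the caller this is frequently a stack variable. */
	uint32_t akm_suites[NL80211_MAX_NR_AKM_SUITES];
};

/* Minimal view of an attribute payload: the parser sees a length and bytes. */
struct attr_view {
	const void *data;
	size_t len;
};

static int akm_suite_valid(uint32_t suite)
{
	return suite == WLAN_AKM_SUITE_8021X || suite == WLAN_AKM_SUITE_PSK;
}

/*
 * Parse an array of u32 AKM suite selectors into *settings.
 * Returns 0 on success or -EINVAL. Every check precedes the memcpy, so a
 * payload longer than the destination is rejected instead of copied.
 */
int parse_akm_suites(const struct attr_view *attr, struct crypto_settings *settings)
{
	size_t n;

	/* The payload must be a whole number of u32 elements. */
	if (attr->len % sizeof(uint32_t))
		return -EINVAL;
	n = attr->len / sizeof(uint32_t);

	/* The check the original code lacked: bound the element count by
	 * the room actually available in akm_suites[]. */
	if (n > NL80211_MAX_NR_AKM_SUITES)
		return -EINVAL;

	settings->n_akm_suites = (int)n;
	memcpy(settings->akm_suites, attr->data, attr->len);

	/* Walk the array with its own count; the original loop used the
	 * count belonging to a different array (the "incorrect variable"). */
	for (size_t i = 0; i < n; i++)
		if (!akm_suite_valid(settings->akm_suites[i]))
			return -EINVAL;
	return 0;
}

/* Convenience wrapper: parse a raw payload into a zeroed settings struct. */
int check_payload(const void *data, size_t len)
{
	struct crypto_settings s;
	struct attr_view a = { data, len };

	memset(&s, 0, sizeof(s));
	return parse_akm_suites(&a, &s);
}

/* Constructed sample payloads. */
const uint32_t sample_ok[2] = { WLAN_AKM_SUITE_8021X, WLAN_AKM_SUITE_PSK };
const uint32_t sample_too_many[3] = { WLAN_AKM_SUITE_PSK, WLAN_AKM_SUITE_PSK, WLAN_AKM_SUITE_PSK };
const uint32_t sample_bad_suite[1] = { 0x12345678 };

int main(void)
{
	printf("two suites:     %d\n", check_payload(sample_ok, sizeof(sample_ok)));
	printf("three suites:   %d\n", check_payload(sample_too_many, sizeof(sample_too_many)));
	printf("odd length (7): %d\n", check_payload(sample_ok, 7));
	printf("unknown suite:  %d\n", check_payload(sample_bad_suite, sizeof(sample_bad_suite)));
	return 0;
}
```

The ordering is the whole point: alignment check, count check, copy, then per-element validation. A payload of three selectors is refused before a byte reaches the two-element array, which is exactly the path the original code left open.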
     

17 Sep, 2011

2 commits

  • The scan request received from cfg80211_connect does not
    have a proper rate mask. So the probe request sent on each
    channel does not have the proper supported rates IE.

    Cc: stable@kernel.org
    Reviewed-by: Johannes Berg
    Signed-off-by: Rajkumar Manoharan
    Signed-off-by: John W. Linville

    Rajkumar Manoharan
     
  • During the association, the regulatory is updated by country IE
    that reaps the previously found beacons. The impact is that
    after a STA disconnects *or* when for any reason a regulatory
    domain change happens the beacon hint flag is not cleared,
    therefore preventing future beacon hints from being learned.
    This is important as a regulatory domain change or a restore
    of regulatory settings would set back the passive scan and no-ibss
    flags on the channel. This is the right place to do this given that
    it covers any regulatory domain change.

    Cc: stable@kernel.org
    Reviewed-by: Luis R. Rodriguez
    Signed-off-by: Rajkumar Manoharan
    Acked-by: Luis R. Rodriguez
    Signed-off-by: John W. Linville

    Rajkumar Manoharan
     

23 Aug, 2011

1 commit

  • Do not call ->suspend, ->resume methods after we unregister wiphy. Also
    delete sta_cleanup timer after we finish wiphy unregister to avoid this:

    WARNING: at lib/debugobjects.c:262 debug_print_object+0x85/0xa0()
    Hardware name: 6369CTO
    ODEBUG: free active (active state 0) object type: timer_list hint: sta_info_cleanup+0x0/0x180 [mac80211]
    Modules linked in: aes_i586 aes_generic fuse bridge stp llc autofs4 sunrpc cpufreq_ondemand acpi_cpufreq mperf ext2 dm_mod uinput thinkpad_acpi hwmon sg arc4 rt2800usb rt2800lib crc_ccitt rt2x00usb rt2x00lib mac80211 cfg80211 i2c_i801 iTCO_wdt iTCO_vendor_support e1000e ext4 mbcache jbd2 sd_mod crc_t10dif sr_mod cdrom yenta_socket ahci libahci pata_acpi ata_generic ata_piix i915 drm_kms_helper drm i2c_algo_bit video [last unloaded: microcode]
    Pid: 5663, comm: pm-hibernate Not tainted 3.1.0-rc1-wl+ #19
    Call Trace:
    [] warn_slowpath_common+0x6d/0xa0
    [] ? debug_print_object+0x85/0xa0
    [] ? debug_print_object+0x85/0xa0
    [] warn_slowpath_fmt+0x2e/0x30
    [] debug_print_object+0x85/0xa0
    [] ? sta_info_alloc+0x1a0/0x1a0 [mac80211]
    [] debug_check_no_obj_freed+0xe2/0x180
    [] kfree+0x8b/0x150
    [] cfg80211_dev_free+0x7e/0x90 [cfg80211]
    [] wiphy_dev_release+0xd/0x10 [cfg80211]
    [] device_release+0x19/0x80
    [] kobject_release+0x7a/0x1c0
    [] ? rtnl_unlock+0x8/0x10
    [] ? wiphy_resume+0x6b/0x80 [cfg80211]
    [] ? kobject_del+0x30/0x30
    [] kref_put+0x2d/0x60
    [] kobject_put+0x1d/0x50
    [] ? mutex_lock+0x14/0x40
    [] put_device+0xf/0x20
    [] dpm_resume+0xca/0x160
    [] hibernation_snapshot+0xcd/0x260
    [] ? freeze_processes+0x3f/0x90
    [] hibernate+0xcb/0x1e0
    [] ? pm_async_store+0x40/0x40
    [] state_store+0xa0/0xb0
    [] ? pm_async_store+0x40/0x40
    [] kobj_attr_store+0x20/0x30
    [] sysfs_write_file+0x94/0xf0
    [] vfs_write+0x9a/0x160
    [] ? sysfs_open_file+0x200/0x200
    [] sys_write+0x3d/0x70
    [] sysenter_do_call+0x12/0x28

    Cc: stable@kernel.org
    Signed-off-by: Stanislaw Gruszka
    Signed-off-by: John W. Linville

    Stanislaw Gruszka
     

02 Aug, 2011

1 commit


27 Jul, 2011

2 commits

  • Just a typo fix changing regulaotry to regulatory.

    Signed-off-by: Mihai Moldovan
    CC: John W. Linville
    CC: Mohammed Shafi
    Signed-off-by: John W. Linville

    Mihai Moldovan
     
  • At the beginning of wiphy_update_regulatory() a check is performed
    whether the request is to be ignored. Then the request is sent to
    the driver nevertheless. This happens even if last_request points
    to NULL, leading to a crash in the driver:

    [] (lbs_set_11d_domain_info+0x28/0x1e4 [libertas]) from [] (wiphy_update_regulatory+0x4d0/0x4f4)
    [] (wiphy_update_regulatory+0x4d0/0x4f4) from [] (wiphy_register+0x354/0x420)
    [] (wiphy_register+0x354/0x420) from [] (lbs_cfg_register+0x80/0x164 [libertas])
    [] (lbs_cfg_register+0x80/0x164 [libertas]) from [] (lbs_start_card+0x20/0x88 [libertas])
    [] (lbs_start_card+0x20/0x88 [libertas]) from [] (if_sdio_probe+0x898/0x9c0 [libertas_sdio])

    Fix this by returning early. Also remove the out: label as it is
    no longer needed.

    Signed-off-by: Sven Neumann
    Cc: linux-wireless@vger.kernel.org
    Cc: Johannes Berg
    Cc: Daniel Mack
    Cc: stable@kernel.org
    Signed-off-by: John W. Linville

    Sven Neumann
     

21 Jul, 2011

2 commits

  • commit 58389c69150e6032504dfcd3edca6b1975c8b5bc
    Author: Johannes Berg
    Date: Mon Jul 18 18:08:35 2011 +0200

    cfg80211: allow userspace to control supported rates in scan

    made single-band cards crash since it would always
    access all wiphy->bands[]. Fix this and reject any
    attempts in the new helper ieee80211_get_ratemask()
    to do the same, rejecting rates configuration for
    unsupported bands.

    Reported-by: Pavel Roskin
    Tested-by: Pavel Roskin
    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     
  • cfg80211_netdev_notifier_call() is configuring psm in case
    of NL80211_IFTYPE_STATION interface type (on NETDEV_UP).
    Do the same for NL80211_IFTYPE_P2P_CLIENT interface type.

    Signed-off-by: Eliad Peller
    Reviewed-by: Johannes Berg
    Signed-off-by: John W. Linville

    Eliad Peller
     

20 Jul, 2011

1 commit

  • Some P2P scans are not allowed to advertise
    11b rates, but that is a rather special case
    so instead of having that, allow userspace
    to request the rate sets (per band) that are
    advertised in scan probe request frames.

    Since it's needed in two places now, factor
    out some common code parsing a rate array.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     

16 Jul, 2011

3 commits

  • Some chips may support different lengths of user-supplied IEs with a
    single scheduled scan command than with a single normal scan command.

    To support this, this patch creates a separate hardware description
    element that describes the maximum size of user-supplied information
    element data supported in scheduled scans.

    Signed-off-by: Luciano Coelho
    Signed-off-by: John W. Linville

    Luciano Coelho
     
  • Some chips can scan more SSIDs with a single scheduled scan command
    than with a single normal scan command (e.g. wl12xx chips).

    To support this, this patch creates a separate hardware description
    element that describes the amount of SSIDs supported in scheduled
    scans.

    Signed-off-by: Luciano Coelho
    Signed-off-by: John W. Linville

    Luciano Coelho
     
  • Since we now have the necessary API in place to support
    GTK rekeying, applications will need to know whether it
    is supported by a device. Add a pseudo-trigger that is
    used only to advertise that capability. Also, add some
    new triggers that match what iwlagn devices can do.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     

12 Jul, 2011

1 commit


08 Jul, 2011

1 commit


07 Jul, 2011

1 commit

  • In certain circumstances, like WoWLAN scenarios,
    devices may implement (partial) GTK rekeying on
    the device to avoid waking up the host for it.

    In order to successfully go through GTK rekeying,
    the KEK, KCK and the replay counter are required.

    Add API to let the supplicant hand the parameters
    to the driver which may store it for future GTK
    rekey operations.

    Note that, of course, if GTK rekeying is done by
    the device, the EAP frame must not be passed up
    to userspace, instead a rekey event needs to be
    sent to let userspace update its replay counter.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     

06 Jul, 2011

2 commits

  • If the 'driver_initiated' function argument to
    __cfg80211_stop_sched_scan() is not 0 then we'll return an
    uninitialized 'err' from the function.

    Signed-off-by: Jesper Juhl
    Signed-off-by: John W. Linville

    Jesper Juhl
     
  • There was a deadlock when rfkill-blocking a wireless interface,
    because we were locking the rdev mutex on NETDEV_GOING_DOWN to stop
    sched_scans that were eventually running. The rfkill block code was
    already holding a mutex under rdev:

    kernel: =======================================================
    kernel: [ INFO: possible circular locking dependency detected ]
    kernel: 3.0.0-rc1-00049-g1fa7b6a #57
    kernel: -------------------------------------------------------
    kernel: kworker/0:1/4525 is trying to acquire lock:
    kernel: (&rdev->mtx){+.+.+.}, at: [] cfg80211_netdev_notifier_call+0x131/0x5b0
    kernel:
    kernel: but task is already holding lock:
    kernel: (&rdev->devlist_mtx){+.+.+.}, at: [] cfg80211_rfkill_set_block+0x4f/0xa0
    kernel:
    kernel: which lock already depends on the new lock.

    To fix this, add a new mutex specifically for sched_scan, to protect
    the sched_scan_req element in the rdev struct, instead of using the
    global rdev mutex.

    Reported-by: Duane Griffin
    Signed-off-by: Luciano Coelho
    Signed-off-by: John W. Linville

    Luciano Coelho
     

29 Jun, 2011

1 commit


28 Jun, 2011

1 commit

  • Sometimes when reporting a MIC failure rx->key may be unset. This
    code path is hit when receiving a packet meant for a multicast
    address, and decryption is performed in HW.

    Fortunately, the failing key_idx is not used for anything up to
    (and including) usermode, so we allow ourselves to drop it on the
    way up when a key cannot be retrieved.

    Signed-off-by: Arik Nemtsov
    Cc: stable@kernel.org
    Signed-off-by: John W. Linville

    Arik Nemtsov
     

23 Jun, 2011

1 commit

  • Use the new consistent dump feature from (generic) netlink
    to advertise when dumps are incomplete.

    Readers may note that this does not initialize the
    rdev->bss_generation counter to a non-zero value. This is
    still OK since the value is modified only under spinlock
    when the list is modified. Since the dump code holds the
    spinlock, the value will either be > 0 already, or the
    list will still be empty in which case a consistent dump
    will actually be made (and be empty).

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     

11 Jun, 2011

2 commits


08 Jun, 2011

2 commits


02 Jun, 2011

3 commits

  • The channel survey information will be empty for
    disabled channels so simply discard those entries.

    Signed-off-by: Luis R. Rodriguez
    Signed-off-by: John W. Linville

    Luis R. Rodriguez
     
  • This adds dump support to testmode. The testmode
    dump support in nl80211 requires using two of the
    six cb->args, the rest can be used by the driver
    to figure out where the dump position is at or to
    store other data across invocations.

    Signed-off-by: Wey-Yi Guy
    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Wey-Yi Guy
     
  • Commit 0a35d36 ("cfg80211: Use capability info to detect mesh beacons")
    assumed that probe response with both ESS and IBSS bits cleared
    means that the frame was sent by a mesh sta.

    However, these capabilities are also being used in the p2p_find phase,
    and the mesh-validation broke it.

    Rename the WLAN_CAPABILITY_IS_MBSS macro, and verify that mesh IEs
    exist before assuming this frame was sent by a mesh sta.

    Signed-off-by: Eliad Peller
    Signed-off-by: John W. Linville

    Eliad Peller
     

28 May, 2011

1 commit


27 May, 2011

1 commit

  • In both trigger_scan and sched_scan operations, we were checking for
    the SSID length before assigning the value correctly. Since the
    memory was just kzalloc'ed, the check was always failing and SSIDs with
    over 32 characters were allowed to go through.

    This was causing a buffer overflow when copying the actual SSID to the
    proper place.

    This bug has been there since 2.6.29-rc4.

    Cc: stable@kernel.org
    Signed-off-by: Luciano Coelho
    Signed-off-by: John W. Linville

    Luciano Coelho
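The bug in this commit is an ordering error rather than a missing check: the length test looked at the destination field of a structure that had just been zero-allocated, so it compared 0 against the limit and could never reject anything. The following added example, which is not the kernel's code, reduces that predicate to a function that shows it never fires, beside the corrected ordering that tests the incoming attribute length before the copy. The structure layout, the attribute view, MAX_SCAN_SSIDS and the sample SSID bytes are constructed for the example; IEEE80211_MAX_SSID_LEN is the 32-octet limit the commit refers to.

```c
/*
 * Added example (not the kernel's code): why a bounds check on the
 * destination field of a freshly zeroed structure never fires, and the
 * corrected ordering that checks the incoming length before copying.
 * Struct layout, attribute view and sample SSIDs are constructed here.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IEEE80211_MAX_SSID_LEN 32   /* an SSID is at most 32 octets */
#define MAX_SCAN_SSIDS 4            /* assumed array size for this example */

struct scan_ssid {
	uint8_t ssid[IEEE80211_MAX_SSID_LEN];
	uint8_t ssid_len;
};

struct scan_request {
	struct scan_ssid ssids[MAX_SCAN_SSIDS];
	int n_ssids;
};

/* Minimal view of one nested attribute: its payload and byte length. */
struct attr_view {
	const uint8_t *data;
	size_t len;
};

/*
 * The original ordering, reduced to its predicate. The request was just
 * zero-allocated, so ssid_len is 0 and the comparison cannot reject
 * anything, whatever the incoming attribute length is. Returns 1 if the
 * check would have rejected the attribute; it never does.
 */
int buggy_check_rejects(size_t incoming_len)
{
	struct scan_request *req = calloc(1, sizeof(*req));
	int rejected;

	if (!req)
		return -ENOMEM;
	(void)incoming_len; /* never consulted by the check: this is the bug */
	rejected = req->ssids[0].ssid_len > IEEE80211_MAX_SSID_LEN;
	free(req);
	return rejected;
}

/*
 * Corrected ordering: validate the source length against the destination
 * capacity, then copy, then record the length. Returns 0 or -EINVAL.
 */
int copy_scan_ssids(struct scan_request *req, const struct attr_view *attrs, size_t n)
{
	if (n > MAX_SCAN_SSIDS)
		return -EINVAL;

	for (size_t i = 0; i < n; i++) {
		if (attrs[i].len > IEEE80211_MAX_SSID_LEN)
			return -EINVAL;          /* reject before any memcpy */
		memcpy(req->ssids[i].ssid, attrs[i].data, attrs[i].len);
		req->ssids[i].ssid_len = (uint8_t)attrs[i].len;
	}
	req->n_ssids = (int)n;
	return 0;
}

/* Feed one constructed SSID of the given length (up to 64) through the fix. */
int fixed_check_result(size_t incoming_len)
{
	uint8_t buf[64];
	struct attr_view a = { buf, incoming_len };
	struct scan_request req;

	if (incoming_len > sizeof(buf))
		return -EINVAL;
	memset(buf, 'A', sizeof(buf));
	memset(&req, 0, sizeof(req));
	return copy_scan_ssids(&req, &a, 1);
}

int main(void)
{
	printf("buggy check rejects 33-byte SSID? %d\n", buggy_check_rejects(33));
	printf("fixed path, 33-byte SSID: %d\n", fixed_check_result(33));
	printf("fixed path, 32-byte SSID: %d\n", fixed_check_result(32));
	return 0;
}
```

The general lesson is that a length check must be applied to the value that is about to drive the copy; testing a field that has not been assigned yet is equivalent to having no check at all.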
     

25 May, 2011

1 commit


20 May, 2011

1 commit

  • Some stack variables (named *ssid and *channel) are only used to define
    the size of the memory block that needs to be allocated for the
    request structure in the nl80211_trigger_scan() and
    nl80211_start_sched_scan() functions.

    This is unnecessary because the sizes of the actual elements in the
    structure can be used instead.

    Signed-off-by: Luciano Coelho
    Signed-off-by: John W. Linville

    Luciano Coelho
     

19 May, 2011

1 commit

  • cfg80211 scan code adds separate BSS entries if the same BSS shows up
    on multiple channels. However, sme implementation does not use the
    frequency when fetching the BSS entry. Fix this by adding channel
    information to cfg80211_roamed() and include it in cfg80211_get_bss()
    calls.

    Please note that drivers using cfg80211_roamed() need to be modified to
    fully implement this fix. This commit includes only minimal changes to
    avoid compilation issues; it maintains the old (broken) behavior for
    most drivers. ath6kl was the only one that I could test, so I updated
    it to provide the operating frequency in the roamed event.

    Signed-off-by: Jouni Malinen
    Signed-off-by: John W. Linville

    Jouni Malinen
     

17 May, 2011

4 commits

  • …wireless-next-2.6 into for-davem

    Conflicts:
    drivers/net/wireless/iwlwifi/iwl-agn-tx.c
    net/mac80211/sta_info.h

    John W. Linville
     
  • Currently the devices that have already stripped IEEE 802.11
    header from the AMSDU SKB can not use ieee80211_amsdu_to_8023s
    routine. This patch enhances ieee80211_amsdu_to_8023s() API by
    changing mandatory removing of IEEE 802.11 header from AMSDU
    to optional.

    Signed-off-by: Yogesh Ashok Powar
    Signed-off-by: Bing Zhao
    Signed-off-by: John W. Linville

    Yogesh Ashok Powar
     
  • These definitions need to be exposed now that we can set the peer link
    states via NL80211_ATTR_STA_PLINK_STATE. They were already being
    (opaquely) reported by NL80211_STA_INFO_PLINK_STATE.

    Signed-off-by: Javier Cardona
    Signed-off-by: John W. Linville

    Javier Cardona
     
  • Add the ability to advertise interface combinations in nl80211.
    This allows the driver to indicate what the combinations are
    that it supports. "Combinations" of just a single interface are
    implicit, as previously. Note that cfg80211 will enforce that
    the restrictions are met, but not for all drivers yet (once all
    drivers are updated, we can remove the flag and enforce for all).

    When no combinations are actually supported, an empty list will
    be exported so that userspace can know if the kernel exported
    this info or not (although it isn't clear to me what tools using
    the info should do if the kernel didn't export it).

    Since some interface types are purely virtual/software and don't
    fit the restrictions, those are exposed in a new list of pure SW
    types, not subject to restrictions. This mainly exists to handle
    AP-VLAN and monitor interfaces in mac80211.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     

13 May, 2011

2 commits

  • When sched_scan_stopped was called by the driver, mac80211 calls
    cfg80211, which in turn was calling mac80211 back with a flag
    "driver_initiated". This flag was used so that mac80211 would do the
    necessary cleanup but would not call the driver. This was enough to
    prevent the bounce back between the driver and mac80211, but not
    between mac80211 and cfg80211.

    To fix this, we now do the cleanup in mac80211 before calling
    cfg80211. To help with locking issues, the workqueue was moved from
    cfg80211 to mac80211.

    Reported-by: Johannes Berg
    Signed-off-by: Luciano Coelho
    Signed-off-by: John W. Linville

    Luciano Coelho
     
  • Multiple virtual AP interfaces can currently try
    to use different beacon intervals, but that just
    leads to problems since it won't actually be done
    that way by drivers. Return an error in this case
    to make sure it won't be done wrong.

    Also, ignore attempts to change the DTIM period
    or beacon interval during the lifetime of the BSS.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville

    Johannes Berg
     

12 May, 2011

1 commit