15 Mar, 2014
1 commit
-
Conflicts:
drivers/net/usb/r8152.c
drivers/net/xen-netback/netback.cBoth the r8152 and netback conflicts were simple overlapping
changes.Signed-off-by: David S. Miller
14 Mar, 2014
1 commit
-
…wireless-next into for-davem
Conflicts:
drivers/net/wireless/ath/ath9k/recv.c
08 Mar, 2014
1 commit
-
…wireless into for-davem
06 Mar, 2014
1 commit
-
Conflicts:
drivers/net/wireless/ath/ath9k/recv.c
drivers/net/wireless/mwifiex/pcie.c
net/ipv6/sit.cThe SIT driver conflict consists of a bug fix being done by hand
in 'net' (missing u64_stats_init()) whilst in 'net-next' a helper
was created (netdev_alloc_pcpu_stats()) which takes care of this.The two wireless conflicts were overlapping changes.
Signed-off-by: David S. Miller
05 Mar, 2014
2 commits
-
Avoid leaking data by sending uninitialized memory and setting an
invalid (non-zero) fragment number (the sequence number is ignored
anyway) by setting the seq_ctrl field to zero.Cc: stable@vger.kernel.org
Fixes: 3f52b7e328c5 ("mac80211: mesh power save basics")
Fixes: ce662b44ce22 ("mac80211: send (QoS) Null if no buffered frames")
Reviewed-by: Emmanuel Grumbach
Signed-off-by: Johannes Berg -
Conflicts:
drivers/net/wireless/ath/ath9k/recv.c
drivers/net/wireless/mwifiex/pcie.c
04 Mar, 2014
1 commit
-
…wireless into for-davem
03 Mar, 2014
1 commit
-
When calculating the current max bw required for
a channel context, we didn't consider the virtual
monitor interface, resulting in its channel context
being narrower than configured.This broke monitor mode with iwlmvm, which uses the
minimal width.Reported-by: Ido Yariv
Signed-off-by: Eliad Peller
Signed-off-by: Johannes Berg
28 Feb, 2014
2 commits
-
…wireless into for-davem
-
When a VHT network uses 20 or 40 MHz as per the HT operation
information, the channel center frequency segment 0 field in
the VHT operation information is reserved, so ignore it.This fixes association with such networks when the AP puts 0
into the field, previously we'd disconnect due to an invalid
channel with the message
wlan0: AP VHT information is invalid, disable VHTCc: stable@vger.kernel.org
Fixes: f2d9d270c15ae ("mac80211: support VHT association")
Reported-by: Tim Nelson
Signed-off-by: Johannes Berg
24 Feb, 2014
1 commit
-
The MLME code in mac80211 must track whether or not the AP changed
bandwidth, but if there's no change while tracking it shouldn't do
anything, otherwise regulatory updates can make it impossible to
connect to certain APs if the regulatory database doesn't match the
information from the AP. See the precise scenario described in the
code.This still leaves some possible problems with CSA or if the AP
actually changed bandwidth, but those cases are less common and
won't completely prevent using it.This fixes https://bugzilla.kernel.org/show_bug.cgi?id=70881
Cc: stable@vger.kernel.org
Reported-and-tested-by: Nate Carlson
Signed-off-by: Johannes Berg
21 Feb, 2014
3 commits
-
Error codes returned by cfg80211_chandef_dfs_required() are ignored
when trying to join an IBSS. Fix this by printing an error and
returning.Signed-off-by: Luciano Coelho
Signed-off-by: Johannes Berg -
Previously we were warning and using automatic when a driver sent an
update request with SMPS off. This patch makes it possible for
drivers to disable SMPS at runtime, for whatever reason.Signed-off-by: Luciano Coelho
Signed-off-by: Johannes Berg -
…wireless-next into for-davem
20 Feb, 2014
6 commits
-
In order to solve races with sched_scan_stop, it is necessary
for the driver to be able to return an error to propagate that
to cfg80211 so it doesn't send an event.Reviewed-by: Alexander Bondar
Signed-off-by: Johannes Berg -
While framing the TDLS Setup Confirmation frame, the driver needs to
know if the TDLS peer is VHT/HT/WMM capable and thus shall construct
the VHT/HT operation / WMM parameter elements accordingly. Supplicant
determines if the TDLS peer is VHT/HT/WMM capable based on the
presence of the respective IEs in the received TDLS Setup Response frame.The host driver should not need to parse the received TDLS Response
frame and thus, should be able to rely on the supplicant to indicate
the capability of the peer through additional flags while transmitting
the TDLS Setup Confirmation frame through tdls_mgmt operations.Signed-off-by: Sunil Dutt Undekari
Signed-off-by: Johannes Berg -
Consider the following (relatively unlikely) scenario:
1) station goes to sleep while frames are buffered in driver
2) driver blocks wakeup (until no more frames are buffered)
3) station wakes up again
4) driver unblocks wakeupIn this case, the current mac80211 code will do the following:
1) WLAN_STA_PS_STA set
2) WLAN_STA_PS_DRIVER set
3) - nothing -
4) WLAN_STA_PS_DRIVER clearedAs a result, no frames will be delivered to the client, even
though it is awake, until it sends another frame to us that
triggers ieee80211_sta_ps_deliver_wakeup() in sta_ps_end().Since we now take the PS spinlock, we can fix this while at
the same time removing the complexity with the pending skb
queue function. This was broken since my commit 50a9432daeec
("mac80211: fix powersaving clients races") due to removing
the clearing of WLAN_STA_PS_STA in the RX path.While at it, fix a cleanup path issue when a station is
removed while the driver is still blocking its wakeup.Signed-off-by: Johannes Berg
-
There's a race condition in mac80211 because we add stations
to the internal lists after adding them to the driver, which
means that (for example) the following can happen:
1. a station connects and is added
2. first, it is added to the driver
3. then, it is added to the mac80211 listsIf the station goes to sleep between steps 2 and 3, and the
firmware/hardware records it as being asleep, mac80211 will
never instruct the driver to wake it up again as it never
realized it went to sleep since the RX path discarded the
frame as a "spurious class 3 frame", no station entry was
present yet.Fix this by adding the station in software first, and only
then adding it to the driver. That way, any state that the
driver changes will be reflected properly in mac80211's
station state. The problematic part is the roll-back if the
driver fails to add the station, in that case a bit more is
needed. To not make that overly complex prevent starting BA
sessions in the meantime.Signed-off-by: Johannes Berg
-
There is a race between the TX path and the STA wakeup: while
a station is sleeping, mac80211 buffers frames until it wakes
up, then the frames are transmitted. However, the RX and TX
path are concurrent, so the packet indicating wakeup can be
processed while a packet is being transmitted.This can lead to a situation where the buffered frames list
is emptied on the one side, while a frame is being added on
the other side, as the station is still seen as sleeping in
the TX path.As a result, the newly added frame will not be send anytime
soon. It might be sent much later (and out of order) when the
station goes to sleep and wakes up the next time.Additionally, it can lead to the crash below.
Fix all this by synchronising both paths with a new lock.
Both path are not fastpath since they handle PS situations.In a later patch we'll remove the extra skb queue locks to
reduce locking overhead.BUG: unable to handle kernel
NULL pointer dereference at 000000b0
IP: [] ieee80211_report_used_skb+0x11/0x3e0 [mac80211]
*pde = 00000000
Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
EIP: 0060:[] EFLAGS: 00210282 CPU: 1
EIP is at ieee80211_report_used_skb+0x11/0x3e0 [mac80211]
EAX: e5900da0 EBX: 00000000 ECX: 00000001 EDX: 00000000
ESI: e41d00c0 EDI: e5900da0 EBP: ebe458e4 ESP: ebe458b0
DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
CR0: 8005003b CR2: 000000b0 CR3: 25a78000 CR4: 000407d0
DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
DR6: ffff0ff0 DR7: 00000400
Process iperf (pid: 3934, ti=ebe44000 task=e757c0b0 task.ti=ebe44000)
iwlwifi 0000:02:00.0: I iwl_pcie_enqueue_hcmd Sending command LQ_CMD (#4e), seq: 0x0903, 92 bytes at 3[3]:9
Stack:
e403b32c ebe458c4 00200002 00200286 e403b338 ebe458cc c10960bb e5900da0
ff76a6ec ebe458d8 00000000 e41d00c0 e5900da0 ebe458f0 ff6f1b75 e403b210
ebe4598c ff723dc1 00000000 ff76a6ec e597c978 e403b758 00000002 00000002
Call Trace:
[] ieee80211_free_txskb+0x15/0x20 [mac80211]
[] invoke_tx_handlers+0x1661/0x1780 [mac80211]
[] ieee80211_tx+0x75/0x100 [mac80211]
[] ieee80211_xmit+0x8f/0xc0 [mac80211]
[] ieee80211_subif_start_xmit+0x4fe/0xe20 [mac80211]
[] dev_hard_start_xmit+0x450/0x950
[] sch_direct_xmit+0xa9/0x250
[] __qdisc_run+0x4b/0x150
[] dev_queue_xmit+0x2c2/0xca0Cc: stable@vger.kernel.org
Reported-by: Yaara Rozenblum
Signed-off-by: Emmanuel Grumbach
Reviewed-by: Stanislaw Gruszka
[reword commit log, use a separate lock]
Signed-off-by: Johannes Berg
17 Feb, 2014
1 commit
-
Add a new argument for ndo_select_queue() callback that passes a
fallback handler. This gets invoked through netdev_pick_tx();
fallback handler is currently __netdev_pick_tx() as most drivers
invoke this function within their customized implementation in
case for skbs that don't need any special handling. This fallback
handler can then be replaced on other call-sites with different
queue selection methods (e.g. in packet sockets, pktgen etc).This also has the nice side-effect that __netdev_pick_tx() is
then only invoked from netdev_pick_tx() and export of that
function to modules can be undone.Suggested-by: David S. Miller
Signed-off-by: Daniel Borkmann
Signed-off-by: David S. Miller
14 Feb, 2014
1 commit
13 Feb, 2014
1 commit
-
NAPI was originally added to mac80211 a long time ago (by John in
commit 4e6cbfd09c66 in July 2010), but then removed years later
(by Stanislaw in commit 30c97120c6c7 in February 2013). No driver
ever used it, so that was fine.Now I'm adding support for NAPI to our driver, so add some code
to mac80211 again to support NAPI. John was originally wrapping
some (but not nearly all NAPI-related functions), but that doesn't
scale very well with the number of functions that are there, some
of which are even only inlines. Thus, instead of doing that, let
the drivers manage the NAPI struct, except for napi_add() which is
needed so mac80211 knows how to call napi_gro_receive().Also remove some no longer needed definitions that were left when
NAPI support was removed.Reviewed-by: Emmanuel Grumbach
Reviewed-by: Eyal Shapira
Signed-off-by: Johannes Berg
12 Feb, 2014
3 commits
-
Create a function to return a descriptive string for each reason code,
and print that in addition to the numeric value in the kernel log. These
codes are easily found on popular search engines, but one is generally
not able to access the internet when dealing with wireless connectivity
issues.Signed-off-by: Calvin Owens
[use 'unknown' rather than 'invalid' since more valid codes exist]
Signed-off-by: Johannes Berg -
There's no need to start iterating the list only to break on the
first item, just use !list_empty() and also simplify the whole
conditional into a single expression.Signed-off-by: Johannes Berg
-
Improves reliability of wifi connections with WPA, since authentication
frames are prioritized over normal traffic and also typically exempt
from aggregation.Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau
Signed-off-by: Johannes Berg
11 Feb, 2014
5 commits
-
Remove size of SSID IE from the IE buffer in scan and
sched scan, since this IE isn't added to this buffer.Reviewed-by: Eliad Peller
Reviewed-by: Emmanuel Grumbach
Reviewed-by: Alexander Bondar
Signed-off-by: David Spinadel
Signed-off-by: Johannes Berg -
In case ieee80211_prep_connection() fails to dereference
sdata->vif.chanctx_conf, the function returns and doesn't
free new_sta. fixed.Signed-off-by: Eytan Lifshitz
Signed-off-by: Johannes Berg -
In case we were not suspended, the reconfig function returns without
configuring the scheduled scan.Signed-off-by: Arik Nemtsov
Signed-off-by: Johannes Berg -
Add beacon_loss debugfs file that emulates
ieee80211_beacon_loss call from the driver.This can be used for various testing scenarios.
Signed-off-by: Eliad Peller
Signed-off-by: Johannes Berg -
In case of beacon_loss with IEEE80211_HW_CONNECTION_MONITOR
device, mac80211 probes the ap (and disconnects on timeout)
but ignores the ack.If we already got an ack, there's no reason to continue
disconnecting. this can help devices that supports
IEEE80211_HW_CONNECTION_MONITOR only partially (e.g. take
care of keep alives, but does not probe the ap.In case the device wants to disconnect without probing,
it can just call ieee80211_connection_loss.Signed-off-by: Eliad Peller
Signed-off-by: Johannes Berg
06 Feb, 2014
9 commits
-
We already have a band variable, so the new one is just
shadowing it, but the existing one already holds the
same value so just remove the inner one.Signed-off-by: Johannes Berg
-
During channel context assignment, the interface should
be found by interface iteration, so we need to assign the
pointer before the channel context.Reported-by: Emmanuel Grumbach
Tested-by: Emmanuel Grumbach
Signed-off-by: Johannes Berg -
The "new" fragmentation code (since my rewrite almost 5 years ago)
erroneously sets skb->len rather than using skb_trim() to adjust
the length of the first fragment after copying out all the others.
This leaves the skb tail pointer pointing to after where the data
originally ended, and thus causes the encryption MIC to be written
at that point, rather than where it belongs: immediately after the
data.The impact of this is that if software encryption is done, then
a) encryption doesn't work for the first fragment, the connection
becomes unusable as the first fragment will never be properly
verified at the receiver, the MIC is practically guaranteed to
be wrong
b) we leak up to 8 bytes of plaintext (!) of the packet out into
the airThis is only mitigated by the fact that many devices are capable
of doing encryption in hardware, in which case this can't happen
as the tail pointer is irrelevant in that case. Additionally,
fragmentation is not used very frequently and would normally have
to be configured manually.Fix this by using skb_trim() properly.
Cc: stable@vger.kernel.org
Fixes: 2de8e0d999b8 ("mac80211: rewrite fragmentation")
Reported-by: Jouni Malinen
Signed-off-by: Johannes Berg -
Currently, when a station leaves an IBSS network, the
corresponding BSS is not dropped from cfg80211 if there are
other active stations in the network. But, the small
window that is present when trying to determine a station's
status based on IEEE80211_IBSS_MERGE_INTERVAL introduces
a race.Instead of trying to keep the BSS, always remove it when
leaving an IBSS network. There is not much benefit to retain
the BSS entry since it will be added with a subsequent join
operation.This fixes an issue where a dangling BSS entry causes ath9k
to wait for a beacon indefinitely.Cc:
Reported-by: Simon Wunderlich
Signed-off-by: Sujith Manoharan
Signed-off-by: Johannes Berg -
When the driver cannot start the AP or when the assignement
of the beacon goes wrong, we need to unassign the vif.Cc: stable@vger.kernel.org
Signed-off-by: Emmanuel Grumbach
Signed-off-by: Johannes Berg -
sdata->u.ap.request_smps_work can’t be flushed synchronously
under wdev_lock(wdev) since ieee80211_request_smps_ap_work
itself locks the same lock.
While at it, reset the driver_smps_mode when the ap is
stopped to its default: OFF.This solves:
======================================================
[ INFO: possible circular locking dependency detected ]
3.12.0-ipeer+ #2 Tainted: G O
-------------------------------------------------------
rmmod/2867 is trying to acquire lock:
((&sdata->u.ap.request_smps_work)){+.+...}, at: [] flush_work+0x0/0x90but task is already holding lock:
(&wdev->mtx){+.+.+.}, at: [] cfg80211_stop_ap+0x26/0x230 [cfg80211]which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&wdev->mtx){+.+.+.}:
[] lock_acquire+0x79/0xe0
[] mutex_lock_nested+0x4a/0x360
[] ieee80211_request_smps_ap_work+0x2b/0x50 [mac80211]
[] process_one_work+0x198/0x450
[] worker_thread+0xf9/0x320
[] kthread+0x9f/0xb0
[] ret_from_kernel_thread+0x1b/0x28-> #0 ((&sdata->u.ap.request_smps_work)){+.+...}:
[] __lock_acquire+0x183f/0x1910
[] lock_acquire+0x79/0xe0
[] flush_work+0x47/0x90
[] __cancel_work_timer+0x67/0xe0
[] cancel_work_sync+0xf/0x20
[] ieee80211_stop_ap+0x8c/0x340 [mac80211]
[] cfg80211_stop_ap+0x8c/0x230 [cfg80211]
[] cfg80211_leave+0x79/0x100 [cfg80211]
[] cfg80211_netdev_notifier_call+0xf2/0x4f0 [cfg80211]
[] notifier_call_chain+0x59/0x130
[] __raw_notifier_call_chain+0x1e/0x30
[] raw_notifier_call_chain+0x1f/0x30
[] call_netdevice_notifiers_info+0x33/0x70
[] call_netdevice_notifiers+0x13/0x20
[] __dev_close_many+0x34/0xb0
[] dev_close_many+0x6e/0xc0
[] rollback_registered_many+0xa7/0x1f0
[] unregister_netdevice_many+0x14/0x60
[] ieee80211_remove_interfaces+0xe9/0x170 [mac80211]
[] ieee80211_unregister_hw+0x56/0x110 [mac80211]
[] iwl_op_mode_mvm_stop+0x26/0xe0 [iwlmvm]
[] _iwl_op_mode_stop+0x3a/0x70 [iwlwifi]
[] iwl_opmode_deregister+0x6f/0x90 [iwlwifi]
[] __exit_compat+0xd/0x19 [iwlmvm]
[] SyS_delete_module+0x179/0x2b0
[] sysenter_do_call+0x12/0x32Fixes: 687da132234f ("mac80211: implement SMPS for AP")
Cc: [3.13]
Reported-by: Ilan Peer
Signed-off-by: Emmanuel Grumbach
Signed-off-by: Johannes Berg -
ieee80211_start_roc_work() might add a new roc
to existing roc, and tell cfg80211 it has already
started.However, this might happen before the roc cookie
was set, resulting in REMAIN_ON_CHANNEL (started)
event with null cookie. Consequently, it can make
wpa_supplicant go out of sync.Fix it by setting the roc cookie earlier.
Cc: stable@vger.kernel.org
Signed-off-by: Eliad Peller
Signed-off-by: Johannes Berg -
This capabilities weren't propagated to the radiotap header.
We don't set here the VHT_KNOWN / MCS_HAVE flag because not
all the low level drivers will know how to properly flag
the frames, hence the low level driver will be in charge
of setting IEEE80211_RADIOTAP_MCS_HAVE_FEC,
IEEE80211_RADIOTAP_MCS_HAVE_STBC and / or
IEEE80211_RADIOTAP_VHT_KNOWN_STBC according to its
capabilities.Signed-off-by: Emmanuel Grumbach
Signed-off-by: Johannes Berg -
ieee80211_rx_status.flags is full. Define a new vht_flag
variable to be able to set more VHT related flags and make
room in flags.Signed-off-by: Emmanuel Grumbach
Acked-by: Kalle Valo [ath10k]
Signed-off-by: Johannes Berg
