06 Feb, 2015
1 commit
-
commit 0fa7b39131576dd1baa6ca17fca53c65d7f62249 upstream.
In case userspace attempts to obtain key information for or delete a
unicast key, this is currently erroneously rejected unless the driver
sets the WIPHY_FLAG_IBSS_RSN flag. Apparently enough drivers do so it
was never noticed.

Fix that, and while at it fix a potential memory leak: the error path
in the get_key() function was placed after allocating a message but
didn't free it - move it to a better place. Luckily admin permissions
are needed to call this operation.

Fixes: e31b82136d1ad ("cfg80211/mac80211: allow per-station GTKs")
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
28 Jan, 2015
4 commits
-
commit 08f6f147773b23b765b94633a8eaa82e7defcf4c upstream.
The VHT supported channel width field is a two bit integer, not a
bitfield. cfg80211_chandef_usable() was interpreting it incorrectly and
ended up rejecting 160 MHz channel width if the driver indicated support
for both 160 and 80+80 MHz channels.

Fixes: 3d9d1d6656a73 ("nl80211/cfg80211: support VHT channel configuration")
(however, no real drivers had 160 MHz support until 3.16)
Signed-off-by: Jouni Malinen
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
-
commit 34f05f543f02350e920bddb7660ffdd4697aaf60 upstream.
In the already-set and intersect case of a driver-hint, the previous
wiphy regdomain was not freed before being reset with a copy of the
cfg80211 regdomain.

Signed-off-by: Arik Nemtsov
Acked-by: Luis R. Rodriguez
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
-
commit 70dcec5a488a7b81779190ac8089475fe4b8b962 upstream.
This can happen and there is no point in adding more
detection code lower in the stack. Catching these in one
single point (cfg80211) is enough. Stop WARNING about this
case.

This fixes:
https://bugzilla.kernel.org/show_bug.cgi?id=89001

Fixes: 2f1c6c572d7b ("cfg80211: process non country IE conflicting first")
Signed-off-by: Emmanuel Grumbach
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
-
commit f89f46cf3a23d8d7c98f924a461fd931e1331746 upstream.
If the userspace passes a malformed sched scan request (or a net
detect wowlan configuration) by adding a NL80211_ATTR_SCHED_SCAN_MATCH
attribute without any nested matchsets, a NULL pointer dereference
will occur. Fix this by checking that we do have matchsets in our
array before trying to access it.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000024
IP: [] nl80211_parse_sched_scan.part.67+0x6e9/0x900 [cfg80211]
PGD 865c067 PUD 865b067 PMD 0
Oops: 0002 [#1] SMP
Modules linked in: iwlmvm(O) iwlwifi(O) mac80211(O) cfg80211(O) compat(O) [last unloaded: compat]
CPU: 2 PID: 2442 Comm: iw Tainted: G O 3.17.2 #31
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
task: ffff880013800790 ti: ffff880008d80000 task.ti: ffff880008d80000
RIP: 0010:[] [] nl80211_parse_sched_scan.part.67+0x6e9/0x900 [cfg80211]
RSP: 0018:ffff880008d838d0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 000000000000143c RSI: 0000000000000000 RDI: ffff880008ee8dd0
RBP: ffff880008d83948 R08: 0000000000000002 R09: 0000000000000019
R10: ffff88001d1b3c40 R11: 0000000000000002 R12: ffff880019e85e00
R13: 00000000fffffed4 R14: ffff880009757800 R15: 0000000000001388
FS: 00007fa3b6d13700(0000) GS:ffff88003e200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000024 CR3: 0000000008670000 CR4: 00000000000006e0
Stack:
ffff880009757800 ffff880000000001 0000000000000000 ffff880008ee84e0
0000000000000000 ffff880009757800 00000000fffffed4 ffff880008d83948
ffffffff814689c9 ffff880009757800 ffff880008ee8000 0000000000000000
Call Trace:
[] ? nla_parse+0xb9/0x120
[] nl80211_set_wowlan+0x75e/0x960 [cfg80211]
[] ? mark_held_locks+0x75/0xa0
[] genl_family_rcv_msg+0x18b/0x360
[] ? trace_hardirqs_on+0xd/0x10
[] genl_rcv_msg+0x84/0xc0
[] ? genl_family_rcv_msg+0x360/0x360
[] netlink_rcv_skb+0xa9/0xd0
[] genl_rcv+0x28/0x40
[] netlink_unicast+0x105/0x180
[] netlink_sendmsg+0x34f/0x7a0
[] ? kvm_clock_read+0x27/0x40
[] sock_sendmsg+0x8d/0xc0
[] ? might_fault+0xb9/0xc0
[] ? might_fault+0x5e/0xc0
[] ? verify_iovec+0x56/0xe0
[] ___sys_sendmsg+0x3d0/0x3e0
[] ? sched_clock_cpu+0x98/0xd0
[] ? __do_page_fault+0x254/0x580
[] ? up_read+0x1f/0x40
[] ? __do_page_fault+0x254/0x580
[] ? __fget_light+0x13d/0x160
[] __sys_sendmsg+0x42/0x80
[] SyS_sendmsg+0x12/0x20
[] system_call_fastpath+0x16/0x1b

Fixes: ea73cbce4e1f ("nl80211: fix scheduled scan RSSI matchset attribute confusion")
Signed-off-by: Luciano Coelho
Signed-off-by: Johannes Berg
Signed-off-by: Greg Kroah-Hartman
28 Oct, 2014
1 commit
-
…ernel/git/jberg/mac80211
Johannes Berg <johannes@sipsolutions.net> says:
"Here are a few fixes for the wireless stack: one fixes the
RTS rate, one for a debugfs file, one to return the correct
channel to userspace, a sanity check for a userspace value
and the remaining two are just documentation fixes."

Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 Oct, 2014
1 commit
-
In kernel we have %*pE specifier to print an escaped buffer. All users
now switched to that approach.

This fixes a bug as well. The current implementation wrongly prints
octal numbers: only two first digits are used in case when 3 are
required and the rest of the string ends up cut off.

Additionally by default the \f, \v, \a, and \e are escaped to their
alphabetic representation. It's safe to do since it is currently used
for messaging only.

Signed-off-by: Andy Shevchenko
Cc: "John W . Linville"
Cc: Johannes Berg
Cc: Greg Kroah-Hartman
Cc: Joe Perches
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
09 Oct, 2014
1 commit
-
The nl80211 channel switch count attribute
(NL80211_ATTR_CH_SWITCH_COUNT) is specified as u32, but the
specification uses u8 for the counter. To make sure strange things
don't happen without informing the user, sanity check the value and
return -EINVAL if it doesn't fit in u8.

Signed-off-by: Luciano Coelho
Signed-off-by: Johannes Berg
27 Sep, 2014
1 commit
-
…inville/wireless-next
John W. Linville says:
====================
pull request: wireless-next 2014-09-22

Please pull this batch of updates intended for the 3.18 stream...
For the mac80211 bits, Johannes says:
"This time, I have some rate minstrel improvements, support for a very
small feature from CCX that Steinar reverse-engineered, dynamic ACK
timeout support, a number of changes for TDLS, early support for radio
resource measurement and many fixes. Also, I'm changing a number of
places to clear key memory when it's freed and Intel claims copyright
for code they developed."

For the bluetooth bits, Johan says:
"Here are some more patches intended for 3.18. Most of them are cleanups
or fixes for SMP. The only exception is a fix for BR/EDR L2CAP fixed
channels which should now work better together with the L2CAP
information request procedure."

For the iwlwifi bits, Emmanuel says:
"I fix here dvm which was broken by my last pull request. Arik
continues to work on TDLS and Luca solved a few issues in CT-Kill. Eyal
keeps digging into rate scaling code, more to come soon. Besides this,
nothing really special here."

Beyond that, there are the usual big batches of updates to ath9k, b43,
mwifiex, and wil6210 as well as a handful of other bits here and there.
Also, rtlwifi gets some btcoexist attention from Larry.

Please let me know if there are problems!
====================

Had to adjust the wil6210 code to comply with Joe Perches's recent
change in net-next to make the netdev_*() routines return void instead
of 'int'.

Signed-off-by: David S. Miller <davem@davemloft.net>
24 Sep, 2014
1 commit
-
Conflicts:
arch/mips/net/bpf_jit.c
drivers/net/can/flexcan.c

Both the flexcan and MIPS bpf_jit conflicts were cases of simple
overlapping changes.

Signed-off-by: David S. Miller
16 Sep, 2014
1 commit
-
…nux/kernel/git/jberg/mac80211-next
Johannes Berg <johannes@sipsolutions.net> says:
"This time, I have some rate minstrel improvements, support for a very
small feature from CCX that Steinar reverse-engineered, dynamic ACK
timeout support, a number of changes for TDLS, early support for radio
resource measurement and many fixes. Also, I'm changing a number of
places to clear key memory when it's freed and Intel claims copyright
for code they developed."

Conflicts:
net/mac80211/iface.c

Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 Sep, 2014
7 commits
-
Add feature bits to indicate device support for
static-smps and dynamic-smps modes.

Add a new NL80211_ATTR_SMPS_MODE attribute to allow
configuring the smps mode to be used by the ap
(e.g. configuring the ap to dynamic smps mode will
reduce power consumption while having minor effect
on throughput)

Signed-off-by: Eliad Peller
Signed-off-by: Emmanuel Grumbach
Signed-off-by: Johannes Berg
-
Userspace might need to know what queues are configured
for uapsd (e.g. for setting proper default values in tspecs).

Add this bitmap to the association event (inside wmm
nested attribute)

Add additional parameter to cfg80211_rx_assoc_resp,
and update its callers.

Signed-off-by: Eliad Peller
Signed-off-by: Emmanuel Grumbach
Signed-off-by: Johannes Berg
-
Add nl80211 and driver API to validate, add and delete traffic
streams with appropriate settings.

The API calls for userspace doing the action frame handshake
with the peer, and then allows only to set up the parameters
in the driver. To avoid setting up a session only to tear it
down again, the validate API is provided, but the real usage
later can still fail so userspace must be prepared for that.

Signed-off-by: Johannes Berg
-
Clear any nl80211 messages that might contain keys after
processing them to avoid leaving their data in memory
"forever" after they've been freed.

Signed-off-by: Johannes Berg
-
There's no need to put the values on the stack, just pass a
pointer to the data in the nl80211 message. This reduces stack
usage and avoids potential issues with putting sensitive data
on the stack.

Signed-off-by: Johannes Berg
-
When freeing the keys stored for wireless extensions, clear the memory
to avoid having the key material stick around in memory "forever".
Similarly, when userspace overwrites a key, actually clear it instead
of just setting the key length to zero.

Signed-off-by: Johannes Berg
-
When freeing the connect keys, clear the memory to avoid
having the key material stick around in memory "forever".

Signed-off-by: Johannes Berg
05 Sep, 2014
5 commits
-
Enable ACK timeout estimation algorithm (dynack) using mac80211
set_coverage_class API. Dynack is activated passing coverage class equals to -1
to lower drivers and it is automatically disabled setting valid value for
coverage class.
Define NL80211_ATTR_WIPHY_DYN_ACK flag attribute to enable dynack from
userspace. In order to activate dynack NL80211_FEATURE_ACKTO_ESTIMATION feature
flag must be set by lower drivers to indicate dynack capability.

Signed-off-by: Lorenzo Bianconi
Signed-off-by: Johannes Berg
-
The regdom intersection code simply tries intersecting
each rule of the source with each rule of the target.

Since the resulting intersections are not observed
as a whole, this can result in multiple overlapping/duplicate
entries.

Make the rule addition a bit smarter, by looking
for rules that can be contained within other rules,
and adding only extended ones.

Signed-off-by: Eliad Peller
Signed-off-by: Emmanuel Grumbach
Signed-off-by: Johannes Berg
-
Add a flag attribute to use in associations, for tagging the target
connection as supporting RRM. It is the responsibility of upper
layers to set this flag only if both the underlying device, and the
target network indeed support RRM.
To be used in ASSOCIATE and CONNECT commands.

Signed-off-by: Assaf Krauss
Signed-off-by: Emmanuel Grumbach
Signed-off-by: Johannes Berg
-
Our legal structure changed at some point (see wikipedia), but
we forgot to immediately switch over to the new copyright
notice.

For files that we have modified in the time since the change,
add the proper copyright notice now.

Signed-off-by: Johannes Berg
Signed-off-by: Emmanuel Grumbach
Signed-off-by: Johannes Berg
-
…nux/kernel/git/jberg/mac80211-next
Johannes Berg <johannes@sipsolutions.net> says:
"Not that much content this time. Some RCU cleanups, crypto
performance improvements, and various patches all over,
rather than listing them one might as well look into the
git log instead."

Signed-off-by: John W. Linville <linville@tuxdriver.com>
Conflicts:
drivers/net/wireless/ath/wil6210/wmi.c
03 Sep, 2014
1 commit
-
In testmode and vendor command reply/event SKBs we use the
skb cb data to store nl80211 parameters between allocation
and sending. This causes the code for CONFIG_NETLINK_MMAP
to get confused, because it takes ownership of the skb cb
data when the SKB is handed off to netlink, and it doesn't
explicitly clear it.

Clear the skb cb explicitly when we're done and before it
gets passed to netlink to avoid this issue.

Cc: stable@vger.kernel.org [this goes way back]
Reported-by: Assaf Azulay
Reported-by: David Spinadel
Signed-off-by: Johannes Berg
26 Aug, 2014
5 commits
-
When using the cfg80211_inform_bss[_width]() functions drivers
cannot currently indicate whether the data was received in a
beacon or probe response. Fix that by passing a new enum that
indicates such (or unknown).

For good measure, use it in ath6kl.
Acked-by: Kalle Valo [ath6kl]
Acked-by: Arend van Spriel [brcmfmac]
Signed-off-by: Johannes Berg
-
There are a few possible cases of where BSS data came from:
1) only a beacon has been received
2) only a probe response has been received
3) the driver didn't report what it received (this happens when
using cfg80211_inform_bss[_width]())
4) both probe response and beacon data has been received

Unfortunately, in the userspace API, a few things weren't there:
a) there was no way to differentiate cases 1) and 4) above
without comparing the data of the IEs
b) the TSF was always from the last frame, instead of being
exposed for beacon/probe response separately like IEs

Fix this by
i) exporting a new flag attribute that indicates whether or
not probe response data has been received - this addresses (a)
ii) exporting a BEACON_TSF attribute that holds the beacon's TSF
if a beacon has been received
iii) not exporting the beacon attributes in case (3) above as that
would just lead userspace into thinking the data actually came
from a beacon when that isn't clear

To implement this, track inside the IEs struct whether or not it
(definitely) came from a beacon.

Reported-by: William Seto
Signed-off-by: Johannes Berg
-
This reverts commit dda444d52496aa8ddc501561bca580f1374a96a9.
Channel switching code has been reworked and
improved significantly since the time original
locking issues were found.

Signed-off-by: Michal Kazior
Signed-off-by: Johannes Berg
-
In the cfg80211_rx_mgmt(), parameter @gfp was used for the memory allocation.
But, memory get allocated under spin_lock_bh(), this implies atomic context.
So, one can't use GFP_KERNEL, only variants with no __GFP_WAIT. Actually, in all
occurrences GFP_ATOMIC is used (wil6210 uses GFP_KERNEL by mistake),
and it should be this way or warning triggered in the memory allocation code.

Remove @gfp parameter as no actual choice exists, and use hard coded
GFP_ATOMIC for memory allocation.

Signed-off-by: Vladimir Kondratiev
Signed-off-by: Johannes Berg
-
Currently it can send regulatory domain change notification before any
NEW_WIPHY notification. Moreover, if rfill_register() fails, calling
wiphy_unregister() will send a DEL_WIPHY though no NEW_WIPHY had been
sent previously.

Thus reordering so it properly notifies NEW_WIPHY before any other.
Signed-off-by: Tomasz Bursztyka
Signed-off-by: John W. Linville
25 Jul, 2014
1 commit
-
Conflicts:
net/mac80211/cfg.c

Signed-off-by: John W. Linville
23 Jul, 2014
1 commit
21 Jul, 2014
2 commits
-
Since "wireless-regdb: remove antenna gain" was merged in the
wireless-regdb tree, the awk script parser has been incompatible
with the 'official' regulatory database. This fixes that up.
Without this change the max EIRP is set to 0 making 802.11 devices
useless.

The fragile nature of the awk parser must be replaced, but ideas
over how to do that in the most scalable way are being reviewed.
In the meantime update the documentation for CFG80211_INTERNAL_REGDB
so folks are aware of expectations for now.

Reported-by: John Walker
Reported-by: Krishna Chaitanya
Signed-off-by: Luis R. Rodriguez
Signed-off-by: Johannes Berg
-
Some VHT TDLS peers (Google Nexus 5) include the VHT-AID IE in their
TDLS setup request/response. Usermode passes this aid as the station
aid, causing it to fail verification, since this happens in the
"set_station" stage. Make an exception for the TDLS use-case.

Signed-off-by: Arik Nemtsov
Reviewed-by: Emmanuel Grumbach
Signed-off-by: Johannes Berg
18 Jul, 2014
1 commit
-
tsc can be NULL (mac80211 currently always passes NULL),
resulting in NULL-dereference. Check before copying it.

Cc: stable@vger.kernel.org
Signed-off-by: Eliad Peller
Signed-off-by: Emmanuel Grumbach
Signed-off-by: Johannes Berg
11 Jul, 2014
1 commit
26 Jun, 2014
1 commit
-
Driver is now responsible for verifying if the
switch is possible.

Since this is inherently tricky driver may decide
to disconnect an interface later with
cfg80211_stop_iface().

This doesn't mean driver can accept everything. It
should do its best to verify requests and reject
them as soon as possible.

Signed-off-by: Michal Kazior
Signed-off-by: Johannes Berg
24 Jun, 2014
1 commit
-
The non-split wiphy state shouldn't be increased in size
so move the new set_qos_map command into the split if
statement.

Cc: stable@vger.kernel.org (3.14+)
Fixes: fa9ffc745610 ("cfg80211: Add support for QoS mapping")
Reviewed-by: Emmanuel Grumbach
Signed-off-by: Johannes Berg
23 Jun, 2014
3 commits
-
The TDLS initiator is set once during link setup. It determines the
address ordering in the link identifier IE.

Fix dependent drivers - mwifiex and mac80211.
Signed-off-by: Arik Nemtsov
Signed-off-by: Johannes Berg
-
MAX_JIFFY_OFFSET has no meaning when calculating the
elapsed jiffies, as jiffies run out until ULONG_MAX.

This miscalculation results in erroneous values
in case of a wrap-around.

Signed-off-by: Eliad Peller
Signed-off-by: Johannes Berg
-
This reverts commit 8eca1fb692cc9557f386eddce75c300a3855d11a.
Felix notes that this broke regulatory, leaving channel 12 open for AP
operation in the US regulatory domain where it isn't permitted.

Link: http://mid.gmane.org/53A6C0FF.9090104@openwrt.org
Reported-by: Felix Fietkau
Signed-off-by: Johannes Berg