We send direct probe to broadcast address, as some APs do not respond to
unicast PROBE frames when unassociated. Broadcast frames are not acked,
so we can not use that for trigger MLME state machine, but we need to
use old timeout mechanism.

This fixes authentication timed out like below:

[ 1024.671974] wlan6: authenticate with 54:e6:fc:98:63:fe
[ 1024.694125] wlan6: direct probe to 54:e6:fc:98:63:fe (try 1/3)
[ 1024.695450] wlan6: direct probe to 54:e6:fc:98:63:fe (try 2/3)
[ 1024.700586] wlan6: send auth to 54:e6:fc:98:63:fe (try 3/3)
[ 1024.701441] wlan6: authentication with 54:e6:fc:98:63:fe timed out

With fix, we have:

[ 4524.198978] wlan6: authenticate with 54:e6:fc:98:63:fe
[ 4524.220692] wlan6: direct probe to 54:e6:fc:98:63:fe (try 1/3)
[ 4524.421784] wlan6: send auth to 54:e6:fc:98:63:fe (try 2/3)
[ 4524.423272] wlan6: authenticated
[ 4524.423811] wlan6: associate with 54:e6:fc:98:63:fe (try 1/3)
[ 4524.427492] wlan6: RX AssocResp from 54:e6:fc:98:63:fe (capab=0x431 status=0 aid=1)

Cc: stable@vger.kernel.org # 3.9
Signed-off-by: NStanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

Even if the frame isn't transmitted to the AP, we need to
report it to cfg80211 so the state there can be updated
correctly.
Reported-by: NJouni Malinen <j@w1.fi>
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

When an HT AP is advertising channel switch in a beacon, it
doesn't (and shouldn't, according to 802.11-2012 Table 8-20)
include a secondary channel offset element. The only possible
interpretation is that the previous secondary channel offset
remains valid, so use that when switching channel based only
on beacon information.

VHT requires the Wide Bandwidth Channel Switch subelement to
be present in the Channel Switch Wrapper element, so the code
for that is probably ok (see 802.11ac Draft 4, 8.4.2.165.)
Reported-by: NSujith Manoharan <c_manoha@qca.qualcomm.com>
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

Since commit 12e7f517,
IEEE80211_SDATA_DISCONNECT_RESUME no longer worked as
it would simply never be tested. Restore a bit of the
code removed there and in 9b7d72c1
to make it work again.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

Some driver implementations need to know whether mandatory
admission control is required by the AP for some ACs. Add
a parameter to the TX queue parameters indicating this.

As there's currently no support for admission control in
mac80211's AP implementation, it's only ever set for the
client implementation.
Signed-off-by: NAlexander Bondar <alexander.bondar@intel.com>
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

Currently, mac80211 assumes that connection monitor offload
for BSS station implies that the device:
- sends periodic keep alive packets to associated AP
- monitors missed beacons
- actively probes the AP in case of missed beacons

In case of poor connection conditions it expects the function
ieee80211_connection_loss() to be called by driver. However,
some devices implement connection monitor offload excluding
active AP probing.

To allow them to call ieee80211_beacon_loss() cleanly, remove
the warning there and thus allow them to use mac80211 for the
AP probing even if connection monitor offload is supported.
Signed-off-by: NAlexander Bondar <alexander.bondar@intel.com>
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

Parse and react to the wide bandwidth channel switch element
in beacons/action frames. Finding the element was done in a
previous patch (it has different positions in beacons/action
frames), now handle it. If there's something wrong with it
simply disconnect.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

VHT introduces multiple IEs that need to be parsed for a
wide bandwidth channel switch. Two are (currently) needed
in mac80211:
 * wide bandwidth channel switch element
 * channel switch wrapper element

The former is contained in the latter for beacons and probe
responses, but not for the spectrum management action frames
so the IE parser needs a new argument to differentiate them.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

Handle the (public) extended channel switch announcement
action frames. Parts of the data in these frames isn't
really in IEs, but put it into the elems struct anyway
to simplify the handling.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

Add support for the secondary channel offset IE in channel
switch announcements. This is necessary for proper handling
of CSA on HT access points.

For this to work it is also necessary to convert everything
here to use chandef structs instead of just channels. The
driver updates aren't really correct though. In particular,
the TI wl18xx driver update can't possibly be right since
it just ignores the new channel width for lack of firmware
API.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

Support extended channel switch when the operating
class is one of the global operating classes as
defined in Annex E of 802.11-2012. If it isn't,
disconnect from the AP instead.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

CSA action frame content should be processed as variable IEs
rather than fixed to make it extensible. Unify the code and
process them just like CSA in beacons to make it easier to
extend for HT/VHT.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

The field is otherwise reserved, so we shouldn't read
and reject it, though any sane system will probably
have to set it to 0 anyway.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

If authentication (or association with FT) is requested by
userspace, mac80211 currently doesn't tell cfg80211 that it
disconnected from the AP. That leaves inconsistent state:
cfg80211 thinks it's connected while mac80211 thinks it's
not. Typically this won't last long, as soon as mac80211
reports the new association to cfg80211 the old one goes
away. If, however, the new authentication or association
doesn't succeed, then cfg80211 will forever think the old
one still exists and will refuse attempts to authenticate
or associate with the AP it thinks it's connected to.

Anders reported that this leads to it taking a very long
time to reconnect to a network, or never even succeeding.
I tested this with an AP hacked to never respond to auth
frames, and one that works, and with just those two the
system never recovers because one won't work and cfg80211
thinks it's connected to the other so refuses connections
to it.

To fix this, simply make mac80211 tell cfg80211 when it is
no longer connected to the old AP, while authenticating or
associating to a new one.

Cc: stable@vger.kernel.org
Reported-by: NAnders Kaseorg <andersk@mit.edu>
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

Advertise STBC capabilities and MCS rates even if the AP
doesn't support them. This has always been the right thing
to do, but used to be problematic with some APs. Now WFA
testing requires this so re-enable it, problematic APs
would then presumably not pass the test and be fixed.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

The netdev queues should always represent the state that
the driver gave them, so fiddling with them isn't really
appropriate in the mlme code. Also, since we stop queues
for flushing now, this really isn't necessary any more.

As the scan/offchannel code has also been modified to no
longer do this a while ago, remove the outdated smp_mb()
and comments about it.

While at it, also add a pair of braces that was missing.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

It's unlikely that an AP requires WMM mandatory admission control
for all access categories, and if it does then we still transmit
on the background AC without requesting admission. However, avoid
using uAPSD in this case since the implementation could run into
issues and might use other ACs etc.
Signed-off-by: NAlexander Bondar <alexander.bondar@intel.com>
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

Instead of open-coding the accesses and length check do
the length check in the IE parser and assign a struct
pointer for use in the remaining code.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

It's always just one byte, so check for that and
remove the length field from the parser struct.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

It's always just one byte, so check for that and
remove the length field from the parser struct.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

I don't think we should send the events unless it was actually
a beacon that was lost...not just any probe of an AP.
Signed-off-by: NBen Greear <greearb@candelatech.com>
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

Drivers that don't use chanctxes cannot perform VHT association because
they still use a "backward compatibility" pair of {ieee80211_channel,
nl80211_channel_type} in ieee80211_conf and ieee80211_local.
Signed-off-by: NKarl Beldan <karl.beldan@rivierawaves.com>
[fix kernel-doc]
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

mac80211 currently sets uAPSD parameters to have VO AC trigger-
and delivery-enabled, with maximum service period length.

Allow drivers to change these default settings since different
uAPSD client implementations may handle errors differently and
be able to recover from some errors.

Note: some APs may not function correctly if one or all ACs are
trigger- and delivery-enabled, see
http://thread.gmane.org/gmane.linux.kernel.wireless.general/93577.
We retested with this AP and later firmware doesn't have this
bug any more.
Signed-off-by: NAlexander Bondar <alexander.bondar@intel.com>
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

I found another crash when deleting lots of virtual stations
in a congested environment.  I think the problem is that
the ieee80211_mlme_notify_scan_completed could call
ieee80211_restart_sta_timer for a stopped interface
that was about to be deleted.

With the following patch I am unable to reproduce the
crash.
Signed-off-by: NBen Greear <greearb@candelatech.com>
[move check, also make the same change in mesh]
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

Add P2P NoA settings for STA mode.
Signed-off-by: NJanusz Dziedzic <janusz.dziedzic@tieto.com>
[fix docs]
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

Use ieee80211_p2p_noa_attr structure during
P2P_PS (oppps) detection.
Signed-off-by: NJanusz Dziedzic <janusz.dziedzic@tieto.com>
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

On loaded systems with lots of VIFs, I see lots of beacon
timeouts, even though the connection to the AP is very
good.  Allow tuning the beacon-loss-count variable to
give the system longer to process beacons if the user
prefers.
Signed-off-by: NBen Greear <greearb@candelatech.com>
[add the number of beacons to the message]
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

Sometimes queues are flushed in the middle of
operation, which can lead to driver issues.
Stop queues temporarily, while flushing, to
avoid transmitting new packets while they are
being flushed.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

There are a number of situations in which mac80211 only
really needs to flush queues for one virtual interface,
and in fact during this frames might be transmitted on
other virtual interfaces. Calculate and pass a queue
bitmap to the driver so it knows which queues to flush.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

Remove not used any longer suspend/resume code.
Signed-off-by: NStanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

Support the cfg80211 API to override VHT capabilities
on association.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

The VHT MCSes we advertise to the AP were supposed to
be restricted to the AP, but due to a bug in the logic
mac80211 will advertise rates to the AP that aren't
even supported by the local device. To fix this skip
any adjustment if the NSS isn't supported at all.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

Some mlme work structs are not cancelled on disassociation
nor interface deletion, which leads to them running after
the memory has been freed

There is not a clean way to cancel these in the disassociation
logic because they must be canceled outside of the ifmgd->mtx
lock, so just cancel them in mgd_stop logic that tears down
the station.

This fixes the crashes we see in 3.7.9+.  The crash stack
trace itself isn't so helpful, but this warning gives
more useful info:

WARNING: at /home/greearb/git/linux-3.7.dev.y/lib/debugobjects.c:261 debug_print_object+0x7c/0x8d()
ODEBUG: free active (active state 0) object type: work_struct hint: ieee80211_sta_monitor_work+0x0/0x14 [mac80211]
Modules linked in: [...]
Pid: 14743, comm: iw Tainted: G         C O 3.7.9+ #11
Call Trace:
 [<ffffffff81087ef8>] warn_slowpath_common+0x80/0x98
 [<ffffffff81087fa4>] warn_slowpath_fmt+0x41/0x43
 [<ffffffff812a2608>] debug_print_object+0x7c/0x8d
 [<ffffffff812a2bca>] debug_check_no_obj_freed+0x95/0x1c3
 [<ffffffff8114cc69>] slab_free_hook+0x70/0x79
 [<ffffffff8114ea3e>] kfree+0x62/0xb7
 [<ffffffff8149f465>] netdev_release+0x39/0x3e
 [<ffffffff8136ad67>] device_release+0x52/0x8a
 [<ffffffff812937db>] kobject_release+0x121/0x158
 [<ffffffff81293612>] kobject_put+0x4c/0x50
 [<ffffffff8148f0d7>] netdev_run_todo+0x25c/0x27e

Cc: stable@vger.kernel.org
Signed-off-by: NBen Greear <greearb@candelatech.com>
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

Re-order the quiesce code so that timers are always
stopped before work-items are flushed. This was not
the problem I saw, but I think it may still be more
correct.
Signed-off-by: NBen Greear <greearb@candelatech.com>
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

Even when connecting to an AP that doesn't support VHT,
and even when the local device doesn't support it either,
the downgrade message gets printed. Suppress the message
if HT and/or VHT is disabled.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

Make all the parsed IE pointers const, and propagate
the change to all the users etc.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

A while ago, I made the mac80211 station code never change
the channel type after association. This solved a number of
issues but is ultimately wrong, we should react if the AP
changes the HT operation IE and switches bandwidth. One of
the issues is that we associate as HT40 capable, but if the
AP ever switches to 40 MHz we won't be able to receive such
frames because we never set our channel to 40 MHz.

This addresses this and VHT operation changes. If there's a
change that is incompatible with our setup, e.g. if the AP
decides to change the channel entirely (and for some reason
we still hear the beacon) we'll just disconnect.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

The next patch will need it further up in the file, so
move it unchanged now.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

The channel use is confusing, some uses the channel
context and some the bss_conf.chandef. The latter is
fine, so get rid of the channel context part.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>

Having HT/VHT operation IEs but not capability IEs
leads to a strange situation where we configure the
channel to an HT or VHT bandwidth and then can't
actually use it. Prevent this by checking that the
HT and VHT capability IEs are present as well as
the operation IEs; if not, disable HT and/or VHT.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>