Key locking simplification removed key->sdata != NULL verification from
ieee80211_key_free(). While that is fine for most use cases, there is one
path where this function can be called with an unlinked key (i.e.,
key->sdata == NULL && key->local == NULL). This results in a NULL pointer
dereference with the current implementation. This is known to happen at
least with FT protocol when wpa_supplicant tries to configure the key
before association.

Avoid the issue by passing in the local pointer to
ieee80211_key_free(). In addition, do not clear the key from hw_accel
or debugfs if it has not yet been added. At least the hw_accel one could
trigger another NULL pointer dereference.
Signed-off-by: NJouni Malinen <j@w1.fi>
Reviewed-by: NJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

In AP mode, there is no need to notify the driver about QoS
changes for the monitor interface that is created. The warning
in ieee80211_bss_info_change_notify() would be hit otherwise.
Signed-off-by: NSujith <Sujith.Manoharan@atheros.com>
Acked-by: NJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

I just had the following:
WARNING: at drivers/net/wireless/iwlwifi/iwl-agn-tx.c:574 iwlagn_tx_skb+0x1576/0x15f0 [iwlagn]()
Call Trace:
 <IRQ>  [<ffffffff8105c5df>] warn_slowpath_common+0x7f/0xc0
 [<ffffffff8105c63a>] warn_slowpath_null+0x1a/0x20
 [<ffffffffa0290b46>] iwlagn_tx_skb+0x1576/0x15f0 [iwlagn]
 [<ffffffffa027076c>] iwl_mac_tx+0x5c/0x260 [iwlagn]
 [<ffffffffa01bdf5b>] __ieee80211_tx+0x10b/0x1a0 [mac80211]
 [<ffffffffa01bfb86>] ieee80211_tx_pending+0x186/0x2d0 [mac80211]
 [<ffffffff81062ea5>] tasklet_action+0x125/0x130
 [<ffffffff810634a6>] __do_softirq+0x106/0x270
 [<ffffffff8100c09c>] call_softirq+0x1c/0x30
iwlagn 0000:02:00.0: Attempting to modify non-existing station 107

Note that 107 == 0x6b which is slab poison.

The reason is that mac80211 passed a freed station
pointer to mac80211, because as it happened iwlwifi
reset itself while mac80211 was disconnecting from
the network.

It turns out that we do take care to look up the
station pointer in ieee80211_tx_pending_skb, but
then don't use it, which obviously is a bug. Fix
this by removing the ieee80211_tx_h_sta handler
and assigning the station pointer directly.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

When wireless extensions are used to control
an encrypted IBSS, we erroneously can try to
set the default management key. Fix this.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

Another remnant of the previous key locking scheme
needs to be removed -- this causes a warning
otherwise as ieee80211_set_default_mgmt_key will
acquire a mutex.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

The "rd" variable isn't needed any more since 4f366c5d
"wireless: only use alpha2 regulatory information from country IE"
Signed-off-by: NDan Carpenter <error27@gmail.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

The intent was to free "msp->ratelist" here.  "msp->sample_table" is
always NULL at this point.
Signed-off-by: NDan Carpenter <error27@gmail.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

"It's not problematic if minstrel gets feedback for rates that it
doesn't have in its list, it should just ignore it. - Felix"
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
Cc: Felix Fietkau <nbd@openwrt.org>

If sta is NULL, we will have problems long before we get here...
Reported-by: NDan Carpenter <error27@gmail.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
Cc: Felix Fietkau <nbd@openwrt.org>

IBSS has never had locking, instead relying on some
memory barriers etc. That's hard to get right, and
I think we had it wrong too until the previous patch.
Since this is not performance sensitive, it doesn't
make sense to have the maintenance overhead of that,
so add proper locking.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

Bob reported a lockdep complaint originating in
the mac80211 IBSS code due to the common work
struct patch. The reason is that the IBSS and
station mode code have different locking orders
for the cfg80211 wdev lock and the work struct
(where "locking" implies running/canceling).

Fix this by simply not canceling the work in
the IBSS code, it is not necessary since when
the REQ_RUN bit is cleared, the work will run
without effect if it runs. When the interface
is set down, it is flushed anyway, so there's
no concern about it running after memory has
been invalidated either.

This fixes
https://bugzilla.kernel.org/show_bug.cgi?id=16419

Additionally, looking into this I noticed that
there's a small window while the IBSS is torn
down in which the work may be rescheduled and
the REQ_RUN bit be set again after leave() has
cleared it when a scan finishes at exactly the
same time. Avoid that by setting the ssid_len
to zero before clearing REQ_RUN which signals
to the scan finish code that this interface is
not active.
Reported-by: NBob Copeland <me@bobcopeland.com>
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

When WEP is not available, we should reject shared
key authentication because it could never succeed.
Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

device_add() is called before adding the phy to the cfg80211 device
list.

So if a userspace program uses sysfs uevents to detect new phy
devices, and queries nl80211 to get phy info, it can get ENODEV even
though the phy exists in sysfs.

An easy workaround is to hold the cfg80211 mutex until the phy is
present in sysfs/cfg80211/debugfs.
Signed-off-by: NMaxime Bizon <mbizon@freebox.fr>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

Change the enable_ertm param to disable_ertm and default value to 0. That
means that L2CAP Extended features are enabled by default now.
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

memmory -> memory
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

Implemented frame reassembly implementation for reassembling fragments
received from stream.
Signed-off-by: NSuraj Sumangala <suraj@atheros.com>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

Modified packet based reassembly function hci_recv_fragment() to use
hci_reassembly()
Signed-off-by: NSuraj Sumangala <suraj@atheros.com>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

Implements feature to reassemble received HCI frames from any input stream
Signed-off-by: NSuraj Sumangala <suraj@atheros.com>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

Additional reassembly buffer to keep track of stream reasembly
Signed-off-by: NSuraj Sumangala <suraj@atheros.com>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

We did some changes on the L2CAP configuration process and its behaviour
is bit different now. That justifies a updated on the L2CAP version.
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

Copyright for the time I worked on L2CAP during the Google Summer of Code
program.
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

Purely a cosmetic change, it doesn't change the code flow.
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

Probably a typo error. We were using the wrong struct to get size.
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

The extended L2CAP features requires that one should initiate a
ConfigReq after send the ConnectionRsp. This patch changes the behaviour
of the configuration process of our stack.
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

L2CAP only deals with ACL links. EINVAL should be returned otherwise.
Signed-off-by: NJoão Paulo Rechi Vita <jprvita@profusion.mobi>
Acked-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

Signed-off-by: NJoão Paulo Rechi Vita <jprvita@profusion.mobi>
Acked-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

Signed-off-by: NJoão Paulo Rechi Vita <jprvita@profusion.mobi>
Acked-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

When the socket is in a bad state EBADFD is more appropriate then EINVAL.
Signed-off-by: NJoão Paulo Rechi Vita <jprvita@profusion.mobi>
Acked-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

When we try to send a message bigger than the outgoing MTU value
EMSGSIZE (message too long) should be returned.
Signed-off-by: NJoão Paulo Rechi Vita <jprvita@profusion.mobi>
Acked-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

It doesn't make sense to have a return value since we always set it
to 0.
Signed-off-by: NJoão Paulo Rechi Vita <jprvita@profusion.mobi>
Acked-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

Return a proper error value if socket is already connected.
Signed-off-by: NJoão Paulo Rechi Vita <jprvita@profusion.mobi>
Acked-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

Now we also check if can push skb userspace just after receive a new
skb instead of only wait the l2cap_busy_work wake up from time to time
to check the local busy condition.
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

backlog queue is the canonical mechanism to avoid race conditions due
interrupts in bottom half context. After the socket lock is released the
net core take care of push all skb in its backlog queue.
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

Using a lock to deal with the ERTM race condition - interruption with
new data from the hci layer - is wrong. We should use the native skb
backlog queue.
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

If such event happens we shall reply with a Command Reject, because we are
not expecting any configure request.
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

When mode is mandatory we shall not send connect request and report this
to the userspace as well.
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

Since now we have checks for the supported mode before on
l2cap_info_rsp we can remove the check for it here.
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>

If our mode is Basic Mode we have to refuse any ConfigRsp that proposes
a different mode.
Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: NMarcel Holtmann <marcel@holtmann.org>