1. 01 Dec, 2009 2 commits
    • mac80211: fix spurious delBA handling · 827d42c9
      Committed by Johannes Berg
      Lennert Buytenhek noticed that delBA handling in mac80211
      was broken and has remotely triggerable problems, some of
      which are due to some code shuffling I did that ended up
      changing the order in which things were done -- this was
      
        commit d75636ef
        Author: Johannes Berg <johannes@sipsolutions.net>
        Date:   Tue Feb 10 21:25:53 2009 +0100
      
          mac80211: RX aggregation: clean up stop session
      
      and other parts were already present in the original
      
        commit d92684e6
        Author: Ron Rindjunsky <ron.rindjunsky@intel.com>
        Date:   Mon Jan 28 14:07:22 2008 +0200
      
            mac80211: A-MPDU Tx add delBA from recipient support
      
      The first problem is that I moved a BUG_ON before various
      checks -- thereby making it possible to hit. As the comment
      indicates, the BUG_ON can be removed since the ampdu_action
      callback must already exist when the state is != IDLE.
      
      The second problem isn't easily exploitable but there's a
      race condition due to unconditionally setting the state to
      OPERATIONAL when a delBA frame is received, even when no
      aggregation session was ever initiated. All the drivers
      accept stopping the session even then, but that opens a
      race window where crashes could happen before the driver
      accepts it. Right now, a WARN_ON may happen with non-HT
      drivers, while the race opens only for HT drivers.
      
      For this case, there are two things necessary to fix it:
       1) don't process spurious delBA frames, and be more careful
          about the session state; don't drop the lock
      
       2) HT drivers need to be prepared to handle a session stop
          even before the session was really started -- this is
          true for all drivers (that support aggregation) but
          iwlwifi which can be fixed easily. The other HT drivers
          (ath9k and ar9170) are behaving properly already.
      Reported-by: Lennert Buytenhek <buytenh@marvell.com>
      Cc: stable@kernel.org
      Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • mac80211: fix two remote exploits · 4253119a
      Committed by Johannes Berg
      Lennert Buytenhek noticed a remotely triggerable problem
      in mac80211, which is due to some code shuffling I did
      that ended up changing the order in which things were
      done -- this was in
      
        commit d75636ef
        Author: Johannes Berg <johannes@sipsolutions.net>
        Date:   Tue Feb 10 21:25:53 2009 +0100
      
          mac80211: RX aggregation: clean up stop session
      
      The problem is that the BUG_ON moved before the various
      checks, and as such can be triggered.
      
      As the comment indicates, the BUG_ON can be removed since
      the ampdu_action callback must already exist when the
      state is OPERATIONAL.
      
      A similar code path leads to a WARN_ON in
      ieee80211_stop_tx_ba_session, which can also be removed.
      
      Cc: stable@kernel.org [2.6.29+]
      Cc: Lennert Buytenhek <buytenh@marvell.com>
      Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
  2. 19 Nov, 2009 1 commit
    • mac80211: fix addba timer (again...) · 8ade0082
      Committed by Johannes Berg
      commit 2171abc5
        Author: Johannes Berg <johannes@sipsolutions.net>
        Date:   Thu Oct 29 08:34:00 2009 +0100
      
            mac80211: fix addba timer
      
      left a problem in there, even if the timer was
      never started it could be deleted and then added.
      
      Linus pointed out that del_timer_sync() isn't
      actually needed if we make the timer able to
      deal with no longer being needed when it gets
      queued _while_ we're in the locked section that
      also deletes it. For that the timer function only
      needs to check the HT_ADDBA_RECEIVED_MSK bit as
      well as the HT_ADDBA_REQUESTED_MSK bit, only if
      the former is clear should it do anything.
      
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
  3. 31 Oct, 2009 1 commit
  4. 14 Aug, 2009 1 commit
    • mac80211: fix panic when splicing unprepared TIDs · 416fbdff
      Committed by Luis R. Rodriguez
      We splice skbs from the pending queue for a TID
      onto the local pending queue when tearing down a
      block ack request. This is not necessary unless we
      actually have received a request to start a block ack
      request (rate control, for example). If we never received
      that request we should not be splicing the tid pending
      queue as it would be null, causing a panic.
      
      Not sure yet how exactly we allowed through a call when the
      tid state does not have at least HT_ADDBA_REQUESTED_MSK set,
      that will require some further review as it is not quite
      obvious.
      
      For more information see the bug report:
      
      http://bugzilla.kernel.org/show_bug.cgi?id=13922
      
      This fixes this oops:
      
      BUG: unable to handle kernel NULL pointer dereference at 00000030
      IP: [<f8806c70>] ieee80211_agg_splice_packets+0x40/0xc0 [mac80211]
      *pdpt = 0000000002d1e001 *pde = 0000000000000000
      Thread overran stack, or stack corrupted
      Oops: 0000 [#1] SMP
      last sysfs file: /sys/module/aes_generic/initstate
      Modules linked in: <bleh>
      
      Pid: 0, comm: swapper Not tainted (2.6.31-rc5-wl #2) Dell DV051
      EIP: 0060:[<f8806c70>] EFLAGS: 00010292 CPU: 0
      EIP is at ieee80211_agg_splice_packets+0x40/0xc0 [mac80211]
      EAX: 00000030 EBX: 0000004c ECX: 00000003 EDX: 00000000
      ESI: c1c98000 EDI: f745a1c0 EBP: c076be58 ESP: c076be38
       DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
      Process swapper (pid: 0, ti=c076a000 task=c0709160 task.ti=c076a000)
      Stack: <bleh2>
      Call Trace:
       [<f8806edb>] ? ieee80211_stop_tx_ba_cb+0xab/0x150 [mac80211]
       [<f8802f1e>] ? ieee80211_tasklet_handler+0xce/0x110 [mac80211]
       [<c04862ff>] ? net_rx_action+0xef/0x1d0
       [<c0149378>] ? tasklet_action+0x58/0xc0
       [<c014a0f2>] ? __do_softirq+0xc2/0x190
       [<c018eb48>] ? handle_IRQ_event+0x58/0x140
       [<c01205fe>] ? ack_apic_level+0x7e/0x270
       [<c014a1fd>] ? do_softirq+0x3d/0x40
       [<c014a345>] ? irq_exit+0x65/0x90
       [<c010a6af>] ? do_IRQ+0x4f/0xc0
       [<c014a35d>] ? irq_exit+0x7d/0x90
       [<c011d547>] ? smp_apic_timer_interrupt+0x57/0x90
       [<c01094a9>] ? common_interrupt+0x29/0x30
       [<c010fd9e>] ? mwait_idle+0xbe/0x100
       [<c0107e42>] ? cpu_idle+0x52/0x90
       [<c054b1a5>] ? rest_init+0x55/0x60
       [<c077492d>] ? start_kernel+0x315/0x37d
       [<c07743ce>] ? unknown_bootoption+0x0/0x1f9
       [<c0774099>] ? i386_start_kernel+0x79/0x81
      Code: <bleh3>
      EIP: [<f8806c70>] ieee80211_agg_splice_packets+0x40/0xc0 [mac80211] SS:ESP 0068:c076be38
      CR2: 0000000000000030
      
      Cc: stable@kernel.org
      Tested-by: Jack Lau <jackelectronics@hotmail.com>
      Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
  5. 25 Jul, 2009 1 commit
  6. 11 Jun, 2009 1 commit
  7. 07 May, 2009 1 commit
  8. 28 Mar, 2009 4 commits
    • mac80211/iwlwifi: move virtual A-MPDU queue bookkeeping to iwlwifi · e4e72fb4
      Committed by Johannes Berg
      This patch removes all the virtual A-MPDU-queue bookkeeping from
      mac80211. Curiously, iwlwifi already does its own bookkeeping, so
      it doesn't require much changes except where it needs to handle
      starting and stopping the queues in mac80211.
      
      To handle the queue stop/wake properly, we rewrite the software
      queue number for aggregation frames and internally to iwlwifi keep
      track of the queues that map into the same AC queue, and only talk
      to mac80211 about the AC queue. The implementation requires calling
      two new functions, iwl_stop_queue and iwl_wake_queue instead of the
      mac80211 counterparts.
      Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
      Cc: Reinette Chatre <reinette.chatre@intel.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • mac80211: fix aggregation to not require queue stop · cd8ffc80
      Committed by Johannes Berg
      Instead of stopping the entire AC queue when enabling aggregation
      (which was only done for hardware with aggregation queues) buffer
      the packets for each station, and release them to the pending skb
      queue once aggregation is turned on successfully.
      
      We get a little more code, but it becomes conceptually simpler and
      we can remove the entire virtual queue mechanism from mac80211 in
      a follow-up patch.
      
      This changes how mac80211 behaves towards drivers that support
      aggregation but have no hardware queues -- those drivers will now
      not be handed packets while the aggregation session is being
      established, but only after it has been fully established.
      Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • mac80211: unify and fix TX aggregation start · b1720231
      Committed by Johannes Berg
      When TX aggregation becomes operational, we do a number of steps:
       1) print a debug message
       2) wake the virtual queue
       3) notify the driver
      
      Unfortunately, 1) and 3) are only done if the driver is first to
      reply to the aggregation request, it is, however, possible that the
      remote station replies before the driver! Thus, unify the code for
      this and call the new function ieee80211_agg_tx_operational in both
      places where TX aggregation can become operational.
      
      Additionally, rename the driver notification from
      IEEE80211_AMPDU_TX_RESUME to IEEE80211_AMPDU_TX_OPERATIONAL.
      Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • mac80211: Tear down aggregation sessions for suspend/resume · 722f069a
      Committed by Sujith
      When the driver has been notified with a STA_REMOVE, it tears down
      the internal ADDBA state. On resume, trying to initiate aggregation would
      fail because mac80211 has not cleared the operational state for that <TID,STA>.
      This can be fixed by tearing down the existing sessions on a suspend.
      
      Also, the driver can initiate a new BA session when suspend is in progress.
      This is fixed by marking the station as being in suspend state and
      denying ADDBA requests for such STAs.
      Signed-off-by: Sujith <Sujith.Manoharan@atheros.com>
      Acked-by: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
  9. 28 Feb, 2009 2 commits
    • mac80211: split IBSS/managed code · 46900298
      Committed by Johannes Berg
      This patch splits out the ibss code and data from managed (station) mode.
      The reason to do this is to better separate the state machines, and have
      the code be contained better so it gets easier to determine what exactly
      a given change will affect, that in turn makes it easier to understand.
      
      This is quite some churn, especially because I split sdata->u.sta into
      sdata->u.mgd and sdata->u.ibss, but I think it's easier to maintain that
      way. I've also shuffled around some code -- null function sending is only
      applicable to managed interfaces so put that into that file, some other
      functions are needed from various places so put them into util, and also
      rearranged the prototypes in ieee80211_i.h accordingly.
      Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • mac80211: fix aggregation for hardware with ampdu queues · 96f5e66e
      Committed by Johannes Berg
      Hardware with AMPDU queues currently has broken aggregation.
      
      This patch fixes it by making all A-MPDUs go over the regular AC queues,
      but keeping track of the hardware queues in mac80211. As a first rough
      version, it actually stops the AC queue for extended periods of time,
      which can be removed by adding buffering internal to mac80211, but is
      currently not a huge problem because people rarely use multiple TIDs
      that are in the same AC (and iwlwifi currently doesn't operate as AP).
      
      This is a short-term fix, my current medium-term plan, which I hope to
      execute soon as well, but am not sure can finish before .30, looks like
      this:
       1) rework the internal queuing layer in mac80211 that we use for
          fragments if the driver stopped queue in the middle of a fragmented
          frame to be able to queue more frames at once (rather than just a
          single frame with its fragments)
       2) instead of stopping the entire AC queue, queue up the frames in a
          per-station/per-TID queue during aggregation session initiation,
          when the session has come up take all those frames and put them
          onto the queue from 1)
       3) push the ampdu queue layer abstraction this patch introduces in
          mac80211 into the driver, and remove the virtual queue stuff from
          mac80211 again
      
      This plan will probably also affect ath9k in that mac80211 queues the
      frames instead of passing them down, even when there are no ampdu queues.
      Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
  10. 14 Feb, 2009 6 commits
  11. 30 Jan, 2009 4 commits
  12. 13 Jan, 2009 1 commit
  13. 20 Dec, 2008 1 commit
  14. 26 Nov, 2008 1 commit
  15. 11 Nov, 2008 1 commit
  16. 01 Nov, 2008 3 commits
    • mac80211: Re-enable aggregation · 8b30b1fe
      Committed by Sujith
      Wireless HW without any dedicated queues for aggregation
      do not need the ampdu_queues mechanism present right now
      in mac80211. Since mac80211 is still incomplete wrt TX MQ
      changes, do not allow aggregation sessions for drivers that
      set ampdu_queues.
      
      This is only an interim hack until Intel fixes the requeue issue.
      Signed-off-by: Sujith <Sujith.Manoharan@atheros.com>
      Signed-off-by: Luis Rodriguez <Luis.Rodriguez@Atheros.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • mac80211: rewrite HT handling · ae5eb026
      Committed by Johannes Berg
      The HT handling has the following deficiencies, which I've
      (partially) fixed:
       * it always uses the AP info even if there is no AP,
         hence has no chance of working as an AP
       * it pretends to be HW config, but really is per-BSS
       * channel sanity checking is left to the drivers
       * it generally lets the driver control too much
      
      HT enabling is still wrong with this patch if you have more than
      one virtual STA mode interface, but that never happens currently.
      Once WDS, IBSS or AP/VLAN gets HT capabilities, it will also be
      wrong, see the comment in ieee80211_enable_ht().
      
      Additionally, this fixes a number of bugs:
       * mac80211: ieee80211_set_disassoc doesn't notify the driver any
                   more since the refactoring
       * iwl-agn-rs: always uses the HT capabilities from the wrong stuff
                     mac80211 gives it rather than the actual peer STA
       * ath9k: a number of bugs resulting from the broken HT API
      
      I'm not entirely happy with putting the HT capabilities into
      struct ieee80211_sta as restricted to our own HT TX capabilities,
      but I see no cleaner solution for now.
      Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • 802.11: clean up/fix HT support · d9fe60de
      Committed by Johannes Berg
      This patch cleans up a number of things:
       * the unusable definition of the HT capabilities/HT information
         information elements
       * variable names that are hard to understand
       * mac80211: move ieee80211_handle_ht to ht.c and remove the unused
                   enable_ht parameter
       * mac80211: fix bug with MCS rate 32 in ieee80211_handle_ht
       * mac80211: fix bug with casting the result of ieee80211_bss_get_ie
                   to an information element _contents_ rather than the
                   whole element, add size checking (another out-of-bounds
                   access bug fixed!)
       * mac80211: remove some unused return values in favour of BUG_ON
                   checking
       * a few minor other things
      Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
  17. 28 Oct, 2008 1 commit
  18. 16 Sep, 2008 2 commits
  19. 12 Sep, 2008 4 commits