1. 09 12月, 2010 1 次提交
    • H
      mac80211: Fix BUG in pskb_expand_head when transmitting shared skbs · 7e244707
      Helmut Schaa 提交于
      mac80211 doesn't handle shared skbs correctly at the moment. As a result
      a possible resize can trigger a BUG in pskb_expand_head.
      
      [  676.030000] Kernel bug detected[#1]:
      [  676.030000] Cpu 0
      [  676.030000] $ 0   : 00000000 00000000 819662ff 00000002
      [  676.030000] $ 4   : 81966200 00000020 00000000 00000020
      [  676.030000] $ 8   : 819662e0 800043c0 00000002 00020000
      [  676.030000] $12   : 3b9aca00 00000000 00000000 00470000
      [  676.030000] $16   : 80ea2000 00000000 00000000 00000000
      [  676.030000] $20   : 818aa200 80ea2018 80ea2000 00000008
      [  676.030000] $24   : 00000002 800ace5c
      [  676.030000] $28   : 8199a000 8199bd20 81938f88 80f180d4
      [  676.030000] Hi    : 0000026e
      [  676.030000] Lo    : 0000757e
      [  676.030000] epc   : 801245e4 pskb_expand_head+0x44/0x1d8
      [  676.030000]     Not tainted
      [  676.030000] ra    : 80f180d4 ieee80211_skb_resize+0xb0/0x114 [mac80211]
      [  676.030000] Status: 1000a403    KERNEL EXL IE
      [  676.030000] Cause : 10800024
      [  676.030000] PrId  : 0001964c (MIPS 24Kc)
      [  676.030000] Modules linked in: mac80211_hwsim rt2800lib rt2x00soc rt2x00pci rt2x00lib mac80211 crc_itu_t crc_ccitt cfg80211 compat arc4 aes_generic deflate ecb cbc [last unloaded: rt2800pci]
      [  676.030000] Process kpktgend_0 (pid: 97, threadinfo=8199a000, task=81879f48, tls=00000000)
      [  676.030000] Stack : ffffffff 00000000 00000000 00000014 00000004 80ea2000 00000000 00000000
      [  676.030000]         818aa200 80f180d4 ffffffff 0000000a 81879f78 81879f48 81879f48 00000018
      [  676.030000]         81966246 80ea2000 818432e0 80f1a420 80203050 81814d98 00000001 81879f48
      [  676.030000]         81879f48 00000018 81966246 818432e0 0000001a 8199bdd4 0000001c 80f1b72c
      [  676.030000]         80203020 8001292c 80ef4aa2 7f10b55d 801ab5b8 81879f48 00000188 80005c90
      [  676.030000]         ...
      [  676.030000] Call Trace:
      [  676.030000] [<801245e4>] pskb_expand_head+0x44/0x1d8
      [  676.030000] [<80f180d4>] ieee80211_skb_resize+0xb0/0x114 [mac80211]
      [  676.030000] [<80f1a420>] ieee80211_xmit+0x150/0x22c [mac80211]
      [  676.030000] [<80f1b72c>] ieee80211_subif_start_xmit+0x6f4/0x73c [mac80211]
      [  676.030000] [<8014361c>] pktgen_thread_worker+0xfac/0x16f8
      [  676.030000] [<8002ebe8>] kthread+0x7c/0x88
      [  676.030000] [<80008e0c>] kernel_thread_helper+0x10/0x18
      [  676.030000]
      [  676.030000]
      [  676.030000] Code: 24020001  10620005  2502001f <0200000d> 0804917a  00000000  2502001f  00441023  00531021
      
      Fix this by making a local copy of shared skbs prior to mangeling them.
      To avoid copying the skb unnecessarily move the skb_copy call below the
      checks that don't need write access to the skb.
      
      Also, move the assignment of nh_pos and h_pos below the skb_copy to point
      to the correct skb.
      
      It would be possible to avoid another resize of the copied skb by using
      skb_copy_expand instead of skb_copy but that would make the patch more
      complex. Also, shared skbs are a corner case right now, so the resize
      shouldn't matter much.
      
      Cc: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: NHelmut Schaa <helmut.schaa@googlemail.com>
      Cc: stable@kernel.org
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      7e244707
  2. 07 12月, 2010 1 次提交
  3. 30 11月, 2010 1 次提交
    • J
      mac80211: Fix frame injection using non-AP vif · 7dff3125
      Jouni Malinen 提交于
      In order for frame injection to work properly for some use cases
      (e.g., finding the station entry and keys for encryption), mac80211
      needs to find the correct sdata entry. This works when the main vif
      is in AP mode, but commit a2c1e3da
      broke this particular use case for station main vif. While this type of
      injection is quite unusual operation, it has some uses and we should fix
      it. Do this by changing the monitor vif sdata selection to allow station
      vif to be selected instead of limiting it to just AP vifs. We still need
      to skip some iftypes to avoid selecting unsuitable vif for injection.
      Signed-off-by: NJouni Malinen <jouni.malinen@atheros.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      7dff3125
  4. 17 11月, 2010 2 次提交
  5. 07 10月, 2010 1 次提交
  6. 06 10月, 2010 1 次提交
  7. 15 9月, 2010 1 次提交
  8. 28 8月, 2010 3 次提交
  9. 26 8月, 2010 2 次提交
  10. 17 8月, 2010 1 次提交
  11. 29 7月, 2010 1 次提交
  12. 27 7月, 2010 1 次提交
    • J
      mac80211: fix sta assignment · ec25acc4
      Johannes Berg 提交于
      I just had the following:
      WARNING: at drivers/net/wireless/iwlwifi/iwl-agn-tx.c:574 iwlagn_tx_skb+0x1576/0x15f0 [iwlagn]()
      Call Trace:
       <IRQ>  [<ffffffff8105c5df>] warn_slowpath_common+0x7f/0xc0
       [<ffffffff8105c63a>] warn_slowpath_null+0x1a/0x20
       [<ffffffffa0290b46>] iwlagn_tx_skb+0x1576/0x15f0 [iwlagn]
       [<ffffffffa027076c>] iwl_mac_tx+0x5c/0x260 [iwlagn]
       [<ffffffffa01bdf5b>] __ieee80211_tx+0x10b/0x1a0 [mac80211]
       [<ffffffffa01bfb86>] ieee80211_tx_pending+0x186/0x2d0 [mac80211]
       [<ffffffff81062ea5>] tasklet_action+0x125/0x130
       [<ffffffff810634a6>] __do_softirq+0x106/0x270
       [<ffffffff8100c09c>] call_softirq+0x1c/0x30
      iwlagn 0000:02:00.0: Attempting to modify non-existing station 107
      
      Note that 107 == 0x6b which is slab poison.
      
      The reason is that mac80211 passed a freed station
      pointer to mac80211, because as it happened iwlwifi
      reset itself while mac80211 was disconnecting from
      the network.
      
      It turns out that we do take care to look up the
      station pointer in ieee80211_tx_pending_skb, but
      then don't use it, which obviously is a bug. Fix
      this by removing the ieee80211_tx_h_sta handler
      and assigning the station pointer directly.
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      ec25acc4
  13. 15 6月, 2010 2 次提交
  14. 08 5月, 2010 1 次提交
  15. 28 4月, 2010 1 次提交
    • S
      mac80211: fix rts threshold check · a2c40249
      Shanyu Zhao 提交于
      Currently whenever rts thresold is set, every packet will use RTS
      protection no matter its size exceeds the threshold or not. This is
      due to a bug in the rts threshold check.
      	if (len > tx->local->hw.wiphy->rts_threshold) {
      		txrc.rts = rts = true;
      	}
      Basically it is comparing an int (len) and a u32 (rts_threshold),
      and the variable len is assigned as:
      	len = min_t(int, tx->skb->len + FCS_LEN,
      			 tx->local->hw.wiphy->frag_threshold);
      However, when frag_threshold is "-1", len is always "-1", which is
      0xffffffff therefore rts is always set to true.
      
      CC: stable@kernel.org
      Signed-off-by: NShanyu Zhao <shanyu.zhao@intel.com>
      Reviewed-by: NJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      a2c40249
  16. 20 4月, 2010 1 次提交
  17. 08 4月, 2010 1 次提交
  18. 01 4月, 2010 1 次提交
    • J
      mac80211: Fix BIP to be used only with group-addressed frames · ecbcd324
      Jouni Malinen 提交于
      BIP (part of IEEE 802.11w) is only supposed to be used with
      group-addressed frames. We ended up picking it as a default mechanism
      for every management whenever we did not have a STA entry for the
      destination (e.g., for Probe Response to a STA that is not
      associated). While the extra MMIE in the end of management frames
      should not break frames completed in most cases, there is no point in
      doing this. Fix key selection to pick the default management key only
      if the frame is sent to multicast/broadcast address and the frame is a
      robust management frame.
      Signed-off-by: NJouni Malinen <j@w1.fi>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      ecbcd324
  19. 31 3月, 2010 1 次提交
    • J
      mac80211: move netdev queue enabling to correct spot · 7236fe29
      Johannes Berg 提交于
      "mac80211: fix skb buffering issue" still left a race
      between enabling the hardware queues and the virtual
      interface queues. In hindsight it's totally obvious
      that enabling the netdev queues for a hardware queue
      when the hardware queue is enabled is wrong, because
      it could well possible that we can fill the hw queue
      with packets we already have pending. Thus, we must
      only enable the netdev queues once all the pending
      packets have been processed and sent off to the device.
      
      In testing, I haven't been able to trigger this race
      condition, but it's clearly there, possibly only when
      aggregation is being enabled.
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Cc: stable@kernel.org
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      7236fe29
  20. 25 3月, 2010 1 次提交
  21. 09 2月, 2010 2 次提交
    • J
      mac80211: allow station add/remove to sleep · 34e89507
      Johannes Berg 提交于
      Many drivers would like to sleep during station
      addition and removal, and currently have a high
      complexity there from not being able to.
      
      This introduces two new callbacks sta_add() and
      sta_remove() that drivers can implement instead
      of using sta_notify() and that can sleep, and
      the new sta_add() callback is also allowed to
      fail.
      
      The reason we didn't do this previously is that
      the IBSS code wants to insert stations from the
      RX path, which is a tasklet, so cannot sleep.
      This patch will keep the station allocation in
      that path, but moves adding the station to the
      driver out of line. Since the addition can now
      fail, we can have IBSS peer structs the driver
      rejected -- in that case we still talk to the
      station but never tell the driver about it in
      the control.sta pointer. If there will ever be
      a driver that has a low limit on the number of
      stations and that cannot talk to any stations
      that are not known to it, we need to do come up
      with a new strategy of handling larger IBSSs,
      maybe quicker expiry or rejecting peers.
      Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      34e89507
    • J
      wireless: update radiotap parser · 33e5a2f7
      Johannes Berg 提交于
      Upstream radiotap has adopted the namespace
      proposal David Young made and I then took care
      of, for which I had adapted the radiotap parser
      as a library outside the kernel. This brings
      the in-kernel parser up to speed.
      Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      33e5a2f7
  22. 02 2月, 2010 2 次提交
  23. 26 1月, 2010 1 次提交
    • J
      mac80211: fix sw crypto · 382b1655
      Johannes Berg 提交于
      What a stupid mistake. In
      
          commit 813d7669
          Author: Johannes Berg <johannes@sipsolutions.net>
          Date:   Sun Jan 17 01:47:58 2010 +0100
      
              mac80211: move control.hw_key assignment
      
      I inserted code testing the wrong flags field,
      which means that the test is almost always true
      (it's really testing for the peer's WMM support)
      and thus the later parts of the stack assume hw
      crypto will be done even if that's not true.
      
      Obviously, that broke software crypto. Maxim
      said so specifically, and Jochen probably uses
      some cipher that iwl3945 doesn't support in
      hardware, which might also explain that Maxim
      reports that even hw crypto is broken.
      
      Fix this to test the right flags field.
      Reported-by: NMaxim Levitsky <maximlevitsky@gmail.com>
      Reported-by: NJochen Friedrich <jochen@scram.de>
      Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      382b1655
  24. 24 1月, 2010 1 次提交
  25. 23 1月, 2010 1 次提交
  26. 20 1月, 2010 4 次提交
  27. 13 1月, 2010 4 次提交
    • K
      mac80211: check uapsd state for dynamic power save · 0c74211d
      Kalle Valo 提交于
      To make U-APSD client mode effective, we must not wake up from dynamic power
      save when transmitting frames. So if dynamic power save is enabled, it needs
      check the queue the transmitted packet is in and decide if we need to wake
      up or not.
      
      In a perfect world, where all packets would have correct QoS tags, U-APSD
      enabled queues should not trigger wakeup from power save. But in the real
      world, where very few packets have correct QoS tags, this won't work. For
      example, if only voip class has U-APSD enabled and we send a packet in voip
      class, but the packets we receive are in best effort class, we would receive
      the packets with the legacy power save method. And that would increase
      latencies too much from a voip application point of view.
      
      The workaround is to enable U-APSD for all qeueus and still use dynamic ps
      wakeup for all other queues except voip. That way we can still save power
      with a voip application and not sacrifice latency. Normal traffic (in
      background, best effort or video class) would still trigger wakeup from
      dynamic power save.
      Signed-off-by: NKalle Valo <kalle.valo@nokia.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      0c74211d
    • K
      mac80211: create tx handler for dynamic ps · 5c1b98a5
      Kalle Valo 提交于
      Currently dynamic ps check is in ieee80211_xmit(), but it's cleaner
      to have a separate tx handler for this. Also this is a prerequisite for
      U-APSD client mode which needs to know the queue frame is in.
      
      Also need_dynamic_ps() function is embedded to the tx handler.
      
      No functional changes expect that the code is run in a later phase than
      originally.
      Signed-off-by: NKalle Valo <kalle.valo@nokia.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      5c1b98a5
    • F
      mac80211: do not transmit frames on unconfigured 4-addr vlan interfaces · 3f0e0b22
      Felix Fietkau 提交于
      If frames are transmitted on 4-addr ap vlan interfaces with no station,
      they end up being transmitted unencrypted, even if the ap interface
      uses WPA. This patch add some sanity checking to make sure that this
      does not happen.
      Signed-off-by: NFelix Fietkau <nbd@openwrt.org>
      Cc: stable@kernel.org
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      3f0e0b22
    • K
      mac80211: create Probe Request template · 05e54ea6
      Kalle Valo 提交于
      Certain type of hardware, for example wl1251 and wl1271, need a template
      for the Probe Request. Create a function ieee80211_probereq_get() which
      creates the template and drivers send it to hardware.
      Signed-off-by: NKalle Valo <kalle.valo@nokia.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      05e54ea6