- 30 Sep, 2015 1 commit
-
-
Bob Copeland authored
commit 3633ebeb upstream. We already set a station to be associated when peering completes, both in user space and in the kernel. Thus we should always have an associated sta before sending data frames to that station. Failure to check assoc state can cause crashes in the lower-level driver due to transmitting unicast data frames before driver sta structures (e.g. ampdu state in ath9k) are initialized. This occurred when forwarding in the presence of fixed mesh paths: frames were transmitted to stations with whom we hadn't yet completed peering. Reported-by:
Alexis Green <agreen@cococorp.com> Tested-by:
Jesse Jones <jjones@cococorp.com> Signed-off-by:
Bob Copeland <me@bobcopeland.com> Signed-off-by:
Johannes Berg <johannes.berg@intel.com> Signed-off-by:
Jiri Slaby <jslaby@suse.cz>
-
- 12 Mar, 2015 1 commit
-
-
Jouni Malinen authored
commit 9c1c98a3 upstream. The current minstrel_ht rate control behavior is somewhat optimistic in trying to find optimum TX rate. While this is usually fine for normal Data frames, there are cases where a more conservative set of retry parameters would be beneficial to make the connection more robust. EAPOL frames are critical to the authentication and especially the EAPOL-Key message 4/4 (the last message in the 4-way handshake) is important to get through to the AP. If that message is lost, the only recovery mechanism in many cases is to reassociate with the AP and start from scratch. This can often be avoided by trying to send the frame with more conservative rate and/or with more link layer retries. In most cases, minstrel_ht is currently using the initial EAPOL-Key frames for probing higher rates and this results in only five link layer transmission attempts (one at high(ish) MCS and four at MCS0). While this works with most APs, it looks like there are some deployed APs that may have issues with the EAPOL frames using HT MCS immediately after association. Similarly, there may be issues in cases where the signal strength or radio environment is not good enough to be able to get frames through even at couple of MCS 0 tries. The best approach for this would likely to be to reduce the TX rate for the last rate (3rd rate parameter in the set) to a low basic rate (say, 6 Mbps on 5 GHz and 2 or 5.5 Mbps on 2.4 GHz), but doing that cleanly requires some more effort. For now, we can start with a simple one-liner that forces the minimum rate to be used for EAPOL frames similarly how the TX rate is selected for the IEEE 802.11 Management frames. This does result in a small extra latency added to the cases where the AP would be able to receive the higher rate, but taken into account how small number of EAPOL frames are used, this is likely to be insignificant. A future optimization in the minstrel_ht design can also allow this patch to be reverted to get back to the more optimized initial TX rate. It should also be noted that many drivers that do not use minstrel as the rate control algorithm are already doing similar workarounds by forcing the lowest TX rate to be used for EAPOL frames. Reported-by:
Linus Torvalds <torvalds@linux-foundation.org> Tested-by:
Jouni Malinen <jouni@qca.qualcomm.com> Signed-off-by:
-
- 19 Aug, 2014 1 commit
-
-
Johannes Berg authored
commit 08b99399 upstream. This reverts commit 277d916f as it was at least breaking iwlwifi by setting the IEEE80211_TX_CTL_NO_PS_BUFFER flag in all kinds of interface modes, not only for AP mode where it is appropriate. To avoid reintroducing the original problem, explicitly check for probe request frames in the multicast buffering code. Fixes: 277d916f ("mac80211: move "bufferable MMPDU" check to fix AP mode scan") Signed-off-by:
-
- 15 May, 2014 1 commit
-
-
Michael Braun authored
commit 112c44b2 upstream. commit de74a1d9 "mac80211: fix WPA with VLAN on AP side with ps-sta" fixed an issue where queued multicast packets would be sent out encrypted with the key of an other bss. commit "7cbf9d01" "mac80211: fix oops on mesh PS broadcast forwarding" essentially reverted it, because vif.type cannot be AP_VLAN due to the check to vif.type in ieee80211_get_buffered_bc before. As the later commit intended to fix the MESH case, fix it by checking for IFTYPE_AP instead of IFTYPE_AP_VLAN. Fixes: 7cbf9d01 ("mac80211: fix oops on mesh PS broadcast forwarding") Signed-off-by:
Michael Braun <michael-dev@fami-braun.de> Signed-off-by:
-
- 22 Mar, 2014 1 commit
-
-
Emmanuel Grumbach authored
commit 1d147bfa upstream. There is a race between the TX path and the STA wakeup: while a station is sleeping, mac80211 buffers frames until it wakes up, then the frames are transmitted. However, the RX and TX path are concurrent, so the packet indicating wakeup can be processed while a packet is being transmitted. This can lead to a situation where the buffered frames list is emptied on the one side, while a frame is being added on the other side, as the station is still seen as sleeping in the TX path. As a result, the newly added frame will not be send anytime soon. It might be sent much later (and out of order) when the station goes to sleep and wakes up the next time. Additionally, it can lead to the crash below. Fix all this by synchronising both paths with a new lock. Both path are not fastpath since they handle PS situations. In a later patch we'll remove the extra skb queue locks to reduce locking overhead. BUG: unable to handle kernel NULL pointer dereference at 000000b0 IP: [<ff6f1791>] ieee80211_report_used_skb+0x11/0x3e0 [mac80211] *pde = 00000000 Oops: 0000 [#1] SMP DEBUG_PAGEALLOC EIP: 0060:[<ff6f1791>] EFLAGS: 00210282 CPU: 1 EIP is at ieee80211_report_used_skb+0x11/0x3e0 [mac80211] EAX: e5900da0 EBX: 00000000 ECX: 00000001 EDX: 00000000 ESI: e41d00c0 EDI: e5900da0 EBP: ebe458e4 ESP: ebe458b0 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 CR0: 8005003b CR2: 000000b0 CR3: 25a78000 CR4: 000407d0 DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 DR6: ffff0ff0 DR7: 00000400 Process iperf (pid: 3934, ti=ebe44000 task=e757c0b0 task.ti=ebe44000) iwlwifi 0000:02:00.0: I iwl_pcie_enqueue_hcmd Sending command LQ_CMD (#4e), seq: 0x0903, 92 bytes at 3[3]:9 Stack: e403b32c ebe458c4 00200002 00200286 e403b338 ebe458cc c10960bb e5900da0 ff76a6ec ebe458d8 00000000 e41d00c0 e5900da0 ebe458f0 ff6f1b75 e403b210 ebe4598c ff723dc1 00000000 ff76a6ec e597c978 e403b758 00000002 00000002 Call Trace: [<ff6f1b75>] ieee80211_free_txskb+0x15/0x20 [mac80211] [<ff723dc1>] invoke_tx_handlers+0x1661/0x1780 [mac80211] [<ff7248a5>] ieee80211_tx+0x75/0x100 [mac80211] [<ff7249bf>] ieee80211_xmit+0x8f/0xc0 [mac80211] [<ff72550e>] ieee80211_subif_start_xmit+0x4fe/0xe20 [mac80211] [<c149ef70>] dev_hard_start_xmit+0x450/0x950 [<c14b9aa9>] sch_direct_xmit+0xa9/0x250 [<c14b9c9b>] __qdisc_run+0x4b/0x150 [<c149f732>] dev_queue_xmit+0x2c2/0xca0 Reported-by:
Yaara Rozenblum <yaara.rozenblum@intel.com> Signed-off-by:
Emmanuel Grumbach <emmanuel.grumbach@intel.com> Reviewed-by:
Stanislaw Gruszka <sgruszka@redhat.com> [reword commit log, use a separate lock] Signed-off-by:
-
- 22 Feb, 2014 1 commit
-
-
Johannes Berg authored
commit 338f977f upstream. The "new" fragmentation code (since my rewrite almost 5 years ago) erroneously sets skb->len rather than using skb_trim() to adjust the length of the first fragment after copying out all the others. This leaves the skb tail pointer pointing to after where the data originally ended, and thus causes the encryption MIC to be written at that point, rather than where it belongs: immediately after the data. The impact of this is that if software encryption is done, then a) encryption doesn't work for the first fragment, the connection becomes unusable as the first fragment will never be properly verified at the receiver, the MIC is practically guaranteed to be wrong b) we leak up to 8 bytes of plaintext (!) of the packet out into the air This is only mitigated by the fact that many devices are capable of doing encryption in hardware, in which case this can't happen as the tail pointer is irrelevant in that case. Additionally, fragmentation is not used very frequently and would normally have to be configured manually. Fix this by using skb_trim() properly. Fixes: 2de8e0d9 ("mac80211: rewrite fragmentation") Reported-by:
Jouni Malinen <j@w1.fi> Signed-off-by:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
- 15 Jan, 2014 1 commit
-
-
Felix Fietkau authored
commit 277d916f upstream. The check needs to apply to both multicast and unicast packets, otherwise probe requests on AP mode scans are sent through the multicast buffer queue, which adds long delays (often longer than the scanning interval). Signed-off-by:
Felix Fietkau <nbd@openwrt.org> Signed-off-by:
-
- 30 Sep, 2013 1 commit
-
-
Felix Fietkau authored
This allows calls for clients in AP_VLANs (e.g. for 4-addr) to succeed Cc: stable@vger.kernel.org Signed-off-by:
-
- 23 Aug, 2013 1 commit
-
-
Bob Copeland authored
According to 802.11-2012 9.3.2.10, paragraph 4, QoS data frames with a group address in the Address 1 field have sequence numbers allocated from the same counter as non-QoS data and management frames. Without this flag, some drivers may not assign sequence numbers, and in rare cases frames might get dropped. Set the control flag accordingly. Signed-off-by:
Bob Copeland <bob@cozybit.com> Signed-off-by:
-
- 12 Aug, 2013 1 commit
-
-
Johannes Berg authored
A lot of drivers check the frame protocol for ETH_P_PAE, for various reasons (like making those more reliable). Add a new flags bitmap to the TX control info and a new flag indicating the control port protocol is in use to let all drivers also apply such logic to other control port protocols, should they be configured. Also use the new flag in the iwlwifi drivers. Signed-off-by:
-
- 01 Aug, 2013 2 commits
-
-
Simon Wunderlich authored
The count field in CSA must be decremented with each beacon transmitted. This patch implements the functionality for drivers using ieee80211_beacon_get(). Other drivers must call back manually after reaching count == 0. This patch also contains the handling and finish worker for the channel switch command, and mac80211/chanctx code to allow to change a channel definition of an active channel context. Signed-off-by:
Simon Wunderlich <siwu@hrz.tu-chemnitz.de> Signed-off-by:
Mathias Kretschmer <mathias.kretschmer@fokus.fraunhofer.de> [small cleanups, catch identical chandef] Signed-off-by:
-
Fabio Baltieri authored
Change mac80211 LED trigger code to use the generic led_trigger_blink_oneshot() API for transmit and receive activity indication. This gives a better feedback to the user, as with the new API each activity event results in a visible blink, while a constant traffic results in a continuous blink at constant rate. Signed-off-by:
Fabio Baltieri <fabio.baltieri@gmail.com> [fix LED disabled build error] Signed-off-by:
-
- 16 Jul, 2013 3 commits
-
-
Johannes Berg authored
When a driver (like hwsim) uses HW queue control an active monitor vif needs to be used for the queues, make the code do that. Otherwise we'd bail out and drop the frames. Signed-off-by: -
Simon Wunderlich authored
The various components accessing the bitrates table must use consider the used channel bandwidth to select only available rates or calculate the bitrate correctly. There are some rates in reduced bandwidth modes which can't be represented as multiples of 500kbps, like 2.25 MBit/s in 5 MHz mode. The standard suggests to round up to the next multiple of 500kbps, just do that in mac80211 as well. Signed-off-by:
Johannes Berg <johannes@sipsolutions.net>
-
Simon Wunderlich authored
according to IEEE 802.11-2012 section 18, various timings change when using 5 MHz and 10 MHz. Reflect this by using a "shift" when calculating durations. Signed-off-by:
-
- 03 Jun, 2013 1 commit
-
-
Thomas Pedersen authored
nl80211 has already verified the mesh TTL on setting the mesh config, so no need to check it again in mac80211. Signed-off-by:
Thomas Pedersen <thomas@cozybit.com> Signed-off-by:
-
- 29 May, 2013 1 commit
-
-
Johannes Berg authored
If the driver advertised support for a CAB queue, then we should put all multicast frames there, otherwise sending them can be racy with clients going to sleep while we TX a frame. To avoid this, always TX multicast frames on the multicast queue. It seems like even drivers not using the queue framework might want to do this which would mean also moving the IEEE80211_TX_CTL_SEND_AFTER_DTIM flag assignment, but it also seems that drivers behave differently here so that just moving it wouldn't be a good idea. It'd be better to modify those drivers to use the queue framework. Signed-off-by:
-
- 22 Apr, 2013 1 commit
-
-
Felix Fietkau authored
Allow rate control modules to pass a rate selection table to mac80211 and the driver. This allows drivers to fetch the most recent rate selection from the sta pointer for already buffered frames. This allows rate control to respond faster to sudden link changes and it is also a step towards adding minstrel_ht support to drivers like iwlwifi. When a driver sets IEEE80211_HW_SUPPORTS_RC_TABLE, mac80211 will not fill info->control.rates with rates from the rate table (to preserve explicit overrides by the rate control module). The driver then explicitly calls ieee80211_get_tx_rates to merge overrides from info->control.rates with defaults from the sta rate table. Signed-off-by:
-
- 16 Apr, 2013 3 commits
-
-
Felix Fietkau authored
The rates[0] CTS and RTS flags are only set after rate control has been called, so minstrel cannot use them to for setting the number of retries. This patch adds two new flags to explicitly indicate RTS/CTS use. Signed-off-by:
-
Felix Fietkau authored
Currently the code always copies the configured MCS mask (even if it is set to default), but only uses it if legacy rates were also masked out. Fix this by adding a flag that tracks whether the configured MCS mask is set to default or not. Optimize the code further by storing a pointer to the configured rate mask in txrc instead of using memcpy. Signed-off-by:
-
Karl Beldan authored
Handle VHT rates like HT ones, otherwise we easily trigger the pre-HT rates WARN_ON(rc_rate->idx >= sband->n_bitrates) which will set rc_rate->idx to -1. Signed-off-by:
Karl Beldan <karl.beldan@rivierawaves.com> Signed-off-by:
-
- 11 Apr, 2013 1 commit
-
-
Karl Beldan authored
When the 1st rate control entry is a pre-HT rate we want to set rts_cts_rate_idx "as the fastest basic rate that is not faster than the data rate"(code comments). But in case some bss allowed rate indexes are lower than the lowest bss basic rate, if the rate control selects a rate among the formers for its 1st rate control entry, rts_cts_rate_idx remains 0 and is not a basic rate index. This commit sets rts_cts_rate_idx to the lowest bss basic rate index in this situation. Note that the code assumes that lowest indexes == lowest bitrates. Signed-off-by:
-
- 28 Mar, 2013 1 commit
-
-
Simon Horman authored
Add a new constant ETH_P_802_3_MIN, the minimum ethernet type for an 802.3 frame. Frames with a lower value in the ethernet type field are Ethernet II. Also update all the users of this value that David Miller and I could find to use the new constant. Also correct a bug in util.c. The comparison with ETH_P_802_3_MIN should be >= not >. As suggested by Jesse Gross. Compile tested only. Cc: David Miller <davem@davemloft.net> Cc: Jesse Gross <jesse@nicira.com> Cc: Karsten Keil <isdn@linux-pingi.de> Cc: John W. Linville <linville@tuxdriver.com> Cc: Johannes Berg <johannes@sipsolutions.net> Cc: Bart De Schuymer <bart.de.schuymer@pandora.be> Cc: Stephen Hemminger <stephen@networkplumber.org> Cc: Patrick McHardy <kaber@trash.net> Cc: Marcel Holtmann <marcel@holtmann.org> Cc: Gustavo Padovan <gustavo@padovan.org> Cc: Johan Hedberg <johan.hedberg@gmail.com> Cc: linux-bluetooth@vger.kernel.org Cc: netfilter-devel@vger.kernel.org Cc: bridge@lists.linux-foundation.org Cc: linux-wireless@...
-
- 25 Mar, 2013 2 commits
-
-
Karl Beldan authored
Drivers that don't use chanctxes cannot perform VHT association because they still use a "backward compatibility" pair of {ieee80211_channel, nl80211_channel_type} in ieee80211_conf and ieee80211_local. Signed-off-by: -
Johannes Berg authored
Instead of having an SKB all the time, use a beacon_data struct with just the information required. This also allows removing a synchronize_rcu() and using kfree_rcu() instead. Signed-off-by:
-
- 18 Mar, 2013 1 commit
-
-
Johannes Berg authored
Sometimes queues are flushed in the middle of operation, which can lead to driver issues. Stop queues temporarily, while flushing, to avoid transmitting new packets while they are being flushed. Signed-off-by:
-
- 07 Mar, 2013 1 commit
-
-
Johannes Berg authored
Make the TX bytes/packets counters race-free by keeping them per AC so concurrent TX on queues can't cause lost or wrong updates. This works since each station belongs to a single interface. While at it also make the bytes counters 64-bit. Signed-off-by:
-
- 01 Mar, 2013 1 commit
-
-
Marco Porsch authored
Introduced with de74a1d9 "mac80211: fix WPA with VLAN on AP side with ps-sta". Apparently overwrites the sdata pointer with non-valid data in the case of mesh. Fix this by checking for IFTYPE_AP_VLAN. Signed-off-by:
Marco Porsch <marco@cozybit.com> Signed-off-by:
-
- 28 Feb, 2013 1 commit
-
-
Tejun Heo authored
Convert to the much saner new idr interface. Signed-off-by:
Tejun Heo <tj@kernel.org> Acked-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
-
- 26 Feb, 2013 1 commit
-
-
Seth Forshee authored
Commit 6c17b77b (mac80211: Fix tx queue handling during scans) contains a bug that causes off-channel frames to get queued when they should be handed down to the driver for transmit. Prevent this from happening. Reported-by:
Fabio Rossi <rossi.f@inwind.it> Signed-off-by:
Seth Forshee <seth.forshee@canonical.com> Signed-off-by:
-
- 25 Feb, 2013 2 commits
-
-
Chun-Yeow Yeoh authored
Unicast frame with unknown forwarding information always trigger the path discovery assuming destination is always located inside the MBSS. This patch allows the forwarding to look for mesh gate if path discovery inside the MBSS has failed. Reported-by:
Cedric Voncken <cedric.voncken@acksys.fr> Signed-off-by:
Chun-Yeow Yeoh <yeohchunyeow@gmail.com> Signed-off-by:
-
Johannes Berg authored
The ieee80211_beacon_add_tim() function might be called by drivers with BHs enabled, which causes a potential deadlock if TX happens at the same time and attempts to lock the tim_lock as well. Use spin_lock_bh to fix it. Signed-off-by:
-
- 15 Feb, 2013 5 commits
-
-
Johannes Berg authored
There's various code with strange indentation, questionable loop and locking constructs, etc. The bigger change is moving the "sdata" argument to the first argument of all functions, like all other mac80211 functions that have one. Signed-off-by: -
Thomas Pedersen authored
Previously, the entire mesh beacon would be generated each time the beacon timer fired. Instead generate a beacon head and tail (so the TIM can easily be inserted when mesh power save is on) when starting a mesh or the MBSS parameters change. Also add a mutex for protecting beacon updates and preventing leaks. Signed-off-by:
-
Johannes Berg authored
There's no need to use _irqsave() as the lock is never used in interrupt context. This also fixes a problem in the iwlwifi MVM driver that calls spin_unlock_bh() within its set_tim() callback. Signed-off-by: -
Johannes Berg authored
In my commit 1672c0e3 ("mac80211: start auth/assoc timeout on frame status") I broke auth/assoc timeout handling: in case we wait for the TX status, it now leaves the timeout field set to 0, which is a valid time and can compare as being before now ("jiffies"). Thus, if the work struct runs for some other reason, the auth/assoc is treated as having timed out. Fix this by introducing a separate "timeout_started" variable that tracks whether the timeout has started and is checked before timing out. Additionally, for proper TX status handling the change requires that the skb->dev pointer is set up for all the frames, so set it up for all frames in mac80211. Reported-by:
Wojciech Dubowik <Wojciech.Dubowik@neratec.com> Tested-by:
-
Michael Braun authored
When sending a broadcast while at least on of the connected stations is sleeping, it gets queued and send after a DTIM beacon is sent. If the packet was to be sent on a vlan interface, the vif used for dequeing from the per-bss queue does not hold the per-vlan sdata. The correct sdata is required to use the correct per-vlan broadcast/multicast key. This patch fixes this by restoring the per-vlan sdata using the skb->dev entry. Signed-off-by:
-
- 11 Feb, 2013 1 commit
-
-
Seth Forshee authored
Scans currently work by stopping the netdev tx queues but leaving the mac80211 queues active. This stops the flow of incoming packets while still allowing mac80211 to transmit nullfunc and probe request frames to facilitate scanning. However, the driver may try to wake the mac80211 queues while in this state, which will also wake the netdev queues. To prevent this, add a new queue stop reason, IEEE80211_QUEUE_STOP_REASON_OFFCHANNEL, to be used when stopping the tx queues for off-channel operation. This prevents the netdev queues from waking when a driver wakes the mac80211 queues. This also stops all frames from being transmitted, even those meant to be sent off-channel. Add a new tx control flag, IEEE80211_TX_CTL_OFFCHAN_TX_OK, which allows frames to be transmitted when the queues are stopped only for the off-channel stop reason. Update all locations transmitting off-channel frames to use this flag. Signed-off-by:
-
- 04 Feb, 2013 2 commits
-
-
Marco Porsch authored
Add routines to - maintain a PS mode for each peer and a non-peer PS mode - indicate own PS mode in transmitted frames - track neighbor STAs power modes - buffer frames when neighbors are in PS mode - add TIM and Awake Window IE to beacons - release frames in Mesh Peer Service Periods Add local_pm to sta_info to represent the link-specific power mode at this station towards the remote station. When a peer link is established, use the default power mode stored in mesh config. Update the PS status if the peering status of a neighbor changes. Maintain a mesh power mode for non-peer mesh STAs. Set the non-peer power mode to active mode during peering. Authenticated mesh peering is currently not working when either node is configured to be in power save mode. Indicate the current power mode in transmitted frames. Use QoS Nulls to indicate mesh power mode transitions. For performance reasons, calls to the function setting the frame flags are placed in HWMP routing routines, as there the STA pointer is already available. Add peer_pm to sta_info to represent the peer's link-specific power mode towards the local station. Add nonpeer_pm to represent the peer's power mode towards all non-peer stations. Track power modes based on received frames. Add the ps_data structure to ieee80211_if_mesh (for TIM map, PS neighbor counter and group-addressed frame buffer). Set WLAN_STA_PS flag for STA in PS mode to use the unicast frame buffering routines in the tx path. Update num_sta_ps to buffer and release group-addressed frames after DTIM beacons. Announce the awake window duration in beacons if in light or deep sleep mode towards any peer or non-peer. Create a TIM IE similarly to AP mode and add it to mesh beacons. Parse received Awake Window IEs and check TIM IEs for buffered frames. Release frames towards peers in mesh Peer Service Periods. Use the corresponding trigger frames and monitor the MPSP status. Append a QoS Null as trigger frame if neccessary to properly end the MPSP. Currently, in HT channels MPSPs behave imperfectly and show large delay spikes and frame losses. Signed-off-by:
Ivan Bezyazychnyy <ivan.bezyazychnyy@gmail.com> Signed-off-by:
Mike Krinkin <krinkin.m.u@gmail.com> Signed-off-by:
Max Filippov <jcmvbkbc@gmail.com> Signed-off-by:
-
Johannes Berg authored
When we had a connection for WoWLAN and after resume it needed to be disconnected, the previous commit enabled sending a deauth frame to the AP. This frame would not go through on MFP-enabled networks as the key for it is marked tainted before the frame is transmitted. Allow a tainted key to be used for deauth frames. Worst case, we'll use a wrong key because the PTK was rekeyed while suspended, but more likely the PTK is still fine and the taint flag really only applies to the GTK(s). Signed-off-by:
-
