summaryrefslogtreecommitdiffstats
path: root/net/mac80211
AgeCommit message (Collapse)AuthorFilesLines
2012-01-24mac80211: set bss_conf.idle when vif is connectedEliad Peller1-0/+1
__ieee80211_recalc_idle() iterates through the vifs, sets bss_conf.idle = true if they are disconnected, and increases "count" if they are not (which later gets evaluated in order to determine whether the device is idle). However, the loop doesn't set bss_conf.idle = false (along with increasing "count"), causing the device idle state and the vif idle state to get out of sync in some cases. Signed-off-by: Eliad Peller <eliad@wizery.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-24mac80211: update oper_channel on ibss joinEliad Peller1-0/+1
Commit 13c40c5 ("mac80211: Add HT operation modes for IBSS") broke ibss operation by mistakenly removing the local->oper_channel update (causing ibss to start on the wrong channel). fix it. Signed-off-by: Eliad Peller <eliad@wizery.com> Acked-by: Simon Wunderlich <siwu@hrz.tu-chemnitz.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-18mac80211: fix work removal on deauth requestJohannes Berg1-11/+27
When deauth is requested while an auth or assoc work item is in progress, we currently delete it without regard for any state it might need to clean up. Fix it by cleaning up for those items. In the case Pontus found, the problem manifested itself as such: authenticate with 00:23:69:aa:dd:7b (try 1) authenticated failed to insert Dummy STA entry for the AP (error -17) deauthenticating from 00:23:69:aa:dd:7b by local choice (reason=2) It could also happen differently if the driver uses the tx_sync callback. We can't just call the ->done() method of the work items because that will lock up due to the locking in cfg80211. This fix isn't very clean, but that seems acceptable since I have patches pending to remove this code completely. Cc: stable@vger.kernel.org Reported-by: Pontus Fuchs <pontus.fuchs@gmail.com> Tested-by: Pontus Fuchs <pontus.fuchs@gmail.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-18mac80211: Use the right headroom size for mesh mgmt framesJavier Cardona2-6/+6
Use local->tx_headroom instad of local->hw.extra_tx_headroom. local->tx_headroom is the max of hw.extra_tx_headroom required by the driver and the headroom required by mac80211 for status reporting. On drivers where hw.extra_tx_headroom is smaller than what mac80211 requires (e.g. ath5k), we would not reserve sufficient buffer space to report tx status. Also, don't reserve local->tx_headroom + local->hw.extra_tx_headroom. Reported-by: Simon Morgenthaler <s.morgenthaler@students.unibe.ch> Reported-by: Kai Scharwies <kai@scharwies.de> Signed-off-by: Javier Cardona <javier@cozybit.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-18mac80211: fix debugfs key->station symlinkJohannes Berg1-3/+4
Since stations moved into a virtual interface subdirectory, this link has been broken. Fix it. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-17mac80211: Fix possible race between sta_unblock and network softirqHelmut Schaa1-2/+4
All other code paths in sta_unblock synchronize with the network softirq by using local_bh_disable/enable. Do the same around ieee80211_sta_ps_deliver_wakeup. Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-16mac80211: fix tx->skb NULL pointer dereferenceYoni Divinsky3-9/+22
In function ieee80211_tx_h_encrypt the var info was initialized from tx->skb, since the fucntion is called after the function ieee80211_tx_h_fragment tx->skb is not valid anymore. Signed-off-by: Yoni Divinsky <yoni.divinsky@ti.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-16Net, mac80211: Fix resource leak in ieee80211_rx_h_mesh_fwding()Jesper Juhl1-0/+1
We may leak the 'fwd_skb' we skb_copy() in ieee80211_rx_h_mesh_fwding() if we take the 'else' branch in the 'if' statement just below. If we take that branch we'll end up returning from the function and since we've not assigned 'fwd_skb' to anything at that point, we leak it when the variable goes out of scope. The simple fix seems to be to just kfree_skb(fwd_skb); just before we return. That is what this patch does. Signed-off-by: Jesper Juhl <jj@chaosbits.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-13mac80211: fix no-op authorized transitionsJohannes Berg1-1/+1
When userspace attempts to authorize a station that is already authorized, nothing happens as you'd expect. Similarly, when it unauthorizes a station that is associated, nothing happens. However, when it unauthorizes a station that isn't even associated yet, we erroneously try to move the station to associated. This seems to happen occasionally as a result of a race when wpa_supplicant attempts to unauthorize the port in managed mode. Particularly with my new patches to keep stations, it can then move a station into ASSOCIATED state before we have really associated, which is really confusing. I introduced this bug in "mac80211: refactor station state transitions" Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-12net: reintroduce missing rcu_assign_pointer() callsEric Dumazet4-7/+7
commit a9b3cd7f32 (rcu: convert uses of rcu_assign_pointer(x, NULL) to RCU_INIT_POINTER) did a lot of incorrect changes, since it did a complete conversion of rcu_assign_pointer(x, y) to RCU_INIT_POINTER(x, y). We miss needed barriers, even on x86, when y is not NULL. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> CC: Stephen Hemminger <shemminger@vyatta.com> CC: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2012-01-11mac80211: fix rx->key NULL pointer dereference in promiscuous modeStanislaw Gruszka1-1/+1
Since: commit 816c04fe7ef01dd9649f5ccfe796474db8708be5 Author: Christian Lamparter <chunkeey@googlemail.com> Date: Sat Apr 30 15:24:30 2011 +0200 mac80211: consolidate MIC failure report handling is possible to that we dereference rx->key == NULL when driver set RX_FLAG_MMIC_STRIPPED and not RX_FLAG_IV_STRIPPED and we are in promiscuous mode. This happen with rt73usb and rt61pci at least. Before the commit we always check rx->key against NULL, so I assume fix should be done in mac80211 (also mic_fail path has similar check). References: https://bugzilla.redhat.com/show_bug.cgi?id=769766 http://rt2x00.serialmonkey.com/pipermail/users_rt2x00.serialmonkey.com/2012-January/004395.html Cc: stable@vger.kernel.org # 3.0+ Reported-by: Stuart D Gathman <stuart@gathman.org> Reported-by: Kai Wohlfahrt <kai.scorpio@gmail.com> Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-05Merge branch 'master' of ↵John W. Linville7-52/+19
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next into for-davem Conflicts: drivers/net/wireless/b43legacy/dma.c
2012-01-04mac80211: remove dead codeMohammed Shafi Shajakhan2-19/+0
ieee80211_offchannel_enable_all_ps function is no longer used and looks like its logic is extensively handled in ieee80211_offchannel_stop_vifs Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-04mac80211: Call driver commands after drv_start in mac80211 restart codeYogesh Ashok Powar1-10/+9
Ideally, hardware/firmware initialization is complete after the drv_start routine. In mac80211 restart code (ieee80211_reconfig), defer calling the driver commands i.e. setup fragmentation threshold, rts threshold and coverage class till drv_start routine is called. Signed-off-by: Nishant Sarmukadam <nishants@marvell.com> Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com> v2: Removed extra blank line added. Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-04mac80211: use RCU read locks for sta_info_getMohammed Shafi Shajakhan1-0/+2
this is being recently introduced by the commit a85e1d55974646a442d95911e3f7d7a891ea9ac5 Cc: Paul Stewart <pstew@google.com> Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-04mac80211: fix kernel panic in IBSS due to a regressionMohammed Shafi Shajakhan1-1/+4
kernel panic occurs when we create an IBSS mode and leave it for sometime without any joiner and this is introduced by the commit ec2b774e7c91094d8c00de579646f1162b87b01e where we don't put proper braces for 'list_for_each_entry_safe' and we pass an invalid 'sta' pointer to __sta_info_destroy EIP is at __list_add+0xe/0xa0 EAX: f3b63db4 EBX: 00000000 ECX: eab88c1c EDX: 00000000 ESI: 00000000 EDI: 00000246 EBP: f3b63d80 ESP: f3b63d58 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 Process kworker/u:2 (pid: 198, ti=f3b62000 task=f3afbea0 task.ti=f3b62000) Stack: 00000000 00000000 f9ef9821 00000000 00000000 eab88c30 f3b63d80 c017f623 eab88bf0 eab88bf0 f3b63dd0 c066f925 00000000 00000002 00000000 f9ef9821 f3b63da0 c0180a2b eab88c1c eab88c30 00000002 f3afbea0 eab88bf4 f3b63db4 Call Trace: [<f9ef9821>] ? __ieee80211_stop_tx_ba_session+0x31/0x60 [mac80211] [<c017f623>] ? debug_mutex_add_waiter+0x23/0x60 [<c066f925>] __mutex_lock_common+0xd5/0x390 [<f9ef9821>] ? __ieee80211_stop_tx_ba_session+0x31/0x60 [mac80211] [<c0180a2b>] ? trace_hardirqs_off+0xb/0x10 [<c066fd37>] mutex_lock_nested+0x47/0x60 [<f9ef9821>] ? __ieee80211_stop_tx_ba_session+0x31/0x60 [mac80211] [<f9ef9821>] __ieee80211_stop_tx_ba_session+0x31/0x60 [mac80211] [<f9ef8989>] ieee80211_sta_tear_down_BA_sessions+0x39/0x60 [mac80211] [<f9ef1a67>] __sta_info_destroy+0x57/0x780 [mac80211] [<f9ef2223>] ieee80211_sta_expire+0x93/0xb0 [mac80211] [<f9efc8f6>] ieee80211_ibss_work+0x2d6/0x530 [mac80211] Cc: Marek Lindner <lindner_marek@yahoo.de> Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-04mac80211: fix scan state machineMohammed Shafi Shajakhan1-1/+1
when we run high bandwidth UDP traffic and we trigger a scan, the scan state machine seems to be looping in SUSPEND->RESUME->DECISION->SUSPEND and SET_CHANNEL seems to be never called as 'tx_empty' is never true while running UDP traffic. fix this by settting SET_CHANNEL state when we get into RESUME state. Cc: Leela Kella <leela@qca.qualcomm.com> Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-04mac80211: always clear SDATA_STATE_OFFCHANNEL flagEliad Peller1-1/+3
If the vif is stopped while it is offchannel (e.g. right after p2p negotiation) the SDATA_STATE_OFFCHANNEL flag is never get cleared, resulting in various bad effects (e.g. GO can't start beaconing). Fix it by clearing the SDATA_STATE_OFFCHANNEL flag even if the vif is stopped. Signed-off-by: Eliad Peller <eliad@wizery.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-04mac80211: Remove superfluous ieee80211_rx_h_remove_qos_controlHelmut Schaa1-20/+0
This seems to not serve any purpose anymore, at least all frame processing afterwards seems to be able to deal with QoS frames. So, let's save the expensive memmove and just leave the QoS header in the 802.11 frame for further processing. Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2012-01-03Merge branch 'master' of ↵John W. Linville6-5/+111
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next into for-davem Conflicts: drivers/net/wireless/b43/dma.c drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c
2011-12-21mac80211: Keep skb->piority for relayed frames in AP modeHelmut Schaa1-1/+6
When mac80211 relays a frame from STA1 to STA2 in AP mode it will get re-classified in the tx path. Unfortunately the frame protocol field is always set to ETH_P_8023 while the classification only kicks in for ETH_P_IP. Hence, a high priority frame from STA1 will be send to STA2 as best effort. Instead of running classification on the frame just use the same priority as STA1 did. Do this by adding 256 to the skb->priority to allow cfg80211_classify8021d to shortcut frame classification. Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-21mac80211: ibss should not purge clients it is not responsible forMarek Lindner1-0/+3
The IBSS merge code calls ieee80211_sta_expire() with a relatively short expire timeout that purges other clients prematurely. The expire function has to check that only the clients belonging to the vif in question are purged. Signed-off-by: Marek Lindner <lindner_marek@yahoo.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-19net: fix assignment of 0/1 to bool variables.Rusty Russell2-3/+3
DaveM said: Please, this kind of stuff rots forever and not using bool properly drives me crazy. Joe Perches <joe@perches.com> gave me the spatch script: @@ bool b; @@ -b = 0 +b = false @@ bool b; @@ -b = 1 +b = true I merely installed coccinelle, read the documentation and took credit. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2011-12-19mac80211: Fixing sparse warning at sta_info.cYogesh Ashok Powar1-2/+7
The commit 42624d4913a00219a8fdbb4bafd634d1d843be85 created following sparse warning >net/mac80211/sta_info.c:965:24: warning: incorrect type in assignment (different address spaces) >net/mac80211/sta_info.c:965:24: expected struct tid_ampdu_tx *tid_tx >net/mac80211/sta_info.c:965:24: got struct tid_ampdu_tx [noderef] <asn:4>*<noident> Making use of rcu_dereference_protected to fix the problem. V2: - Replacing rcu_dereference with rcu_dereference_protected as suggested by Johannes. - Adding mutex_lock/unlock to satisfy the condition at rcu_dereference_protected Cc: Nishant Sarmukadam <nishants@marvell.com> Reported-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-19mac80211: handle SMPS action framesJohannes Berg1-0/+58
When a peer changes SMPS state we should update rate control so it doesn't have to detect it by itself. It can't detect "dynamic" mode anyway since that just requires rts-cts handshaking. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-19cfg80211: Return beacon loss count in stationPaul Stewart3-1/+13
If station info contains a beacon loss count, return it to userspace. Signed-off-by: Paul Stewart <pstew@chromium.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-19mac80211: split addba retries in timeNikolay Martynov2-1/+24
Currently code allows three (HT_AGG_MAX_RETRIES) unanswered addba requests. When this limit is reached aggregation is turned off for given TID permanently. This doesn't seem right: three requests is not that much, some 'blackout' can happen, but effect of it affects whole connection indefinitely. This patch increases number of retries to 15. Also, when there have been 3 or more retries it splits further retries apart by 15 seconds instead of sending them in very short period of time. Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-15mac80211: Fix power save in change interfaceMohammed Shafi Shajakhan1-0/+1
we found that power save is not getting enabled when we do change interface in this order STA->IBSS->STA. this is because ieee80211_setup_sdata clears type-dependent union Reported-by: Leela Kella <leela@qca.qualcomm.com> Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-15mac80211: remove an unnecessary paraenthesisMohammed Shafi Shajakhan1-1/+1
Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-15mac80211: Use appropriate TID for sending BAR, ADDBA and DELBA framesHelmut Schaa4-8/+17
Currently BAR, ADDBA and DELBA frames are always sent using AC_VO. If the TID for which a BA session is established is assigned to a different queue BAR, ADDBA and DELBA frames can "overtake" frames of the according BA session. Hence, always put BA session related frames into the same queue as the BA sessions data frames. Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-15mac80211: reduce station management complexityJohannes Berg3-203/+63
Now that IBSS no longer needs to insert stations from atomic context, we can get rid of all the special cases for that, and even get rid of the sta_lock (though it needs to stay as tim_lock.) This makes the station management code much more straight-forward. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-15mac80211: delay IBSS station insertionJohannes Berg4-57/+140
In order to notify drivers and simplify the station management code, defer IBSS station insertion to a work item and don't do it directly while receiving a frame. This increases the complexity in IBSS a little bit, but it's pretty straight forward and it allows us to reduce the station management complexity (next patch) considerably. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-15mac80211: make address arguments to sta_info_alloc constJohannes Berg2-2/+2
No real changes, just note that they are const. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-15mac80211: count authorized stations per BSSJohannes Berg4-16/+20
Currently, each AP interface will send multicast traffic if any interface has a station entry even if that station entry is allocated only. With the new station state management we can easily fix it by adding a counter that counts each authorized station only and send multicast traffic only when the correct interface has at least one authorized station. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-15mac80211: refactor station state transitionsJohannes Berg8-30/+172
Station entries can have various states, the most important ones being auth, assoc and authorized. This patch prepares us for telling the driver about these states, we don't want to confuse drivers with strange transitions, so with this we enforce that they move in the right order between them (back and forth); some transitions might happen before the driver even knows about the station, but at least runtime transitions will be ordered correctly. As a consequence, IBSS and MESH stations will now have the ASSOC flag set (so they can transition to AUTHORIZED), and we can get rid of a special case in TX processing. When freeing a station, unwind the state so that other parts of the code (or drivers later) can rely on the transitions. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-15mac80211: use station mutex in configurationJohannes Berg1-6/+6
There's no need to use RCU here, we can just lock the station mutex instead. This allows the code to sleep, which is necessary for later patches. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-15mac80211: remove duplicate TDLS peer verificationJohannes Berg1-14/+0
This is already checked in cfg80211, so no need to repeat the checks here. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-15cfg80211: validate nl80211 station handling betterJohannes Berg1-0/+8
The nl80211 station handling code is a bit messy and doesn't do a lot of validation. It seems like this could be an issue for drivers that don't use mac80211 to validate everything. As cfg80211 doesn't keep station state, move the validation of allowing supported_rates to change for TDLS only in station mode to mac80211. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-14mac80211: free skb on error path of ieee80211_ibss_join()Simon Wunderlich1-0/+1
Our new return also created a memleak. The skb should be freed before returning an error. Signed-off-by: Simon Wunderlich <siwu@hrz.tu-chemnitz.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-14Merge branch 'master' of ↵John W. Linville1-45/+41
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless Conflicts: drivers/net/wireless/iwlwifi/iwl-agn.c
2011-12-13mac80211: don't check sdata_running in vif notifierEliad Peller1-4/+1
The ip address of the vif can be set even before the vif is up. requiring the vif to be up in the vif notifier makes the notifer ignore this event, which causes wrong arp filter configuration later on. Reported-by: Eyal Shapira <eyal@wizery.com> Signed-off-by: Eliad Peller <eliad@wizery.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-13mac80211: configure BSS_CHANGED_ARP_FILTER on reconfigurationEliad Peller1-1/+2
Configure arp filtering on sta reconfiguration. Signed-off-by: Eliad Peller <eliad@wizery.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-13mac80211: Do not request FIF_BCN_PRBRESP_PROMISC for HW scan.Dmitry TARNYAGIN1-3/+3
ieee80211_configure_filter code used local->scanning as a boolean value when it was a bit mask. Bits SCAN_COMPLETED, SCAN_ABORTED should not set FIF_BCN_PRBRESP_PROMISC filter. SCAN_HW_SCANNING should not set FIF_BCN_PRBRESP_PROMISC either, as there is no explicit filter configuration request from scan code. If a driver requires FIF_BCN_PRBRESP_PROMISC mode during HW scanning, it's up to the driver to temporary enable it. Similar mistake was fixed also in ieee80211_hw_config (power configuration code). Verified-by: Vitaly Wool <vitaly.wool@sonyericsson.com> Signed-off-by: Dmitry Tarnyagin <dmitry.tarnyagin@stericsson.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-13mac80211: Make use of ieee80211_is_* functions in tx status pathHelmut Schaa1-10/+5
Use ieee80211_is_data, ieee80211_is_mgmt and ieee80211_is_first_frag in the tx status path. This makes the code easier to read and allows us to remove two local variables: frag and type. Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-13mac80211: Purge A-MPDU TX queues before station destructionsYogesh Ashok Powar2-0/+27
When a station leaves suddenly while ampdu traffic to that station is still running, there is a possibility that the ampdu pending queues are not freed due to a race condition leading to memory leaks. In '__sta_info_destroy' when we attempt to destroy the ampdu sessions in 'ieee80211_sta_tear_down_BA_sessions', the driver calls 'ieee80211_stop_tx_ba_cb_irqsafe' to delete the ampdu structures (tid_tx) and splice the pending queues and this job gets queued in sdata workqueue. However, the sta entry can get destroyed before the above work gets scheduled and hence the race. Purging the queues and freeing the tid_tx to avoid the leak. The better solution would be to fix the race, but that can be taken up in a separate patch. Signed-off-by: Nishant Sarmukadam <nishants@marvell.com> Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-13mac80211: unlock on error path in ieee80211_ibss_join()Dan Carpenter1-1/+3
We recently introduced a new return here but it needs an unlock first. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-07mac80211: fix another race in aggregation startJohannes Berg1-45/+41
Emmanuel noticed that when mac80211 stops the queues for aggregation that can leave a packet pending. This packet will be given to the driver after the AMPDU callback, but as a non-aggregated packet which messes up the sequence number etc. I also noticed by looking at the code that if packets are being processed while we clear the WANT_START bit, they might see it cleared already and queue up on tid_tx->pending. If the driver then rejects the new aggregation session we leak the packet. Fix both of these issues by changing this code to not stop the queues at all. Instead, let packets queue up on the tid_tx->pending queue instead of letting them get to the driver, and add code to recover properly in case the driver rejects the session. (The patch looks large because it has to move two functions to before their new use.) Cc: stable@vger.kernel.org Reported-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-06mac80211: Remove WARN_ON in apply-ht-override logic.Ben Greear1-1/+3
AP interfaces routinely call this logic, so just silently return when this happens instead of splatting the kernel logs. Reported-by: Christian Lamparter <chunkeey@googlemail.com> Signed-off-by: Ben Greear <greearb@candelatech.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-06mac80211: accept public action frames with mismatched BSSIDJohannes Berg1-3/+10
Arik's patch "mac80211: allow action frames with unknown BSSID in GO mode" allowed any action frames in P2P mode to go through, but only to cooked monitor interfaces as the IEEE80211_RX_RA_MATCH was still cleared. As a result my no-monitor patches broke invitation responses. Instead of allowing any action frames in P2P GO mode to go through with a wrong BSSID like that patch did, allow all public action frames. They will never be processed by mac80211, but can be reported via nl80211 then. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-12-06mac80211: fix retransmitJohannes Berg1-1/+4
This fixes another regression from my "pass all fragments to driver at once" patches -- if the packet is being retransmitted then we don't go through all handlers, but we still need to move it to the skbs list, otherwise we run into the first warning in __ieee80211_tx() and leak the skb. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>