Commit Graph

311 Commits

Author SHA1 Message Date
Johannes Berg
cd3468bad9 cfg80211: add two missing NULL pointer checks
These pointers can be NULL, the is_mesh() case isn't
ever hit in the current kernel, but cmp_ies() can be
hit under certain conditions.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Cc: stable@kernel.org [2.6.29, 2.6.30]
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-08-03 16:31:21 -04:00
Christian Lamparter
9e81eccf19 cfg80211: double free in __cfg80211_scan_done
This patch fixes a double free corruption in __cfg80211_scan_done:

 ================================================
 BUG kmalloc-512: Object already free
 ------------------------------------------------

 INFO: Allocated in load_elf_binary+0x18b/0x19af age=6
 INFO: Freed in load_elf_binary+0x104e/0x19af age=5
 INFO: Slab 0xffffea0001bae4c0 objects=14 used=7
 INFO: Object 0xffff88007e8a9918 @offset=6424 fp=0xffff88007e8a9488

 Bytes b4 0xffff88007e8a9908:  00 00 00 00 00 00 00 00 5a 5a
 [...]
 Pid: 28705, comm: rmmod Tainted: P         C 2.6.31-rc2-wl #1
 Call Trace:
  [<ffffffff810da9f4>] print_trailer+0x14e/0x16e
  [<ffffffff810daa56>] object_err+0x42/0x61
  [<ffffffff810dbcd9>] __slab_free+0x2af/0x396
  [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211]
  [<ffffffff810dd5e3>] kfree+0x13c/0x17a
  [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211]
  [<ffffffffa0ec9694>] wiphy_unregister+0x92/0x142 [cfg80211]
  [<ffffffffa0eed163>] ieee80211_unregister_hw+0xc8/0xff [mac80211]
  [<ffffffffa0f3fbc8>] p54_unregister_common+0x31/0x66 [p54common]
  [...]
 FIX kmalloc-512: Object at 0xffff88007e8a9918 not freed

The code path which leads to the *funny* double free:

       request = rdev->scan_req;
       dev = dev_get_by_index(&init_net, request->ifidx);
	/*
	 * the driver was unloaded recently and
	 * therefore dev_get_by_index will return NULL!
	 */
        if (!dev)
                goto out;
	[...]
	rdev->scan_req = NULL; /* not executed... */
	[...]
 out:
        kfree(request);

Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21 12:07:44 -04:00
Niko Jokinen
6c95e2a2f0 nl80211: Memory leak fixed
Potential memory leak via msg pointer in nl80211_get_key() function.

Signed-off-by: Niko Jokinen <ext-niko.k.jokinen@nokia.com>
Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21 12:07:42 -04:00
Johannes Berg
2dce4c2b5f cfg80211: fix refcount leak
The code in cfg80211's cfg80211_bss_update erroneously
grabs a reference to the BSS, which means that it will
never be freed.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Cc: stable@kernel.org [2.6.29, 2.6.30]
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-07 12:55:28 -04:00
Jiri Slaby
1f5fc70a25 Wireless: nl80211, fix lock imbalance
Don't forget to unlock cfg80211_mutex in one fail path of
nl80211_set_wiphy.

Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-07 12:55:25 -04:00
Johannes Berg
a97f4424fb cfg80211: validate station settings
When I disallowed interfering with stations on non-AP interfaces,
I not only forget mesh but also managed interfaces which need
this for the authorized flag. Let's actually validate everything
properly.

This fixes an nl80211 regression introduced by the interfering,
under which wpa_supplicant -Dnl80211 could not properly connect.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-06-19 11:50:24 -04:00
Andrey Yurovsky
9a5e8bbc8f cfg80211: allow setting station parameters in mesh
Mesh Point interfaces can also set parameters, for example plink_open is
used to manually establish peer links from user-space (currently via
iw).  Add Mesh Point to the check in nl80211_set_station.

Signed-off-by: Andrey Yurovsky <andrey@cozybit.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-06-19 11:50:24 -04:00
Andrey Yurovsky
155cc9e4b1 cfg80211: allow adding/deleting stations on mesh
Commit b2a151a288 added a check that prevents adding or deleting
stations on non-AP interfaces.  Adding and deleting stations is
supported for Mesh Point interfaces, so add Mesh Point to that check as
well.

Signed-off-by: Andrey Yurovsky <andrey@cozybit.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-06-19 11:50:23 -04:00
Johannes Berg
2f0accc135 cfg80211: fix rfkill locking problem
rfkill currently requires a global lock within the
rfkill_register() function, and holds that lock over
calls to the set_block() methods. This means that we
cannot hold a lock around rfkill_register() that we
also require in set_block(), directly or indirectly.
Fix cfg80211 to register rfkill outside the block
locked by its global lock. Much of what cfg80211 does
in the locked block doesn't need to be locked anyway.

Reported-by: Vasanthakumar Thiagarajan <vasanth@atheros.com>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-06-10 13:28:41 -04:00
Luis R. Rodriguez
558f6d3229 cfg80211: fix for duplicate response for driver reg request
As Pavel puts userspace can be stupid and should not
cause kernel crashes. In this case Pavel was able to
find a crash here but unable to reproduce. Either way
lets deal with this.

This should fix:

------------[ cut here ]------------
kernel BUG at /home/proski/src/linux-2.6/net/wireless/reg.c:2132!
Oops: Exception in kernel mode, sig: 5 [#1]
PowerMac
Modules linked in: ath5k ath [last unloaded: scsi_wait_scan]
NIP: c02f3eac LR: c02f3d08 CTR: 00000000
REGS: ef107aa0 TRAP: 0700   Not tainted  (2.6.30-rc8-wl)
MSR: 00029032 <EE,ME,CE,IR,DR>  CR: 88002442  XER: 20000000
TASK = ef84acb0[834] 'crda' THREAD: ef106000
GPR00: ef953840 ef107b50 ef84acb0 ef1380bc 00000006 c035a5c8 ef107b90 c035a5c8
GPR08: 00080005 efb68980 c0445628 ef130004 28002422 10019ce0 10012d3c 00000001
GPR16: 1070b2ac 00000005 48023558 1070b380 4802304c 00000000 ef107ddc c035a5c8
GPR24: ef107b78 c0443350 ef8bcb00 00000005 ef138080 c04a6a70 c04a0000 ef8bcb00
NIP [c02f3eac] set_regdom+0x4c4/0x4ec
LR [c02f3d08] set_regdom+0x320/0x4ec
Call Trace:
[ef107b50] [c02f3d08] set_regdom+0x320/0x4ec (unreliable)
[ef107b70] [c02f9d10] nl80211_set_reg+0x140/0x2d0
[ef107bc0] [c02aa2b8] genl_rcv_msg+0x204/0x228
[ef107c10] [c02a97cc] netlink_rcv_skb+0xe8/0x10c
[ef107c30] [c02aa094] genl_rcv+0x3c/0x5c
[ef107c40] [c02a9050] netlink_unicast+0x308/0x36c
[ef107c80] [c02a92bc] netlink_sendmsg+0x208/0x2f0
[ef107cd0] [c0282048] sock_sendmsg+0xac/0xe4
[ef107db0] [c02822b4] sys_sendmsg+0x234/0x2d8
[ef107f00] [c0283a88] sys_socketcall+0x108/0x258
[ef107f40] [c0012790] ret_from_syscall+0x0/0x38

Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-06-10 13:28:37 -04:00
Luis R. Rodriguez
60fd2b6701 cfg80211: make ieee80211_get_mesh_hdrlen() static
Fixes spares warning:
net/wireless/util.c:261:5: warning:
symbol 'ieee80211_get_mesh_hdrlen' was not declared. Should it be static?

Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-06-03 14:06:15 -04:00
Johannes Berg
1f87f7d3a3 cfg80211: add rfkill support
To be easier on drivers and users, have cfg80211 register an
rfkill structure that drivers can access. When soft-killed,
simply take down all interfaces; when hard-killed the driver
needs to notify us and we will take down the interfaces
after the fact. While rfkilled, interfaces cannot be set UP.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-06-03 14:06:14 -04:00
Johannes Berg
7643a2c3fc cfg80211: move txpower wext from mac80211
This patch introduces new cfg80211 API to set the TX power
via cfg80211, puts the wext code into cfg80211 and updates
mac80211 to use all that. The -ENETDOWN bits are a hack but
will go away soon.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-06-03 14:06:14 -04:00
Bob Copeland
0f6399c4c5 nl80211: use GFP_ATOMIC for michael mic failure message
nl80211_michael_mic_failure can be called in atomic context but
does a GFP_KERNEL allocation.  Fixes the error below:

[  126.793225] BUG: sleeping function called from invalid context at mm/slab.c:3055
[  126.793234] in_atomic(): 1, irqs_disabled(): 0, pid: 0, name: swapper
[  126.793241] 2 locks held by swapper/0:
[  126.793246]  #0:  (&sc->rxbuflock){+.-.+.}, at: [<f94e1b46>] ath5k_tasklet_rx+0x34/0x55e [ath5k]
[  126.793294]  #1:  (rcu_read_lock){.+.+.+}, at: [<f92872f3>] __ieee80211_rx+0x7e/0x563 [mac80211]
[  126.793342] Pid: 0, comm: swapper Not tainted 2.6.30-rc7-wl #124
[  126.793347] Call Trace:
[  126.793361]  [<c014499d>] ? __debug_show_held_locks+0x1e/0x20
[  126.793380]  [<c011e9a3>] __might_sleep+0x100/0x107
[  126.793386]  [<c018ea99>] kmem_cache_alloc+0x35/0x170
[  126.793393]  [<c02e8bb1>] ? __alloc_skb+0x2e/0x117
[  126.793397]  [<c014517d>] ? mark_held_locks+0x43/0x5b
[  126.793402]  [<c02e8bb1>] __alloc_skb+0x2e/0x117
[  126.793419]  [<f851a836>] nl80211_michael_mic_failure+0x2a/0x1fa [cfg80211]
[  126.793425]  [<c01453b8>] ? trace_hardirqs_on_caller+0xf6/0x130
[  126.793430]  [<c01453fd>] ? trace_hardirqs_on+0xb/0xd
[  126.793444]  [<f851b2b8>] cfg80211_michael_mic_failure+0x30/0x38 [cfg80211]
[  126.793463]  [<f928bf69>] mac80211_ev_michael_mic_failure+0xfd/0x108 [mac80211]
[  126.793480]  [<f9279fbd>] ieee80211_rx_h_michael_mic_verify+0xd4/0x117 [mac80211]
[  126.793499]  [<f9285ef3>] ieee80211_invoke_rx_handlers+0xdde/0x1963 [mac80211]
[  126.793505]  [<c0107152>] ? sched_clock+0x3f/0x64
[  126.793511]  [<c0107152>] ? sched_clock+0x3f/0x64
[  126.793516]  [<c01445d7>] ? trace_hardirqs_off+0xb/0xd
[  126.793521]  [<c0107152>] ? sched_clock+0x3f/0x64
[  126.793526]  [<c0146454>] ? __lock_acquire+0x62c/0x1271
[  126.793545]  [<f9286fbb>] __ieee80211_rx_handle_packet+0x543/0x564 [mac80211]
[  126.793564]  [<f9287757>] __ieee80211_rx+0x4e2/0x563 [mac80211]
[  126.793577]  [<f94e1ff6>] ath5k_tasklet_rx+0x4e4/0x55e [ath5k]
[  126.793583]  [<c0102b54>] ? restore_nocheck_notrace+0x0/0xe
[  126.793589]  [<c0129aa2>] tasklet_action+0x92/0xe5
[  126.793594]  [<c0129f22>] __do_softirq+0xb1/0x182
[  126.793599]  [<c012a023>] do_softirq+0x30/0x48
[  126.793603]  [<c012a19b>] irq_exit+0x3d/0x74
[  126.793609]  [<c0358016>] do_IRQ+0x76/0x8c
[  126.793613]  [<c010312e>] common_interrupt+0x2e/0x34
[  126.793618]  [<c014007b>] ? timer_list_show+0x277/0x939
[  126.793630]  [<f88eb321>] ? acpi_idle_enter_bm+0x266/0x291 [processor]
[  126.793636]  [<c02d00f6>] cpuidle_idle_call+0x6a/0x9c
[  126.793640]  [<c0101cc8>] cpu_idle+0x53/0x87
[  126.793645]  [<c0344510>] rest_init+0x6c/0x6e
[  126.793651]  [<c04dd74d>] start_kernel+0x286/0x28b
[  126.793656]  [<c04dd037>] __init_begin+0x37/0x3c

Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-06-03 14:06:13 -04:00
Luis R. Rodriguez
729e9c7663 cfg80211: fix for duplicate userspace replies
This fixes an incorrect assumption (BUG_ON) made in
cfg80211 when handling country IE regulatory requests.
The assumption was that we won't try to call_crda()
twice for the same event and therefore we will not
recieve two replies through nl80211 for the regulatory
request. As it turns out it is true we don't call_crda()
twice for the same event, however, kobject_uevent_env()
*might* send the udev event twice and/or userspace can
simply process the udev event twice. We remove the BUG_ON()
and simply ignore the duplicate request.

For details refer to this thread:

http://marc.info/?l=linux-wireless&m=124149987921337&w=2

Cc: stable@kernel.org
Reported-by: Maxim Levitsky <maximlevitsky@gmail.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-06-03 14:05:12 -04:00
Johannes Berg
034d655ee7 cfg80211: disallow interfering with stations on non-AP (part 2)
On non-AP interfaces userspace has no business interfering with
the station management, this can confuse mac80211 (and other
drivers probably wouldn't support it anyway). Allow adding and
removing stations only on AP interfaces.

(Reconcile this w/ previous version of patch posted with same
subject... -- JWL)

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-06-03 14:05:10 -04:00
Johannes Berg
8fc0fee092 cfg80211: use key size constants
Instead of hardcoding the key length for validation, use the
constants Zhu Yi recently added and add one for AES_CMAC too.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-06-03 14:05:10 -04:00
Johannes Berg
362a415dce nl80211: bounce scan request back to userspace
When a scan finishes only the program that asked for it
knows what kind of scan it was; let's tell everybody else
about the scan parameters as well so they can evaluate
the result of the scan better. Also helps with debugging.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-06-03 14:05:10 -04:00
Johannes Berg
51b50fbeb5 cfg80211: validate AID of stations being added
We have some validation code in mac80211 but said code will
force an invalid AID to 0 which isn't a valid AID either;
instead require a valid AID (1-2007) to be passed in from
userspace in cfg80211 already. Also move the code before
the race comment since it can only be executed during STA
addition and thus is not racy.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-06-03 14:05:10 -04:00
David S. Miller
079e24ed80 nl80211: Eliminate reference to BUS_ID_SIZE.
It's going away.  Just leave the constant "20" here so that
behavior doesn't change.

Signed-off-by: David S. Miller <davem@davemloft.net>
2009-05-26 21:15:00 -07:00
David S. Miller
c649c0e31d Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
Conflicts:
	drivers/net/wireless/ath/ath5k/phy.c
	drivers/net/wireless/iwlwifi/iwl-agn.c
	drivers/net/wireless/iwlwifi/iwl3945-base.c
2009-05-25 01:42:21 -07:00
David S. Miller
45ea4ea2af Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6 2009-05-25 00:38:24 -07:00
Zhu Yi
e31a16d6f6 wireless: move some utility functions from mac80211 to cfg80211
The patch moves some utility functions from mac80211 to cfg80211.
Because these functions are doing generic 802.11 operations so they
are not mac80211 specific. The moving allows some fullmac drivers
to be also benefit from these utility functions.

Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: Samuel Ortiz <samuel.ortiz@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-22 14:06:02 -04:00
Johannes Berg
8705782582 wext: remove atomic requirement for wireless stats
The requirement for wireless stats to be atomic is now mostly
artificial since we hold the rtnl _and_ the dev_base_lock for
iterating the device list. Doing that is not required, just the
rtnl is sufficient (and the rtnl is required for other reasons
outlined in commit "wext: fix get_wireless_stats locking").

This will fix http://bugzilla.kernel.org/show_bug.cgi?id=13344
and make things easier for drivers.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-22 14:05:59 -04:00
Michał Mirosław
0d63cbb535 wireless: Use genl_register_family_with_ops()
Use genl_register_family_with_ops() instead of a copy.

Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-05-21 16:50:25 -07:00
Luis R. Rodriguez
bbcf3f0277 cfg80211: warn when wiphy_apply_custom_regulatory() does nothing
Device drivers using wiphy_apply_custom_regulatory() want some
regulatory settings applied to their wiphy, if no bands were
configured on the wiphy then something went wrong.

Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-20 14:46:37 -04:00
Pavel Roskin
e43e820c9c cfg80211: fix compile error with CONFIG_CFG80211_DEBUGFS
If CONFIG_CFG80211_DEBUGFS is enabled and CONFIG_MAC80211_DEBUGFS is
not, compilation fails in net/wireless/debugfs.c:

net/wireless/debugfs.c: In function 'cfg80211_debugfs_drv_add':
net/wireless/debugfs.c:117: error: 'struct cfg80211_registered_device'
has no member named 'debugfs'

The debugfs filed is needed if and only if CONFIG_CFG80211_DEBUGFS is
enabled, so use that instead of CONFIG_MAC80211_DEBUGFS.

Signed-off-by: Pavel Roskin <proski@gnu.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-20 14:46:32 -04:00
Luis R. Rodriguez
61405e9778 cfg80211: fix in nl80211_set_reg()
There is a race on access to last_request and its alpha2
through reg_is_valid_request() and us possibly processing
first another regulatory request on another CPU. We avoid
this improbably race by locking with the cfg80211_mutex as
we should have done in the first place. While at it add
the assert on locking on reg_is_valid_request().

Cc: stable@kernel.org
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-20 14:46:32 -04:00
Luis R. Rodriguez
d0e18f833d cfg80211: cleanup return calls on nl80211_set_reg()
This has no functional change, but it will make the race
fix easier to spot in my next patch.

Cc: stable@kernel.org
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-20 14:46:31 -04:00
Luis R. Rodriguez
4776c6e7f6 cfg80211: return immediately if num reg rules > NL80211_MAX_SUPP_REG_RULES
This has no functional change except we save a kfree(rd) and
allows us to clean this code up a bit after this. We do
avoid an unnecessary kfree(NULL) but calling that was OK too.

Cc: stable@kernel.org
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-20 14:46:31 -04:00
Johannes Berg
e3da574a0d cfg80211: allow wext to remove keys that don't exist
Some applications using wireless extensions expect to be able to
remove a key that doesn't exist. One example is wpa_supplicant
which doesn't actually change behaviour when running into an
error while trying to do that, but it prints an error message
which users interpret as wpa_supplicant having problems.

The safe thing to do is not change the behaviour of wireless
extensions any more, so when the driver reports -ENOENT let
the wext bridge code return success to userspace. To guarantee
this, also document that drivers should return -ENOENT when the
key doesn't exist.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-20 14:46:30 -04:00
David Kilroy
3dcf670baf cfg80211: mark ops as pointer to const
This allows drivers to mark their cfg80211_ops tables const.

Signed-off-by: David Kilroy <kilroyd@googlemail.com>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-20 14:46:27 -04:00
Jouni Malinen
9f26a95221 nl80211: Validate NL80211_ATTR_KEY_SEQ length
Validate RSC (NL80211_ATTR_KEY_SEQ) length in nl80211/cfg80211 instead
of having to do this in all the drivers.

Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-20 14:46:25 -04:00
Luis R. Rodriguez
80a3511d70 cfg80211: add debugfs HT40 allow map
Here's a screenshot of what this looks like with ath9k:

mcgrof@pogo /debug/ieee80211/phy0 $ cat ht40allow_map
2412 HT40  +
2417 HT40  +
2422 HT40  +
2427 HT40  +
2432 HT40 -+
2437 HT40 -+
2442 HT40 -+
2447 HT40 -
2452 HT40 -
2457 HT40 -
2462 HT40 -
2467 Disabled
2472 Disabled
2484 Disabled
5180 HT40  +
5200 HT40 -+
5220 HT40 -+
5240 HT40 -+
5260 HT40 -+
5280 HT40 -+
5300 HT40 -+
5320 HT40 -
5500 HT40  +
5520 HT40 -+
5540 HT40 -+
5560 HT40 -+
5580 HT40 -+
5600 HT40 -+
5620 HT40 -+
5640 HT40 -+
5660 HT40 -+
5680 HT40 -+
5700 HT40 -
5745 HT40  +
5765 HT40 -+
5785 HT40 -+
5805 HT40 -+
5825 HT40 -

Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-20 14:46:23 -04:00
Luis R. Rodriguez
1ac61302dc mac80211/cfg80211: move wiphy specific debugfs entries to cfg80211
This moves the cfg80211 specific stuff to new cfg80211 debugfs
entries. Non-mac80211 will also get these entries now. There were
only 4 which we take:

rts_threshold
fragmentation_threshold
short_retry_limit
long_retry_limit

Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-20 14:46:23 -04:00
Luis R. Rodriguez
294196ab22 cfg80211: check allowed channel type upon userspace requests
Thanks to nl80211 userspace can be very specific upon device
configuration. Before processing the request for the new HT40
channel types (HT40- or HT40+) we need to ensure we can use them
regulatory-wise. This wasn't required with wireless extensions as
specifying the channel type wasn't not available and configuration
was done towards the end implicitly upon association or reception
of beacons from the AP. For the new nl80211 we have to check this
when configuring the interfaces explicitly.

Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-20 14:46:23 -04:00
Luis R. Rodriguez
689da1b3b8 wireless: rename IEEE80211_CHAN_NO_FAT_* to HT40-/+
This is more consistent with our nl80211 naming convention
for HT40-/+.

Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-20 14:46:22 -04:00
Luis R. Rodriguez
038659e7c6 cfg80211: Process regulatory max bandwidth checks for HT40
We are not correctly listening to the regulatory max bandwidth
settings. To actually make use of it we need to redesign things
a bit. This patch does the work for that. We do this to so we
can obey to regulatory rules accordingly for use of HT40.

We end up dealing with HT40 by having two passes for each channel.

The first check will see if a 20 MHz channel fits into the channel's
center freq on a given frequency range. We check for a 20 MHz
banwidth channel as that is the maximum an individual channel
will use, at least for now. The first pass will go ahead and
check if the regulatory rule for that given center of frequency
allows 40 MHz bandwidths and we use this to determine whether
or not the channel supports HT40 or not. So to support HT40 you'll
need at a regulatory rule that allows you to use 40 MHz channels
but you're channel must also be enabled and support 20 MHz by itself.

The second pass is done after we do the regulatory checks over
an device's supported channel list. On each channel we'll check
if the control channel and the extension both:

 o exist
 o are enabled
 o regulatory allows 40 MHz bandwidth on its frequency range

This work allows allows us to idependently check for HT40- and
HT40+.

Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-20 14:46:22 -04:00
Luis R. Rodriguez
5078b2e32a cfg80211: fix race between core hint and driver's custom apply
Its possible for cfg80211 to have scheduled the work and for
the global workqueue to not have kicked in prior to a cfg80211
driver's regulatory hint or wiphy_apply_custom_regulatory().

Although this is very unlikely its possible and should fix
this race. When this race would happen you are expected to have
hit a null pointer dereference panic.

Cc: stable@kernel.org
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Tested-by: Alan Jenkins <alan-jenkins@tuffmail.co.uk>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-20 14:29:54 -04:00
Johannes Berg
88f16db7a2 wext: verify buffer size for SIOCSIWENCODEEXT
Another design flaw in wireless extensions (is anybody
surprised?) in the way it handles the iw_encode_ext
structure: The structure is part of the 'extra' memory
but contains the key length explicitly, instead of it
just being the length of the extra buffer - size of
the struct and using the explicit key length only for
the get operation (which only writes it).

Therefore, we have this layout:

extra: +-------------------------+
       | struct iw_encode_ext  { |
       |     ...                 |
       |     u16 key_len;        |
       |     u8 key[0];          |
       | };                      |
       +-------------------------+
       | key material            |
       +-------------------------+

Now, all drivers I checked use ext->key_len without
checking that both key_len and the struct fit into the
extra buffer that has been copied from userspace. This
leads to a buffer overrun while reading that buffer,
depending on the driver it may be possible to specify
arbitrary key_len or it may need to be a proper length
for the key algorithm specified.

Thankfully, this is only exploitable by root, but root
can actually cause a segfault or use kernel memory as
a key (which you can even get back with siocgiwencode
or siocgiwencodeext from the key buffer).

Fix this by verifying that key_len fits into the buffer
along with struct iw_encode_ext.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-20 14:07:50 -04:00
Pablo Neira Ayuso
fd2120ca0d net: use NLMSG_DEFAULT_SIZE in nlmsg_new() allocations
nlmsg_new() adds the size of the netlink header to the value
that has been passed as parameter. If NLMSG_GOODSIZE is selected,
we request an allocation of one memory page plus the size of the
header. Instead, NLMSG_DEFAULT_SIZE should be used since it
already substracts the size of the Netlink header.

I have the impression that the similar naming in both constant
is error prone when using it with nlmsg_new(). This is already
documented in include/net/netlink.h

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-05-19 15:36:16 -07:00
Johannes Berg
f7eef3563c wext: remove seq_start/stop sparse annotations
Even though they are true, they cause sparse to complain
because it doesn't see the __acquires(dev_base_lock) on
dev_seq_start() because it is only added to the function
in net/core/dev.c, not the header file. To keep track of
the nesting correctly we should probably annotate those
functions publically, but for now let's just remove the
annotation I added to wext.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-13 15:44:40 -04:00
Jouni Malinen
faa8fdc853 nl80211: Add RSC configuration for new keys
When setting a key with NL80211_CMD_NEW_KEY, we should allow the key
sequence number (RSC) to be set in order to allow replay protection to
work correctly for group keys. This patch documents this use for
nl80211 and adds the couple of missing pieces in nl80211/cfg80211 and
mac80211 to support this. In addition, WEXT SIOCSIWENCODEEXT compat
processing in cfg80211 is extended to handle the RSC (this was already
specified in WEXT, but just not implemented in cfg80211/mac80211).

Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-13 15:44:39 -04:00
Jouni Malinen
3f77316c6b nl80211: Add IEEE 802.1X PAE control for station mode
Add a new NL80211_ATTR_CONTROL_PORT flag for NL80211_CMD_ASSOCIATE to
allow user space to indicate that it will control the IEEE 802.1X port
in station mode. Previously, mac80211 was always marking the port
authorized in station mode. This was enough when drop_unencrypted flag
was set. However, drop_unencrypted can currently be controlled only
with WEXT and the current nl80211 design does not allow fully secure
configuration. Fix this by providing a mechanism for user space to
control the IEEE 802.1X port in station mode (i.e., do the same that
we are already doing in AP mode).

Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-13 15:44:37 -04:00
Johannes Berg
eccb8e8f0c nl80211: improve station flags handling
It is currently not possible to modify station flags, but that
capability would be very useful. This patch introduces a new
nl80211 attribute that contains a set/mask for station flags,
and updates the internal API (and mac80211) to mirror that.

The new attribute is parsed before falling back to the old so
that userspace can specify both (if it can) to work on all
kernels.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-13 15:44:35 -04:00
Jouni Malinen
0e46724a48 nl80211: Validate MFP flag type when parsing STA flags
NL80211_STA_FLAG_MFP was forgotten from sta_flags_policy. The previous
version added the flag due to the loop used in parse_station_flags,
but the proper behavior would be to allow nla_parse_nested() to go
through the policy for all flags.

Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-13 15:44:33 -04:00
Johannes Berg
08645126dd cfg80211: implement wext key handling
Move key handling wireless extension ioctls from mac80211 to cfg80211
so that all drivers that implement the cfg80211 operations get wext
compatibility.

Note that this drops the SIOCGIWENCODE ioctl support for getting
IW_ENCODE_RESTRICTED/IW_ENCODE_OPEN. This means that iwconfig will
no longer report "Security mode:open" or "Security mode:restricted"
for mac80211. However, what we displayed there (the authentication
algo used) was actually wrong -- linux/wireless.h states that this
setting is meant to differentiate between "Refuse non-encoded packets"
and "Accept non-encoded packets".

(Combined with "cfg80211: fix a couple of bugs with key ioctls". -- JWL)

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-13 15:44:32 -04:00
Johannes Berg
7be69c0b9a wext: fix get_wireless_stats locking
Currently, get_wireless_stats is racy by _design_. This is
because it returns a buffer, which needs to be statically
allocated since it cannot be freed if it was allocated
dynamically. Also, SIOCGIWSTATS and /proc/net/wireless use
no common lock, and /proc/net/wireless accesses are not
synchronised against each other. This is a design flaw in
get_wireless_stats since the beginning.

This patch fixes it by wrapping /proc/net/wireless accesses
with the RTNL so they are protected against each other and
SIOCGIWSTATS. The more correct method of fixing this would
be to pass in the buffer instead of returning it and have
the caller take care of synchronisation of the buffer, but
even then most drivers probably assume that their callback
is protected by the RTNL like all other wext callbacks.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-11 15:24:07 -04:00
Johannes Berg
e80cf8537a cfg80211: disallow interfering with stations on non-AP
On non-AP interfaces userspace has no business interfering with
the station management, this can confuse mac80211 (and other
drivers probably wouldn't support it anyway). Allow adding and
removing stations only on AP interfaces.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-11 15:24:07 -04:00
Johannes Berg
cbe8fa9c5e cfg80211: put wext data into substructure
To make it more apparent in the code what is for wext
only (and needs to be #ifdef'ed) put all the info for
wext into a substruct in each wireless_dev.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-11 15:24:07 -04:00