1. 21 Dec, 2009 2 commits
    • mac80211: reduce reliance on netdev · 47846c9b
      Johannes Berg authored

      For bluetooth 3, we will most likely not have
      a netdev for a virtual interface (sdata), so
      prepare for that by reducing the reliance on
      having a netdev. This patch moves the name
      and address fields into the sdata struct and
      uses them from there all over. Some work is
      needed to keep them sync'ed, but that's not
      a lot of work and in slow paths anyway.
      
      In doing so, this also reduces the number of
      pointer dereferences in many places, because
      of things like sdata->dev->dev_addr becoming
      sdata->vif.addr.

      Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • mac80211: make station management completely depend on vif · abe60632
      Johannes Berg authored

      The station management currently uses the virtual
      interface, but you cannot add the same station to
      multiple virtual interfaces if you're communicating
      with it in multiple ways.
      
      This restriction should be lifted so that in the
      future we can, for instance, support bluetooth 3
      with an access point that mac80211 is already
      associated to.
      
      We can do that by requiring all sta_info_get users
      to provide the virtual interface and making the RX
      code aware that an address may match more than one
      station struct. Thanks to the previous patches this
      one isn't all that large and except for the RX and
      TX status paths changes has low complexity.

      Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
  2. 04 Dec, 2009 2 commits
  3. 30 Nov, 2009 2 commits
    • mac80211: fix spurious delBA handling · 827d42c9
      Johannes Berg authored

      Lennert Buytenhek noticed that delBA handling in mac80211
      was broken and has remotely triggerable problems, some of
      which are due to some code shuffling I did that ended up
      changing the order in which things were done -- this was
      
        commit d75636ef
        Author: Johannes Berg <johannes@sipsolutions.net>
        Date:   Tue Feb 10 21:25:53 2009 +0100
      
          mac80211: RX aggregation: clean up stop session
      
      and other parts were already present in the original
      
        commit d92684e6
        Author: Ron Rindjunsky <ron.rindjunsky@intel.com>
        Date:   Mon Jan 28 14:07:22 2008 +0200
      
            mac80211: A-MPDU Tx add delBA from recipient support
      
      The first problem is that I moved a BUG_ON before various
      checks -- thereby making it possible to hit. As the comment
      indicates, the BUG_ON can be removed since the ampdu_action
      callback must already exist when the state is != IDLE.
      
      The second problem isn't easily exploitable but there's a
      race condition due to unconditionally setting the state to
      OPERATIONAL when a delBA frame is received, even when no
      aggregation session was ever initiated. All the drivers
      accept stopping the session even then, but that opens a
      race window where crashes could happen before the driver
      accepts it. Right now, a WARN_ON may happen with non-HT
      drivers, while the race opens only for HT drivers.
      
      For this case, there are two things necessary to fix it:
       1) don't process spurious delBA frames, and be more careful
          about the session state; don't drop the lock
      
       2) HT drivers need to be prepared to handle a session stop
          even before the session was really started -- this is
          true for all drivers (that support aggregation) but
          iwlwifi which can be fixed easily. The other HT drivers
          (ath9k and ar9170) are behaving properly already.

      Reported-by: Lennert Buytenhek <buytenh@marvell.com>
      Cc: stable@kernel.org
      Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • mac80211: fix two remote exploits · 4253119a
      Johannes Berg authored

      Lennert Buytenhek noticed a remotely triggerable problem
      in mac80211, which is due to some code shuffling I did
      that ended up changing the order in which things were
      done -- this was in
      
        commit d75636ef
        Author: Johannes Berg <johannes@sipsolutions.net>
        Date:   Tue Feb 10 21:25:53 2009 +0100
      
          mac80211: RX aggregation: clean up stop session
      
      The problem is that the BUG_ON moved before the various
      checks, and as such can be triggered.
      
      As the comment indicates, the BUG_ON can be removed since
      the ampdu_action callback must already exist when the
      state is OPERATIONAL.
      
      A similar code path leads to a WARN_ON in
      ieee80211_stop_tx_ba_session, which can also be removed.
      
      Cc: stable@kernel.org [2.6.29+]
      Cc: Lennert Buytenhek <buytenh@marvell.com>
      Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
  4. 29 Nov, 2009 1 commit
  5. 28 Nov, 2009 4 commits
  6. 25 Nov, 2009 1 commit
  7. 23 Nov, 2009 3 commits
  8. 19 Nov, 2009 7 commits
  9. 18 Nov, 2009 15 commits
  10. 16 Nov, 2009 1 commit
  11. 13 Nov, 2009 2 commits