1. 28 Jun, 2016 1 commit
    • Jouni Malinen's avatar
      mac80211: Fix mesh estab_plinks counting in STA removal case · 126e7557
      Jouni Malinen authored
      If a user space program (e.g., wpa_supplicant) deletes a STA entry that
      is currently in NL80211_PLINK_ESTAB state, the number of established
      plinks counter was not decremented and this could result in rejecting
      new plink establishment before really hitting the real maximum plink
      limit. For !user_mpm case, this decrementation is handled by
      mesh_plink_deactive().
      
      Fix this by decrementing estab_plinks on STA deletion
      (mesh_sta_cleanup() gets called from there) so that the counter has a
      correct value and the Beacon frame advertisement in Mesh Configuration
      element shows the proper value for capability to accept additional
      peers.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJouni Malinen <j@w1.fi>
      Signed-off-by: default avatarJohannes Berg <johannes@sipsolutions.net>
      126e7557
  2. 31 May, 2016 2 commits
    • Felix Fietkau's avatar
      mac80211: fix fast_tx header alignment · 6fe04128
      Felix Fietkau authored
      The header field is defined as u8[] but also accessed as struct
      ieee80211_hdr. Enforce an alignment of 2 to prevent unnecessary
      unaligned accesses, which can be very harmful for performance on many
      platforms.
      
      Fixes: e495c247 ("mac80211: extend fast-xmit for more ciphers")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      6fe04128
    • Bob Copeland's avatar
      mac80211: mesh: flush mesh paths unconditionally · fe7a7c57
      Bob Copeland authored
      Currently, the mesh paths associated with a nexthop station are cleaned
      up in the following code path:
      
          __sta_info_destroy_part1
          synchronize_net()
          __sta_info_destroy_part2
           -> cleanup_single_sta
             -> mesh_sta_cleanup
               -> mesh_plink_deactivate
                 -> mesh_path_flush_by_nexthop
      
      However, there are a couple of problems here:
      
      1) the paths aren't flushed at all if the MPM is running in userspace
         (e.g. when using wpa_supplicant or authsae)
      
      2) there is no synchronize_rcu between removing the path and readers
         accessing the nexthop, which means the following race is possible:
      
      CPU0                            CPU1
      ~~~~                            ~~~~
                                      sta_info_destroy_part1()
                                      synchronize_net()
      rcu_read_lock()
      mesh_nexthop_resolve()
        mpath = mesh_path_lookup()
                                      [...] -> mesh_path_flush_by_nexthop()
        sta = rcu_dereference(
          mpath->next_hop)
                                      kfree(sta)
        access sta <-- CRASH
      
      Fix both of these by unconditionally flushing paths before destroying
      the sta, and by adding a synchronize_net() after path flush to ensure
      no active readers can still dereference the sta.
      
      Fixes this crash:
      
      [  348.529295] BUG: unable to handle kernel paging request at 00020040
      [  348.530014] IP: [<f929245d>] ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211]
      [  348.530014] *pde = 00000000
      [  348.530014] Oops: 0000 [#1] PREEMPT
      [  348.530014] Modules linked in: drbg ansi_cprng ctr ccm ppp_generic slhc ipt_MASQUERADE nf_nat_masquerade_ipv4 8021q ]
      [  348.530014] CPU: 0 PID: 20597 Comm: wget Tainted: G           O 4.6.0-rc5-wt=V1 #1
      [  348.530014] Hardware name: To Be Filled By O.E.M./To be filled by O.E.M., BIOS 080016  11/07/2014
      [  348.530014] task: f64fa280 ti: f4f9c000 task.ti: f4f9c000
      [  348.530014] EIP: 0060:[<f929245d>] EFLAGS: 00010246 CPU: 0
      [  348.530014] EIP is at ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211]
      [  348.530014] EAX: f4ce63e0 EBX: 00000088 ECX: f3788416 EDX: 00020008
      [  348.530014] ESI: 00000000 EDI: 00000088 EBP: f6409a4c ESP: f6409a40
      [  348.530014]  DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
      [  348.530014] CR0: 80050033 CR2: 00020040 CR3: 33190000 CR4: 00000690
      [  348.530014] Stack:
      [  348.530014]  00000000 f4ce63e0 f5f9bd80 f6409a64 f9291d80 0000ce67 f5d51e00 f4ce63e0
      [  348.530014]  f3788416 f6409a80 f9291dc1 f4ce8320 f4ce63e0 f5d51e00 f4ce63e0 f4ce8320
      [  348.530014]  f6409a98 f9277f6f 00000000 00000000 0000007c 00000000 f6409b2c f9278dd1
      [  348.530014] Call Trace:
      [  348.530014]  [<f9291d80>] mesh_nexthop_lookup+0xbb/0xc8 [mac80211]
      [  348.530014]  [<f9291dc1>] mesh_nexthop_resolve+0x34/0xd8 [mac80211]
      [  348.530014]  [<f9277f6f>] ieee80211_xmit+0x92/0xc1 [mac80211]
      [  348.530014]  [<f9278dd1>] __ieee80211_subif_start_xmit+0x807/0x83c [mac80211]
      [  348.530014]  [<c04df012>] ? sch_direct_xmit+0xd7/0x1b3
      [  348.530014]  [<c022a8c6>] ? __local_bh_enable_ip+0x5d/0x7b
      [  348.530014]  [<f956870c>] ? nf_nat_ipv4_out+0x4c/0xd0 [nf_nat_ipv4]
      [  348.530014]  [<f957e036>] ? iptable_nat_ipv4_fn+0xf/0xf [iptable_nat]
      [  348.530014]  [<c04c6f45>] ? netif_skb_features+0x14d/0x30a
      [  348.530014]  [<f9278e10>] ieee80211_subif_start_xmit+0xa/0xe [mac80211]
      [  348.530014]  [<c04c769c>] dev_hard_start_xmit+0x1f8/0x267
      [  348.530014]  [<c04c7261>] ?  validate_xmit_skb.isra.120.part.121+0x10/0x253
      [  348.530014]  [<c04defc6>] sch_direct_xmit+0x8b/0x1b3
      [  348.530014]  [<c04c7a9c>] __dev_queue_xmit+0x2c8/0x513
      [  348.530014]  [<c04c7cfb>] dev_queue_xmit+0xa/0xc
      [  348.530014]  [<f91bfc7a>] batadv_send_skb_packet+0xd6/0xec [batman_adv]
      [  348.530014]  [<f91bfdc4>] batadv_send_unicast_skb+0x15/0x4a [batman_adv]
      [  348.530014]  [<f91b5938>] batadv_dat_send_data+0x27e/0x310 [batman_adv]
      [  348.530014]  [<f91c30b5>] ? batadv_tt_global_hash_find.isra.11+0x8/0xa [batman_adv]
      [  348.530014]  [<f91b63f3>] batadv_dat_snoop_outgoing_arp_request+0x208/0x23d [batman_adv]
      [  348.530014]  [<f91c0cd9>] batadv_interface_tx+0x206/0x385 [batman_adv]
      [  348.530014]  [<c04c769c>] dev_hard_start_xmit+0x1f8/0x267
      [  348.530014]  [<c04c7261>] ?  validate_xmit_skb.isra.120.part.121+0x10/0x253
      [  348.530014]  [<c04defc6>] sch_direct_xmit+0x8b/0x1b3
      [  348.530014]  [<c04c7a9c>] __dev_queue_xmit+0x2c8/0x513
      [  348.530014]  [<f80cbd2a>] ? igb_xmit_frame+0x57/0x72 [igb]
      [  348.530014]  [<c04c7cfb>] dev_queue_xmit+0xa/0xc
      [  348.530014]  [<f843a326>] br_dev_queue_push_xmit+0xeb/0xfb [bridge]
      [  348.530014]  [<f843a35f>] br_forward_finish+0x29/0x74 [bridge]
      [  348.530014]  [<f843a23b>] ? deliver_clone+0x3b/0x3b [bridge]
      [  348.530014]  [<f843a714>] __br_forward+0x89/0xe7 [bridge]
      [  348.530014]  [<f843a336>] ? br_dev_queue_push_xmit+0xfb/0xfb [bridge]
      [  348.530014]  [<f843a234>] deliver_clone+0x34/0x3b [bridge]
      [  348.530014]  [<f843a68b>] ? br_flood+0x95/0x95 [bridge]
      [  348.530014]  [<f843a66d>] br_flood+0x77/0x95 [bridge]
      [  348.530014]  [<f843a809>] br_flood_forward+0x13/0x1a [bridge]
      [  348.530014]  [<f843a68b>] ? br_flood+0x95/0x95 [bridge]
      [  348.530014]  [<f843b877>] br_handle_frame_finish+0x392/0x3db [bridge]
      [  348.530014]  [<c04e9b2b>] ? nf_iterate+0x2b/0x6b
      [  348.530014]  [<f843baa6>] br_handle_frame+0x1e6/0x240 [bridge]
      [  348.530014]  [<f843b4e5>] ? br_handle_local_finish+0x6a/0x6a [bridge]
      [  348.530014]  [<c04c4ba0>] __netif_receive_skb_core+0x43a/0x66b
      [  348.530014]  [<f843b8c0>] ? br_handle_frame_finish+0x3db/0x3db [bridge]
      [  348.530014]  [<c023cea4>] ? resched_curr+0x19/0x37
      [  348.530014]  [<c0240707>] ? check_preempt_wakeup+0xbf/0xfe
      [  348.530014]  [<c0255dec>] ? ktime_get_with_offset+0x5c/0xfc
      [  348.530014]  [<c04c4fc1>] __netif_receive_skb+0x47/0x55
      [  348.530014]  [<c04c57ba>] netif_receive_skb_internal+0x40/0x5a
      [  348.530014]  [<c04c61ef>] napi_gro_receive+0x3a/0x94
      [  348.530014]  [<f80ce8d5>] igb_poll+0x6fd/0x9ad [igb]
      [  348.530014]  [<c0242bd8>] ? swake_up_locked+0x14/0x26
      [  348.530014]  [<c04c5d29>] net_rx_action+0xde/0x250
      [  348.530014]  [<c022a743>] __do_softirq+0x8a/0x163
      [  348.530014]  [<c022a6b9>] ? __hrtimer_tasklet_trampoline+0x19/0x19
      [  348.530014]  [<c021100f>] do_softirq_own_stack+0x26/0x2c
      [  348.530014]  <IRQ>
      [  348.530014]  [<c022a957>] irq_exit+0x31/0x6f
      [  348.530014]  [<c0210eb2>] do_IRQ+0x8d/0xa0
      [  348.530014]  [<c058152c>] common_interrupt+0x2c/0x40
      [  348.530014] Code: e7 8c 00 66 81 ff 88 00 75 12 85 d2 75 0e b2 c3 b8 83 e9 29 f9 e8 a7 5f f9 c6 eb 74 66 81 e3 8c 005
      [  348.530014] EIP: [<f929245d>] ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211] SS:ESP 0068:f6409a40
      [  348.530014] CR2: 0000000000020040
      [  348.530014] ---[ end trace 48556ac26779732e ]---
      [  348.530014] Kernel panic - not syncing: Fatal exception in interrupt
      [  348.530014] Kernel Offset: disabled
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarFred Veldini <fred.veldini@gmail.com>
      Tested-by: default avatarFred Veldini <fred.veldini@gmail.com>
      Signed-off-by: default avatarBob Copeland <me@bobcopeland.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      fe7a7c57
  3. 12 May, 2016 3 commits
  4. 27 Apr, 2016 1 commit
  5. 12 Apr, 2016 1 commit
  6. 06 Apr, 2016 13 commits
  7. 05 Apr, 2016 19 commits
    • Bob Copeland's avatar
      mac80211: mesh: flush paths outside of plink lock · e596af82
      Bob Copeland authored
      Lockdep warned of a lock dependency between the mesh_plink lock
      and the internal lock for the rhashtable.  The problem is that
      the rhashtable code uses a spin lock with softirqs enabled, while
      mesh_plink_timer executes a walk (to flush paths on a state change)
      inside a softirq with the plink lock held.
      
      This leads to the following deadlock if the timer fires while rht
      lock is held on this CPU, and plink lock is held on another CPU:
      
         CPU0                         CPU1
         ----                         ----
         lock(&(&ht->lock)->rlock);
                                      local_irq_disable();
                                      lock(&(&sta->mesh->plink_lock)->rlock);
                                      lock(&(&ht->lock)->rlock);
         <Interrupt>
         lock(&(&sta->mesh->plink_lock)->rlock);
         *** DEADLOCK ***
      
      Fix by waiting until we drop the plink lock to flush paths.
      
      Fixes: d48a1b7cd439 ("mac80211: mesh: convert path table to rhashtable")
      Signed-off-by: default avatarBob Copeland <me@bobcopeland.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      e596af82
    • Bob Copeland's avatar
      mac80211: mesh: fix cleanup for mesh pathtable · 0371a08f
      Bob Copeland authored
      The mesh path table needs to be around for the entire time the
      interface is in mesh mode, as users can perform an mpath dump
      at any time.  The existing path table lifetime is instead tied
      to the mesh BSS which can cause crashes when different MBSSes
      are joined in the context of a single interface, or when the
      path table is dumped when no MBSS is joined.
      
      Introduce a new function to perform the final teardown of the
      interface and perform path table cleanup there.  We already
      free the individual path elements when the leaving the mesh
      so no additional cleanup is needed there.  This fixes the
      following crash:
      
      [   47.753026] BUG: unable to handle kernel paging request at fffffff0
      [   47.753026] IP: [<c0239765>] kthread_data+0xa/0xe
      [   47.753026] *pde = 00741067 *pte = 00000000
      [   47.753026] Oops: 0000 [#4] PREEMPT
      [   47.753026] Modules linked in: ppp_generic slhc 8021q garp mrp sch_fq_codel iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat ip_tables ath9k_htc ath5k 8139too ath10k_pci ath10k_core arc4 ath9k ath9k_common ath9k_hw mac80211 ath cfg80211 cpufreq_powersave br_netfilter bridge stp llc ipw usb_wwan sierra_net usbnet af_alg natsemi via_rhine mii iTCO_wdt iTCO_vendor_support gpio_ich sierra coretemp pcspkr i2c_i801 lpc_ich ata_generic ata_piix libata ide_pci_generic piix e1000e igb i2c_algo_bit ptp pps_core [last unloaded: 8139too]
      [   47.753026] CPU: 0 PID: 12 Comm: kworker/u2:1 Tainted: G      D W       4.5.0-wt-V3 #6
      [   47.753026] Hardware name: To Be Filled By O.E.M./To be filled by O.E.M., BIOS 080016  11/07/2014
      [   47.753026] task: f645a0c0 ti: f6462000 task.ti: f6462000
      [   47.753026] EIP: 0060:[<c0239765>] EFLAGS: 00010002 CPU: 0
      [   47.753026] EIP is at kthread_data+0xa/0xe
      [   47.753026] EAX: 00000000 EBX: 00000000 ECX: 00000000 EDX: 00000000
      [   47.753026] ESI: f645a0c0 EDI: f645a2fc EBP: f6463a80 ESP: f6463a78
      [   47.753026]  DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068
      [   47.753026] CR0: 8005003b CR2: 00000014 CR3: 353e5000 CR4: 00000690
      [   47.753026] Stack:
      [   47.753026]  c0236866 00000000 f6463aac c05768b4 00000009 f6463ba8 f6463ab0 c0247010
      [   47.753026]  00000000 f645a0c0 f6464000 00000009 f6463ba8 f6463ab8 c0576eb2 f645a0c0
      [   47.753026]  f6463aec c0228be4 c06335a4 f6463adc f6463ad0 c06c06d4 f6463ae4 c02471b0
      [   47.753026] Call Trace:
      [   47.753026]  [<c0236866>] ? wq_worker_sleeping+0xb/0x78
      [   47.753026]  [<c05768b4>] __schedule+0xda/0x587
      [   47.753026]  [<c0247010>] ? vprintk_default+0x12/0x14
      [   47.753026]  [<c0576eb2>] schedule+0x72/0x89
      [   47.753026]  [<c0228be4>] do_exit+0xb8/0x71d
      [   47.753026]  [<c02471b0>] ? kmsg_dump+0xa9/0xae
      [   47.753026]  [<c0203576>] oops_end+0x69/0x70
      [   47.753026]  [<c021dcdb>] no_context+0x1bb/0x1c5
      [   47.753026]  [<c021de1b>] __bad_area_nosemaphore+0x136/0x140
      [   47.753026]  [<c021e2ef>] ? vmalloc_sync_all+0x19a/0x19a
      [   47.753026]  [<c021de32>] bad_area_nosemaphore+0xd/0x10
      [   47.753026]  [<c021e0a1>] __do_page_fault+0x26c/0x320
      [   47.753026]  [<c021e2ef>] ? vmalloc_sync_all+0x19a/0x19a
      [   47.753026]  [<c021e2fa>] do_page_fault+0xb/0xd
      [   47.753026]  [<c05798f8>] error_code+0x58/0x60
      [   47.753026]  [<c021e2ef>] ? vmalloc_sync_all+0x19a/0x19a
      [   47.753026]  [<c0239765>] ? kthread_data+0xa/0xe
      [   47.753026]  [<c0236866>] ? wq_worker_sleeping+0xb/0x78
      [   47.753026]  [<c05768b4>] __schedule+0xda/0x587
      [   47.753026]  [<c0247010>] ? vprintk_default+0x12/0x14
      [   47.753026]  [<c0576eb2>] schedule+0x72/0x89
      [   47.753026]  [<c0228be4>] do_exit+0xb8/0x71d
      [   47.753026]  [<c02471b0>] ? kmsg_dump+0xa9/0xae
      [   47.753026]  [<c0203576>] oops_end+0x69/0x70
      [   47.753026]  [<c021dcdb>] no_context+0x1bb/0x1c5
      [   47.753026]  [<c021de1b>] __bad_area_nosemaphore+0x136/0x140
      [   47.753026]  [<c021e2ef>] ? vmalloc_sync_all+0x19a/0x19a
      [   47.753026]  [<c021de32>] bad_area_nosemaphore+0xd/0x10
      [   47.753026]  [<c021e0a1>] __do_page_fault+0x26c/0x320
      [   47.753026]  [<c021e2ef>] ? vmalloc_sync_all+0x19a/0x19a
      [   47.753026]  [<c021e2fa>] do_page_fault+0xb/0xd
      [   47.753026]  [<c05798f8>] error_code+0x58/0x60
      [   47.753026]  [<c021e2ef>] ? vmalloc_sync_all+0x19a/0x19a
      [   47.753026]  [<c0239765>] ? kthread_data+0xa/0xe
      [   47.753026]  [<c0236866>] ? wq_worker_sleeping+0xb/0x78
      [   47.753026]  [<c05768b4>] __schedule+0xda/0x587
      [   47.753026]  [<c0391e32>] ? put_io_context_active+0x6d/0x95
      [   47.753026]  [<c0576eb2>] schedule+0x72/0x89
      [   47.753026]  [<c02291f8>] do_exit+0x6cc/0x71d
      [   47.753026]  [<c0203576>] oops_end+0x69/0x70
      [   47.753026]  [<c021dcdb>] no_context+0x1bb/0x1c5
      [   47.753026]  [<c021de1b>] __bad_area_nosemaphore+0x136/0x140
      [   47.753026]  [<c021e2ef>] ? vmalloc_sync_all+0x19a/0x19a
      [   47.753026]  [<c021de32>] bad_area_nosemaphore+0xd/0x10
      [   47.753026]  [<c021e0a1>] __do_page_fault+0x26c/0x320
      [   47.753026]  [<c03b9160>] ? debug_smp_processor_id+0x12/0x16
      [   47.753026]  [<c02015e2>] ? __switch_to+0x24/0x40e
      [   47.753026]  [<c021e2ef>] ? vmalloc_sync_all+0x19a/0x19a
      [   47.753026]  [<c021e2fa>] do_page_fault+0xb/0xd
      [   47.753026]  [<c05798f8>] error_code+0x58/0x60
      [   47.753026]  [<c021e2ef>] ? vmalloc_sync_all+0x19a/0x19a
      [   47.753026]  [<c03b59d2>] ? rhashtable_walk_init+0x5c/0x93
      [   47.753026]  [<f9843221>] mesh_path_tbl_expire.isra.24+0x19/0x82 [mac80211]
      [   47.753026]  [<f984408b>] mesh_path_expire+0x11/0x1f [mac80211]
      [   47.753026]  [<f9842bb7>] ieee80211_mesh_work+0x73/0x1a9 [mac80211]
      [   47.753026]  [<f98207d1>] ieee80211_iface_work+0x2ff/0x311 [mac80211]
      [   47.753026]  [<c0235fa3>] process_one_work+0x14b/0x24e
      [   47.753026]  [<c0236313>] worker_thread+0x249/0x343
      [   47.753026]  [<c02360ca>] ? process_scheduled_works+0x24/0x24
      [   47.753026]  [<c0239359>] kthread+0x9e/0xa3
      [   47.753026]  [<c0578e50>] ret_from_kernel_thread+0x20/0x40
      [   47.753026]  [<c02392bb>] ? kthread_parkme+0x18/0x18
      [   47.753026] Code: 6b c0 85 c0 75 05 e8 fb 74 fc ff 89 f8 84 c0 75 08 8d 45 e8 e8 34 dd 33 00 83 c4 28 5b 5e 5f 5d c3 55 8b 80 10 02 00 00 89 e5 5d <8b> 40 f0 c3 55 b9 04 00 00 00 89 e5 52 8b 90 10 02 00 00 8d 45
      [   47.753026] EIP: [<c0239765>] kthread_data+0xa/0xe SS:ESP 0068:f6463a78
      [   47.753026] CR2: 00000000fffffff0
      [   47.753026] ---[ end trace 867ca0bdd0767790 ]---
      
      Fixes: 3b302ada7f0a ("mac80211: mesh: move path tables into if_mesh")
      Reported-by: default avatarFred Veldini <fred.veldini@gmail.com>
      Signed-off-by: default avatarBob Copeland <me@bobcopeland.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      0371a08f
    • Bob Copeland's avatar
      mac80211: mesh: fix mesh path kerneldoc · 68bb54b4
      Bob Copeland authored
      Several of the mesh path fields are undocumented and some
      of the documentation is no longer correct or relevant after
      the switch to rhashtable.  Clean up the kernel doc
      accordingly and reorder some fields to match the structure
      layout.
      Signed-off-by: default avatarBob Copeland <me@bobcopeland.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      68bb54b4
    • Bob Copeland's avatar
      mac80211: mesh: reorder structure members · 3257523b
      Bob Copeland authored
      Reduce padding waste in struct mesh_table and struct rmc_entry by
      moving the smaller fields to the end.
      Signed-off-by: default avatarBob Copeland <me@bobcopeland.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      3257523b
    • Bob Copeland's avatar
      mac80211: mesh: embed gates hlist head directly · 18b27ff7
      Bob Copeland authored
      Since we have converted the mesh path tables to rhashtable, we are
      no longer swapping out the entire mesh_pathtbl pointer with RCU.
      As a result, we no longer need indirection to the hlist head for
      the gates list and can simply embed it, saving a pair of
      pointer-sized allocations.
      Signed-off-by: default avatarBob Copeland <me@bobcopeland.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      18b27ff7
    • Bob Copeland's avatar
      mac80211: mesh: use hlist for rmc cache · 47a0489c
      Bob Copeland authored
      The RMC cache has 256 list heads plus a u32, which puts it at the
      unfortunate size of 4104 bytes with padding.  kmalloc() will then
      round this up to the next power-of-two, so we wind up actually
      using two pages here where most of the second is wasted.
      
      Switch to hlist heads here to reduce the structure size down to
      fit within a page.
      Signed-off-by: default avatarBob Copeland <me@bobcopeland.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      47a0489c
    • Bob Copeland's avatar
      mac80211: mesh: handle failed alloc for rmc cache · 0aa7fabb
      Bob Copeland authored
      In the unlikely case that mesh_rmc_init() fails with -ENOMEM,
      the rmc pointer will be left as NULL but the interface is still
      operational because ieee80211_mesh_init_sdata() is not allowed
      to fail.
      
      If this happens, we would blindly dereference rmc when checking
      whether a multicast frame is in the cache.  Instead just drop the
      frames in the forwarding path.
      Signed-off-by: default avatarBob Copeland <me@bobcopeland.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      0aa7fabb
    • Bob Copeland's avatar
      mac80211: mesh: fix crash in mesh_path_timer · 74932959
      Bob Copeland authored
      The mesh_path_reclaim() function, called from an rcu callback, cancels
      the mesh_path_timer associated with a mesh path.  Unfortunately, this
      call can happen much later, perhaps after the hash table itself is
      destroyed.
      
      Such a situation led to the following crash in mesh_path_send_to_gates()
      when dereferencing the tbl pointer:
      
      [   23.901661] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
      [   23.905516] IP: [<ffffffff814c910b>] mesh_path_send_to_gates+0x2b/0x740
      [   23.908757] PGD 99ca067 PUD 99c4067 PMD 0
      [   23.910789] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
      [   23.913485] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.5.0-rc6-wt+ #43
      [   23.916675] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Debian-1.8.2-1 04/01/2014
      [   23.920471] task: ffffffff81685500 ti: ffffffff81678000 task.ti: ffffffff81678000
      [   23.922619] RIP: 0010:[<ffffffff814c910b>]  [<ffffffff814c910b>] mesh_path_send_to_gates+0x2b/0x740
      [   23.925237] RSP: 0018:ffff88000b403d30  EFLAGS: 00010286
      [   23.926739] RAX: 0000000000000000 RBX: ffff880009bc0d20 RCX: 0000000000000102
      [   23.928796] RDX: 000000000000002e RSI: 0000000000000001 RDI: ffff880009bc0d20
      [   23.930895] RBP: ffff88000b403e18 R08: 0000000000000001 R09: 0000000000000001
      [   23.932917] R10: 0000000000000000 R11: 0000000000000001 R12: ffff880009c20940
      [   23.936370] R13: ffff880009bc0e70 R14: ffff880009c21c40 R15: ffff880009bc0d20
      [   23.939823] FS:  0000000000000000(0000) GS:ffff88000b400000(0000) knlGS:0000000000000000
      [   23.943688] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [   23.946429] CR2: 0000000000000008 CR3: 00000000099c5000 CR4: 00000000000006b0
      [   23.949861] Stack:
      [   23.950840]  000000000000002e ffff880009c20940 ffff88000b403da8 ffffffff8109e551
      [   23.954467]  ffffffff82711be2 000000000000002e 0000000000000000 ffffffff8166a5f5
      [   23.958141]  0000000000685ce8 0000000000000246 ffff880009bc0d20 ffff880009c20940
      [   23.961801] Call Trace:
      [   23.962987]  <IRQ>
      [   23.963963]  [<ffffffff8109e551>] ? vprintk_emit+0x351/0x5e0
      [   23.966782]  [<ffffffff8109e8ff>] ? vprintk_default+0x1f/0x30
      [   23.969529]  [<ffffffff810ffa41>] ? printk+0x48/0x50
      [   23.971956]  [<ffffffff814ceef3>] mesh_path_timer+0x133/0x160
      [   23.974707]  [<ffffffff814cedc0>] ? mesh_nexthop_resolve+0x230/0x230
      [   23.977775]  [<ffffffff810b04ee>] call_timer_fn+0xce/0x330
      [   23.980448]  [<ffffffff810b0425>] ? call_timer_fn+0x5/0x330
      [   23.983126]  [<ffffffff814cedc0>] ? mesh_nexthop_resolve+0x230/0x230
      [   23.986091]  [<ffffffff810b097c>] run_timer_softirq+0x22c/0x390
      
      Instead of cancelling in the RCU callback, set a new flag to prevent the
      timer from being rearmed, and then cancel the timer synchronously when
      freeing the mesh path.  This leaves mesh_path_reclaim() doing nothing
      but kfree, so switch to kfree_rcu().
      
      Fixes: 3b302ada7f0a ("mac80211: mesh: move path tables into if_mesh")
      Signed-off-by: default avatarBob Copeland <me@bobcopeland.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      74932959
    • Ayala Beker's avatar
      mac80211: track and tell driver about GO client P2P PS abilities · 52cfa1d6
      Ayala Beker authored
      Legacy clients don't support P2P power save mechanism, and thus if a P2P GO
      has a legacy client connected to it, it should disable P2P PS mechanisms.
      Let the driver know about this with a new bss_conf parameter.
      Signed-off-by: default avatarAyala Beker <ayala.beker@intel.com>
      Signed-off-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      52cfa1d6
    • Johannes Berg's avatar
      mac80211: avoid useless memory write on each frame RX · b100e5d6
      Johannes Berg authored
      In the likely case that probe_count is 0, don't write to the
      memory there.
      
      Also use ifmgd consistently in the function, instead of using
      sdata->u.mgd as well.
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      b100e5d6
    • Johannes Berg's avatar
      mac80211: fix cipher scheme function name · 2c61cf9c
      Johannes Berg authored
      The code is only used with iwlwifi, but still should have proper
      mac80211 naming scheme; fix that.
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      2c61cf9c
    • Johannes Berg's avatar
      mac80211: clean up station flags debugfs · c84387d2
      Johannes Berg authored
      Avoid the really strange %s%s%s expression, use an array
      of flag names and check that all flags are present.
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      c84387d2
    • Johannes Berg's avatar
      mac80211: don't start dynamic PS timer if not needed · 602fae42
      Johannes Berg authored
      If the device implements dynamic PS itself, there's no need
      to ever start the dynamic powersave timer on RX.
      
      While at it, fix up some indentation in this code.
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      602fae42
    • Johannes Berg's avatar
      mac80211: remove sta_info debugfs sub-struct · fc4a25c5
      Johannes Berg authored
      Since the previous patch, the struct only has a single member,
      so remove the struct and leave just the single member.
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      fc4a25c5
    • Mohammed Shafi Shajakhan's avatar
      mac80211: Remove unused variable in per STA debugfs struct · 96f321c9
      Mohammed Shafi Shajakhan authored
      Remove unused variable in per STA debugfs structure, 'commit 34e89507
      ("mac80211: allow station add/remove to sleep")' removed the only user of
      'add_has_run'.
      Signed-off-by: default avatarMohammed Shafi Shajakhan <mohammed@qti.qualcomm.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      96f321c9
    • Sara Sharon's avatar
      mac80211: enable starting BA session with custom timeout · 1e0bbeba
      Sara Sharon authored
      Currently the debugfs entry for starting aggregation session
      starts it with timeout of 5 seconds. Allow opening a session
      with a custom timeout (according to spec 0 is no timeout).
      while at it, refactor the function and remove the magic numbers.
      Signed-off-by: default avatarSara Sharon <sara.sharon@intel.com>
      Signed-off-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      1e0bbeba
    • Sara Sharon's avatar
      mac80211: add NETIF_F_RXCSUM to features white list · e0352123
      Sara Sharon authored
      NETIF_F_RXCSUM is not in the white list, though some
      drivers may want to set it in order to enable seeing the
      actual RX checksum status in ethtool.
      Signed-off-by: default avatarSara Sharon <sara.sharon@intel.com>
      Signed-off-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      e0352123
    • Emmanuel Grumbach's avatar
      mac80211: Set global RRM capability · f278ce4f
      Emmanuel Grumbach authored
      Allow publishing RRM capabilities for features that are not
      HW dependent.
      Signed-off-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      f278ce4f
    • Felix Fietkau's avatar
      mac80211: minstrel_ht: improve sample rate skip logic · 06171e9c
      Felix Fietkau authored
      There were a few issues that were slowing down the process of finding
      the optimal rate, especially on devices with multi-rate retry
      limitations:
      
      When max_tp_rate[0] was slower than max_tp_rate[1], the code did not
      sample max_tp_rate[1], which would often allow it to switch places with
      max_tp_rate[0] (e.g. if only the first sampling attempts were bad, but the
      rate is otherwise good).
      
      Also, sample attempts of rates between max_tp_rate[0] and [1] were being
      ignored in this case, because the code only checked if the rate was
      slower than [1].
      
      Fix this by checking against the fastest / second fastest max_tp_rate
      instead of assuming a specific order between the two.
      
      In my tests this patch significantly reduces the time until minstrel_ht
      finds the optimal rate right after assoc
      Signed-off-by: default avatarFelix Fietkau <nbd@openwrt.org>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      06171e9c