mac80211: update to version 4.19.23-1
This updates mac80211 to backports version 4.19.23-1 which includes all the stable fixes from kernel 4.19.23. The removed patches are included in this version. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>v19.07.3_mercusys_ac12_duma
Hauke Mehrtens
5 years ago
parent
c8a30172f8
commit
d48a8ed40d
@ -1,27 +0,0 @@
|
||||
From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
|
||||
Date: Fri, 2 Nov 2018 21:49:55 +0100
|
||||
Subject: [PATCH] ath9k: dynack: use authentication messages for 'late' ack
|
||||
|
||||
In order to properly support dynack in ad-hoc mode running
|
||||
wpa_supplicant, take into account authentication frames for
|
||||
'late ack' detection. This patch has been tested on devices
|
||||
mounted on offshore high-voltage stations connected through
|
||||
~24Km link
|
||||
|
||||
Reported-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
|
||||
Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
|
||||
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
|
||||
---
|
||||
|
||||
--- a/drivers/net/wireless/ath/ath9k/dynack.c
|
||||
+++ b/drivers/net/wireless/ath/ath9k/dynack.c
|
||||
@@ -187,7 +187,8 @@ void ath_dynack_sample_tx_ts(struct ath_
|
||||
/* late ACK */
|
||||
if (ts->ts_status & ATH9K_TXERR_XRETRY) {
|
||||
if (ieee80211_is_assoc_req(hdr->frame_control) ||
|
||||
- ieee80211_is_assoc_resp(hdr->frame_control)) {
|
||||
+ ieee80211_is_assoc_resp(hdr->frame_control) ||
|
||||
+ ieee80211_is_auth(hdr->frame_control)) {
|
||||
ath_dbg(common, DYNACK, "late ack\n");
|
||||
ath9k_hw_setslottime(ah, (LATEACK_TO - 3) / 2);
|
||||
ath9k_hw_set_ack_timeout(ah, LATEACK_TO);
|
||||
@ -1,33 +0,0 @@
|
||||
From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
|
||||
Date: Fri, 2 Nov 2018 21:49:57 +0100
|
||||
Subject: [PATCH] ath9k: dynack: check da->enabled first in sampling
|
||||
routines
|
||||
|
||||
Check da->enabled flag first in ath_dynack_sample_tx_ts and
|
||||
ath_dynack_sample_ack_ts routines in order to avoid useless
|
||||
processing
|
||||
|
||||
Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
|
||||
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
|
||||
---
|
||||
|
||||
--- a/drivers/net/wireless/ath/ath9k/dynack.c
|
||||
+++ b/drivers/net/wireless/ath/ath9k/dynack.c
|
||||
@@ -178,7 +178,7 @@ void ath_dynack_sample_tx_ts(struct ath_
|
||||
u32 dur = ts->duration;
|
||||
u8 ridx;
|
||||
|
||||
- if ((info->flags & IEEE80211_TX_CTL_NO_ACK) || !da->enabled)
|
||||
+ if (!da->enabled || (info->flags & IEEE80211_TX_CTL_NO_ACK))
|
||||
return;
|
||||
|
||||
spin_lock_bh(&da->qlock);
|
||||
@@ -251,7 +251,7 @@ void ath_dynack_sample_ack_ts(struct ath
|
||||
struct ath_common *common = ath9k_hw_common(ah);
|
||||
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
|
||||
|
||||
- if (!ath_dynack_bssidmask(ah, hdr->addr1) || !da->enabled)
|
||||
+ if (!da->enabled || !ath_dynack_bssidmask(ah, hdr->addr1))
|
||||
return;
|
||||
|
||||
spin_lock_bh(&da->qlock);
|
||||
@ -1,139 +0,0 @@
|
||||
From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
|
||||
Date: Fri, 2 Nov 2018 21:49:58 +0100
|
||||
Subject: [PATCH] ath9k: dynack: make ewma estimation faster
|
||||
|
||||
In order to make propagation time estimation faster,
|
||||
use current sample as ewma output value during 'late ack'
|
||||
tracking
|
||||
|
||||
Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
|
||||
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
|
||||
---
|
||||
|
||||
--- a/drivers/net/wireless/ath/ath9k/ath9k.h
|
||||
+++ b/drivers/net/wireless/ath/ath9k/ath9k.h
|
||||
@@ -274,7 +274,7 @@ struct ath_node {
|
||||
#endif
|
||||
u8 key_idx[4];
|
||||
|
||||
- u32 ackto;
|
||||
+ int ackto;
|
||||
struct list_head list;
|
||||
};
|
||||
|
||||
--- a/drivers/net/wireless/ath/ath9k/dynack.c
|
||||
+++ b/drivers/net/wireless/ath/ath9k/dynack.c
|
||||
@@ -29,9 +29,13 @@
|
||||
* ath_dynack_ewma - EWMA (Exponentially Weighted Moving Average) calculation
|
||||
*
|
||||
*/
|
||||
-static inline u32 ath_dynack_ewma(u32 old, u32 new)
|
||||
+static inline int ath_dynack_ewma(int old, int new)
|
||||
{
|
||||
- return (new * (EWMA_DIV - EWMA_LEVEL) + old * EWMA_LEVEL) / EWMA_DIV;
|
||||
+ if (old > 0)
|
||||
+ return (new * (EWMA_DIV - EWMA_LEVEL) +
|
||||
+ old * EWMA_LEVEL) / EWMA_DIV;
|
||||
+ else
|
||||
+ return new;
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -82,10 +86,10 @@ static inline bool ath_dynack_bssidmask(
|
||||
*/
|
||||
static void ath_dynack_compute_ackto(struct ath_hw *ah)
|
||||
{
|
||||
- struct ath_node *an;
|
||||
- u32 to = 0;
|
||||
- struct ath_dynack *da = &ah->dynack;
|
||||
struct ath_common *common = ath9k_hw_common(ah);
|
||||
+ struct ath_dynack *da = &ah->dynack;
|
||||
+ struct ath_node *an;
|
||||
+ int to = 0;
|
||||
|
||||
list_for_each_entry(an, &da->nodes, list)
|
||||
if (an->ackto > to)
|
||||
@@ -144,7 +148,8 @@ static void ath_dynack_compute_to(struct
|
||||
an->ackto = ath_dynack_ewma(an->ackto,
|
||||
ackto);
|
||||
ath_dbg(ath9k_hw_common(ah), DYNACK,
|
||||
- "%pM to %u\n", dst, an->ackto);
|
||||
+ "%pM to %d [%u]\n", dst,
|
||||
+ an->ackto, ackto);
|
||||
if (time_is_before_jiffies(da->lto)) {
|
||||
ath_dynack_compute_ackto(ah);
|
||||
da->lto = jiffies + COMPUTE_TO;
|
||||
@@ -166,10 +171,12 @@ static void ath_dynack_compute_to(struct
|
||||
* @ah: ath hw
|
||||
* @skb: socket buffer
|
||||
* @ts: tx status info
|
||||
+ * @sta: station pointer
|
||||
*
|
||||
*/
|
||||
void ath_dynack_sample_tx_ts(struct ath_hw *ah, struct sk_buff *skb,
|
||||
- struct ath_tx_status *ts)
|
||||
+ struct ath_tx_status *ts,
|
||||
+ struct ieee80211_sta *sta)
|
||||
{
|
||||
struct ieee80211_hdr *hdr;
|
||||
struct ath_dynack *da = &ah->dynack;
|
||||
@@ -191,9 +198,16 @@ void ath_dynack_sample_tx_ts(struct ath_
|
||||
ieee80211_is_assoc_resp(hdr->frame_control) ||
|
||||
ieee80211_is_auth(hdr->frame_control)) {
|
||||
ath_dbg(common, DYNACK, "late ack\n");
|
||||
+
|
||||
ath9k_hw_setslottime(ah, (LATEACK_TO - 3) / 2);
|
||||
ath9k_hw_set_ack_timeout(ah, LATEACK_TO);
|
||||
ath9k_hw_set_cts_timeout(ah, LATEACK_TO);
|
||||
+ if (sta) {
|
||||
+ struct ath_node *an;
|
||||
+
|
||||
+ an = (struct ath_node *)sta->drv_priv;
|
||||
+ an->ackto = -1;
|
||||
+ }
|
||||
da->lto = jiffies + LATEACK_DELAY;
|
||||
}
|
||||
|
||||
--- a/drivers/net/wireless/ath/ath9k/dynack.h
|
||||
+++ b/drivers/net/wireless/ath/ath9k/dynack.h
|
||||
@@ -86,7 +86,8 @@ void ath_dynack_node_deinit(struct ath_h
|
||||
void ath_dynack_init(struct ath_hw *ah);
|
||||
void ath_dynack_sample_ack_ts(struct ath_hw *ah, struct sk_buff *skb, u32 ts);
|
||||
void ath_dynack_sample_tx_ts(struct ath_hw *ah, struct sk_buff *skb,
|
||||
- struct ath_tx_status *ts);
|
||||
+ struct ath_tx_status *ts,
|
||||
+ struct ieee80211_sta *sta);
|
||||
#else
|
||||
static inline void ath_dynack_init(struct ath_hw *ah) {}
|
||||
static inline void ath_dynack_node_init(struct ath_hw *ah,
|
||||
@@ -97,7 +98,8 @@ static inline void ath_dynack_sample_ack
|
||||
struct sk_buff *skb, u32 ts) {}
|
||||
static inline void ath_dynack_sample_tx_ts(struct ath_hw *ah,
|
||||
struct sk_buff *skb,
|
||||
- struct ath_tx_status *ts) {}
|
||||
+ struct ath_tx_status *ts,
|
||||
+ struct ieee80211_sta *sta) {}
|
||||
#endif
|
||||
|
||||
#endif /* DYNACK_H */
|
||||
--- a/drivers/net/wireless/ath/ath9k/xmit.c
|
||||
+++ b/drivers/net/wireless/ath/ath9k/xmit.c
|
||||
@@ -629,7 +629,7 @@ static void ath_tx_complete_aggr(struct
|
||||
if (bf == bf->bf_lastbf)
|
||||
ath_dynack_sample_tx_ts(sc->sc_ah,
|
||||
bf->bf_mpdu,
|
||||
- ts);
|
||||
+ ts, sta);
|
||||
}
|
||||
|
||||
ath_tx_complete_buf(sc, bf, txq, &bf_head, sta, ts,
|
||||
@@ -773,7 +773,8 @@ static void ath_tx_process_buffer(struct
|
||||
memcpy(info->control.rates, bf->rates,
|
||||
sizeof(info->control.rates));
|
||||
ath_tx_rc_status(sc, bf, ts, 1, txok ? 0 : 1, txok);
|
||||
- ath_dynack_sample_tx_ts(sc->sc_ah, bf->bf_mpdu, ts);
|
||||
+ ath_dynack_sample_tx_ts(sc->sc_ah, bf->bf_mpdu, ts,
|
||||
+ sta);
|
||||
}
|
||||
ath_tx_complete_buf(sc, bf, txq, bf_head, sta, ts, txok);
|
||||
} else
|
||||
@ -1,41 +0,0 @@
|
||||
From 3401d42c7ea2d064d15c66698ff8eb96553179ce Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
|
||||
Date: Fri, 26 Oct 2018 12:50:39 +0200
|
||||
Subject: [PATCH] brcmutil: really fix decoding channel info for 160 MHz
|
||||
bandwidth
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
Previous commit /adding/ support for 160 MHz chanspecs was incomplete.
|
||||
It didn't set bandwidth info and didn't extract control channel info. As
|
||||
the result it was also using uninitialized "sb" var.
|
||||
|
||||
This change has been tested for two chanspecs found to be reported by
|
||||
some devices/firmwares:
|
||||
1) 60/160 (0xee32)
|
||||
Before: chnum:50 control_ch_num:36
|
||||
After: chnum:50 control_ch_num:60
|
||||
2) 120/160 (0xed72)
|
||||
Before: chnum:114 control_ch_num:100
|
||||
After: chnum:114 control_ch_num:120
|
||||
|
||||
Fixes: 330994e8e8ec ("brcmfmac: fix for proper support of 160MHz bandwidth")
|
||||
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
|
||||
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
||||
---
|
||||
drivers/net/wireless/broadcom/brcm80211/brcmutil/d11.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
--- a/drivers/net/wireless/broadcom/brcm80211/brcmutil/d11.c
|
||||
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmutil/d11.c
|
||||
@@ -193,6 +193,9 @@ static void brcmu_d11ac_decchspec(struct
|
||||
}
|
||||
break;
|
||||
case BRCMU_CHSPEC_D11AC_BW_160:
|
||||
+ ch->bw = BRCMU_CHAN_BW_160;
|
||||
+ ch->sb = brcmu_maskget16(ch->chspec, BRCMU_CHSPEC_D11AC_SB_MASK,
|
||||
+ BRCMU_CHSPEC_D11AC_SB_SHIFT);
|
||||
switch (ch->sb) {
|
||||
case BRCMU_CHAN_SB_LLL:
|
||||
ch->control_ch_num -= CH_70MHZ_APART;
|
||||
@ -1,110 +0,0 @@
|
||||
From b72c51a58e6d63ef673ac96b8ab5bc98799c5f7b Mon Sep 17 00:00:00 2001
|
||||
From: Lyude Paul <lyude@redhat.com>
|
||||
Date: Sat, 24 Nov 2018 17:57:05 -0500
|
||||
Subject: [PATCH] brcmfmac: Fix out of bounds memory access during fw load
|
||||
|
||||
I ended up tracking down some rather nasty issues with f2fs (and other
|
||||
filesystem modules) constantly crashing on my kernel down to a
|
||||
combination of out of bounds memory accesses, one of which was coming
|
||||
from brcmfmac during module load:
|
||||
|
||||
[ 30.891382] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac4356-sdio for chip BCM4356/2
|
||||
[ 30.894437] ==================================================================
|
||||
[ 30.901581] BUG: KASAN: global-out-of-bounds in brcmf_fw_alloc_request+0x42c/0x480 [brcmfmac]
|
||||
[ 30.909935] Read of size 1 at addr ffff2000024865df by task kworker/6:2/387
|
||||
[ 30.916805]
|
||||
[ 30.918261] CPU: 6 PID: 387 Comm: kworker/6:2 Tainted: G O 4.20.0-rc3Lyude-Test+ #19
|
||||
[ 30.927251] Hardware name: amlogic khadas-vim2/khadas-vim2, BIOS 2018.07-rc2-armbian 09/11/2018
|
||||
[ 30.935964] Workqueue: events brcmf_driver_register [brcmfmac]
|
||||
[ 30.941641] Call trace:
|
||||
[ 30.944058] dump_backtrace+0x0/0x3e8
|
||||
[ 30.947676] show_stack+0x14/0x20
|
||||
[ 30.950968] dump_stack+0x130/0x1c4
|
||||
[ 30.954406] print_address_description+0x60/0x25c
|
||||
[ 30.959066] kasan_report+0x1b4/0x368
|
||||
[ 30.962683] __asan_report_load1_noabort+0x18/0x20
|
||||
[ 30.967547] brcmf_fw_alloc_request+0x42c/0x480 [brcmfmac]
|
||||
[ 30.967639] brcmf_sdio_probe+0x163c/0x2050 [brcmfmac]
|
||||
[ 30.978035] brcmf_ops_sdio_probe+0x598/0xa08 [brcmfmac]
|
||||
[ 30.983254] sdio_bus_probe+0x190/0x398
|
||||
[ 30.983270] really_probe+0x2a0/0xa70
|
||||
[ 30.983296] driver_probe_device+0x1b4/0x2d8
|
||||
[ 30.994901] __driver_attach+0x200/0x280
|
||||
[ 30.994914] bus_for_each_dev+0x10c/0x1a8
|
||||
[ 30.994925] driver_attach+0x38/0x50
|
||||
[ 30.994935] bus_add_driver+0x330/0x608
|
||||
[ 30.994953] driver_register+0x140/0x388
|
||||
[ 31.013965] sdio_register_driver+0x74/0xa0
|
||||
[ 31.014076] brcmf_sdio_register+0x14/0x60 [brcmfmac]
|
||||
[ 31.023177] brcmf_driver_register+0xc/0x18 [brcmfmac]
|
||||
[ 31.023209] process_one_work+0x654/0x1080
|
||||
[ 31.032266] worker_thread+0x4f0/0x1308
|
||||
[ 31.032286] kthread+0x2a8/0x320
|
||||
[ 31.039254] ret_from_fork+0x10/0x1c
|
||||
[ 31.039269]
|
||||
[ 31.044226] The buggy address belongs to the variable:
|
||||
[ 31.044351] brcmf_firmware_path+0x11f/0xfffffffffffd3b40 [brcmfmac]
|
||||
[ 31.055601]
|
||||
[ 31.057031] Memory state around the buggy address:
|
||||
[ 31.061800] ffff200002486480: 04 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
|
||||
[ 31.068983] ffff200002486500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
[ 31.068993] >ffff200002486580: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
|
||||
[ 31.068999] ^
|
||||
[ 31.069017] ffff200002486600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
||||
[ 31.096521] ffff200002486680: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
|
||||
[ 31.096528] ==================================================================
|
||||
[ 31.096533] Disabling lock debugging due to kernel taint
|
||||
|
||||
It appears that when trying to determine the length of the string in the
|
||||
alternate firmware path, we make the mistake of not handling the case
|
||||
where the firmware path is empty correctly. Since strlen(mp_path) can
|
||||
return 0, we'll end up accessing mp_path[-1] when the firmware_path
|
||||
isn't provided through the module arguments.
|
||||
|
||||
So, fix this by just setting the end char to '\0' by default, and only
|
||||
changing it if we have a non-zero length. Additionally, use strnlen()
|
||||
with BRCMF_FW_ALTPATH_LEN instead of strlen() just to be extra safe.
|
||||
|
||||
Fixes: 2baa3aaee27f ("brcmfmac: introduce brcmf_fw_alloc_request() function")
|
||||
Cc: Hante Meuleman <hante.meuleman@broadcom.com>
|
||||
Cc: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
|
||||
Cc: Franky Lin <franky.lin@broadcom.com>
|
||||
Cc: Arend van Spriel <arend.vanspriel@broadcom.com>
|
||||
Cc: Kalle Valo <kvalo@codeaurora.org>
|
||||
Cc: Arend Van Spriel <arend.vanspriel@broadcom.com>
|
||||
Cc: Himanshu Jha <himanshujha199640@gmail.com>
|
||||
Cc: Dan Haab <dhaab@luxul.com>
|
||||
Cc: Jia-Shyr Chuang <saint.chuang@cypress.com>
|
||||
Cc: Ian Molton <ian@mnementh.co.uk>
|
||||
Cc: <stable@vger.kernel.org> # v4.17+
|
||||
Signed-off-by: Lyude Paul <lyude@redhat.com>
|
||||
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
||||
---
|
||||
.../net/wireless/broadcom/brcm80211/brcmfmac/firmware.c | 8 ++++++--
|
||||
1 file changed, 6 insertions(+), 2 deletions(-)
|
||||
|
||||
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
|
||||
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
|
||||
@@ -708,8 +708,9 @@ brcmf_fw_alloc_request(u32 chip, u32 chi
|
||||
struct brcmf_fw_request *fwreq;
|
||||
char chipname[12];
|
||||
const char *mp_path;
|
||||
+ size_t mp_path_len;
|
||||
u32 i, j;
|
||||
- char end;
|
||||
+ char end = '\0';
|
||||
size_t reqsz;
|
||||
|
||||
for (i = 0; i < table_size; i++) {
|
||||
@@ -734,7 +735,10 @@ brcmf_fw_alloc_request(u32 chip, u32 chi
|
||||
mapping_table[i].fw_base, chipname);
|
||||
|
||||
mp_path = brcmf_mp_global.firmware_path;
|
||||
- end = mp_path[strlen(mp_path) - 1];
|
||||
+ mp_path_len = strnlen(mp_path, BRCMF_FW_ALTPATH_LEN);
|
||||
+ if (mp_path_len)
|
||||
+ end = mp_path[mp_path_len - 1];
|
||||
+
|
||||
fwreq->n_items = n_fwnames;
|
||||
|
||||
for (j = 0; j < n_fwnames; j++) {
|
||||
@ -1,68 +0,0 @@
|
||||
From 8c892df41500469729e0d662816300196e4f463d Mon Sep 17 00:00:00 2001
|
||||
From: Stijn Tintel <stijn@linux-ipv6.be>
|
||||
Date: Tue, 4 Dec 2018 20:29:05 +0200
|
||||
Subject: [PATCH] brcmfmac: fix roamoff=1 modparam
|
||||
|
||||
When the update_connect_param callback is set, nl80211 expects the flag
|
||||
WIPHY_FLAG_SUPPORTS_FW_ROAM to be set as well. However, this flag is
|
||||
only set when modparam roamoff=0, while the callback is set
|
||||
unconditionally. Since commit 7f9a3e150ec7 this causes a warning in
|
||||
wiphy_register, which breaks brcmfmac.
|
||||
|
||||
Disable the update_connect_param callback when roamoff=0 to fix this.
|
||||
|
||||
Fixes: 7f9a3e150ec7 ("nl80211: Update ERP info using NL80211_CMD_UPDATE_CONNECT_PARAMS")
|
||||
Cc: Stable <stable@vger.kernel.org> # 4.19+
|
||||
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
|
||||
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
|
||||
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
|
||||
---
|
||||
.../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 11 +++++++++--
|
||||
.../wireless/broadcom/brcm80211/brcmfmac/cfg80211.h | 2 +-
|
||||
.../net/wireless/broadcom/brcm80211/brcmfmac/core.c | 2 +-
|
||||
3 files changed, 11 insertions(+), 4 deletions(-)
|
||||
|
||||
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
|
||||
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
|
||||
@@ -5188,10 +5188,17 @@ static struct cfg80211_ops brcmf_cfg8021
|
||||
.del_pmk = brcmf_cfg80211_del_pmk,
|
||||
};
|
||||
|
||||
-struct cfg80211_ops *brcmf_cfg80211_get_ops(void)
|
||||
+struct cfg80211_ops *brcmf_cfg80211_get_ops(struct brcmf_mp_device *settings)
|
||||
{
|
||||
- return kmemdup(&brcmf_cfg80211_ops, sizeof(brcmf_cfg80211_ops),
|
||||
+ struct cfg80211_ops *ops;
|
||||
+
|
||||
+ ops = kmemdup(&brcmf_cfg80211_ops, sizeof(brcmf_cfg80211_ops),
|
||||
GFP_KERNEL);
|
||||
+
|
||||
+ if (ops && settings->roamoff)
|
||||
+ ops->update_connect_params = NULL;
|
||||
+
|
||||
+ return ops;
|
||||
}
|
||||
|
||||
struct brcmf_cfg80211_vif *brcmf_alloc_vif(struct brcmf_cfg80211_info *cfg,
|
||||
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
|
||||
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
|
||||
@@ -404,7 +404,7 @@ struct brcmf_cfg80211_info *brcmf_cfg802
|
||||
void brcmf_cfg80211_detach(struct brcmf_cfg80211_info *cfg);
|
||||
s32 brcmf_cfg80211_up(struct net_device *ndev);
|
||||
s32 brcmf_cfg80211_down(struct net_device *ndev);
|
||||
-struct cfg80211_ops *brcmf_cfg80211_get_ops(void);
|
||||
+struct cfg80211_ops *brcmf_cfg80211_get_ops(struct brcmf_mp_device *settings);
|
||||
enum nl80211_iftype brcmf_cfg80211_get_iftype(struct brcmf_if *ifp);
|
||||
|
||||
struct brcmf_cfg80211_vif *brcmf_alloc_vif(struct brcmf_cfg80211_info *cfg,
|
||||
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
|
||||
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
|
||||
@@ -1151,7 +1151,7 @@ int brcmf_attach(struct device *dev, str
|
||||
|
||||
brcmf_dbg(TRACE, "Enter\n");
|
||||
|
||||
- ops = brcmf_cfg80211_get_ops();
|
||||
+ ops = brcmf_cfg80211_get_ops(settings);
|
||||
if (!ops)
|
||||
return -ENOMEM;
|
||||
|
||||
@ -1,31 +0,0 @@
|
||||
From: Sara Sharon <sara.sharon@intel.com>
|
||||
Date: Thu, 11 Oct 2018 14:21:21 +0200
|
||||
Subject: [PATCH] mac80211: free skb fraglist before freeing the skb
|
||||
|
||||
mac80211 uses the frag list to build AMSDU. When freeing
|
||||
the skb, it may not be really freed, since someone is still
|
||||
holding a reference to it.
|
||||
In that case, when TCP skb is being retransmitted, the
|
||||
pointer to the frag list is being reused, while the data
|
||||
in there is no longer valid.
|
||||
Since we will never get frag list from the network stack,
|
||||
as mac80211 doesn't advertise the capability, we can safely
|
||||
free and nullify it before releasing the SKB.
|
||||
|
||||
Signed-off-by: Sara Sharon <sara.sharon@intel.com>
|
||||
---
|
||||
|
||||
--- a/net/mac80211/status.c
|
||||
+++ b/net/mac80211/status.c
|
||||
@@ -558,6 +558,11 @@ static void ieee80211_report_used_skb(st
|
||||
}
|
||||
|
||||
ieee80211_led_tx(local);
|
||||
+
|
||||
+ if (skb_has_frag_list(skb)) {
|
||||
+ kfree_skb_list(skb_shinfo(skb)->frag_list);
|
||||
+ skb_shinfo(skb)->frag_list = NULL;
|
||||
+ }
|
||||
}
|
||||
|
||||
/*
|
||||
@ -1,26 +0,0 @@
|
||||
From: Felix Fietkau <nbd@nbd.name>
|
||||
Date: Tue, 13 Nov 2018 20:29:03 +0100
|
||||
Subject: [PATCH] mac80211: ignore tx status for PS stations in
|
||||
ieee80211_tx_status_ext
|
||||
|
||||
Make it behave like regular ieee80211_tx_status calls, except for the lack of
|
||||
filtered frame processing.
|
||||
This fixes spurious low-ack triggered disconnections with powersave clients
|
||||
connected to an AP.
|
||||
|
||||
Fixes: f027c2aca0cf4 ("mac80211: add ieee80211_tx_status_noskb")
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
||||
---
|
||||
|
||||
--- a/net/mac80211/status.c
|
||||
+++ b/net/mac80211/status.c
|
||||
@@ -984,6 +984,8 @@ void ieee80211_tx_status_ext(struct ieee
|
||||
/* Track when last TDLS packet was ACKed */
|
||||
if (test_sta_flag(sta, WLAN_STA_TDLS_PEER_AUTH))
|
||||
sta->status_stats.last_tdls_pkt_time = jiffies;
|
||||
+ } else if (test_sta_flag(sta, WLAN_STA_PS_STA)) {
|
||||
+ return;
|
||||
} else {
|
||||
ieee80211_lost_packet(sta, info);
|
||||
}
|
||||
@ -1,28 +0,0 @@
|
||||
From: Felix Fietkau <nbd@nbd.name>
|
||||
Date: Wed, 28 Nov 2018 22:36:06 +0100
|
||||
Subject: [PATCH] mac80211: fix reordering of buffered broadcast packets
|
||||
|
||||
If the buffered broadcast queue contains packets, letting new packets bypass
|
||||
that queue can lead to heavy reordering, since the driver is probably throttling
|
||||
transmission of buffered multicast packets after beacons.
|
||||
|
||||
Keep buffering packets until the buffer has been cleared (and no client
|
||||
is in powersave mode).
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
||||
---
|
||||
|
||||
--- a/net/mac80211/tx.c
|
||||
+++ b/net/mac80211/tx.c
|
||||
@@ -439,8 +439,8 @@ ieee80211_tx_h_multicast_ps_buf(struct i
|
||||
if (ieee80211_hw_check(&tx->local->hw, QUEUE_CONTROL))
|
||||
info->hw_queue = tx->sdata->vif.cab_queue;
|
||||
|
||||
- /* no stations in PS mode */
|
||||
- if (!atomic_read(&ps->num_sta_ps))
|
||||
+ /* no stations in PS mode and no buffered packets */
|
||||
+ if (!atomic_read(&ps->num_sta_ps) && skb_queue_empty(&ps->bc_buf))
|
||||
return TX_CONTINUE;
|
||||
|
||||
info->flags |= IEEE80211_TX_CTL_SEND_AFTER_DTIM;
|
||||
@ -1,60 +0,0 @@
|
||||
From a50e5fb8db83c5b57392204c21ea6c5c4ccefde6 Mon Sep 17 00:00:00 2001
|
||||
From: Sara Sharon <sara.sharon@intel.com>
|
||||
Date: Sat, 15 Dec 2018 11:03:10 +0200
|
||||
Subject: [PATCH 1/3] mac80211: fix a kernel panic when TXing after TXQ
|
||||
teardown
|
||||
|
||||
Recently TXQ teardown was moved earlier in ieee80211_unregister_hw(),
|
||||
to avoid a use-after-free of the netdev data. However, interfaces
|
||||
aren't fully removed at the point, and cfg80211_shutdown_all_interfaces
|
||||
can for example, TX a deauth frame. Move the TXQ teardown to the
|
||||
point between cfg80211_shutdown_all_interfaces and the free of
|
||||
netdev queues, so we can be sure they are torn down before netdev
|
||||
is freed, but after there is no ongoing TX.
|
||||
|
||||
Fixes: 77cfaf52eca5 ("mac80211: Run TXQ teardown code before de-registering interfaces")
|
||||
Signed-off-by: Sara Sharon <sara.sharon@intel.com>
|
||||
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
|
||||
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
||||
---
|
||||
net/mac80211/iface.c | 3 +++
|
||||
net/mac80211/main.c | 2 --
|
||||
2 files changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
--- a/net/mac80211/iface.c
|
||||
+++ b/net/mac80211/iface.c
|
||||
@@ -7,6 +7,7 @@
|
||||
* Copyright 2008, Johannes Berg <johannes@sipsolutions.net>
|
||||
* Copyright 2013-2014 Intel Mobile Communications GmbH
|
||||
* Copyright (c) 2016 Intel Deutschland GmbH
|
||||
+ * Copyright (C) 2018 Intel Corporation
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 as
|
||||
@@ -2035,6 +2036,8 @@ void ieee80211_remove_interfaces(struct
|
||||
WARN(local->open_count, "%s: open count remains %d\n",
|
||||
wiphy_name(local->hw.wiphy), local->open_count);
|
||||
|
||||
+ ieee80211_txq_teardown_flows(local);
|
||||
+
|
||||
mutex_lock(&local->iflist_mtx);
|
||||
list_for_each_entry_safe(sdata, tmp, &local->interfaces, list) {
|
||||
list_del(&sdata->list);
|
||||
--- a/net/mac80211/main.c
|
||||
+++ b/net/mac80211/main.c
|
||||
@@ -1200,7 +1200,6 @@ int ieee80211_register_hw(struct ieee802
|
||||
rtnl_unlock();
|
||||
ieee80211_led_exit(local);
|
||||
ieee80211_wep_free(local);
|
||||
- ieee80211_txq_teardown_flows(local);
|
||||
fail_flows:
|
||||
destroy_workqueue(local->workqueue);
|
||||
fail_workqueue:
|
||||
@@ -1226,7 +1225,6 @@ void ieee80211_unregister_hw(struct ieee
|
||||
#if IS_ENABLED(__disabled__CONFIG_IPV6)
|
||||
unregister_inet6addr_notifier(&local->ifa6_notifier);
|
||||
#endif
|
||||
- ieee80211_txq_teardown_flows(local);
|
||||
|
||||
rtnl_lock();
|
||||
|
||||
@ -1,29 +0,0 @@
|
||||
From d350a0f431189517b1af0dbbb605c273231a8966 Mon Sep 17 00:00:00 2001
|
||||
From: Johannes Berg <johannes.berg@intel.com>
|
||||
Date: Sat, 15 Dec 2018 11:03:22 +0200
|
||||
Subject: [PATCH 2/3] nl80211: fix memory leak if validate_pae_over_nl80211()
|
||||
fails
|
||||
|
||||
If validate_pae_over_nl80211() were to fail in nl80211_crypto_settings(),
|
||||
we might leak the 'connkeys' allocation. Fix this.
|
||||
|
||||
Fixes: 64bf3d4bc2b0 ("nl80211: Add CONTROL_PORT_OVER_NL80211 attribute")
|
||||
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
|
||||
---
|
||||
net/wireless/nl80211.c | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/net/wireless/nl80211.c
|
||||
+++ b/net/wireless/nl80211.c
|
||||
@@ -9002,8 +9002,10 @@ static int nl80211_join_ibss(struct sk_b
|
||||
if (info->attrs[NL80211_ATTR_CONTROL_PORT_OVER_NL80211]) {
|
||||
int r = validate_pae_over_nl80211(rdev, info);
|
||||
|
||||
- if (r < 0)
|
||||
+ if (r < 0) {
|
||||
+ kzfree(connkeys);
|
||||
return r;
|
||||
+ }
|
||||
|
||||
ibss.control_port_over_nl80211 = true;
|
||||
}
|
||||
@ -1,48 +0,0 @@
|
||||
From: Felix Fietkau <nbd@nbd.name>
|
||||
Date: Mon, 28 Jan 2019 13:16:45 +0100
|
||||
Subject: [PATCH] mac80211: ensure that management tx skbs have encryption
|
||||
tailroom
|
||||
|
||||
Some drivers use IEEE80211_KEY_FLAG_SW_MGMT_TX to indicate that management
|
||||
frames need to be software encrypted. Since normal data packets are still
|
||||
encrypted by the hardware, crypto_tx_tailroom_needed_cnt gets decremented
|
||||
after key upload. This can lead to passing skbs to ccmp_encrypt_skb, which
|
||||
don't have the needed tailroom for software encryption.
|
||||
|
||||
Change the code to add tailroom for encrypted management packets, even if
|
||||
crypto_tx_tailroom_needed_cnt is 0.
|
||||
|
||||
Cc: stable@vger.kernel.org
|
||||
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
||||
---
|
||||
|
||||
--- a/net/mac80211/tx.c
|
||||
+++ b/net/mac80211/tx.c
|
||||
@@ -1912,9 +1912,16 @@ static int ieee80211_skb_resize(struct i
|
||||
int head_need, bool may_encrypt)
|
||||
{
|
||||
struct ieee80211_local *local = sdata->local;
|
||||
+ struct ieee80211_hdr *hdr;
|
||||
+ bool enc_tailroom;
|
||||
int tail_need = 0;
|
||||
|
||||
- if (may_encrypt && sdata->crypto_tx_tailroom_needed_cnt) {
|
||||
+ hdr = (struct ieee80211_hdr *) skb->data;
|
||||
+ enc_tailroom = may_encrypt &&
|
||||
+ (sdata->crypto_tx_tailroom_needed_cnt ||
|
||||
+ ieee80211_is_mgmt(hdr->frame_control));
|
||||
+
|
||||
+ if (enc_tailroom) {
|
||||
tail_need = IEEE80211_ENCRYPT_TAILROOM;
|
||||
tail_need -= skb_tailroom(skb);
|
||||
tail_need = max_t(int, tail_need, 0);
|
||||
@@ -1922,8 +1929,7 @@ static int ieee80211_skb_resize(struct i
|
||||
|
||||
if (skb_cloned(skb) &&
|
||||
(!ieee80211_hw_check(&local->hw, SUPPORTS_CLONED_SKBS) ||
|
||||
- !skb_clone_writable(skb, ETH_HLEN) ||
|
||||
- (may_encrypt && sdata->crypto_tx_tailroom_needed_cnt)))
|
||||
+ !skb_clone_writable(skb, ETH_HLEN) || enc_tailroom))
|
||||
I802_DEBUG_INC(local->tx_expand_skb_head_cloned);
|
||||
else if (head_need || tail_need)
|
||||
I802_DEBUG_INC(local->tx_expand_skb_head);
|
||||
Loading…
Reference in New Issue