<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/net/wireless, branch v3.13.2</title>
<subtitle>Linux kernel source tree</subtitle>
<id>https://git.amat.us/linux/atom/net/wireless?h=v3.13.2</id>
<link rel='self' href='https://git.amat.us/linux/atom/net/wireless?h=v3.13.2'/>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/'/>
<updated>2013-12-16T11:06:43Z</updated>
<entry>
<title>radiotap: fix bitmap-end-finding buffer overrun</title>
<updated>2013-12-16T11:06:43Z</updated>
<author>
<name>Johannes Berg</name>
<email>johannes.berg@intel.com</email>
</author>
<published>2013-12-16T11:04:36Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=bd02cd2549cfcdfc57cb5ce57ffc3feb94f70575'/>
<id>urn:sha1:bd02cd2549cfcdfc57cb5ce57ffc3feb94f70575</id>
<content type='text'>
Evan Huus found (by fuzzing in wireshark) that the radiotap
iterator code can access beyond the length of the buffer if
the first bitmap claims an extension but then there's no
data at all. Fix this.

Cc: stable@vger.kernel.org
Reported-by: Evan Huus &lt;eapache@gmail.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
</entry>
<entry>
<title>cfg80211: fix WARN_ON for re-association to the expired BSS</title>
<updated>2013-12-05T14:00:29Z</updated>
<author>
<name>Ujjal Roy</name>
<email>royujjal@gmail.com</email>
</author>
<published>2013-12-04T11:57:34Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=4c4d684a55fc01dac6bee696efc56b96d0e6c03a'/>
<id>urn:sha1:4c4d684a55fc01dac6bee696efc56b96d0e6c03a</id>
<content type='text'>
cfg80211 allows re-association in managed mode and if a user
wants to re-associate to the same AP network after the time
period of IEEE80211_SCAN_RESULT_EXPIRE, cfg80211 warns with
the following message on receiving the connect result event.

------------[ cut here ]------------
WARNING: CPU: 0 PID: 13984 at net/wireless/sme.c:658
         __cfg80211_connect_result+0x3a6/0x3e0 [cfg80211]()
Call Trace:
 [&lt;ffffffff81747a41&gt;] dump_stack+0x46/0x58
 [&lt;ffffffff81045847&gt;] warn_slowpath_common+0x87/0xb0
 [&lt;ffffffff81045885&gt;] warn_slowpath_null+0x15/0x20
 [&lt;ffffffffa05345f6&gt;] __cfg80211_connect_result+0x3a6/0x3e0 [cfg80211]
 [&lt;ffffffff8107168b&gt;] ? update_rq_clock+0x2b/0x50
 [&lt;ffffffff81078c01&gt;] ? update_curr+0x1/0x160
 [&lt;ffffffffa05133d2&gt;] cfg80211_process_wdev_events+0xb2/0x1c0 [cfg80211]
 [&lt;ffffffff81079303&gt;] ? pick_next_task_fair+0x63/0x170
 [&lt;ffffffffa0513518&gt;] cfg80211_process_rdev_events+0x38/0x90 [cfg80211]
 [&lt;ffffffffa050f03d&gt;] cfg80211_event_work+0x1d/0x30 [cfg80211]
 [&lt;ffffffff8105f21f&gt;] process_one_work+0x17f/0x420
 [&lt;ffffffff8105f90a&gt;] worker_thread+0x11a/0x370
 [&lt;ffffffff8105f7f0&gt;] ? rescuer_thread+0x2f0/0x2f0
 [&lt;ffffffff8106638b&gt;] kthread+0xbb/0xc0
 [&lt;ffffffff810662d0&gt;] ? kthread_create_on_node+0x120/0x120
 [&lt;ffffffff817574bc&gt;] ret_from_fork+0x7c/0xb0
 [&lt;ffffffff810662d0&gt;] ? kthread_create_on_node+0x120/0x120
---[ end trace 61f3bddc9c4981f7 ]---

The reason is that, in connect result event cfg80211 unholds
the BSS to which the device is associated (and was held so
far). So, for the event with status successful, when cfg80211
wants to get that BSS from the device's BSS list it gets a
NULL BSS because the BSS has been expired and unheld already.

Fix it by reshuffling the code.

Signed-off-by: Ujjal Roy &lt;royujjal@gmail.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
</entry>
<entry>
<title>cfg80211: disable CSA for all drivers</title>
<updated>2013-12-02T10:53:44Z</updated>
<author>
<name>Simon Wunderlich</name>
<email>sw@simonwunderlich.de</email>
</author>
<published>2013-11-26T15:07:26Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=dda444d52496aa8ddc501561bca580f1374a96a9'/>
<id>urn:sha1:dda444d52496aa8ddc501561bca580f1374a96a9</id>
<content type='text'>
The channel switch announcement code has some major locking problems
which can cause a deadlock in the worst case. A series of fixes has been
proposed, but these are non-trivial and need to be tested first.
Therefore disable CSA completely for 3.13.

Signed-off-by: Simon Wunderlich &lt;sw@simonwunderlich.de&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
</entry>
<entry>
<title>cfg80211: ignore supported rates for nonexistent bands on scan</title>
<updated>2013-11-25T15:54:26Z</updated>
<author>
<name>Felix Fietkau</name>
<email>nbd@openwrt.org</email>
</author>
<published>2013-11-20T18:40:41Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=1b09cd82d8c479700ef6185665839d1020b02519'/>
<id>urn:sha1:1b09cd82d8c479700ef6185665839d1020b02519</id>
<content type='text'>
Fixes wpa_supplicant p2p_find on 5GHz-only devices

Signed-off-by: Felix Fietkau &lt;nbd@openwrt.org&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
</entry>
<entry>
<title>cfg80211: disable 5/10 MHz support for all drivers</title>
<updated>2013-11-25T15:50:11Z</updated>
<author>
<name>Johannes Berg</name>
<email>johannes.berg@intel.com</email>
</author>
<published>2013-11-17T09:37:34Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=9f16d84ad73ea04145a5dc85c8f1067915b37eea'/>
<id>urn:sha1:9f16d84ad73ea04145a5dc85c8f1067915b37eea</id>
<content type='text'>
Due to nl80211 API breakage, 5/10 MHz support is broken for
all drivers. Fixing it requires adding new API, but that
can't be done as a bugfix commit since that would require
either updating all APIs in the trees needing the bugfix or
cause different kernels to have incompatible API.

Therefore, just disable 5/10 MHz support for all drivers.

Cc: stable@vger.kernel.org [3.12]
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
</entry>
<entry>
<title>nl80211: check nla_nest_start() return value</title>
<updated>2013-11-25T15:50:07Z</updated>
<author>
<name>Johannes Berg</name>
<email>johannes.berg@intel.com</email>
</author>
<published>2013-10-25T09:16:58Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=7fa322c878d70e38675f50e17acdce7fa3f5ac8c'/>
<id>urn:sha1:7fa322c878d70e38675f50e17acdce7fa3f5ac8c</id>
<content type='text'>
Coverity pointed out that we might dereference NULL later
if nla_nest_start() returns a failure. This isn't really
true since we'd bomb out before, but we should check the
return value directly, so do that.

Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
</entry>
<entry>
<title>nl80211: fix error path in nl80211_get_key()</title>
<updated>2013-11-25T15:50:06Z</updated>
<author>
<name>Johannes Berg</name>
<email>johannes.berg@intel.com</email>
</author>
<published>2013-10-25T09:15:12Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=9fe271af7d4de96471c5aaee2f4d0d1576050497'/>
<id>urn:sha1:9fe271af7d4de96471c5aaee2f4d0d1576050497</id>
<content type='text'>
Coverity pointed out that in the (practically impossible)
error case we leak the message - fix this.

Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
</entry>
<entry>
<title>nl80211: check nla_put_* return values</title>
<updated>2013-11-25T15:50:05Z</updated>
<author>
<name>Johannes Berg</name>
<email>johannes.berg@intel.com</email>
</author>
<published>2013-10-25T09:05:22Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=ae917c9f55862691e31b84de7ec29bedcb83971c'/>
<id>urn:sha1:ae917c9f55862691e31b84de7ec29bedcb83971c</id>
<content type='text'>
Coverity pointed out that in a few functions we don't
check the return value of the nla_put_*() calls. Most
of these are fairly harmless because the input isn't
very dynamic and controlled by the kernel, but the
pattern is simply wrong, so fix this.

Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
</entry>
<entry>
<title>cfg80211: fix ibss wext chandef creation</title>
<updated>2013-11-25T15:50:02Z</updated>
<author>
<name>Simon Wunderlich</name>
<email>sw@simonwunderlich.de</email>
</author>
<published>2013-10-30T15:09:33Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=1fe4517cebc35ef900fa483d19c3090681f3c7bc'/>
<id>urn:sha1:1fe4517cebc35ef900fa483d19c3090681f3c7bc</id>
<content type='text'>
The wext internal chandefs for ibss should be created using the
cfg80211_chandef_create() functions. Initializing fields manually is
error-prone.

Reported-by: Dirk Gouders &lt;dirk@gouders.net&gt;
Signed-off-by: Simon Wunderlich &lt;sw@simonwunderlich.de&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
</content>
</entry>
<entry>
<title>genetlink: make multicast groups const, prevent abuse</title>
<updated>2013-11-19T21:39:06Z</updated>
<author>
<name>Johannes Berg</name>
<email>johannes.berg@intel.com</email>
</author>
<published>2013-11-19T14:19:39Z</published>
<link rel='alternate' type='text/html' href='https://git.amat.us/linux/commit/?id=2a94fe48f32ccf7321450a2cc07f2b724a444e5b'/>
<id>urn:sha1:2a94fe48f32ccf7321450a2cc07f2b724a444e5b</id>
<content type='text'>
Register generic netlink multicast groups as an array with
the family and give them contiguous group IDs. Then instead
of passing the global group ID to the various functions that
send messages, pass the ID relative to the family - for most
families that's just 0 because they only have one group.

This avoids the list_head and ID in each group, adding a new
field for the mcast group ID offset to the family.

At the same time, this allows us to prevent abusing groups
again like the quota and dropmon code did, since we can now
check that a family only uses a group it owns.

Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
</feed>
