From 4334ec8518cec3f7a4feeb3dacb46acfb24904d4 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Wed, 2 Feb 2011 16:58:06 +0100 Subject: mac80211: fix TX status cookie in HW offload case When the off-channel TX is done with remain-on-channel offloaded to hardware, the reported cookie is wrong as in that case we shouldn't use the SKB as the cookie but need to instead use the corresponding r-o-c cookie (XOR'ed with 2 to prevent API mismatches). Fix this by keeping track of the hw_roc_skb pointer just for the status processing and use the correct cookie to report in this case. We can't use the hw_roc_skb pointer itself because it is NULL'ed when the frame is transmitted to prevent it being used twice. This fixes a bug where the P2P state machine in the supplicant gets stuck because it never gets a correct result for its transmitted frame. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville --- net/mac80211/cfg.c | 2 ++ net/mac80211/ieee80211_i.h | 2 +- net/mac80211/status.c | 7 ++++++- 3 files changed, 9 insertions(+), 2 deletions(-) (limited to 'net') diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index 4bc8a92..9cd73b1 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -1822,6 +1822,7 @@ static int ieee80211_mgmt_tx(struct wiphy *wiphy, struct net_device *dev, *cookie ^= 2; IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_TX_OFFCHAN; local->hw_roc_skb = skb; + local->hw_roc_skb_for_status = skb; mutex_unlock(&local->mtx); return 0; @@ -1875,6 +1876,7 @@ static int ieee80211_mgmt_tx_cancel_wait(struct wiphy *wiphy, if (ret == 0) { kfree_skb(local->hw_roc_skb); local->hw_roc_skb = NULL; + local->hw_roc_skb_for_status = NULL; } mutex_unlock(&local->mtx); diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h index c47d7c0..533fd32 100644 --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -953,7 +953,7 @@ struct ieee80211_local { struct ieee80211_channel *hw_roc_channel; struct net_device *hw_roc_dev; - struct sk_buff *hw_roc_skb; + struct sk_buff *hw_roc_skb, *hw_roc_skb_for_status; struct work_struct hw_roc_start, hw_roc_done; enum nl80211_channel_type hw_roc_channel_type; unsigned int hw_roc_duration; diff --git a/net/mac80211/status.c b/net/mac80211/status.c index 38a7972..071ac95 100644 --- a/net/mac80211/status.c +++ b/net/mac80211/status.c @@ -323,6 +323,7 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb) if (info->flags & IEEE80211_TX_INTFL_NL80211_FRAME_TX) { struct ieee80211_work *wk; + u64 cookie = (unsigned long)skb; rcu_read_lock(); list_for_each_entry_rcu(wk, &local->work_list, list) { @@ -334,8 +335,12 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb) break; } rcu_read_unlock(); + if (local->hw_roc_skb_for_status == skb) { + cookie = local->hw_roc_cookie ^ 2; + local->hw_roc_skb_for_status = NULL; + } cfg80211_mgmt_tx_status( - skb->dev, (unsigned long) skb, skb->data, skb->len, + skb->dev, cookie, skb->data, skb->len, !!(info->flags & IEEE80211_TX_STAT_ACK), GFP_ATOMIC); } -- cgit v1.1 From fc7c976dc7a565213393ce700d4a6105f037bf20 Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Mon, 7 Feb 2011 12:05:00 +0100 Subject: mac80211: fix the skb cloned check in the tx path Using skb_header_cloned to check if it's safe to write to the skb is not enough - mac80211 also touches the tailroom of the skb. Initially this check was only used to increase a counter, however this commit changed the code to also skip skb data reallocation if no extra head/tailroom was needed: commit 4cd06a344db752f513437138953af191cbe9a691 mac80211: skip unnecessary pskb_expand_head calls It added a regression at least with iwl3945, which is fixed by this patch. Reported-by: Dmitry Torokhov Signed-off-by: Felix Fietkau Tested-by: Dmitry Torokhov Signed-off-by: John W. Linville --- net/mac80211/tx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'net') diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c index b64b42b..b0beaa5 100644 --- a/net/mac80211/tx.c +++ b/net/mac80211/tx.c @@ -1547,7 +1547,7 @@ static int ieee80211_skb_resize(struct ieee80211_local *local, skb_orphan(skb); } - if (skb_header_cloned(skb)) + if (skb_cloned(skb)) I802_DEBUG_INC(local->tx_expand_skb_head_cloned); else if (head_need || tail_need) I802_DEBUG_INC(local->tx_expand_skb_head); -- cgit v1.1 From a7b545f7fe753ca3dc1b51ca57f90cd59d974e44 Mon Sep 17 00:00:00 2001 From: Eliad Peller Date: Tue, 8 Feb 2011 18:43:19 +0200 Subject: mac80211: add missing locking in ieee80211_reconfig When suspending an associated system, and then resuming, the station vif is being reconfigured without taking the sdata->u.mgd.mtx lock, which results in the following warning: WARNING: at net/mac80211/mlme.c:101 ieee80211_ap_probereq_get+0x58/0xb8 [mac80211]() Modules linked in: wl12xx_sdio wl12xx firmware_class crc7 mac80211 cfg80211 [last unloaded: crc7] Backtrace: [] (dump_backtrace+0x0/0x118) from [] (dump_stack+0x20/0x24) r7:00000000 r6:bf12d6ec r5:bf154aac r4:00000065 [] (dump_stack+0x0/0x24) from [] (warn_slowpath_common+0x5c/0x74) [] (warn_slowpath_common+0x0/0x74) from [] (warn_slowpath_null+0x2c/0x34) r9:000024ff r8:cd006460 r7:00000001 r6:00000000 r5:00000000 r4:cf1394a0 [] (warn_slowpath_null+0x0/0x34) from [] (ieee80211_ap_probereq_get+0x58/0xb8 [mac80211]) [] (ieee80211_ap_probereq_get+0x0/0xb8 [mac80211]) from [] (wl1271_cmd_build_ap_probe_req+0x30/0xf8 [wl12xx]) r4:cd007440 [] (wl1271_cmd_build_ap_probe_req+0x0/0xf8 [wl12xx]) from [] (wl1271_op_bss_info_changed+0x4c4/0x808 [wl12xx]) r5:cd007440 r4:000003b4 [] (wl1271_op_bss_info_changed+0x0/0x808 [wl12xx]) from [] (ieee80211_bss_info_change_notify+0x1a4/0x1f8 [mac80211]) [] (ieee80211_bss_info_change_notify+0x0/0x1f8 [mac80211]) from [] (ieee80211_reconfig+0x4d0/0x668 [mac80211]) r8:cf0eeea4 r7:cd00671c r6:00000000 r5:cd006460 r4:cf1394a0 [] (ieee80211_reconfig+0x0/0x668 [mac80211]) from [] (ieee80211_resume+0x60/0x70 [mac80211]) [] (ieee80211_resume+0x0/0x70 [mac80211]) from [] (wiphy_resume+0x6c/0x7c [cfg80211]) r5:cd006248 r4:cd006110 [] (wiphy_resume+0x0/0x7c [cfg80211]) from [] (legacy_resume+0x38/0x70) r7:00000000 r6:00000000 r5:cd006248 r4:cd0062fc [] (legacy_resume+0x0/0x70) from [] (device_resume+0x168/0x1a0) r8:c04ca8d8 r7:cd00627c r6:00000010 r5:cd006248 r4:cd0062fc [] (device_resume+0x0/0x1a0) from [] (dpm_resume_end+0xf8/0x3bc) r7:00000000 r6:00000005 r5:cd006248 r4:cd0062fc [] (dpm_resume_end+0x0/0x3bc) from [] (suspend_devices_and_enter+0x1b0/0x204) [] (suspend_devices_and_enter+0x0/0x204) from [] (enter_state+0xf0/0x148) r7:c037e978 r6:00000003 r5:c043d807 r4:00000000 [] (enter_state+0x0/0x148) from [] (state_store+0xa4/0xcc) r7:c037e978 r6:00000003 r5:00000003 r4:c043d807 [] (state_store+0x0/0xcc) from [] (kobj_attr_store+0x20/0x24) [] (kobj_attr_store+0x0/0x24) from [] (sysfs_write_file+0x11c/0x150) [] (sysfs_write_file+0x0/0x150) from [] (vfs_write+0xc0/0x14c) [] (vfs_write+0x0/0x14c) from [] (sys_write+0x4c/0x78) r8:40126000 r7:00000004 r6:cf1a7c80 r5:00000000 r4:00000000 [] (sys_write+0x0/0x78) from [] (ret_fast_syscall+0x0/0x30) r8:c00502c8 r7:00000004 r6:403525e8 r5:40126000 r4:00000004 Signed-off-by: Eliad Peller Signed-off-by: John W. Linville --- net/mac80211/util.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'net') diff --git a/net/mac80211/util.c b/net/mac80211/util.c index cf68700..d036597 100644 --- a/net/mac80211/util.c +++ b/net/mac80211/util.c @@ -1210,7 +1210,9 @@ int ieee80211_reconfig(struct ieee80211_local *local) switch (sdata->vif.type) { case NL80211_IFTYPE_STATION: changed |= BSS_CHANGED_ASSOC; + mutex_lock(&sdata->u.mgd.mtx); ieee80211_bss_info_change_notify(sdata, changed); + mutex_unlock(&sdata->u.mgd.mtx); break; case NL80211_IFTYPE_ADHOC: changed |= BSS_CHANGED_IBSS; -- cgit v1.1 From 840af824b2bf9194ea596e0ddc7aa05066794ca1 Mon Sep 17 00:00:00 2001 From: Vladislav P Date: Mon, 14 Feb 2011 15:21:50 -0200 Subject: Bluetooth: Release BTM while sleeping to avoid deadlock Signed-off-by: Vladislav P Signed-off-by: Gustavo F. Padovan --- net/bluetooth/rfcomm/tty.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'net') diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c index 2575c2d..d7b9af4 100644 --- a/net/bluetooth/rfcomm/tty.c +++ b/net/bluetooth/rfcomm/tty.c @@ -727,7 +727,9 @@ static int rfcomm_tty_open(struct tty_struct *tty, struct file *filp) break; } + tty_unlock(); schedule(); + tty_lock(); } set_current_state(TASK_RUNNING); remove_wait_queue(&dev->wait, &wait); -- cgit v1.1 From 05e7c99136554789e4cc060a63334ccaa08ad62d Mon Sep 17 00:00:00 2001 From: Stanislaw Gruszka Date: Fri, 18 Feb 2011 09:05:08 +0100 Subject: mac80211: fix conn_mon_timer running after disassociate Low level driver could pass rx frames to us after disassociate, what can lead to run conn_mon_timer by ieee80211_sta_rx_notify(). That is obviously wrong, but nothing happens until we unload modules and resources are used after free. If kernel debugging is enabled following warning could be observed: WARNING: at lib/debugobjects.c:259 debug_print_object+0x65/0x70() Hardware name: HP xw8600 Workstation ODEBUG: free active (active state 0) object type: timer_list Modules linked in: iwlagn(-) iwlcore mac80211 cfg80211 aes_x86_64 aes_generic fuse cpufreq_ondemand acpi_cpufreq freq_table mperf xt_physdev ipt_REJECT nf_conntrack_ipv4 nf_defrag_ipv4 iptable_filter ip_tables ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables ipv6 ext3 jbd dm_mirror dm_region_hash dm_log dm_mod uinput hp_wmi sparse_keymap sg wmi arc4 microcode serio_raw ecb tg3 shpchp rfkill ext4 mbcache jbd2 sr_mod cdrom sd_mod crc_t10dif firewire_ohci firewire_core crc_itu_t mptsas mptscsih mptbase scsi_transport_sas ahci libahci pata_acpi ata_generic ata_piix floppy nouveau ttm drm_kms_helper drm i2c_algo_bit i2c_core video [last unloaded: cfg80211] Pid: 13827, comm: rmmod Tainted: G W 2.6.38-rc4-wl+ #22 Call Trace: [] ? warn_slowpath_common+0x7f/0xc0 [] ? warn_slowpath_fmt+0x46/0x50 [] ? debug_print_object+0x65/0x70 [] ? debug_check_no_obj_freed+0x125/0x210 [] ? debug_check_no_locks_freed+0xf7/0x170 [] ? kfree+0xc2/0x2f0 [] ? netdev_release+0x45/0x60 [] ? device_release+0x27/0xa0 [] ? kobject_release+0x8d/0x1a0 [] ? kobject_release+0x0/0x1a0 [] ? kref_put+0x37/0x70 [] ? kobject_put+0x27/0x60 [] ? netdev_run_todo+0x1ab/0x270 [] ? rtnl_unlock+0xe/0x10 [] ? ieee80211_unregister_hw+0x58/0x120 [mac80211] [] ? iwl_pci_remove+0xdb/0x22a [iwlagn] [] ? pci_device_remove+0x52/0x120 [] ? __device_release_driver+0x75/0xe0 [] ? driver_detach+0xd8/0xe0 [] ? bus_remove_driver+0x91/0x100 [] ? driver_unregister+0x62/0xa0 [] ? pci_unregister_driver+0x44/0xa0 [] ? iwl_exit+0x15/0x1c [iwlagn] [] ? sys_delete_module+0x1a2/0x270 [] ? trace_hardirqs_on_thunk+0x3a/0x3f [] ? system_call_fastpath+0x16/0x1b Acked-by: Johannes Berg Signed-off-by: Stanislaw Gruszka Signed-off-by: John W. Linville --- net/mac80211/mlme.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'net') diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index 45fbb9e..c9ceb4d 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -1033,6 +1033,12 @@ void ieee80211_sta_rx_notify(struct ieee80211_sub_if_data *sdata, if (is_multicast_ether_addr(hdr->addr1)) return; + /* + * In case we receive frames after disassociation. + */ + if (!sdata->u.mgd.associated) + return; + ieee80211_sta_reset_conn_monitor(sdata); } -- cgit v1.1