Commit d971650e authored by David S. Miller's avatar David S. Miller
Browse files

Merge tag 'mac80211-for-net-2021-12-14' of... 

Merge tag 'mac80211-for-net-2021-12-14' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211



Johannes Berg says:

====================
A fairly large number of fixes this time:
 * fix a station info memory leak on insert collisions
 * a rate control fix for retransmissions
 * two aggregation setup fixes
 * reload current regdomain when reloading database
 * a locking fix in regulatory work
 * a probe request allocation size fix in mac80211
 * apply TCP vs. aggregation (sk pacing) on mesh
 * fix ordering of channel context update vs. station
   state
 * set up skb->dev for mesh forwarding properly
 * track QoS data frames only for admission control to
   avoid out-of-bounds read (found by syzbot)
 * validate extended element ID vs. existing data to
   avoid out-of-bounds read (found by syzbot)
 * fix locking in mac80211 aggregation TX setup
 * fix traffic stall after HW restart when TXQs are used
 * fix ordering of reconfig/restart after HW restart
 * fix interface type for extended aggregation capability
   lookup
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents a41c4d96 13dee10b

net/mac80211/agg-rx.c

+3 −2
Original line number Diff line number Diff line
@@ -9,7 +9,7 @@ 
 * Copyright 2007, Michael Wu <flamingice@sourmilk.net>

 * Copyright 2007-2010, Intel Corporation

 * Copyright(c) 2015-2017 Intel Deutschland GmbH

 * Copyright (C) 2018-2020 Intel Corporation

 * Copyright (C) 2018-2021 Intel Corporation

 */



/**
@@ -191,7 +191,8 @@ static void ieee80211_add_addbaext(struct ieee80211_sub_if_data *sdata, 
	sband = ieee80211_get_sband(sdata);

	if (!sband)

		return;

	he_cap = ieee80211_get_he_iftype_cap(sband, sdata->vif.type);

	he_cap = ieee80211_get_he_iftype_cap(sband,

					     ieee80211_vif_type_p2p(&sdata->vif));

	if (!he_cap)

		return;

net/mac80211/agg-tx.c

+11 −5
Original line number Diff line number Diff line
@@ -9,7 +9,7 @@ 
 * Copyright 2007, Michael Wu <flamingice@sourmilk.net>

 * Copyright 2007-2010, Intel Corporation

 * Copyright(c) 2015-2017 Intel Deutschland GmbH

 * Copyright (C) 2018 - 2020 Intel Corporation

 * Copyright (C) 2018 - 2021 Intel Corporation

 */



#include <linux/ieee80211.h>
@@ -106,7 +106,7 @@ static void ieee80211_send_addba_request(struct ieee80211_sub_if_data *sdata, 
	mgmt->u.action.u.addba_req.start_seq_num =

					cpu_to_le16(start_seq_num << 4);



	ieee80211_tx_skb(sdata, skb);

	ieee80211_tx_skb_tid(sdata, skb, tid);

}



void ieee80211_send_bar(struct ieee80211_vif *vif, u8 *ra, u16 tid, u16 ssn)
@@ -213,6 +213,8 @@ ieee80211_agg_start_txq(struct sta_info *sta, int tid, bool enable) 
	struct ieee80211_txq *txq = sta->sta.txq[tid];

	struct txq_info *txqi;



	lockdep_assert_held(&sta->ampdu_mlme.mtx);



	if (!txq)

		return;
@@ -290,7 +292,6 @@ static void ieee80211_remove_tid_tx(struct sta_info *sta, int tid) 
	ieee80211_assign_tid_tx(sta, tid, NULL);



	ieee80211_agg_splice_finish(sta->sdata, tid);

	ieee80211_agg_start_txq(sta, tid, false);



	kfree_rcu(tid_tx, rcu_head);

}
@@ -480,8 +481,7 @@ static void ieee80211_send_addba_with_timeout(struct sta_info *sta, 


	/* send AddBA request */

	ieee80211_send_addba_request(sdata, sta->sta.addr, tid,

				     tid_tx->dialog_token,

				     sta->tid_seq[tid] >> 4,

				     tid_tx->dialog_token, tid_tx->ssn,

				     buf_size, tid_tx->timeout);



	WARN_ON(test_and_set_bit(HT_AGG_STATE_SENT_ADDBA, &tid_tx->state));
@@ -523,6 +523,7 @@ void ieee80211_tx_ba_session_handle_start(struct sta_info *sta, int tid) 


	params.ssn = sta->tid_seq[tid] >> 4;

	ret = drv_ampdu_action(local, sdata, &params);

	tid_tx->ssn = params.ssn;

	if (ret == IEEE80211_AMPDU_TX_START_DELAY_ADDBA) {

		return;

	} else if (ret == IEEE80211_AMPDU_TX_START_IMMEDIATE) {
@@ -889,6 +890,7 @@ void ieee80211_stop_tx_ba_cb(struct sta_info *sta, int tid, 
{

	struct ieee80211_sub_if_data *sdata = sta->sdata;

	bool send_delba = false;

	bool start_txq = false;



	ht_dbg(sdata, "Stopping Tx BA session for %pM tid %d\n",

	       sta->sta.addr, tid);
@@ -906,10 +908,14 @@ void ieee80211_stop_tx_ba_cb(struct sta_info *sta, int tid, 
		send_delba = true;



	ieee80211_remove_tid_tx(sta, tid);

	start_txq = true;



 unlock_sta:

	spin_unlock_bh(&sta->lock);



	if (start_txq)

		ieee80211_agg_start_txq(sta, tid, false);



	if (send_delba)

		ieee80211_send_delba(sdata, sta->sta.addr, tid,

			WLAN_BACK_INITIATOR, WLAN_REASON_QSTA_NOT_USE);

net/mac80211/driver-ops.h

+4 −1
Original line number Diff line number Diff line
@@ -1219,8 +1219,11 @@ static inline void drv_wake_tx_queue(struct ieee80211_local *local, 
{

	struct ieee80211_sub_if_data *sdata = vif_to_sdata(txq->txq.vif);



	if (local->in_reconfig)

	/* In reconfig don't transmit now, but mark for waking later */

	if (local->in_reconfig) {

		set_bit(IEEE80211_TXQ_STOP_NETIF_TX, &txq->flags);

		return;

	}



	if (!check_sdata_in_driver(sdata))

		return;

net/mac80211/mlme.c

+10 −3
Original line number Diff line number Diff line
@@ -2452,11 +2452,18 @@ static void ieee80211_sta_tx_wmm_ac_notify(struct ieee80211_sub_if_data *sdata, 
					   u16 tx_time)

{

	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;

	u16 tid = ieee80211_get_tid(hdr);

	int ac = ieee80211_ac_from_tid(tid);

	struct ieee80211_sta_tx_tspec *tx_tspec = &ifmgd->tx_tspec[ac];

	u16 tid;

	int ac;

	struct ieee80211_sta_tx_tspec *tx_tspec;

	unsigned long now = jiffies;



	if (!ieee80211_is_data_qos(hdr->frame_control))

		return;



	tid = ieee80211_get_tid(hdr);

	ac = ieee80211_ac_from_tid(tid);

	tx_tspec = &ifmgd->tx_tspec[ac];



	if (likely(!tx_tspec->admitted_time))

		return;

net/mac80211/rx.c

+1 −0
Original line number Diff line number Diff line
@@ -2944,6 +2944,7 @@ ieee80211_rx_h_mesh_fwding(struct ieee80211_rx_data *rx) 
	if (!fwd_skb)

		goto out;



	fwd_skb->dev = sdata->dev;

	fwd_hdr =  (struct ieee80211_hdr *) fwd_skb->data;

	fwd_hdr->frame_control &= ~cpu_to_le16(IEEE80211_FCTL_RETRY);

	info = IEEE80211_SKB_CB(fwd_skb);