linux.git/net/wireless, branch v3.19-rc2 Linux kernel source tree cfg80211: correctly check ad-hoc channels 2014-12-12T12:40:38+00:00 Arik Nemtsov arik@wizery.com 2014-12-03T16:08:17+00:00 185076d6db7b0320fd7669732923179f9a4d068b Ad-hoc requires beaconing for regulatory purposes. Validate that the channel is valid for beaconing, and not only enabled. Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com> Reviewed-by: Luis R. Rodriguez <mcgrof@suse.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> 
Ad-hoc requires beaconing for regulatory purposes. Validate that the
channel is valid for beaconing, and not only enabled.

Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Reviewed-by: Luis R. Rodriguez <mcgrof@suse.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
cfg80211: don't WARN about two consecutive Country IE hint 2014-12-12T12:29:02+00:00 Emmanuel Grumbach emmanuel.grumbach@intel.com 2014-12-02T07:53:25+00:00 70dcec5a488a7b81779190ac8089475fe4b8b962 This can happen and there is no point in added more detection code lower in the stack. Catching these in one single point (cfg80211) is enough. Stop WARNING about this case. This fixes: https://bugzilla.kernel.org/show_bug.cgi?id=89001 Cc: stable@vger.kernel.org Fixes: 2f1c6c572d7b ("cfg80211: process non country IE conflicting first") Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> 
This can happen and there is no point in added more
detection code lower in the stack. Catching these in one
single point (cfg80211) is enough. Stop WARNING about this
case.

This fixes:
https://bugzilla.kernel.org/show_bug.cgi?id=89001

Cc: stable@vger.kernel.org
Fixes: 2f1c6c572d7b ("cfg80211: process non country IE conflicting first")
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
nl80211: check matches array length before acessing it 2014-12-12T11:33:25+00:00 Luciano Coelho luciano.coelho@intel.com 2014-12-01T09:32:09+00:00 f89f46cf3a23d8d7c98f924a461fd931e1331746 If the userspace passes a malformed sched scan request (or a net detect wowlan configuration) by adding a NL80211_ATTR_SCHED_SCAN_MATCH attribute without any nested matchsets, a NULL pointer dereference will occur. Fix this by checking that we do have matchsets in our array before trying to access it. BUG: unable to handle kernel NULL pointer dereference at 0000000000000024 IP: [<ffffffffa002fd69>] nl80211_parse_sched_scan.part.67+0x6e9/0x900 [cfg80211] PGD 865c067 PUD 865b067 PMD 0 Oops: 0002 [#1] SMP Modules linked in: iwlmvm(O) iwlwifi(O) mac80211(O) cfg80211(O) compat(O) [last unloaded: compat] CPU: 2 PID: 2442 Comm: iw Tainted: G O 3.17.2 #31 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 task: ffff880013800790 ti: ffff880008d80000 task.ti: ffff880008d80000 RIP: 0010:[<ffffffffa002fd69>] [<ffffffffa002fd69>] nl80211_parse_sched_scan.part.67+0x6e9/0x900 [cfg80211] RSP: 0018:ffff880008d838d0 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 000000000000143c RSI: 0000000000000000 RDI: ffff880008ee8dd0 RBP: ffff880008d83948 R08: 0000000000000002 R09: 0000000000000019 R10: ffff88001d1b3c40 R11: 0000000000000002 R12: ffff880019e85e00 R13: 00000000fffffed4 R14: ffff880009757800 R15: 0000000000001388 FS: 00007fa3b6d13700(0000) GS:ffff88003e200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000024 CR3: 0000000008670000 CR4: 00000000000006e0 Stack: ffff880009757800 ffff880000000001 0000000000000000 ffff880008ee84e0 0000000000000000 ffff880009757800 00000000fffffed4 ffff880008d83948 ffffffff814689c9 ffff880009757800 ffff880008ee8000 0000000000000000 Call Trace: [<ffffffff814689c9>] ? nla_parse+0xb9/0x120 [<ffffffffa00306de>] nl80211_set_wowlan+0x75e/0x960 [cfg80211] [<ffffffff810bf3d5>] ? mark_held_locks+0x75/0xa0 [<ffffffff8161a77b>] genl_family_rcv_msg+0x18b/0x360 [<ffffffff810bf66d>] ? trace_hardirqs_on+0xd/0x10 [<ffffffff8161a9d4>] genl_rcv_msg+0x84/0xc0 [<ffffffff8161a950>] ? genl_family_rcv_msg+0x360/0x360 [<ffffffff81618e79>] netlink_rcv_skb+0xa9/0xd0 [<ffffffff81619458>] genl_rcv+0x28/0x40 [<ffffffff816184a5>] netlink_unicast+0x105/0x180 [<ffffffff8161886f>] netlink_sendmsg+0x34f/0x7a0 [<ffffffff8105a097>] ? kvm_clock_read+0x27/0x40 [<ffffffff815c644d>] sock_sendmsg+0x8d/0xc0 [<ffffffff811a75c9>] ? might_fault+0xb9/0xc0 [<ffffffff811a756e>] ? might_fault+0x5e/0xc0 [<ffffffff815d5d26>] ? verify_iovec+0x56/0xe0 [<ffffffff815c73e0>] ___sys_sendmsg+0x3d0/0x3e0 [<ffffffff810a7be8>] ? sched_clock_cpu+0x98/0xd0 [<ffffffff810611b4>] ? __do_page_fault+0x254/0x580 [<ffffffff810bb39f>] ? up_read+0x1f/0x40 [<ffffffff810611b4>] ? __do_page_fault+0x254/0x580 [<ffffffff812146ed>] ? __fget_light+0x13d/0x160 [<ffffffff815c7b02>] __sys_sendmsg+0x42/0x80 [<ffffffff815c7b52>] SyS_sendmsg+0x12/0x20 [<ffffffff81751f69>] system_call_fastpath+0x16/0x1b Fixes: ea73cbce4e1f ("nl80211: fix scheduled scan RSSI matchset attribute confusion") Cc: stable@vger.kernel.org [3.15+] Signed-off-by: Luciano Coelho <luciano.coelho@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> 
If the userspace passes a malformed sched scan request (or a net
detect wowlan configuration) by adding a NL80211_ATTR_SCHED_SCAN_MATCH
attribute without any nested matchsets, a NULL pointer dereference
will occur.  Fix this by checking that we do have matchsets in our
array before trying to access it.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000024
IP: [<ffffffffa002fd69>] nl80211_parse_sched_scan.part.67+0x6e9/0x900 [cfg80211]
PGD 865c067 PUD 865b067 PMD 0
Oops: 0002 [#1] SMP
Modules linked in: iwlmvm(O) iwlwifi(O) mac80211(O) cfg80211(O) compat(O) [last unloaded: compat]
CPU: 2 PID: 2442 Comm: iw Tainted: G           O   3.17.2 #31
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
task: ffff880013800790 ti: ffff880008d80000 task.ti: ffff880008d80000
RIP: 0010:[<ffffffffa002fd69>]  [<ffffffffa002fd69>] nl80211_parse_sched_scan.part.67+0x6e9/0x900 [cfg80211]
RSP: 0018:ffff880008d838d0  EFLAGS: 00010293
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 000000000000143c RSI: 0000000000000000 RDI: ffff880008ee8dd0
RBP: ffff880008d83948 R08: 0000000000000002 R09: 0000000000000019
R10: ffff88001d1b3c40 R11: 0000000000000002 R12: ffff880019e85e00
R13: 00000000fffffed4 R14: ffff880009757800 R15: 0000000000001388
FS:  00007fa3b6d13700(0000) GS:ffff88003e200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000024 CR3: 0000000008670000 CR4: 00000000000006e0
Stack:
 ffff880009757800 ffff880000000001 0000000000000000 ffff880008ee84e0
 0000000000000000 ffff880009757800 00000000fffffed4 ffff880008d83948
 ffffffff814689c9 ffff880009757800 ffff880008ee8000 0000000000000000
Call Trace:
 [<ffffffff814689c9>] ? nla_parse+0xb9/0x120
 [<ffffffffa00306de>] nl80211_set_wowlan+0x75e/0x960 [cfg80211]
 [<ffffffff810bf3d5>] ? mark_held_locks+0x75/0xa0
 [<ffffffff8161a77b>] genl_family_rcv_msg+0x18b/0x360
 [<ffffffff810bf66d>] ? trace_hardirqs_on+0xd/0x10
 [<ffffffff8161a9d4>] genl_rcv_msg+0x84/0xc0
 [<ffffffff8161a950>] ? genl_family_rcv_msg+0x360/0x360
 [<ffffffff81618e79>] netlink_rcv_skb+0xa9/0xd0
 [<ffffffff81619458>] genl_rcv+0x28/0x40
 [<ffffffff816184a5>] netlink_unicast+0x105/0x180
 [<ffffffff8161886f>] netlink_sendmsg+0x34f/0x7a0
 [<ffffffff8105a097>] ? kvm_clock_read+0x27/0x40
 [<ffffffff815c644d>] sock_sendmsg+0x8d/0xc0
 [<ffffffff811a75c9>] ? might_fault+0xb9/0xc0
 [<ffffffff811a756e>] ? might_fault+0x5e/0xc0
 [<ffffffff815d5d26>] ? verify_iovec+0x56/0xe0
 [<ffffffff815c73e0>] ___sys_sendmsg+0x3d0/0x3e0
 [<ffffffff810a7be8>] ? sched_clock_cpu+0x98/0xd0
 [<ffffffff810611b4>] ? __do_page_fault+0x254/0x580
 [<ffffffff810bb39f>] ? up_read+0x1f/0x40
 [<ffffffff810611b4>] ? __do_page_fault+0x254/0x580
 [<ffffffff812146ed>] ? __fget_light+0x13d/0x160
 [<ffffffff815c7b02>] __sys_sendmsg+0x42/0x80
 [<ffffffff815c7b52>] SyS_sendmsg+0x12/0x20
 [<ffffffff81751f69>] system_call_fastpath+0x16/0x1b

Fixes: ea73cbce4e1f ("nl80211: fix scheduled scan RSSI matchset attribute confusion")
Cc: stable@vger.kernel.org [3.15+]
Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
cfg80211: avoid mem leak on driver hint set 2014-12-12T11:25:33+00:00 Arik Nemtsov arik@wizery.com 2014-12-04T10:22:16+00:00 34f05f543f02350e920bddb7660ffdd4697aaf60 In the already-set and intersect case of a driver-hint, the previous wiphy regdomain was not freed before being reset with a copy of the cfg80211 regdomain. Cc: stable@vger.kernel.org Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com> Acked-by: Luis R. Rodriguez <mcgrof@suse.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> 
In the already-set and intersect case of a driver-hint, the previous
wiphy regdomain was not freed before being reset with a copy of the
cfg80211 regdomain.

Cc: stable@vger.kernel.org
Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Acked-by: Luis R. Rodriguez <mcgrof@suse.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
cfg80211: Fix 160 MHz channels with 80+80 and 160 MHz drivers 2014-12-12T11:18:47+00:00 Jouni Malinen jouni@qca.qualcomm.com 2014-12-11T21:48:55+00:00 08f6f147773b23b765b94633a8eaa82e7defcf4c The VHT supported channel width field is a two bit integer, not a bitfield. cfg80211_chandef_usable() was interpreting it incorrectly and ended up rejecting 160 MHz channel width if the driver indicated support for both 160 and 80+80 MHz channels. Cc: stable@vger.kernel.org (3.16+) Fixes: 3d9d1d6656a73 ("nl80211/cfg80211: support VHT channel configuration") (however, no real drivers had 160 MHz support it until 3.16) Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> 
The VHT supported channel width field is a two bit integer, not a
bitfield. cfg80211_chandef_usable() was interpreting it incorrectly and
ended up rejecting 160 MHz channel width if the driver indicated support
for both 160 and 80+80 MHz channels.

Cc: stable@vger.kernel.org (3.16+)
Fixes: 3d9d1d6656a73 ("nl80211/cfg80211: support VHT channel configuration")
       (however, no real drivers had 160 MHz support it until 3.16)
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
cfg80211: remove unneeded initialisations in nl80211_set_reg 2014-11-28T13:54:31+00:00 Johannes Berg johannes.berg@intel.com 2014-11-28T13:54:31+00:00 ea372c5452651f1b65ee817cd3409d63f0699b35 Some variables are assigned unconditionally, remove their initialisations to help avoid introducing errors later. Signed-off-by: Johannes Berg <johannes.berg@intel.com> 
Some variables are assigned unconditionally, remove their
initialisations to help avoid introducing errors later.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
cfg80211: leave invalid channels on regdomain change 2014-11-28T13:33:41+00:00 Arik Nemtsov arik@wizery.com 2014-11-27T07:44:55+00:00 ad932f046fbe9839479350e7b88082a7d1dea498 When the regulatory settings change, some channels might become invalid. Disconnect interfaces acting on these channels, after giving userspace code a grace period to leave them. This mode is currently opt-in, and not all interface operating modes are supported for regulatory-enforcement checks. A wiphy that wishes to use the new enforcement code must specify an appropriate regulatory flag, and all its supported interface modes must be supported by the checking code. Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com> Reviewed-by: Luis R. Rodriguez <mcgrof@suse.com> [fix some indentation, typos] Signed-off-by: Johannes Berg <johannes.berg@intel.com> 
When the regulatory settings change, some channels might become invalid.
Disconnect interfaces acting on these channels, after giving userspace
code a grace period to leave them.

This mode is currently opt-in, and not all interface operating modes are
supported for regulatory-enforcement checks. A wiphy that wishes to use
the new enforcement code must specify an appropriate regulatory flag,
and all its supported interface modes must be supported by the checking
code.

Signed-off-by: Arik Nemtsov <arikx.nemtsov@intel.com>
Reviewed-by: Luis R. Rodriguez <mcgrof@suse.com>
[fix some indentation, typos]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
cfg80211: make WEXT compatibility unselectable 2014-11-28T11:21:34+00:00 Johannes Berg johannes.berg@intel.com 2014-11-28T11:14:06+00:00 24a0aa212ee2dbe44360288684478d76a8e20a0a This option has been marked for deprecation and removal for a little more than two years, but it's not been very clearly signalled since it was always possible to just select it. Make it unselectable now to signal anyone who's still using it after all this time more clearly. They can still get it back, but only by patching the kernel. Signed-off-by: Johannes Berg <johannes.berg@intel.com> 
This option has been marked for deprecation and removal for
a little more than two years, but it's not been very clearly
signalled since it was always possible to just select it.

Make it unselectable now to signal anyone who's still using
it after all this time more clearly. They can still get it
back, but only by patching the kernel.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
nl80211: don't crash sending invalid chandef 2014-11-27T16:27:52+00:00 Johannes Berg johannes.berg@intel.com 2014-11-27T16:26:56+00:00 601555cd75ddfc2b95ebbb5eb1224c6a995e8203 One of the cases for an invalid channel definition is that the channel pointer is NULL, in which case the warning is a bit late since we'll dereference the pointer. Bail out of the function upon warning about this. Signed-off-by: Johannes Berg <johannes.berg@intel.com> 
One of the cases for an invalid channel definition is that
the channel pointer is NULL, in which case the warning is
a bit late since we'll dereference the pointer. Bail out
of the function upon warning about this.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
cfg80211: clean up beacon loss CQM event 2014-11-26T19:56:42+00:00 Johannes Berg johannes.berg@intel.com 2014-11-26T11:42:02+00:00 98f0334263f177dd22ca7c685cde04b47cc57b05 Having it as a sub-event for RSSI thresholds is very ugly, but luckily no userspace actually uses the events yet. Move the event to its own function call internally and to its own event attribute in nl80211. Signed-off-by: Johannes Berg <johannes.berg@intel.com> 
Having it as a sub-event for RSSI thresholds is very ugly,
but luckily no userspace actually uses the events yet.

Move the event to its own function call internally and to
its own event attribute in nl80211.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>