From a10605e599a7873417043fe2bb559abe719f8a1a Mon Sep 17 00:00:00 2001 From: Zhu Yi Date: Thu, 22 Nov 2007 11:10:22 +0800 Subject: mac80211: free ifsta->extra_ie and clear IEEE80211_STA_PRIVACY_INVOKED I'm not sure if this is best choice, someone might have better solutions. But this patch fixed the connection problem when switching from a WPA enabled AP (using wpa_supplicant) to an open AP (using iwconfig). The root cause is when we connect to a WPA enabled AP, wpa_supplicant sets the ifsta->extra_ie thru SIOCSIWGENIE. But if we stop wpa_supplicant and connect to an open AP with iwconfig, there is no way to clear the extra_ie so that mac80211 keeps connecting with that. Someone could argue wpa_supplicant should clear the extra_ie during its shutdown. But mac80211 should also handle the unexpected shutdown case (ie. killall -9 wpa_supplicant). On Wed, 2007-11-21 at 16:19 +0100, Johannes Berg wrote: > Yeah. Can you amend the patch to also clear the > IEEE80211_STA_PRIVACY_INVOKED flag? Signed-off-by: Zhu Yi Acked-by: Johannes Berg Signed-off-by: John W. Linville --- net/mac80211/ieee80211.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/net/mac80211/ieee80211.c b/net/mac80211/ieee80211.c index e0ee65a969b..8f11c97f13d 100644 --- a/net/mac80211/ieee80211.c +++ b/net/mac80211/ieee80211.c @@ -334,6 +334,11 @@ static int ieee80211_stop(struct net_device *dev) cancel_delayed_work(&local->scan_work); } flush_workqueue(local->hw.workqueue); + + sdata->u.sta.flags &= ~IEEE80211_STA_PRIVACY_INVOKED; + kfree(sdata->u.sta.extra_ie); + sdata->u.sta.extra_ie = NULL; + sdata->u.sta.extra_ie_len = 0; /* fall through */ default: conf.if_id = dev->ifindex; -- cgit v1.2.3 From 01e1f045e65b683fe7203b1e16a915bbb94c15fe Mon Sep 17 00:00:00 2001 From: Daniel Drake Date: Thu, 22 Nov 2007 22:03:42 +0000 Subject: ieee80211: fix unaligned access in ieee80211_copy_snap There is no guarantee that data+SNAP_SIZE will reside on an even numbered address, so doing a 16 bit read will cause an unaligned access in some situations. Based on a patch from Jun Sun. Signed-off-by: Daniel Drake Signed-off-by: John W. Linville --- net/ieee80211/ieee80211_tx.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/ieee80211/ieee80211_tx.c b/net/ieee80211/ieee80211_tx.c index a4c3c51140a..6d06f1385e2 100644 --- a/net/ieee80211/ieee80211_tx.c +++ b/net/ieee80211/ieee80211_tx.c @@ -144,7 +144,8 @@ static int ieee80211_copy_snap(u8 * data, u16 h_proto) snap->oui[1] = oui[1]; snap->oui[2] = oui[2]; - *(u16 *) (data + SNAP_SIZE) = htons(h_proto); + h_proto = htons(h_proto); + memcpy(data + SNAP_SIZE, &h_proto, sizeof(u16)); return SNAP_SIZE + sizeof(u16); } -- cgit v1.2.3 From 8b393f1dc76acbe65a97a4e51f8144f4a65fa1c9 Mon Sep 17 00:00:00 2001 From: Michael Wu Date: Wed, 28 Nov 2007 01:57:08 -0500 Subject: mac80211: Fix behavior of ieee80211_open and ieee80211_close This patch fixes: - Incorrect calls to ieee80211_hw_config when the radiotap flag is set. - Failure to actually unset the radiotap flag when all monitors are down. - Failure to call ieee80211_hw_config after successful interface start. Signed-off-by: Michael Wu Acked-by: Johannes Berg Signed-off-by: John W. Linville --- net/mac80211/ieee80211.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/net/mac80211/ieee80211.c b/net/mac80211/ieee80211.c index 8f11c97f13d..0dc114c4ef2 100644 --- a/net/mac80211/ieee80211.c +++ b/net/mac80211/ieee80211.c @@ -216,6 +216,7 @@ static int ieee80211_open(struct net_device *dev) res = local->ops->start(local_to_hw(local)); if (res) return res; + ieee80211_hw_config(local); } switch (sdata->type) { @@ -232,7 +233,6 @@ static int ieee80211_open(struct net_device *dev) netif_tx_unlock_bh(local->mdev); local->hw.conf.flags |= IEEE80211_CONF_RADIOTAP; - ieee80211_hw_config(local); } break; case IEEE80211_IF_TYPE_STA: @@ -311,8 +311,7 @@ static int ieee80211_stop(struct net_device *dev) ieee80211_configure_filter(local); netif_tx_unlock_bh(local->mdev); - local->hw.conf.flags |= IEEE80211_CONF_RADIOTAP; - ieee80211_hw_config(local); + local->hw.conf.flags &= ~IEEE80211_CONF_RADIOTAP; } break; case IEEE80211_IF_TYPE_STA: -- cgit v1.2.3 From 8312512e81ab16d845b49d1ec695fad1c72f19f6 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Wed, 28 Nov 2007 11:07:57 +0100 Subject: mac80211: drop unencrypted frames if encryption is expected This patch fixes a regression I (most likely) introduced, namely that unencrypted frames are right now accepted even if we have a key for that specific sender. That has very bad security implications. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville --- net/mac80211/rx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 428a9fcf57d..00f908d9275 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -997,7 +997,7 @@ ieee80211_rx_h_drop_unencrypted(struct ieee80211_txrx_data *rx) if (unlikely(!(rx->fc & IEEE80211_FCTL_PROTECTED) && (rx->fc & IEEE80211_FCTL_FTYPE) == IEEE80211_FTYPE_DATA && (rx->fc & IEEE80211_FCTL_STYPE) != IEEE80211_STYPE_NULLFUNC && - rx->sdata->drop_unencrypted && + (rx->key || rx->sdata->drop_unencrypted) && (rx->sdata->eapol == 0 || !ieee80211_is_eapol(rx->skb)))) { if (net_ratelimit()) printk(KERN_DEBUG "%s: RX non-WEP frame, but expected " -- cgit v1.2.3 From 7f4c534178722ac9ffb4feae3a4d54e3fbe3f22c Mon Sep 17 00:00:00 2001 From: Michael Buesch Date: Wed, 28 Nov 2007 17:49:34 +0100 Subject: rfkill: fix double-mutex-locking rfkill_toggle_radio is called from functions where rfkill->mutex is already aquired. Remove the lock from rfkill_toggle_radio() and add it to the only calling function that calls it without the lock held. Signed-off-by: Michael Buesch Acked-by: Ivo van Doorn Signed-off-by: John W. Linville --- net/rfkill/rfkill.c | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/net/rfkill/rfkill.c b/net/rfkill/rfkill.c index 73d60a30712..4469a7be006 100644 --- a/net/rfkill/rfkill.c +++ b/net/rfkill/rfkill.c @@ -60,11 +60,7 @@ static void rfkill_led_trigger(struct rfkill *rfkill, static int rfkill_toggle_radio(struct rfkill *rfkill, enum rfkill_state state) { - int retval; - - retval = mutex_lock_interruptible(&rfkill->mutex); - if (retval) - return retval; + int retval = 0; if (state != rfkill->state) { retval = rfkill->toggle_radio(rfkill->data, state); @@ -74,7 +70,6 @@ static int rfkill_toggle_radio(struct rfkill *rfkill, } } - mutex_unlock(&rfkill->mutex); return retval; } @@ -158,12 +153,13 @@ static ssize_t rfkill_state_store(struct device *dev, if (!capable(CAP_NET_ADMIN)) return -EPERM; + if (mutex_lock_interruptible(&rfkill->mutex)) + return -ERESTARTSYS; error = rfkill_toggle_radio(rfkill, state ? RFKILL_STATE_ON : RFKILL_STATE_OFF); - if (error) - return error; + mutex_unlock(&rfkill->mutex); - return count; + return error ? error : count; } static ssize_t rfkill_claim_show(struct device *dev, -- cgit v1.2.3 From 53cb4791c156908ae634de31949f7f25f8de002b Mon Sep 17 00:00:00 2001 From: Adel Gadllah Date: Thu, 29 Nov 2007 17:09:41 +0100 Subject: mac80211: rate limit wep decrypt failed messages The attached patch rate limits "WEP decrypt failed (ICV)" to avoid flooding the logfiles. Signed-off-by: Adel Gadllah Signed-off-by: John W. Linville --- net/mac80211/wep.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/mac80211/wep.c b/net/mac80211/wep.c index 9bf0e1cc530..b5f3413403b 100644 --- a/net/mac80211/wep.c +++ b/net/mac80211/wep.c @@ -265,7 +265,8 @@ int ieee80211_wep_decrypt(struct ieee80211_local *local, struct sk_buff *skb, if (ieee80211_wep_decrypt_data(local->wep_rx_tfm, rc4key, klen, skb->data + hdrlen + WEP_IV_LEN, len)) { - printk(KERN_DEBUG "WEP decrypt failed (ICV)\n"); + if (net_ratelimit()) + printk(KERN_DEBUG "WEP decrypt failed (ICV)\n"); ret = -1; } -- cgit v1.2.3