Diffstat (limited to 'net-wireless/compat-wireless/files/4099-2.6.32-rc7-mac80211-security-fixes.patch')
-rw-r--r-- | net-wireless/compat-wireless/files/4099-2.6.32-rc7-mac80211-security-fixes.patch | 159 |
1 files changed, 0 insertions, 159 deletions
diff --git a/net-wireless/compat-wireless/files/4099-2.6.32-rc7-mac80211-security-fixes.patch b/net-wireless/compat-wireless/files/4099-2.6.32-rc7-mac80211-security-fixes.patch
deleted file mode 100644
index 754e1c28..00000000
--- a/net-wireless/compat-wireless/files/4099-2.6.32-rc7-mac80211-security-fixes.patch
+++ /dev/null
@@ -1,159 +0,0 @@
-Johannes Berg (2):
- mac80211: fix two remote exploits
- mac80211: fix spurious delBA handling
-
- drivers/net/wireless/iwlwifi/iwl-tx.c | 10 +++++++++-
- include/net/mac80211.h | 6 ++++++
- net/mac80211/agg-rx.c | 4 ----
- net/mac80211/agg-tx.c | 17 ++++++++---------
- net/mac80211/ht.c | 8 +++-----
- net/mac80211/ieee80211_i.h | 2 ++
- 6 files changed, 28 insertions(+), 19 deletions(-)
-
-diff --git a/drivers/net/wireless/iwlwifi/iwl-tx.c b/drivers/net/wireless/iwlwifi/iwl-tx.c
-index fb9bcfa..b7e196e 100644
---- a/drivers/net/wireless/iwlwifi/iwl-tx.c
-+++ b/drivers/net/wireless/iwlwifi/iwl-tx.c
-@@ -1277,8 +1277,16 @@ int iwl_tx_agg_stop(struct iwl_priv *priv , const u8 *ra, u16 tid)
- return -ENXIO;
- }
-
-+ if (priv->stations[sta_id].tid[tid].agg.state ==
-+ IWL_EMPTYING_HW_QUEUE_ADDBA) {
-+ IWL_DEBUG_HT(priv, "AGG stop before setup done\n");
-+ ieee80211_stop_tx_ba_cb_irqsafe(priv->hw, ra, tid);
-+ priv->stations[sta_id].tid[tid].agg.state = IWL_AGG_OFF;
-+ return 0;
-+ }
-+
- if (priv->stations[sta_id].tid[tid].agg.state != IWL_AGG_ON)
-- IWL_WARN(priv, "Stopping AGG while state not IWL_AGG_ON\n");
-+ IWL_WARN(priv, "Stopping AGG while state not ON or starting\n");
-
- tid_data = &priv->stations[sta_id].tid[tid];
- ssn = (tid_data->seq_number & IEEE80211_SCTL_SEQ) >> 4;
-diff --git a/include/net/mac80211.h b/include/net/mac80211.h
-index c75b960..998c30f 100644
---- a/include/net/mac80211.h
-+++ b/include/net/mac80211.h
-@@ -1283,6 +1283,12 @@ enum ieee80211_filter_flags {
- *
- * These flags are used with the ampdu_action() callback in
- * &struct ieee80211_ops to indicate which action is needed.
-+ *
-+ * Note that drivers MUST be able to deal with a TX aggregation
-+ * session being stopped even before they OK'ed starting it by
-+ * calling ieee80211_start_tx_ba_cb(_irqsafe), because the peer
-+ * might receive the addBA frame and send a delBA right away!
-+ *
- * @IEEE80211_AMPDU_RX_START: start Rx aggregation
- * @IEEE80211_AMPDU_RX_STOP: stop Rx aggregation
- * @IEEE80211_AMPDU_TX_START: start Tx aggregation
-diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
-index bc064d7..ce8e0e7 100644
---- a/net/mac80211/agg-rx.c
-+++ b/net/mac80211/agg-rx.c
-@@ -85,10 +85,6 @@ void ieee80211_sta_stop_rx_ba_session(struct ieee80211_sub_if_data *sdata, u8 *r
- struct ieee80211_local *local = sdata->local;
- struct sta_info *sta;
-
-- /* stop HW Rx aggregation. ampdu_action existence
-- * already verified in session init so we add the BUG_ON */
-- BUG_ON(!local->ops->ampdu_action);
--
- rcu_read_lock();
-
- sta = sta_info_get(local, ra);
-diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
-index 206fd82..89e238b 100644
---- a/net/mac80211/agg-tx.c
-+++ b/net/mac80211/agg-tx.c
-@@ -123,13 +123,18 @@ void ieee80211_send_bar(struct ieee80211_sub_if_data *sdata, u8 *ra, u16 tid, u1
- ieee80211_tx_skb(sdata, skb, 0);
- }
-
--static int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
-- enum ieee80211_back_parties initiator)
-+int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
-+ enum ieee80211_back_parties initiator)
- {
- struct ieee80211_local *local = sta->local;
- int ret;
- u8 *state;
-
-+#ifdef CONFIG_MAC80211_HT_DEBUG
-+ printk(KERN_DEBUG "Tx BA session stop requested for %pM tid %u\n",
-+ sta->sta.addr, tid);
-+#endif /* CONFIG_MAC80211_HT_DEBUG */
-+
- state = &sta->ampdu_mlme.tid_state_tx[tid];
-
- if (*state == HT_AGG_STATE_OPERATIONAL)
-@@ -143,7 +148,6 @@ static int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
-
- /* HW shall not deny going back to legacy */
- if (WARN_ON(ret)) {
-- *state = HT_AGG_STATE_OPERATIONAL;
- /*
- * We may have pending packets get stuck in this case...
- * Not bothering with a workaround for now.
-@@ -525,11 +529,6 @@ int __ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
- goto unlock;
- }
-
--#ifdef CONFIG_MAC80211_HT_DEBUG
-- printk(KERN_DEBUG "Tx BA session stop requested for %pM tid %u\n",
-- sta->sta.addr, tid);
--#endif /* CONFIG_MAC80211_HT_DEBUG */
--
- ret = ___ieee80211_stop_tx_ba_session(sta, tid, initiator);
-
- unlock:
-@@ -545,7 +544,7 @@ int ieee80211_stop_tx_ba_session(struct ieee80211_hw *hw,
- struct sta_info *sta;
- int ret = 0;
-
-- if (WARN_ON(!local->ops->ampdu_action))
-+ if (!local->ops->ampdu_action)
- return -EINVAL;
-
- if (tid >= STA_TID_NUM)
-diff --git a/net/mac80211/ht.c b/net/mac80211/ht.c
-index 48ef1a2..cdc58e6 100644
---- a/net/mac80211/ht.c
-+++ b/net/mac80211/ht.c
-@@ -141,7 +141,6 @@ void ieee80211_process_delba(struct ieee80211_sub_if_data *sdata,
- struct sta_info *sta,
- struct ieee80211_mgmt *mgmt, size_t len)
- {
-- struct ieee80211_local *local = sdata->local;
- u16 tid, params;
- u16 initiator;
-
-@@ -161,10 +160,9 @@ void ieee80211_process_delba(struct ieee80211_sub_if_data *sdata,
- WLAN_BACK_INITIATOR, 0);
- else { /* WLAN_BACK_RECIPIENT */
- spin_lock_bh(&sta->lock);
-- sta->ampdu_mlme.tid_state_tx[tid] =
-- HT_AGG_STATE_OPERATIONAL;
-+ if (sta->ampdu_mlme.tid_state_tx[tid] & HT_ADDBA_REQUESTED_MSK)
-+ ___ieee80211_stop_tx_ba_session(sta, tid,
-+ WLAN_BACK_RECIPIENT);
- spin_unlock_bh(&sta->lock);
-- ieee80211_stop_tx_ba_session(&local->hw, sta->sta.addr, tid,
-- WLAN_BACK_RECIPIENT);
- }
- }
-diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
-index a910bf1..10d316e 100644
---- a/net/mac80211/ieee80211_i.h
-+++ b/net/mac80211/ieee80211_i.h
-@@ -1091,6 +1091,8 @@ void ieee80211_process_addba_request(struct ieee80211_local *local,
-
- int __ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
- enum ieee80211_back_parties initiator);
-+int ___ieee80211_stop_tx_ba_session(struct sta_info *sta, u16 tid,
-+ enum ieee80211_back_parties initiator);
-
- /* Spectrum management */
- void ieee80211_process_measurement_req(struct ieee80211_sub_if_data *sdata, |