3.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 5 Nov 2012 13:50:29 +0000 (14:50 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 5 Nov 2012 13:50:29 +0000 (14:50 +0100)
added patches:
cfg80211-fix-antenna-gain-handling.patch
mac80211-don-t-inspect-sequence-control-field-on-control-frames.patch
mac80211-only-process-mesh-config-header-on-frames-that-ra_match.patch
mac80211-use-blacklist-for-duplicate-ie-check.patch
wireless-drop-invalid-mesh-address-extension-frames.patch

queue-3.6/cfg80211-fix-antenna-gain-handling.patch [new file with mode: 0644]
queue-3.6/mac80211-don-t-inspect-sequence-control-field-on-control-frames.patch [new file with mode: 0644]
queue-3.6/mac80211-only-process-mesh-config-header-on-frames-that-ra_match.patch [new file with mode: 0644]
queue-3.6/mac80211-use-blacklist-for-duplicate-ie-check.patch [new file with mode: 0644]
queue-3.6/series
queue-3.6/wireless-drop-invalid-mesh-address-extension-frames.patch [new file with mode: 0644]

diff --git a/queue-3.6/cfg80211-fix-antenna-gain-handling.patch b/queue-3.6/cfg80211-fix-antenna-gain-handling.patch
new file mode 100644 (file)
index 0000000..4f06114
--- /dev/null
@@ -0,0 +1,39 @@
+From c4a9fafc77a5318f5ed26c509bbcddf03e18c201 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@openwrt.org>
+Date: Wed, 17 Oct 2012 13:56:19 +0200
+Subject: cfg80211: fix antenna gain handling
+
+From: Felix Fietkau <nbd@openwrt.org>
+
+commit c4a9fafc77a5318f5ed26c509bbcddf03e18c201 upstream.
+
+No driver initializes chan->max_antenna_gain to something sensible, and
+the only place where it is being used right now is inside ath9k. This
+leads to ath9k potentially using less tx power than it can use, which can
+decrease performance/range in some rare cases.
+
+Rather than going through every single driver, this patch initializes
+chan->orig_mag in wiphy_register(), ignoring whatever value the driver
+left in there. If a driver for some reason wishes to limit it independent
+from regulatory rulesets, it can do so internally.
+
+Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/core.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/wireless/core.c
++++ b/net/wireless/core.c
+@@ -506,8 +506,7 @@ int wiphy_register(struct wiphy *wiphy)
+               for (i = 0; i < sband->n_channels; i++) {
+                       sband->channels[i].orig_flags =
+                               sband->channels[i].flags;
+-                      sband->channels[i].orig_mag =
+-                              sband->channels[i].max_antenna_gain;
++                      sband->channels[i].orig_mag = INT_MAX;
+                       sband->channels[i].orig_mpwr =
+                               sband->channels[i].max_power;
+                       sband->channels[i].band = band;
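Review bot: The `INT_MAX` assigned to `orig_mag` in the channel loop of `wiphy_register()` is an undocumented sentinel; nothing at the assignment says that the driver-supplied `max_antenna_gain` is being discarded on purpose. A comment such as `/* driver value ignored on purpose; INT_MAX means no driver-side limit */` would record that. Any consumer that does arithmetic on `orig_mag` rather than comparing it or taking a minimum would hit signed overflow, so it is worth confirming how it is used; those consumers are not visible here. The loop and the function continue outside the hunk.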
diff --git a/queue-3.6/mac80211-don-t-inspect-sequence-control-field-on-control-frames.patch b/queue-3.6/mac80211-don-t-inspect-sequence-control-field-on-control-frames.patch
new file mode 100644 (file)
index 0000000..17165f6
--- /dev/null
@@ -0,0 +1,35 @@
+From f7fbf70ee9db6da6033ae50d100e017ac1f26555 Mon Sep 17 00:00:00 2001
+From: Javier Cardona <javier@cozybit.com>
+Date: Thu, 25 Oct 2012 11:10:18 -0700
+Subject: mac80211: don't inspect Sequence Control field on control frames
+
+From: Javier Cardona <javier@cozybit.com>
+
+commit f7fbf70ee9db6da6033ae50d100e017ac1f26555 upstream.
+
+Per IEEE Std. 802.11-2012, Sec 8.2.4.4.1, the sequence Control field is
+not present in control frames.  We noticed this problem when processing
+Block Ack Requests.
+
+Signed-off-by: Javier Cardona <javier@cozybit.com>
+Signed-off-by: Javier Lopez <jlopex@cozybit.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rx.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -1422,6 +1422,10 @@ ieee80211_rx_h_defragment(struct ieee802
+       hdr = (struct ieee80211_hdr *)rx->skb->data;
+       fc = hdr->frame_control;
++
++      if (ieee80211_is_ctl(fc))
++              return RX_CONTINUE;
++
+       sc = le16_to_cpu(hdr->seq_ctrl);
+       frag = sc & IEEE80211_SCTL_FRAG;
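Review bot: The new `ieee80211_is_ctl(fc)` early return in `ieee80211_rx_h_defragment()` carries no comment, and the reason for it is a frame-layout fact that is easy to lose: control frames have no Sequence Control field, so `hdr->seq_ctrl` would be read from bytes that are not part of that header. Add `/* control frames carry no Sequence Control field (802.11-2012, 8.2.4.4.1) */` above the check. Because the frame contents come from the remote sender, it is also worth confirming that the frame length has been validated against the full header before `seq_ctrl` is read for the remaining frame types. That validation, if present, is outside the hunk, as is the rest of the function.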
diff --git a/queue-3.6/mac80211-only-process-mesh-config-header-on-frames-that-ra_match.patch b/queue-3.6/mac80211-only-process-mesh-config-header-on-frames-that-ra_match.patch
new file mode 100644 (file)
index 0000000..d1f636f
--- /dev/null
@@ -0,0 +1,43 @@
+From 555cb715be8ef98b8ec362b23dfc254d432a35b1 Mon Sep 17 00:00:00 2001
+From: Javier Cardona <javier@cozybit.com>
+Date: Wed, 24 Oct 2012 12:43:30 -0700
+Subject: mac80211: Only process mesh config header on frames that RA_MATCH
+
+From: Javier Cardona <javier@cozybit.com>
+
+commit 555cb715be8ef98b8ec362b23dfc254d432a35b1 upstream.
+
+Doing otherwise is wrong, and may wreak havoc on the mpp tables,
+specially if the frame is encrypted.
+
+Reported-by: Chaoxing Lin <Chaoxing.Lin@ultra-3eti.com>
+Signed-off-by: Javier Cardona <javier@cozybit.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rx.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -1857,7 +1857,8 @@ ieee80211_rx_h_mesh_fwding(struct ieee80
+           mesh_rmc_check(hdr->addr3, mesh_hdr, rx->sdata))
+               return RX_DROP_MONITOR;
+-      if (!ieee80211_is_data(hdr->frame_control))
++      if (!ieee80211_is_data(hdr->frame_control) ||
++          !(status->rx_flags & IEEE80211_RX_RA_MATCH))
+               return RX_CONTINUE;
+       if (!mesh_hdr->ttl)
+@@ -1901,9 +1902,6 @@ ieee80211_rx_h_mesh_fwding(struct ieee80
+       }
+       skb_set_queue_mapping(skb, q);
+-      if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
+-              goto out;
+-
+       if (!--mesh_hdr->ttl) {
+               IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl);
+               return RX_DROP_MONITOR;
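Review bot: `mesh_rmc_check(hdr->addr3, mesh_hdr, rx->sdata)` in the first hunk still runs ahead of the new `IEEE80211_RX_RA_MATCH` test, so the mesh header of a frame that does not RA_MATCH is still consulted there. The start of that condition is outside the hunk, so it may already be guarded. If it is not, and the check also records what it sees (not visible here), frames not addressed to this interface would still influence that cache. Consider testing RA_MATCH before the RMC check, or add a comment stating why the lookup is safe for unmatched frames. The body of `ieee80211_rx_h_mesh_fwding()` extends beyond both hunks.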
diff --git a/queue-3.6/mac80211-use-blacklist-for-duplicate-ie-check.patch b/queue-3.6/mac80211-use-blacklist-for-duplicate-ie-check.patch
new file mode 100644 (file)
index 0000000..51869d1
--- /dev/null
@@ -0,0 +1,75 @@
+From 9690fb169b433a66485c808e4fc352b8a0f8d866 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 24 Oct 2012 14:19:53 +0200
+Subject: mac80211: use blacklist for duplicate IE check
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 9690fb169b433a66485c808e4fc352b8a0f8d866 upstream.
+
+Instead of the current whitelist which accepts duplicates
+only for the quiet and vendor IEs, use a blacklist of all
+IEs (that we currently parse) that can't be duplicated.
+
+This avoids detecting a beacon as corrupt in the future
+when new IEs are added that can be duplicated.
+
+Signed-off-by: Paul Stewart <pstew@chromium.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/util.c |   42 +++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 35 insertions(+), 7 deletions(-)
+
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -637,13 +637,41 @@ u32 ieee802_11_parse_elems_crc(u8 *start
+                       break;
+               }
+-              if (id != WLAN_EID_VENDOR_SPECIFIC &&
+-                  id != WLAN_EID_QUIET &&
+-                  test_bit(id, seen_elems)) {
+-                      elems->parse_error = true;
+-                      left -= elen;
+-                      pos += elen;
+-                      continue;
++              switch (id) {
++              case WLAN_EID_SSID:
++              case WLAN_EID_SUPP_RATES:
++              case WLAN_EID_FH_PARAMS:
++              case WLAN_EID_DS_PARAMS:
++              case WLAN_EID_CF_PARAMS:
++              case WLAN_EID_TIM:
++              case WLAN_EID_IBSS_PARAMS:
++              case WLAN_EID_CHALLENGE:
++              case WLAN_EID_RSN:
++              case WLAN_EID_ERP_INFO:
++              case WLAN_EID_EXT_SUPP_RATES:
++              case WLAN_EID_HT_CAPABILITY:
++              case WLAN_EID_HT_OPERATION:
++              case WLAN_EID_VHT_CAPABILITY:
++              case WLAN_EID_VHT_OPERATION:
++              case WLAN_EID_MESH_ID:
++              case WLAN_EID_MESH_CONFIG:
++              case WLAN_EID_PEER_MGMT:
++              case WLAN_EID_PREQ:
++              case WLAN_EID_PREP:
++              case WLAN_EID_PERR:
++              case WLAN_EID_RANN:
++              case WLAN_EID_CHANNEL_SWITCH:
++              case WLAN_EID_EXT_CHANSWITCH_ANN:
++              case WLAN_EID_COUNTRY:
++              case WLAN_EID_PWR_CONSTRAINT:
++              case WLAN_EID_TIMEOUT_INTERVAL:
++                      if (test_bit(id, seen_elems)) {
++                              elems->parse_error = true;
++                              left -= elen;
++                              pos += elen;
++                              continue;
++                      }
++                      break;
+               }
+               if (calc_crc && id < 64 && (filter & (1ULL << id)))
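Review bot: The new `switch (id)` list in `ieee802_11_parse_elems_crc()` fails open. An element ID that the parser handles but that is missing from the list accepts duplicates silently, presumably letting a later copy override an earlier one. Nothing ties the list to the parsing code that follows, so add a comment above the switch such as `/* every single-instance IE parsed below must also be listed here */`. The elements come from received frames, so a forgotten entry changes how untrusted input is accepted rather than just how it is reported. The function continues outside the hunk.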
index 761725a710575b167b8b198b1c618147073636ea..dd2ade673105da6b470222b27501cca78a3ef36c 100644 (file)
@@ -10,3 +10,8 @@ target-avoid-integer-overflow-in-se_dev_align_max_sectors.patch
 iscsi-target-fix-missed-wakeup-race-in-tx-thread.patch
 target-fix-incorrect-usage-of-nested-irq-spinlocks-in-abort_task-path.patch
 target-re-add-explict-zeroing-of-inquiry-bounce-buffer-memory.patch
+cfg80211-fix-antenna-gain-handling.patch
+wireless-drop-invalid-mesh-address-extension-frames.patch
+mac80211-use-blacklist-for-duplicate-ie-check.patch
+mac80211-only-process-mesh-config-header-on-frames-that-ra_match.patch
+mac80211-don-t-inspect-sequence-control-field-on-control-frames.patch
diff --git a/queue-3.6/wireless-drop-invalid-mesh-address-extension-frames.patch b/queue-3.6/wireless-drop-invalid-mesh-address-extension-frames.patch
new file mode 100644 (file)
index 0000000..f46e853
--- /dev/null
@@ -0,0 +1,63 @@
+From 7dd111e8ee10cc6816669eabcad3334447673236 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Thu, 25 Oct 2012 21:51:59 +0200
+Subject: wireless: drop invalid mesh address extension frames
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit 7dd111e8ee10cc6816669eabcad3334447673236 upstream.
+
+The mesh header can have address extension by a 4th
+or a 5th and 6th address, but never both. Drop such
+frames in 802.11 -> 802.3 conversion along with any
+frames that have the wrong extension.
+
+Reviewed-by: Javier Cardona <javier@cozybit.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/util.c |   11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -312,18 +312,15 @@ EXPORT_SYMBOL(ieee80211_get_hdrlen_from_
+ static int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr)
+ {
+       int ae = meshhdr->flags & MESH_FLAGS_AE;
+-      /* 7.1.3.5a.2 */
++      /* 802.11-2012, 8.2.4.7.3 */
+       switch (ae) {
++      default:
+       case 0:
+               return 6;
+       case MESH_FLAGS_AE_A4:
+               return 12;
+       case MESH_FLAGS_AE_A5_A6:
+               return 18;
+-      case (MESH_FLAGS_AE_A4 | MESH_FLAGS_AE_A5_A6):
+-              return 24;
+-      default:
+-              return 6;
+       }
+ }
+@@ -373,6 +370,8 @@ int ieee80211_data_to_8023(struct sk_buf
+                       /* make sure meshdr->flags is on the linear part */
+                       if (!pskb_may_pull(skb, hdrlen + 1))
+                               return -1;
++                      if (meshdr->flags & MESH_FLAGS_AE_A4)
++                              return -1;
+                       if (meshdr->flags & MESH_FLAGS_AE_A5_A6) {
+                               skb_copy_bits(skb, hdrlen +
+                                       offsetof(struct ieee80211s_hdr, eaddr1),
+@@ -397,6 +396,8 @@ int ieee80211_data_to_8023(struct sk_buf
+                       /* make sure meshdr->flags is on the linear part */
+                       if (!pskb_may_pull(skb, hdrlen + 1))
+                               return -1;
++                      if (meshdr->flags & MESH_FLAGS_AE_A5_A6)
++                              return -1;
+                       if (meshdr->flags & MESH_FLAGS_AE_A4)
+                               skb_copy_bits(skb, hdrlen +
+                                       offsetof(struct ieee80211s_hdr, eaddr1),
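Review bot: In `ieee80211_get_mesh_hdrlen()` the `default:` label now sits in front of `case 0:` and returns 6 when both AE bits are set, so the function reports a header length for a frame that should be dropped. That is only safe if every caller rejects the frame itself. The two new `return -1` checks in `ieee80211_data_to_8023()` do so for the two branches shown, but other callers are not visible. A comment on the label, e.g. `/* invalid AE value: callers must drop the frame; 6 is the minimum header */`, would record that dependency. `ieee80211_data_to_8023()` starts and ends outside the hunks.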