From: Greg Kroah-Hartman Date: Mon, 5 Nov 2012 13:50:29 +0000 (+0100) Subject: 3.6-stable patches X-Git-Tag: v3.0.52~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2d1c27902e26a4c58d1a31b4db021aa8f4d690ec;p=thirdparty%2Fkernel%2Fstable-queue.git 3.6-stable patches added patches: cfg80211-fix-antenna-gain-handling.patch mac80211-don-t-inspect-sequence-control-field-on-control-frames.patch mac80211-only-process-mesh-config-header-on-frames-that-ra_match.patch mac80211-use-blacklist-for-duplicate-ie-check.patch wireless-drop-invalid-mesh-address-extension-frames.patch
---
diff --git a/queue-3.6/cfg80211-fix-antenna-gain-handling.patch b/queue-3.6/cfg80211-fix-antenna-gain-handling.patch
new file mode 100644
index 00000000000..4f061148ca7
--- /dev/null
+++ b/queue-3.6/cfg80211-fix-antenna-gain-handling.patch
@@ -0,0 +1,39 @@
+From c4a9fafc77a5318f5ed26c509bbcddf03e18c201 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau
+Date: Wed, 17 Oct 2012 13:56:19 +0200
+Subject: cfg80211: fix antenna gain handling
+
+From: Felix Fietkau
+
+commit c4a9fafc77a5318f5ed26c509bbcddf03e18c201 upstream.
+
+No driver initializes chan->max_antenna_gain to something sensible, and
+the only place where it is being used right now is inside ath9k. This
+leads to ath9k potentially using less tx power than it can use, which can
+decrease performance/range in some rare cases.
+
+Rather than going through every single driver, this patch initializes
+chan->orig_mag in wiphy_register(), ignoring whatever value the driver
+left in there. If a driver for some reason wishes to limit it independent
+from regulatory rulesets, it can do so internally.
+
+Signed-off-by: Felix Fietkau
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/core.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/wireless/core.c
++++ b/net/wireless/core.c
+@@ -506,8 +506,7 @@ int wiphy_register(struct wiphy *wiphy)
+ for (i = 0; i < sband->n_channels; i++) {
+ sband->channels[i].orig_flags =
+ sband->channels[i].flags;
+- sband->channels[i].orig_mag =
+- sband->channels[i].max_antenna_gain;
++ sband->channels[i].orig_mag = INT_MAX;
+ sband->channels[i].orig_mpwr =
+ sband->channels[i].max_power;
+ sband->channels[i].band = band;
diff --git a/queue-3.6/mac80211-don-t-inspect-sequence-control-field-on-control-frames.patch b/queue-3.6/mac80211-don-t-inspect-sequence-control-field-on-control-frames.patch
new file mode 100644
index 00000000000..17165f646e0
--- /dev/null
+++ b/queue-3.6/mac80211-don-t-inspect-sequence-control-field-on-control-frames.patch
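Review bot: In the net/wireless/core.c hunk, `orig_mag = INT_MAX` serves as a "no limit" sentinel with no comment, and the value the driver left in `max_antenna_gain` is now discarded without trace. I would add `/* ignore driver value; INT_MAX means no limit before regulatory rules apply */` above the assignment, adjusted to whatever code actually applies the limit (not visible here). Any consumer that adds to or scales the stored gain would need to tolerate INT_MAX without signed overflow, which is worth confirming outside this hunk. The loop in wiphy_register() starts and ends outside the hunk.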
@@ -0,0 +1,35 @@
+From f7fbf70ee9db6da6033ae50d100e017ac1f26555 Mon Sep 17 00:00:00 2001
+From: Javier Cardona
+Date: Thu, 25 Oct 2012 11:10:18 -0700
+Subject: mac80211: don't inspect Sequence Control field on control frames
+
+From: Javier Cardona
+
+commit f7fbf70ee9db6da6033ae50d100e017ac1f26555 upstream.
+
+Per IEEE Std. 802.11-2012, Sec 8.2.4.4.1, the sequence Control field is
+not present in control frames. We noticed this problem when processing
+Block Ack Requests.
+
+Signed-off-by: Javier Cardona
+Signed-off-by: Javier Lopez
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/rx.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -1422,6 +1422,10 @@ ieee80211_rx_h_defragment(struct ieee802
+
+ hdr = (struct ieee80211_hdr *)rx->skb->data;
+ fc = hdr->frame_control;
++
++ if (ieee80211_is_ctl(fc))
++ return RX_CONTINUE;
++
+ sc = le16_to_cpu(hdr->seq_ctrl);
+ frag = sc & IEEE80211_SCTL_FRAG;
+
diff --git a/queue-3.6/mac80211-only-process-mesh-config-header-on-frames-that-ra_match.patch b/queue-3.6/mac80211-only-process-mesh-config-header-on-frames-that-ra_match.patch
new file mode 100644
index 00000000000..d1f636f6a07
--- /dev/null
+++ b/queue-3.6/mac80211-only-process-mesh-config-header-on-frames-that-ra_match.patch
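Review bot: The new `ieee80211_is_ctl(fc)` early return in ieee80211_rx_h_defragment() carries no comment saying that it guards the `hdr->seq_ctrl` read directly below it. Control frames have no Sequence Control field, so without the guard that read interprets bytes that are not part of the header and, for short control frames, may lie past the received data; I would add `/* control frames have no seq_ctrl (802.11-2012 8.2.4.4.1) */` above the check. The hunk shows no length test before `hdr` is dereferenced, so presumably an earlier rx handler guarantees the frame is long enough for the remaining frame types, which is worth confirming. The function starts and continues outside the hunk.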
@@ -0,0 +1,43 @@
+From 555cb715be8ef98b8ec362b23dfc254d432a35b1 Mon Sep 17 00:00:00 2001
+From: Javier Cardona
+Date: Wed, 24 Oct 2012 12:43:30 -0700
+Subject: mac80211: Only process mesh config header on frames that RA_MATCH
+
+From: Javier Cardona
+
+commit 555cb715be8ef98b8ec362b23dfc254d432a35b1 upstream.
+
+Doing otherwise is wrong, and may wreak havoc on the mpp tables,
+specially if the frame is encrypted.
+
+Reported-by: Chaoxing Lin
+Signed-off-by: Javier Cardona
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/rx.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -1857,7 +1857,8 @@ ieee80211_rx_h_mesh_fwding(struct ieee80
+ mesh_rmc_check(hdr->addr3, mesh_hdr, rx->sdata))
+ return RX_DROP_MONITOR;
+
+- if (!ieee80211_is_data(hdr->frame_control))
++ if (!ieee80211_is_data(hdr->frame_control) ||
++ !(status->rx_flags & IEEE80211_RX_RA_MATCH))
+ return RX_CONTINUE;
+
+ if (!mesh_hdr->ttl)
+@@ -1901,9 +1902,6 @@ ieee80211_rx_h_mesh_fwding(struct ieee80
+ }
+ skb_set_queue_mapping(skb, q);
+
+- if (!(status->rx_flags & IEEE80211_RX_RA_MATCH))
+- goto out;
+-
+ if (!--mesh_hdr->ttl) {
+ IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_ttl);
+ return RX_DROP_MONITOR;
diff --git a/queue-3.6/mac80211-use-blacklist-for-duplicate-ie-check.patch b/queue-3.6/mac80211-use-blacklist-for-duplicate-ie-check.patch
new file mode 100644
index 00000000000..51869d10f58
--- /dev/null
+++ b/queue-3.6/mac80211-use-blacklist-for-duplicate-ie-check.patch
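Review bot: In ieee80211_rx_h_mesh_fwding() the RA_MATCH test is added below the `mesh_rmc_check(hdr->addr3, mesh_hdr, rx->sdata)` call visible in the context lines, so that call still reads `mesh_hdr` before the frame is known to be addressed to this interface. The statement containing it opens outside the hunk, so I cannot tell whether its leading condition already limits which frames reach it. If it does not, the same untrusted and possibly still-encrypted header bytes the commit message worries about could be fed into the RMC. Consider moving the `!(status->rx_flags & IEEE80211_RX_RA_MATCH)` test above that statement, or add a comment stating why the current order is safe.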
@@ -0,0 +1,75 @@
+From 9690fb169b433a66485c808e4fc352b8a0f8d866 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Wed, 24 Oct 2012 14:19:53 +0200
+Subject: mac80211: use blacklist for duplicate IE check
+
+From: Johannes Berg
+
+commit 9690fb169b433a66485c808e4fc352b8a0f8d866 upstream.
+
+Instead of the current whitelist which accepts duplicates
+only for the quiet and vendor IEs, use a blacklist of all
+IEs (that we currently parse) that can't be duplicated.
+
+This avoids detecting a beacon as corrupt in the future
+when new IEs are added that can be duplicated.
+
+Signed-off-by: Paul Stewart
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/util.c | 42 +++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 35 insertions(+), 7 deletions(-)
+
+--- a/net/mac80211/util.c
++++ b/net/mac80211/util.c
+@@ -637,13 +637,41 @@ u32 ieee802_11_parse_elems_crc(u8 *start
+ break;
+ }
+
+- if (id != WLAN_EID_VENDOR_SPECIFIC &&
+- id != WLAN_EID_QUIET &&
+- test_bit(id, seen_elems)) {
+- elems->parse_error = true;
+- left -= elen;
+- pos += elen;
+- continue;
++ switch (id) {
++ case WLAN_EID_SSID:
++ case WLAN_EID_SUPP_RATES:
++ case WLAN_EID_FH_PARAMS:
++ case WLAN_EID_DS_PARAMS:
++ case WLAN_EID_CF_PARAMS:
++ case WLAN_EID_TIM:
++ case WLAN_EID_IBSS_PARAMS:
++ case WLAN_EID_CHALLENGE:
++ case WLAN_EID_RSN:
++ case WLAN_EID_ERP_INFO:
++ case WLAN_EID_EXT_SUPP_RATES:
++ case WLAN_EID_HT_CAPABILITY:
++ case WLAN_EID_HT_OPERATION:
++ case WLAN_EID_VHT_CAPABILITY:
++ case WLAN_EID_VHT_OPERATION:
++ case WLAN_EID_MESH_ID:
++ case WLAN_EID_MESH_CONFIG:
++ case WLAN_EID_PEER_MGMT:
++ case WLAN_EID_PREQ:
++ case WLAN_EID_PREP:
++ case WLAN_EID_PERR:
++ case WLAN_EID_RANN:
++ case WLAN_EID_CHANNEL_SWITCH:
++ case WLAN_EID_EXT_CHANSWITCH_ANN:
++ case WLAN_EID_COUNTRY:
++ case WLAN_EID_PWR_CONSTRAINT:
++ case WLAN_EID_TIMEOUT_INTERVAL:
++ if (test_bit(id, seen_elems)) {
++ elems->parse_error = true;
++ left -= elen;
++ pos += elen;
++ continue;
++ }
++ break;
+ }
+
+ if (calc_crc && id < 64 && (filter & (1ULL << id)))
diff --git a/queue-3.6/series b/queue-3.6/series
index 761725a7105..dd2ade67310 100644
--- a/queue-3.6/series
+++ b/queue-3.6/series
@@ -10,3 +10,8 @@ target-avoid-integer-overflow-in-se_dev_align_max_sectors.patch
 iscsi-target-fix-missed-wakeup-race-in-tx-thread.patch
 target-fix-incorrect-usage-of-nested-irq-spinlocks-in-abort_task-path.patch
 target-re-add-explict-zeroing-of-inquiry-bounce-buffer-memory.patch
+cfg80211-fix-antenna-gain-handling.patch
+wireless-drop-invalid-mesh-address-extension-frames.patch
+mac80211-use-blacklist-for-duplicate-ie-check.patch
+mac80211-only-process-mesh-config-header-on-frames-that-ra_match.patch
+mac80211-don-t-inspect-sequence-control-field-on-control-frames.patch
diff --git a/queue-3.6/wireless-drop-invalid-mesh-address-extension-frames.patch b/queue-3.6/wireless-drop-invalid-mesh-address-extension-frames.patch
new file mode 100644
index 00000000000..f46e85349e7
--- /dev/null
+++ b/queue-3.6/wireless-drop-invalid-mesh-address-extension-frames.patch
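Review bot: In the net/mac80211/util.c hunk (ieee802_11_parse_elems_crc), the new `switch (id)` is a hand-maintained list with no comment tying it to the element parsing that follows outside the hunk. With the check inverted, any element ID that is parsed but missing from this list accepts duplicates from a received frame without setting `elems->parse_error`, and which copy wins is decided by code not shown here. I would add `/* IEs that must not be duplicated; keep in sync with the elements parsed below */` above the switch. An explicit `default: break;` would also make the accept-by-default case visible to the next person adding an element.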
@@ -0,0 +1,63 @@
+From 7dd111e8ee10cc6816669eabcad3334447673236 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Thu, 25 Oct 2012 21:51:59 +0200
+Subject: wireless: drop invalid mesh address extension frames
+
+From: Johannes Berg
+
+commit 7dd111e8ee10cc6816669eabcad3334447673236 upstream.
+
+The mesh header can have address extension by a 4th
+or a 5th and 6th address, but never both. Drop such
+frames in 802.11 -> 802.3 conversion along with any
+frames that have the wrong extension.
+
+Reviewed-by: Javier Cardona
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/util.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/wireless/util.c
++++ b/net/wireless/util.c
+@@ -312,18 +312,15 @@ EXPORT_SYMBOL(ieee80211_get_hdrlen_from_
+ static int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr)
+ {
+ int ae = meshhdr->flags & MESH_FLAGS_AE;
+- /* 7.1.3.5a.2 */
++ /* 802.11-2012, 8.2.4.7.3 */
+ switch (ae) {
++ default:
+ case 0:
+ return 6;
+ case MESH_FLAGS_AE_A4:
+ return 12;
+ case MESH_FLAGS_AE_A5_A6:
+ return 18;
+- case (MESH_FLAGS_AE_A4 | MESH_FLAGS_AE_A5_A6):
+- return 24;
+- default:
+- return 6;
+ }
+ }
+
+@@ -373,6 +370,8 @@ int ieee80211_data_to_8023(struct sk_buf
+ /* make sure meshdr->flags is on the linear part */
+ if (!pskb_may_pull(skb, hdrlen + 1))
+ return -1;
++ if (meshdr->flags & MESH_FLAGS_AE_A4)
++ return -1;
+ if (meshdr->flags & MESH_FLAGS_AE_A5_A6) {
+ skb_copy_bits(skb, hdrlen +
+ offsetof(struct ieee80211s_hdr, eaddr1),
+@@ -397,6 +396,8 @@ int ieee80211_data_to_8023(struct sk_buf
+ /* make sure meshdr->flags is on the linear part */
+ if (!pskb_may_pull(skb, hdrlen + 1))
+ return -1;
++ if (meshdr->flags & MESH_FLAGS_AE_A5_A6)
++ return -1;
+ if (meshdr->flags & MESH_FLAGS_AE_A4)
+ skb_copy_bits(skb, hdrlen +
+ offsetof(struct ieee80211s_hdr, eaddr1),
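Review bot: In ieee80211_get_mesh_hdrlen() the `default:` label now sits above `case 0:` and falls into `return 6;` with no comment, so the invalid AE value with both bits set is reported as a mesh header without address extension rather than as an error. The two `return -1` checks added in ieee80211_data_to_8023() reject mismatched extensions on the paths shown, but any other caller of the length helper (not visible here) receives 6 for a malformed header and has to drop the frame itself. I would add `/* invalid AE combination: base header length only; callers must reject the frame */` next to `default:`. Both ieee80211_data_to_8023() hunks end mid-statement, so the rest of each branch is outside the hunk.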