--- /dev/null
+From 30b2f0be23fb40e58d0ad2caf8702c2a44cda2e1 Mon Sep 17 00:00:00 2001
+From: Thomas Pedersen <thomas@adapt-ip.com>
+Date: Mon, 13 Jan 2020 21:59:40 -0800
+Subject: mac80211: add ieee80211_is_any_nullfunc()
+
+From: Thomas Pedersen <thomas@adapt-ip.com>
+
+commit 30b2f0be23fb40e58d0ad2caf8702c2a44cda2e1 upstream.
+
+commit 08a5bdde3812 ("mac80211: consider QoS Null frames for STA_NULLFUNC_ACKED")
+Fixed a bug where we failed to take into account a
+nullfunc frame can be either non-QoS or QoS. It turns out
+there is at least one more bug in
+ieee80211_sta_tx_notify(), introduced in
+commit 7b6ddeaf27ec ("mac80211: use QoS NDP for AP probing"),
+where we forgot to check for the QoS variant and so
+assumed the QoS nullfunc frame never went out
+
+Fix this by adding a helper ieee80211_is_any_nullfunc()
+which consolidates the check for non-QoS and QoS nullfunc
+frames. Replace existing compound conditionals and add a
+couple more missing checks for QoS variant.
+
+Signed-off-by: Thomas Pedersen <thomas@adapt-ip.com>
+Link: https://lore.kernel.org/r/20200114055940.18502-3-thomas@adapt-ip.com
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/ieee80211.h | 9 +++++++++
+ net/mac80211/mlme.c | 2 +-
+ net/mac80211/rx.c | 8 +++-----
+ net/mac80211/status.c | 5 ++---
+ net/mac80211/tx.c | 2 +-
+ 5 files changed, 16 insertions(+), 10 deletions(-)
+
+--- a/include/linux/ieee80211.h
++++ b/include/linux/ieee80211.h
+@@ -620,6 +620,15 @@ static inline bool ieee80211_is_qos_null
+ }
+
+ /**
++ * ieee80211_is_any_nullfunc - check if frame is regular or QoS nullfunc frame
++ * @fc: frame control bytes in little-endian byteorder
++ */
++static inline bool ieee80211_is_any_nullfunc(__le16 fc)
++{
++ return (ieee80211_is_nullfunc(fc) || ieee80211_is_qos_nullfunc(fc));
++}
++
++/**
+ * ieee80211_is_bufferable_mmpdu - check if frame is bufferable MMPDU
+ * @fc: frame control field in little-endian byteorder
+ */
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -2277,7 +2277,7 @@ void ieee80211_sta_tx_notify(struct ieee
+ if (!ieee80211_is_data(hdr->frame_control))
+ return;
+
+- if (ieee80211_is_nullfunc(hdr->frame_control) &&
++ if (ieee80211_is_any_nullfunc(hdr->frame_control) &&
+ sdata->u.mgd.probe_send_count > 0) {
+ if (ack)
+ ieee80211_sta_reset_conn_monitor(sdata);
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -1231,8 +1231,7 @@ ieee80211_rx_h_check_dup(struct ieee8021
+ return RX_CONTINUE;
+
+ if (ieee80211_is_ctl(hdr->frame_control) ||
+- ieee80211_is_nullfunc(hdr->frame_control) ||
+- ieee80211_is_qos_nullfunc(hdr->frame_control) ||
++ ieee80211_is_any_nullfunc(hdr->frame_control) ||
+ is_multicast_ether_addr(hdr->addr1))
+ return RX_CONTINUE;
+
+@@ -1617,8 +1616,7 @@ ieee80211_rx_h_sta_process(struct ieee80
+ * Drop (qos-)data::nullfunc frames silently, since they
+ * are used only to control station power saving mode.
+ */
+- if (ieee80211_is_nullfunc(hdr->frame_control) ||
+- ieee80211_is_qos_nullfunc(hdr->frame_control)) {
++ if (ieee80211_is_any_nullfunc(hdr->frame_control)) {
+ I802_DEBUG_INC(rx->local->rx_handlers_drop_nullfunc);
+
+ /*
+@@ -2112,7 +2110,7 @@ static int ieee80211_drop_unencrypted(st
+
+ /* Drop unencrypted frames if key is set. */
+ if (unlikely(!ieee80211_has_protected(fc) &&
+- !ieee80211_is_nullfunc(fc) &&
++ !ieee80211_is_any_nullfunc(fc) &&
+ ieee80211_is_data(fc) && rx->key))
+ return -EACCES;
+
+--- a/net/mac80211/status.c
++++ b/net/mac80211/status.c
+@@ -480,8 +480,7 @@ static void ieee80211_report_ack_skb(str
+ rcu_read_lock();
+ sdata = ieee80211_sdata_from_skb(local, skb);
+ if (sdata) {
+- if (ieee80211_is_nullfunc(hdr->frame_control) ||
+- ieee80211_is_qos_nullfunc(hdr->frame_control))
++ if (ieee80211_is_any_nullfunc(hdr->frame_control))
+ cfg80211_probe_status(sdata->dev, hdr->addr1,
+ cookie, acked,
+ GFP_ATOMIC);
+@@ -914,7 +913,7 @@ void ieee80211_tx_status(struct ieee8021
+ I802_DEBUG_INC(local->dot11FailedCount);
+ }
+
+- if (ieee80211_is_nullfunc(fc) && ieee80211_has_pm(fc) &&
++ if (ieee80211_is_any_nullfunc(fc) && ieee80211_has_pm(fc) &&
+ ieee80211_hw_check(&local->hw, REPORTS_TX_ACK_STATUS) &&
+ !(info->flags & IEEE80211_TX_CTL_INJECTED) &&
+ local->ps_sdata && !(local->scanning)) {
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -294,7 +294,7 @@ ieee80211_tx_h_check_assoc(struct ieee80
+ if (unlikely(test_bit(SCAN_SW_SCANNING, &tx->local->scanning)) &&
+ test_bit(SDATA_STATE_OFFCHANNEL, &tx->sdata->state) &&
+ !ieee80211_is_probe_req(hdr->frame_control) &&
+- !ieee80211_is_nullfunc(hdr->frame_control))
++ !ieee80211_is_any_nullfunc(hdr->frame_control))
+ /*
+ * When software scanning only nullfunc frames (to notify
+ * the sleep state to the AP) and probe requests (for the
projects / thirdparty / kernel / stable-queue.git / commitdiff
