summaryrefslogtreecommitdiff
path: root/net/mac80211
AgeCommit message (Collapse)AuthorFilesLines
2010-03-13Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6Linus Torvalds4-13/+35
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (108 commits) bridge: ensure to unlock in error path in br_multicast_query(). drivers/net/tulip/eeprom.c: fix bogus "(null)" in tulip init messages sky2: Avoid rtnl_unlock without rtnl_lock ipv6: Send netlink notification when DAD fails drivers/net/tg3.c: change the field used with the TG3_FLAG_10_100_ONLY constant ipconfig: Handle devices which take some time to come up. mac80211: Fix memory leak in ieee80211_if_write() mac80211: Fix (dynamic) power save entry ipw2200: use kmalloc for large local variables ath5k: read eeprom IQ calibration values correctly for G mode ath5k: fix I/Q calibration (for real) ath5k: fix TSF reset ath5k: use fixed antenna for tx descriptors libipw: split ieee->networks into small pieces mac80211: Fix sta_mtx unlocking on insert STA failure path rt2x00: remove KSEG1ADDR define from rt2x00soc.h net: add ColdFire support to the smc91x driver asix: fix setting mac address for AX88772 ipv6 ip6_tunnel: eliminate unused recursion field from ip6_tnl{}. net: Fix dev_mc_add() ...
2010-03-10mac80211: Fix memory leak in ieee80211_if_write()Eric Dumazet1-3/+7
Fix memory leak and use kmalloc() instead of kzalloc() as we are going to overwrite the allocated buffer. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-03-10mac80211: Fix (dynamic) power save entryJuuso Oikarinen1-5/+8
Currently hardware with !IEEE80211_HW_PS_NULLFUNC_STACK and IEEE80211_HW_REPORTS_TX_ACK_STATUS will never enter PSM due to the conditions in the power save entry functions. Fix those conditions. Signed-off-by: Juuso Oikarinen <juuso.oikarinen@nokia.com> Cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-03-10mac80211: Fix sta_mtx unlocking on insert STA failure pathJouni Malinen1-0/+1
Commit 34e895075e21be3e21e71d6317440d1ee7969ad0 introduced sta_mtx locking into sta_info_insert() (now sta_info_insert_rcu), but forgot to unlock this mutex on one of the error paths. Fix this by adding the missing mutex_unlock() call for the case where STA insert fails due to an entry existing already. This may happen at least in AP mode when a STA roams between two BSSes (vifs). Signed-off-by: Jouni Malinen <j@w1.fi> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-03-08Merge branch 'for-next' into for-linusJiri Kosina1-1/+1
Conflicts: Documentation/filesystems/proc.txt arch/arm/mach-u300/include/mach/debug-macro.S drivers/net/qlge/qlge_ethtool.c drivers/net/qlge/qlge_main.c drivers/net/typhoon.c
2010-03-03mac80211: Fix HT rate control configurationSujith2-3/+5
Handling HT configuration changes involved setting the channel with the new HT parameters and then issuing a rate_update() notification to the driver. This behavior changed after the off-channel changes. Now, the channel is not updated with the new HT params in enable_ht() - instead, it is now done when the scan work terminates. This results in the driver depending on stale information, defaulting to non-HT mode always. Fix this by passing the new channel type to the driver. Cc: stable@kernel.org Signed-off-by: Sujith <Sujith.Manoharan@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-03-02mac80211: Fix reassociation processing (within ESS roaming)Jouni Malinen1-2/+14
Commit e1dd33f60ced091114e4aacf141e0d03b88d3e13 changed cfg80211 to allow association commands while in associated state to enable support for roaming within an ESS. However, this was not enough to resolve all cases with mac80211 which needs some additional handling of the reassociation case to clear internal state with the BSS that was in use previously. This patch makes ieee80211_mgd_assoc() accept a valid reassociation command and clean the association state with the previous BSS. This fixes roaming between BSSes in an ESS when using wpa_supplicant with -Dnl80211. Signed-off-by: Jouni Malinen <j@w1.fi> Cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-27Merge branch 'master' of ↵David S. Miller2-1/+6
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6
2010-02-26mac80211: fix direct probe loop on ieee80211_work_purgeJuuso Oikarinen1-0/+1
If authentication has already been performed when the WLAN interface is stopped, (sometimes) the ieee80211_work_purge would corrupt some ieee80211_work-structures. The outcome is this (cleaned up): [ 2252.398681] WARNING: at net/mac80211/work.c:995 ieee80211_work_purge [ 2252.466430] Backtrace: [ 2252.529266] (ieee80211_work_purge+0x0/0xcc [mac80211]) [ 2252.546875] (ieee80211_stop+0x0/0x4c0 [mac80211]) Additionally, one would get this, going on regarless of the WLAN interface state, going on forever: [ 2252.859985] wlan0: direct probe to 00:90:4c:60:04:00 (try -996717525) [ 2253.055419] wlan0: direct probe to 00:90:4c:60:04:00 (try -996717524) [ 2253.250610] wlan0: direct probe to 00:90:4c:60:04:00 (try -996717523) [ 2253.446014] wlan0: direct probe to 00:90:4c:60:04:00 (try -996717522) [ 2253.641357] wlan0: direct probe to 00:90:4c:60:04:00 (try -996717521) Signed-off-by: Juuso Oikarinen <juuso.oikarinen@nokia.com> Reviewed-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-26mac80211: use listen interval 5 as defaultHelmut Schaa1-1/+5
Currently if a driver does not set hw.max_listen_interval a listen interval of 1 is negotiated with the AP. Thus, the AP could drop buffered frames for us after just one beacon interval which can easily happen with the current powersave and scan implementation. To avoid this issue increase the default interval to 5 which should be a reasonable safe default. Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-26Merge branch 'master' of ↵John W. Linville1-0/+3
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 Conflicts: drivers/net/wireless/iwlwifi/iwl-core.h net/mac80211/rate.c
2010-02-25Merge branch 'master' of ↵David S. Miller6-45/+157
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6 Conflicts: drivers/net/wireless/iwlwifi/iwl-core.h drivers/net/wireless/rt2x00/rt2800pci.c
2010-02-16mac80211: split ieee80211_drop_unencryptedJohannes Berg1-4/+18
Currently, ieee80211_drop_unencrypted is called from management and data frame context, and the different contexts pass different frames. This could lead to it processing an 802.3 frame as an 802.11 frame when MFP is enabled. Move the MFP part of ieee80211_drop_unencrypted into a new function that is only called for mgmt frames. Cc: Jouni Malinen <j@w1.fi> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-15cfg80211/mac80211: allow registering for and sending action framesJouni Malinen5-14/+88
This implements a new command to register for action frames that userspace wants to handle instead of the in-kernel rejection. It is then responsible for rejecting ones that it decided not to handle. There is no unregistration, but the socket can be closed for that. Frames that are not registered for will not be forwarded to userspace and will be rejected by the kernel, the cfg80211 API helps implementing that. Additionally, this patch adds a new command that allows doing action frame transmission from userspace. It can be used either to exchange action frames on the current operational channel (e.g., with the AP with which we are currently associated) or to exchange off-channel Public Action frames with the remain-on-channel command. Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com> Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-15mac80211: reject unhandled action framesJohannes Berg1-33/+57
802.11-2007 7.3.1.11 mandates that we need to reject action frames we don't handle by setting the 0x80 bit in the category and returning them to the sender, so do that. In AP mode, hostapd is responsible for this. Additionally, drop completely malformed action frames or ones that should've been encrypted as unusable, userspace shouldn't see those. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-15mac80211: fix netdev renameJohannes Berg1-1/+1
Fix a copy bug introduced by commit 47846c9b0c10808d9337d2e7d09361f3e0a0a71a Author: Johannes Berg <johannes@sipsolutions.net> Date: Wed Nov 25 17:46:19 2009 +0100 mac80211: reduce reliance on netdev This manifested itself only in debug messages and in the debugfs rename failure that would always happen due to trying to rename the dir over itself. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Tested-by: Pavel Roskin <proski@gnu.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-14mac80211: Fix error introduced in netdev_mc_count() changes.David S. Miller1-1/+1
Commit 4cd24eaf0c6ee7f0242e34ee77ec899f255e66b5 ("net: use netdev_mc_count and netdev_mc_empty when appropriate") added this hunk to net/mac80211/iface.c: __dev_addr_unsync(&local->mc_list, &local->mc_count, - &dev->mc_list, &dev->mc_count); + &dev->mc_list, dev->mc_count); which is definitely not correct, introduced a warning (reported by Stephen Rothwell): net/mac80211/iface.c: In function 'ieee80211_stop': net/mac80211/iface.c:416: warning: passing argument 4 of '__dev_addr_unsync' makes pointer from integer without a cast include/linux/netdevice.h:1967: note: expected 'int *' but argument is of type 'int' and is thus reverted here. Signed-off-by: David S. Miller <davem@davemloft.net>
2010-02-14Merge branch 'master' of ↵David S. Miller1-0/+3
master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 Conflicts: net/mac80211/rate.c
2010-02-14Merge branch 'master' of ↵David S. Miller19-529/+649
ssh://master.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6
2010-02-14Merge branch 'master' of ↵David S. Miller1-0/+3
ssh://master.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6
2010-02-12mac80211: fix handling of null-rate control in rate_control_get_rateJuuso Oikarinen1-0/+3
For hardware with IEEE80211_HW_HAS_RATE_CONTROL the rate controller is not initialized. However, calling functions such as ieee80211_beacon_get result in the rate_control_get_rate function getting called, which is accessing (in this case uninitialized) rate control structures unconditionally. Fix by exiting the function before setting the rates for HW with IEEE80211_HW_HAS_RATE_CONTROL set. The initialization of the ieee80211_tx_info struct is intentionally still executed. Signed-off-by: Juuso Oikarinen <juuso.oikarinen@nokia.com> Reviewed-by: Kalle Valo <kalle.valo@nokia.com> Cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-12net: use netdev_mc_count and netdev_mc_empty when appropriateJiri Pirko1-1/+1
This patch replaces dev->mc_count in all drivers (hopefully I didn't miss anything). Used spatch and did small tweaks and conding style changes when it was suitable. Jirka Signed-off-by: Jiri Pirko <jpirko@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-02-10mac80211: Deny TX BA session requests during disassociationSujith3-1/+15
In associated state, when bringing an interface down, existing BA sessions are torn down. When this is in progress, nothing prevents mac80211 from accepting another BA session start request. Use a new station flag to fix this. Signed-off-by: Sujith <Sujith.Manoharan@atheros.com> Acked-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-10Merge branch 'master' of ↵David S. Miller2-9/+11
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6
2010-02-09mac80211: Retry null data frame for power save.Vivek Natarajan3-7/+31
Even if the null data frame is not acked by the AP, mac80211 goes into power save. This might lead to loss of frames from the AP. Prevent this by restarting dynamic_ps_timer when ack is not received for null data frames. Cc: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: Vivek Natarajan <vnatarajan@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-09tree-wide: Assorted spelling fixesDaniel Mack1-1/+1
In particular, several occurances of funny versions of 'success', 'unknown', 'therefore', 'acknowledge', 'argument', 'achieve', 'address', 'beginning', 'desirable', 'separate' and 'necessary' are fixed. Signed-off-by: Daniel Mack <daniel@caiaq.de> Cc: Joe Perches <joe@perches.com> Cc: Junio C Hamano <gitster@pobox.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
2010-02-08mac80211: Reset dynamic ps timer in Rx path.Vivek Natarajan1-0/+8
The current mac80211 implementation enables power save if there is no Tx traffic for a specific timeout. Hence, PS is triggered even if there is a continuous Rx only traffic(like UDP) going on. This makes the drivers to wait on the tim bit in the next beacon to awake which leads to redundant sleep-wake cycles. Fix this by restarting the dynamic ps timer on receiving every data packet. Signed-off-by: Vivek Natarajan <vnatarajan@atheros.com> CC: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-08mac80211: make rate_control_alloc staticAndres Salomon2-6/+3
rate_control_alloc is not used by anything outside of ieee80211_init_rate_ctrl_alg. Both are in rate.c; there's no reason to make rate_control_alloc visible outside of it. Signed-off-by: Andres Salomon <dilinger@collabora.co.uk> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-08mac80211: remove get_tx_stats() driver opKalle Valo2-31/+0
get_tx_stats() driver operation is not currently used anywhere in mac80211 and there are no plans to use it in the not-so-near future. So it can go without anyone missing it. Signed-off-by: Kalle Valo <kalle.valo@iki.fi> Acked-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-08mac80211: fix deauth raceJohannes Berg1-3/+9
When userspace requests a deauth while the authentication work is pending in the auth (not probe) state, we do not properly abort the work and then things get confused. Fix that and also improve the checks here to include the correct virtual interface, just in case two virtual interfaces would ever try to connect to the same BSS. Also fix a bug -- need to use list_del_rcu instead of just list_del to free a work item. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-08mac80211: fix bss_conf.dtim_periodJohannes Berg1-0/+2
In AP mode, the only mode where the parameter is supposed to be valid, we never assign it! Fix that to allow drivers to avoid parsing the TIM IE for the value. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-08mac80211: Added a new debugfs file for reading channel_typeBenoit Papillault1-0/+33
This file helps debugging HT channels since it displays if we are on ht20 or ht40+/ht40- Signed-off-by: Benoit Papillault <benoit.papillault@free.fr> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-08mac80211: tear down all agg queues when restart/reconfig hwWey-Yi Guy1-0/+8
When there is a need to restart/reconfig hw, tear down all the aggregation queues and let the mac80211 and driver get in-sync to have the opportunity to re-establish the aggregation queues again. Need to wait until driver re-establish all the station information before tear down the aggregation queues, driver(at least iwlwifi driver) will reject the stop aggregation queue request if station is not ready. But also need to make sure the aggregation queues are tear down before waking up the queues, so mac80211 will not sending frames with aggregation bit set. Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-08mac80211: allow station add/remove to sleepJohannes Berg13-464/+511
Many drivers would like to sleep during station addition and removal, and currently have a high complexity there from not being able to. This introduces two new callbacks sta_add() and sta_remove() that drivers can implement instead of using sta_notify() and that can sleep, and the new sta_add() callback is also allowed to fail. The reason we didn't do this previously is that the IBSS code wants to insert stations from the RX path, which is a tasklet, so cannot sleep. This patch will keep the station allocation in that path, but moves adding the station to the driver out of line. Since the addition can now fail, we can have IBSS peer structs the driver rejected -- in that case we still talk to the station but never tell the driver about it in the control.sta pointer. If there will ever be a driver that has a low limit on the number of stations and that cannot talk to any stations that are not known to it, we need to do come up with a new strategy of handling larger IBSSs, maybe quicker expiry or rejecting peers. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-08mac80211: don't probe if we have probe responseJohannes Berg1-5/+5
We can now easily determine whether we already have probe response information for the BSS we are asked to connect to, in which case there's little point in probing the BSS again. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-08wireless: update radiotap parserJohannes Berg1-4/+5
Upstream radiotap has adopted the namespace proposal David Young made and I then took care of, for which I had adapted the radiotap parser as a library outside the kernel. This brings the in-kernel parser up to speed. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-08Merge branch 'master' of ↵John W. Linville3-10/+21
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 Conflicts: net/mac80211/scan.c
2010-02-08mac80211: fix deferred hardware scan requestsJohannes Berg1-8/+10
Reinette found the reason for the warnings that happened occasionally when a hw-offloaded scan finished; her description of the problem: mac80211 will defer the handling of scan requests if it is busy with management work at the time. The scan requests are deferred and run after the work has completed. When this occurs there are currently two problems. * The scan request for hardware scan is not fully populated with the band and channels to scan not initialized. * When the scan is queued the state is not correctly updated to reflect that a scan is in progress. The problem here is that when the driver completes the scan and calls ieee80211_scan_completed() a warning will be triggered since mac80211 was not aware that a scan was in progress. The reason is that the queued scan work will start the hw scan right away when the hw_scan_req struct has already been allocated. However, in the first pass it will not have been filled, which happens at the same time as setting the bits. To fix this, simply move the allocation after the pending work test as well, so that the first iteration of the scan work will call __ieee80211_start_scan() even in the hardware scan case. Bug-identified-by: Reinette Chatre <reinette.chatre@intel.com> Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-08mac80211: Fix probe request filtering in IBSS modeBenoit Papillault1-1/+1
We only reply to probe request if either the requested SSID is the broadcast SSID or if the requested SSID matches our own SSID. This latter case was not properly handled since we were replying to different SSID with the same length as our own SSID. Signed-off-by: Benoit Papillault <benoit.papillault@free.fr> Cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-04Merge branch 'master' of ↵David S. Miller17-172/+201
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6
2010-02-01mac80211: Don't call rate control when HW handles itVasanthakumar1-0/+4
Rate control should not be called to update the tx status when HW does the RC. Signed-off-by: Vasanthakumar <vasanth@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-01mac80211: fix sta lookup with AP VLAN interfaces and injected framesFelix Fietkau1-0/+2
When injecting frames, mac80211 currently looks for the first AP interface that matches the source address of the injected frame. This breaks when such a frame is directed at a STA that has been moved to a VLAN. This patch fixes it by using sta_info_get_bss instead of sta_info_get, which also finds stations belonging to a VLAN interface of the same BSS as the AP interface. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-01mac80211: fix monitor mode tx radiotap header handlingFelix Fietkau1-2/+4
When an injected frame gets buffered for a powersave STA or filtered and retransmitted, mac80211 attempts to parse the radiotap header again, which doesn't work because it's gone at that point. This patch adds a new flag for checking the availability of a radiotap header, so that it only attempts to parse it once, reusing the tx info on the next call to ieee80211_tx(). This fixes severe issues with rekeying in AP mode. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-01mac80211: fix sta lookup for received action frames on an AP VLANFelix Fietkau1-2/+2
When looking for a matching interface, __ieee80211_rx_handle_packet loops over all active interfaces, looking for matching stations. Because AP VLAN interfaces are not processed as part of this loop, it needs to use sta_info_get_bss instead of sta_info_get in order to find a STA that has been moved to a VLAN. This fixes issues with aggregation setup/teardown. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-01mac80211: reduce stack usage in sta_agg_status_read()Pavel Roskin1-11/+13
Use a more compact and readable format for "agg_status" to reduce the stack frame to less than 1024 bytes. Signed-off-by: Pavel Roskin <proski@gnu.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-02-01mac80211: reduce stack usage in sta_ht_capa_read()Pavel Roskin1-1/+1
The maximal size of the "ht_capa" file is 430 bytes. In most cases, it's much shorter. Use a 512 byte long buffer. 1024 bytes is too much and causes a warning with CONFIG_FRAME_WARN=1024. Signed-off-by: Pavel Roskin <proski@gnu.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-01-28Merge branch 'master' of ↵David S. Miller1-1/+1
master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
2010-01-28Merge branch 'master' of ↵David S. Miller1-1/+1
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6
2010-01-26mac80211: wait for beacon before enabling powersaveJohannes Berg2-7/+24
Because DTIM information is required for powersave but is only conveyed in beacons, wait for a beacon before enabling powersave, and change the way the information is conveyed to the driver accordingly. mwl8k doesn't currently seem to implement PS but requires the DTIM period in a different way; after talking to Lennert we agreed to just have mwl8k do the parsing itself in the finalize_join work. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Acked-by: Lennert Buytenhek <buytenh@marvell.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-01-26mac80211: fix NULL pointer dereference when ftrace is enabledZhu Yi1-1/+1
I got below kernel oops when I try to bring down the network interface if ftrace is enabled. The root cause is drv_ampdu_action() is passed with a NULL ssn pointer in the BA session tear down case. We need to check and avoid dereferencing it in trace entry assignment. BUG: unable to handle kernel NULL pointer dereference Modules linked in: at (null) IP: [<f98fe02a>] ftrace_raw_event_drv_ampdu_action+0x10a/0x160 [mac80211] *pde = 00000000 Oops: 0000 [#1] SMP DEBUG_PAGEALLOC [...] Call Trace: [<f98fdf20>] ? ftrace_raw_event_drv_ampdu_action+0x0/0x160 [mac80211] [<f98dac4c>] ? __ieee80211_stop_rx_ba_session+0xfc/0x220 [mac80211] [<f98d97fb>] ? ieee80211_sta_tear_down_BA_sessions+0x3b/0x50 [mac80211] [<f98dc6f6>] ? ieee80211_set_disassoc+0xe6/0x230 [mac80211] [<f98dc6ac>] ? ieee80211_set_disassoc+0x9c/0x230 [mac80211] [<f98dcbb8>] ? ieee80211_mgd_deauth+0x158/0x170 [mac80211] [<f98e4bdb>] ? ieee80211_deauth+0x1b/0x20 [mac80211] [<f8987f49>] ? __cfg80211_mlme_deauth+0xe9/0x120 [cfg80211] [<f898b870>] ? __cfg80211_disconnect+0x170/0x1d0 [cfg80211] Cc: Johannes Berg <johannes@sipsolutions.net> Cc: stable@kernel.org Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>