projects / openwrt / staging / jow.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
mac80211: add a few upstream fixes
[openwrt/staging/jow.git] / package / kernel / mac80211 / patches / 300-pending_work.patch
1 commit 31959d8df39319e32c6d5ba9c135727be90cfad7
2 Author: Michal Kazior <michal.kazior@tieto.com>
3 Date: Fri Mar 7 08:09:38 2014 +0100
4
5 mac80211: fix possible NULL dereference
6
7 If chanctx is missing on a given vif then the band
8 is assumed to be 2GHz. However if hw doesn't
9 support 2GHz band then mac80211 ended up with a
10 NULL dereference.
11
12 This fixes a splat:
13
14 [ 4605.207223] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
15 [ 4605.210789] IP: [<ffffffffa07b5635>] ieee80211_parse_bitrates+0x65/0x110 [mac80211]
16
17 The splat was preceeded by WARN_ON(!chanctx_conf)
18 in ieee80211_get_sdata_band().
19
20 Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
21
22 commit 6c5a3ffa0a2d22c091a2717f427259bacf77ac5e
23 Author: Michael Braun <michael-dev@fami-braun.de>
24 Date: Thu Mar 6 15:08:43 2014 +0100
25
26 mac80211: fix WPA with VLAN on AP side with ps-sta again
27
28 commit de74a1d9032f4d37ea453ad2a647e1aff4cd2591
29 "mac80211: fix WPA with VLAN on AP side with ps-sta"
30 fixed an issue where queued multicast packets would
31 be sent out encrypted with the key of an other bss.
32
33 commit "7cbf9d017dbb5e3276de7d527925d42d4c11e732"
34 "mac80211: fix oops on mesh PS broadcast forwarding"
35 essentially reverted it, because vif.type cannot be AP_VLAN
36 due to the check to vif.type in ieee80211_get_buffered_bc before.
37
38 As the later commit intended to fix the MESH case, fix it
39 by checking for IFTYPE_AP instead of IFTYPE_AP_VLAN.
40
41 Fixes: 7cbf9d017dbb
42 Cc: <stable@vger.kernel.org> # 3.10.x
43 Cc: <stable@vger.kernel.org> # 3.11.x
44 Cc: <stable@vger.kernel.org> # 3.12.x
45 Cc: <stable@vger.kernel.org> # 3.13.x
46 Cc: <linux-wireless@vger.kernel.org>
47 Cc: <projekt-wlan@fem.tu-ilmenau.de>
48 Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
49
50 commit 9d6ab9bdb9b368a6cf9519f0f92509b5b2c297ec
51 Author: Johannes Berg <johannes.berg@intel.com>
52 Date: Mon Mar 3 14:19:08 2014 +0100
53
54 cfg80211: remove racy beacon_interval assignment
55
56 In case of AP mode, the beacon interval is already reset to
57 zero inside cfg80211_stop_ap(), and in the other modes it
58 isn't relevant. Remove the assignment to remove a potential
59 race since the assignment isn't properly locked.
60
61 Reported-by: Michal Kazior <michal.kazior@tieto.com>
62 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
63
64 commit 1abdeca3c6fb9cf1f84f85e78ed8d1c33bd69db0
65 Author: Felix Fietkau <nbd@openwrt.org>
66 Date: Fri Feb 28 18:52:56 2014 +0100
67
68 ath9k_hw: tweak noise immunity thresholds for older chipsets
69
70 Older chipsets are more sensitive to high PHY error counts, and the
71 current noise immunity thresholds were based on tests run at QCA with
72 newer chipsets.
73
74 This patch brings back the values from the old ANI implementation for
75 old chipsets, and it also disables weak signal detection on an earlier
76 noise immunity level, to improve overall radio stability on affected
77 devices.
78
79 Signed-off-by: Felix Fietkau <nbd@openwrt.org>
80
81 commit 431e506da5953adc3b65af25f4b90873d528c115
82 Author: Felix Fietkau <nbd@openwrt.org>
83 Date: Fri Feb 28 18:44:13 2014 +0100
84
85 ath9k_hw: toggle weak signal detection in AP mode on older chipsets
86
87 The commit 80b4205b "ath9k: Fix OFDM weak signal detection for AP mode"
88 prevented weak signal detection changes from taking effect in AP mode on
89 all chipsets, claiming it is "not allowed".
90
91 The main reason for not disabling weak signal detection in AP mode is
92 that typically beacon RSSI is used to track whether it is needed to
93 boost range, and this is unavailable in AP mode for obvious reasons.
94
95 The problem with not disabling weak signal detection is that older
96 chipsets are very sensitive to high PHY error counts. When faced with
97 heavy noise, this can lead to an excessive amount of "Failed to stop
98 TX DMA" errors in the field.
99
100 Signed-off-by: Felix Fietkau <nbd@openwrt.org>
101
102 commit 98d1a6c5b14688ed030e81b889f607be308e0df9
103 Author: Felix Fietkau <nbd@openwrt.org>
104 Date: Mon Feb 24 22:20:32 2014 +0100
105
106 ath9k: fix invalid descriptor discarding
107
108 Only set sc->rx.discard_next to rx_stats->rs_more when actually
109 discarding the current descriptor.
110
111 Also, fix a detection of broken descriptors:
112 First the code checks if the current descriptor is not done.
113 Then it checks if the next descriptor is done.
114 Add a check that afterwards checks the first descriptor again, because
115 it might have been completed in the mean time.
116
117 This fixes a regression introduced in
118 commit 723e711356b5a8a95728a890e254e8b0d47b55cf
119 "ath9k: fix handling of broken descriptors"
120
121 Cc: stable@vger.kernel.org
122 Reported-by: Marco André Dinis <marcoandredinis@gmail.com>
123 Signed-off-by: Felix Fietkau <nbd@openwrt.org>
124
125 commit 52a46300e782fe6994466523eb2b0b59091ea59f
126 Author: Felix Fietkau <nbd@openwrt.org>
127 Date: Mon Feb 24 11:43:50 2014 +0100
128
129 ath9k: reduce baseband hang detection false positive rate
130
131 Check if the baseband state remains stable, and add a small delay
132 between register reads.
133
134 Signed-off-by: Felix Fietkau <nbd@openwrt.org>
135
136 commit 118945bb12082e9d4edddc868d88143164e0f440
137 Author: Felix Fietkau <nbd@openwrt.org>
138 Date: Sat Feb 22 14:55:23 2014 +0100
139
140 ath5k: set SURVEY_INFO_IN_USE on get_survey
141
142 Only one channel is returned - the one currently being used.
143
144 Signed-off-by: Felix Fietkau <nbd@openwrt.org>
145
146 commit ee41f72476e1ea44283dfe1cbf75b9543a1e15c8
147 Author: Felix Fietkau <nbd@openwrt.org>
148 Date: Sat Feb 22 14:44:52 2014 +0100
149
150 ath9k: make some hardware reset log messages debug-only
151
152 On some chips, baseband watchdog hangs are more common than others, and
153 the driver has support for handling them.
154 Interrupts even after a watchdog hang are also quite common, so there's
155 not much point in spamming the user's logfiles.
156
157 Signed-off-by: Felix Fietkau <nbd@openwrt.org>
158
159 commit b14fbb554fc65a2e0b5c41a319269b0350f187e7
160 Author: Felix Fietkau <nbd@openwrt.org>
161 Date: Sat Feb 22 14:35:25 2014 +0100
162
163 ath9k: do not set half/quarter channel flags in AR_PHY_MODE
164
165 5/10 MHz channel bandwidth is configured via the PLL clock, instead of
166 the AR_PHY_MODE register. Using that register is AR93xx specific, and
167 makes the mode incompatible with earlier chipsets.
168
169 In some early versions, these flags were apparently applied at the wrong
170 point in time and thus did not cause connectivity issues, however now
171 they are causing problems, as pointed out in this OpenWrt ticket:
172
173 https://dev.openwrt.org/ticket/14916
174
175 Signed-off-by: Felix Fietkau <nbd@openwrt.org>
176
177 commit 0f1cb7be2551b30b02cd54c897e0e29e483cfda5
178 Author: Felix Fietkau <nbd@openwrt.org>
179 Date: Sat Feb 22 13:43:29 2014 +0100
180
181 ath9k: fix ps-poll responses under a-mpdu sessions
182
183 When passing tx frames to the U-APSD queue for powersave poll responses,
184 the ath_atx_tid pointer needs to be passed to ath_tx_setup_buffer for
185 proper sequence number accounting.
186
187 This fixes high latency and connection stability issues with ath9k
188 running as AP and a few kinds of mobile phones as client, when PS-Poll
189 is heavily used
190
191 Cc: stable@vger.kernel.org
192 Signed-off-by: Felix Fietkau <nbd@openwrt.org>
193
194 commit d5d87a37bbd6066b2c3c5d0bd0fe2a6e2ea45cc5
195 Author: Felix Fietkau <nbd@openwrt.org>
196 Date: Fri Feb 21 11:39:59 2014 +0100
197
198 ath9k: list more reset causes in debugfs
199
200 Number of MAC hangs and stuck beacons were missing
201
202 Signed-off-by: Felix Fietkau <nbd@openwrt.org>
203
204 commit d84856012e0f10fe598a5ad3b7b869397a089e07
205 Author: Johannes Berg <johannes.berg@intel.com>
206 Date: Thu Feb 20 11:19:58 2014 +0100
207
208 mac80211: fix station wakeup powersave race
209
210 Consider the following (relatively unlikely) scenario:
211 1) station goes to sleep while frames are buffered in driver
212 2) driver blocks wakeup (until no more frames are buffered)
213 3) station wakes up again
214 4) driver unblocks wakeup
215
216 In this case, the current mac80211 code will do the following:
217 1) WLAN_STA_PS_STA set
218 2) WLAN_STA_PS_DRIVER set
219 3) - nothing -
220 4) WLAN_STA_PS_DRIVER cleared
221
222 As a result, no frames will be delivered to the client, even
223 though it is awake, until it sends another frame to us that
224 triggers ieee80211_sta_ps_deliver_wakeup() in sta_ps_end().
225
226 Since we now take the PS spinlock, we can fix this while at
227 the same time removing the complexity with the pending skb
228 queue function. This was broken since my commit 50a9432daeec
229 ("mac80211: fix powersaving clients races") due to removing
230 the clearing of WLAN_STA_PS_STA in the RX path.
231
232 While at it, fix a cleanup path issue when a station is
233 removed while the driver is still blocking its wakeup.
234
235 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
236
237 commit 798f2786602cbe93e6b928299614aa36ebf50692
238 Author: Johannes Berg <johannes.berg@intel.com>
239 Date: Mon Feb 17 20:49:03 2014 +0100
240
241 mac80211: insert stations before adding to driver
242
243 There's a race condition in mac80211 because we add stations
244 to the internal lists after adding them to the driver, which
245 means that (for example) the following can happen:
246 1. a station connects and is added
247 2. first, it is added to the driver
248 3. then, it is added to the mac80211 lists
249
250 If the station goes to sleep between steps 2 and 3, and the
251 firmware/hardware records it as being asleep, mac80211 will
252 never instruct the driver to wake it up again as it never
253 realized it went to sleep since the RX path discarded the
254 frame as a "spurious class 3 frame", no station entry was
255 present yet.
256
257 Fix this by adding the station in software first, and only
258 then adding it to the driver. That way, any state that the
259 driver changes will be reflected properly in mac80211's
260 station state. The problematic part is the roll-back if the
261 driver fails to add the station, in that case a bit more is
262 needed. To not make that overly complex prevent starting BA
263 sessions in the meantime.
264
265 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
266
267 commit b9ba6a520cb07ab3aa7aaaf9ce4a0bc7a6bc06fe
268 Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
269 Date: Thu Feb 20 09:22:11 2014 +0200
270
271 mac80211: fix AP powersave TX vs. wakeup race
272
273 There is a race between the TX path and the STA wakeup: while
274 a station is sleeping, mac80211 buffers frames until it wakes
275 up, then the frames are transmitted. However, the RX and TX
276 path are concurrent, so the packet indicating wakeup can be
277 processed while a packet is being transmitted.
278
279 This can lead to a situation where the buffered frames list
280 is emptied on the one side, while a frame is being added on
281 the other side, as the station is still seen as sleeping in
282 the TX path.
283
284 As a result, the newly added frame will not be send anytime
285 soon. It might be sent much later (and out of order) when the
286 station goes to sleep and wakes up the next time.
287
288 Additionally, it can lead to the crash below.
289
290 Fix all this by synchronising both paths with a new lock.
291 Both path are not fastpath since they handle PS situations.
292
293 In a later patch we'll remove the extra skb queue locks to
294 reduce locking overhead.
295
296 BUG: unable to handle kernel
297 NULL pointer dereference at 000000b0
298 IP: [<ff6f1791>] ieee80211_report_used_skb+0x11/0x3e0 [mac80211]
299 *pde = 00000000
300 Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
301 EIP: 0060:[<ff6f1791>] EFLAGS: 00210282 CPU: 1
302 EIP is at ieee80211_report_used_skb+0x11/0x3e0 [mac80211]
303 EAX: e5900da0 EBX: 00000000 ECX: 00000001 EDX: 00000000
304 ESI: e41d00c0 EDI: e5900da0 EBP: ebe458e4 ESP: ebe458b0
305 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
306 CR0: 8005003b CR2: 000000b0 CR3: 25a78000 CR4: 000407d0
307 DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
308 DR6: ffff0ff0 DR7: 00000400
309 Process iperf (pid: 3934, ti=ebe44000 task=e757c0b0 task.ti=ebe44000)
310 iwlwifi 0000:02:00.0: I iwl_pcie_enqueue_hcmd Sending command LQ_CMD (#4e), seq: 0x0903, 92 bytes at 3[3]:9
311 Stack:
312 e403b32c ebe458c4 00200002 00200286 e403b338 ebe458cc c10960bb e5900da0
313 ff76a6ec ebe458d8 00000000 e41d00c0 e5900da0 ebe458f0 ff6f1b75 e403b210
314 ebe4598c ff723dc1 00000000 ff76a6ec e597c978 e403b758 00000002 00000002
315 Call Trace:
316 [<ff6f1b75>] ieee80211_free_txskb+0x15/0x20 [mac80211]
317 [<ff723dc1>] invoke_tx_handlers+0x1661/0x1780 [mac80211]
318 [<ff7248a5>] ieee80211_tx+0x75/0x100 [mac80211]
319 [<ff7249bf>] ieee80211_xmit+0x8f/0xc0 [mac80211]
320 [<ff72550e>] ieee80211_subif_start_xmit+0x4fe/0xe20 [mac80211]
321 [<c149ef70>] dev_hard_start_xmit+0x450/0x950
322 [<c14b9aa9>] sch_direct_xmit+0xa9/0x250
323 [<c14b9c9b>] __qdisc_run+0x4b/0x150
324 [<c149f732>] dev_queue_xmit+0x2c2/0xca0
325
326 Cc: stable@vger.kernel.org
327 Reported-by: Yaara Rozenblum <yaara.rozenblum@intel.com>
328 Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
329 Reviewed-by: Stanislaw Gruszka <sgruszka@redhat.com>
330 [reword commit log, use a separate lock]
331 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
332
333 commit 80e419de0dff38436b30d363311c625766193f86
334 Author: Inbal Hacohen <Inbal.Hacohen@intel.com>
335 Date: Wed Feb 12 09:32:27 2014 +0200
336
337 cfg80211: bugfix in regulatory user hint process
338
339 After processing hint_user, we would want to schedule the
340 timeout work only if we are actually waiting to CRDA. This happens
341 when the status is not "IGNORE" nor "ALREADY_SET".
342
343 Signed-off-by: Inbal Hacohen <Inbal.Hacohen@intel.com>
344 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
345
346 commit 6514c93afede55284e2cb63359aadedb85884c80
347 Author: Jouni Malinen <jouni@qca.qualcomm.com>
348 Date: Tue Feb 18 20:41:08 2014 +0200
349
350 ath9k: Enable U-APSD AP mode support
351
352 mac80211 handles the actual operations, so ath9k can just indicate
353 support for this. Based on initial tests, this combination seems to
354 work fine.
355
356 Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
357
358 commit a63caf0a357ad5c1f08d6b7827dc76c451445017
359 Author: Stanislaw Gruszka <sgruszka@redhat.com>
360 Date: Wed Feb 19 13:15:17 2014 +0100
361
362 ath9k: protect tid->sched check
363
364 We check tid->sched without a lock taken on ath_tx_aggr_sleep(). That
365 is race condition which can result of doing list_del(&tid->list) twice
366 (second time with poisoned list node) and cause crash like shown below:
367
368 [424271.637220] BUG: unable to handle kernel paging request at 00100104
369 [424271.637328] IP: [<f90fc072>] ath_tx_aggr_sleep+0x62/0xe0 [ath9k]
370 ...
371 [424271.639953] Call Trace:
372 [424271.639998] [<f90f6900>] ? ath9k_get_survey+0x110/0x110 [ath9k]
373 [424271.640083] [<f90f6942>] ath9k_sta_notify+0x42/0x50 [ath9k]
374 [424271.640177] [<f809cfef>] sta_ps_start+0x8f/0x1c0 [mac80211]
375 [424271.640258] [<c10f730e>] ? free_compound_page+0x2e/0x40
376 [424271.640346] [<f809e915>] ieee80211_rx_handlers+0x9d5/0x2340 [mac80211]
377 [424271.640437] [<c112f048>] ? kmem_cache_free+0x1d8/0x1f0
378 [424271.640510] [<c1345a84>] ? kfree_skbmem+0x34/0x90
379 [424271.640578] [<c10fc23c>] ? put_page+0x2c/0x40
380 [424271.640640] [<c1345a84>] ? kfree_skbmem+0x34/0x90
381 [424271.640706] [<c1345a84>] ? kfree_skbmem+0x34/0x90
382 [424271.640787] [<f809dde3>] ? ieee80211_rx_handlers_result+0x73/0x1d0 [mac80211]
383 [424271.640897] [<f80a07a0>] ieee80211_prepare_and_rx_handle+0x520/0xad0 [mac80211]
384 [424271.641009] [<f809e22d>] ? ieee80211_rx_handlers+0x2ed/0x2340 [mac80211]
385 [424271.641104] [<c13846ce>] ? ip_output+0x7e/0xd0
386 [424271.641182] [<f80a1057>] ieee80211_rx+0x307/0x7c0 [mac80211]
387 [424271.641266] [<f90fa6ee>] ath_rx_tasklet+0x88e/0xf70 [ath9k]
388 [424271.641358] [<f80a0f2c>] ? ieee80211_rx+0x1dc/0x7c0 [mac80211]
389 [424271.641445] [<f90f82db>] ath9k_tasklet+0xcb/0x130 [ath9k]
390
391 Bug report:
392 https://bugzilla.kernel.org/show_bug.cgi?id=70551
393
394 Reported-and-tested-by: Max Sydorenko <maxim.stargazer@gmail.com>
395 Cc: stable@vger.kernel.org
396 Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
397
398 commit 82ed9e3ccc02797df2ffe4b78127c4cd5f799a41
399 Author: Felix Fietkau <nbd@openwrt.org>
400 Date: Tue Feb 11 15:54:13 2014 +0100
401
402 mac80211: send control port protocol frames to the VO queue
403
404 Improves reliability of wifi connections with WPA, since authentication
405 frames are prioritized over normal traffic and also typically exempt
406 from aggregation.
407
408 Cc: stable@vger.kernel.org
409 Signed-off-by: Felix Fietkau <nbd@openwrt.org>
410
411 commit d4426800f71e972feaa33e04c5801fc730627bdd
412 Author: Stanislaw Gruszka <stf_xl@wp.pl>
413 Date: Mon Feb 10 22:38:28 2014 +0100
414
415 rtl8187: fix regression on MIPS without coherent DMA
416
417 This patch fixes regression caused by commit a16dad77634 "MIPS: Fix
418 potencial corruption". That commit fixes one corruption scenario in
419 cost of adding another one, which actually start to cause crashes
420 on Yeeloong laptop when rtl8187 driver is used.
421
422 For correct DMA read operation on machines without DMA coherence, kernel
423 have to invalidate cache, such it will refill later with new data that
424 device wrote to memory, when that data is needed to process. We can only
425 invalidate full cache line. Hence when cache line includes both dma
426 buffer and some other data (written in cache, but not yet in main
427 memory), the other data can not hit memory due to invalidation. That
428 happen on rtl8187 where struct rtl8187_priv fields are located just
429 before and after small buffers that are passed to USB layer and DMA
430 is performed on them.
431
432 To fix the problem we align buffers and reserve space after them to make
433 them match cache line.
434
435 This patch does not resolve all possible MIPS problems entirely, for
436 that we have to assure that we always map cache aligned buffers for DMA,
437 what can be complex or even not possible. But patch fixes visible and
438 reproducible regression and seems other possible corruptions do not
439 happen in practice, since Yeeloong laptop works stable without rtl8187
440 driver.
441
442 Bug report:
443 https://bugzilla.kernel.org/show_bug.cgi?id=54391
444
445 Reported-by: Petr Pisar <petr.pisar@atlas.cz>
446 Bisected-by: Tom Li <biergaizi2009@gmail.com>
447 Reported-and-tested-by: Tom Li <biergaizi2009@gmail.com>
448 Cc: stable@vger.kernel.org
449 Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
450
451 commit e2f141d67ad1e7fe10aaab61811e8a409dfb2442
452 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
453 Date: Fri Feb 7 10:29:55 2014 +0530
454
455 ath9k: Calculate IQ-CAL median
456
457 This patch adds a routine to calculate the median IQ correction
458 values for AR955x, which is used for outlier detection.
459 The normal method which is used for all other chips is
460 bypassed for AR955x.
461
462 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
463
464 commit c52a6fce0820c8d0687443ab86058ae03b478c8f
465 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
466 Date: Fri Feb 7 10:29:54 2014 +0530
467
468 ath9k: Expand the IQ coefficient array
469
470 This will be used for storing data for mutiple
471 IQ calibration runs, for AR955x.
472
473 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
474
475 commit 034969ff5c2b6431d10e07c1938f0b916da85cc3
476 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
477 Date: Fri Feb 7 10:29:53 2014 +0530
478
479 ath9k: Modify IQ calibration for AR955x
480
481 IQ calibration post-processing for AR955x is different
482 from other chips - instead of just doing it as part
483 of AGC calibration once, it is triggered 3 times and
484 a median is determined. This patch adds initial support
485 for changing the calibration behavior for AR955x.
486
487 Also, to simplify things, a helper routine to issue/poll
488 AGC calibration is used.
489
490 For non-AR955x chips, the iqcal_idx (which will be used
491 in subsequent patches) is set to zero.
492
493 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
494
495 commit 9b1ed6454e6f3511f24266be99b4e403f243f6a8
496 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
497 Date: Fri Feb 7 10:29:52 2014 +0530
498
499 ath9k: Fix magnitude/phase calculation
500
501 Incorrect values are programmed in the registers
502 containing the IQ correction coefficients by the IQ-CAL
503 post-processing code. Fix this.
504
505 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
506
507 commit 36f93484f96f79171dcecb67c5ef0c3de22531a6
508 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
509 Date: Fri Feb 7 10:29:51 2014 +0530
510
511 ath9k: Rename ar9003_hw_tx_iqcal_load_avg_2_passes
512
513 Use ar9003_hw_tx_iq_cal_outlier_detection instead.
514
515 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
516
517 commit 3af09a7f5d21dd5fd15b973ce6a91a575da30417
518 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
519 Date: Fri Feb 7 10:29:50 2014 +0530
520
521 ath9k: Check explicitly for IQ calibration
522
523 In chips like AR955x, the initvals contain the information
524 whether IQ calibration is to be done in the HW when an
525 AGC calibration is triggered. Check if IQ-CAL is enabled
526 in the initvals before flagging 'txiqcal_done' as true.
527
528 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
529
530 commit cb4969634b93c4643a32cc3fbd27d2b288b25771
531 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
532 Date: Fri Feb 7 10:29:49 2014 +0530
533
534 ath9k: Fix IQ cal post processing for SoC
535
536 Calibration data is not reused for SoC chips, so
537 call ar9003_hw_tx_iq_cal_post_proc() with the correct
538 argument. The 'is_reusable' flag is currently used
539 only for PC-OEM chips, but it makes things clearer to
540 specify it explicity.
541
542 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
543
544 commit e138e0ef9560c46ce93dbb22a728a57888e94d1c
545 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
546 Date: Mon Feb 3 13:31:37 2014 +0530
547
548 ath9k: Fix TX power calculation
549
550 The commit, "ath9k_hw: Fix incorrect Tx control power in AR9003 template"
551 fixed the incorrect values in the eeprom templates, but if
552 boards have already been calibrated with incorrect values,
553 they would still be using the wrong TX power. Fix this by assigning
554 a default value in such cases.
555
556 Cc: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
557 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
558
559 commit b9f268b5b01331c3c82179abca551429450e9417
560 Author: Michal Kazior <michal.kazior@tieto.com>
561 Date: Wed Jan 29 14:22:27 2014 +0100
562
563 cfg80211: consider existing DFS interfaces
564
565 It was possible to break interface combinations in
566 the following way:
567
568 combo 1: iftype = AP, num_ifaces = 2, num_chans = 2,
569 combo 2: iftype = AP, num_ifaces = 1, num_chans = 1, radar = HT20
570
571 With the above interface combinations it was
572 possible to:
573
574 step 1. start AP on DFS channel by matching combo 2
575 step 2. start AP on non-DFS channel by matching combo 1
576
577 This was possible beacuse (step 2) did not consider
578 if other interfaces require radar detection.
579
580 The patch changes how cfg80211 tracks channels -
581 instead of channel itself now a complete chandef
582 is stored.
583
584 Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
585 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
586
587 commit bc9c62f5f511cc395c62dbf4cdd437f23db53b28
588 Author: Antonio Quartulli <antonio@open-mesh.com>
589 Date: Wed Jan 29 17:53:43 2014 +0100
590
591 cfg80211: fix channel configuration in IBSS join
592
593 When receiving an IBSS_JOINED event select the BSS object
594 based on the {bssid, channel} couple rather than the bssid
595 only.
596 With the current approach if another cell having the same
597 BSSID (but using a different channel) exists then cfg80211
598 picks up the wrong BSS object.
599 The result is a mismatching channel configuration between
600 cfg80211 and the driver, that can lead to any sort of
601 problem.
602
603 The issue can be triggered by having an IBSS sitting on
604 given channel and then asking the driver to create a new
605 cell using the same BSSID but with a different frequency.
606 By passing the channel to cfg80211_get_bss() we can solve
607 this ambiguity and retrieve/create the correct BSS object.
608 All the users of cfg80211_ibss_joined() have been changed
609 accordingly.
610
611 Moreover WARN when cfg80211_ibss_joined() gets a NULL
612 channel as argument and remove a bogus call of the same
613 function in ath6kl (it does not make sense to call
614 cfg80211_ibss_joined() with a zero BSSID on ibss-leave).
615
616 Cc: Kalle Valo <kvalo@qca.qualcomm.com>
617 Cc: Arend van Spriel <arend@broadcom.com>
618 Cc: Bing Zhao <bzhao@marvell.com>
619 Cc: Jussi Kivilinna <jussi.kivilinna@iki.fi>
620 Cc: libertas-dev@lists.infradead.org
621 Acked-by: Kalle Valo <kvalo@qca.qualcomm.com>
622 Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
623 [minor code cleanup in ath6kl]
624 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
625
626 commit 7e0c41cb41f215aba2c39b1c237bb4d42ec49a85
627 Author: Johannes Berg <johannes.berg@intel.com>
628 Date: Fri Jan 24 14:41:44 2014 +0100
629
630 mac80211: fix bufferable MMPDU RX handling
631
632 Action, disassoc and deauth frames are bufferable, and as such don't
633 have the PM bit in the frame control field reserved which means we
634 need to react to the bit when receiving in such a frame.
635
636 Fix this by introducing a new helper ieee80211_is_bufferable_mmpdu()
637 and using it for the RX path that currently ignores the PM bit in
638 any non-data frames for doze->wake transitions, but listens to it in
639 all frames for wake->doze transitions, both of which are wrong.
640
641 Also use the new helper in the TX path to clean up the code.
642
643 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
644
645 commit fc0df6d2343636e3f48a069330d5b972e3d8659d
646 Author: Janusz Dziedzic <janusz.dziedzic@tieto.com>
647 Date: Fri Jan 24 14:29:21 2014 +0100
648
649 cfg80211: set preset_chandef after channel switch
650
651 Set preset_chandef in channel switch notification.
652 In other case we will have old preset_chandef.
653
654 Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
655 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
656
657 commit cdec895e2344987ff171cece96e25d7407a3ebf6
658 Author: Simon Wunderlich <simon@open-mesh.com>
659 Date: Fri Jan 24 23:48:29 2014 +0100
660
661 mac80211: send ibss probe responses with noack flag
662
663 Responding to probe requests for scanning clients will often create
664 excessive retries, as it happens quite often that the scanning client
665 already left the channel. Therefore do it like hostapd and send probe
666 responses for wildcard SSID only once by using the noack flag.
667
668 Signed-off-by: Simon Wunderlich <simon@open-mesh.com>
669 [fix typo & 'wildcard SSID' in commit log]
670 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
671
672 commit 0b865d1e6b9c05052adae9315df7cb195dc60c3b
673 Author: Luciano Coelho <luciano.coelho@intel.com>
674 Date: Tue Jan 28 17:09:08 2014 +0200
675
676 mac80211: ibss: remove unnecessary call to release channel
677
678 The ieee80211_vif_use_channel() function calls
679 ieee80211_vif_release_channel(), so there's no need to call it
680 explicitly in __ieee80211_sta_join_ibss().
681
682 Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
683 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
684
685 commit e1b6c17e971f0a51ff86c2dac2584c63cd999cd7
686 Author: Michal Kazior <michal.kazior@tieto.com>
687 Date: Wed Jan 29 07:56:21 2014 +0100
688
689 mac80211: add missing CSA locking
690
691 The patch adds a missing sdata lock and adds a few
692 lockdeps for easier maintenance.
693
694 Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
695 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
696
697 commit ad17ba7d14d225b109b73c177cd446afb8050598
698 Author: Michal Kazior <michal.kazior@tieto.com>
699 Date: Wed Jan 29 07:56:20 2014 +0100
700
701 mac80211: fix sdata->radar_required locking
702
703 radar_required setting wasn't protected by
704 local->mtx in some places. This should prevent
705 from scanning/radar detection/roc colliding.
706
707 Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
708 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
709
710 commit 5fcd5f1808813a3d9e502fd756e01bee8a79c85d
711 Author: Michal Kazior <michal.kazior@tieto.com>
712 Date: Wed Jan 29 07:56:19 2014 +0100
713
714 mac80211: move csa_active setting in STA CSA
715
716 The sdata->vif.csa_active could be left set after,
717 e.g. channel context constraints check fail in STA
718 mode leaving the interface in a strange state for
719 a brief period of time until it is disconnected.
720 This was harmless but ugly.
721
722 Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
723 Reviewed-by: Luciano Coelho <luciano.coelho@intel.com>
724 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
725
726 commit e486da4b7eed71821c6b4c1bb9ac62ffd3ab13e9
727 Author: Michal Kazior <michal.kazior@tieto.com>
728 Date: Wed Jan 29 07:56:18 2014 +0100
729
730 mac80211: fix possible memory leak on AP CSA failure
731
732 If CSA for AP interface failed and the interface
733 was not stopped afterwards another CSA request
734 would leak sdata->u.ap.next_beacon.
735
736 Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
737 Reviewed-by: Luciano Coelho <luciano.coelho@intel.com>
738 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
739
740 commit 3a77ba08940682bf3d52cf14f980337324af9d4a
741 Author: Johannes Berg <johannes.berg@intel.com>
742 Date: Sat Feb 1 00:33:29 2014 +0100
743
744 mac80211: fix fragmentation code, particularly for encryption
745
746 The "new" fragmentation code (since my rewrite almost 5 years ago)
747 erroneously sets skb->len rather than using skb_trim() to adjust
748 the length of the first fragment after copying out all the others.
749 This leaves the skb tail pointer pointing to after where the data
750 originally ended, and thus causes the encryption MIC to be written
751 at that point, rather than where it belongs: immediately after the
752 data.
753
754 The impact of this is that if software encryption is done, then
755 a) encryption doesn't work for the first fragment, the connection
756 becomes unusable as the first fragment will never be properly
757 verified at the receiver, the MIC is practically guaranteed to
758 be wrong
759 b) we leak up to 8 bytes of plaintext (!) of the packet out into
760 the air
761
762 This is only mitigated by the fact that many devices are capable
763 of doing encryption in hardware, in which case this can't happen
764 as the tail pointer is irrelevant in that case. Additionally,
765 fragmentation is not used very frequently and would normally have
766 to be configured manually.
767
768 Fix this by using skb_trim() properly.
769
770 Cc: stable@vger.kernel.org
771 Fixes: 2de8e0d999b8 ("mac80211: rewrite fragmentation")
772 Reported-by: Jouni Malinen <j@w1.fi>
773 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
774
775 commit de5f242e0c10e841017e37eb8c38974a642dbca8
776 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
777 Date: Tue Jan 28 06:21:59 2014 +0530
778
779 ath9k: Fix build error on ARM
780
781 Use mdelay instead of udelay to fix this error:
782
783 ERROR: "__bad_udelay" [drivers/net/wireless/ath/ath9k/ath9k_hw.ko] undefined!
784 make[1]: *** [__modpost] Error 1
785 make: *** [modules] Error 2
786
787 Reported-by: Josh Boyer <jwboyer@fedoraproject.org>
788 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
789
790 commit 8e3ea7a51dfc61810fcefd947f6edcf61125252a
791 Author: Geert Uytterhoeven <geert@linux-m68k.org>
792 Date: Sun Jan 26 11:53:21 2014 +0100
793
794 ath9k: Fix uninitialized variable in ath9k_has_tx_pending()
795
796 drivers/net/wireless/ath/ath9k/main.c: In function ‘ath9k_has_tx_pending’:
797 drivers/net/wireless/ath/ath9k/main.c:1869: warning: ‘npend’ may be used uninitialized in this function
798
799 Introduced by commit 10e2318103f5941aa70c318afe34bc41f1b98529 ("ath9k:
800 optimize ath9k_flush").
801
802 Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
803
804 commit a4a634a6937ebdd827fa58e8fcdb8ca49a3769f6
805 Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
806 Date: Mon Jan 27 11:07:42 2014 +0200
807
808 mac80211: release the channel in error path in start_ap
809
810 When the driver cannot start the AP or when the assignement
811 of the beacon goes wrong, we need to unassign the vif.
812
813 Cc: stable@vger.kernel.org
814 Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
815 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
816
817 commit dfb6889a75c601aedb7450b7e606668e77da6679
818 Author: Johannes Berg <johannes.berg@intel.com>
819 Date: Wed Jan 22 11:14:19 2014 +0200
820
821 cfg80211: send scan results from work queue
822
823 Due to the previous commit, when a scan finishes, it is in theory
824 possible to hit the following sequence:
825 1. interface starts being removed
826 2. scan is cancelled by driver and cfg80211 is notified
827 3. scan done work is scheduled
828 4. interface is removed completely, rdev->scan_req is freed,
829 event sent to userspace but scan done work remains pending
830 5. new scan is requested on another virtual interface
831 6. scan done work runs, freeing the still-running scan
832
833 To fix this situation, hang on to the scan done message and block
834 new scans while that is the case, and only send the message from
835 the work function, regardless of whether the scan_req is already
836 freed from interface removal. This makes step 5 above impossible
837 and changes step 6 to be
838 5. scan done work runs, sending the scan done message
839
840 As this can't work for wext, so we send the message immediately,
841 but this shouldn't be an issue since we still return -EBUSY.
842
843 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
844
845 commit 45b7ab41fc08627d9a8428cb413d5d84662a9707
846 Author: Johannes Berg <johannes.berg@intel.com>
847 Date: Wed Jan 22 11:14:18 2014 +0200
848
849 cfg80211: fix scan done race
850
851 When an interface/wdev is removed, any ongoing scan should be
852 cancelled by the driver. This will make it call cfg80211, which
853 only queues a work struct. If interface/wdev removal is quick
854 enough, this can leave the scan request pending and processed
855 only after the interface is gone, causing a use-after-free.
856
857 Fix this by making sure the scan request is not pending after
858 the interface is destroyed. We can't flush or cancel the work
859 item due to locking concerns, but when it'll run it shouldn't
860 find anything to do. This leaves a potential issue, if a new
861 scan gets requested before the work runs, it prematurely stops
862 the running scan, potentially causing another crash. I'll fix
863 that in the next patch.
864
865 This was particularly observed with P2P_DEVICE wdevs, likely
866 because freeing them is quicker than freeing netdevs.
867
868 Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
869 Fixes: 4a58e7c38443 ("cfg80211: don't "leak" uncompleted scans")
870 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
871
872 commit ae04fa489ab31b5a10d3cc8399f52761175d4321
873 Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
874 Date: Thu Jan 23 14:28:16 2014 +0200
875
876 mac80211: avoid deadlock revealed by lockdep
877
878 sdata->u.ap.request_smps_work can’t be flushed synchronously
879 under wdev_lock(wdev) since ieee80211_request_smps_ap_work
880 itself locks the same lock.
881 While at it, reset the driver_smps_mode when the ap is
882 stopped to its default: OFF.
883
884 This solves:
885
886 ======================================================
887 [ INFO: possible circular locking dependency detected ]
888 3.12.0-ipeer+ #2 Tainted: G O
889 -------------------------------------------------------
890 rmmod/2867 is trying to acquire lock:
891 ((&sdata->u.ap.request_smps_work)){+.+...}, at: [<c105b8d0>] flush_work+0x0/0x90
892
893 but task is already holding lock:
894 (&wdev->mtx){+.+.+.}, at: [<f9b32626>] cfg80211_stop_ap+0x26/0x230 [cfg80211]
895
896 which lock already depends on the new lock.
897
898 the existing dependency chain (in reverse order) is:
899
900 -> #1 (&wdev->mtx){+.+.+.}:
901 [<c10aefa9>] lock_acquire+0x79/0xe0
902 [<c1607a1a>] mutex_lock_nested+0x4a/0x360
903 [<fb06288b>] ieee80211_request_smps_ap_work+0x2b/0x50 [mac80211]
904 [<c105cdd8>] process_one_work+0x198/0x450
905 [<c105d469>] worker_thread+0xf9/0x320
906 [<c10669ff>] kthread+0x9f/0xb0
907 [<c1613397>] ret_from_kernel_thread+0x1b/0x28
908
909 -> #0 ((&sdata->u.ap.request_smps_work)){+.+...}:
910 [<c10ae9df>] __lock_acquire+0x183f/0x1910
911 [<c10aefa9>] lock_acquire+0x79/0xe0
912 [<c105b917>] flush_work+0x47/0x90
913 [<c105d867>] __cancel_work_timer+0x67/0xe0
914 [<c105d90f>] cancel_work_sync+0xf/0x20
915 [<fb0765cc>] ieee80211_stop_ap+0x8c/0x340 [mac80211]
916 [<f9b3268c>] cfg80211_stop_ap+0x8c/0x230 [cfg80211]
917 [<f9b0d8f9>] cfg80211_leave+0x79/0x100 [cfg80211]
918 [<f9b0da72>] cfg80211_netdev_notifier_call+0xf2/0x4f0 [cfg80211]
919 [<c160f2c9>] notifier_call_chain+0x59/0x130
920 [<c106c6de>] __raw_notifier_call_chain+0x1e/0x30
921 [<c106c70f>] raw_notifier_call_chain+0x1f/0x30
922 [<c14f8213>] call_netdevice_notifiers_info+0x33/0x70
923 [<c14f8263>] call_netdevice_notifiers+0x13/0x20
924 [<c14f82a4>] __dev_close_many+0x34/0xb0
925 [<c14f83fe>] dev_close_many+0x6e/0xc0
926 [<c14f9c77>] rollback_registered_many+0xa7/0x1f0
927 [<c14f9dd4>] unregister_netdevice_many+0x14/0x60
928 [<fb06f4d9>] ieee80211_remove_interfaces+0xe9/0x170 [mac80211]
929 [<fb055116>] ieee80211_unregister_hw+0x56/0x110 [mac80211]
930 [<fa3e9396>] iwl_op_mode_mvm_stop+0x26/0xe0 [iwlmvm]
931 [<f9b9d8ca>] _iwl_op_mode_stop+0x3a/0x70 [iwlwifi]
932 [<f9b9d96f>] iwl_opmode_deregister+0x6f/0x90 [iwlwifi]
933 [<fa405179>] __exit_compat+0xd/0x19 [iwlmvm]
934 [<c10b8bf9>] SyS_delete_module+0x179/0x2b0
935 [<c1613421>] sysenter_do_call+0x12/0x32
936
937 Fixes: 687da132234f ("mac80211: implement SMPS for AP")
938 Cc: <stable@vger.kernel.org> [3.13]
939 Reported-by: Ilan Peer <ilan.peer@intel.com>
940 Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
941 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
942
943 commit 178b205e96217164fd7c30113464250d0b6f5eca
944 Author: Johannes Berg <johannes.berg@intel.com>
945 Date: Thu Jan 23 16:32:29 2014 +0100
946
947 cfg80211: re-enable 5/10 MHz support
948
949 Unfortunately I forgot this during the merge window, but the
950 patch seems small enough to go in as a fix. The userspace API
951 bug that was the reason for disabling it has long been fixed.
952
953 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
954
955 commit 110a1c79acda14edc83b7c8dc5af9c7ddd23eb61
956 Author: Pontus Fuchs <pontus.fuchs@gmail.com>
957 Date: Thu Jan 16 15:00:40 2014 +0100
958
959 nl80211: Reset split_start when netlink skb is exhausted
960
961 When the netlink skb is exhausted split_start is left set. In the
962 subsequent retry, with a larger buffer, the dump is continued from the
963 failing point instead of from the beginning.
964
965 This was causing my rt28xx based USB dongle to now show up when
966 running "iw list" with an old iw version without split dump support.
967
968 Cc: stable@vger.kernel.org
969 Fixes: 3713b4e364ef ("nl80211: allow splitting wiphy information in dumps")
970 Signed-off-by: Pontus Fuchs <pontus.fuchs@gmail.com>
971 [avoid the entire workaround when state->split is set]
972 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
973
974 commit b4c31b45ffc7ef110fa9ecc34d7878fe7c5b9da4
975 Author: Eliad Peller <eliad@wizery.com>
976 Date: Sun Jan 12 11:06:37 2014 +0200
977
978 mac80211: move roc cookie assignment earlier
979
980 ieee80211_start_roc_work() might add a new roc
981 to existing roc, and tell cfg80211 it has already
982 started.
983
984 However, this might happen before the roc cookie
985 was set, resulting in REMAIN_ON_CHANNEL (started)
986 event with null cookie. Consequently, it can make
987 wpa_supplicant go out of sync.
988
989 Fix it by setting the roc cookie earlier.
990
991 Cc: stable@vger.kernel.org
992 Signed-off-by: Eliad Peller <eliad@wizery.com>
993 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
994
995 commit cfdc9157bfd7bcf88ab4dae08873a9907eba984c
996 Author: Johannes Berg <johannes.berg@intel.com>
997 Date: Fri Jan 24 14:06:29 2014 +0100
998
999 nl80211: send event when AP operation is stopped
1000
1001 There are a few cases, e.g. suspend, where an AP interface is
1002 stopped by the kernel rather than by userspace request, most
1003 commonly when suspending. To let userspace know about this,
1004 send the NL80211_CMD_STOP_AP command as an event every time
1005 an AP interface is stopped. This also happens when userspace
1006 did in fact request the AP stop, but that's not a problem.
1007
1008 For full-MAC drivers this may need to be extended to also
1009 cover cases where the device stopped the AP operation for
1010 some reason, this a bit more complicated because then all
1011 cfg80211 state also needs to be reset; such API is not part
1012 of this patch.
1013
1014 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
1015
1016 commit d5d567eda7704f190379ca852a8f9a4112e3eee3
1017 Author: Johannes Berg <johannes.berg@intel.com>
1018 Date: Thu Jan 23 16:20:29 2014 +0100
1019
1020 mac80211: add length check in ieee80211_is_robust_mgmt_frame()
1021
1022 A few places weren't checking that the frame passed to the
1023 function actually has enough data even though the function
1024 clearly documents it must have a payload byte. Make this
1025 safer by changing the function to take an skb and checking
1026 the length inside. The old version is preserved for now as
1027 the rtl* drivers use it and don't have a correct skb.
1028
1029 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
1030
1031 commit f8f6d212a047fc65c7d3442dfc038f65517236fc
1032 Author: Johannes Berg <johannes.berg@intel.com>
1033 Date: Fri Jan 24 10:53:53 2014 +0100
1034
1035 nl80211: fix scheduled scan RSSI matchset attribute confusion
1036
1037 The scheduled scan matchsets were intended to be a list of filters,
1038 with the found BSS having to pass at least one of them to be passed
1039 to the host. When the RSSI attribute was added, however, this was
1040 broken and currently wpa_supplicant adds that attribute in its own
1041 matchset; however, it doesn't intend that to mean that anything
1042 that passes the RSSI filter should be passed to the host, instead
1043 it wants it to mean that everything needs to also have higher RSSI.
1044
1045 This is semantically problematic because we have a list of filters
1046 like [ SSID1, SSID2, SSID3, RSSI ] with no real indication which
1047 one should be OR'ed and which one AND'ed.
1048
1049 To fix this, move the RSSI filter attribute into each matchset. As
1050 we need to stay backward compatible, treat a matchset with only the
1051 RSSI attribute as a "default RSSI filter" for all other matchsets,
1052 but only if there are other matchsets (an RSSI-only matchset by
1053 itself is still desirable.)
1054
1055 To make driver implementation easier, keep a global min_rssi_thold
1056 for the entire request as well. The only affected driver is ath6kl.
1057
1058 I found this when I looked into the code after Raja Mani submitted
1059 a patch fixing the n_match_sets calculation to disregard the RSSI,
1060 but that patch didn't address the semantic issue.
1061
1062 Reported-by: Raja Mani <rmani@qti.qualcomm.com>
1063 Acked-by: Luciano Coelho <luciano.coelho@intel.com>
1064 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
1065
1066 commit de553e8545e65a6dc4e45f43df7e1443d4291922
1067 Author: Johannes Berg <johannes.berg@intel.com>
1068 Date: Fri Jan 24 10:17:47 2014 +0100
1069
1070 nl80211: check nla_parse() return values
1071
1072 If there's a policy, then nla_parse() return values must be
1073 checked, otherwise the policy is useless and there's nothing
1074 that ensures the attributes are actually what we expect them
1075 to be.
1076
1077 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
1078
1079 commit 652204a0733e9e1c54661d6f9d36e2e1e3b22bb1
1080 Author: Karl Beldan <karl.beldan@rivierawaves.com>
1081 Date: Thu Jan 23 20:06:34 2014 +0100
1082
1083 mac80211: send {ADD,DEL}BA on AC_VO like other mgmt frames, as per spec
1084
1085 ATM, {ADD,DEL}BA and BAR frames are sent on the AC matching the TID of
1086 the BA parameters. In the discussion [1] about this patch, Johannes
1087 recalled that it fixed some races with the DELBA and indeed this
1088 behavior was introduced in [2].
1089 While [2] is right for the BARs, the part queueing the {ADD,DEL}BAs on
1090 their BA params TID AC violates the spec and is more a workaround for
1091 some drivers. Helmut expressed some concerns wrt such drivers, in
1092 particular DELBAs in rt2x00.
1093
1094 ATM, DELBAs are sent after a driver has called (hence "purposely")
1095 ieee80211_start_tx_ba_cb_irqsafe and Johannes and Emmanuel gave some
1096 details wrt intentions behind the split of the IEEE80211_AMPDU_TX_STOP_*
1097 given to the driver ampdu_action supposed to call this function, which
1098 could prove handy to people trying to do the right thing in faulty
1099 drivers (if their fw/hw don't get in their way).
1100
1101 [1] http://mid.gmane.org/1390391564-18481-1-git-send-email-karl.beldan@gmail.com
1102 [2] Commit: cf6bb79ad828 ("mac80211: Use appropriate TID for sending BAR, ADDBA and DELBA frames")
1103
1104 Signed-off-by: Karl Beldan <karl.beldan@rivierawaves.com>
1105 Cc: Helmut Schaa <helmut.schaa@googlemail.com>
1106 Cc: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
1107 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
1108 --- a/drivers/net/wireless/ath/ath6kl/cfg80211.c
1109 +++ b/drivers/net/wireless/ath/ath6kl/cfg80211.c
1110 @@ -790,7 +790,7 @@ void ath6kl_cfg80211_connect_event(struc
1111 if (nw_type & ADHOC_NETWORK) {
1112 ath6kl_dbg(ATH6KL_DBG_WLAN_CFG, "ad-hoc %s selected\n",
1113 nw_type & ADHOC_CREATOR ? "creator" : "joiner");
1114 - cfg80211_ibss_joined(vif->ndev, bssid, GFP_KERNEL);
1115 + cfg80211_ibss_joined(vif->ndev, bssid, chan, GFP_KERNEL);
1116 cfg80211_put_bss(ar->wiphy, bss);
1117 return;
1118 }
1119 @@ -861,13 +861,9 @@ void ath6kl_cfg80211_disconnect_event(st
1120 }
1121
1122 if (vif->nw_type & ADHOC_NETWORK) {
1123 - if (vif->wdev.iftype != NL80211_IFTYPE_ADHOC) {
1124 + if (vif->wdev.iftype != NL80211_IFTYPE_ADHOC)
1125 ath6kl_dbg(ATH6KL_DBG_WLAN_CFG,
1126 "%s: ath6k not in ibss mode\n", __func__);
1127 - return;
1128 - }
1129 - memset(bssid, 0, ETH_ALEN);
1130 - cfg80211_ibss_joined(vif->ndev, bssid, GFP_KERNEL);
1131 return;
1132 }
1133
1134 @@ -3256,6 +3252,15 @@ static int ath6kl_cfg80211_sscan_start(s
1135 struct ath6kl_vif *vif = netdev_priv(dev);
1136 u16 interval;
1137 int ret, rssi_thold;
1138 + int n_match_sets = request->n_match_sets;
1139 +
1140 + /*
1141 + * If there's a matchset w/o an SSID, then assume it's just for
1142 + * the RSSI (nothing else is currently supported) and ignore it.
1143 + * The device only supports a global RSSI filter that we set below.
1144 + */
1145 + if (n_match_sets == 1 && !request->match_sets[0].ssid.ssid_len)
1146 + n_match_sets = 0;
1147
1148 if (ar->state != ATH6KL_STATE_ON)
1149 return -EIO;
1150 @@ -3268,11 +3273,11 @@ static int ath6kl_cfg80211_sscan_start(s
1151 ret = ath6kl_set_probed_ssids(ar, vif, request->ssids,
1152 request->n_ssids,
1153 request->match_sets,
1154 - request->n_match_sets);
1155 + n_match_sets);
1156 if (ret < 0)
1157 return ret;
1158
1159 - if (!request->n_match_sets) {
1160 + if (!n_match_sets) {
1161 ret = ath6kl_wmi_bssfilter_cmd(ar->wmi, vif->fw_vif_idx,
1162 ALL_BSS_FILTER, 0);
1163 if (ret < 0)
1164 @@ -3286,12 +3291,12 @@ static int ath6kl_cfg80211_sscan_start(s
1165
1166 if (test_bit(ATH6KL_FW_CAPABILITY_RSSI_SCAN_THOLD,
1167 ar->fw_capabilities)) {
1168 - if (request->rssi_thold <= NL80211_SCAN_RSSI_THOLD_OFF)
1169 + if (request->min_rssi_thold <= NL80211_SCAN_RSSI_THOLD_OFF)
1170 rssi_thold = 0;
1171 - else if (request->rssi_thold < -127)
1172 + else if (request->min_rssi_thold < -127)
1173 rssi_thold = -127;
1174 else
1175 - rssi_thold = request->rssi_thold;
1176 + rssi_thold = request->min_rssi_thold;
1177
1178 ret = ath6kl_wmi_set_rssi_filter_cmd(ar->wmi, vif->fw_vif_idx,
1179 rssi_thold);
1180 --- a/drivers/net/wireless/ath/ath9k/hw.c
1181 +++ b/drivers/net/wireless/ath/ath9k/hw.c
1182 @@ -1316,7 +1316,7 @@ static bool ath9k_hw_set_reset(struct at
1183 if (AR_SREV_9300_20_OR_LATER(ah))
1184 udelay(50);
1185 else if (AR_SREV_9100(ah))
1186 - udelay(10000);
1187 + mdelay(10);
1188 else
1189 udelay(100);
1190
1191 @@ -1534,7 +1534,7 @@ EXPORT_SYMBOL(ath9k_hw_check_nav);
1192 bool ath9k_hw_check_alive(struct ath_hw *ah)
1193 {
1194 int count = 50;
1195 - u32 reg;
1196 + u32 reg, last_val;
1197
1198 if (AR_SREV_9300(ah))
1199 return !ath9k_hw_detect_mac_hang(ah);
1200 @@ -1542,9 +1542,13 @@ bool ath9k_hw_check_alive(struct ath_hw
1201 if (AR_SREV_9285_12_OR_LATER(ah))
1202 return true;
1203
1204 + last_val = REG_READ(ah, AR_OBS_BUS_1);
1205 do {
1206 reg = REG_READ(ah, AR_OBS_BUS_1);
1207 + if (reg != last_val)
1208 + return true;
1209
1210 + last_val = reg;
1211 if ((reg & 0x7E7FFFEF) == 0x00702400)
1212 continue;
1213
1214 @@ -1556,6 +1560,8 @@ bool ath9k_hw_check_alive(struct ath_hw
1215 default:
1216 return true;
1217 }
1218 +
1219 + udelay(1);
1220 } while (count-- > 0);
1221
1222 return false;
1223 @@ -2051,9 +2057,8 @@ static bool ath9k_hw_set_power_awake(str
1224
1225 REG_SET_BIT(ah, AR_RTC_FORCE_WAKE,
1226 AR_RTC_FORCE_WAKE_EN);
1227 -
1228 if (AR_SREV_9100(ah))
1229 - udelay(10000);
1230 + mdelay(10);
1231 else
1232 udelay(50);
1233
1234 --- a/drivers/net/wireless/ath/ath9k/main.c
1235 +++ b/drivers/net/wireless/ath/ath9k/main.c
1236 @@ -451,7 +451,7 @@ void ath9k_tasklet(unsigned long data)
1237 * interrupts are enabled in the reset routine.
1238 */
1239 atomic_inc(&ah->intr_ref_cnt);
1240 - ath_dbg(common, ANY, "FATAL: Skipping interrupts\n");
1241 + ath_dbg(common, RESET, "FATAL: Skipping interrupts\n");
1242 goto out;
1243 }
1244
1245 @@ -471,7 +471,7 @@ void ath9k_tasklet(unsigned long data)
1246 * interrupts are enabled in the reset routine.
1247 */
1248 atomic_inc(&ah->intr_ref_cnt);
1249 - ath_dbg(common, ANY,
1250 + ath_dbg(common, RESET,
1251 "BB_WATCHDOG: Skipping interrupts\n");
1252 goto out;
1253 }
1254 @@ -484,7 +484,7 @@ void ath9k_tasklet(unsigned long data)
1255 type = RESET_TYPE_TX_GTT;
1256 ath9k_queue_reset(sc, type);
1257 atomic_inc(&ah->intr_ref_cnt);
1258 - ath_dbg(common, ANY,
1259 + ath_dbg(common, RESET,
1260 "GTT: Skipping interrupts\n");
1261 goto out;
1262 }
1263 @@ -1866,7 +1866,7 @@ static void ath9k_set_coverage_class(str
1264
1265 static bool ath9k_has_tx_pending(struct ath_softc *sc)
1266 {
1267 - int i, npend;
1268 + int i, npend = 0;
1269
1270 for (i = 0; i < ATH9K_NUM_TX_QUEUES; i++) {
1271 if (!ATH_TXQ_SETUP(sc, i))
1272 --- a/drivers/net/wireless/iwlwifi/mvm/scan.c
1273 +++ b/drivers/net/wireless/iwlwifi/mvm/scan.c
1274 @@ -595,6 +595,9 @@ static void iwl_scan_offload_build_ssid(
1275 * config match list.
1276 */
1277 for (i = 0; i < req->n_match_sets && i < PROBE_OPTION_MAX; i++) {
1278 + /* skip empty SSID matchsets */
1279 + if (!req->match_sets[i].ssid.ssid_len)
1280 + continue;
1281 scan->direct_scan[i].id = WLAN_EID_SSID;
1282 scan->direct_scan[i].len = req->match_sets[i].ssid.ssid_len;
1283 memcpy(scan->direct_scan[i].ssid, req->match_sets[i].ssid.ssid,
1284 --- a/drivers/net/wireless/rtlwifi/rtl8188ee/trx.c
1285 +++ b/drivers/net/wireless/rtlwifi/rtl8188ee/trx.c
1286 @@ -452,7 +452,7 @@ bool rtl88ee_rx_query_desc(struct ieee80
1287 /* During testing, hdr was NULL */
1288 return false;
1289 }
1290 - if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
1291 + if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
1292 (ieee80211_has_protected(hdr->frame_control)))
1293 rx_status->flag &= ~RX_FLAG_DECRYPTED;
1294 else
1295 --- a/drivers/net/wireless/rtlwifi/rtl8192ce/trx.c
1296 +++ b/drivers/net/wireless/rtlwifi/rtl8192ce/trx.c
1297 @@ -393,7 +393,7 @@ bool rtl92ce_rx_query_desc(struct ieee80
1298 /* In testing, hdr was NULL here */
1299 return false;
1300 }
1301 - if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
1302 + if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
1303 (ieee80211_has_protected(hdr->frame_control)))
1304 rx_status->flag &= ~RX_FLAG_DECRYPTED;
1305 else
1306 --- a/drivers/net/wireless/rtlwifi/rtl8192se/trx.c
1307 +++ b/drivers/net/wireless/rtlwifi/rtl8192se/trx.c
1308 @@ -310,7 +310,7 @@ bool rtl92se_rx_query_desc(struct ieee80
1309 /* during testing, hdr was NULL here */
1310 return false;
1311 }
1312 - if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
1313 + if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
1314 (ieee80211_has_protected(hdr->frame_control)))
1315 rx_status->flag &= ~RX_FLAG_DECRYPTED;
1316 else
1317 --- a/drivers/net/wireless/rtlwifi/rtl8723ae/trx.c
1318 +++ b/drivers/net/wireless/rtlwifi/rtl8723ae/trx.c
1319 @@ -334,7 +334,7 @@ bool rtl8723ae_rx_query_desc(struct ieee
1320 /* during testing, hdr could be NULL here */
1321 return false;
1322 }
1323 - if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
1324 + if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
1325 (ieee80211_has_protected(hdr->frame_control)))
1326 rx_status->flag &= ~RX_FLAG_DECRYPTED;
1327 else
1328 --- a/include/linux/ieee80211.h
1329 +++ b/include/linux/ieee80211.h
1330 @@ -597,6 +597,20 @@ static inline int ieee80211_is_qos_nullf
1331 }
1332
1333 /**
1334 + * ieee80211_is_bufferable_mmpdu - check if frame is bufferable MMPDU
1335 + * @fc: frame control field in little-endian byteorder
1336 + */
1337 +static inline bool ieee80211_is_bufferable_mmpdu(__le16 fc)
1338 +{
1339 + /* IEEE 802.11-2012, definition of "bufferable management frame";
1340 + * note that this ignores the IBSS special case. */
1341 + return ieee80211_is_mgmt(fc) &&
1342 + (ieee80211_is_action(fc) ||
1343 + ieee80211_is_disassoc(fc) ||
1344 + ieee80211_is_deauth(fc));
1345 +}
1346 +
1347 +/**
1348 * ieee80211_is_first_frag - check if IEEE80211_SCTL_FRAG is not set
1349 * @seq_ctrl: frame sequence control bytes in little-endian byteorder
1350 */
1351 @@ -2192,10 +2206,10 @@ static inline u8 *ieee80211_get_DA(struc
1352 }
1353
1354 /**
1355 - * ieee80211_is_robust_mgmt_frame - check if frame is a robust management frame
1356 + * _ieee80211_is_robust_mgmt_frame - check if frame is a robust management frame
1357 * @hdr: the frame (buffer must include at least the first octet of payload)
1358 */
1359 -static inline bool ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr)
1360 +static inline bool _ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr)
1361 {
1362 if (ieee80211_is_disassoc(hdr->frame_control) ||
1363 ieee80211_is_deauth(hdr->frame_control))
1364 @@ -2224,6 +2238,17 @@ static inline bool ieee80211_is_robust_m
1365 }
1366
1367 /**
1368 + * ieee80211_is_robust_mgmt_frame - check if skb contains a robust mgmt frame
1369 + * @skb: the skb containing the frame, length will be checked
1370 + */
1371 +static inline bool ieee80211_is_robust_mgmt_frame(struct sk_buff *skb)
1372 +{
1373 + if (skb->len < 25)
1374 + return false;
1375 + return _ieee80211_is_robust_mgmt_frame((void *)skb->data);
1376 +}
1377 +
1378 +/**
1379 * ieee80211_is_public_action - check if frame is a public action frame
1380 * @hdr: the frame
1381 * @len: length of the frame
1382 --- a/include/net/cfg80211.h
1383 +++ b/include/net/cfg80211.h
1384 @@ -1395,9 +1395,11 @@ struct cfg80211_scan_request {
1385 * struct cfg80211_match_set - sets of attributes to match
1386 *
1387 * @ssid: SSID to be matched
1388 + * @rssi_thold: don't report scan results below this threshold (in s32 dBm)
1389 */
1390 struct cfg80211_match_set {
1391 struct cfg80211_ssid ssid;
1392 + s32 rssi_thold;
1393 };
1394
1395 /**
1396 @@ -1420,7 +1422,8 @@ struct cfg80211_match_set {
1397 * @dev: the interface
1398 * @scan_start: start time of the scheduled scan
1399 * @channels: channels to scan
1400 - * @rssi_thold: don't report scan results below this threshold (in s32 dBm)
1401 + * @min_rssi_thold: for drivers only supporting a single threshold, this
1402 + * contains the minimum over all matchsets
1403 */
1404 struct cfg80211_sched_scan_request {
1405 struct cfg80211_ssid *ssids;
1406 @@ -1433,7 +1436,7 @@ struct cfg80211_sched_scan_request {
1407 u32 flags;
1408 struct cfg80211_match_set *match_sets;
1409 int n_match_sets;
1410 - s32 rssi_thold;
1411 + s32 min_rssi_thold;
1412
1413 /* internal */
1414 struct wiphy *wiphy;
1415 @@ -3130,8 +3133,8 @@ struct cfg80211_cached_keys;
1416 * @identifier: (private) Identifier used in nl80211 to identify this
1417 * wireless device if it has no netdev
1418 * @current_bss: (private) Used by the internal configuration code
1419 - * @channel: (private) Used by the internal configuration code to track
1420 - * the user-set AP, monitor and WDS channel
1421 + * @chandef: (private) Used by the internal configuration code to track
1422 + * the user-set channel definition.
1423 * @preset_chandef: (private) Used by the internal configuration code to
1424 * track the channel to be used for AP later
1425 * @bssid: (private) Used by the internal configuration code
1426 @@ -3195,9 +3198,7 @@ struct wireless_dev {
1427
1428 struct cfg80211_internal_bss *current_bss; /* associated / joined */
1429 struct cfg80211_chan_def preset_chandef;
1430 -
1431 - /* for AP and mesh channel tracking */
1432 - struct ieee80211_channel *channel;
1433 + struct cfg80211_chan_def chandef;
1434
1435 bool ibss_fixed;
1436 bool ibss_dfs_possible;
1437 @@ -3879,6 +3880,7 @@ void cfg80211_michael_mic_failure(struct
1438 *
1439 * @dev: network device
1440 * @bssid: the BSSID of the IBSS joined
1441 + * @channel: the channel of the IBSS joined
1442 * @gfp: allocation flags
1443 *
1444 * This function notifies cfg80211 that the device joined an IBSS or
1445 @@ -3888,7 +3890,8 @@ void cfg80211_michael_mic_failure(struct
1446 * with the locally generated beacon -- this guarantees that there is
1447 * always a scan result for this IBSS. cfg80211 will handle the rest.
1448 */
1449 -void cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid, gfp_t gfp);
1450 +void cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid,
1451 + struct ieee80211_channel *channel, gfp_t gfp);
1452
1453 /**
1454 * cfg80211_notify_new_candidate - notify cfg80211 of a new mesh peer candidate
1455 --- a/include/uapi/linux/nl80211.h
1456 +++ b/include/uapi/linux/nl80211.h
1457 @@ -2442,9 +2442,15 @@ enum nl80211_reg_rule_attr {
1458 * enum nl80211_sched_scan_match_attr - scheduled scan match attributes
1459 * @__NL80211_SCHED_SCAN_MATCH_ATTR_INVALID: attribute number 0 is reserved
1460 * @NL80211_SCHED_SCAN_MATCH_ATTR_SSID: SSID to be used for matching,
1461 - * only report BSS with matching SSID.
1462 + * only report BSS with matching SSID.
1463 * @NL80211_SCHED_SCAN_MATCH_ATTR_RSSI: RSSI threshold (in dBm) for reporting a
1464 - * BSS in scan results. Filtering is turned off if not specified.
1465 + * BSS in scan results. Filtering is turned off if not specified. Note that
1466 + * if this attribute is in a match set of its own, then it is treated as
1467 + * the default value for all matchsets with an SSID, rather than being a
1468 + * matchset of its own without an RSSI filter. This is due to problems with
1469 + * how this API was implemented in the past. Also, due to the same problem,
1470 + * the only way to create a matchset with only an RSSI filter (with this
1471 + * attribute) is if there's only a single matchset with the RSSI attribute.
1472 * @NL80211_SCHED_SCAN_MATCH_ATTR_MAX: highest scheduled scan filter
1473 * attribute number currently defined
1474 * @__NL80211_SCHED_SCAN_MATCH_ATTR_AFTER_LAST: internal use
1475 --- a/net/mac80211/agg-tx.c
1476 +++ b/net/mac80211/agg-tx.c
1477 @@ -107,7 +107,7 @@ static void ieee80211_send_addba_request
1478 mgmt->u.action.u.addba_req.start_seq_num =
1479 cpu_to_le16(start_seq_num << 4);
1480
1481 - ieee80211_tx_skb_tid(sdata, skb, tid);
1482 + ieee80211_tx_skb(sdata, skb);
1483 }
1484
1485 void ieee80211_send_bar(struct ieee80211_vif *vif, u8 *ra, u16 tid, u16 ssn)
1486 --- a/net/mac80211/cfg.c
1487 +++ b/net/mac80211/cfg.c
1488 @@ -970,9 +970,9 @@ static int ieee80211_start_ap(struct wip
1489 /* TODO: make hostapd tell us what it wants */
1490 sdata->smps_mode = IEEE80211_SMPS_OFF;
1491 sdata->needed_rx_chains = sdata->local->rx_chains;
1492 - sdata->radar_required = params->radar_required;
1493
1494 mutex_lock(&local->mtx);
1495 + sdata->radar_required = params->radar_required;
1496 err = ieee80211_vif_use_channel(sdata, &params->chandef,
1497 IEEE80211_CHANCTX_SHARED);
1498 mutex_unlock(&local->mtx);
1499 @@ -1021,8 +1021,10 @@ static int ieee80211_start_ap(struct wip
1500 IEEE80211_P2P_OPPPS_ENABLE_BIT;
1501
1502 err = ieee80211_assign_beacon(sdata, &params->beacon);
1503 - if (err < 0)
1504 + if (err < 0) {
1505 + ieee80211_vif_release_channel(sdata);
1506 return err;
1507 + }
1508 changed |= err;
1509
1510 err = drv_start_ap(sdata->local, sdata);
1511 @@ -1032,6 +1034,7 @@ static int ieee80211_start_ap(struct wip
1512 if (old)
1513 kfree_rcu(old, rcu_head);
1514 RCU_INIT_POINTER(sdata->u.ap.beacon, NULL);
1515 + ieee80211_vif_release_channel(sdata);
1516 return err;
1517 }
1518
1519 @@ -1053,6 +1056,7 @@ static int ieee80211_change_beacon(struc
1520 int err;
1521
1522 sdata = IEEE80211_DEV_TO_SUB_IF(dev);
1523 + sdata_assert_lock(sdata);
1524
1525 /* don't allow changing the beacon while CSA is in place - offset
1526 * of channel switch counter may change
1527 @@ -1080,6 +1084,8 @@ static int ieee80211_stop_ap(struct wiph
1528 struct probe_resp *old_probe_resp;
1529 struct cfg80211_chan_def chandef;
1530
1531 + sdata_assert_lock(sdata);
1532 +
1533 old_beacon = sdata_dereference(sdata->u.ap.beacon, sdata);
1534 if (!old_beacon)
1535 return -ENOENT;
1536 @@ -1090,8 +1096,6 @@ static int ieee80211_stop_ap(struct wiph
1537 kfree(sdata->u.ap.next_beacon);
1538 sdata->u.ap.next_beacon = NULL;
1539
1540 - cancel_work_sync(&sdata->u.ap.request_smps_work);
1541 -
1542 /* turn off carrier for this interface and dependent VLANs */
1543 list_for_each_entry(vlan, &sdata->u.ap.vlans, u.vlan.list)
1544 netif_carrier_off(vlan->dev);
1545 @@ -1103,6 +1107,7 @@ static int ieee80211_stop_ap(struct wiph
1546 kfree_rcu(old_beacon, rcu_head);
1547 if (old_probe_resp)
1548 kfree_rcu(old_probe_resp, rcu_head);
1549 + sdata->u.ap.driver_smps_mode = IEEE80211_SMPS_OFF;
1550
1551 __sta_info_flush(sdata, true);
1552 ieee80211_free_keys(sdata, true);
1553 @@ -1988,6 +1993,9 @@ static int ieee80211_change_bss(struct w
1554
1555 band = ieee80211_get_sdata_band(sdata);
1556
1557 + if (WARN_ON(!wiphy->bands[band]))
1558 + return -EINVAL;
1559 +
1560 if (params->use_cts_prot >= 0) {
1561 sdata->vif.bss_conf.use_cts_prot = params->use_cts_prot;
1562 changed |= BSS_CHANGED_ERP_CTS_PROT;
1563 @@ -2638,6 +2646,24 @@ static int ieee80211_start_roc_work(stru
1564 INIT_DELAYED_WORK(&roc->work, ieee80211_sw_roc_work);
1565 INIT_LIST_HEAD(&roc->dependents);
1566
1567 + /*
1568 + * cookie is either the roc cookie (for normal roc)
1569 + * or the SKB (for mgmt TX)
1570 + */
1571 + if (!txskb) {
1572 + /* local->mtx protects this */
1573 + local->roc_cookie_counter++;
1574 + roc->cookie = local->roc_cookie_counter;
1575 + /* wow, you wrapped 64 bits ... more likely a bug */
1576 + if (WARN_ON(roc->cookie == 0)) {
1577 + roc->cookie = 1;
1578 + local->roc_cookie_counter++;
1579 + }
1580 + *cookie = roc->cookie;
1581 + } else {
1582 + *cookie = (unsigned long)txskb;
1583 + }
1584 +
1585 /* if there's one pending or we're scanning, queue this one */
1586 if (!list_empty(&local->roc_list) ||
1587 local->scanning || local->radar_detect_enabled)
1588 @@ -2772,24 +2798,6 @@ static int ieee80211_start_roc_work(stru
1589 if (!queued)
1590 list_add_tail(&roc->list, &local->roc_list);
1591
1592 - /*
1593 - * cookie is either the roc cookie (for normal roc)
1594 - * or the SKB (for mgmt TX)
1595 - */
1596 - if (!txskb) {
1597 - /* local->mtx protects this */
1598 - local->roc_cookie_counter++;
1599 - roc->cookie = local->roc_cookie_counter;
1600 - /* wow, you wrapped 64 bits ... more likely a bug */
1601 - if (WARN_ON(roc->cookie == 0)) {
1602 - roc->cookie = 1;
1603 - local->roc_cookie_counter++;
1604 - }
1605 - *cookie = roc->cookie;
1606 - } else {
1607 - *cookie = (unsigned long)txskb;
1608 - }
1609 -
1610 return 0;
1611 }
1612
1613 @@ -3004,8 +3012,10 @@ void ieee80211_csa_finalize_work(struct
1614 if (!ieee80211_sdata_running(sdata))
1615 goto unlock;
1616
1617 - sdata->radar_required = sdata->csa_radar_required;
1618 + sdata_assert_lock(sdata);
1619 +
1620 mutex_lock(&local->mtx);
1621 + sdata->radar_required = sdata->csa_radar_required;
1622 err = ieee80211_vif_change_channel(sdata, &changed);
1623 mutex_unlock(&local->mtx);
1624 if (WARN_ON(err < 0))
1625 @@ -3022,13 +3032,13 @@ void ieee80211_csa_finalize_work(struct
1626 switch (sdata->vif.type) {
1627 case NL80211_IFTYPE_AP:
1628 err = ieee80211_assign_beacon(sdata, sdata->u.ap.next_beacon);
1629 + kfree(sdata->u.ap.next_beacon);
1630 + sdata->u.ap.next_beacon = NULL;
1631 +
1632 if (err < 0)
1633 goto unlock;
1634
1635 changed |= err;
1636 - kfree(sdata->u.ap.next_beacon);
1637 - sdata->u.ap.next_beacon = NULL;
1638 -
1639 ieee80211_bss_info_change_notify(sdata, err);
1640 break;
1641 case NL80211_IFTYPE_ADHOC:
1642 @@ -3066,7 +3076,7 @@ int ieee80211_channel_switch(struct wiph
1643 struct ieee80211_if_mesh __maybe_unused *ifmsh;
1644 int err, num_chanctx;
1645
1646 - lockdep_assert_held(&sdata->wdev.mtx);
1647 + sdata_assert_lock(sdata);
1648
1649 if (!list_empty(&local->roc_list) || local->scanning)
1650 return -EBUSY;
1651 --- a/net/mac80211/ht.c
1652 +++ b/net/mac80211/ht.c
1653 @@ -375,7 +375,7 @@ void ieee80211_send_delba(struct ieee802
1654 mgmt->u.action.u.delba.params = cpu_to_le16(params);
1655 mgmt->u.action.u.delba.reason_code = cpu_to_le16(reason_code);
1656
1657 - ieee80211_tx_skb_tid(sdata, skb, tid);
1658 + ieee80211_tx_skb(sdata, skb);
1659 }
1660
1661 void ieee80211_process_delba(struct ieee80211_sub_if_data *sdata,
1662 @@ -466,7 +466,9 @@ void ieee80211_request_smps_ap_work(stru
1663 u.ap.request_smps_work);
1664
1665 sdata_lock(sdata);
1666 - __ieee80211_request_smps_ap(sdata, sdata->u.ap.driver_smps_mode);
1667 + if (sdata_dereference(sdata->u.ap.beacon, sdata))
1668 + __ieee80211_request_smps_ap(sdata,
1669 + sdata->u.ap.driver_smps_mode);
1670 sdata_unlock(sdata);
1671 }
1672
1673 --- a/net/mac80211/iface.c
1674 +++ b/net/mac80211/iface.c
1675 @@ -770,12 +770,19 @@ static void ieee80211_do_stop(struct iee
1676
1677 ieee80211_roc_purge(local, sdata);
1678
1679 - if (sdata->vif.type == NL80211_IFTYPE_STATION)
1680 + switch (sdata->vif.type) {
1681 + case NL80211_IFTYPE_STATION:
1682 ieee80211_mgd_stop(sdata);
1683 -
1684 - if (sdata->vif.type == NL80211_IFTYPE_ADHOC)
1685 + break;
1686 + case NL80211_IFTYPE_ADHOC:
1687 ieee80211_ibss_stop(sdata);
1688 -
1689 + break;
1690 + case NL80211_IFTYPE_AP:
1691 + cancel_work_sync(&sdata->u.ap.request_smps_work);
1692 + break;
1693 + default:
1694 + break;
1695 + }
1696
1697 /*
1698 * Remove all stations associated with this interface.
1699 @@ -827,7 +834,9 @@ static void ieee80211_do_stop(struct iee
1700 cancel_work_sync(&local->dynamic_ps_enable_work);
1701
1702 cancel_work_sync(&sdata->recalc_smps);
1703 + sdata_lock(sdata);
1704 sdata->vif.csa_active = false;
1705 + sdata_unlock(sdata);
1706 cancel_work_sync(&sdata->csa_finalize_work);
1707
1708 cancel_delayed_work_sync(&sdata->dfs_cac_timer_work);
1709 --- a/net/mac80211/rx.c
1710 +++ b/net/mac80211/rx.c
1711 @@ -599,10 +599,10 @@ static int ieee80211_is_unicast_robust_m
1712 {
1713 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1714
1715 - if (skb->len < 24 || is_multicast_ether_addr(hdr->addr1))
1716 + if (is_multicast_ether_addr(hdr->addr1))
1717 return 0;
1718
1719 - return ieee80211_is_robust_mgmt_frame(hdr);
1720 + return ieee80211_is_robust_mgmt_frame(skb);
1721 }
1722
1723
1724 @@ -610,10 +610,10 @@ static int ieee80211_is_multicast_robust
1725 {
1726 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1727
1728 - if (skb->len < 24 || !is_multicast_ether_addr(hdr->addr1))
1729 + if (!is_multicast_ether_addr(hdr->addr1))
1730 return 0;
1731
1732 - return ieee80211_is_robust_mgmt_frame(hdr);
1733 + return ieee80211_is_robust_mgmt_frame(skb);
1734 }
1735
1736
1737 @@ -626,7 +626,7 @@ static int ieee80211_get_mmie_keyidx(str
1738 if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da))
1739 return -1;
1740
1741 - if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *) hdr))
1742 + if (!ieee80211_is_robust_mgmt_frame(skb))
1743 return -1; /* not a robust management frame */
1744
1745 mmie = (struct ieee80211_mmie *)
1746 @@ -1128,6 +1128,13 @@ static void sta_ps_end(struct sta_info *
1747 sta->sta.addr, sta->sta.aid);
1748
1749 if (test_sta_flag(sta, WLAN_STA_PS_DRIVER)) {
1750 + /*
1751 + * Clear the flag only if the other one is still set
1752 + * so that the TX path won't start TX'ing new frames
1753 + * directly ... In the case that the driver flag isn't
1754 + * set ieee80211_sta_ps_deliver_wakeup() will clear it.
1755 + */
1756 + clear_sta_flag(sta, WLAN_STA_PS_STA);
1757 ps_dbg(sta->sdata, "STA %pM aid %d driver-ps-blocked\n",
1758 sta->sta.addr, sta->sta.aid);
1759 return;
1760 @@ -1311,18 +1318,15 @@ ieee80211_rx_h_sta_process(struct ieee80
1761 !ieee80211_has_morefrags(hdr->frame_control) &&
1762 !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
1763 (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
1764 - rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) {
1765 + rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN) &&
1766 + /* PM bit is only checked in frames where it isn't reserved,
1767 + * in AP mode it's reserved in non-bufferable management frames
1768 + * (cf. IEEE 802.11-2012 8.2.4.1.7 Power Management field)
1769 + */
1770 + (!ieee80211_is_mgmt(hdr->frame_control) ||
1771 + ieee80211_is_bufferable_mmpdu(hdr->frame_control))) {
1772 if (test_sta_flag(sta, WLAN_STA_PS_STA)) {
1773 - /*
1774 - * Ignore doze->wake transitions that are
1775 - * indicated by non-data frames, the standard
1776 - * is unclear here, but for example going to
1777 - * PS mode and then scanning would cause a
1778 - * doze->wake transition for the probe request,
1779 - * and that is clearly undesirable.
1780 - */
1781 - if (ieee80211_is_data(hdr->frame_control) &&
1782 - !ieee80211_has_pm(hdr->frame_control))
1783 + if (!ieee80211_has_pm(hdr->frame_control))
1784 sta_ps_end(sta);
1785 } else {
1786 if (ieee80211_has_pm(hdr->frame_control))
1787 @@ -1845,8 +1849,7 @@ static int ieee80211_drop_unencrypted_mg
1788 * having configured keys.
1789 */
1790 if (unlikely(ieee80211_is_action(fc) && !rx->key &&
1791 - ieee80211_is_robust_mgmt_frame(
1792 - (struct ieee80211_hdr *) rx->skb->data)))
1793 + ieee80211_is_robust_mgmt_frame(rx->skb)))
1794 return -EACCES;
1795 }
1796
1797 --- a/net/mac80211/tx.c
1798 +++ b/net/mac80211/tx.c
1799 @@ -452,8 +452,7 @@ static int ieee80211_use_mfp(__le16 fc,
1800 if (sta == NULL || !test_sta_flag(sta, WLAN_STA_MFP))
1801 return 0;
1802
1803 - if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *)
1804 - skb->data))
1805 + if (!ieee80211_is_robust_mgmt_frame(skb))
1806 return 0;
1807
1808 return 1;
1809 @@ -478,6 +477,20 @@ ieee80211_tx_h_unicast_ps_buf(struct iee
1810 sta->sta.addr, sta->sta.aid, ac);
1811 if (tx->local->total_ps_buffered >= TOTAL_MAX_TX_BUFFER)
1812 purge_old_ps_buffers(tx->local);
1813 +
1814 + /* sync with ieee80211_sta_ps_deliver_wakeup */
1815 + spin_lock(&sta->ps_lock);
1816 + /*
1817 + * STA woke up the meantime and all the frames on ps_tx_buf have
1818 + * been queued to pending queue. No reordering can happen, go
1819 + * ahead and Tx the packet.
1820 + */
1821 + if (!test_sta_flag(sta, WLAN_STA_PS_STA) &&
1822 + !test_sta_flag(sta, WLAN_STA_PS_DRIVER)) {
1823 + spin_unlock(&sta->ps_lock);
1824 + return TX_CONTINUE;
1825 + }
1826 +
1827 if (skb_queue_len(&sta->ps_tx_buf[ac]) >= STA_MAX_TX_BUFFER) {
1828 struct sk_buff *old = skb_dequeue(&sta->ps_tx_buf[ac]);
1829 ps_dbg(tx->sdata,
1830 @@ -492,6 +505,7 @@ ieee80211_tx_h_unicast_ps_buf(struct iee
1831 info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING;
1832 info->flags &= ~IEEE80211_TX_TEMPORARY_FLAGS;
1833 skb_queue_tail(&sta->ps_tx_buf[ac], tx->skb);
1834 + spin_unlock(&sta->ps_lock);
1835
1836 if (!timer_pending(&local->sta_cleanup))
1837 mod_timer(&local->sta_cleanup,
1838 @@ -525,9 +539,7 @@ ieee80211_tx_h_ps_buf(struct ieee80211_t
1839
1840 /* only deauth, disassoc and action are bufferable MMPDUs */
1841 if (ieee80211_is_mgmt(hdr->frame_control) &&
1842 - !ieee80211_is_deauth(hdr->frame_control) &&
1843 - !ieee80211_is_disassoc(hdr->frame_control) &&
1844 - !ieee80211_is_action(hdr->frame_control)) {
1845 + !ieee80211_is_bufferable_mmpdu(hdr->frame_control)) {
1846 if (tx->flags & IEEE80211_TX_UNICAST)
1847 info->flags |= IEEE80211_TX_CTL_NO_PS_BUFFER;
1848 return TX_CONTINUE;
1849 @@ -567,7 +579,7 @@ ieee80211_tx_h_select_key(struct ieee802
1850 tx->key = key;
1851 else if (ieee80211_is_mgmt(hdr->frame_control) &&
1852 is_multicast_ether_addr(hdr->addr1) &&
1853 - ieee80211_is_robust_mgmt_frame(hdr) &&
1854 + ieee80211_is_robust_mgmt_frame(tx->skb) &&
1855 (key = rcu_dereference(tx->sdata->default_mgmt_key)))
1856 tx->key = key;
1857 else if (is_multicast_ether_addr(hdr->addr1) &&
1858 @@ -582,12 +594,12 @@ ieee80211_tx_h_select_key(struct ieee802
1859 tx->key = NULL;
1860 else if (tx->skb->protocol == tx->sdata->control_port_protocol)
1861 tx->key = NULL;
1862 - else if (ieee80211_is_robust_mgmt_frame(hdr) &&
1863 + else if (ieee80211_is_robust_mgmt_frame(tx->skb) &&
1864 !(ieee80211_is_action(hdr->frame_control) &&
1865 tx->sta && test_sta_flag(tx->sta, WLAN_STA_MFP)))
1866 tx->key = NULL;
1867 else if (ieee80211_is_mgmt(hdr->frame_control) &&
1868 - !ieee80211_is_robust_mgmt_frame(hdr))
1869 + !ieee80211_is_robust_mgmt_frame(tx->skb))
1870 tx->key = NULL;
1871 else {
1872 I802_DEBUG_INC(tx->local->tx_handlers_drop_unencrypted);
1873 @@ -878,7 +890,7 @@ static int ieee80211_fragment(struct iee
1874 }
1875
1876 /* adjust first fragment's length */
1877 - skb->len = hdrlen + per_fragm;
1878 + skb_trim(skb, hdrlen + per_fragm);
1879 return 0;
1880 }
1881
1882 @@ -2900,7 +2912,7 @@ ieee80211_get_buffered_bc(struct ieee802
1883 cpu_to_le16(IEEE80211_FCTL_MOREDATA);
1884 }
1885
1886 - if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
1887 + if (sdata->vif.type == NL80211_IFTYPE_AP)
1888 sdata = IEEE80211_DEV_TO_SUB_IF(skb->dev);
1889 if (!ieee80211_tx_prepare(sdata, &tx, skb))
1890 break;
1891 --- a/net/mac80211/wpa.c
1892 +++ b/net/mac80211/wpa.c
1893 @@ -499,7 +499,7 @@ ieee80211_crypto_ccmp_decrypt(struct iee
1894 hdrlen = ieee80211_hdrlen(hdr->frame_control);
1895
1896 if (!ieee80211_is_data(hdr->frame_control) &&
1897 - !ieee80211_is_robust_mgmt_frame(hdr))
1898 + !ieee80211_is_robust_mgmt_frame(skb))
1899 return RX_CONTINUE;
1900
1901 data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN -
1902 --- a/net/wireless/ap.c
1903 +++ b/net/wireless/ap.c
1904 @@ -27,9 +27,10 @@ static int __cfg80211_stop_ap(struct cfg
1905 err = rdev_stop_ap(rdev, dev);
1906 if (!err) {
1907 wdev->beacon_interval = 0;
1908 - wdev->channel = NULL;
1909 + memset(&wdev->chandef, 0, sizeof(wdev->chandef));
1910 wdev->ssid_len = 0;
1911 rdev_set_qos_map(rdev, dev, NULL);
1912 + nl80211_send_ap_stopped(wdev);
1913 }
1914
1915 return err;
1916 --- a/net/wireless/core.c
1917 +++ b/net/wireless/core.c
1918 @@ -203,8 +203,11 @@ void cfg80211_stop_p2p_device(struct cfg
1919
1920 rdev->opencount--;
1921
1922 - WARN_ON(rdev->scan_req && rdev->scan_req->wdev == wdev &&
1923 - !rdev->scan_req->notified);
1924 + if (rdev->scan_req && rdev->scan_req->wdev == wdev) {
1925 + if (WARN_ON(!rdev->scan_req->notified))
1926 + rdev->scan_req->aborted = true;
1927 + ___cfg80211_scan_done(rdev, false);
1928 + }
1929 }
1930
1931 static int cfg80211_rfkill_set_block(void *data, bool blocked)
1932 @@ -447,9 +450,6 @@ int wiphy_register(struct wiphy *wiphy)
1933 int i;
1934 u16 ifmodes = wiphy->interface_modes;
1935
1936 - /* support for 5/10 MHz is broken due to nl80211 API mess - disable */
1937 - wiphy->flags &= ~WIPHY_FLAG_SUPPORTS_5_10_MHZ;
1938 -
1939 /*
1940 * There are major locking problems in nl80211/mac80211 for CSA,
1941 * disable for all drivers until this has been reworked.
1942 @@ -795,8 +795,6 @@ void cfg80211_leave(struct cfg80211_regi
1943 default:
1944 break;
1945 }
1946 -
1947 - wdev->beacon_interval = 0;
1948 }
1949
1950 static int cfg80211_netdev_notifier_call(struct notifier_block *nb,
1951 @@ -875,8 +873,11 @@ static int cfg80211_netdev_notifier_call
1952 break;
1953 case NETDEV_DOWN:
1954 cfg80211_update_iface_num(rdev, wdev->iftype, -1);
1955 - WARN_ON(rdev->scan_req && rdev->scan_req->wdev == wdev &&
1956 - !rdev->scan_req->notified);
1957 + if (rdev->scan_req && rdev->scan_req->wdev == wdev) {
1958 + if (WARN_ON(!rdev->scan_req->notified))
1959 + rdev->scan_req->aborted = true;
1960 + ___cfg80211_scan_done(rdev, false);
1961 + }
1962
1963 if (WARN_ON(rdev->sched_scan_req &&
1964 rdev->sched_scan_req->dev == wdev->netdev)) {
1965 --- a/net/wireless/core.h
1966 +++ b/net/wireless/core.h
1967 @@ -62,6 +62,7 @@ struct cfg80211_registered_device {
1968 struct rb_root bss_tree;
1969 u32 bss_generation;
1970 struct cfg80211_scan_request *scan_req; /* protected by RTNL */
1971 + struct sk_buff *scan_msg;
1972 struct cfg80211_sched_scan_request *sched_scan_req;
1973 unsigned long suspend_at;
1974 struct work_struct scan_done_wk;
1975 @@ -210,6 +211,7 @@ struct cfg80211_event {
1976 } dc;
1977 struct {
1978 u8 bssid[ETH_ALEN];
1979 + struct ieee80211_channel *channel;
1980 } ij;
1981 };
1982 };
1983 @@ -257,7 +259,8 @@ int __cfg80211_leave_ibss(struct cfg8021
1984 struct net_device *dev, bool nowext);
1985 int cfg80211_leave_ibss(struct cfg80211_registered_device *rdev,
1986 struct net_device *dev, bool nowext);
1987 -void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid);
1988 +void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid,
1989 + struct ieee80211_channel *channel);
1990 int cfg80211_ibss_wext_join(struct cfg80211_registered_device *rdev,
1991 struct wireless_dev *wdev);
1992
1993 @@ -361,7 +364,8 @@ int cfg80211_validate_key_settings(struc
1994 struct key_params *params, int key_idx,
1995 bool pairwise, const u8 *mac_addr);
1996 void __cfg80211_scan_done(struct work_struct *wk);
1997 -void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev);
1998 +void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev,
1999 + bool send_message);
2000 void __cfg80211_sched_scan_results(struct work_struct *wk);
2001 int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev,
2002 bool driver_initiated);
2003 @@ -441,7 +445,8 @@ static inline unsigned int elapsed_jiffi
2004 void
2005 cfg80211_get_chan_state(struct wireless_dev *wdev,
2006 struct ieee80211_channel **chan,
2007 - enum cfg80211_chan_mode *chanmode);
2008 + enum cfg80211_chan_mode *chanmode,
2009 + u8 *radar_detect);
2010
2011 int cfg80211_set_monitor_channel(struct cfg80211_registered_device *rdev,
2012 struct cfg80211_chan_def *chandef);
2013 --- a/net/wireless/nl80211.c
2014 +++ b/net/wireless/nl80211.c
2015 @@ -1723,9 +1723,10 @@ static int nl80211_dump_wiphy(struct sk_
2016 * We can then retry with the larger buffer.
2017 */
2018 if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
2019 - !skb->len &&
2020 + !skb->len && !state->split &&
2021 cb->min_dump_alloc < 4096) {
2022 cb->min_dump_alloc = 4096;
2023 + state->split_start = 0;
2024 rtnl_unlock();
2025 return 1;
2026 }
2027 @@ -2047,10 +2048,12 @@ static int nl80211_set_wiphy(struct sk_b
2028 nla_for_each_nested(nl_txq_params,
2029 info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
2030 rem_txq_params) {
2031 - nla_parse(tb, NL80211_TXQ_ATTR_MAX,
2032 - nla_data(nl_txq_params),
2033 - nla_len(nl_txq_params),
2034 - txq_params_policy);
2035 + result = nla_parse(tb, NL80211_TXQ_ATTR_MAX,
2036 + nla_data(nl_txq_params),
2037 + nla_len(nl_txq_params),
2038 + txq_params_policy);
2039 + if (result)
2040 + goto bad_res;
2041 result = parse_txq_params(tb, &txq_params);
2042 if (result)
2043 goto bad_res;
2044 @@ -3289,7 +3292,7 @@ static int nl80211_start_ap(struct sk_bu
2045 if (!err) {
2046 wdev->preset_chandef = params.chandef;
2047 wdev->beacon_interval = params.beacon_interval;
2048 - wdev->channel = params.chandef.chan;
2049 + wdev->chandef = params.chandef;
2050 wdev->ssid_len = params.ssid_len;
2051 memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
2052 }
2053 @@ -5210,9 +5213,11 @@ static int nl80211_set_reg(struct sk_buf
2054
2055 nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
2056 rem_reg_rules) {
2057 - nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
2058 - nla_data(nl_reg_rule), nla_len(nl_reg_rule),
2059 - reg_rule_policy);
2060 + r = nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
2061 + nla_data(nl_reg_rule), nla_len(nl_reg_rule),
2062 + reg_rule_policy);
2063 + if (r)
2064 + goto bad_reg;
2065 r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
2066 if (r)
2067 goto bad_reg;
2068 @@ -5277,7 +5282,7 @@ static int nl80211_trigger_scan(struct s
2069 if (!rdev->ops->scan)
2070 return -EOPNOTSUPP;
2071
2072 - if (rdev->scan_req) {
2073 + if (rdev->scan_req || rdev->scan_msg) {
2074 err = -EBUSY;
2075 goto unlock;
2076 }
2077 @@ -5475,6 +5480,7 @@ static int nl80211_start_sched_scan(stru
2078 enum ieee80211_band band;
2079 size_t ie_len;
2080 struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
2081 + s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
2082
2083 if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
2084 !rdev->ops->sched_scan_start)
2085 @@ -5509,11 +5515,40 @@ static int nl80211_start_sched_scan(stru
2086 if (n_ssids > wiphy->max_sched_scan_ssids)
2087 return -EINVAL;
2088
2089 - if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH])
2090 + /*
2091 + * First, count the number of 'real' matchsets. Due to an issue with
2092 + * the old implementation, matchsets containing only the RSSI attribute
2093 + * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
2094 + * RSSI for all matchsets, rather than their own matchset for reporting
2095 + * all APs with a strong RSSI. This is needed to be compatible with
2096 + * older userspace that treated a matchset with only the RSSI as the
2097 + * global RSSI for all other matchsets - if there are other matchsets.
2098 + */
2099 + if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
2100 nla_for_each_nested(attr,
2101 info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
2102 - tmp)
2103 - n_match_sets++;
2104 + tmp) {
2105 + struct nlattr *rssi;
2106 +
2107 + err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
2108 + nla_data(attr), nla_len(attr),
2109 + nl80211_match_policy);
2110 + if (err)
2111 + return err;
2112 + /* add other standalone attributes here */
2113 + if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID]) {
2114 + n_match_sets++;
2115 + continue;
2116 + }
2117 + rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
2118 + if (rssi)
2119 + default_match_rssi = nla_get_s32(rssi);
2120 + }
2121 + }
2122 +
2123 + /* However, if there's no other matchset, add the RSSI one */
2124 + if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
2125 + n_match_sets = 1;
2126
2127 if (n_match_sets > wiphy->max_match_sets)
2128 return -EINVAL;
2129 @@ -5634,11 +5669,22 @@ static int nl80211_start_sched_scan(stru
2130 tmp) {
2131 struct nlattr *ssid, *rssi;
2132
2133 - nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
2134 - nla_data(attr), nla_len(attr),
2135 - nl80211_match_policy);
2136 + err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
2137 + nla_data(attr), nla_len(attr),
2138 + nl80211_match_policy);
2139 + if (err)
2140 + goto out_free;
2141 ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
2142 if (ssid) {
2143 + if (WARN_ON(i >= n_match_sets)) {
2144 + /* this indicates a programming error,
2145 + * the loop above should have verified
2146 + * things properly
2147 + */
2148 + err = -EINVAL;
2149 + goto out_free;
2150 + }
2151 +
2152 if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
2153 err = -EINVAL;
2154 goto out_free;
2155 @@ -5647,15 +5693,28 @@ static int nl80211_start_sched_scan(stru
2156 nla_data(ssid), nla_len(ssid));
2157 request->match_sets[i].ssid.ssid_len =
2158 nla_len(ssid);
2159 + /* special attribute - old implemenation w/a */
2160 + request->match_sets[i].rssi_thold =
2161 + default_match_rssi;
2162 + rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
2163 + if (rssi)
2164 + request->match_sets[i].rssi_thold =
2165 + nla_get_s32(rssi);
2166 }
2167 - rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
2168 - if (rssi)
2169 - request->rssi_thold = nla_get_u32(rssi);
2170 - else
2171 - request->rssi_thold =
2172 - NL80211_SCAN_RSSI_THOLD_OFF;
2173 i++;
2174 }
2175 +
2176 + /* there was no other matchset, so the RSSI one is alone */
2177 + if (i == 0)
2178 + request->match_sets[0].rssi_thold = default_match_rssi;
2179 +
2180 + request->min_rssi_thold = INT_MAX;
2181 + for (i = 0; i < n_match_sets; i++)
2182 + request->min_rssi_thold =
2183 + min(request->match_sets[i].rssi_thold,
2184 + request->min_rssi_thold);
2185 + } else {
2186 + request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
2187 }
2188
2189 if (info->attrs[NL80211_ATTR_IE]) {
2190 @@ -5751,7 +5810,7 @@ static int nl80211_start_radar_detection
2191
2192 err = rdev->ops->start_radar_detection(&rdev->wiphy, dev, &chandef);
2193 if (!err) {
2194 - wdev->channel = chandef.chan;
2195 + wdev->chandef = chandef;
2196 wdev->cac_started = true;
2197 wdev->cac_start_time = jiffies;
2198 }
2199 @@ -7502,16 +7561,19 @@ static int nl80211_set_tx_bitrate_mask(s
2200 * directly to the enum ieee80211_band values used in cfg80211.
2201 */
2202 BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
2203 - nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem)
2204 - {
2205 + nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
2206 enum ieee80211_band band = nla_type(tx_rates);
2207 + int err;
2208 +
2209 if (band < 0 || band >= IEEE80211_NUM_BANDS)
2210 return -EINVAL;
2211 sband = rdev->wiphy.bands[band];
2212 if (sband == NULL)
2213 return -EINVAL;
2214 - nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates),
2215 - nla_len(tx_rates), nl80211_txattr_policy);
2216 + err = nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates),
2217 + nla_len(tx_rates), nl80211_txattr_policy);
2218 + if (err)
2219 + return err;
2220 if (tb[NL80211_TXRATE_LEGACY]) {
2221 mask.control[band].legacy = rateset_to_mask(
2222 sband,
2223 @@ -10054,40 +10116,31 @@ void nl80211_send_scan_start(struct cfg8
2224 NL80211_MCGRP_SCAN, GFP_KERNEL);
2225 }
2226
2227 -void nl80211_send_scan_done(struct cfg80211_registered_device *rdev,
2228 - struct wireless_dev *wdev)
2229 +struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
2230 + struct wireless_dev *wdev, bool aborted)
2231 {
2232 struct sk_buff *msg;
2233
2234 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2235 if (!msg)
2236 - return;
2237 + return NULL;
2238
2239 if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
2240 - NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
2241 + aborted ? NL80211_CMD_SCAN_ABORTED :
2242 + NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
2243 nlmsg_free(msg);
2244 - return;
2245 + return NULL;
2246 }
2247
2248 - genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
2249 - NL80211_MCGRP_SCAN, GFP_KERNEL);
2250 + return msg;
2251 }
2252
2253 -void nl80211_send_scan_aborted(struct cfg80211_registered_device *rdev,
2254 - struct wireless_dev *wdev)
2255 +void nl80211_send_scan_result(struct cfg80211_registered_device *rdev,
2256 + struct sk_buff *msg)
2257 {
2258 - struct sk_buff *msg;
2259 -
2260 - msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2261 if (!msg)
2262 return;
2263
2264 - if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
2265 - NL80211_CMD_SCAN_ABORTED) < 0) {
2266 - nlmsg_free(msg);
2267 - return;
2268 - }
2269 -
2270 genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
2271 NL80211_MCGRP_SCAN, GFP_KERNEL);
2272 }
2273 @@ -11158,7 +11211,8 @@ void cfg80211_ch_switch_notify(struct ne
2274 wdev->iftype != NL80211_IFTYPE_MESH_POINT))
2275 return;
2276
2277 - wdev->channel = chandef->chan;
2278 + wdev->chandef = *chandef;
2279 + wdev->preset_chandef = *chandef;
2280 nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL);
2281 }
2282 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
2283 @@ -11673,6 +11727,35 @@ void cfg80211_crit_proto_stopped(struct
2284 }
2285 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
2286
2287 +void nl80211_send_ap_stopped(struct wireless_dev *wdev)
2288 +{
2289 + struct wiphy *wiphy = wdev->wiphy;
2290 + struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
2291 + struct sk_buff *msg;
2292 + void *hdr;
2293 +
2294 + msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2295 + if (!msg)
2296 + return;
2297 +
2298 + hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
2299 + if (!hdr)
2300 + goto out;
2301 +
2302 + if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2303 + nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
2304 + nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
2305 + goto out;
2306 +
2307 + genlmsg_end(msg, hdr);
2308 +
2309 + genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
2310 + NL80211_MCGRP_MLME, GFP_KERNEL);
2311 + return;
2312 + out:
2313 + nlmsg_free(msg);
2314 +}
2315 +
2316 /* initialisation/exit functions */
2317
2318 int nl80211_init(void)
2319 --- a/net/wireless/nl80211.h
2320 +++ b/net/wireless/nl80211.h
2321 @@ -8,10 +8,10 @@ void nl80211_exit(void);
2322 void nl80211_notify_dev_rename(struct cfg80211_registered_device *rdev);
2323 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
2324 struct wireless_dev *wdev);
2325 -void nl80211_send_scan_done(struct cfg80211_registered_device *rdev,
2326 - struct wireless_dev *wdev);
2327 -void nl80211_send_scan_aborted(struct cfg80211_registered_device *rdev,
2328 - struct wireless_dev *wdev);
2329 +struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
2330 + struct wireless_dev *wdev, bool aborted);
2331 +void nl80211_send_scan_result(struct cfg80211_registered_device *rdev,
2332 + struct sk_buff *msg);
2333 void nl80211_send_sched_scan(struct cfg80211_registered_device *rdev,
2334 struct net_device *netdev, u32 cmd);
2335 void nl80211_send_sched_scan_results(struct cfg80211_registered_device *rdev,
2336 @@ -74,6 +74,8 @@ nl80211_radar_notify(struct cfg80211_reg
2337 enum nl80211_radar_event event,
2338 struct net_device *netdev, gfp_t gfp);
2339
2340 +void nl80211_send_ap_stopped(struct wireless_dev *wdev);
2341 +
2342 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev);
2343
2344 #endif /* __NET_WIRELESS_NL80211_H */
2345 --- a/net/wireless/scan.c
2346 +++ b/net/wireless/scan.c
2347 @@ -161,18 +161,25 @@ static void __cfg80211_bss_expire(struct
2348 dev->bss_generation++;
2349 }
2350
2351 -void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev)
2352 +void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev,
2353 + bool send_message)
2354 {
2355 struct cfg80211_scan_request *request;
2356 struct wireless_dev *wdev;
2357 + struct sk_buff *msg;
2358 #ifdef CPTCFG_CFG80211_WEXT
2359 union iwreq_data wrqu;
2360 #endif
2361
2362 ASSERT_RTNL();
2363
2364 - request = rdev->scan_req;
2365 + if (rdev->scan_msg) {
2366 + nl80211_send_scan_result(rdev, rdev->scan_msg);
2367 + rdev->scan_msg = NULL;
2368 + return;
2369 + }
2370
2371 + request = rdev->scan_req;
2372 if (!request)
2373 return;
2374
2375 @@ -186,18 +193,16 @@ void ___cfg80211_scan_done(struct cfg802
2376 if (wdev->netdev)
2377 cfg80211_sme_scan_done(wdev->netdev);
2378
2379 - if (request->aborted) {
2380 - nl80211_send_scan_aborted(rdev, wdev);
2381 - } else {
2382 - if (request->flags & NL80211_SCAN_FLAG_FLUSH) {
2383 - /* flush entries from previous scans */
2384 - spin_lock_bh(&rdev->bss_lock);
2385 - __cfg80211_bss_expire(rdev, request->scan_start);
2386 - spin_unlock_bh(&rdev->bss_lock);
2387 - }
2388 - nl80211_send_scan_done(rdev, wdev);
2389 + if (!request->aborted &&
2390 + request->flags & NL80211_SCAN_FLAG_FLUSH) {
2391 + /* flush entries from previous scans */
2392 + spin_lock_bh(&rdev->bss_lock);
2393 + __cfg80211_bss_expire(rdev, request->scan_start);
2394 + spin_unlock_bh(&rdev->bss_lock);
2395 }
2396
2397 + msg = nl80211_build_scan_msg(rdev, wdev, request->aborted);
2398 +
2399 #ifdef CPTCFG_CFG80211_WEXT
2400 if (wdev->netdev && !request->aborted) {
2401 memset(&wrqu, 0, sizeof(wrqu));
2402 @@ -211,6 +216,11 @@ void ___cfg80211_scan_done(struct cfg802
2403
2404 rdev->scan_req = NULL;
2405 kfree(request);
2406 +
2407 + if (!send_message)
2408 + rdev->scan_msg = msg;
2409 + else
2410 + nl80211_send_scan_result(rdev, msg);
2411 }
2412
2413 void __cfg80211_scan_done(struct work_struct *wk)
2414 @@ -221,7 +231,7 @@ void __cfg80211_scan_done(struct work_st
2415 scan_done_wk);
2416
2417 rtnl_lock();
2418 - ___cfg80211_scan_done(rdev);
2419 + ___cfg80211_scan_done(rdev, true);
2420 rtnl_unlock();
2421 }
2422
2423 @@ -1079,7 +1089,7 @@ int cfg80211_wext_siwscan(struct net_dev
2424 if (IS_ERR(rdev))
2425 return PTR_ERR(rdev);
2426
2427 - if (rdev->scan_req) {
2428 + if (rdev->scan_req || rdev->scan_msg) {
2429 err = -EBUSY;
2430 goto out;
2431 }
2432 @@ -1481,7 +1491,7 @@ int cfg80211_wext_giwscan(struct net_dev
2433 if (IS_ERR(rdev))
2434 return PTR_ERR(rdev);
2435
2436 - if (rdev->scan_req)
2437 + if (rdev->scan_req || rdev->scan_msg)
2438 return -EAGAIN;
2439
2440 res = ieee80211_scan_results(rdev, info, extra, data->length);
2441 --- a/net/wireless/sme.c
2442 +++ b/net/wireless/sme.c
2443 @@ -67,7 +67,7 @@ static int cfg80211_conn_scan(struct wir
2444 ASSERT_RDEV_LOCK(rdev);
2445 ASSERT_WDEV_LOCK(wdev);
2446
2447 - if (rdev->scan_req)
2448 + if (rdev->scan_req || rdev->scan_msg)
2449 return -EBUSY;
2450
2451 if (wdev->conn->params.channel)
2452 --- a/net/mac80211/mlme.c
2453 +++ b/net/mac80211/mlme.c
2454 @@ -1001,7 +1001,6 @@ ieee80211_sta_process_chanswitch(struct
2455 }
2456
2457 ifmgd->flags |= IEEE80211_STA_CSA_RECEIVED;
2458 - sdata->vif.csa_active = true;
2459
2460 mutex_lock(&local->chanctx_mtx);
2461 if (local->use_chanctx) {
2462 @@ -1039,6 +1038,7 @@ ieee80211_sta_process_chanswitch(struct
2463 mutex_unlock(&local->chanctx_mtx);
2464
2465 sdata->csa_chandef = csa_ie.chandef;
2466 + sdata->vif.csa_active = true;
2467
2468 if (csa_ie.mode)
2469 ieee80211_stop_queues_by_reason(&local->hw,
2470 --- a/net/mac80211/chan.c
2471 +++ b/net/mac80211/chan.c
2472 @@ -196,6 +196,8 @@ static bool ieee80211_is_radar_required(
2473 {
2474 struct ieee80211_sub_if_data *sdata;
2475
2476 + lockdep_assert_held(&local->mtx);
2477 +
2478 rcu_read_lock();
2479 list_for_each_entry_rcu(sdata, &local->interfaces, list) {
2480 if (sdata->radar_required) {
2481 --- a/net/mac80211/ibss.c
2482 +++ b/net/mac80211/ibss.c
2483 @@ -294,7 +294,6 @@ static void __ieee80211_sta_join_ibss(st
2484 }
2485
2486 mutex_lock(&local->mtx);
2487 - ieee80211_vif_release_channel(sdata);
2488 if (ieee80211_vif_use_channel(sdata, &chandef,
2489 ifibss->fixed_channel ?
2490 IEEE80211_CHANCTX_SHARED :
2491 @@ -303,6 +302,7 @@ static void __ieee80211_sta_join_ibss(st
2492 mutex_unlock(&local->mtx);
2493 return;
2494 }
2495 + sdata->radar_required = radar_required;
2496 mutex_unlock(&local->mtx);
2497
2498 memcpy(ifibss->bssid, bssid, ETH_ALEN);
2499 @@ -318,7 +318,6 @@ static void __ieee80211_sta_join_ibss(st
2500 rcu_assign_pointer(ifibss->presp, presp);
2501 mgmt = (void *)presp->head;
2502
2503 - sdata->radar_required = radar_required;
2504 sdata->vif.bss_conf.enable_beacon = true;
2505 sdata->vif.bss_conf.beacon_int = beacon_int;
2506 sdata->vif.bss_conf.basic_rates = basic_rates;
2507 @@ -386,7 +385,7 @@ static void __ieee80211_sta_join_ibss(st
2508 presp->head_len, 0, GFP_KERNEL);
2509 cfg80211_put_bss(local->hw.wiphy, bss);
2510 netif_carrier_on(sdata->dev);
2511 - cfg80211_ibss_joined(sdata->dev, ifibss->bssid, GFP_KERNEL);
2512 + cfg80211_ibss_joined(sdata->dev, ifibss->bssid, chan, GFP_KERNEL);
2513 }
2514
2515 static void ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
2516 @@ -802,6 +801,8 @@ ieee80211_ibss_process_chanswitch(struct
2517 int err;
2518 u32 sta_flags;
2519
2520 + sdata_assert_lock(sdata);
2521 +
2522 sta_flags = IEEE80211_STA_DISABLE_VHT;
2523 switch (ifibss->chandef.width) {
2524 case NL80211_CHAN_WIDTH_5:
2525 @@ -1471,6 +1472,11 @@ static void ieee80211_rx_mgmt_probe_req(
2526 memcpy(((struct ieee80211_mgmt *) skb->data)->da, mgmt->sa, ETH_ALEN);
2527 ibss_dbg(sdata, "Sending ProbeResp to %pM\n", mgmt->sa);
2528 IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
2529 +
2530 + /* avoid excessive retries for probe request to wildcard SSIDs */
2531 + if (pos[1] == 0)
2532 + IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_NO_ACK;
2533 +
2534 ieee80211_tx_skb(sdata, skb);
2535 }
2536
2537 --- a/net/mac80211/mesh.c
2538 +++ b/net/mac80211/mesh.c
2539 @@ -872,6 +872,8 @@ ieee80211_mesh_process_chnswitch(struct
2540 if (!ifmsh->mesh_id)
2541 return false;
2542
2543 + sdata_assert_lock(sdata);
2544 +
2545 sta_flags = IEEE80211_STA_DISABLE_VHT;
2546 switch (sdata->vif.bss_conf.chandef.width) {
2547 case NL80211_CHAN_WIDTH_20_NOHT:
2548 --- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
2549 +++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
2550 @@ -4658,6 +4658,7 @@ brcmf_notify_connect_status(struct brcmf
2551 struct brcmf_cfg80211_info *cfg = ifp->drvr->config;
2552 struct net_device *ndev = ifp->ndev;
2553 struct brcmf_cfg80211_profile *profile = &ifp->vif->profile;
2554 + struct ieee80211_channel *chan;
2555 s32 err = 0;
2556
2557 if (ifp->vif->mode == WL_MODE_AP) {
2558 @@ -4665,9 +4666,10 @@ brcmf_notify_connect_status(struct brcmf
2559 } else if (brcmf_is_linkup(e)) {
2560 brcmf_dbg(CONN, "Linkup\n");
2561 if (brcmf_is_ibssmode(ifp->vif)) {
2562 + chan = ieee80211_get_channel(cfg->wiphy, cfg->channel);
2563 memcpy(profile->bssid, e->addr, ETH_ALEN);
2564 wl_inform_ibss(cfg, ndev, e->addr);
2565 - cfg80211_ibss_joined(ndev, e->addr, GFP_KERNEL);
2566 + cfg80211_ibss_joined(ndev, e->addr, chan, GFP_KERNEL);
2567 clear_bit(BRCMF_VIF_STATUS_CONNECTING,
2568 &ifp->vif->sme_state);
2569 set_bit(BRCMF_VIF_STATUS_CONNECTED,
2570 --- a/drivers/net/wireless/libertas/cfg.c
2571 +++ b/drivers/net/wireless/libertas/cfg.c
2572 @@ -1766,7 +1766,8 @@ static void lbs_join_post(struct lbs_pri
2573 memcpy(priv->wdev->ssid, params->ssid, params->ssid_len);
2574 priv->wdev->ssid_len = params->ssid_len;
2575
2576 - cfg80211_ibss_joined(priv->dev, bssid, GFP_KERNEL);
2577 + cfg80211_ibss_joined(priv->dev, bssid, params->chandef.chan,
2578 + GFP_KERNEL);
2579
2580 /* TODO: consider doing this at MACREG_INT_CODE_LINK_SENSED time */
2581 priv->connect_status = LBS_CONNECTED;
2582 --- a/drivers/net/wireless/mwifiex/cfg80211.c
2583 +++ b/drivers/net/wireless/mwifiex/cfg80211.c
2584 @@ -1881,7 +1881,8 @@ mwifiex_cfg80211_join_ibss(struct wiphy
2585 params->privacy);
2586 done:
2587 if (!ret) {
2588 - cfg80211_ibss_joined(priv->netdev, priv->cfg_bssid, GFP_KERNEL);
2589 + cfg80211_ibss_joined(priv->netdev, priv->cfg_bssid,
2590 + params->chandef.chan, GFP_KERNEL);
2591 dev_dbg(priv->adapter->dev,
2592 "info: joined/created adhoc network with bssid"
2593 " %pM successfully\n", priv->cfg_bssid);
2594 --- a/drivers/net/wireless/rndis_wlan.c
2595 +++ b/drivers/net/wireless/rndis_wlan.c
2596 @@ -2835,7 +2835,9 @@ static void rndis_wlan_do_link_up_work(s
2597 bssid, req_ie, req_ie_len,
2598 resp_ie, resp_ie_len, GFP_KERNEL);
2599 } else if (priv->infra_mode == NDIS_80211_INFRA_ADHOC)
2600 - cfg80211_ibss_joined(usbdev->net, bssid, GFP_KERNEL);
2601 + cfg80211_ibss_joined(usbdev->net, bssid,
2602 + get_current_channel(usbdev, NULL),
2603 + GFP_KERNEL);
2604
2605 kfree(info);
2606
2607 --- a/net/wireless/ibss.c
2608 +++ b/net/wireless/ibss.c
2609 @@ -14,7 +14,8 @@
2610 #include "rdev-ops.h"
2611
2612
2613 -void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid)
2614 +void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid,
2615 + struct ieee80211_channel *channel)
2616 {
2617 struct wireless_dev *wdev = dev->ieee80211_ptr;
2618 struct cfg80211_bss *bss;
2619 @@ -28,8 +29,7 @@ void __cfg80211_ibss_joined(struct net_d
2620 if (!wdev->ssid_len)
2621 return;
2622
2623 - bss = cfg80211_get_bss(wdev->wiphy, NULL, bssid,
2624 - wdev->ssid, wdev->ssid_len,
2625 + bss = cfg80211_get_bss(wdev->wiphy, channel, bssid, NULL, 0,
2626 WLAN_CAPABILITY_IBSS, WLAN_CAPABILITY_IBSS);
2627
2628 if (WARN_ON(!bss))
2629 @@ -54,21 +54,26 @@ void __cfg80211_ibss_joined(struct net_d
2630 #endif
2631 }
2632
2633 -void cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid, gfp_t gfp)
2634 +void cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid,
2635 + struct ieee80211_channel *channel, gfp_t gfp)
2636 {
2637 struct wireless_dev *wdev = dev->ieee80211_ptr;
2638 struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
2639 struct cfg80211_event *ev;
2640 unsigned long flags;
2641
2642 - trace_cfg80211_ibss_joined(dev, bssid);
2643 + trace_cfg80211_ibss_joined(dev, bssid, channel);
2644 +
2645 + if (WARN_ON(!channel))
2646 + return;
2647
2648 ev = kzalloc(sizeof(*ev), gfp);
2649 if (!ev)
2650 return;
2651
2652 ev->type = EVENT_IBSS_JOINED;
2653 - memcpy(ev->cr.bssid, bssid, ETH_ALEN);
2654 + memcpy(ev->ij.bssid, bssid, ETH_ALEN);
2655 + ev->ij.channel = channel;
2656
2657 spin_lock_irqsave(&wdev->event_lock, flags);
2658 list_add_tail(&ev->list, &wdev->event_list);
2659 @@ -117,6 +122,7 @@ int __cfg80211_join_ibss(struct cfg80211
2660
2661 wdev->ibss_fixed = params->channel_fixed;
2662 wdev->ibss_dfs_possible = params->userspace_handles_dfs;
2663 + wdev->chandef = params->chandef;
2664 #ifdef CPTCFG_CFG80211_WEXT
2665 wdev->wext.ibss.chandef = params->chandef;
2666 #endif
2667 @@ -200,6 +206,7 @@ static void __cfg80211_clear_ibss(struct
2668
2669 wdev->current_bss = NULL;
2670 wdev->ssid_len = 0;
2671 + memset(&wdev->chandef, 0, sizeof(wdev->chandef));
2672 #ifdef CPTCFG_CFG80211_WEXT
2673 if (!nowext)
2674 wdev->wext.ibss.ssid_len = 0;
2675 --- a/net/wireless/trace.h
2676 +++ b/net/wireless/trace.h
2677 @@ -2278,11 +2278,6 @@ DECLARE_EVENT_CLASS(cfg80211_rx_evt,
2678 TP_printk(NETDEV_PR_FMT ", " MAC_PR_FMT, NETDEV_PR_ARG, MAC_PR_ARG(addr))
2679 );
2680
2681 -DEFINE_EVENT(cfg80211_rx_evt, cfg80211_ibss_joined,
2682 - TP_PROTO(struct net_device *netdev, const u8 *addr),
2683 - TP_ARGS(netdev, addr)
2684 -);
2685 -
2686 DEFINE_EVENT(cfg80211_rx_evt, cfg80211_rx_spurious_frame,
2687 TP_PROTO(struct net_device *netdev, const u8 *addr),
2688 TP_ARGS(netdev, addr)
2689 @@ -2293,6 +2288,24 @@ DEFINE_EVENT(cfg80211_rx_evt, cfg80211_r
2690 TP_ARGS(netdev, addr)
2691 );
2692
2693 +TRACE_EVENT(cfg80211_ibss_joined,
2694 + TP_PROTO(struct net_device *netdev, const u8 *bssid,
2695 + struct ieee80211_channel *channel),
2696 + TP_ARGS(netdev, bssid, channel),
2697 + TP_STRUCT__entry(
2698 + NETDEV_ENTRY
2699 + MAC_ENTRY(bssid)
2700 + CHAN_ENTRY
2701 + ),
2702 + TP_fast_assign(
2703 + NETDEV_ASSIGN;
2704 + MAC_ASSIGN(bssid, bssid);
2705 + CHAN_ASSIGN(channel);
2706 + ),
2707 + TP_printk(NETDEV_PR_FMT ", bssid: " MAC_PR_FMT ", " CHAN_PR_FMT,
2708 + NETDEV_PR_ARG, MAC_PR_ARG(bssid), CHAN_PR_ARG)
2709 +);
2710 +
2711 TRACE_EVENT(cfg80211_probe_status,
2712 TP_PROTO(struct net_device *netdev, const u8 *addr, u64 cookie,
2713 bool acked),
2714 --- a/net/wireless/util.c
2715 +++ b/net/wireless/util.c
2716 @@ -820,7 +820,8 @@ void cfg80211_process_wdev_events(struct
2717 ev->dc.reason, true);
2718 break;
2719 case EVENT_IBSS_JOINED:
2720 - __cfg80211_ibss_joined(wdev->netdev, ev->ij.bssid);
2721 + __cfg80211_ibss_joined(wdev->netdev, ev->ij.bssid,
2722 + ev->ij.channel);
2723 break;
2724 }
2725 wdev_unlock(wdev);
2726 @@ -1356,7 +1357,7 @@ int cfg80211_can_use_iftype_chan(struct
2727 */
2728 mutex_lock_nested(&wdev_iter->mtx, 1);
2729 __acquire(wdev_iter->mtx);
2730 - cfg80211_get_chan_state(wdev_iter, &ch, &chmode);
2731 + cfg80211_get_chan_state(wdev_iter, &ch, &chmode, &radar_detect);
2732 wdev_unlock(wdev_iter);
2733
2734 switch (chmode) {
2735 --- a/net/wireless/chan.c
2736 +++ b/net/wireless/chan.c
2737 @@ -642,7 +642,8 @@ int cfg80211_set_monitor_channel(struct
2738 void
2739 cfg80211_get_chan_state(struct wireless_dev *wdev,
2740 struct ieee80211_channel **chan,
2741 - enum cfg80211_chan_mode *chanmode)
2742 + enum cfg80211_chan_mode *chanmode,
2743 + u8 *radar_detect)
2744 {
2745 *chan = NULL;
2746 *chanmode = CHAN_MODE_UNDEFINED;
2747 @@ -660,6 +661,11 @@ cfg80211_get_chan_state(struct wireless_
2748 !wdev->ibss_dfs_possible)
2749 ? CHAN_MODE_SHARED
2750 : CHAN_MODE_EXCLUSIVE;
2751 +
2752 + /* consider worst-case - IBSS can try to return to the
2753 + * original user-specified channel as creator */
2754 + if (wdev->ibss_dfs_possible)
2755 + *radar_detect |= BIT(wdev->chandef.width);
2756 return;
2757 }
2758 break;
2759 @@ -674,17 +680,26 @@ cfg80211_get_chan_state(struct wireless_
2760 case NL80211_IFTYPE_AP:
2761 case NL80211_IFTYPE_P2P_GO:
2762 if (wdev->cac_started) {
2763 - *chan = wdev->channel;
2764 + *chan = wdev->chandef.chan;
2765 *chanmode = CHAN_MODE_SHARED;
2766 + *radar_detect |= BIT(wdev->chandef.width);
2767 } else if (wdev->beacon_interval) {
2768 - *chan = wdev->channel;
2769 + *chan = wdev->chandef.chan;
2770 *chanmode = CHAN_MODE_SHARED;
2771 +
2772 + if (cfg80211_chandef_dfs_required(wdev->wiphy,
2773 + &wdev->chandef))
2774 + *radar_detect |= BIT(wdev->chandef.width);
2775 }
2776 return;
2777 case NL80211_IFTYPE_MESH_POINT:
2778 if (wdev->mesh_id_len) {
2779 - *chan = wdev->channel;
2780 + *chan = wdev->chandef.chan;
2781 *chanmode = CHAN_MODE_SHARED;
2782 +
2783 + if (cfg80211_chandef_dfs_required(wdev->wiphy,
2784 + &wdev->chandef))
2785 + *radar_detect |= BIT(wdev->chandef.width);
2786 }
2787 return;
2788 case NL80211_IFTYPE_MONITOR:
2789 --- a/net/wireless/mesh.c
2790 +++ b/net/wireless/mesh.c
2791 @@ -195,7 +195,7 @@ int __cfg80211_join_mesh(struct cfg80211
2792 if (!err) {
2793 memcpy(wdev->ssid, setup->mesh_id, setup->mesh_id_len);
2794 wdev->mesh_id_len = setup->mesh_id_len;
2795 - wdev->channel = setup->chandef.chan;
2796 + wdev->chandef = setup->chandef;
2797 }
2798
2799 return err;
2800 @@ -244,7 +244,7 @@ int cfg80211_set_mesh_channel(struct cfg
2801 err = rdev_libertas_set_mesh_channel(rdev, wdev->netdev,
2802 chandef->chan);
2803 if (!err)
2804 - wdev->channel = chandef->chan;
2805 + wdev->chandef = *chandef;
2806
2807 return err;
2808 }
2809 @@ -276,7 +276,7 @@ static int __cfg80211_leave_mesh(struct
2810 err = rdev_leave_mesh(rdev, dev);
2811 if (!err) {
2812 wdev->mesh_id_len = 0;
2813 - wdev->channel = NULL;
2814 + memset(&wdev->chandef, 0, sizeof(wdev->chandef));
2815 rdev_set_qos_map(rdev, dev, NULL);
2816 }
2817
2818 --- a/net/wireless/mlme.c
2819 +++ b/net/wireless/mlme.c
2820 @@ -772,7 +772,7 @@ void cfg80211_cac_event(struct net_devic
2821 if (WARN_ON(!wdev->cac_started))
2822 return;
2823
2824 - if (WARN_ON(!wdev->channel))
2825 + if (WARN_ON(!wdev->chandef.chan))
2826 return;
2827
2828 switch (event) {
2829 --- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
2830 +++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
2831 @@ -5065,6 +5065,10 @@ static u16 ar9003_hw_get_max_edge_power(
2832 break;
2833 }
2834 }
2835 +
2836 + if (is2GHz && !twiceMaxEdgePower)
2837 + twiceMaxEdgePower = 60;
2838 +
2839 return twiceMaxEdgePower;
2840 }
2841
2842 --- a/drivers/net/wireless/ath/ath9k/ar9003_calib.c
2843 +++ b/drivers/net/wireless/ath/ath9k/ar9003_calib.c
2844 @@ -23,10 +23,11 @@
2845 #define MAX_MEASUREMENT MAX_IQCAL_MEASUREMENT
2846 #define MAX_MAG_DELTA 11
2847 #define MAX_PHS_DELTA 10
2848 +#define MAXIQCAL 3
2849
2850 struct coeff {
2851 - int mag_coeff[AR9300_MAX_CHAINS][MAX_MEASUREMENT];
2852 - int phs_coeff[AR9300_MAX_CHAINS][MAX_MEASUREMENT];
2853 + int mag_coeff[AR9300_MAX_CHAINS][MAX_MEASUREMENT][MAXIQCAL];
2854 + int phs_coeff[AR9300_MAX_CHAINS][MAX_MEASUREMENT][MAXIQCAL];
2855 int iqc_coeff[2];
2856 };
2857
2858 @@ -800,7 +801,7 @@ static bool ar9003_hw_calc_iq_corr(struc
2859 if (q_q_coff > 63)
2860 q_q_coff = 63;
2861
2862 - iqc_coeff[0] = (q_q_coff * 128) + q_i_coff;
2863 + iqc_coeff[0] = (q_q_coff * 128) + (0x7f & q_i_coff);
2864
2865 ath_dbg(common, CALIBRATE, "tx chain %d: iq corr coeff=%x\n",
2866 chain_idx, iqc_coeff[0]);
2867 @@ -831,7 +832,7 @@ static bool ar9003_hw_calc_iq_corr(struc
2868 if (q_q_coff > 63)
2869 q_q_coff = 63;
2870
2871 - iqc_coeff[1] = (q_q_coff * 128) + q_i_coff;
2872 + iqc_coeff[1] = (q_q_coff * 128) + (0x7f & q_i_coff);
2873
2874 ath_dbg(common, CALIBRATE, "rx chain %d: iq corr coeff=%x\n",
2875 chain_idx, iqc_coeff[1]);
2876 @@ -839,7 +840,8 @@ static bool ar9003_hw_calc_iq_corr(struc
2877 return true;
2878 }
2879
2880 -static void ar9003_hw_detect_outlier(int *mp_coeff, int nmeasurement,
2881 +static void ar9003_hw_detect_outlier(int mp_coeff[][MAXIQCAL],
2882 + int nmeasurement,
2883 int max_delta)
2884 {
2885 int mp_max = -64, max_idx = 0;
2886 @@ -848,20 +850,20 @@ static void ar9003_hw_detect_outlier(int
2887
2888 /* find min/max mismatch across all calibrated gains */
2889 for (i = 0; i < nmeasurement; i++) {
2890 - if (mp_coeff[i] > mp_max) {
2891 - mp_max = mp_coeff[i];
2892 + if (mp_coeff[i][0] > mp_max) {
2893 + mp_max = mp_coeff[i][0];
2894 max_idx = i;
2895 - } else if (mp_coeff[i] < mp_min) {
2896 - mp_min = mp_coeff[i];
2897 + } else if (mp_coeff[i][0] < mp_min) {
2898 + mp_min = mp_coeff[i][0];
2899 min_idx = i;
2900 }
2901 }
2902
2903 /* find average (exclude max abs value) */
2904 for (i = 0; i < nmeasurement; i++) {
2905 - if ((abs(mp_coeff[i]) < abs(mp_max)) ||
2906 - (abs(mp_coeff[i]) < abs(mp_min))) {
2907 - mp_avg += mp_coeff[i];
2908 + if ((abs(mp_coeff[i][0]) < abs(mp_max)) ||
2909 + (abs(mp_coeff[i][0]) < abs(mp_min))) {
2910 + mp_avg += mp_coeff[i][0];
2911 mp_count++;
2912 }
2913 }
2914 @@ -873,7 +875,7 @@ static void ar9003_hw_detect_outlier(int
2915 if (mp_count)
2916 mp_avg /= mp_count;
2917 else
2918 - mp_avg = mp_coeff[nmeasurement - 1];
2919 + mp_avg = mp_coeff[nmeasurement - 1][0];
2920
2921 /* detect outlier */
2922 if (abs(mp_max - mp_min) > max_delta) {
2923 @@ -882,15 +884,16 @@ static void ar9003_hw_detect_outlier(int
2924 else
2925 outlier_idx = min_idx;
2926
2927 - mp_coeff[outlier_idx] = mp_avg;
2928 + mp_coeff[outlier_idx][0] = mp_avg;
2929 }
2930 }
2931
2932 -static void ar9003_hw_tx_iqcal_load_avg_2_passes(struct ath_hw *ah,
2933 - struct coeff *coeff,
2934 - bool is_reusable)
2935 +static void ar9003_hw_tx_iq_cal_outlier_detection(struct ath_hw *ah,
2936 + struct coeff *coeff,
2937 + bool is_reusable)
2938 {
2939 int i, im, nmeasurement;
2940 + int magnitude, phase;
2941 u32 tx_corr_coeff[MAX_MEASUREMENT][AR9300_MAX_CHAINS];
2942 struct ath9k_hw_cal_data *caldata = ah->caldata;
2943
2944 @@ -920,21 +923,30 @@ static void ar9003_hw_tx_iqcal_load_avg_
2945 if (nmeasurement > MAX_MEASUREMENT)
2946 nmeasurement = MAX_MEASUREMENT;
2947
2948 - /* detect outlier only if nmeasurement > 1 */
2949 - if (nmeasurement > 1) {
2950 - /* Detect magnitude outlier */
2951 - ar9003_hw_detect_outlier(coeff->mag_coeff[i],
2952 - nmeasurement, MAX_MAG_DELTA);
2953 -
2954 - /* Detect phase outlier */
2955 - ar9003_hw_detect_outlier(coeff->phs_coeff[i],
2956 - nmeasurement, MAX_PHS_DELTA);
2957 + /*
2958 + * Skip normal outlier detection for AR9550.
2959 + */
2960 + if (!AR_SREV_9550(ah)) {
2961 + /* detect outlier only if nmeasurement > 1 */
2962 + if (nmeasurement > 1) {
2963 + /* Detect magnitude outlier */
2964 + ar9003_hw_detect_outlier(coeff->mag_coeff[i],
2965 + nmeasurement,
2966 + MAX_MAG_DELTA);
2967 +
2968 + /* Detect phase outlier */
2969 + ar9003_hw_detect_outlier(coeff->phs_coeff[i],
2970 + nmeasurement,
2971 + MAX_PHS_DELTA);
2972 + }
2973 }
2974
2975 for (im = 0; im < nmeasurement; im++) {
2976 + magnitude = coeff->mag_coeff[i][im][0];
2977 + phase = coeff->phs_coeff[i][im][0];
2978
2979 - coeff->iqc_coeff[0] = (coeff->mag_coeff[i][im] & 0x7f) |
2980 - ((coeff->phs_coeff[i][im] & 0x7f) << 7);
2981 + coeff->iqc_coeff[0] =
2982 + (phase & 0x7f) | ((magnitude & 0x7f) << 7);
2983
2984 if ((im % 2) == 0)
2985 REG_RMW_FIELD(ah, tx_corr_coeff[im][i],
2986 @@ -991,7 +1003,63 @@ static bool ar9003_hw_tx_iq_cal_run(stru
2987 return true;
2988 }
2989
2990 -static void ar9003_hw_tx_iq_cal_post_proc(struct ath_hw *ah, bool is_reusable)
2991 +static void __ar955x_tx_iq_cal_sort(struct ath_hw *ah,
2992 + struct coeff *coeff,
2993 + int i, int nmeasurement)
2994 +{
2995 + struct ath_common *common = ath9k_hw_common(ah);
2996 + int im, ix, iy, temp;
2997 +
2998 + for (im = 0; im < nmeasurement; im++) {
2999 + for (ix = 0; ix < MAXIQCAL - 1; ix++) {
3000 + for (iy = ix + 1; iy <= MAXIQCAL - 1; iy++) {
3001 + if (coeff->mag_coeff[i][im][iy] <
3002 + coeff->mag_coeff[i][im][ix]) {
3003 + temp = coeff->mag_coeff[i][im][ix];
3004 + coeff->mag_coeff[i][im][ix] =
3005 + coeff->mag_coeff[i][im][iy];
3006 + coeff->mag_coeff[i][im][iy] = temp;
3007 + }
3008 + if (coeff->phs_coeff[i][im][iy] <
3009 + coeff->phs_coeff[i][im][ix]) {
3010 + temp = coeff->phs_coeff[i][im][ix];
3011 + coeff->phs_coeff[i][im][ix] =
3012 + coeff->phs_coeff[i][im][iy];
3013 + coeff->phs_coeff[i][im][iy] = temp;
3014 + }
3015 + }
3016 + }
3017 + coeff->mag_coeff[i][im][0] = coeff->mag_coeff[i][im][MAXIQCAL / 2];
3018 + coeff->phs_coeff[i][im][0] = coeff->phs_coeff[i][im][MAXIQCAL / 2];
3019 +
3020 + ath_dbg(common, CALIBRATE,
3021 + "IQCAL: Median [ch%d][gain%d]: mag = %d phase = %d\n",
3022 + i, im,
3023 + coeff->mag_coeff[i][im][0],
3024 + coeff->phs_coeff[i][im][0]);
3025 + }
3026 +}
3027 +
3028 +static bool ar955x_tx_iq_cal_median(struct ath_hw *ah,
3029 + struct coeff *coeff,
3030 + int iqcal_idx,
3031 + int nmeasurement)
3032 +{
3033 + int i;
3034 +
3035 + if ((iqcal_idx + 1) != MAXIQCAL)
3036 + return false;
3037 +
3038 + for (i = 0; i < AR9300_MAX_CHAINS; i++) {
3039 + __ar955x_tx_iq_cal_sort(ah, coeff, i, nmeasurement);
3040 + }
3041 +
3042 + return true;
3043 +}
3044 +
3045 +static void ar9003_hw_tx_iq_cal_post_proc(struct ath_hw *ah,
3046 + int iqcal_idx,
3047 + bool is_reusable)
3048 {
3049 struct ath_common *common = ath9k_hw_common(ah);
3050 const u32 txiqcal_status[AR9300_MAX_CHAINS] = {
3051 @@ -1004,10 +1072,11 @@ static void ar9003_hw_tx_iq_cal_post_pro
3052 AR_PHY_CHAN_INFO_TAB_1,
3053 AR_PHY_CHAN_INFO_TAB_2,
3054 };
3055 - struct coeff coeff;
3056 + static struct coeff coeff;
3057 s32 iq_res[6];
3058 int i, im, j;
3059 - int nmeasurement;
3060 + int nmeasurement = 0;
3061 + bool outlier_detect = true;
3062
3063 for (i = 0; i < AR9300_MAX_CHAINS; i++) {
3064 if (!(ah->txchainmask & (1 << i)))
3065 @@ -1065,17 +1134,23 @@ static void ar9003_hw_tx_iq_cal_post_pro
3066 goto tx_iqcal_fail;
3067 }
3068
3069 - coeff.mag_coeff[i][im] = coeff.iqc_coeff[0] & 0x7f;
3070 - coeff.phs_coeff[i][im] =
3071 + coeff.phs_coeff[i][im][iqcal_idx] =
3072 + coeff.iqc_coeff[0] & 0x7f;
3073 + coeff.mag_coeff[i][im][iqcal_idx] =
3074 (coeff.iqc_coeff[0] >> 7) & 0x7f;
3075
3076 - if (coeff.mag_coeff[i][im] > 63)
3077 - coeff.mag_coeff[i][im] -= 128;
3078 - if (coeff.phs_coeff[i][im] > 63)
3079 - coeff.phs_coeff[i][im] -= 128;
3080 + if (coeff.mag_coeff[i][im][iqcal_idx] > 63)
3081 + coeff.mag_coeff[i][im][iqcal_idx] -= 128;
3082 + if (coeff.phs_coeff[i][im][iqcal_idx] > 63)
3083 + coeff.phs_coeff[i][im][iqcal_idx] -= 128;
3084 }
3085 }
3086 - ar9003_hw_tx_iqcal_load_avg_2_passes(ah, &coeff, is_reusable);
3087 +
3088 + if (AR_SREV_9550(ah))
3089 + outlier_detect = ar955x_tx_iq_cal_median(ah, &coeff,
3090 + iqcal_idx, nmeasurement);
3091 + if (outlier_detect)
3092 + ar9003_hw_tx_iq_cal_outlier_detection(ah, &coeff, is_reusable);
3093
3094 return;
3095
3096 @@ -1409,7 +1484,7 @@ skip_tx_iqcal:
3097 }
3098
3099 if (txiqcal_done)
3100 - ar9003_hw_tx_iq_cal_post_proc(ah, is_reusable);
3101 + ar9003_hw_tx_iq_cal_post_proc(ah, 0, is_reusable);
3102 else if (caldata && test_bit(TXIQCAL_DONE, &caldata->cal_flags))
3103 ar9003_hw_tx_iq_cal_reload(ah);
3104
3105 @@ -1455,14 +1530,38 @@ skip_tx_iqcal:
3106 return true;
3107 }
3108
3109 +static bool do_ar9003_agc_cal(struct ath_hw *ah)
3110 +{
3111 + struct ath_common *common = ath9k_hw_common(ah);
3112 + bool status;
3113 +
3114 + REG_WRITE(ah, AR_PHY_AGC_CONTROL,
3115 + REG_READ(ah, AR_PHY_AGC_CONTROL) |
3116 + AR_PHY_AGC_CONTROL_CAL);
3117 +
3118 + status = ath9k_hw_wait(ah, AR_PHY_AGC_CONTROL,
3119 + AR_PHY_AGC_CONTROL_CAL,
3120 + 0, AH_WAIT_TIMEOUT);
3121 + if (!status) {
3122 + ath_dbg(common, CALIBRATE,
3123 + "offset calibration failed to complete in %d ms,"
3124 + "noisy environment?\n",
3125 + AH_WAIT_TIMEOUT / 1000);
3126 + return false;
3127 + }
3128 +
3129 + return true;
3130 +}
3131 +
3132 static bool ar9003_hw_init_cal_soc(struct ath_hw *ah,
3133 struct ath9k_channel *chan)
3134 {
3135 struct ath_common *common = ath9k_hw_common(ah);
3136 struct ath9k_hw_cal_data *caldata = ah->caldata;
3137 bool txiqcal_done = false;
3138 - bool is_reusable = true, status = true;
3139 + bool status = true;
3140 bool run_agc_cal = false, sep_iq_cal = false;
3141 + int i = 0;
3142
3143 /* Use chip chainmask only for calibration */
3144 ar9003_hw_set_chain_masks(ah, ah->caps.rx_chainmask, ah->caps.tx_chainmask);
3145 @@ -1485,7 +1584,12 @@ static bool ar9003_hw_init_cal_soc(struc
3146 * AGC calibration. Specifically, AR9550 in SoC chips.
3147 */
3148 if (ah->enabled_cals & TX_IQ_ON_AGC_CAL) {
3149 - txiqcal_done = true;
3150 + if (REG_READ_FIELD(ah, AR_PHY_TX_IQCAL_CONTROL_0,
3151 + AR_PHY_TX_IQCAL_CONTROL_0_ENABLE_TXIQ_CAL)) {
3152 + txiqcal_done = true;
3153 + } else {
3154 + txiqcal_done = false;
3155 + }
3156 run_agc_cal = true;
3157 } else {
3158 sep_iq_cal = true;
3159 @@ -1512,27 +1616,37 @@ skip_tx_iqcal:
3160 if (AR_SREV_9330_11(ah))
3161 ar9003_hw_manual_peak_cal(ah, 0, IS_CHAN_2GHZ(chan));
3162
3163 - /* Calibrate the AGC */
3164 - REG_WRITE(ah, AR_PHY_AGC_CONTROL,
3165 - REG_READ(ah, AR_PHY_AGC_CONTROL) |
3166 - AR_PHY_AGC_CONTROL_CAL);
3167 -
3168 - /* Poll for offset calibration complete */
3169 - status = ath9k_hw_wait(ah, AR_PHY_AGC_CONTROL,
3170 - AR_PHY_AGC_CONTROL_CAL,
3171 - 0, AH_WAIT_TIMEOUT);
3172 - }
3173 + /*
3174 + * For non-AR9550 chips, we just trigger AGC calibration
3175 + * in the HW, poll for completion and then process
3176 + * the results.
3177 + *
3178 + * For AR955x, we run it multiple times and use
3179 + * median IQ correction.
3180 + */
3181 + if (!AR_SREV_9550(ah)) {
3182 + status = do_ar9003_agc_cal(ah);
3183 + if (!status)
3184 + return false;
3185
3186 - if (!status) {
3187 - ath_dbg(common, CALIBRATE,
3188 - "offset calibration failed to complete in %d ms; noisy environment?\n",
3189 - AH_WAIT_TIMEOUT / 1000);
3190 - return false;
3191 + if (txiqcal_done)
3192 + ar9003_hw_tx_iq_cal_post_proc(ah, 0, false);
3193 + } else {
3194 + if (!txiqcal_done) {
3195 + status = do_ar9003_agc_cal(ah);
3196 + if (!status)
3197 + return false;
3198 + } else {
3199 + for (i = 0; i < MAXIQCAL; i++) {
3200 + status = do_ar9003_agc_cal(ah);
3201 + if (!status)
3202 + return false;
3203 + ar9003_hw_tx_iq_cal_post_proc(ah, i, false);
3204 + }
3205 + }
3206 + }
3207 }
3208
3209 - if (txiqcal_done)
3210 - ar9003_hw_tx_iq_cal_post_proc(ah, is_reusable);
3211 -
3212 /* Revert chainmask to runtime parameters */
3213 ar9003_hw_set_chain_masks(ah, ah->rxchainmask, ah->txchainmask);
3214
3215 --- a/drivers/net/wireless/rtl818x/rtl8187/rtl8187.h
3216 +++ b/drivers/net/wireless/rtl818x/rtl8187/rtl8187.h
3217 @@ -15,6 +15,8 @@
3218 #ifndef RTL8187_H
3219 #define RTL8187_H
3220
3221 +#include <linux/cache.h>
3222 +
3223 #include "rtl818x.h"
3224 #include "leds.h"
3225
3226 @@ -139,7 +141,10 @@ struct rtl8187_priv {
3227 u8 aifsn[4];
3228 u8 rfkill_mask;
3229 struct {
3230 - __le64 buf;
3231 + union {
3232 + __le64 buf;
3233 + u8 dummy1[L1_CACHE_BYTES];
3234 + } ____cacheline_aligned;
3235 struct sk_buff_head queue;
3236 } b_tx_status; /* This queue is used by both -b and non-b devices */
3237 struct mutex io_mutex;
3238 @@ -147,7 +152,8 @@ struct rtl8187_priv {
3239 u8 bits8;
3240 __le16 bits16;
3241 __le32 bits32;
3242 - } *io_dmabuf;
3243 + u8 dummy2[L1_CACHE_BYTES];
3244 + } *io_dmabuf ____cacheline_aligned;
3245 bool rfkill_off;
3246 u16 seqno;
3247 };
3248 --- a/net/mac80211/wme.c
3249 +++ b/net/mac80211/wme.c
3250 @@ -154,6 +154,11 @@ u16 ieee80211_select_queue(struct ieee80
3251 return IEEE80211_AC_BE;
3252 }
3253
3254 + if (skb->protocol == sdata->control_port_protocol) {
3255 + skb->priority = 7;
3256 + return ieee80211_downgrade_queue(sdata, skb);
3257 + }
3258 +
3259 /* use the data classifier to determine what 802.1d tag the
3260 * data frame has */
3261 rcu_read_lock();
3262 --- a/drivers/net/wireless/ath/ath9k/xmit.c
3263 +++ b/drivers/net/wireless/ath/ath9k/xmit.c
3264 @@ -1444,14 +1444,16 @@ void ath_tx_aggr_sleep(struct ieee80211_
3265 for (tidno = 0, tid = &an->tid[tidno];
3266 tidno < IEEE80211_NUM_TIDS; tidno++, tid++) {
3267
3268 - if (!tid->sched)
3269 - continue;
3270 -
3271 ac = tid->ac;
3272 txq = ac->txq;
3273
3274 ath_txq_lock(sc, txq);
3275
3276 + if (!tid->sched) {
3277 + ath_txq_unlock(sc, txq);
3278 + continue;
3279 + }
3280 +
3281 buffered = ath_tid_has_buffered(tid);
3282
3283 tid->sched = false;
3284 @@ -2184,14 +2186,15 @@ int ath_tx_start(struct ieee80211_hw *hw
3285 txq->stopped = true;
3286 }
3287
3288 + if (txctl->an)
3289 + tid = ath_get_skb_tid(sc, txctl->an, skb);
3290 +
3291 if (info->flags & IEEE80211_TX_CTL_PS_RESPONSE) {
3292 ath_txq_unlock(sc, txq);
3293 txq = sc->tx.uapsdq;
3294 ath_txq_lock(sc, txq);
3295 } else if (txctl->an &&
3296 ieee80211_is_data_present(hdr->frame_control)) {
3297 - tid = ath_get_skb_tid(sc, txctl->an, skb);
3298 -
3299 WARN_ON(tid->ac->txq != txctl->txq);
3300
3301 if (info->flags & IEEE80211_TX_CTL_CLEAR_PS_FILT)
3302 --- a/drivers/net/wireless/ath/ath9k/init.c
3303 +++ b/drivers/net/wireless/ath/ath9k/init.c
3304 @@ -943,6 +943,7 @@ static void ath9k_set_hw_capab(struct at
3305 hw->wiphy->flags |= WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL;
3306 hw->wiphy->flags |= WIPHY_FLAG_SUPPORTS_5_10_MHZ;
3307 hw->wiphy->flags |= WIPHY_FLAG_HAS_CHANNEL_SWITCH;
3308 + hw->wiphy->flags |= WIPHY_FLAG_AP_UAPSD;
3309
3310 hw->queues = 4;
3311 hw->max_rates = 4;
3312 --- a/net/mac80211/ieee80211_i.h
3313 +++ b/net/mac80211/ieee80211_i.h
3314 @@ -1700,14 +1700,8 @@ void ieee80211_stop_queue_by_reason(stru
3315 void ieee80211_propagate_queue_wake(struct ieee80211_local *local, int queue);
3316 void ieee80211_add_pending_skb(struct ieee80211_local *local,
3317 struct sk_buff *skb);
3318 -void ieee80211_add_pending_skbs_fn(struct ieee80211_local *local,
3319 - struct sk_buff_head *skbs,
3320 - void (*fn)(void *data), void *data);
3321 -static inline void ieee80211_add_pending_skbs(struct ieee80211_local *local,
3322 - struct sk_buff_head *skbs)
3323 -{
3324 - ieee80211_add_pending_skbs_fn(local, skbs, NULL, NULL);
3325 -}
3326 +void ieee80211_add_pending_skbs(struct ieee80211_local *local,
3327 + struct sk_buff_head *skbs);
3328 void ieee80211_flush_queues(struct ieee80211_local *local,
3329 struct ieee80211_sub_if_data *sdata);
3330
3331 --- a/net/mac80211/sta_info.c
3332 +++ b/net/mac80211/sta_info.c
3333 @@ -91,7 +91,7 @@ static int sta_info_hash_del(struct ieee
3334 return -ENOENT;
3335 }
3336
3337 -static void cleanup_single_sta(struct sta_info *sta)
3338 +static void __cleanup_single_sta(struct sta_info *sta)
3339 {
3340 int ac, i;
3341 struct tid_ampdu_tx *tid_tx;
3342 @@ -99,7 +99,8 @@ static void cleanup_single_sta(struct st
3343 struct ieee80211_local *local = sdata->local;
3344 struct ps_data *ps;
3345
3346 - if (test_sta_flag(sta, WLAN_STA_PS_STA)) {
3347 + if (test_sta_flag(sta, WLAN_STA_PS_STA) ||
3348 + test_sta_flag(sta, WLAN_STA_PS_DRIVER)) {
3349 if (sta->sdata->vif.type == NL80211_IFTYPE_AP ||
3350 sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
3351 ps = &sdata->bss->ps;
3352 @@ -109,6 +110,7 @@ static void cleanup_single_sta(struct st
3353 return;
3354
3355 clear_sta_flag(sta, WLAN_STA_PS_STA);
3356 + clear_sta_flag(sta, WLAN_STA_PS_DRIVER);
3357
3358 atomic_dec(&ps->num_sta_ps);
3359 sta_info_recalc_tim(sta);
3360 @@ -139,7 +141,14 @@ static void cleanup_single_sta(struct st
3361 ieee80211_purge_tx_queue(&local->hw, &tid_tx->pending);
3362 kfree(tid_tx);
3363 }
3364 +}
3365
3366 +static void cleanup_single_sta(struct sta_info *sta)
3367 +{
3368 + struct ieee80211_sub_if_data *sdata = sta->sdata;
3369 + struct ieee80211_local *local = sdata->local;
3370 +
3371 + __cleanup_single_sta(sta);
3372 sta_info_free(local, sta);
3373 }
3374
3375 @@ -330,6 +339,7 @@ struct sta_info *sta_info_alloc(struct i
3376 rcu_read_unlock();
3377
3378 spin_lock_init(&sta->lock);
3379 + spin_lock_init(&sta->ps_lock);
3380 INIT_WORK(&sta->drv_unblock_wk, sta_unblock);
3381 INIT_WORK(&sta->ampdu_mlme.work, ieee80211_ba_session_work);
3382 mutex_init(&sta->ampdu_mlme.mtx);
3383 @@ -487,21 +497,26 @@ static int sta_info_insert_finish(struct
3384 goto out_err;
3385 }
3386
3387 - /* notify driver */
3388 - err = sta_info_insert_drv_state(local, sdata, sta);
3389 - if (err)
3390 - goto out_err;
3391 -
3392 local->num_sta++;
3393 local->sta_generation++;
3394 smp_mb();
3395
3396 + /* simplify things and don't accept BA sessions yet */
3397 + set_sta_flag(sta, WLAN_STA_BLOCK_BA);
3398 +
3399 /* make the station visible */
3400 sta_info_hash_add(local, sta);
3401
3402 list_add_rcu(&sta->list, &local->sta_list);
3403
3404 + /* notify driver */
3405 + err = sta_info_insert_drv_state(local, sdata, sta);
3406 + if (err)
3407 + goto out_remove;
3408 +
3409 set_sta_flag(sta, WLAN_STA_INSERTED);
3410 + /* accept BA sessions now */
3411 + clear_sta_flag(sta, WLAN_STA_BLOCK_BA);
3412
3413 ieee80211_recalc_min_chandef(sdata);
3414 ieee80211_sta_debugfs_add(sta);
3415 @@ -522,6 +537,12 @@ static int sta_info_insert_finish(struct
3416 mesh_accept_plinks_update(sdata);
3417
3418 return 0;
3419 + out_remove:
3420 + sta_info_hash_del(local, sta);
3421 + list_del_rcu(&sta->list);
3422 + local->num_sta--;
3423 + synchronize_net();
3424 + __cleanup_single_sta(sta);
3425 out_err:
3426 mutex_unlock(&local->sta_mtx);
3427 rcu_read_lock();
3428 @@ -1071,10 +1092,14 @@ struct ieee80211_sta *ieee80211_find_sta
3429 }
3430 EXPORT_SYMBOL(ieee80211_find_sta);
3431
3432 -static void clear_sta_ps_flags(void *_sta)
3433 +/* powersave support code */
3434 +void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
3435 {
3436 - struct sta_info *sta = _sta;
3437 struct ieee80211_sub_if_data *sdata = sta->sdata;
3438 + struct ieee80211_local *local = sdata->local;
3439 + struct sk_buff_head pending;
3440 + int filtered = 0, buffered = 0, ac;
3441 + unsigned long flags;
3442 struct ps_data *ps;
3443
3444 if (sdata->vif.type == NL80211_IFTYPE_AP ||
3445 @@ -1085,20 +1110,6 @@ static void clear_sta_ps_flags(void *_st
3446 else
3447 return;
3448
3449 - clear_sta_flag(sta, WLAN_STA_PS_DRIVER);
3450 - if (test_and_clear_sta_flag(sta, WLAN_STA_PS_STA))
3451 - atomic_dec(&ps->num_sta_ps);
3452 -}
3453 -
3454 -/* powersave support code */
3455 -void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
3456 -{
3457 - struct ieee80211_sub_if_data *sdata = sta->sdata;
3458 - struct ieee80211_local *local = sdata->local;
3459 - struct sk_buff_head pending;
3460 - int filtered = 0, buffered = 0, ac;
3461 - unsigned long flags;
3462 -
3463 clear_sta_flag(sta, WLAN_STA_SP);
3464
3465 BUILD_BUG_ON(BITS_TO_LONGS(IEEE80211_NUM_TIDS) > 1);
3466 @@ -1109,6 +1120,8 @@ void ieee80211_sta_ps_deliver_wakeup(str
3467
3468 skb_queue_head_init(&pending);
3469
3470 + /* sync with ieee80211_tx_h_unicast_ps_buf */
3471 + spin_lock(&sta->ps_lock);
3472 /* Send all buffered frames to the station */
3473 for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
3474 int count = skb_queue_len(&pending), tmp;
3475 @@ -1127,7 +1140,12 @@ void ieee80211_sta_ps_deliver_wakeup(str
3476 buffered += tmp - count;
3477 }
3478
3479 - ieee80211_add_pending_skbs_fn(local, &pending, clear_sta_ps_flags, sta);
3480 + ieee80211_add_pending_skbs(local, &pending);
3481 + clear_sta_flag(sta, WLAN_STA_PS_DRIVER);
3482 + clear_sta_flag(sta, WLAN_STA_PS_STA);
3483 + spin_unlock(&sta->ps_lock);
3484 +
3485 + atomic_dec(&ps->num_sta_ps);
3486
3487 /* This station just woke up and isn't aware of our SMPS state */
3488 if (!ieee80211_smps_is_restrictive(sta->known_smps_mode,
3489 --- a/net/mac80211/sta_info.h
3490 +++ b/net/mac80211/sta_info.h
3491 @@ -267,6 +267,7 @@ struct ieee80211_tx_latency_stat {
3492 * @drv_unblock_wk: used for driver PS unblocking
3493 * @listen_interval: listen interval of this station, when we're acting as AP
3494 * @_flags: STA flags, see &enum ieee80211_sta_info_flags, do not use directly
3495 + * @ps_lock: used for powersave (when mac80211 is the AP) related locking
3496 * @ps_tx_buf: buffers (per AC) of frames to transmit to this station
3497 * when it leaves power saving state or polls
3498 * @tx_filtered: buffers (per AC) of frames we already tried to
3499 @@ -356,10 +357,8 @@ struct sta_info {
3500 /* use the accessors defined below */
3501 unsigned long _flags;
3502
3503 - /*
3504 - * STA powersave frame queues, no more than the internal
3505 - * locking required.
3506 - */
3507 + /* STA powersave lock and frame queues */
3508 + spinlock_t ps_lock;
3509 struct sk_buff_head ps_tx_buf[IEEE80211_NUM_ACS];
3510 struct sk_buff_head tx_filtered[IEEE80211_NUM_ACS];
3511 unsigned long driver_buffered_tids;
3512 --- a/net/mac80211/util.c
3513 +++ b/net/mac80211/util.c
3514 @@ -435,9 +435,8 @@ void ieee80211_add_pending_skb(struct ie
3515 spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags);
3516 }
3517
3518 -void ieee80211_add_pending_skbs_fn(struct ieee80211_local *local,
3519 - struct sk_buff_head *skbs,
3520 - void (*fn)(void *data), void *data)
3521 +void ieee80211_add_pending_skbs(struct ieee80211_local *local,
3522 + struct sk_buff_head *skbs)
3523 {
3524 struct ieee80211_hw *hw = &local->hw;
3525 struct sk_buff *skb;
3526 @@ -461,9 +460,6 @@ void ieee80211_add_pending_skbs_fn(struc
3527 __skb_queue_tail(&local->pending[queue], skb);
3528 }
3529
3530 - if (fn)
3531 - fn(data);
3532 -
3533 for (i = 0; i < hw->queues; i++)
3534 __ieee80211_wake_queue(hw, i,
3535 IEEE80211_QUEUE_STOP_REASON_SKB_ADD);
3536 --- a/net/wireless/reg.c
3537 +++ b/net/wireless/reg.c
3538 @@ -1700,7 +1700,7 @@ static void reg_process_hint(struct regu
3539 return;
3540 case NL80211_REGDOM_SET_BY_USER:
3541 treatment = reg_process_hint_user(reg_request);
3542 - if (treatment == REG_REQ_OK ||
3543 + if (treatment == REG_REQ_IGNORE ||
3544 treatment == REG_REQ_ALREADY_SET)
3545 return;
3546 schedule_delayed_work(&reg_timeout, msecs_to_jiffies(3142));
3547 --- a/drivers/net/wireless/ath/ath9k/debug.c
3548 +++ b/drivers/net/wireless/ath/ath9k/debug.c
3549 @@ -866,6 +866,12 @@ static ssize_t read_file_reset(struct fi
3550 "%17s: %2d\n", "PLL RX Hang",
3551 sc->debug.stats.reset[RESET_TYPE_PLL_HANG]);
3552 len += scnprintf(buf + len, sizeof(buf) - len,
3553 + "%17s: %2d\n", "MAC Hang",
3554 + sc->debug.stats.reset[RESET_TYPE_MAC_HANG]);
3555 + len += scnprintf(buf + len, sizeof(buf) - len,
3556 + "%17s: %2d\n", "Stuck Beacon",
3557 + sc->debug.stats.reset[RESET_TYPE_BEACON_STUCK]);
3558 + len += scnprintf(buf + len, sizeof(buf) - len,
3559 "%17s: %2d\n", "MCI Reset",
3560 sc->debug.stats.reset[RESET_TYPE_MCI]);
3561
3562 --- a/drivers/net/wireless/ath/ath9k/ar9003_phy.c
3563 +++ b/drivers/net/wireless/ath/ath9k/ar9003_phy.c
3564 @@ -868,10 +868,6 @@ static void ar9003_hw_set_rfmode(struct
3565
3566 if (IS_CHAN_A_FAST_CLOCK(ah, chan))
3567 rfMode |= (AR_PHY_MODE_DYNAMIC | AR_PHY_MODE_DYN_CCK_DISABLE);
3568 - if (IS_CHAN_QUARTER_RATE(chan))
3569 - rfMode |= AR_PHY_MODE_QUARTER;
3570 - if (IS_CHAN_HALF_RATE(chan))
3571 - rfMode |= AR_PHY_MODE_HALF;
3572
3573 if (rfMode & (AR_PHY_MODE_QUARTER | AR_PHY_MODE_HALF))
3574 REG_RMW_FIELD(ah, AR_PHY_FRAME_CTL,
3575 --- a/drivers/net/wireless/ath/ath5k/mac80211-ops.c
3576 +++ b/drivers/net/wireless/ath/ath5k/mac80211-ops.c
3577 @@ -706,6 +706,7 @@ ath5k_get_survey(struct ieee80211_hw *hw
3578 survey->channel = conf->chandef.chan;
3579 survey->noise = ah->ah_noise_floor;
3580 survey->filled = SURVEY_INFO_NOISE_DBM |
3581 + SURVEY_INFO_IN_USE |
3582 SURVEY_INFO_CHANNEL_TIME |
3583 SURVEY_INFO_CHANNEL_TIME_BUSY |
3584 SURVEY_INFO_CHANNEL_TIME_RX |
3585 --- a/drivers/net/wireless/ath/ath9k/recv.c
3586 +++ b/drivers/net/wireless/ath/ath9k/recv.c
3587 @@ -732,11 +732,18 @@ static struct ath_rxbuf *ath_get_next_rx
3588 return NULL;
3589
3590 /*
3591 - * mark descriptor as zero-length and set the 'more'
3592 - * flag to ensure that both buffers get discarded
3593 + * Re-check previous descriptor, in case it has been filled
3594 + * in the mean time.
3595 */
3596 - rs->rs_datalen = 0;
3597 - rs->rs_more = true;
3598 + ret = ath9k_hw_rxprocdesc(ah, ds, rs);
3599 + if (ret == -EINPROGRESS) {
3600 + /*
3601 + * mark descriptor as zero-length and set the 'more'
3602 + * flag to ensure that both buffers get discarded
3603 + */
3604 + rs->rs_datalen = 0;
3605 + rs->rs_more = true;
3606 + }
3607 }
3608
3609 list_del(&bf->list);
3610 @@ -985,32 +992,32 @@ static int ath9k_rx_skb_preprocess(struc
3611 struct ath_common *common = ath9k_hw_common(ah);
3612 struct ieee80211_hdr *hdr;
3613 bool discard_current = sc->rx.discard_next;
3614 - int ret = 0;
3615
3616 /*
3617 * Discard corrupt descriptors which are marked in
3618 * ath_get_next_rx_buf().
3619 */
3620 - sc->rx.discard_next = rx_stats->rs_more;
3621 if (discard_current)
3622 - return -EINVAL;
3623 + goto corrupt;
3624 +
3625 + sc->rx.discard_next = false;
3626
3627 /*
3628 * Discard zero-length packets.
3629 */
3630 if (!rx_stats->rs_datalen) {
3631 RX_STAT_INC(rx_len_err);
3632 - return -EINVAL;
3633 + goto corrupt;
3634 }
3635
3636 - /*
3637 - * rs_status follows rs_datalen so if rs_datalen is too large
3638 - * we can take a hint that hardware corrupted it, so ignore
3639 - * those frames.
3640 - */
3641 + /*
3642 + * rs_status follows rs_datalen so if rs_datalen is too large
3643 + * we can take a hint that hardware corrupted it, so ignore
3644 + * those frames.
3645 + */
3646 if (rx_stats->rs_datalen > (common->rx_bufsize - ah->caps.rx_status_len)) {
3647 RX_STAT_INC(rx_len_err);
3648 - return -EINVAL;
3649 + goto corrupt;
3650 }
3651
3652 /* Only use status info from the last fragment */
3653 @@ -1024,10 +1031,8 @@ static int ath9k_rx_skb_preprocess(struc
3654 * This is different from the other corrupt descriptor
3655 * condition handled above.
3656 */
3657 - if (rx_stats->rs_status & ATH9K_RXERR_CORRUPT_DESC) {
3658 - ret = -EINVAL;
3659 - goto exit;
3660 - }
3661 + if (rx_stats->rs_status & ATH9K_RXERR_CORRUPT_DESC)
3662 + goto corrupt;
3663
3664 hdr = (struct ieee80211_hdr *) (skb->data + ah->caps.rx_status_len);
3665
3666 @@ -1043,18 +1048,15 @@ static int ath9k_rx_skb_preprocess(struc
3667 if (ath_process_fft(sc, hdr, rx_stats, rx_status->mactime))
3668 RX_STAT_INC(rx_spectral);
3669
3670 - ret = -EINVAL;
3671 - goto exit;
3672 + return -EINVAL;
3673 }
3674
3675 /*
3676 * everything but the rate is checked here, the rate check is done
3677 * separately to avoid doing two lookups for a rate for each frame.
3678 */
3679 - if (!ath9k_rx_accept(common, hdr, rx_status, rx_stats, decrypt_error)) {
3680 - ret = -EINVAL;
3681 - goto exit;
3682 - }
3683 + if (!ath9k_rx_accept(common, hdr, rx_status, rx_stats, decrypt_error))
3684 + return -EINVAL;
3685
3686 if (ath_is_mybeacon(common, hdr)) {
3687 RX_STAT_INC(rx_beacons);
3688 @@ -1064,15 +1066,11 @@ static int ath9k_rx_skb_preprocess(struc
3689 /*
3690 * This shouldn't happen, but have a safety check anyway.
3691 */
3692 - if (WARN_ON(!ah->curchan)) {
3693 - ret = -EINVAL;
3694 - goto exit;
3695 - }
3696 + if (WARN_ON(!ah->curchan))
3697 + return -EINVAL;
3698
3699 - if (ath9k_process_rate(common, hw, rx_stats, rx_status)) {
3700 - ret =-EINVAL;
3701 - goto exit;
3702 - }
3703 + if (ath9k_process_rate(common, hw, rx_stats, rx_status))
3704 + return -EINVAL;
3705
3706 ath9k_process_rssi(common, hw, rx_stats, rx_status);
3707
3708 @@ -1087,9 +1085,11 @@ static int ath9k_rx_skb_preprocess(struc
3709 sc->rx.num_pkts++;
3710 #endif
3711
3712 -exit:
3713 - sc->rx.discard_next = false;
3714 - return ret;
3715 + return 0;
3716 +
3717 +corrupt:
3718 + sc->rx.discard_next = rx_stats->rs_more;
3719 + return -EINVAL;
3720 }
3721
3722 static void ath9k_rx_skb_postprocess(struct ath_common *common,
3723 --- a/drivers/net/wireless/ath/ath9k/ani.c
3724 +++ b/drivers/net/wireless/ath/ath9k/ani.c
3725 @@ -176,16 +176,26 @@ static void ath9k_hw_set_ofdm_nil(struct
3726 if (ah->opmode == NL80211_IFTYPE_STATION &&
3727 BEACON_RSSI(ah) <= ATH9K_ANI_RSSI_THR_HIGH)
3728 weak_sig = true;
3729 -
3730 /*
3731 - * OFDM Weak signal detection is always enabled for AP mode.
3732 + * Newer chipsets are better at dealing with high PHY error counts -
3733 + * keep weak signal detection enabled when no RSSI threshold is
3734 + * available to determine if it is needed (mode != STA)
3735 */
3736 - if (ah->opmode != NL80211_IFTYPE_AP &&
3737 - aniState->ofdmWeakSigDetect != weak_sig) {
3738 - ath9k_hw_ani_control(ah,
3739 - ATH9K_ANI_OFDM_WEAK_SIGNAL_DETECTION,
3740 - entry_ofdm->ofdm_weak_signal_on);
3741 - }
3742 + else if (AR_SREV_9300_20_OR_LATER(ah) &&
3743 + ah->opmode != NL80211_IFTYPE_STATION)
3744 + weak_sig = true;
3745 +
3746 + /* Older chipsets are more sensitive to high PHY error counts */
3747 + else if (!AR_SREV_9300_20_OR_LATER(ah) &&
3748 + aniState->ofdmNoiseImmunityLevel >= 8)
3749 + weak_sig = false;
3750 +
3751 + if (aniState->ofdmWeakSigDetect != weak_sig)
3752 + ath9k_hw_ani_control(ah, ATH9K_ANI_OFDM_WEAK_SIGNAL_DETECTION,
3753 + weak_sig);
3754 +
3755 + if (!AR_SREV_9300_20_OR_LATER(ah))
3756 + return;
3757
3758 if (aniState->ofdmNoiseImmunityLevel >= ATH9K_ANI_OFDM_DEF_LEVEL) {
3759 ah->config.ofdm_trig_high = ATH9K_ANI_OFDM_TRIG_HIGH;
3760 @@ -483,10 +493,17 @@ void ath9k_hw_ani_init(struct ath_hw *ah
3761
3762 ath_dbg(common, ANI, "Initialize ANI\n");
3763
3764 - ah->config.ofdm_trig_high = ATH9K_ANI_OFDM_TRIG_HIGH;
3765 - ah->config.ofdm_trig_low = ATH9K_ANI_OFDM_TRIG_LOW;
3766 - ah->config.cck_trig_high = ATH9K_ANI_CCK_TRIG_HIGH;
3767 - ah->config.cck_trig_low = ATH9K_ANI_CCK_TRIG_LOW;
3768 + if (AR_SREV_9300_20_OR_LATER(ah)) {
3769 + ah->config.ofdm_trig_high = ATH9K_ANI_OFDM_TRIG_HIGH;
3770 + ah->config.ofdm_trig_low = ATH9K_ANI_OFDM_TRIG_LOW;
3771 + ah->config.cck_trig_high = ATH9K_ANI_CCK_TRIG_HIGH;
3772 + ah->config.cck_trig_low = ATH9K_ANI_CCK_TRIG_LOW;
3773 + } else {
3774 + ah->config.ofdm_trig_high = ATH9K_ANI_OFDM_TRIG_HIGH_OLD;
3775 + ah->config.ofdm_trig_low = ATH9K_ANI_OFDM_TRIG_LOW_OLD;
3776 + ah->config.cck_trig_high = ATH9K_ANI_CCK_TRIG_HIGH_OLD;
3777 + ah->config.cck_trig_low = ATH9K_ANI_CCK_TRIG_LOW_OLD;
3778 + }
3779
3780 ani->spurImmunityLevel = ATH9K_ANI_SPUR_IMMUNE_LVL;
3781 ani->firstepLevel = ATH9K_ANI_FIRSTEP_LVL;
3782 --- a/drivers/net/wireless/ath/ath9k/ani.h
3783 +++ b/drivers/net/wireless/ath/ath9k/ani.h
3784 @@ -22,12 +22,16 @@
3785 /* units are errors per second */
3786 #define ATH9K_ANI_OFDM_TRIG_HIGH 3500
3787 #define ATH9K_ANI_OFDM_TRIG_HIGH_BELOW_INI 1000
3788 +#define ATH9K_ANI_OFDM_TRIG_HIGH_OLD 500
3789
3790 #define ATH9K_ANI_OFDM_TRIG_LOW 400
3791 #define ATH9K_ANI_OFDM_TRIG_LOW_ABOVE_INI 900
3792 +#define ATH9K_ANI_OFDM_TRIG_LOW_OLD 200
3793
3794 #define ATH9K_ANI_CCK_TRIG_HIGH 600
3795 +#define ATH9K_ANI_CCK_TRIG_HIGH_OLD 200
3796 #define ATH9K_ANI_CCK_TRIG_LOW 300
3797 +#define ATH9K_ANI_CCK_TRIG_LOW_OLD 100
3798
3799 #define ATH9K_ANI_SPUR_IMMUNE_LVL 3
3800 #define ATH9K_ANI_FIRSTEP_LVL 2
Staging tree of Jo-Philipp Wich