--- /dev/null
+--- a/main.c
++++ b/main.c
+@@ -497,7 +497,7 @@ int acx_free_mechanics(acx_device_t *ade
+
+ int acx_init_ieee80211(acx_device_t *adev, struct ieee80211_hw *hw)
+ {
+- hw->flags &= ~IEEE80211_HW_RX_INCLUDES_FCS;
++ __clear_bit(IEEE80211_HW_RX_INCLUDES_FCS, hw->flags);
+ hw->queues = 1;
+ hw->wiphy->max_scan_ssids = 1;
+
+@@ -525,14 +525,14 @@ int acx_init_ieee80211(acx_device_t *ade
+ /* We base signal quality on winlevel approach of previous driver
+ * TODO OW 20100615 This should into a common init code
+ */
+- hw->flags |= IEEE80211_HW_SIGNAL_UNSPEC;
++ __set_bit(IEEE80211_HW_SIGNAL_UNSPEC, hw->flags);
+ hw->max_signal = 100;
+
+ if (IS_ACX100(adev)) {
+- adev->hw->wiphy->bands[IEEE80211_BAND_2GHZ] =
++ adev->hw->wiphy->bands[NL80211_BAND_2GHZ] =
+ &acx100_band_2GHz;
+ } else if (IS_ACX111(adev))
+- adev->hw->wiphy->bands[IEEE80211_BAND_2GHZ] =
++ adev->hw->wiphy->bands[NL80211_BAND_2GHZ] =
+ &acx111_band_2GHz;
+ else {
+ log(L_ANY, "Error: Unknown device");
+@@ -945,8 +945,8 @@ void acx_op_configure_filter(struct ieee
+ changed_flags, *total_flags);
+
+ /* OWI TODO: Set also FIF_PROBE_REQ ? */
+- *total_flags &= (FIF_PROMISC_IN_BSS | FIF_ALLMULTI | FIF_FCSFAIL
+- | FIF_CONTROL | FIF_OTHER_BSS);
++ *total_flags &= (FIF_ALLMULTI | FIF_FCSFAIL | FIF_CONTROL
++ | FIF_OTHER_BSS);
+
+ logf1(L_DEBUG, "2: *total_flags=0x%08x\n", *total_flags);
+
+@@ -1045,9 +1045,10 @@ void acx_op_tx(struct ieee80211_hw *hw,
+ }
+
+ int acx_op_hw_scan(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
+- struct cfg80211_scan_request *req)
++ struct ieee80211_scan_request *hw_req)
+ {
+ acx_device_t *adev = hw2adev(hw);
++ struct cfg80211_scan_request *req = &hw_req->req;
+ struct sk_buff *skb;
+ size_t ssid_len = 0;
+ u8 *ssid = NULL;
+@@ -1082,7 +1083,7 @@ int acx_op_hw_scan(struct ieee80211_hw *
+ goto out;
+ }
+ #else
+- skb = ieee80211_probereq_get(adev->hw, adev->vif, ssid, ssid_len,
++ skb = ieee80211_probereq_get(adev->hw, vif->addr, ssid, ssid_len,
+ req->ie_len);
+ if (!skb) {
+ ret = -ENOMEM;
+--- a/main.h
++++ b/main.h
+@@ -62,7 +62,7 @@ void acx_op_tx(struct ieee80211_hw *hw,
+ #endif
+
+ int acx_op_hw_scan(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
+- struct cfg80211_scan_request *req);
++ struct ieee80211_scan_request *req);
+
+ int acx_recover_hw(acx_device_t *adev);
+
+--- a/cardsetting.c
++++ b/cardsetting.c
+@@ -159,7 +159,7 @@ int acx_set_channel(acx_device_t *adev,
+ int res = 0;
+
+ adev->rx_status.freq = freq;
+- adev->rx_status.band = IEEE80211_BAND_2GHZ;
++ adev->rx_status.band = NL80211_BAND_2GHZ;
+
+ adev->channel = channel;
+
+++ /dev/null
-diff --git a/main.c b/main.c
-index bfec856..3c482d9 100644
---- a/main.c
-+++ b/main.c
-@@ -497,7 +497,7 @@ int acx_free_mechanics(acx_device_t *adev)
-
- int acx_init_ieee80211(acx_device_t *adev, struct ieee80211_hw *hw)
- {
-- hw->flags &= ~IEEE80211_HW_RX_INCLUDES_FCS;
-+ __clear_bit(IEEE80211_HW_RX_INCLUDES_FCS, hw->flags);
- hw->queues = 1;
- hw->wiphy->max_scan_ssids = 1;
-
-@@ -525,7 +525,7 @@ int acx_init_ieee80211(acx_device_t *adev, struct ieee80211_hw *hw)
- /* We base signal quality on winlevel approach of previous driver
- * TODO OW 20100615 This should into a common init code
- */
-- hw->flags |= IEEE80211_HW_SIGNAL_UNSPEC;
-+ __set_bit(IEEE80211_HW_SIGNAL_UNSPEC, hw->flags);
- hw->max_signal = 100;
-
- if (IS_ACX100(adev)) {
-@@ -945,8 +945,8 @@ void acx_op_configure_filter(struct ieee80211_hw *hw,
- changed_flags, *total_flags);
-
- /* OWI TODO: Set also FIF_PROBE_REQ ? */
-- *total_flags &= (FIF_PROMISC_IN_BSS | FIF_ALLMULTI | FIF_FCSFAIL
-- | FIF_CONTROL | FIF_OTHER_BSS);
-+ *total_flags &= (FIF_ALLMULTI | FIF_FCSFAIL | FIF_CONTROL
-+ | FIF_OTHER_BSS);
-
- logf1(L_DEBUG, "2: *total_flags=0x%08x\n", *total_flags);
-
-@@ -1045,9 +1045,10 @@ void acx_op_tx(struct ieee80211_hw *hw, struct ieee80211_tx_control *control,
- }
-
- int acx_op_hw_scan(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
-- struct cfg80211_scan_request *req)
-+ struct ieee80211_scan_request *hw_req)
- {
- acx_device_t *adev = hw2adev(hw);
-+ struct cfg80211_scan_request *req = &hw_req->req;
- struct sk_buff *skb;
- size_t ssid_len = 0;
- u8 *ssid = NULL;
-@@ -1082,7 +1083,7 @@ int acx_op_hw_scan(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
- goto out;
- }
- #else
-- skb = ieee80211_probereq_get(adev->hw, adev->vif, ssid, ssid_len,
-+ skb = ieee80211_probereq_get(adev->hw, vif->addr, ssid, ssid_len,
- req->ie_len);
- if (!skb) {
- ret = -ENOMEM;
-diff --git a/main.h b/main.h
-index 293f5c8..84ecb9a 100644
---- a/main.h
-+++ b/main.h
-@@ -62,7 +62,7 @@ void acx_op_tx(struct ieee80211_hw *hw, struct ieee80211_tx_control *control,
- #endif
-
- int acx_op_hw_scan(struct ieee80211_hw *hw, struct ieee80211_vif *vif,
-- struct cfg80211_scan_request *req);
-+ struct ieee80211_scan_request *req);
-
- int acx_recover_hw(acx_device_t *adev);
-
PKG_NAME:=mac80211
-PKG_VERSION:=2016-01-10
+PKG_VERSION:=2016-05-12
PKG_RELEASE:=1
PKG_SOURCE_URL:=http://mirror2.openwrt.org/sources
PKG_BACKPORT_VERSION:=
-PKG_MD5SUM:=be5fae2e8d6f7490f9b073374fb895ba
+PKG_MD5SUM:=2142cf38509896dca108624e7c193611
PKG_SOURCE:=compat-wireless-$(PKG_VERSION)$(PKG_BACKPORT_VERSION).tar.bz2
PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/compat-wireless-$(PKG_VERSION)
define KernelPackage/lib80211
$(call KernelPackage/mac80211/Default)
TITLE:=802.11 Networking stack
- DEPENDS:=+kmod-cfg80211
+ DEPENDS:=+kmod-cfg80211 +kmod-crypto-hash
FILES:= \
$(PKG_BUILD_DIR)/net/wireless/lib80211.ko \
$(PKG_BUILD_DIR)/net/wireless/lib80211_crypt_wep.ko \
+++ /dev/null
-From: Felix Fietkau <nbd@openwrt.org>
-Date: Thu, 28 Jan 2016 15:16:35 +0100
-Subject: [PATCH] backports: add skb_free_frag()
-
-Signed-off-by: Felix Fietkau <nbd@openwrt.org>
----
-
---- a/backport-include/linux/skbuff.h
-+++ b/backport-include/linux/skbuff.h
-@@ -300,4 +300,11 @@ int skb_ensure_writable(struct sk_buff *
-
- #endif /* LINUX_VERSION_CODE < KERNEL_VERSION(3,19,0) */
-
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(4,2,0)
-+static inline void skb_free_frag(void *data)
-+{
-+ put_page(virt_to_head_page(data));
-+}
-+#endif
-+
- #endif /* __BACKPORT_SKBUFF_H */
--- /dev/null
+From: Felix Fietkau <nbd@nbd.name>
+Date: Sat, 14 May 2016 16:39:35 +0200
+Subject: [PATCH] header: backport GENL_UNS_ADMIN_PERM
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+ create mode 100644 backport-include/uapi/linux/genetlink.h
+
+--- /dev/null
++++ b/backport-include/uapi/linux/genetlink.h
+@@ -0,0 +1,10 @@
++#ifndef __COMPAT_UAPI_LINUX_GENETLINK_H
++#define __COMPAT_UAPI_LINUX_GENETLINK_H
++
++#include_next <uapi/linux/genetlink.h>
++
++#ifndef GENL_UNS_ADMIN_PERM
++#define GENL_UNS_ADMIN_PERM GENL_ADMIN_PERM
++#endif
++
++#endif
+++ /dev/null
-From: Felix Fietkau <nbd@openwrt.org>
-Date: Thu, 28 Jan 2016 15:19:22 +0100
-Subject: [PATCH] backports: add napi_alloc_frag
-
-Signed-off-by: Felix Fietkau <nbd@openwrt.org>
----
-
---- a/backport-include/linux/netdevice.h
-+++ b/backport-include/linux/netdevice.h
-@@ -232,6 +232,10 @@ static inline void backport_unregister_n
- #define unregister_netdevice_many LINUX_BACKPORT(unregister_netdevice_many)
- #endif
-
-+#if LINUX_VERSION_CODE < KERNEL_VERSION(3,19,0)
-+#define napi_alloc_frag netdev_alloc_frag
-+#endif
-+
- /*
- * Complicated way of saying: We only backport netdev_rss_key stuff on kernels
- * that either already have net_get_random_once() (>= 3.13) or where we've been
--- /dev/null
+From: Felix Fietkau <nbd@nbd.name>
+Date: Sat, 14 May 2016 16:40:16 +0200
+Subject: [PATCH] header: backport nla_put_u64_64bit and nla_put_64bit
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+
+--- a/backport-include/net/netlink.h
++++ b/backport-include/net/netlink.h
+@@ -189,4 +189,148 @@ static inline __le64 nla_get_le64(const
+ }
+ #endif /* < 4.4 */
+
++
++#if LINUX_VERSION_CODE < KERNEL_VERSION(4,7,0)
++
++/**
++ * nla_need_padding_for_64bit - test 64-bit alignment of the next attribute
++ * @skb: socket buffer the message is stored in
++ *
++ * Return true if padding is needed to align the next attribute (nla_data()) to
++ * a 64-bit aligned area.
++ */
++static inline bool nla_need_padding_for_64bit(struct sk_buff *skb)
++{
++#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
++ /* The nlattr header is 4 bytes in size, that's why we test
++ * if the skb->data _is_ aligned. A NOP attribute, plus
++ * nlattr header for next attribute, will make nla_data()
++ * 8-byte aligned.
++ */
++ if (IS_ALIGNED((unsigned long)skb_tail_pointer(skb), 8))
++ return true;
++#endif
++ return false;
++}
++
++/**
++ * nla_align_64bit - 64-bit align the nla_data() of next attribute
++ * @skb: socket buffer the message is stored in
++ * @padattr: attribute type for the padding
++ *
++ * Conditionally emit a padding netlink attribute in order to make
++ * the next attribute we emit have a 64-bit aligned nla_data() area.
++ * This will only be done in architectures which do not have
++ * CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS defined.
++ *
++ * Returns zero on success or a negative error code.
++ */
++static inline int nla_align_64bit(struct sk_buff *skb, int padattr)
++{
++ if (nla_need_padding_for_64bit(skb) &&
++ !nla_reserve(skb, padattr, 0))
++ return -EMSGSIZE;
++
++ return 0;
++}
++
++/**
++ * __nla_reserve_64bit - reserve room for attribute on the skb and align it
++ * @skb: socket buffer to reserve room on
++ * @attrtype: attribute type
++ * @attrlen: length of attribute payload
++ * @padattr: attribute type for the padding
++ *
++ * Adds a netlink attribute header to a socket buffer and reserves
++ * room for the payload but does not copy it. It also ensure that this
++ * attribute will have a 64-bit aligned nla_data() area.
++ *
++ * The caller is responsible to ensure that the skb provides enough
++ * tailroom for the attribute header and payload.
++ */
++static inline struct nlattr *__nla_reserve_64bit(struct sk_buff *skb, int attrtype,
++ int attrlen, int padattr)
++{
++ if (nla_need_padding_for_64bit(skb))
++ nla_align_64bit(skb, padattr);
++
++ return __nla_reserve(skb, attrtype, attrlen);
++}
++
++/**
++ * __nla_put_64bit - Add a netlink attribute to a socket buffer and align it
++ * @skb: socket buffer to add attribute to
++ * @attrtype: attribute type
++ * @attrlen: length of attribute payload
++ * @data: head of attribute payload
++ * @padattr: attribute type for the padding
++ *
++ * The caller is responsible to ensure that the skb provides enough
++ * tailroom for the attribute header and payload.
++ */
++static inline void __nla_put_64bit(struct sk_buff *skb, int attrtype, int attrlen,
++ const void *data, int padattr)
++{
++ struct nlattr *nla;
++
++ nla = __nla_reserve_64bit(skb, attrtype, attrlen, padattr);
++ memcpy(nla_data(nla), data, attrlen);
++}
++
++/**
++ * nla_total_size_64bit - total length of attribute including padding
++ * @payload: length of payload
++ */
++static inline int nla_total_size_64bit(int payload)
++{
++ return NLA_ALIGN(nla_attr_size(payload))
++#ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
++ + NLA_ALIGN(nla_attr_size(0))
++#endif
++ ;
++}
++
++/**
++ * nla_put_64bit - Add a netlink attribute to a socket buffer and align it
++ * @skb: socket buffer to add attribute to
++ * @attrtype: attribute type
++ * @attrlen: length of attribute payload
++ * @data: head of attribute payload
++ * @padattr: attribute type for the padding
++ *
++ * Returns -EMSGSIZE if the tailroom of the skb is insufficient to store
++ * the attribute header and payload.
++ */
++static inline int nla_put_64bit(struct sk_buff *skb, int attrtype, int attrlen,
++ const void *data, int padattr)
++{
++ size_t len;
++
++ if (nla_need_padding_for_64bit(skb))
++ len = nla_total_size_64bit(attrlen);
++ else
++ len = nla_total_size(attrlen);
++ if (unlikely(skb_tailroom(skb) < len))
++ return -EMSGSIZE;
++
++ __nla_put_64bit(skb, attrtype, attrlen, data, padattr);
++ return 0;
++}
++
++/**
++ * nla_put_u64_64bit - Add a u64 netlink attribute to a skb and align it
++ * @skb: socket buffer to add attribute to
++ * @attrtype: attribute type
++ * @value: numeric value
++ * @padattr: attribute type for the padding
++ */
++static inline int nla_put_u64_64bit(struct sk_buff *skb, int attrtype,
++ u64 value, int padattr)
++{
++ return nla_put_64bit(skb, attrtype, sizeof(u64), &value, padattr);
++}
++
++
++#endif /* LINUX_VERSION_CODE < KERNEL_VERSION(4,7,0) */
++
+ #endif /* __BACKPORT_NET_NETLINK_H */
--- /dev/null
+From: Felix Fietkau <nbd@nbd.name>
+Date: Sat, 14 May 2016 16:44:57 +0200
+Subject: [PATCH] compat: bump rhashtable backport version due to API changes
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+
+--- a/compat/Kconfig
++++ b/compat/Kconfig
+@@ -139,7 +139,7 @@ config BPAUTO_BUILD_WANT_DEV_COREDUMP
+ config BPAUTO_RHASHTABLE
+ bool
+ # current API of rhashtable was introduced in version 4.1
+- depends on KERNEL_4_1
++ depends on KERNEL_4_7
+ # not very nice - but better than always having it
+ default y if MAC80211
+ #h-file linux/rhashtable.h
--- a/.local-symbols
+++ b/.local-symbols
-@@ -476,44 +476,6 @@ USB_IPHETH=
+@@ -481,45 +481,6 @@ USB_IPHETH=
USB_SIERRA_NET=
USB_VL600=
USB_NET_CH9200=
-BCMA_DRIVER_PCI=
-BCMA_DRIVER_PCI_HOSTMODE=
-BCMA_DRIVER_MIPS=
+-BCMA_PFLASH=
-BCMA_SFLASH=
-BCMA_NFLASH=
-BCMA_DRIVER_GMAC_CMN=
return (bus->chipco.dev ? bus->chipco.dev : bus->pcicore.dev);
#else
return bus->chipco.dev;
-@@ -4903,7 +4903,7 @@ static int b43_wireless_core_init(struct
+@@ -4901,7 +4901,7 @@ static int b43_wireless_core_init(struct
}
if (sprom->boardflags_lo & B43_BFL_XTAL_NOSLOW)
hf |= B43_HF_DSCRQ; /* Disable slowclock requests from ucode. */
+++ /dev/null
---- a/compat/compat-3.6.c
-+++ b/compat/compat-3.6.c
-@@ -147,17 +147,3 @@ int sg_alloc_table_from_pages(struct sg_
- return 0;
- }
- EXPORT_SYMBOL_GPL(sg_alloc_table_from_pages);
--
--/* whoopsie ! */
--#ifndef CONFIG_COMMON_CLK
--int clk_enable(struct clk *clk)
--{
-- return 0;
--}
--EXPORT_SYMBOL_GPL(clk_enable);
--
--void clk_disable(struct clk *clk)
--{
--}
--EXPORT_SYMBOL_GPL(clk_disable);
--#endif
#include "aes_ccm.h"
-void ieee80211_aes_ccm_encrypt(struct crypto_aead *tfm, u8 *b_0, u8 *aad,
-- u8 *data, size_t data_len, u8 *mic,
-- size_t mic_len)
+static void aes_ccm_prepare(struct crypto_cipher *tfm, u8 *b_0, u8 *aad, u8 *s_0,
+ u8 *a, u8 *b)
- {
-- struct scatterlist sg[3];
++{
+ int i;
+
+ crypto_cipher_encrypt_one(tfm, b, b_0);
+ for (i = 0; i < AES_BLOCK_SIZE; i++)
+ aad[i] ^= b[i];
+ crypto_cipher_encrypt_one(tfm, a, aad);
-
-- char aead_req_data[sizeof(struct aead_request) +
-- crypto_aead_reqsize(tfm)]
-- __aligned(__alignof__(struct aead_request));
-- struct aead_request *aead_req = (void *) aead_req_data;
++
+ /* Mask out bits from auth-only-b_0 */
+ b_0[0] &= 0x07;
-
-- memset(aead_req, 0, sizeof(aead_req_data));
++
+ /* S_0 is used to encrypt T (= MIC) */
+ b_0[14] = 0;
+ b_0[15] = 0;
+ crypto_cipher_encrypt_one(tfm, s_0, b_0);
+}
-
-- sg_init_table(sg, 3);
-- sg_set_buf(&sg[0], &aad[2], be16_to_cpup((__be16 *)aad));
-- sg_set_buf(&sg[1], data, data_len);
-- sg_set_buf(&sg[2], mic, mic_len);
-
-- aead_request_set_tfm(aead_req, tfm);
-- aead_request_set_crypt(aead_req, sg, sg, data_len, b_0);
-- aead_request_set_ad(aead_req, sg[0].length);
++
++
+void ieee80211_aes_ccm_encrypt(struct crypto_cipher *tfm, u8 *b_0, u8 *aad,
-+ u8 *data, size_t data_len, u8 *mic,
-+ size_t mic_len)
-+{
+ u8 *data, size_t data_len, u8 *mic,
+ size_t mic_len)
+ {
+- struct scatterlist sg[3];
+ int i, j, last_len, num_blocks;
+ u8 b[AES_BLOCK_SIZE];
+ u8 s_0[AES_BLOCK_SIZE];
+ u8 e[AES_BLOCK_SIZE];
+ u8 *pos, *cpos;
-+
+
+- char aead_req_data[sizeof(struct aead_request) +
+- crypto_aead_reqsize(tfm)]
+- __aligned(__alignof__(struct aead_request));
+- struct aead_request *aead_req = (void *) aead_req_data;
+ num_blocks = DIV_ROUND_UP(data_len, AES_BLOCK_SIZE);
+ last_len = data_len % AES_BLOCK_SIZE;
+ aes_ccm_prepare(tfm, b_0, aad, s_0, b, b);
-+
+
+- memset(aead_req, 0, sizeof(aead_req_data));
+ /* Process payload blocks */
+ pos = data;
+ cpos = data;
+ for (j = 1; j <= num_blocks; j++) {
+ int blen = (j == num_blocks && last_len) ?
+ last_len : AES_BLOCK_SIZE;
-+
+
+- sg_init_table(sg, 3);
+- sg_set_buf(&sg[0], &aad[2], be16_to_cpup((__be16 *)aad));
+- sg_set_buf(&sg[1], data, data_len);
+- sg_set_buf(&sg[2], mic, mic_len);
+ /* Authentication followed by encryption */
+ for (i = 0; i < blen; i++)
+ b[i] ^= pos[i];
+ crypto_cipher_encrypt_one(tfm, b, b);
-+
+
+- aead_request_set_tfm(aead_req, tfm);
+- aead_request_set_crypt(aead_req, sg, sg, data_len, b_0);
+- aead_request_set_ad(aead_req, sg[0].length);
+ b_0[14] = (j >> 8) & 0xff;
+ b_0[15] = j & 0xff;
+ crypto_cipher_encrypt_one(tfm, e, b_0);
- crypto_aead_reqsize(tfm)]
- __aligned(__alignof__(struct aead_request));
- struct aead_request *aead_req = (void *) aead_req_data;
--
-- if (data_len == 0)
-- return -EINVAL;
--
-- memset(aead_req, 0, sizeof(aead_req_data));
--
-- sg_init_table(sg, 3);
-- sg_set_buf(&sg[0], &aad[2], be16_to_cpup((__be16 *)aad));
-- sg_set_buf(&sg[1], data, data_len);
-- sg_set_buf(&sg[2], mic, mic_len);
--
-- aead_request_set_tfm(aead_req, tfm);
-- aead_request_set_crypt(aead_req, sg, sg, data_len + mic_len, b_0);
-- aead_request_set_ad(aead_req, sg[0].length);
+ int i, j, last_len, num_blocks;
+ u8 *pos, *cpos;
+ u8 a[AES_BLOCK_SIZE];
+ u8 b[AES_BLOCK_SIZE];
+ u8 s_0[AES_BLOCK_SIZE];
-+
+
+- if (data_len == 0)
+- return -EINVAL;
+ num_blocks = DIV_ROUND_UP(data_len, AES_BLOCK_SIZE);
+ last_len = data_len % AES_BLOCK_SIZE;
+ aes_ccm_prepare(tfm, b_0, aad, s_0, a, b);
-+
+
+- memset(aead_req, 0, sizeof(aead_req_data));
+ /* Process payload blocks */
+ cpos = data;
+ pos = data;
+ for (j = 1; j <= num_blocks; j++) {
+ int blen = (j == num_blocks && last_len) ?
+ last_len : AES_BLOCK_SIZE;
-+
+
+- sg_init_table(sg, 3);
+- sg_set_buf(&sg[0], &aad[2], be16_to_cpup((__be16 *)aad));
+- sg_set_buf(&sg[1], data, data_len);
+- sg_set_buf(&sg[2], mic, mic_len);
+ /* Decryption followed by authentication */
+ b_0[14] = (j >> 8) & 0xff;
+ b_0[15] = j & 0xff;
+ }
+ crypto_cipher_encrypt_one(tfm, a, a);
+ }
-+
+
+- aead_request_set_tfm(aead_req, tfm);
+- aead_request_set_crypt(aead_req, sg, sg, data_len + mic_len, b_0);
+- aead_request_set_ad(aead_req, sg[0].length);
+ for (i = 0; i < mic_len; i++) {
+ if ((mic[i] ^ s_0[i]) != a[i])
+ return -1;
{
- struct crypto_aead *tfm;
- int err;
-+ struct crypto_cipher *tfm;
-
+-
- tfm = crypto_alloc_aead("ccm(aes)", 0, CRYPTO_ALG_ASYNC);
- if (IS_ERR(tfm))
- return tfm;
--
++ struct crypto_cipher *tfm;
+
- err = crypto_aead_setkey(tfm, key, key_len);
- if (err)
- goto free_aead;
#endif /* AES_GMAC_H */
--- a/net/mac80211/key.h
+++ b/net/mac80211/key.h
-@@ -84,7 +84,7 @@ struct ieee80211_key {
+@@ -88,7 +88,7 @@ struct ieee80211_key {
* Management frames.
*/
u8 rx_pn[IEEE80211_NUM_TIDS + 1][IEEE80211_CCMP_PN_LEN];
struct {
--- a/net/mac80211/wpa.c
+++ b/net/mac80211/wpa.c
-@@ -307,7 +307,8 @@ ieee80211_crypto_tkip_decrypt(struct iee
+@@ -304,7 +304,8 @@ ieee80211_crypto_tkip_decrypt(struct iee
}
{
__le16 mask_fc;
int a4_included, mgmt;
-@@ -337,14 +338,8 @@ static void ccmp_special_blocks(struct s
+@@ -334,14 +335,8 @@ static void ccmp_special_blocks(struct s
else
qos_tid = 0;
/* Nonce: Nonce Flags | A2 | PN
* Nonce Flags: Priority (b0..b3) | Management (b4) | Reserved (b5..b7)
-@@ -352,6 +347,8 @@ static void ccmp_special_blocks(struct s
+@@ -349,6 +344,8 @@ static void ccmp_special_blocks(struct s
b_0[1] = qos_tid | (mgmt << 4);
memcpy(&b_0[2], hdr->addr2, ETH_ALEN);
memcpy(&b_0[8], pn, IEEE80211_CCMP_PN_LEN);
/* AAD (extra authenticate-only data) / masked 802.11 header
* FC | A1 | A2 | A3 | SC | [A4] | [QC] */
-@@ -463,7 +460,7 @@ static int ccmp_encrypt_skb(struct ieee8
+@@ -460,7 +457,7 @@ static int ccmp_encrypt_skb(struct ieee8
return 0;
pos += IEEE80211_CCMP_HDR_LEN;
ieee80211_aes_ccm_encrypt(key->u.ccmp.tfm, b_0, aad, pos, len,
skb_put(skb, mic_len), mic_len);
-@@ -534,7 +531,7 @@ ieee80211_crypto_ccmp_decrypt(struct iee
+@@ -537,7 +534,7 @@ ieee80211_crypto_ccmp_decrypt(struct iee
u8 aad[2 * AES_BLOCK_SIZE];
u8 b_0[AES_BLOCK_SIZE];
/* hardware didn't decrypt/verify MIC */
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
-@@ -846,7 +846,6 @@ static int ieee80211_stop_ap(struct wiph
+@@ -850,7 +850,6 @@ static int ieee80211_stop_ap(struct wiph
sdata->u.ap.driver_smps_mode = IEEE80211_SMPS_OFF;
__sta_info_flush(sdata, true);
static int ieee80211_ifa6_changed(struct notifier_block *nb,
unsigned long data, void *arg)
{
-@@ -1087,14 +1087,14 @@ int ieee80211_register_hw(struct ieee802
+@@ -1089,14 +1089,14 @@ int ieee80211_register_hw(struct ieee802
rtnl_unlock();
local->ifa6_notifier.notifier_call = ieee80211_ifa6_changed;
result = register_inet6addr_notifier(&local->ifa6_notifier);
if (result)
-@@ -1103,13 +1103,13 @@ int ieee80211_register_hw(struct ieee802
+@@ -1105,13 +1105,13 @@ int ieee80211_register_hw(struct ieee802
return 0;
fail_ifa:
#endif
rtnl_lock();
-@@ -1137,10 +1137,10 @@ void ieee80211_unregister_hw(struct ieee
+@@ -1139,10 +1139,10 @@ void ieee80211_unregister_hw(struct ieee
tasklet_kill(&local->tx_pending_tasklet);
tasklet_kill(&local->tasklet);
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
-@@ -1999,7 +1999,7 @@ static int ieee80211_scan(struct wiphy *
+@@ -2008,7 +2008,7 @@ static int ieee80211_scan(struct wiphy *
* the frames sent while scanning on other channel will be
* lost)
*/
--- /dev/null
+From: Felix Fietkau <nbd@nbd.name>
+Date: Sat, 14 May 2016 14:51:02 +0200
+Subject: [PATCH] Revert "ath9k: interpret requested txpower in EIRP
+ domain"
+
+This reverts commit 71f5137bf010c6faffab50c0ec15374c59c4a411.
+---
+
+--- a/drivers/net/wireless/ath/ath9k/hw.c
++++ b/drivers/net/wireless/ath/ath9k/hw.c
+@@ -2914,7 +2914,8 @@ void ath9k_hw_apply_txpower(struct ath_h
+ {
+ struct ath_regulatory *reg = ath9k_hw_regulatory(ah);
+ struct ieee80211_channel *channel;
+- int chan_pwr, new_pwr;
++ int chan_pwr, new_pwr, max_gain;
++ int ant_gain, ant_reduction = 0;
+
+ if (!chan)
+ return;
+@@ -2922,10 +2923,15 @@ void ath9k_hw_apply_txpower(struct ath_h
+ channel = chan->chan;
+ chan_pwr = min_t(int, channel->max_power * 2, MAX_RATE_POWER);
+ new_pwr = min_t(int, chan_pwr, reg->power_limit);
++ max_gain = chan_pwr - new_pwr + channel->max_antenna_gain * 2;
++
++ ant_gain = get_antenna_gain(ah, chan);
++ if (ant_gain > max_gain)
++ ant_reduction = ant_gain - max_gain;
+
+ ah->eep_ops->set_txpower(ah, chan,
+ ath9k_regd_get_ctl(reg, chan),
+- get_antenna_gain(ah, chan), new_pwr, test);
++ ant_reduction, new_pwr, test);
+ }
+
+ void ath9k_hw_set_txpowerlimit(struct ath_hw *ah, u32 limit, bool test)
+++ /dev/null
-From: Felix Fietkau <nbd@openwrt.org>
-Date: Thu, 14 Jan 2016 03:14:03 +0100
-Subject: [PATCH] ath9k_hw: add low power tx gain table for AR953x
-
-Used in some newer TP-Link AR9533 devices.
-
-Signed-off-by: Felix Fietkau <nbd@openwrt.org>
----
-
---- a/drivers/net/wireless/ath/ath9k/ar9003_hw.c
-+++ b/drivers/net/wireless/ath/ath9k/ar9003_hw.c
-@@ -698,6 +698,9 @@ static void ar9003_tx_gain_table_mode2(s
- else if (AR_SREV_9340(ah))
- INIT_INI_ARRAY(&ah->iniModesTxGain,
- ar9340Modes_low_ob_db_tx_gain_table_1p0);
-+ else if (AR_SREV_9531_11(ah))
-+ INIT_INI_ARRAY(&ah->iniModesTxGain,
-+ qca953x_1p1_modes_no_xpa_low_power_tx_gain_table);
- else if (AR_SREV_9485_11_OR_LATER(ah))
- INIT_INI_ARRAY(&ah->iniModesTxGain,
- ar9485Modes_low_ob_db_tx_gain_1_1);
---- a/drivers/net/wireless/ath/ath9k/ar953x_initvals.h
-+++ b/drivers/net/wireless/ath/ath9k/ar953x_initvals.h
-@@ -757,6 +757,71 @@ static const u32 qca953x_1p1_modes_xpa_t
- {0x00016448, 0x6c927a70},
- };
-
-+static const u32 qca953x_1p1_modes_no_xpa_low_power_tx_gain_table[][2] = {
-+ /* Addr allmodes */
-+ {0x0000a2dc, 0xfff55592},
-+ {0x0000a2e0, 0xfff99924},
-+ {0x0000a2e4, 0xfffe1e00},
-+ {0x0000a2e8, 0xffffe000},
-+ {0x0000a410, 0x000050d6},
-+ {0x0000a500, 0x00000069},
-+ {0x0000a504, 0x0400006b},
-+ {0x0000a508, 0x0800006d},
-+ {0x0000a50c, 0x0c000269},
-+ {0x0000a510, 0x1000026b},
-+ {0x0000a514, 0x1400026d},
-+ {0x0000a518, 0x18000669},
-+ {0x0000a51c, 0x1c00066b},
-+ {0x0000a520, 0x1d000a68},
-+ {0x0000a524, 0x21000a6a},
-+ {0x0000a528, 0x25000a6c},
-+ {0x0000a52c, 0x29000a6e},
-+ {0x0000a530, 0x2d0012a9},
-+ {0x0000a534, 0x310012ab},
-+ {0x0000a538, 0x350012ad},
-+ {0x0000a53c, 0x39001b0a},
-+ {0x0000a540, 0x3d001b0c},
-+ {0x0000a544, 0x41001b0e},
-+ {0x0000a548, 0x43001bae},
-+ {0x0000a54c, 0x45001914},
-+ {0x0000a550, 0x47001916},
-+ {0x0000a554, 0x49001b96},
-+ {0x0000a558, 0x49001b96},
-+ {0x0000a55c, 0x49001b96},
-+ {0x0000a560, 0x49001b96},
-+ {0x0000a564, 0x49001b96},
-+ {0x0000a568, 0x49001b96},
-+ {0x0000a56c, 0x49001b96},
-+ {0x0000a570, 0x49001b96},
-+ {0x0000a574, 0x49001b96},
-+ {0x0000a578, 0x49001b96},
-+ {0x0000a57c, 0x49001b96},
-+ {0x0000a600, 0x00000000},
-+ {0x0000a604, 0x00000000},
-+ {0x0000a608, 0x00000000},
-+ {0x0000a60c, 0x00000000},
-+ {0x0000a610, 0x00000000},
-+ {0x0000a614, 0x00000000},
-+ {0x0000a618, 0x00804201},
-+ {0x0000a61c, 0x01408201},
-+ {0x0000a620, 0x01408502},
-+ {0x0000a624, 0x01408502},
-+ {0x0000a628, 0x01408502},
-+ {0x0000a62c, 0x01408502},
-+ {0x0000a630, 0x01408502},
-+ {0x0000a634, 0x01408502},
-+ {0x0000a638, 0x01408502},
-+ {0x0000a63c, 0x01408502},
-+ {0x0000b2dc, 0xfff55592},
-+ {0x0000b2e0, 0xfff99924},
-+ {0x0000b2e4, 0xfffe1e00},
-+ {0x0000b2e8, 0xffffe000},
-+ {0x00016044, 0x044922db},
-+ {0x00016048, 0x6c927a70},
-+ {0x00016444, 0x044922db},
-+ {0x00016448, 0x6c927a70},
-+};
-+
- static const u32 qca953x_2p0_baseband_core[][2] = {
- /* Addr allmodes */
- {0x00009800, 0xafe68e30},
--- /dev/null
+From: Bob Copeland <me@bobcopeland.com>
+Date: Sun, 15 May 2016 13:19:16 -0400
+Subject: [PATCH] mac80211: mesh: flush mesh paths unconditionally
+
+Currently, the mesh paths associated with a nexthop station are cleaned
+up in the following code path:
+
+ __sta_info_destroy_part1
+ synchronize_net()
+ __sta_info_destroy_part2
+ -> cleanup_single_sta
+ -> mesh_sta_cleanup
+ -> mesh_plink_deactivate
+ -> mesh_path_flush_by_nexthop
+
+However, there are a couple of problems here:
+
+1) the paths aren't flushed at all if the MPM is running in userspace
+ (e.g. when using wpa_supplicant or authsae)
+
+2) there is no synchronize_rcu between removing the path and readers
+ accessing the nexthop, which means the following race is possible:
+
+CPU0 CPU1
+~~~~ ~~~~
+ sta_info_destroy_part1()
+ synchronize_net()
+rcu_read_lock()
+mesh_nexthop_resolve()
+ mpath = mesh_path_lookup()
+ [...] -> mesh_path_flush_by_nexthop()
+ sta = rcu_dereference(
+ mpath->next_hop)
+ kfree(sta)
+ access sta <-- CRASH
+
+Fix both of these by unconditionally flushing paths before destroying
+the sta, and by adding a synchronize_net() after path flush to ensure
+no active readers can still dereference the sta.
+
+Fixes this crash:
+
+[ 348.529295] BUG: unable to handle kernel paging request at 00020040
+[ 348.530014] IP: [<f929245d>] ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211]
+[ 348.530014] *pde = 00000000
+[ 348.530014] Oops: 0000 [#1] PREEMPT
+[ 348.530014] Modules linked in: drbg ansi_cprng ctr ccm ppp_generic slhc ipt_MASQUERADE nf_nat_masquerade_ipv4 8021q ]
+[ 348.530014] CPU: 0 PID: 20597 Comm: wget Tainted: G O 4.6.0-rc5-wt=V1 #1
+[ 348.530014] Hardware name: To Be Filled By O.E.M./To be filled by O.E.M., BIOS 080016 11/07/2014
+[ 348.530014] task: f64fa280 ti: f4f9c000 task.ti: f4f9c000
+[ 348.530014] EIP: 0060:[<f929245d>] EFLAGS: 00010246 CPU: 0
+[ 348.530014] EIP is at ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211]
+[ 348.530014] EAX: f4ce63e0 EBX: 00000088 ECX: f3788416 EDX: 00020008
+[ 348.530014] ESI: 00000000 EDI: 00000088 EBP: f6409a4c ESP: f6409a40
+[ 348.530014] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
+[ 348.530014] CR0: 80050033 CR2: 00020040 CR3: 33190000 CR4: 00000690
+[ 348.530014] Stack:
+[ 348.530014] 00000000 f4ce63e0 f5f9bd80 f6409a64 f9291d80 0000ce67 f5d51e00 f4ce63e0
+[ 348.530014] f3788416 f6409a80 f9291dc1 f4ce8320 f4ce63e0 f5d51e00 f4ce63e0 f4ce8320
+[ 348.530014] f6409a98 f9277f6f 00000000 00000000 0000007c 00000000 f6409b2c f9278dd1
+[ 348.530014] Call Trace:
+[ 348.530014] [<f9291d80>] mesh_nexthop_lookup+0xbb/0xc8 [mac80211]
+[ 348.530014] [<f9291dc1>] mesh_nexthop_resolve+0x34/0xd8 [mac80211]
+[ 348.530014] [<f9277f6f>] ieee80211_xmit+0x92/0xc1 [mac80211]
+[ 348.530014] [<f9278dd1>] __ieee80211_subif_start_xmit+0x807/0x83c [mac80211]
+[ 348.530014] [<c04df012>] ? sch_direct_xmit+0xd7/0x1b3
+[ 348.530014] [<c022a8c6>] ? __local_bh_enable_ip+0x5d/0x7b
+[ 348.530014] [<f956870c>] ? nf_nat_ipv4_out+0x4c/0xd0 [nf_nat_ipv4]
+[ 348.530014] [<f957e036>] ? iptable_nat_ipv4_fn+0xf/0xf [iptable_nat]
+[ 348.530014] [<c04c6f45>] ? netif_skb_features+0x14d/0x30a
+[ 348.530014] [<f9278e10>] ieee80211_subif_start_xmit+0xa/0xe [mac80211]
+[ 348.530014] [<c04c769c>] dev_hard_start_xmit+0x1f8/0x267
+[ 348.530014] [<c04c7261>] ? validate_xmit_skb.isra.120.part.121+0x10/0x253
+[ 348.530014] [<c04defc6>] sch_direct_xmit+0x8b/0x1b3
+[ 348.530014] [<c04c7a9c>] __dev_queue_xmit+0x2c8/0x513
+[ 348.530014] [<c04c7cfb>] dev_queue_xmit+0xa/0xc
+[ 348.530014] [<f91bfc7a>] batadv_send_skb_packet+0xd6/0xec [batman_adv]
+[ 348.530014] [<f91bfdc4>] batadv_send_unicast_skb+0x15/0x4a [batman_adv]
+[ 348.530014] [<f91b5938>] batadv_dat_send_data+0x27e/0x310 [batman_adv]
+[ 348.530014] [<f91c30b5>] ? batadv_tt_global_hash_find.isra.11+0x8/0xa [batman_adv]
+[ 348.530014] [<f91b63f3>] batadv_dat_snoop_outgoing_arp_request+0x208/0x23d [batman_adv]
+[ 348.530014] [<f91c0cd9>] batadv_interface_tx+0x206/0x385 [batman_adv]
+[ 348.530014] [<c04c769c>] dev_hard_start_xmit+0x1f8/0x267
+[ 348.530014] [<c04c7261>] ? validate_xmit_skb.isra.120.part.121+0x10/0x253
+[ 348.530014] [<c04defc6>] sch_direct_xmit+0x8b/0x1b3
+[ 348.530014] [<c04c7a9c>] __dev_queue_xmit+0x2c8/0x513
+[ 348.530014] [<f80cbd2a>] ? igb_xmit_frame+0x57/0x72 [igb]
+[ 348.530014] [<c04c7cfb>] dev_queue_xmit+0xa/0xc
+[ 348.530014] [<f843a326>] br_dev_queue_push_xmit+0xeb/0xfb [bridge]
+[ 348.530014] [<f843a35f>] br_forward_finish+0x29/0x74 [bridge]
+[ 348.530014] [<f843a23b>] ? deliver_clone+0x3b/0x3b [bridge]
+[ 348.530014] [<f843a714>] __br_forward+0x89/0xe7 [bridge]
+[ 348.530014] [<f843a336>] ? br_dev_queue_push_xmit+0xfb/0xfb [bridge]
+[ 348.530014] [<f843a234>] deliver_clone+0x34/0x3b [bridge]
+[ 348.530014] [<f843a68b>] ? br_flood+0x95/0x95 [bridge]
+[ 348.530014] [<f843a66d>] br_flood+0x77/0x95 [bridge]
+[ 348.530014] [<f843a809>] br_flood_forward+0x13/0x1a [bridge]
+[ 348.530014] [<f843a68b>] ? br_flood+0x95/0x95 [bridge]
+[ 348.530014] [<f843b877>] br_handle_frame_finish+0x392/0x3db [bridge]
+[ 348.530014] [<c04e9b2b>] ? nf_iterate+0x2b/0x6b
+[ 348.530014] [<f843baa6>] br_handle_frame+0x1e6/0x240 [bridge]
+[ 348.530014] [<f843b4e5>] ? br_handle_local_finish+0x6a/0x6a [bridge]
+[ 348.530014] [<c04c4ba0>] __netif_receive_skb_core+0x43a/0x66b
+[ 348.530014] [<f843b8c0>] ? br_handle_frame_finish+0x3db/0x3db [bridge]
+[ 348.530014] [<c023cea4>] ? resched_curr+0x19/0x37
+[ 348.530014] [<c0240707>] ? check_preempt_wakeup+0xbf/0xfe
+[ 348.530014] [<c0255dec>] ? ktime_get_with_offset+0x5c/0xfc
+[ 348.530014] [<c04c4fc1>] __netif_receive_skb+0x47/0x55
+[ 348.530014] [<c04c57ba>] netif_receive_skb_internal+0x40/0x5a
+[ 348.530014] [<c04c61ef>] napi_gro_receive+0x3a/0x94
+[ 348.530014] [<f80ce8d5>] igb_poll+0x6fd/0x9ad [igb]
+[ 348.530014] [<c0242bd8>] ? swake_up_locked+0x14/0x26
+[ 348.530014] [<c04c5d29>] net_rx_action+0xde/0x250
+[ 348.530014] [<c022a743>] __do_softirq+0x8a/0x163
+[ 348.530014] [<c022a6b9>] ? __hrtimer_tasklet_trampoline+0x19/0x19
+[ 348.530014] [<c021100f>] do_softirq_own_stack+0x26/0x2c
+[ 348.530014] <IRQ>
+[ 348.530014] [<c022a957>] irq_exit+0x31/0x6f
+[ 348.530014] [<c0210eb2>] do_IRQ+0x8d/0xa0
+[ 348.530014] [<c058152c>] common_interrupt+0x2c/0x40
+[ 348.530014] Code: e7 8c 00 66 81 ff 88 00 75 12 85 d2 75 0e b2 c3 b8 83 e9 29 f9 e8 a7 5f f9 c6 eb 74 66 81 e3 8c 005
+[ 348.530014] EIP: [<f929245d>] ieee80211_mps_set_frame_flags+0x40/0xaa [mac80211] SS:ESP 0068:f6409a40
+[ 348.530014] CR2: 0000000000020040
+[ 348.530014] ---[ end trace 48556ac26779732e ]---
+[ 348.530014] Kernel panic - not syncing: Fatal exception in interrupt
+[ 348.530014] Kernel Offset: disabled
+
+Cc: stable@vger.kernel.org
+Reported-by: Fred Veldini <fred.veldini@gmail.com>
+Tested-by: Fred Veldini <fred.veldini@gmail.com>
+Signed-off-by: Bob Copeland <me@bobcopeland.com>
+---
+
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -161,6 +161,10 @@ void mesh_sta_cleanup(struct sta_info *s
+ del_timer_sync(&sta->mesh->plink_timer);
+ }
+
++ /* make sure no readers can access nexthop sta from here on */
++ mesh_path_flush_by_nexthop(sta);
++ synchronize_net();
++
+ if (changed)
+ ieee80211_mbss_info_change_notify(sdata, changed);
+ }
+++ /dev/null
-From: Eli Cooper <elicooper@gmx.com>
-Date: Thu, 14 Jan 2016 00:07:12 +0800
-Subject: [PATCH] rt2x00: fix monitor mode regression
-
-Since commit df1404650ccbfeb76a84f301f22316be0d00a864 monitor mode for rt2x00
-has been made effectively useless because the hardware filter is configured to
-drop packets whose intended recipient is not the device, regardless of the
-presence of monitor mode interfaces.
-
-This patch fixes this regression by adding explicit monitor mode support, and
-configuring the hardware filter accordingly.
-
-Signed-off-by: Eli Cooper <elicooper@gmx.com>
----
-
---- a/drivers/net/wireless/ralink/rt2x00/rt2400pci.c
-+++ b/drivers/net/wireless/ralink/rt2x00/rt2400pci.c
-@@ -273,8 +273,10 @@ static void rt2400pci_config_filter(stru
- !(filter_flags & FIF_PLCPFAIL));
- rt2x00_set_field32(®, RXCSR0_DROP_CONTROL,
- !(filter_flags & FIF_CONTROL));
-- rt2x00_set_field32(®, RXCSR0_DROP_NOT_TO_ME, 1);
-+ rt2x00_set_field32(®, RXCSR0_DROP_NOT_TO_ME,
-+ !rt2x00dev->is_monitoring);
- rt2x00_set_field32(®, RXCSR0_DROP_TODS,
-+ !rt2x00dev->is_monitoring &&
- !rt2x00dev->intf_ap_count);
- rt2x00_set_field32(®, RXCSR0_DROP_VERSION_ERROR, 1);
- rt2x00mmio_register_write(rt2x00dev, RXCSR0, reg);
---- a/drivers/net/wireless/ralink/rt2x00/rt2500pci.c
-+++ b/drivers/net/wireless/ralink/rt2x00/rt2500pci.c
-@@ -274,8 +274,10 @@ static void rt2500pci_config_filter(stru
- !(filter_flags & FIF_PLCPFAIL));
- rt2x00_set_field32(®, RXCSR0_DROP_CONTROL,
- !(filter_flags & FIF_CONTROL));
-- rt2x00_set_field32(®, RXCSR0_DROP_NOT_TO_ME, 1);
-+ rt2x00_set_field32(®, RXCSR0_DROP_NOT_TO_ME,
-+ !rt2x00dev->is_monitoring);
- rt2x00_set_field32(®, RXCSR0_DROP_TODS,
-+ !rt2x00dev->is_monitoring &&
- !rt2x00dev->intf_ap_count);
- rt2x00_set_field32(®, RXCSR0_DROP_VERSION_ERROR, 1);
- rt2x00_set_field32(®, RXCSR0_DROP_MCAST,
---- a/drivers/net/wireless/ralink/rt2x00/rt2500usb.c
-+++ b/drivers/net/wireless/ralink/rt2x00/rt2500usb.c
-@@ -437,8 +437,10 @@ static void rt2500usb_config_filter(stru
- !(filter_flags & FIF_PLCPFAIL));
- rt2x00_set_field16(®, TXRX_CSR2_DROP_CONTROL,
- !(filter_flags & FIF_CONTROL));
-- rt2x00_set_field16(®, TXRX_CSR2_DROP_NOT_TO_ME, 1);
-+ rt2x00_set_field16(®, TXRX_CSR2_DROP_NOT_TO_ME,
-+ !rt2x00dev->is_monitoring);
- rt2x00_set_field16(®, TXRX_CSR2_DROP_TODS,
-+ !rt2x00dev->is_monitoring &&
- !rt2x00dev->intf_ap_count);
- rt2x00_set_field16(®, TXRX_CSR2_DROP_VERSION_ERROR, 1);
- rt2x00_set_field16(®, TXRX_CSR2_DROP_MULTICAST,
---- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
-+++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
-@@ -1490,7 +1490,8 @@ void rt2800_config_filter(struct rt2x00_
- !(filter_flags & FIF_FCSFAIL));
- rt2x00_set_field32(®, RX_FILTER_CFG_DROP_PHY_ERROR,
- !(filter_flags & FIF_PLCPFAIL));
-- rt2x00_set_field32(®, RX_FILTER_CFG_DROP_NOT_TO_ME, 1);
-+ rt2x00_set_field32(®, RX_FILTER_CFG_DROP_NOT_TO_ME,
-+ !rt2x00dev->is_monitoring);
- rt2x00_set_field32(®, RX_FILTER_CFG_DROP_NOT_MY_BSSD, 0);
- rt2x00_set_field32(®, RX_FILTER_CFG_DROP_VER_ERROR, 1);
- rt2x00_set_field32(®, RX_FILTER_CFG_DROP_MULTICAST,
---- a/drivers/net/wireless/ralink/rt2x00/rt2x00.h
-+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00.h
-@@ -844,11 +844,13 @@ struct rt2x00_dev {
- * - Open sta interface count.
- * - Association count.
- * - Beaconing enabled count.
-+ * - Whether the device is monitoring.
- */
- unsigned int intf_ap_count;
- unsigned int intf_sta_count;
- unsigned int intf_associated;
- unsigned int intf_beaconing;
-+ bool is_monitoring;
-
- /*
- * Interface combinations
---- a/drivers/net/wireless/ralink/rt2x00/rt2x00config.c
-+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00config.c
-@@ -244,6 +244,16 @@ void rt2x00lib_config(struct rt2x00_dev
- (ieee80211_flags & IEEE80211_CONF_CHANGE_PS))
- cancel_delayed_work_sync(&rt2x00dev->autowakeup_work);
-
-+ if (ieee80211_flags & IEEE80211_CONF_CHANGE_MONITOR) {
-+ if (conf->flags & IEEE80211_CONF_MONITOR) {
-+ rt2x00_dbg(rt2x00dev, "Monitor mode is enabled\n");
-+ rt2x00dev->is_monitoring = true;
-+ } else {
-+ rt2x00_dbg(rt2x00dev, "Monitor mode is disabled\n");
-+ rt2x00dev->is_monitoring = false;
-+ }
-+ }
-+
- /*
- * Start configuration.
- */
---- a/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c
-+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00dev.c
-@@ -1204,6 +1204,7 @@ int rt2x00lib_start(struct rt2x00_dev *r
- rt2x00dev->intf_ap_count = 0;
- rt2x00dev->intf_sta_count = 0;
- rt2x00dev->intf_associated = 0;
-+ rt2x00dev->is_monitoring = false;
-
- /* Enable the radio */
- retval = rt2x00lib_enable_radio(rt2x00dev);
---- a/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c
-+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c
-@@ -385,11 +385,6 @@ void rt2x00mac_configure_filter(struct i
- *total_flags |= FIF_PSPOLL;
- }
-
-- /*
-- * Check if there is any work left for us.
-- */
-- if (rt2x00dev->packet_filter == *total_flags)
-- return;
- rt2x00dev->packet_filter = *total_flags;
-
- rt2x00dev->ops->lib->config_filter(rt2x00dev, *total_flags);
---- a/drivers/net/wireless/ralink/rt2x00/rt61pci.c
-+++ b/drivers/net/wireless/ralink/rt2x00/rt61pci.c
-@@ -530,8 +530,10 @@ static void rt61pci_config_filter(struct
- !(filter_flags & FIF_PLCPFAIL));
- rt2x00_set_field32(®, TXRX_CSR0_DROP_CONTROL,
- !(filter_flags & (FIF_CONTROL | FIF_PSPOLL)));
-- rt2x00_set_field32(®, TXRX_CSR0_DROP_NOT_TO_ME, 1);
-+ rt2x00_set_field32(®, TXRX_CSR0_DROP_NOT_TO_ME,
-+ !rt2x00dev->is_monitoring);
- rt2x00_set_field32(®, TXRX_CSR0_DROP_TO_DS,
-+ !rt2x00dev->is_monitoring &&
- !rt2x00dev->intf_ap_count);
- rt2x00_set_field32(®, TXRX_CSR0_DROP_VERSION_ERROR, 1);
- rt2x00_set_field32(®, TXRX_CSR0_DROP_MULTICAST,
---- a/drivers/net/wireless/ralink/rt2x00/rt73usb.c
-+++ b/drivers/net/wireless/ralink/rt2x00/rt73usb.c
-@@ -480,8 +480,10 @@ static void rt73usb_config_filter(struct
- !(filter_flags & FIF_PLCPFAIL));
- rt2x00_set_field32(®, TXRX_CSR0_DROP_CONTROL,
- !(filter_flags & (FIF_CONTROL | FIF_PSPOLL)));
-- rt2x00_set_field32(®, TXRX_CSR0_DROP_NOT_TO_ME, 1);
-+ rt2x00_set_field32(®, TXRX_CSR0_DROP_NOT_TO_ME,
-+ !rt2x00dev->is_monitoring);
- rt2x00_set_field32(®, TXRX_CSR0_DROP_TO_DS,
-+ !rt2x00dev->is_monitoring &&
- !rt2x00dev->intf_ap_count);
- rt2x00_set_field32(®, TXRX_CSR0_DROP_VERSION_ERROR, 1);
- rt2x00_set_field32(®, TXRX_CSR0_DROP_MULTICAST,
+++ /dev/null
-From: Miaoqing Pan <miaoqing@codeaurora.org>
-Date: Fri, 15 Jan 2016 18:17:17 +0800
-Subject: [PATCH] ath9k: avoid ANI restart if no trigger
-
-Fixes commit 54da20d83f0e ("ath9k_hw: improve ANI processing and rx desensitizing parameters")
-
-Call ath9k_ani_restart() only when the phy error rate reach the
-ANI immunity threshold. Sync the logic with internal code base.
-
-Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
----
-
---- a/drivers/net/wireless/ath/ath9k/ani.c
-+++ b/drivers/net/wireless/ath/ath9k/ani.c
-@@ -444,14 +444,16 @@ void ath9k_hw_ani_monitor(struct ath_hw
- ofdmPhyErrRate < ah->config.ofdm_trig_low) {
- ath9k_hw_ani_lower_immunity(ah);
- aniState->ofdmsTurn = !aniState->ofdmsTurn;
-+ ath9k_ani_restart(ah);
- } else if (ofdmPhyErrRate > ah->config.ofdm_trig_high) {
- ath9k_hw_ani_ofdm_err_trigger(ah);
- aniState->ofdmsTurn = false;
-+ ath9k_ani_restart(ah);
- } else if (cckPhyErrRate > ah->config.cck_trig_high) {
- ath9k_hw_ani_cck_err_trigger(ah);
- aniState->ofdmsTurn = true;
-+ ath9k_ani_restart(ah);
- }
-- ath9k_ani_restart(ah);
- }
- }
- EXPORT_SYMBOL(ath9k_hw_ani_monitor);
+++ /dev/null
-From: Miaoqing Pan <miaoqing@codeaurora.org>
-Date: Fri, 15 Jan 2016 18:17:18 +0800
-Subject: [PATCH] ath9k: clean up ANI per-channel pointer checking
-
-commit c24bd3620c50 ("ath9k: Do not maintain ANI state per-channel")
-removed per-channel handling, the code to check 'curchan' also
-should be removed as never used.
-
-Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
----
-
---- a/drivers/net/wireless/ath/ath9k/ani.c
-+++ b/drivers/net/wireless/ath/ath9k/ani.c
-@@ -126,12 +126,8 @@ static void ath9k_hw_update_mibstats(str
-
- static void ath9k_ani_restart(struct ath_hw *ah)
- {
-- struct ar5416AniState *aniState;
--
-- if (!ah->curchan)
-- return;
-+ struct ar5416AniState *aniState = &ah->ani;
-
-- aniState = &ah->ani;
- aniState->listenTime = 0;
-
- ENABLE_REGWRITE_BUFFER(ah);
-@@ -221,12 +217,7 @@ static void ath9k_hw_set_ofdm_nil(struct
-
- static void ath9k_hw_ani_ofdm_err_trigger(struct ath_hw *ah)
- {
-- struct ar5416AniState *aniState;
--
-- if (!ah->curchan)
-- return;
--
-- aniState = &ah->ani;
-+ struct ar5416AniState *aniState = &ah->ani;
-
- if (aniState->ofdmNoiseImmunityLevel < ATH9K_ANI_OFDM_MAX_LEVEL)
- ath9k_hw_set_ofdm_nil(ah, aniState->ofdmNoiseImmunityLevel + 1, false);
-@@ -281,12 +272,7 @@ static void ath9k_hw_set_cck_nil(struct
-
- static void ath9k_hw_ani_cck_err_trigger(struct ath_hw *ah)
- {
-- struct ar5416AniState *aniState;
--
-- if (!ah->curchan)
-- return;
--
-- aniState = &ah->ani;
-+ struct ar5416AniState *aniState = &ah->ani;
-
- if (aniState->cckNoiseImmunityLevel < ATH9K_ANI_CCK_MAX_LEVEL)
- ath9k_hw_set_cck_nil(ah, aniState->cckNoiseImmunityLevel + 1,
-@@ -299,9 +285,7 @@ static void ath9k_hw_ani_cck_err_trigger
- */
- static void ath9k_hw_ani_lower_immunity(struct ath_hw *ah)
- {
-- struct ar5416AniState *aniState;
--
-- aniState = &ah->ani;
-+ struct ar5416AniState *aniState = &ah->ani;
-
- /* lower OFDM noise immunity */
- if (aniState->ofdmNoiseImmunityLevel > 0 &&
-@@ -329,7 +313,7 @@ void ath9k_ani_reset(struct ath_hw *ah,
- struct ath_common *common = ath9k_hw_common(ah);
- int ofdm_nil, cck_nil;
-
-- if (!ah->curchan)
-+ if (!chan)
- return;
-
- BUG_ON(aniState == NULL);
-@@ -416,14 +400,10 @@ static bool ath9k_hw_ani_read_counters(s
-
- void ath9k_hw_ani_monitor(struct ath_hw *ah, struct ath9k_channel *chan)
- {
-- struct ar5416AniState *aniState;
-+ struct ar5416AniState *aniState = &ah->ani;
- struct ath_common *common = ath9k_hw_common(ah);
- u32 ofdmPhyErrRate, cckPhyErrRate;
-
-- if (!ah->curchan)
-- return;
--
-- aniState = &ah->ani;
- if (!ath9k_hw_ani_read_counters(ah))
- return;
-
+++ /dev/null
-From: Miaoqing Pan <miaoqing@codeaurora.org>
-Date: Fri, 15 Jan 2016 18:17:19 +0800
-Subject: [PATCH] ath9k: do not reset while BB panic(0x4000409) on ar9561
-
-BB panic(0x4000409) observed while AP enabling/disabling
-bursting.
-
-Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
----
-
---- a/drivers/net/wireless/ath/ath9k/ar9003_phy.c
-+++ b/drivers/net/wireless/ath/ath9k/ar9003_phy.c
-@@ -2071,7 +2071,8 @@ void ar9003_hw_attach_phy_ops(struct ath
- * to be disabled.
- *
- * 0x04000409: Packet stuck on receive.
-- * Full chip reset is required for all chips except AR9340.
-+ * Full chip reset is required for all chips except
-+ * AR9340, AR9531 and AR9561.
- */
-
- /*
-@@ -2100,7 +2101,7 @@ bool ar9003_hw_bb_watchdog_check(struct
- case 0x04000b09:
- return true;
- case 0x04000409:
-- if (AR_SREV_9340(ah) || AR_SREV_9531(ah))
-+ if (AR_SREV_9340(ah) || AR_SREV_9531(ah) || AR_SREV_9561(ah))
- return false;
- else
- return true;
+++ /dev/null
-From: Miaoqing Pan <miaoqing@codeaurora.org>
-Date: Fri, 15 Jan 2016 18:17:20 +0800
-Subject: [PATCH] ath9k: fix inconsistent use of tab and space in
- indentation
-
-Minor changes for indenting.
-
-Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
----
-
---- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
-+++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
-@@ -5485,11 +5485,11 @@ unsigned int ar9003_get_paprd_scale_fact
- AR9300_PAPRD_SCALE_1);
- else {
- if (chan->channel >= 5700)
-- return MS(le32_to_cpu(eep->modalHeader5G.papdRateMaskHt20),
-- AR9300_PAPRD_SCALE_1);
-+ return MS(le32_to_cpu(eep->modalHeader5G.papdRateMaskHt20),
-+ AR9300_PAPRD_SCALE_1);
- else if (chan->channel >= 5400)
- return MS(le32_to_cpu(eep->modalHeader5G.papdRateMaskHt40),
-- AR9300_PAPRD_SCALE_2);
-+ AR9300_PAPRD_SCALE_2);
- else
- return MS(le32_to_cpu(eep->modalHeader5G.papdRateMaskHt40),
- AR9300_PAPRD_SCALE_1);
+++ /dev/null
-From: Miaoqing Pan <miaoqing@codeaurora.org>
-Date: Fri, 15 Jan 2016 18:17:21 +0800
-Subject: [PATCH] ath9k: fix data bus error on ar9300 and ar9580
-
-One crash issue be found on ar9300: RTC_RC reg read leads crash, leading
-the data bus error, due to RTC_RC reg write not happen properly.
-
-Warm Reset trigger in continuous beacon stuck for one of the customer for
-other chip, noticed the MAC was stuck in RTC reset. After analysis noticed
-DMA did not complete when RTC was put in reset.
-
-So, before resetting the MAC need to make sure there are no pending DMA
-transactions because this reset does not reset all parts of the chip.
-
-The 12th and 11th bit of MAC _DMA_CFG register used to do that.
- 12 cfg_halt_ack 0x0
- 0 DMA has not yet halted
- 1 DMA has halted
- 11 cfg_halt_req 0x0
- 0 DMA logic operates normally
- 1 Request DMA logic to stop so software can reset the MAC
-
-The Bit [12] of this register indicates when the halt has taken effect or
-not. the DMA halt IS NOT recoverable; once software sets bit [11] to
-request a DMA halt, software must wait for bit [12] to be set and reset
-the MAC.
-
-So, the same thing we implemented for ar9580 chip.
-
-Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
----
-
---- a/drivers/net/wireless/ath/ath9k/hw.c
-+++ b/drivers/net/wireless/ath/ath9k/hw.c
-@@ -1368,6 +1368,16 @@ static bool ath9k_hw_set_reset(struct at
- if (ath9k_hw_mci_is_enabled(ah))
- ar9003_mci_check_gpm_offset(ah);
-
-+ /* DMA HALT added to resolve ar9300 and ar9580 bus error during
-+ * RTC_RC reg read
-+ */
-+ if (AR_SREV_9300(ah) || AR_SREV_9580(ah)) {
-+ REG_SET_BIT(ah, AR_CFG, AR_CFG_HALT_REQ);
-+ ath9k_hw_wait(ah, AR_CFG, AR_CFG_HALT_ACK, AR_CFG_HALT_ACK,
-+ 20 * AH_WAIT_TIMEOUT);
-+ REG_CLR_BIT(ah, AR_CFG, AR_CFG_HALT_REQ);
-+ }
-+
- REG_WRITE(ah, AR_RTC_RC, rst_flags);
-
- REGWRITE_BUFFER_FLUSH(ah);
---- a/drivers/net/wireless/ath/ath9k/reg.h
-+++ b/drivers/net/wireless/ath/ath9k/reg.h
-@@ -34,8 +34,10 @@
- #define AR_CFG_SWRG 0x00000010
- #define AR_CFG_AP_ADHOC_INDICATION 0x00000020
- #define AR_CFG_PHOK 0x00000100
--#define AR_CFG_CLK_GATE_DIS 0x00000400
- #define AR_CFG_EEBS 0x00000200
-+#define AR_CFG_CLK_GATE_DIS 0x00000400
-+#define AR_CFG_HALT_REQ 0x00000800
-+#define AR_CFG_HALT_ACK 0x00001000
- #define AR_CFG_PCI_MASTER_REQ_Q_THRESH 0x00060000
- #define AR_CFG_PCI_MASTER_REQ_Q_THRESH_S 17
-
+++ /dev/null
-From: Felix Fietkau <nbd@openwrt.org>
-Date: Fri, 15 Jan 2016 15:59:45 +0100
-Subject: [PATCH] brcmfmac: add missing include
-
-linux/module.h is required for defining module parameters
-
-Signed-off-by: Felix Fietkau <nbd@openwrt.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
-@@ -17,6 +17,7 @@
- #include <linux/kernel.h>
- #include <linux/string.h>
- #include <linux/netdevice.h>
-+#include <linux/module.h>
- #include <brcmu_wifi.h>
- #include <brcmu_utils.h>
- #include "core.h"
+++ /dev/null
-From: Hante Meuleman <meuleman@broadcom.com>
-Date: Tue, 19 Jan 2016 12:39:24 +0100
-Subject: [PATCH] brcmfmac: fix sdio sg table alloc crash
-
-With commit 7d34b0560567 ("brcmfmac: Move all module parameters to
-one place") a bug was introduced causing a null pointer exception.
-This patch fixes the bug by initializing the sg table till after
-the settings have been initialized.
-
-Fixes: 7d34b0560567 ("brcmfmac: Move all module parameters to one place")
-Reported-by: Marc Zyngier <marc.zyngier@arm.com>
-Tested-by: Marc Zyngier <marc.zyngier@arm.com>
-Reviewed-by: Arend Van Spriel <arend@broadcom.com>
-Reviewed-by: Franky (Zhenhui) Lin <frankyl@broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
-Signed-off-by: Hante Meuleman <meuleman@broadcom.com>
-Signed-off-by: Arend van Spriel <arend@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
-@@ -879,11 +879,24 @@ int brcmf_sdiod_abort(struct brcmf_sdio_
- return 0;
- }
-
--static void brcmf_sdiod_sgtable_alloc(struct brcmf_sdio_dev *sdiodev)
-+void brcmf_sdiod_sgtable_alloc(struct brcmf_sdio_dev *sdiodev)
- {
-+ struct sdio_func *func;
-+ struct mmc_host *host;
-+ uint max_blocks;
- uint nents;
- int err;
-
-+ func = sdiodev->func[2];
-+ host = func->card->host;
-+ sdiodev->sg_support = host->max_segs > 1;
-+ max_blocks = min_t(uint, host->max_blk_count, 511u);
-+ sdiodev->max_request_size = min_t(uint, host->max_req_size,
-+ max_blocks * func->cur_blksize);
-+ sdiodev->max_segment_count = min_t(uint, host->max_segs,
-+ SG_MAX_SINGLE_ALLOC);
-+ sdiodev->max_segment_size = host->max_seg_size;
-+
- if (!sdiodev->sg_support)
- return;
-
-@@ -1021,9 +1034,6 @@ static void brcmf_sdiod_host_fixup(struc
-
- static int brcmf_sdiod_probe(struct brcmf_sdio_dev *sdiodev)
- {
-- struct sdio_func *func;
-- struct mmc_host *host;
-- uint max_blocks;
- int ret = 0;
-
- sdiodev->num_funcs = 2;
-@@ -1054,26 +1064,6 @@ static int brcmf_sdiod_probe(struct brcm
- goto out;
- }
-
-- /*
-- * determine host related variables after brcmf_sdiod_probe()
-- * as func->cur_blksize is properly set and F2 init has been
-- * completed successfully.
-- */
-- func = sdiodev->func[2];
-- host = func->card->host;
-- sdiodev->sg_support = host->max_segs > 1;
-- max_blocks = min_t(uint, host->max_blk_count, 511u);
-- sdiodev->max_request_size = min_t(uint, host->max_req_size,
-- max_blocks * func->cur_blksize);
-- sdiodev->max_segment_count = min_t(uint, host->max_segs,
-- SG_MAX_SINGLE_ALLOC);
-- sdiodev->max_segment_size = host->max_seg_size;
--
-- /* allocate scatter-gather table. sg support
-- * will be disabled upon allocation failure.
-- */
-- brcmf_sdiod_sgtable_alloc(sdiodev);
--
- ret = brcmf_sdiod_freezer_attach(sdiodev);
- if (ret)
- goto out;
-@@ -1084,7 +1074,7 @@ static int brcmf_sdiod_probe(struct brcm
- ret = -ENODEV;
- goto out;
- }
-- brcmf_sdiod_host_fixup(host);
-+ brcmf_sdiod_host_fixup(sdiodev->func[2]->card->host);
- out:
- if (ret)
- brcmf_sdiod_remove(sdiodev);
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
-@@ -4114,6 +4114,11 @@ struct brcmf_sdio *brcmf_sdio_probe(stru
- goto fail;
- }
-
-+ /* allocate scatter-gather table. sg support
-+ * will be disabled upon allocation failure.
-+ */
-+ brcmf_sdiod_sgtable_alloc(bus->sdiodev);
-+
- /* Query the F2 block size, set roundup accordingly */
- bus->blocksize = bus->sdiodev->func[2]->cur_blksize;
- bus->roundup = min(max_roundup, bus->blocksize);
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.h
-@@ -342,6 +342,7 @@ int brcmf_sdiod_ramrw(struct brcmf_sdio_
-
- /* Issue an abort to the specified function */
- int brcmf_sdiod_abort(struct brcmf_sdio_dev *sdiodev, uint fn);
-+void brcmf_sdiod_sgtable_alloc(struct brcmf_sdio_dev *sdiodev);
- void brcmf_sdiod_change_state(struct brcmf_sdio_dev *sdiodev,
- enum brcmf_sdiod_state state);
- #ifdef CONFIG_PM_SLEEP
+++ /dev/null
-From: Felix Fietkau <nbd@openwrt.org>
-Date: Thu, 21 Jan 2016 16:28:44 +0100
-Subject: [PATCH] ath9k_hw: ignore eeprom magic mismatch on flash based devices
-
-Many AR913x based devices (maybe others too) do not have a valid EEPROM
-magic in their calibration data partition.
-
-Fixes: 6fa658fd5ab2 ("ath9k: Simplify and fix eeprom endianness swapping")
-Signed-off-by: Felix Fietkau <nbd@openwrt.org>
----
-
---- a/drivers/net/wireless/ath/ath9k/eeprom.c
-+++ b/drivers/net/wireless/ath/ath9k/eeprom.c
-@@ -150,18 +150,18 @@ int ath9k_hw_nvram_swap_data(struct ath_
- return -EIO;
- }
-
-- if (magic == AR5416_EEPROM_MAGIC) {
-- *swap_needed = false;
-- } else if (swab16(magic) == AR5416_EEPROM_MAGIC) {
-+ *swap_needed = false;
-+ if (swab16(magic) == AR5416_EEPROM_MAGIC) {
- if (ah->ah_flags & AH_NO_EEP_SWAP) {
- ath_info(common,
- "Ignoring endianness difference in EEPROM magic bytes.\n");
--
-- *swap_needed = false;
- } else {
- *swap_needed = true;
- }
-- } else {
-+ } else if (magic != AR5416_EEPROM_MAGIC) {
-+ if (ath9k_hw_use_flash(ah))
-+ return 0;
-+
- ath_err(common,
- "Invalid EEPROM Magic (0x%04x).\n", magic);
- return -EINVAL;
+++ /dev/null
-From: Felix Fietkau <nbd@openwrt.org>
-Date: Fri, 22 Jan 2016 01:05:56 +0100
-Subject: [PATCH] ath9k: do not limit the number of DFS interfaces to 1
-
-Signed-off-by: Felix Fietkau <nbd@openwrt.org>
----
-
---- a/drivers/net/wireless/ath/ath9k/init.c
-+++ b/drivers/net/wireless/ath/ath9k/init.c
-@@ -751,14 +751,6 @@ static const struct ieee80211_iface_comb
-
- #endif /* CPTCFG_ATH9K_CHANNEL_CONTEXT */
-
--static const struct ieee80211_iface_limit if_dfs_limits[] = {
-- { .max = 1, .types = BIT(NL80211_IFTYPE_AP) |
--#ifdef CPTCFG_MAC80211_MESH
-- BIT(NL80211_IFTYPE_MESH_POINT) |
--#endif
-- BIT(NL80211_IFTYPE_ADHOC) },
--};
--
- static const struct ieee80211_iface_combination if_comb[] = {
- {
- .limits = if_limits,
-@@ -766,6 +758,11 @@ static const struct ieee80211_iface_comb
- .max_interfaces = 2048,
- .num_different_channels = 1,
- .beacon_int_infra_match = true,
-+#ifdef CPTCFG_ATH9K_DFS_CERTIFIED
-+ .radar_detect_widths = BIT(NL80211_CHAN_WIDTH_20_NOHT) |
-+ BIT(NL80211_CHAN_WIDTH_20) |
-+ BIT(NL80211_CHAN_WIDTH_40),
-+#endif
- },
- {
- .limits = wds_limits,
-@@ -774,18 +771,6 @@ static const struct ieee80211_iface_comb
- .num_different_channels = 1,
- .beacon_int_infra_match = true,
- },
--#ifdef CPTCFG_ATH9K_DFS_CERTIFIED
-- {
-- .limits = if_dfs_limits,
-- .n_limits = ARRAY_SIZE(if_dfs_limits),
-- .max_interfaces = 1,
-- .num_different_channels = 1,
-- .beacon_int_infra_match = true,
-- .radar_detect_widths = BIT(NL80211_CHAN_WIDTH_20_NOHT) |
-- BIT(NL80211_CHAN_WIDTH_20) |
-- BIT(NL80211_CHAN_WIDTH_40),
-- }
--#endif
- };
-
- #ifdef CPTCFG_ATH9K_CHANNEL_CONTEXT
+++ /dev/null
-From: Michal Kazior <michal.kazior@tieto.com>
-Date: Thu, 21 Jan 2016 14:23:07 +0100
-Subject: [PATCH] mac80211: fix txq queue related crashes
-
-The driver can access the queue simultanously
-while mac80211 tears down the interface. Without
-spinlock protection this could lead to corrupting
-sk_buff_head and subsequently to an invalid
-pointer dereference.
-
-Fixes: ba8c3d6f16a1 ("mac80211: add an intermediate software queue implementation")
-Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
----
-
---- a/net/mac80211/iface.c
-+++ b/net/mac80211/iface.c
-@@ -977,7 +977,10 @@ static void ieee80211_do_stop(struct iee
- if (sdata->vif.txq) {
- struct txq_info *txqi = to_txq_info(sdata->vif.txq);
-
-+ spin_lock_bh(&txqi->queue.lock);
- ieee80211_purge_tx_queue(&local->hw, &txqi->queue);
-+ spin_unlock_bh(&txqi->queue.lock);
-+
- atomic_set(&sdata->txqs_len[txqi->txq.ac], 0);
- }
-
+++ /dev/null
-From: Michal Kazior <michal.kazior@tieto.com>
-Date: Mon, 25 Jan 2016 14:43:24 +0100
-Subject: [PATCH] mac80211: fix unnecessary frame drops in mesh fwding
-
-The ieee80211_queue_stopped() expects hw queue
-number but it was given raw WMM AC number instead.
-
-This could cause frame drops and problems with
-traffic in some cases - most notably if driver
-doesn't map AC numbers to queue numbers 1:1 and
-uses ieee80211_stop_queues() and
-ieee80211_wake_queue() only without ever calling
-ieee80211_wake_queues().
-
-On ath10k it was possible to hit this problem in
-the following case:
-
- 1. wlan0 uses queue 0
- (ath10k maps queues per vif)
- 2. offchannel uses queue 15
- 3. queues 1-14 are unused
- 4. ieee80211_stop_queues()
- 5. ieee80211_wake_queue(q=0)
- 6. ieee80211_wake_queue(q=15)
- (other queues are not woken up because both
- driver and mac80211 know other queues are
- unused)
- 7. ieee80211_rx_h_mesh_fwding()
- 8. ieee80211_select_queue_80211() returns 2
- 9. ieee80211_queue_stopped(q=2) returns true
- 10. frame is dropped (oops!)
-
-Fixes: d3c1597b8d1b ("mac80211: fix forwarded mesh frame queue mapping")
-Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
----
-
---- a/net/mac80211/rx.c
-+++ b/net/mac80211/rx.c
-@@ -2235,7 +2235,7 @@ ieee80211_rx_h_mesh_fwding(struct ieee80
- struct ieee80211_local *local = rx->local;
- struct ieee80211_sub_if_data *sdata = rx->sdata;
- struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
-- u16 q, hdrlen;
-+ u16 ac, q, hdrlen;
-
- hdr = (struct ieee80211_hdr *) skb->data;
- hdrlen = ieee80211_hdrlen(hdr->frame_control);
-@@ -2304,7 +2304,8 @@ ieee80211_rx_h_mesh_fwding(struct ieee80
- ether_addr_equal(sdata->vif.addr, hdr->addr3))
- return RX_CONTINUE;
-
-- q = ieee80211_select_queue_80211(sdata, skb, hdr);
-+ ac = ieee80211_select_queue_80211(sdata, skb, hdr);
-+ q = sdata->vif.hw_queue[ac];
- if (ieee80211_queue_stopped(&local->hw, q)) {
- IEEE80211_IFSTA_MESH_CTR_INC(ifmsh, dropped_frames_congestion);
- return RX_DROP_MONITOR;
+++ /dev/null
-From: Sachin Kulkarni <Sachin.Kulkarni@imgtec.com>
-Date: Tue, 12 Jan 2016 14:30:19 +0530
-Subject: [PATCH] mac80211: Requeue work after scan complete for all VIF
- types.
-
-During a sw scan ieee80211_iface_work ignores work items for all vifs.
-However after the scan complete work is requeued only for STA, ADHOC
-and MESH iftypes.
-
-This occasionally results in event processing getting delayed/not
-processed for iftype AP when it coexists with a STA. This can result
-in data halt and eventually disconnection on the AP interface.
-
-Signed-off-by: Sachin Kulkarni <Sachin.Kulkarni@imgtec.com>
-Cc: linux-wireless@vger.kernel.org
-Cc: johannes@sipsolutions.net
----
-
---- a/net/mac80211/ibss.c
-+++ b/net/mac80211/ibss.c
-@@ -1731,7 +1731,6 @@ void ieee80211_ibss_notify_scan_complete
- if (sdata->vif.type != NL80211_IFTYPE_ADHOC)
- continue;
- sdata->u.ibss.last_scan_completed = jiffies;
-- ieee80211_queue_work(&local->hw, &sdata->work);
- }
- mutex_unlock(&local->iflist_mtx);
- }
---- a/net/mac80211/mesh.c
-+++ b/net/mac80211/mesh.c
-@@ -1369,17 +1369,6 @@ out:
- sdata_unlock(sdata);
- }
-
--void ieee80211_mesh_notify_scan_completed(struct ieee80211_local *local)
--{
-- struct ieee80211_sub_if_data *sdata;
--
-- rcu_read_lock();
-- list_for_each_entry_rcu(sdata, &local->interfaces, list)
-- if (ieee80211_vif_is_mesh(&sdata->vif) &&
-- ieee80211_sdata_running(sdata))
-- ieee80211_queue_work(&local->hw, &sdata->work);
-- rcu_read_unlock();
--}
-
- void ieee80211_mesh_init_sdata(struct ieee80211_sub_if_data *sdata)
- {
---- a/net/mac80211/mesh.h
-+++ b/net/mac80211/mesh.h
-@@ -362,14 +362,10 @@ static inline bool mesh_path_sel_is_hwmp
- return sdata->u.mesh.mesh_pp_id == IEEE80211_PATH_PROTOCOL_HWMP;
- }
-
--void ieee80211_mesh_notify_scan_completed(struct ieee80211_local *local);
--
- void mesh_path_flush_by_iface(struct ieee80211_sub_if_data *sdata);
- void mesh_sync_adjust_tbtt(struct ieee80211_sub_if_data *sdata);
- void ieee80211s_stop(void);
- #else
--static inline void
--ieee80211_mesh_notify_scan_completed(struct ieee80211_local *local) {}
- static inline bool mesh_path_sel_is_hwmp(struct ieee80211_sub_if_data *sdata)
- { return false; }
- static inline void mesh_path_flush_by_iface(struct ieee80211_sub_if_data *sdata)
---- a/net/mac80211/mlme.c
-+++ b/net/mac80211/mlme.c
-@@ -3978,8 +3978,6 @@ static void ieee80211_restart_sta_timer(
- if (!ieee80211_hw_check(&sdata->local->hw, CONNECTION_MONITOR))
- ieee80211_queue_work(&sdata->local->hw,
- &sdata->u.mgd.monitor_work);
-- /* and do all the other regular work too */
-- ieee80211_queue_work(&sdata->local->hw, &sdata->work);
- }
- }
-
---- a/net/mac80211/scan.c
-+++ b/net/mac80211/scan.c
-@@ -314,6 +314,7 @@ static void __ieee80211_scan_completed(s
- bool was_scanning = local->scanning;
- struct cfg80211_scan_request *scan_req;
- struct ieee80211_sub_if_data *scan_sdata;
-+ struct ieee80211_sub_if_data *sdata;
-
- lockdep_assert_held(&local->mtx);
-
-@@ -373,7 +374,15 @@ static void __ieee80211_scan_completed(s
-
- ieee80211_mlme_notify_scan_completed(local);
- ieee80211_ibss_notify_scan_completed(local);
-- ieee80211_mesh_notify_scan_completed(local);
-+
-+ /* Requeue all the work that might have been ignored while
-+ * the scan was in progress
-+ */
-+ list_for_each_entry_rcu(sdata, &local->interfaces, list) {
-+ if (ieee80211_sdata_running(sdata))
-+ ieee80211_queue_work(&sdata->local->hw, &sdata->work);
-+ }
-+
- if (was_scanning)
- ieee80211_start_next_roc(local);
- }
+++ /dev/null
-From: Sara Sharon <sara.sharon@intel.com>
-Date: Mon, 25 Jan 2016 15:46:35 +0200
-Subject: [PATCH] mac80211: fix ibss scan parameters
-
-When joining IBSS a full scan should be initiated in order to search
-for existing cell, unless the fixed_channel parameter was set.
-A default channel to create the IBSS on if no cell was found is
-provided as well.
-However - a scan is initiated only on the default channel provided
-regardless of whether ifibss->fixed_channel is set or not, with the
-obvious result of the cell not joining existing IBSS cell that is
-on another channel.
-
-Fixes: 76bed0f43b27 ("mac80211: IBSS fix scan request")
-Signed-off-by: Sara Sharon <sara.sharon@intel.com>
-Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
----
-
---- a/net/mac80211/ibss.c
-+++ b/net/mac80211/ibss.c
-@@ -7,6 +7,7 @@
- * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
- * Copyright 2009, Johannes Berg <johannes@sipsolutions.net>
- * Copyright 2013-2014 Intel Mobile Communications GmbH
-+ * Copyright(c) 2016 Intel Deutschland GmbH
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
-@@ -1483,14 +1484,21 @@ static void ieee80211_sta_find_ibss(stru
-
- sdata_info(sdata, "Trigger new scan to find an IBSS to join\n");
-
-- num = ieee80211_ibss_setup_scan_channels(local->hw.wiphy,
-- &ifibss->chandef,
-- channels,
-- ARRAY_SIZE(channels));
- scan_width = cfg80211_chandef_to_scan_width(&ifibss->chandef);
-- ieee80211_request_ibss_scan(sdata, ifibss->ssid,
-- ifibss->ssid_len, channels, num,
-- scan_width);
-+
-+ if (ifibss->fixed_channel) {
-+ num = ieee80211_ibss_setup_scan_channels(local->hw.wiphy,
-+ &ifibss->chandef,
-+ channels,
-+ ARRAY_SIZE(channels));
-+ ieee80211_request_ibss_scan(sdata, ifibss->ssid,
-+ ifibss->ssid_len, channels,
-+ num, scan_width);
-+ } else {
-+ ieee80211_request_ibss_scan(sdata, ifibss->ssid,
-+ ifibss->ssid_len, NULL,
-+ 0, scan_width);
-+ }
- } else {
- int interval = IEEE80211_SCAN_INTERVAL;
-
+++ /dev/null
-From: Chris Bainbridge <chris.bainbridge@gmail.com>
-Date: Wed, 27 Jan 2016 15:46:18 +0000
-Subject: [PATCH] net/mac80211/agg-rx.c: fix use of uninitialised values
-
-Use kzalloc instead of kmalloc for struct tid_ampdu_rx. Fixes:
-
-[ 7.976605] UBSAN: Undefined behaviour in net/mac80211/rx.c:932:29
-[ 7.976608] load of value 2 is not a valid value for type '_Bool'
-[ 7.976611] CPU: 3 PID: 1134 Comm: kworker/u16:7 Not tainted 4.5.0-rc1+ #265
-[ 7.976613] Hardware name: Apple Inc. MacBookPro10,2/Mac-AFD8A9D944EA4843, BIOS MBP102.88Z.0106.B0A.1509130955 09/13/2015
-[ 7.976616] Workqueue: phy0 rt2x00usb_work_rxdone
-[ 7.976619] 0000000000000004 ffff880254a7ba50 ffffffff8181d866 0000000000000007
-[ 7.976622] ffff880254a7ba78 ffff880254a7ba68 ffffffff8188422d ffffffff8379b500
-[ 7.976626] ffff880254a7bab8 ffffffff81884747 0000000000000202 0000000348620032
-[ 7.976629] Call Trace:
-[ 7.976633] [<ffffffff8181d866>] dump_stack+0x45/0x5f
-[ 7.976637] [<ffffffff8188422d>] ubsan_epilogue+0xd/0x40
-[ 7.976642] [<ffffffff81884747>] __ubsan_handle_load_invalid_value+0x67/0x70
-[ 7.976646] [<ffffffff82227b4d>] ieee80211_sta_reorder_release.isra.16+0x5ed/0x730
-[ 7.976650] [<ffffffff8222ca14>] ieee80211_prepare_and_rx_handle+0xd04/0x1c00
-[ 7.976654] [<ffffffff81cb27ce>] ? usb_hcd_map_urb_for_dma+0x65e/0x960
-[ 7.976659] [<ffffffff8222db03>] __ieee80211_rx_handle_packet+0x1f3/0x750
-[ 7.976663] [<ffffffff8222e4a7>] ieee80211_rx_napi+0x447/0x990
-[ 7.976667] [<ffffffff81c5fb85>] rt2x00lib_rxdone+0x305/0xbd0
-[ 7.976670] [<ffffffff811ac23f>] ? dequeue_task_fair+0x64f/0x1de0
-[ 7.976674] [<ffffffff811a1516>] ? sched_clock_cpu+0xe6/0x150
-[ 7.976678] [<ffffffff81c6c45c>] rt2x00usb_work_rxdone+0x7c/0x140
-[ 7.976682] [<ffffffff8117aef6>] process_one_work+0x226/0x860
-[ 7.976686] [<ffffffff8117b58c>] worker_thread+0x5c/0x680
-[ 7.976690] [<ffffffff8117b530>] ? process_one_work+0x860/0x860
-[ 7.976693] [<ffffffff81184f86>] kthread+0xf6/0x150
-[ 7.976697] [<ffffffff81184e90>] ? kthread_worker_fn+0x310/0x310
-[ 7.976700] [<ffffffff822a94df>] ret_from_fork+0x3f/0x70
-[ 7.976703] [<ffffffff81184e90>] ? kthread_worker_fn+0x310/0x310
-
-Link: https://lkml.org/lkml/2016/1/26/230
-Signed-off-by: Chris Bainbridge <chris.bainbridge@gmail.com>
----
-
---- a/net/mac80211/agg-rx.c
-+++ b/net/mac80211/agg-rx.c
-@@ -327,7 +327,7 @@ void __ieee80211_start_rx_ba_session(str
- }
-
- /* prepare A-MPDU MLME for Rx aggregation */
-- tid_agg_rx = kmalloc(sizeof(struct tid_ampdu_rx), GFP_KERNEL);
-+ tid_agg_rx = kzalloc(sizeof(struct tid_ampdu_rx), GFP_KERNEL);
- if (!tid_agg_rx)
- goto end;
-
+++ /dev/null
-From: Konstantin Khlebnikov <koct9i@gmail.com>
-Date: Fri, 29 Jan 2016 11:35:12 +0300
-Subject: [PATCH] mac80211: minstrel_ht: fix out-of-bound in
- minstrel_ht_set_best_prob_rate
-
-Patch fixes this splat
-
-BUG: KASAN: slab-out-of-bounds in minstrel_ht_update_stats.isra.7+0x6e1/0x9e0
-[mac80211] at addr ffff8800cee640f4 Read of size 4 by task swapper/3/0
-
-Signed-off-by: Konstantin Khlebnikov <koct9i@gmail.com>
-Link: http://lkml.kernel.org/r/CALYGNiNyJhSaVnE35qS6UCGaSb2Dx1_i5HcRavuOX14oTz2P+w@mail.gmail.com
----
-
---- a/net/mac80211/rc80211_minstrel_ht.c
-+++ b/net/mac80211/rc80211_minstrel_ht.c
-@@ -414,15 +414,16 @@ minstrel_ht_set_best_prob_rate(struct mi
- (max_tp_group != MINSTREL_CCK_GROUP))
- return;
-
-+ max_gpr_group = mg->max_group_prob_rate / MCS_GROUP_RATES;
-+ max_gpr_idx = mg->max_group_prob_rate % MCS_GROUP_RATES;
-+ max_gpr_prob = mi->groups[max_gpr_group].rates[max_gpr_idx].prob_ewma;
-+
- if (mrs->prob_ewma > MINSTREL_FRAC(75, 100)) {
- cur_tp_avg = minstrel_ht_get_tp_avg(mi, cur_group, cur_idx,
- mrs->prob_ewma);
- if (cur_tp_avg > tmp_tp_avg)
- mi->max_prob_rate = index;
-
-- max_gpr_group = mg->max_group_prob_rate / MCS_GROUP_RATES;
-- max_gpr_idx = mg->max_group_prob_rate % MCS_GROUP_RATES;
-- max_gpr_prob = mi->groups[max_gpr_group].rates[max_gpr_idx].prob_ewma;
- max_gpr_tp_avg = minstrel_ht_get_tp_avg(mi, max_gpr_group,
- max_gpr_idx,
- max_gpr_prob);
-@@ -431,7 +432,7 @@ minstrel_ht_set_best_prob_rate(struct mi
- } else {
- if (mrs->prob_ewma > tmp_prob)
- mi->max_prob_rate = index;
-- if (mrs->prob_ewma > mg->rates[mg->max_group_prob_rate].prob_ewma)
-+ if (mrs->prob_ewma > max_gpr_prob)
- mg->max_group_prob_rate = index;
- }
- }
+++ /dev/null
-From: Felix Fietkau <nbd@openwrt.org>
-Date: Tue, 2 Feb 2016 14:39:08 +0100
-Subject: [PATCH] mac80211: move A-MSDU skb_linearize call to
- ieee80211_amsdu_to_8023s
-
-Prepararation for zero-copy A-MSDU support with page fragment SKBs
-
-Signed-off-by: Felix Fietkau <nbd@openwrt.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/net/mac80211/rx.c
-+++ b/net/mac80211/rx.c
-@@ -2203,9 +2203,6 @@ ieee80211_rx_h_amsdu(struct ieee80211_rx
- skb->dev = dev;
- __skb_queue_head_init(&frame_list);
-
-- if (skb_linearize(skb))
-- return RX_DROP_UNUSABLE;
--
- ieee80211_amsdu_to_8023s(skb, &frame_list, dev->dev_addr,
- rx->sdata->vif.type,
- rx->local->hw.extra_tx_headroom, true);
---- a/net/wireless/util.c
-+++ b/net/wireless/util.c
-@@ -657,6 +657,9 @@ void ieee80211_amsdu_to_8023s(struct sk_
- int remaining, err;
- u8 dst[ETH_ALEN], src[ETH_ALEN];
-
-+ if (skb_linearize(skb))
-+ goto out;
-+
- if (has_80211_header) {
- err = ieee80211_data_to_8023(skb, addr, iftype);
- if (err)
+++ /dev/null
-From: Felix Fietkau <nbd@openwrt.org>
-Date: Tue, 2 Feb 2016 14:39:09 +0100
-Subject: [PATCH] cfg80211: add function for 802.3 conversion with separate
- output buffer
-
-Use skb_copy_bits in preparation for allowing fragmented skbs
-
-Signed-off-by: Felix Fietkau <nbd@openwrt.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/net/wireless/util.c
-+++ b/net/wireless/util.c
-@@ -393,9 +393,9 @@ unsigned int ieee80211_get_hdrlen_from_s
- }
- EXPORT_SYMBOL(ieee80211_get_hdrlen_from_skb);
-
--unsigned int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr)
-+static unsigned int __ieee80211_get_mesh_hdrlen(u8 flags)
- {
-- int ae = meshhdr->flags & MESH_FLAGS_AE;
-+ int ae = flags & MESH_FLAGS_AE;
- /* 802.11-2012, 8.2.4.7.3 */
- switch (ae) {
- default:
-@@ -407,21 +407,31 @@ unsigned int ieee80211_get_mesh_hdrlen(s
- return 18;
- }
- }
-+
-+unsigned int ieee80211_get_mesh_hdrlen(struct ieee80211s_hdr *meshhdr)
-+{
-+ return __ieee80211_get_mesh_hdrlen(meshhdr->flags);
-+}
- EXPORT_SYMBOL(ieee80211_get_mesh_hdrlen);
-
--int ieee80211_data_to_8023(struct sk_buff *skb, const u8 *addr,
-- enum nl80211_iftype iftype)
-+static int __ieee80211_data_to_8023(struct sk_buff *skb, struct ethhdr *ehdr,
-+ const u8 *addr, enum nl80211_iftype iftype)
- {
- struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
-- u16 hdrlen, ethertype;
-- u8 *payload;
-- u8 dst[ETH_ALEN];
-- u8 src[ETH_ALEN] __aligned(2);
-+ struct {
-+ u8 hdr[ETH_ALEN] __aligned(2);
-+ __be16 proto;
-+ } payload;
-+ struct ethhdr tmp;
-+ u16 hdrlen;
-+ u8 mesh_flags = 0;
-
- if (unlikely(!ieee80211_is_data_present(hdr->frame_control)))
- return -1;
-
- hdrlen = ieee80211_hdrlen(hdr->frame_control);
-+ if (skb->len < hdrlen + 8)
-+ return -1;
-
- /* convert IEEE 802.11 header + possible LLC headers into Ethernet
- * header
-@@ -432,8 +442,11 @@ int ieee80211_data_to_8023(struct sk_buf
- * 1 0 BSSID SA DA n/a
- * 1 1 RA TA DA SA
- */
-- memcpy(dst, ieee80211_get_DA(hdr), ETH_ALEN);
-- memcpy(src, ieee80211_get_SA(hdr), ETH_ALEN);
-+ memcpy(tmp.h_dest, ieee80211_get_DA(hdr), ETH_ALEN);
-+ memcpy(tmp.h_source, ieee80211_get_SA(hdr), ETH_ALEN);
-+
-+ if (iftype == NL80211_IFTYPE_MESH_POINT)
-+ skb_copy_bits(skb, hdrlen, &mesh_flags, 1);
-
- switch (hdr->frame_control &
- cpu_to_le16(IEEE80211_FCTL_TODS | IEEE80211_FCTL_FROMDS)) {
-@@ -450,44 +463,31 @@ int ieee80211_data_to_8023(struct sk_buf
- iftype != NL80211_IFTYPE_STATION))
- return -1;
- if (iftype == NL80211_IFTYPE_MESH_POINT) {
-- struct ieee80211s_hdr *meshdr =
-- (struct ieee80211s_hdr *) (skb->data + hdrlen);
-- /* make sure meshdr->flags is on the linear part */
-- if (!pskb_may_pull(skb, hdrlen + 1))
-- return -1;
-- if (meshdr->flags & MESH_FLAGS_AE_A4)
-+ if (mesh_flags & MESH_FLAGS_AE_A4)
- return -1;
-- if (meshdr->flags & MESH_FLAGS_AE_A5_A6) {
-+ if (mesh_flags & MESH_FLAGS_AE_A5_A6) {
- skb_copy_bits(skb, hdrlen +
- offsetof(struct ieee80211s_hdr, eaddr1),
-- dst, ETH_ALEN);
-- skb_copy_bits(skb, hdrlen +
-- offsetof(struct ieee80211s_hdr, eaddr2),
-- src, ETH_ALEN);
-+ tmp.h_dest, 2 * ETH_ALEN);
- }
-- hdrlen += ieee80211_get_mesh_hdrlen(meshdr);
-+ hdrlen += __ieee80211_get_mesh_hdrlen(mesh_flags);
- }
- break;
- case cpu_to_le16(IEEE80211_FCTL_FROMDS):
- if ((iftype != NL80211_IFTYPE_STATION &&
- iftype != NL80211_IFTYPE_P2P_CLIENT &&
- iftype != NL80211_IFTYPE_MESH_POINT) ||
-- (is_multicast_ether_addr(dst) &&
-- ether_addr_equal(src, addr)))
-+ (is_multicast_ether_addr(tmp.h_dest) &&
-+ ether_addr_equal(tmp.h_source, addr)))
- return -1;
- if (iftype == NL80211_IFTYPE_MESH_POINT) {
-- struct ieee80211s_hdr *meshdr =
-- (struct ieee80211s_hdr *) (skb->data + hdrlen);
-- /* make sure meshdr->flags is on the linear part */
-- if (!pskb_may_pull(skb, hdrlen + 1))
-- return -1;
-- if (meshdr->flags & MESH_FLAGS_AE_A5_A6)
-+ if (mesh_flags & MESH_FLAGS_AE_A5_A6)
- return -1;
-- if (meshdr->flags & MESH_FLAGS_AE_A4)
-+ if (mesh_flags & MESH_FLAGS_AE_A4)
- skb_copy_bits(skb, hdrlen +
- offsetof(struct ieee80211s_hdr, eaddr1),
-- src, ETH_ALEN);
-- hdrlen += ieee80211_get_mesh_hdrlen(meshdr);
-+ tmp.h_source, ETH_ALEN);
-+ hdrlen += __ieee80211_get_mesh_hdrlen(mesh_flags);
- }
- break;
- case cpu_to_le16(0):
-@@ -498,33 +498,33 @@ int ieee80211_data_to_8023(struct sk_buf
- break;
- }
-
-- if (!pskb_may_pull(skb, hdrlen + 8))
-- return -1;
--
-- payload = skb->data + hdrlen;
-- ethertype = (payload[6] << 8) | payload[7];
-+ skb_copy_bits(skb, hdrlen, &payload, sizeof(payload));
-+ tmp.h_proto = payload.proto;
-
-- if (likely((ether_addr_equal(payload, rfc1042_header) &&
-- ethertype != ETH_P_AARP && ethertype != ETH_P_IPX) ||
-- ether_addr_equal(payload, bridge_tunnel_header))) {
-+ if (likely((ether_addr_equal(payload.hdr, rfc1042_header) &&
-+ tmp.h_proto != htons(ETH_P_AARP) &&
-+ tmp.h_proto != htons(ETH_P_IPX)) ||
-+ ether_addr_equal(payload.hdr, bridge_tunnel_header)))
- /* remove RFC1042 or Bridge-Tunnel encapsulation and
- * replace EtherType */
-- skb_pull(skb, hdrlen + 6);
-- memcpy(skb_push(skb, ETH_ALEN), src, ETH_ALEN);
-- memcpy(skb_push(skb, ETH_ALEN), dst, ETH_ALEN);
-- } else {
-- struct ethhdr *ehdr;
-- __be16 len;
-+ hdrlen += ETH_ALEN + 2;
-+ else
-+ tmp.h_proto = htons(skb->len);
-
-- skb_pull(skb, hdrlen);
-- len = htons(skb->len);
-+ pskb_pull(skb, hdrlen);
-+
-+ if (!ehdr)
- ehdr = (struct ethhdr *) skb_push(skb, sizeof(struct ethhdr));
-- memcpy(ehdr->h_dest, dst, ETH_ALEN);
-- memcpy(ehdr->h_source, src, ETH_ALEN);
-- ehdr->h_proto = len;
-- }
-+ memcpy(ehdr, &tmp, sizeof(tmp));
-+
- return 0;
- }
-+
-+int ieee80211_data_to_8023(struct sk_buff *skb, const u8 *addr,
-+ enum nl80211_iftype iftype)
-+{
-+ return __ieee80211_data_to_8023(skb, NULL, addr, iftype);
-+}
- EXPORT_SYMBOL(ieee80211_data_to_8023);
-
- int ieee80211_data_from_8023(struct sk_buff *skb, const u8 *addr,
+++ /dev/null
-From: Felix Fietkau <nbd@openwrt.org>
-Date: Tue, 2 Feb 2016 14:39:10 +0100
-Subject: [PATCH] cfg80211: add support for non-linear skbs in
- ieee80211_amsdu_to_8023s
-
-Signed-off-by: Felix Fietkau <nbd@openwrt.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/net/wireless/util.c
-+++ b/net/wireless/util.c
-@@ -644,73 +644,75 @@ int ieee80211_data_from_8023(struct sk_b
- }
- EXPORT_SYMBOL(ieee80211_data_from_8023);
-
-+static struct sk_buff *
-+__ieee80211_amsdu_copy(struct sk_buff *skb, unsigned int hlen,
-+ int offset, int len)
-+{
-+ struct sk_buff *frame;
-+
-+ if (skb->len - offset < len)
-+ return NULL;
-+
-+ /*
-+ * Allocate and reserve two bytes more for payload
-+ * alignment since sizeof(struct ethhdr) is 14.
-+ */
-+ frame = dev_alloc_skb(hlen + sizeof(struct ethhdr) + 2 + len);
-+
-+ skb_reserve(frame, hlen + sizeof(struct ethhdr) + 2);
-+ skb_copy_bits(skb, offset, skb_put(frame, len), len);
-+
-+ return frame;
-+}
-
- void ieee80211_amsdu_to_8023s(struct sk_buff *skb, struct sk_buff_head *list,
- const u8 *addr, enum nl80211_iftype iftype,
- const unsigned int extra_headroom,
- bool has_80211_header)
- {
-+ unsigned int hlen = ALIGN(extra_headroom, 4);
- struct sk_buff *frame = NULL;
- u16 ethertype;
- u8 *payload;
-- const struct ethhdr *eth;
-- int remaining, err;
-- u8 dst[ETH_ALEN], src[ETH_ALEN];
--
-- if (skb_linearize(skb))
-- goto out;
-+ int offset = 0, remaining, err;
-+ struct ethhdr eth;
-+ bool reuse_skb = true;
-+ bool last = false;
-
- if (has_80211_header) {
-- err = ieee80211_data_to_8023(skb, addr, iftype);
-+ err = __ieee80211_data_to_8023(skb, ð, addr, iftype);
- if (err)
- goto out;
--
-- /* skip the wrapping header */
-- eth = (struct ethhdr *) skb_pull(skb, sizeof(struct ethhdr));
-- if (!eth)
-- goto out;
-- } else {
-- eth = (struct ethhdr *) skb->data;
- }
-
-- while (skb != frame) {
-+ while (!last) {
-+ unsigned int subframe_len;
-+ int len;
- u8 padding;
-- __be16 len = eth->h_proto;
-- unsigned int subframe_len = sizeof(struct ethhdr) + ntohs(len);
--
-- remaining = skb->len;
-- memcpy(dst, eth->h_dest, ETH_ALEN);
-- memcpy(src, eth->h_source, ETH_ALEN);
-
-+ skb_copy_bits(skb, offset, ð, sizeof(eth));
-+ len = ntohs(eth.h_proto);
-+ subframe_len = sizeof(struct ethhdr) + len;
- padding = (4 - subframe_len) & 0x3;
-+
- /* the last MSDU has no padding */
-+ remaining = skb->len - offset;
- if (subframe_len > remaining)
- goto purge;
-
-- skb_pull(skb, sizeof(struct ethhdr));
-+ offset += sizeof(struct ethhdr);
- /* reuse skb for the last subframe */
-- if (remaining <= subframe_len + padding)
-+ last = remaining <= subframe_len + padding;
-+ if (!skb_is_nonlinear(skb) && last) {
-+ skb_pull(skb, offset);
- frame = skb;
-- else {
-- unsigned int hlen = ALIGN(extra_headroom, 4);
-- /*
-- * Allocate and reserve two bytes more for payload
-- * alignment since sizeof(struct ethhdr) is 14.
-- */
-- frame = dev_alloc_skb(hlen + subframe_len + 2);
-+ reuse_skb = true;
-+ } else {
-+ frame = __ieee80211_amsdu_copy(skb, hlen, offset, len);
- if (!frame)
- goto purge;
-
-- skb_reserve(frame, hlen + sizeof(struct ethhdr) + 2);
-- memcpy(skb_put(frame, ntohs(len)), skb->data,
-- ntohs(len));
--
-- eth = (struct ethhdr *)skb_pull(skb, ntohs(len) +
-- padding);
-- if (!eth) {
-- dev_kfree_skb(frame);
-- goto purge;
-- }
-+ offset += len + padding;
- }
-
- skb_reset_network_header(frame);
-@@ -719,24 +721,20 @@ void ieee80211_amsdu_to_8023s(struct sk_
-
- payload = frame->data;
- ethertype = (payload[6] << 8) | payload[7];
--
- if (likely((ether_addr_equal(payload, rfc1042_header) &&
- ethertype != ETH_P_AARP && ethertype != ETH_P_IPX) ||
- ether_addr_equal(payload, bridge_tunnel_header))) {
-- /* remove RFC1042 or Bridge-Tunnel
-- * encapsulation and replace EtherType */
-- skb_pull(frame, 6);
-- memcpy(skb_push(frame, ETH_ALEN), src, ETH_ALEN);
-- memcpy(skb_push(frame, ETH_ALEN), dst, ETH_ALEN);
-- } else {
-- memcpy(skb_push(frame, sizeof(__be16)), &len,
-- sizeof(__be16));
-- memcpy(skb_push(frame, ETH_ALEN), src, ETH_ALEN);
-- memcpy(skb_push(frame, ETH_ALEN), dst, ETH_ALEN);
-+ eth.h_proto = htons(ethertype);
-+ skb_pull(frame, ETH_ALEN + 2);
- }
-+
-+ memcpy(skb_push(frame, sizeof(eth)), ð, sizeof(eth));
- __skb_queue_tail(list, frame);
- }
-
-+ if (!reuse_skb)
-+ dev_kfree_skb(skb);
-+
- return;
-
- purge:
+++ /dev/null
-From: Sven Eckelmann <sven@narfation.org>
-Date: Tue, 26 Jan 2016 17:11:13 +0100
-Subject: [PATCH] mac80211: Parse legacy and HT rate in injected frames
-
-Drivers/devices without their own rate control algorithm can get the
-information what rates they should use from either the radiotap header of
-injected frames or from the rate control algorithm. But the parsing of the
-legacy rate information from the radiotap header was removed in commit
-e6a9854b05c1 ("mac80211/drivers: rewrite the rate control API").
-
-The removal of this feature heavily reduced the usefulness of frame
-injection when wanting to simulate specific transmission behavior. Having
-rate parsing together with MCS rates and retry support allows a fine
-grained selection of the tx behavior of injected frames for these kind of
-tests.
-
-Signed-off-by: Sven Eckelmann <sven@narfation.org>
-Cc: Simon Wunderlich <sw@simonwunderlich.de>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/include/net/mac80211.h
-+++ b/include/net/mac80211.h
-@@ -708,12 +708,14 @@ enum mac80211_tx_info_flags {
- * protocol frame (e.g. EAP)
- * @IEEE80211_TX_CTRL_PS_RESPONSE: This frame is a response to a poll
- * frame (PS-Poll or uAPSD).
-+ * @IEEE80211_TX_CTRL_RATE_INJECT: This frame is injected with rate information
- *
- * These flags are used in tx_info->control.flags.
- */
- enum mac80211_tx_control_flags {
- IEEE80211_TX_CTRL_PORT_CTRL_PROTO = BIT(0),
- IEEE80211_TX_CTRL_PS_RESPONSE = BIT(1),
-+ IEEE80211_TX_CTRL_RATE_INJECT = BIT(2),
- };
-
- /*
---- a/net/mac80211/tx.c
-+++ b/net/mac80211/tx.c
-@@ -710,6 +710,10 @@ ieee80211_tx_h_rate_ctrl(struct ieee8021
-
- info->control.short_preamble = txrc.short_preamble;
-
-+ /* don't ask rate control when rate already injected via radiotap */
-+ if (info->control.flags & IEEE80211_TX_CTRL_RATE_INJECT)
-+ return TX_CONTINUE;
-+
- if (tx->sta)
- assoc = test_sta_flag(tx->sta, WLAN_STA_ASSOC);
-
-@@ -1665,15 +1669,24 @@ void ieee80211_xmit(struct ieee80211_sub
- ieee80211_tx(sdata, sta, skb, false);
- }
-
--static bool ieee80211_parse_tx_radiotap(struct sk_buff *skb)
-+static bool ieee80211_parse_tx_radiotap(struct ieee80211_local *local,
-+ struct sk_buff *skb)
- {
- struct ieee80211_radiotap_iterator iterator;
- struct ieee80211_radiotap_header *rthdr =
- (struct ieee80211_radiotap_header *) skb->data;
- struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
-+ struct ieee80211_supported_band *sband =
-+ local->hw.wiphy->bands[info->band];
- int ret = ieee80211_radiotap_iterator_init(&iterator, rthdr, skb->len,
- NULL);
- u16 txflags;
-+ u16 rate = 0;
-+ bool rate_found = false;
-+ u8 rate_retries = 0;
-+ u16 rate_flags = 0;
-+ u8 mcs_known, mcs_flags;
-+ int i;
-
- info->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT |
- IEEE80211_TX_CTL_DONTFRAG;
-@@ -1724,6 +1737,35 @@ static bool ieee80211_parse_tx_radiotap(
- info->flags |= IEEE80211_TX_CTL_NO_ACK;
- break;
-
-+ case IEEE80211_RADIOTAP_RATE:
-+ rate = *iterator.this_arg;
-+ rate_flags = 0;
-+ rate_found = true;
-+ break;
-+
-+ case IEEE80211_RADIOTAP_DATA_RETRIES:
-+ rate_retries = *iterator.this_arg;
-+ break;
-+
-+ case IEEE80211_RADIOTAP_MCS:
-+ mcs_known = iterator.this_arg[0];
-+ mcs_flags = iterator.this_arg[1];
-+ if (!(mcs_known & IEEE80211_RADIOTAP_MCS_HAVE_MCS))
-+ break;
-+
-+ rate_found = true;
-+ rate = iterator.this_arg[2];
-+ rate_flags = IEEE80211_TX_RC_MCS;
-+
-+ if (mcs_known & IEEE80211_RADIOTAP_MCS_HAVE_GI &&
-+ mcs_flags & IEEE80211_RADIOTAP_MCS_SGI)
-+ rate_flags |= IEEE80211_TX_RC_SHORT_GI;
-+
-+ if (mcs_known & IEEE80211_RADIOTAP_MCS_HAVE_BW &&
-+ mcs_flags & IEEE80211_RADIOTAP_MCS_BW_40)
-+ rate_flags |= IEEE80211_TX_RC_40_MHZ_WIDTH;
-+ break;
-+
- /*
- * Please update the file
- * Documentation/networking/mac80211-injection.txt
-@@ -1738,6 +1780,32 @@ static bool ieee80211_parse_tx_radiotap(
- if (ret != -ENOENT) /* ie, if we didn't simply run out of fields */
- return false;
-
-+ if (rate_found) {
-+ info->control.flags |= IEEE80211_TX_CTRL_RATE_INJECT;
-+
-+ for (i = 0; i < IEEE80211_TX_MAX_RATES; i++) {
-+ info->control.rates[i].idx = -1;
-+ info->control.rates[i].flags = 0;
-+ info->control.rates[i].count = 0;
-+ }
-+
-+ if (rate_flags & IEEE80211_TX_RC_MCS) {
-+ info->control.rates[0].idx = rate;
-+ } else {
-+ for (i = 0; i < sband->n_bitrates; i++) {
-+ if (rate * 5 != sband->bitrates[i].bitrate)
-+ continue;
-+
-+ info->control.rates[0].idx = i;
-+ break;
-+ }
-+ }
-+
-+ info->control.rates[0].flags = rate_flags;
-+ info->control.rates[0].count = min_t(u8, rate_retries + 1,
-+ local->hw.max_rate_tries);
-+ }
-+
- /*
- * remove the radiotap header
- * iterator->_max_length was sanity-checked against
-@@ -1819,7 +1887,7 @@ netdev_tx_t ieee80211_monitor_start_xmit
- IEEE80211_TX_CTL_INJECTED;
-
- /* process and remove the injection radiotap header */
-- if (!ieee80211_parse_tx_radiotap(skb))
-+ if (!ieee80211_parse_tx_radiotap(local, skb))
- goto fail;
-
- rcu_read_lock();
+++ /dev/null
-From: Felix Fietkau <nbd@openwrt.org>
-Date: Fri, 5 Feb 2016 01:38:51 +0100
-Subject: [PATCH] mac80211: add A-MSDU tx support
-
-Requires software tx queueing support. frag_list support (for zero-copy)
-is optional.
-
-Signed-off-by: Felix Fietkau <nbd@openwrt.org>
----
-
---- a/include/net/mac80211.h
-+++ b/include/net/mac80211.h
-@@ -709,6 +709,7 @@ enum mac80211_tx_info_flags {
- * @IEEE80211_TX_CTRL_PS_RESPONSE: This frame is a response to a poll
- * frame (PS-Poll or uAPSD).
- * @IEEE80211_TX_CTRL_RATE_INJECT: This frame is injected with rate information
-+ * @IEEE80211_TX_CTRL_AMSDU: This frame is an A-MSDU frame
- *
- * These flags are used in tx_info->control.flags.
- */
-@@ -716,6 +717,7 @@ enum mac80211_tx_control_flags {
- IEEE80211_TX_CTRL_PORT_CTRL_PROTO = BIT(0),
- IEEE80211_TX_CTRL_PS_RESPONSE = BIT(1),
- IEEE80211_TX_CTRL_RATE_INJECT = BIT(2),
-+ IEEE80211_TX_CTRL_AMSDU = BIT(3),
- };
-
- /*
-@@ -1728,6 +1730,7 @@ struct ieee80211_sta_rates {
- * size is min(max_amsdu_len, 7935) bytes.
- * Both additional HT limits must be enforced by the low level driver.
- * This is defined by the spec (IEEE 802.11-2012 section 8.3.2.2 NOTE 2).
-+ * @max_rc_amsdu_len: Maximum A-MSDU size in bytes recommended by rate control.
- * @txq: per-TID data TX queues (if driver uses the TXQ abstraction)
- */
- struct ieee80211_sta {
-@@ -1748,6 +1751,7 @@ struct ieee80211_sta {
- bool mfp;
- u8 max_amsdu_subframes;
- u16 max_amsdu_len;
-+ u16 max_rc_amsdu_len;
-
- struct ieee80211_txq *txq[IEEE80211_NUM_TIDS];
-
-@@ -1961,6 +1965,15 @@ struct ieee80211_txq {
- * order and does not need to manage its own reorder buffer or BA session
- * timeout.
- *
-+ * @IEEE80211_HW_TX_AMSDU: Hardware (or driver) supports software aggregated
-+ * A-MSDU frames. Requires software tx queueing and fast-xmit support.
-+ * When not using minstrel/minstrel_ht rate control, the driver should
-+ * limit the maximum A-MSDU size based on the current tx rate by setting
-+ * max_rc_amsdu_len in struct ieee80211_sta.
-+ *
-+ * @IEEE80211_HW_TX_FRAG_LIST: Hardware (or driver) supports sending frag_list
-+ * skbs, needed for zero-copy software A-MSDU.
-+ *
- * @NUM_IEEE80211_HW_FLAGS: number of hardware flags, used for sizing arrays
- */
- enum ieee80211_hw_flags {
-@@ -1998,6 +2011,8 @@ enum ieee80211_hw_flags {
- IEEE80211_HW_BEACON_TX_STATUS,
- IEEE80211_HW_NEEDS_UNIQUE_STA_ADDR,
- IEEE80211_HW_SUPPORTS_REORDERING_BUFFER,
-+ IEEE80211_HW_TX_AMSDU,
-+ IEEE80211_HW_TX_FRAG_LIST,
-
- /* keep last, obviously */
- NUM_IEEE80211_HW_FLAGS
-@@ -2070,6 +2085,9 @@ enum ieee80211_hw_flags {
- * size is smaller (an example is LinkSys WRT120N with FW v1.0.07
- * build 002 Jun 18 2012).
- *
-+ * @max_tx_fragments: maximum number of tx buffers per (A)-MSDU, sum
-+ * of 1 + skb_shinfo(skb)->nr_frags for each skb in the frag_list.
-+ *
- * @offchannel_tx_hw_queue: HW queue ID to use for offchannel TX
- * (if %IEEE80211_HW_QUEUE_CONTROL is set)
- *
-@@ -2124,6 +2142,7 @@ struct ieee80211_hw {
- u8 max_rate_tries;
- u8 max_rx_aggregation_subframes;
- u8 max_tx_aggregation_subframes;
-+ u8 max_tx_fragments;
- u8 offchannel_tx_hw_queue;
- u8 radiotap_mcs_details;
- u16 radiotap_vht_details;
---- a/net/mac80211/agg-tx.c
-+++ b/net/mac80211/agg-tx.c
-@@ -935,6 +935,7 @@ void ieee80211_process_addba_resp(struct
- size_t len)
- {
- struct tid_ampdu_tx *tid_tx;
-+ struct ieee80211_txq *txq;
- u16 capab, tid;
- u8 buf_size;
- bool amsdu;
-@@ -945,6 +946,10 @@ void ieee80211_process_addba_resp(struct
- buf_size = (capab & IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK) >> 6;
- buf_size = min(buf_size, local->hw.max_tx_aggregation_subframes);
-
-+ txq = sta->sta.txq[tid];
-+ if (!amsdu && txq)
-+ set_bit(IEEE80211_TXQ_NO_AMSDU, &to_txq_info(txq)->flags);
-+
- mutex_lock(&sta->ampdu_mlme.mtx);
-
- tid_tx = rcu_dereference_protected_tid_tx(sta, tid);
---- a/net/mac80211/debugfs.c
-+++ b/net/mac80211/debugfs.c
-@@ -127,6 +127,8 @@ static const char *hw_flag_names[NUM_IEE
- FLAG(BEACON_TX_STATUS),
- FLAG(NEEDS_UNIQUE_STA_ADDR),
- FLAG(SUPPORTS_REORDERING_BUFFER),
-+ FLAG(TX_AMSDU),
-+ FLAG(TX_FRAG_LIST),
-
- /* keep last for the build bug below */
- (void *)0x1
---- a/net/mac80211/ieee80211_i.h
-+++ b/net/mac80211/ieee80211_i.h
-@@ -799,6 +799,7 @@ struct mac80211_qos_map {
- enum txq_info_flags {
- IEEE80211_TXQ_STOP,
- IEEE80211_TXQ_AMPDU,
-+ IEEE80211_TXQ_NO_AMSDU,
- };
-
- struct txq_info {
---- a/net/mac80211/tx.c
-+++ b/net/mac80211/tx.c
-@@ -1318,6 +1318,10 @@ struct sk_buff *ieee80211_tx_dequeue(str
- out:
- spin_unlock_bh(&txqi->queue.lock);
-
-+ if (skb && skb_has_frag_list(skb) &&
-+ !ieee80211_hw_check(&local->hw, TX_FRAG_LIST))
-+ skb_linearize(skb);
-+
- return skb;
- }
- EXPORT_SYMBOL(ieee80211_tx_dequeue);
-@@ -2757,6 +2761,163 @@ void ieee80211_clear_fast_xmit(struct st
- kfree_rcu(fast_tx, rcu_head);
- }
-
-+static bool ieee80211_amsdu_realloc_pad(struct ieee80211_local *local,
-+ struct sk_buff *skb, int headroom,
-+ int *subframe_len)
-+{
-+ int amsdu_len = *subframe_len + sizeof(struct ethhdr);
-+ int padding = (4 - amsdu_len) & 3;
-+
-+ if (skb_headroom(skb) < headroom || skb_tailroom(skb) < padding) {
-+ I802_DEBUG_INC(local->tx_expand_skb_head);
-+
-+ if (pskb_expand_head(skb, headroom, padding, GFP_ATOMIC)) {
-+ wiphy_debug(local->hw.wiphy,
-+ "failed to reallocate TX buffer\n");
-+ return false;
-+ }
-+ }
-+
-+ if (padding) {
-+ *subframe_len += padding;
-+ memset(skb_put(skb, padding), 0, padding);
-+ }
-+
-+ return true;
-+}
-+
-+static bool ieee80211_amsdu_prepare_head(struct ieee80211_sub_if_data *sdata,
-+ struct ieee80211_fast_tx *fast_tx,
-+ struct sk_buff *skb)
-+{
-+ struct ieee80211_local *local = sdata->local;
-+ struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb);
-+ struct ieee80211_hdr *hdr;
-+ struct ethhdr amsdu_hdr;
-+ int hdr_len = fast_tx->hdr_len - sizeof(rfc1042_header);
-+ int subframe_len = skb->len - hdr_len;
-+ void *data;
-+ u8 *qc;
-+
-+ if (info->flags & IEEE80211_TX_CTL_RATE_CTRL_PROBE)
-+ return false;
-+
-+ if (info->control.flags & IEEE80211_TX_CTRL_AMSDU)
-+ return true;
-+
-+ if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(amsdu_hdr),
-+ &subframe_len))
-+ return false;
-+
-+ amsdu_hdr.h_proto = cpu_to_be16(subframe_len);
-+ memcpy(amsdu_hdr.h_source, skb->data + fast_tx->sa_offs, ETH_ALEN);
-+ memcpy(amsdu_hdr.h_dest, skb->data + fast_tx->da_offs, ETH_ALEN);
-+
-+ data = skb_push(skb, sizeof(amsdu_hdr));
-+ memmove(data, data + sizeof(amsdu_hdr), hdr_len);
-+ memcpy(data + hdr_len, &amsdu_hdr, sizeof(amsdu_hdr));
-+
-+ hdr = data;
-+ qc = ieee80211_get_qos_ctl(hdr);
-+ *qc |= IEEE80211_QOS_CTL_A_MSDU_PRESENT;
-+
-+ info->control.flags |= IEEE80211_TX_CTRL_AMSDU;
-+
-+ return true;
-+}
-+
-+static bool ieee80211_amsdu_aggregate(struct ieee80211_sub_if_data *sdata,
-+ struct sta_info *sta,
-+ struct ieee80211_fast_tx *fast_tx,
-+ struct sk_buff *skb)
-+{
-+ struct ieee80211_local *local = sdata->local;
-+ u8 tid = skb->priority & IEEE80211_QOS_CTL_TAG1D_MASK;
-+ struct ieee80211_txq *txq = sta->sta.txq[tid];
-+ struct txq_info *txqi;
-+ struct sk_buff **frag_tail, *head;
-+ int subframe_len = skb->len - ETH_ALEN;
-+ u8 max_subframes = sta->sta.max_amsdu_subframes;
-+ int max_frags = local->hw.max_tx_fragments;
-+ int max_amsdu_len = sta->sta.max_amsdu_len;
-+ __be16 len;
-+ void *data;
-+ bool ret = false;
-+ int n = 1, nfrags;
-+
-+ if (!ieee80211_hw_check(&local->hw, TX_AMSDU))
-+ return false;
-+
-+ if (!txq)
-+ return false;
-+
-+ txqi = to_txq_info(txq);
-+ if (test_bit(IEEE80211_TXQ_NO_AMSDU, &txqi->flags))
-+ return false;
-+
-+ if (sta->sta.max_rc_amsdu_len)
-+ max_amsdu_len = min_t(int, max_amsdu_len,
-+ sta->sta.max_rc_amsdu_len);
-+
-+ spin_lock_bh(&txqi->queue.lock);
-+
-+ head = skb_peek_tail(&txqi->queue);
-+ if (!head)
-+ goto out;
-+
-+ if (skb->len + head->len > max_amsdu_len)
-+ goto out;
-+
-+ /*
-+ * HT A-MPDU limits maximum MPDU size to 4095 bytes. Since aggregation
-+ * sessions are started/stopped without txq flush, use the limit here
-+ * to avoid having to de-aggregate later.
-+ */
-+ if (skb->len + head->len > 4095 &&
-+ !sta->sta.vht_cap.vht_supported)
-+ goto out;
-+
-+ if (!ieee80211_amsdu_prepare_head(sdata, fast_tx, head))
-+ goto out;
-+
-+ nfrags = 1 + skb_shinfo(skb)->nr_frags;
-+ nfrags += 1 + skb_shinfo(head)->nr_frags;
-+ frag_tail = &skb_shinfo(head)->frag_list;
-+ while (*frag_tail) {
-+ nfrags += 1 + skb_shinfo(*frag_tail)->nr_frags;
-+ frag_tail = &(*frag_tail)->next;
-+ n++;
-+ }
-+
-+ if (max_subframes && n > max_subframes)
-+ goto out;
-+
-+ if (max_frags && nfrags > max_frags)
-+ goto out;
-+
-+ if (!ieee80211_amsdu_realloc_pad(local, skb, sizeof(rfc1042_header) + 2,
-+ &subframe_len))
-+ return false;
-+
-+ ret = true;
-+ data = skb_push(skb, ETH_ALEN + 2);
-+ memmove(data, data + ETH_ALEN + 2, 2 * ETH_ALEN);
-+
-+ data += 2 * ETH_ALEN;
-+ len = cpu_to_be16(subframe_len);
-+ memcpy(data, &len, 2);
-+ memcpy(data + 2, rfc1042_header, sizeof(rfc1042_header));
-+
-+ head->len += skb->len;
-+ head->data_len += skb->len;
-+ *frag_tail = skb;
-+
-+out:
-+ spin_unlock_bh(&txqi->queue.lock);
-+
-+ return ret;
-+}
-+
- static bool ieee80211_xmit_fast(struct ieee80211_sub_if_data *sdata,
- struct net_device *dev, struct sta_info *sta,
- struct ieee80211_fast_tx *fast_tx,
-@@ -2811,6 +2972,10 @@ static bool ieee80211_xmit_fast(struct i
-
- ieee80211_tx_stats(dev, skb->len + extra_head);
-
-+ if ((hdr->frame_control & cpu_to_le16(IEEE80211_STYPE_QOS_DATA)) &&
-+ ieee80211_amsdu_aggregate(sdata, sta, fast_tx, skb))
-+ return true;
-+
- /* will not be crypto-handled beyond what we do here, so use false
- * as the may-encrypt argument for the resize to not account for
- * more room than we already have in 'extra_head'
+++ /dev/null
-From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>
-Date: Wed, 20 Jan 2016 16:46:04 +0100
-Subject: [PATCH] brcmfmac: fix setting primary channel for 80 MHz width
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-First of all it changes the way we calculate primary channel offset. If
-we use e.g. 80 MHz channel with primary frequency 5180 MHz (which means
-center frequency is 5210 MHz) it makes sense to calculate primary offset
-as -30 MHz.
-Then it fixes values we compare primary_offset with. We were comparing
-offset in MHz against -2 or 2 which was resulting in picking a wrong
-primary channel.
-
-Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -247,7 +247,7 @@ static u16 chandef_to_chanspec(struct br
- brcmf_dbg(TRACE, "chandef: control %d center %d width %d\n",
- ch->chan->center_freq, ch->center_freq1, ch->width);
- ch_inf.chnum = ieee80211_frequency_to_channel(ch->center_freq1);
-- primary_offset = ch->center_freq1 - ch->chan->center_freq;
-+ primary_offset = ch->chan->center_freq - ch->center_freq1;
- switch (ch->width) {
- case NL80211_CHAN_WIDTH_20:
- case NL80211_CHAN_WIDTH_20_NOHT:
-@@ -256,24 +256,21 @@ static u16 chandef_to_chanspec(struct br
- break;
- case NL80211_CHAN_WIDTH_40:
- ch_inf.bw = BRCMU_CHAN_BW_40;
-- if (primary_offset < 0)
-+ if (primary_offset > 0)
- ch_inf.sb = BRCMU_CHAN_SB_U;
- else
- ch_inf.sb = BRCMU_CHAN_SB_L;
- break;
- case NL80211_CHAN_WIDTH_80:
- ch_inf.bw = BRCMU_CHAN_BW_80;
-- if (primary_offset < 0) {
-- if (primary_offset < -CH_10MHZ_APART)
-- ch_inf.sb = BRCMU_CHAN_SB_UU;
-- else
-- ch_inf.sb = BRCMU_CHAN_SB_UL;
-- } else {
-- if (primary_offset > CH_10MHZ_APART)
-- ch_inf.sb = BRCMU_CHAN_SB_LL;
-- else
-- ch_inf.sb = BRCMU_CHAN_SB_LU;
-- }
-+ if (primary_offset == -30)
-+ ch_inf.sb = BRCMU_CHAN_SB_LL;
-+ else if (primary_offset == -10)
-+ ch_inf.sb = BRCMU_CHAN_SB_LU;
-+ else if (primary_offset == 10)
-+ ch_inf.sb = BRCMU_CHAN_SB_UL;
-+ else
-+ ch_inf.sb = BRCMU_CHAN_SB_UU;
- break;
- case NL80211_CHAN_WIDTH_80P80:
- case NL80211_CHAN_WIDTH_160:
+++ /dev/null
-From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>
-Date: Tue, 26 Jan 2016 17:57:01 +0100
-Subject: [PATCH] brcmfmac: analyze descriptors of current component only
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-So far we were looking for address descriptors without a check for
-crossing current component border. In case of dealing with unsupported
-descriptor or descriptor missing at all the code would incorrectly get
-data from another component.
-
-Consider this binary-described component from BCM4366 EROM:
-4bf83b01 TAG==CI CID==0x83b
-20080201 TAG==CI PORTS==0+1 WRAPPERS==0+1
-18400035 TAG==ADDR SZ_SZD TYPE_SLAVE
-00050000
-18107085 TAG==ADDR SZ_4K TYPE_SWRAP
-
-Driver was assigning invalid base address to this core:
-brcmfmac: [6 ] core 0x83b:32 base 0x18109000 wrap 0x18107000
-which came from totally different component defined in EROM:
-43b36701 TAG==CI CID==0x367
-00000201 TAG==CI PORTS==0+1 WRAPPERS==0+0
-18109005 TAG==ADDR SZ_4K TYPE_SLAVE
-
-This change will also allow us to support components without wrapper
-address in the future.
-
-Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
-@@ -803,7 +803,14 @@ static int brcmf_chip_dmp_get_regaddr(st
- *eromaddr -= 4;
- return -EFAULT;
- }
-- } while (desc != DMP_DESC_ADDRESS);
-+ } while (desc != DMP_DESC_ADDRESS &&
-+ desc != DMP_DESC_COMPONENT);
-+
-+ /* stop if we crossed current component border */
-+ if (desc == DMP_DESC_COMPONENT) {
-+ *eromaddr -= 4;
-+ return 0;
-+ }
-
- /* skip upper 32-bit address descriptor */
- if (val & DMP_DESC_ADDRSIZE_GT32)
+++ /dev/null
-From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>
-Date: Tue, 26 Jan 2016 17:57:02 +0100
-Subject: [PATCH] brcmfmac: allow storing PMU core without wrapper address
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Separated PMU core can be found in new devices and should be used for
-accessing PMU registers (which were routed through ChipCommon so far).
-This core is one of exceptions that doesn't have or need wrapper address
-to be still safely accessible.
-
-Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
-@@ -883,7 +883,8 @@ int brcmf_chip_dmp_erom_scan(struct brcm
- rev = (val & DMP_COMP_REVISION) >> DMP_COMP_REVISION_S;
-
- /* need core with ports */
-- if (nmw + nsw == 0)
-+ if (nmw + nsw == 0 &&
-+ id != BCMA_CORE_PMU)
- continue;
-
- /* try to obtain register address info */
+++ /dev/null
-From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>
-Date: Tue, 26 Jan 2016 17:57:03 +0100
-Subject: [PATCH] brcmfmac: read extended capabilities of ChipCommon core
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This is an extra bitfield with info about some present hardware.
-
-Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
-@@ -1025,6 +1025,9 @@ static int brcmf_chip_setup(struct brcmf
- /* get chipcommon capabilites */
- pub->cc_caps = chip->ops->read32(chip->ctx,
- CORE_CC_REG(base, capabilities));
-+ pub->cc_caps_ext = chip->ops->read32(chip->ctx,
-+ CORE_CC_REG(base,
-+ capabilities_ext));
-
- /* get pmu caps & rev */
- if (pub->cc_caps & CC_CAP_PMU) {
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.h
-@@ -27,6 +27,7 @@
- * @chip: chip identifier.
- * @chiprev: chip revision.
- * @cc_caps: chipcommon core capabilities.
-+ * @cc_caps_ext: chipcommon core extended capabilities.
- * @pmucaps: PMU capabilities.
- * @pmurev: PMU revision.
- * @rambase: RAM base address (only applicable for ARM CR4 chips).
-@@ -38,6 +39,7 @@ struct brcmf_chip {
- u32 chip;
- u32 chiprev;
- u32 cc_caps;
-+ u32 cc_caps_ext;
- u32 pmucaps;
- u32 pmurev;
- u32 rambase;
+++ /dev/null
-From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>
-Date: Tue, 26 Jan 2016 17:57:04 +0100
-Subject: [PATCH] brcmfmac: access PMU registers using standalone PMU core if
- available
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-On recent Broadcom chipsets PMU is present as separated core and it
-can't be accessed using ChipCommon anymore as it fails with e.g.:
-[ 18.198412] Unhandled fault: imprecise external abort (0x1406) at 0xb6da200f
-
-Add a new helper function that will return a proper core that should be
-used for accessing PMU registers.
-
-Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.c
-@@ -1014,6 +1014,7 @@ static int brcmf_chip_setup(struct brcmf
- {
- struct brcmf_chip *pub;
- struct brcmf_core_priv *cc;
-+ struct brcmf_core *pmu;
- u32 base;
- u32 val;
- int ret = 0;
-@@ -1030,9 +1031,10 @@ static int brcmf_chip_setup(struct brcmf
- capabilities_ext));
-
- /* get pmu caps & rev */
-+ pmu = brcmf_chip_get_pmu(pub); /* after reading cc_caps_ext */
- if (pub->cc_caps & CC_CAP_PMU) {
- val = chip->ops->read32(chip->ctx,
-- CORE_CC_REG(base, pmucapabilities));
-+ CORE_CC_REG(pmu->base, pmucapabilities));
- pub->pmurev = val & PCAP_REV_MASK;
- pub->pmucaps = val;
- }
-@@ -1131,6 +1133,23 @@ struct brcmf_core *brcmf_chip_get_chipco
- return &cc->pub;
- }
-
-+struct brcmf_core *brcmf_chip_get_pmu(struct brcmf_chip *pub)
-+{
-+ struct brcmf_core *cc = brcmf_chip_get_chipcommon(pub);
-+ struct brcmf_core *pmu;
-+
-+ /* See if there is separated PMU core available */
-+ if (cc->rev >= 35 &&
-+ pub->cc_caps_ext & BCMA_CC_CAP_EXT_AOB_PRESENT) {
-+ pmu = brcmf_chip_get_core(pub, BCMA_CORE_PMU);
-+ if (pmu)
-+ return pmu;
-+ }
-+
-+ /* Fallback to ChipCommon core for older hardware */
-+ return cc;
-+}
-+
- bool brcmf_chip_iscoreup(struct brcmf_core *pub)
- {
- struct brcmf_core_priv *core;
-@@ -1301,6 +1320,7 @@ bool brcmf_chip_sr_capable(struct brcmf_
- {
- u32 base, addr, reg, pmu_cc3_mask = ~0;
- struct brcmf_chip_priv *chip;
-+ struct brcmf_core *pmu = brcmf_chip_get_pmu(pub);
-
- brcmf_dbg(TRACE, "Enter\n");
-
-@@ -1320,9 +1340,9 @@ bool brcmf_chip_sr_capable(struct brcmf_
- case BRCM_CC_4335_CHIP_ID:
- case BRCM_CC_4339_CHIP_ID:
- /* read PMU chipcontrol register 3 */
-- addr = CORE_CC_REG(base, chipcontrol_addr);
-+ addr = CORE_CC_REG(pmu->base, chipcontrol_addr);
- chip->ops->write32(chip->ctx, addr, 3);
-- addr = CORE_CC_REG(base, chipcontrol_data);
-+ addr = CORE_CC_REG(pmu->base, chipcontrol_data);
- reg = chip->ops->read32(chip->ctx, addr);
- return (reg & pmu_cc3_mask) != 0;
- case BRCM_CC_43430_CHIP_ID:
-@@ -1330,12 +1350,12 @@ bool brcmf_chip_sr_capable(struct brcmf_
- reg = chip->ops->read32(chip->ctx, addr);
- return reg != 0;
- default:
-- addr = CORE_CC_REG(base, pmucapabilities_ext);
-+ addr = CORE_CC_REG(pmu->base, pmucapabilities_ext);
- reg = chip->ops->read32(chip->ctx, addr);
- if ((reg & PCAPEXT_SR_SUPPORTED_MASK) == 0)
- return false;
-
-- addr = CORE_CC_REG(base, retention_ctl);
-+ addr = CORE_CC_REG(pmu->base, retention_ctl);
- reg = chip->ops->read32(chip->ctx, addr);
- return (reg & (PMU_RCTL_MACPHY_DISABLE_MASK |
- PMU_RCTL_LOGIC_DISABLE_MASK)) == 0;
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/chip.h
-@@ -85,6 +85,7 @@ struct brcmf_chip *brcmf_chip_attach(voi
- void brcmf_chip_detach(struct brcmf_chip *chip);
- struct brcmf_core *brcmf_chip_get_core(struct brcmf_chip *chip, u16 coreid);
- struct brcmf_core *brcmf_chip_get_chipcommon(struct brcmf_chip *chip);
-+struct brcmf_core *brcmf_chip_get_pmu(struct brcmf_chip *pub);
- bool brcmf_chip_iscoreup(struct brcmf_core *core);
- void brcmf_chip_coredisable(struct brcmf_core *core, u32 prereset, u32 reset);
- void brcmf_chip_resetcore(struct brcmf_core *core, u32 prereset, u32 reset,
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
-@@ -3615,7 +3615,6 @@ brcmf_sdio_drivestrengthinit(struct brcm
- const struct sdiod_drive_str *str_tab = NULL;
- u32 str_mask;
- u32 str_shift;
-- u32 base;
- u32 i;
- u32 drivestrength_sel = 0;
- u32 cc_data_temp;
-@@ -3658,14 +3657,15 @@ brcmf_sdio_drivestrengthinit(struct brcm
- }
-
- if (str_tab != NULL) {
-+ struct brcmf_core *pmu = brcmf_chip_get_pmu(ci);
-+
- for (i = 0; str_tab[i].strength != 0; i++) {
- if (drivestrength >= str_tab[i].strength) {
- drivestrength_sel = str_tab[i].sel;
- break;
- }
- }
-- base = brcmf_chip_get_chipcommon(ci)->base;
-- addr = CORE_CC_REG(base, chipcontrol_addr);
-+ addr = CORE_CC_REG(pmu->base, chipcontrol_addr);
- brcmf_sdiod_regwl(sdiodev, addr, 1, NULL);
- cc_data_temp = brcmf_sdiod_regrl(sdiodev, addr, NULL);
- cc_data_temp &= ~str_mask;
-@@ -3835,8 +3835,7 @@ brcmf_sdio_probe_attach(struct brcmf_sdi
- goto fail;
-
- /* set PMUControl so a backplane reset does PMU state reload */
-- reg_addr = CORE_CC_REG(brcmf_chip_get_chipcommon(bus->ci)->base,
-- pmucontrol);
-+ reg_addr = CORE_CC_REG(brcmf_chip_get_pmu(bus->ci)->base, pmucontrol);
- reg_val = brcmf_sdiod_regrl(bus->sdiodev, reg_addr, &err);
- if (err)
- goto fail;
+++ /dev/null
-From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>
-Date: Tue, 26 Jan 2016 17:57:05 +0100
-Subject: [PATCH] brcmfmac: add support for 14e4:4365 PCI ID with BCM4366
- chipset
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-On Broadcom ARM routers BCM4366 cards are available with 14e4:4365 ID.
-Unfortunately this ID was already used by Broadcom for cards with
-BCM43142, a totally different chipset requiring SoftMAC driver. To avoid
-a conflict between brcmfmac and bcma use more specific ID entry with
-subvendor and subdevice specified.
-
-Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
-@@ -1951,6 +1951,9 @@ static const struct dev_pm_ops brcmf_pci
-
- #define BRCMF_PCIE_DEVICE(dev_id) { BRCM_PCIE_VENDOR_ID_BROADCOM, dev_id,\
- PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_NETWORK_OTHER << 8, 0xffff00, 0 }
-+#define BRCMF_PCIE_DEVICE_SUB(dev_id, subvend, subdev) { \
-+ BRCM_PCIE_VENDOR_ID_BROADCOM, dev_id,\
-+ subvend, subdev, PCI_CLASS_NETWORK_OTHER << 8, 0xffff00, 0 }
-
- static struct pci_device_id brcmf_pcie_devid_table[] = {
- BRCMF_PCIE_DEVICE(BRCM_PCIE_4350_DEVICE_ID),
-@@ -1966,6 +1969,7 @@ static struct pci_device_id brcmf_pcie_d
- BRCMF_PCIE_DEVICE(BRCM_PCIE_4365_DEVICE_ID),
- BRCMF_PCIE_DEVICE(BRCM_PCIE_4365_2G_DEVICE_ID),
- BRCMF_PCIE_DEVICE(BRCM_PCIE_4365_5G_DEVICE_ID),
-+ BRCMF_PCIE_DEVICE_SUB(0x4365, BRCM_PCIE_VENDOR_ID_BROADCOM, 0x4365),
- BRCMF_PCIE_DEVICE(BRCM_PCIE_4366_DEVICE_ID),
- BRCMF_PCIE_DEVICE(BRCM_PCIE_4366_2G_DEVICE_ID),
- BRCMF_PCIE_DEVICE(BRCM_PCIE_4366_5G_DEVICE_ID),
+++ /dev/null
-From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>
-Date: Sun, 31 Jan 2016 12:14:34 +0100
-Subject: [PATCH] brcmfmac: treat NULL character in NVRAM as separator
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Platform NVRAM (stored on a flash partition) has entries separated by a
-NULL (\0) char. Our parsing code switches from VALUE state to IDLE
-whenever it meets a NULL (\0). When that happens our IDLE handler should
-simply consume it and analyze whatever is placed ahead.
-
-This fixes harmless warnings spamming debugging output:
-[ 155.165624] brcmfmac: brcmf_nvram_handle_idle warning: ln=1:col=20: ignoring invalid character
-[ 155.180806] brcmfmac: brcmf_nvram_handle_idle warning: ln=1:col=44: ignoring invalid character
-[ 155.195971] brcmfmac: brcmf_nvram_handle_idle warning: ln=1:col=63: ignoring invalid character
-
-Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c
-@@ -93,7 +93,7 @@ static enum nvram_parser_state brcmf_nvr
- c = nvp->data[nvp->pos];
- if (c == '\n')
- return COMMENT;
-- if (is_whitespace(c))
-+ if (is_whitespace(c) || c == '\0')
- goto proceed;
- if (c == '#')
- return COMMENT;
+++ /dev/null
-From: Sjoerd Simons <sjoerd.simons@collabora.co.uk>
-Date: Mon, 25 Jan 2016 11:47:29 +0100
-Subject: [PATCH] brcmfmac: sdio: Increase the default timeouts a bit
-
-On a Radxa Rock2 board with a Ampak AP6335 (Broadcom 4339 core) it seems
-the card responds very quickly most of the time, unfortunately during
-initialisation it sometimes seems to take just a bit over 2 seconds to
-respond.
-
-This results intialization failing with message like:
- brcmf_c_preinit_dcmds: Retreiving cur_etheraddr failed, -52
- brcmf_bus_start: failed: -52
- brcmf_sdio_firmware_callback: dongle is not responding
-
-Increasing the timeout to allow for a bit more headroom allows the
-card to initialize reliably.
-
-A quick search online after diagnosing/fixing this showed that Google
-has a similar patch in their ChromeOS tree, so this doesn't seem
-specific to the board I'm using.
-
-Signed-off-by: Sjoerd Simons <sjoerd.simons@collabora.co.uk>
-Reviewed-by: Julian Calaby <julian.calaby@gmail.com>
-Acked-by: Arend van Spriel <arend@broadcom.com>
-Reviewed-by: Douglas Anderson <dianders@chromium.org>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
-@@ -45,8 +45,8 @@
- #include "chip.h"
- #include "firmware.h"
-
--#define DCMD_RESP_TIMEOUT msecs_to_jiffies(2000)
--#define CTL_DONE_TIMEOUT msecs_to_jiffies(2000)
-+#define DCMD_RESP_TIMEOUT msecs_to_jiffies(2500)
-+#define CTL_DONE_TIMEOUT msecs_to_jiffies(2500)
-
- #ifdef DEBUG
-
+++ /dev/null
-From: Miaoqing Pan <miaoqing@codeaurora.org>
-Date: Fri, 5 Feb 2016 09:45:50 +0800
-Subject: [PATCH] ath9k: make NF load complete quickly and reliably
-
-Make NF load complete quickly and reliably. NF load execution
-is delayed by HW to end of frame if frame Rx or Tx is ongoing.
-Increasing timeout to max frame duration. If NF cal is ongoing
-before NF load, stop it before load, and restart it afterwards.
-
-Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
----
-
---- a/drivers/net/wireless/ath/ath9k/calib.c
-+++ b/drivers/net/wireless/ath/ath9k/calib.c
-@@ -241,6 +241,7 @@ int ath9k_hw_loadnf(struct ath_hw *ah, s
- u8 chainmask = (ah->rxchainmask << 3) | ah->rxchainmask;
- struct ath_common *common = ath9k_hw_common(ah);
- s16 default_nf = ath9k_hw_get_default_nf(ah, chan);
-+ u32 bb_agc_ctl = REG_READ(ah, AR_PHY_AGC_CONTROL);
-
- if (ah->caldata)
- h = ah->caldata->nfCalHist;
-@@ -264,6 +265,16 @@ int ath9k_hw_loadnf(struct ath_hw *ah, s
- }
-
- /*
-+ * stop NF cal if ongoing to ensure NF load completes immediately
-+ * (or after end rx/tx frame if ongoing)
-+ */
-+ if (bb_agc_ctl & AR_PHY_AGC_CONTROL_NF) {
-+ REG_CLR_BIT(ah, AR_PHY_AGC_CONTROL, AR_PHY_AGC_CONTROL_NF);
-+ REG_RMW_BUFFER_FLUSH(ah);
-+ ENABLE_REG_RMW_BUFFER(ah);
-+ }
-+
-+ /*
- * Load software filtered NF value into baseband internal minCCApwr
- * variable.
- */
-@@ -276,18 +287,33 @@ int ath9k_hw_loadnf(struct ath_hw *ah, s
-
- /*
- * Wait for load to complete, should be fast, a few 10s of us.
-- * The max delay was changed from an original 250us to 10000us
-- * since 250us often results in NF load timeout and causes deaf
-- * condition during stress testing 12/12/2009
-+ * The max delay was changed from an original 250us to 22.2 msec.
-+ * This would increase timeout to the longest possible frame
-+ * (11n max length 22.1 msec)
- */
-- for (j = 0; j < 10000; j++) {
-+ for (j = 0; j < 22200; j++) {
- if ((REG_READ(ah, AR_PHY_AGC_CONTROL) &
-- AR_PHY_AGC_CONTROL_NF) == 0)
-+ AR_PHY_AGC_CONTROL_NF) == 0)
- break;
- udelay(10);
- }
-
- /*
-+ * Restart NF so it can continue.
-+ */
-+ if (bb_agc_ctl & AR_PHY_AGC_CONTROL_NF) {
-+ ENABLE_REG_RMW_BUFFER(ah);
-+ if (bb_agc_ctl & AR_PHY_AGC_CONTROL_ENABLE_NF)
-+ REG_SET_BIT(ah, AR_PHY_AGC_CONTROL,
-+ AR_PHY_AGC_CONTROL_ENABLE_NF);
-+ if (bb_agc_ctl & AR_PHY_AGC_CONTROL_NO_UPDATE_NF)
-+ REG_SET_BIT(ah, AR_PHY_AGC_CONTROL,
-+ AR_PHY_AGC_CONTROL_NO_UPDATE_NF);
-+ REG_SET_BIT(ah, AR_PHY_AGC_CONTROL, AR_PHY_AGC_CONTROL_NF);
-+ REG_RMW_BUFFER_FLUSH(ah);
-+ }
-+
-+ /*
- * We timed out waiting for the noisefloor to load, probably due to an
- * in-progress rx. Simply return here and allow the load plenty of time
- * to complete before the next calibration interval. We need to avoid
-@@ -296,7 +322,7 @@ int ath9k_hw_loadnf(struct ath_hw *ah, s
- * here, the baseband nf cal will just be capped by our present
- * noisefloor until the next calibration timer.
- */
-- if (j == 10000) {
-+ if (j == 22200) {
- ath_dbg(common, ANY,
- "Timeout while waiting for nf to load: AR_PHY_AGC_CONTROL=0x%x\n",
- REG_READ(ah, AR_PHY_AGC_CONTROL));
+++ /dev/null
-From: Henning Rogge <hrogge@gmail.com>
-Date: Wed, 3 Feb 2016 13:58:36 +0100
-Subject: [PATCH] mac80211: Remove MPP table entries with MPath
-
-Make the mesh_path_del() function remove all mpp table entries
-that are proxied by the removed mesh path.
-
-Acked-by: Bob Copeland <me@bobcopeland.com>
-Signed-off-by: Henning Rogge <henning.rogge@fkie.fraunhofer.de>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/net/mac80211/mesh_pathtbl.c
-+++ b/net/mac80211/mesh_pathtbl.c
-@@ -835,6 +835,29 @@ void mesh_path_flush_by_nexthop(struct s
- rcu_read_unlock();
- }
-
-+static void mpp_flush_by_proxy(struct ieee80211_sub_if_data *sdata,
-+ const u8 *proxy)
-+{
-+ struct mesh_table *tbl;
-+ struct mesh_path *mpp;
-+ struct mpath_node *node;
-+ int i;
-+
-+ rcu_read_lock();
-+ read_lock_bh(&pathtbl_resize_lock);
-+ tbl = resize_dereference_mpp_paths();
-+ for_each_mesh_entry(tbl, node, i) {
-+ mpp = node->mpath;
-+ if (ether_addr_equal(mpp->mpp, proxy)) {
-+ spin_lock(&tbl->hashwlock[i]);
-+ __mesh_path_del(tbl, node);
-+ spin_unlock(&tbl->hashwlock[i]);
-+ }
-+ }
-+ read_unlock_bh(&pathtbl_resize_lock);
-+ rcu_read_unlock();
-+}
-+
- static void table_flush_by_iface(struct mesh_table *tbl,
- struct ieee80211_sub_if_data *sdata)
- {
-@@ -892,6 +915,9 @@ int mesh_path_del(struct ieee80211_sub_i
- int hash_idx;
- int err = 0;
-
-+ /* flush relevant mpp entries first */
-+ mpp_flush_by_proxy(sdata, addr);
-+
- read_lock_bh(&pathtbl_resize_lock);
- tbl = resize_dereference_mesh_paths();
- hash_idx = mesh_table_hash(addr, sdata, tbl);
+++ /dev/null
-From: Henning Rogge <hrogge@gmail.com>
-Date: Wed, 3 Feb 2016 13:58:37 +0100
-Subject: [PATCH] mac80211: let unused MPP table entries timeout
-
-Remember the last time when a mpp table entry is used for
-rx or tx and remove them after MESH_PATH_EXPIRE time.
-
-Acked-by: Bob Copeland <me@bobcopeland.com>
-Signed-off-by: Henning Rogge <henning.rogge@fkie.fraunhofer.de>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/net/mac80211/mesh_pathtbl.c
-+++ b/net/mac80211/mesh_pathtbl.c
-@@ -942,6 +942,46 @@ enddel:
- }
-
- /**
-+ * mpp_path_del - delete a mesh proxy path from the table
-+ *
-+ * @addr: addr address (ETH_ALEN length)
-+ * @sdata: local subif
-+ *
-+ * Returns: 0 if successful
-+ */
-+static int mpp_path_del(struct ieee80211_sub_if_data *sdata, const u8 *addr)
-+{
-+ struct mesh_table *tbl;
-+ struct mesh_path *mpath;
-+ struct mpath_node *node;
-+ struct hlist_head *bucket;
-+ int hash_idx;
-+ int err = 0;
-+
-+ read_lock_bh(&pathtbl_resize_lock);
-+ tbl = resize_dereference_mpp_paths();
-+ hash_idx = mesh_table_hash(addr, sdata, tbl);
-+ bucket = &tbl->hash_buckets[hash_idx];
-+
-+ spin_lock(&tbl->hashwlock[hash_idx]);
-+ hlist_for_each_entry(node, bucket, list) {
-+ mpath = node->mpath;
-+ if (mpath->sdata == sdata &&
-+ ether_addr_equal(addr, mpath->dst)) {
-+ __mesh_path_del(tbl, node);
-+ goto enddel;
-+ }
-+ }
-+
-+ err = -ENXIO;
-+enddel:
-+ mesh_paths_generation++;
-+ spin_unlock(&tbl->hashwlock[hash_idx]);
-+ read_unlock_bh(&pathtbl_resize_lock);
-+ return err;
-+}
-+
-+/**
- * mesh_path_tx_pending - sends pending frames in a mesh path queue
- *
- * @mpath: mesh path to activate
-@@ -1157,6 +1197,17 @@ void mesh_path_expire(struct ieee80211_s
- time_after(jiffies, mpath->exp_time + MESH_PATH_EXPIRE))
- mesh_path_del(mpath->sdata, mpath->dst);
- }
-+
-+ tbl = rcu_dereference(mpp_paths);
-+ for_each_mesh_entry(tbl, node, i) {
-+ if (node->mpath->sdata != sdata)
-+ continue;
-+ mpath = node->mpath;
-+ if ((!(mpath->flags & MESH_PATH_FIXED)) &&
-+ time_after(jiffies, mpath->exp_time + MESH_PATH_EXPIRE))
-+ mpp_path_del(mpath->sdata, mpath->dst);
-+ }
-+
- rcu_read_unlock();
- }
-
---- a/net/mac80211/rx.c
-+++ b/net/mac80211/rx.c
-@@ -2291,6 +2291,7 @@ ieee80211_rx_h_mesh_fwding(struct ieee80
- spin_lock_bh(&mppath->state_lock);
- if (!ether_addr_equal(mppath->mpp, mpp_addr))
- memcpy(mppath->mpp, mpp_addr, ETH_ALEN);
-+ mppath->exp_time = jiffies;
- spin_unlock_bh(&mppath->state_lock);
- }
- rcu_read_unlock();
---- a/net/mac80211/tx.c
-+++ b/net/mac80211/tx.c
-@@ -2171,8 +2171,11 @@ static struct sk_buff *ieee80211_build_h
- mpp_lookup = true;
- }
-
-- if (mpp_lookup)
-+ if (mpp_lookup) {
- mppath = mpp_path_lookup(sdata, skb->data);
-+ if (mppath)
-+ mppath->exp_time = jiffies;
-+ }
-
- if (mppath && mpath)
- mesh_path_del(mpath->sdata, mpath->dst);
+++ /dev/null
-From: Henning Rogge <hrogge@gmail.com>
-Date: Wed, 3 Feb 2016 13:58:38 +0100
-Subject: [PATCH] mac80211: Unify mesh and mpp path removal function
-
-mpp_path_del() and mesh_path_del() are mostly the same function.
-Move common code into a new static function.
-
-Acked-by: Bob Copeland <me@bobcopeland.com>
-Signed-off-by: Henning Rogge <henning.rogge@fkie.fraunhofer.de>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/net/mac80211/mesh_pathtbl.c
-+++ b/net/mac80211/mesh_pathtbl.c
-@@ -55,16 +55,21 @@ int mpp_paths_generation;
- static DEFINE_RWLOCK(pathtbl_resize_lock);
-
-
-+static inline struct mesh_table *resize_dereference_paths(
-+ struct mesh_table __rcu *table)
-+{
-+ return rcu_dereference_protected(table,
-+ lockdep_is_held(&pathtbl_resize_lock));
-+}
-+
- static inline struct mesh_table *resize_dereference_mesh_paths(void)
- {
-- return rcu_dereference_protected(mesh_paths,
-- lockdep_is_held(&pathtbl_resize_lock));
-+ return resize_dereference_paths(mesh_paths);
- }
-
- static inline struct mesh_table *resize_dereference_mpp_paths(void)
- {
-- return rcu_dereference_protected(mpp_paths,
-- lockdep_is_held(&pathtbl_resize_lock));
-+ return resize_dereference_paths(mpp_paths);
- }
-
- /*
-@@ -899,14 +904,17 @@ void mesh_path_flush_by_iface(struct iee
- }
-
- /**
-- * mesh_path_del - delete a mesh path from the table
-+ * table_path_del - delete a path from the mesh or mpp table
- *
-- * @addr: dst address (ETH_ALEN length)
-+ * @tbl: mesh or mpp path table
- * @sdata: local subif
-+ * @addr: dst address (ETH_ALEN length)
- *
- * Returns: 0 if successful
- */
--int mesh_path_del(struct ieee80211_sub_if_data *sdata, const u8 *addr)
-+static int table_path_del(struct mesh_table __rcu *rcu_tbl,
-+ struct ieee80211_sub_if_data *sdata,
-+ const u8 *addr)
- {
- struct mesh_table *tbl;
- struct mesh_path *mpath;
-@@ -915,11 +923,7 @@ int mesh_path_del(struct ieee80211_sub_i
- int hash_idx;
- int err = 0;
-
-- /* flush relevant mpp entries first */
-- mpp_flush_by_proxy(sdata, addr);
--
-- read_lock_bh(&pathtbl_resize_lock);
-- tbl = resize_dereference_mesh_paths();
-+ tbl = resize_dereference_paths(rcu_tbl);
- hash_idx = mesh_table_hash(addr, sdata, tbl);
- bucket = &tbl->hash_buckets[hash_idx];
-
-@@ -935,9 +939,30 @@ int mesh_path_del(struct ieee80211_sub_i
-
- err = -ENXIO;
- enddel:
-- mesh_paths_generation++;
- spin_unlock(&tbl->hashwlock[hash_idx]);
-+ return err;
-+}
-+
-+/**
-+ * mesh_path_del - delete a mesh path from the table
-+ *
-+ * @addr: dst address (ETH_ALEN length)
-+ * @sdata: local subif
-+ *
-+ * Returns: 0 if successful
-+ */
-+int mesh_path_del(struct ieee80211_sub_if_data *sdata, const u8 *addr)
-+{
-+ int err = 0;
-+
-+ /* flush relevant mpp entries first */
-+ mpp_flush_by_proxy(sdata, addr);
-+
-+ read_lock_bh(&pathtbl_resize_lock);
-+ err = table_path_del(mesh_paths, sdata, addr);
-+ mesh_paths_generation++;
- read_unlock_bh(&pathtbl_resize_lock);
-+
- return err;
- }
-
-@@ -951,33 +976,13 @@ enddel:
- */
- static int mpp_path_del(struct ieee80211_sub_if_data *sdata, const u8 *addr)
- {
-- struct mesh_table *tbl;
-- struct mesh_path *mpath;
-- struct mpath_node *node;
-- struct hlist_head *bucket;
-- int hash_idx;
- int err = 0;
-
- read_lock_bh(&pathtbl_resize_lock);
-- tbl = resize_dereference_mpp_paths();
-- hash_idx = mesh_table_hash(addr, sdata, tbl);
-- bucket = &tbl->hash_buckets[hash_idx];
--
-- spin_lock(&tbl->hashwlock[hash_idx]);
-- hlist_for_each_entry(node, bucket, list) {
-- mpath = node->mpath;
-- if (mpath->sdata == sdata &&
-- ether_addr_equal(addr, mpath->dst)) {
-- __mesh_path_del(tbl, node);
-- goto enddel;
-- }
-- }
--
-- err = -ENXIO;
--enddel:
-- mesh_paths_generation++;
-- spin_unlock(&tbl->hashwlock[hash_idx]);
-+ err = table_path_del(mpp_paths, sdata, addr);
-+ mpp_paths_generation++;
- read_unlock_bh(&pathtbl_resize_lock);
-+
- return err;
- }
-
+++ /dev/null
-From: Sven Eckelmann <sven.eckelmann@open-mesh.com>
-Date: Tue, 2 Feb 2016 08:12:26 +0100
-Subject: [PATCH] mac80211: minstrel: Change expected throughput unit back to
- Kbps
-
-The change from cur_tp to the function
-minstrel_get_tp_avg/minstrel_ht_get_tp_avg changed the unit used for the
-current throughput. For example in minstrel_ht the correct
-conversion between them would be:
-
- mrs->cur_tp / 10 == minstrel_ht_get_tp_avg(..).
-
-This factor 10 must also be included in the calculation of
-minstrel_get_expected_throughput and minstrel_ht_get_expected_throughput to
-return values with the unit [Kbps] instead of [10Kbps]. Otherwise routing
-algorithms like B.A.T.M.A.N. V will make incorrect decision based on these
-values. Its kernel based implementation expects expected_throughput always
-to have the unit [Kbps] and not sometimes [10Kbps] and sometimes [Kbps].
-
-The same requirement has iw or olsrdv2's nl80211 based statistics module
-which retrieve the same data via NL80211_STA_INFO_TX_BITRATE.
-
-Cc: stable@vger.kernel.org
-Fixes: 6a27b2c40b48 ("mac80211: restructure per-rate throughput calculation into function")
-Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/net/mac80211/rc80211_minstrel.c
-+++ b/net/mac80211/rc80211_minstrel.c
-@@ -711,7 +711,7 @@ static u32 minstrel_get_expected_through
- * computing cur_tp
- */
- tmp_mrs = &mi->r[idx].stats;
-- tmp_cur_tp = minstrel_get_tp_avg(&mi->r[idx], tmp_mrs->prob_ewma);
-+ tmp_cur_tp = minstrel_get_tp_avg(&mi->r[idx], tmp_mrs->prob_ewma) * 10;
- tmp_cur_tp = tmp_cur_tp * 1200 * 8 / 1024;
-
- return tmp_cur_tp;
---- a/net/mac80211/rc80211_minstrel_ht.c
-+++ b/net/mac80211/rc80211_minstrel_ht.c
-@@ -1335,7 +1335,8 @@ static u32 minstrel_ht_get_expected_thro
- prob = mi->groups[i].rates[j].prob_ewma;
-
- /* convert tp_avg from pkt per second in kbps */
-- tp_avg = minstrel_ht_get_tp_avg(mi, i, j, prob) * AVG_PKT_SIZE * 8 / 1024;
-+ tp_avg = minstrel_ht_get_tp_avg(mi, i, j, prob) * 10;
-+ tp_avg = tp_avg * AVG_PKT_SIZE * 8 / 1024;
-
- return tp_avg;
- }
+++ /dev/null
-From: Hante Meuleman <meuleman@broadcom.com>
-Date: Sun, 7 Feb 2016 18:08:24 +0100
-Subject: [PATCH] brcmfmac: Increase nr of supported flowrings.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-New generation devices have firmware which has more than 256 flowrings.
-E.g. following debugging message comes from 14e4:4365 BCM4366:
-[ 194.606245] brcmfmac: brcmf_pcie_init_ringbuffers Nr of flowrings is 264
-
-At various code places (related to flowrings) we were using u8 which
-could lead to storing wrong number or infinite loops when indexing with
-this type. This issue was quite easy to spot in brcmf_flowring_detach
-where it led to infinite loop e.g. on failed initialization.
-
-This patch switches code to proper types and increases the maximum
-number of supported flowrings to 512.
-
-Originally this change was sent in September 2015, but back it was
-causing a regression on BCM43602 resulting in:
-Unable to handle kernel NULL pointer dereference at virtual address ...
-
-The reason for this regression was missing update (s/u8/u16) of struct
-brcmf_flowring_ring. This problem was handled in 9f64df9 ("brcmfmac: Fix
-bug in flowring management."). Starting with that it's safe to apply
-this original patch as it doesn't cause a regression anymore.
-
-This patch fixes an infinite loop on BCM4366 which is supported since
-4.4 so it makes sense to apply it to stable 4.4+.
-
-Cc: <stable@vger.kernel.org> # 4.4+
-Reviewed-by: Arend Van Spriel <arend@broadcom.com>
-Reviewed-by: Franky (Zhenhui) Lin <frankyl@broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
-Signed-off-by: Hante Meuleman <meuleman@broadcom.com>
-Signed-off-by: Arend van Spriel <arend@broadcom.com>
-Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/flowring.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/flowring.c
-@@ -32,7 +32,7 @@
- #define BRCMF_FLOWRING_LOW (BRCMF_FLOWRING_HIGH - 256)
- #define BRCMF_FLOWRING_INVALID_IFIDX 0xff
-
--#define BRCMF_FLOWRING_HASH_AP(da, fifo, ifidx) (da[5] + fifo + ifidx * 16)
-+#define BRCMF_FLOWRING_HASH_AP(da, fifo, ifidx) (da[5] * 2 + fifo + ifidx * 16)
- #define BRCMF_FLOWRING_HASH_STA(fifo, ifidx) (fifo + ifidx * 16)
-
- static const u8 brcmf_flowring_prio2fifo[] = {
-@@ -68,7 +68,7 @@ u32 brcmf_flowring_lookup(struct brcmf_f
- u8 prio, u8 ifidx)
- {
- struct brcmf_flowring_hash *hash;
-- u8 hash_idx;
-+ u16 hash_idx;
- u32 i;
- bool found;
- bool sta;
-@@ -88,6 +88,7 @@ u32 brcmf_flowring_lookup(struct brcmf_f
- }
- hash_idx = sta ? BRCMF_FLOWRING_HASH_STA(fifo, ifidx) :
- BRCMF_FLOWRING_HASH_AP(mac, fifo, ifidx);
-+ hash_idx &= (BRCMF_FLOWRING_HASHSIZE - 1);
- found = false;
- hash = flow->hash;
- for (i = 0; i < BRCMF_FLOWRING_HASHSIZE; i++) {
-@@ -98,6 +99,7 @@ u32 brcmf_flowring_lookup(struct brcmf_f
- break;
- }
- hash_idx++;
-+ hash_idx &= (BRCMF_FLOWRING_HASHSIZE - 1);
- }
- if (found)
- return hash[hash_idx].flowid;
-@@ -111,7 +113,7 @@ u32 brcmf_flowring_create(struct brcmf_f
- {
- struct brcmf_flowring_ring *ring;
- struct brcmf_flowring_hash *hash;
-- u8 hash_idx;
-+ u16 hash_idx;
- u32 i;
- bool found;
- u8 fifo;
-@@ -131,6 +133,7 @@ u32 brcmf_flowring_create(struct brcmf_f
- }
- hash_idx = sta ? BRCMF_FLOWRING_HASH_STA(fifo, ifidx) :
- BRCMF_FLOWRING_HASH_AP(mac, fifo, ifidx);
-+ hash_idx &= (BRCMF_FLOWRING_HASHSIZE - 1);
- found = false;
- hash = flow->hash;
- for (i = 0; i < BRCMF_FLOWRING_HASHSIZE; i++) {
-@@ -140,6 +143,7 @@ u32 brcmf_flowring_create(struct brcmf_f
- break;
- }
- hash_idx++;
-+ hash_idx &= (BRCMF_FLOWRING_HASHSIZE - 1);
- }
- if (found) {
- for (i = 0; i < flow->nrofrings; i++) {
-@@ -169,7 +173,7 @@ u32 brcmf_flowring_create(struct brcmf_f
- }
-
-
--u8 brcmf_flowring_tid(struct brcmf_flowring *flow, u8 flowid)
-+u8 brcmf_flowring_tid(struct brcmf_flowring *flow, u16 flowid)
- {
- struct brcmf_flowring_ring *ring;
-
-@@ -179,7 +183,7 @@ u8 brcmf_flowring_tid(struct brcmf_flowr
- }
-
-
--static void brcmf_flowring_block(struct brcmf_flowring *flow, u8 flowid,
-+static void brcmf_flowring_block(struct brcmf_flowring *flow, u16 flowid,
- bool blocked)
- {
- struct brcmf_flowring_ring *ring;
-@@ -228,10 +232,10 @@ static void brcmf_flowring_block(struct
- }
-
-
--void brcmf_flowring_delete(struct brcmf_flowring *flow, u8 flowid)
-+void brcmf_flowring_delete(struct brcmf_flowring *flow, u16 flowid)
- {
- struct brcmf_flowring_ring *ring;
-- u8 hash_idx;
-+ u16 hash_idx;
- struct sk_buff *skb;
-
- ring = flow->rings[flowid];
-@@ -253,7 +257,7 @@ void brcmf_flowring_delete(struct brcmf_
- }
-
-
--u32 brcmf_flowring_enqueue(struct brcmf_flowring *flow, u8 flowid,
-+u32 brcmf_flowring_enqueue(struct brcmf_flowring *flow, u16 flowid,
- struct sk_buff *skb)
- {
- struct brcmf_flowring_ring *ring;
-@@ -279,7 +283,7 @@ u32 brcmf_flowring_enqueue(struct brcmf_
- }
-
-
--struct sk_buff *brcmf_flowring_dequeue(struct brcmf_flowring *flow, u8 flowid)
-+struct sk_buff *brcmf_flowring_dequeue(struct brcmf_flowring *flow, u16 flowid)
- {
- struct brcmf_flowring_ring *ring;
- struct sk_buff *skb;
-@@ -300,7 +304,7 @@ struct sk_buff *brcmf_flowring_dequeue(s
- }
-
-
--void brcmf_flowring_reinsert(struct brcmf_flowring *flow, u8 flowid,
-+void brcmf_flowring_reinsert(struct brcmf_flowring *flow, u16 flowid,
- struct sk_buff *skb)
- {
- struct brcmf_flowring_ring *ring;
-@@ -311,7 +315,7 @@ void brcmf_flowring_reinsert(struct brcm
- }
-
-
--u32 brcmf_flowring_qlen(struct brcmf_flowring *flow, u8 flowid)
-+u32 brcmf_flowring_qlen(struct brcmf_flowring *flow, u16 flowid)
- {
- struct brcmf_flowring_ring *ring;
-
-@@ -326,7 +330,7 @@ u32 brcmf_flowring_qlen(struct brcmf_flo
- }
-
-
--void brcmf_flowring_open(struct brcmf_flowring *flow, u8 flowid)
-+void brcmf_flowring_open(struct brcmf_flowring *flow, u16 flowid)
- {
- struct brcmf_flowring_ring *ring;
-
-@@ -340,10 +344,10 @@ void brcmf_flowring_open(struct brcmf_fl
- }
-
-
--u8 brcmf_flowring_ifidx_get(struct brcmf_flowring *flow, u8 flowid)
-+u8 brcmf_flowring_ifidx_get(struct brcmf_flowring *flow, u16 flowid)
- {
- struct brcmf_flowring_ring *ring;
-- u8 hash_idx;
-+ u16 hash_idx;
-
- ring = flow->rings[flowid];
- hash_idx = ring->hash_id;
-@@ -384,7 +388,7 @@ void brcmf_flowring_detach(struct brcmf_
- struct brcmf_pub *drvr = bus_if->drvr;
- struct brcmf_flowring_tdls_entry *search;
- struct brcmf_flowring_tdls_entry *remove;
-- u8 flowid;
-+ u16 flowid;
-
- for (flowid = 0; flowid < flow->nrofrings; flowid++) {
- if (flow->rings[flowid])
-@@ -408,7 +412,7 @@ void brcmf_flowring_configure_addr_mode(
- struct brcmf_bus *bus_if = dev_get_drvdata(flow->dev);
- struct brcmf_pub *drvr = bus_if->drvr;
- u32 i;
-- u8 flowid;
-+ u16 flowid;
-
- if (flow->addr_mode[ifidx] != addr_mode) {
- for (i = 0; i < ARRAY_SIZE(flow->hash); i++) {
-@@ -434,7 +438,7 @@ void brcmf_flowring_delete_peer(struct b
- struct brcmf_flowring_tdls_entry *prev;
- struct brcmf_flowring_tdls_entry *search;
- u32 i;
-- u8 flowid;
-+ u16 flowid;
- bool sta;
-
- sta = (flow->addr_mode[ifidx] == ADDR_INDIRECT);
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/flowring.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/flowring.h
-@@ -16,7 +16,7 @@
- #define BRCMFMAC_FLOWRING_H
-
-
--#define BRCMF_FLOWRING_HASHSIZE 256
-+#define BRCMF_FLOWRING_HASHSIZE 512 /* has to be 2^x */
- #define BRCMF_FLOWRING_INVALID_ID 0xFFFFFFFF
-
-
-@@ -24,7 +24,7 @@ struct brcmf_flowring_hash {
- u8 mac[ETH_ALEN];
- u8 fifo;
- u8 ifidx;
-- u8 flowid;
-+ u16 flowid;
- };
-
- enum ring_status {
-@@ -61,16 +61,16 @@ u32 brcmf_flowring_lookup(struct brcmf_f
- u8 prio, u8 ifidx);
- u32 brcmf_flowring_create(struct brcmf_flowring *flow, u8 da[ETH_ALEN],
- u8 prio, u8 ifidx);
--void brcmf_flowring_delete(struct brcmf_flowring *flow, u8 flowid);
--void brcmf_flowring_open(struct brcmf_flowring *flow, u8 flowid);
--u8 brcmf_flowring_tid(struct brcmf_flowring *flow, u8 flowid);
--u32 brcmf_flowring_enqueue(struct brcmf_flowring *flow, u8 flowid,
-+void brcmf_flowring_delete(struct brcmf_flowring *flow, u16 flowid);
-+void brcmf_flowring_open(struct brcmf_flowring *flow, u16 flowid);
-+u8 brcmf_flowring_tid(struct brcmf_flowring *flow, u16 flowid);
-+u32 brcmf_flowring_enqueue(struct brcmf_flowring *flow, u16 flowid,
- struct sk_buff *skb);
--struct sk_buff *brcmf_flowring_dequeue(struct brcmf_flowring *flow, u8 flowid);
--void brcmf_flowring_reinsert(struct brcmf_flowring *flow, u8 flowid,
-+struct sk_buff *brcmf_flowring_dequeue(struct brcmf_flowring *flow, u16 flowid);
-+void brcmf_flowring_reinsert(struct brcmf_flowring *flow, u16 flowid,
- struct sk_buff *skb);
--u32 brcmf_flowring_qlen(struct brcmf_flowring *flow, u8 flowid);
--u8 brcmf_flowring_ifidx_get(struct brcmf_flowring *flow, u8 flowid);
-+u32 brcmf_flowring_qlen(struct brcmf_flowring *flow, u16 flowid);
-+u8 brcmf_flowring_ifidx_get(struct brcmf_flowring *flow, u16 flowid);
- struct brcmf_flowring *brcmf_flowring_attach(struct device *dev, u16 nrofrings);
- void brcmf_flowring_detach(struct brcmf_flowring *flow);
- void brcmf_flowring_configure_addr_mode(struct brcmf_flowring *flow, int ifidx,
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
-@@ -677,7 +677,7 @@ static u32 brcmf_msgbuf_flowring_create(
- }
-
-
--static void brcmf_msgbuf_txflow(struct brcmf_msgbuf *msgbuf, u8 flowid)
-+static void brcmf_msgbuf_txflow(struct brcmf_msgbuf *msgbuf, u16 flowid)
- {
- struct brcmf_flowring *flow = msgbuf->flow;
- struct brcmf_commonring *commonring;
-@@ -1310,7 +1310,7 @@ int brcmf_proto_msgbuf_rx_trigger(struct
- }
-
-
--void brcmf_msgbuf_delete_flowring(struct brcmf_pub *drvr, u8 flowid)
-+void brcmf_msgbuf_delete_flowring(struct brcmf_pub *drvr, u16 flowid)
- {
- struct brcmf_msgbuf *msgbuf = (struct brcmf_msgbuf *)drvr->proto->pd;
- struct msgbuf_tx_flowring_delete_req *delete;
-@@ -1415,6 +1415,13 @@ int brcmf_proto_msgbuf_attach(struct brc
- u32 count;
-
- if_msgbuf = drvr->bus_if->msgbuf;
-+
-+ if (if_msgbuf->nrof_flowrings >= BRCMF_FLOWRING_HASHSIZE) {
-+ brcmf_err("driver not configured for this many flowrings %d\n",
-+ if_msgbuf->nrof_flowrings);
-+ if_msgbuf->nrof_flowrings = BRCMF_FLOWRING_HASHSIZE - 1;
-+ }
-+
- msgbuf = kzalloc(sizeof(*msgbuf), GFP_KERNEL);
- if (!msgbuf)
- goto fail;
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.h
-@@ -33,7 +33,7 @@
-
-
- int brcmf_proto_msgbuf_rx_trigger(struct device *dev);
--void brcmf_msgbuf_delete_flowring(struct brcmf_pub *drvr, u8 flowid);
-+void brcmf_msgbuf_delete_flowring(struct brcmf_pub *drvr, u16 flowid);
- int brcmf_proto_msgbuf_attach(struct brcmf_pub *drvr);
- void brcmf_proto_msgbuf_detach(struct brcmf_pub *drvr);
- #else
+++ /dev/null
-From: Felix Fietkau <nbd@openwrt.org>
-Date: Mon, 8 Feb 2016 14:24:36 +0100
-Subject: [PATCH] cfg80211: fix faulty variable initialization in
- ieee80211_amsdu_to_8023s
-
-reuse_skb is set to true if the code decides to use the last segment.
-Fixes a memory leak
-
-Signed-off-by: Felix Fietkau <nbd@openwrt.org>
----
-
---- a/net/wireless/util.c
-+++ b/net/wireless/util.c
-@@ -676,7 +676,7 @@ void ieee80211_amsdu_to_8023s(struct sk_
- u8 *payload;
- int offset = 0, remaining, err;
- struct ethhdr eth;
-- bool reuse_skb = true;
-+ bool reuse_skb = false;
- bool last = false;
-
- if (has_80211_header) {
+++ /dev/null
-From: Felix Fietkau <nbd@openwrt.org>
-Date: Mon, 8 Feb 2016 14:33:19 +0100
-Subject: [PATCH] cfg80211: reuse existing page fragments in A-MSDU rx
-
-This massively reduces data copying and thus improves rx performance
-
-Signed-off-by: Felix Fietkau <nbd@openwrt.org>
----
-
---- a/net/wireless/util.c
-+++ b/net/wireless/util.c
-@@ -644,23 +644,93 @@ int ieee80211_data_from_8023(struct sk_b
- }
- EXPORT_SYMBOL(ieee80211_data_from_8023);
-
-+static void
-+__frame_add_frag(struct sk_buff *skb, struct page *page,
-+ void *ptr, int len, int size)
-+{
-+ struct skb_shared_info *sh = skb_shinfo(skb);
-+ int page_offset;
-+
-+ atomic_inc(&page->_count);
-+ page_offset = ptr - page_address(page);
-+ skb_add_rx_frag(skb, sh->nr_frags, page, page_offset, len, size);
-+}
-+
-+static void
-+__ieee80211_amsdu_copy_frag(struct sk_buff *skb, struct sk_buff *frame,
-+ int offset, int len)
-+{
-+ struct skb_shared_info *sh = skb_shinfo(skb);
-+ const skb_frag_t *frag = &sh->frags[-1];
-+ struct page *frag_page;
-+ void *frag_ptr;
-+ int frag_len, frag_size;
-+ int head_size = skb->len - skb->data_len;
-+ int cur_len;
-+
-+ frag_page = virt_to_head_page(skb->head);
-+ frag_ptr = skb->data;
-+ frag_size = head_size;
-+
-+ while (offset >= frag_size) {
-+ offset -= frag_size;
-+ frag++;
-+ frag_page = skb_frag_page(frag);
-+ frag_ptr = skb_frag_address(frag);
-+ frag_size = skb_frag_size(frag);
-+ }
-+
-+ frag_ptr += offset;
-+ frag_len = frag_size - offset;
-+
-+ cur_len = min(len, frag_len);
-+
-+ __frame_add_frag(frame, frag_page, frag_ptr, cur_len, frag_size);
-+ len -= cur_len;
-+
-+ while (len > 0) {
-+ frag++;
-+ frag_len = skb_frag_size(frag);
-+ cur_len = min(len, frag_len);
-+ __frame_add_frag(frame, skb_frag_page(frag),
-+ skb_frag_address(frag), cur_len, frag_len);
-+ len -= cur_len;
-+ }
-+}
-+
- static struct sk_buff *
- __ieee80211_amsdu_copy(struct sk_buff *skb, unsigned int hlen,
-- int offset, int len)
-+ int offset, int len, bool reuse_frag)
- {
- struct sk_buff *frame;
-+ int cur_len = len;
-
- if (skb->len - offset < len)
- return NULL;
-
- /*
-+ * When reusing framents, copy some data to the head to simplify
-+ * ethernet header handling and speed up protocol header processing
-+ * in the stack later.
-+ */
-+ if (reuse_frag)
-+ cur_len = min_t(int, len, 32);
-+
-+ /*
- * Allocate and reserve two bytes more for payload
- * alignment since sizeof(struct ethhdr) is 14.
- */
-- frame = dev_alloc_skb(hlen + sizeof(struct ethhdr) + 2 + len);
-+ frame = dev_alloc_skb(hlen + sizeof(struct ethhdr) + 2 + cur_len);
-
- skb_reserve(frame, hlen + sizeof(struct ethhdr) + 2);
-- skb_copy_bits(skb, offset, skb_put(frame, len), len);
-+ skb_copy_bits(skb, offset, skb_put(frame, cur_len), cur_len);
-+
-+ len -= cur_len;
-+ if (!len)
-+ return frame;
-+
-+ offset += cur_len;
-+ __ieee80211_amsdu_copy_frag(skb, frame, offset, len);
-
- return frame;
- }
-@@ -676,6 +746,7 @@ void ieee80211_amsdu_to_8023s(struct sk_
- u8 *payload;
- int offset = 0, remaining, err;
- struct ethhdr eth;
-+ bool reuse_frag = skb->head_frag && !skb_has_frag_list(skb);
- bool reuse_skb = false;
- bool last = false;
-
-@@ -703,12 +774,13 @@ void ieee80211_amsdu_to_8023s(struct sk_
- offset += sizeof(struct ethhdr);
- /* reuse skb for the last subframe */
- last = remaining <= subframe_len + padding;
-- if (!skb_is_nonlinear(skb) && last) {
-+ if (!skb_is_nonlinear(skb) && !reuse_frag && last) {
- skb_pull(skb, offset);
- frame = skb;
- reuse_skb = true;
- } else {
-- frame = __ieee80211_amsdu_copy(skb, hlen, offset, len);
-+ frame = __ieee80211_amsdu_copy(skb, hlen, offset, len,
-+ reuse_frag);
- if (!frame)
- goto purge;
-
+++ /dev/null
-From: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>
-Date: Wed, 10 Feb 2016 16:08:17 +0100
-Subject: [PATCH] mac80211: fix wiphy supported_band access
-
-Fix wiphy supported_band access in tx radiotap parsing. In particular,
-info->band is always set to 0 (IEEE80211_BAND_2GHZ) since it has not
-assigned yet. This cause a kernel crash on 5GHz only devices.
-Move ieee80211_parse_tx_radiotap() after info->band assignment
-
-Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>
----
-
---- a/net/mac80211/tx.c
-+++ b/net/mac80211/tx.c
-@@ -1890,10 +1890,6 @@ netdev_tx_t ieee80211_monitor_start_xmit
- info->flags = IEEE80211_TX_CTL_REQ_TX_STATUS |
- IEEE80211_TX_CTL_INJECTED;
-
-- /* process and remove the injection radiotap header */
-- if (!ieee80211_parse_tx_radiotap(local, skb))
-- goto fail;
--
- rcu_read_lock();
-
- /*
-@@ -1955,6 +1951,10 @@ netdev_tx_t ieee80211_monitor_start_xmit
- goto fail_rcu;
-
- info->band = chandef->chan->band;
-+ /* process and remove the injection radiotap header */
-+ if (!ieee80211_parse_tx_radiotap(local, skb))
-+ goto fail_rcu;
-+
- ieee80211_xmit(sdata, NULL, skb);
- rcu_read_unlock();
-
+++ /dev/null
-From: Felix Fietkau <nbd@openwrt.org>
-Date: Thu, 18 Feb 2016 19:30:05 +0100
-Subject: [PATCH] mac80211: minstrel_ht: set A-MSDU tx limits based on selected
- max_prob_rate
-
-Prevents excessive A-MSDU aggregation at low data rates or bad
-conditions.
-
-Signed-off-by: Felix Fietkau <nbd@openwrt.org>
----
-
---- a/net/mac80211/rc80211_minstrel_ht.c
-+++ b/net/mac80211/rc80211_minstrel_ht.c
-@@ -883,6 +883,39 @@ minstrel_ht_set_rate(struct minstrel_pri
- ratetbl->rate[offset].flags = flags;
- }
-
-+static int
-+minstrel_ht_get_max_amsdu_len(struct minstrel_ht_sta *mi)
-+{
-+ int group = mi->max_prob_rate / MCS_GROUP_RATES;
-+ const struct mcs_group *g = &minstrel_mcs_groups[group];
-+ int rate = mi->max_prob_rate % MCS_GROUP_RATES;
-+
-+ /* Disable A-MSDU if max_prob_rate is bad */
-+ if (mi->groups[group].rates[rate].prob_ewma < MINSTREL_FRAC(50, 100))
-+ return 1;
-+
-+ /* If the rate is slower than single-stream MCS1, make A-MSDU limit small */
-+ if (g->duration[rate] > MCS_DURATION(1, 0, 52))
-+ return 500;
-+
-+ /*
-+ * If the rate is slower than single-stream MCS4, limit A-MSDU to usual
-+ * data packet size
-+ */
-+ if (g->duration[rate] > MCS_DURATION(1, 0, 104))
-+ return 1500;
-+
-+ /*
-+ * If the rate is slower than single-stream MCS7, limit A-MSDU to twice
-+ * the usual data packet size
-+ */
-+ if (g->duration[rate] > MCS_DURATION(1, 0, 260))
-+ return 3000;
-+
-+ /* unlimited */
-+ return 0;
-+}
-+
- static void
- minstrel_ht_update_rates(struct minstrel_priv *mp, struct minstrel_ht_sta *mi)
- {
-@@ -907,6 +940,7 @@ minstrel_ht_update_rates(struct minstrel
- minstrel_ht_set_rate(mp, mi, rates, i++, mi->max_prob_rate);
- }
-
-+ mi->sta->max_rc_amsdu_len = minstrel_ht_get_max_amsdu_len(mi);
- rates->rate[i].idx = -1;
- rate_control_set_rates(mp->hw, mi->sta, rates);
- }
+++ /dev/null
-From: Felix Fietkau <nbd@openwrt.org>
-Date: Thu, 18 Feb 2016 19:45:33 +0100
-Subject: [PATCH] mac80211: minstrel_ht: set default tx aggregation timeout to
- 0
-
-The value 5000 was put here with the addition of the timeout field to
-ieee80211_start_tx_ba_session. It was originally added in mac80211 to
-save resources for drivers like iwlwifi, which only supports a limited
-number of concurrent aggregation sessions.
-
-Since iwlwifi does not use minstrel_ht and other drivers don't need
-this, 0 is a better default - especially since there have been
-recent reports of aggregation setup related issues reproduced with
-ath9k. This should improve stability without causing any adverse
-effects.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Felix Fietkau <nbd@openwrt.org>
----
-
---- a/net/mac80211/rc80211_minstrel_ht.c
-+++ b/net/mac80211/rc80211_minstrel_ht.c
-@@ -692,7 +692,7 @@ minstrel_aggr_check(struct ieee80211_sta
- if (likely(sta->ampdu_mlme.tid_tx[tid]))
- return;
-
-- ieee80211_start_tx_ba_session(pubsta, tid, 5000);
-+ ieee80211_start_tx_ba_session(pubsta, tid, 0);
- }
-
- static void
+++ /dev/null
-From: Felix Fietkau <nbd@openwrt.org>
-Date: Wed, 24 Feb 2016 12:03:13 +0100
-Subject: [PATCH] mac80211: minstrel_ht: fix a logic error in RTS/CTS handling
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-RTS/CTS needs to be enabled if the rate is a fallback rate *or* if it's
-a dual-stream rate and the sta is in dynamic SMPS mode.
-
-Fixes: a3ebb4e1b763 ("mac80211: minstrel_ht: handle peers in dynamic SMPS")
-Reported-by: MatÃas Richart <mrichart@fing.edu.uy>
-Signed-off-by: Felix Fietkau <nbd@openwrt.org>
----
-
---- a/net/mac80211/rc80211_minstrel_ht.c
-+++ b/net/mac80211/rc80211_minstrel_ht.c
-@@ -872,7 +872,7 @@ minstrel_ht_set_rate(struct minstrel_pri
- * - if station is in dynamic SMPS (and streams > 1)
- * - for fallback rates, to increase chances of getting through
- */
-- if (offset > 0 &&
-+ if (offset > 0 ||
- (mi->sta->smps_mode == IEEE80211_SMPS_DYNAMIC &&
- group->streams > 1)) {
- ratetbl->rate[offset].count = ratetbl->rate[offset].count_rts;
+++ /dev/null
-From: Jouni Malinen <jouni@qca.qualcomm.com>
-Date: Tue, 1 Mar 2016 00:29:00 +0200
-Subject: [PATCH] mac80211: Fix Public Action frame RX in AP mode
-
-Public Action frames use special rules for how the BSSID field (Address
-3) is set. A wildcard BSSID is used in cases where the transmitter and
-recipient are not members of the same BSS. As such, we need to accept
-Public Action frames with wildcard BSSID.
-
-Commit db8e17324553 ("mac80211: ignore frames between TDLS peers when
-operating as AP") added a rule that drops Action frames to TDLS-peers
-based on an Action frame having different DA (Address 1) and BSSID
-(Address 3) values. This is not correct since it misses the possibility
-of BSSID being a wildcard BSSID in which case the Address 1 would not
-necessarily match.
-
-Fix this by allowing mac80211 to accept wildcard BSSID in an Action
-frame when in AP mode.
-
-Fixes: db8e17324553 ("mac80211: ignore frames between TDLS peers when operating as AP")
-Cc: stable@vger.kernel.org
-Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/net/mac80211/rx.c
-+++ b/net/mac80211/rx.c
-@@ -3374,6 +3374,7 @@ static bool ieee80211_accept_frame(struc
- return false;
- /* ignore action frames to TDLS-peers */
- if (ieee80211_is_action(hdr->frame_control) &&
-+ !is_broadcast_ether_addr(bssid) &&
- !ether_addr_equal(bssid, hdr->addr1))
- return false;
- }
+++ /dev/null
-From: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>
-Date: Fri, 19 Feb 2016 11:43:04 +0100
-Subject: [PATCH] cfg80211: add radiotap VHT info to rtap_namespace_sizes
-
-Add IEEE80211_RADIOTAP_VHT entry to rtap_namespace_sizes array in order to
-define alignment and size of VHT info in tx radiotap
-
-Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
-
---- a/net/wireless/radiotap.c
-+++ b/net/wireless/radiotap.c
-@@ -43,6 +43,7 @@ static const struct radiotap_align_size
- [IEEE80211_RADIOTAP_DATA_RETRIES] = { .align = 1, .size = 1, },
- [IEEE80211_RADIOTAP_MCS] = { .align = 1, .size = 3, },
- [IEEE80211_RADIOTAP_AMPDU_STATUS] = { .align = 4, .size = 8, },
-+ [IEEE80211_RADIOTAP_VHT] = { .align = 2, .size = 12, },
- /*
- * add more here as they are defined in radiotap.h
- */
+++ /dev/null
-From: Sven Eckelmann <sven@narfation.org>
-Date: Wed, 24 Feb 2016 16:25:49 +0100
-Subject: [PATCH] mac80211: fix parsing of 40Mhz in injected radiotap
- header
-
-The MCS bandwidth part of the radiotap header is 2 bits wide. The full 2
-bit have to compared against IEEE80211_RADIOTAP_MCS_BW_40 and not only if
-the first bit is set. Otherwise IEEE80211_RADIOTAP_MCS_BW_40 can be
-confused with IEEE80211_RADIOTAP_MCS_BW_20U.
-
-Fixes: 5ec3aed9ba4c ("mac80211: Parse legacy and HT rate in injected frames")
-Signed-off-by: Sven Eckelmann <sven@narfation.org>
----
-
---- a/net/mac80211/tx.c
-+++ b/net/mac80211/tx.c
-@@ -1689,7 +1689,7 @@ static bool ieee80211_parse_tx_radiotap(
- bool rate_found = false;
- u8 rate_retries = 0;
- u16 rate_flags = 0;
-- u8 mcs_known, mcs_flags;
-+ u8 mcs_known, mcs_flags, mcs_bw;
- int i;
-
- info->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT |
-@@ -1765,8 +1765,9 @@ static bool ieee80211_parse_tx_radiotap(
- mcs_flags & IEEE80211_RADIOTAP_MCS_SGI)
- rate_flags |= IEEE80211_TX_RC_SHORT_GI;
-
-+ mcs_bw = mcs_flags & IEEE80211_RADIOTAP_MCS_BW_MASK;
- if (mcs_known & IEEE80211_RADIOTAP_MCS_HAVE_BW &&
-- mcs_flags & IEEE80211_RADIOTAP_MCS_BW_40)
-+ mcs_bw == IEEE80211_RADIOTAP_MCS_BW_40)
- rate_flags |= IEEE80211_TX_RC_40_MHZ_WIDTH;
- break;
-
+++ /dev/null
-From: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>
-Date: Tue, 23 Feb 2016 15:43:35 +0100
-Subject: [PATCH] mac80211: parse VHT info in injected frames
-
-Add VHT radiotap parsing support to ieee80211_parse_tx_radiotap().
-That capability has been tested using a d-link dir-860l rev b1 running
-OpenWrt trunk and mt76 driver
-
-Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>
----
-
---- a/net/mac80211/tx.c
-+++ b/net/mac80211/tx.c
-@@ -1690,6 +1690,8 @@ static bool ieee80211_parse_tx_radiotap(
- u8 rate_retries = 0;
- u16 rate_flags = 0;
- u8 mcs_known, mcs_flags, mcs_bw;
-+ u16 vht_known;
-+ u8 vht_mcs = 0, vht_nss = 0;
- int i;
-
- info->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT |
-@@ -1771,6 +1773,32 @@ static bool ieee80211_parse_tx_radiotap(
- rate_flags |= IEEE80211_TX_RC_40_MHZ_WIDTH;
- break;
-
-+ case IEEE80211_RADIOTAP_VHT:
-+ vht_known = get_unaligned_le16(iterator.this_arg);
-+ rate_found = true;
-+
-+ rate_flags = IEEE80211_TX_RC_VHT_MCS;
-+ if ((vht_known & IEEE80211_RADIOTAP_VHT_KNOWN_GI) &&
-+ (iterator.this_arg[2] &
-+ IEEE80211_RADIOTAP_VHT_FLAG_SGI))
-+ rate_flags |= IEEE80211_TX_RC_SHORT_GI;
-+ if (vht_known &
-+ IEEE80211_RADIOTAP_VHT_KNOWN_BANDWIDTH) {
-+ if (iterator.this_arg[3] == 1)
-+ rate_flags |=
-+ IEEE80211_TX_RC_40_MHZ_WIDTH;
-+ else if (iterator.this_arg[3] == 4)
-+ rate_flags |=
-+ IEEE80211_TX_RC_80_MHZ_WIDTH;
-+ else if (iterator.this_arg[3] == 11)
-+ rate_flags |=
-+ IEEE80211_TX_RC_160_MHZ_WIDTH;
-+ }
-+
-+ vht_mcs = iterator.this_arg[4] >> 4;
-+ vht_nss = iterator.this_arg[4] & 0xF;
-+ break;
-+
- /*
- * Please update the file
- * Documentation/networking/mac80211-injection.txt
-@@ -1796,6 +1824,9 @@ static bool ieee80211_parse_tx_radiotap(
-
- if (rate_flags & IEEE80211_TX_RC_MCS) {
- info->control.rates[0].idx = rate;
-+ } else if (rate_flags & IEEE80211_TX_RC_VHT_MCS) {
-+ ieee80211_rate_set_vht(info->control.rates, vht_mcs,
-+ vht_nss);
- } else {
- for (i = 0; i < sband->n_bitrates; i++) {
- if (rate * 5 != sband->bitrates[i].bitrate)
+++ /dev/null
-From: Felix Fietkau <nbd@openwrt.org>
-Date: Wed, 2 Mar 2016 15:51:40 +0100
-Subject: [PATCH] mac80211: do not pass injected frames without a valid rate to
- the driver
-
-Fall back to rate control if the requested bitrate was not found.
-
-Fixes: dfdfc2beb0dd ("mac80211: Parse legacy and HT rate in injected frames")
-Signed-off-by: Felix Fietkau <nbd@openwrt.org>
----
-
---- a/net/mac80211/tx.c
-+++ b/net/mac80211/tx.c
-@@ -1837,6 +1837,9 @@ static bool ieee80211_parse_tx_radiotap(
- }
- }
-
-+ if (info->control.rates[0].idx < 0)
-+ info->control.flags &= ~IEEE80211_TX_CTRL_RATE_INJECT;
-+
- info->control.rates[0].flags = rate_flags;
- info->control.rates[0].count = min_t(u8, rate_retries + 1,
- local->hw.max_rate_tries);
+++ /dev/null
-From: Felix Fietkau <nbd@openwrt.org>
-Date: Thu, 3 Mar 2016 23:20:06 +0100
-Subject: [PATCH] mac80211: minstrel_ht: improve sample rate skip logic
-
-There were a few issues that were slowing down the process of finding
-the optimal rate, especially on devices with multi-rate retry
-limitations:
-
-When max_tp_rate[0] was slower than max_tp_rate[1], the code did not
-sample max_tp_rate[1], which would often allow it to switch places with
-max_tp_rate[0] (e.g. if only the first sampling attempts were bad, but the
-rate is otherwise good).
-
-Also, sample attempts of rates between max_tp_rate[0] and [1] were being
-ignored in this case, because the code only checked if the rate was
-slower than [1].
-
-Fix this by checking against the fastest / second fastest max_tp_rate
-instead of assuming a specific order between the two.
-
-In my tests this patch significantly reduces the time until minstrel_ht
-finds the optimal rate right after assoc
-
-Signed-off-by: Felix Fietkau <nbd@openwrt.org>
----
-
---- a/net/mac80211/rc80211_minstrel_ht.c
-+++ b/net/mac80211/rc80211_minstrel_ht.c
-@@ -958,6 +958,7 @@ minstrel_get_sample_rate(struct minstrel
- struct minstrel_rate_stats *mrs;
- struct minstrel_mcs_group_data *mg;
- unsigned int sample_dur, sample_group, cur_max_tp_streams;
-+ int tp_rate1, tp_rate2;
- int sample_idx = 0;
-
- if (mi->sample_wait > 0) {
-@@ -979,14 +980,22 @@ minstrel_get_sample_rate(struct minstrel
- mrs = &mg->rates[sample_idx];
- sample_idx += sample_group * MCS_GROUP_RATES;
-
-+ /* Set tp_rate1, tp_rate2 to the highest / second highest max_tp_rate */
-+ if (minstrel_get_duration(mi->max_tp_rate[0]) >
-+ minstrel_get_duration(mi->max_tp_rate[1])) {
-+ tp_rate1 = mi->max_tp_rate[1];
-+ tp_rate2 = mi->max_tp_rate[0];
-+ } else {
-+ tp_rate1 = mi->max_tp_rate[0];
-+ tp_rate2 = mi->max_tp_rate[1];
-+ }
-+
- /*
- * Sampling might add some overhead (RTS, no aggregation)
-- * to the frame. Hence, don't use sampling for the currently
-- * used rates.
-+ * to the frame. Hence, don't use sampling for the highest currently
-+ * used highest throughput or probability rate.
- */
-- if (sample_idx == mi->max_tp_rate[0] ||
-- sample_idx == mi->max_tp_rate[1] ||
-- sample_idx == mi->max_prob_rate)
-+ if (sample_idx == mi->max_tp_rate[0] || sample_idx == mi->max_prob_rate)
- return -1;
-
- /*
-@@ -1001,10 +1010,10 @@ minstrel_get_sample_rate(struct minstrel
- * if the link is working perfectly.
- */
-
-- cur_max_tp_streams = minstrel_mcs_groups[mi->max_tp_rate[0] /
-+ cur_max_tp_streams = minstrel_mcs_groups[tp_rate1 /
- MCS_GROUP_RATES].streams;
- sample_dur = minstrel_get_duration(sample_idx);
-- if (sample_dur >= minstrel_get_duration(mi->max_tp_rate[1]) &&
-+ if (sample_dur >= minstrel_get_duration(tp_rate2) &&
- (cur_max_tp_streams - 1 <
- minstrel_mcs_groups[sample_group].streams ||
- sample_dur >= minstrel_get_duration(mi->max_prob_rate))) {
+++ /dev/null
-From: Arend van Spriel <arend@broadcom.com>
-Date: Wed, 17 Feb 2016 11:26:50 +0100
-Subject: [PATCH] brcmfmac: change function name for
- brcmf_cfg80211_wait_vif_event_timeout()
-
-Dropping the '_timeout' from the function name as the fact that a timeout
-value is passed makes it obvious a timeout is used. Also helps to keep code
-lines a bit shorter and easier to stick to 80 char boundary.
-
-Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
-Signed-off-by: Arend van Spriel <arend@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -564,8 +564,8 @@ struct wireless_dev *brcmf_ap_add_vif(st
- }
-
- /* wait for firmware event */
-- err = brcmf_cfg80211_wait_vif_event_timeout(cfg, BRCMF_E_IF_ADD,
-- BRCMF_VIF_EVENT_TIMEOUT);
-+ err = brcmf_cfg80211_wait_vif_event(cfg, BRCMF_E_IF_ADD,
-+ BRCMF_VIF_EVENT_TIMEOUT);
- brcmf_cfg80211_arm_vif_event(cfg, NULL);
- if (!err) {
- brcmf_err("timeout occurred\n");
-@@ -6395,8 +6395,9 @@ bool brcmf_cfg80211_vif_event_armed(stru
-
- return armed;
- }
--int brcmf_cfg80211_wait_vif_event_timeout(struct brcmf_cfg80211_info *cfg,
-- u8 action, ulong timeout)
-+
-+int brcmf_cfg80211_wait_vif_event(struct brcmf_cfg80211_info *cfg,
-+ u8 action, ulong timeout)
- {
- struct brcmf_cfg80211_vif_event *event = &cfg->vif_event;
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
-@@ -402,8 +402,8 @@ bool brcmf_get_vif_state_any(struct brcm
- void brcmf_cfg80211_arm_vif_event(struct brcmf_cfg80211_info *cfg,
- struct brcmf_cfg80211_vif *vif);
- bool brcmf_cfg80211_vif_event_armed(struct brcmf_cfg80211_info *cfg);
--int brcmf_cfg80211_wait_vif_event_timeout(struct brcmf_cfg80211_info *cfg,
-- u8 action, ulong timeout);
-+int brcmf_cfg80211_wait_vif_event(struct brcmf_cfg80211_info *cfg,
-+ u8 action, ulong timeout);
- s32 brcmf_notify_escan_complete(struct brcmf_cfg80211_info *cfg,
- struct brcmf_if *ifp, bool aborted,
- bool fw_abort);
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
-@@ -1988,8 +1988,8 @@ int brcmf_p2p_ifchange(struct brcmf_cfg8
- brcmf_cfg80211_arm_vif_event(cfg, NULL);
- return err;
- }
-- err = brcmf_cfg80211_wait_vif_event_timeout(cfg, BRCMF_E_IF_CHANGE,
-- BRCMF_VIF_EVENT_TIMEOUT);
-+ err = brcmf_cfg80211_wait_vif_event(cfg, BRCMF_E_IF_CHANGE,
-+ BRCMF_VIF_EVENT_TIMEOUT);
- brcmf_cfg80211_arm_vif_event(cfg, NULL);
- if (!err) {
- brcmf_err("No BRCMF_E_IF_CHANGE event received\n");
-@@ -2090,8 +2090,8 @@ static struct wireless_dev *brcmf_p2p_cr
- }
-
- /* wait for firmware event */
-- err = brcmf_cfg80211_wait_vif_event_timeout(p2p->cfg, BRCMF_E_IF_ADD,
-- BRCMF_VIF_EVENT_TIMEOUT);
-+ err = brcmf_cfg80211_wait_vif_event(p2p->cfg, BRCMF_E_IF_ADD,
-+ BRCMF_VIF_EVENT_TIMEOUT);
- brcmf_cfg80211_arm_vif_event(p2p->cfg, NULL);
- brcmf_fweh_p2pdev_setup(pri_ifp, false);
- if (!err) {
-@@ -2180,8 +2180,8 @@ struct wireless_dev *brcmf_p2p_add_vif(s
- }
-
- /* wait for firmware event */
-- err = brcmf_cfg80211_wait_vif_event_timeout(cfg, BRCMF_E_IF_ADD,
-- BRCMF_VIF_EVENT_TIMEOUT);
-+ err = brcmf_cfg80211_wait_vif_event(cfg, BRCMF_E_IF_ADD,
-+ BRCMF_VIF_EVENT_TIMEOUT);
- brcmf_cfg80211_arm_vif_event(cfg, NULL);
- if (!err) {
- brcmf_err("timeout occurred\n");
-@@ -2274,8 +2274,8 @@ int brcmf_p2p_del_vif(struct wiphy *wiph
- }
- if (!err) {
- /* wait for firmware event */
-- err = brcmf_cfg80211_wait_vif_event_timeout(cfg, BRCMF_E_IF_DEL,
-- BRCMF_VIF_EVENT_TIMEOUT);
-+ err = brcmf_cfg80211_wait_vif_event(cfg, BRCMF_E_IF_DEL,
-+ BRCMF_VIF_EVENT_TIMEOUT);
- if (!err)
- err = -EIO;
- else
+++ /dev/null
-From: Hante Meuleman <meuleman@broadcom.com>
-Date: Wed, 17 Feb 2016 11:26:51 +0100
-Subject: [PATCH] brcmfmac: Limit memory allocs to <64K
-
-Some systems have problems with allocating memory allocation larger
-then 64K. Often on unload/load or suspend/resume a failure is
-reported: Could not allocate wiphy device. This patch makes the
-escan intermediate storage buf dynamically allocated, and smaller
-than 64K.
-
-Reviewed-by: Arend Van Spriel <arend@broadcom.com>
-Reviewed-by: Franky (Zhenhui) Lin <frankyl@broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
-Signed-off-by: Hante Meuleman <meuleman@broadcom.com>
-Signed-off-by: Arend van Spriel <arend@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -1125,7 +1125,7 @@ brcmf_cfg80211_escan(struct wiphy *wiphy
-
- /* Arm scan timeout timer */
- mod_timer(&cfg->escan_timeout, jiffies +
-- WL_ESCAN_TIMER_INTERVAL_MS * HZ / 1000);
-+ BRCMF_ESCAN_TIMER_INTERVAL_MS * HZ / 1000);
-
- return 0;
-
-@@ -3020,7 +3020,7 @@ brcmf_cfg80211_escan_handler(struct brcm
-
- list = (struct brcmf_scan_results *)
- cfg->escan_info.escan_buf;
-- if (bi_length > WL_ESCAN_BUF_SIZE - list->buflen) {
-+ if (bi_length > BRCMF_ESCAN_BUF_SIZE - list->buflen) {
- brcmf_err("Buffer is too small: ignoring\n");
- goto exit;
- }
-@@ -3033,8 +3033,8 @@ brcmf_cfg80211_escan_handler(struct brcm
- bss_info_le))
- goto exit;
- }
-- memcpy(&(cfg->escan_info.escan_buf[list->buflen]),
-- bss_info_le, bi_length);
-+ memcpy(&cfg->escan_info.escan_buf[list->buflen], bss_info_le,
-+ bi_length);
- list->version = le32_to_cpu(bss_info_le->version);
- list->buflen += bi_length;
- list->count++;
-@@ -5402,14 +5402,14 @@ static void brcmf_deinit_priv_mem(struct
- {
- kfree(cfg->conf);
- cfg->conf = NULL;
-- kfree(cfg->escan_ioctl_buf);
-- cfg->escan_ioctl_buf = NULL;
- kfree(cfg->extra_buf);
- cfg->extra_buf = NULL;
- kfree(cfg->wowl.nd);
- cfg->wowl.nd = NULL;
- kfree(cfg->wowl.nd_info);
- cfg->wowl.nd_info = NULL;
-+ kfree(cfg->escan_info.escan_buf);
-+ cfg->escan_info.escan_buf = NULL;
- }
-
- static s32 brcmf_init_priv_mem(struct brcmf_cfg80211_info *cfg)
-@@ -5417,9 +5417,6 @@ static s32 brcmf_init_priv_mem(struct br
- cfg->conf = kzalloc(sizeof(*cfg->conf), GFP_KERNEL);
- if (!cfg->conf)
- goto init_priv_mem_out;
-- cfg->escan_ioctl_buf = kzalloc(BRCMF_DCMD_MEDLEN, GFP_KERNEL);
-- if (!cfg->escan_ioctl_buf)
-- goto init_priv_mem_out;
- cfg->extra_buf = kzalloc(WL_EXTRA_BUF_MAX, GFP_KERNEL);
- if (!cfg->extra_buf)
- goto init_priv_mem_out;
-@@ -5431,6 +5428,9 @@ static s32 brcmf_init_priv_mem(struct br
- GFP_KERNEL);
- if (!cfg->wowl.nd_info)
- goto init_priv_mem_out;
-+ cfg->escan_info.escan_buf = kzalloc(BRCMF_ESCAN_BUF_SIZE, GFP_KERNEL);
-+ if (!cfg->escan_info.escan_buf)
-+ goto init_priv_mem_out;
-
- return 0;
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
-@@ -28,8 +28,11 @@
- #define WL_ROAM_TRIGGER_LEVEL -75
- #define WL_ROAM_DELTA 20
-
--#define WL_ESCAN_BUF_SIZE (1024 * 64)
--#define WL_ESCAN_TIMER_INTERVAL_MS 10000 /* E-Scan timeout */
-+/* Keep BRCMF_ESCAN_BUF_SIZE below 64K (65536). Allocing over 64K can be
-+ * problematic on some systems and should be avoided.
-+ */
-+#define BRCMF_ESCAN_BUF_SIZE 65000
-+#define BRCMF_ESCAN_TIMER_INTERVAL_MS 10000 /* E-Scan timeout */
-
- #define WL_ESCAN_ACTION_START 1
- #define WL_ESCAN_ACTION_CONTINUE 2
-@@ -205,7 +208,7 @@ enum wl_escan_state {
-
- struct escan_info {
- u32 escan_state;
-- u8 escan_buf[WL_ESCAN_BUF_SIZE];
-+ u8 *escan_buf;
- struct wiphy *wiphy;
- struct brcmf_if *ifp;
- s32 (*run)(struct brcmf_cfg80211_info *cfg, struct brcmf_if *ifp,
-@@ -278,7 +281,6 @@ struct brcmf_cfg80211_wowl {
- * @escan_info: escan information.
- * @escan_timeout: Timer for catch scan timeout.
- * @escan_timeout_work: scan timeout worker.
-- * @escan_ioctl_buf: dongle command buffer for escan commands.
- * @vif_list: linked list of vif instances.
- * @vif_cnt: number of vif instances.
- * @vif_event: vif event signalling.
-@@ -309,7 +311,6 @@ struct brcmf_cfg80211_info {
- struct escan_info escan_info;
- struct timer_list escan_timeout;
- struct work_struct escan_timeout_work;
-- u8 *escan_ioctl_buf;
- struct list_head vif_list;
- struct brcmf_cfg80211_vif_event vif_event;
- struct completion vif_disabled;
+++ /dev/null
-From: Franky Lin <frankyl@broadcom.com>
-Date: Wed, 17 Feb 2016 11:26:52 +0100
-Subject: [PATCH] brcmfmac: check for wowl support before enumerating feature
- flag
-
-In some cases wiphy->wowlan could be NULL if firmware doesn't have the
-support. Driver should check for support before walking down the feature
-flags.
-
-Reviewed-by: Arend Van Spriel <arend@broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
-Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
-Signed-off-by: Franky Lin <frankyl@broadcom.com>
-Signed-off-by: Arend van Spriel <arend@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -6594,7 +6594,8 @@ struct brcmf_cfg80211_info *brcmf_cfg802
- if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_SCAN_RANDOM_MAC)) {
- wiphy->features |= NL80211_FEATURE_SCHED_SCAN_RANDOM_MAC_ADDR;
- #ifdef CONFIG_PM
-- if (wiphy->wowlan->flags & WIPHY_WOWLAN_NET_DETECT)
-+ if (wiphy->wowlan &&
-+ wiphy->wowlan->flags & WIPHY_WOWLAN_NET_DETECT)
- wiphy->features |= NL80211_FEATURE_ND_RANDOM_MAC_ADDR;
- #endif
- }
+++ /dev/null
-From: Hante Meuleman <meuleman@broadcom.com>
-Date: Wed, 17 Feb 2016 11:26:53 +0100
-Subject: [PATCH] brcmfmac: Configure country code using device specific
- settings
-
-Country code configuration in a device is a device specific
-operation. For this the country code as specified by reg notifier
-(iso3166 alpha2) needs to be translated to a device specific
-country locale and revision number. This patch adds this
-translation and puts a placeholder in the device specific settings
-where the translation table can be stored. Additional patches will
-be needed to read these tables from for example device platform
-data.
-
-Reviewed-by: Arend Van Spriel <arend@broadcom.com>
-Reviewed-by: Franky (Zhenhui) Lin <frankyl@broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
-Signed-off-by: Hante Meuleman <meuleman@broadcom.com>
-Signed-off-by: Arend van Spriel <arend@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -6405,28 +6405,85 @@ int brcmf_cfg80211_wait_vif_event(struct
- vif_event_equals(event, action), timeout);
- }
-
-+static s32 brcmf_translate_country_code(struct brcmf_pub *drvr, char alpha2[2],
-+ struct brcmf_fil_country_le *ccreq)
-+{
-+ struct cc_translate *country_codes;
-+ struct cc_entry *cc;
-+ s32 found_index;
-+ int i;
-+
-+ country_codes = drvr->settings->country_codes;
-+ if (!country_codes) {
-+ brcmf_dbg(TRACE, "No country codes configured for device\n");
-+ return -EINVAL;
-+ }
-+
-+ if ((alpha2[0] == ccreq->country_abbrev[0]) &&
-+ (alpha2[1] == ccreq->country_abbrev[1])) {
-+ brcmf_dbg(TRACE, "Country code already set\n");
-+ return -EAGAIN;
-+ }
-+
-+ found_index = -1;
-+ for (i = 0; i < country_codes->table_size; i++) {
-+ cc = &country_codes->table[i];
-+ if ((cc->iso3166[0] == '\0') && (found_index == -1))
-+ found_index = i;
-+ if ((cc->iso3166[0] == alpha2[0]) &&
-+ (cc->iso3166[1] == alpha2[1])) {
-+ found_index = i;
-+ break;
-+ }
-+ }
-+ if (found_index == -1) {
-+ brcmf_dbg(TRACE, "No country code match found\n");
-+ return -EINVAL;
-+ }
-+ memset(ccreq, 0, sizeof(*ccreq));
-+ ccreq->rev = cpu_to_le32(country_codes->table[found_index].rev);
-+ memcpy(ccreq->ccode, country_codes->table[found_index].cc,
-+ BRCMF_COUNTRY_BUF_SZ);
-+ ccreq->country_abbrev[0] = alpha2[0];
-+ ccreq->country_abbrev[1] = alpha2[1];
-+ ccreq->country_abbrev[2] = 0;
-+
-+ return 0;
-+}
-+
- static void brcmf_cfg80211_reg_notifier(struct wiphy *wiphy,
- struct regulatory_request *req)
- {
- struct brcmf_cfg80211_info *cfg = wiphy_priv(wiphy);
- struct brcmf_if *ifp = netdev_priv(cfg_to_ndev(cfg));
- struct brcmf_fil_country_le ccreq;
-+ s32 err;
- int i;
-
-- brcmf_dbg(TRACE, "enter: initiator=%d, alpha=%c%c\n", req->initiator,
-- req->alpha2[0], req->alpha2[1]);
--
- /* ignore non-ISO3166 country codes */
- for (i = 0; i < sizeof(req->alpha2); i++)
- if (req->alpha2[i] < 'A' || req->alpha2[i] > 'Z') {
-- brcmf_err("not a ISO3166 code\n");
-+ brcmf_err("not a ISO3166 code (0x%02x 0x%02x)\n",
-+ req->alpha2[0], req->alpha2[1]);
- return;
- }
-- memset(&ccreq, 0, sizeof(ccreq));
-- ccreq.rev = cpu_to_le32(-1);
-- memcpy(ccreq.ccode, req->alpha2, sizeof(req->alpha2));
-- if (brcmf_fil_iovar_data_set(ifp, "country", &ccreq, sizeof(ccreq))) {
-- brcmf_err("firmware rejected country setting\n");
-+
-+ brcmf_dbg(TRACE, "Enter: initiator=%d, alpha=%c%c\n", req->initiator,
-+ req->alpha2[0], req->alpha2[1]);
-+
-+ err = brcmf_fil_iovar_data_get(ifp, "country", &ccreq, sizeof(ccreq));
-+ if (err) {
-+ brcmf_err("Country code iovar returned err = %d\n", err);
-+ return;
-+ }
-+
-+ err = brcmf_translate_country_code(ifp->drvr, req->alpha2, &ccreq);
-+ if (err)
-+ return;
-+
-+ err = brcmf_fil_iovar_data_set(ifp, "country", &ccreq, sizeof(ccreq));
-+ if (err) {
-+ brcmf_err("Firmware rejected country setting\n");
- return;
- }
- brcmf_setup_wiphybands(wiphy);
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
-@@ -230,10 +230,8 @@ void brcmf_mp_attach(void)
- int brcmf_mp_device_attach(struct brcmf_pub *drvr)
- {
- drvr->settings = kzalloc(sizeof(*drvr->settings), GFP_ATOMIC);
-- if (!drvr->settings) {
-- brcmf_err("Failed to alloca storage space for settings\n");
-+ if (!drvr->settings)
- return -ENOMEM;
-- }
-
- drvr->settings->sdiod_txglomsz = brcmf_sdiod_txglomsz;
- drvr->settings->p2p_enable = !!brcmf_p2p_enable;
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.h
-@@ -15,6 +15,8 @@
- #ifndef BRCMFMAC_COMMON_H
- #define BRCMFMAC_COMMON_H
-
-+#include "fwil_types.h"
-+
- extern const u8 ALLFFMAC[ETH_ALEN];
-
- #define BRCMF_FW_ALTPATH_LEN 256
-@@ -39,6 +41,33 @@ struct brcmf_mp_global_t {
- extern struct brcmf_mp_global_t brcmf_mp_global;
-
- /**
-+ * struct cc_entry - Struct for translating user space country code (iso3166) to
-+ * firmware country code and revision.
-+ *
-+ * @iso3166: iso3166 alpha 2 country code string.
-+ * @cc: firmware country code string.
-+ * @rev: firmware country code revision.
-+ */
-+struct cc_entry {
-+ char iso3166[BRCMF_COUNTRY_BUF_SZ];
-+ char cc[BRCMF_COUNTRY_BUF_SZ];
-+ s32 rev;
-+};
-+
-+/**
-+ * struct cc_translate - Struct for translating country codes as set by user
-+ * space to a country code and rev which can be used by
-+ * firmware.
-+ *
-+ * @table_size: number of entries in table (> 0)
-+ * @table: dynamic array of 1 or more elements with translation information.
-+ */
-+struct cc_translate {
-+ int table_size;
-+ struct cc_entry table[0];
-+};
-+
-+/**
- * struct brcmf_mp_device - Device module paramaters.
- *
- * @sdiod_txglomsz: SDIO txglom size.
-@@ -47,6 +76,7 @@ extern struct brcmf_mp_global_t brcmf_mp
- * @feature_disable: Feature_disable bitmask.
- * @fcmode: FWS flow control.
- * @roamoff: Firmware roaming off?
-+ * @country_codes: If available, pointer to struct for translating country codes
- */
- struct brcmf_mp_device {
- int sdiod_txglomsz;
-@@ -56,6 +86,7 @@ struct brcmf_mp_device {
- int fcmode;
- bool roamoff;
- bool ignore_probe_fail;
-+ struct cc_translate *country_codes;
- };
-
- void brcmf_mp_attach(void);
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
-@@ -134,6 +134,8 @@
- #define BRCMF_PFN_MAC_OUI_ONLY BIT(0)
- #define BRCMF_PFN_SET_MAC_UNASSOC BIT(1)
-
-+#define BRCMF_MCSSET_LEN 16
-+
- /* join preference types for join_pref iovar */
- enum brcmf_join_pref_types {
- BRCMF_JOIN_PREF_RSSI = 1,
-@@ -279,7 +281,7 @@ struct brcmf_bss_info_le {
- __le32 reserved32[1]; /* Reserved for expansion of BSS properties */
- u8 flags; /* flags */
- u8 reserved[3]; /* Reserved for expansion of BSS properties */
-- u8 basic_mcs[MCSSET_LEN]; /* 802.11N BSS required MCS set */
-+ u8 basic_mcs[BRCMF_MCSSET_LEN]; /* 802.11N BSS required MCS set */
-
- __le16 ie_offset; /* offset at which IEs start, from beginning */
- __le32 ie_length; /* byte length of Information Elements */
+++ /dev/null
-From: Hante Meuleman <meuleman@broadcom.com>
-Date: Wed, 17 Feb 2016 11:26:54 +0100
-Subject: [PATCH] brcmfmac: Add length checks on firmware events
-
-Add additional length checks on firmware events to create more
-robust code.
-
-Reviewed-by: Arend Van Spriel <arend@broadcom.com>
-Reviewed-by: Franky (Zhenhui) Lin <frankyl@broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
-Reviewed-by: Lei Zhang <leizh@broadcom.com>
-Signed-off-by: Hante Meuleman <meuleman@broadcom.com>
-Signed-off-by: Arend van Spriel <arend@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -3092,6 +3092,11 @@ brcmf_notify_sched_scan_results(struct b
-
- brcmf_dbg(SCAN, "Enter\n");
-
-+ if (e->datalen < (sizeof(*pfn_result) + sizeof(*netinfo))) {
-+ brcmf_dbg(SCAN, "Event data to small. Ignore\n");
-+ return 0;
-+ }
-+
- if (e->event_code == BRCMF_E_PFN_NET_LOST) {
- brcmf_dbg(SCAN, "PFN NET LOST event. Do Nothing\n");
- return 0;
-@@ -3415,6 +3420,11 @@ brcmf_wowl_nd_results(struct brcmf_if *i
-
- brcmf_dbg(SCAN, "Enter\n");
-
-+ if (e->datalen < (sizeof(*pfn_result) + sizeof(*netinfo))) {
-+ brcmf_dbg(SCAN, "Event data to small. Ignore\n");
-+ return 0;
-+ }
-+
- pfn_result = (struct brcmf_pno_scanresults_le *)data;
-
- if (e->event_code == BRCMF_E_PFN_NET_LOST) {
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
-@@ -26,50 +26,6 @@
- #include "fwil.h"
-
- /**
-- * struct brcm_ethhdr - broadcom specific ether header.
-- *
-- * @subtype: subtype for this packet.
-- * @length: TODO: length of appended data.
-- * @version: version indication.
-- * @oui: OUI of this packet.
-- * @usr_subtype: subtype for this OUI.
-- */
--struct brcm_ethhdr {
-- __be16 subtype;
-- __be16 length;
-- u8 version;
-- u8 oui[3];
-- __be16 usr_subtype;
--} __packed;
--
--struct brcmf_event_msg_be {
-- __be16 version;
-- __be16 flags;
-- __be32 event_type;
-- __be32 status;
-- __be32 reason;
-- __be32 auth_type;
-- __be32 datalen;
-- u8 addr[ETH_ALEN];
-- char ifname[IFNAMSIZ];
-- u8 ifidx;
-- u8 bsscfgidx;
--} __packed;
--
--/**
-- * struct brcmf_event - contents of broadcom event packet.
-- *
-- * @eth: standard ether header.
-- * @hdr: broadcom specific ether header.
-- * @msg: common part of the actual event message.
-- */
--struct brcmf_event {
-- struct ethhdr eth;
-- struct brcm_ethhdr hdr;
-- struct brcmf_event_msg_be msg;
--} __packed;
--
--/**
- * struct brcmf_fweh_queue_item - event item on event queue.
- *
- * @q: list element for queuing.
-@@ -85,6 +41,7 @@ struct brcmf_fweh_queue_item {
- u8 ifidx;
- u8 ifaddr[ETH_ALEN];
- struct brcmf_event_msg_be emsg;
-+ u32 datalen;
- u8 data[0];
- };
-
-@@ -294,6 +251,11 @@ static void brcmf_fweh_event_worker(stru
- brcmf_dbg_hex_dump(BRCMF_EVENT_ON(), event->data,
- min_t(u32, emsg.datalen, 64),
- "event payload, len=%d\n", emsg.datalen);
-+ if (emsg.datalen > event->datalen) {
-+ brcmf_err("event invalid length header=%d, msg=%d\n",
-+ event->datalen, emsg.datalen);
-+ goto event_free;
-+ }
-
- /* special handling of interface event */
- if (event->code == BRCMF_E_IF) {
-@@ -439,7 +401,8 @@ int brcmf_fweh_activate_events(struct br
- * dispatch the event to a registered handler (using worker).
- */
- void brcmf_fweh_process_event(struct brcmf_pub *drvr,
-- struct brcmf_event *event_packet)
-+ struct brcmf_event *event_packet,
-+ u32 packet_len)
- {
- enum brcmf_fweh_event_code code;
- struct brcmf_fweh_info *fweh = &drvr->fweh;
-@@ -459,6 +422,9 @@ void brcmf_fweh_process_event(struct brc
- if (code != BRCMF_E_IF && !fweh->evt_handler[code])
- return;
-
-+ if (datalen > BRCMF_DCMD_MAXLEN)
-+ return;
-+
- if (in_interrupt())
- alloc_flag = GFP_ATOMIC;
-
-@@ -472,6 +438,7 @@ void brcmf_fweh_process_event(struct brc
- /* use memcpy to get aligned event message */
- memcpy(&event->emsg, &event_packet->msg, sizeof(event->emsg));
- memcpy(event->data, data, datalen);
-+ event->datalen = datalen;
- memcpy(event->ifaddr, event_packet->eth.h_dest, ETH_ALEN);
-
- brcmf_fweh_queue_event(fweh, event);
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h
-@@ -27,7 +27,6 @@
- struct brcmf_pub;
- struct brcmf_if;
- struct brcmf_cfg80211_info;
--struct brcmf_event;
-
- /* list of firmware events */
- #define BRCMF_FWEH_EVENT_ENUM_DEFLIST \
-@@ -180,13 +179,55 @@ enum brcmf_fweh_event_code {
- /**
- * definitions for event packet validation.
- */
--#define BRCMF_EVENT_OUI_OFFSET 19
--#define BRCM_OUI "\x00\x10\x18"
--#define DOT11_OUI_LEN 3
--#define BCMILCP_BCM_SUBTYPE_EVENT 1
-+#define BRCM_OUI "\x00\x10\x18"
-+#define BCMILCP_BCM_SUBTYPE_EVENT 1
-
-
- /**
-+ * struct brcm_ethhdr - broadcom specific ether header.
-+ *
-+ * @subtype: subtype for this packet.
-+ * @length: TODO: length of appended data.
-+ * @version: version indication.
-+ * @oui: OUI of this packet.
-+ * @usr_subtype: subtype for this OUI.
-+ */
-+struct brcm_ethhdr {
-+ __be16 subtype;
-+ __be16 length;
-+ u8 version;
-+ u8 oui[3];
-+ __be16 usr_subtype;
-+} __packed;
-+
-+struct brcmf_event_msg_be {
-+ __be16 version;
-+ __be16 flags;
-+ __be32 event_type;
-+ __be32 status;
-+ __be32 reason;
-+ __be32 auth_type;
-+ __be32 datalen;
-+ u8 addr[ETH_ALEN];
-+ char ifname[IFNAMSIZ];
-+ u8 ifidx;
-+ u8 bsscfgidx;
-+} __packed;
-+
-+/**
-+ * struct brcmf_event - contents of broadcom event packet.
-+ *
-+ * @eth: standard ether header.
-+ * @hdr: broadcom specific ether header.
-+ * @msg: common part of the actual event message.
-+ */
-+struct brcmf_event {
-+ struct ethhdr eth;
-+ struct brcm_ethhdr hdr;
-+ struct brcmf_event_msg_be msg;
-+} __packed;
-+
-+/**
- * struct brcmf_event_msg - firmware event message.
- *
- * @version: version information.
-@@ -256,34 +297,35 @@ void brcmf_fweh_unregister(struct brcmf_
- enum brcmf_fweh_event_code code);
- int brcmf_fweh_activate_events(struct brcmf_if *ifp);
- void brcmf_fweh_process_event(struct brcmf_pub *drvr,
-- struct brcmf_event *event_packet);
-+ struct brcmf_event *event_packet,
-+ u32 packet_len);
- void brcmf_fweh_p2pdev_setup(struct brcmf_if *ifp, bool ongoing);
-
- static inline void brcmf_fweh_process_skb(struct brcmf_pub *drvr,
- struct sk_buff *skb)
- {
- struct brcmf_event *event_packet;
-- u8 *data;
- u16 usr_stype;
-
- /* only process events when protocol matches */
- if (skb->protocol != cpu_to_be16(ETH_P_LINK_CTL))
- return;
-
-+ if ((skb->len + ETH_HLEN) < sizeof(*event_packet))
-+ return;
-+
- /* check for BRCM oui match */
- event_packet = (struct brcmf_event *)skb_mac_header(skb);
-- data = (u8 *)event_packet;
-- data += BRCMF_EVENT_OUI_OFFSET;
-- if (memcmp(BRCM_OUI, data, DOT11_OUI_LEN))
-+ if (memcmp(BRCM_OUI, &event_packet->hdr.oui[0],
-+ sizeof(event_packet->hdr.oui)))
- return;
-
- /* final match on usr_subtype */
-- data += DOT11_OUI_LEN;
-- usr_stype = get_unaligned_be16(data);
-+ usr_stype = get_unaligned_be16(&event_packet->hdr.usr_subtype);
- if (usr_stype != BCMILCP_BCM_SUBTYPE_EVENT)
- return;
-
-- brcmf_fweh_process_event(drvr, event_packet);
-+ brcmf_fweh_process_event(drvr, event_packet, skb->len + ETH_HLEN);
- }
-
- #endif /* FWEH_H_ */
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
-@@ -1361,6 +1361,11 @@ int brcmf_p2p_notify_action_frame_rx(str
- u16 mgmt_type;
- u8 action;
-
-+ if (e->datalen < sizeof(*rxframe)) {
-+ brcmf_dbg(SCAN, "Event data to small. Ignore\n");
-+ return 0;
-+ }
-+
- ch.chspec = be16_to_cpu(rxframe->chanspec);
- cfg->d11inf.decchspec(&ch);
- /* Check if wpa_supplicant has registered for this frame */
-@@ -1858,6 +1863,11 @@ s32 brcmf_p2p_notify_rx_mgmt_p2p_probere
- brcmf_dbg(INFO, "Enter: event %d reason %d\n", e->event_code,
- e->reason);
-
-+ if (e->datalen < sizeof(*rxframe)) {
-+ brcmf_dbg(SCAN, "Event data to small. Ignore\n");
-+ return 0;
-+ }
-+
- ch.chspec = be16_to_cpu(rxframe->chanspec);
- cfg->d11inf.decchspec(&ch);
-
+++ /dev/null
-From: Franky Lin <frankyl@broadcom.com>
-Date: Wed, 17 Feb 2016 11:26:55 +0100
-Subject: [PATCH] brcmfmac: add neighbor discovery offload ip address table
- configuration
-
-Configure ipv6 address for neighbor discovery offload ip table in
-firmware obtained through ipv6 address notification callback.
-
-Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
-Signed-off-by: Franky Lin <frankyl@broadcom.com>
-Signed-off-by: Arend van Spriel <arend@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -456,7 +456,7 @@ send_key_to_dongle(struct brcmf_if *ifp,
- }
-
- static s32
--brcmf_configure_arp_offload(struct brcmf_if *ifp, bool enable)
-+brcmf_configure_arp_nd_offload(struct brcmf_if *ifp, bool enable)
- {
- s32 err;
- u32 mode;
-@@ -484,6 +484,15 @@ brcmf_configure_arp_offload(struct brcmf
- enable, mode);
- }
-
-+ err = brcmf_fil_iovar_int_set(ifp, "ndoe", enable);
-+ if (err) {
-+ brcmf_dbg(TRACE, "failed to configure (%d) ND offload err = %d\n",
-+ enable, err);
-+ err = 0;
-+ } else
-+ brcmf_dbg(TRACE, "successfully configured (%d) ND offload to 0x%x\n",
-+ enable, mode);
-+
- return err;
- }
-
-@@ -3543,7 +3552,7 @@ static s32 brcmf_cfg80211_resume(struct
- brcmf_report_wowl_wakeind(wiphy, ifp);
- brcmf_fil_iovar_int_set(ifp, "wowl_clear", 0);
- brcmf_config_wowl_pattern(ifp, "clr", NULL, 0, NULL, 0);
-- brcmf_configure_arp_offload(ifp, true);
-+ brcmf_configure_arp_nd_offload(ifp, true);
- brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_PM,
- cfg->wowl.pre_pmmode);
- cfg->wowl.active = false;
-@@ -3567,7 +3576,7 @@ static void brcmf_configure_wowl(struct
-
- brcmf_dbg(TRACE, "Suspend, wowl config.\n");
-
-- brcmf_configure_arp_offload(ifp, false);
-+ brcmf_configure_arp_nd_offload(ifp, false);
- brcmf_fil_cmd_int_get(ifp, BRCMF_C_GET_PM, &cfg->wowl.pre_pmmode);
- brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_PM, PM_MAX);
-
-@@ -4336,7 +4345,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
-
- if (!mbss) {
- brcmf_set_mpc(ifp, 0);
-- brcmf_configure_arp_offload(ifp, false);
-+ brcmf_configure_arp_nd_offload(ifp, false);
- }
-
- /* find the RSN_IE */
-@@ -4482,7 +4491,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
- exit:
- if ((err) && (!mbss)) {
- brcmf_set_mpc(ifp, 1);
-- brcmf_configure_arp_offload(ifp, true);
-+ brcmf_configure_arp_nd_offload(ifp, true);
- }
- return err;
- }
-@@ -4540,7 +4549,7 @@ static int brcmf_cfg80211_stop_ap(struct
- brcmf_err("bss_enable config failed %d\n", err);
- }
- brcmf_set_mpc(ifp, 1);
-- brcmf_configure_arp_offload(ifp, true);
-+ brcmf_configure_arp_nd_offload(ifp, true);
- clear_bit(BRCMF_VIF_STATUS_AP_CREATED, &ifp->vif->sme_state);
- brcmf_net_setcarrier(ifp, false);
-
-@@ -6287,7 +6296,7 @@ static s32 brcmf_config_dongle(struct br
- if (err)
- goto default_conf_out;
-
-- brcmf_configure_arp_offload(ifp, true);
-+ brcmf_configure_arp_nd_offload(ifp, true);
-
- cfg->dongle_up = true;
- default_conf_out:
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-@@ -20,6 +20,8 @@
- #include <linux/inetdevice.h>
- #include <net/cfg80211.h>
- #include <net/rtnetlink.h>
-+#include <net/addrconf.h>
-+#include <net/ipv6.h>
- #include <brcmu_utils.h>
- #include <brcmu_wifi.h>
-
-@@ -172,6 +174,35 @@ _brcmf_set_mac_address(struct work_struc
- }
- }
-
-+#if IS_ENABLED(CONFIG_IPV6)
-+static void _brcmf_update_ndtable(struct work_struct *work)
-+{
-+ struct brcmf_if *ifp;
-+ int i, ret;
-+
-+ ifp = container_of(work, struct brcmf_if, ndoffload_work);
-+
-+ /* clear the table in firmware */
-+ ret = brcmf_fil_iovar_data_set(ifp, "nd_hostip_clear", NULL, 0);
-+ if (ret) {
-+ brcmf_dbg(TRACE, "fail to clear nd ip table err:%d\n", ret);
-+ return;
-+ }
-+
-+ for (i = 0; i < ifp->ipv6addr_idx; i++) {
-+ ret = brcmf_fil_iovar_data_set(ifp, "nd_hostip",
-+ &ifp->ipv6_addr_tbl[i],
-+ sizeof(struct in6_addr));
-+ if (ret)
-+ brcmf_err("add nd ip err %d\n", ret);
-+ }
-+}
-+#else
-+static void _brcmf_update_ndtable(struct work_struct *work)
-+{
-+}
-+#endif
-+
- static int brcmf_netdev_set_mac_address(struct net_device *ndev, void *addr)
- {
- struct brcmf_if *ifp = netdev_priv(ndev);
-@@ -685,6 +716,7 @@ int brcmf_net_attach(struct brcmf_if *if
-
- INIT_WORK(&ifp->setmacaddr_work, _brcmf_set_mac_address);
- INIT_WORK(&ifp->multicast_work, _brcmf_set_multicast_list);
-+ INIT_WORK(&ifp->ndoffload_work, _brcmf_update_ndtable);
-
- if (rtnl_locked)
- err = register_netdevice(ndev);
-@@ -884,6 +916,7 @@ static void brcmf_del_if(struct brcmf_pu
- if (ifp->ndev->netdev_ops == &brcmf_netdev_ops_pri) {
- cancel_work_sync(&ifp->setmacaddr_work);
- cancel_work_sync(&ifp->multicast_work);
-+ cancel_work_sync(&ifp->ndoffload_work);
- }
- brcmf_net_detach(ifp->ndev);
- } else {
-@@ -1025,6 +1058,56 @@ static int brcmf_inetaddr_changed(struct
- }
- #endif
-
-+#if IS_ENABLED(CONFIG_IPV6)
-+static int brcmf_inet6addr_changed(struct notifier_block *nb,
-+ unsigned long action, void *data)
-+{
-+ struct brcmf_pub *drvr = container_of(nb, struct brcmf_pub,
-+ inet6addr_notifier);
-+ struct inet6_ifaddr *ifa = data;
-+ struct brcmf_if *ifp;
-+ int i;
-+ struct in6_addr *table;
-+
-+ /* Only handle primary interface */
-+ ifp = drvr->iflist[0];
-+ if (!ifp)
-+ return NOTIFY_DONE;
-+ if (ifp->ndev != ifa->idev->dev)
-+ return NOTIFY_DONE;
-+
-+ table = ifp->ipv6_addr_tbl;
-+ for (i = 0; i < NDOL_MAX_ENTRIES; i++)
-+ if (ipv6_addr_equal(&ifa->addr, &table[i]))
-+ break;
-+
-+ switch (action) {
-+ case NETDEV_UP:
-+ if (i == NDOL_MAX_ENTRIES) {
-+ if (ifp->ipv6addr_idx < NDOL_MAX_ENTRIES) {
-+ table[ifp->ipv6addr_idx++] = ifa->addr;
-+ } else {
-+ for (i = 0; i < NDOL_MAX_ENTRIES - 1; i++)
-+ table[i] = table[i + 1];
-+ table[NDOL_MAX_ENTRIES - 1] = ifa->addr;
-+ }
-+ }
-+ break;
-+ case NETDEV_DOWN:
-+ if (i < NDOL_MAX_ENTRIES)
-+ for (; i < ifp->ipv6addr_idx; i++)
-+ table[i] = table[i + 1];
-+ break;
-+ default:
-+ break;
-+ }
-+
-+ schedule_work(&ifp->ndoffload_work);
-+
-+ return NOTIFY_OK;
-+}
-+#endif
-+
- int brcmf_attach(struct device *dev)
- {
- struct brcmf_pub *drvr = NULL;
-@@ -1164,30 +1247,41 @@ int brcmf_bus_start(struct device *dev)
- #ifdef CONFIG_INET
- drvr->inetaddr_notifier.notifier_call = brcmf_inetaddr_changed;
- ret = register_inetaddr_notifier(&drvr->inetaddr_notifier);
-+ if (ret)
-+ goto fail;
-+
-+#if IS_ENABLED(CONFIG_IPV6)
-+ drvr->inet6addr_notifier.notifier_call = brcmf_inet6addr_changed;
-+ ret = register_inet6addr_notifier(&drvr->inet6addr_notifier);
-+ if (ret) {
-+ unregister_inetaddr_notifier(&drvr->inetaddr_notifier);
-+ goto fail;
-+ }
- #endif
-+#endif /* CONFIG_INET */
-+
-+ return 0;
-
- fail:
-- if (ret < 0) {
-- brcmf_err("failed: %d\n", ret);
-- if (drvr->config) {
-- brcmf_cfg80211_detach(drvr->config);
-- drvr->config = NULL;
-- }
-- if (drvr->fws) {
-- brcmf_fws_del_interface(ifp);
-- brcmf_fws_deinit(drvr);
-- }
-- if (ifp)
-- brcmf_net_detach(ifp->ndev);
-- if (p2p_ifp)
-- brcmf_net_detach(p2p_ifp->ndev);
-- drvr->iflist[0] = NULL;
-- drvr->iflist[1] = NULL;
-- if (brcmf_ignoring_probe_fail(drvr))
-- ret = 0;
-- return ret;
-+ brcmf_err("failed: %d\n", ret);
-+ if (drvr->config) {
-+ brcmf_cfg80211_detach(drvr->config);
-+ drvr->config = NULL;
-+ }
-+ if (drvr->fws) {
-+ brcmf_fws_del_interface(ifp);
-+ brcmf_fws_deinit(drvr);
- }
-- return 0;
-+ if (ifp)
-+ brcmf_net_detach(ifp->ndev);
-+ if (p2p_ifp)
-+ brcmf_net_detach(p2p_ifp->ndev);
-+ drvr->iflist[0] = NULL;
-+ drvr->iflist[1] = NULL;
-+ if (brcmf_ignoring_probe_fail(drvr))
-+ ret = 0;
-+
-+ return ret;
- }
-
- void brcmf_bus_add_txhdrlen(struct device *dev, uint len)
-@@ -1237,6 +1331,10 @@ void brcmf_detach(struct device *dev)
- unregister_inetaddr_notifier(&drvr->inetaddr_notifier);
- #endif
-
-+#if IS_ENABLED(CONFIG_IPV6)
-+ unregister_inet6addr_notifier(&drvr->inet6addr_notifier);
-+#endif
-+
- /* stop firmware event handling */
- brcmf_fweh_detach(drvr);
- if (drvr->config)
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.h
-@@ -48,6 +48,8 @@
- */
- #define BRCMF_DRIVER_FIRMWARE_VERSION_LEN 32
-
-+#define NDOL_MAX_ENTRIES 8
-+
- /**
- * struct brcmf_ampdu_rx_reorder - AMPDU receive reorder info
- *
-@@ -143,6 +145,7 @@ struct brcmf_pub {
- #endif
-
- struct notifier_block inetaddr_notifier;
-+ struct notifier_block inet6addr_notifier;
- struct brcmf_mp_device *settings;
- };
-
-@@ -175,6 +178,7 @@ enum brcmf_netif_stop_reason {
- * @stats: interface specific network statistics.
- * @setmacaddr_work: worker object for setting mac address.
- * @multicast_work: worker object for multicast provisioning.
-+ * @ndoffload_work: worker object for neighbor discovery offload configuration.
- * @fws_desc: interface specific firmware-signalling descriptor.
- * @ifidx: interface index in device firmware.
- * @bsscfgidx: index of bss associated with this interface.
-@@ -191,6 +195,7 @@ struct brcmf_if {
- struct net_device_stats stats;
- struct work_struct setmacaddr_work;
- struct work_struct multicast_work;
-+ struct work_struct ndoffload_work;
- struct brcmf_fws_mac_descriptor *fws_desc;
- int ifidx;
- s32 bsscfgidx;
-@@ -199,6 +204,8 @@ struct brcmf_if {
- spinlock_t netif_stop_lock;
- atomic_t pend_8021x_cnt;
- wait_queue_head_t pend_8021x_wait;
-+ struct in6_addr ipv6_addr_tbl[NDOL_MAX_ENTRIES];
-+ u8 ipv6addr_idx;
- };
-
- struct brcmf_skb_reorder_data {
+++ /dev/null
-From: Franky Lin <frankyl@broadcom.com>
-Date: Wed, 17 Feb 2016 11:26:56 +0100
-Subject: [PATCH] brcmfmac: check return for ARP ip setting iovar
-
-The return value of iovar set function should be saved and checked.
-
-Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
-Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
-Signed-off-by: Franky Lin <frankyl@broadcom.com>
-Signed-off-by: Arend van Spriel <arend@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-@@ -1039,14 +1039,14 @@ static int brcmf_inetaddr_changed(struct
- return NOTIFY_OK;
- }
- for (i = 0; i < ARPOL_MAX_ENTRIES; i++) {
-- if (addr_table[i] != 0) {
-- brcmf_fil_iovar_data_set(ifp,
-- "arp_hostip", &addr_table[i],
-- sizeof(addr_table[i]));
-- if (ret)
-- brcmf_err("add arp ip err %d\n",
-- ret);
-- }
-+ if (addr_table[i] == 0)
-+ continue;
-+ ret = brcmf_fil_iovar_data_set(ifp, "arp_hostip",
-+ &addr_table[i],
-+ sizeof(addr_table[i]));
-+ if (ret)
-+ brcmf_err("add arp ip err %d\n",
-+ ret);
- }
- }
- break;
+++ /dev/null
-From: Hante Meuleman <meuleman@broadcom.com>
-Date: Wed, 17 Feb 2016 11:26:57 +0100
-Subject: [PATCH] brcmfmac: use device memsize config from fw if defined
-
-Newer type pcie devices have memory which get shared between fw and
-hw. The division of this memory is done firmware compile time. As a
-result the ramsize as used by driver needs to be adjusted for this.
-This is done by reading the memory size from the firmware.
-
-Reviewed-by: Arend Van Spriel <arend@broadcom.com>
-Reviewed-by: Franky (Zhenhui) Lin <frankyl@broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
-Signed-off-by: Hante Meuleman <meuleman@broadcom.com>
-Signed-off-by: Arend van Spriel <arend@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
-@@ -207,6 +207,10 @@ static struct brcmf_firmware_mapping brc
- #define BRCMF_PCIE_CFGREG_REG_BAR3_CONFIG 0x4F4
- #define BRCMF_PCIE_LINK_STATUS_CTRL_ASPM_ENAB 3
-
-+/* Magic number at a magic location to find RAM size */
-+#define BRCMF_RAMSIZE_MAGIC 0x534d4152 /* SMAR */
-+#define BRCMF_RAMSIZE_OFFSET 0x6c
-+
-
- struct brcmf_pcie_console {
- u32 base_addr;
-@@ -1412,6 +1416,28 @@ static const struct brcmf_bus_ops brcmf_
- };
-
-
-+static void
-+brcmf_pcie_adjust_ramsize(struct brcmf_pciedev_info *devinfo, u8 *data,
-+ u32 data_len)
-+{
-+ __le32 *field;
-+ u32 newsize;
-+
-+ if (data_len < BRCMF_RAMSIZE_OFFSET + 8)
-+ return;
-+
-+ field = (__le32 *)&data[BRCMF_RAMSIZE_OFFSET];
-+ if (le32_to_cpup(field) != BRCMF_RAMSIZE_MAGIC)
-+ return;
-+ field++;
-+ newsize = le32_to_cpup(field);
-+
-+ brcmf_dbg(PCIE, "Found ramsize info in FW, adjusting to 0x%x\n",
-+ newsize);
-+ devinfo->ci->ramsize = newsize;
-+}
-+
-+
- static int
- brcmf_pcie_init_share_ram_info(struct brcmf_pciedev_info *devinfo,
- u32 sharedram_addr)
-@@ -1694,6 +1720,13 @@ static void brcmf_pcie_setup(struct devi
-
- brcmf_pcie_attach(devinfo);
-
-+ /* Some of the firmwares have the size of the memory of the device
-+ * defined inside the firmware. This is because part of the memory in
-+ * the device is shared and the devision is determined by FW. Parse
-+ * the firmware and adjust the chip memory size now.
-+ */
-+ brcmf_pcie_adjust_ramsize(devinfo, (u8 *)fw->data, fw->size);
-+
- ret = brcmf_pcie_download_fw_nvram(devinfo, fw, nvram, nvram_len);
- if (ret)
- goto fail;
+++ /dev/null
-From: Hante Meuleman <meuleman@broadcom.com>
-Date: Wed, 17 Feb 2016 11:26:58 +0100
-Subject: [PATCH] brcmfmac: use bar1 window size as provided by pci subsystem
-
-The PCIE bar1 window size is specified by chip. Currently the
-ioremap of bar1 was using a define which always matched the size
-of bar1, but newer chips can have a different bar1 sizes. With
-this patch the ioremap will be called with the by chip provided
-window size.
-
-Reviewed-by: Arend Van Spriel <arend@broadcom.com>
-Reviewed-by: Franky (Zhenhui) Lin <frankyl@broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
-Signed-off-by: Hante Meuleman <meuleman@broadcom.com>
-Signed-off-by: Arend van Spriel <arend@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
-@@ -72,7 +72,6 @@ static struct brcmf_firmware_mapping brc
-
- #define BRCMF_PCIE_FW_UP_TIMEOUT 2000 /* msec */
-
--#define BRCMF_PCIE_TCM_MAP_SIZE (4096 * 1024)
- #define BRCMF_PCIE_REG_MAP_SIZE (32 * 1024)
-
- /* backplane addres space accessed by BAR0 */
-@@ -252,7 +251,6 @@ struct brcmf_pciedev_info {
- char nvram_name[BRCMF_FW_NAME_LEN];
- void __iomem *regs;
- void __iomem *tcm;
-- u32 tcm_size;
- u32 ram_base;
- u32 ram_size;
- struct brcmf_chip *ci;
-@@ -1592,8 +1590,7 @@ static int brcmf_pcie_get_resource(struc
- }
-
- devinfo->regs = ioremap_nocache(bar0_addr, BRCMF_PCIE_REG_MAP_SIZE);
-- devinfo->tcm = ioremap_nocache(bar1_addr, BRCMF_PCIE_TCM_MAP_SIZE);
-- devinfo->tcm_size = BRCMF_PCIE_TCM_MAP_SIZE;
-+ devinfo->tcm = ioremap_nocache(bar1_addr, bar1_size);
-
- if (!devinfo->regs || !devinfo->tcm) {
- brcmf_err("ioremap() failed (%p,%p)\n", devinfo->regs,
-@@ -1602,8 +1599,9 @@ static int brcmf_pcie_get_resource(struc
- }
- brcmf_dbg(PCIE, "Phys addr : reg space = %p base addr %#016llx\n",
- devinfo->regs, (unsigned long long)bar0_addr);
-- brcmf_dbg(PCIE, "Phys addr : mem space = %p base addr %#016llx\n",
-- devinfo->tcm, (unsigned long long)bar1_addr);
-+ brcmf_dbg(PCIE, "Phys addr : mem space = %p base addr %#016llx size 0x%x\n",
-+ devinfo->tcm, (unsigned long long)bar1_addr,
-+ (unsigned int)bar1_size);
-
- return 0;
- }
+++ /dev/null
-From: Hante Meuleman <meuleman@broadcom.com>
-Date: Wed, 17 Feb 2016 11:26:59 +0100
-Subject: [PATCH] brcmfmac: add support for the PCIE 4366c0 chip
-
-A newer version of the 4366 PCIE chip has been released. Add
-support for this version of the chip.
-
-Reviewed-by: Arend Van Spriel <arend@broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
-Signed-off-by: Hante Meuleman <meuleman@broadcom.com>
-Signed-off-by: Arend van Spriel <arend@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
-@@ -53,6 +53,7 @@ BRCMF_FW_NVRAM_DEF(4358, "brcmfmac4358-p
- BRCMF_FW_NVRAM_DEF(4359, "brcmfmac4359-pcie.bin", "brcmfmac4359-pcie.txt");
- BRCMF_FW_NVRAM_DEF(4365B, "brcmfmac4365b-pcie.bin", "brcmfmac4365b-pcie.txt");
- BRCMF_FW_NVRAM_DEF(4366B, "brcmfmac4366b-pcie.bin", "brcmfmac4366b-pcie.txt");
-+BRCMF_FW_NVRAM_DEF(4366C, "brcmfmac4366c-pcie.bin", "brcmfmac4366c-pcie.txt");
- BRCMF_FW_NVRAM_DEF(4371, "brcmfmac4371-pcie.bin", "brcmfmac4371-pcie.txt");
-
- static struct brcmf_firmware_mapping brcmf_pcie_fwnames[] = {
-@@ -66,7 +67,8 @@ static struct brcmf_firmware_mapping brc
- BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4358_CHIP_ID, 0xFFFFFFFF, 4358),
- BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4359_CHIP_ID, 0xFFFFFFFF, 4359),
- BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4365_CHIP_ID, 0xFFFFFFFF, 4365B),
-- BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4366_CHIP_ID, 0xFFFFFFFF, 4366B),
-+ BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4366_CHIP_ID, 0x0000000F, 4366B),
-+ BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4366_CHIP_ID, 0xFFFFFFF0, 4366C),
- BRCMF_FW_NVRAM_ENTRY(BRCM_CC_4371_CHIP_ID, 0xFFFFFFFF, 4371),
- };
-
+++ /dev/null
-From: Hante Meuleman <meuleman@broadcom.com>
-Date: Wed, 17 Feb 2016 11:27:00 +0100
-Subject: [PATCH] brcmfmac: remove pcie gen1 support
-
-The PCIE bus driver supports older gen1 (v1) chips, but there is no
-actual device which is using this older pcie core which is supported
-by brcmfmac. Remove all gen1 related code.
-
-Reviewed-by: Arend Van Spriel <arend@broadcom.com>
-Reviewed-by: Franky (Zhenhui) Lin <frankyl@broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
-Signed-off-by: Hante Meuleman <meuleman@broadcom.com>
-Signed-off-by: Arend van Spriel <arend@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c
-@@ -100,9 +100,6 @@ static struct brcmf_firmware_mapping brc
- #define BRCMF_PCIE_PCIE2REG_CONFIGDATA 0x124
- #define BRCMF_PCIE_PCIE2REG_H2D_MAILBOX 0x140
-
--#define BRCMF_PCIE_GENREV1 1
--#define BRCMF_PCIE_GENREV2 2
--
- #define BRCMF_PCIE2_INTA 0x01
- #define BRCMF_PCIE2_INTB 0x02
-
-@@ -257,9 +254,7 @@ struct brcmf_pciedev_info {
- u32 ram_size;
- struct brcmf_chip *ci;
- u32 coreid;
-- u32 generic_corerev;
- struct brcmf_pcie_shared_info shared;
-- void (*ringbell)(struct brcmf_pciedev_info *devinfo);
- wait_queue_head_t mbdata_resp_wait;
- bool mbdata_completed;
- bool irq_allocated;
-@@ -746,68 +741,22 @@ static void brcmf_pcie_bus_console_read(
- }
-
-
--static __used void brcmf_pcie_ringbell_v1(struct brcmf_pciedev_info *devinfo)
--{
-- u32 reg_value;
--
-- brcmf_dbg(PCIE, "RING !\n");
-- reg_value = brcmf_pcie_read_reg32(devinfo,
-- BRCMF_PCIE_PCIE2REG_MAILBOXINT);
-- reg_value |= BRCMF_PCIE2_INTB;
-- brcmf_pcie_write_reg32(devinfo, BRCMF_PCIE_PCIE2REG_MAILBOXINT,
-- reg_value);
--}
--
--
--static void brcmf_pcie_ringbell_v2(struct brcmf_pciedev_info *devinfo)
--{
-- brcmf_dbg(PCIE, "RING !\n");
-- /* Any arbitrary value will do, lets use 1 */
-- brcmf_pcie_write_reg32(devinfo, BRCMF_PCIE_PCIE2REG_H2D_MAILBOX, 1);
--}
--
--
- static void brcmf_pcie_intr_disable(struct brcmf_pciedev_info *devinfo)
- {
-- if (devinfo->generic_corerev == BRCMF_PCIE_GENREV1)
-- pci_write_config_dword(devinfo->pdev, BRCMF_PCIE_REG_INTMASK,
-- 0);
-- else
-- brcmf_pcie_write_reg32(devinfo, BRCMF_PCIE_PCIE2REG_MAILBOXMASK,
-- 0);
-+ brcmf_pcie_write_reg32(devinfo, BRCMF_PCIE_PCIE2REG_MAILBOXMASK, 0);
- }
-
-
- static void brcmf_pcie_intr_enable(struct brcmf_pciedev_info *devinfo)
- {
-- if (devinfo->generic_corerev == BRCMF_PCIE_GENREV1)
-- pci_write_config_dword(devinfo->pdev, BRCMF_PCIE_REG_INTMASK,
-- BRCMF_PCIE_INT_DEF);
-- else
-- brcmf_pcie_write_reg32(devinfo, BRCMF_PCIE_PCIE2REG_MAILBOXMASK,
-- BRCMF_PCIE_MB_INT_D2H_DB |
-- BRCMF_PCIE_MB_INT_FN0_0 |
-- BRCMF_PCIE_MB_INT_FN0_1);
-+ brcmf_pcie_write_reg32(devinfo, BRCMF_PCIE_PCIE2REG_MAILBOXMASK,
-+ BRCMF_PCIE_MB_INT_D2H_DB |
-+ BRCMF_PCIE_MB_INT_FN0_0 |
-+ BRCMF_PCIE_MB_INT_FN0_1);
- }
-
-
--static irqreturn_t brcmf_pcie_quick_check_isr_v1(int irq, void *arg)
--{
-- struct brcmf_pciedev_info *devinfo = (struct brcmf_pciedev_info *)arg;
-- u32 status;
--
-- status = 0;
-- pci_read_config_dword(devinfo->pdev, BRCMF_PCIE_REG_INTSTATUS, &status);
-- if (status) {
-- brcmf_pcie_intr_disable(devinfo);
-- brcmf_dbg(PCIE, "Enter\n");
-- return IRQ_WAKE_THREAD;
-- }
-- return IRQ_NONE;
--}
--
--
--static irqreturn_t brcmf_pcie_quick_check_isr_v2(int irq, void *arg)
-+static irqreturn_t brcmf_pcie_quick_check_isr(int irq, void *arg)
- {
- struct brcmf_pciedev_info *devinfo = (struct brcmf_pciedev_info *)arg;
-
-@@ -820,29 +769,7 @@ static irqreturn_t brcmf_pcie_quick_chec
- }
-
-
--static irqreturn_t brcmf_pcie_isr_thread_v1(int irq, void *arg)
--{
-- struct brcmf_pciedev_info *devinfo = (struct brcmf_pciedev_info *)arg;
-- const struct pci_dev *pdev = devinfo->pdev;
-- u32 status;
--
-- devinfo->in_irq = true;
-- status = 0;
-- pci_read_config_dword(pdev, BRCMF_PCIE_REG_INTSTATUS, &status);
-- brcmf_dbg(PCIE, "Enter %x\n", status);
-- if (status) {
-- pci_write_config_dword(pdev, BRCMF_PCIE_REG_INTSTATUS, status);
-- if (devinfo->state == BRCMFMAC_PCIE_STATE_UP)
-- brcmf_proto_msgbuf_rx_trigger(&devinfo->pdev->dev);
-- }
-- if (devinfo->state == BRCMFMAC_PCIE_STATE_UP)
-- brcmf_pcie_intr_enable(devinfo);
-- devinfo->in_irq = false;
-- return IRQ_HANDLED;
--}
--
--
--static irqreturn_t brcmf_pcie_isr_thread_v2(int irq, void *arg)
-+static irqreturn_t brcmf_pcie_isr_thread(int irq, void *arg)
- {
- struct brcmf_pciedev_info *devinfo = (struct brcmf_pciedev_info *)arg;
- u32 status;
-@@ -879,28 +806,14 @@ static int brcmf_pcie_request_irq(struct
- brcmf_pcie_intr_disable(devinfo);
-
- brcmf_dbg(PCIE, "Enter\n");
-- /* is it a v1 or v2 implementation */
-+
- pci_enable_msi(pdev);
-- if (devinfo->generic_corerev == BRCMF_PCIE_GENREV1) {
-- if (request_threaded_irq(pdev->irq,
-- brcmf_pcie_quick_check_isr_v1,
-- brcmf_pcie_isr_thread_v1,
-- IRQF_SHARED, "brcmf_pcie_intr",
-- devinfo)) {
-- pci_disable_msi(pdev);
-- brcmf_err("Failed to request IRQ %d\n", pdev->irq);
-- return -EIO;
-- }
-- } else {
-- if (request_threaded_irq(pdev->irq,
-- brcmf_pcie_quick_check_isr_v2,
-- brcmf_pcie_isr_thread_v2,
-- IRQF_SHARED, "brcmf_pcie_intr",
-- devinfo)) {
-- pci_disable_msi(pdev);
-- brcmf_err("Failed to request IRQ %d\n", pdev->irq);
-- return -EIO;
-- }
-+ if (request_threaded_irq(pdev->irq, brcmf_pcie_quick_check_isr,
-+ brcmf_pcie_isr_thread, IRQF_SHARED,
-+ "brcmf_pcie_intr", devinfo)) {
-+ pci_disable_msi(pdev);
-+ brcmf_err("Failed to request IRQ %d\n", pdev->irq);
-+ return -EIO;
- }
- devinfo->irq_allocated = true;
- return 0;
-@@ -931,16 +844,9 @@ static void brcmf_pcie_release_irq(struc
- if (devinfo->in_irq)
- brcmf_err("Still in IRQ (processing) !!!\n");
-
-- if (devinfo->generic_corerev == BRCMF_PCIE_GENREV1) {
-- status = 0;
-- pci_read_config_dword(pdev, BRCMF_PCIE_REG_INTSTATUS, &status);
-- pci_write_config_dword(pdev, BRCMF_PCIE_REG_INTSTATUS, status);
-- } else {
-- status = brcmf_pcie_read_reg32(devinfo,
-- BRCMF_PCIE_PCIE2REG_MAILBOXINT);
-- brcmf_pcie_write_reg32(devinfo, BRCMF_PCIE_PCIE2REG_MAILBOXINT,
-- status);
-- }
-+ status = brcmf_pcie_read_reg32(devinfo, BRCMF_PCIE_PCIE2REG_MAILBOXINT);
-+ brcmf_pcie_write_reg32(devinfo, BRCMF_PCIE_PCIE2REG_MAILBOXINT, status);
-+
- devinfo->irq_allocated = false;
- }
-
-@@ -989,7 +895,9 @@ static int brcmf_pcie_ring_mb_ring_bell(
- if (devinfo->state != BRCMFMAC_PCIE_STATE_UP)
- return -EIO;
-
-- devinfo->ringbell(devinfo);
-+ brcmf_dbg(PCIE, "RING !\n");
-+ /* Any arbitrary value will do, lets use 1 */
-+ brcmf_pcie_write_reg32(devinfo, BRCMF_PCIE_PCIE2REG_H2D_MAILBOX, 1);
-
- return 0;
- }
-@@ -1503,9 +1411,6 @@ static int brcmf_pcie_download_fw_nvram(
- u32 address;
- u32 resetintr;
-
-- devinfo->ringbell = brcmf_pcie_ringbell_v2;
-- devinfo->generic_corerev = BRCMF_PCIE_GENREV2;
--
- brcmf_dbg(PCIE, "Halt ARM.\n");
- err = brcmf_pcie_enter_download_state(devinfo);
- if (err)
+++ /dev/null
-From: Hante Meuleman <meuleman@broadcom.com>
-Date: Wed, 17 Feb 2016 11:27:01 +0100
-Subject: [PATCH] brcmfmac: increase timeout for tx eapol
-
-When keys get set and updated this has to happen after eapol got
-transmitted (without key or old key) before the key can be updated.
-To make sure the order of sending eapol and configuring key is done
-correctly a timeout for tx of eapol is applied. This timeout is set
-to 50 msec, which is not always enough. Especially in AP mode and
-key updates the timeout may need to be much longer because client(s)
-can be in powersave. Increase the timeout from 50 to 950 msec.
-
-Reviewed-by: Arend Van Spriel <arend@broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
-Signed-off-by: Hante Meuleman <meuleman@broadcom.com>
-Signed-off-by: Arend van Spriel <arend@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-@@ -42,7 +42,7 @@ MODULE_AUTHOR("Broadcom Corporation");
- MODULE_DESCRIPTION("Broadcom 802.11 wireless LAN fullmac driver.");
- MODULE_LICENSE("Dual BSD/GPL");
-
--#define MAX_WAIT_FOR_8021X_TX msecs_to_jiffies(50)
-+#define MAX_WAIT_FOR_8021X_TX msecs_to_jiffies(950)
-
- /* AMPDU rx reordering definitions */
- #define BRCMF_RXREORDER_FLOWID_OFFSET 0
+++ /dev/null
-From: Hante Meuleman <meuleman@broadcom.com>
-Date: Wed, 17 Feb 2016 11:27:02 +0100
-Subject: [PATCH] brcmfmac: move module init and exit to common
-
-In preparation of module parameters for all devices the module init
-and exit routines are moved to the common file.
-
-Reviewed-by: Arend Van Spriel <arend@broadcom.com>
-Reviewed-by: Franky (Zhenhui) Lin <frankyl@broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
-Signed-off-by: Hante Meuleman <meuleman@broadcom.com>
-Signed-off-by: Arend van Spriel <arend@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
-@@ -28,6 +28,10 @@
- #include "tracepoint.h"
- #include "common.h"
-
-+MODULE_AUTHOR("Broadcom Corporation");
-+MODULE_DESCRIPTION("Broadcom 802.11 wireless LAN fullmac driver.");
-+MODULE_LICENSE("Dual BSD/GPL");
-+
- const u8 ALLFFMAC[ETH_ALEN] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
-
- #define BRCMF_DEFAULT_SCAN_CHANNEL_TIME 40
-@@ -221,7 +225,7 @@ void __brcmf_dbg(u32 level, const char *
- }
- #endif
-
--void brcmf_mp_attach(void)
-+static void brcmf_mp_attach(void)
- {
- strlcpy(brcmf_mp_global.firmware_path, brcmf_firmware_path,
- BRCMF_FW_ALTPATH_LEN);
-@@ -249,3 +253,33 @@ void brcmf_mp_device_detach(struct brcmf
- kfree(drvr->settings);
- }
-
-+static int __init brcmfmac_module_init(void)
-+{
-+ int err;
-+
-+ /* Initialize debug system first */
-+ brcmf_debugfs_init();
-+
-+#ifdef CPTCFG_BRCMFMAC_SDIO
-+ brcmf_sdio_init();
-+#endif
-+ /* Initialize global module paramaters */
-+ brcmf_mp_attach();
-+
-+ /* Continue the initialization by registering the different busses */
-+ err = brcmf_core_init();
-+ if (err)
-+ brcmf_debugfs_exit();
-+
-+ return err;
-+}
-+
-+static void __exit brcmfmac_module_exit(void)
-+{
-+ brcmf_core_exit();
-+ brcmf_debugfs_exit();
-+}
-+
-+module_init(brcmfmac_module_init);
-+module_exit(brcmfmac_module_exit);
-+
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.h
-@@ -89,7 +89,6 @@ struct brcmf_mp_device {
- struct cc_translate *country_codes;
- };
-
--void brcmf_mp_attach(void);
- int brcmf_mp_device_attach(struct brcmf_pub *drvr);
- void brcmf_mp_device_detach(struct brcmf_pub *drvr);
- #ifdef DEBUG
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-@@ -38,10 +38,6 @@
- #include "pcie.h"
- #include "common.h"
-
--MODULE_AUTHOR("Broadcom Corporation");
--MODULE_DESCRIPTION("Broadcom 802.11 wireless LAN fullmac driver.");
--MODULE_LICENSE("Dual BSD/GPL");
--
- #define MAX_WAIT_FOR_8021X_TX msecs_to_jiffies(950)
-
- /* AMPDU rx reordering definitions */
-@@ -1422,19 +1418,15 @@ static void brcmf_driver_register(struct
- }
- static DECLARE_WORK(brcmf_driver_work, brcmf_driver_register);
-
--static int __init brcmfmac_module_init(void)
-+int __init brcmf_core_init(void)
- {
-- brcmf_debugfs_init();
--#ifdef CPTCFG_BRCMFMAC_SDIO
-- brcmf_sdio_init();
--#endif
- if (!schedule_work(&brcmf_driver_work))
- return -EBUSY;
-
- return 0;
- }
-
--static void __exit brcmfmac_module_exit(void)
-+void __exit brcmf_core_exit(void)
- {
- cancel_work_sync(&brcmf_driver_work);
-
-@@ -1447,8 +1439,5 @@ static void __exit brcmfmac_module_exit(
- #ifdef CPTCFG_BRCMFMAC_PCIE
- brcmf_pcie_exit();
- #endif
-- brcmf_debugfs_exit();
- }
-
--module_init(brcmfmac_module_init);
--module_exit(brcmfmac_module_exit);
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.h
-@@ -227,5 +227,7 @@ void brcmf_txflowblock_if(struct brcmf_i
- void brcmf_txfinalize(struct brcmf_if *ifp, struct sk_buff *txp, bool success);
- void brcmf_netif_rx(struct brcmf_if *ifp, struct sk_buff *skb);
- void brcmf_net_setcarrier(struct brcmf_if *ifp, bool on);
-+int __init brcmf_core_init(void);
-+void __exit brcmf_core_exit(void);
-
- #endif /* BRCMFMAC_CORE_H */
+++ /dev/null
-From: Hante Meuleman <meuleman@broadcom.com>
-Date: Wed, 17 Feb 2016 11:27:03 +0100
-Subject: [PATCH] brcmfmac: add wowl gtk rekeying offload support
-
-This patch adds support for gtk rekeying offload and for gtk
-rekeying failure during wowl mode.
-
-Reviewed-by: Arend Van Spriel <arend@broadcom.com>
-Reviewed-by: Franky (Zhenhui) Lin <frankyl@broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
-Signed-off-by: Hante Meuleman <meuleman@broadcom.com>
-Signed-off-by: Arend van Spriel <arend@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -3526,6 +3526,10 @@ static void brcmf_report_wowl_wakeind(st
- else
- wakeup_data.net_detect = cfg->wowl.nd_info;
- }
-+ if (wakeind & BRCMF_WOWL_GTK_FAILURE) {
-+ brcmf_dbg(INFO, "WOWL Wake indicator: BRCMF_WOWL_GTK_FAILURE\n");
-+ wakeup_data.gtk_rekey_failure = true;
-+ }
- } else {
- wakeup = NULL;
- }
-@@ -3607,6 +3611,8 @@ static void brcmf_configure_wowl(struct
- brcmf_fweh_register(cfg->pub, BRCMF_E_PFN_NET_FOUND,
- brcmf_wowl_nd_results);
- }
-+ if (wowl->gtk_rekey_failure)
-+ wowl_config |= BRCMF_WOWL_GTK_FAILURE;
- if (!test_bit(BRCMF_VIF_STATUS_CONNECTED, &ifp->vif->sme_state))
- wowl_config |= BRCMF_WOWL_UNASSOC;
-
-@@ -4874,7 +4880,32 @@ static int brcmf_cfg80211_tdls_oper(stru
- return ret;
- }
-
--static struct cfg80211_ops wl_cfg80211_ops = {
-+#ifdef CONFIG_PM
-+static int
-+brcmf_cfg80211_set_rekey_data(struct wiphy *wiphy, struct net_device *ndev,
-+ struct cfg80211_gtk_rekey_data *gtk)
-+{
-+ struct brcmf_if *ifp = netdev_priv(ndev);
-+ struct brcmf_gtk_keyinfo_le gtk_le;
-+ int ret;
-+
-+ brcmf_dbg(TRACE, "Enter, bssidx=%d\n", ifp->bsscfgidx);
-+
-+ memcpy(gtk_le.kck, gtk->kck, sizeof(gtk_le.kck));
-+ memcpy(gtk_le.kek, gtk->kek, sizeof(gtk_le.kek));
-+ memcpy(gtk_le.replay_counter, gtk->replay_ctr,
-+ sizeof(gtk_le.replay_counter));
-+
-+ ret = brcmf_fil_iovar_data_set(ifp, "gtk_key_info", >k_le,
-+ sizeof(gtk_le));
-+ if (ret < 0)
-+ brcmf_err("gtk_key_info iovar failed: ret=%d\n", ret);
-+
-+ return ret;
-+}
-+#endif
-+
-+static struct cfg80211_ops brcmf_cfg80211_ops = {
- .add_virtual_intf = brcmf_cfg80211_add_iface,
- .del_virtual_intf = brcmf_cfg80211_del_iface,
- .change_virtual_intf = brcmf_cfg80211_change_iface,
-@@ -6139,19 +6170,18 @@ static void brcmf_wiphy_wowl_params(stru
- {
- #ifdef CONFIG_PM
- struct brcmf_cfg80211_info *cfg = wiphy_to_cfg(wiphy);
-- s32 err;
-- u32 wowl_cap;
-
- if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_PNO)) {
-- err = brcmf_fil_iovar_int_get(ifp, "wowl_cap", &wowl_cap);
-- if (!err) {
-- if (wowl_cap & BRCMF_WOWL_PFN_FOUND) {
-- brcmf_wowlan_support.flags |=
-- WIPHY_WOWLAN_NET_DETECT;
-- init_waitqueue_head(&cfg->wowl.nd_data_wait);
-- }
-+ if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_WOWL_ND)) {
-+ brcmf_wowlan_support.flags |= WIPHY_WOWLAN_NET_DETECT;
-+ init_waitqueue_head(&cfg->wowl.nd_data_wait);
- }
- }
-+ if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_WOWL_GTK)) {
-+ brcmf_wowlan_support.flags |= WIPHY_WOWLAN_SUPPORTS_GTK_REKEY;
-+ brcmf_wowlan_support.flags |= WIPHY_WOWLAN_GTK_REKEY_FAILURE;
-+ }
-+
- wiphy->wowlan = &brcmf_wowlan_support;
- #endif
- }
-@@ -6538,6 +6568,7 @@ struct brcmf_cfg80211_info *brcmf_cfg802
- struct net_device *ndev = brcmf_get_ifp(drvr, 0)->ndev;
- struct brcmf_cfg80211_info *cfg;
- struct wiphy *wiphy;
-+ struct cfg80211_ops *ops;
- struct brcmf_cfg80211_vif *vif;
- struct brcmf_if *ifp;
- s32 err = 0;
-@@ -6549,8 +6580,17 @@ struct brcmf_cfg80211_info *brcmf_cfg802
- return NULL;
- }
-
-+ ops = kzalloc(sizeof(*ops), GFP_KERNEL);
-+ if (!ops)
-+ return NULL;
-+
-+ memcpy(ops, &brcmf_cfg80211_ops, sizeof(*ops));
- ifp = netdev_priv(ndev);
-- wiphy = wiphy_new(&wl_cfg80211_ops, sizeof(struct brcmf_cfg80211_info));
-+#ifdef CONFIG_PM
-+ if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_WOWL_GTK))
-+ ops->set_rekey_data = brcmf_cfg80211_set_rekey_data;
-+#endif
-+ wiphy = wiphy_new(ops, sizeof(struct brcmf_cfg80211_info));
- if (!wiphy) {
- brcmf_err("Could not allocate wiphy device\n");
- return NULL;
-@@ -6560,6 +6600,7 @@ struct brcmf_cfg80211_info *brcmf_cfg802
-
- cfg = wiphy_priv(wiphy);
- cfg->wiphy = wiphy;
-+ cfg->ops = ops;
- cfg->pub = drvr;
- init_vif_event(&cfg->vif_event);
- INIT_LIST_HEAD(&cfg->vif_list);
-@@ -6686,6 +6727,7 @@ priv_out:
- ifp->vif = NULL;
- wiphy_out:
- brcmf_free_wiphy(wiphy);
-+ kfree(ops);
- return NULL;
- }
-
-@@ -6696,6 +6738,7 @@ void brcmf_cfg80211_detach(struct brcmf_
-
- brcmf_btcoex_detach(cfg);
- wiphy_unregister(cfg->wiphy);
-+ kfree(cfg->ops);
- wl_deinit_priv(cfg);
- brcmf_free_wiphy(cfg->wiphy);
- }
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
-@@ -256,6 +256,7 @@ struct brcmf_cfg80211_wowl {
- * struct brcmf_cfg80211_info - dongle private data of cfg80211 interface
- *
- * @wiphy: wiphy object for cfg80211 interface.
-+ * @ops: pointer to copy of ops as registered with wiphy object.
- * @conf: dongle configuration.
- * @p2p: peer-to-peer specific information.
- * @btcoex: Bluetooth coexistence information.
-@@ -288,6 +289,7 @@ struct brcmf_cfg80211_wowl {
- */
- struct brcmf_cfg80211_info {
- struct wiphy *wiphy;
-+ struct cfg80211_ops *ops;
- struct brcmf_cfg80211_conf *conf;
- struct brcmf_p2p_info p2p;
- struct brcmf_btcoex_info *btcoex;
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
-@@ -136,6 +136,7 @@ void brcmf_feat_attach(struct brcmf_pub
- {
- struct brcmf_if *ifp = brcmf_get_ifp(drvr, 0);
- struct brcmf_pno_macaddr_le pfn_mac;
-+ u32 wowl_cap;
- s32 err;
-
- brcmf_feat_firmware_capabilities(ifp);
-@@ -143,6 +144,17 @@ void brcmf_feat_attach(struct brcmf_pub
- brcmf_feat_iovar_int_get(ifp, BRCMF_FEAT_PNO, "pfn");
- if (drvr->bus_if->wowl_supported)
- brcmf_feat_iovar_int_get(ifp, BRCMF_FEAT_WOWL, "wowl");
-+ if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_WOWL)) {
-+ err = brcmf_fil_iovar_int_get(ifp, "wowl_cap", &wowl_cap);
-+ if (!err) {
-+ if (wowl_cap & BRCMF_WOWL_PFN_FOUND)
-+ ifp->drvr->feat_flags |=
-+ BIT(BRCMF_FEAT_WOWL_ND);
-+ if (wowl_cap & BRCMF_WOWL_GTK_FAILURE)
-+ ifp->drvr->feat_flags |=
-+ BIT(BRCMF_FEAT_WOWL_GTK);
-+ }
-+ }
- /* MBSS does not work for 43362 */
- if (drvr->bus_if->chip == BRCM_CC_43362_CHIP_ID)
- ifp->drvr->feat_flags &= ~BIT(BRCMF_FEAT_MBSS);
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
-@@ -27,6 +27,8 @@
- * RSDB: Real Simultaneous Dual Band
- * TDLS: Tunneled Direct Link Setup
- * SCAN_RANDOM_MAC: Random MAC during (net detect) scheduled scan.
-+ * WOWL_ND: WOWL net detect (PNO)
-+ * WOWL_GTK: (WOWL) GTK rekeying offload
- */
- #define BRCMF_FEAT_LIST \
- BRCMF_FEAT_DEF(MBSS) \
-@@ -36,7 +38,9 @@
- BRCMF_FEAT_DEF(P2P) \
- BRCMF_FEAT_DEF(RSDB) \
- BRCMF_FEAT_DEF(TDLS) \
-- BRCMF_FEAT_DEF(SCAN_RANDOM_MAC)
-+ BRCMF_FEAT_DEF(SCAN_RANDOM_MAC) \
-+ BRCMF_FEAT_DEF(WOWL_ND) \
-+ BRCMF_FEAT_DEF(WOWL_GTK)
-
- /*
- * Quirks:
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
-@@ -111,7 +111,9 @@
- /* Wakeup if received matched secured pattern: */
- #define BRCMF_WOWL_SECURE (1 << 25)
- /* Wakeup on finding preferred network */
--#define BRCMF_WOWL_PFN_FOUND (1 << 26)
-+#define BRCMF_WOWL_PFN_FOUND (1 << 27)
-+/* Wakeup on receiving pairwise key EAP packets: */
-+#define WIPHY_WOWL_EAP_PK (1 << 28)
- /* Link Down indication in WoWL mode: */
- #define BRCMF_WOWL_LINKDOWN (1 << 31)
-
-@@ -136,6 +138,10 @@
-
- #define BRCMF_MCSSET_LEN 16
-
-+#define BRCMF_RSN_KCK_LENGTH 16
-+#define BRCMF_RSN_KEK_LENGTH 16
-+#define BRCMF_RSN_REPLAY_LEN 8
-+
- /* join preference types for join_pref iovar */
- enum brcmf_join_pref_types {
- BRCMF_JOIN_PREF_RSSI = 1,
-@@ -789,4 +795,17 @@ struct brcmf_pktcnt_le {
- __le32 rx_ocast_good_pkt;
- };
-
-+/**
-+ * struct brcmf_gtk_keyinfo_le - GTP rekey data
-+ *
-+ * @kck: key confirmation key.
-+ * @kek: key encryption key.
-+ * @replay_counter: replay counter.
-+ */
-+struct brcmf_gtk_keyinfo_le {
-+ u8 kck[BRCMF_RSN_KCK_LENGTH];
-+ u8 kek[BRCMF_RSN_KEK_LENGTH];
-+ u8 replay_counter[BRCMF_RSN_REPLAY_LEN];
-+};
-+
- #endif /* FWIL_TYPES_H_ */
+++ /dev/null
-From: Hante Meuleman <meuleman@broadcom.com>
-Date: Wed, 17 Feb 2016 11:27:04 +0100
-Subject: [PATCH] brcmfmac: move platform data retrieval code to common
-
-In preparation of module parameters for all devices the module
-platform data retrieval is moved from sdio to common. It is still
-only used for sdio devices.
-
-Reviewed-by: Arend Van Spriel <arend@broadcom.com>
-Reviewed-by: Franky (Zhenhui) Lin <frankyl@broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
-Signed-off-by: Hante Meuleman <meuleman@broadcom.com>
-Signed-off-by: Arend van Spriel <arend@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcmsdh.c
-@@ -27,8 +27,6 @@
- #include <linux/mmc/sdio_func.h>
- #include <linux/mmc/card.h>
- #include <linux/mmc/host.h>
--#include <linux/platform_device.h>
--#include <linux/platform_data/brcmfmac-sdio.h>
- #include <linux/pm_runtime.h>
- #include <linux/suspend.h>
- #include <linux/errno.h>
-@@ -46,7 +44,6 @@
- #include "bus.h"
- #include "debug.h"
- #include "sdio.h"
--#include "of.h"
- #include "core.h"
- #include "common.h"
-
-@@ -106,18 +103,18 @@ static void brcmf_sdiod_dummy_irqhandler
-
- int brcmf_sdiod_intr_register(struct brcmf_sdio_dev *sdiodev)
- {
-+ struct brcmfmac_sdio_platform_data *pdata;
- int ret = 0;
- u8 data;
- u32 addr, gpiocontrol;
- unsigned long flags;
-
-- if ((sdiodev->pdata) && (sdiodev->pdata->oob_irq_supported)) {
-+ pdata = sdiodev->pdata;
-+ if ((pdata) && (pdata->oob_irq_supported)) {
- brcmf_dbg(SDIO, "Enter, register OOB IRQ %d\n",
-- sdiodev->pdata->oob_irq_nr);
-- ret = request_irq(sdiodev->pdata->oob_irq_nr,
-- brcmf_sdiod_oob_irqhandler,
-- sdiodev->pdata->oob_irq_flags,
-- "brcmf_oob_intr",
-+ pdata->oob_irq_nr);
-+ ret = request_irq(pdata->oob_irq_nr, brcmf_sdiod_oob_irqhandler,
-+ pdata->oob_irq_flags, "brcmf_oob_intr",
- &sdiodev->func[1]->dev);
- if (ret != 0) {
- brcmf_err("request_irq failed %d\n", ret);
-@@ -129,7 +126,7 @@ int brcmf_sdiod_intr_register(struct brc
- sdiodev->irq_en = true;
- spin_unlock_irqrestore(&sdiodev->irq_en_lock, flags);
-
-- ret = enable_irq_wake(sdiodev->pdata->oob_irq_nr);
-+ ret = enable_irq_wake(pdata->oob_irq_nr);
- if (ret != 0) {
- brcmf_err("enable_irq_wake failed %d\n", ret);
- return ret;
-@@ -158,7 +155,7 @@ int brcmf_sdiod_intr_register(struct brc
-
- /* redirect, configure and enable io for interrupt signal */
- data = SDIO_SEPINT_MASK | SDIO_SEPINT_OE;
-- if (sdiodev->pdata->oob_irq_flags & IRQF_TRIGGER_HIGH)
-+ if (pdata->oob_irq_flags & IRQF_TRIGGER_HIGH)
- data |= SDIO_SEPINT_ACT_HI;
- brcmf_sdiod_regwb(sdiodev, SDIO_CCCR_BRCM_SEPINT, data, &ret);
-
-@@ -176,9 +173,12 @@ int brcmf_sdiod_intr_register(struct brc
-
- int brcmf_sdiod_intr_unregister(struct brcmf_sdio_dev *sdiodev)
- {
-+ struct brcmfmac_sdio_platform_data *pdata;
-+
- brcmf_dbg(SDIO, "Entering\n");
-
-- if ((sdiodev->pdata) && (sdiodev->pdata->oob_irq_supported)) {
-+ pdata = sdiodev->pdata;
-+ if ((pdata) && (pdata->oob_irq_supported)) {
- sdio_claim_host(sdiodev->func[1]);
- brcmf_sdiod_regwb(sdiodev, SDIO_CCCR_BRCM_SEPINT, 0, NULL);
- brcmf_sdiod_regwb(sdiodev, SDIO_CCCR_IENx, 0, NULL);
-@@ -187,11 +187,10 @@ int brcmf_sdiod_intr_unregister(struct b
- if (sdiodev->oob_irq_requested) {
- sdiodev->oob_irq_requested = false;
- if (sdiodev->irq_wake) {
-- disable_irq_wake(sdiodev->pdata->oob_irq_nr);
-+ disable_irq_wake(pdata->oob_irq_nr);
- sdiodev->irq_wake = false;
- }
-- free_irq(sdiodev->pdata->oob_irq_nr,
-- &sdiodev->func[1]->dev);
-+ free_irq(pdata->oob_irq_nr, &sdiodev->func[1]->dev);
- sdiodev->irq_en = false;
- }
- } else {
-@@ -1103,8 +1102,6 @@ static const struct sdio_device_id brcmf
- };
- MODULE_DEVICE_TABLE(sdio, brcmf_sdmmc_ids);
-
--static struct brcmfmac_sdio_platform_data *brcmfmac_sdio_pdata;
--
-
- static void brcmf_sdiod_acpi_set_power_manageable(struct device *dev,
- int val)
-@@ -1167,10 +1164,7 @@ static int brcmf_ops_sdio_probe(struct s
- dev_set_drvdata(&func->dev, bus_if);
- dev_set_drvdata(&sdiodev->func[1]->dev, bus_if);
- sdiodev->dev = &sdiodev->func[1]->dev;
-- sdiodev->pdata = brcmfmac_sdio_pdata;
--
-- if (!sdiodev->pdata)
-- brcmf_of_probe(sdiodev);
-+ sdiodev->pdata = brcmf_get_module_param(sdiodev->dev);
-
- #ifdef CONFIG_PM_SLEEP
- /* wowl can be supported when KEEP_POWER is true and (WAKE_SDIO_IRQ
-@@ -1296,7 +1290,7 @@ static const struct dev_pm_ops brcmf_sdi
- static struct sdio_driver brcmf_sdmmc_driver = {
- .probe = brcmf_ops_sdio_probe,
- .remove = brcmf_ops_sdio_remove,
-- .name = BRCMFMAC_SDIO_PDATA_NAME,
-+ .name = KBUILD_MODNAME,
- .id_table = brcmf_sdmmc_ids,
- .drv = {
- .owner = THIS_MODULE,
-@@ -1306,37 +1300,6 @@ static struct sdio_driver brcmf_sdmmc_dr
- },
- };
-
--static int __init brcmf_sdio_pd_probe(struct platform_device *pdev)
--{
-- brcmf_dbg(SDIO, "Enter\n");
--
-- brcmfmac_sdio_pdata = dev_get_platdata(&pdev->dev);
--
-- if (brcmfmac_sdio_pdata->power_on)
-- brcmfmac_sdio_pdata->power_on();
--
-- return 0;
--}
--
--static int brcmf_sdio_pd_remove(struct platform_device *pdev)
--{
-- brcmf_dbg(SDIO, "Enter\n");
--
-- if (brcmfmac_sdio_pdata->power_off)
-- brcmfmac_sdio_pdata->power_off();
--
-- sdio_unregister_driver(&brcmf_sdmmc_driver);
--
-- return 0;
--}
--
--static struct platform_driver brcmf_sdio_pd = {
-- .remove = brcmf_sdio_pd_remove,
-- .driver = {
-- .name = BRCMFMAC_SDIO_PDATA_NAME,
-- }
--};
--
- void brcmf_sdio_register(void)
- {
- int ret;
-@@ -1350,19 +1313,6 @@ void brcmf_sdio_exit(void)
- {
- brcmf_dbg(SDIO, "Enter\n");
-
-- if (brcmfmac_sdio_pdata)
-- platform_driver_unregister(&brcmf_sdio_pd);
-- else
-- sdio_unregister_driver(&brcmf_sdmmc_driver);
-+ sdio_unregister_driver(&brcmf_sdmmc_driver);
- }
-
--void __init brcmf_sdio_init(void)
--{
-- int ret;
--
-- brcmf_dbg(SDIO, "Enter\n");
--
-- ret = platform_driver_probe(&brcmf_sdio_pd, brcmf_sdio_pd_probe);
-- if (ret == -ENODEV)
-- brcmf_dbg(SDIO, "No platform data available.\n");
--}
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c
-@@ -27,6 +27,7 @@
- #include "fwil_types.h"
- #include "tracepoint.h"
- #include "common.h"
-+#include "of.h"
-
- MODULE_AUTHOR("Broadcom Corporation");
- MODULE_DESCRIPTION("Broadcom 802.11 wireless LAN fullmac driver.");
-@@ -79,6 +80,7 @@ module_param_named(ignore_probe_fail, br
- MODULE_PARM_DESC(ignore_probe_fail, "always succeed probe for debugging");
- #endif
-
-+static struct brcmfmac_sdio_platform_data *brcmfmac_pdata;
- struct brcmf_mp_global_t brcmf_mp_global;
-
- int brcmf_c_preinit_dcmds(struct brcmf_if *ifp)
-@@ -231,6 +233,13 @@ static void brcmf_mp_attach(void)
- BRCMF_FW_ALTPATH_LEN);
- }
-
-+struct brcmfmac_sdio_platform_data *brcmf_get_module_param(struct device *dev)
-+{
-+ if (!brcmfmac_pdata)
-+ brcmf_of_probe(dev, &brcmfmac_pdata);
-+ return brcmfmac_pdata;
-+}
-+
- int brcmf_mp_device_attach(struct brcmf_pub *drvr)
- {
- drvr->settings = kzalloc(sizeof(*drvr->settings), GFP_ATOMIC);
-@@ -253,6 +262,35 @@ void brcmf_mp_device_detach(struct brcmf
- kfree(drvr->settings);
- }
-
-+static int __init brcmf_common_pd_probe(struct platform_device *pdev)
-+{
-+ brcmf_dbg(INFO, "Enter\n");
-+
-+ brcmfmac_pdata = dev_get_platdata(&pdev->dev);
-+
-+ if (brcmfmac_pdata->power_on)
-+ brcmfmac_pdata->power_on();
-+
-+ return 0;
-+}
-+
-+static int brcmf_common_pd_remove(struct platform_device *pdev)
-+{
-+ brcmf_dbg(INFO, "Enter\n");
-+
-+ if (brcmfmac_pdata->power_off)
-+ brcmfmac_pdata->power_off();
-+
-+ return 0;
-+}
-+
-+static struct platform_driver brcmf_pd = {
-+ .remove = brcmf_common_pd_remove,
-+ .driver = {
-+ .name = BRCMFMAC_SDIO_PDATA_NAME,
-+ }
-+};
-+
- static int __init brcmfmac_module_init(void)
- {
- int err;
-@@ -260,16 +298,21 @@ static int __init brcmfmac_module_init(v
- /* Initialize debug system first */
- brcmf_debugfs_init();
-
--#ifdef CPTCFG_BRCMFMAC_SDIO
-- brcmf_sdio_init();
--#endif
-+ /* Get the platform data (if available) for our devices */
-+ err = platform_driver_probe(&brcmf_pd, brcmf_common_pd_probe);
-+ if (err == -ENODEV)
-+ brcmf_dbg(INFO, "No platform data available.\n");
-+
- /* Initialize global module paramaters */
- brcmf_mp_attach();
-
- /* Continue the initialization by registering the different busses */
- err = brcmf_core_init();
-- if (err)
-+ if (err) {
- brcmf_debugfs_exit();
-+ if (brcmfmac_pdata)
-+ platform_driver_unregister(&brcmf_pd);
-+ }
-
- return err;
- }
-@@ -277,6 +320,8 @@ static int __init brcmfmac_module_init(v
- static void __exit brcmfmac_module_exit(void)
- {
- brcmf_core_exit();
-+ if (brcmfmac_pdata)
-+ platform_driver_unregister(&brcmf_pd);
- brcmf_debugfs_exit();
- }
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.h
-@@ -15,6 +15,8 @@
- #ifndef BRCMFMAC_COMMON_H
- #define BRCMFMAC_COMMON_H
-
-+#include <linux/platform_device.h>
-+#include <linux/platform_data/brcmfmac-sdio.h>
- #include "fwil_types.h"
-
- extern const u8 ALLFFMAC[ETH_ALEN];
-@@ -89,6 +91,7 @@ struct brcmf_mp_device {
- struct cc_translate *country_codes;
- };
-
-+struct brcmfmac_sdio_platform_data *brcmf_get_module_param(struct device *dev);
- int brcmf_mp_device_attach(struct brcmf_pub *drvr);
- void brcmf_mp_device_detach(struct brcmf_pub *drvr);
- #ifdef DEBUG
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.c
-@@ -16,17 +16,16 @@
- #include <linux/init.h>
- #include <linux/of.h>
- #include <linux/of_irq.h>
--#include <linux/mmc/card.h>
--#include <linux/platform_data/brcmfmac-sdio.h>
--#include <linux/mmc/sdio_func.h>
-
- #include <defs.h>
- #include "debug.h"
--#include "sdio.h"
-+#include "core.h"
-+#include "common.h"
-+#include "of.h"
-
--void brcmf_of_probe(struct brcmf_sdio_dev *sdiodev)
-+void
-+brcmf_of_probe(struct device *dev, struct brcmfmac_sdio_platform_data **sdio)
- {
-- struct device *dev = sdiodev->dev;
- struct device_node *np = dev->of_node;
- int irq;
- u32 irqf;
-@@ -35,12 +34,12 @@ void brcmf_of_probe(struct brcmf_sdio_de
- if (!np || !of_device_is_compatible(np, "brcm,bcm4329-fmac"))
- return;
-
-- sdiodev->pdata = devm_kzalloc(dev, sizeof(*sdiodev->pdata), GFP_KERNEL);
-- if (!sdiodev->pdata)
-+ *sdio = devm_kzalloc(dev, sizeof(*sdio), GFP_KERNEL);
-+ if (!(*sdio))
- return;
-
- if (of_property_read_u32(np, "brcm,drive-strength", &val) == 0)
-- sdiodev->pdata->drive_strength = val;
-+ (*sdio)->drive_strength = val;
-
- /* make sure there are interrupts defined in the node */
- if (!of_find_property(np, "interrupts", NULL))
-@@ -53,7 +52,7 @@ void brcmf_of_probe(struct brcmf_sdio_de
- }
- irqf = irqd_get_trigger_type(irq_get_irq_data(irq));
-
-- sdiodev->pdata->oob_irq_supported = true;
-- sdiodev->pdata->oob_irq_nr = irq;
-- sdiodev->pdata->oob_irq_flags = irqf;
-+ (*sdio)->oob_irq_supported = true;
-+ (*sdio)->oob_irq_nr = irq;
-+ (*sdio)->oob_irq_flags = irqf;
- }
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/of.h
-@@ -14,9 +14,11 @@
- * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
- #ifdef CONFIG_OF
--void brcmf_of_probe(struct brcmf_sdio_dev *sdiodev);
-+void
-+brcmf_of_probe(struct device *dev, struct brcmfmac_sdio_platform_data **sdio);
- #else
--static void brcmf_of_probe(struct brcmf_sdio_dev *sdiodev)
-+static void brcmf_of_probe(struct device *dev,
-+ struct brcmfmac_sdio_platform_data **sdio)
- {
- }
- #endif /* CONFIG_OF */
+++ /dev/null
-From: Hante Meuleman <meuleman@broadcom.com>
-Date: Wed, 17 Feb 2016 11:27:05 +0100
-Subject: [PATCH] brcmfmac: keep ARP and ND offload enabled during WOWL
-
-Currently ARP and ND (IPv6 Neigbor Discovery) offload get disabled
-on entering suspend. However when firmwares support the wowl_cap
-iovar then these offload routines can be kept enabled as they
-will work during WOWL as well.
-
-Reviewed-by: Arend Van Spriel <arend@broadcom.com>
-Reviewed-by: Franky (Zhenhui) Lin <frankyl@broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
-Signed-off-by: Hante Meuleman <meuleman@broadcom.com>
-Signed-off-by: Arend van Spriel <arend@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -3556,7 +3556,8 @@ static s32 brcmf_cfg80211_resume(struct
- brcmf_report_wowl_wakeind(wiphy, ifp);
- brcmf_fil_iovar_int_set(ifp, "wowl_clear", 0);
- brcmf_config_wowl_pattern(ifp, "clr", NULL, 0, NULL, 0);
-- brcmf_configure_arp_nd_offload(ifp, true);
-+ if (!brcmf_feat_is_enabled(ifp, BRCMF_FEAT_WOWL_ARP_ND))
-+ brcmf_configure_arp_nd_offload(ifp, true);
- brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_PM,
- cfg->wowl.pre_pmmode);
- cfg->wowl.active = false;
-@@ -3580,7 +3581,8 @@ static void brcmf_configure_wowl(struct
-
- brcmf_dbg(TRACE, "Suspend, wowl config.\n");
-
-- brcmf_configure_arp_nd_offload(ifp, false);
-+ if (!brcmf_feat_is_enabled(ifp, BRCMF_FEAT_WOWL_ARP_ND))
-+ brcmf_configure_arp_nd_offload(ifp, false);
- brcmf_fil_cmd_int_get(ifp, BRCMF_C_GET_PM, &cfg->wowl.pre_pmmode);
- brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_PM, PM_MAX);
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.c
-@@ -147,6 +147,7 @@ void brcmf_feat_attach(struct brcmf_pub
- if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_WOWL)) {
- err = brcmf_fil_iovar_int_get(ifp, "wowl_cap", &wowl_cap);
- if (!err) {
-+ ifp->drvr->feat_flags |= BIT(BRCMF_FEAT_WOWL_ARP_ND);
- if (wowl_cap & BRCMF_WOWL_PFN_FOUND)
- ifp->drvr->feat_flags |=
- BIT(BRCMF_FEAT_WOWL_ND);
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/feature.h
-@@ -29,6 +29,7 @@
- * SCAN_RANDOM_MAC: Random MAC during (net detect) scheduled scan.
- * WOWL_ND: WOWL net detect (PNO)
- * WOWL_GTK: (WOWL) GTK rekeying offload
-+ * WOWL_ARP_ND: ARP and Neighbor Discovery offload support during WOWL.
- */
- #define BRCMF_FEAT_LIST \
- BRCMF_FEAT_DEF(MBSS) \
-@@ -40,7 +41,8 @@
- BRCMF_FEAT_DEF(TDLS) \
- BRCMF_FEAT_DEF(SCAN_RANDOM_MAC) \
- BRCMF_FEAT_DEF(WOWL_ND) \
-- BRCMF_FEAT_DEF(WOWL_GTK)
-+ BRCMF_FEAT_DEF(WOWL_GTK) \
-+ BRCMF_FEAT_DEF(WOWL_ARP_ND)
-
- /*
- * Quirks:
+++ /dev/null
-From: Hante Meuleman <meuleman@broadcom.com>
-Date: Wed, 17 Feb 2016 11:27:07 +0100
-Subject: [PATCH] brcmfmac: switch to new platform data
-
-Platform data is only available for sdio. With this patch a new
-platform data structure is being used which allows for platform
-data for any device and configurable per device. This patch only
-switches to the new structure and adds support