diff --git a/ath9k-stop-on-rates-with-idx-1-in-ath9k-rate-control.patch b/ath9k-stop-on-rates-with-idx-1-in-ath9k-rate-control.patch
new file mode 100644
index 0000000..f118bd5
--- /dev/null
+++ b/ath9k-stop-on-rates-with-idx-1-in-ath9k-rate-control.patch
@@ -0,0 +1,39 @@
+From 2504a6423b9ab4c36df78227055995644de19edb Mon Sep 17 00:00:00 2001
+From: Pavel Roskin
+Date: Sat, 11 Feb 2012 10:01:53 -0500
+Subject: [PATCH] ath9k: stop on rates with idx -1 in ath9k rate control's
+ .tx_status
+
+Rate control algorithms are supposed to stop processing when they
+encounter a rate with the index -1. Checking for rate->count not being
+zero is not enough.
+
+Allowing a rate with negative index leads to memory corruption in
+ath_debug_stat_rc().
+
+One consequence of the bug is discussed at
+https://bugzilla.redhat.com/show_bug.cgi?id=768639
+
+Signed-off-by: Pavel Roskin
+Cc: stable@vger.kernel.org
+Signed-off-by: John W. Linville
+---
+ drivers/net/wireless/ath/ath9k/rc.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/rc.c b/drivers/net/wireless/ath/ath9k/rc.c
+index 635b592..a427a16 100644
+--- a/drivers/net/wireless/ath/ath9k/rc.c
++++ b/drivers/net/wireless/ath/ath9k/rc.c
+@@ -1346,7 +1346,7 @@ static void ath_tx_status(void *priv, struct ieee80211_supported_band *sband,
+ fc = hdr->frame_control;
+ for (i = 0; i < sc->hw->max_rates; i++) {
+ struct ieee80211_tx_rate *rate = &tx_info->status.rates[i];
+- if (!rate->count)
++ if (rate->idx < 0 || !rate->count)
+ break;
+
+ final_ts_idx = i;
+--
+1.7.4.4
+
diff --git a/ath9k_hw-prevent-writes-to-const-data-on-AR9160.patch b/ath9k_hw-prevent-writes-to-const-data-on-AR9160.patch
new file mode 100644
index 0000000..f034020
--- /dev/null
+++ b/ath9k_hw-prevent-writes-to-const-data-on-AR9160.patch
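Review bot: The guard added in the `ath_tx_status()` loop rejects a negative `rate->idx`, but the lines visible here never compare a non-negative index with the size of whatever table it later selects from, and the function continues outside the hunk. The commit message places the memory corruption in `ath_debug_stat_rc()`, so a range check at that consumer would be a second line of defence if another path hands in a bad index. A comment on the new test would also help the next reader: `/* idx < 0 marks the end of the rate list; count may still be non-zero */`.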
@@ -0,0 +1,117 @@
+From 9bbb8168ed3d8b946f9c1901a63a675012de88f2 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau
+Date: Wed, 15 Feb 2012 19:31:20 +0100
+Subject: [PATCH] ath9k_hw: prevent writes to const data on AR9160
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Duplicate the data for iniAddac early on, to avoid having to do redundant
+memcpy calls later. While we're at it, make AR5416 < v2.2 use the same
+codepath. Fixes a reported crash on x86.
+
+Signed-off-by: Felix Fietkau
+Reported-by: Magnus Määttä
+Cc: stable@vger.kernel.org
+Signed-off-by: John W. Linville
+---
+ drivers/net/wireless/ath/ath9k/ar5008_phy.c | 25 +------------------------
+ drivers/net/wireless/ath/ath9k/ar9002_hw.c | 19 +++++++++++++++++++
+ drivers/net/wireless/ath/ath9k/hw.h | 1 -
+ 3 files changed, 20 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/ar5008_phy.c b/drivers/net/wireless/ath/ath9k/ar5008_phy.c
+index f901a17..86a891f 100644
+--- a/drivers/net/wireless/ath/ath9k/ar5008_phy.c
++++ b/drivers/net/wireless/ath/ath9k/ar5008_phy.c
+@@ -489,8 +489,6 @@ static int ar5008_hw_rf_alloc_ext_banks(struct ath_hw *ah)
+ ATH_ALLOC_BANK(ah->analogBank6Data, ah->iniBank6.ia_rows);
+ ATH_ALLOC_BANK(ah->analogBank6TPCData, ah->iniBank6TPC.ia_rows);
+ ATH_ALLOC_BANK(ah->analogBank7Data, ah->iniBank7.ia_rows);
+- ATH_ALLOC_BANK(ah->addac5416_21,
+- ah->iniAddac.ia_rows * ah->iniAddac.ia_columns);
+ ATH_ALLOC_BANK(ah->bank6Temp, ah->iniBank6.ia_rows);
+
+ return 0;
+@@ -519,7 +517,6 @@ static void ar5008_hw_rf_free_ext_banks(struct ath_hw *ah)
+ ATH_FREE_BANK(ah->analogBank6Data);
+ ATH_FREE_BANK(ah->analogBank6TPCData);
+ ATH_FREE_BANK(ah->analogBank7Data);
+- ATH_FREE_BANK(ah->addac5416_21);
+ ATH_FREE_BANK(ah->bank6Temp);
+
+ #undef ATH_FREE_BANK
+@@ -805,27 +802,7 @@ static int ar5008_hw_process_ini(struct ath_hw *ah,
+ if (ah->eep_ops->set_addac)
+ ah->eep_ops->set_addac(ah, chan);
+
+- if
(AR_SREV_5416_22_OR_LATER(ah)) {
+- REG_WRITE_ARRAY(&ah->iniAddac, 1, regWrites);
+- } else {
+- struct ar5416IniArray temp;
+- u32 addacSize =
+- sizeof(u32) * ah->iniAddac.ia_rows *
+- ah->iniAddac.ia_columns;
+-
+- /* For AR5416 2.0/2.1 */
+- memcpy(ah->addac5416_21,
+- ah->iniAddac.ia_array, addacSize);
+-
+- /* override CLKDRV value at [row, column] = [31, 1] */
+- (ah->addac5416_21)[31 * ah->iniAddac.ia_columns + 1] = 0;
+-
+- temp.ia_array = ah->addac5416_21;
+- temp.ia_columns = ah->iniAddac.ia_columns;
+- temp.ia_rows = ah->iniAddac.ia_rows;
+- REG_WRITE_ARRAY(&temp, 1, regWrites);
+- }
+-
++ REG_WRITE_ARRAY(&ah->iniAddac, 1, regWrites);
+ REG_WRITE(ah, AR_PHY_ADC_SERIAL_CTL, AR_PHY_SEL_INTERNAL_ADDAC);
+
+ ENABLE_REGWRITE_BUFFER(ah);
+diff --git a/drivers/net/wireless/ath/ath9k/ar9002_hw.c b/drivers/net/wireless/ath/ath9k/ar9002_hw.c
+index 11f192a..d190411 100644
+--- a/drivers/net/wireless/ath/ath9k/ar9002_hw.c
++++ b/drivers/net/wireless/ath/ath9k/ar9002_hw.c
+@@ -180,6 +180,25 @@ static void ar9002_hw_init_mode_regs(struct ath_hw *ah)
+ INIT_INI_ARRAY(&ah->iniAddac, ar5416Addac,
+ ARRAY_SIZE(ar5416Addac), 2);
+ }
++
++ /* iniAddac needs to be modified for these chips */
++ if (AR_SREV_9160(ah) || !AR_SREV_5416_22_OR_LATER(ah)) {
++ struct ar5416IniArray *addac = &ah->iniAddac;
++ u32 size = sizeof(u32) * addac->ia_rows * addac->ia_columns;
++ u32 *data;
++
++ data = kmalloc(size, GFP_KERNEL);
++ if (!data)
++ return;
++
++ memcpy(data, addac->ia_array, size);
++ addac->ia_array = data;
++
++ if (!AR_SREV_5416_22_OR_LATER(ah)) {
++ /* override CLKDRV value */
++ INI_RA(addac, 31,1) = 0;
++ }
++ }
+ }
+
+ /* Support for Japan ch.14 (2484) spread */
+diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h
+index 6a29004..c8261d4 100644
+--- a/drivers/net/wireless/ath/ath9k/hw.h
++++ b/drivers/net/wireless/ath/ath9k/hw.h
+@@ -940,7 +940,6 @@ struct ath_hw {
+ u32 *analogBank6Data;
+ u32 *analogBank6TPCData;
+ u32
*analogBank7Data;
+- u32 *addac5416_21;
+ u32 *bank6Temp;
+
+ u8 txpower_limit;
+--
+1.7.4.4
+
diff --git a/brcm80211-smac-fix-endless-retry-of-A-MPDU-transmiss.patch b/brcm80211-smac-fix-endless-retry-of-A-MPDU-transmiss.patch
new file mode 100644
index 0000000..c50c642
--- /dev/null
+++ b/brcm80211-smac-fix-endless-retry-of-A-MPDU-transmiss.patch
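Review bot: In the ar9002_hw.c hunk, `if (!data) return;` makes an allocation failure silent: `ar9002_hw_init_mode_regs()` is void, so `iniAddac.ia_array` keeps pointing at the original table, the CLKDRV override is skipped on AR5416 before 2.2, and a later write on AR9160 would land on the const data this patch is meant to protect. The failure should at least be logged there, for example `ath_err(ath9k_hw_common(ah), "failed to duplicate iniAddac\n");`, and ideally reported through an init step that can fail. The patch also removes `ATH_FREE_BANK(ah->addac5416_21)` without adding a matching `kfree()` for the new copy in any visible hunk, so the buffer looks leaked on teardown unless it is released elsewhere. `INI_RA(addac, 31,1) = 0;` still assumes the table has at least 32 rows; a check against `addac->ia_rows` would make that assumption explicit.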
@@ -0,0 +1,56 @@
+From 85091fc0a75653e239dc8379658515e577544927 Mon Sep 17 00:00:00 2001
+From: Arend van Spriel
+Date: Thu, 23 Feb 2012 18:38:22 +0100
+Subject: [PATCH] brcm80211: smac: fix endless retry of A-MPDU transmissions
+
+The A-MPDU code checked against a retry limit, but it was using
+the wrong variable to do so. This patch fixes this to assure
+proper retry mechanism.
+
+This problem had a side-effect causing the mac80211 flush callback
+to remain waiting forever as well. That side effect has been fixed
+by commit by Stanislaw Gruszka:
+
+commit f96b08a7e6f69c0f0a576554df3df5b1b519c479
+Date: Tue Jan 17 12:38:50 2012 +0100
+
+ brcmsmac: fix tx queue flush infinite loop
+
+ Reference:
+ https://bugzilla.kernel.org/show_bug.cgi?id=42576
+
+Cc: Stanislaw Gruszka
+Reviewed-by: Pieter-Paul Giesberts
+Reviewed-by: Alwin Beukers
+Signed-off-by: Arend van Spriel
+Signed-off-by: John W. Linville
+---
+ drivers/net/wireless/brcm80211/brcmsmac/ampdu.c | 6 +-----
+ 1 files changed, 1 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c b/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c
+index 90911ee..9265226 100644
+--- a/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c
++++ b/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c
+@@ -1051,17 +1051,13 @@ brcms_c_ampdu_dotxstatus_complete(struct ampdu_info *ampdu, struct scb *scb,
+ }
+ /* either retransmit or send bar if ack not recd */
+ if (!ack_recd) {
+- struct ieee80211_tx_rate *txrate =
+- tx_info->status.rates;
+- if (retry && (txrate[0].count < (int)retry_limit)) {
++ if (retry && (ini->txretry[index] < (int)retry_limit)) {
+ ini->txretry[index]++;
+ ini->tx_in_transit--;
+ /*
+ * Use high prededence for retransmit to
+ * give some punch
+ */
+- /* brcms_c_txq_enq(wlc, scb, p,
+- * BRCMS_PRIO_TO_PREC(tid)); */
+ brcms_c_txq_enq(wlc, scb, p,
+ BRCMS_PRIO_TO_HI_PREC(tid));
+ } else {
+--
+1.7.4.4
+
diff --git a/brcm80211-smac-only-print-block-ack-timeout-message-.patch b/brcm80211-smac-only-print-block-ack-timeout-message-.patch
new file mode 100644
index 0000000..b0e9d69
--- /dev/null
+++ b/brcm80211-smac-only-print-block-ack-timeout-message-.patch
@@ -0,0 +1,37 @@
+From 2b0a53d51b5f263bb581bbdb40ebb9f7e09609b1 Mon Sep 17 00:00:00 2001
+From: Arend van Spriel
+Date: Thu, 23 Feb 2012 18:38:23 +0100
+Subject: [PATCH] brcm80211: smac: only print block-ack timeout message at
+ trace level
+
+In regular use block-ack timeouts can happen so it does not make
+sense to fill the log with these messages.
+
+Reviewed-by: Pieter-Paul Giesberts
+Reviewed-by: Alwin Beukers
+Signed-off-by: Arend van Spriel
+Signed-off-by: John W. Linville
+---
+ drivers/net/wireless/brcm80211/brcmsmac/ampdu.c | 6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c b/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c
+index 9265226..30b5887 100644
+--- a/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c
++++ b/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c
+@@ -1070,9 +1070,9 @@ brcms_c_ampdu_dotxstatus_complete(struct ampdu_info *ampdu, struct scb *scb,
+ IEEE80211_TX_STAT_AMPDU_NO_BACK;
+ skb_pull(p, D11_PHY_HDR_LEN);
+ skb_pull(p, D11_TXH_LEN);
+- wiphy_err(wiphy, "%s: BA Timeout, seq %d, in_"
+- "transit %d\n", "AMPDU status", seq,
+- ini->tx_in_transit);
++ BCMMSG(wiphy,
++ "BA Timeout, seq %d, in_transit %d\n",
++ seq, ini->tx_in_transit);
+ ieee80211_tx_status_irqsafe(wlc->pub->ieee_hw,
+ p);
+ }
+--
+1.7.4.4
+
diff --git a/iwlwifi-fix-key-removal.patch b/iwlwifi-fix-key-removal.patch
new file mode 100644
index 0000000..9a90160
--- /dev/null
+++ b/iwlwifi-fix-key-removal.patch
@@ -0,0 +1,56 @@
+From 5dcbf480473f6c3f06ad2426b7517038a2a18911 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Fri, 17 Feb 2012 09:47:14 -0800
+Subject: [PATCH] iwlwifi: fix key removal
+
+When trying to remove a key, we always send key
+flags just setting the key type, not including
+the multicast flag and the key ID. As a result,
+whenever any key was removed, the unicast key 0
+would be removed, causing a complete connection
+loss after the second rekey (the first doesn't
+cause a key removal). Fix the key removal code
+to include the key ID and multicast flag, thus
+removing the correct key.
+
+Cc: stable@vger.kernel.org
+Reported-by: Alexander Schnaidt
+Tested-by: Alexander Schnaidt
+Signed-off-by: Johannes Berg
+Signed-off-by: Wey-Yi Guy
+Signed-off-by: John W. Linville
+---
+ drivers/net/wireless/iwlwifi/iwl-agn-sta.c | 10 +++++++++-
+ 1 files changed, 9 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/net/wireless/iwlwifi/iwl-agn-sta.c b/drivers/net/wireless/iwlwifi/iwl-agn-sta.c
+index 7353826..e483cfa 100644
+--- a/drivers/net/wireless/iwlwifi/iwl-agn-sta.c
++++ b/drivers/net/wireless/iwlwifi/iwl-agn-sta.c
+@@ -1187,6 +1187,7 @@ int iwl_remove_dynamic_key(struct iwl_priv *priv,
+ unsigned long flags;
+ struct iwl_addsta_cmd sta_cmd;
+ u8 sta_id = iwlagn_key_sta_id(priv, ctx->vif, sta);
++ __le16 key_flags;
+
+ /* if station isn't there, neither is the key */
+ if (sta_id == IWL_INVALID_STATION)
+@@ -1212,7 +1213,14 @@ int iwl_remove_dynamic_key(struct iwl_priv *priv,
+ IWL_ERR(priv, "offset %d not used in uCode key table.\n",
+ keyconf->hw_key_idx);
+
+- sta_cmd.key.key_flags = STA_KEY_FLG_NO_ENC | STA_KEY_FLG_INVALID;
++ key_flags = cpu_to_le16(keyconf->keyidx << STA_KEY_FLG_KEYID_POS);
++ key_flags |= STA_KEY_FLG_MAP_KEY_MSK | STA_KEY_FLG_NO_ENC |
++ STA_KEY_FLG_INVALID;
++
++ if (!(keyconf->flags & IEEE80211_KEY_FLAG_PAIRWISE))
++ key_flags |= STA_KEY_MULTICAST_MSK;
++
++ sta_cmd.key.key_flags = key_flags;
+ sta_cmd.key.key_offset =
WEP_INVALID_OFFSET; + sta_cmd.sta.modify_mask = STA_MODIFY_KEY_MASK; + sta_cmd.mode = STA_CONTROL_MODIFY_MSK; +-- +1.7.4.4 + diff --git a/kernel.spec b/kernel.spec index ecc5c2a..15fded6 100644 --- a/kernel.spec +++ b/kernel.spec @@ -845,6 +845,17 @@ Patch50121: bcma-don-t-fail-for-bad-SPROM-CRC.patch Patch50122: zd1211rw-firmware-needs-duration_id-set-to-zero-for-.patch Patch50123: mac80211-Fix-a-rwlock-bad-magic-bug.patch Patch50124: rtlwifi-Modify-rtl_pci_init-to-return-0-on-success.patch +Patch50125: mac80211-call-rate-control-only-after-init.patch +Patch50126: mac80211-do-not-call-rate-control-.tx_status-before-.patch +Patch50127: mwifiex-clear-previous-security-setting-during-assoc.patch +Patch50128: ath9k-stop-on-rates-with-idx-1-in-ath9k-rate-control.patch +Patch50129: ath9k_hw-prevent-writes-to-const-data-on-AR9160.patch +Patch50130: rt2x00-fix-a-possible-NULL-pointer-dereference.patch +Patch50131: iwlwifi-fix-key-removal.patch +Patch50132: mac80211-zero-initialize-count-field-in-ieee80211_tx.patch +Patch50133: mac80211-Fix-a-warning-on-changing-to-monitor-mode-f.patch +Patch50134: brcm80211-smac-fix-endless-retry-of-A-MPDU-transmiss.patch +Patch50135: brcm80211-smac-only-print-block-ack-timeout-message-.patch %endif 
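Review bot: The flag composition added to `iwl_remove_dynamic_key()` has to name exactly the key slot that was programmed when the key was installed, yet nothing in the hunk says so, and the add path is outside the visible lines. I would add a comment above it such as `/* must carry the same key ID and multicast bit that were used when the key was added, otherwise a different key is invalidated */`. If the add path builds its flags separately, a shared helper for both would keep the two from drifting apart again.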
@@ -1633,6 +1644,17 @@ ApplyPatch bcma-don-t-fail-for-bad-SPROM-CRC.patch ApplyPatch zd1211rw-firmware-needs-duration_id-set-to-zero-for-.patch ApplyPatch mac80211-Fix-a-rwlock-bad-magic-bug.patch ApplyPatch rtlwifi-Modify-rtl_pci_init-to-return-0-on-success.patch +ApplyPatch mac80211-call-rate-control-only-after-init.patch +ApplyPatch mac80211-do-not-call-rate-control-.tx_status-before-.patch +ApplyPatch mwifiex-clear-previous-security-setting-during-assoc.patch +ApplyPatch ath9k-stop-on-rates-with-idx-1-in-ath9k-rate-control.patch +ApplyPatch ath9k_hw-prevent-writes-to-const-data-on-AR9160.patch +ApplyPatch rt2x00-fix-a-possible-NULL-pointer-dereference.patch +ApplyPatch iwlwifi-fix-key-removal.patch +ApplyPatch mac80211-zero-initialize-count-field-in-ieee80211_tx.patch +ApplyPatch mac80211-Fix-a-warning-on-changing-to-monitor-mode-f.patch +ApplyPatch brcm80211-smac-fix-endless-retry-of-A-MPDU-transmiss.patch +ApplyPatch brcm80211-smac-only-print-block-ack-timeout-message-.patch ApplyPatch rt2x00_fix_MCU_request_failures.patch @@ -2346,6 +2368,19 @@ fi # and build. %changelog +* Fri Feb 24 2012 John W. Linville +- mac80211: call rate control only after init +- mac80211: do not call rate control .tx_status before .rate_init +- mwifiex: clear previous security setting during association +- ath9k: stop on rates with idx -1 in ath9k rate control's .tx_status +- ath9k_hw: prevent writes to const data on AR9160 +- rt2x00: fix a possible NULL pointer dereference +- iwlwifi: fix key removal +- mac80211: zero initialize count field in ieee80211_tx_rate +- mac80211: Fix a warning on changing to monitor mode from STA +- brcm80211: smac: fix endless retry of A-MPDU transmissions +- brcm80211: smac: only print block-ack timeout message at trace level + * Mon Feb 20 2012 Dave Jones 3.2.7-1 - Do not call drivers when invalidating partitions for -ENOMEDIUM 
diff --git a/mac80211-Fix-a-warning-on-changing-to-monitor-mode-f.patch b/mac80211-Fix-a-warning-on-changing-to-monitor-mode-f.patch
new file mode 100644
index 0000000..421bd93
--- /dev/null
+++ b/mac80211-Fix-a-warning-on-changing-to-monitor-mode-f.patch
@@ -0,0 +1,72 @@
+From 0dee00686da88cc32753e02e4e8efdd9e326e4d2 Mon Sep 17 00:00:00 2001
+From: Mohammed Shafi Shajakhan
+Date: Mon, 20 Feb 2012 14:44:01 +0530
+Subject: [PATCH] mac80211: Fix a warning on changing to monitor mode from STA
+
+nothing needs to be done for monitor/AP_VLAN mode on calling
+ieee80211_bss_info_change_notify -> drv_bss_info_changed with the change
+flag 'BSS_CHANGED_IDLE'. 'wl1271' seems to use BSS_CHANGED_IDLE only for
+STA and IBSS mode. further the non-idle state of the monitor mode is
+taken care by the 'count' variable which counts non-idle interfaces.
+ieee80211_idle_off(local, "in use") will be called.
+this fixes the following WARNING when we have initially STA mode
+(network manager running) and not associated, and change it to monitor
+mode with network manager disabled and bringing up the monitor mode.
+this changes the idle state from 'true' (STA unassociated) to 'false'
+(MONITOR mode)
+exposed by the commit 405385f8ce7a2ed8f82e216d88b5282142e1288b
+"mac80211: set bss_conf.idle when vif is connected"
+
+ WARNING: net/mac80211/main.c:212
+ ieee80211_bss_info_change_notify+0x1cf/0x330 [mac80211]()
+ Hardware name: 64756D6
+ Pid: 3835, comm: ifconfig Tainted: G O
+ 3.3.0-rc3-wl #9
+ Call Trace:
+ [] warn_slowpath_common+0x72/0xa0
+ [] ?
+ ieee80211_bss_info_change_notify+0x1cf/0x330 [mac80211]
+ [] ?
+ ieee80211_bss_info_change_notify+0x1cf/0x330 [mac80211]
+ [] warn_slowpath_null+0x22/0x30
+ []
+ ieee80211_bss_info_change_notify+0x1cf/0x330 [mac80211]
+ [] __ieee80211_recalc_idle+0x113/0x430
+ [mac80211]
+ [] ieee80211_do_open+0x156/0x7e0 [mac80211]
+ [] ?
+ ieee80211_check_concurrent_iface+0x25/0x180 [mac80211]
+ [] ? raw_notifier_call_chain+0x1f/0x30
+ [] ieee80211_open+0x40/0x80 [mac80211]
+ [] __dev_open+0x96/0xe0
+ [] ?
_raw_spin_unlock_bh+0x35/0x40
+ [] __dev_change_flags+0x109/0x170
+ [] dev_change_flags+0x23/0x60
+ [] devinet_ioctl+0x6a0/0x770
+
+ ieee80211 phy0: device no longer idle - in use
+
+Cc: Eliad Peller
+Signed-off-by: Mohammed Shafi Shajakhan
+Signed-off-by: John W. Linville
+---
+ net/mac80211/iface.c | 3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
+index 01a21c2..8e2137b 100644
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -1332,6 +1332,9 @@ u32 __ieee80211_recalc_idle(struct ieee80211_local *local)
+ hw_roc = true;
+
+ list_for_each_entry(sdata, &local->interfaces, list) {
++ if (sdata->vif.type == NL80211_IFTYPE_MONITOR ||
++ sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
++ continue;
+ if (sdata->old_idle == sdata->vif.bss_conf.idle)
+ continue;
+ if (!ieee80211_sdata_running(sdata))
+--
+1.7.4.4
+
diff --git a/mac80211-call-rate-control-only-after-init.patch b/mac80211-call-rate-control-only-after-init.patch
new file mode 100644
index 0000000..16fdda1
--- /dev/null
+++ b/mac80211-call-rate-control-only-after-init.patch
@@ -0,0 +1,91 @@
+From 4b5a433ae5348c23caa0b5f0a2fca7c342acb200 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Fri, 20 Jan 2012 13:55:23 +0100
+Subject: [PATCH] mac80211: call rate control only after init
+
+There are situations where we don't have the
+necessary rate control information yet for
+station entries, e.g. when associating. This
+currently doesn't really happen due to the
+dummy station handling; explicitly disabling
+rate control when it's not initialised will
+allow us to remove dummy stations.
+
+Signed-off-by: Johannes Berg
+Signed-off-by: John W. Linville
+---
+ net/mac80211/debugfs_sta.c | 4 ++--
+ net/mac80211/rate.c | 2 +-
+ net/mac80211/rate.h | 1 +
+ net/mac80211/sta_info.h | 2 ++
+ 4 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/debugfs_sta.c b/net/mac80211/debugfs_sta.c
+index 2406b3e..d86217d 100644
+--- a/net/mac80211/debugfs_sta.c
++++ b/net/mac80211/debugfs_sta.c
+@@ -63,14 +63,14 @@ static ssize_t sta_flags_read(struct file *file, char __user *userbuf,
+ test_sta_flag(sta, WLAN_STA_##flg) ?
#flg "\n" : ""
+
+ int res = scnprintf(buf, sizeof(buf),
+- "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s",
++ "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s",
+ TEST(AUTH), TEST(ASSOC), TEST(PS_STA),
+ TEST(PS_DRIVER), TEST(AUTHORIZED),
+ TEST(SHORT_PREAMBLE),
+ TEST(WME), TEST(WDS), TEST(CLEAR_PS_FILT),
+ TEST(MFP), TEST(BLOCK_BA), TEST(PSPOLL),
+ TEST(UAPSD), TEST(SP), TEST(TDLS_PEER),
+- TEST(TDLS_PEER_AUTH));
++ TEST(TDLS_PEER_AUTH), TEST(RATE_CONTROL));
+ #undef TEST
+ return simple_read_from_buffer(userbuf, count, ppos, buf, res);
+ }
+diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c
+index 5a5a776..ad64f4d 100644
+--- a/net/mac80211/rate.c
++++ b/net/mac80211/rate.c
+@@ -336,7 +336,7 @@ void rate_control_get_rate(struct ieee80211_sub_if_data *sdata,
+ int i;
+ u32 mask;
+
+- if (sta) {
++ if (sta && test_sta_flag(sta, WLAN_STA_RATE_CONTROL)) {
+ ista = &sta->sta;
+ priv_sta = sta->rate_ctrl_priv;
+ }
+diff --git a/net/mac80211/rate.h b/net/mac80211/rate.h
+index 168427b..2b83f32 100644
+--- a/net/mac80211/rate.h
++++ b/net/mac80211/rate.h
+@@ -62,6 +62,7 @@ static inline void rate_control_rate_init(struct sta_info *sta)
+ sband = local->hw.wiphy->bands[local->hw.conf.channel->band];
+
+ ref->ops->rate_init(ref->priv, sband, ista, priv_sta);
++ set_sta_flag(sta, WLAN_STA_RATE_CONTROL);
+ }
+
+ static inline void rate_control_rate_update(struct ieee80211_local *local,
+diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h
+index 6f77f12..bfed851 100644
+--- a/net/mac80211/sta_info.h
++++ b/net/mac80211/sta_info.h
+@@ -52,6 +52,7 @@
+ * @WLAN_STA_SP: Station is in a service period, so don't try to
+ * reply to other uAPSD trigger frames or PS-Poll.
+ * @WLAN_STA_4ADDR_EVENT: 4-addr event was already sent for this frame.
++ * @WLAN_STA_RATE_CONTROL: rate control was initialized for this station.
+ */
+ enum ieee80211_sta_info_flags {
+ WLAN_STA_AUTH,
+@@ -71,6 +72,7 @@ enum ieee80211_sta_info_flags {
+ WLAN_STA_UAPSD,
+ WLAN_STA_SP,
+ WLAN_STA_4ADDR_EVENT,
++ WLAN_STA_RATE_CONTROL,
+ };
+
+ enum ieee80211_sta_state {
+--
+1.7.4.4
+
diff --git a/mac80211-do-not-call-rate-control-.tx_status-before-.patch b/mac80211-do-not-call-rate-control-.tx_status-before-.patch
new file mode 100644
index 0000000..28343b3
--- /dev/null
+++ b/mac80211-do-not-call-rate-control-.tx_status-before-.patch
@@ -0,0 +1,33 @@
+From 216c57b214bd621335ff698b475f6db2802502dc Mon Sep 17 00:00:00 2001
+From: Felix Fietkau
+Date: Wed, 8 Feb 2012 19:17:11 +0100
+Subject: [PATCH] mac80211: do not call rate control .tx_status before
+ .rate_init
+
+Most rate control implementations assume .get_rate and .tx_status are only
+called once the per-station data has been fully initialized.
+minstrel_ht crashes if this assumption is violated.
+
+Signed-off-by: Felix Fietkau
+Tested-by: Arend van Spriel
+Signed-off-by: John W. Linville
+---
+ net/mac80211/rate.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/net/mac80211/rate.h b/net/mac80211/rate.h
+index 2b83f32..80cfc00 100644
+--- a/net/mac80211/rate.h
++++ b/net/mac80211/rate.h
+@@ -41,7 +41,7 @@ static inline void rate_control_tx_status(struct ieee80211_local *local,
+ struct ieee80211_sta *ista = &sta->sta;
+ void *priv_sta = sta->rate_ctrl_priv;
+
+- if (!ref)
++ if (!ref || !test_sta_flag(sta, WLAN_STA_RATE_CONTROL))
+ return;
+
+ ref->ops->tx_status(ref->priv, sband, ista, priv_sta, skb);
+--
+1.7.4.4
+
diff --git a/mac80211-zero-initialize-count-field-in-ieee80211_tx.patch b/mac80211-zero-initialize-count-field-in-ieee80211_tx.patch
new file mode 100644
index 0000000..4b0ec16
--- /dev/null
+++ b/mac80211-zero-initialize-count-field-in-ieee80211_tx.patch
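Review bot: In the debugfs_sta.c hunk of the "call rate control only after init" patch, the format string gains a seventeenth `%s` for `TEST(RATE_CONTROL)`, but `buf` is declared outside the hunk and the patch does not touch its size. `scnprintf()` bounds the write, so the risk is silently truncated flag output rather than an overflow; it is worth confirming the buffer still holds every flag name plus its newline. In the rate.c hunk, a station that exists but lacks `WLAN_STA_RATE_CONTROL` now leaves `ista` and `priv_sta` at their initial values (set outside the hunk, presumably NULL), so a comment such as `/* rate control not initialised yet: the algorithm sees no station data */` would make that contract visible.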
@@ -0,0 +1,39 @@
+From 8617b093d0031837a7be9b32bc674580cfb5f6b5 Mon Sep 17 00:00:00 2001
+From: Mohammed Shafi Shajakhan
+Date: Mon, 20 Feb 2012 10:05:31 +0530
+Subject: [PATCH] mac80211: zero initialize count field in ieee80211_tx_rate
+
+rate control algorithms concludes the rate as invalid
+with rate[i].idx < -1 , while they do also check for rate[i].count is
+non-zero. it would be safer to zero initialize the 'count' field.
+recently we had a ath9k rate control crash where the ath9k rate control
+in ath_tx_status assumed to check only for rate[i].count being non-zero
+in one instance and ended up in using invalid rate index for
+'connection monitoring NULL func frames' which eventually lead to the crash.
+thanks to Pavel Roskin for fixing it and finding the root cause.
+https://bugzilla.redhat.com/show_bug.cgi?id=768639
+
+Cc: stable@vger.kernel.org
+Cc: Pavel Roskin
+Signed-off-by: Mohammed Shafi Shajakhan
+Signed-off-by: John W. Linville
+---
+ net/mac80211/rate.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c
+index ad64f4d..f9b8e81 100644
+--- a/net/mac80211/rate.c
++++ b/net/mac80211/rate.c
+@@ -344,7 +344,7 @@ void rate_control_get_rate(struct ieee80211_sub_if_data *sdata,
+ for (i = 0; i < IEEE80211_TX_MAX_RATES; i++) {
+ info->control.rates[i].idx = -1;
+ info->control.rates[i].flags = 0;
+- info->control.rates[i].count = 1;
++ info->control.rates[i].count = 0;
+ }
+
+ if (sdata->local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL)
+--
+1.7.4.4
+
diff --git a/mwifiex-clear-previous-security-setting-during-assoc.patch b/mwifiex-clear-previous-security-setting-during-assoc.patch
new file mode 100644
index 0000000..f3fa7cb
--- /dev/null
+++ b/mwifiex-clear-previous-security-setting-during-assoc.patch
@@ -0,0 +1,55 @@
+From 6670f15b1f6858a43b292d8ab64464e9f085a6aa Mon Sep 17 00:00:00 2001
+From: Amitkumar Karwar
+Date: Thu, 9 Feb 2012 18:32:22 -0800
+Subject: [PATCH] mwifiex: clear previous security setting during association
+
+Driver maintains different flags for WEP, WPA, WPA2 security modes.
+Appropriate flag is set using security information provided in
+connect request. mwifiex_is_network_compatible() routine uses them
+to check if driver's setting is compatible with AP. Association is
+aborted if the routine fails.
+
+For some corner cases, it is observed that association is failed
+even for valid security information based on association history.
+This patch fixes the problem by clearing previous security setting
+during each association.
+
+We should set WEP key provided in connect request as default tx key.
+This missing change is also added here.
+
+Signed-off-by: Amitkumar Karwar
+Signed-off-by: Bing Zhao
+Signed-off-by: John W. Linville
+---
+ drivers/net/wireless/mwifiex/cfg80211.c | 8 +++++++-
+ 1 files changed, 7 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/net/wireless/mwifiex/cfg80211.c b/drivers/net/wireless/mwifiex/cfg80211.c
+index c3b6c46..5b2972b 100644
+--- a/drivers/net/wireless/mwifiex/cfg80211.c
++++ b/drivers/net/wireless/mwifiex/cfg80211.c
+@@ -841,7 +841,12 @@ mwifiex_cfg80211_assoc(struct mwifiex_private *priv, size_t ssid_len, u8 *ssid,
+ ret = mwifiex_set_rf_channel(priv, channel,
+ priv->adapter->channel_type);
+
+- ret = mwifiex_set_encode(priv, NULL, 0, 0, 1); /* Disable keys */
++ /* As this is new association, clear locally stored
++ * keys and security related flags */
++ priv->sec_info.wpa_enabled = false;
++ priv->sec_info.wpa2_enabled = false;
++ priv->wep_key_curr_index = 0;
++ ret = mwifiex_set_encode(priv, NULL, 0, 0, 1);
+
+ if (mode == NL80211_IFTYPE_ADHOC) {
+ /* "privacy" is set only for ad-hoc mode */
+@@ -886,6 +891,7 @@ mwifiex_cfg80211_assoc(struct mwifiex_private *priv, size_t ssid_len, u8 *ssid,
+
dev_dbg(priv->adapter->dev,
+ "info: setting wep encryption"
+ " with key len %d\n", sme->key_len);
++ priv->wep_key_curr_index = sme->key_idx;
+ ret = mwifiex_set_encode(priv, sme->key, sme->key_len,
+ sme->key_idx, 0);
+ }
+--
+1.7.4.4
+
diff --git a/rt2x00-fix-a-possible-NULL-pointer-dereference.patch b/rt2x00-fix-a-possible-NULL-pointer-dereference.patch
new file mode 100644
index 0000000..8158bcb
--- /dev/null
+++ b/rt2x00-fix-a-possible-NULL-pointer-dereference.patch
@@ -0,0 +1,37 @@
+From 7be081539e540517d5e1fcbf96b8080074afbf08 Mon Sep 17 00:00:00 2001
+From: Gabor Juhos
+Date: Thu, 16 Feb 2012 20:44:59 +0100
+Subject: [PATCH] rt2x00: fix a possible NULL pointer dereference
+
+The 'rt2x00lib_probe_dev' function tries to
+allocate the workqueue. If the allocation
+fails, 'rt2x00_lib_remove_dev' is called on
+the error path. Because 'rt2x00dev->workqueue'
+is NULL in this case, the 'destroy_workqueue'
+call will cause a NULL pointer dereference.
+
+Signed-off-by: Gabor Juhos
+Acked-by: Gertjan van Wingerde
+Acked-by: Ivo van Doorn
+Signed-off-by: John W. Linville
+---
+ drivers/net/wireless/rt2x00/rt2x00dev.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c
+index c3e1aa7..d2a1ea9 100644
+--- a/drivers/net/wireless/rt2x00/rt2x00dev.c
++++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
+@@ -1220,7 +1220,8 @@ void rt2x00lib_remove_dev(struct rt2x00_dev *rt2x00dev)
+ cancel_work_sync(&rt2x00dev->rxdone_work);
+ cancel_work_sync(&rt2x00dev->txdone_work);
+ }
+- destroy_workqueue(rt2x00dev->workqueue);
++ if (rt2x00dev->workqueue)
++ destroy_workqueue(rt2x00dev->workqueue);
+
+ /*
+ * Free the tx status fifo.
+--
+1.7.4.4
+
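Review bot: In the mwifiex patch, the result of the key-clearing call `ret = mwifiex_set_encode(priv, NULL, 0, 0, 1);` is not tested in the visible lines, and the `ret` from `mwifiex_set_rf_channel()` is overwritten just before it, so the association can carry on with the previous keys still installed if clearing fails. Since the patch exists to stop security state carrying over from one association to the next, I would stop on failure there, e.g. `if (ret) return ret;` (assuming the function returns `ret`; its end is outside the hunk). Only `wpa_enabled`, `wpa2_enabled` and `wep_key_curr_index` are reset, and whether other fields of `priv->sec_info` need the same treatment cannot be told from here. In the second hunk `priv->wep_key_curr_index = sme->key_idx;` stores a caller-supplied index with no range check in view, which is worth confirming against the size of whatever it indexes.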