X-Git-Url: http://git.archive.openwrt.org/?a=blobdiff_plain;f=package%2Fkernel%2Fmac80211%2Fpatches%2F300-pending_work.patch;h=796b34c97dccd4e02dcd3562292bd76d6ca13b57;hb=3818debcd0b7c1d56ed155cc10748b0314319d53;hp=dc57bae2f3eff67069e3e446a62966a136e64443;hpb=66a76be5c1cfb858e7584263189667426ca76a80;p=14.07%2Fopenwrt.git

diff --git a/package/kernel/mac80211/patches/300-pending_work.patch b/package/kernel/mac80211/patches/300-pending_work.patch
index dc57bae..796b34c 100644
--- a/package/kernel/mac80211/patches/300-pending_work.patch
+++ b/package/kernel/mac80211/patches/300-pending_work.patch
@@ -1,3 +1,76 @@
+commit 77980bee5f1f743b46f8749185aca28b8ec69741
+Author: Johannes Berg <johannes.berg@intel.com>
+Date:   Mon Nov 3 14:29:09 2014 +0100
+
+    mac80211: fix use-after-free in defragmentation
+    
+    Upon receiving the last fragment, all but the first fragment
+    are freed, but the multicast check for statistics at the end
+    of the function refers to the current skb (the last fragment)
+    causing a use-after-free bug.
+    
+    Since multicast frames cannot be fragmented and we check for
+    this early in the function, just modify that check to also
+    do the accounting to fix the issue.
+    
+    Cc: stable@vger.kernel.org
+    Reported-by: Yosef Khyal <yosefx.khyal@intel.com>
+    Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+
+commit e252be2d718dada0abd72208a44b9f1b63919883
+Author: Hauke Mehrtens <hauke@hauke-m.de>
+Date:   Wed Nov 5 23:31:07 2014 +0100
+
+    b43: fix NULL pointer dereference in b43_phy_copy()
+    
+    phy_read and phy_write are not set for every phy any more sine this:
+    commit d342b95dd735014a590f9051b1ba227eb54ca8f6
+    Author: Rafał Miłecki <zajec5@gmail.com>
+    Date:   Thu Jul 31 21:59:43 2014 +0200
+    
+        b43: don't duplicate common PHY read/write ops
+    
+    b43_phy_copy() accesses phy_read and phy_write directly and will fail
+    with some phys. This patch fixes the regression by using the
+    b43_phy_read() and b43_phy_write() functions which should be used for
+    read and write access.
+    
+    This should fix this bug report:
+    https://bugzilla.kernel.org/show_bug.cgi?id=87731
+    
+    Reported-by: Volker Kempter <v.kempter@pe.tu-clausthal.de>
+    Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
+
+commit ddf93ad61cb009ed05ff2547923fb269a3604408
+Author: Miaoqing Pan <miaoqing@qca.qualcomm.com>
+Date:   Thu Nov 6 10:52:23 2014 +0530
+
+    ath9k: Fix RTC_DERIVED_CLK usage
+    
+    Based on the reference clock, which could be 25MHz or 40MHz,
+    AR_RTC_DERIVED_CLK is programmed differently for AR9340 and AR9550.
+    But, when a chip reset is done, processing the initvals
+    sets the register back to the default value.
+    
+    Fix this by moving the code in ath9k_hw_init_pll() to
+    ar9003_hw_override_ini(). Also, do this override for AR9531.
+    
+    Cc: stable@vger.kernel.org
+    Signed-off-by: Miaoqing Pan <miaoqing@qca.qualcomm.com>
+    Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
+
+commit 536b05e91ac2715942f792184c26beb43dbaa522
+Author: Felix Fietkau <nbd@openwrt.org>
+Date:   Mon Oct 27 11:50:28 2014 +0100
+
+    mac80211: flush keys for AP mode on ieee80211_do_stop
+    
+    Userspace can add keys to an AP mode interface before start_ap has been
+    called. If there have been no calls to start_ap/stop_ap in the mean
+    time, the keys will still be around when the interface is brought down.
+    
+    Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+
 commit c35074725eb19f353beb5f71266f9e985e46f583
 Author: Felix Fietkau <nbd@openwrt.org>
 Date:   Wed Oct 22 18:16:14 2014 +0200
@@ -988,6 +1061,36 @@ Date:   Mon May 19 21:20:49 2014 +0200
  	ieee80211_sta_ps_deliver_wakeup(sta);
  }
  
+@@ -1646,11 +1648,14 @@ ieee80211_rx_h_defragment(struct ieee802
+ 	sc = le16_to_cpu(hdr->seq_ctrl);
+ 	frag = sc & IEEE80211_SCTL_FRAG;
+ 
+-	if (likely((!ieee80211_has_morefrags(fc) && frag == 0) ||
+-		   is_multicast_ether_addr(hdr->addr1))) {
+-		/* not fragmented */
++	if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
++		goto out;
++
++	if (is_multicast_ether_addr(hdr->addr1)) {
++		rx->local->dot11MulticastReceivedFrameCount++;
+ 		goto out;
+ 	}
++
+ 	I802_DEBUG_INC(rx->local->rx_handlers_fragments);
+ 
+ 	if (skb_linearize(rx->skb))
+@@ -1743,10 +1748,7 @@ ieee80211_rx_h_defragment(struct ieee802
+  out:
+ 	if (rx->sta)
+ 		rx->sta->rx_packets++;
+-	if (is_multicast_ether_addr(hdr->addr1))
+-		rx->local->dot11MulticastReceivedFrameCount++;
+-	else
+-		ieee80211_led_rx(rx->local);
++	ieee80211_led_rx(rx->local);
+ 	return RX_CONTINUE;
+ }
+ 
 --- a/net/mac80211/sta_info.h
 +++ b/net/mac80211/sta_info.h
 @@ -82,6 +82,7 @@ enum ieee80211_sta_info_flags {
@@ -2080,7 +2183,15 @@ Date:   Mon May 19 21:20:49 2014 +0200
  	if (err < 0)
  		return err;
  	ieee80211_bss_info_change_notify(sdata, err);
-@@ -3073,7 +2766,8 @@ static int ieee80211_set_after_csa_beaco
+@@ -1164,7 +857,6 @@ static int ieee80211_stop_ap(struct wiph
+ 	sdata->u.ap.driver_smps_mode = IEEE80211_SMPS_OFF;
+ 
+ 	__sta_info_flush(sdata, true);
+-	ieee80211_free_keys(sdata, true);
+ 
+ 	sdata->vif.bss_conf.enable_beacon = false;
+ 	sdata->vif.bss_conf.ssid_len = 0;
+@@ -3073,7 +2765,8 @@ static int ieee80211_set_after_csa_beaco
  
  	switch (sdata->vif.type) {
  	case NL80211_IFTYPE_AP:
@@ -2090,7 +2201,7 @@ Date:   Mon May 19 21:20:49 2014 +0200
  		kfree(sdata->u.ap.next_beacon);
  		sdata->u.ap.next_beacon = NULL;
  
-@@ -3176,6 +2870,7 @@ static int ieee80211_set_csa_beacon(stru
+@@ -3176,6 +2869,7 @@ static int ieee80211_set_csa_beacon(stru
  				    struct cfg80211_csa_settings *params,
  				    u32 *changed)
  {
@@ -2098,7 +2209,7 @@ Date:   Mon May 19 21:20:49 2014 +0200
  	int err;
  
  	switch (sdata->vif.type) {
-@@ -3210,20 +2905,13 @@ static int ieee80211_set_csa_beacon(stru
+@@ -3210,20 +2904,13 @@ static int ieee80211_set_csa_beacon(stru
  		     IEEE80211_MAX_CSA_COUNTERS_NUM))
  			return -EINVAL;
  
@@ -2125,7 +2236,7 @@ Date:   Mon May 19 21:20:49 2014 +0200
  		if (err < 0) {
  			kfree(sdata->u.ap.next_beacon);
  			return err;
-@@ -3367,7 +3055,6 @@ __ieee80211_channel_switch(struct wiphy 
+@@ -3367,7 +3054,6 @@ __ieee80211_channel_switch(struct wiphy 
  	sdata->csa_radar_required = params->radar_required;
  	sdata->csa_chandef = params->chandef;
  	sdata->csa_block_tx = params->block_tx;
@@ -2133,7 +2244,7 @@ Date:   Mon May 19 21:20:49 2014 +0200
  	sdata->vif.csa_active = true;
  
  	if (sdata->csa_block_tx)
-@@ -3515,10 +3202,23 @@ static int ieee80211_mgmt_tx(struct wiph
+@@ -3515,10 +3201,23 @@ static int ieee80211_mgmt_tx(struct wiph
  	     sdata->vif.type == NL80211_IFTYPE_ADHOC) &&
  	    params->n_csa_offsets) {
  		int i;
@@ -2160,7 +2271,7 @@ Date:   Mon May 19 21:20:49 2014 +0200
  	}
  
  	IEEE80211_SKB_CB(skb)->flags = flags;
-@@ -3598,21 +3298,6 @@ static int ieee80211_get_antenna(struct 
+@@ -3598,21 +3297,6 @@ static int ieee80211_get_antenna(struct 
  	return drv_get_antenna(local, tx_ant, rx_ant);
  }
  
@@ -2182,7 +2293,7 @@ Date:   Mon May 19 21:20:49 2014 +0200
  static int ieee80211_set_rekey_data(struct wiphy *wiphy,
  				    struct net_device *dev,
  				    struct cfg80211_gtk_rekey_data *data)
-@@ -3844,8 +3529,6 @@ const struct cfg80211_ops mac80211_confi
+@@ -3844,8 +3528,6 @@ const struct cfg80211_ops mac80211_confi
  	.mgmt_frame_register = ieee80211_mgmt_frame_register,
  	.set_antenna = ieee80211_set_antenna,
  	.get_antenna = ieee80211_get_antenna,
@@ -2191,7 +2302,7 @@ Date:   Mon May 19 21:20:49 2014 +0200
  	.set_rekey_data = ieee80211_set_rekey_data,
  	.tdls_oper = ieee80211_tdls_oper,
  	.tdls_mgmt = ieee80211_tdls_mgmt,
-@@ -3854,9 +3537,6 @@ const struct cfg80211_ops mac80211_confi
+@@ -3854,9 +3536,6 @@ const struct cfg80211_ops mac80211_confi
  #ifdef CONFIG_PM
  	.set_wakeup = ieee80211_set_wakeup,
  #endif
@@ -2375,7 +2486,17 @@ Date:   Mon May 19 21:20:49 2014 +0200
  
  	sdata->encrypt_headroom = IEEE80211_ENCRYPT_HEADROOM;
  
-@@ -1303,6 +1304,7 @@ static void ieee80211_setup_sdata(struct
+@@ -928,9 +929,6 @@ static void ieee80211_do_stop(struct iee
+ 		 * another CPU.
+ 		 */
+ 		ieee80211_free_keys(sdata, true);
+-
+-		/* fall through */
+-	case NL80211_IFTYPE_AP:
+ 		skb_queue_purge(&sdata->skb_queue);
+ 	}
+ 
+@@ -1303,6 +1301,7 @@ static void ieee80211_setup_sdata(struct
  	sdata->control_port_protocol = cpu_to_be16(ETH_P_PAE);
  	sdata->control_port_no_encrypt = false;
  	sdata->encrypt_headroom = IEEE80211_ENCRYPT_HEADROOM;
@@ -2383,7 +2504,7 @@ Date:   Mon May 19 21:20:49 2014 +0200
  
  	sdata->noack_map = 0;
  
-@@ -1721,6 +1723,8 @@ int ieee80211_if_add(struct ieee80211_lo
+@@ -1721,6 +1720,8 @@ int ieee80211_if_add(struct ieee80211_lo
  
  		ndev->features |= local->hw.netdev_features;
  
@@ -3225,7 +3346,27 @@ Date:   Mon May 19 21:20:49 2014 +0200
  static u32 ar9003_hw_compute_pll_control(struct ath_hw *ah,
  					 struct ath9k_channel *chan)
  {
-@@ -1779,7 +1796,12 @@ void ar9003_hw_attach_phy_ops(struct ath
+@@ -647,6 +664,19 @@ static void ar9003_hw_override_ini(struc
+ 		ah->enabled_cals |= TX_CL_CAL;
+ 	else
+ 		ah->enabled_cals &= ~TX_CL_CAL;
++
++	if (AR_SREV_9340(ah) || AR_SREV_9531(ah) || AR_SREV_9550(ah)) {
++		if (ah->is_clk_25mhz) {
++			REG_WRITE(ah, AR_RTC_DERIVED_CLK, 0x17c << 1);
++			REG_WRITE(ah, AR_SLP32_MODE, 0x0010f3d7);
++			REG_WRITE(ah, AR_SLP32_INC, 0x0001e7ae);
++		} else {
++			REG_WRITE(ah, AR_RTC_DERIVED_CLK, 0x261 << 1);
++			REG_WRITE(ah, AR_SLP32_MODE, 0x0010f400);
++			REG_WRITE(ah, AR_SLP32_INC, 0x0001e800);
++		}
++		udelay(100);
++	}
+ }
+ 
+ static void ar9003_hw_prog_ini(struct ath_hw *ah,
+@@ -1779,7 +1809,12 @@ void ar9003_hw_attach_phy_ops(struct ath
  
  	priv_ops->rf_set_freq = ar9003_hw_set_channel;
  	priv_ops->spur_mitigate_freq = ar9003_hw_spur_mitigate;
@@ -3278,6 +3419,26 @@ Date:   Mon May 19 21:20:49 2014 +0200
  	if (AR_SREV_9565(ah))
  		pll |= 0x40000;
  	REG_WRITE(ah, AR_RTC_PLL_CONTROL, pll);
+@@ -858,19 +861,6 @@ static void ath9k_hw_init_pll(struct ath
+ 	udelay(RTC_PLL_SETTLE_DELAY);
+ 
+ 	REG_WRITE(ah, AR_RTC_SLEEP_CLK, AR_RTC_FORCE_DERIVED_CLK);
+-
+-	if (AR_SREV_9340(ah) || AR_SREV_9550(ah)) {
+-		if (ah->is_clk_25mhz) {
+-			REG_WRITE(ah, AR_RTC_DERIVED_CLK, 0x17c << 1);
+-			REG_WRITE(ah, AR_SLP32_MODE, 0x0010f3d7);
+-			REG_WRITE(ah,  AR_SLP32_INC, 0x0001e7ae);
+-		} else {
+-			REG_WRITE(ah, AR_RTC_DERIVED_CLK, 0x261 << 1);
+-			REG_WRITE(ah, AR_SLP32_MODE, 0x0010f400);
+-			REG_WRITE(ah,  AR_SLP32_INC, 0x0001e800);
+-		}
+-		udelay(100);
+-	}
+ }
+ 
+ static void ath9k_hw_init_interrupt_masks(struct ath_hw *ah,
 --- a/drivers/net/wireless/ath/ath9k/reg.h
 +++ b/drivers/net/wireless/ath/ath9k/reg.h
 @@ -1236,12 +1236,23 @@ enum {
@@ -3322,3 +3483,15 @@ Date:   Mon May 19 21:20:49 2014 +0200
  }
  EXPORT_SYMBOL(ath9k_cmn_update_txpow);
  
+--- a/drivers/net/wireless/b43/phy_common.c
++++ b/drivers/net/wireless/b43/phy_common.c
+@@ -276,8 +276,7 @@ void b43_phy_write(struct b43_wldev *dev
+ void b43_phy_copy(struct b43_wldev *dev, u16 destreg, u16 srcreg)
+ {
+ 	assert_mac_suspended(dev);
+-	dev->phy.ops->phy_write(dev, destreg,
+-		dev->phy.ops->phy_read(dev, srcreg));
++	b43_phy_write(dev, destreg, b43_phy_read(dev, srcreg));
+ }
+ 
+ void b43_phy_mask(struct b43_wldev *dev, u16 offset, u16 mask)