ath9k: improve ANI debugfs file
[openwrt.git] / package / kernel / mac80211 / patches / 300-pending_work.patch
1 commit 8d804f1af11e4e058b1e8453327777d73a585cb8
2 Author: Felix Fietkau <nbd@openwrt.org>
3 Date:   Sun Mar 9 11:25:43 2014 +0100
4
5     ath9k: clean up and enhance ANI debugfs file
6     
7     Unify scnprintf calls and include the current OFDM/CCK immunity level.
8     
9     Signed-off-by: Felix Fietkau <nbd@openwrt.org>
10
11 commit 22e298b5a3a8a49e33805d4e351965123dede35b
12 Author: Felix Fietkau <nbd@openwrt.org>
13 Date:   Sun Mar 9 10:58:47 2014 +0100
14
15     ath9k: fix ready time of the multicast buffer queue
16     
17     qi->tqi_readyTime is written directly to registers that expect
18     microseconds as unit instead of TU.
19     When setting the CABQ ready time, cur_conf->beacon_interval is in TU, so
20     convert it to microseconds before passing it to ath9k_hw.
21     
22     This should hopefully fix some Tx DMA issues with buffered multicast
23     frames in AP mode.
24     
25     Cc: stable@vger.kernel.org
26     Signed-off-by: Felix Fietkau <nbd@openwrt.org>
27
28 commit fcb064fdd5a27bec8d24099bc0172468f34c97cb
29 Author: Felix Fietkau <nbd@openwrt.org>
30 Date:   Sun Mar 9 09:43:09 2014 +0100
31
32     ath9k_hw: fix unreachable code in baseband hang detection code
33     
34     The commit "ath9k: reduce baseband hang detection false positive rate"
35     added a delay in the loop checking the baseband state, however it was
36     unreachable due to previous 'continue' statements.
37     
38     Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
39     Signed-off-by: Felix Fietkau <nbd@openwrt.org>
40
41 commit 31959d8df39319e32c6d5ba9c135727be90cfad7
42 Author: Michal Kazior <michal.kazior@tieto.com>
43 Date:   Fri Mar 7 08:09:38 2014 +0100
44
45     mac80211: fix possible NULL dereference
46     
47     If chanctx is missing on a given vif then the band
48     is assumed to be 2GHz. However if hw doesn't
49     support 2GHz band then mac80211 ended up with a
50     NULL dereference.
51     
52     This fixes a splat:
53     
54     [ 4605.207223] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
55     [ 4605.210789] IP: [<ffffffffa07b5635>] ieee80211_parse_bitrates+0x65/0x110 [mac80211]
56     
57     The splat was preceeded by WARN_ON(!chanctx_conf)
58     in ieee80211_get_sdata_band().
59     
60     Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
61
62 commit 6c5a3ffa0a2d22c091a2717f427259bacf77ac5e
63 Author: Michael Braun <michael-dev@fami-braun.de>
64 Date:   Thu Mar 6 15:08:43 2014 +0100
65
66     mac80211: fix WPA with VLAN on AP side with ps-sta again
67     
68     commit de74a1d9032f4d37ea453ad2a647e1aff4cd2591
69       "mac80211: fix WPA with VLAN on AP side with ps-sta"
70     fixed an issue where queued multicast packets would
71     be sent out encrypted with the key of an other bss.
72     
73     commit "7cbf9d017dbb5e3276de7d527925d42d4c11e732"
74       "mac80211: fix oops on mesh PS broadcast forwarding"
75     essentially reverted it, because vif.type cannot be AP_VLAN
76     due to the check to vif.type in ieee80211_get_buffered_bc before.
77     
78     As the later commit intended to fix the MESH case, fix it
79     by checking for IFTYPE_AP instead of IFTYPE_AP_VLAN.
80     
81     Fixes: 7cbf9d017dbb
82     Cc: <stable@vger.kernel.org> # 3.10.x
83     Cc: <stable@vger.kernel.org> # 3.11.x
84     Cc: <stable@vger.kernel.org> # 3.12.x
85     Cc: <stable@vger.kernel.org> # 3.13.x
86     Cc: <linux-wireless@vger.kernel.org>
87     Cc: <projekt-wlan@fem.tu-ilmenau.de>
88     Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
89
90 commit 9d6ab9bdb9b368a6cf9519f0f92509b5b2c297ec
91 Author: Johannes Berg <johannes.berg@intel.com>
92 Date:   Mon Mar 3 14:19:08 2014 +0100
93
94     cfg80211: remove racy beacon_interval assignment
95     
96     In case of AP mode, the beacon interval is already reset to
97     zero inside cfg80211_stop_ap(), and in the other modes it
98     isn't relevant. Remove the assignment to remove a potential
99     race since the assignment isn't properly locked.
100     
101     Reported-by: Michal Kazior <michal.kazior@tieto.com>
102     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
103
104 commit 1abdeca3c6fb9cf1f84f85e78ed8d1c33bd69db0
105 Author: Felix Fietkau <nbd@openwrt.org>
106 Date:   Fri Feb 28 18:52:56 2014 +0100
107
108     ath9k_hw: tweak noise immunity thresholds for older chipsets
109     
110     Older chipsets are more sensitive to high PHY error counts, and the
111     current noise immunity thresholds were based on tests run at QCA with
112     newer chipsets.
113     
114     This patch brings back the values from the old ANI implementation for
115     old chipsets, and it also disables weak signal detection on an earlier
116     noise immunity level, to improve overall radio stability on affected
117     devices.
118     
119     Signed-off-by: Felix Fietkau <nbd@openwrt.org>
120
121 commit 431e506da5953adc3b65af25f4b90873d528c115
122 Author: Felix Fietkau <nbd@openwrt.org>
123 Date:   Fri Feb 28 18:44:13 2014 +0100
124
125     ath9k_hw: toggle weak signal detection in AP mode on older chipsets
126     
127     The commit 80b4205b "ath9k: Fix OFDM weak signal detection for AP mode"
128     prevented weak signal detection changes from taking effect in AP mode on
129     all chipsets, claiming it is "not allowed".
130     
131     The main reason for not disabling weak signal detection in AP mode is
132     that typically beacon RSSI is used to track whether it is needed to
133     boost range, and this is unavailable in AP mode for obvious reasons.
134     
135     The problem with not disabling weak signal detection is that older
136     chipsets are very sensitive to high PHY error counts. When faced with
137     heavy noise, this can lead to an excessive amount of "Failed to stop
138     TX DMA" errors in the field.
139     
140     Signed-off-by: Felix Fietkau <nbd@openwrt.org>
141
142 commit 98d1a6c5b14688ed030e81b889f607be308e0df9
143 Author: Felix Fietkau <nbd@openwrt.org>
144 Date:   Mon Feb 24 22:20:32 2014 +0100
145
146     ath9k: fix invalid descriptor discarding
147     
148     Only set sc->rx.discard_next to rx_stats->rs_more when actually
149     discarding the current descriptor.
150     
151     Also, fix a detection of broken descriptors:
152     First the code checks if the current descriptor is not done.
153     Then it checks if the next descriptor is done.
154     Add a check that afterwards checks the first descriptor again, because
155     it might have been completed in the mean time.
156     
157     This fixes a regression introduced in
158     commit 723e711356b5a8a95728a890e254e8b0d47b55cf
159     "ath9k: fix handling of broken descriptors"
160     
161     Cc: stable@vger.kernel.org
162     Reported-by: Marco André Dinis <marcoandredinis@gmail.com>
163     Signed-off-by: Felix Fietkau <nbd@openwrt.org>
164
165 commit 52a46300e782fe6994466523eb2b0b59091ea59f
166 Author: Felix Fietkau <nbd@openwrt.org>
167 Date:   Mon Feb 24 11:43:50 2014 +0100
168
169     ath9k: reduce baseband hang detection false positive rate
170     
171     Check if the baseband state remains stable, and add a small delay
172     between register reads.
173     
174     Signed-off-by: Felix Fietkau <nbd@openwrt.org>
175
176 commit 118945bb12082e9d4edddc868d88143164e0f440
177 Author: Felix Fietkau <nbd@openwrt.org>
178 Date:   Sat Feb 22 14:55:23 2014 +0100
179
180     ath5k: set SURVEY_INFO_IN_USE on get_survey
181     
182     Only one channel is returned - the one currently being used.
183     
184     Signed-off-by: Felix Fietkau <nbd@openwrt.org>
185
186 commit ee41f72476e1ea44283dfe1cbf75b9543a1e15c8
187 Author: Felix Fietkau <nbd@openwrt.org>
188 Date:   Sat Feb 22 14:44:52 2014 +0100
189
190     ath9k: make some hardware reset log messages debug-only
191     
192     On some chips, baseband watchdog hangs are more common than others, and
193     the driver has support for handling them.
194     Interrupts even after a watchdog hang are also quite common, so there's
195     not much point in spamming the user's logfiles.
196     
197     Signed-off-by: Felix Fietkau <nbd@openwrt.org>
198
199 commit b14fbb554fc65a2e0b5c41a319269b0350f187e7
200 Author: Felix Fietkau <nbd@openwrt.org>
201 Date:   Sat Feb 22 14:35:25 2014 +0100
202
203     ath9k: do not set half/quarter channel flags in AR_PHY_MODE
204     
205     5/10 MHz channel bandwidth is configured via the PLL clock, instead of
206     the AR_PHY_MODE register. Using that register is AR93xx specific, and
207     makes the mode incompatible with earlier chipsets.
208     
209     In some early versions, these flags were apparently applied at the wrong
210     point in time and thus did not cause connectivity issues, however now
211     they are causing problems, as pointed out in this OpenWrt ticket:
212     
213     https://dev.openwrt.org/ticket/14916
214     
215     Signed-off-by: Felix Fietkau <nbd@openwrt.org>
216
217 commit 0f1cb7be2551b30b02cd54c897e0e29e483cfda5
218 Author: Felix Fietkau <nbd@openwrt.org>
219 Date:   Sat Feb 22 13:43:29 2014 +0100
220
221     ath9k: fix ps-poll responses under a-mpdu sessions
222     
223     When passing tx frames to the U-APSD queue for powersave poll responses,
224     the ath_atx_tid pointer needs to be passed to ath_tx_setup_buffer for
225     proper sequence number accounting.
226     
227     This fixes high latency and connection stability issues with ath9k
228     running as AP and a few kinds of mobile phones as client, when PS-Poll
229     is heavily used
230     
231     Cc: stable@vger.kernel.org
232     Signed-off-by: Felix Fietkau <nbd@openwrt.org>
233
234 commit d5d87a37bbd6066b2c3c5d0bd0fe2a6e2ea45cc5
235 Author: Felix Fietkau <nbd@openwrt.org>
236 Date:   Fri Feb 21 11:39:59 2014 +0100
237
238     ath9k: list more reset causes in debugfs
239     
240     Number of MAC hangs and stuck beacons were missing
241     
242     Signed-off-by: Felix Fietkau <nbd@openwrt.org>
243
244 commit d84856012e0f10fe598a5ad3b7b869397a089e07
245 Author: Johannes Berg <johannes.berg@intel.com>
246 Date:   Thu Feb 20 11:19:58 2014 +0100
247
248     mac80211: fix station wakeup powersave race
249     
250     Consider the following (relatively unlikely) scenario:
251      1) station goes to sleep while frames are buffered in driver
252      2) driver blocks wakeup (until no more frames are buffered)
253      3) station wakes up again
254      4) driver unblocks wakeup
255     
256     In this case, the current mac80211 code will do the following:
257      1) WLAN_STA_PS_STA set
258      2) WLAN_STA_PS_DRIVER set
259      3) - nothing -
260      4) WLAN_STA_PS_DRIVER cleared
261     
262     As a result, no frames will be delivered to the client, even
263     though it is awake, until it sends another frame to us that
264     triggers ieee80211_sta_ps_deliver_wakeup() in sta_ps_end().
265     
266     Since we now take the PS spinlock, we can fix this while at
267     the same time removing the complexity with the pending skb
268     queue function. This was broken since my commit 50a9432daeec
269     ("mac80211: fix powersaving clients races") due to removing
270     the clearing of WLAN_STA_PS_STA in the RX path.
271     
272     While at it, fix a cleanup path issue when a station is
273     removed while the driver is still blocking its wakeup.
274     
275     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
276
277 commit 798f2786602cbe93e6b928299614aa36ebf50692
278 Author: Johannes Berg <johannes.berg@intel.com>
279 Date:   Mon Feb 17 20:49:03 2014 +0100
280
281     mac80211: insert stations before adding to driver
282     
283     There's a race condition in mac80211 because we add stations
284     to the internal lists after adding them to the driver, which
285     means that (for example) the following can happen:
286      1. a station connects and is added
287      2. first, it is added to the driver
288      3. then, it is added to the mac80211 lists
289     
290     If the station goes to sleep between steps 2 and 3, and the
291     firmware/hardware records it as being asleep, mac80211 will
292     never instruct the driver to wake it up again as it never
293     realized it went to sleep since the RX path discarded the
294     frame as a "spurious class 3 frame", no station entry was
295     present yet.
296     
297     Fix this by adding the station in software first, and only
298     then adding it to the driver. That way, any state that the
299     driver changes will be reflected properly in mac80211's
300     station state. The problematic part is the roll-back if the
301     driver fails to add the station, in that case a bit more is
302     needed. To not make that overly complex prevent starting BA
303     sessions in the meantime.
304     
305     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
306
307 commit b9ba6a520cb07ab3aa7aaaf9ce4a0bc7a6bc06fe
308 Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
309 Date:   Thu Feb 20 09:22:11 2014 +0200
310
311     mac80211: fix AP powersave TX vs. wakeup race
312     
313     There is a race between the TX path and the STA wakeup: while
314     a station is sleeping, mac80211 buffers frames until it wakes
315     up, then the frames are transmitted. However, the RX and TX
316     path are concurrent, so the packet indicating wakeup can be
317     processed while a packet is being transmitted.
318     
319     This can lead to a situation where the buffered frames list
320     is emptied on the one side, while a frame is being added on
321     the other side, as the station is still seen as sleeping in
322     the TX path.
323     
324     As a result, the newly added frame will not be send anytime
325     soon. It might be sent much later (and out of order) when the
326     station goes to sleep and wakes up the next time.
327     
328     Additionally, it can lead to the crash below.
329     
330     Fix all this by synchronising both paths with a new lock.
331     Both path are not fastpath since they handle PS situations.
332     
333     In a later patch we'll remove the extra skb queue locks to
334     reduce locking overhead.
335     
336     BUG: unable to handle kernel
337     NULL pointer dereference at 000000b0
338     IP: [<ff6f1791>] ieee80211_report_used_skb+0x11/0x3e0 [mac80211]
339     *pde = 00000000
340     Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
341     EIP: 0060:[<ff6f1791>] EFLAGS: 00210282 CPU: 1
342     EIP is at ieee80211_report_used_skb+0x11/0x3e0 [mac80211]
343     EAX: e5900da0 EBX: 00000000 ECX: 00000001 EDX: 00000000
344     ESI: e41d00c0 EDI: e5900da0 EBP: ebe458e4 ESP: ebe458b0
345      DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
346     CR0: 8005003b CR2: 000000b0 CR3: 25a78000 CR4: 000407d0
347     DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
348     DR6: ffff0ff0 DR7: 00000400
349     Process iperf (pid: 3934, ti=ebe44000 task=e757c0b0 task.ti=ebe44000)
350     iwlwifi 0000:02:00.0: I iwl_pcie_enqueue_hcmd Sending command LQ_CMD (#4e), seq: 0x0903, 92 bytes at 3[3]:9
351     Stack:
352      e403b32c ebe458c4 00200002 00200286 e403b338 ebe458cc c10960bb e5900da0
353      ff76a6ec ebe458d8 00000000 e41d00c0 e5900da0 ebe458f0 ff6f1b75 e403b210
354      ebe4598c ff723dc1 00000000 ff76a6ec e597c978 e403b758 00000002 00000002
355     Call Trace:
356      [<ff6f1b75>] ieee80211_free_txskb+0x15/0x20 [mac80211]
357      [<ff723dc1>] invoke_tx_handlers+0x1661/0x1780 [mac80211]
358      [<ff7248a5>] ieee80211_tx+0x75/0x100 [mac80211]
359      [<ff7249bf>] ieee80211_xmit+0x8f/0xc0 [mac80211]
360      [<ff72550e>] ieee80211_subif_start_xmit+0x4fe/0xe20 [mac80211]
361      [<c149ef70>] dev_hard_start_xmit+0x450/0x950
362      [<c14b9aa9>] sch_direct_xmit+0xa9/0x250
363      [<c14b9c9b>] __qdisc_run+0x4b/0x150
364      [<c149f732>] dev_queue_xmit+0x2c2/0xca0
365     
366     Cc: stable@vger.kernel.org
367     Reported-by: Yaara Rozenblum <yaara.rozenblum@intel.com>
368     Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
369     Reviewed-by: Stanislaw Gruszka <sgruszka@redhat.com>
370     [reword commit log, use a separate lock]
371     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
372
373 commit 80e419de0dff38436b30d363311c625766193f86
374 Author: Inbal Hacohen <Inbal.Hacohen@intel.com>
375 Date:   Wed Feb 12 09:32:27 2014 +0200
376
377     cfg80211: bugfix in regulatory user hint process
378     
379     After processing hint_user, we would want to schedule the
380     timeout work only if we are actually waiting to CRDA. This happens
381     when the status is not "IGNORE" nor "ALREADY_SET".
382     
383     Signed-off-by: Inbal Hacohen <Inbal.Hacohen@intel.com>
384     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
385
386 commit 6514c93afede55284e2cb63359aadedb85884c80
387 Author: Jouni Malinen <jouni@qca.qualcomm.com>
388 Date:   Tue Feb 18 20:41:08 2014 +0200
389
390     ath9k: Enable U-APSD AP mode support
391     
392     mac80211 handles the actual operations, so ath9k can just indicate
393     support for this. Based on initial tests, this combination seems to
394     work fine.
395     
396     Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
397
398 commit a63caf0a357ad5c1f08d6b7827dc76c451445017
399 Author: Stanislaw Gruszka <sgruszka@redhat.com>
400 Date:   Wed Feb 19 13:15:17 2014 +0100
401
402     ath9k: protect tid->sched check
403     
404     We check tid->sched without a lock taken on ath_tx_aggr_sleep(). That
405     is race condition which can result of doing list_del(&tid->list) twice
406     (second time with poisoned list node) and cause crash like shown below:
407     
408     [424271.637220] BUG: unable to handle kernel paging request at 00100104
409     [424271.637328] IP: [<f90fc072>] ath_tx_aggr_sleep+0x62/0xe0 [ath9k]
410     ...
411     [424271.639953] Call Trace:
412     [424271.639998]  [<f90f6900>] ? ath9k_get_survey+0x110/0x110 [ath9k]
413     [424271.640083]  [<f90f6942>] ath9k_sta_notify+0x42/0x50 [ath9k]
414     [424271.640177]  [<f809cfef>] sta_ps_start+0x8f/0x1c0 [mac80211]
415     [424271.640258]  [<c10f730e>] ? free_compound_page+0x2e/0x40
416     [424271.640346]  [<f809e915>] ieee80211_rx_handlers+0x9d5/0x2340 [mac80211]
417     [424271.640437]  [<c112f048>] ? kmem_cache_free+0x1d8/0x1f0
418     [424271.640510]  [<c1345a84>] ? kfree_skbmem+0x34/0x90
419     [424271.640578]  [<c10fc23c>] ? put_page+0x2c/0x40
420     [424271.640640]  [<c1345a84>] ? kfree_skbmem+0x34/0x90
421     [424271.640706]  [<c1345a84>] ? kfree_skbmem+0x34/0x90
422     [424271.640787]  [<f809dde3>] ? ieee80211_rx_handlers_result+0x73/0x1d0 [mac80211]
423     [424271.640897]  [<f80a07a0>] ieee80211_prepare_and_rx_handle+0x520/0xad0 [mac80211]
424     [424271.641009]  [<f809e22d>] ? ieee80211_rx_handlers+0x2ed/0x2340 [mac80211]
425     [424271.641104]  [<c13846ce>] ? ip_output+0x7e/0xd0
426     [424271.641182]  [<f80a1057>] ieee80211_rx+0x307/0x7c0 [mac80211]
427     [424271.641266]  [<f90fa6ee>] ath_rx_tasklet+0x88e/0xf70 [ath9k]
428     [424271.641358]  [<f80a0f2c>] ? ieee80211_rx+0x1dc/0x7c0 [mac80211]
429     [424271.641445]  [<f90f82db>] ath9k_tasklet+0xcb/0x130 [ath9k]
430     
431     Bug report:
432     https://bugzilla.kernel.org/show_bug.cgi?id=70551
433     
434     Reported-and-tested-by: Max Sydorenko <maxim.stargazer@gmail.com>
435     Cc: stable@vger.kernel.org
436     Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
437
438 commit 82ed9e3ccc02797df2ffe4b78127c4cd5f799a41
439 Author: Felix Fietkau <nbd@openwrt.org>
440 Date:   Tue Feb 11 15:54:13 2014 +0100
441
442     mac80211: send control port protocol frames to the VO queue
443     
444     Improves reliability of wifi connections with WPA, since authentication
445     frames are prioritized over normal traffic and also typically exempt
446     from aggregation.
447     
448     Cc: stable@vger.kernel.org
449     Signed-off-by: Felix Fietkau <nbd@openwrt.org>
450
451 commit d4426800f71e972feaa33e04c5801fc730627bdd
452 Author: Stanislaw Gruszka <stf_xl@wp.pl>
453 Date:   Mon Feb 10 22:38:28 2014 +0100
454
455     rtl8187: fix regression on MIPS without coherent DMA
456     
457     This patch fixes regression caused by commit a16dad77634 "MIPS: Fix
458     potencial corruption". That commit fixes one corruption scenario in
459     cost of adding another one, which actually start to cause crashes
460     on Yeeloong laptop when rtl8187 driver is used.
461     
462     For correct DMA read operation on machines without DMA coherence, kernel
463     have to invalidate cache, such it will refill later with new data that
464     device wrote to memory, when that data is needed to process. We can only
465     invalidate full cache line. Hence when cache line includes both dma
466     buffer and some other data (written in cache, but not yet in main
467     memory), the other data can not hit memory due to invalidation. That
468     happen on rtl8187 where struct rtl8187_priv fields are located just
469     before and after small buffers that are passed to USB layer and DMA
470     is performed on them.
471     
472     To fix the problem we align buffers and reserve space after them to make
473     them match cache line.
474     
475     This patch does not resolve all possible MIPS problems entirely, for
476     that we have to assure that we always map cache aligned buffers for DMA,
477     what can be complex or even not possible. But patch fixes visible and
478     reproducible regression and seems other possible corruptions do not
479     happen in practice, since Yeeloong laptop works stable without rtl8187
480     driver.
481     
482     Bug report:
483     https://bugzilla.kernel.org/show_bug.cgi?id=54391
484     
485     Reported-by: Petr Pisar <petr.pisar@atlas.cz>
486     Bisected-by: Tom Li <biergaizi2009@gmail.com>
487     Reported-and-tested-by: Tom Li <biergaizi2009@gmail.com>
488     Cc: stable@vger.kernel.org
489     Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
490
491 commit e2f141d67ad1e7fe10aaab61811e8a409dfb2442
492 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
493 Date:   Fri Feb 7 10:29:55 2014 +0530
494
495     ath9k: Calculate IQ-CAL median
496     
497     This patch adds a routine to calculate the median IQ correction
498     values for AR955x, which is used for outlier detection.
499     The normal method which is used for all other chips is
500     bypassed for AR955x.
501     
502     Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
503
504 commit c52a6fce0820c8d0687443ab86058ae03b478c8f
505 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
506 Date:   Fri Feb 7 10:29:54 2014 +0530
507
508     ath9k: Expand the IQ coefficient array
509     
510     This will be used for storing data for mutiple
511     IQ calibration runs, for AR955x.
512     
513     Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
514
515 commit 034969ff5c2b6431d10e07c1938f0b916da85cc3
516 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
517 Date:   Fri Feb 7 10:29:53 2014 +0530
518
519     ath9k: Modify IQ calibration for AR955x
520     
521     IQ calibration post-processing for AR955x is different
522     from other chips - instead of just doing it as part
523     of AGC calibration once, it is triggered 3 times and
524     a median is determined. This patch adds initial support
525     for changing the calibration behavior for AR955x.
526     
527     Also, to simplify things, a helper routine to issue/poll
528     AGC calibration is used.
529     
530     For non-AR955x chips, the iqcal_idx (which will be used
531     in subsequent patches) is set to zero.
532     
533     Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
534
535 commit 9b1ed6454e6f3511f24266be99b4e403f243f6a8
536 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
537 Date:   Fri Feb 7 10:29:52 2014 +0530
538
539     ath9k: Fix magnitude/phase calculation
540     
541     Incorrect values are programmed in the registers
542     containing the IQ correction coefficients by the IQ-CAL
543     post-processing code. Fix this.
544     
545     Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
546
547 commit 36f93484f96f79171dcecb67c5ef0c3de22531a6
548 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
549 Date:   Fri Feb 7 10:29:51 2014 +0530
550
551     ath9k: Rename ar9003_hw_tx_iqcal_load_avg_2_passes
552     
553     Use ar9003_hw_tx_iq_cal_outlier_detection instead.
554     
555     Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
556
557 commit 3af09a7f5d21dd5fd15b973ce6a91a575da30417
558 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
559 Date:   Fri Feb 7 10:29:50 2014 +0530
560
561     ath9k: Check explicitly for IQ calibration
562     
563     In chips like AR955x, the initvals contain the information
564     whether IQ calibration is to be done in the HW when an
565     AGC calibration is triggered. Check if IQ-CAL is enabled
566     in the initvals before flagging 'txiqcal_done' as true.
567     
568     Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
569
570 commit cb4969634b93c4643a32cc3fbd27d2b288b25771
571 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
572 Date:   Fri Feb 7 10:29:49 2014 +0530
573
574     ath9k: Fix IQ cal post processing for SoC
575     
576     Calibration data is not reused for SoC chips, so
577     call ar9003_hw_tx_iq_cal_post_proc() with the correct
578     argument. The 'is_reusable' flag is currently used
579     only for PC-OEM chips, but it makes things clearer to
580     specify it explicity.
581     
582     Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
583
584 commit e138e0ef9560c46ce93dbb22a728a57888e94d1c
585 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
586 Date:   Mon Feb 3 13:31:37 2014 +0530
587
588     ath9k: Fix TX power calculation
589     
590     The commit, "ath9k_hw: Fix incorrect Tx control power in AR9003 template"
591     fixed the incorrect values in the eeprom templates, but if
592     boards have already been calibrated with incorrect values,
593     they would still be using the wrong TX power. Fix this by assigning
594     a default value in such cases.
595     
596     Cc: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
597     Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
598
599 commit b9f268b5b01331c3c82179abca551429450e9417
600 Author: Michal Kazior <michal.kazior@tieto.com>
601 Date:   Wed Jan 29 14:22:27 2014 +0100
602
603     cfg80211: consider existing DFS interfaces
604     
605     It was possible to break interface combinations in
606     the following way:
607     
608      combo 1: iftype = AP, num_ifaces = 2, num_chans = 2,
609      combo 2: iftype = AP, num_ifaces = 1, num_chans = 1, radar = HT20
610     
611     With the above interface combinations it was
612     possible to:
613     
614      step 1. start AP on DFS channel by matching combo 2
615      step 2. start AP on non-DFS channel by matching combo 1
616     
617     This was possible beacuse (step 2) did not consider
618     if other interfaces require radar detection.
619     
620     The patch changes how cfg80211 tracks channels -
621     instead of channel itself now a complete chandef
622     is stored.
623     
624     Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
625     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
626
627 commit bc9c62f5f511cc395c62dbf4cdd437f23db53b28
628 Author: Antonio Quartulli <antonio@open-mesh.com>
629 Date:   Wed Jan 29 17:53:43 2014 +0100
630
631     cfg80211: fix channel configuration in IBSS join
632     
633     When receiving an IBSS_JOINED event select the BSS object
634     based on the {bssid, channel} couple rather than the bssid
635     only.
636     With the current approach if another cell having the same
637     BSSID (but using a different channel) exists then cfg80211
638     picks up the wrong BSS object.
639     The result is a mismatching channel configuration between
640     cfg80211 and the driver, that can lead to any sort of
641     problem.
642     
643     The issue can be triggered by having an IBSS sitting on
644     given channel and then asking the driver to create a new
645     cell using the same BSSID but with a different frequency.
646     By passing the channel to cfg80211_get_bss() we can solve
647     this ambiguity and retrieve/create the correct BSS object.
648     All the users of cfg80211_ibss_joined() have been changed
649     accordingly.
650     
651     Moreover WARN when cfg80211_ibss_joined() gets a NULL
652     channel as argument and remove a bogus call of the same
653     function in ath6kl (it does not make sense to call
654     cfg80211_ibss_joined() with a zero BSSID on ibss-leave).
655     
656     Cc: Kalle Valo <kvalo@qca.qualcomm.com>
657     Cc: Arend van Spriel <arend@broadcom.com>
658     Cc: Bing Zhao <bzhao@marvell.com>
659     Cc: Jussi Kivilinna <jussi.kivilinna@iki.fi>
660     Cc: libertas-dev@lists.infradead.org
661     Acked-by: Kalle Valo <kvalo@qca.qualcomm.com>
662     Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
663     [minor code cleanup in ath6kl]
664     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
665
666 commit 7e0c41cb41f215aba2c39b1c237bb4d42ec49a85
667 Author: Johannes Berg <johannes.berg@intel.com>
668 Date:   Fri Jan 24 14:41:44 2014 +0100
669
670     mac80211: fix bufferable MMPDU RX handling
671     
672     Action, disassoc and deauth frames are bufferable, and as such don't
673     have the PM bit in the frame control field reserved which means we
674     need to react to the bit when receiving in such a frame.
675     
676     Fix this by introducing a new helper ieee80211_is_bufferable_mmpdu()
677     and using it for the RX path that currently ignores the PM bit in
678     any non-data frames for doze->wake transitions, but listens to it in
679     all frames for wake->doze transitions, both of which are wrong.
680     
681     Also use the new helper in the TX path to clean up the code.
682     
683     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
684
685 commit fc0df6d2343636e3f48a069330d5b972e3d8659d
686 Author: Janusz Dziedzic <janusz.dziedzic@tieto.com>
687 Date:   Fri Jan 24 14:29:21 2014 +0100
688
689     cfg80211: set preset_chandef after channel switch
690     
691     Set preset_chandef in channel switch notification.
692     In other case we will have old preset_chandef.
693     
694     Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
695     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
696
697 commit cdec895e2344987ff171cece96e25d7407a3ebf6
698 Author: Simon Wunderlich <simon@open-mesh.com>
699 Date:   Fri Jan 24 23:48:29 2014 +0100
700
701     mac80211: send ibss probe responses with noack flag
702     
703     Responding to probe requests for scanning clients will often create
704     excessive retries, as it happens quite often that the scanning client
705     already left the channel. Therefore do it like hostapd and send probe
706     responses for wildcard SSID only once by using the noack flag.
707     
708     Signed-off-by: Simon Wunderlich <simon@open-mesh.com>
709     [fix typo & 'wildcard SSID' in commit log]
710     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
711
712 commit 0b865d1e6b9c05052adae9315df7cb195dc60c3b
713 Author: Luciano Coelho <luciano.coelho@intel.com>
714 Date:   Tue Jan 28 17:09:08 2014 +0200
715
716     mac80211: ibss: remove unnecessary call to release channel
717     
718     The ieee80211_vif_use_channel() function calls
719     ieee80211_vif_release_channel(), so there's no need to call it
720     explicitly in __ieee80211_sta_join_ibss().
721     
722     Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
723     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
724
725 commit e1b6c17e971f0a51ff86c2dac2584c63cd999cd7
726 Author: Michal Kazior <michal.kazior@tieto.com>
727 Date:   Wed Jan 29 07:56:21 2014 +0100
728
729     mac80211: add missing CSA locking
730     
731     The patch adds a missing sdata lock and adds a few
732     lockdeps for easier maintenance.
733     
734     Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
735     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
736
737 commit ad17ba7d14d225b109b73c177cd446afb8050598
738 Author: Michal Kazior <michal.kazior@tieto.com>
739 Date:   Wed Jan 29 07:56:20 2014 +0100
740
741     mac80211: fix sdata->radar_required locking
742     
743     radar_required setting wasn't protected by
744     local->mtx in some places. This should prevent
745     from scanning/radar detection/roc colliding.
746     
747     Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
748     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
749
750 commit 5fcd5f1808813a3d9e502fd756e01bee8a79c85d
751 Author: Michal Kazior <michal.kazior@tieto.com>
752 Date:   Wed Jan 29 07:56:19 2014 +0100
753
754     mac80211: move csa_active setting in STA CSA
755     
756     The sdata->vif.csa_active could be left set after,
757     e.g. channel context constraints check fail in STA
758     mode leaving the interface in a strange state for
759     a brief period of time until it is disconnected.
760     This was harmless but ugly.
761     
762     Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
763     Reviewed-by: Luciano Coelho <luciano.coelho@intel.com>
764     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
765
766 commit e486da4b7eed71821c6b4c1bb9ac62ffd3ab13e9
767 Author: Michal Kazior <michal.kazior@tieto.com>
768 Date:   Wed Jan 29 07:56:18 2014 +0100
769
770     mac80211: fix possible memory leak on AP CSA failure
771     
772     If CSA for AP interface failed and the interface
773     was not stopped afterwards another CSA request
774     would leak sdata->u.ap.next_beacon.
775     
776     Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
777     Reviewed-by: Luciano Coelho <luciano.coelho@intel.com>
778     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
779
780 commit 3a77ba08940682bf3d52cf14f980337324af9d4a
781 Author: Johannes Berg <johannes.berg@intel.com>
782 Date:   Sat Feb 1 00:33:29 2014 +0100
783
784     mac80211: fix fragmentation code, particularly for encryption
785     
786     The "new" fragmentation code (since my rewrite almost 5 years ago)
787     erroneously sets skb->len rather than using skb_trim() to adjust
788     the length of the first fragment after copying out all the others.
789     This leaves the skb tail pointer pointing to after where the data
790     originally ended, and thus causes the encryption MIC to be written
791     at that point, rather than where it belongs: immediately after the
792     data.
793     
794     The impact of this is that if software encryption is done, then
795      a) encryption doesn't work for the first fragment, the connection
796         becomes unusable as the first fragment will never be properly
797         verified at the receiver, the MIC is practically guaranteed to
798         be wrong
799      b) we leak up to 8 bytes of plaintext (!) of the packet out into
800         the air
801     
802     This is only mitigated by the fact that many devices are capable
803     of doing encryption in hardware, in which case this can't happen
804     as the tail pointer is irrelevant in that case. Additionally,
805     fragmentation is not used very frequently and would normally have
806     to be configured manually.
807     
808     Fix this by using skb_trim() properly.
809     
810     Cc: stable@vger.kernel.org
811     Fixes: 2de8e0d999b8 ("mac80211: rewrite fragmentation")
812     Reported-by: Jouni Malinen <j@w1.fi>
813     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
814
815 commit de5f242e0c10e841017e37eb8c38974a642dbca8
816 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
817 Date:   Tue Jan 28 06:21:59 2014 +0530
818
819     ath9k: Fix build error on ARM
820     
821     Use mdelay instead of udelay to fix this error:
822     
823     ERROR: "__bad_udelay" [drivers/net/wireless/ath/ath9k/ath9k_hw.ko] undefined!
824     make[1]: *** [__modpost] Error 1
825     make: *** [modules] Error 2
826     
827     Reported-by: Josh Boyer <jwboyer@fedoraproject.org>
828     Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
829
830 commit 8e3ea7a51dfc61810fcefd947f6edcf61125252a
831 Author: Geert Uytterhoeven <geert@linux-m68k.org>
832 Date:   Sun Jan 26 11:53:21 2014 +0100
833
834     ath9k: Fix uninitialized variable in ath9k_has_tx_pending()
835     
836     drivers/net/wireless/ath/ath9k/main.c: In function ‘ath9k_has_tx_pending’:
837     drivers/net/wireless/ath/ath9k/main.c:1869: warning: ‘npend’ may be used uninitialized in this function
838     
839     Introduced by commit 10e2318103f5941aa70c318afe34bc41f1b98529 ("ath9k:
840     optimize ath9k_flush").
841     
842     Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
843
844 commit a4a634a6937ebdd827fa58e8fcdb8ca49a3769f6
845 Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
846 Date:   Mon Jan 27 11:07:42 2014 +0200
847
848     mac80211: release the channel in error path in start_ap
849     
850     When the driver cannot start the AP or when the assignement
851     of the beacon goes wrong, we need to unassign the vif.
852     
853     Cc: stable@vger.kernel.org
854     Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
855     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
856
857 commit dfb6889a75c601aedb7450b7e606668e77da6679
858 Author: Johannes Berg <johannes.berg@intel.com>
859 Date:   Wed Jan 22 11:14:19 2014 +0200
860
861     cfg80211: send scan results from work queue
862     
863     Due to the previous commit, when a scan finishes, it is in theory
864     possible to hit the following sequence:
865      1. interface starts being removed
866      2. scan is cancelled by driver and cfg80211 is notified
867      3. scan done work is scheduled
868      4. interface is removed completely, rdev->scan_req is freed,
869         event sent to userspace but scan done work remains pending
870      5. new scan is requested on another virtual interface
871      6. scan done work runs, freeing the still-running scan
872     
873     To fix this situation, hang on to the scan done message and block
874     new scans while that is the case, and only send the message from
875     the work function, regardless of whether the scan_req is already
876     freed from interface removal. This makes step 5 above impossible
877     and changes step 6 to be
878      5. scan done work runs, sending the scan done message
879     
880     As this can't work for wext, so we send the message immediately,
881     but this shouldn't be an issue since we still return -EBUSY.
882     
883     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
884
885 commit 45b7ab41fc08627d9a8428cb413d5d84662a9707
886 Author: Johannes Berg <johannes.berg@intel.com>
887 Date:   Wed Jan 22 11:14:18 2014 +0200
888
889     cfg80211: fix scan done race
890     
891     When an interface/wdev is removed, any ongoing scan should be
892     cancelled by the driver. This will make it call cfg80211, which
893     only queues a work struct. If interface/wdev removal is quick
894     enough, this can leave the scan request pending and processed
895     only after the interface is gone, causing a use-after-free.
896     
897     Fix this by making sure the scan request is not pending after
898     the interface is destroyed. We can't flush or cancel the work
899     item due to locking concerns, but when it'll run it shouldn't
900     find anything to do. This leaves a potential issue, if a new
901     scan gets requested before the work runs, it prematurely stops
902     the running scan, potentially causing another crash. I'll fix
903     that in the next patch.
904     
905     This was particularly observed with P2P_DEVICE wdevs, likely
906     because freeing them is quicker than freeing netdevs.
907     
908     Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
909     Fixes: 4a58e7c38443 ("cfg80211: don't "leak" uncompleted scans")
910     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
911
912 commit ae04fa489ab31b5a10d3cc8399f52761175d4321
913 Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
914 Date:   Thu Jan 23 14:28:16 2014 +0200
915
916     mac80211: avoid deadlock revealed by lockdep
917     
918     sdata->u.ap.request_smps_work can’t be flushed synchronously
919     under wdev_lock(wdev) since ieee80211_request_smps_ap_work
920     itself locks the same lock.
921     While at it, reset the driver_smps_mode when the ap is
922     stopped to its default: OFF.
923     
924     This solves:
925     
926     ======================================================
927     [ INFO: possible circular locking dependency detected ]
928     3.12.0-ipeer+ #2 Tainted: G           O
929     -------------------------------------------------------
930     rmmod/2867 is trying to acquire lock:
931       ((&sdata->u.ap.request_smps_work)){+.+...}, at: [<c105b8d0>] flush_work+0x0/0x90
932     
933     but task is already holding lock:
934       (&wdev->mtx){+.+.+.}, at: [<f9b32626>] cfg80211_stop_ap+0x26/0x230 [cfg80211]
935     
936     which lock already depends on the new lock.
937     
938     the existing dependency chain (in reverse order) is:
939     
940     -> #1 (&wdev->mtx){+.+.+.}:
941             [<c10aefa9>] lock_acquire+0x79/0xe0
942             [<c1607a1a>] mutex_lock_nested+0x4a/0x360
943             [<fb06288b>] ieee80211_request_smps_ap_work+0x2b/0x50 [mac80211]
944             [<c105cdd8>] process_one_work+0x198/0x450
945             [<c105d469>] worker_thread+0xf9/0x320
946             [<c10669ff>] kthread+0x9f/0xb0
947             [<c1613397>] ret_from_kernel_thread+0x1b/0x28
948     
949     -> #0 ((&sdata->u.ap.request_smps_work)){+.+...}:
950             [<c10ae9df>] __lock_acquire+0x183f/0x1910
951             [<c10aefa9>] lock_acquire+0x79/0xe0
952             [<c105b917>] flush_work+0x47/0x90
953             [<c105d867>] __cancel_work_timer+0x67/0xe0
954             [<c105d90f>] cancel_work_sync+0xf/0x20
955             [<fb0765cc>] ieee80211_stop_ap+0x8c/0x340 [mac80211]
956             [<f9b3268c>] cfg80211_stop_ap+0x8c/0x230 [cfg80211]
957             [<f9b0d8f9>] cfg80211_leave+0x79/0x100 [cfg80211]
958             [<f9b0da72>] cfg80211_netdev_notifier_call+0xf2/0x4f0 [cfg80211]
959             [<c160f2c9>] notifier_call_chain+0x59/0x130
960             [<c106c6de>] __raw_notifier_call_chain+0x1e/0x30
961             [<c106c70f>] raw_notifier_call_chain+0x1f/0x30
962             [<c14f8213>] call_netdevice_notifiers_info+0x33/0x70
963             [<c14f8263>] call_netdevice_notifiers+0x13/0x20
964             [<c14f82a4>] __dev_close_many+0x34/0xb0
965             [<c14f83fe>] dev_close_many+0x6e/0xc0
966             [<c14f9c77>] rollback_registered_many+0xa7/0x1f0
967             [<c14f9dd4>] unregister_netdevice_many+0x14/0x60
968             [<fb06f4d9>] ieee80211_remove_interfaces+0xe9/0x170 [mac80211]
969             [<fb055116>] ieee80211_unregister_hw+0x56/0x110 [mac80211]
970             [<fa3e9396>] iwl_op_mode_mvm_stop+0x26/0xe0 [iwlmvm]
971             [<f9b9d8ca>] _iwl_op_mode_stop+0x3a/0x70 [iwlwifi]
972             [<f9b9d96f>] iwl_opmode_deregister+0x6f/0x90 [iwlwifi]
973             [<fa405179>] __exit_compat+0xd/0x19 [iwlmvm]
974             [<c10b8bf9>] SyS_delete_module+0x179/0x2b0
975             [<c1613421>] sysenter_do_call+0x12/0x32
976     
977     Fixes: 687da132234f ("mac80211: implement SMPS for AP")
978     Cc: <stable@vger.kernel.org> [3.13]
979     Reported-by: Ilan Peer <ilan.peer@intel.com>
980     Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
981     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
982
983 commit 178b205e96217164fd7c30113464250d0b6f5eca
984 Author: Johannes Berg <johannes.berg@intel.com>
985 Date:   Thu Jan 23 16:32:29 2014 +0100
986
987     cfg80211: re-enable 5/10 MHz support
988     
989     Unfortunately I forgot this during the merge window, but the
990     patch seems small enough to go in as a fix. The userspace API
991     bug that was the reason for disabling it has long been fixed.
992     
993     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
994
995 commit 110a1c79acda14edc83b7c8dc5af9c7ddd23eb61
996 Author: Pontus Fuchs <pontus.fuchs@gmail.com>
997 Date:   Thu Jan 16 15:00:40 2014 +0100
998
999     nl80211: Reset split_start when netlink skb is exhausted
1000     
1001     When the netlink skb is exhausted split_start is left set. In the
1002     subsequent retry, with a larger buffer, the dump is continued from the
1003     failing point instead of from the beginning.
1004     
1005     This was causing my rt28xx based USB dongle to now show up when
1006     running "iw list" with an old iw version without split dump support.
1007     
1008     Cc: stable@vger.kernel.org
1009     Fixes: 3713b4e364ef ("nl80211: allow splitting wiphy information in dumps")
1010     Signed-off-by: Pontus Fuchs <pontus.fuchs@gmail.com>
1011     [avoid the entire workaround when state->split is set]
1012     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
1013
1014 commit b4c31b45ffc7ef110fa9ecc34d7878fe7c5b9da4
1015 Author: Eliad Peller <eliad@wizery.com>
1016 Date:   Sun Jan 12 11:06:37 2014 +0200
1017
1018     mac80211: move roc cookie assignment earlier
1019     
1020     ieee80211_start_roc_work() might add a new roc
1021     to existing roc, and tell cfg80211 it has already
1022     started.
1023     
1024     However, this might happen before the roc cookie
1025     was set, resulting in REMAIN_ON_CHANNEL (started)
1026     event with null cookie. Consequently, it can make
1027     wpa_supplicant go out of sync.
1028     
1029     Fix it by setting the roc cookie earlier.
1030     
1031     Cc: stable@vger.kernel.org
1032     Signed-off-by: Eliad Peller <eliad@wizery.com>
1033     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
1034
1035 commit cfdc9157bfd7bcf88ab4dae08873a9907eba984c
1036 Author: Johannes Berg <johannes.berg@intel.com>
1037 Date:   Fri Jan 24 14:06:29 2014 +0100
1038
1039     nl80211: send event when AP operation is stopped
1040     
1041     There are a few cases, e.g. suspend, where an AP interface is
1042     stopped by the kernel rather than by userspace request, most
1043     commonly when suspending. To let userspace know about this,
1044     send the NL80211_CMD_STOP_AP command as an event every time
1045     an AP interface is stopped. This also happens when userspace
1046     did in fact request the AP stop, but that's not a problem.
1047     
1048     For full-MAC drivers this may need to be extended to also
1049     cover cases where the device stopped the AP operation for
1050     some reason, this a bit more complicated because then all
1051     cfg80211 state also needs to be reset; such API is not part
1052     of this patch.
1053     
1054     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
1055
1056 commit d5d567eda7704f190379ca852a8f9a4112e3eee3
1057 Author: Johannes Berg <johannes.berg@intel.com>
1058 Date:   Thu Jan 23 16:20:29 2014 +0100
1059
1060     mac80211: add length check in ieee80211_is_robust_mgmt_frame()
1061     
1062     A few places weren't checking that the frame passed to the
1063     function actually has enough data even though the function
1064     clearly documents it must have a payload byte. Make this
1065     safer by changing the function to take an skb and checking
1066     the length inside. The old version is preserved for now as
1067     the rtl* drivers use it and don't have a correct skb.
1068     
1069     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
1070
1071 commit f8f6d212a047fc65c7d3442dfc038f65517236fc
1072 Author: Johannes Berg <johannes.berg@intel.com>
1073 Date:   Fri Jan 24 10:53:53 2014 +0100
1074
1075     nl80211: fix scheduled scan RSSI matchset attribute confusion
1076     
1077     The scheduled scan matchsets were intended to be a list of filters,
1078     with the found BSS having to pass at least one of them to be passed
1079     to the host. When the RSSI attribute was added, however, this was
1080     broken and currently wpa_supplicant adds that attribute in its own
1081     matchset; however, it doesn't intend that to mean that anything
1082     that passes the RSSI filter should be passed to the host, instead
1083     it wants it to mean that everything needs to also have higher RSSI.
1084     
1085     This is semantically problematic because we have a list of filters
1086     like [ SSID1, SSID2, SSID3, RSSI ] with no real indication which
1087     one should be OR'ed and which one AND'ed.
1088     
1089     To fix this, move the RSSI filter attribute into each matchset. As
1090     we need to stay backward compatible, treat a matchset with only the
1091     RSSI attribute as a "default RSSI filter" for all other matchsets,
1092     but only if there are other matchsets (an RSSI-only matchset by
1093     itself is still desirable.)
1094     
1095     To make driver implementation easier, keep a global min_rssi_thold
1096     for the entire request as well. The only affected driver is ath6kl.
1097     
1098     I found this when I looked into the code after Raja Mani submitted
1099     a patch fixing the n_match_sets calculation to disregard the RSSI,
1100     but that patch didn't address the semantic issue.
1101     
1102     Reported-by: Raja Mani <rmani@qti.qualcomm.com>
1103     Acked-by: Luciano Coelho <luciano.coelho@intel.com>
1104     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
1105
1106 commit de553e8545e65a6dc4e45f43df7e1443d4291922
1107 Author: Johannes Berg <johannes.berg@intel.com>
1108 Date:   Fri Jan 24 10:17:47 2014 +0100
1109
1110     nl80211: check nla_parse() return values
1111     
1112     If there's a policy, then nla_parse() return values must be
1113     checked, otherwise the policy is useless and there's nothing
1114     that ensures the attributes are actually what we expect them
1115     to be.
1116     
1117     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
1118
1119 commit 652204a0733e9e1c54661d6f9d36e2e1e3b22bb1
1120 Author: Karl Beldan <karl.beldan@rivierawaves.com>
1121 Date:   Thu Jan 23 20:06:34 2014 +0100
1122
1123     mac80211: send {ADD,DEL}BA on AC_VO like other mgmt frames, as per spec
1124     
1125     ATM, {ADD,DEL}BA and BAR frames are sent on the AC matching the TID of
1126     the BA parameters. In the discussion [1] about this patch, Johannes
1127     recalled that it fixed some races with the DELBA and indeed this
1128     behavior was introduced in [2].
1129     While [2] is right for the BARs, the part queueing the {ADD,DEL}BAs on
1130     their BA params TID AC violates the spec and is more a workaround for
1131     some drivers. Helmut expressed some concerns wrt such drivers, in
1132     particular DELBAs in rt2x00.
1133     
1134     ATM, DELBAs are sent after a driver has called (hence "purposely")
1135     ieee80211_start_tx_ba_cb_irqsafe and Johannes and Emmanuel gave some
1136     details wrt intentions behind the split of the IEEE80211_AMPDU_TX_STOP_*
1137     given to the driver ampdu_action supposed to call this function, which
1138     could prove handy to people trying to do the right thing in faulty
1139     drivers (if their fw/hw don't get in their way).
1140     
1141     [1] http://mid.gmane.org/1390391564-18481-1-git-send-email-karl.beldan@gmail.com
1142     [2] Commit: cf6bb79ad828 ("mac80211: Use appropriate TID for sending BAR, ADDBA and DELBA frames")
1143     
1144     Signed-off-by: Karl Beldan <karl.beldan@rivierawaves.com>
1145     Cc: Helmut Schaa <helmut.schaa@googlemail.com>
1146     Cc: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
1147     Signed-off-by: Johannes Berg <johannes.berg@intel.com>
1148 --- a/drivers/net/wireless/ath/ath6kl/cfg80211.c
1149 +++ b/drivers/net/wireless/ath/ath6kl/cfg80211.c
1150 @@ -790,7 +790,7 @@ void ath6kl_cfg80211_connect_event(struc
1151         if (nw_type & ADHOC_NETWORK) {
1152                 ath6kl_dbg(ATH6KL_DBG_WLAN_CFG, "ad-hoc %s selected\n",
1153                            nw_type & ADHOC_CREATOR ? "creator" : "joiner");
1154 -               cfg80211_ibss_joined(vif->ndev, bssid, GFP_KERNEL);
1155 +               cfg80211_ibss_joined(vif->ndev, bssid, chan, GFP_KERNEL);
1156                 cfg80211_put_bss(ar->wiphy, bss);
1157                 return;
1158         }
1159 @@ -861,13 +861,9 @@ void ath6kl_cfg80211_disconnect_event(st
1160         }
1161  
1162         if (vif->nw_type & ADHOC_NETWORK) {
1163 -               if (vif->wdev.iftype != NL80211_IFTYPE_ADHOC) {
1164 +               if (vif->wdev.iftype != NL80211_IFTYPE_ADHOC)
1165                         ath6kl_dbg(ATH6KL_DBG_WLAN_CFG,
1166                                    "%s: ath6k not in ibss mode\n", __func__);
1167 -                       return;
1168 -               }
1169 -               memset(bssid, 0, ETH_ALEN);
1170 -               cfg80211_ibss_joined(vif->ndev, bssid, GFP_KERNEL);
1171                 return;
1172         }
1173  
1174 @@ -3256,6 +3252,15 @@ static int ath6kl_cfg80211_sscan_start(s
1175         struct ath6kl_vif *vif = netdev_priv(dev);
1176         u16 interval;
1177         int ret, rssi_thold;
1178 +       int n_match_sets = request->n_match_sets;
1179 +
1180 +       /*
1181 +        * If there's a matchset w/o an SSID, then assume it's just for
1182 +        * the RSSI (nothing else is currently supported) and ignore it.
1183 +        * The device only supports a global RSSI filter that we set below.
1184 +        */
1185 +       if (n_match_sets == 1 && !request->match_sets[0].ssid.ssid_len)
1186 +               n_match_sets = 0;
1187  
1188         if (ar->state != ATH6KL_STATE_ON)
1189                 return -EIO;
1190 @@ -3268,11 +3273,11 @@ static int ath6kl_cfg80211_sscan_start(s
1191         ret = ath6kl_set_probed_ssids(ar, vif, request->ssids,
1192                                       request->n_ssids,
1193                                       request->match_sets,
1194 -                                     request->n_match_sets);
1195 +                                     n_match_sets);
1196         if (ret < 0)
1197                 return ret;
1198  
1199 -       if (!request->n_match_sets) {
1200 +       if (!n_match_sets) {
1201                 ret = ath6kl_wmi_bssfilter_cmd(ar->wmi, vif->fw_vif_idx,
1202                                                ALL_BSS_FILTER, 0);
1203                 if (ret < 0)
1204 @@ -3286,12 +3291,12 @@ static int ath6kl_cfg80211_sscan_start(s
1205  
1206         if (test_bit(ATH6KL_FW_CAPABILITY_RSSI_SCAN_THOLD,
1207                      ar->fw_capabilities)) {
1208 -               if (request->rssi_thold <= NL80211_SCAN_RSSI_THOLD_OFF)
1209 +               if (request->min_rssi_thold <= NL80211_SCAN_RSSI_THOLD_OFF)
1210                         rssi_thold = 0;
1211 -               else if (request->rssi_thold < -127)
1212 +               else if (request->min_rssi_thold < -127)
1213                         rssi_thold = -127;
1214                 else
1215 -                       rssi_thold = request->rssi_thold;
1216 +                       rssi_thold = request->min_rssi_thold;
1217  
1218                 ret = ath6kl_wmi_set_rssi_filter_cmd(ar->wmi, vif->fw_vif_idx,
1219                                                      rssi_thold);
1220 --- a/drivers/net/wireless/ath/ath9k/hw.c
1221 +++ b/drivers/net/wireless/ath/ath9k/hw.c
1222 @@ -1316,7 +1316,7 @@ static bool ath9k_hw_set_reset(struct at
1223         if (AR_SREV_9300_20_OR_LATER(ah))
1224                 udelay(50);
1225         else if (AR_SREV_9100(ah))
1226 -               udelay(10000);
1227 +               mdelay(10);
1228         else
1229                 udelay(100);
1230  
1231 @@ -1534,7 +1534,7 @@ EXPORT_SYMBOL(ath9k_hw_check_nav);
1232  bool ath9k_hw_check_alive(struct ath_hw *ah)
1233  {
1234         int count = 50;
1235 -       u32 reg;
1236 +       u32 reg, last_val;
1237  
1238         if (AR_SREV_9300(ah))
1239                 return !ath9k_hw_detect_mac_hang(ah);
1240 @@ -1542,9 +1542,14 @@ bool ath9k_hw_check_alive(struct ath_hw 
1241         if (AR_SREV_9285_12_OR_LATER(ah))
1242                 return true;
1243  
1244 +       last_val = REG_READ(ah, AR_OBS_BUS_1);
1245         do {
1246                 reg = REG_READ(ah, AR_OBS_BUS_1);
1247 +               if (reg != last_val)
1248 +                       return true;
1249  
1250 +               udelay(1);
1251 +               last_val = reg;
1252                 if ((reg & 0x7E7FFFEF) == 0x00702400)
1253                         continue;
1254  
1255 @@ -2051,9 +2056,8 @@ static bool ath9k_hw_set_power_awake(str
1256  
1257         REG_SET_BIT(ah, AR_RTC_FORCE_WAKE,
1258                     AR_RTC_FORCE_WAKE_EN);
1259 -
1260         if (AR_SREV_9100(ah))
1261 -               udelay(10000);
1262 +               mdelay(10);
1263         else
1264                 udelay(50);
1265  
1266 --- a/drivers/net/wireless/ath/ath9k/main.c
1267 +++ b/drivers/net/wireless/ath/ath9k/main.c
1268 @@ -451,7 +451,7 @@ void ath9k_tasklet(unsigned long data)
1269                  * interrupts are enabled in the reset routine.
1270                  */
1271                 atomic_inc(&ah->intr_ref_cnt);
1272 -               ath_dbg(common, ANY, "FATAL: Skipping interrupts\n");
1273 +               ath_dbg(common, RESET, "FATAL: Skipping interrupts\n");
1274                 goto out;
1275         }
1276  
1277 @@ -471,7 +471,7 @@ void ath9k_tasklet(unsigned long data)
1278                          * interrupts are enabled in the reset routine.
1279                          */
1280                         atomic_inc(&ah->intr_ref_cnt);
1281 -                       ath_dbg(common, ANY,
1282 +                       ath_dbg(common, RESET,
1283                                 "BB_WATCHDOG: Skipping interrupts\n");
1284                         goto out;
1285                 }
1286 @@ -484,7 +484,7 @@ void ath9k_tasklet(unsigned long data)
1287                         type = RESET_TYPE_TX_GTT;
1288                         ath9k_queue_reset(sc, type);
1289                         atomic_inc(&ah->intr_ref_cnt);
1290 -                       ath_dbg(common, ANY,
1291 +                       ath_dbg(common, RESET,
1292                                 "GTT: Skipping interrupts\n");
1293                         goto out;
1294                 }
1295 @@ -1866,7 +1866,7 @@ static void ath9k_set_coverage_class(str
1296  
1297  static bool ath9k_has_tx_pending(struct ath_softc *sc)
1298  {
1299 -       int i, npend;
1300 +       int i, npend = 0;
1301  
1302         for (i = 0; i < ATH9K_NUM_TX_QUEUES; i++) {
1303                 if (!ATH_TXQ_SETUP(sc, i))
1304 --- a/drivers/net/wireless/iwlwifi/mvm/scan.c
1305 +++ b/drivers/net/wireless/iwlwifi/mvm/scan.c
1306 @@ -595,6 +595,9 @@ static void iwl_scan_offload_build_ssid(
1307          * config match list.
1308          */
1309         for (i = 0; i < req->n_match_sets && i < PROBE_OPTION_MAX; i++) {
1310 +               /* skip empty SSID matchsets */
1311 +               if (!req->match_sets[i].ssid.ssid_len)
1312 +                       continue;
1313                 scan->direct_scan[i].id = WLAN_EID_SSID;
1314                 scan->direct_scan[i].len = req->match_sets[i].ssid.ssid_len;
1315                 memcpy(scan->direct_scan[i].ssid, req->match_sets[i].ssid.ssid,
1316 --- a/drivers/net/wireless/rtlwifi/rtl8188ee/trx.c
1317 +++ b/drivers/net/wireless/rtlwifi/rtl8188ee/trx.c
1318 @@ -452,7 +452,7 @@ bool rtl88ee_rx_query_desc(struct ieee80
1319                         /* During testing, hdr was NULL */
1320                         return false;
1321                 }
1322 -               if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
1323 +               if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
1324                     (ieee80211_has_protected(hdr->frame_control)))
1325                         rx_status->flag &= ~RX_FLAG_DECRYPTED;
1326                 else
1327 --- a/drivers/net/wireless/rtlwifi/rtl8192ce/trx.c
1328 +++ b/drivers/net/wireless/rtlwifi/rtl8192ce/trx.c
1329 @@ -393,7 +393,7 @@ bool rtl92ce_rx_query_desc(struct ieee80
1330                         /* In testing, hdr was NULL here */
1331                         return false;
1332                 }
1333 -               if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
1334 +               if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
1335                     (ieee80211_has_protected(hdr->frame_control)))
1336                         rx_status->flag &= ~RX_FLAG_DECRYPTED;
1337                 else
1338 --- a/drivers/net/wireless/rtlwifi/rtl8192se/trx.c
1339 +++ b/drivers/net/wireless/rtlwifi/rtl8192se/trx.c
1340 @@ -310,7 +310,7 @@ bool rtl92se_rx_query_desc(struct ieee80
1341                         /* during testing, hdr was NULL here */
1342                         return false;
1343                 }
1344 -               if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
1345 +               if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
1346                         (ieee80211_has_protected(hdr->frame_control)))
1347                         rx_status->flag &= ~RX_FLAG_DECRYPTED;
1348                 else
1349 --- a/drivers/net/wireless/rtlwifi/rtl8723ae/trx.c
1350 +++ b/drivers/net/wireless/rtlwifi/rtl8723ae/trx.c
1351 @@ -334,7 +334,7 @@ bool rtl8723ae_rx_query_desc(struct ieee
1352                         /* during testing, hdr could be NULL here */
1353                         return false;
1354                 }
1355 -               if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
1356 +               if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
1357                         (ieee80211_has_protected(hdr->frame_control)))
1358                         rx_status->flag &= ~RX_FLAG_DECRYPTED;
1359                 else
1360 --- a/include/linux/ieee80211.h
1361 +++ b/include/linux/ieee80211.h
1362 @@ -597,6 +597,20 @@ static inline int ieee80211_is_qos_nullf
1363  }
1364  
1365  /**
1366 + * ieee80211_is_bufferable_mmpdu - check if frame is bufferable MMPDU
1367 + * @fc: frame control field in little-endian byteorder
1368 + */
1369 +static inline bool ieee80211_is_bufferable_mmpdu(__le16 fc)
1370 +{
1371 +       /* IEEE 802.11-2012, definition of "bufferable management frame";
1372 +        * note that this ignores the IBSS special case. */
1373 +       return ieee80211_is_mgmt(fc) &&
1374 +              (ieee80211_is_action(fc) ||
1375 +               ieee80211_is_disassoc(fc) ||
1376 +               ieee80211_is_deauth(fc));
1377 +}
1378 +
1379 +/**
1380   * ieee80211_is_first_frag - check if IEEE80211_SCTL_FRAG is not set
1381   * @seq_ctrl: frame sequence control bytes in little-endian byteorder
1382   */
1383 @@ -2192,10 +2206,10 @@ static inline u8 *ieee80211_get_DA(struc
1384  }
1385  
1386  /**
1387 - * ieee80211_is_robust_mgmt_frame - check if frame is a robust management frame
1388 + * _ieee80211_is_robust_mgmt_frame - check if frame is a robust management frame
1389   * @hdr: the frame (buffer must include at least the first octet of payload)
1390   */
1391 -static inline bool ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr)
1392 +static inline bool _ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr)
1393  {
1394         if (ieee80211_is_disassoc(hdr->frame_control) ||
1395             ieee80211_is_deauth(hdr->frame_control))
1396 @@ -2224,6 +2238,17 @@ static inline bool ieee80211_is_robust_m
1397  }
1398  
1399  /**
1400 + * ieee80211_is_robust_mgmt_frame - check if skb contains a robust mgmt frame
1401 + * @skb: the skb containing the frame, length will be checked
1402 + */
1403 +static inline bool ieee80211_is_robust_mgmt_frame(struct sk_buff *skb)
1404 +{
1405 +       if (skb->len < 25)
1406 +               return false;
1407 +       return _ieee80211_is_robust_mgmt_frame((void *)skb->data);
1408 +}
1409 +
1410 +/**
1411   * ieee80211_is_public_action - check if frame is a public action frame
1412   * @hdr: the frame
1413   * @len: length of the frame
1414 --- a/include/net/cfg80211.h
1415 +++ b/include/net/cfg80211.h
1416 @@ -1395,9 +1395,11 @@ struct cfg80211_scan_request {
1417   * struct cfg80211_match_set - sets of attributes to match
1418   *
1419   * @ssid: SSID to be matched
1420 + * @rssi_thold: don't report scan results below this threshold (in s32 dBm)
1421   */
1422  struct cfg80211_match_set {
1423         struct cfg80211_ssid ssid;
1424 +       s32 rssi_thold;
1425  };
1426  
1427  /**
1428 @@ -1420,7 +1422,8 @@ struct cfg80211_match_set {
1429   * @dev: the interface
1430   * @scan_start: start time of the scheduled scan
1431   * @channels: channels to scan
1432 - * @rssi_thold: don't report scan results below this threshold (in s32 dBm)
1433 + * @min_rssi_thold: for drivers only supporting a single threshold, this
1434 + *     contains the minimum over all matchsets
1435   */
1436  struct cfg80211_sched_scan_request {
1437         struct cfg80211_ssid *ssids;
1438 @@ -1433,7 +1436,7 @@ struct cfg80211_sched_scan_request {
1439         u32 flags;
1440         struct cfg80211_match_set *match_sets;
1441         int n_match_sets;
1442 -       s32 rssi_thold;
1443 +       s32 min_rssi_thold;
1444  
1445         /* internal */
1446         struct wiphy *wiphy;
1447 @@ -3130,8 +3133,8 @@ struct cfg80211_cached_keys;
1448   * @identifier: (private) Identifier used in nl80211 to identify this
1449   *     wireless device if it has no netdev
1450   * @current_bss: (private) Used by the internal configuration code
1451 - * @channel: (private) Used by the internal configuration code to track
1452 - *     the user-set AP, monitor and WDS channel
1453 + * @chandef: (private) Used by the internal configuration code to track
1454 + *     the user-set channel definition.
1455   * @preset_chandef: (private) Used by the internal configuration code to
1456   *     track the channel to be used for AP later
1457   * @bssid: (private) Used by the internal configuration code
1458 @@ -3195,9 +3198,7 @@ struct wireless_dev {
1459  
1460         struct cfg80211_internal_bss *current_bss; /* associated / joined */
1461         struct cfg80211_chan_def preset_chandef;
1462 -
1463 -       /* for AP and mesh channel tracking */
1464 -       struct ieee80211_channel *channel;
1465 +       struct cfg80211_chan_def chandef;
1466  
1467         bool ibss_fixed;
1468         bool ibss_dfs_possible;
1469 @@ -3879,6 +3880,7 @@ void cfg80211_michael_mic_failure(struct
1470   *
1471   * @dev: network device
1472   * @bssid: the BSSID of the IBSS joined
1473 + * @channel: the channel of the IBSS joined
1474   * @gfp: allocation flags
1475   *
1476   * This function notifies cfg80211 that the device joined an IBSS or
1477 @@ -3888,7 +3890,8 @@ void cfg80211_michael_mic_failure(struct
1478   * with the locally generated beacon -- this guarantees that there is
1479   * always a scan result for this IBSS. cfg80211 will handle the rest.
1480   */
1481 -void cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid, gfp_t gfp);
1482 +void cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid,
1483 +                         struct ieee80211_channel *channel, gfp_t gfp);
1484  
1485  /**
1486   * cfg80211_notify_new_candidate - notify cfg80211 of a new mesh peer candidate
1487 --- a/include/uapi/linux/nl80211.h
1488 +++ b/include/uapi/linux/nl80211.h
1489 @@ -2442,9 +2442,15 @@ enum nl80211_reg_rule_attr {
1490   * enum nl80211_sched_scan_match_attr - scheduled scan match attributes
1491   * @__NL80211_SCHED_SCAN_MATCH_ATTR_INVALID: attribute number 0 is reserved
1492   * @NL80211_SCHED_SCAN_MATCH_ATTR_SSID: SSID to be used for matching,
1493 - * only report BSS with matching SSID.
1494 + *     only report BSS with matching SSID.
1495   * @NL80211_SCHED_SCAN_MATCH_ATTR_RSSI: RSSI threshold (in dBm) for reporting a
1496 - *     BSS in scan results. Filtering is turned off if not specified.
1497 + *     BSS in scan results. Filtering is turned off if not specified. Note that
1498 + *     if this attribute is in a match set of its own, then it is treated as
1499 + *     the default value for all matchsets with an SSID, rather than being a
1500 + *     matchset of its own without an RSSI filter. This is due to problems with
1501 + *     how this API was implemented in the past. Also, due to the same problem,
1502 + *     the only way to create a matchset with only an RSSI filter (with this
1503 + *     attribute) is if there's only a single matchset with the RSSI attribute.
1504   * @NL80211_SCHED_SCAN_MATCH_ATTR_MAX: highest scheduled scan filter
1505   *     attribute number currently defined
1506   * @__NL80211_SCHED_SCAN_MATCH_ATTR_AFTER_LAST: internal use
1507 --- a/net/mac80211/agg-tx.c
1508 +++ b/net/mac80211/agg-tx.c
1509 @@ -107,7 +107,7 @@ static void ieee80211_send_addba_request
1510         mgmt->u.action.u.addba_req.start_seq_num =
1511                                         cpu_to_le16(start_seq_num << 4);
1512  
1513 -       ieee80211_tx_skb_tid(sdata, skb, tid);
1514 +       ieee80211_tx_skb(sdata, skb);
1515  }
1516  
1517  void ieee80211_send_bar(struct ieee80211_vif *vif, u8 *ra, u16 tid, u16 ssn)
1518 --- a/net/mac80211/cfg.c
1519 +++ b/net/mac80211/cfg.c
1520 @@ -970,9 +970,9 @@ static int ieee80211_start_ap(struct wip
1521         /* TODO: make hostapd tell us what it wants */
1522         sdata->smps_mode = IEEE80211_SMPS_OFF;
1523         sdata->needed_rx_chains = sdata->local->rx_chains;
1524 -       sdata->radar_required = params->radar_required;
1525  
1526         mutex_lock(&local->mtx);
1527 +       sdata->radar_required = params->radar_required;
1528         err = ieee80211_vif_use_channel(sdata, &params->chandef,
1529                                         IEEE80211_CHANCTX_SHARED);
1530         mutex_unlock(&local->mtx);
1531 @@ -1021,8 +1021,10 @@ static int ieee80211_start_ap(struct wip
1532                                         IEEE80211_P2P_OPPPS_ENABLE_BIT;
1533  
1534         err = ieee80211_assign_beacon(sdata, &params->beacon);
1535 -       if (err < 0)
1536 +       if (err < 0) {
1537 +               ieee80211_vif_release_channel(sdata);
1538                 return err;
1539 +       }
1540         changed |= err;
1541  
1542         err = drv_start_ap(sdata->local, sdata);
1543 @@ -1032,6 +1034,7 @@ static int ieee80211_start_ap(struct wip
1544                 if (old)
1545                         kfree_rcu(old, rcu_head);
1546                 RCU_INIT_POINTER(sdata->u.ap.beacon, NULL);
1547 +               ieee80211_vif_release_channel(sdata);
1548                 return err;
1549         }
1550  
1551 @@ -1053,6 +1056,7 @@ static int ieee80211_change_beacon(struc
1552         int err;
1553  
1554         sdata = IEEE80211_DEV_TO_SUB_IF(dev);
1555 +       sdata_assert_lock(sdata);
1556  
1557         /* don't allow changing the beacon while CSA is in place - offset
1558          * of channel switch counter may change
1559 @@ -1080,6 +1084,8 @@ static int ieee80211_stop_ap(struct wiph
1560         struct probe_resp *old_probe_resp;
1561         struct cfg80211_chan_def chandef;
1562  
1563 +       sdata_assert_lock(sdata);
1564 +
1565         old_beacon = sdata_dereference(sdata->u.ap.beacon, sdata);
1566         if (!old_beacon)
1567                 return -ENOENT;
1568 @@ -1090,8 +1096,6 @@ static int ieee80211_stop_ap(struct wiph
1569         kfree(sdata->u.ap.next_beacon);
1570         sdata->u.ap.next_beacon = NULL;
1571  
1572 -       cancel_work_sync(&sdata->u.ap.request_smps_work);
1573 -
1574         /* turn off carrier for this interface and dependent VLANs */
1575         list_for_each_entry(vlan, &sdata->u.ap.vlans, u.vlan.list)
1576                 netif_carrier_off(vlan->dev);
1577 @@ -1103,6 +1107,7 @@ static int ieee80211_stop_ap(struct wiph
1578         kfree_rcu(old_beacon, rcu_head);
1579         if (old_probe_resp)
1580                 kfree_rcu(old_probe_resp, rcu_head);
1581 +       sdata->u.ap.driver_smps_mode = IEEE80211_SMPS_OFF;
1582  
1583         __sta_info_flush(sdata, true);
1584         ieee80211_free_keys(sdata, true);
1585 @@ -1988,6 +1993,9 @@ static int ieee80211_change_bss(struct w
1586  
1587         band = ieee80211_get_sdata_band(sdata);
1588  
1589 +       if (WARN_ON(!wiphy->bands[band]))
1590 +               return -EINVAL;
1591 +
1592         if (params->use_cts_prot >= 0) {
1593                 sdata->vif.bss_conf.use_cts_prot = params->use_cts_prot;
1594                 changed |= BSS_CHANGED_ERP_CTS_PROT;
1595 @@ -2638,6 +2646,24 @@ static int ieee80211_start_roc_work(stru
1596         INIT_DELAYED_WORK(&roc->work, ieee80211_sw_roc_work);
1597         INIT_LIST_HEAD(&roc->dependents);
1598  
1599 +       /*
1600 +        * cookie is either the roc cookie (for normal roc)
1601 +        * or the SKB (for mgmt TX)
1602 +        */
1603 +       if (!txskb) {
1604 +               /* local->mtx protects this */
1605 +               local->roc_cookie_counter++;
1606 +               roc->cookie = local->roc_cookie_counter;
1607 +               /* wow, you wrapped 64 bits ... more likely a bug */
1608 +               if (WARN_ON(roc->cookie == 0)) {
1609 +                       roc->cookie = 1;
1610 +                       local->roc_cookie_counter++;
1611 +               }
1612 +               *cookie = roc->cookie;
1613 +       } else {
1614 +               *cookie = (unsigned long)txskb;
1615 +       }
1616 +
1617         /* if there's one pending or we're scanning, queue this one */
1618         if (!list_empty(&local->roc_list) ||
1619             local->scanning || local->radar_detect_enabled)
1620 @@ -2772,24 +2798,6 @@ static int ieee80211_start_roc_work(stru
1621         if (!queued)
1622                 list_add_tail(&roc->list, &local->roc_list);
1623  
1624 -       /*
1625 -        * cookie is either the roc cookie (for normal roc)
1626 -        * or the SKB (for mgmt TX)
1627 -        */
1628 -       if (!txskb) {
1629 -               /* local->mtx protects this */
1630 -               local->roc_cookie_counter++;
1631 -               roc->cookie = local->roc_cookie_counter;
1632 -               /* wow, you wrapped 64 bits ... more likely a bug */
1633 -               if (WARN_ON(roc->cookie == 0)) {
1634 -                       roc->cookie = 1;
1635 -                       local->roc_cookie_counter++;
1636 -               }
1637 -               *cookie = roc->cookie;
1638 -       } else {
1639 -               *cookie = (unsigned long)txskb;
1640 -       }
1641 -
1642         return 0;
1643  }
1644  
1645 @@ -3004,8 +3012,10 @@ void ieee80211_csa_finalize_work(struct 
1646         if (!ieee80211_sdata_running(sdata))
1647                 goto unlock;
1648  
1649 -       sdata->radar_required = sdata->csa_radar_required;
1650 +       sdata_assert_lock(sdata);
1651 +
1652         mutex_lock(&local->mtx);
1653 +       sdata->radar_required = sdata->csa_radar_required;
1654         err = ieee80211_vif_change_channel(sdata, &changed);
1655         mutex_unlock(&local->mtx);
1656         if (WARN_ON(err < 0))
1657 @@ -3022,13 +3032,13 @@ void ieee80211_csa_finalize_work(struct 
1658         switch (sdata->vif.type) {
1659         case NL80211_IFTYPE_AP:
1660                 err = ieee80211_assign_beacon(sdata, sdata->u.ap.next_beacon);
1661 +               kfree(sdata->u.ap.next_beacon);
1662 +               sdata->u.ap.next_beacon = NULL;
1663 +
1664                 if (err < 0)
1665                         goto unlock;
1666  
1667                 changed |= err;
1668 -               kfree(sdata->u.ap.next_beacon);
1669 -               sdata->u.ap.next_beacon = NULL;
1670 -
1671                 ieee80211_bss_info_change_notify(sdata, err);
1672                 break;
1673         case NL80211_IFTYPE_ADHOC:
1674 @@ -3066,7 +3076,7 @@ int ieee80211_channel_switch(struct wiph
1675         struct ieee80211_if_mesh __maybe_unused *ifmsh;
1676         int err, num_chanctx;
1677  
1678 -       lockdep_assert_held(&sdata->wdev.mtx);
1679 +       sdata_assert_lock(sdata);
1680  
1681         if (!list_empty(&local->roc_list) || local->scanning)
1682                 return -EBUSY;
1683 --- a/net/mac80211/ht.c
1684 +++ b/net/mac80211/ht.c
1685 @@ -375,7 +375,7 @@ void ieee80211_send_delba(struct ieee802
1686         mgmt->u.action.u.delba.params = cpu_to_le16(params);
1687         mgmt->u.action.u.delba.reason_code = cpu_to_le16(reason_code);
1688  
1689 -       ieee80211_tx_skb_tid(sdata, skb, tid);
1690 +       ieee80211_tx_skb(sdata, skb);
1691  }
1692  
1693  void ieee80211_process_delba(struct ieee80211_sub_if_data *sdata,
1694 @@ -466,7 +466,9 @@ void ieee80211_request_smps_ap_work(stru
1695                              u.ap.request_smps_work);
1696  
1697         sdata_lock(sdata);
1698 -       __ieee80211_request_smps_ap(sdata, sdata->u.ap.driver_smps_mode);
1699 +       if (sdata_dereference(sdata->u.ap.beacon, sdata))
1700 +               __ieee80211_request_smps_ap(sdata,
1701 +                                           sdata->u.ap.driver_smps_mode);
1702         sdata_unlock(sdata);
1703  }
1704  
1705 --- a/net/mac80211/iface.c
1706 +++ b/net/mac80211/iface.c
1707 @@ -770,12 +770,19 @@ static void ieee80211_do_stop(struct iee
1708  
1709         ieee80211_roc_purge(local, sdata);
1710  
1711 -       if (sdata->vif.type == NL80211_IFTYPE_STATION)
1712 +       switch (sdata->vif.type) {
1713 +       case NL80211_IFTYPE_STATION:
1714                 ieee80211_mgd_stop(sdata);
1715 -
1716 -       if (sdata->vif.type == NL80211_IFTYPE_ADHOC)
1717 +               break;
1718 +       case NL80211_IFTYPE_ADHOC:
1719                 ieee80211_ibss_stop(sdata);
1720 -
1721 +               break;
1722 +       case NL80211_IFTYPE_AP:
1723 +               cancel_work_sync(&sdata->u.ap.request_smps_work);
1724 +               break;
1725 +       default:
1726 +               break;
1727 +       }
1728  
1729         /*
1730          * Remove all stations associated with this interface.
1731 @@ -827,7 +834,9 @@ static void ieee80211_do_stop(struct iee
1732         cancel_work_sync(&local->dynamic_ps_enable_work);
1733  
1734         cancel_work_sync(&sdata->recalc_smps);
1735 +       sdata_lock(sdata);
1736         sdata->vif.csa_active = false;
1737 +       sdata_unlock(sdata);
1738         cancel_work_sync(&sdata->csa_finalize_work);
1739  
1740         cancel_delayed_work_sync(&sdata->dfs_cac_timer_work);
1741 --- a/net/mac80211/rx.c
1742 +++ b/net/mac80211/rx.c
1743 @@ -599,10 +599,10 @@ static int ieee80211_is_unicast_robust_m
1744  {
1745         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1746  
1747 -       if (skb->len < 24 || is_multicast_ether_addr(hdr->addr1))
1748 +       if (is_multicast_ether_addr(hdr->addr1))
1749                 return 0;
1750  
1751 -       return ieee80211_is_robust_mgmt_frame(hdr);
1752 +       return ieee80211_is_robust_mgmt_frame(skb);
1753  }
1754  
1755  
1756 @@ -610,10 +610,10 @@ static int ieee80211_is_multicast_robust
1757  {
1758         struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1759  
1760 -       if (skb->len < 24 || !is_multicast_ether_addr(hdr->addr1))
1761 +       if (!is_multicast_ether_addr(hdr->addr1))
1762                 return 0;
1763  
1764 -       return ieee80211_is_robust_mgmt_frame(hdr);
1765 +       return ieee80211_is_robust_mgmt_frame(skb);
1766  }
1767  
1768  
1769 @@ -626,7 +626,7 @@ static int ieee80211_get_mmie_keyidx(str
1770         if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da))
1771                 return -1;
1772  
1773 -       if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *) hdr))
1774 +       if (!ieee80211_is_robust_mgmt_frame(skb))
1775                 return -1; /* not a robust management frame */
1776  
1777         mmie = (struct ieee80211_mmie *)
1778 @@ -1128,6 +1128,13 @@ static void sta_ps_end(struct sta_info *
1779                sta->sta.addr, sta->sta.aid);
1780  
1781         if (test_sta_flag(sta, WLAN_STA_PS_DRIVER)) {
1782 +               /*
1783 +                * Clear the flag only if the other one is still set
1784 +                * so that the TX path won't start TX'ing new frames
1785 +                * directly ... In the case that the driver flag isn't
1786 +                * set ieee80211_sta_ps_deliver_wakeup() will clear it.
1787 +                */
1788 +               clear_sta_flag(sta, WLAN_STA_PS_STA);
1789                 ps_dbg(sta->sdata, "STA %pM aid %d driver-ps-blocked\n",
1790                        sta->sta.addr, sta->sta.aid);
1791                 return;
1792 @@ -1311,18 +1318,15 @@ ieee80211_rx_h_sta_process(struct ieee80
1793             !ieee80211_has_morefrags(hdr->frame_control) &&
1794             !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
1795             (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
1796 -            rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) {
1797 +            rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN) &&
1798 +           /* PM bit is only checked in frames where it isn't reserved,
1799 +            * in AP mode it's reserved in non-bufferable management frames
1800 +            * (cf. IEEE 802.11-2012 8.2.4.1.7 Power Management field)
1801 +            */
1802 +           (!ieee80211_is_mgmt(hdr->frame_control) ||
1803 +            ieee80211_is_bufferable_mmpdu(hdr->frame_control))) {
1804                 if (test_sta_flag(sta, WLAN_STA_PS_STA)) {
1805 -                       /*
1806 -                        * Ignore doze->wake transitions that are
1807 -                        * indicated by non-data frames, the standard
1808 -                        * is unclear here, but for example going to
1809 -                        * PS mode and then scanning would cause a
1810 -                        * doze->wake transition for the probe request,
1811 -                        * and that is clearly undesirable.
1812 -                        */
1813 -                       if (ieee80211_is_data(hdr->frame_control) &&
1814 -                           !ieee80211_has_pm(hdr->frame_control))
1815 +                       if (!ieee80211_has_pm(hdr->frame_control))
1816                                 sta_ps_end(sta);
1817                 } else {
1818                         if (ieee80211_has_pm(hdr->frame_control))
1819 @@ -1845,8 +1849,7 @@ static int ieee80211_drop_unencrypted_mg
1820                  * having configured keys.
1821                  */
1822                 if (unlikely(ieee80211_is_action(fc) && !rx->key &&
1823 -                            ieee80211_is_robust_mgmt_frame(
1824 -                                    (struct ieee80211_hdr *) rx->skb->data)))
1825 +                            ieee80211_is_robust_mgmt_frame(rx->skb)))
1826                         return -EACCES;
1827         }
1828  
1829 --- a/net/mac80211/tx.c
1830 +++ b/net/mac80211/tx.c
1831 @@ -452,8 +452,7 @@ static int ieee80211_use_mfp(__le16 fc, 
1832         if (sta == NULL || !test_sta_flag(sta, WLAN_STA_MFP))
1833                 return 0;
1834  
1835 -       if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *)
1836 -                                           skb->data))
1837 +       if (!ieee80211_is_robust_mgmt_frame(skb))
1838                 return 0;
1839  
1840         return 1;
1841 @@ -478,6 +477,20 @@ ieee80211_tx_h_unicast_ps_buf(struct iee
1842                        sta->sta.addr, sta->sta.aid, ac);
1843                 if (tx->local->total_ps_buffered >= TOTAL_MAX_TX_BUFFER)
1844                         purge_old_ps_buffers(tx->local);
1845 +
1846 +               /* sync with ieee80211_sta_ps_deliver_wakeup */
1847 +               spin_lock(&sta->ps_lock);
1848 +               /*
1849 +                * STA woke up the meantime and all the frames on ps_tx_buf have
1850 +                * been queued to pending queue. No reordering can happen, go
1851 +                * ahead and Tx the packet.
1852 +                */
1853 +               if (!test_sta_flag(sta, WLAN_STA_PS_STA) &&
1854 +                   !test_sta_flag(sta, WLAN_STA_PS_DRIVER)) {
1855 +                       spin_unlock(&sta->ps_lock);
1856 +                       return TX_CONTINUE;
1857 +               }
1858 +
1859                 if (skb_queue_len(&sta->ps_tx_buf[ac]) >= STA_MAX_TX_BUFFER) {
1860                         struct sk_buff *old = skb_dequeue(&sta->ps_tx_buf[ac]);
1861                         ps_dbg(tx->sdata,
1862 @@ -492,6 +505,7 @@ ieee80211_tx_h_unicast_ps_buf(struct iee
1863                 info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING;
1864                 info->flags &= ~IEEE80211_TX_TEMPORARY_FLAGS;
1865                 skb_queue_tail(&sta->ps_tx_buf[ac], tx->skb);
1866 +               spin_unlock(&sta->ps_lock);
1867  
1868                 if (!timer_pending(&local->sta_cleanup))
1869                         mod_timer(&local->sta_cleanup,
1870 @@ -525,9 +539,7 @@ ieee80211_tx_h_ps_buf(struct ieee80211_t
1871  
1872         /* only deauth, disassoc and action are bufferable MMPDUs */
1873         if (ieee80211_is_mgmt(hdr->frame_control) &&
1874 -           !ieee80211_is_deauth(hdr->frame_control) &&
1875 -           !ieee80211_is_disassoc(hdr->frame_control) &&
1876 -           !ieee80211_is_action(hdr->frame_control)) {
1877 +           !ieee80211_is_bufferable_mmpdu(hdr->frame_control)) {
1878                 if (tx->flags & IEEE80211_TX_UNICAST)
1879                         info->flags |= IEEE80211_TX_CTL_NO_PS_BUFFER;
1880                 return TX_CONTINUE;
1881 @@ -567,7 +579,7 @@ ieee80211_tx_h_select_key(struct ieee802
1882                 tx->key = key;
1883         else if (ieee80211_is_mgmt(hdr->frame_control) &&
1884                  is_multicast_ether_addr(hdr->addr1) &&
1885 -                ieee80211_is_robust_mgmt_frame(hdr) &&
1886 +                ieee80211_is_robust_mgmt_frame(tx->skb) &&
1887                  (key = rcu_dereference(tx->sdata->default_mgmt_key)))
1888                 tx->key = key;
1889         else if (is_multicast_ether_addr(hdr->addr1) &&
1890 @@ -582,12 +594,12 @@ ieee80211_tx_h_select_key(struct ieee802
1891                 tx->key = NULL;
1892         else if (tx->skb->protocol == tx->sdata->control_port_protocol)
1893                 tx->key = NULL;
1894 -       else if (ieee80211_is_robust_mgmt_frame(hdr) &&
1895 +       else if (ieee80211_is_robust_mgmt_frame(tx->skb) &&
1896                  !(ieee80211_is_action(hdr->frame_control) &&
1897                    tx->sta && test_sta_flag(tx->sta, WLAN_STA_MFP)))
1898                 tx->key = NULL;
1899         else if (ieee80211_is_mgmt(hdr->frame_control) &&
1900 -                !ieee80211_is_robust_mgmt_frame(hdr))
1901 +                !ieee80211_is_robust_mgmt_frame(tx->skb))
1902                 tx->key = NULL;
1903         else {
1904                 I802_DEBUG_INC(tx->local->tx_handlers_drop_unencrypted);
1905 @@ -878,7 +890,7 @@ static int ieee80211_fragment(struct iee
1906         }
1907  
1908         /* adjust first fragment's length */
1909 -       skb->len = hdrlen + per_fragm;
1910 +       skb_trim(skb, hdrlen + per_fragm);
1911         return 0;
1912  }
1913  
1914 @@ -2900,7 +2912,7 @@ ieee80211_get_buffered_bc(struct ieee802
1915                                 cpu_to_le16(IEEE80211_FCTL_MOREDATA);
1916                 }
1917  
1918 -               if (sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
1919 +               if (sdata->vif.type == NL80211_IFTYPE_AP)
1920                         sdata = IEEE80211_DEV_TO_SUB_IF(skb->dev);
1921                 if (!ieee80211_tx_prepare(sdata, &tx, skb))
1922                         break;
1923 --- a/net/mac80211/wpa.c
1924 +++ b/net/mac80211/wpa.c
1925 @@ -499,7 +499,7 @@ ieee80211_crypto_ccmp_decrypt(struct iee
1926         hdrlen = ieee80211_hdrlen(hdr->frame_control);
1927  
1928         if (!ieee80211_is_data(hdr->frame_control) &&
1929 -           !ieee80211_is_robust_mgmt_frame(hdr))
1930 +           !ieee80211_is_robust_mgmt_frame(skb))
1931                 return RX_CONTINUE;
1932  
1933         data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN -
1934 --- a/net/wireless/ap.c
1935 +++ b/net/wireless/ap.c
1936 @@ -27,9 +27,10 @@ static int __cfg80211_stop_ap(struct cfg
1937         err = rdev_stop_ap(rdev, dev);
1938         if (!err) {
1939                 wdev->beacon_interval = 0;
1940 -               wdev->channel = NULL;
1941 +               memset(&wdev->chandef, 0, sizeof(wdev->chandef));
1942                 wdev->ssid_len = 0;
1943                 rdev_set_qos_map(rdev, dev, NULL);
1944 +               nl80211_send_ap_stopped(wdev);
1945         }
1946  
1947         return err;
1948 --- a/net/wireless/core.c
1949 +++ b/net/wireless/core.c
1950 @@ -203,8 +203,11 @@ void cfg80211_stop_p2p_device(struct cfg
1951  
1952         rdev->opencount--;
1953  
1954 -       WARN_ON(rdev->scan_req && rdev->scan_req->wdev == wdev &&
1955 -               !rdev->scan_req->notified);
1956 +       if (rdev->scan_req && rdev->scan_req->wdev == wdev) {
1957 +               if (WARN_ON(!rdev->scan_req->notified))
1958 +                       rdev->scan_req->aborted = true;
1959 +               ___cfg80211_scan_done(rdev, false);
1960 +       }
1961  }
1962  
1963  static int cfg80211_rfkill_set_block(void *data, bool blocked)
1964 @@ -447,9 +450,6 @@ int wiphy_register(struct wiphy *wiphy)
1965         int i;
1966         u16 ifmodes = wiphy->interface_modes;
1967  
1968 -       /* support for 5/10 MHz is broken due to nl80211 API mess - disable */
1969 -       wiphy->flags &= ~WIPHY_FLAG_SUPPORTS_5_10_MHZ;
1970 -
1971         /*
1972          * There are major locking problems in nl80211/mac80211 for CSA,
1973          * disable for all drivers until this has been reworked.
1974 @@ -795,8 +795,6 @@ void cfg80211_leave(struct cfg80211_regi
1975         default:
1976                 break;
1977         }
1978 -
1979 -       wdev->beacon_interval = 0;
1980  }
1981  
1982  static int cfg80211_netdev_notifier_call(struct notifier_block *nb,
1983 @@ -875,8 +873,11 @@ static int cfg80211_netdev_notifier_call
1984                 break;
1985         case NETDEV_DOWN:
1986                 cfg80211_update_iface_num(rdev, wdev->iftype, -1);
1987 -               WARN_ON(rdev->scan_req && rdev->scan_req->wdev == wdev &&
1988 -                       !rdev->scan_req->notified);
1989 +               if (rdev->scan_req && rdev->scan_req->wdev == wdev) {
1990 +                       if (WARN_ON(!rdev->scan_req->notified))
1991 +                               rdev->scan_req->aborted = true;
1992 +                       ___cfg80211_scan_done(rdev, false);
1993 +               }
1994  
1995                 if (WARN_ON(rdev->sched_scan_req &&
1996                             rdev->sched_scan_req->dev == wdev->netdev)) {
1997 --- a/net/wireless/core.h
1998 +++ b/net/wireless/core.h
1999 @@ -62,6 +62,7 @@ struct cfg80211_registered_device {
2000         struct rb_root bss_tree;
2001         u32 bss_generation;
2002         struct cfg80211_scan_request *scan_req; /* protected by RTNL */
2003 +       struct sk_buff *scan_msg;
2004         struct cfg80211_sched_scan_request *sched_scan_req;
2005         unsigned long suspend_at;
2006         struct work_struct scan_done_wk;
2007 @@ -210,6 +211,7 @@ struct cfg80211_event {
2008                 } dc;
2009                 struct {
2010                         u8 bssid[ETH_ALEN];
2011 +                       struct ieee80211_channel *channel;
2012                 } ij;
2013         };
2014  };
2015 @@ -257,7 +259,8 @@ int __cfg80211_leave_ibss(struct cfg8021
2016                           struct net_device *dev, bool nowext);
2017  int cfg80211_leave_ibss(struct cfg80211_registered_device *rdev,
2018                         struct net_device *dev, bool nowext);
2019 -void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid);
2020 +void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid,
2021 +                           struct ieee80211_channel *channel);
2022  int cfg80211_ibss_wext_join(struct cfg80211_registered_device *rdev,
2023                             struct wireless_dev *wdev);
2024  
2025 @@ -361,7 +364,8 @@ int cfg80211_validate_key_settings(struc
2026                                    struct key_params *params, int key_idx,
2027                                    bool pairwise, const u8 *mac_addr);
2028  void __cfg80211_scan_done(struct work_struct *wk);
2029 -void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev);
2030 +void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev,
2031 +                          bool send_message);
2032  void __cfg80211_sched_scan_results(struct work_struct *wk);
2033  int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev,
2034                                bool driver_initiated);
2035 @@ -441,7 +445,8 @@ static inline unsigned int elapsed_jiffi
2036  void
2037  cfg80211_get_chan_state(struct wireless_dev *wdev,
2038                         struct ieee80211_channel **chan,
2039 -                       enum cfg80211_chan_mode *chanmode);
2040 +                       enum cfg80211_chan_mode *chanmode,
2041 +                       u8 *radar_detect);
2042  
2043  int cfg80211_set_monitor_channel(struct cfg80211_registered_device *rdev,
2044                                  struct cfg80211_chan_def *chandef);
2045 --- a/net/wireless/nl80211.c
2046 +++ b/net/wireless/nl80211.c
2047 @@ -1723,9 +1723,10 @@ static int nl80211_dump_wiphy(struct sk_
2048                                  * We can then retry with the larger buffer.
2049                                  */
2050                                 if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
2051 -                                   !skb->len &&
2052 +                                   !skb->len && !state->split &&
2053                                     cb->min_dump_alloc < 4096) {
2054                                         cb->min_dump_alloc = 4096;
2055 +                                       state->split_start = 0;
2056                                         rtnl_unlock();
2057                                         return 1;
2058                                 }
2059 @@ -2047,10 +2048,12 @@ static int nl80211_set_wiphy(struct sk_b
2060                 nla_for_each_nested(nl_txq_params,
2061                                     info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
2062                                     rem_txq_params) {
2063 -                       nla_parse(tb, NL80211_TXQ_ATTR_MAX,
2064 -                                 nla_data(nl_txq_params),
2065 -                                 nla_len(nl_txq_params),
2066 -                                 txq_params_policy);
2067 +                       result = nla_parse(tb, NL80211_TXQ_ATTR_MAX,
2068 +                                          nla_data(nl_txq_params),
2069 +                                          nla_len(nl_txq_params),
2070 +                                          txq_params_policy);
2071 +                       if (result)
2072 +                               goto bad_res;
2073                         result = parse_txq_params(tb, &txq_params);
2074                         if (result)
2075                                 goto bad_res;
2076 @@ -3289,7 +3292,7 @@ static int nl80211_start_ap(struct sk_bu
2077         if (!err) {
2078                 wdev->preset_chandef = params.chandef;
2079                 wdev->beacon_interval = params.beacon_interval;
2080 -               wdev->channel = params.chandef.chan;
2081 +               wdev->chandef = params.chandef;
2082                 wdev->ssid_len = params.ssid_len;
2083                 memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
2084         }
2085 @@ -5210,9 +5213,11 @@ static int nl80211_set_reg(struct sk_buf
2086  
2087         nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
2088                             rem_reg_rules) {
2089 -               nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
2090 -                         nla_data(nl_reg_rule), nla_len(nl_reg_rule),
2091 -                         reg_rule_policy);
2092 +               r = nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
2093 +                             nla_data(nl_reg_rule), nla_len(nl_reg_rule),
2094 +                             reg_rule_policy);
2095 +               if (r)
2096 +                       goto bad_reg;
2097                 r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
2098                 if (r)
2099                         goto bad_reg;
2100 @@ -5277,7 +5282,7 @@ static int nl80211_trigger_scan(struct s
2101         if (!rdev->ops->scan)
2102                 return -EOPNOTSUPP;
2103  
2104 -       if (rdev->scan_req) {
2105 +       if (rdev->scan_req || rdev->scan_msg) {
2106                 err = -EBUSY;
2107                 goto unlock;
2108         }
2109 @@ -5475,6 +5480,7 @@ static int nl80211_start_sched_scan(stru
2110         enum ieee80211_band band;
2111         size_t ie_len;
2112         struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
2113 +       s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
2114  
2115         if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
2116             !rdev->ops->sched_scan_start)
2117 @@ -5509,11 +5515,40 @@ static int nl80211_start_sched_scan(stru
2118         if (n_ssids > wiphy->max_sched_scan_ssids)
2119                 return -EINVAL;
2120  
2121 -       if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH])
2122 +       /*
2123 +        * First, count the number of 'real' matchsets. Due to an issue with
2124 +        * the old implementation, matchsets containing only the RSSI attribute
2125 +        * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
2126 +        * RSSI for all matchsets, rather than their own matchset for reporting
2127 +        * all APs with a strong RSSI. This is needed to be compatible with
2128 +        * older userspace that treated a matchset with only the RSSI as the
2129 +        * global RSSI for all other matchsets - if there are other matchsets.
2130 +        */
2131 +       if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
2132                 nla_for_each_nested(attr,
2133                                     info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
2134 -                                   tmp)
2135 -                       n_match_sets++;
2136 +                                   tmp) {
2137 +                       struct nlattr *rssi;
2138 +
2139 +                       err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
2140 +                                       nla_data(attr), nla_len(attr),
2141 +                                       nl80211_match_policy);
2142 +                       if (err)
2143 +                               return err;
2144 +                       /* add other standalone attributes here */
2145 +                       if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID]) {
2146 +                               n_match_sets++;
2147 +                               continue;
2148 +                       }
2149 +                       rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
2150 +                       if (rssi)
2151 +                               default_match_rssi = nla_get_s32(rssi);
2152 +               }
2153 +       }
2154 +
2155 +       /* However, if there's no other matchset, add the RSSI one */
2156 +       if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
2157 +               n_match_sets = 1;
2158  
2159         if (n_match_sets > wiphy->max_match_sets)
2160                 return -EINVAL;
2161 @@ -5634,11 +5669,22 @@ static int nl80211_start_sched_scan(stru
2162                                     tmp) {
2163                         struct nlattr *ssid, *rssi;
2164  
2165 -                       nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
2166 -                                 nla_data(attr), nla_len(attr),
2167 -                                 nl80211_match_policy);
2168 +                       err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
2169 +                                       nla_data(attr), nla_len(attr),
2170 +                                       nl80211_match_policy);
2171 +                       if (err)
2172 +                               goto out_free;
2173                         ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
2174                         if (ssid) {
2175 +                               if (WARN_ON(i >= n_match_sets)) {
2176 +                                       /* this indicates a programming error,
2177 +                                        * the loop above should have verified
2178 +                                        * things properly
2179 +                                        */
2180 +                                       err = -EINVAL;
2181 +                                       goto out_free;
2182 +                               }
2183 +
2184                                 if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
2185                                         err = -EINVAL;
2186                                         goto out_free;
2187 @@ -5647,15 +5693,28 @@ static int nl80211_start_sched_scan(stru
2188                                        nla_data(ssid), nla_len(ssid));
2189                                 request->match_sets[i].ssid.ssid_len =
2190                                         nla_len(ssid);
2191 +                               /* special attribute - old implemenation w/a */
2192 +                               request->match_sets[i].rssi_thold =
2193 +                                       default_match_rssi;
2194 +                               rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
2195 +                               if (rssi)
2196 +                                       request->match_sets[i].rssi_thold =
2197 +                                               nla_get_s32(rssi);
2198                         }
2199 -                       rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
2200 -                       if (rssi)
2201 -                               request->rssi_thold = nla_get_u32(rssi);
2202 -                       else
2203 -                               request->rssi_thold =
2204 -                                                  NL80211_SCAN_RSSI_THOLD_OFF;
2205                         i++;
2206                 }
2207 +
2208 +               /* there was no other matchset, so the RSSI one is alone */
2209 +               if (i == 0)
2210 +                       request->match_sets[0].rssi_thold = default_match_rssi;
2211 +
2212 +               request->min_rssi_thold = INT_MAX;
2213 +               for (i = 0; i < n_match_sets; i++)
2214 +                       request->min_rssi_thold =
2215 +                               min(request->match_sets[i].rssi_thold,
2216 +                                   request->min_rssi_thold);
2217 +       } else {
2218 +               request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
2219         }
2220  
2221         if (info->attrs[NL80211_ATTR_IE]) {
2222 @@ -5751,7 +5810,7 @@ static int nl80211_start_radar_detection
2223  
2224         err = rdev->ops->start_radar_detection(&rdev->wiphy, dev, &chandef);
2225         if (!err) {
2226 -               wdev->channel = chandef.chan;
2227 +               wdev->chandef = chandef;
2228                 wdev->cac_started = true;
2229                 wdev->cac_start_time = jiffies;
2230         }
2231 @@ -7502,16 +7561,19 @@ static int nl80211_set_tx_bitrate_mask(s
2232          * directly to the enum ieee80211_band values used in cfg80211.
2233          */
2234         BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
2235 -       nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem)
2236 -       {
2237 +       nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
2238                 enum ieee80211_band band = nla_type(tx_rates);
2239 +               int err;
2240 +
2241                 if (band < 0 || band >= IEEE80211_NUM_BANDS)
2242                         return -EINVAL;
2243                 sband = rdev->wiphy.bands[band];
2244                 if (sband == NULL)
2245                         return -EINVAL;
2246 -               nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates),
2247 -                         nla_len(tx_rates), nl80211_txattr_policy);
2248 +               err = nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates),
2249 +                               nla_len(tx_rates), nl80211_txattr_policy);
2250 +               if (err)
2251 +                       return err;
2252                 if (tb[NL80211_TXRATE_LEGACY]) {
2253                         mask.control[band].legacy = rateset_to_mask(
2254                                 sband,
2255 @@ -10054,40 +10116,31 @@ void nl80211_send_scan_start(struct cfg8
2256                                 NL80211_MCGRP_SCAN, GFP_KERNEL);
2257  }
2258  
2259 -void nl80211_send_scan_done(struct cfg80211_registered_device *rdev,
2260 -                           struct wireless_dev *wdev)
2261 +struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
2262 +                                      struct wireless_dev *wdev, bool aborted)
2263  {
2264         struct sk_buff *msg;
2265  
2266         msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2267         if (!msg)
2268 -               return;
2269 +               return NULL;
2270  
2271         if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
2272 -                                 NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
2273 +                                 aborted ? NL80211_CMD_SCAN_ABORTED :
2274 +                                           NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
2275                 nlmsg_free(msg);
2276 -               return;
2277 +               return NULL;
2278         }
2279  
2280 -       genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
2281 -                               NL80211_MCGRP_SCAN, GFP_KERNEL);
2282 +       return msg;
2283  }
2284  
2285 -void nl80211_send_scan_aborted(struct cfg80211_registered_device *rdev,
2286 -                              struct wireless_dev *wdev)
2287 +void nl80211_send_scan_result(struct cfg80211_registered_device *rdev,
2288 +                             struct sk_buff *msg)
2289  {
2290 -       struct sk_buff *msg;
2291 -
2292 -       msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2293         if (!msg)
2294                 return;
2295  
2296 -       if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
2297 -                                 NL80211_CMD_SCAN_ABORTED) < 0) {
2298 -               nlmsg_free(msg);
2299 -               return;
2300 -       }
2301 -
2302         genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
2303                                 NL80211_MCGRP_SCAN, GFP_KERNEL);
2304  }
2305 @@ -11158,7 +11211,8 @@ void cfg80211_ch_switch_notify(struct ne
2306                     wdev->iftype != NL80211_IFTYPE_MESH_POINT))
2307                 return;
2308  
2309 -       wdev->channel = chandef->chan;
2310 +       wdev->chandef = *chandef;
2311 +       wdev->preset_chandef = *chandef;
2312         nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL);
2313  }
2314  EXPORT_SYMBOL(cfg80211_ch_switch_notify);
2315 @@ -11673,6 +11727,35 @@ void cfg80211_crit_proto_stopped(struct 
2316  }
2317  EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
2318  
2319 +void nl80211_send_ap_stopped(struct wireless_dev *wdev)
2320 +{
2321 +       struct wiphy *wiphy = wdev->wiphy;
2322 +       struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
2323 +       struct sk_buff *msg;
2324 +       void *hdr;
2325 +
2326 +       msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2327 +       if (!msg)
2328 +               return;
2329 +
2330 +       hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
2331 +       if (!hdr)
2332 +               goto out;
2333 +
2334 +       if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2335 +           nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
2336 +           nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
2337 +               goto out;
2338 +
2339 +       genlmsg_end(msg, hdr);
2340 +
2341 +       genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
2342 +                               NL80211_MCGRP_MLME, GFP_KERNEL);
2343 +       return;
2344 + out:
2345 +       nlmsg_free(msg);
2346 +}
2347 +
2348  /* initialisation/exit functions */
2349  
2350  int nl80211_init(void)
2351 --- a/net/wireless/nl80211.h
2352 +++ b/net/wireless/nl80211.h
2353 @@ -8,10 +8,10 @@ void nl80211_exit(void);
2354  void nl80211_notify_dev_rename(struct cfg80211_registered_device *rdev);
2355  void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
2356                              struct wireless_dev *wdev);
2357 -void nl80211_send_scan_done(struct cfg80211_registered_device *rdev,
2358 -                           struct wireless_dev *wdev);
2359 -void nl80211_send_scan_aborted(struct cfg80211_registered_device *rdev,
2360 -                              struct wireless_dev *wdev);
2361 +struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
2362 +                                      struct wireless_dev *wdev, bool aborted);
2363 +void nl80211_send_scan_result(struct cfg80211_registered_device *rdev,
2364 +                             struct sk_buff *msg);
2365  void nl80211_send_sched_scan(struct cfg80211_registered_device *rdev,
2366                              struct net_device *netdev, u32 cmd);
2367  void nl80211_send_sched_scan_results(struct cfg80211_registered_device *rdev,
2368 @@ -74,6 +74,8 @@ nl80211_radar_notify(struct cfg80211_reg
2369                      enum nl80211_radar_event event,
2370                      struct net_device *netdev, gfp_t gfp);
2371  
2372 +void nl80211_send_ap_stopped(struct wireless_dev *wdev);
2373 +
2374  void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev);
2375  
2376  #endif /* __NET_WIRELESS_NL80211_H */
2377 --- a/net/wireless/scan.c
2378 +++ b/net/wireless/scan.c
2379 @@ -161,18 +161,25 @@ static void __cfg80211_bss_expire(struct
2380                 dev->bss_generation++;
2381  }
2382  
2383 -void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev)
2384 +void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev,
2385 +                          bool send_message)
2386  {
2387         struct cfg80211_scan_request *request;
2388         struct wireless_dev *wdev;
2389 +       struct sk_buff *msg;
2390  #ifdef CPTCFG_CFG80211_WEXT
2391         union iwreq_data wrqu;
2392  #endif
2393  
2394         ASSERT_RTNL();
2395  
2396 -       request = rdev->scan_req;
2397 +       if (rdev->scan_msg) {
2398 +               nl80211_send_scan_result(rdev, rdev->scan_msg);
2399 +               rdev->scan_msg = NULL;
2400 +               return;
2401 +       }
2402  
2403 +       request = rdev->scan_req;
2404         if (!request)
2405                 return;
2406  
2407 @@ -186,18 +193,16 @@ void ___cfg80211_scan_done(struct cfg802
2408         if (wdev->netdev)
2409                 cfg80211_sme_scan_done(wdev->netdev);
2410  
2411 -       if (request->aborted) {
2412 -               nl80211_send_scan_aborted(rdev, wdev);
2413 -       } else {
2414 -               if (request->flags & NL80211_SCAN_FLAG_FLUSH) {
2415 -                       /* flush entries from previous scans */
2416 -                       spin_lock_bh(&rdev->bss_lock);
2417 -                       __cfg80211_bss_expire(rdev, request->scan_start);
2418 -                       spin_unlock_bh(&rdev->bss_lock);
2419 -               }
2420 -               nl80211_send_scan_done(rdev, wdev);
2421 +       if (!request->aborted &&
2422 +           request->flags & NL80211_SCAN_FLAG_FLUSH) {
2423 +               /* flush entries from previous scans */
2424 +               spin_lock_bh(&rdev->bss_lock);
2425 +               __cfg80211_bss_expire(rdev, request->scan_start);
2426 +               spin_unlock_bh(&rdev->bss_lock);
2427         }
2428  
2429 +       msg = nl80211_build_scan_msg(rdev, wdev, request->aborted);
2430 +
2431  #ifdef CPTCFG_CFG80211_WEXT
2432         if (wdev->netdev && !request->aborted) {
2433                 memset(&wrqu, 0, sizeof(wrqu));
2434 @@ -211,6 +216,11 @@ void ___cfg80211_scan_done(struct cfg802
2435  
2436         rdev->scan_req = NULL;
2437         kfree(request);
2438 +
2439 +       if (!send_message)
2440 +               rdev->scan_msg = msg;
2441 +       else
2442 +               nl80211_send_scan_result(rdev, msg);
2443  }
2444  
2445  void __cfg80211_scan_done(struct work_struct *wk)
2446 @@ -221,7 +231,7 @@ void __cfg80211_scan_done(struct work_st
2447                             scan_done_wk);
2448  
2449         rtnl_lock();
2450 -       ___cfg80211_scan_done(rdev);
2451 +       ___cfg80211_scan_done(rdev, true);
2452         rtnl_unlock();
2453  }
2454  
2455 @@ -1079,7 +1089,7 @@ int cfg80211_wext_siwscan(struct net_dev
2456         if (IS_ERR(rdev))
2457                 return PTR_ERR(rdev);
2458  
2459 -       if (rdev->scan_req) {
2460 +       if (rdev->scan_req || rdev->scan_msg) {
2461                 err = -EBUSY;
2462                 goto out;
2463         }
2464 @@ -1481,7 +1491,7 @@ int cfg80211_wext_giwscan(struct net_dev
2465         if (IS_ERR(rdev))
2466                 return PTR_ERR(rdev);
2467  
2468 -       if (rdev->scan_req)
2469 +       if (rdev->scan_req || rdev->scan_msg)
2470                 return -EAGAIN;
2471  
2472         res = ieee80211_scan_results(rdev, info, extra, data->length);
2473 --- a/net/wireless/sme.c
2474 +++ b/net/wireless/sme.c
2475 @@ -67,7 +67,7 @@ static int cfg80211_conn_scan(struct wir
2476         ASSERT_RDEV_LOCK(rdev);
2477         ASSERT_WDEV_LOCK(wdev);
2478  
2479 -       if (rdev->scan_req)
2480 +       if (rdev->scan_req || rdev->scan_msg)
2481                 return -EBUSY;
2482  
2483         if (wdev->conn->params.channel)
2484 --- a/net/mac80211/mlme.c
2485 +++ b/net/mac80211/mlme.c
2486 @@ -1001,7 +1001,6 @@ ieee80211_sta_process_chanswitch(struct 
2487         }
2488  
2489         ifmgd->flags |= IEEE80211_STA_CSA_RECEIVED;
2490 -       sdata->vif.csa_active = true;
2491  
2492         mutex_lock(&local->chanctx_mtx);
2493         if (local->use_chanctx) {
2494 @@ -1039,6 +1038,7 @@ ieee80211_sta_process_chanswitch(struct 
2495         mutex_unlock(&local->chanctx_mtx);
2496  
2497         sdata->csa_chandef = csa_ie.chandef;
2498 +       sdata->vif.csa_active = true;
2499  
2500         if (csa_ie.mode)
2501                 ieee80211_stop_queues_by_reason(&local->hw,
2502 --- a/net/mac80211/chan.c
2503 +++ b/net/mac80211/chan.c
2504 @@ -196,6 +196,8 @@ static bool ieee80211_is_radar_required(
2505  {
2506         struct ieee80211_sub_if_data *sdata;
2507  
2508 +       lockdep_assert_held(&local->mtx);
2509 +
2510         rcu_read_lock();
2511         list_for_each_entry_rcu(sdata, &local->interfaces, list) {
2512                 if (sdata->radar_required) {
2513 --- a/net/mac80211/ibss.c
2514 +++ b/net/mac80211/ibss.c
2515 @@ -294,7 +294,6 @@ static void __ieee80211_sta_join_ibss(st
2516         }
2517  
2518         mutex_lock(&local->mtx);
2519 -       ieee80211_vif_release_channel(sdata);
2520         if (ieee80211_vif_use_channel(sdata, &chandef,
2521                                       ifibss->fixed_channel ?
2522                                         IEEE80211_CHANCTX_SHARED :
2523 @@ -303,6 +302,7 @@ static void __ieee80211_sta_join_ibss(st
2524                 mutex_unlock(&local->mtx);
2525                 return;
2526         }
2527 +       sdata->radar_required = radar_required;
2528         mutex_unlock(&local->mtx);
2529  
2530         memcpy(ifibss->bssid, bssid, ETH_ALEN);
2531 @@ -318,7 +318,6 @@ static void __ieee80211_sta_join_ibss(st
2532         rcu_assign_pointer(ifibss->presp, presp);
2533         mgmt = (void *)presp->head;
2534  
2535 -       sdata->radar_required = radar_required;
2536         sdata->vif.bss_conf.enable_beacon = true;
2537         sdata->vif.bss_conf.beacon_int = beacon_int;
2538         sdata->vif.bss_conf.basic_rates = basic_rates;
2539 @@ -386,7 +385,7 @@ static void __ieee80211_sta_join_ibss(st
2540                                               presp->head_len, 0, GFP_KERNEL);
2541         cfg80211_put_bss(local->hw.wiphy, bss);
2542         netif_carrier_on(sdata->dev);
2543 -       cfg80211_ibss_joined(sdata->dev, ifibss->bssid, GFP_KERNEL);
2544 +       cfg80211_ibss_joined(sdata->dev, ifibss->bssid, chan, GFP_KERNEL);
2545  }
2546  
2547  static void ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
2548 @@ -802,6 +801,8 @@ ieee80211_ibss_process_chanswitch(struct
2549         int err;
2550         u32 sta_flags;
2551  
2552 +       sdata_assert_lock(sdata);
2553 +
2554         sta_flags = IEEE80211_STA_DISABLE_VHT;
2555         switch (ifibss->chandef.width) {
2556         case NL80211_CHAN_WIDTH_5:
2557 @@ -1471,6 +1472,11 @@ static void ieee80211_rx_mgmt_probe_req(
2558         memcpy(((struct ieee80211_mgmt *) skb->data)->da, mgmt->sa, ETH_ALEN);
2559         ibss_dbg(sdata, "Sending ProbeResp to %pM\n", mgmt->sa);
2560         IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
2561 +
2562 +       /* avoid excessive retries for probe request to wildcard SSIDs */
2563 +       if (pos[1] == 0)
2564 +               IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_NO_ACK;
2565 +
2566         ieee80211_tx_skb(sdata, skb);
2567  }
2568  
2569 --- a/net/mac80211/mesh.c
2570 +++ b/net/mac80211/mesh.c
2571 @@ -872,6 +872,8 @@ ieee80211_mesh_process_chnswitch(struct 
2572         if (!ifmsh->mesh_id)
2573                 return false;
2574  
2575 +       sdata_assert_lock(sdata);
2576 +
2577         sta_flags = IEEE80211_STA_DISABLE_VHT;
2578         switch (sdata->vif.bss_conf.chandef.width) {
2579         case NL80211_CHAN_WIDTH_20_NOHT:
2580 --- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
2581 +++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
2582 @@ -4658,6 +4658,7 @@ brcmf_notify_connect_status(struct brcmf
2583         struct brcmf_cfg80211_info *cfg = ifp->drvr->config;
2584         struct net_device *ndev = ifp->ndev;
2585         struct brcmf_cfg80211_profile *profile = &ifp->vif->profile;
2586 +       struct ieee80211_channel *chan;
2587         s32 err = 0;
2588  
2589         if (ifp->vif->mode == WL_MODE_AP) {
2590 @@ -4665,9 +4666,10 @@ brcmf_notify_connect_status(struct brcmf
2591         } else if (brcmf_is_linkup(e)) {
2592                 brcmf_dbg(CONN, "Linkup\n");
2593                 if (brcmf_is_ibssmode(ifp->vif)) {
2594 +                       chan = ieee80211_get_channel(cfg->wiphy, cfg->channel);
2595                         memcpy(profile->bssid, e->addr, ETH_ALEN);
2596                         wl_inform_ibss(cfg, ndev, e->addr);
2597 -                       cfg80211_ibss_joined(ndev, e->addr, GFP_KERNEL);
2598 +                       cfg80211_ibss_joined(ndev, e->addr, chan, GFP_KERNEL);
2599                         clear_bit(BRCMF_VIF_STATUS_CONNECTING,
2600                                   &ifp->vif->sme_state);
2601                         set_bit(BRCMF_VIF_STATUS_CONNECTED,
2602 --- a/drivers/net/wireless/libertas/cfg.c
2603 +++ b/drivers/net/wireless/libertas/cfg.c
2604 @@ -1766,7 +1766,8 @@ static void lbs_join_post(struct lbs_pri
2605         memcpy(priv->wdev->ssid, params->ssid, params->ssid_len);
2606         priv->wdev->ssid_len = params->ssid_len;
2607  
2608 -       cfg80211_ibss_joined(priv->dev, bssid, GFP_KERNEL);
2609 +       cfg80211_ibss_joined(priv->dev, bssid, params->chandef.chan,
2610 +                            GFP_KERNEL);
2611  
2612         /* TODO: consider doing this at MACREG_INT_CODE_LINK_SENSED time */
2613         priv->connect_status = LBS_CONNECTED;
2614 --- a/drivers/net/wireless/mwifiex/cfg80211.c
2615 +++ b/drivers/net/wireless/mwifiex/cfg80211.c
2616 @@ -1881,7 +1881,8 @@ mwifiex_cfg80211_join_ibss(struct wiphy 
2617                                      params->privacy);
2618  done:
2619         if (!ret) {
2620 -               cfg80211_ibss_joined(priv->netdev, priv->cfg_bssid, GFP_KERNEL);
2621 +               cfg80211_ibss_joined(priv->netdev, priv->cfg_bssid,
2622 +                                    params->chandef.chan, GFP_KERNEL);
2623                 dev_dbg(priv->adapter->dev,
2624                         "info: joined/created adhoc network with bssid"
2625                         " %pM successfully\n", priv->cfg_bssid);
2626 --- a/drivers/net/wireless/rndis_wlan.c
2627 +++ b/drivers/net/wireless/rndis_wlan.c
2628 @@ -2835,7 +2835,9 @@ static void rndis_wlan_do_link_up_work(s
2629                                         bssid, req_ie, req_ie_len,
2630                                         resp_ie, resp_ie_len, GFP_KERNEL);
2631         } else if (priv->infra_mode == NDIS_80211_INFRA_ADHOC)
2632 -               cfg80211_ibss_joined(usbdev->net, bssid, GFP_KERNEL);
2633 +               cfg80211_ibss_joined(usbdev->net, bssid,
2634 +                                    get_current_channel(usbdev, NULL),
2635 +                                    GFP_KERNEL);
2636  
2637         kfree(info);
2638  
2639 --- a/net/wireless/ibss.c
2640 +++ b/net/wireless/ibss.c
2641 @@ -14,7 +14,8 @@
2642  #include "rdev-ops.h"
2643  
2644  
2645 -void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid)
2646 +void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid,
2647 +                           struct ieee80211_channel *channel)
2648  {
2649         struct wireless_dev *wdev = dev->ieee80211_ptr;
2650         struct cfg80211_bss *bss;
2651 @@ -28,8 +29,7 @@ void __cfg80211_ibss_joined(struct net_d
2652         if (!wdev->ssid_len)
2653                 return;
2654  
2655 -       bss = cfg80211_get_bss(wdev->wiphy, NULL, bssid,
2656 -                              wdev->ssid, wdev->ssid_len,
2657 +       bss = cfg80211_get_bss(wdev->wiphy, channel, bssid, NULL, 0,
2658                                WLAN_CAPABILITY_IBSS, WLAN_CAPABILITY_IBSS);
2659  
2660         if (WARN_ON(!bss))
2661 @@ -54,21 +54,26 @@ void __cfg80211_ibss_joined(struct net_d
2662  #endif
2663  }
2664  
2665 -void cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid, gfp_t gfp)
2666 +void cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid,
2667 +                         struct ieee80211_channel *channel, gfp_t gfp)
2668  {
2669         struct wireless_dev *wdev = dev->ieee80211_ptr;
2670         struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
2671         struct cfg80211_event *ev;
2672         unsigned long flags;
2673  
2674 -       trace_cfg80211_ibss_joined(dev, bssid);
2675 +       trace_cfg80211_ibss_joined(dev, bssid, channel);
2676 +
2677 +       if (WARN_ON(!channel))
2678 +               return;
2679  
2680         ev = kzalloc(sizeof(*ev), gfp);
2681         if (!ev)
2682                 return;
2683  
2684         ev->type = EVENT_IBSS_JOINED;
2685 -       memcpy(ev->cr.bssid, bssid, ETH_ALEN);
2686 +       memcpy(ev->ij.bssid, bssid, ETH_ALEN);
2687 +       ev->ij.channel = channel;
2688  
2689         spin_lock_irqsave(&wdev->event_lock, flags);
2690         list_add_tail(&ev->list, &wdev->event_list);
2691 @@ -117,6 +122,7 @@ int __cfg80211_join_ibss(struct cfg80211
2692  
2693         wdev->ibss_fixed = params->channel_fixed;
2694         wdev->ibss_dfs_possible = params->userspace_handles_dfs;
2695 +       wdev->chandef = params->chandef;
2696  #ifdef CPTCFG_CFG80211_WEXT
2697         wdev->wext.ibss.chandef = params->chandef;
2698  #endif
2699 @@ -200,6 +206,7 @@ static void __cfg80211_clear_ibss(struct
2700  
2701         wdev->current_bss = NULL;
2702         wdev->ssid_len = 0;
2703 +       memset(&wdev->chandef, 0, sizeof(wdev->chandef));
2704  #ifdef CPTCFG_CFG80211_WEXT
2705         if (!nowext)
2706                 wdev->wext.ibss.ssid_len = 0;
2707 --- a/net/wireless/trace.h
2708 +++ b/net/wireless/trace.h
2709 @@ -2278,11 +2278,6 @@ DECLARE_EVENT_CLASS(cfg80211_rx_evt,
2710         TP_printk(NETDEV_PR_FMT ", " MAC_PR_FMT, NETDEV_PR_ARG, MAC_PR_ARG(addr))
2711  );
2712  
2713 -DEFINE_EVENT(cfg80211_rx_evt, cfg80211_ibss_joined,
2714 -       TP_PROTO(struct net_device *netdev, const u8 *addr),
2715 -       TP_ARGS(netdev, addr)
2716 -);
2717 -
2718  DEFINE_EVENT(cfg80211_rx_evt, cfg80211_rx_spurious_frame,
2719         TP_PROTO(struct net_device *netdev, const u8 *addr),
2720         TP_ARGS(netdev, addr)
2721 @@ -2293,6 +2288,24 @@ DEFINE_EVENT(cfg80211_rx_evt, cfg80211_r
2722         TP_ARGS(netdev, addr)
2723  );
2724  
2725 +TRACE_EVENT(cfg80211_ibss_joined,
2726 +       TP_PROTO(struct net_device *netdev, const u8 *bssid,
2727 +                struct ieee80211_channel *channel),
2728 +       TP_ARGS(netdev, bssid, channel),
2729 +       TP_STRUCT__entry(
2730 +               NETDEV_ENTRY
2731 +               MAC_ENTRY(bssid)
2732 +               CHAN_ENTRY
2733 +       ),
2734 +       TP_fast_assign(
2735 +               NETDEV_ASSIGN;
2736 +               MAC_ASSIGN(bssid, bssid);
2737 +               CHAN_ASSIGN(channel);
2738 +       ),
2739 +       TP_printk(NETDEV_PR_FMT ", bssid: " MAC_PR_FMT ", " CHAN_PR_FMT,
2740 +                 NETDEV_PR_ARG, MAC_PR_ARG(bssid), CHAN_PR_ARG)
2741 +);
2742 +
2743  TRACE_EVENT(cfg80211_probe_status,
2744         TP_PROTO(struct net_device *netdev, const u8 *addr, u64 cookie,
2745                  bool acked),
2746 --- a/net/wireless/util.c
2747 +++ b/net/wireless/util.c
2748 @@ -820,7 +820,8 @@ void cfg80211_process_wdev_events(struct
2749                                                 ev->dc.reason, true);
2750                         break;
2751                 case EVENT_IBSS_JOINED:
2752 -                       __cfg80211_ibss_joined(wdev->netdev, ev->ij.bssid);
2753 +                       __cfg80211_ibss_joined(wdev->netdev, ev->ij.bssid,
2754 +                                              ev->ij.channel);
2755                         break;
2756                 }
2757                 wdev_unlock(wdev);
2758 @@ -1356,7 +1357,7 @@ int cfg80211_can_use_iftype_chan(struct 
2759                  */
2760                 mutex_lock_nested(&wdev_iter->mtx, 1);
2761                 __acquire(wdev_iter->mtx);
2762 -               cfg80211_get_chan_state(wdev_iter, &ch, &chmode);
2763 +               cfg80211_get_chan_state(wdev_iter, &ch, &chmode, &radar_detect);
2764                 wdev_unlock(wdev_iter);
2765  
2766                 switch (chmode) {
2767 --- a/net/wireless/chan.c
2768 +++ b/net/wireless/chan.c
2769 @@ -642,7 +642,8 @@ int cfg80211_set_monitor_channel(struct 
2770  void
2771  cfg80211_get_chan_state(struct wireless_dev *wdev,
2772                         struct ieee80211_channel **chan,
2773 -                       enum cfg80211_chan_mode *chanmode)
2774 +                       enum cfg80211_chan_mode *chanmode,
2775 +                       u8 *radar_detect)
2776  {
2777         *chan = NULL;
2778         *chanmode = CHAN_MODE_UNDEFINED;
2779 @@ -660,6 +661,11 @@ cfg80211_get_chan_state(struct wireless_
2780                                      !wdev->ibss_dfs_possible)
2781                                   ? CHAN_MODE_SHARED
2782                                   : CHAN_MODE_EXCLUSIVE;
2783 +
2784 +                       /* consider worst-case - IBSS can try to return to the
2785 +                        * original user-specified channel as creator */
2786 +                       if (wdev->ibss_dfs_possible)
2787 +                               *radar_detect |= BIT(wdev->chandef.width);
2788                         return;
2789                 }
2790                 break;
2791 @@ -674,17 +680,26 @@ cfg80211_get_chan_state(struct wireless_
2792         case NL80211_IFTYPE_AP:
2793         case NL80211_IFTYPE_P2P_GO:
2794                 if (wdev->cac_started) {
2795 -                       *chan = wdev->channel;
2796 +                       *chan = wdev->chandef.chan;
2797                         *chanmode = CHAN_MODE_SHARED;
2798 +                       *radar_detect |= BIT(wdev->chandef.width);
2799                 } else if (wdev->beacon_interval) {
2800 -                       *chan = wdev->channel;
2801 +                       *chan = wdev->chandef.chan;
2802                         *chanmode = CHAN_MODE_SHARED;
2803 +
2804 +                       if (cfg80211_chandef_dfs_required(wdev->wiphy,
2805 +                                                         &wdev->chandef))
2806 +                               *radar_detect |= BIT(wdev->chandef.width);
2807                 }
2808                 return;
2809         case NL80211_IFTYPE_MESH_POINT:
2810                 if (wdev->mesh_id_len) {
2811 -                       *chan = wdev->channel;
2812 +                       *chan = wdev->chandef.chan;
2813                         *chanmode = CHAN_MODE_SHARED;
2814 +
2815 +                       if (cfg80211_chandef_dfs_required(wdev->wiphy,
2816 +                                                         &wdev->chandef))
2817 +                               *radar_detect |= BIT(wdev->chandef.width);
2818                 }
2819                 return;
2820         case NL80211_IFTYPE_MONITOR:
2821 --- a/net/wireless/mesh.c
2822 +++ b/net/wireless/mesh.c
2823 @@ -195,7 +195,7 @@ int __cfg80211_join_mesh(struct cfg80211
2824         if (!err) {
2825                 memcpy(wdev->ssid, setup->mesh_id, setup->mesh_id_len);
2826                 wdev->mesh_id_len = setup->mesh_id_len;
2827 -               wdev->channel = setup->chandef.chan;
2828 +               wdev->chandef = setup->chandef;
2829         }
2830  
2831         return err;
2832 @@ -244,7 +244,7 @@ int cfg80211_set_mesh_channel(struct cfg
2833                 err = rdev_libertas_set_mesh_channel(rdev, wdev->netdev,
2834                                                      chandef->chan);
2835                 if (!err)
2836 -                       wdev->channel = chandef->chan;
2837 +                       wdev->chandef = *chandef;
2838  
2839                 return err;
2840         }
2841 @@ -276,7 +276,7 @@ static int __cfg80211_leave_mesh(struct 
2842         err = rdev_leave_mesh(rdev, dev);
2843         if (!err) {
2844                 wdev->mesh_id_len = 0;
2845 -               wdev->channel = NULL;
2846 +               memset(&wdev->chandef, 0, sizeof(wdev->chandef));
2847                 rdev_set_qos_map(rdev, dev, NULL);
2848         }
2849  
2850 --- a/net/wireless/mlme.c
2851 +++ b/net/wireless/mlme.c
2852 @@ -772,7 +772,7 @@ void cfg80211_cac_event(struct net_devic
2853         if (WARN_ON(!wdev->cac_started))
2854                 return;
2855  
2856 -       if (WARN_ON(!wdev->channel))
2857 +       if (WARN_ON(!wdev->chandef.chan))
2858                 return;
2859  
2860         switch (event) {
2861 --- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
2862 +++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
2863 @@ -5065,6 +5065,10 @@ static u16 ar9003_hw_get_max_edge_power(
2864                         break;
2865                 }
2866         }
2867 +
2868 +       if (is2GHz && !twiceMaxEdgePower)
2869 +               twiceMaxEdgePower = 60;
2870 +
2871         return twiceMaxEdgePower;
2872  }
2873  
2874 --- a/drivers/net/wireless/ath/ath9k/ar9003_calib.c
2875 +++ b/drivers/net/wireless/ath/ath9k/ar9003_calib.c
2876 @@ -23,10 +23,11 @@
2877  #define MAX_MEASUREMENT        MAX_IQCAL_MEASUREMENT
2878  #define MAX_MAG_DELTA  11
2879  #define MAX_PHS_DELTA  10
2880 +#define MAXIQCAL        3
2881  
2882  struct coeff {
2883 -       int mag_coeff[AR9300_MAX_CHAINS][MAX_MEASUREMENT];
2884 -       int phs_coeff[AR9300_MAX_CHAINS][MAX_MEASUREMENT];
2885 +       int mag_coeff[AR9300_MAX_CHAINS][MAX_MEASUREMENT][MAXIQCAL];
2886 +       int phs_coeff[AR9300_MAX_CHAINS][MAX_MEASUREMENT][MAXIQCAL];
2887         int iqc_coeff[2];
2888  };
2889  
2890 @@ -800,7 +801,7 @@ static bool ar9003_hw_calc_iq_corr(struc
2891         if (q_q_coff > 63)
2892                 q_q_coff = 63;
2893  
2894 -       iqc_coeff[0] = (q_q_coff * 128) + q_i_coff;
2895 +       iqc_coeff[0] = (q_q_coff * 128) + (0x7f & q_i_coff);
2896  
2897         ath_dbg(common, CALIBRATE, "tx chain %d: iq corr coeff=%x\n",
2898                 chain_idx, iqc_coeff[0]);
2899 @@ -831,7 +832,7 @@ static bool ar9003_hw_calc_iq_corr(struc
2900         if (q_q_coff > 63)
2901                 q_q_coff = 63;
2902  
2903 -       iqc_coeff[1] = (q_q_coff * 128) + q_i_coff;
2904 +       iqc_coeff[1] = (q_q_coff * 128) + (0x7f & q_i_coff);
2905  
2906         ath_dbg(common, CALIBRATE, "rx chain %d: iq corr coeff=%x\n",
2907                 chain_idx, iqc_coeff[1]);
2908 @@ -839,7 +840,8 @@ static bool ar9003_hw_calc_iq_corr(struc
2909         return true;
2910  }
2911  
2912 -static void ar9003_hw_detect_outlier(int *mp_coeff, int nmeasurement,
2913 +static void ar9003_hw_detect_outlier(int mp_coeff[][MAXIQCAL],
2914 +                                    int nmeasurement,
2915                                      int max_delta)
2916  {
2917         int mp_max = -64, max_idx = 0;
2918 @@ -848,20 +850,20 @@ static void ar9003_hw_detect_outlier(int
2919  
2920         /* find min/max mismatch across all calibrated gains */
2921         for (i = 0; i < nmeasurement; i++) {
2922 -               if (mp_coeff[i] > mp_max) {
2923 -                       mp_max = mp_coeff[i];
2924 +               if (mp_coeff[i][0] > mp_max) {
2925 +                       mp_max = mp_coeff[i][0];
2926                         max_idx = i;
2927 -               } else if (mp_coeff[i] < mp_min) {
2928 -                       mp_min = mp_coeff[i];
2929 +               } else if (mp_coeff[i][0] < mp_min) {
2930 +                       mp_min = mp_coeff[i][0];
2931                         min_idx = i;
2932                 }
2933         }
2934  
2935         /* find average (exclude max abs value) */
2936         for (i = 0; i < nmeasurement; i++) {
2937 -               if ((abs(mp_coeff[i]) < abs(mp_max)) ||
2938 -                   (abs(mp_coeff[i]) < abs(mp_min))) {
2939 -                       mp_avg += mp_coeff[i];
2940 +               if ((abs(mp_coeff[i][0]) < abs(mp_max)) ||
2941 +                   (abs(mp_coeff[i][0]) < abs(mp_min))) {
2942 +                       mp_avg += mp_coeff[i][0];
2943                         mp_count++;
2944                 }
2945         }
2946 @@ -873,7 +875,7 @@ static void ar9003_hw_detect_outlier(int
2947         if (mp_count)
2948                 mp_avg /= mp_count;
2949         else
2950 -               mp_avg = mp_coeff[nmeasurement - 1];
2951 +               mp_avg = mp_coeff[nmeasurement - 1][0];
2952  
2953         /* detect outlier */
2954         if (abs(mp_max - mp_min) > max_delta) {
2955 @@ -882,15 +884,16 @@ static void ar9003_hw_detect_outlier(int
2956                 else
2957                         outlier_idx = min_idx;
2958  
2959 -               mp_coeff[outlier_idx] = mp_avg;
2960 +               mp_coeff[outlier_idx][0] = mp_avg;
2961         }
2962  }
2963  
2964 -static void ar9003_hw_tx_iqcal_load_avg_2_passes(struct ath_hw *ah,
2965 -                                                struct coeff *coeff,
2966 -                                                bool is_reusable)
2967 +static void ar9003_hw_tx_iq_cal_outlier_detection(struct ath_hw *ah,
2968 +                                                 struct coeff *coeff,
2969 +                                                 bool is_reusable)
2970  {
2971         int i, im, nmeasurement;
2972 +       int magnitude, phase;
2973         u32 tx_corr_coeff[MAX_MEASUREMENT][AR9300_MAX_CHAINS];
2974         struct ath9k_hw_cal_data *caldata = ah->caldata;
2975  
2976 @@ -920,21 +923,30 @@ static void ar9003_hw_tx_iqcal_load_avg_
2977                 if (nmeasurement > MAX_MEASUREMENT)
2978                         nmeasurement = MAX_MEASUREMENT;
2979  
2980 -               /* detect outlier only if nmeasurement > 1 */
2981 -               if (nmeasurement > 1) {
2982 -                       /* Detect magnitude outlier */
2983 -                       ar9003_hw_detect_outlier(coeff->mag_coeff[i],
2984 -                                       nmeasurement, MAX_MAG_DELTA);
2985 -
2986 -                       /* Detect phase outlier */
2987 -                       ar9003_hw_detect_outlier(coeff->phs_coeff[i],
2988 -                                       nmeasurement, MAX_PHS_DELTA);
2989 +               /*
2990 +                * Skip normal outlier detection for AR9550.
2991 +                */
2992 +               if (!AR_SREV_9550(ah)) {
2993 +                       /* detect outlier only if nmeasurement > 1 */
2994 +                       if (nmeasurement > 1) {
2995 +                               /* Detect magnitude outlier */
2996 +                               ar9003_hw_detect_outlier(coeff->mag_coeff[i],
2997 +                                                        nmeasurement,
2998 +                                                        MAX_MAG_DELTA);
2999 +
3000 +                               /* Detect phase outlier */
3001 +                               ar9003_hw_detect_outlier(coeff->phs_coeff[i],
3002 +                                                        nmeasurement,
3003 +                                                        MAX_PHS_DELTA);
3004 +                       }
3005                 }
3006  
3007                 for (im = 0; im < nmeasurement; im++) {
3008 +                       magnitude = coeff->mag_coeff[i][im][0];
3009 +                       phase = coeff->phs_coeff[i][im][0];
3010  
3011 -                       coeff->iqc_coeff[0] = (coeff->mag_coeff[i][im] & 0x7f) |
3012 -                               ((coeff->phs_coeff[i][im] & 0x7f) << 7);
3013 +                       coeff->iqc_coeff[0] =
3014 +                               (phase & 0x7f) | ((magnitude & 0x7f) << 7);
3015  
3016                         if ((im % 2) == 0)
3017                                 REG_RMW_FIELD(ah, tx_corr_coeff[im][i],
3018 @@ -991,7 +1003,63 @@ static bool ar9003_hw_tx_iq_cal_run(stru
3019         return true;
3020  }
3021  
3022 -static void ar9003_hw_tx_iq_cal_post_proc(struct ath_hw *ah, bool is_reusable)
3023 +static void __ar955x_tx_iq_cal_sort(struct ath_hw *ah,
3024 +                                   struct coeff *coeff,
3025 +                                   int i, int nmeasurement)
3026 +{
3027 +       struct ath_common *common = ath9k_hw_common(ah);
3028 +       int im, ix, iy, temp;
3029 +
3030 +       for (im = 0; im < nmeasurement; im++) {
3031 +               for (ix = 0; ix < MAXIQCAL - 1; ix++) {
3032 +                       for (iy = ix + 1; iy <= MAXIQCAL - 1; iy++) {
3033 +                               if (coeff->mag_coeff[i][im][iy] <
3034 +                                   coeff->mag_coeff[i][im][ix]) {
3035 +                                       temp = coeff->mag_coeff[i][im][ix];
3036 +                                       coeff->mag_coeff[i][im][ix] =
3037 +                                               coeff->mag_coeff[i][im][iy];
3038 +                                       coeff->mag_coeff[i][im][iy] = temp;
3039 +                               }
3040 +                               if (coeff->phs_coeff[i][im][iy] <
3041 +                                   coeff->phs_coeff[i][im][ix]) {
3042 +                                       temp = coeff->phs_coeff[i][im][ix];
3043 +                                       coeff->phs_coeff[i][im][ix] =
3044 +                                               coeff->phs_coeff[i][im][iy];
3045 +                                       coeff->phs_coeff[i][im][iy] = temp;
3046 +                               }
3047 +                       }
3048 +               }
3049 +               coeff->mag_coeff[i][im][0] = coeff->mag_coeff[i][im][MAXIQCAL / 2];
3050 +               coeff->phs_coeff[i][im][0] = coeff->phs_coeff[i][im][MAXIQCAL / 2];
3051 +
3052 +               ath_dbg(common, CALIBRATE,
3053 +                       "IQCAL: Median [ch%d][gain%d]: mag = %d phase = %d\n",
3054 +                       i, im,
3055 +                       coeff->mag_coeff[i][im][0],
3056 +                       coeff->phs_coeff[i][im][0]);
3057 +       }
3058 +}
3059 +
3060 +static bool ar955x_tx_iq_cal_median(struct ath_hw *ah,
3061 +                                   struct coeff *coeff,
3062 +                                   int iqcal_idx,
3063 +                                   int nmeasurement)
3064 +{
3065 +       int i;
3066 +
3067 +       if ((iqcal_idx + 1) != MAXIQCAL)
3068 +               return false;
3069 +
3070 +       for (i = 0; i < AR9300_MAX_CHAINS; i++) {
3071 +               __ar955x_tx_iq_cal_sort(ah, coeff, i, nmeasurement);
3072 +       }
3073 +
3074 +       return true;
3075 +}
3076 +
3077 +static void ar9003_hw_tx_iq_cal_post_proc(struct ath_hw *ah,
3078 +                                         int iqcal_idx,
3079 +                                         bool is_reusable)
3080  {
3081         struct ath_common *common = ath9k_hw_common(ah);
3082         const u32 txiqcal_status[AR9300_MAX_CHAINS] = {
3083 @@ -1004,10 +1072,11 @@ static void ar9003_hw_tx_iq_cal_post_pro
3084                 AR_PHY_CHAN_INFO_TAB_1,
3085                 AR_PHY_CHAN_INFO_TAB_2,
3086         };
3087 -       struct coeff coeff;
3088 +       static struct coeff coeff;
3089         s32 iq_res[6];