1 commit 6514c93afede55284e2cb63359aadedb85884c80
2 Author: Jouni Malinen <jouni@qca.qualcomm.com>
3 Date: Tue Feb 18 20:41:08 2014 +0200
5 ath9k: Enable U-APSD AP mode support
7 mac80211 handles the actual operations, so ath9k can just indicate
8 support for this. Based on initial tests, this combination seems to
11 Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
13 commit a63caf0a357ad5c1f08d6b7827dc76c451445017
14 Author: Stanislaw Gruszka <sgruszka@redhat.com>
15 Date: Wed Feb 19 13:15:17 2014 +0100
17 ath9k: protect tid->sched check
19 We check tid->sched without a lock taken on ath_tx_aggr_sleep(). That
20 is race condition which can result of doing list_del(&tid->list) twice
21 (second time with poisoned list node) and cause crash like shown below:
23 [424271.637220] BUG: unable to handle kernel paging request at 00100104
24 [424271.637328] IP: [<f90fc072>] ath_tx_aggr_sleep+0x62/0xe0 [ath9k]
26 [424271.639953] Call Trace:
27 [424271.639998] [<f90f6900>] ? ath9k_get_survey+0x110/0x110 [ath9k]
28 [424271.640083] [<f90f6942>] ath9k_sta_notify+0x42/0x50 [ath9k]
29 [424271.640177] [<f809cfef>] sta_ps_start+0x8f/0x1c0 [mac80211]
30 [424271.640258] [<c10f730e>] ? free_compound_page+0x2e/0x40
31 [424271.640346] [<f809e915>] ieee80211_rx_handlers+0x9d5/0x2340 [mac80211]
32 [424271.640437] [<c112f048>] ? kmem_cache_free+0x1d8/0x1f0
33 [424271.640510] [<c1345a84>] ? kfree_skbmem+0x34/0x90
34 [424271.640578] [<c10fc23c>] ? put_page+0x2c/0x40
35 [424271.640640] [<c1345a84>] ? kfree_skbmem+0x34/0x90
36 [424271.640706] [<c1345a84>] ? kfree_skbmem+0x34/0x90
37 [424271.640787] [<f809dde3>] ? ieee80211_rx_handlers_result+0x73/0x1d0 [mac80211]
38 [424271.640897] [<f80a07a0>] ieee80211_prepare_and_rx_handle+0x520/0xad0 [mac80211]
39 [424271.641009] [<f809e22d>] ? ieee80211_rx_handlers+0x2ed/0x2340 [mac80211]
40 [424271.641104] [<c13846ce>] ? ip_output+0x7e/0xd0
41 [424271.641182] [<f80a1057>] ieee80211_rx+0x307/0x7c0 [mac80211]
42 [424271.641266] [<f90fa6ee>] ath_rx_tasklet+0x88e/0xf70 [ath9k]
43 [424271.641358] [<f80a0f2c>] ? ieee80211_rx+0x1dc/0x7c0 [mac80211]
44 [424271.641445] [<f90f82db>] ath9k_tasklet+0xcb/0x130 [ath9k]
47 https://bugzilla.kernel.org/show_bug.cgi?id=70551
49 Reported-and-tested-by: Max Sydorenko <maxim.stargazer@gmail.com>
50 Cc: stable@vger.kernel.org
51 Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
53 commit 82ed9e3ccc02797df2ffe4b78127c4cd5f799a41
54 Author: Felix Fietkau <nbd@openwrt.org>
55 Date: Tue Feb 11 15:54:13 2014 +0100
57 mac80211: send control port protocol frames to the VO queue
59 Improves reliability of wifi connections with WPA, since authentication
60 frames are prioritized over normal traffic and also typically exempt
63 Cc: stable@vger.kernel.org
64 Signed-off-by: Felix Fietkau <nbd@openwrt.org>
66 commit d4426800f71e972feaa33e04c5801fc730627bdd
67 Author: Stanislaw Gruszka <stf_xl@wp.pl>
68 Date: Mon Feb 10 22:38:28 2014 +0100
70 rtl8187: fix regression on MIPS without coherent DMA
72 This patch fixes regression caused by commit a16dad77634 "MIPS: Fix
73 potencial corruption". That commit fixes one corruption scenario in
74 cost of adding another one, which actually start to cause crashes
75 on Yeeloong laptop when rtl8187 driver is used.
77 For correct DMA read operation on machines without DMA coherence, kernel
78 have to invalidate cache, such it will refill later with new data that
79 device wrote to memory, when that data is needed to process. We can only
80 invalidate full cache line. Hence when cache line includes both dma
81 buffer and some other data (written in cache, but not yet in main
82 memory), the other data can not hit memory due to invalidation. That
83 happen on rtl8187 where struct rtl8187_priv fields are located just
84 before and after small buffers that are passed to USB layer and DMA
87 To fix the problem we align buffers and reserve space after them to make
88 them match cache line.
90 This patch does not resolve all possible MIPS problems entirely, for
91 that we have to assure that we always map cache aligned buffers for DMA,
92 what can be complex or even not possible. But patch fixes visible and
93 reproducible regression and seems other possible corruptions do not
94 happen in practice, since Yeeloong laptop works stable without rtl8187
98 https://bugzilla.kernel.org/show_bug.cgi?id=54391
100 Reported-by: Petr Pisar <petr.pisar@atlas.cz>
101 Bisected-by: Tom Li <biergaizi2009@gmail.com>
102 Reported-and-tested-by: Tom Li <biergaizi2009@gmail.com>
103 Cc: stable@vger.kernel.org
104 Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
106 commit e2f141d67ad1e7fe10aaab61811e8a409dfb2442
107 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
108 Date: Fri Feb 7 10:29:55 2014 +0530
110 ath9k: Calculate IQ-CAL median
112 This patch adds a routine to calculate the median IQ correction
113 values for AR955x, which is used for outlier detection.
114 The normal method which is used for all other chips is
117 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
119 commit c52a6fce0820c8d0687443ab86058ae03b478c8f
120 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
121 Date: Fri Feb 7 10:29:54 2014 +0530
123 ath9k: Expand the IQ coefficient array
125 This will be used for storing data for mutiple
126 IQ calibration runs, for AR955x.
128 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
130 commit 034969ff5c2b6431d10e07c1938f0b916da85cc3
131 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
132 Date: Fri Feb 7 10:29:53 2014 +0530
134 ath9k: Modify IQ calibration for AR955x
136 IQ calibration post-processing for AR955x is different
137 from other chips - instead of just doing it as part
138 of AGC calibration once, it is triggered 3 times and
139 a median is determined. This patch adds initial support
140 for changing the calibration behavior for AR955x.
142 Also, to simplify things, a helper routine to issue/poll
143 AGC calibration is used.
145 For non-AR955x chips, the iqcal_idx (which will be used
146 in subsequent patches) is set to zero.
148 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
150 commit 9b1ed6454e6f3511f24266be99b4e403f243f6a8
151 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
152 Date: Fri Feb 7 10:29:52 2014 +0530
154 ath9k: Fix magnitude/phase calculation
156 Incorrect values are programmed in the registers
157 containing the IQ correction coefficients by the IQ-CAL
158 post-processing code. Fix this.
160 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
162 commit 36f93484f96f79171dcecb67c5ef0c3de22531a6
163 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
164 Date: Fri Feb 7 10:29:51 2014 +0530
166 ath9k: Rename ar9003_hw_tx_iqcal_load_avg_2_passes
168 Use ar9003_hw_tx_iq_cal_outlier_detection instead.
170 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
172 commit 3af09a7f5d21dd5fd15b973ce6a91a575da30417
173 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
174 Date: Fri Feb 7 10:29:50 2014 +0530
176 ath9k: Check explicitly for IQ calibration
178 In chips like AR955x, the initvals contain the information
179 whether IQ calibration is to be done in the HW when an
180 AGC calibration is triggered. Check if IQ-CAL is enabled
181 in the initvals before flagging 'txiqcal_done' as true.
183 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
185 commit cb4969634b93c4643a32cc3fbd27d2b288b25771
186 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
187 Date: Fri Feb 7 10:29:49 2014 +0530
189 ath9k: Fix IQ cal post processing for SoC
191 Calibration data is not reused for SoC chips, so
192 call ar9003_hw_tx_iq_cal_post_proc() with the correct
193 argument. The 'is_reusable' flag is currently used
194 only for PC-OEM chips, but it makes things clearer to
195 specify it explicity.
197 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
199 commit e138e0ef9560c46ce93dbb22a728a57888e94d1c
200 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
201 Date: Mon Feb 3 13:31:37 2014 +0530
203 ath9k: Fix TX power calculation
205 The commit, "ath9k_hw: Fix incorrect Tx control power in AR9003 template"
206 fixed the incorrect values in the eeprom templates, but if
207 boards have already been calibrated with incorrect values,
208 they would still be using the wrong TX power. Fix this by assigning
209 a default value in such cases.
211 Cc: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
212 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
214 commit b9f268b5b01331c3c82179abca551429450e9417
215 Author: Michal Kazior <michal.kazior@tieto.com>
216 Date: Wed Jan 29 14:22:27 2014 +0100
218 cfg80211: consider existing DFS interfaces
220 It was possible to break interface combinations in
223 combo 1: iftype = AP, num_ifaces = 2, num_chans = 2,
224 combo 2: iftype = AP, num_ifaces = 1, num_chans = 1, radar = HT20
226 With the above interface combinations it was
229 step 1. start AP on DFS channel by matching combo 2
230 step 2. start AP on non-DFS channel by matching combo 1
232 This was possible beacuse (step 2) did not consider
233 if other interfaces require radar detection.
235 The patch changes how cfg80211 tracks channels -
236 instead of channel itself now a complete chandef
239 Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
240 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
242 commit bc9c62f5f511cc395c62dbf4cdd437f23db53b28
243 Author: Antonio Quartulli <antonio@open-mesh.com>
244 Date: Wed Jan 29 17:53:43 2014 +0100
246 cfg80211: fix channel configuration in IBSS join
248 When receiving an IBSS_JOINED event select the BSS object
249 based on the {bssid, channel} couple rather than the bssid
251 With the current approach if another cell having the same
252 BSSID (but using a different channel) exists then cfg80211
253 picks up the wrong BSS object.
254 The result is a mismatching channel configuration between
255 cfg80211 and the driver, that can lead to any sort of
258 The issue can be triggered by having an IBSS sitting on
259 given channel and then asking the driver to create a new
260 cell using the same BSSID but with a different frequency.
261 By passing the channel to cfg80211_get_bss() we can solve
262 this ambiguity and retrieve/create the correct BSS object.
263 All the users of cfg80211_ibss_joined() have been changed
266 Moreover WARN when cfg80211_ibss_joined() gets a NULL
267 channel as argument and remove a bogus call of the same
268 function in ath6kl (it does not make sense to call
269 cfg80211_ibss_joined() with a zero BSSID on ibss-leave).
271 Cc: Kalle Valo <kvalo@qca.qualcomm.com>
272 Cc: Arend van Spriel <arend@broadcom.com>
273 Cc: Bing Zhao <bzhao@marvell.com>
274 Cc: Jussi Kivilinna <jussi.kivilinna@iki.fi>
275 Cc: libertas-dev@lists.infradead.org
276 Acked-by: Kalle Valo <kvalo@qca.qualcomm.com>
277 Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
278 [minor code cleanup in ath6kl]
279 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
281 commit 7e0c41cb41f215aba2c39b1c237bb4d42ec49a85
282 Author: Johannes Berg <johannes.berg@intel.com>
283 Date: Fri Jan 24 14:41:44 2014 +0100
285 mac80211: fix bufferable MMPDU RX handling
287 Action, disassoc and deauth frames are bufferable, and as such don't
288 have the PM bit in the frame control field reserved which means we
289 need to react to the bit when receiving in such a frame.
291 Fix this by introducing a new helper ieee80211_is_bufferable_mmpdu()
292 and using it for the RX path that currently ignores the PM bit in
293 any non-data frames for doze->wake transitions, but listens to it in
294 all frames for wake->doze transitions, both of which are wrong.
296 Also use the new helper in the TX path to clean up the code.
298 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
300 commit fc0df6d2343636e3f48a069330d5b972e3d8659d
301 Author: Janusz Dziedzic <janusz.dziedzic@tieto.com>
302 Date: Fri Jan 24 14:29:21 2014 +0100
304 cfg80211: set preset_chandef after channel switch
306 Set preset_chandef in channel switch notification.
307 In other case we will have old preset_chandef.
309 Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
310 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
312 commit cdec895e2344987ff171cece96e25d7407a3ebf6
313 Author: Simon Wunderlich <simon@open-mesh.com>
314 Date: Fri Jan 24 23:48:29 2014 +0100
316 mac80211: send ibss probe responses with noack flag
318 Responding to probe requests for scanning clients will often create
319 excessive retries, as it happens quite often that the scanning client
320 already left the channel. Therefore do it like hostapd and send probe
321 responses for wildcard SSID only once by using the noack flag.
323 Signed-off-by: Simon Wunderlich <simon@open-mesh.com>
324 [fix typo & 'wildcard SSID' in commit log]
325 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
327 commit 0b865d1e6b9c05052adae9315df7cb195dc60c3b
328 Author: Luciano Coelho <luciano.coelho@intel.com>
329 Date: Tue Jan 28 17:09:08 2014 +0200
331 mac80211: ibss: remove unnecessary call to release channel
333 The ieee80211_vif_use_channel() function calls
334 ieee80211_vif_release_channel(), so there's no need to call it
335 explicitly in __ieee80211_sta_join_ibss().
337 Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
338 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
340 commit e1b6c17e971f0a51ff86c2dac2584c63cd999cd7
341 Author: Michal Kazior <michal.kazior@tieto.com>
342 Date: Wed Jan 29 07:56:21 2014 +0100
344 mac80211: add missing CSA locking
346 The patch adds a missing sdata lock and adds a few
347 lockdeps for easier maintenance.
349 Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
350 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
352 commit ad17ba7d14d225b109b73c177cd446afb8050598
353 Author: Michal Kazior <michal.kazior@tieto.com>
354 Date: Wed Jan 29 07:56:20 2014 +0100
356 mac80211: fix sdata->radar_required locking
358 radar_required setting wasn't protected by
359 local->mtx in some places. This should prevent
360 from scanning/radar detection/roc colliding.
362 Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
363 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
365 commit 5fcd5f1808813a3d9e502fd756e01bee8a79c85d
366 Author: Michal Kazior <michal.kazior@tieto.com>
367 Date: Wed Jan 29 07:56:19 2014 +0100
369 mac80211: move csa_active setting in STA CSA
371 The sdata->vif.csa_active could be left set after,
372 e.g. channel context constraints check fail in STA
373 mode leaving the interface in a strange state for
374 a brief period of time until it is disconnected.
375 This was harmless but ugly.
377 Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
378 Reviewed-by: Luciano Coelho <luciano.coelho@intel.com>
379 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
381 commit e486da4b7eed71821c6b4c1bb9ac62ffd3ab13e9
382 Author: Michal Kazior <michal.kazior@tieto.com>
383 Date: Wed Jan 29 07:56:18 2014 +0100
385 mac80211: fix possible memory leak on AP CSA failure
387 If CSA for AP interface failed and the interface
388 was not stopped afterwards another CSA request
389 would leak sdata->u.ap.next_beacon.
391 Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
392 Reviewed-by: Luciano Coelho <luciano.coelho@intel.com>
393 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
395 commit 3a77ba08940682bf3d52cf14f980337324af9d4a
396 Author: Johannes Berg <johannes.berg@intel.com>
397 Date: Sat Feb 1 00:33:29 2014 +0100
399 mac80211: fix fragmentation code, particularly for encryption
401 The "new" fragmentation code (since my rewrite almost 5 years ago)
402 erroneously sets skb->len rather than using skb_trim() to adjust
403 the length of the first fragment after copying out all the others.
404 This leaves the skb tail pointer pointing to after where the data
405 originally ended, and thus causes the encryption MIC to be written
406 at that point, rather than where it belongs: immediately after the
409 The impact of this is that if software encryption is done, then
410 a) encryption doesn't work for the first fragment, the connection
411 becomes unusable as the first fragment will never be properly
412 verified at the receiver, the MIC is practically guaranteed to
414 b) we leak up to 8 bytes of plaintext (!) of the packet out into
417 This is only mitigated by the fact that many devices are capable
418 of doing encryption in hardware, in which case this can't happen
419 as the tail pointer is irrelevant in that case. Additionally,
420 fragmentation is not used very frequently and would normally have
421 to be configured manually.
423 Fix this by using skb_trim() properly.
425 Cc: stable@vger.kernel.org
426 Fixes: 2de8e0d999b8 ("mac80211: rewrite fragmentation")
427 Reported-by: Jouni Malinen <j@w1.fi>
428 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
430 commit de5f242e0c10e841017e37eb8c38974a642dbca8
431 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
432 Date: Tue Jan 28 06:21:59 2014 +0530
434 ath9k: Fix build error on ARM
436 Use mdelay instead of udelay to fix this error:
438 ERROR: "__bad_udelay" [drivers/net/wireless/ath/ath9k/ath9k_hw.ko] undefined!
439 make[1]: *** [__modpost] Error 1
440 make: *** [modules] Error 2
442 Reported-by: Josh Boyer <jwboyer@fedoraproject.org>
443 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
445 commit 8e3ea7a51dfc61810fcefd947f6edcf61125252a
446 Author: Geert Uytterhoeven <geert@linux-m68k.org>
447 Date: Sun Jan 26 11:53:21 2014 +0100
449 ath9k: Fix uninitialized variable in ath9k_has_tx_pending()
451 drivers/net/wireless/ath/ath9k/main.c: In function ‘ath9k_has_tx_pending’:
452 drivers/net/wireless/ath/ath9k/main.c:1869: warning: ‘npend’ may be used uninitialized in this function
454 Introduced by commit 10e2318103f5941aa70c318afe34bc41f1b98529 ("ath9k:
455 optimize ath9k_flush").
457 Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
459 commit a4a634a6937ebdd827fa58e8fcdb8ca49a3769f6
460 Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
461 Date: Mon Jan 27 11:07:42 2014 +0200
463 mac80211: release the channel in error path in start_ap
465 When the driver cannot start the AP or when the assignement
466 of the beacon goes wrong, we need to unassign the vif.
468 Cc: stable@vger.kernel.org
469 Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
470 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
472 commit dfb6889a75c601aedb7450b7e606668e77da6679
473 Author: Johannes Berg <johannes.berg@intel.com>
474 Date: Wed Jan 22 11:14:19 2014 +0200
476 cfg80211: send scan results from work queue
478 Due to the previous commit, when a scan finishes, it is in theory
479 possible to hit the following sequence:
480 1. interface starts being removed
481 2. scan is cancelled by driver and cfg80211 is notified
482 3. scan done work is scheduled
483 4. interface is removed completely, rdev->scan_req is freed,
484 event sent to userspace but scan done work remains pending
485 5. new scan is requested on another virtual interface
486 6. scan done work runs, freeing the still-running scan
488 To fix this situation, hang on to the scan done message and block
489 new scans while that is the case, and only send the message from
490 the work function, regardless of whether the scan_req is already
491 freed from interface removal. This makes step 5 above impossible
492 and changes step 6 to be
493 5. scan done work runs, sending the scan done message
495 As this can't work for wext, so we send the message immediately,
496 but this shouldn't be an issue since we still return -EBUSY.
498 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
500 commit 45b7ab41fc08627d9a8428cb413d5d84662a9707
501 Author: Johannes Berg <johannes.berg@intel.com>
502 Date: Wed Jan 22 11:14:18 2014 +0200
504 cfg80211: fix scan done race
506 When an interface/wdev is removed, any ongoing scan should be
507 cancelled by the driver. This will make it call cfg80211, which
508 only queues a work struct. If interface/wdev removal is quick
509 enough, this can leave the scan request pending and processed
510 only after the interface is gone, causing a use-after-free.
512 Fix this by making sure the scan request is not pending after
513 the interface is destroyed. We can't flush or cancel the work
514 item due to locking concerns, but when it'll run it shouldn't
515 find anything to do. This leaves a potential issue, if a new
516 scan gets requested before the work runs, it prematurely stops
517 the running scan, potentially causing another crash. I'll fix
518 that in the next patch.
520 This was particularly observed with P2P_DEVICE wdevs, likely
521 because freeing them is quicker than freeing netdevs.
523 Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
524 Fixes: 4a58e7c38443 ("cfg80211: don't "leak" uncompleted scans")
525 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
527 commit ae04fa489ab31b5a10d3cc8399f52761175d4321
528 Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
529 Date: Thu Jan 23 14:28:16 2014 +0200
531 mac80211: avoid deadlock revealed by lockdep
533 sdata->u.ap.request_smps_work can’t be flushed synchronously
534 under wdev_lock(wdev) since ieee80211_request_smps_ap_work
535 itself locks the same lock.
536 While at it, reset the driver_smps_mode when the ap is
537 stopped to its default: OFF.
541 ======================================================
542 [ INFO: possible circular locking dependency detected ]
543 3.12.0-ipeer+ #2 Tainted: G O
544 -------------------------------------------------------
545 rmmod/2867 is trying to acquire lock:
546 ((&sdata->u.ap.request_smps_work)){+.+...}, at: [<c105b8d0>] flush_work+0x0/0x90
548 but task is already holding lock:
549 (&wdev->mtx){+.+.+.}, at: [<f9b32626>] cfg80211_stop_ap+0x26/0x230 [cfg80211]
551 which lock already depends on the new lock.
553 the existing dependency chain (in reverse order) is:
555 -> #1 (&wdev->mtx){+.+.+.}:
556 [<c10aefa9>] lock_acquire+0x79/0xe0
557 [<c1607a1a>] mutex_lock_nested+0x4a/0x360
558 [<fb06288b>] ieee80211_request_smps_ap_work+0x2b/0x50 [mac80211]
559 [<c105cdd8>] process_one_work+0x198/0x450
560 [<c105d469>] worker_thread+0xf9/0x320
561 [<c10669ff>] kthread+0x9f/0xb0
562 [<c1613397>] ret_from_kernel_thread+0x1b/0x28
564 -> #0 ((&sdata->u.ap.request_smps_work)){+.+...}:
565 [<c10ae9df>] __lock_acquire+0x183f/0x1910
566 [<c10aefa9>] lock_acquire+0x79/0xe0
567 [<c105b917>] flush_work+0x47/0x90
568 [<c105d867>] __cancel_work_timer+0x67/0xe0
569 [<c105d90f>] cancel_work_sync+0xf/0x20
570 [<fb0765cc>] ieee80211_stop_ap+0x8c/0x340 [mac80211]
571 [<f9b3268c>] cfg80211_stop_ap+0x8c/0x230 [cfg80211]
572 [<f9b0d8f9>] cfg80211_leave+0x79/0x100 [cfg80211]
573 [<f9b0da72>] cfg80211_netdev_notifier_call+0xf2/0x4f0 [cfg80211]
574 [<c160f2c9>] notifier_call_chain+0x59/0x130
575 [<c106c6de>] __raw_notifier_call_chain+0x1e/0x30
576 [<c106c70f>] raw_notifier_call_chain+0x1f/0x30
577 [<c14f8213>] call_netdevice_notifiers_info+0x33/0x70
578 [<c14f8263>] call_netdevice_notifiers+0x13/0x20
579 [<c14f82a4>] __dev_close_many+0x34/0xb0
580 [<c14f83fe>] dev_close_many+0x6e/0xc0
581 [<c14f9c77>] rollback_registered_many+0xa7/0x1f0
582 [<c14f9dd4>] unregister_netdevice_many+0x14/0x60
583 [<fb06f4d9>] ieee80211_remove_interfaces+0xe9/0x170 [mac80211]
584 [<fb055116>] ieee80211_unregister_hw+0x56/0x110 [mac80211]
585 [<fa3e9396>] iwl_op_mode_mvm_stop+0x26/0xe0 [iwlmvm]
586 [<f9b9d8ca>] _iwl_op_mode_stop+0x3a/0x70 [iwlwifi]
587 [<f9b9d96f>] iwl_opmode_deregister+0x6f/0x90 [iwlwifi]
588 [<fa405179>] __exit_compat+0xd/0x19 [iwlmvm]
589 [<c10b8bf9>] SyS_delete_module+0x179/0x2b0
590 [<c1613421>] sysenter_do_call+0x12/0x32
592 Fixes: 687da132234f ("mac80211: implement SMPS for AP")
593 Cc: <stable@vger.kernel.org> [3.13]
594 Reported-by: Ilan Peer <ilan.peer@intel.com>
595 Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
596 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
598 commit 178b205e96217164fd7c30113464250d0b6f5eca
599 Author: Johannes Berg <johannes.berg@intel.com>
600 Date: Thu Jan 23 16:32:29 2014 +0100
602 cfg80211: re-enable 5/10 MHz support
604 Unfortunately I forgot this during the merge window, but the
605 patch seems small enough to go in as a fix. The userspace API
606 bug that was the reason for disabling it has long been fixed.
608 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
610 commit 110a1c79acda14edc83b7c8dc5af9c7ddd23eb61
611 Author: Pontus Fuchs <pontus.fuchs@gmail.com>
612 Date: Thu Jan 16 15:00:40 2014 +0100
614 nl80211: Reset split_start when netlink skb is exhausted
616 When the netlink skb is exhausted split_start is left set. In the
617 subsequent retry, with a larger buffer, the dump is continued from the
618 failing point instead of from the beginning.
620 This was causing my rt28xx based USB dongle to now show up when
621 running "iw list" with an old iw version without split dump support.
623 Cc: stable@vger.kernel.org
624 Fixes: 3713b4e364ef ("nl80211: allow splitting wiphy information in dumps")
625 Signed-off-by: Pontus Fuchs <pontus.fuchs@gmail.com>
626 [avoid the entire workaround when state->split is set]
627 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
629 commit b4c31b45ffc7ef110fa9ecc34d7878fe7c5b9da4
630 Author: Eliad Peller <eliad@wizery.com>
631 Date: Sun Jan 12 11:06:37 2014 +0200
633 mac80211: move roc cookie assignment earlier
635 ieee80211_start_roc_work() might add a new roc
636 to existing roc, and tell cfg80211 it has already
639 However, this might happen before the roc cookie
640 was set, resulting in REMAIN_ON_CHANNEL (started)
641 event with null cookie. Consequently, it can make
642 wpa_supplicant go out of sync.
644 Fix it by setting the roc cookie earlier.
646 Cc: stable@vger.kernel.org
647 Signed-off-by: Eliad Peller <eliad@wizery.com>
648 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
650 commit cfdc9157bfd7bcf88ab4dae08873a9907eba984c
651 Author: Johannes Berg <johannes.berg@intel.com>
652 Date: Fri Jan 24 14:06:29 2014 +0100
654 nl80211: send event when AP operation is stopped
656 There are a few cases, e.g. suspend, where an AP interface is
657 stopped by the kernel rather than by userspace request, most
658 commonly when suspending. To let userspace know about this,
659 send the NL80211_CMD_STOP_AP command as an event every time
660 an AP interface is stopped. This also happens when userspace
661 did in fact request the AP stop, but that's not a problem.
663 For full-MAC drivers this may need to be extended to also
664 cover cases where the device stopped the AP operation for
665 some reason, this a bit more complicated because then all
666 cfg80211 state also needs to be reset; such API is not part
669 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
671 commit d5d567eda7704f190379ca852a8f9a4112e3eee3
672 Author: Johannes Berg <johannes.berg@intel.com>
673 Date: Thu Jan 23 16:20:29 2014 +0100
675 mac80211: add length check in ieee80211_is_robust_mgmt_frame()
677 A few places weren't checking that the frame passed to the
678 function actually has enough data even though the function
679 clearly documents it must have a payload byte. Make this
680 safer by changing the function to take an skb and checking
681 the length inside. The old version is preserved for now as
682 the rtl* drivers use it and don't have a correct skb.
684 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
686 commit f8f6d212a047fc65c7d3442dfc038f65517236fc
687 Author: Johannes Berg <johannes.berg@intel.com>
688 Date: Fri Jan 24 10:53:53 2014 +0100
690 nl80211: fix scheduled scan RSSI matchset attribute confusion
692 The scheduled scan matchsets were intended to be a list of filters,
693 with the found BSS having to pass at least one of them to be passed
694 to the host. When the RSSI attribute was added, however, this was
695 broken and currently wpa_supplicant adds that attribute in its own
696 matchset; however, it doesn't intend that to mean that anything
697 that passes the RSSI filter should be passed to the host, instead
698 it wants it to mean that everything needs to also have higher RSSI.
700 This is semantically problematic because we have a list of filters
701 like [ SSID1, SSID2, SSID3, RSSI ] with no real indication which
702 one should be OR'ed and which one AND'ed.
704 To fix this, move the RSSI filter attribute into each matchset. As
705 we need to stay backward compatible, treat a matchset with only the
706 RSSI attribute as a "default RSSI filter" for all other matchsets,
707 but only if there are other matchsets (an RSSI-only matchset by
708 itself is still desirable.)
710 To make driver implementation easier, keep a global min_rssi_thold
711 for the entire request as well. The only affected driver is ath6kl.
713 I found this when I looked into the code after Raja Mani submitted
714 a patch fixing the n_match_sets calculation to disregard the RSSI,
715 but that patch didn't address the semantic issue.
717 Reported-by: Raja Mani <rmani@qti.qualcomm.com>
718 Acked-by: Luciano Coelho <luciano.coelho@intel.com>
719 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
721 commit de553e8545e65a6dc4e45f43df7e1443d4291922
722 Author: Johannes Berg <johannes.berg@intel.com>
723 Date: Fri Jan 24 10:17:47 2014 +0100
725 nl80211: check nla_parse() return values
727 If there's a policy, then nla_parse() return values must be
728 checked, otherwise the policy is useless and there's nothing
729 that ensures the attributes are actually what we expect them
732 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
734 commit 652204a0733e9e1c54661d6f9d36e2e1e3b22bb1
735 Author: Karl Beldan <karl.beldan@rivierawaves.com>
736 Date: Thu Jan 23 20:06:34 2014 +0100
738 mac80211: send {ADD,DEL}BA on AC_VO like other mgmt frames, as per spec
740 ATM, {ADD,DEL}BA and BAR frames are sent on the AC matching the TID of
741 the BA parameters. In the discussion [1] about this patch, Johannes
742 recalled that it fixed some races with the DELBA and indeed this
743 behavior was introduced in [2].
744 While [2] is right for the BARs, the part queueing the {ADD,DEL}BAs on
745 their BA params TID AC violates the spec and is more a workaround for
746 some drivers. Helmut expressed some concerns wrt such drivers, in
747 particular DELBAs in rt2x00.
749 ATM, DELBAs are sent after a driver has called (hence "purposely")
750 ieee80211_start_tx_ba_cb_irqsafe and Johannes and Emmanuel gave some
751 details wrt intentions behind the split of the IEEE80211_AMPDU_TX_STOP_*
752 given to the driver ampdu_action supposed to call this function, which
753 could prove handy to people trying to do the right thing in faulty
754 drivers (if their fw/hw don't get in their way).
756 [1] http://mid.gmane.org/1390391564-18481-1-git-send-email-karl.beldan@gmail.com
757 [2] Commit: cf6bb79ad828 ("mac80211: Use appropriate TID for sending BAR, ADDBA and DELBA frames")
759 Signed-off-by: Karl Beldan <karl.beldan@rivierawaves.com>
760 Cc: Helmut Schaa <helmut.schaa@googlemail.com>
761 Cc: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
762 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
763 --- a/drivers/net/wireless/ath/ath6kl/cfg80211.c
764 +++ b/drivers/net/wireless/ath/ath6kl/cfg80211.c
765 @@ -790,7 +790,7 @@ void ath6kl_cfg80211_connect_event(struc
766 if (nw_type & ADHOC_NETWORK) {
767 ath6kl_dbg(ATH6KL_DBG_WLAN_CFG, "ad-hoc %s selected\n",
768 nw_type & ADHOC_CREATOR ? "creator" : "joiner");
769 - cfg80211_ibss_joined(vif->ndev, bssid, GFP_KERNEL);
770 + cfg80211_ibss_joined(vif->ndev, bssid, chan, GFP_KERNEL);
771 cfg80211_put_bss(ar->wiphy, bss);
774 @@ -861,13 +861,9 @@ void ath6kl_cfg80211_disconnect_event(st
777 if (vif->nw_type & ADHOC_NETWORK) {
778 - if (vif->wdev.iftype != NL80211_IFTYPE_ADHOC) {
779 + if (vif->wdev.iftype != NL80211_IFTYPE_ADHOC)
780 ath6kl_dbg(ATH6KL_DBG_WLAN_CFG,
781 "%s: ath6k not in ibss mode\n", __func__);
784 - memset(bssid, 0, ETH_ALEN);
785 - cfg80211_ibss_joined(vif->ndev, bssid, GFP_KERNEL);
789 @@ -3256,6 +3252,15 @@ static int ath6kl_cfg80211_sscan_start(s
790 struct ath6kl_vif *vif = netdev_priv(dev);
793 + int n_match_sets = request->n_match_sets;
796 + * If there's a matchset w/o an SSID, then assume it's just for
797 + * the RSSI (nothing else is currently supported) and ignore it.
798 + * The device only supports a global RSSI filter that we set below.
800 + if (n_match_sets == 1 && !request->match_sets[0].ssid.ssid_len)
803 if (ar->state != ATH6KL_STATE_ON)
805 @@ -3268,11 +3273,11 @@ static int ath6kl_cfg80211_sscan_start(s
806 ret = ath6kl_set_probed_ssids(ar, vif, request->ssids,
809 - request->n_match_sets);
814 - if (!request->n_match_sets) {
815 + if (!n_match_sets) {
816 ret = ath6kl_wmi_bssfilter_cmd(ar->wmi, vif->fw_vif_idx,
819 @@ -3286,12 +3291,12 @@ static int ath6kl_cfg80211_sscan_start(s
821 if (test_bit(ATH6KL_FW_CAPABILITY_RSSI_SCAN_THOLD,
822 ar->fw_capabilities)) {
823 - if (request->rssi_thold <= NL80211_SCAN_RSSI_THOLD_OFF)
824 + if (request->min_rssi_thold <= NL80211_SCAN_RSSI_THOLD_OFF)
826 - else if (request->rssi_thold < -127)
827 + else if (request->min_rssi_thold < -127)
830 - rssi_thold = request->rssi_thold;
831 + rssi_thold = request->min_rssi_thold;
833 ret = ath6kl_wmi_set_rssi_filter_cmd(ar->wmi, vif->fw_vif_idx,
835 --- a/drivers/net/wireless/ath/ath9k/hw.c
836 +++ b/drivers/net/wireless/ath/ath9k/hw.c
837 @@ -1316,7 +1316,7 @@ static bool ath9k_hw_set_reset(struct at
838 if (AR_SREV_9300_20_OR_LATER(ah))
840 else if (AR_SREV_9100(ah))
846 @@ -2051,9 +2051,8 @@ static bool ath9k_hw_set_power_awake(str
848 REG_SET_BIT(ah, AR_RTC_FORCE_WAKE,
849 AR_RTC_FORCE_WAKE_EN);
851 if (AR_SREV_9100(ah))
857 --- a/drivers/net/wireless/ath/ath9k/main.c
858 +++ b/drivers/net/wireless/ath/ath9k/main.c
859 @@ -1866,7 +1866,7 @@ static void ath9k_set_coverage_class(str
861 static bool ath9k_has_tx_pending(struct ath_softc *sc)
866 for (i = 0; i < ATH9K_NUM_TX_QUEUES; i++) {
867 if (!ATH_TXQ_SETUP(sc, i))
868 --- a/drivers/net/wireless/iwlwifi/mvm/scan.c
869 +++ b/drivers/net/wireless/iwlwifi/mvm/scan.c
870 @@ -595,6 +595,9 @@ static void iwl_scan_offload_build_ssid(
873 for (i = 0; i < req->n_match_sets && i < PROBE_OPTION_MAX; i++) {
874 + /* skip empty SSID matchsets */
875 + if (!req->match_sets[i].ssid.ssid_len)
877 scan->direct_scan[i].id = WLAN_EID_SSID;
878 scan->direct_scan[i].len = req->match_sets[i].ssid.ssid_len;
879 memcpy(scan->direct_scan[i].ssid, req->match_sets[i].ssid.ssid,
880 --- a/drivers/net/wireless/rtlwifi/rtl8188ee/trx.c
881 +++ b/drivers/net/wireless/rtlwifi/rtl8188ee/trx.c
882 @@ -452,7 +452,7 @@ bool rtl88ee_rx_query_desc(struct ieee80
883 /* During testing, hdr was NULL */
886 - if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
887 + if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
888 (ieee80211_has_protected(hdr->frame_control)))
889 rx_status->flag &= ~RX_FLAG_DECRYPTED;
891 --- a/drivers/net/wireless/rtlwifi/rtl8192ce/trx.c
892 +++ b/drivers/net/wireless/rtlwifi/rtl8192ce/trx.c
893 @@ -393,7 +393,7 @@ bool rtl92ce_rx_query_desc(struct ieee80
894 /* In testing, hdr was NULL here */
897 - if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
898 + if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
899 (ieee80211_has_protected(hdr->frame_control)))
900 rx_status->flag &= ~RX_FLAG_DECRYPTED;
902 --- a/drivers/net/wireless/rtlwifi/rtl8192se/trx.c
903 +++ b/drivers/net/wireless/rtlwifi/rtl8192se/trx.c
904 @@ -310,7 +310,7 @@ bool rtl92se_rx_query_desc(struct ieee80
905 /* during testing, hdr was NULL here */
908 - if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
909 + if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
910 (ieee80211_has_protected(hdr->frame_control)))
911 rx_status->flag &= ~RX_FLAG_DECRYPTED;
913 --- a/drivers/net/wireless/rtlwifi/rtl8723ae/trx.c
914 +++ b/drivers/net/wireless/rtlwifi/rtl8723ae/trx.c
915 @@ -334,7 +334,7 @@ bool rtl8723ae_rx_query_desc(struct ieee
916 /* during testing, hdr could be NULL here */
919 - if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
920 + if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
921 (ieee80211_has_protected(hdr->frame_control)))
922 rx_status->flag &= ~RX_FLAG_DECRYPTED;
924 --- a/include/linux/ieee80211.h
925 +++ b/include/linux/ieee80211.h
926 @@ -597,6 +597,20 @@ static inline int ieee80211_is_qos_nullf
930 + * ieee80211_is_bufferable_mmpdu - check if frame is bufferable MMPDU
931 + * @fc: frame control field in little-endian byteorder
933 +static inline bool ieee80211_is_bufferable_mmpdu(__le16 fc)
935 + /* IEEE 802.11-2012, definition of "bufferable management frame";
936 + * note that this ignores the IBSS special case. */
937 + return ieee80211_is_mgmt(fc) &&
938 + (ieee80211_is_action(fc) ||
939 + ieee80211_is_disassoc(fc) ||
940 + ieee80211_is_deauth(fc));
944 * ieee80211_is_first_frag - check if IEEE80211_SCTL_FRAG is not set
945 * @seq_ctrl: frame sequence control bytes in little-endian byteorder
947 @@ -2192,10 +2206,10 @@ static inline u8 *ieee80211_get_DA(struc
951 - * ieee80211_is_robust_mgmt_frame - check if frame is a robust management frame
952 + * _ieee80211_is_robust_mgmt_frame - check if frame is a robust management frame
953 * @hdr: the frame (buffer must include at least the first octet of payload)
955 -static inline bool ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr)
956 +static inline bool _ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr)
958 if (ieee80211_is_disassoc(hdr->frame_control) ||
959 ieee80211_is_deauth(hdr->frame_control))
960 @@ -2224,6 +2238,17 @@ static inline bool ieee80211_is_robust_m
964 + * ieee80211_is_robust_mgmt_frame - check if skb contains a robust mgmt frame
965 + * @skb: the skb containing the frame, length will be checked
967 +static inline bool ieee80211_is_robust_mgmt_frame(struct sk_buff *skb)
971 + return _ieee80211_is_robust_mgmt_frame((void *)skb->data);
975 * ieee80211_is_public_action - check if frame is a public action frame
977 * @len: length of the frame
978 --- a/include/net/cfg80211.h
979 +++ b/include/net/cfg80211.h
980 @@ -1395,9 +1395,11 @@ struct cfg80211_scan_request {
981 * struct cfg80211_match_set - sets of attributes to match
983 * @ssid: SSID to be matched
984 + * @rssi_thold: don't report scan results below this threshold (in s32 dBm)
986 struct cfg80211_match_set {
987 struct cfg80211_ssid ssid;
992 @@ -1420,7 +1422,8 @@ struct cfg80211_match_set {
993 * @dev: the interface
994 * @scan_start: start time of the scheduled scan
995 * @channels: channels to scan
996 - * @rssi_thold: don't report scan results below this threshold (in s32 dBm)
997 + * @min_rssi_thold: for drivers only supporting a single threshold, this
998 + * contains the minimum over all matchsets
1000 struct cfg80211_sched_scan_request {
1001 struct cfg80211_ssid *ssids;
1002 @@ -1433,7 +1436,7 @@ struct cfg80211_sched_scan_request {
1004 struct cfg80211_match_set *match_sets;
1007 + s32 min_rssi_thold;
1010 struct wiphy *wiphy;
1011 @@ -3130,8 +3133,8 @@ struct cfg80211_cached_keys;
1012 * @identifier: (private) Identifier used in nl80211 to identify this
1013 * wireless device if it has no netdev
1014 * @current_bss: (private) Used by the internal configuration code
1015 - * @channel: (private) Used by the internal configuration code to track
1016 - * the user-set AP, monitor and WDS channel
1017 + * @chandef: (private) Used by the internal configuration code to track
1018 + * the user-set channel definition.
1019 * @preset_chandef: (private) Used by the internal configuration code to
1020 * track the channel to be used for AP later
1021 * @bssid: (private) Used by the internal configuration code
1022 @@ -3195,9 +3198,7 @@ struct wireless_dev {
1024 struct cfg80211_internal_bss *current_bss; /* associated / joined */
1025 struct cfg80211_chan_def preset_chandef;
1027 - /* for AP and mesh channel tracking */
1028 - struct ieee80211_channel *channel;
1029 + struct cfg80211_chan_def chandef;
1032 bool ibss_dfs_possible;
1033 @@ -3879,6 +3880,7 @@ void cfg80211_michael_mic_failure(struct
1035 * @dev: network device
1036 * @bssid: the BSSID of the IBSS joined
1037 + * @channel: the channel of the IBSS joined
1038 * @gfp: allocation flags
1040 * This function notifies cfg80211 that the device joined an IBSS or
1041 @@ -3888,7 +3890,8 @@ void cfg80211_michael_mic_failure(struct
1042 * with the locally generated beacon -- this guarantees that there is
1043 * always a scan result for this IBSS. cfg80211 will handle the rest.
1045 -void cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid, gfp_t gfp);
1046 +void cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid,
1047 + struct ieee80211_channel *channel, gfp_t gfp);
1050 * cfg80211_notify_new_candidate - notify cfg80211 of a new mesh peer candidate
1051 --- a/include/uapi/linux/nl80211.h
1052 +++ b/include/uapi/linux/nl80211.h
1053 @@ -2442,9 +2442,15 @@ enum nl80211_reg_rule_attr {
1054 * enum nl80211_sched_scan_match_attr - scheduled scan match attributes
1055 * @__NL80211_SCHED_SCAN_MATCH_ATTR_INVALID: attribute number 0 is reserved
1056 * @NL80211_SCHED_SCAN_MATCH_ATTR_SSID: SSID to be used for matching,
1057 - * only report BSS with matching SSID.
1058 + * only report BSS with matching SSID.
1059 * @NL80211_SCHED_SCAN_MATCH_ATTR_RSSI: RSSI threshold (in dBm) for reporting a
1060 - * BSS in scan results. Filtering is turned off if not specified.
1061 + * BSS in scan results. Filtering is turned off if not specified. Note that
1062 + * if this attribute is in a match set of its own, then it is treated as
1063 + * the default value for all matchsets with an SSID, rather than being a
1064 + * matchset of its own without an RSSI filter. This is due to problems with
1065 + * how this API was implemented in the past. Also, due to the same problem,
1066 + * the only way to create a matchset with only an RSSI filter (with this
1067 + * attribute) is if there's only a single matchset with the RSSI attribute.
1068 * @NL80211_SCHED_SCAN_MATCH_ATTR_MAX: highest scheduled scan filter
1069 * attribute number currently defined
1070 * @__NL80211_SCHED_SCAN_MATCH_ATTR_AFTER_LAST: internal use
1071 --- a/net/mac80211/agg-tx.c
1072 +++ b/net/mac80211/agg-tx.c
1073 @@ -107,7 +107,7 @@ static void ieee80211_send_addba_request
1074 mgmt->u.action.u.addba_req.start_seq_num =
1075 cpu_to_le16(start_seq_num << 4);
1077 - ieee80211_tx_skb_tid(sdata, skb, tid);
1078 + ieee80211_tx_skb(sdata, skb);
1081 void ieee80211_send_bar(struct ieee80211_vif *vif, u8 *ra, u16 tid, u16 ssn)
1082 --- a/net/mac80211/cfg.c
1083 +++ b/net/mac80211/cfg.c
1084 @@ -970,9 +970,9 @@ static int ieee80211_start_ap(struct wip
1085 /* TODO: make hostapd tell us what it wants */
1086 sdata->smps_mode = IEEE80211_SMPS_OFF;
1087 sdata->needed_rx_chains = sdata->local->rx_chains;
1088 - sdata->radar_required = params->radar_required;
1090 mutex_lock(&local->mtx);
1091 + sdata->radar_required = params->radar_required;
1092 err = ieee80211_vif_use_channel(sdata, ¶ms->chandef,
1093 IEEE80211_CHANCTX_SHARED);
1094 mutex_unlock(&local->mtx);
1095 @@ -1021,8 +1021,10 @@ static int ieee80211_start_ap(struct wip
1096 IEEE80211_P2P_OPPPS_ENABLE_BIT;
1098 err = ieee80211_assign_beacon(sdata, ¶ms->beacon);
1101 + ieee80211_vif_release_channel(sdata);
1106 err = drv_start_ap(sdata->local, sdata);
1107 @@ -1032,6 +1034,7 @@ static int ieee80211_start_ap(struct wip
1109 kfree_rcu(old, rcu_head);
1110 RCU_INIT_POINTER(sdata->u.ap.beacon, NULL);
1111 + ieee80211_vif_release_channel(sdata);
1115 @@ -1053,6 +1056,7 @@ static int ieee80211_change_beacon(struc
1118 sdata = IEEE80211_DEV_TO_SUB_IF(dev);
1119 + sdata_assert_lock(sdata);
1121 /* don't allow changing the beacon while CSA is in place - offset
1122 * of channel switch counter may change
1123 @@ -1080,6 +1084,8 @@ static int ieee80211_stop_ap(struct wiph
1124 struct probe_resp *old_probe_resp;
1125 struct cfg80211_chan_def chandef;
1127 + sdata_assert_lock(sdata);
1129 old_beacon = sdata_dereference(sdata->u.ap.beacon, sdata);
1132 @@ -1090,8 +1096,6 @@ static int ieee80211_stop_ap(struct wiph
1133 kfree(sdata->u.ap.next_beacon);
1134 sdata->u.ap.next_beacon = NULL;
1136 - cancel_work_sync(&sdata->u.ap.request_smps_work);
1138 /* turn off carrier for this interface and dependent VLANs */
1139 list_for_each_entry(vlan, &sdata->u.ap.vlans, u.vlan.list)
1140 netif_carrier_off(vlan->dev);
1141 @@ -1103,6 +1107,7 @@ static int ieee80211_stop_ap(struct wiph
1142 kfree_rcu(old_beacon, rcu_head);
1144 kfree_rcu(old_probe_resp, rcu_head);
1145 + sdata->u.ap.driver_smps_mode = IEEE80211_SMPS_OFF;
1147 __sta_info_flush(sdata, true);
1148 ieee80211_free_keys(sdata, true);
1149 @@ -2638,6 +2643,24 @@ static int ieee80211_start_roc_work(stru
1150 INIT_DELAYED_WORK(&roc->work, ieee80211_sw_roc_work);
1151 INIT_LIST_HEAD(&roc->dependents);
1154 + * cookie is either the roc cookie (for normal roc)
1155 + * or the SKB (for mgmt TX)
1158 + /* local->mtx protects this */
1159 + local->roc_cookie_counter++;
1160 + roc->cookie = local->roc_cookie_counter;
1161 + /* wow, you wrapped 64 bits ... more likely a bug */
1162 + if (WARN_ON(roc->cookie == 0)) {
1164 + local->roc_cookie_counter++;
1166 + *cookie = roc->cookie;
1168 + *cookie = (unsigned long)txskb;
1171 /* if there's one pending or we're scanning, queue this one */
1172 if (!list_empty(&local->roc_list) ||
1173 local->scanning || local->radar_detect_enabled)
1174 @@ -2772,24 +2795,6 @@ static int ieee80211_start_roc_work(stru
1176 list_add_tail(&roc->list, &local->roc_list);
1179 - * cookie is either the roc cookie (for normal roc)
1180 - * or the SKB (for mgmt TX)
1183 - /* local->mtx protects this */
1184 - local->roc_cookie_counter++;
1185 - roc->cookie = local->roc_cookie_counter;
1186 - /* wow, you wrapped 64 bits ... more likely a bug */
1187 - if (WARN_ON(roc->cookie == 0)) {
1189 - local->roc_cookie_counter++;
1191 - *cookie = roc->cookie;
1193 - *cookie = (unsigned long)txskb;
1199 @@ -3004,8 +3009,10 @@ void ieee80211_csa_finalize_work(struct
1200 if (!ieee80211_sdata_running(sdata))
1203 - sdata->radar_required = sdata->csa_radar_required;
1204 + sdata_assert_lock(sdata);
1206 mutex_lock(&local->mtx);
1207 + sdata->radar_required = sdata->csa_radar_required;
1208 err = ieee80211_vif_change_channel(sdata, &changed);
1209 mutex_unlock(&local->mtx);
1210 if (WARN_ON(err < 0))
1211 @@ -3022,13 +3029,13 @@ void ieee80211_csa_finalize_work(struct
1212 switch (sdata->vif.type) {
1213 case NL80211_IFTYPE_AP:
1214 err = ieee80211_assign_beacon(sdata, sdata->u.ap.next_beacon);
1215 + kfree(sdata->u.ap.next_beacon);
1216 + sdata->u.ap.next_beacon = NULL;
1222 - kfree(sdata->u.ap.next_beacon);
1223 - sdata->u.ap.next_beacon = NULL;
1225 ieee80211_bss_info_change_notify(sdata, err);
1227 case NL80211_IFTYPE_ADHOC:
1228 @@ -3066,7 +3073,7 @@ int ieee80211_channel_switch(struct wiph
1229 struct ieee80211_if_mesh __maybe_unused *ifmsh;
1230 int err, num_chanctx;
1232 - lockdep_assert_held(&sdata->wdev.mtx);
1233 + sdata_assert_lock(sdata);
1235 if (!list_empty(&local->roc_list) || local->scanning)
1237 --- a/net/mac80211/ht.c
1238 +++ b/net/mac80211/ht.c
1239 @@ -375,7 +375,7 @@ void ieee80211_send_delba(struct ieee802
1240 mgmt->u.action.u.delba.params = cpu_to_le16(params);
1241 mgmt->u.action.u.delba.reason_code = cpu_to_le16(reason_code);
1243 - ieee80211_tx_skb_tid(sdata, skb, tid);
1244 + ieee80211_tx_skb(sdata, skb);
1247 void ieee80211_process_delba(struct ieee80211_sub_if_data *sdata,
1248 @@ -466,7 +466,9 @@ void ieee80211_request_smps_ap_work(stru
1249 u.ap.request_smps_work);
1252 - __ieee80211_request_smps_ap(sdata, sdata->u.ap.driver_smps_mode);
1253 + if (sdata_dereference(sdata->u.ap.beacon, sdata))
1254 + __ieee80211_request_smps_ap(sdata,
1255 + sdata->u.ap.driver_smps_mode);
1256 sdata_unlock(sdata);
1259 --- a/net/mac80211/iface.c
1260 +++ b/net/mac80211/iface.c
1261 @@ -770,12 +770,19 @@ static void ieee80211_do_stop(struct iee
1263 ieee80211_roc_purge(local, sdata);
1265 - if (sdata->vif.type == NL80211_IFTYPE_STATION)
1266 + switch (sdata->vif.type) {
1267 + case NL80211_IFTYPE_STATION:
1268 ieee80211_mgd_stop(sdata);
1270 - if (sdata->vif.type == NL80211_IFTYPE_ADHOC)
1272 + case NL80211_IFTYPE_ADHOC:
1273 ieee80211_ibss_stop(sdata);
1276 + case NL80211_IFTYPE_AP:
1277 + cancel_work_sync(&sdata->u.ap.request_smps_work);
1284 * Remove all stations associated with this interface.
1285 @@ -827,7 +834,9 @@ static void ieee80211_do_stop(struct iee
1286 cancel_work_sync(&local->dynamic_ps_enable_work);
1288 cancel_work_sync(&sdata->recalc_smps);
1289 + sdata_lock(sdata);
1290 sdata->vif.csa_active = false;
1291 + sdata_unlock(sdata);
1292 cancel_work_sync(&sdata->csa_finalize_work);
1294 cancel_delayed_work_sync(&sdata->dfs_cac_timer_work);
1295 --- a/net/mac80211/rx.c
1296 +++ b/net/mac80211/rx.c
1297 @@ -599,10 +599,10 @@ static int ieee80211_is_unicast_robust_m
1299 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1301 - if (skb->len < 24 || is_multicast_ether_addr(hdr->addr1))
1302 + if (is_multicast_ether_addr(hdr->addr1))
1305 - return ieee80211_is_robust_mgmt_frame(hdr);
1306 + return ieee80211_is_robust_mgmt_frame(skb);
1310 @@ -610,10 +610,10 @@ static int ieee80211_is_multicast_robust
1312 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1314 - if (skb->len < 24 || !is_multicast_ether_addr(hdr->addr1))
1315 + if (!is_multicast_ether_addr(hdr->addr1))
1318 - return ieee80211_is_robust_mgmt_frame(hdr);
1319 + return ieee80211_is_robust_mgmt_frame(skb);
1323 @@ -626,7 +626,7 @@ static int ieee80211_get_mmie_keyidx(str
1324 if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da))
1327 - if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *) hdr))
1328 + if (!ieee80211_is_robust_mgmt_frame(skb))
1329 return -1; /* not a robust management frame */
1331 mmie = (struct ieee80211_mmie *)
1332 @@ -1311,18 +1311,15 @@ ieee80211_rx_h_sta_process(struct ieee80
1333 !ieee80211_has_morefrags(hdr->frame_control) &&
1334 !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
1335 (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
1336 - rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) {
1337 + rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN) &&
1338 + /* PM bit is only checked in frames where it isn't reserved,
1339 + * in AP mode it's reserved in non-bufferable management frames
1340 + * (cf. IEEE 802.11-2012 8.2.4.1.7 Power Management field)
1342 + (!ieee80211_is_mgmt(hdr->frame_control) ||
1343 + ieee80211_is_bufferable_mmpdu(hdr->frame_control))) {
1344 if (test_sta_flag(sta, WLAN_STA_PS_STA)) {
1346 - * Ignore doze->wake transitions that are
1347 - * indicated by non-data frames, the standard
1348 - * is unclear here, but for example going to
1349 - * PS mode and then scanning would cause a
1350 - * doze->wake transition for the probe request,
1351 - * and that is clearly undesirable.
1353 - if (ieee80211_is_data(hdr->frame_control) &&
1354 - !ieee80211_has_pm(hdr->frame_control))
1355 + if (!ieee80211_has_pm(hdr->frame_control))
1358 if (ieee80211_has_pm(hdr->frame_control))
1359 @@ -1845,8 +1842,7 @@ static int ieee80211_drop_unencrypted_mg
1360 * having configured keys.
1362 if (unlikely(ieee80211_is_action(fc) && !rx->key &&
1363 - ieee80211_is_robust_mgmt_frame(
1364 - (struct ieee80211_hdr *) rx->skb->data)))
1365 + ieee80211_is_robust_mgmt_frame(rx->skb)))
1369 --- a/net/mac80211/tx.c
1370 +++ b/net/mac80211/tx.c
1371 @@ -452,8 +452,7 @@ static int ieee80211_use_mfp(__le16 fc,
1372 if (sta == NULL || !test_sta_flag(sta, WLAN_STA_MFP))
1375 - if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *)
1377 + if (!ieee80211_is_robust_mgmt_frame(skb))
1381 @@ -525,9 +524,7 @@ ieee80211_tx_h_ps_buf(struct ieee80211_t
1383 /* only deauth, disassoc and action are bufferable MMPDUs */
1384 if (ieee80211_is_mgmt(hdr->frame_control) &&
1385 - !ieee80211_is_deauth(hdr->frame_control) &&
1386 - !ieee80211_is_disassoc(hdr->frame_control) &&
1387 - !ieee80211_is_action(hdr->frame_control)) {
1388 + !ieee80211_is_bufferable_mmpdu(hdr->frame_control)) {
1389 if (tx->flags & IEEE80211_TX_UNICAST)
1390 info->flags |= IEEE80211_TX_CTL_NO_PS_BUFFER;
1392 @@ -567,7 +564,7 @@ ieee80211_tx_h_select_key(struct ieee802
1394 else if (ieee80211_is_mgmt(hdr->frame_control) &&
1395 is_multicast_ether_addr(hdr->addr1) &&
1396 - ieee80211_is_robust_mgmt_frame(hdr) &&
1397 + ieee80211_is_robust_mgmt_frame(tx->skb) &&
1398 (key = rcu_dereference(tx->sdata->default_mgmt_key)))
1400 else if (is_multicast_ether_addr(hdr->addr1) &&
1401 @@ -582,12 +579,12 @@ ieee80211_tx_h_select_key(struct ieee802
1403 else if (tx->skb->protocol == tx->sdata->control_port_protocol)
1405 - else if (ieee80211_is_robust_mgmt_frame(hdr) &&
1406 + else if (ieee80211_is_robust_mgmt_frame(tx->skb) &&
1407 !(ieee80211_is_action(hdr->frame_control) &&
1408 tx->sta && test_sta_flag(tx->sta, WLAN_STA_MFP)))
1410 else if (ieee80211_is_mgmt(hdr->frame_control) &&
1411 - !ieee80211_is_robust_mgmt_frame(hdr))
1412 + !ieee80211_is_robust_mgmt_frame(tx->skb))
1415 I802_DEBUG_INC(tx->local->tx_handlers_drop_unencrypted);
1416 @@ -878,7 +875,7 @@ static int ieee80211_fragment(struct iee
1419 /* adjust first fragment's length */
1420 - skb->len = hdrlen + per_fragm;
1421 + skb_trim(skb, hdrlen + per_fragm);
1425 --- a/net/mac80211/wpa.c
1426 +++ b/net/mac80211/wpa.c
1427 @@ -499,7 +499,7 @@ ieee80211_crypto_ccmp_decrypt(struct iee
1428 hdrlen = ieee80211_hdrlen(hdr->frame_control);
1430 if (!ieee80211_is_data(hdr->frame_control) &&
1431 - !ieee80211_is_robust_mgmt_frame(hdr))
1432 + !ieee80211_is_robust_mgmt_frame(skb))
1435 data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN -
1436 --- a/net/wireless/ap.c
1437 +++ b/net/wireless/ap.c
1438 @@ -27,9 +27,10 @@ static int __cfg80211_stop_ap(struct cfg
1439 err = rdev_stop_ap(rdev, dev);
1441 wdev->beacon_interval = 0;
1442 - wdev->channel = NULL;
1443 + memset(&wdev->chandef, 0, sizeof(wdev->chandef));
1445 rdev_set_qos_map(rdev, dev, NULL);
1446 + nl80211_send_ap_stopped(wdev);
1450 --- a/net/wireless/core.c
1451 +++ b/net/wireless/core.c
1452 @@ -203,8 +203,11 @@ void cfg80211_stop_p2p_device(struct cfg
1456 - WARN_ON(rdev->scan_req && rdev->scan_req->wdev == wdev &&
1457 - !rdev->scan_req->notified);
1458 + if (rdev->scan_req && rdev->scan_req->wdev == wdev) {
1459 + if (WARN_ON(!rdev->scan_req->notified))
1460 + rdev->scan_req->aborted = true;
1461 + ___cfg80211_scan_done(rdev, false);
1465 static int cfg80211_rfkill_set_block(void *data, bool blocked)
1466 @@ -447,9 +450,6 @@ int wiphy_register(struct wiphy *wiphy)
1468 u16 ifmodes = wiphy->interface_modes;
1470 - /* support for 5/10 MHz is broken due to nl80211 API mess - disable */
1471 - wiphy->flags &= ~WIPHY_FLAG_SUPPORTS_5_10_MHZ;
1474 * There are major locking problems in nl80211/mac80211 for CSA,
1475 * disable for all drivers until this has been reworked.
1476 @@ -875,8 +875,11 @@ static int cfg80211_netdev_notifier_call
1479 cfg80211_update_iface_num(rdev, wdev->iftype, -1);
1480 - WARN_ON(rdev->scan_req && rdev->scan_req->wdev == wdev &&
1481 - !rdev->scan_req->notified);
1482 + if (rdev->scan_req && rdev->scan_req->wdev == wdev) {
1483 + if (WARN_ON(!rdev->scan_req->notified))
1484 + rdev->scan_req->aborted = true;
1485 + ___cfg80211_scan_done(rdev, false);
1488 if (WARN_ON(rdev->sched_scan_req &&
1489 rdev->sched_scan_req->dev == wdev->netdev)) {
1490 --- a/net/wireless/core.h
1491 +++ b/net/wireless/core.h
1492 @@ -62,6 +62,7 @@ struct cfg80211_registered_device {
1493 struct rb_root bss_tree;
1495 struct cfg80211_scan_request *scan_req; /* protected by RTNL */
1496 + struct sk_buff *scan_msg;
1497 struct cfg80211_sched_scan_request *sched_scan_req;
1498 unsigned long suspend_at;
1499 struct work_struct scan_done_wk;
1500 @@ -210,6 +211,7 @@ struct cfg80211_event {
1504 + struct ieee80211_channel *channel;
1508 @@ -257,7 +259,8 @@ int __cfg80211_leave_ibss(struct cfg8021
1509 struct net_device *dev, bool nowext);
1510 int cfg80211_leave_ibss(struct cfg80211_registered_device *rdev,
1511 struct net_device *dev, bool nowext);
1512 -void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid);
1513 +void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid,
1514 + struct ieee80211_channel *channel);
1515 int cfg80211_ibss_wext_join(struct cfg80211_registered_device *rdev,
1516 struct wireless_dev *wdev);
1518 @@ -361,7 +364,8 @@ int cfg80211_validate_key_settings(struc
1519 struct key_params *params, int key_idx,
1520 bool pairwise, const u8 *mac_addr);
1521 void __cfg80211_scan_done(struct work_struct *wk);
1522 -void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev);
1523 +void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev,
1524 + bool send_message);
1525 void __cfg80211_sched_scan_results(struct work_struct *wk);
1526 int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev,
1527 bool driver_initiated);
1528 @@ -441,7 +445,8 @@ static inline unsigned int elapsed_jiffi
1530 cfg80211_get_chan_state(struct wireless_dev *wdev,
1531 struct ieee80211_channel **chan,
1532 - enum cfg80211_chan_mode *chanmode);
1533 + enum cfg80211_chan_mode *chanmode,
1534 + u8 *radar_detect);
1536 int cfg80211_set_monitor_channel(struct cfg80211_registered_device *rdev,
1537 struct cfg80211_chan_def *chandef);
1538 --- a/net/wireless/nl80211.c
1539 +++ b/net/wireless/nl80211.c
1540 @@ -1723,9 +1723,10 @@ static int nl80211_dump_wiphy(struct sk_
1541 * We can then retry with the larger buffer.
1543 if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
1545 + !skb->len && !state->split &&
1546 cb->min_dump_alloc < 4096) {
1547 cb->min_dump_alloc = 4096;
1548 + state->split_start = 0;
1552 @@ -2047,10 +2048,12 @@ static int nl80211_set_wiphy(struct sk_b
1553 nla_for_each_nested(nl_txq_params,
1554 info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
1556 - nla_parse(tb, NL80211_TXQ_ATTR_MAX,
1557 - nla_data(nl_txq_params),
1558 - nla_len(nl_txq_params),
1559 - txq_params_policy);
1560 + result = nla_parse(tb, NL80211_TXQ_ATTR_MAX,
1561 + nla_data(nl_txq_params),
1562 + nla_len(nl_txq_params),
1563 + txq_params_policy);
1566 result = parse_txq_params(tb, &txq_params);
1569 @@ -3289,7 +3292,7 @@ static int nl80211_start_ap(struct sk_bu
1571 wdev->preset_chandef = params.chandef;
1572 wdev->beacon_interval = params.beacon_interval;
1573 - wdev->channel = params.chandef.chan;
1574 + wdev->chandef = params.chandef;
1575 wdev->ssid_len = params.ssid_len;
1576 memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
1578 @@ -5210,9 +5213,11 @@ static int nl80211_set_reg(struct sk_buf
1580 nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
1582 - nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
1583 - nla_data(nl_reg_rule), nla_len(nl_reg_rule),
1585 + r = nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
1586 + nla_data(nl_reg_rule), nla_len(nl_reg_rule),
1590 r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
1593 @@ -5277,7 +5282,7 @@ static int nl80211_trigger_scan(struct s
1594 if (!rdev->ops->scan)
1597 - if (rdev->scan_req) {
1598 + if (rdev->scan_req || rdev->scan_msg) {
1602 @@ -5475,6 +5480,7 @@ static int nl80211_start_sched_scan(stru
1603 enum ieee80211_band band;
1605 struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
1606 + s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
1608 if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
1609 !rdev->ops->sched_scan_start)
1610 @@ -5509,11 +5515,40 @@ static int nl80211_start_sched_scan(stru
1611 if (n_ssids > wiphy->max_sched_scan_ssids)
1614 - if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH])
1616 + * First, count the number of 'real' matchsets. Due to an issue with
1617 + * the old implementation, matchsets containing only the RSSI attribute
1618 + * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
1619 + * RSSI for all matchsets, rather than their own matchset for reporting
1620 + * all APs with a strong RSSI. This is needed to be compatible with
1621 + * older userspace that treated a matchset with only the RSSI as the
1622 + * global RSSI for all other matchsets - if there are other matchsets.
1624 + if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
1625 nla_for_each_nested(attr,
1626 info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
1630 + struct nlattr *rssi;
1632 + err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
1633 + nla_data(attr), nla_len(attr),
1634 + nl80211_match_policy);
1637 + /* add other standalone attributes here */
1638 + if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID]) {
1642 + rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
1644 + default_match_rssi = nla_get_s32(rssi);
1648 + /* However, if there's no other matchset, add the RSSI one */
1649 + if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
1652 if (n_match_sets > wiphy->max_match_sets)
1654 @@ -5634,11 +5669,22 @@ static int nl80211_start_sched_scan(stru
1656 struct nlattr *ssid, *rssi;
1658 - nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
1659 - nla_data(attr), nla_len(attr),
1660 - nl80211_match_policy);
1661 + err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
1662 + nla_data(attr), nla_len(attr),
1663 + nl80211_match_policy);
1666 ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
1668 + if (WARN_ON(i >= n_match_sets)) {
1669 + /* this indicates a programming error,
1670 + * the loop above should have verified
1677 if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
1680 @@ -5647,15 +5693,28 @@ static int nl80211_start_sched_scan(stru
1681 nla_data(ssid), nla_len(ssid));
1682 request->match_sets[i].ssid.ssid_len =
1684 + /* special attribute - old implemenation w/a */
1685 + request->match_sets[i].rssi_thold =
1686 + default_match_rssi;
1687 + rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
1689 + request->match_sets[i].rssi_thold =
1690 + nla_get_s32(rssi);
1692 - rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
1694 - request->rssi_thold = nla_get_u32(rssi);
1696 - request->rssi_thold =
1697 - NL80211_SCAN_RSSI_THOLD_OFF;
1701 + /* there was no other matchset, so the RSSI one is alone */
1703 + request->match_sets[0].rssi_thold = default_match_rssi;
1705 + request->min_rssi_thold = INT_MAX;
1706 + for (i = 0; i < n_match_sets; i++)
1707 + request->min_rssi_thold =
1708 + min(request->match_sets[i].rssi_thold,
1709 + request->min_rssi_thold);
1711 + request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
1714 if (info->attrs[NL80211_ATTR_IE]) {
1715 @@ -5751,7 +5810,7 @@ static int nl80211_start_radar_detection
1717 err = rdev->ops->start_radar_detection(&rdev->wiphy, dev, &chandef);
1719 - wdev->channel = chandef.chan;
1720 + wdev->chandef = chandef;
1721 wdev->cac_started = true;
1722 wdev->cac_start_time = jiffies;
1724 @@ -7502,16 +7561,19 @@ static int nl80211_set_tx_bitrate_mask(s
1725 * directly to the enum ieee80211_band values used in cfg80211.
1727 BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
1728 - nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem)
1730 + nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
1731 enum ieee80211_band band = nla_type(tx_rates);
1734 if (band < 0 || band >= IEEE80211_NUM_BANDS)
1736 sband = rdev->wiphy.bands[band];
1739 - nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates),
1740 - nla_len(tx_rates), nl80211_txattr_policy);
1741 + err = nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates),
1742 + nla_len(tx_rates), nl80211_txattr_policy);
1745 if (tb[NL80211_TXRATE_LEGACY]) {
1746 mask.control[band].legacy = rateset_to_mask(
1748 @@ -10054,40 +10116,31 @@ void nl80211_send_scan_start(struct cfg8
1749 NL80211_MCGRP_SCAN, GFP_KERNEL);
1752 -void nl80211_send_scan_done(struct cfg80211_registered_device *rdev,
1753 - struct wireless_dev *wdev)
1754 +struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
1755 + struct wireless_dev *wdev, bool aborted)
1757 struct sk_buff *msg;
1759 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1764 if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
1765 - NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
1766 + aborted ? NL80211_CMD_SCAN_ABORTED :
1767 + NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
1773 - genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
1774 - NL80211_MCGRP_SCAN, GFP_KERNEL);
1778 -void nl80211_send_scan_aborted(struct cfg80211_registered_device *rdev,
1779 - struct wireless_dev *wdev)
1780 +void nl80211_send_scan_result(struct cfg80211_registered_device *rdev,
1781 + struct sk_buff *msg)
1783 - struct sk_buff *msg;
1785 - msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1789 - if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
1790 - NL80211_CMD_SCAN_ABORTED) < 0) {
1795 genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
1796 NL80211_MCGRP_SCAN, GFP_KERNEL);
1798 @@ -11158,7 +11211,8 @@ void cfg80211_ch_switch_notify(struct ne
1799 wdev->iftype != NL80211_IFTYPE_MESH_POINT))
1802 - wdev->channel = chandef->chan;
1803 + wdev->chandef = *chandef;
1804 + wdev->preset_chandef = *chandef;
1805 nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL);
1807 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
1808 @@ -11673,6 +11727,35 @@ void cfg80211_crit_proto_stopped(struct
1810 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
1812 +void nl80211_send_ap_stopped(struct wireless_dev *wdev)
1814 + struct wiphy *wiphy = wdev->wiphy;
1815 + struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
1816 + struct sk_buff *msg;
1819 + msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1823 + hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
1827 + if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
1828 + nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
1829 + nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
1832 + genlmsg_end(msg, hdr);
1834 + genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
1835 + NL80211_MCGRP_MLME, GFP_KERNEL);
1841 /* initialisation/exit functions */
1843 int nl80211_init(void)
1844 --- a/net/wireless/nl80211.h
1845 +++ b/net/wireless/nl80211.h
1846 @@ -8,10 +8,10 @@ void nl80211_exit(void);
1847 void nl80211_notify_dev_rename(struct cfg80211_registered_device *rdev);
1848 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
1849 struct wireless_dev *wdev);
1850 -void nl80211_send_scan_done(struct cfg80211_registered_device *rdev,
1851 - struct wireless_dev *wdev);
1852 -void nl80211_send_scan_aborted(struct cfg80211_registered_device *rdev,
1853 - struct wireless_dev *wdev);
1854 +struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
1855 + struct wireless_dev *wdev, bool aborted);
1856 +void nl80211_send_scan_result(struct cfg80211_registered_device *rdev,
1857 + struct sk_buff *msg);
1858 void nl80211_send_sched_scan(struct cfg80211_registered_device *rdev,
1859 struct net_device *netdev, u32 cmd);
1860 void nl80211_send_sched_scan_results(struct cfg80211_registered_device *rdev,
1861 @@ -74,6 +74,8 @@ nl80211_radar_notify(struct cfg80211_reg
1862 enum nl80211_radar_event event,
1863 struct net_device *netdev, gfp_t gfp);
1865 +void nl80211_send_ap_stopped(struct wireless_dev *wdev);
1867 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev);
1869 #endif /* __NET_WIRELESS_NL80211_H */
1870 --- a/net/wireless/scan.c
1871 +++ b/net/wireless/scan.c
1872 @@ -161,18 +161,25 @@ static void __cfg80211_bss_expire(struct
1873 dev->bss_generation++;
1876 -void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev)
1877 +void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev,
1878 + bool send_message)
1880 struct cfg80211_scan_request *request;
1881 struct wireless_dev *wdev;
1882 + struct sk_buff *msg;
1883 #ifdef CPTCFG_CFG80211_WEXT
1884 union iwreq_data wrqu;
1889 - request = rdev->scan_req;
1890 + if (rdev->scan_msg) {
1891 + nl80211_send_scan_result(rdev, rdev->scan_msg);
1892 + rdev->scan_msg = NULL;
1896 + request = rdev->scan_req;
1900 @@ -186,18 +193,16 @@ void ___cfg80211_scan_done(struct cfg802
1902 cfg80211_sme_scan_done(wdev->netdev);
1904 - if (request->aborted) {
1905 - nl80211_send_scan_aborted(rdev, wdev);
1907 - if (request->flags & NL80211_SCAN_FLAG_FLUSH) {
1908 - /* flush entries from previous scans */
1909 - spin_lock_bh(&rdev->bss_lock);
1910 - __cfg80211_bss_expire(rdev, request->scan_start);
1911 - spin_unlock_bh(&rdev->bss_lock);
1913 - nl80211_send_scan_done(rdev, wdev);
1914 + if (!request->aborted &&
1915 + request->flags & NL80211_SCAN_FLAG_FLUSH) {
1916 + /* flush entries from previous scans */
1917 + spin_lock_bh(&rdev->bss_lock);
1918 + __cfg80211_bss_expire(rdev, request->scan_start);
1919 + spin_unlock_bh(&rdev->bss_lock);
1922 + msg = nl80211_build_scan_msg(rdev, wdev, request->aborted);
1924 #ifdef CPTCFG_CFG80211_WEXT
1925 if (wdev->netdev && !request->aborted) {
1926 memset(&wrqu, 0, sizeof(wrqu));
1927 @@ -211,6 +216,11 @@ void ___cfg80211_scan_done(struct cfg802
1929 rdev->scan_req = NULL;
1932 + if (!send_message)
1933 + rdev->scan_msg = msg;
1935 + nl80211_send_scan_result(rdev, msg);
1938 void __cfg80211_scan_done(struct work_struct *wk)
1939 @@ -221,7 +231,7 @@ void __cfg80211_scan_done(struct work_st
1943 - ___cfg80211_scan_done(rdev);
1944 + ___cfg80211_scan_done(rdev, true);
1948 @@ -1079,7 +1089,7 @@ int cfg80211_wext_siwscan(struct net_dev
1950 return PTR_ERR(rdev);
1952 - if (rdev->scan_req) {
1953 + if (rdev->scan_req || rdev->scan_msg) {
1957 @@ -1481,7 +1491,7 @@ int cfg80211_wext_giwscan(struct net_dev
1959 return PTR_ERR(rdev);
1961 - if (rdev->scan_req)
1962 + if (rdev->scan_req || rdev->scan_msg)
1965 res = ieee80211_scan_results(rdev, info, extra, data->length);
1966 --- a/net/wireless/sme.c
1967 +++ b/net/wireless/sme.c
1968 @@ -67,7 +67,7 @@ static int cfg80211_conn_scan(struct wir
1969 ASSERT_RDEV_LOCK(rdev);
1970 ASSERT_WDEV_LOCK(wdev);
1972 - if (rdev->scan_req)
1973 + if (rdev->scan_req || rdev->scan_msg)
1976 if (wdev->conn->params.channel)
1977 --- a/net/mac80211/mlme.c
1978 +++ b/net/mac80211/mlme.c
1979 @@ -1001,7 +1001,6 @@ ieee80211_sta_process_chanswitch(struct
1982 ifmgd->flags |= IEEE80211_STA_CSA_RECEIVED;
1983 - sdata->vif.csa_active = true;
1985 mutex_lock(&local->chanctx_mtx);
1986 if (local->use_chanctx) {
1987 @@ -1039,6 +1038,7 @@ ieee80211_sta_process_chanswitch(struct
1988 mutex_unlock(&local->chanctx_mtx);
1990 sdata->csa_chandef = csa_ie.chandef;
1991 + sdata->vif.csa_active = true;
1994 ieee80211_stop_queues_by_reason(&local->hw,
1995 --- a/net/mac80211/chan.c
1996 +++ b/net/mac80211/chan.c
1997 @@ -196,6 +196,8 @@ static bool ieee80211_is_radar_required(
1999 struct ieee80211_sub_if_data *sdata;
2001 + lockdep_assert_held(&local->mtx);
2004 list_for_each_entry_rcu(sdata, &local->interfaces, list) {
2005 if (sdata->radar_required) {
2006 --- a/net/mac80211/ibss.c
2007 +++ b/net/mac80211/ibss.c
2008 @@ -294,7 +294,6 @@ static void __ieee80211_sta_join_ibss(st
2011 mutex_lock(&local->mtx);
2012 - ieee80211_vif_release_channel(sdata);
2013 if (ieee80211_vif_use_channel(sdata, &chandef,
2014 ifibss->fixed_channel ?
2015 IEEE80211_CHANCTX_SHARED :
2016 @@ -303,6 +302,7 @@ static void __ieee80211_sta_join_ibss(st
2017 mutex_unlock(&local->mtx);
2020 + sdata->radar_required = radar_required;
2021 mutex_unlock(&local->mtx);
2023 memcpy(ifibss->bssid, bssid, ETH_ALEN);
2024 @@ -318,7 +318,6 @@ static void __ieee80211_sta_join_ibss(st
2025 rcu_assign_pointer(ifibss->presp, presp);
2026 mgmt = (void *)presp->head;
2028 - sdata->radar_required = radar_required;
2029 sdata->vif.bss_conf.enable_beacon = true;
2030 sdata->vif.bss_conf.beacon_int = beacon_int;
2031 sdata->vif.bss_conf.basic_rates = basic_rates;
2032 @@ -386,7 +385,7 @@ static void __ieee80211_sta_join_ibss(st
2033 presp->head_len, 0, GFP_KERNEL);
2034 cfg80211_put_bss(local->hw.wiphy, bss);
2035 netif_carrier_on(sdata->dev);
2036 - cfg80211_ibss_joined(sdata->dev, ifibss->bssid, GFP_KERNEL);
2037 + cfg80211_ibss_joined(sdata->dev, ifibss->bssid, chan, GFP_KERNEL);
2040 static void ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
2041 @@ -802,6 +801,8 @@ ieee80211_ibss_process_chanswitch(struct
2045 + sdata_assert_lock(sdata);
2047 sta_flags = IEEE80211_STA_DISABLE_VHT;
2048 switch (ifibss->chandef.width) {
2049 case NL80211_CHAN_WIDTH_5:
2050 @@ -1471,6 +1472,11 @@ static void ieee80211_rx_mgmt_probe_req(
2051 memcpy(((struct ieee80211_mgmt *) skb->data)->da, mgmt->sa, ETH_ALEN);
2052 ibss_dbg(sdata, "Sending ProbeResp to %pM\n", mgmt->sa);
2053 IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
2055 + /* avoid excessive retries for probe request to wildcard SSIDs */
2057 + IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_NO_ACK;
2059 ieee80211_tx_skb(sdata, skb);
2062 --- a/net/mac80211/mesh.c
2063 +++ b/net/mac80211/mesh.c
2064 @@ -872,6 +872,8 @@ ieee80211_mesh_process_chnswitch(struct
2065 if (!ifmsh->mesh_id)
2068 + sdata_assert_lock(sdata);
2070 sta_flags = IEEE80211_STA_DISABLE_VHT;
2071 switch (sdata->vif.bss_conf.chandef.width) {
2072 case NL80211_CHAN_WIDTH_20_NOHT:
2073 --- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
2074 +++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
2075 @@ -4658,6 +4658,7 @@ brcmf_notify_connect_status(struct brcmf
2076 struct brcmf_cfg80211_info *cfg = ifp->drvr->config;
2077 struct net_device *ndev = ifp->ndev;
2078 struct brcmf_cfg80211_profile *profile = &ifp->vif->profile;
2079 + struct ieee80211_channel *chan;
2082 if (ifp->vif->mode == WL_MODE_AP) {
2083 @@ -4665,9 +4666,10 @@ brcmf_notify_connect_status(struct brcmf
2084 } else if (brcmf_is_linkup(e)) {
2085 brcmf_dbg(CONN, "Linkup\n");
2086 if (brcmf_is_ibssmode(ifp->vif)) {
2087 + chan = ieee80211_get_channel(cfg->wiphy, cfg->channel);
2088 memcpy(profile->bssid, e->addr, ETH_ALEN);
2089 wl_inform_ibss(cfg, ndev, e->addr);
2090 - cfg80211_ibss_joined(ndev, e->addr, GFP_KERNEL);
2091 + cfg80211_ibss_joined(ndev, e->addr, chan, GFP_KERNEL);
2092 clear_bit(BRCMF_VIF_STATUS_CONNECTING,
2093 &ifp->vif->sme_state);
2094 set_bit(BRCMF_VIF_STATUS_CONNECTED,
2095 --- a/drivers/net/wireless/libertas/cfg.c
2096 +++ b/drivers/net/wireless/libertas/cfg.c
2097 @@ -1766,7 +1766,8 @@ static void lbs_join_post(struct lbs_pri
2098 memcpy(priv->wdev->ssid, params->ssid, params->ssid_len);
2099 priv->wdev->ssid_len = params->ssid_len;
2101 - cfg80211_ibss_joined(priv->dev, bssid, GFP_KERNEL);
2102 + cfg80211_ibss_joined(priv->dev, bssid, params->chandef.chan,
2105 /* TODO: consider doing this at MACREG_INT_CODE_LINK_SENSED time */
2106 priv->connect_status = LBS_CONNECTED;
2107 --- a/drivers/net/wireless/mwifiex/cfg80211.c
2108 +++ b/drivers/net/wireless/mwifiex/cfg80211.c
2109 @@ -1881,7 +1881,8 @@ mwifiex_cfg80211_join_ibss(struct wiphy
2113 - cfg80211_ibss_joined(priv->netdev, priv->cfg_bssid, GFP_KERNEL);
2114 + cfg80211_ibss_joined(priv->netdev, priv->cfg_bssid,
2115 + params->chandef.chan, GFP_KERNEL);
2116 dev_dbg(priv->adapter->dev,
2117 "info: joined/created adhoc network with bssid"
2118 " %pM successfully\n", priv->cfg_bssid);
2119 --- a/drivers/net/wireless/rndis_wlan.c
2120 +++ b/drivers/net/wireless/rndis_wlan.c
2121 @@ -2835,7 +2835,9 @@ static void rndis_wlan_do_link_up_work(s
2122 bssid, req_ie, req_ie_len,
2123 resp_ie, resp_ie_len, GFP_KERNEL);
2124 } else if (priv->infra_mode == NDIS_80211_INFRA_ADHOC)
2125 - cfg80211_ibss_joined(usbdev->net, bssid, GFP_KERNEL);
2126 + cfg80211_ibss_joined(usbdev->net, bssid,
2127 + get_current_channel(usbdev, NULL),
2132 --- a/net/wireless/ibss.c
2133 +++ b/net/wireless/ibss.c
2135 #include "rdev-ops.h"
2138 -void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid)
2139 +void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid,
2140 + struct ieee80211_channel *channel)
2142 struct wireless_dev *wdev = dev->ieee80211_ptr;
2143 struct cfg80211_bss *bss;
2144 @@ -28,8 +29,7 @@ void __cfg80211_ibss_joined(struct net_d
2145 if (!wdev->ssid_len)
2148 - bss = cfg80211_get_bss(wdev->wiphy, NULL, bssid,
2149 - wdev->ssid, wdev->ssid_len,
2150 + bss = cfg80211_get_bss(wdev->wiphy, channel, bssid, NULL, 0,
2151 WLAN_CAPABILITY_IBSS, WLAN_CAPABILITY_IBSS);
2154 @@ -54,21 +54,26 @@ void __cfg80211_ibss_joined(struct net_d
2158 -void cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid, gfp_t gfp)
2159 +void cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid,
2160 + struct ieee80211_channel *channel, gfp_t gfp)
2162 struct wireless_dev *wdev = dev->ieee80211_ptr;
2163 struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
2164 struct cfg80211_event *ev;
2165 unsigned long flags;
2167 - trace_cfg80211_ibss_joined(dev, bssid);
2168 + trace_cfg80211_ibss_joined(dev, bssid, channel);
2170 + if (WARN_ON(!channel))
2173 ev = kzalloc(sizeof(*ev), gfp);
2177 ev->type = EVENT_IBSS_JOINED;
2178 - memcpy(ev->cr.bssid, bssid, ETH_ALEN);
2179 + memcpy(ev->ij.bssid, bssid, ETH_ALEN);
2180 + ev->ij.channel = channel;
2182 spin_lock_irqsave(&wdev->event_lock, flags);
2183 list_add_tail(&ev->list, &wdev->event_list);
2184 @@ -117,6 +122,7 @@ int __cfg80211_join_ibss(struct cfg80211
2186 wdev->ibss_fixed = params->channel_fixed;
2187 wdev->ibss_dfs_possible = params->userspace_handles_dfs;
2188 + wdev->chandef = params->chandef;
2189 #ifdef CPTCFG_CFG80211_WEXT
2190 wdev->wext.ibss.chandef = params->chandef;
2192 @@ -200,6 +206,7 @@ static void __cfg80211_clear_ibss(struct
2194 wdev->current_bss = NULL;
2196 + memset(&wdev->chandef, 0, sizeof(wdev->chandef));
2197 #ifdef CPTCFG_CFG80211_WEXT
2199 wdev->wext.ibss.ssid_len = 0;
2200 --- a/net/wireless/trace.h
2201 +++ b/net/wireless/trace.h
2202 @@ -2278,11 +2278,6 @@ DECLARE_EVENT_CLASS(cfg80211_rx_evt,
2203 TP_printk(NETDEV_PR_FMT ", " MAC_PR_FMT, NETDEV_PR_ARG, MAC_PR_ARG(addr))
2206 -DEFINE_EVENT(cfg80211_rx_evt, cfg80211_ibss_joined,
2207 - TP_PROTO(struct net_device *netdev, const u8 *addr),
2208 - TP_ARGS(netdev, addr)
2211 DEFINE_EVENT(cfg80211_rx_evt, cfg80211_rx_spurious_frame,
2212 TP_PROTO(struct net_device *netdev, const u8 *addr),
2213 TP_ARGS(netdev, addr)
2214 @@ -2293,6 +2288,24 @@ DEFINE_EVENT(cfg80211_rx_evt, cfg80211_r
2215 TP_ARGS(netdev, addr)
2218 +TRACE_EVENT(cfg80211_ibss_joined,
2219 + TP_PROTO(struct net_device *netdev, const u8 *bssid,
2220 + struct ieee80211_channel *channel),
2221 + TP_ARGS(netdev, bssid, channel),
2229 + MAC_ASSIGN(bssid, bssid);
2230 + CHAN_ASSIGN(channel);
2232 + TP_printk(NETDEV_PR_FMT ", bssid: " MAC_PR_FMT ", " CHAN_PR_FMT,
2233 + NETDEV_PR_ARG, MAC_PR_ARG(bssid), CHAN_PR_ARG)
2236 TRACE_EVENT(cfg80211_probe_status,
2237 TP_PROTO(struct net_device *netdev, const u8 *addr, u64 cookie,
2239 --- a/net/wireless/util.c
2240 +++ b/net/wireless/util.c
2241 @@ -820,7 +820,8 @@ void cfg80211_process_wdev_events(struct
2242 ev->dc.reason, true);
2244 case EVENT_IBSS_JOINED:
2245 - __cfg80211_ibss_joined(wdev->netdev, ev->ij.bssid);
2246 + __cfg80211_ibss_joined(wdev->netdev, ev->ij.bssid,
2251 @@ -1356,7 +1357,7 @@ int cfg80211_can_use_iftype_chan(struct
2253 mutex_lock_nested(&wdev_iter->mtx, 1);
2254 __acquire(wdev_iter->mtx);
2255 - cfg80211_get_chan_state(wdev_iter, &ch, &chmode);
2256 + cfg80211_get_chan_state(wdev_iter, &ch, &chmode, &radar_detect);
2257 wdev_unlock(wdev_iter);
2260 --- a/net/wireless/chan.c
2261 +++ b/net/wireless/chan.c
2262 @@ -642,7 +642,8 @@ int cfg80211_set_monitor_channel(struct
2264 cfg80211_get_chan_state(struct wireless_dev *wdev,
2265 struct ieee80211_channel **chan,
2266 - enum cfg80211_chan_mode *chanmode)
2267 + enum cfg80211_chan_mode *chanmode,
2271 *chanmode = CHAN_MODE_UNDEFINED;
2272 @@ -660,6 +661,11 @@ cfg80211_get_chan_state(struct wireless_
2273 !wdev->ibss_dfs_possible)
2275 : CHAN_MODE_EXCLUSIVE;
2277 + /* consider worst-case - IBSS can try to return to the
2278 + * original user-specified channel as creator */
2279 + if (wdev->ibss_dfs_possible)
2280 + *radar_detect |= BIT(wdev->chandef.width);
2284 @@ -674,17 +680,26 @@ cfg80211_get_chan_state(struct wireless_
2285 case NL80211_IFTYPE_AP:
2286 case NL80211_IFTYPE_P2P_GO:
2287 if (wdev->cac_started) {
2288 - *chan = wdev->channel;
2289 + *chan = wdev->chandef.chan;
2290 *chanmode = CHAN_MODE_SHARED;
2291 + *radar_detect |= BIT(wdev->chandef.width);
2292 } else if (wdev->beacon_interval) {
2293 - *chan = wdev->channel;
2294 + *chan = wdev->chandef.chan;
2295 *chanmode = CHAN_MODE_SHARED;
2297 + if (cfg80211_chandef_dfs_required(wdev->wiphy,
2299 + *radar_detect |= BIT(wdev->chandef.width);
2302 case NL80211_IFTYPE_MESH_POINT:
2303 if (wdev->mesh_id_len) {
2304 - *chan = wdev->channel;
2305 + *chan = wdev->chandef.chan;
2306 *chanmode = CHAN_MODE_SHARED;
2308 + if (cfg80211_chandef_dfs_required(wdev->wiphy,
2310 + *radar_detect |= BIT(wdev->chandef.width);
2313 case NL80211_IFTYPE_MONITOR:
2314 --- a/net/wireless/mesh.c
2315 +++ b/net/wireless/mesh.c
2316 @@ -195,7 +195,7 @@ int __cfg80211_join_mesh(struct cfg80211
2318 memcpy(wdev->ssid, setup->mesh_id, setup->mesh_id_len);
2319 wdev->mesh_id_len = setup->mesh_id_len;
2320 - wdev->channel = setup->chandef.chan;
2321 + wdev->chandef = setup->chandef;
2325 @@ -244,7 +244,7 @@ int cfg80211_set_mesh_channel(struct cfg
2326 err = rdev_libertas_set_mesh_channel(rdev, wdev->netdev,
2329 - wdev->channel = chandef->chan;
2330 + wdev->chandef = *chandef;
2334 @@ -276,7 +276,7 @@ static int __cfg80211_leave_mesh(struct
2335 err = rdev_leave_mesh(rdev, dev);
2337 wdev->mesh_id_len = 0;
2338 - wdev->channel = NULL;
2339 + memset(&wdev->chandef, 0, sizeof(wdev->chandef));
2340 rdev_set_qos_map(rdev, dev, NULL);
2343 --- a/net/wireless/mlme.c
2344 +++ b/net/wireless/mlme.c
2345 @@ -772,7 +772,7 @@ void cfg80211_cac_event(struct net_devic
2346 if (WARN_ON(!wdev->cac_started))
2349 - if (WARN_ON(!wdev->channel))
2350 + if (WARN_ON(!wdev->chandef.chan))
2354 --- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
2355 +++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
2356 @@ -5065,6 +5065,10 @@ static u16 ar9003_hw_get_max_edge_power(
2361 + if (is2GHz && !twiceMaxEdgePower)
2362 + twiceMaxEdgePower = 60;
2364 return twiceMaxEdgePower;
2367 --- a/drivers/net/wireless/ath/ath9k/ar9003_calib.c
2368 +++ b/drivers/net/wireless/ath/ath9k/ar9003_calib.c
2370 #define MAX_MEASUREMENT MAX_IQCAL_MEASUREMENT
2371 #define MAX_MAG_DELTA 11
2372 #define MAX_PHS_DELTA 10
2376 - int mag_coeff[AR9300_MAX_CHAINS][MAX_MEASUREMENT];
2377 - int phs_coeff[AR9300_MAX_CHAINS][MAX_MEASUREMENT];
2378 + int mag_coeff[AR9300_MAX_CHAINS][MAX_MEASUREMENT][MAXIQCAL];
2379 + int phs_coeff[AR9300_MAX_CHAINS][MAX_MEASUREMENT][MAXIQCAL];
2383 @@ -800,7 +801,7 @@ static bool ar9003_hw_calc_iq_corr(struc
2387 - iqc_coeff[0] = (q_q_coff * 128) + q_i_coff;
2388 + iqc_coeff[0] = (q_q_coff * 128) + (0x7f & q_i_coff);
2390 ath_dbg(common, CALIBRATE, "tx chain %d: iq corr coeff=%x\n",
2391 chain_idx, iqc_coeff[0]);
2392 @@ -831,7 +832,7 @@ static bool ar9003_hw_calc_iq_corr(struc
2396 - iqc_coeff[1] = (q_q_coff * 128) + q_i_coff;
2397 + iqc_coeff[1] = (q_q_coff * 128) + (0x7f & q_i_coff);
2399 ath_dbg(common, CALIBRATE, "rx chain %d: iq corr coeff=%x\n",
2400 chain_idx, iqc_coeff[1]);
2401 @@ -839,7 +840,8 @@ static bool ar9003_hw_calc_iq_corr(struc
2405 -static void ar9003_hw_detect_outlier(int *mp_coeff, int nmeasurement,
2406 +static void ar9003_hw_detect_outlier(int mp_coeff[][MAXIQCAL],
2410 int mp_max = -64, max_idx = 0;
2411 @@ -848,20 +850,20 @@ static void ar9003_hw_detect_outlier(int
2413 /* find min/max mismatch across all calibrated gains */
2414 for (i = 0; i < nmeasurement; i++) {
2415 - if (mp_coeff[i] > mp_max) {
2416 - mp_max = mp_coeff[i];
2417 + if (mp_coeff[i][0] > mp_max) {
2418 + mp_max = mp_coeff[i][0];
2420 - } else if (mp_coeff[i] < mp_min) {
2421 - mp_min = mp_coeff[i];
2422 + } else if (mp_coeff[i][0] < mp_min) {
2423 + mp_min = mp_coeff[i][0];
2428 /* find average (exclude max abs value) */
2429 for (i = 0; i < nmeasurement; i++) {
2430 - if ((abs(mp_coeff[i]) < abs(mp_max)) ||
2431 - (abs(mp_coeff[i]) < abs(mp_min))) {
2432 - mp_avg += mp_coeff[i];
2433 + if ((abs(mp_coeff[i][0]) < abs(mp_max)) ||
2434 + (abs(mp_coeff[i][0]) < abs(mp_min))) {
2435 + mp_avg += mp_coeff[i][0];
2439 @@ -873,7 +875,7 @@ static void ar9003_hw_detect_outlier(int
2443 - mp_avg = mp_coeff[nmeasurement - 1];
2444 + mp_avg = mp_coeff[nmeasurement - 1][0];
2446 /* detect outlier */
2447 if (abs(mp_max - mp_min) > max_delta) {
2448 @@ -882,15 +884,16 @@ static void ar9003_hw_detect_outlier(int
2450 outlier_idx = min_idx;
2452 - mp_coeff[outlier_idx] = mp_avg;
2453 + mp_coeff[outlier_idx][0] = mp_avg;
2457 -static void ar9003_hw_tx_iqcal_load_avg_2_passes(struct ath_hw *ah,
2458 - struct coeff *coeff,
2460 +static void ar9003_hw_tx_iq_cal_outlier_detection(struct ath_hw *ah,
2461 + struct coeff *coeff,
2464 int i, im, nmeasurement;
2465 + int magnitude, phase;
2466 u32 tx_corr_coeff[MAX_MEASUREMENT][AR9300_MAX_CHAINS];
2467 struct ath9k_hw_cal_data *caldata = ah->caldata;
2469 @@ -920,21 +923,30 @@ static void ar9003_hw_tx_iqcal_load_avg_
2470 if (nmeasurement > MAX_MEASUREMENT)
2471 nmeasurement = MAX_MEASUREMENT;
2473 - /* detect outlier only if nmeasurement > 1 */
2474 - if (nmeasurement > 1) {
2475 - /* Detect magnitude outlier */
2476 - ar9003_hw_detect_outlier(coeff->mag_coeff[i],
2477 - nmeasurement, MAX_MAG_DELTA);
2479 - /* Detect phase outlier */
2480 - ar9003_hw_detect_outlier(coeff->phs_coeff[i],
2481 - nmeasurement, MAX_PHS_DELTA);
2483 + * Skip normal outlier detection for AR9550.
2485 + if (!AR_SREV_9550(ah)) {
2486 + /* detect outlier only if nmeasurement > 1 */
2487 + if (nmeasurement > 1) {
2488 + /* Detect magnitude outlier */
2489 + ar9003_hw_detect_outlier(coeff->mag_coeff[i],
2493 + /* Detect phase outlier */
2494 + ar9003_hw_detect_outlier(coeff->phs_coeff[i],
2500 for (im = 0; im < nmeasurement; im++) {
2501 + magnitude = coeff->mag_coeff[i][im][0];
2502 + phase = coeff->phs_coeff[i][im][0];
2504 - coeff->iqc_coeff[0] = (coeff->mag_coeff[i][im] & 0x7f) |
2505 - ((coeff->phs_coeff[i][im] & 0x7f) << 7);
2506 + coeff->iqc_coeff[0] =
2507 + (phase & 0x7f) | ((magnitude & 0x7f) << 7);
2510 REG_RMW_FIELD(ah, tx_corr_coeff[im][i],
2511 @@ -991,7 +1003,63 @@ static bool ar9003_hw_tx_iq_cal_run(stru
2515 -static void ar9003_hw_tx_iq_cal_post_proc(struct ath_hw *ah, bool is_reusable)
2516 +static void __ar955x_tx_iq_cal_sort(struct ath_hw *ah,
2517 + struct coeff *coeff,
2518 + int i, int nmeasurement)
2520 + struct ath_common *common = ath9k_hw_common(ah);
2521 + int im, ix, iy, temp;
2523 + for (im = 0; im < nmeasurement; im++) {
2524 + for (ix = 0; ix < MAXIQCAL - 1; ix++) {
2525 + for (iy = ix + 1; iy <= MAXIQCAL - 1; iy++) {
2526 + if (coeff->mag_coeff[i][im][iy] <
2527 + coeff->mag_coeff[i][im][ix]) {
2528 + temp = coeff->mag_coeff[i][im][ix];
2529 + coeff->mag_coeff[i][im][ix] =
2530 + coeff->mag_coeff[i][im][iy];
2531 + coeff->mag_coeff[i][im][iy] = temp;
2533 + if (coeff->phs_coeff[i][im][iy] <
2534 + coeff->phs_coeff[i][im][ix]) {
2535 + temp = coeff->phs_coeff[i][im][ix];
2536 + coeff->phs_coeff[i][im][ix] =
2537 + coeff->phs_coeff[i][im][iy];
2538 + coeff->phs_coeff[i][im][iy] = temp;
2542 + coeff->mag_coeff[i][im][0] = coeff->mag_coeff[i][im][MAXIQCAL / 2];
2543 + coeff->phs_coeff[i][im][0] = coeff->phs_coeff[i][im][MAXIQCAL / 2];
2545 + ath_dbg(common, CALIBRATE,
2546 + "IQCAL: Median [ch%d][gain%d]: mag = %d phase = %d\n",
2548 + coeff->mag_coeff[i][im][0],
2549 + coeff->phs_coeff[i][im][0]);
2553 +static bool ar955x_tx_iq_cal_median(struct ath_hw *ah,
2554 + struct coeff *coeff,
2560 + if ((iqcal_idx + 1) != MAXIQCAL)
2563 + for (i = 0; i < AR9300_MAX_CHAINS; i++) {
2564 + __ar955x_tx_iq_cal_sort(ah, coeff, i, nmeasurement);
2570 +static void ar9003_hw_tx_iq_cal_post_proc(struct ath_hw *ah,
2574 struct ath_common *common = ath9k_hw_common(ah);
2575 const u32 txiqcal_status[AR9300_MAX_CHAINS] = {
2576 @@ -1004,10 +1072,11 @@ static void ar9003_hw_tx_iq_cal_post_pro
2577 AR_PHY_CHAN_INFO_TAB_1,
2578 AR_PHY_CHAN_INFO_TAB_2,
2580 - struct coeff coeff;
2581 + static struct coeff coeff;
2585 + int nmeasurement = 0;
2586 + bool outlier_detect = true;
2588 for (i = 0; i < AR9300_MAX_CHAINS; i++) {
2589 if (!(ah->txchainmask & (1 << i)))
2590 @@ -1065,17 +1134,23 @@ static void ar9003_hw_tx_iq_cal_post_pro
2594 - coeff.mag_coeff[i][im] = coeff.iqc_coeff[0] & 0x7f;
2595 - coeff.phs_coeff[i][im] =
2596 + coeff.phs_coeff[i][im][iqcal_idx] =
2597 + coeff.iqc_coeff[0] & 0x7f;
2598 + coeff.mag_coeff[i][im][iqcal_idx] =
2599 (coeff.iqc_coeff[0] >> 7) & 0x7f;
2601 - if (coeff.mag_coeff[i][im] > 63)
2602 - coeff.mag_coeff[i][im] -= 128;
2603 - if (coeff.phs_coeff[i][im] > 63)
2604 - coeff.phs_coeff[i][im] -= 128;
2605 + if (coeff.mag_coeff[i][im][iqcal_idx] > 63)
2606 + coeff.mag_coeff[i][im][iqcal_idx] -= 128;
2607 + if (coeff.phs_coeff[i][im][iqcal_idx] > 63)
2608 + coeff.phs_coeff[i][im][iqcal_idx] -= 128;
2611 - ar9003_hw_tx_iqcal_load_avg_2_passes(ah, &coeff, is_reusable);
2613 + if (AR_SREV_9550(ah))
2614 + outlier_detect = ar955x_tx_iq_cal_median(ah, &coeff,
2615 + iqcal_idx, nmeasurement);
2616 + if (outlier_detect)
2617 + ar9003_hw_tx_iq_cal_outlier_detection(ah, &coeff, is_reusable);
2621 @@ -1409,7 +1484,7 @@ skip_tx_iqcal:
2625 - ar9003_hw_tx_iq_cal_post_proc(ah, is_reusable);
2626 + ar9003_hw_tx_iq_cal_post_proc(ah, 0, is_reusable);
2627 else if (caldata && test_bit(TXIQCAL_DONE, &caldata->cal_flags))
2628 ar9003_hw_tx_iq_cal_reload(ah);
2630 @@ -1455,14 +1530,38 @@ skip_tx_iqcal:
2634 +static bool do_ar9003_agc_cal(struct ath_hw *ah)
2636 + struct ath_common *common = ath9k_hw_common(ah);
2639 + REG_WRITE(ah, AR_PHY_AGC_CONTROL,
2640 + REG_READ(ah, AR_PHY_AGC_CONTROL) |
2641 + AR_PHY_AGC_CONTROL_CAL);
2643 + status = ath9k_hw_wait(ah, AR_PHY_AGC_CONTROL,
2644 + AR_PHY_AGC_CONTROL_CAL,
2645 + 0, AH_WAIT_TIMEOUT);
2647 + ath_dbg(common, CALIBRATE,
2648 + "offset calibration failed to complete in %d ms,"
2649 + "noisy environment?\n",
2650 + AH_WAIT_TIMEOUT / 1000);
2657 static bool ar9003_hw_init_cal_soc(struct ath_hw *ah,
2658 struct ath9k_channel *chan)
2660 struct ath_common *common = ath9k_hw_common(ah);
2661 struct ath9k_hw_cal_data *caldata = ah->caldata;
2662 bool txiqcal_done = false;
2663 - bool is_reusable = true, status = true;
2664 + bool status = true;
2665 bool run_agc_cal = false, sep_iq_cal = false;
2668 /* Use chip chainmask only for calibration */
2669 ar9003_hw_set_chain_masks(ah, ah->caps.rx_chainmask, ah->caps.tx_chainmask);
2670 @@ -1485,7 +1584,12 @@ static bool ar9003_hw_init_cal_soc(struc
2671 * AGC calibration. Specifically, AR9550 in SoC chips.
2673 if (ah->enabled_cals & TX_IQ_ON_AGC_CAL) {
2674 - txiqcal_done = true;
2675 + if (REG_READ_FIELD(ah, AR_PHY_TX_IQCAL_CONTROL_0,
2676 + AR_PHY_TX_IQCAL_CONTROL_0_ENABLE_TXIQ_CAL)) {
2677 + txiqcal_done = true;
2679 + txiqcal_done = false;
2684 @@ -1512,27 +1616,37 @@ skip_tx_iqcal:
2685 if (AR_SREV_9330_11(ah))
2686 ar9003_hw_manual_peak_cal(ah, 0, IS_CHAN_2GHZ(chan));
2688 - /* Calibrate the AGC */
2689 - REG_WRITE(ah, AR_PHY_AGC_CONTROL,
2690 - REG_READ(ah, AR_PHY_AGC_CONTROL) |
2691 - AR_PHY_AGC_CONTROL_CAL);
2693 - /* Poll for offset calibration complete */
2694 - status = ath9k_hw_wait(ah, AR_PHY_AGC_CONTROL,
2695 - AR_PHY_AGC_CONTROL_CAL,
2696 - 0, AH_WAIT_TIMEOUT);
2699 + * For non-AR9550 chips, we just trigger AGC calibration
2700 + * in the HW, poll for completion and then process
2703 + * For AR955x, we run it multiple times and use
2704 + * median IQ correction.
2706 + if (!AR_SREV_9550(ah)) {
2707 + status = do_ar9003_agc_cal(ah);
2712 - ath_dbg(common, CALIBRATE,
2713 - "offset calibration failed to complete in %d ms; noisy environment?\n",
2714 - AH_WAIT_TIMEOUT / 1000);
2717 + ar9003_hw_tx_iq_cal_post_proc(ah, 0, false);
2719 + if (!txiqcal_done) {
2720 + status = do_ar9003_agc_cal(ah);
2724 + for (i = 0; i < MAXIQCAL; i++) {
2725 + status = do_ar9003_agc_cal(ah);
2728 + ar9003_hw_tx_iq_cal_post_proc(ah, i, false);
2735 - ar9003_hw_tx_iq_cal_post_proc(ah, is_reusable);
2737 /* Revert chainmask to runtime parameters */
2738 ar9003_hw_set_chain_masks(ah, ah->rxchainmask, ah->txchainmask);
2740 --- a/drivers/net/wireless/rtl818x/rtl8187/rtl8187.h
2741 +++ b/drivers/net/wireless/rtl818x/rtl8187/rtl8187.h
2746 +#include <linux/cache.h>
2748 #include "rtl818x.h"
2751 @@ -139,7 +141,10 @@ struct rtl8187_priv {
2758 + u8 dummy1[L1_CACHE_BYTES];
2759 + } ____cacheline_aligned;
2760 struct sk_buff_head queue;
2761 } b_tx_status; /* This queue is used by both -b and non-b devices */
2762 struct mutex io_mutex;
2763 @@ -147,7 +152,8 @@ struct rtl8187_priv {
2768 + u8 dummy2[L1_CACHE_BYTES];
2769 + } *io_dmabuf ____cacheline_aligned;
2773 --- a/net/mac80211/wme.c
2774 +++ b/net/mac80211/wme.c
2775 @@ -154,6 +154,11 @@ u16 ieee80211_select_queue(struct ieee80
2776 return IEEE80211_AC_BE;
2779 + if (skb->protocol == sdata->control_port_protocol) {
2780 + skb->priority = 7;
2781 + return ieee80211_downgrade_queue(sdata, skb);
2784 /* use the data classifier to determine what 802.1d tag the
2787 --- a/drivers/net/wireless/ath/ath9k/xmit.c
2788 +++ b/drivers/net/wireless/ath/ath9k/xmit.c
2789 @@ -1444,14 +1444,16 @@ void ath_tx_aggr_sleep(struct ieee80211_
2790 for (tidno = 0, tid = &an->tid[tidno];
2791 tidno < IEEE80211_NUM_TIDS; tidno++, tid++) {
2799 ath_txq_lock(sc, txq);
2801 + if (!tid->sched) {
2802 + ath_txq_unlock(sc, txq);
2806 buffered = ath_tid_has_buffered(tid);
2809 --- a/drivers/net/wireless/ath/ath9k/init.c
2810 +++ b/drivers/net/wireless/ath/ath9k/init.c
2811 @@ -943,6 +943,7 @@ static void ath9k_set_hw_capab(struct at
2812 hw->wiphy->flags |= WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL;
2813 hw->wiphy->flags |= WIPHY_FLAG_SUPPORTS_5_10_MHZ;
2814 hw->wiphy->flags |= WIPHY_FLAG_HAS_CHANNEL_SWITCH;
2815 + hw->wiphy->flags |= WIPHY_FLAG_AP_UAPSD;