1 commit d84856012e0f10fe598a5ad3b7b869397a089e07
2 Author: Johannes Berg <johannes.berg@intel.com>
3 Date: Thu Feb 20 11:19:58 2014 +0100
5 mac80211: fix station wakeup powersave race
7 Consider the following (relatively unlikely) scenario:
8 1) station goes to sleep while frames are buffered in driver
9 2) driver blocks wakeup (until no more frames are buffered)
10 3) station wakes up again
11 4) driver unblocks wakeup
13 In this case, the current mac80211 code will do the following:
14 1) WLAN_STA_PS_STA set
15 2) WLAN_STA_PS_DRIVER set
17 4) WLAN_STA_PS_DRIVER cleared
19 As a result, no frames will be delivered to the client, even
20 though it is awake, until it sends another frame to us that
21 triggers ieee80211_sta_ps_deliver_wakeup() in sta_ps_end().
23 Since we now take the PS spinlock, we can fix this while at
24 the same time removing the complexity with the pending skb
25 queue function. This was broken since my commit 50a9432daeec
26 ("mac80211: fix powersaving clients races") due to removing
27 the clearing of WLAN_STA_PS_STA in the RX path.
29 While at it, fix a cleanup path issue when a station is
30 removed while the driver is still blocking its wakeup.
32 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
34 commit 798f2786602cbe93e6b928299614aa36ebf50692
35 Author: Johannes Berg <johannes.berg@intel.com>
36 Date: Mon Feb 17 20:49:03 2014 +0100
38 mac80211: insert stations before adding to driver
40 There's a race condition in mac80211 because we add stations
41 to the internal lists after adding them to the driver, which
42 means that (for example) the following can happen:
43 1. a station connects and is added
44 2. first, it is added to the driver
45 3. then, it is added to the mac80211 lists
47 If the station goes to sleep between steps 2 and 3, and the
48 firmware/hardware records it as being asleep, mac80211 will
49 never instruct the driver to wake it up again as it never
50 realized it went to sleep since the RX path discarded the
51 frame as a "spurious class 3 frame", no station entry was
54 Fix this by adding the station in software first, and only
55 then adding it to the driver. That way, any state that the
56 driver changes will be reflected properly in mac80211's
57 station state. The problematic part is the roll-back if the
58 driver fails to add the station, in that case a bit more is
59 needed. To not make that overly complex prevent starting BA
60 sessions in the meantime.
62 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
64 commit b9ba6a520cb07ab3aa7aaaf9ce4a0bc7a6bc06fe
65 Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
66 Date: Thu Feb 20 09:22:11 2014 +0200
68 mac80211: fix AP powersave TX vs. wakeup race
70 There is a race between the TX path and the STA wakeup: while
71 a station is sleeping, mac80211 buffers frames until it wakes
72 up, then the frames are transmitted. However, the RX and TX
73 path are concurrent, so the packet indicating wakeup can be
74 processed while a packet is being transmitted.
76 This can lead to a situation where the buffered frames list
77 is emptied on the one side, while a frame is being added on
78 the other side, as the station is still seen as sleeping in
81 As a result, the newly added frame will not be send anytime
82 soon. It might be sent much later (and out of order) when the
83 station goes to sleep and wakes up the next time.
85 Additionally, it can lead to the crash below.
87 Fix all this by synchronising both paths with a new lock.
88 Both path are not fastpath since they handle PS situations.
90 In a later patch we'll remove the extra skb queue locks to
91 reduce locking overhead.
93 BUG: unable to handle kernel
94 NULL pointer dereference at 000000b0
95 IP: [<ff6f1791>] ieee80211_report_used_skb+0x11/0x3e0 [mac80211]
97 Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
98 EIP: 0060:[<ff6f1791>] EFLAGS: 00210282 CPU: 1
99 EIP is at ieee80211_report_used_skb+0x11/0x3e0 [mac80211]
100 EAX: e5900da0 EBX: 00000000 ECX: 00000001 EDX: 00000000
101 ESI: e41d00c0 EDI: e5900da0 EBP: ebe458e4 ESP: ebe458b0
102 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
103 CR0: 8005003b CR2: 000000b0 CR3: 25a78000 CR4: 000407d0
104 DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
105 DR6: ffff0ff0 DR7: 00000400
106 Process iperf (pid: 3934, ti=ebe44000 task=e757c0b0 task.ti=ebe44000)
107 iwlwifi 0000:02:00.0: I iwl_pcie_enqueue_hcmd Sending command LQ_CMD (#4e), seq: 0x0903, 92 bytes at 3[3]:9
109 e403b32c ebe458c4 00200002 00200286 e403b338 ebe458cc c10960bb e5900da0
110 ff76a6ec ebe458d8 00000000 e41d00c0 e5900da0 ebe458f0 ff6f1b75 e403b210
111 ebe4598c ff723dc1 00000000 ff76a6ec e597c978 e403b758 00000002 00000002
113 [<ff6f1b75>] ieee80211_free_txskb+0x15/0x20 [mac80211]
114 [<ff723dc1>] invoke_tx_handlers+0x1661/0x1780 [mac80211]
115 [<ff7248a5>] ieee80211_tx+0x75/0x100 [mac80211]
116 [<ff7249bf>] ieee80211_xmit+0x8f/0xc0 [mac80211]
117 [<ff72550e>] ieee80211_subif_start_xmit+0x4fe/0xe20 [mac80211]
118 [<c149ef70>] dev_hard_start_xmit+0x450/0x950
119 [<c14b9aa9>] sch_direct_xmit+0xa9/0x250
120 [<c14b9c9b>] __qdisc_run+0x4b/0x150
121 [<c149f732>] dev_queue_xmit+0x2c2/0xca0
123 Cc: stable@vger.kernel.org
124 Reported-by: Yaara Rozenblum <yaara.rozenblum@intel.com>
125 Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
126 Reviewed-by: Stanislaw Gruszka <sgruszka@redhat.com>
127 [reword commit log, use a separate lock]
128 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
130 commit 80e419de0dff38436b30d363311c625766193f86
131 Author: Inbal Hacohen <Inbal.Hacohen@intel.com>
132 Date: Wed Feb 12 09:32:27 2014 +0200
134 cfg80211: bugfix in regulatory user hint process
136 After processing hint_user, we would want to schedule the
137 timeout work only if we are actually waiting to CRDA. This happens
138 when the status is not "IGNORE" nor "ALREADY_SET".
140 Signed-off-by: Inbal Hacohen <Inbal.Hacohen@intel.com>
141 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
143 commit 6514c93afede55284e2cb63359aadedb85884c80
144 Author: Jouni Malinen <jouni@qca.qualcomm.com>
145 Date: Tue Feb 18 20:41:08 2014 +0200
147 ath9k: Enable U-APSD AP mode support
149 mac80211 handles the actual operations, so ath9k can just indicate
150 support for this. Based on initial tests, this combination seems to
153 Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
155 commit a63caf0a357ad5c1f08d6b7827dc76c451445017
156 Author: Stanislaw Gruszka <sgruszka@redhat.com>
157 Date: Wed Feb 19 13:15:17 2014 +0100
159 ath9k: protect tid->sched check
161 We check tid->sched without a lock taken on ath_tx_aggr_sleep(). That
162 is race condition which can result of doing list_del(&tid->list) twice
163 (second time with poisoned list node) and cause crash like shown below:
165 [424271.637220] BUG: unable to handle kernel paging request at 00100104
166 [424271.637328] IP: [<f90fc072>] ath_tx_aggr_sleep+0x62/0xe0 [ath9k]
168 [424271.639953] Call Trace:
169 [424271.639998] [<f90f6900>] ? ath9k_get_survey+0x110/0x110 [ath9k]
170 [424271.640083] [<f90f6942>] ath9k_sta_notify+0x42/0x50 [ath9k]
171 [424271.640177] [<f809cfef>] sta_ps_start+0x8f/0x1c0 [mac80211]
172 [424271.640258] [<c10f730e>] ? free_compound_page+0x2e/0x40
173 [424271.640346] [<f809e915>] ieee80211_rx_handlers+0x9d5/0x2340 [mac80211]
174 [424271.640437] [<c112f048>] ? kmem_cache_free+0x1d8/0x1f0
175 [424271.640510] [<c1345a84>] ? kfree_skbmem+0x34/0x90
176 [424271.640578] [<c10fc23c>] ? put_page+0x2c/0x40
177 [424271.640640] [<c1345a84>] ? kfree_skbmem+0x34/0x90
178 [424271.640706] [<c1345a84>] ? kfree_skbmem+0x34/0x90
179 [424271.640787] [<f809dde3>] ? ieee80211_rx_handlers_result+0x73/0x1d0 [mac80211]
180 [424271.640897] [<f80a07a0>] ieee80211_prepare_and_rx_handle+0x520/0xad0 [mac80211]
181 [424271.641009] [<f809e22d>] ? ieee80211_rx_handlers+0x2ed/0x2340 [mac80211]
182 [424271.641104] [<c13846ce>] ? ip_output+0x7e/0xd0
183 [424271.641182] [<f80a1057>] ieee80211_rx+0x307/0x7c0 [mac80211]
184 [424271.641266] [<f90fa6ee>] ath_rx_tasklet+0x88e/0xf70 [ath9k]
185 [424271.641358] [<f80a0f2c>] ? ieee80211_rx+0x1dc/0x7c0 [mac80211]
186 [424271.641445] [<f90f82db>] ath9k_tasklet+0xcb/0x130 [ath9k]
189 https://bugzilla.kernel.org/show_bug.cgi?id=70551
191 Reported-and-tested-by: Max Sydorenko <maxim.stargazer@gmail.com>
192 Cc: stable@vger.kernel.org
193 Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
195 commit 82ed9e3ccc02797df2ffe4b78127c4cd5f799a41
196 Author: Felix Fietkau <nbd@openwrt.org>
197 Date: Tue Feb 11 15:54:13 2014 +0100
199 mac80211: send control port protocol frames to the VO queue
201 Improves reliability of wifi connections with WPA, since authentication
202 frames are prioritized over normal traffic and also typically exempt
205 Cc: stable@vger.kernel.org
206 Signed-off-by: Felix Fietkau <nbd@openwrt.org>
208 commit d4426800f71e972feaa33e04c5801fc730627bdd
209 Author: Stanislaw Gruszka <stf_xl@wp.pl>
210 Date: Mon Feb 10 22:38:28 2014 +0100
212 rtl8187: fix regression on MIPS without coherent DMA
214 This patch fixes regression caused by commit a16dad77634 "MIPS: Fix
215 potencial corruption". That commit fixes one corruption scenario in
216 cost of adding another one, which actually start to cause crashes
217 on Yeeloong laptop when rtl8187 driver is used.
219 For correct DMA read operation on machines without DMA coherence, kernel
220 have to invalidate cache, such it will refill later with new data that
221 device wrote to memory, when that data is needed to process. We can only
222 invalidate full cache line. Hence when cache line includes both dma
223 buffer and some other data (written in cache, but not yet in main
224 memory), the other data can not hit memory due to invalidation. That
225 happen on rtl8187 where struct rtl8187_priv fields are located just
226 before and after small buffers that are passed to USB layer and DMA
227 is performed on them.
229 To fix the problem we align buffers and reserve space after them to make
230 them match cache line.
232 This patch does not resolve all possible MIPS problems entirely, for
233 that we have to assure that we always map cache aligned buffers for DMA,
234 what can be complex or even not possible. But patch fixes visible and
235 reproducible regression and seems other possible corruptions do not
236 happen in practice, since Yeeloong laptop works stable without rtl8187
240 https://bugzilla.kernel.org/show_bug.cgi?id=54391
242 Reported-by: Petr Pisar <petr.pisar@atlas.cz>
243 Bisected-by: Tom Li <biergaizi2009@gmail.com>
244 Reported-and-tested-by: Tom Li <biergaizi2009@gmail.com>
245 Cc: stable@vger.kernel.org
246 Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
248 commit e2f141d67ad1e7fe10aaab61811e8a409dfb2442
249 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
250 Date: Fri Feb 7 10:29:55 2014 +0530
252 ath9k: Calculate IQ-CAL median
254 This patch adds a routine to calculate the median IQ correction
255 values for AR955x, which is used for outlier detection.
256 The normal method which is used for all other chips is
259 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
261 commit c52a6fce0820c8d0687443ab86058ae03b478c8f
262 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
263 Date: Fri Feb 7 10:29:54 2014 +0530
265 ath9k: Expand the IQ coefficient array
267 This will be used for storing data for mutiple
268 IQ calibration runs, for AR955x.
270 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
272 commit 034969ff5c2b6431d10e07c1938f0b916da85cc3
273 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
274 Date: Fri Feb 7 10:29:53 2014 +0530
276 ath9k: Modify IQ calibration for AR955x
278 IQ calibration post-processing for AR955x is different
279 from other chips - instead of just doing it as part
280 of AGC calibration once, it is triggered 3 times and
281 a median is determined. This patch adds initial support
282 for changing the calibration behavior for AR955x.
284 Also, to simplify things, a helper routine to issue/poll
285 AGC calibration is used.
287 For non-AR955x chips, the iqcal_idx (which will be used
288 in subsequent patches) is set to zero.
290 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
292 commit 9b1ed6454e6f3511f24266be99b4e403f243f6a8
293 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
294 Date: Fri Feb 7 10:29:52 2014 +0530
296 ath9k: Fix magnitude/phase calculation
298 Incorrect values are programmed in the registers
299 containing the IQ correction coefficients by the IQ-CAL
300 post-processing code. Fix this.
302 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
304 commit 36f93484f96f79171dcecb67c5ef0c3de22531a6
305 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
306 Date: Fri Feb 7 10:29:51 2014 +0530
308 ath9k: Rename ar9003_hw_tx_iqcal_load_avg_2_passes
310 Use ar9003_hw_tx_iq_cal_outlier_detection instead.
312 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
314 commit 3af09a7f5d21dd5fd15b973ce6a91a575da30417
315 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
316 Date: Fri Feb 7 10:29:50 2014 +0530
318 ath9k: Check explicitly for IQ calibration
320 In chips like AR955x, the initvals contain the information
321 whether IQ calibration is to be done in the HW when an
322 AGC calibration is triggered. Check if IQ-CAL is enabled
323 in the initvals before flagging 'txiqcal_done' as true.
325 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
327 commit cb4969634b93c4643a32cc3fbd27d2b288b25771
328 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
329 Date: Fri Feb 7 10:29:49 2014 +0530
331 ath9k: Fix IQ cal post processing for SoC
333 Calibration data is not reused for SoC chips, so
334 call ar9003_hw_tx_iq_cal_post_proc() with the correct
335 argument. The 'is_reusable' flag is currently used
336 only for PC-OEM chips, but it makes things clearer to
337 specify it explicity.
339 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
341 commit e138e0ef9560c46ce93dbb22a728a57888e94d1c
342 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
343 Date: Mon Feb 3 13:31:37 2014 +0530
345 ath9k: Fix TX power calculation
347 The commit, "ath9k_hw: Fix incorrect Tx control power in AR9003 template"
348 fixed the incorrect values in the eeprom templates, but if
349 boards have already been calibrated with incorrect values,
350 they would still be using the wrong TX power. Fix this by assigning
351 a default value in such cases.
353 Cc: Rajkumar Manoharan <rmanohar@qti.qualcomm.com>
354 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
356 commit b9f268b5b01331c3c82179abca551429450e9417
357 Author: Michal Kazior <michal.kazior@tieto.com>
358 Date: Wed Jan 29 14:22:27 2014 +0100
360 cfg80211: consider existing DFS interfaces
362 It was possible to break interface combinations in
365 combo 1: iftype = AP, num_ifaces = 2, num_chans = 2,
366 combo 2: iftype = AP, num_ifaces = 1, num_chans = 1, radar = HT20
368 With the above interface combinations it was
371 step 1. start AP on DFS channel by matching combo 2
372 step 2. start AP on non-DFS channel by matching combo 1
374 This was possible beacuse (step 2) did not consider
375 if other interfaces require radar detection.
377 The patch changes how cfg80211 tracks channels -
378 instead of channel itself now a complete chandef
381 Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
382 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
384 commit bc9c62f5f511cc395c62dbf4cdd437f23db53b28
385 Author: Antonio Quartulli <antonio@open-mesh.com>
386 Date: Wed Jan 29 17:53:43 2014 +0100
388 cfg80211: fix channel configuration in IBSS join
390 When receiving an IBSS_JOINED event select the BSS object
391 based on the {bssid, channel} couple rather than the bssid
393 With the current approach if another cell having the same
394 BSSID (but using a different channel) exists then cfg80211
395 picks up the wrong BSS object.
396 The result is a mismatching channel configuration between
397 cfg80211 and the driver, that can lead to any sort of
400 The issue can be triggered by having an IBSS sitting on
401 given channel and then asking the driver to create a new
402 cell using the same BSSID but with a different frequency.
403 By passing the channel to cfg80211_get_bss() we can solve
404 this ambiguity and retrieve/create the correct BSS object.
405 All the users of cfg80211_ibss_joined() have been changed
408 Moreover WARN when cfg80211_ibss_joined() gets a NULL
409 channel as argument and remove a bogus call of the same
410 function in ath6kl (it does not make sense to call
411 cfg80211_ibss_joined() with a zero BSSID on ibss-leave).
413 Cc: Kalle Valo <kvalo@qca.qualcomm.com>
414 Cc: Arend van Spriel <arend@broadcom.com>
415 Cc: Bing Zhao <bzhao@marvell.com>
416 Cc: Jussi Kivilinna <jussi.kivilinna@iki.fi>
417 Cc: libertas-dev@lists.infradead.org
418 Acked-by: Kalle Valo <kvalo@qca.qualcomm.com>
419 Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
420 [minor code cleanup in ath6kl]
421 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
423 commit 7e0c41cb41f215aba2c39b1c237bb4d42ec49a85
424 Author: Johannes Berg <johannes.berg@intel.com>
425 Date: Fri Jan 24 14:41:44 2014 +0100
427 mac80211: fix bufferable MMPDU RX handling
429 Action, disassoc and deauth frames are bufferable, and as such don't
430 have the PM bit in the frame control field reserved which means we
431 need to react to the bit when receiving in such a frame.
433 Fix this by introducing a new helper ieee80211_is_bufferable_mmpdu()
434 and using it for the RX path that currently ignores the PM bit in
435 any non-data frames for doze->wake transitions, but listens to it in
436 all frames for wake->doze transitions, both of which are wrong.
438 Also use the new helper in the TX path to clean up the code.
440 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
442 commit fc0df6d2343636e3f48a069330d5b972e3d8659d
443 Author: Janusz Dziedzic <janusz.dziedzic@tieto.com>
444 Date: Fri Jan 24 14:29:21 2014 +0100
446 cfg80211: set preset_chandef after channel switch
448 Set preset_chandef in channel switch notification.
449 In other case we will have old preset_chandef.
451 Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
452 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
454 commit cdec895e2344987ff171cece96e25d7407a3ebf6
455 Author: Simon Wunderlich <simon@open-mesh.com>
456 Date: Fri Jan 24 23:48:29 2014 +0100
458 mac80211: send ibss probe responses with noack flag
460 Responding to probe requests for scanning clients will often create
461 excessive retries, as it happens quite often that the scanning client
462 already left the channel. Therefore do it like hostapd and send probe
463 responses for wildcard SSID only once by using the noack flag.
465 Signed-off-by: Simon Wunderlich <simon@open-mesh.com>
466 [fix typo & 'wildcard SSID' in commit log]
467 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
469 commit 0b865d1e6b9c05052adae9315df7cb195dc60c3b
470 Author: Luciano Coelho <luciano.coelho@intel.com>
471 Date: Tue Jan 28 17:09:08 2014 +0200
473 mac80211: ibss: remove unnecessary call to release channel
475 The ieee80211_vif_use_channel() function calls
476 ieee80211_vif_release_channel(), so there's no need to call it
477 explicitly in __ieee80211_sta_join_ibss().
479 Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
480 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
482 commit e1b6c17e971f0a51ff86c2dac2584c63cd999cd7
483 Author: Michal Kazior <michal.kazior@tieto.com>
484 Date: Wed Jan 29 07:56:21 2014 +0100
486 mac80211: add missing CSA locking
488 The patch adds a missing sdata lock and adds a few
489 lockdeps for easier maintenance.
491 Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
492 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
494 commit ad17ba7d14d225b109b73c177cd446afb8050598
495 Author: Michal Kazior <michal.kazior@tieto.com>
496 Date: Wed Jan 29 07:56:20 2014 +0100
498 mac80211: fix sdata->radar_required locking
500 radar_required setting wasn't protected by
501 local->mtx in some places. This should prevent
502 from scanning/radar detection/roc colliding.
504 Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
505 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
507 commit 5fcd5f1808813a3d9e502fd756e01bee8a79c85d
508 Author: Michal Kazior <michal.kazior@tieto.com>
509 Date: Wed Jan 29 07:56:19 2014 +0100
511 mac80211: move csa_active setting in STA CSA
513 The sdata->vif.csa_active could be left set after,
514 e.g. channel context constraints check fail in STA
515 mode leaving the interface in a strange state for
516 a brief period of time until it is disconnected.
517 This was harmless but ugly.
519 Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
520 Reviewed-by: Luciano Coelho <luciano.coelho@intel.com>
521 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
523 commit e486da4b7eed71821c6b4c1bb9ac62ffd3ab13e9
524 Author: Michal Kazior <michal.kazior@tieto.com>
525 Date: Wed Jan 29 07:56:18 2014 +0100
527 mac80211: fix possible memory leak on AP CSA failure
529 If CSA for AP interface failed and the interface
530 was not stopped afterwards another CSA request
531 would leak sdata->u.ap.next_beacon.
533 Signed-off-by: Michal Kazior <michal.kazior@tieto.com>
534 Reviewed-by: Luciano Coelho <luciano.coelho@intel.com>
535 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
537 commit 3a77ba08940682bf3d52cf14f980337324af9d4a
538 Author: Johannes Berg <johannes.berg@intel.com>
539 Date: Sat Feb 1 00:33:29 2014 +0100
541 mac80211: fix fragmentation code, particularly for encryption
543 The "new" fragmentation code (since my rewrite almost 5 years ago)
544 erroneously sets skb->len rather than using skb_trim() to adjust
545 the length of the first fragment after copying out all the others.
546 This leaves the skb tail pointer pointing to after where the data
547 originally ended, and thus causes the encryption MIC to be written
548 at that point, rather than where it belongs: immediately after the
551 The impact of this is that if software encryption is done, then
552 a) encryption doesn't work for the first fragment, the connection
553 becomes unusable as the first fragment will never be properly
554 verified at the receiver, the MIC is practically guaranteed to
556 b) we leak up to 8 bytes of plaintext (!) of the packet out into
559 This is only mitigated by the fact that many devices are capable
560 of doing encryption in hardware, in which case this can't happen
561 as the tail pointer is irrelevant in that case. Additionally,
562 fragmentation is not used very frequently and would normally have
563 to be configured manually.
565 Fix this by using skb_trim() properly.
567 Cc: stable@vger.kernel.org
568 Fixes: 2de8e0d999b8 ("mac80211: rewrite fragmentation")
569 Reported-by: Jouni Malinen <j@w1.fi>
570 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
572 commit de5f242e0c10e841017e37eb8c38974a642dbca8
573 Author: Sujith Manoharan <c_manoha@qca.qualcomm.com>
574 Date: Tue Jan 28 06:21:59 2014 +0530
576 ath9k: Fix build error on ARM
578 Use mdelay instead of udelay to fix this error:
580 ERROR: "__bad_udelay" [drivers/net/wireless/ath/ath9k/ath9k_hw.ko] undefined!
581 make[1]: *** [__modpost] Error 1
582 make: *** [modules] Error 2
584 Reported-by: Josh Boyer <jwboyer@fedoraproject.org>
585 Signed-off-by: Sujith Manoharan <c_manoha@qca.qualcomm.com>
587 commit 8e3ea7a51dfc61810fcefd947f6edcf61125252a
588 Author: Geert Uytterhoeven <geert@linux-m68k.org>
589 Date: Sun Jan 26 11:53:21 2014 +0100
591 ath9k: Fix uninitialized variable in ath9k_has_tx_pending()
593 drivers/net/wireless/ath/ath9k/main.c: In function ‘ath9k_has_tx_pending’:
594 drivers/net/wireless/ath/ath9k/main.c:1869: warning: ‘npend’ may be used uninitialized in this function
596 Introduced by commit 10e2318103f5941aa70c318afe34bc41f1b98529 ("ath9k:
597 optimize ath9k_flush").
599 Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
601 commit a4a634a6937ebdd827fa58e8fcdb8ca49a3769f6
602 Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
603 Date: Mon Jan 27 11:07:42 2014 +0200
605 mac80211: release the channel in error path in start_ap
607 When the driver cannot start the AP or when the assignement
608 of the beacon goes wrong, we need to unassign the vif.
610 Cc: stable@vger.kernel.org
611 Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
612 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
614 commit dfb6889a75c601aedb7450b7e606668e77da6679
615 Author: Johannes Berg <johannes.berg@intel.com>
616 Date: Wed Jan 22 11:14:19 2014 +0200
618 cfg80211: send scan results from work queue
620 Due to the previous commit, when a scan finishes, it is in theory
621 possible to hit the following sequence:
622 1. interface starts being removed
623 2. scan is cancelled by driver and cfg80211 is notified
624 3. scan done work is scheduled
625 4. interface is removed completely, rdev->scan_req is freed,
626 event sent to userspace but scan done work remains pending
627 5. new scan is requested on another virtual interface
628 6. scan done work runs, freeing the still-running scan
630 To fix this situation, hang on to the scan done message and block
631 new scans while that is the case, and only send the message from
632 the work function, regardless of whether the scan_req is already
633 freed from interface removal. This makes step 5 above impossible
634 and changes step 6 to be
635 5. scan done work runs, sending the scan done message
637 As this can't work for wext, so we send the message immediately,
638 but this shouldn't be an issue since we still return -EBUSY.
640 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
642 commit 45b7ab41fc08627d9a8428cb413d5d84662a9707
643 Author: Johannes Berg <johannes.berg@intel.com>
644 Date: Wed Jan 22 11:14:18 2014 +0200
646 cfg80211: fix scan done race
648 When an interface/wdev is removed, any ongoing scan should be
649 cancelled by the driver. This will make it call cfg80211, which
650 only queues a work struct. If interface/wdev removal is quick
651 enough, this can leave the scan request pending and processed
652 only after the interface is gone, causing a use-after-free.
654 Fix this by making sure the scan request is not pending after
655 the interface is destroyed. We can't flush or cancel the work
656 item due to locking concerns, but when it'll run it shouldn't
657 find anything to do. This leaves a potential issue, if a new
658 scan gets requested before the work runs, it prematurely stops
659 the running scan, potentially causing another crash. I'll fix
660 that in the next patch.
662 This was particularly observed with P2P_DEVICE wdevs, likely
663 because freeing them is quicker than freeing netdevs.
665 Reported-by: Andrei Otcheretianski <andrei.otcheretianski@intel.com>
666 Fixes: 4a58e7c38443 ("cfg80211: don't "leak" uncompleted scans")
667 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
669 commit ae04fa489ab31b5a10d3cc8399f52761175d4321
670 Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
671 Date: Thu Jan 23 14:28:16 2014 +0200
673 mac80211: avoid deadlock revealed by lockdep
675 sdata->u.ap.request_smps_work can’t be flushed synchronously
676 under wdev_lock(wdev) since ieee80211_request_smps_ap_work
677 itself locks the same lock.
678 While at it, reset the driver_smps_mode when the ap is
679 stopped to its default: OFF.
683 ======================================================
684 [ INFO: possible circular locking dependency detected ]
685 3.12.0-ipeer+ #2 Tainted: G O
686 -------------------------------------------------------
687 rmmod/2867 is trying to acquire lock:
688 ((&sdata->u.ap.request_smps_work)){+.+...}, at: [<c105b8d0>] flush_work+0x0/0x90
690 but task is already holding lock:
691 (&wdev->mtx){+.+.+.}, at: [<f9b32626>] cfg80211_stop_ap+0x26/0x230 [cfg80211]
693 which lock already depends on the new lock.
695 the existing dependency chain (in reverse order) is:
697 -> #1 (&wdev->mtx){+.+.+.}:
698 [<c10aefa9>] lock_acquire+0x79/0xe0
699 [<c1607a1a>] mutex_lock_nested+0x4a/0x360
700 [<fb06288b>] ieee80211_request_smps_ap_work+0x2b/0x50 [mac80211]
701 [<c105cdd8>] process_one_work+0x198/0x450
702 [<c105d469>] worker_thread+0xf9/0x320
703 [<c10669ff>] kthread+0x9f/0xb0
704 [<c1613397>] ret_from_kernel_thread+0x1b/0x28
706 -> #0 ((&sdata->u.ap.request_smps_work)){+.+...}:
707 [<c10ae9df>] __lock_acquire+0x183f/0x1910
708 [<c10aefa9>] lock_acquire+0x79/0xe0
709 [<c105b917>] flush_work+0x47/0x90
710 [<c105d867>] __cancel_work_timer+0x67/0xe0
711 [<c105d90f>] cancel_work_sync+0xf/0x20
712 [<fb0765cc>] ieee80211_stop_ap+0x8c/0x340 [mac80211]
713 [<f9b3268c>] cfg80211_stop_ap+0x8c/0x230 [cfg80211]
714 [<f9b0d8f9>] cfg80211_leave+0x79/0x100 [cfg80211]
715 [<f9b0da72>] cfg80211_netdev_notifier_call+0xf2/0x4f0 [cfg80211]
716 [<c160f2c9>] notifier_call_chain+0x59/0x130
717 [<c106c6de>] __raw_notifier_call_chain+0x1e/0x30
718 [<c106c70f>] raw_notifier_call_chain+0x1f/0x30
719 [<c14f8213>] call_netdevice_notifiers_info+0x33/0x70
720 [<c14f8263>] call_netdevice_notifiers+0x13/0x20
721 [<c14f82a4>] __dev_close_many+0x34/0xb0
722 [<c14f83fe>] dev_close_many+0x6e/0xc0
723 [<c14f9c77>] rollback_registered_many+0xa7/0x1f0
724 [<c14f9dd4>] unregister_netdevice_many+0x14/0x60
725 [<fb06f4d9>] ieee80211_remove_interfaces+0xe9/0x170 [mac80211]
726 [<fb055116>] ieee80211_unregister_hw+0x56/0x110 [mac80211]
727 [<fa3e9396>] iwl_op_mode_mvm_stop+0x26/0xe0 [iwlmvm]
728 [<f9b9d8ca>] _iwl_op_mode_stop+0x3a/0x70 [iwlwifi]
729 [<f9b9d96f>] iwl_opmode_deregister+0x6f/0x90 [iwlwifi]
730 [<fa405179>] __exit_compat+0xd/0x19 [iwlmvm]
731 [<c10b8bf9>] SyS_delete_module+0x179/0x2b0
732 [<c1613421>] sysenter_do_call+0x12/0x32
734 Fixes: 687da132234f ("mac80211: implement SMPS for AP")
735 Cc: <stable@vger.kernel.org> [3.13]
736 Reported-by: Ilan Peer <ilan.peer@intel.com>
737 Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
738 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
740 commit 178b205e96217164fd7c30113464250d0b6f5eca
741 Author: Johannes Berg <johannes.berg@intel.com>
742 Date: Thu Jan 23 16:32:29 2014 +0100
744 cfg80211: re-enable 5/10 MHz support
746 Unfortunately I forgot this during the merge window, but the
747 patch seems small enough to go in as a fix. The userspace API
748 bug that was the reason for disabling it has long been fixed.
750 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
752 commit 110a1c79acda14edc83b7c8dc5af9c7ddd23eb61
753 Author: Pontus Fuchs <pontus.fuchs@gmail.com>
754 Date: Thu Jan 16 15:00:40 2014 +0100
756 nl80211: Reset split_start when netlink skb is exhausted
758 When the netlink skb is exhausted split_start is left set. In the
759 subsequent retry, with a larger buffer, the dump is continued from the
760 failing point instead of from the beginning.
762 This was causing my rt28xx based USB dongle to now show up when
763 running "iw list" with an old iw version without split dump support.
765 Cc: stable@vger.kernel.org
766 Fixes: 3713b4e364ef ("nl80211: allow splitting wiphy information in dumps")
767 Signed-off-by: Pontus Fuchs <pontus.fuchs@gmail.com>
768 [avoid the entire workaround when state->split is set]
769 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
771 commit b4c31b45ffc7ef110fa9ecc34d7878fe7c5b9da4
772 Author: Eliad Peller <eliad@wizery.com>
773 Date: Sun Jan 12 11:06:37 2014 +0200
775 mac80211: move roc cookie assignment earlier
777 ieee80211_start_roc_work() might add a new roc
778 to existing roc, and tell cfg80211 it has already
781 However, this might happen before the roc cookie
782 was set, resulting in REMAIN_ON_CHANNEL (started)
783 event with null cookie. Consequently, it can make
784 wpa_supplicant go out of sync.
786 Fix it by setting the roc cookie earlier.
788 Cc: stable@vger.kernel.org
789 Signed-off-by: Eliad Peller <eliad@wizery.com>
790 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
792 commit cfdc9157bfd7bcf88ab4dae08873a9907eba984c
793 Author: Johannes Berg <johannes.berg@intel.com>
794 Date: Fri Jan 24 14:06:29 2014 +0100
796 nl80211: send event when AP operation is stopped
798 There are a few cases, e.g. suspend, where an AP interface is
799 stopped by the kernel rather than by userspace request, most
800 commonly when suspending. To let userspace know about this,
801 send the NL80211_CMD_STOP_AP command as an event every time
802 an AP interface is stopped. This also happens when userspace
803 did in fact request the AP stop, but that's not a problem.
805 For full-MAC drivers this may need to be extended to also
806 cover cases where the device stopped the AP operation for
807 some reason, this a bit more complicated because then all
808 cfg80211 state also needs to be reset; such API is not part
811 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
813 commit d5d567eda7704f190379ca852a8f9a4112e3eee3
814 Author: Johannes Berg <johannes.berg@intel.com>
815 Date: Thu Jan 23 16:20:29 2014 +0100
817 mac80211: add length check in ieee80211_is_robust_mgmt_frame()
819 A few places weren't checking that the frame passed to the
820 function actually has enough data even though the function
821 clearly documents it must have a payload byte. Make this
822 safer by changing the function to take an skb and checking
823 the length inside. The old version is preserved for now as
824 the rtl* drivers use it and don't have a correct skb.
826 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
828 commit f8f6d212a047fc65c7d3442dfc038f65517236fc
829 Author: Johannes Berg <johannes.berg@intel.com>
830 Date: Fri Jan 24 10:53:53 2014 +0100
832 nl80211: fix scheduled scan RSSI matchset attribute confusion
834 The scheduled scan matchsets were intended to be a list of filters,
835 with the found BSS having to pass at least one of them to be passed
836 to the host. When the RSSI attribute was added, however, this was
837 broken and currently wpa_supplicant adds that attribute in its own
838 matchset; however, it doesn't intend that to mean that anything
839 that passes the RSSI filter should be passed to the host, instead
840 it wants it to mean that everything needs to also have higher RSSI.
842 This is semantically problematic because we have a list of filters
843 like [ SSID1, SSID2, SSID3, RSSI ] with no real indication which
844 one should be OR'ed and which one AND'ed.
846 To fix this, move the RSSI filter attribute into each matchset. As
847 we need to stay backward compatible, treat a matchset with only the
848 RSSI attribute as a "default RSSI filter" for all other matchsets,
849 but only if there are other matchsets (an RSSI-only matchset by
850 itself is still desirable.)
852 To make driver implementation easier, keep a global min_rssi_thold
853 for the entire request as well. The only affected driver is ath6kl.
855 I found this when I looked into the code after Raja Mani submitted
856 a patch fixing the n_match_sets calculation to disregard the RSSI,
857 but that patch didn't address the semantic issue.
859 Reported-by: Raja Mani <rmani@qti.qualcomm.com>
860 Acked-by: Luciano Coelho <luciano.coelho@intel.com>
861 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
863 commit de553e8545e65a6dc4e45f43df7e1443d4291922
864 Author: Johannes Berg <johannes.berg@intel.com>
865 Date: Fri Jan 24 10:17:47 2014 +0100
867 nl80211: check nla_parse() return values
869 If there's a policy, then nla_parse() return values must be
870 checked, otherwise the policy is useless and there's nothing
871 that ensures the attributes are actually what we expect them
874 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
876 commit 652204a0733e9e1c54661d6f9d36e2e1e3b22bb1
877 Author: Karl Beldan <karl.beldan@rivierawaves.com>
878 Date: Thu Jan 23 20:06:34 2014 +0100
880 mac80211: send {ADD,DEL}BA on AC_VO like other mgmt frames, as per spec
882 ATM, {ADD,DEL}BA and BAR frames are sent on the AC matching the TID of
883 the BA parameters. In the discussion [1] about this patch, Johannes
884 recalled that it fixed some races with the DELBA and indeed this
885 behavior was introduced in [2].
886 While [2] is right for the BARs, the part queueing the {ADD,DEL}BAs on
887 their BA params TID AC violates the spec and is more a workaround for
888 some drivers. Helmut expressed some concerns wrt such drivers, in
889 particular DELBAs in rt2x00.
891 ATM, DELBAs are sent after a driver has called (hence "purposely")
892 ieee80211_start_tx_ba_cb_irqsafe and Johannes and Emmanuel gave some
893 details wrt intentions behind the split of the IEEE80211_AMPDU_TX_STOP_*
894 given to the driver ampdu_action supposed to call this function, which
895 could prove handy to people trying to do the right thing in faulty
896 drivers (if their fw/hw don't get in their way).
898 [1] http://mid.gmane.org/1390391564-18481-1-git-send-email-karl.beldan@gmail.com
899 [2] Commit: cf6bb79ad828 ("mac80211: Use appropriate TID for sending BAR, ADDBA and DELBA frames")
901 Signed-off-by: Karl Beldan <karl.beldan@rivierawaves.com>
902 Cc: Helmut Schaa <helmut.schaa@googlemail.com>
903 Cc: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
904 Signed-off-by: Johannes Berg <johannes.berg@intel.com>
905 --- a/drivers/net/wireless/ath/ath6kl/cfg80211.c
906 +++ b/drivers/net/wireless/ath/ath6kl/cfg80211.c
907 @@ -790,7 +790,7 @@ void ath6kl_cfg80211_connect_event(struc
908 if (nw_type & ADHOC_NETWORK) {
909 ath6kl_dbg(ATH6KL_DBG_WLAN_CFG, "ad-hoc %s selected\n",
910 nw_type & ADHOC_CREATOR ? "creator" : "joiner");
911 - cfg80211_ibss_joined(vif->ndev, bssid, GFP_KERNEL);
912 + cfg80211_ibss_joined(vif->ndev, bssid, chan, GFP_KERNEL);
913 cfg80211_put_bss(ar->wiphy, bss);
916 @@ -861,13 +861,9 @@ void ath6kl_cfg80211_disconnect_event(st
919 if (vif->nw_type & ADHOC_NETWORK) {
920 - if (vif->wdev.iftype != NL80211_IFTYPE_ADHOC) {
921 + if (vif->wdev.iftype != NL80211_IFTYPE_ADHOC)
922 ath6kl_dbg(ATH6KL_DBG_WLAN_CFG,
923 "%s: ath6k not in ibss mode\n", __func__);
926 - memset(bssid, 0, ETH_ALEN);
927 - cfg80211_ibss_joined(vif->ndev, bssid, GFP_KERNEL);
931 @@ -3256,6 +3252,15 @@ static int ath6kl_cfg80211_sscan_start(s
932 struct ath6kl_vif *vif = netdev_priv(dev);
935 + int n_match_sets = request->n_match_sets;
938 + * If there's a matchset w/o an SSID, then assume it's just for
939 + * the RSSI (nothing else is currently supported) and ignore it.
940 + * The device only supports a global RSSI filter that we set below.
942 + if (n_match_sets == 1 && !request->match_sets[0].ssid.ssid_len)
945 if (ar->state != ATH6KL_STATE_ON)
947 @@ -3268,11 +3273,11 @@ static int ath6kl_cfg80211_sscan_start(s
948 ret = ath6kl_set_probed_ssids(ar, vif, request->ssids,
951 - request->n_match_sets);
956 - if (!request->n_match_sets) {
957 + if (!n_match_sets) {
958 ret = ath6kl_wmi_bssfilter_cmd(ar->wmi, vif->fw_vif_idx,
961 @@ -3286,12 +3291,12 @@ static int ath6kl_cfg80211_sscan_start(s
963 if (test_bit(ATH6KL_FW_CAPABILITY_RSSI_SCAN_THOLD,
964 ar->fw_capabilities)) {
965 - if (request->rssi_thold <= NL80211_SCAN_RSSI_THOLD_OFF)
966 + if (request->min_rssi_thold <= NL80211_SCAN_RSSI_THOLD_OFF)
968 - else if (request->rssi_thold < -127)
969 + else if (request->min_rssi_thold < -127)
972 - rssi_thold = request->rssi_thold;
973 + rssi_thold = request->min_rssi_thold;
975 ret = ath6kl_wmi_set_rssi_filter_cmd(ar->wmi, vif->fw_vif_idx,
977 --- a/drivers/net/wireless/ath/ath9k/hw.c
978 +++ b/drivers/net/wireless/ath/ath9k/hw.c
979 @@ -1316,7 +1316,7 @@ static bool ath9k_hw_set_reset(struct at
980 if (AR_SREV_9300_20_OR_LATER(ah))
982 else if (AR_SREV_9100(ah))
988 @@ -2051,9 +2051,8 @@ static bool ath9k_hw_set_power_awake(str
990 REG_SET_BIT(ah, AR_RTC_FORCE_WAKE,
991 AR_RTC_FORCE_WAKE_EN);
993 if (AR_SREV_9100(ah))
999 --- a/drivers/net/wireless/ath/ath9k/main.c
1000 +++ b/drivers/net/wireless/ath/ath9k/main.c
1001 @@ -1866,7 +1866,7 @@ static void ath9k_set_coverage_class(str
1003 static bool ath9k_has_tx_pending(struct ath_softc *sc)
1008 for (i = 0; i < ATH9K_NUM_TX_QUEUES; i++) {
1009 if (!ATH_TXQ_SETUP(sc, i))
1010 --- a/drivers/net/wireless/iwlwifi/mvm/scan.c
1011 +++ b/drivers/net/wireless/iwlwifi/mvm/scan.c
1012 @@ -595,6 +595,9 @@ static void iwl_scan_offload_build_ssid(
1013 * config match list.
1015 for (i = 0; i < req->n_match_sets && i < PROBE_OPTION_MAX; i++) {
1016 + /* skip empty SSID matchsets */
1017 + if (!req->match_sets[i].ssid.ssid_len)
1019 scan->direct_scan[i].id = WLAN_EID_SSID;
1020 scan->direct_scan[i].len = req->match_sets[i].ssid.ssid_len;
1021 memcpy(scan->direct_scan[i].ssid, req->match_sets[i].ssid.ssid,
1022 --- a/drivers/net/wireless/rtlwifi/rtl8188ee/trx.c
1023 +++ b/drivers/net/wireless/rtlwifi/rtl8188ee/trx.c
1024 @@ -452,7 +452,7 @@ bool rtl88ee_rx_query_desc(struct ieee80
1025 /* During testing, hdr was NULL */
1028 - if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
1029 + if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
1030 (ieee80211_has_protected(hdr->frame_control)))
1031 rx_status->flag &= ~RX_FLAG_DECRYPTED;
1033 --- a/drivers/net/wireless/rtlwifi/rtl8192ce/trx.c
1034 +++ b/drivers/net/wireless/rtlwifi/rtl8192ce/trx.c
1035 @@ -393,7 +393,7 @@ bool rtl92ce_rx_query_desc(struct ieee80
1036 /* In testing, hdr was NULL here */
1039 - if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
1040 + if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
1041 (ieee80211_has_protected(hdr->frame_control)))
1042 rx_status->flag &= ~RX_FLAG_DECRYPTED;
1044 --- a/drivers/net/wireless/rtlwifi/rtl8192se/trx.c
1045 +++ b/drivers/net/wireless/rtlwifi/rtl8192se/trx.c
1046 @@ -310,7 +310,7 @@ bool rtl92se_rx_query_desc(struct ieee80
1047 /* during testing, hdr was NULL here */
1050 - if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
1051 + if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
1052 (ieee80211_has_protected(hdr->frame_control)))
1053 rx_status->flag &= ~RX_FLAG_DECRYPTED;
1055 --- a/drivers/net/wireless/rtlwifi/rtl8723ae/trx.c
1056 +++ b/drivers/net/wireless/rtlwifi/rtl8723ae/trx.c
1057 @@ -334,7 +334,7 @@ bool rtl8723ae_rx_query_desc(struct ieee
1058 /* during testing, hdr could be NULL here */
1061 - if ((ieee80211_is_robust_mgmt_frame(hdr)) &&
1062 + if ((_ieee80211_is_robust_mgmt_frame(hdr)) &&
1063 (ieee80211_has_protected(hdr->frame_control)))
1064 rx_status->flag &= ~RX_FLAG_DECRYPTED;
1066 --- a/include/linux/ieee80211.h
1067 +++ b/include/linux/ieee80211.h
1068 @@ -597,6 +597,20 @@ static inline int ieee80211_is_qos_nullf
1072 + * ieee80211_is_bufferable_mmpdu - check if frame is bufferable MMPDU
1073 + * @fc: frame control field in little-endian byteorder
1075 +static inline bool ieee80211_is_bufferable_mmpdu(__le16 fc)
1077 + /* IEEE 802.11-2012, definition of "bufferable management frame";
1078 + * note that this ignores the IBSS special case. */
1079 + return ieee80211_is_mgmt(fc) &&
1080 + (ieee80211_is_action(fc) ||
1081 + ieee80211_is_disassoc(fc) ||
1082 + ieee80211_is_deauth(fc));
1086 * ieee80211_is_first_frag - check if IEEE80211_SCTL_FRAG is not set
1087 * @seq_ctrl: frame sequence control bytes in little-endian byteorder
1089 @@ -2192,10 +2206,10 @@ static inline u8 *ieee80211_get_DA(struc
1093 - * ieee80211_is_robust_mgmt_frame - check if frame is a robust management frame
1094 + * _ieee80211_is_robust_mgmt_frame - check if frame is a robust management frame
1095 * @hdr: the frame (buffer must include at least the first octet of payload)
1097 -static inline bool ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr)
1098 +static inline bool _ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr)
1100 if (ieee80211_is_disassoc(hdr->frame_control) ||
1101 ieee80211_is_deauth(hdr->frame_control))
1102 @@ -2224,6 +2238,17 @@ static inline bool ieee80211_is_robust_m
1106 + * ieee80211_is_robust_mgmt_frame - check if skb contains a robust mgmt frame
1107 + * @skb: the skb containing the frame, length will be checked
1109 +static inline bool ieee80211_is_robust_mgmt_frame(struct sk_buff *skb)
1111 + if (skb->len < 25)
1113 + return _ieee80211_is_robust_mgmt_frame((void *)skb->data);
1117 * ieee80211_is_public_action - check if frame is a public action frame
1119 * @len: length of the frame
1120 --- a/include/net/cfg80211.h
1121 +++ b/include/net/cfg80211.h
1122 @@ -1395,9 +1395,11 @@ struct cfg80211_scan_request {
1123 * struct cfg80211_match_set - sets of attributes to match
1125 * @ssid: SSID to be matched
1126 + * @rssi_thold: don't report scan results below this threshold (in s32 dBm)
1128 struct cfg80211_match_set {
1129 struct cfg80211_ssid ssid;
1134 @@ -1420,7 +1422,8 @@ struct cfg80211_match_set {
1135 * @dev: the interface
1136 * @scan_start: start time of the scheduled scan
1137 * @channels: channels to scan
1138 - * @rssi_thold: don't report scan results below this threshold (in s32 dBm)
1139 + * @min_rssi_thold: for drivers only supporting a single threshold, this
1140 + * contains the minimum over all matchsets
1142 struct cfg80211_sched_scan_request {
1143 struct cfg80211_ssid *ssids;
1144 @@ -1433,7 +1436,7 @@ struct cfg80211_sched_scan_request {
1146 struct cfg80211_match_set *match_sets;
1149 + s32 min_rssi_thold;
1152 struct wiphy *wiphy;
1153 @@ -3130,8 +3133,8 @@ struct cfg80211_cached_keys;
1154 * @identifier: (private) Identifier used in nl80211 to identify this
1155 * wireless device if it has no netdev
1156 * @current_bss: (private) Used by the internal configuration code
1157 - * @channel: (private) Used by the internal configuration code to track
1158 - * the user-set AP, monitor and WDS channel
1159 + * @chandef: (private) Used by the internal configuration code to track
1160 + * the user-set channel definition.
1161 * @preset_chandef: (private) Used by the internal configuration code to
1162 * track the channel to be used for AP later
1163 * @bssid: (private) Used by the internal configuration code
1164 @@ -3195,9 +3198,7 @@ struct wireless_dev {
1166 struct cfg80211_internal_bss *current_bss; /* associated / joined */
1167 struct cfg80211_chan_def preset_chandef;
1169 - /* for AP and mesh channel tracking */
1170 - struct ieee80211_channel *channel;
1171 + struct cfg80211_chan_def chandef;
1174 bool ibss_dfs_possible;
1175 @@ -3879,6 +3880,7 @@ void cfg80211_michael_mic_failure(struct
1177 * @dev: network device
1178 * @bssid: the BSSID of the IBSS joined
1179 + * @channel: the channel of the IBSS joined
1180 * @gfp: allocation flags
1182 * This function notifies cfg80211 that the device joined an IBSS or
1183 @@ -3888,7 +3890,8 @@ void cfg80211_michael_mic_failure(struct
1184 * with the locally generated beacon -- this guarantees that there is
1185 * always a scan result for this IBSS. cfg80211 will handle the rest.
1187 -void cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid, gfp_t gfp);
1188 +void cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid,
1189 + struct ieee80211_channel *channel, gfp_t gfp);
1192 * cfg80211_notify_new_candidate - notify cfg80211 of a new mesh peer candidate
1193 --- a/include/uapi/linux/nl80211.h
1194 +++ b/include/uapi/linux/nl80211.h
1195 @@ -2442,9 +2442,15 @@ enum nl80211_reg_rule_attr {
1196 * enum nl80211_sched_scan_match_attr - scheduled scan match attributes
1197 * @__NL80211_SCHED_SCAN_MATCH_ATTR_INVALID: attribute number 0 is reserved
1198 * @NL80211_SCHED_SCAN_MATCH_ATTR_SSID: SSID to be used for matching,
1199 - * only report BSS with matching SSID.
1200 + * only report BSS with matching SSID.
1201 * @NL80211_SCHED_SCAN_MATCH_ATTR_RSSI: RSSI threshold (in dBm) for reporting a
1202 - * BSS in scan results. Filtering is turned off if not specified.
1203 + * BSS in scan results. Filtering is turned off if not specified. Note that
1204 + * if this attribute is in a match set of its own, then it is treated as
1205 + * the default value for all matchsets with an SSID, rather than being a
1206 + * matchset of its own without an RSSI filter. This is due to problems with
1207 + * how this API was implemented in the past. Also, due to the same problem,
1208 + * the only way to create a matchset with only an RSSI filter (with this
1209 + * attribute) is if there's only a single matchset with the RSSI attribute.
1210 * @NL80211_SCHED_SCAN_MATCH_ATTR_MAX: highest scheduled scan filter
1211 * attribute number currently defined
1212 * @__NL80211_SCHED_SCAN_MATCH_ATTR_AFTER_LAST: internal use
1213 --- a/net/mac80211/agg-tx.c
1214 +++ b/net/mac80211/agg-tx.c
1215 @@ -107,7 +107,7 @@ static void ieee80211_send_addba_request
1216 mgmt->u.action.u.addba_req.start_seq_num =
1217 cpu_to_le16(start_seq_num << 4);
1219 - ieee80211_tx_skb_tid(sdata, skb, tid);
1220 + ieee80211_tx_skb(sdata, skb);
1223 void ieee80211_send_bar(struct ieee80211_vif *vif, u8 *ra, u16 tid, u16 ssn)
1224 --- a/net/mac80211/cfg.c
1225 +++ b/net/mac80211/cfg.c
1226 @@ -970,9 +970,9 @@ static int ieee80211_start_ap(struct wip
1227 /* TODO: make hostapd tell us what it wants */
1228 sdata->smps_mode = IEEE80211_SMPS_OFF;
1229 sdata->needed_rx_chains = sdata->local->rx_chains;
1230 - sdata->radar_required = params->radar_required;
1232 mutex_lock(&local->mtx);
1233 + sdata->radar_required = params->radar_required;
1234 err = ieee80211_vif_use_channel(sdata, ¶ms->chandef,
1235 IEEE80211_CHANCTX_SHARED);
1236 mutex_unlock(&local->mtx);
1237 @@ -1021,8 +1021,10 @@ static int ieee80211_start_ap(struct wip
1238 IEEE80211_P2P_OPPPS_ENABLE_BIT;
1240 err = ieee80211_assign_beacon(sdata, ¶ms->beacon);
1243 + ieee80211_vif_release_channel(sdata);
1248 err = drv_start_ap(sdata->local, sdata);
1249 @@ -1032,6 +1034,7 @@ static int ieee80211_start_ap(struct wip
1251 kfree_rcu(old, rcu_head);
1252 RCU_INIT_POINTER(sdata->u.ap.beacon, NULL);
1253 + ieee80211_vif_release_channel(sdata);
1257 @@ -1053,6 +1056,7 @@ static int ieee80211_change_beacon(struc
1260 sdata = IEEE80211_DEV_TO_SUB_IF(dev);
1261 + sdata_assert_lock(sdata);
1263 /* don't allow changing the beacon while CSA is in place - offset
1264 * of channel switch counter may change
1265 @@ -1080,6 +1084,8 @@ static int ieee80211_stop_ap(struct wiph
1266 struct probe_resp *old_probe_resp;
1267 struct cfg80211_chan_def chandef;
1269 + sdata_assert_lock(sdata);
1271 old_beacon = sdata_dereference(sdata->u.ap.beacon, sdata);
1274 @@ -1090,8 +1096,6 @@ static int ieee80211_stop_ap(struct wiph
1275 kfree(sdata->u.ap.next_beacon);
1276 sdata->u.ap.next_beacon = NULL;
1278 - cancel_work_sync(&sdata->u.ap.request_smps_work);
1280 /* turn off carrier for this interface and dependent VLANs */
1281 list_for_each_entry(vlan, &sdata->u.ap.vlans, u.vlan.list)
1282 netif_carrier_off(vlan->dev);
1283 @@ -1103,6 +1107,7 @@ static int ieee80211_stop_ap(struct wiph
1284 kfree_rcu(old_beacon, rcu_head);
1286 kfree_rcu(old_probe_resp, rcu_head);
1287 + sdata->u.ap.driver_smps_mode = IEEE80211_SMPS_OFF;
1289 __sta_info_flush(sdata, true);
1290 ieee80211_free_keys(sdata, true);
1291 @@ -2638,6 +2643,24 @@ static int ieee80211_start_roc_work(stru
1292 INIT_DELAYED_WORK(&roc->work, ieee80211_sw_roc_work);
1293 INIT_LIST_HEAD(&roc->dependents);
1296 + * cookie is either the roc cookie (for normal roc)
1297 + * or the SKB (for mgmt TX)
1300 + /* local->mtx protects this */
1301 + local->roc_cookie_counter++;
1302 + roc->cookie = local->roc_cookie_counter;
1303 + /* wow, you wrapped 64 bits ... more likely a bug */
1304 + if (WARN_ON(roc->cookie == 0)) {
1306 + local->roc_cookie_counter++;
1308 + *cookie = roc->cookie;
1310 + *cookie = (unsigned long)txskb;
1313 /* if there's one pending or we're scanning, queue this one */
1314 if (!list_empty(&local->roc_list) ||
1315 local->scanning || local->radar_detect_enabled)
1316 @@ -2772,24 +2795,6 @@ static int ieee80211_start_roc_work(stru
1318 list_add_tail(&roc->list, &local->roc_list);
1321 - * cookie is either the roc cookie (for normal roc)
1322 - * or the SKB (for mgmt TX)
1325 - /* local->mtx protects this */
1326 - local->roc_cookie_counter++;
1327 - roc->cookie = local->roc_cookie_counter;
1328 - /* wow, you wrapped 64 bits ... more likely a bug */
1329 - if (WARN_ON(roc->cookie == 0)) {
1331 - local->roc_cookie_counter++;
1333 - *cookie = roc->cookie;
1335 - *cookie = (unsigned long)txskb;
1341 @@ -3004,8 +3009,10 @@ void ieee80211_csa_finalize_work(struct
1342 if (!ieee80211_sdata_running(sdata))
1345 - sdata->radar_required = sdata->csa_radar_required;
1346 + sdata_assert_lock(sdata);
1348 mutex_lock(&local->mtx);
1349 + sdata->radar_required = sdata->csa_radar_required;
1350 err = ieee80211_vif_change_channel(sdata, &changed);
1351 mutex_unlock(&local->mtx);
1352 if (WARN_ON(err < 0))
1353 @@ -3022,13 +3029,13 @@ void ieee80211_csa_finalize_work(struct
1354 switch (sdata->vif.type) {
1355 case NL80211_IFTYPE_AP:
1356 err = ieee80211_assign_beacon(sdata, sdata->u.ap.next_beacon);
1357 + kfree(sdata->u.ap.next_beacon);
1358 + sdata->u.ap.next_beacon = NULL;
1364 - kfree(sdata->u.ap.next_beacon);
1365 - sdata->u.ap.next_beacon = NULL;
1367 ieee80211_bss_info_change_notify(sdata, err);
1369 case NL80211_IFTYPE_ADHOC:
1370 @@ -3066,7 +3073,7 @@ int ieee80211_channel_switch(struct wiph
1371 struct ieee80211_if_mesh __maybe_unused *ifmsh;
1372 int err, num_chanctx;
1374 - lockdep_assert_held(&sdata->wdev.mtx);
1375 + sdata_assert_lock(sdata);
1377 if (!list_empty(&local->roc_list) || local->scanning)
1379 --- a/net/mac80211/ht.c
1380 +++ b/net/mac80211/ht.c
1381 @@ -375,7 +375,7 @@ void ieee80211_send_delba(struct ieee802
1382 mgmt->u.action.u.delba.params = cpu_to_le16(params);
1383 mgmt->u.action.u.delba.reason_code = cpu_to_le16(reason_code);
1385 - ieee80211_tx_skb_tid(sdata, skb, tid);
1386 + ieee80211_tx_skb(sdata, skb);
1389 void ieee80211_process_delba(struct ieee80211_sub_if_data *sdata,
1390 @@ -466,7 +466,9 @@ void ieee80211_request_smps_ap_work(stru
1391 u.ap.request_smps_work);
1394 - __ieee80211_request_smps_ap(sdata, sdata->u.ap.driver_smps_mode);
1395 + if (sdata_dereference(sdata->u.ap.beacon, sdata))
1396 + __ieee80211_request_smps_ap(sdata,
1397 + sdata->u.ap.driver_smps_mode);
1398 sdata_unlock(sdata);
1401 --- a/net/mac80211/iface.c
1402 +++ b/net/mac80211/iface.c
1403 @@ -770,12 +770,19 @@ static void ieee80211_do_stop(struct iee
1405 ieee80211_roc_purge(local, sdata);
1407 - if (sdata->vif.type == NL80211_IFTYPE_STATION)
1408 + switch (sdata->vif.type) {
1409 + case NL80211_IFTYPE_STATION:
1410 ieee80211_mgd_stop(sdata);
1412 - if (sdata->vif.type == NL80211_IFTYPE_ADHOC)
1414 + case NL80211_IFTYPE_ADHOC:
1415 ieee80211_ibss_stop(sdata);
1418 + case NL80211_IFTYPE_AP:
1419 + cancel_work_sync(&sdata->u.ap.request_smps_work);
1426 * Remove all stations associated with this interface.
1427 @@ -827,7 +834,9 @@ static void ieee80211_do_stop(struct iee
1428 cancel_work_sync(&local->dynamic_ps_enable_work);
1430 cancel_work_sync(&sdata->recalc_smps);
1431 + sdata_lock(sdata);
1432 sdata->vif.csa_active = false;
1433 + sdata_unlock(sdata);
1434 cancel_work_sync(&sdata->csa_finalize_work);
1436 cancel_delayed_work_sync(&sdata->dfs_cac_timer_work);
1437 --- a/net/mac80211/rx.c
1438 +++ b/net/mac80211/rx.c
1439 @@ -599,10 +599,10 @@ static int ieee80211_is_unicast_robust_m
1441 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1443 - if (skb->len < 24 || is_multicast_ether_addr(hdr->addr1))
1444 + if (is_multicast_ether_addr(hdr->addr1))
1447 - return ieee80211_is_robust_mgmt_frame(hdr);
1448 + return ieee80211_is_robust_mgmt_frame(skb);
1452 @@ -610,10 +610,10 @@ static int ieee80211_is_multicast_robust
1454 struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data;
1456 - if (skb->len < 24 || !is_multicast_ether_addr(hdr->addr1))
1457 + if (!is_multicast_ether_addr(hdr->addr1))
1460 - return ieee80211_is_robust_mgmt_frame(hdr);
1461 + return ieee80211_is_robust_mgmt_frame(skb);
1465 @@ -626,7 +626,7 @@ static int ieee80211_get_mmie_keyidx(str
1466 if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da))
1469 - if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *) hdr))
1470 + if (!ieee80211_is_robust_mgmt_frame(skb))
1471 return -1; /* not a robust management frame */
1473 mmie = (struct ieee80211_mmie *)
1474 @@ -1128,6 +1128,13 @@ static void sta_ps_end(struct sta_info *
1475 sta->sta.addr, sta->sta.aid);
1477 if (test_sta_flag(sta, WLAN_STA_PS_DRIVER)) {
1479 + * Clear the flag only if the other one is still set
1480 + * so that the TX path won't start TX'ing new frames
1481 + * directly ... In the case that the driver flag isn't
1482 + * set ieee80211_sta_ps_deliver_wakeup() will clear it.
1484 + clear_sta_flag(sta, WLAN_STA_PS_STA);
1485 ps_dbg(sta->sdata, "STA %pM aid %d driver-ps-blocked\n",
1486 sta->sta.addr, sta->sta.aid);
1488 @@ -1311,18 +1318,15 @@ ieee80211_rx_h_sta_process(struct ieee80
1489 !ieee80211_has_morefrags(hdr->frame_control) &&
1490 !(status->rx_flags & IEEE80211_RX_DEFERRED_RELEASE) &&
1491 (rx->sdata->vif.type == NL80211_IFTYPE_AP ||
1492 - rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)) {
1493 + rx->sdata->vif.type == NL80211_IFTYPE_AP_VLAN) &&
1494 + /* PM bit is only checked in frames where it isn't reserved,
1495 + * in AP mode it's reserved in non-bufferable management frames
1496 + * (cf. IEEE 802.11-2012 8.2.4.1.7 Power Management field)
1498 + (!ieee80211_is_mgmt(hdr->frame_control) ||
1499 + ieee80211_is_bufferable_mmpdu(hdr->frame_control))) {
1500 if (test_sta_flag(sta, WLAN_STA_PS_STA)) {
1502 - * Ignore doze->wake transitions that are
1503 - * indicated by non-data frames, the standard
1504 - * is unclear here, but for example going to
1505 - * PS mode and then scanning would cause a
1506 - * doze->wake transition for the probe request,
1507 - * and that is clearly undesirable.
1509 - if (ieee80211_is_data(hdr->frame_control) &&
1510 - !ieee80211_has_pm(hdr->frame_control))
1511 + if (!ieee80211_has_pm(hdr->frame_control))
1514 if (ieee80211_has_pm(hdr->frame_control))
1515 @@ -1845,8 +1849,7 @@ static int ieee80211_drop_unencrypted_mg
1516 * having configured keys.
1518 if (unlikely(ieee80211_is_action(fc) && !rx->key &&
1519 - ieee80211_is_robust_mgmt_frame(
1520 - (struct ieee80211_hdr *) rx->skb->data)))
1521 + ieee80211_is_robust_mgmt_frame(rx->skb)))
1525 --- a/net/mac80211/tx.c
1526 +++ b/net/mac80211/tx.c
1527 @@ -452,8 +452,7 @@ static int ieee80211_use_mfp(__le16 fc,
1528 if (sta == NULL || !test_sta_flag(sta, WLAN_STA_MFP))
1531 - if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *)
1533 + if (!ieee80211_is_robust_mgmt_frame(skb))
1537 @@ -478,6 +477,20 @@ ieee80211_tx_h_unicast_ps_buf(struct iee
1538 sta->sta.addr, sta->sta.aid, ac);
1539 if (tx->local->total_ps_buffered >= TOTAL_MAX_TX_BUFFER)
1540 purge_old_ps_buffers(tx->local);
1542 + /* sync with ieee80211_sta_ps_deliver_wakeup */
1543 + spin_lock(&sta->ps_lock);
1545 + * STA woke up the meantime and all the frames on ps_tx_buf have
1546 + * been queued to pending queue. No reordering can happen, go
1547 + * ahead and Tx the packet.
1549 + if (!test_sta_flag(sta, WLAN_STA_PS_STA) &&
1550 + !test_sta_flag(sta, WLAN_STA_PS_DRIVER)) {
1551 + spin_unlock(&sta->ps_lock);
1552 + return TX_CONTINUE;
1555 if (skb_queue_len(&sta->ps_tx_buf[ac]) >= STA_MAX_TX_BUFFER) {
1556 struct sk_buff *old = skb_dequeue(&sta->ps_tx_buf[ac]);
1558 @@ -492,6 +505,7 @@ ieee80211_tx_h_unicast_ps_buf(struct iee
1559 info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING;
1560 info->flags &= ~IEEE80211_TX_TEMPORARY_FLAGS;
1561 skb_queue_tail(&sta->ps_tx_buf[ac], tx->skb);
1562 + spin_unlock(&sta->ps_lock);
1564 if (!timer_pending(&local->sta_cleanup))
1565 mod_timer(&local->sta_cleanup,
1566 @@ -525,9 +539,7 @@ ieee80211_tx_h_ps_buf(struct ieee80211_t
1568 /* only deauth, disassoc and action are bufferable MMPDUs */
1569 if (ieee80211_is_mgmt(hdr->frame_control) &&
1570 - !ieee80211_is_deauth(hdr->frame_control) &&
1571 - !ieee80211_is_disassoc(hdr->frame_control) &&
1572 - !ieee80211_is_action(hdr->frame_control)) {
1573 + !ieee80211_is_bufferable_mmpdu(hdr->frame_control)) {
1574 if (tx->flags & IEEE80211_TX_UNICAST)
1575 info->flags |= IEEE80211_TX_CTL_NO_PS_BUFFER;
1577 @@ -567,7 +579,7 @@ ieee80211_tx_h_select_key(struct ieee802
1579 else if (ieee80211_is_mgmt(hdr->frame_control) &&
1580 is_multicast_ether_addr(hdr->addr1) &&
1581 - ieee80211_is_robust_mgmt_frame(hdr) &&
1582 + ieee80211_is_robust_mgmt_frame(tx->skb) &&
1583 (key = rcu_dereference(tx->sdata->default_mgmt_key)))
1585 else if (is_multicast_ether_addr(hdr->addr1) &&
1586 @@ -582,12 +594,12 @@ ieee80211_tx_h_select_key(struct ieee802
1588 else if (tx->skb->protocol == tx->sdata->control_port_protocol)
1590 - else if (ieee80211_is_robust_mgmt_frame(hdr) &&
1591 + else if (ieee80211_is_robust_mgmt_frame(tx->skb) &&
1592 !(ieee80211_is_action(hdr->frame_control) &&
1593 tx->sta && test_sta_flag(tx->sta, WLAN_STA_MFP)))
1595 else if (ieee80211_is_mgmt(hdr->frame_control) &&
1596 - !ieee80211_is_robust_mgmt_frame(hdr))
1597 + !ieee80211_is_robust_mgmt_frame(tx->skb))
1600 I802_DEBUG_INC(tx->local->tx_handlers_drop_unencrypted);
1601 @@ -878,7 +890,7 @@ static int ieee80211_fragment(struct iee
1604 /* adjust first fragment's length */
1605 - skb->len = hdrlen + per_fragm;
1606 + skb_trim(skb, hdrlen + per_fragm);
1610 --- a/net/mac80211/wpa.c
1611 +++ b/net/mac80211/wpa.c
1612 @@ -499,7 +499,7 @@ ieee80211_crypto_ccmp_decrypt(struct iee
1613 hdrlen = ieee80211_hdrlen(hdr->frame_control);
1615 if (!ieee80211_is_data(hdr->frame_control) &&
1616 - !ieee80211_is_robust_mgmt_frame(hdr))
1617 + !ieee80211_is_robust_mgmt_frame(skb))
1620 data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN -
1621 --- a/net/wireless/ap.c
1622 +++ b/net/wireless/ap.c
1623 @@ -27,9 +27,10 @@ static int __cfg80211_stop_ap(struct cfg
1624 err = rdev_stop_ap(rdev, dev);
1626 wdev->beacon_interval = 0;
1627 - wdev->channel = NULL;
1628 + memset(&wdev->chandef, 0, sizeof(wdev->chandef));
1630 rdev_set_qos_map(rdev, dev, NULL);
1631 + nl80211_send_ap_stopped(wdev);
1635 --- a/net/wireless/core.c
1636 +++ b/net/wireless/core.c
1637 @@ -203,8 +203,11 @@ void cfg80211_stop_p2p_device(struct cfg
1641 - WARN_ON(rdev->scan_req && rdev->scan_req->wdev == wdev &&
1642 - !rdev->scan_req->notified);
1643 + if (rdev->scan_req && rdev->scan_req->wdev == wdev) {
1644 + if (WARN_ON(!rdev->scan_req->notified))
1645 + rdev->scan_req->aborted = true;
1646 + ___cfg80211_scan_done(rdev, false);
1650 static int cfg80211_rfkill_set_block(void *data, bool blocked)
1651 @@ -447,9 +450,6 @@ int wiphy_register(struct wiphy *wiphy)
1653 u16 ifmodes = wiphy->interface_modes;
1655 - /* support for 5/10 MHz is broken due to nl80211 API mess - disable */
1656 - wiphy->flags &= ~WIPHY_FLAG_SUPPORTS_5_10_MHZ;
1659 * There are major locking problems in nl80211/mac80211 for CSA,
1660 * disable for all drivers until this has been reworked.
1661 @@ -875,8 +875,11 @@ static int cfg80211_netdev_notifier_call
1664 cfg80211_update_iface_num(rdev, wdev->iftype, -1);
1665 - WARN_ON(rdev->scan_req && rdev->scan_req->wdev == wdev &&
1666 - !rdev->scan_req->notified);
1667 + if (rdev->scan_req && rdev->scan_req->wdev == wdev) {
1668 + if (WARN_ON(!rdev->scan_req->notified))
1669 + rdev->scan_req->aborted = true;
1670 + ___cfg80211_scan_done(rdev, false);
1673 if (WARN_ON(rdev->sched_scan_req &&
1674 rdev->sched_scan_req->dev == wdev->netdev)) {
1675 --- a/net/wireless/core.h
1676 +++ b/net/wireless/core.h
1677 @@ -62,6 +62,7 @@ struct cfg80211_registered_device {
1678 struct rb_root bss_tree;
1680 struct cfg80211_scan_request *scan_req; /* protected by RTNL */
1681 + struct sk_buff *scan_msg;
1682 struct cfg80211_sched_scan_request *sched_scan_req;
1683 unsigned long suspend_at;
1684 struct work_struct scan_done_wk;
1685 @@ -210,6 +211,7 @@ struct cfg80211_event {
1689 + struct ieee80211_channel *channel;
1693 @@ -257,7 +259,8 @@ int __cfg80211_leave_ibss(struct cfg8021
1694 struct net_device *dev, bool nowext);
1695 int cfg80211_leave_ibss(struct cfg80211_registered_device *rdev,
1696 struct net_device *dev, bool nowext);
1697 -void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid);
1698 +void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid,
1699 + struct ieee80211_channel *channel);
1700 int cfg80211_ibss_wext_join(struct cfg80211_registered_device *rdev,
1701 struct wireless_dev *wdev);
1703 @@ -361,7 +364,8 @@ int cfg80211_validate_key_settings(struc
1704 struct key_params *params, int key_idx,
1705 bool pairwise, const u8 *mac_addr);
1706 void __cfg80211_scan_done(struct work_struct *wk);
1707 -void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev);
1708 +void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev,
1709 + bool send_message);
1710 void __cfg80211_sched_scan_results(struct work_struct *wk);
1711 int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev,
1712 bool driver_initiated);
1713 @@ -441,7 +445,8 @@ static inline unsigned int elapsed_jiffi
1715 cfg80211_get_chan_state(struct wireless_dev *wdev,
1716 struct ieee80211_channel **chan,
1717 - enum cfg80211_chan_mode *chanmode);
1718 + enum cfg80211_chan_mode *chanmode,
1719 + u8 *radar_detect);
1721 int cfg80211_set_monitor_channel(struct cfg80211_registered_device *rdev,
1722 struct cfg80211_chan_def *chandef);
1723 --- a/net/wireless/nl80211.c
1724 +++ b/net/wireless/nl80211.c
1725 @@ -1723,9 +1723,10 @@ static int nl80211_dump_wiphy(struct sk_
1726 * We can then retry with the larger buffer.
1728 if ((ret == -ENOBUFS || ret == -EMSGSIZE) &&
1730 + !skb->len && !state->split &&
1731 cb->min_dump_alloc < 4096) {
1732 cb->min_dump_alloc = 4096;
1733 + state->split_start = 0;
1737 @@ -2047,10 +2048,12 @@ static int nl80211_set_wiphy(struct sk_b
1738 nla_for_each_nested(nl_txq_params,
1739 info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS],
1741 - nla_parse(tb, NL80211_TXQ_ATTR_MAX,
1742 - nla_data(nl_txq_params),
1743 - nla_len(nl_txq_params),
1744 - txq_params_policy);
1745 + result = nla_parse(tb, NL80211_TXQ_ATTR_MAX,
1746 + nla_data(nl_txq_params),
1747 + nla_len(nl_txq_params),
1748 + txq_params_policy);
1751 result = parse_txq_params(tb, &txq_params);
1754 @@ -3289,7 +3292,7 @@ static int nl80211_start_ap(struct sk_bu
1756 wdev->preset_chandef = params.chandef;
1757 wdev->beacon_interval = params.beacon_interval;
1758 - wdev->channel = params.chandef.chan;
1759 + wdev->chandef = params.chandef;
1760 wdev->ssid_len = params.ssid_len;
1761 memcpy(wdev->ssid, params.ssid, wdev->ssid_len);
1763 @@ -5210,9 +5213,11 @@ static int nl80211_set_reg(struct sk_buf
1765 nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES],
1767 - nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
1768 - nla_data(nl_reg_rule), nla_len(nl_reg_rule),
1770 + r = nla_parse(tb, NL80211_REG_RULE_ATTR_MAX,
1771 + nla_data(nl_reg_rule), nla_len(nl_reg_rule),
1775 r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]);
1778 @@ -5277,7 +5282,7 @@ static int nl80211_trigger_scan(struct s
1779 if (!rdev->ops->scan)
1782 - if (rdev->scan_req) {
1783 + if (rdev->scan_req || rdev->scan_msg) {
1787 @@ -5475,6 +5480,7 @@ static int nl80211_start_sched_scan(stru
1788 enum ieee80211_band band;
1790 struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1];
1791 + s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF;
1793 if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) ||
1794 !rdev->ops->sched_scan_start)
1795 @@ -5509,11 +5515,40 @@ static int nl80211_start_sched_scan(stru
1796 if (n_ssids > wiphy->max_sched_scan_ssids)
1799 - if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH])
1801 + * First, count the number of 'real' matchsets. Due to an issue with
1802 + * the old implementation, matchsets containing only the RSSI attribute
1803 + * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default'
1804 + * RSSI for all matchsets, rather than their own matchset for reporting
1805 + * all APs with a strong RSSI. This is needed to be compatible with
1806 + * older userspace that treated a matchset with only the RSSI as the
1807 + * global RSSI for all other matchsets - if there are other matchsets.
1809 + if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) {
1810 nla_for_each_nested(attr,
1811 info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH],
1815 + struct nlattr *rssi;
1817 + err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
1818 + nla_data(attr), nla_len(attr),
1819 + nl80211_match_policy);
1822 + /* add other standalone attributes here */
1823 + if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID]) {
1827 + rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
1829 + default_match_rssi = nla_get_s32(rssi);
1833 + /* However, if there's no other matchset, add the RSSI one */
1834 + if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF)
1837 if (n_match_sets > wiphy->max_match_sets)
1839 @@ -5634,11 +5669,22 @@ static int nl80211_start_sched_scan(stru
1841 struct nlattr *ssid, *rssi;
1843 - nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
1844 - nla_data(attr), nla_len(attr),
1845 - nl80211_match_policy);
1846 + err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX,
1847 + nla_data(attr), nla_len(attr),
1848 + nl80211_match_policy);
1851 ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID];
1853 + if (WARN_ON(i >= n_match_sets)) {
1854 + /* this indicates a programming error,
1855 + * the loop above should have verified
1862 if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) {
1865 @@ -5647,15 +5693,28 @@ static int nl80211_start_sched_scan(stru
1866 nla_data(ssid), nla_len(ssid));
1867 request->match_sets[i].ssid.ssid_len =
1869 + /* special attribute - old implemenation w/a */
1870 + request->match_sets[i].rssi_thold =
1871 + default_match_rssi;
1872 + rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
1874 + request->match_sets[i].rssi_thold =
1875 + nla_get_s32(rssi);
1877 - rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI];
1879 - request->rssi_thold = nla_get_u32(rssi);
1881 - request->rssi_thold =
1882 - NL80211_SCAN_RSSI_THOLD_OFF;
1886 + /* there was no other matchset, so the RSSI one is alone */
1888 + request->match_sets[0].rssi_thold = default_match_rssi;
1890 + request->min_rssi_thold = INT_MAX;
1891 + for (i = 0; i < n_match_sets; i++)
1892 + request->min_rssi_thold =
1893 + min(request->match_sets[i].rssi_thold,
1894 + request->min_rssi_thold);
1896 + request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF;
1899 if (info->attrs[NL80211_ATTR_IE]) {
1900 @@ -5751,7 +5810,7 @@ static int nl80211_start_radar_detection
1902 err = rdev->ops->start_radar_detection(&rdev->wiphy, dev, &chandef);
1904 - wdev->channel = chandef.chan;
1905 + wdev->chandef = chandef;
1906 wdev->cac_started = true;
1907 wdev->cac_start_time = jiffies;
1909 @@ -7502,16 +7561,19 @@ static int nl80211_set_tx_bitrate_mask(s
1910 * directly to the enum ieee80211_band values used in cfg80211.
1912 BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8);
1913 - nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem)
1915 + nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) {
1916 enum ieee80211_band band = nla_type(tx_rates);
1919 if (band < 0 || band >= IEEE80211_NUM_BANDS)
1921 sband = rdev->wiphy.bands[band];
1924 - nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates),
1925 - nla_len(tx_rates), nl80211_txattr_policy);
1926 + err = nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates),
1927 + nla_len(tx_rates), nl80211_txattr_policy);
1930 if (tb[NL80211_TXRATE_LEGACY]) {
1931 mask.control[band].legacy = rateset_to_mask(
1933 @@ -10054,40 +10116,31 @@ void nl80211_send_scan_start(struct cfg8
1934 NL80211_MCGRP_SCAN, GFP_KERNEL);
1937 -void nl80211_send_scan_done(struct cfg80211_registered_device *rdev,
1938 - struct wireless_dev *wdev)
1939 +struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
1940 + struct wireless_dev *wdev, bool aborted)
1942 struct sk_buff *msg;
1944 msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1949 if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
1950 - NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
1951 + aborted ? NL80211_CMD_SCAN_ABORTED :
1952 + NL80211_CMD_NEW_SCAN_RESULTS) < 0) {
1958 - genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
1959 - NL80211_MCGRP_SCAN, GFP_KERNEL);
1963 -void nl80211_send_scan_aborted(struct cfg80211_registered_device *rdev,
1964 - struct wireless_dev *wdev)
1965 +void nl80211_send_scan_result(struct cfg80211_registered_device *rdev,
1966 + struct sk_buff *msg)
1968 - struct sk_buff *msg;
1970 - msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1974 - if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0,
1975 - NL80211_CMD_SCAN_ABORTED) < 0) {
1980 genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0,
1981 NL80211_MCGRP_SCAN, GFP_KERNEL);
1983 @@ -11158,7 +11211,8 @@ void cfg80211_ch_switch_notify(struct ne
1984 wdev->iftype != NL80211_IFTYPE_MESH_POINT))
1987 - wdev->channel = chandef->chan;
1988 + wdev->chandef = *chandef;
1989 + wdev->preset_chandef = *chandef;
1990 nl80211_ch_switch_notify(rdev, dev, chandef, GFP_KERNEL);
1992 EXPORT_SYMBOL(cfg80211_ch_switch_notify);
1993 @@ -11673,6 +11727,35 @@ void cfg80211_crit_proto_stopped(struct
1995 EXPORT_SYMBOL(cfg80211_crit_proto_stopped);
1997 +void nl80211_send_ap_stopped(struct wireless_dev *wdev)
1999 + struct wiphy *wiphy = wdev->wiphy;
2000 + struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy);
2001 + struct sk_buff *msg;
2004 + msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2008 + hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP);
2012 + if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) ||
2013 + nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) ||
2014 + nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev)))
2017 + genlmsg_end(msg, hdr);
2019 + genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0,
2020 + NL80211_MCGRP_MLME, GFP_KERNEL);
2026 /* initialisation/exit functions */
2028 int nl80211_init(void)
2029 --- a/net/wireless/nl80211.h
2030 +++ b/net/wireless/nl80211.h
2031 @@ -8,10 +8,10 @@ void nl80211_exit(void);
2032 void nl80211_notify_dev_rename(struct cfg80211_registered_device *rdev);
2033 void nl80211_send_scan_start(struct cfg80211_registered_device *rdev,
2034 struct wireless_dev *wdev);
2035 -void nl80211_send_scan_done(struct cfg80211_registered_device *rdev,
2036 - struct wireless_dev *wdev);
2037 -void nl80211_send_scan_aborted(struct cfg80211_registered_device *rdev,
2038 - struct wireless_dev *wdev);
2039 +struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev,
2040 + struct wireless_dev *wdev, bool aborted);
2041 +void nl80211_send_scan_result(struct cfg80211_registered_device *rdev,
2042 + struct sk_buff *msg);
2043 void nl80211_send_sched_scan(struct cfg80211_registered_device *rdev,
2044 struct net_device *netdev, u32 cmd);
2045 void nl80211_send_sched_scan_results(struct cfg80211_registered_device *rdev,
2046 @@ -74,6 +74,8 @@ nl80211_radar_notify(struct cfg80211_reg
2047 enum nl80211_radar_event event,
2048 struct net_device *netdev, gfp_t gfp);
2050 +void nl80211_send_ap_stopped(struct wireless_dev *wdev);
2052 void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev);
2054 #endif /* __NET_WIRELESS_NL80211_H */
2055 --- a/net/wireless/scan.c
2056 +++ b/net/wireless/scan.c
2057 @@ -161,18 +161,25 @@ static void __cfg80211_bss_expire(struct
2058 dev->bss_generation++;
2061 -void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev)
2062 +void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev,
2063 + bool send_message)
2065 struct cfg80211_scan_request *request;
2066 struct wireless_dev *wdev;
2067 + struct sk_buff *msg;
2068 #ifdef CPTCFG_CFG80211_WEXT
2069 union iwreq_data wrqu;
2074 - request = rdev->scan_req;
2075 + if (rdev->scan_msg) {
2076 + nl80211_send_scan_result(rdev, rdev->scan_msg);
2077 + rdev->scan_msg = NULL;
2081 + request = rdev->scan_req;
2085 @@ -186,18 +193,16 @@ void ___cfg80211_scan_done(struct cfg802
2087 cfg80211_sme_scan_done(wdev->netdev);
2089 - if (request->aborted) {
2090 - nl80211_send_scan_aborted(rdev, wdev);
2092 - if (request->flags & NL80211_SCAN_FLAG_FLUSH) {
2093 - /* flush entries from previous scans */
2094 - spin_lock_bh(&rdev->bss_lock);
2095 - __cfg80211_bss_expire(rdev, request->scan_start);
2096 - spin_unlock_bh(&rdev->bss_lock);
2098 - nl80211_send_scan_done(rdev, wdev);
2099 + if (!request->aborted &&
2100 + request->flags & NL80211_SCAN_FLAG_FLUSH) {
2101 + /* flush entries from previous scans */
2102 + spin_lock_bh(&rdev->bss_lock);
2103 + __cfg80211_bss_expire(rdev, request->scan_start);
2104 + spin_unlock_bh(&rdev->bss_lock);
2107 + msg = nl80211_build_scan_msg(rdev, wdev, request->aborted);
2109 #ifdef CPTCFG_CFG80211_WEXT
2110 if (wdev->netdev && !request->aborted) {
2111 memset(&wrqu, 0, sizeof(wrqu));
2112 @@ -211,6 +216,11 @@ void ___cfg80211_scan_done(struct cfg802
2114 rdev->scan_req = NULL;
2117 + if (!send_message)
2118 + rdev->scan_msg = msg;
2120 + nl80211_send_scan_result(rdev, msg);
2123 void __cfg80211_scan_done(struct work_struct *wk)
2124 @@ -221,7 +231,7 @@ void __cfg80211_scan_done(struct work_st
2128 - ___cfg80211_scan_done(rdev);
2129 + ___cfg80211_scan_done(rdev, true);
2133 @@ -1079,7 +1089,7 @@ int cfg80211_wext_siwscan(struct net_dev
2135 return PTR_ERR(rdev);
2137 - if (rdev->scan_req) {
2138 + if (rdev->scan_req || rdev->scan_msg) {
2142 @@ -1481,7 +1491,7 @@ int cfg80211_wext_giwscan(struct net_dev
2144 return PTR_ERR(rdev);
2146 - if (rdev->scan_req)
2147 + if (rdev->scan_req || rdev->scan_msg)
2150 res = ieee80211_scan_results(rdev, info, extra, data->length);
2151 --- a/net/wireless/sme.c
2152 +++ b/net/wireless/sme.c
2153 @@ -67,7 +67,7 @@ static int cfg80211_conn_scan(struct wir
2154 ASSERT_RDEV_LOCK(rdev);
2155 ASSERT_WDEV_LOCK(wdev);
2157 - if (rdev->scan_req)
2158 + if (rdev->scan_req || rdev->scan_msg)
2161 if (wdev->conn->params.channel)
2162 --- a/net/mac80211/mlme.c
2163 +++ b/net/mac80211/mlme.c
2164 @@ -1001,7 +1001,6 @@ ieee80211_sta_process_chanswitch(struct
2167 ifmgd->flags |= IEEE80211_STA_CSA_RECEIVED;
2168 - sdata->vif.csa_active = true;
2170 mutex_lock(&local->chanctx_mtx);
2171 if (local->use_chanctx) {
2172 @@ -1039,6 +1038,7 @@ ieee80211_sta_process_chanswitch(struct
2173 mutex_unlock(&local->chanctx_mtx);
2175 sdata->csa_chandef = csa_ie.chandef;
2176 + sdata->vif.csa_active = true;
2179 ieee80211_stop_queues_by_reason(&local->hw,
2180 --- a/net/mac80211/chan.c
2181 +++ b/net/mac80211/chan.c
2182 @@ -196,6 +196,8 @@ static bool ieee80211_is_radar_required(
2184 struct ieee80211_sub_if_data *sdata;
2186 + lockdep_assert_held(&local->mtx);
2189 list_for_each_entry_rcu(sdata, &local->interfaces, list) {
2190 if (sdata->radar_required) {
2191 --- a/net/mac80211/ibss.c
2192 +++ b/net/mac80211/ibss.c
2193 @@ -294,7 +294,6 @@ static void __ieee80211_sta_join_ibss(st
2196 mutex_lock(&local->mtx);
2197 - ieee80211_vif_release_channel(sdata);
2198 if (ieee80211_vif_use_channel(sdata, &chandef,
2199 ifibss->fixed_channel ?
2200 IEEE80211_CHANCTX_SHARED :
2201 @@ -303,6 +302,7 @@ static void __ieee80211_sta_join_ibss(st
2202 mutex_unlock(&local->mtx);
2205 + sdata->radar_required = radar_required;
2206 mutex_unlock(&local->mtx);
2208 memcpy(ifibss->bssid, bssid, ETH_ALEN);
2209 @@ -318,7 +318,6 @@ static void __ieee80211_sta_join_ibss(st
2210 rcu_assign_pointer(ifibss->presp, presp);
2211 mgmt = (void *)presp->head;
2213 - sdata->radar_required = radar_required;
2214 sdata->vif.bss_conf.enable_beacon = true;
2215 sdata->vif.bss_conf.beacon_int = beacon_int;
2216 sdata->vif.bss_conf.basic_rates = basic_rates;
2217 @@ -386,7 +385,7 @@ static void __ieee80211_sta_join_ibss(st
2218 presp->head_len, 0, GFP_KERNEL);
2219 cfg80211_put_bss(local->hw.wiphy, bss);
2220 netif_carrier_on(sdata->dev);
2221 - cfg80211_ibss_joined(sdata->dev, ifibss->bssid, GFP_KERNEL);
2222 + cfg80211_ibss_joined(sdata->dev, ifibss->bssid, chan, GFP_KERNEL);
2225 static void ieee80211_sta_join_ibss(struct ieee80211_sub_if_data *sdata,
2226 @@ -802,6 +801,8 @@ ieee80211_ibss_process_chanswitch(struct
2230 + sdata_assert_lock(sdata);
2232 sta_flags = IEEE80211_STA_DISABLE_VHT;
2233 switch (ifibss->chandef.width) {
2234 case NL80211_CHAN_WIDTH_5:
2235 @@ -1471,6 +1472,11 @@ static void ieee80211_rx_mgmt_probe_req(
2236 memcpy(((struct ieee80211_mgmt *) skb->data)->da, mgmt->sa, ETH_ALEN);
2237 ibss_dbg(sdata, "Sending ProbeResp to %pM\n", mgmt->sa);
2238 IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_INTFL_DONT_ENCRYPT;
2240 + /* avoid excessive retries for probe request to wildcard SSIDs */
2242 + IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_NO_ACK;
2244 ieee80211_tx_skb(sdata, skb);
2247 --- a/net/mac80211/mesh.c
2248 +++ b/net/mac80211/mesh.c
2249 @@ -872,6 +872,8 @@ ieee80211_mesh_process_chnswitch(struct
2250 if (!ifmsh->mesh_id)
2253 + sdata_assert_lock(sdata);
2255 sta_flags = IEEE80211_STA_DISABLE_VHT;
2256 switch (sdata->vif.bss_conf.chandef.width) {
2257 case NL80211_CHAN_WIDTH_20_NOHT:
2258 --- a/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
2259 +++ b/drivers/net/wireless/brcm80211/brcmfmac/wl_cfg80211.c
2260 @@ -4658,6 +4658,7 @@ brcmf_notify_connect_status(struct brcmf
2261 struct brcmf_cfg80211_info *cfg = ifp->drvr->config;
2262 struct net_device *ndev = ifp->ndev;
2263 struct brcmf_cfg80211_profile *profile = &ifp->vif->profile;
2264 + struct ieee80211_channel *chan;
2267 if (ifp->vif->mode == WL_MODE_AP) {
2268 @@ -4665,9 +4666,10 @@ brcmf_notify_connect_status(struct brcmf
2269 } else if (brcmf_is_linkup(e)) {
2270 brcmf_dbg(CONN, "Linkup\n");
2271 if (brcmf_is_ibssmode(ifp->vif)) {
2272 + chan = ieee80211_get_channel(cfg->wiphy, cfg->channel);
2273 memcpy(profile->bssid, e->addr, ETH_ALEN);
2274 wl_inform_ibss(cfg, ndev, e->addr);
2275 - cfg80211_ibss_joined(ndev, e->addr, GFP_KERNEL);
2276 + cfg80211_ibss_joined(ndev, e->addr, chan, GFP_KERNEL);
2277 clear_bit(BRCMF_VIF_STATUS_CONNECTING,
2278 &ifp->vif->sme_state);
2279 set_bit(BRCMF_VIF_STATUS_CONNECTED,
2280 --- a/drivers/net/wireless/libertas/cfg.c
2281 +++ b/drivers/net/wireless/libertas/cfg.c
2282 @@ -1766,7 +1766,8 @@ static void lbs_join_post(struct lbs_pri
2283 memcpy(priv->wdev->ssid, params->ssid, params->ssid_len);
2284 priv->wdev->ssid_len = params->ssid_len;
2286 - cfg80211_ibss_joined(priv->dev, bssid, GFP_KERNEL);
2287 + cfg80211_ibss_joined(priv->dev, bssid, params->chandef.chan,
2290 /* TODO: consider doing this at MACREG_INT_CODE_LINK_SENSED time */
2291 priv->connect_status = LBS_CONNECTED;
2292 --- a/drivers/net/wireless/mwifiex/cfg80211.c
2293 +++ b/drivers/net/wireless/mwifiex/cfg80211.c
2294 @@ -1881,7 +1881,8 @@ mwifiex_cfg80211_join_ibss(struct wiphy
2298 - cfg80211_ibss_joined(priv->netdev, priv->cfg_bssid, GFP_KERNEL);
2299 + cfg80211_ibss_joined(priv->netdev, priv->cfg_bssid,
2300 + params->chandef.chan, GFP_KERNEL);
2301 dev_dbg(priv->adapter->dev,
2302 "info: joined/created adhoc network with bssid"
2303 " %pM successfully\n", priv->cfg_bssid);
2304 --- a/drivers/net/wireless/rndis_wlan.c
2305 +++ b/drivers/net/wireless/rndis_wlan.c
2306 @@ -2835,7 +2835,9 @@ static void rndis_wlan_do_link_up_work(s
2307 bssid, req_ie, req_ie_len,
2308 resp_ie, resp_ie_len, GFP_KERNEL);
2309 } else if (priv->infra_mode == NDIS_80211_INFRA_ADHOC)
2310 - cfg80211_ibss_joined(usbdev->net, bssid, GFP_KERNEL);
2311 + cfg80211_ibss_joined(usbdev->net, bssid,
2312 + get_current_channel(usbdev, NULL),
2317 --- a/net/wireless/ibss.c
2318 +++ b/net/wireless/ibss.c
2320 #include "rdev-ops.h"
2323 -void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid)
2324 +void __cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid,
2325 + struct ieee80211_channel *channel)
2327 struct wireless_dev *wdev = dev->ieee80211_ptr;
2328 struct cfg80211_bss *bss;
2329 @@ -28,8 +29,7 @@ void __cfg80211_ibss_joined(struct net_d
2330 if (!wdev->ssid_len)
2333 - bss = cfg80211_get_bss(wdev->wiphy, NULL, bssid,
2334 - wdev->ssid, wdev->ssid_len,
2335 + bss = cfg80211_get_bss(wdev->wiphy, channel, bssid, NULL, 0,
2336 WLAN_CAPABILITY_IBSS, WLAN_CAPABILITY_IBSS);
2339 @@ -54,21 +54,26 @@ void __cfg80211_ibss_joined(struct net_d
2343 -void cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid, gfp_t gfp)
2344 +void cfg80211_ibss_joined(struct net_device *dev, const u8 *bssid,
2345 + struct ieee80211_channel *channel, gfp_t gfp)
2347 struct wireless_dev *wdev = dev->ieee80211_ptr;
2348 struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy);
2349 struct cfg80211_event *ev;
2350 unsigned long flags;
2352 - trace_cfg80211_ibss_joined(dev, bssid);
2353 + trace_cfg80211_ibss_joined(dev, bssid, channel);
2355 + if (WARN_ON(!channel))
2358 ev = kzalloc(sizeof(*ev), gfp);
2362 ev->type = EVENT_IBSS_JOINED;
2363 - memcpy(ev->cr.bssid, bssid, ETH_ALEN);
2364 + memcpy(ev->ij.bssid, bssid, ETH_ALEN);
2365 + ev->ij.channel = channel;
2367 spin_lock_irqsave(&wdev->event_lock, flags);
2368 list_add_tail(&ev->list, &wdev->event_list);
2369 @@ -117,6 +122,7 @@ int __cfg80211_join_ibss(struct cfg80211
2371 wdev->ibss_fixed = params->channel_fixed;
2372 wdev->ibss_dfs_possible = params->userspace_handles_dfs;
2373 + wdev->chandef = params->chandef;
2374 #ifdef CPTCFG_CFG80211_WEXT
2375 wdev->wext.ibss.chandef = params->chandef;
2377 @@ -200,6 +206,7 @@ static void __cfg80211_clear_ibss(struct
2379 wdev->current_bss = NULL;
2381 + memset(&wdev->chandef, 0, sizeof(wdev->chandef));
2382 #ifdef CPTCFG_CFG80211_WEXT
2384 wdev->wext.ibss.ssid_len = 0;
2385 --- a/net/wireless/trace.h
2386 +++ b/net/wireless/trace.h
2387 @@ -2278,11 +2278,6 @@ DECLARE_EVENT_CLASS(cfg80211_rx_evt,
2388 TP_printk(NETDEV_PR_FMT ", " MAC_PR_FMT, NETDEV_PR_ARG, MAC_PR_ARG(addr))
2391 -DEFINE_EVENT(cfg80211_rx_evt, cfg80211_ibss_joined,
2392 - TP_PROTO(struct net_device *netdev, const u8 *addr),
2393 - TP_ARGS(netdev, addr)
2396 DEFINE_EVENT(cfg80211_rx_evt, cfg80211_rx_spurious_frame,
2397 TP_PROTO(struct net_device *netdev, const u8 *addr),
2398 TP_ARGS(netdev, addr)
2399 @@ -2293,6 +2288,24 @@ DEFINE_EVENT(cfg80211_rx_evt, cfg80211_r
2400 TP_ARGS(netdev, addr)
2403 +TRACE_EVENT(cfg80211_ibss_joined,
2404 + TP_PROTO(struct net_device *netdev, const u8 *bssid,
2405 + struct ieee80211_channel *channel),
2406 + TP_ARGS(netdev, bssid, channel),
2414 + MAC_ASSIGN(bssid, bssid);
2415 + CHAN_ASSIGN(channel);
2417 + TP_printk(NETDEV_PR_FMT ", bssid: " MAC_PR_FMT ", " CHAN_PR_FMT,
2418 + NETDEV_PR_ARG, MAC_PR_ARG(bssid), CHAN_PR_ARG)
2421 TRACE_EVENT(cfg80211_probe_status,
2422 TP_PROTO(struct net_device *netdev, const u8 *addr, u64 cookie,
2424 --- a/net/wireless/util.c
2425 +++ b/net/wireless/util.c
2426 @@ -820,7 +820,8 @@ void cfg80211_process_wdev_events(struct
2427 ev->dc.reason, true);
2429 case EVENT_IBSS_JOINED:
2430 - __cfg80211_ibss_joined(wdev->netdev, ev->ij.bssid);
2431 + __cfg80211_ibss_joined(wdev->netdev, ev->ij.bssid,
2436 @@ -1356,7 +1357,7 @@ int cfg80211_can_use_iftype_chan(struct
2438 mutex_lock_nested(&wdev_iter->mtx, 1);
2439 __acquire(wdev_iter->mtx);
2440 - cfg80211_get_chan_state(wdev_iter, &ch, &chmode);
2441 + cfg80211_get_chan_state(wdev_iter, &ch, &chmode, &radar_detect);
2442 wdev_unlock(wdev_iter);
2445 --- a/net/wireless/chan.c
2446 +++ b/net/wireless/chan.c
2447 @@ -642,7 +642,8 @@ int cfg80211_set_monitor_channel(struct
2449 cfg80211_get_chan_state(struct wireless_dev *wdev,
2450 struct ieee80211_channel **chan,
2451 - enum cfg80211_chan_mode *chanmode)
2452 + enum cfg80211_chan_mode *chanmode,
2456 *chanmode = CHAN_MODE_UNDEFINED;
2457 @@ -660,6 +661,11 @@ cfg80211_get_chan_state(struct wireless_
2458 !wdev->ibss_dfs_possible)
2460 : CHAN_MODE_EXCLUSIVE;
2462 + /* consider worst-case - IBSS can try to return to the
2463 + * original user-specified channel as creator */
2464 + if (wdev->ibss_dfs_possible)
2465 + *radar_detect |= BIT(wdev->chandef.width);
2469 @@ -674,17 +680,26 @@ cfg80211_get_chan_state(struct wireless_
2470 case NL80211_IFTYPE_AP:
2471 case NL80211_IFTYPE_P2P_GO:
2472 if (wdev->cac_started) {
2473 - *chan = wdev->channel;
2474 + *chan = wdev->chandef.chan;
2475 *chanmode = CHAN_MODE_SHARED;
2476 + *radar_detect |= BIT(wdev->chandef.width);
2477 } else if (wdev->beacon_interval) {
2478 - *chan = wdev->channel;
2479 + *chan = wdev->chandef.chan;
2480 *chanmode = CHAN_MODE_SHARED;
2482 + if (cfg80211_chandef_dfs_required(wdev->wiphy,
2484 + *radar_detect |= BIT(wdev->chandef.width);
2487 case NL80211_IFTYPE_MESH_POINT:
2488 if (wdev->mesh_id_len) {
2489 - *chan = wdev->channel;
2490 + *chan = wdev->chandef.chan;
2491 *chanmode = CHAN_MODE_SHARED;
2493 + if (cfg80211_chandef_dfs_required(wdev->wiphy,
2495 + *radar_detect |= BIT(wdev->chandef.width);
2498 case NL80211_IFTYPE_MONITOR:
2499 --- a/net/wireless/mesh.c
2500 +++ b/net/wireless/mesh.c
2501 @@ -195,7 +195,7 @@ int __cfg80211_join_mesh(struct cfg80211
2503 memcpy(wdev->ssid, setup->mesh_id, setup->mesh_id_len);
2504 wdev->mesh_id_len = setup->mesh_id_len;
2505 - wdev->channel = setup->chandef.chan;
2506 + wdev->chandef = setup->chandef;
2510 @@ -244,7 +244,7 @@ int cfg80211_set_mesh_channel(struct cfg
2511 err = rdev_libertas_set_mesh_channel(rdev, wdev->netdev,
2514 - wdev->channel = chandef->chan;
2515 + wdev->chandef = *chandef;
2519 @@ -276,7 +276,7 @@ static int __cfg80211_leave_mesh(struct
2520 err = rdev_leave_mesh(rdev, dev);
2522 wdev->mesh_id_len = 0;
2523 - wdev->channel = NULL;
2524 + memset(&wdev->chandef, 0, sizeof(wdev->chandef));
2525 rdev_set_qos_map(rdev, dev, NULL);
2528 --- a/net/wireless/mlme.c
2529 +++ b/net/wireless/mlme.c
2530 @@ -772,7 +772,7 @@ void cfg80211_cac_event(struct net_devic
2531 if (WARN_ON(!wdev->cac_started))
2534 - if (WARN_ON(!wdev->channel))
2535 + if (WARN_ON(!wdev->chandef.chan))
2539 --- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
2540 +++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c
2541 @@ -5065,6 +5065,10 @@ static u16 ar9003_hw_get_max_edge_power(
2546 + if (is2GHz && !twiceMaxEdgePower)
2547 + twiceMaxEdgePower = 60;
2549 return twiceMaxEdgePower;
2552 --- a/drivers/net/wireless/ath/ath9k/ar9003_calib.c
2553 +++ b/drivers/net/wireless/ath/ath9k/ar9003_calib.c
2555 #define MAX_MEASUREMENT MAX_IQCAL_MEASUREMENT
2556 #define MAX_MAG_DELTA 11
2557 #define MAX_PHS_DELTA 10
2561 - int mag_coeff[AR9300_MAX_CHAINS][MAX_MEASUREMENT];
2562 - int phs_coeff[AR9300_MAX_CHAINS][MAX_MEASUREMENT];
2563 + int mag_coeff[AR9300_MAX_CHAINS][MAX_MEASUREMENT][MAXIQCAL];
2564 + int phs_coeff[AR9300_MAX_CHAINS][MAX_MEASUREMENT][MAXIQCAL];
2568 @@ -800,7 +801,7 @@ static bool ar9003_hw_calc_iq_corr(struc
2572 - iqc_coeff[0] = (q_q_coff * 128) + q_i_coff;
2573 + iqc_coeff[0] = (q_q_coff * 128) + (0x7f & q_i_coff);
2575 ath_dbg(common, CALIBRATE, "tx chain %d: iq corr coeff=%x\n",
2576 chain_idx, iqc_coeff[0]);
2577 @@ -831,7 +832,7 @@ static bool ar9003_hw_calc_iq_corr(struc
2581 - iqc_coeff[1] = (q_q_coff * 128) + q_i_coff;
2582 + iqc_coeff[1] = (q_q_coff * 128) + (0x7f & q_i_coff);
2584 ath_dbg(common, CALIBRATE, "rx chain %d: iq corr coeff=%x\n",
2585 chain_idx, iqc_coeff[1]);
2586 @@ -839,7 +840,8 @@ static bool ar9003_hw_calc_iq_corr(struc
2590 -static void ar9003_hw_detect_outlier(int *mp_coeff, int nmeasurement,
2591 +static void ar9003_hw_detect_outlier(int mp_coeff[][MAXIQCAL],
2595 int mp_max = -64, max_idx = 0;
2596 @@ -848,20 +850,20 @@ static void ar9003_hw_detect_outlier(int
2598 /* find min/max mismatch across all calibrated gains */
2599 for (i = 0; i < nmeasurement; i++) {
2600 - if (mp_coeff[i] > mp_max) {
2601 - mp_max = mp_coeff[i];
2602 + if (mp_coeff[i][0] > mp_max) {
2603 + mp_max = mp_coeff[i][0];
2605 - } else if (mp_coeff[i] < mp_min) {
2606 - mp_min = mp_coeff[i];
2607 + } else if (mp_coeff[i][0] < mp_min) {
2608 + mp_min = mp_coeff[i][0];
2613 /* find average (exclude max abs value) */
2614 for (i = 0; i < nmeasurement; i++) {
2615 - if ((abs(mp_coeff[i]) < abs(mp_max)) ||
2616 - (abs(mp_coeff[i]) < abs(mp_min))) {
2617 - mp_avg += mp_coeff[i];
2618 + if ((abs(mp_coeff[i][0]) < abs(mp_max)) ||
2619 + (abs(mp_coeff[i][0]) < abs(mp_min))) {
2620 + mp_avg += mp_coeff[i][0];
2624 @@ -873,7 +875,7 @@ static void ar9003_hw_detect_outlier(int
2628 - mp_avg = mp_coeff[nmeasurement - 1];
2629 + mp_avg = mp_coeff[nmeasurement - 1][0];
2631 /* detect outlier */
2632 if (abs(mp_max - mp_min) > max_delta) {
2633 @@ -882,15 +884,16 @@ static void ar9003_hw_detect_outlier(int
2635 outlier_idx = min_idx;
2637 - mp_coeff[outlier_idx] = mp_avg;
2638 + mp_coeff[outlier_idx][0] = mp_avg;
2642 -static void ar9003_hw_tx_iqcal_load_avg_2_passes(struct ath_hw *ah,
2643 - struct coeff *coeff,
2645 +static void ar9003_hw_tx_iq_cal_outlier_detection(struct ath_hw *ah,
2646 + struct coeff *coeff,
2649 int i, im, nmeasurement;
2650 + int magnitude, phase;
2651 u32 tx_corr_coeff[MAX_MEASUREMENT][AR9300_MAX_CHAINS];
2652 struct ath9k_hw_cal_data *caldata = ah->caldata;
2654 @@ -920,21 +923,30 @@ static void ar9003_hw_tx_iqcal_load_avg_
2655 if (nmeasurement > MAX_MEASUREMENT)
2656 nmeasurement = MAX_MEASUREMENT;
2658 - /* detect outlier only if nmeasurement > 1 */
2659 - if (nmeasurement > 1) {
2660 - /* Detect magnitude outlier */
2661 - ar9003_hw_detect_outlier(coeff->mag_coeff[i],
2662 - nmeasurement, MAX_MAG_DELTA);
2664 - /* Detect phase outlier */
2665 - ar9003_hw_detect_outlier(coeff->phs_coeff[i],
2666 - nmeasurement, MAX_PHS_DELTA);
2668 + * Skip normal outlier detection for AR9550.
2670 + if (!AR_SREV_9550(ah)) {
2671 + /* detect outlier only if nmeasurement > 1 */
2672 + if (nmeasurement > 1) {
2673 + /* Detect magnitude outlier */
2674 + ar9003_hw_detect_outlier(coeff->mag_coeff[i],
2678 + /* Detect phase outlier */
2679 + ar9003_hw_detect_outlier(coeff->phs_coeff[i],
2685 for (im = 0; im < nmeasurement; im++) {
2686 + magnitude = coeff->mag_coeff[i][im][0];
2687 + phase = coeff->phs_coeff[i][im][0];
2689 - coeff->iqc_coeff[0] = (coeff->mag_coeff[i][im] & 0x7f) |
2690 - ((coeff->phs_coeff[i][im] & 0x7f) << 7);
2691 + coeff->iqc_coeff[0] =
2692 + (phase & 0x7f) | ((magnitude & 0x7f) << 7);
2695 REG_RMW_FIELD(ah, tx_corr_coeff[im][i],
2696 @@ -991,7 +1003,63 @@ static bool ar9003_hw_tx_iq_cal_run(stru
2700 -static void ar9003_hw_tx_iq_cal_post_proc(struct ath_hw *ah, bool is_reusable)
2701 +static void __ar955x_tx_iq_cal_sort(struct ath_hw *ah,
2702 + struct coeff *coeff,
2703 + int i, int nmeasurement)
2705 + struct ath_common *common = ath9k_hw_common(ah);
2706 + int im, ix, iy, temp;
2708 + for (im = 0; im < nmeasurement; im++) {
2709 + for (ix = 0; ix < MAXIQCAL - 1; ix++) {
2710 + for (iy = ix + 1; iy <= MAXIQCAL - 1; iy++) {
2711 + if (coeff->mag_coeff[i][im][iy] <
2712 + coeff->mag_coeff[i][im][ix]) {
2713 + temp = coeff->mag_coeff[i][im][ix];
2714 + coeff->mag_coeff[i][im][ix] =
2715 + coeff->mag_coeff[i][im][iy];
2716 + coeff->mag_coeff[i][im][iy] = temp;
2718 + if (coeff->phs_coeff[i][im][iy] <
2719 + coeff->phs_coeff[i][im][ix]) {
2720 + temp = coeff->phs_coeff[i][im][ix];
2721 + coeff->phs_coeff[i][im][ix] =
2722 + coeff->phs_coeff[i][im][iy];
2723 + coeff->phs_coeff[i][im][iy] = temp;
2727 + coeff->mag_coeff[i][im][0] = coeff->mag_coeff[i][im][MAXIQCAL / 2];
2728 + coeff->phs_coeff[i][im][0] = coeff->phs_coeff[i][im][MAXIQCAL / 2];
2730 + ath_dbg(common, CALIBRATE,
2731 + "IQCAL: Median [ch%d][gain%d]: mag = %d phase = %d\n",
2733 + coeff->mag_coeff[i][im][0],
2734 + coeff->phs_coeff[i][im][0]);
2738 +static bool ar955x_tx_iq_cal_median(struct ath_hw *ah,
2739 + struct coeff *coeff,
2745 + if ((iqcal_idx + 1) != MAXIQCAL)
2748 + for (i = 0; i < AR9300_MAX_CHAINS; i++) {
2749 + __ar955x_tx_iq_cal_sort(ah, coeff, i, nmeasurement);
2755 +static void ar9003_hw_tx_iq_cal_post_proc(struct ath_hw *ah,
2759 struct ath_common *common = ath9k_hw_common(ah);
2760 const u32 txiqcal_status[AR9300_MAX_CHAINS] = {
2761 @@ -1004,10 +1072,11 @@ static void ar9003_hw_tx_iq_cal_post_pro
2762 AR_PHY_CHAN_INFO_TAB_1,
2763 AR_PHY_CHAN_INFO_TAB_2,
2765 - struct coeff coeff;
2766 + static struct coeff coeff;
2770 + int nmeasurement = 0;
2771 + bool outlier_detect = true;
2773 for (i = 0; i < AR9300_MAX_CHAINS; i++) {
2774 if (!(ah->txchainmask & (1 << i)))
2775 @@ -1065,17 +1134,23 @@ static void ar9003_hw_tx_iq_cal_post_pro
2779 - coeff.mag_coeff[i][im] = coeff.iqc_coeff[0] & 0x7f;
2780 - coeff.phs_coeff[i][im] =
2781 + coeff.phs_coeff[i][im][iqcal_idx] =
2782 + coeff.iqc_coeff[0] & 0x7f;
2783 + coeff.mag_coeff[i][im][iqcal_idx] =
2784 (coeff.iqc_coeff[0] >> 7) & 0x7f;
2786 - if (coeff.mag_coeff[i][im] > 63)
2787 - coeff.mag_coeff[i][im] -= 128;
2788 - if (coeff.phs_coeff[i][im] > 63)
2789 - coeff.phs_coeff[i][im] -= 128;
2790 + if (coeff.mag_coeff[i][im][iqcal_idx] > 63)
2791 + coeff.mag_coeff[i][im][iqcal_idx] -= 128;
2792 + if (coeff.phs_coeff[i][im][iqcal_idx] > 63)
2793 + coeff.phs_coeff[i][im][iqcal_idx] -= 128;
2796 - ar9003_hw_tx_iqcal_load_avg_2_passes(ah, &coeff, is_reusable);
2798 + if (AR_SREV_9550(ah))
2799 + outlier_detect = ar955x_tx_iq_cal_median(ah, &coeff,
2800 + iqcal_idx, nmeasurement);
2801 + if (outlier_detect)
2802 + ar9003_hw_tx_iq_cal_outlier_detection(ah, &coeff, is_reusable);
2806 @@ -1409,7 +1484,7 @@ skip_tx_iqcal:
2810 - ar9003_hw_tx_iq_cal_post_proc(ah, is_reusable);
2811 + ar9003_hw_tx_iq_cal_post_proc(ah, 0, is_reusable);
2812 else if (caldata && test_bit(TXIQCAL_DONE, &caldata->cal_flags))
2813 ar9003_hw_tx_iq_cal_reload(ah);
2815 @@ -1455,14 +1530,38 @@ skip_tx_iqcal:
2819 +static bool do_ar9003_agc_cal(struct ath_hw *ah)
2821 + struct ath_common *common = ath9k_hw_common(ah);
2824 + REG_WRITE(ah, AR_PHY_AGC_CONTROL,
2825 + REG_READ(ah, AR_PHY_AGC_CONTROL) |
2826 + AR_PHY_AGC_CONTROL_CAL);
2828 + status = ath9k_hw_wait(ah, AR_PHY_AGC_CONTROL,
2829 + AR_PHY_AGC_CONTROL_CAL,
2830 + 0, AH_WAIT_TIMEOUT);
2832 + ath_dbg(common, CALIBRATE,
2833 + "offset calibration failed to complete in %d ms,"
2834 + "noisy environment?\n",
2835 + AH_WAIT_TIMEOUT / 1000);
2842 static bool ar9003_hw_init_cal_soc(struct ath_hw *ah,
2843 struct ath9k_channel *chan)
2845 struct ath_common *common = ath9k_hw_common(ah);
2846 struct ath9k_hw_cal_data *caldata = ah->caldata;
2847 bool txiqcal_done = false;
2848 - bool is_reusable = true, status = true;
2849 + bool status = true;
2850 bool run_agc_cal = false, sep_iq_cal = false;
2853 /* Use chip chainmask only for calibration */
2854 ar9003_hw_set_chain_masks(ah, ah->caps.rx_chainmask, ah->caps.tx_chainmask);
2855 @@ -1485,7 +1584,12 @@ static bool ar9003_hw_init_cal_soc(struc
2856 * AGC calibration. Specifically, AR9550 in SoC chips.
2858 if (ah->enabled_cals & TX_IQ_ON_AGC_CAL) {
2859 - txiqcal_done = true;
2860 + if (REG_READ_FIELD(ah, AR_PHY_TX_IQCAL_CONTROL_0,
2861 + AR_PHY_TX_IQCAL_CONTROL_0_ENABLE_TXIQ_CAL)) {
2862 + txiqcal_done = true;
2864 + txiqcal_done = false;
2869 @@ -1512,27 +1616,37 @@ skip_tx_iqcal:
2870 if (AR_SREV_9330_11(ah))
2871 ar9003_hw_manual_peak_cal(ah, 0, IS_CHAN_2GHZ(chan));
2873 - /* Calibrate the AGC */
2874 - REG_WRITE(ah, AR_PHY_AGC_CONTROL,
2875 - REG_READ(ah, AR_PHY_AGC_CONTROL) |
2876 - AR_PHY_AGC_CONTROL_CAL);
2878 - /* Poll for offset calibration complete */
2879 - status = ath9k_hw_wait(ah, AR_PHY_AGC_CONTROL,
2880 - AR_PHY_AGC_CONTROL_CAL,
2881 - 0, AH_WAIT_TIMEOUT);
2884 + * For non-AR9550 chips, we just trigger AGC calibration
2885 + * in the HW, poll for completion and then process
2888 + * For AR955x, we run it multiple times and use
2889 + * median IQ correction.
2891 + if (!AR_SREV_9550(ah)) {
2892 + status = do_ar9003_agc_cal(ah);
2897 - ath_dbg(common, CALIBRATE,
2898 - "offset calibration failed to complete in %d ms; noisy environment?\n",
2899 - AH_WAIT_TIMEOUT / 1000);
2902 + ar9003_hw_tx_iq_cal_post_proc(ah, 0, false);
2904 + if (!txiqcal_done) {
2905 + status = do_ar9003_agc_cal(ah);
2909 + for (i = 0; i < MAXIQCAL; i++) {
2910 + status = do_ar9003_agc_cal(ah);
2913 + ar9003_hw_tx_iq_cal_post_proc(ah, i, false);
2920 - ar9003_hw_tx_iq_cal_post_proc(ah, is_reusable);
2922 /* Revert chainmask to runtime parameters */
2923 ar9003_hw_set_chain_masks(ah, ah->rxchainmask, ah->txchainmask);
2925 --- a/drivers/net/wireless/rtl818x/rtl8187/rtl8187.h
2926 +++ b/drivers/net/wireless/rtl818x/rtl8187/rtl8187.h
2931 +#include <linux/cache.h>
2933 #include "rtl818x.h"
2936 @@ -139,7 +141,10 @@ struct rtl8187_priv {
2943 + u8 dummy1[L1_CACHE_BYTES];
2944 + } ____cacheline_aligned;
2945 struct sk_buff_head queue;
2946 } b_tx_status; /* This queue is used by both -b and non-b devices */
2947 struct mutex io_mutex;
2948 @@ -147,7 +152,8 @@ struct rtl8187_priv {
2953 + u8 dummy2[L1_CACHE_BYTES];
2954 + } *io_dmabuf ____cacheline_aligned;
2958 --- a/net/mac80211/wme.c
2959 +++ b/net/mac80211/wme.c
2960 @@ -154,6 +154,11 @@ u16 ieee80211_select_queue(struct ieee80
2961 return IEEE80211_AC_BE;
2964 + if (skb->protocol == sdata->control_port_protocol) {
2965 + skb->priority = 7;
2966 + return ieee80211_downgrade_queue(sdata, skb);
2969 /* use the data classifier to determine what 802.1d tag the
2972 --- a/drivers/net/wireless/ath/ath9k/xmit.c
2973 +++ b/drivers/net/wireless/ath/ath9k/xmit.c
2974 @@ -1444,14 +1444,16 @@ void ath_tx_aggr_sleep(struct ieee80211_
2975 for (tidno = 0, tid = &an->tid[tidno];
2976 tidno < IEEE80211_NUM_TIDS; tidno++, tid++) {
2984 ath_txq_lock(sc, txq);
2986 + if (!tid->sched) {
2987 + ath_txq_unlock(sc, txq);
2991 buffered = ath_tid_has_buffered(tid);
2994 --- a/drivers/net/wireless/ath/ath9k/init.c
2995 +++ b/drivers/net/wireless/ath/ath9k/init.c
2996 @@ -943,6 +943,7 @@ static void ath9k_set_hw_capab(struct at
2997 hw->wiphy->flags |= WIPHY_FLAG_HAS_REMAIN_ON_CHANNEL;
2998 hw->wiphy->flags |= WIPHY_FLAG_SUPPORTS_5_10_MHZ;
2999 hw->wiphy->flags |= WIPHY_FLAG_HAS_CHANNEL_SWITCH;
3000 + hw->wiphy->flags |= WIPHY_FLAG_AP_UAPSD;
3004 --- a/net/mac80211/ieee80211_i.h
3005 +++ b/net/mac80211/ieee80211_i.h
3006 @@ -1700,14 +1700,8 @@ void ieee80211_stop_queue_by_reason(stru
3007 void ieee80211_propagate_queue_wake(struct ieee80211_local *local, int queue);
3008 void ieee80211_add_pending_skb(struct ieee80211_local *local,
3009 struct sk_buff *skb);
3010 -void ieee80211_add_pending_skbs_fn(struct ieee80211_local *local,
3011 - struct sk_buff_head *skbs,
3012 - void (*fn)(void *data), void *data);
3013 -static inline void ieee80211_add_pending_skbs(struct ieee80211_local *local,
3014 - struct sk_buff_head *skbs)
3016 - ieee80211_add_pending_skbs_fn(local, skbs, NULL, NULL);
3018 +void ieee80211_add_pending_skbs(struct ieee80211_local *local,
3019 + struct sk_buff_head *skbs);
3020 void ieee80211_flush_queues(struct ieee80211_local *local,
3021 struct ieee80211_sub_if_data *sdata);
3023 --- a/net/mac80211/sta_info.c
3024 +++ b/net/mac80211/sta_info.c
3025 @@ -91,7 +91,7 @@ static int sta_info_hash_del(struct ieee
3029 -static void cleanup_single_sta(struct sta_info *sta)
3030 +static void __cleanup_single_sta(struct sta_info *sta)
3033 struct tid_ampdu_tx *tid_tx;
3034 @@ -99,7 +99,8 @@ static void cleanup_single_sta(struct st
3035 struct ieee80211_local *local = sdata->local;
3038 - if (test_sta_flag(sta, WLAN_STA_PS_STA)) {
3039 + if (test_sta_flag(sta, WLAN_STA_PS_STA) ||
3040 + test_sta_flag(sta, WLAN_STA_PS_DRIVER)) {
3041 if (sta->sdata->vif.type == NL80211_IFTYPE_AP ||
3042 sta->sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
3043 ps = &sdata->bss->ps;
3044 @@ -109,6 +110,7 @@ static void cleanup_single_sta(struct st
3047 clear_sta_flag(sta, WLAN_STA_PS_STA);
3048 + clear_sta_flag(sta, WLAN_STA_PS_DRIVER);
3050 atomic_dec(&ps->num_sta_ps);
3051 sta_info_recalc_tim(sta);
3052 @@ -139,7 +141,14 @@ static void cleanup_single_sta(struct st
3053 ieee80211_purge_tx_queue(&local->hw, &tid_tx->pending);
3058 +static void cleanup_single_sta(struct sta_info *sta)
3060 + struct ieee80211_sub_if_data *sdata = sta->sdata;
3061 + struct ieee80211_local *local = sdata->local;
3063 + __cleanup_single_sta(sta);
3064 sta_info_free(local, sta);
3067 @@ -330,6 +339,7 @@ struct sta_info *sta_info_alloc(struct i
3070 spin_lock_init(&sta->lock);
3071 + spin_lock_init(&sta->ps_lock);
3072 INIT_WORK(&sta->drv_unblock_wk, sta_unblock);
3073 INIT_WORK(&sta->ampdu_mlme.work, ieee80211_ba_session_work);
3074 mutex_init(&sta->ampdu_mlme.mtx);
3075 @@ -487,21 +497,26 @@ static int sta_info_insert_finish(struct
3079 - /* notify driver */
3080 - err = sta_info_insert_drv_state(local, sdata, sta);
3085 local->sta_generation++;
3088 + /* simplify things and don't accept BA sessions yet */
3089 + set_sta_flag(sta, WLAN_STA_BLOCK_BA);
3091 /* make the station visible */
3092 sta_info_hash_add(local, sta);
3094 list_add_rcu(&sta->list, &local->sta_list);
3096 + /* notify driver */
3097 + err = sta_info_insert_drv_state(local, sdata, sta);
3101 set_sta_flag(sta, WLAN_STA_INSERTED);
3102 + /* accept BA sessions now */
3103 + clear_sta_flag(sta, WLAN_STA_BLOCK_BA);
3105 ieee80211_recalc_min_chandef(sdata);
3106 ieee80211_sta_debugfs_add(sta);
3107 @@ -522,6 +537,12 @@ static int sta_info_insert_finish(struct
3108 mesh_accept_plinks_update(sdata);
3112 + sta_info_hash_del(local, sta);
3113 + list_del_rcu(&sta->list);
3115 + synchronize_net();
3116 + __cleanup_single_sta(sta);
3118 mutex_unlock(&local->sta_mtx);
3120 @@ -1071,10 +1092,14 @@ struct ieee80211_sta *ieee80211_find_sta
3122 EXPORT_SYMBOL(ieee80211_find_sta);
3124 -static void clear_sta_ps_flags(void *_sta)
3125 +/* powersave support code */
3126 +void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
3128 - struct sta_info *sta = _sta;
3129 struct ieee80211_sub_if_data *sdata = sta->sdata;
3130 + struct ieee80211_local *local = sdata->local;
3131 + struct sk_buff_head pending;
3132 + int filtered = 0, buffered = 0, ac;
3133 + unsigned long flags;
3136 if (sdata->vif.type == NL80211_IFTYPE_AP ||
3137 @@ -1085,20 +1110,6 @@ static void clear_sta_ps_flags(void *_st
3141 - clear_sta_flag(sta, WLAN_STA_PS_DRIVER);
3142 - if (test_and_clear_sta_flag(sta, WLAN_STA_PS_STA))
3143 - atomic_dec(&ps->num_sta_ps);
3146 -/* powersave support code */
3147 -void ieee80211_sta_ps_deliver_wakeup(struct sta_info *sta)
3149 - struct ieee80211_sub_if_data *sdata = sta->sdata;
3150 - struct ieee80211_local *local = sdata->local;
3151 - struct sk_buff_head pending;
3152 - int filtered = 0, buffered = 0, ac;
3153 - unsigned long flags;
3155 clear_sta_flag(sta, WLAN_STA_SP);
3157 BUILD_BUG_ON(BITS_TO_LONGS(IEEE80211_NUM_TIDS) > 1);
3158 @@ -1109,6 +1120,8 @@ void ieee80211_sta_ps_deliver_wakeup(str
3160 skb_queue_head_init(&pending);
3162 + /* sync with ieee80211_tx_h_unicast_ps_buf */
3163 + spin_lock(&sta->ps_lock);
3164 /* Send all buffered frames to the station */
3165 for (ac = 0; ac < IEEE80211_NUM_ACS; ac++) {
3166 int count = skb_queue_len(&pending), tmp;
3167 @@ -1127,7 +1140,12 @@ void ieee80211_sta_ps_deliver_wakeup(str
3168 buffered += tmp - count;
3171 - ieee80211_add_pending_skbs_fn(local, &pending, clear_sta_ps_flags, sta);
3172 + ieee80211_add_pending_skbs(local, &pending);
3173 + clear_sta_flag(sta, WLAN_STA_PS_DRIVER);
3174 + clear_sta_flag(sta, WLAN_STA_PS_STA);
3175 + spin_unlock(&sta->ps_lock);
3177 + atomic_dec(&ps->num_sta_ps);
3179 /* This station just woke up and isn't aware of our SMPS state */
3180 if (!ieee80211_smps_is_restrictive(sta->known_smps_mode,
3181 --- a/net/mac80211/sta_info.h
3182 +++ b/net/mac80211/sta_info.h
3183 @@ -267,6 +267,7 @@ struct ieee80211_tx_latency_stat {
3184 * @drv_unblock_wk: used for driver PS unblocking
3185 * @listen_interval: listen interval of this station, when we're acting as AP
3186 * @_flags: STA flags, see &enum ieee80211_sta_info_flags, do not use directly
3187 + * @ps_lock: used for powersave (when mac80211 is the AP) related locking
3188 * @ps_tx_buf: buffers (per AC) of frames to transmit to this station
3189 * when it leaves power saving state or polls
3190 * @tx_filtered: buffers (per AC) of frames we already tried to
3191 @@ -356,10 +357,8 @@ struct sta_info {
3192 /* use the accessors defined below */
3193 unsigned long _flags;
3196 - * STA powersave frame queues, no more than the internal
3197 - * locking required.
3199 + /* STA powersave lock and frame queues */
3200 + spinlock_t ps_lock;
3201 struct sk_buff_head ps_tx_buf[IEEE80211_NUM_ACS];
3202 struct sk_buff_head tx_filtered[IEEE80211_NUM_ACS];
3203 unsigned long driver_buffered_tids;
3204 --- a/net/mac80211/util.c
3205 +++ b/net/mac80211/util.c
3206 @@ -435,9 +435,8 @@ void ieee80211_add_pending_skb(struct ie
3207 spin_unlock_irqrestore(&local->queue_stop_reason_lock, flags);
3210 -void ieee80211_add_pending_skbs_fn(struct ieee80211_local *local,
3211 - struct sk_buff_head *skbs,
3212 - void (*fn)(void *data), void *data)
3213 +void ieee80211_add_pending_skbs(struct ieee80211_local *local,
3214 + struct sk_buff_head *skbs)
3216 struct ieee80211_hw *hw = &local->hw;
3217 struct sk_buff *skb;
3218 @@ -461,9 +460,6 @@ void ieee80211_add_pending_skbs_fn(struc
3219 __skb_queue_tail(&local->pending[queue], skb);
3225 for (i = 0; i < hw->queues; i++)
3226 __ieee80211_wake_queue(hw, i,
3227 IEEE80211_QUEUE_STOP_REASON_SKB_ADD);
3228 --- a/net/wireless/reg.c
3229 +++ b/net/wireless/reg.c
3230 @@ -1700,7 +1700,7 @@ static void reg_process_hint(struct regu
3232 case NL80211_REGDOM_SET_BY_USER:
3233 treatment = reg_process_hint_user(reg_request);
3234 - if (treatment == REG_REQ_OK ||
3235 + if (treatment == REG_REQ_IGNORE ||
3236 treatment == REG_REQ_ALREADY_SET)
3238 schedule_delayed_work(®_timeout, msecs_to_jiffies(3142));