X-Git-Url: https://git.archive.openwrt.org/?p=openwrt.git;a=blobdiff_plain;f=package%2Fkernel%2Fmac80211%2Fpatches%2F300-pending_work.patch;h=d78f97f200301f91bde877dff1a1ad1c1f8c8bb7;hp=0e5ceb8b929bbd3fdebe9c3f6402d5a765e36dca;hb=95b5891c5f06bafbe63a5374608f3572c492c16c;hpb=f93d379550eb777e275949a992b9f9d516b23f5d diff --git a/package/kernel/mac80211/patches/300-pending_work.patch b/package/kernel/mac80211/patches/300-pending_work.patch index 0e5ceb8b92..d78f97f200 100644 --- a/package/kernel/mac80211/patches/300-pending_work.patch +++ b/package/kernel/mac80211/patches/300-pending_work.patch @@ -1,1404 +1,1279 @@ ---- a/net/mac80211/agg-rx.c -+++ b/net/mac80211/agg-rx.c -@@ -204,6 +204,8 @@ static void ieee80211_send_addba_resp(st - memcpy(mgmt->bssid, sdata->u.mgd.bssid, ETH_ALEN); - else if (sdata->vif.type == NL80211_IFTYPE_ADHOC) - memcpy(mgmt->bssid, sdata->u.ibss.bssid, ETH_ALEN); -+ else if (sdata->vif.type == NL80211_IFTYPE_WDS) -+ memcpy(mgmt->bssid, da, ETH_ALEN); - - mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT | - IEEE80211_STYPE_ACTION); ---- a/net/mac80211/agg-tx.c -+++ b/net/mac80211/agg-tx.c -@@ -81,7 +81,8 @@ static void ieee80211_send_addba_request - memcpy(mgmt->sa, sdata->vif.addr, ETH_ALEN); - if (sdata->vif.type == NL80211_IFTYPE_AP || - sdata->vif.type == NL80211_IFTYPE_AP_VLAN || -- sdata->vif.type == NL80211_IFTYPE_MESH_POINT) -+ sdata->vif.type == NL80211_IFTYPE_MESH_POINT || -+ sdata->vif.type == NL80211_IFTYPE_WDS) - memcpy(mgmt->bssid, sdata->vif.addr, ETH_ALEN); - else if (sdata->vif.type == NL80211_IFTYPE_STATION) - memcpy(mgmt->bssid, sdata->u.mgd.bssid, ETH_ALEN); -@@ -527,6 +528,7 @@ int ieee80211_start_tx_ba_session(struct - sdata->vif.type != NL80211_IFTYPE_MESH_POINT && - sdata->vif.type != NL80211_IFTYPE_AP_VLAN && - sdata->vif.type != NL80211_IFTYPE_AP && -+ sdata->vif.type != NL80211_IFTYPE_WDS && - sdata->vif.type != NL80211_IFTYPE_ADHOC) - return -EINVAL; - ---- a/net/mac80211/debugfs_sta.c -+++ b/net/mac80211/debugfs_sta.c -@@ -66,11 +66,11 @@ static ssize_t sta_flags_read(struct fil - test_sta_flag(sta, WLAN_STA_##flg) ? #flg "\n" : "" - - int res = scnprintf(buf, sizeof(buf), -- "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s", -+ "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s", - TEST(AUTH), TEST(ASSOC), TEST(PS_STA), - TEST(PS_DRIVER), TEST(AUTHORIZED), - TEST(SHORT_PREAMBLE), -- TEST(WME), TEST(WDS), TEST(CLEAR_PS_FILT), -+ TEST(WME), TEST(CLEAR_PS_FILT), - TEST(MFP), TEST(BLOCK_BA), TEST(PSPOLL), - TEST(UAPSD), TEST(SP), TEST(TDLS_PEER), - TEST(TDLS_PEER_AUTH), TEST(4ADDR_EVENT), ---- a/net/mac80211/iface.c -+++ b/net/mac80211/iface.c -@@ -463,7 +463,6 @@ int ieee80211_do_open(struct wireless_de - struct ieee80211_sub_if_data *sdata = IEEE80211_WDEV_TO_SUB_IF(wdev); - struct net_device *dev = wdev->netdev; - struct ieee80211_local *local = sdata->local; -- struct sta_info *sta; - u32 changed = 0; - int res; - u32 hw_reconf_flags = 0; -@@ -629,30 +628,8 @@ int ieee80211_do_open(struct wireless_de - - set_bit(SDATA_STATE_RUNNING, &sdata->state); - -- if (sdata->vif.type == NL80211_IFTYPE_WDS) { -- /* Create STA entry for the WDS peer */ -- sta = sta_info_alloc(sdata, sdata->u.wds.remote_addr, -- GFP_KERNEL); -- if (!sta) { -- res = -ENOMEM; -- goto err_del_interface; -- } -- -- sta_info_pre_move_state(sta, IEEE80211_STA_AUTH); -- sta_info_pre_move_state(sta, IEEE80211_STA_ASSOC); -- sta_info_pre_move_state(sta, IEEE80211_STA_AUTHORIZED); -- -- res = sta_info_insert(sta); -- if (res) { -- /* STA has been freed */ -- goto err_del_interface; -- } -- -- rate_control_rate_init(sta); -- netif_carrier_on(dev); -- } else if (sdata->vif.type == NL80211_IFTYPE_P2P_DEVICE) { -+ if (sdata->vif.type == NL80211_IFTYPE_P2P_DEVICE) - rcu_assign_pointer(local->p2p_sdata, sdata); -- } - - /* - * set_multicast_list will be invoked by the networking core -@@ -1116,6 +1093,74 @@ static void ieee80211_if_setup(struct ne - dev->destructor = free_netdev; - } - -+static void ieee80211_wds_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata, -+ struct sk_buff *skb) -+{ -+ struct ieee80211_local *local = sdata->local; -+ struct ieee80211_rx_status *rx_status; -+ struct ieee802_11_elems elems; -+ struct ieee80211_mgmt *mgmt; -+ struct sta_info *sta; -+ size_t baselen; -+ u32 rates = 0; -+ u16 stype; -+ bool new = false; -+ enum ieee80211_band band; -+ struct ieee80211_supported_band *sband; -+ -+ rx_status = IEEE80211_SKB_RXCB(skb); -+ band = rx_status->band; -+ sband = local->hw.wiphy->bands[band]; -+ mgmt = (struct ieee80211_mgmt *) skb->data; -+ stype = le16_to_cpu(mgmt->frame_control) & IEEE80211_FCTL_STYPE; -+ -+ if (stype != IEEE80211_STYPE_BEACON) -+ return; -+ -+ baselen = (u8 *) mgmt->u.probe_resp.variable - (u8 *) mgmt; -+ if (baselen > skb->len) -+ return; -+ -+ ieee802_11_parse_elems(mgmt->u.probe_resp.variable, -+ skb->len - baselen, false, &elems); -+ -+ rates = ieee80211_sta_get_rates(local, &elems, band, NULL); -+ -+ rcu_read_lock(); -+ -+ sta = sta_info_get(sdata, sdata->u.wds.remote_addr); -+ -+ if (!sta) { -+ rcu_read_unlock(); -+ sta = sta_info_alloc(sdata, sdata->u.wds.remote_addr, -+ GFP_KERNEL); -+ if (!sta) -+ return; -+ -+ new = true; -+ } -+ -+ sta->last_rx = jiffies; -+ sta->sta.supp_rates[band] = rates; -+ -+ if (elems.ht_cap_elem) -+ ieee80211_ht_cap_ie_to_sta_ht_cap(sdata, sband, -+ elems.ht_cap_elem, sta); -+ -+ if (elems.wmm_param) -+ set_sta_flag(sta, WLAN_STA_WME); -+ -+ if (new) { -+ sta_info_pre_move_state(sta, IEEE80211_STA_AUTH); -+ sta_info_pre_move_state(sta, IEEE80211_STA_ASSOC); -+ sta_info_pre_move_state(sta, IEEE80211_STA_AUTHORIZED); -+ rate_control_rate_init(sta); -+ sta_info_insert_rcu(sta); -+ } -+ -+ rcu_read_unlock(); -+} -+ - static void ieee80211_iface_work(struct work_struct *work) - { - struct ieee80211_sub_if_data *sdata = -@@ -1220,6 +1265,9 @@ static void ieee80211_iface_work(struct - break; - ieee80211_mesh_rx_queued_mgmt(sdata, skb); - break; -+ case NL80211_IFTYPE_WDS: -+ ieee80211_wds_rx_queued_mgmt(sdata, skb); -+ break; - default: - WARN(1, "frame for unexpected interface type"); - break; ---- a/net/mac80211/rc80211_minstrel_ht.c -+++ b/net/mac80211/rc80211_minstrel_ht.c -@@ -804,10 +804,18 @@ minstrel_ht_get_rate(void *priv, struct - - sample_group = &minstrel_mcs_groups[sample_idx / MCS_GROUP_RATES]; - info->flags |= IEEE80211_TX_CTL_RATE_CTRL_PROBE; -+ rate->count = 1; +commit de5f242e0c10e841017e37eb8c38974a642dbca8 +Author: Sujith Manoharan +Date: Tue Jan 28 06:21:59 2014 +0530 + + ath9k: Fix build error on ARM + + Use mdelay instead of udelay to fix this error: + + ERROR: "__bad_udelay" [drivers/net/wireless/ath/ath9k/ath9k_hw.ko] undefined! + make[1]: *** [__modpost] Error 1 + make: *** [modules] Error 2 + + Reported-by: Josh Boyer + Signed-off-by: Sujith Manoharan + +commit 8e3ea7a51dfc61810fcefd947f6edcf61125252a +Author: Geert Uytterhoeven +Date: Sun Jan 26 11:53:21 2014 +0100 + + ath9k: Fix uninitialized variable in ath9k_has_tx_pending() + + drivers/net/wireless/ath/ath9k/main.c: In function ‘ath9k_has_tx_pending’: + drivers/net/wireless/ath/ath9k/main.c:1869: warning: ‘npend’ may be used uninitialized in this function + + Introduced by commit 10e2318103f5941aa70c318afe34bc41f1b98529 ("ath9k: + optimize ath9k_flush"). + + Signed-off-by: Geert Uytterhoeven + +commit a4a634a6937ebdd827fa58e8fcdb8ca49a3769f6 +Author: Emmanuel Grumbach +Date: Mon Jan 27 11:07:42 2014 +0200 + + mac80211: release the channel in error path in start_ap + + When the driver cannot start the AP or when the assignement + of the beacon goes wrong, we need to unassign the vif. + + Cc: stable@vger.kernel.org + Signed-off-by: Emmanuel Grumbach + Signed-off-by: Johannes Berg + +commit dfb6889a75c601aedb7450b7e606668e77da6679 +Author: Johannes Berg +Date: Wed Jan 22 11:14:19 2014 +0200 + + cfg80211: send scan results from work queue + + Due to the previous commit, when a scan finishes, it is in theory + possible to hit the following sequence: + 1. interface starts being removed + 2. scan is cancelled by driver and cfg80211 is notified + 3. scan done work is scheduled + 4. interface is removed completely, rdev->scan_req is freed, + event sent to userspace but scan done work remains pending + 5. new scan is requested on another virtual interface + 6. scan done work runs, freeing the still-running scan + + To fix this situation, hang on to the scan done message and block + new scans while that is the case, and only send the message from + the work function, regardless of whether the scan_req is already + freed from interface removal. This makes step 5 above impossible + and changes step 6 to be + 5. scan done work runs, sending the scan done message + + As this can't work for wext, so we send the message immediately, + but this shouldn't be an issue since we still return -EBUSY. + + Signed-off-by: Johannes Berg + +commit 45b7ab41fc08627d9a8428cb413d5d84662a9707 +Author: Johannes Berg +Date: Wed Jan 22 11:14:18 2014 +0200 + + cfg80211: fix scan done race + + When an interface/wdev is removed, any ongoing scan should be + cancelled by the driver. This will make it call cfg80211, which + only queues a work struct. If interface/wdev removal is quick + enough, this can leave the scan request pending and processed + only after the interface is gone, causing a use-after-free. + + Fix this by making sure the scan request is not pending after + the interface is destroyed. We can't flush or cancel the work + item due to locking concerns, but when it'll run it shouldn't + find anything to do. This leaves a potential issue, if a new + scan gets requested before the work runs, it prematurely stops + the running scan, potentially causing another crash. I'll fix + that in the next patch. + + This was particularly observed with P2P_DEVICE wdevs, likely + because freeing them is quicker than freeing netdevs. + + Reported-by: Andrei Otcheretianski + Fixes: 4a58e7c38443 ("cfg80211: don't "leak" uncompleted scans") + Signed-off-by: Johannes Berg + +commit ae04fa489ab31b5a10d3cc8399f52761175d4321 +Author: Emmanuel Grumbach +Date: Thu Jan 23 14:28:16 2014 +0200 + + mac80211: avoid deadlock revealed by lockdep + + sdata->u.ap.request_smps_work can’t be flushed synchronously + under wdev_lock(wdev) since ieee80211_request_smps_ap_work + itself locks the same lock. + While at it, reset the driver_smps_mode when the ap is + stopped to its default: OFF. + + This solves: + + ====================================================== + [ INFO: possible circular locking dependency detected ] + 3.12.0-ipeer+ #2 Tainted: G O + ------------------------------------------------------- + rmmod/2867 is trying to acquire lock: + ((&sdata->u.ap.request_smps_work)){+.+...}, at: [] flush_work+0x0/0x90 + + but task is already holding lock: + (&wdev->mtx){+.+.+.}, at: [] cfg80211_stop_ap+0x26/0x230 [cfg80211] + + which lock already depends on the new lock. + + the existing dependency chain (in reverse order) is: + + -> #1 (&wdev->mtx){+.+.+.}: + [] lock_acquire+0x79/0xe0 + [] mutex_lock_nested+0x4a/0x360 + [] ieee80211_request_smps_ap_work+0x2b/0x50 [mac80211] + [] process_one_work+0x198/0x450 + [] worker_thread+0xf9/0x320 + [] kthread+0x9f/0xb0 + [] ret_from_kernel_thread+0x1b/0x28 + + -> #0 ((&sdata->u.ap.request_smps_work)){+.+...}: + [] __lock_acquire+0x183f/0x1910 + [] lock_acquire+0x79/0xe0 + [] flush_work+0x47/0x90 + [] __cancel_work_timer+0x67/0xe0 + [] cancel_work_sync+0xf/0x20 + [] ieee80211_stop_ap+0x8c/0x340 [mac80211] + [] cfg80211_stop_ap+0x8c/0x230 [cfg80211] + [] cfg80211_leave+0x79/0x100 [cfg80211] + [] cfg80211_netdev_notifier_call+0xf2/0x4f0 [cfg80211] + [] notifier_call_chain+0x59/0x130 + [] __raw_notifier_call_chain+0x1e/0x30 + [] raw_notifier_call_chain+0x1f/0x30 + [] call_netdevice_notifiers_info+0x33/0x70 + [] call_netdevice_notifiers+0x13/0x20 + [] __dev_close_many+0x34/0xb0 + [] dev_close_many+0x6e/0xc0 + [] rollback_registered_many+0xa7/0x1f0 + [] unregister_netdevice_many+0x14/0x60 + [] ieee80211_remove_interfaces+0xe9/0x170 [mac80211] + [] ieee80211_unregister_hw+0x56/0x110 [mac80211] + [] iwl_op_mode_mvm_stop+0x26/0xe0 [iwlmvm] + [] _iwl_op_mode_stop+0x3a/0x70 [iwlwifi] + [] iwl_opmode_deregister+0x6f/0x90 [iwlwifi] + [] __exit_compat+0xd/0x19 [iwlmvm] + [] SyS_delete_module+0x179/0x2b0 + [] sysenter_do_call+0x12/0x32 + + Fixes: 687da132234f ("mac80211: implement SMPS for AP") + Cc: [3.13] + Reported-by: Ilan Peer + Signed-off-by: Emmanuel Grumbach + Signed-off-by: Johannes Berg + +commit 178b205e96217164fd7c30113464250d0b6f5eca +Author: Johannes Berg +Date: Thu Jan 23 16:32:29 2014 +0100 + + cfg80211: re-enable 5/10 MHz support + + Unfortunately I forgot this during the merge window, but the + patch seems small enough to go in as a fix. The userspace API + bug that was the reason for disabling it has long been fixed. + + Signed-off-by: Johannes Berg + +commit 110a1c79acda14edc83b7c8dc5af9c7ddd23eb61 +Author: Pontus Fuchs +Date: Thu Jan 16 15:00:40 2014 +0100 + + nl80211: Reset split_start when netlink skb is exhausted + + When the netlink skb is exhausted split_start is left set. In the + subsequent retry, with a larger buffer, the dump is continued from the + failing point instead of from the beginning. + + This was causing my rt28xx based USB dongle to now show up when + running "iw list" with an old iw version without split dump support. + + Cc: stable@vger.kernel.org + Fixes: 3713b4e364ef ("nl80211: allow splitting wiphy information in dumps") + Signed-off-by: Pontus Fuchs + [avoid the entire workaround when state->split is set] + Signed-off-by: Johannes Berg + +commit b4c31b45ffc7ef110fa9ecc34d7878fe7c5b9da4 +Author: Eliad Peller +Date: Sun Jan 12 11:06:37 2014 +0200 + + mac80211: move roc cookie assignment earlier + + ieee80211_start_roc_work() might add a new roc + to existing roc, and tell cfg80211 it has already + started. + + However, this might happen before the roc cookie + was set, resulting in REMAIN_ON_CHANNEL (started) + event with null cookie. Consequently, it can make + wpa_supplicant go out of sync. + + Fix it by setting the roc cookie earlier. + + Cc: stable@vger.kernel.org + Signed-off-by: Eliad Peller + Signed-off-by: Johannes Berg + +commit cfdc9157bfd7bcf88ab4dae08873a9907eba984c +Author: Johannes Berg +Date: Fri Jan 24 14:06:29 2014 +0100 + + nl80211: send event when AP operation is stopped + + There are a few cases, e.g. suspend, where an AP interface is + stopped by the kernel rather than by userspace request, most + commonly when suspending. To let userspace know about this, + send the NL80211_CMD_STOP_AP command as an event every time + an AP interface is stopped. This also happens when userspace + did in fact request the AP stop, but that's not a problem. + + For full-MAC drivers this may need to be extended to also + cover cases where the device stopped the AP operation for + some reason, this a bit more complicated because then all + cfg80211 state also needs to be reset; such API is not part + of this patch. + + Signed-off-by: Johannes Berg + +commit d5d567eda7704f190379ca852a8f9a4112e3eee3 +Author: Johannes Berg +Date: Thu Jan 23 16:20:29 2014 +0100 + + mac80211: add length check in ieee80211_is_robust_mgmt_frame() + + A few places weren't checking that the frame passed to the + function actually has enough data even though the function + clearly documents it must have a payload byte. Make this + safer by changing the function to take an skb and checking + the length inside. The old version is preserved for now as + the rtl* drivers use it and don't have a correct skb. + + Signed-off-by: Johannes Berg + +commit f8f6d212a047fc65c7d3442dfc038f65517236fc +Author: Johannes Berg +Date: Fri Jan 24 10:53:53 2014 +0100 + + nl80211: fix scheduled scan RSSI matchset attribute confusion + + The scheduled scan matchsets were intended to be a list of filters, + with the found BSS having to pass at least one of them to be passed + to the host. When the RSSI attribute was added, however, this was + broken and currently wpa_supplicant adds that attribute in its own + matchset; however, it doesn't intend that to mean that anything + that passes the RSSI filter should be passed to the host, instead + it wants it to mean that everything needs to also have higher RSSI. + + This is semantically problematic because we have a list of filters + like [ SSID1, SSID2, SSID3, RSSI ] with no real indication which + one should be OR'ed and which one AND'ed. + + To fix this, move the RSSI filter attribute into each matchset. As + we need to stay backward compatible, treat a matchset with only the + RSSI attribute as a "default RSSI filter" for all other matchsets, + but only if there are other matchsets (an RSSI-only matchset by + itself is still desirable.) + + To make driver implementation easier, keep a global min_rssi_thold + for the entire request as well. The only affected driver is ath6kl. + + I found this when I looked into the code after Raja Mani submitted + a patch fixing the n_match_sets calculation to disregard the RSSI, + but that patch didn't address the semantic issue. + + Reported-by: Raja Mani + Acked-by: Luciano Coelho + Signed-off-by: Johannes Berg + +commit de553e8545e65a6dc4e45f43df7e1443d4291922 +Author: Johannes Berg +Date: Fri Jan 24 10:17:47 2014 +0100 + + nl80211: check nla_parse() return values + + If there's a policy, then nla_parse() return values must be + checked, otherwise the policy is useless and there's nothing + that ensures the attributes are actually what we expect them + to be. + + Signed-off-by: Johannes Berg + +commit 652204a0733e9e1c54661d6f9d36e2e1e3b22bb1 +Author: Karl Beldan +Date: Thu Jan 23 20:06:34 2014 +0100 + + mac80211: send {ADD,DEL}BA on AC_VO like other mgmt frames, as per spec + + ATM, {ADD,DEL}BA and BAR frames are sent on the AC matching the TID of + the BA parameters. In the discussion [1] about this patch, Johannes + recalled that it fixed some races with the DELBA and indeed this + behavior was introduced in [2]. + While [2] is right for the BARs, the part queueing the {ADD,DEL}BAs on + their BA params TID AC violates the spec and is more a workaround for + some drivers. Helmut expressed some concerns wrt such drivers, in + particular DELBAs in rt2x00. + + ATM, DELBAs are sent after a driver has called (hence "purposely") + ieee80211_start_tx_ba_cb_irqsafe and Johannes and Emmanuel gave some + details wrt intentions behind the split of the IEEE80211_AMPDU_TX_STOP_* + given to the driver ampdu_action supposed to call this function, which + could prove handy to people trying to do the right thing in faulty + drivers (if their fw/hw don't get in their way). + + [1] http://mid.gmane.org/1390391564-18481-1-git-send-email-karl.beldan@gmail.com + [2] Commit: cf6bb79ad828 ("mac80211: Use appropriate TID for sending BAR, ADDBA and DELBA frames") + + Signed-off-by: Karl Beldan + Cc: Helmut Schaa + Cc: Emmanuel Grumbach + Signed-off-by: Johannes Berg +--- a/drivers/net/wireless/ath/ath6kl/cfg80211.c ++++ b/drivers/net/wireless/ath/ath6kl/cfg80211.c +@@ -3256,6 +3256,15 @@ static int ath6kl_cfg80211_sscan_start(s + struct ath6kl_vif *vif = netdev_priv(dev); + u16 interval; + int ret, rssi_thold; ++ int n_match_sets = request->n_match_sets; + -+ if (sample_idx / MCS_GROUP_RATES == MINSTREL_CCK_GROUP) { -+ int idx = sample_idx % ARRAY_SIZE(mp->cck_rates); -+ rate->idx = mp->cck_rates[idx]; -+ rate->flags = 0; -+ return; -+ } -+ - rate->idx = sample_idx % MCS_GROUP_RATES + - (sample_group->streams - 1) * MCS_GROUP_RATES; - rate->flags = IEEE80211_TX_RC_MCS | sample_group->flags; -- rate->count = 1; - } - - static void ---- a/net/mac80211/rx.c -+++ b/net/mac80211/rx.c -@@ -936,8 +936,14 @@ ieee80211_rx_h_check(struct ieee80211_rx - struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)rx->skb->data; - struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(rx->skb); - -- /* Drop duplicate 802.11 retransmissions (IEEE 802.11 Chap. 9.2.9) */ -- if (rx->sta && !is_multicast_ether_addr(hdr->addr1)) { + /* -+ * Drop duplicate 802.11 retransmissions -+ * (IEEE 802.11-2012: 9.3.2.10 "Duplicate detection and recovery") ++ * If there's a matchset w/o an SSID, then assume it's just for ++ * the RSSI (nothing else is currently supported) and ignore it. ++ * The device only supports a global RSSI filter that we set below. + */ -+ if (rx->skb->len >= 24 && rx->sta && -+ !ieee80211_is_ctl(hdr->frame_control) && -+ !ieee80211_is_qos_nullfunc(hdr->frame_control) && -+ !is_multicast_ether_addr(hdr->addr1)) { - if (unlikely(ieee80211_has_retry(hdr->frame_control) && - rx->sta->last_seq_ctrl[rx->seqno_idx] == - hdr->seq_ctrl)) { -@@ -2369,6 +2375,7 @@ ieee80211_rx_h_action(struct ieee80211_r - sdata->vif.type != NL80211_IFTYPE_MESH_POINT && - sdata->vif.type != NL80211_IFTYPE_AP_VLAN && - sdata->vif.type != NL80211_IFTYPE_AP && -+ sdata->vif.type != NL80211_IFTYPE_WDS && - sdata->vif.type != NL80211_IFTYPE_ADHOC) - break; - -@@ -2720,14 +2727,15 @@ ieee80211_rx_h_mgmt(struct ieee80211_rx_ - - if (!ieee80211_vif_is_mesh(&sdata->vif) && - sdata->vif.type != NL80211_IFTYPE_ADHOC && -- sdata->vif.type != NL80211_IFTYPE_STATION) -+ sdata->vif.type != NL80211_IFTYPE_STATION && -+ sdata->vif.type != NL80211_IFTYPE_WDS) - return RX_DROP_MONITOR; - - switch (stype) { - case cpu_to_le16(IEEE80211_STYPE_AUTH): - case cpu_to_le16(IEEE80211_STYPE_BEACON): - case cpu_to_le16(IEEE80211_STYPE_PROBE_RESP): -- /* process for all: mesh, mlme, ibss */ -+ /* process for all: mesh, mlme, ibss, wds */ - break; - case cpu_to_le16(IEEE80211_STYPE_ASSOC_RESP): - case cpu_to_le16(IEEE80211_STYPE_REASSOC_RESP): -@@ -3059,10 +3067,16 @@ static int prepare_for_handlers(struct i - } - break; - case NL80211_IFTYPE_WDS: -- if (bssid || !ieee80211_is_data(hdr->frame_control)) -- return 0; - if (!ether_addr_equal(sdata->u.wds.remote_addr, hdr->addr2)) - return 0; -+ -+ if (ieee80211_is_data(hdr->frame_control) || -+ ieee80211_is_action(hdr->frame_control)) { -+ if (compare_ether_addr(sdata->vif.addr, hdr->addr1)) -+ return 0; -+ } else if (!ieee80211_is_beacon(hdr->frame_control)) -+ return 0; -+ - break; - case NL80211_IFTYPE_P2P_DEVICE: - if (!ieee80211_is_public_action(hdr, skb->len) && ---- a/net/mac80211/sta_info.h -+++ b/net/mac80211/sta_info.h -@@ -32,7 +32,6 @@ - * @WLAN_STA_SHORT_PREAMBLE: Station is capable of receiving short-preamble - * frames. - * @WLAN_STA_WME: Station is a QoS-STA. -- * @WLAN_STA_WDS: Station is one of our WDS peers. - * @WLAN_STA_CLEAR_PS_FILT: Clear PS filter in hardware (using the - * IEEE80211_TX_CTL_CLEAR_PS_FILT control flag) when the next - * frame to this station is transmitted. -@@ -66,7 +65,6 @@ enum ieee80211_sta_info_flags { - WLAN_STA_AUTHORIZED, - WLAN_STA_SHORT_PREAMBLE, - WLAN_STA_WME, -- WLAN_STA_WDS, - WLAN_STA_CLEAR_PS_FILT, - WLAN_STA_MFP, - WLAN_STA_BLOCK_BA, ---- a/drivers/net/wireless/ath/ath9k/xmit.c -+++ b/drivers/net/wireless/ath/ath9k/xmit.c -@@ -146,6 +146,28 @@ static void ath_set_rates(struct ieee802 - ARRAY_SIZE(bf->rates)); - } - -+static void ath_txq_skb_done(struct ath_softc *sc, struct ath_txq *txq, -+ struct sk_buff *skb) -+{ -+ int q; -+ -+ q = skb_get_queue_mapping(skb); -+ if (txq == sc->tx.uapsdq) -+ txq = sc->tx.txq_map[q]; -+ -+ if (txq != sc->tx.txq_map[q]) -+ return; -+ -+ if (WARN_ON(--txq->pending_frames < 0)) -+ txq->pending_frames = 0; -+ -+ if (txq->stopped && -+ txq->pending_frames < sc->tx.txq_max_pending[q]) { -+ ieee80211_wake_queue(sc->hw, q); -+ txq->stopped = false; -+ } -+} -+ - static void ath_tx_flush_tid(struct ath_softc *sc, struct ath_atx_tid *tid) - { - struct ath_txq *txq = tid->ac->txq; -@@ -167,6 +189,7 @@ static void ath_tx_flush_tid(struct ath_ - if (!bf) { - bf = ath_tx_setup_buffer(sc, txq, tid, skb); - if (!bf) { -+ ath_txq_skb_done(sc, txq, skb); - ieee80211_free_txskb(sc->hw, skb); - continue; - } -@@ -811,6 +834,7 @@ ath_tx_get_tid_subframe(struct ath_softc ++ if (n_match_sets == 1 && !request->match_sets[0].ssid.ssid_len) ++ n_match_sets = 0; + + if (ar->state != ATH6KL_STATE_ON) + return -EIO; +@@ -3268,11 +3277,11 @@ static int ath6kl_cfg80211_sscan_start(s + ret = ath6kl_set_probed_ssids(ar, vif, request->ssids, + request->n_ssids, + request->match_sets, +- request->n_match_sets); ++ n_match_sets); + if (ret < 0) + return ret; + +- if (!request->n_match_sets) { ++ if (!n_match_sets) { + ret = ath6kl_wmi_bssfilter_cmd(ar->wmi, vif->fw_vif_idx, + ALL_BSS_FILTER, 0); + if (ret < 0) +@@ -3286,12 +3295,12 @@ static int ath6kl_cfg80211_sscan_start(s + + if (test_bit(ATH6KL_FW_CAPABILITY_RSSI_SCAN_THOLD, + ar->fw_capabilities)) { +- if (request->rssi_thold <= NL80211_SCAN_RSSI_THOLD_OFF) ++ if (request->min_rssi_thold <= NL80211_SCAN_RSSI_THOLD_OFF) + rssi_thold = 0; +- else if (request->rssi_thold < -127) ++ else if (request->min_rssi_thold < -127) + rssi_thold = -127; + else +- rssi_thold = request->rssi_thold; ++ rssi_thold = request->min_rssi_thold; + + ret = ath6kl_wmi_set_rssi_filter_cmd(ar->wmi, vif->fw_vif_idx, + rssi_thold); +--- a/drivers/net/wireless/ath/ath9k/hw.c ++++ b/drivers/net/wireless/ath/ath9k/hw.c +@@ -1316,7 +1316,7 @@ static bool ath9k_hw_set_reset(struct at + if (AR_SREV_9300_20_OR_LATER(ah)) + udelay(50); + else if (AR_SREV_9100(ah)) +- udelay(10000); ++ mdelay(10); + else + udelay(100); - if (!bf) { - __skb_unlink(skb, &tid->buf_q); -+ ath_txq_skb_done(sc, txq, skb); - ieee80211_free_txskb(sc->hw, skb); - continue; - } -@@ -1824,6 +1848,7 @@ static void ath_tx_send_ampdu(struct ath +@@ -2051,9 +2051,8 @@ static bool ath9k_hw_set_power_awake(str - bf = ath_tx_setup_buffer(sc, txq, tid, skb); - if (!bf) { -+ ath_txq_skb_done(sc, txq, skb); - ieee80211_free_txskb(sc->hw, skb); - return; - } -@@ -2090,6 +2115,7 @@ int ath_tx_start(struct ieee80211_hw *hw - - bf = ath_tx_setup_buffer(sc, txq, tid, skb); - if (!bf) { -+ ath_txq_skb_done(sc, txq, skb); - if (txctl->paprd) - dev_kfree_skb_any(skb); - else -@@ -2189,7 +2215,7 @@ static void ath_tx_complete(struct ath_s - struct ieee80211_tx_info *tx_info = IEEE80211_SKB_CB(skb); - struct ath_common *common = ath9k_hw_common(sc->sc_ah); - struct ieee80211_hdr * hdr = (struct ieee80211_hdr *)skb->data; -- int q, padpos, padsize; -+ int padpos, padsize; - unsigned long flags; - - ath_dbg(common, XMIT, "TX complete: skb: %p\n", skb); -@@ -2225,21 +2251,7 @@ static void ath_tx_complete(struct ath_s - spin_unlock_irqrestore(&sc->sc_pm_lock, flags); - - __skb_queue_tail(&txq->complete_q, skb); -- -- q = skb_get_queue_mapping(skb); -- if (txq == sc->tx.uapsdq) -- txq = sc->tx.txq_map[q]; -- -- if (txq == sc->tx.txq_map[q]) { -- if (WARN_ON(--txq->pending_frames < 0)) -- txq->pending_frames = 0; + REG_SET_BIT(ah, AR_RTC_FORCE_WAKE, + AR_RTC_FORCE_WAKE_EN); - -- if (txq->stopped && -- txq->pending_frames < sc->tx.txq_max_pending[q]) { -- ieee80211_wake_queue(sc->hw, q); -- txq->stopped = false; -- } -- } -+ ath_txq_skb_done(sc, txq, skb); - } + if (AR_SREV_9100(ah)) +- udelay(10000); ++ mdelay(10); + else + udelay(50); - static void ath_tx_complete_buf(struct ath_softc *sc, struct ath_buf *bf, --- a/drivers/net/wireless/ath/ath9k/main.c +++ b/drivers/net/wireless/ath/ath9k/main.c -@@ -2094,7 +2094,7 @@ static void ath9k_wow_add_pattern(struct - { - struct ath_hw *ah = sc->sc_ah; - struct ath9k_wow_pattern *wow_pattern = NULL; -- struct cfg80211_wowlan_trig_pkt_pattern *patterns = wowlan->patterns; -+ struct cfg80211_pkt_pattern *patterns = wowlan->patterns; - int mask_len; - s8 i = 0; - ---- a/drivers/net/wireless/mwifiex/cfg80211.c -+++ b/drivers/net/wireless/mwifiex/cfg80211.c -@@ -2298,8 +2298,7 @@ EXPORT_SYMBOL_GPL(mwifiex_del_virtual_in - - #ifdef CONFIG_PM - static bool --mwifiex_is_pattern_supported(struct cfg80211_wowlan_trig_pkt_pattern *pat, -- s8 *byte_seq) -+mwifiex_is_pattern_supported(struct cfg80211_pkt_pattern *pat, s8 *byte_seq) - { - int j, k, valid_byte_cnt = 0; - bool dont_care_byte = false; ---- a/drivers/net/wireless/ti/wlcore/main.c -+++ b/drivers/net/wireless/ti/wlcore/main.c -@@ -1315,7 +1315,7 @@ static struct sk_buff *wl12xx_alloc_dumm - - #ifdef CONFIG_PM - static int --wl1271_validate_wowlan_pattern(struct cfg80211_wowlan_trig_pkt_pattern *p) -+wl1271_validate_wowlan_pattern(struct cfg80211_pkt_pattern *p) +@@ -1866,7 +1866,7 @@ static void ath9k_set_coverage_class(str + + static bool ath9k_has_tx_pending(struct ath_softc *sc) { - int num_fields = 0, in_field = 0, fields_size = 0; - int i, pattern_len = 0; -@@ -1458,9 +1458,9 @@ void wl1271_rx_filter_flatten_fields(str - * Allocates an RX filter returned through f - * which needs to be freed using rx_filter_free() +- int i, npend; ++ int i, npend = 0; + + for (i = 0; i < ATH9K_NUM_TX_QUEUES; i++) { + if (!ATH_TXQ_SETUP(sc, i)) +--- a/drivers/net/wireless/iwlwifi/mvm/scan.c ++++ b/drivers/net/wireless/iwlwifi/mvm/scan.c +@@ -595,6 +595,9 @@ static void iwl_scan_offload_build_ssid( + * config match list. + */ + for (i = 0; i < req->n_match_sets && i < PROBE_OPTION_MAX; i++) { ++ /* skip empty SSID matchsets */ ++ if (!req->match_sets[i].ssid.ssid_len) ++ continue; + scan->direct_scan[i].id = WLAN_EID_SSID; + scan->direct_scan[i].len = req->match_sets[i].ssid.ssid_len; + memcpy(scan->direct_scan[i].ssid, req->match_sets[i].ssid.ssid, +--- a/drivers/net/wireless/rtlwifi/rtl8188ee/trx.c ++++ b/drivers/net/wireless/rtlwifi/rtl8188ee/trx.c +@@ -452,7 +452,7 @@ bool rtl88ee_rx_query_desc(struct ieee80 + /* During testing, hdr was NULL */ + return false; + } +- if ((ieee80211_is_robust_mgmt_frame(hdr)) && ++ if ((_ieee80211_is_robust_mgmt_frame(hdr)) && + (ieee80211_has_protected(hdr->frame_control))) + rx_status->flag &= ~RX_FLAG_DECRYPTED; + else +--- a/drivers/net/wireless/rtlwifi/rtl8192ce/trx.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192ce/trx.c +@@ -393,7 +393,7 @@ bool rtl92ce_rx_query_desc(struct ieee80 + /* In testing, hdr was NULL here */ + return false; + } +- if ((ieee80211_is_robust_mgmt_frame(hdr)) && ++ if ((_ieee80211_is_robust_mgmt_frame(hdr)) && + (ieee80211_has_protected(hdr->frame_control))) + rx_status->flag &= ~RX_FLAG_DECRYPTED; + else +--- a/drivers/net/wireless/rtlwifi/rtl8192se/trx.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192se/trx.c +@@ -310,7 +310,7 @@ bool rtl92se_rx_query_desc(struct ieee80 + /* during testing, hdr was NULL here */ + return false; + } +- if ((ieee80211_is_robust_mgmt_frame(hdr)) && ++ if ((_ieee80211_is_robust_mgmt_frame(hdr)) && + (ieee80211_has_protected(hdr->frame_control))) + rx_status->flag &= ~RX_FLAG_DECRYPTED; + else +--- a/drivers/net/wireless/rtlwifi/rtl8723ae/trx.c ++++ b/drivers/net/wireless/rtlwifi/rtl8723ae/trx.c +@@ -334,7 +334,7 @@ bool rtl8723ae_rx_query_desc(struct ieee + /* during testing, hdr could be NULL here */ + return false; + } +- if ((ieee80211_is_robust_mgmt_frame(hdr)) && ++ if ((_ieee80211_is_robust_mgmt_frame(hdr)) && + (ieee80211_has_protected(hdr->frame_control))) + rx_status->flag &= ~RX_FLAG_DECRYPTED; + else +--- a/include/linux/ieee80211.h ++++ b/include/linux/ieee80211.h +@@ -2192,10 +2192,10 @@ static inline u8 *ieee80211_get_DA(struc + } + + /** +- * ieee80211_is_robust_mgmt_frame - check if frame is a robust management frame ++ * _ieee80211_is_robust_mgmt_frame - check if frame is a robust management frame + * @hdr: the frame (buffer must include at least the first octet of payload) */ --static int wl1271_convert_wowlan_pattern_to_rx_filter( -- struct cfg80211_wowlan_trig_pkt_pattern *p, -- struct wl12xx_rx_filter **f) -+static int -+wl1271_convert_wowlan_pattern_to_rx_filter(struct cfg80211_pkt_pattern *p, -+ struct wl12xx_rx_filter **f) +-static inline bool ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr) ++static inline bool _ieee80211_is_robust_mgmt_frame(struct ieee80211_hdr *hdr) { - int i, j, ret = 0; - struct wl12xx_rx_filter *filter; -@@ -1562,7 +1562,7 @@ static int wl1271_configure_wowlan(struc - - /* Translate WoWLAN patterns into filters */ - for (i = 0; i < wow->n_patterns; i++) { -- struct cfg80211_wowlan_trig_pkt_pattern *p; -+ struct cfg80211_pkt_pattern *p; - struct wl12xx_rx_filter *filter = NULL; + if (ieee80211_is_disassoc(hdr->frame_control) || + ieee80211_is_deauth(hdr->frame_control)) +@@ -2224,6 +2224,17 @@ static inline bool ieee80211_is_robust_m + } - p = &wow->patterns[i]; + /** ++ * ieee80211_is_robust_mgmt_frame - check if skb contains a robust mgmt frame ++ * @skb: the skb containing the frame, length will be checked ++ */ ++static inline bool ieee80211_is_robust_mgmt_frame(struct sk_buff *skb) ++{ ++ if (skb->len < 25) ++ return false; ++ return _ieee80211_is_robust_mgmt_frame((void *)skb->data); ++} ++ ++/** + * ieee80211_is_public_action - check if frame is a public action frame + * @hdr: the frame + * @len: length of the frame --- a/include/net/cfg80211.h +++ b/include/net/cfg80211.h -@@ -1698,7 +1698,7 @@ struct cfg80211_pmksa { +@@ -1395,9 +1395,11 @@ struct cfg80211_scan_request { + * struct cfg80211_match_set - sets of attributes to match + * + * @ssid: SSID to be matched ++ * @rssi_thold: don't report scan results below this threshold (in s32 dBm) + */ + struct cfg80211_match_set { + struct cfg80211_ssid ssid; ++ s32 rssi_thold; }; /** -- * struct cfg80211_wowlan_trig_pkt_pattern - packet pattern -+ * struct cfg80211_pkt_pattern - packet pattern - * @mask: bitmask where to match pattern and where to ignore bytes, - * one bit per byte, in same format as nl80211 - * @pattern: bytes to match where bitmask is 1 -@@ -1708,7 +1708,7 @@ struct cfg80211_pmksa { - * Internal note: @mask and @pattern are allocated in one chunk of - * memory, free @mask only! +@@ -1420,7 +1422,8 @@ struct cfg80211_match_set { + * @dev: the interface + * @scan_start: start time of the scheduled scan + * @channels: channels to scan +- * @rssi_thold: don't report scan results below this threshold (in s32 dBm) ++ * @min_rssi_thold: for drivers only supporting a single threshold, this ++ * contains the minimum over all matchsets */ --struct cfg80211_wowlan_trig_pkt_pattern { -+struct cfg80211_pkt_pattern { - u8 *mask, *pattern; - int pattern_len; - int pkt_offset; -@@ -1770,7 +1770,7 @@ struct cfg80211_wowlan { - bool any, disconnect, magic_pkt, gtk_rekey_failure, - eap_identity_req, four_way_handshake, - rfkill_release; -- struct cfg80211_wowlan_trig_pkt_pattern *patterns; -+ struct cfg80211_pkt_pattern *patterns; - struct cfg80211_wowlan_tcp *tcp; - int n_patterns; - }; + struct cfg80211_sched_scan_request { + struct cfg80211_ssid *ssids; +@@ -1433,7 +1436,7 @@ struct cfg80211_sched_scan_request { + u32 flags; + struct cfg80211_match_set *match_sets; + int n_match_sets; +- s32 rssi_thold; ++ s32 min_rssi_thold; + + /* internal */ + struct wiphy *wiphy; --- a/include/uapi/linux/nl80211.h +++ b/include/uapi/linux/nl80211.h -@@ -3060,11 +3060,11 @@ enum nl80211_tx_power_setting { - }; +@@ -2442,9 +2442,15 @@ enum nl80211_reg_rule_attr { + * enum nl80211_sched_scan_match_attr - scheduled scan match attributes + * @__NL80211_SCHED_SCAN_MATCH_ATTR_INVALID: attribute number 0 is reserved + * @NL80211_SCHED_SCAN_MATCH_ATTR_SSID: SSID to be used for matching, +- * only report BSS with matching SSID. ++ * only report BSS with matching SSID. + * @NL80211_SCHED_SCAN_MATCH_ATTR_RSSI: RSSI threshold (in dBm) for reporting a +- * BSS in scan results. Filtering is turned off if not specified. ++ * BSS in scan results. Filtering is turned off if not specified. Note that ++ * if this attribute is in a match set of its own, then it is treated as ++ * the default value for all matchsets with an SSID, rather than being a ++ * matchset of its own without an RSSI filter. This is due to problems with ++ * how this API was implemented in the past. Also, due to the same problem, ++ * the only way to create a matchset with only an RSSI filter (with this ++ * attribute) is if there's only a single matchset with the RSSI attribute. + * @NL80211_SCHED_SCAN_MATCH_ATTR_MAX: highest scheduled scan filter + * attribute number currently defined + * @__NL80211_SCHED_SCAN_MATCH_ATTR_AFTER_LAST: internal use +--- a/net/mac80211/agg-tx.c ++++ b/net/mac80211/agg-tx.c +@@ -107,7 +107,7 @@ static void ieee80211_send_addba_request + mgmt->u.action.u.addba_req.start_seq_num = + cpu_to_le16(start_seq_num << 4); - /** -- * enum nl80211_wowlan_packet_pattern_attr - WoWLAN packet pattern attribute -- * @__NL80211_WOWLAN_PKTPAT_INVALID: invalid number for nested attribute -- * @NL80211_WOWLAN_PKTPAT_PATTERN: the pattern, values where the mask has -+ * enum nl80211_packet_pattern_attr - packet pattern attribute -+ * @__NL80211_PKTPAT_INVALID: invalid number for nested attribute -+ * @NL80211_PKTPAT_PATTERN: the pattern, values where the mask has - * a zero bit are ignored -- * @NL80211_WOWLAN_PKTPAT_MASK: pattern mask, must be long enough to have -+ * @NL80211_PKTPAT_MASK: pattern mask, must be long enough to have - * a bit for each byte in the pattern. The lowest-order bit corresponds - * to the first byte of the pattern, but the bytes of the pattern are - * in a little-endian-like format, i.e. the 9th byte of the pattern -@@ -3075,23 +3075,23 @@ enum nl80211_tx_power_setting { - * Note that the pattern matching is done as though frames were not - * 802.11 frames but 802.3 frames, i.e. the frame is fully unpacked - * first (including SNAP header unpacking) and then matched. -- * @NL80211_WOWLAN_PKTPAT_OFFSET: packet offset, pattern is matched after -+ * @NL80211_PKTPAT_OFFSET: packet offset, pattern is matched after - * these fixed number of bytes of received packet -- * @NUM_NL80211_WOWLAN_PKTPAT: number of attributes -- * @MAX_NL80211_WOWLAN_PKTPAT: max attribute number -+ * @NUM_NL80211_PKTPAT: number of attributes -+ * @MAX_NL80211_PKTPAT: max attribute number - */ --enum nl80211_wowlan_packet_pattern_attr { -- __NL80211_WOWLAN_PKTPAT_INVALID, -- NL80211_WOWLAN_PKTPAT_MASK, -- NL80211_WOWLAN_PKTPAT_PATTERN, -- NL80211_WOWLAN_PKTPAT_OFFSET, -+enum nl80211_packet_pattern_attr { -+ __NL80211_PKTPAT_INVALID, -+ NL80211_PKTPAT_MASK, -+ NL80211_PKTPAT_PATTERN, -+ NL80211_PKTPAT_OFFSET, - -- NUM_NL80211_WOWLAN_PKTPAT, -- MAX_NL80211_WOWLAN_PKTPAT = NUM_NL80211_WOWLAN_PKTPAT - 1, -+ NUM_NL80211_PKTPAT, -+ MAX_NL80211_PKTPAT = NUM_NL80211_PKTPAT - 1, - }; +- ieee80211_tx_skb_tid(sdata, skb, tid); ++ ieee80211_tx_skb(sdata, skb); + } - /** -- * struct nl80211_wowlan_pattern_support - pattern support information -+ * struct nl80211_pattern_support - packet pattern support information - * @max_patterns: maximum number of patterns supported - * @min_pattern_len: minimum length of each pattern - * @max_pattern_len: maximum length of each pattern -@@ -3101,13 +3101,22 @@ enum nl80211_wowlan_packet_pattern_attr - * that is part of %NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED in the - * capability information given by the kernel to userspace. - */ --struct nl80211_wowlan_pattern_support { -+struct nl80211_pattern_support { - __u32 max_patterns; - __u32 min_pattern_len; - __u32 max_pattern_len; - __u32 max_pkt_offset; - } __attribute__((packed)); - -+/* only for backward compatibility */ -+#define __NL80211_WOWLAN_PKTPAT_INVALID __NL80211_PKTPAT_INVALID -+#define NL80211_WOWLAN_PKTPAT_MASK NL80211_PKTPAT_MASK -+#define NL80211_WOWLAN_PKTPAT_PATTERN NL80211_PKTPAT_PATTERN -+#define NL80211_WOWLAN_PKTPAT_OFFSET NL80211_PKTPAT_OFFSET -+#define NUM_NL80211_WOWLAN_PKTPAT NUM_NL80211_PKTPAT -+#define MAX_NL80211_WOWLAN_PKTPAT MAX_NL80211_PKTPAT -+#define nl80211_wowlan_pattern_support nl80211_pattern_support -+ - /** - * enum nl80211_wowlan_triggers - WoWLAN trigger definitions - * @__NL80211_WOWLAN_TRIG_INVALID: invalid number for nested attributes -@@ -3127,7 +3136,7 @@ struct nl80211_wowlan_pattern_support { - * pattern matching is done after the packet is converted to the MSDU. - * - * In %NL80211_ATTR_WOWLAN_TRIGGERS_SUPPORTED, it is a binary attribute -- * carrying a &struct nl80211_wowlan_pattern_support. -+ * carrying a &struct nl80211_pattern_support. - * - * When reporting wakeup. it is a u32 attribute containing the 0-based - * index of the pattern that caused the wakeup, in the patterns passed -@@ -3284,7 +3293,7 @@ struct nl80211_wowlan_tcp_data_token_fea - * @NL80211_WOWLAN_TCP_WAKE_PAYLOAD: wake packet payload, for advertising a - * u32 attribute holding the maximum length - * @NL80211_WOWLAN_TCP_WAKE_MASK: Wake packet payload mask, not used for -- * feature advertising. The mask works like @NL80211_WOWLAN_PKTPAT_MASK -+ * feature advertising. The mask works like @NL80211_PKTPAT_MASK - * but on the TCP payload only. - * @NUM_NL80211_WOWLAN_TCP: number of TCP attributes - * @MAX_NL80211_WOWLAN_TCP: highest attribute number ---- a/net/mac80211/mesh_ps.c -+++ b/net/mac80211/mesh_ps.c -@@ -229,6 +229,10 @@ void ieee80211_mps_sta_status_update(str - enum nl80211_mesh_power_mode pm; - bool do_buffer; - -+ /* For non-assoc STA, prevent buffering or frame transmission */ -+ if (sta->sta_state < IEEE80211_STA_ASSOC) -+ return; -+ - /* - * use peer-specific power mode if peering is established and the - * peer's power mode is known ---- a/net/wireless/nl80211.c -+++ b/net/wireless/nl80211.c -@@ -441,10 +441,12 @@ static int nl80211_prepare_wdev_dump(str - goto out_unlock; - } - *rdev = wiphy_to_dev((*wdev)->wiphy); -- cb->args[0] = (*rdev)->wiphy_idx; -+ /* 0 is the first index - add 1 to parse only once */ -+ cb->args[0] = (*rdev)->wiphy_idx + 1; - cb->args[1] = (*wdev)->identifier; - } else { -- struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0]); -+ /* subtract the 1 again here */ -+ struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1); - struct wireless_dev *tmp; - - if (!wiphy) { -@@ -974,7 +976,7 @@ static int nl80211_send_wowlan(struct sk - return -ENOBUFS; - - if (dev->wiphy.wowlan->n_patterns) { -- struct nl80211_wowlan_pattern_support pat = { -+ struct nl80211_pattern_support pat = { - .max_patterns = dev->wiphy.wowlan->n_patterns, - .min_pattern_len = dev->wiphy.wowlan->pattern_min_len, - .max_pattern_len = dev->wiphy.wowlan->pattern_max_len, -@@ -1568,8 +1570,10 @@ static int nl80211_dump_wiphy(struct sk_ - rtnl_lock(); - if (!state) { - state = kzalloc(sizeof(*state), GFP_KERNEL); -- if (!state) -+ if (!state) { -+ rtnl_unlock(); - return -ENOMEM; + void ieee80211_send_bar(struct ieee80211_vif *vif, u8 *ra, u16 tid, u16 ssn) +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -1021,8 +1021,10 @@ static int ieee80211_start_ap(struct wip + IEEE80211_P2P_OPPPS_ENABLE_BIT; + + err = ieee80211_assign_beacon(sdata, ¶ms->beacon); +- if (err < 0) ++ if (err < 0) { ++ ieee80211_vif_release_channel(sdata); + return err; ++ } + changed |= err; + + err = drv_start_ap(sdata->local, sdata); +@@ -1032,6 +1034,7 @@ static int ieee80211_start_ap(struct wip + if (old) + kfree_rcu(old, rcu_head); + RCU_INIT_POINTER(sdata->u.ap.beacon, NULL); ++ ieee80211_vif_release_channel(sdata); + return err; + } + +@@ -1090,8 +1093,6 @@ static int ieee80211_stop_ap(struct wiph + kfree(sdata->u.ap.next_beacon); + sdata->u.ap.next_beacon = NULL; + +- cancel_work_sync(&sdata->u.ap.request_smps_work); +- + /* turn off carrier for this interface and dependent VLANs */ + list_for_each_entry(vlan, &sdata->u.ap.vlans, u.vlan.list) + netif_carrier_off(vlan->dev); +@@ -1103,6 +1104,7 @@ static int ieee80211_stop_ap(struct wiph + kfree_rcu(old_beacon, rcu_head); + if (old_probe_resp) + kfree_rcu(old_probe_resp, rcu_head); ++ sdata->u.ap.driver_smps_mode = IEEE80211_SMPS_OFF; + + __sta_info_flush(sdata, true); + ieee80211_free_keys(sdata, true); +@@ -2638,6 +2640,24 @@ static int ieee80211_start_roc_work(stru + INIT_DELAYED_WORK(&roc->work, ieee80211_sw_roc_work); + INIT_LIST_HEAD(&roc->dependents); + ++ /* ++ * cookie is either the roc cookie (for normal roc) ++ * or the SKB (for mgmt TX) ++ */ ++ if (!txskb) { ++ /* local->mtx protects this */ ++ local->roc_cookie_counter++; ++ roc->cookie = local->roc_cookie_counter; ++ /* wow, you wrapped 64 bits ... more likely a bug */ ++ if (WARN_ON(roc->cookie == 0)) { ++ roc->cookie = 1; ++ local->roc_cookie_counter++; + } - state->filter_wiphy = -1; - ret = nl80211_dump_wiphy_parse(skb, cb, state); - if (ret) { -@@ -6615,12 +6619,14 @@ EXPORT_SYMBOL(cfg80211_testmode_alloc_ev ++ *cookie = roc->cookie; ++ } else { ++ *cookie = (unsigned long)txskb; ++ } ++ + /* if there's one pending or we're scanning, queue this one */ + if (!list_empty(&local->roc_list) || + local->scanning || local->radar_detect_enabled) +@@ -2772,24 +2792,6 @@ static int ieee80211_start_roc_work(stru + if (!queued) + list_add_tail(&roc->list, &local->roc_list); + +- /* +- * cookie is either the roc cookie (for normal roc) +- * or the SKB (for mgmt TX) +- */ +- if (!txskb) { +- /* local->mtx protects this */ +- local->roc_cookie_counter++; +- roc->cookie = local->roc_cookie_counter; +- /* wow, you wrapped 64 bits ... more likely a bug */ +- if (WARN_ON(roc->cookie == 0)) { +- roc->cookie = 1; +- local->roc_cookie_counter++; +- } +- *cookie = roc->cookie; +- } else { +- *cookie = (unsigned long)txskb; +- } +- + return 0; + } - void cfg80211_testmode_event(struct sk_buff *skb, gfp_t gfp) - { -+ struct cfg80211_registered_device *rdev = ((void **)skb->cb)[0]; - void *hdr = ((void **)skb->cb)[1]; - struct nlattr *data = ((void **)skb->cb)[2]; - - nla_nest_end(skb, data); - genlmsg_end(skb, hdr); -- genlmsg_multicast(skb, 0, nl80211_testmode_mcgrp.id, gfp); -+ genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), skb, 0, -+ nl80211_testmode_mcgrp.id, gfp); +--- a/net/mac80211/ht.c ++++ b/net/mac80211/ht.c +@@ -375,7 +375,7 @@ void ieee80211_send_delba(struct ieee802 + mgmt->u.action.u.delba.params = cpu_to_le16(params); + mgmt->u.action.u.delba.reason_code = cpu_to_le16(reason_code); + +- ieee80211_tx_skb_tid(sdata, skb, tid); ++ ieee80211_tx_skb(sdata, skb); } - EXPORT_SYMBOL(cfg80211_testmode_event); - #endif -@@ -7593,12 +7599,11 @@ static int nl80211_send_wowlan_patterns( - if (!nl_pat) - return -ENOBUFS; - pat_len = wowlan->patterns[i].pattern_len; -- if (nla_put(msg, NL80211_WOWLAN_PKTPAT_MASK, -- DIV_ROUND_UP(pat_len, 8), -+ if (nla_put(msg, NL80211_PKTPAT_MASK, DIV_ROUND_UP(pat_len, 8), - wowlan->patterns[i].mask) || -- nla_put(msg, NL80211_WOWLAN_PKTPAT_PATTERN, -- pat_len, wowlan->patterns[i].pattern) || -- nla_put_u32(msg, NL80211_WOWLAN_PKTPAT_OFFSET, -+ nla_put(msg, NL80211_PKTPAT_PATTERN, pat_len, -+ wowlan->patterns[i].pattern) || -+ nla_put_u32(msg, NL80211_PKTPAT_OFFSET, - wowlan->patterns[i].pkt_offset)) - return -ENOBUFS; - nla_nest_end(msg, nl_pat); -@@ -7939,7 +7944,7 @@ static int nl80211_set_wowlan(struct sk_ - struct nlattr *pat; - int n_patterns = 0; - int rem, pat_len, mask_len, pkt_offset; -- struct nlattr *pat_tb[NUM_NL80211_WOWLAN_PKTPAT]; -+ struct nlattr *pat_tb[NUM_NL80211_PKTPAT]; - - nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN], - rem) -@@ -7958,26 +7963,25 @@ static int nl80211_set_wowlan(struct sk_ - - nla_for_each_nested(pat, tb[NL80211_WOWLAN_TRIG_PKT_PATTERN], - rem) { -- nla_parse(pat_tb, MAX_NL80211_WOWLAN_PKTPAT, -- nla_data(pat), nla_len(pat), NULL); -+ nla_parse(pat_tb, MAX_NL80211_PKTPAT, nla_data(pat), -+ nla_len(pat), NULL); - err = -EINVAL; -- if (!pat_tb[NL80211_WOWLAN_PKTPAT_MASK] || -- !pat_tb[NL80211_WOWLAN_PKTPAT_PATTERN]) -+ if (!pat_tb[NL80211_PKTPAT_MASK] || -+ !pat_tb[NL80211_PKTPAT_PATTERN]) - goto error; -- pat_len = nla_len(pat_tb[NL80211_WOWLAN_PKTPAT_PATTERN]); -+ pat_len = nla_len(pat_tb[NL80211_PKTPAT_PATTERN]); - mask_len = DIV_ROUND_UP(pat_len, 8); -- if (nla_len(pat_tb[NL80211_WOWLAN_PKTPAT_MASK]) != -- mask_len) -+ if (nla_len(pat_tb[NL80211_PKTPAT_MASK]) != mask_len) - goto error; - if (pat_len > wowlan->pattern_max_len || - pat_len < wowlan->pattern_min_len) - goto error; - -- if (!pat_tb[NL80211_WOWLAN_PKTPAT_OFFSET]) -+ if (!pat_tb[NL80211_PKTPAT_OFFSET]) - pkt_offset = 0; - else - pkt_offset = nla_get_u32( -- pat_tb[NL80211_WOWLAN_PKTPAT_OFFSET]); -+ pat_tb[NL80211_PKTPAT_OFFSET]); - if (pkt_offset > wowlan->max_pkt_offset) - goto error; - new_triggers.patterns[i].pkt_offset = pkt_offset; -@@ -7991,11 +7995,11 @@ static int nl80211_set_wowlan(struct sk_ - new_triggers.patterns[i].pattern = - new_triggers.patterns[i].mask + mask_len; - memcpy(new_triggers.patterns[i].mask, -- nla_data(pat_tb[NL80211_WOWLAN_PKTPAT_MASK]), -+ nla_data(pat_tb[NL80211_PKTPAT_MASK]), - mask_len); - new_triggers.patterns[i].pattern_len = pat_len; - memcpy(new_triggers.patterns[i].pattern, -- nla_data(pat_tb[NL80211_WOWLAN_PKTPAT_PATTERN]), -+ nla_data(pat_tb[NL80211_PKTPAT_PATTERN]), - pat_len); - i++; - } -@@ -10066,7 +10070,8 @@ void cfg80211_mgmt_tx_status(struct wire - genlmsg_end(msg, hdr); + void ieee80211_process_delba(struct ieee80211_sub_if_data *sdata, +@@ -466,7 +466,9 @@ void ieee80211_request_smps_ap_work(stru + u.ap.request_smps_work); -- genlmsg_multicast(msg, 0, nl80211_mlme_mcgrp.id, gfp); -+ genlmsg_multicast_netns(wiphy_net(&rdev->wiphy), msg, 0, -+ nl80211_mlme_mcgrp.id, gfp); - return; + sdata_lock(sdata); +- __ieee80211_request_smps_ap(sdata, sdata->u.ap.driver_smps_mode); ++ if (sdata_dereference(sdata->u.ap.beacon, sdata)) ++ __ieee80211_request_smps_ap(sdata, ++ sdata->u.ap.driver_smps_mode); + sdata_unlock(sdata); + } - nla_put_failure: ---- a/net/wireless/reg.c -+++ b/net/wireless/reg.c -@@ -2247,10 +2247,13 @@ int reg_device_uevent(struct device *dev +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -770,12 +770,19 @@ static void ieee80211_do_stop(struct iee - void wiphy_regulatory_register(struct wiphy *wiphy) - { -+ struct regulatory_request *lr; -+ - if (!reg_dev_ignore_cell_hint(wiphy)) - reg_num_devs_support_basehint++; + ieee80211_roc_purge(local, sdata); -- wiphy_update_regulatory(wiphy, NL80211_REGDOM_SET_BY_CORE); -+ lr = get_last_request(); -+ wiphy_update_regulatory(wiphy, lr->initiator); - } +- if (sdata->vif.type == NL80211_IFTYPE_STATION) ++ switch (sdata->vif.type) { ++ case NL80211_IFTYPE_STATION: + ieee80211_mgd_stop(sdata); +- +- if (sdata->vif.type == NL80211_IFTYPE_ADHOC) ++ break; ++ case NL80211_IFTYPE_ADHOC: + ieee80211_ibss_stop(sdata); +- ++ break; ++ case NL80211_IFTYPE_AP: ++ cancel_work_sync(&sdata->u.ap.request_smps_work); ++ break; ++ default: ++ break; ++ } - void wiphy_regulatory_deregister(struct wiphy *wiphy) -@@ -2279,7 +2282,9 @@ void wiphy_regulatory_deregister(struct - static void reg_timeout_work(struct work_struct *work) + /* + * Remove all stations associated with this interface. +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -599,10 +599,10 @@ static int ieee80211_is_unicast_robust_m { - REG_DBG_PRINT("Timeout while waiting for CRDA to reply, restoring regulatory settings\n"); -+ rtnl_lock(); - restore_regulatory_settings(true); -+ rtnl_unlock(); - } + struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; - int __init regulatory_init(void) ---- a/net/wireless/sme.c -+++ b/net/wireless/sme.c -@@ -34,8 +34,10 @@ struct cfg80211_conn { - CFG80211_CONN_SCAN_AGAIN, - CFG80211_CONN_AUTHENTICATE_NEXT, - CFG80211_CONN_AUTHENTICATING, -+ CFG80211_CONN_AUTH_FAILED, - CFG80211_CONN_ASSOCIATE_NEXT, - CFG80211_CONN_ASSOCIATING, -+ CFG80211_CONN_ASSOC_FAILED, - CFG80211_CONN_DEAUTH, - CFG80211_CONN_CONNECTED, - } state; -@@ -164,6 +166,8 @@ static int cfg80211_conn_do_work(struct - NULL, 0, - params->key, params->key_len, - params->key_idx, NULL, 0); -+ case CFG80211_CONN_AUTH_FAILED: -+ return -ENOTCONN; - case CFG80211_CONN_ASSOCIATE_NEXT: - BUG_ON(!rdev->ops->assoc); - wdev->conn->state = CFG80211_CONN_ASSOCIATING; -@@ -188,10 +192,17 @@ static int cfg80211_conn_do_work(struct - WLAN_REASON_DEAUTH_LEAVING, - false); - return err; -+ case CFG80211_CONN_ASSOC_FAILED: -+ cfg80211_mlme_deauth(rdev, wdev->netdev, params->bssid, -+ NULL, 0, -+ WLAN_REASON_DEAUTH_LEAVING, false); -+ return -ENOTCONN; - case CFG80211_CONN_DEAUTH: - cfg80211_mlme_deauth(rdev, wdev->netdev, params->bssid, - NULL, 0, - WLAN_REASON_DEAUTH_LEAVING, false); -+ /* free directly, disconnected event already sent */ -+ cfg80211_sme_free(wdev); - return 0; - default: +- if (skb->len < 24 || is_multicast_ether_addr(hdr->addr1)) ++ if (is_multicast_ether_addr(hdr->addr1)) return 0; -@@ -371,7 +382,7 @@ bool cfg80211_sme_rx_assoc_resp(struct w - return true; - } -- wdev->conn->state = CFG80211_CONN_DEAUTH; -+ wdev->conn->state = CFG80211_CONN_ASSOC_FAILED; - schedule_work(&rdev->conn_work); - return false; +- return ieee80211_is_robust_mgmt_frame(hdr); ++ return ieee80211_is_robust_mgmt_frame(skb); } -@@ -383,7 +394,13 @@ void cfg80211_sme_deauth(struct wireless - void cfg80211_sme_auth_timeout(struct wireless_dev *wdev) + +@@ -610,10 +610,10 @@ static int ieee80211_is_multicast_robust { -- cfg80211_sme_free(wdev); -+ struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy); -+ -+ if (!wdev->conn) -+ return; -+ -+ wdev->conn->state = CFG80211_CONN_AUTH_FAILED; -+ schedule_work(&rdev->conn_work); - } + struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; - void cfg80211_sme_disassoc(struct wireless_dev *wdev) -@@ -399,7 +416,13 @@ void cfg80211_sme_disassoc(struct wirele +- if (skb->len < 24 || !is_multicast_ether_addr(hdr->addr1)) ++ if (!is_multicast_ether_addr(hdr->addr1)) + return 0; - void cfg80211_sme_assoc_timeout(struct wireless_dev *wdev) - { -- cfg80211_sme_disassoc(wdev); -+ struct cfg80211_registered_device *rdev = wiphy_to_dev(wdev->wiphy); -+ -+ if (!wdev->conn) -+ return; -+ -+ wdev->conn->state = CFG80211_CONN_ASSOC_FAILED; -+ schedule_work(&rdev->conn_work); +- return ieee80211_is_robust_mgmt_frame(hdr); ++ return ieee80211_is_robust_mgmt_frame(skb); } - static int cfg80211_sme_connect(struct wireless_dev *wdev, ---- a/net/mac80211/rc80211_minstrel.c -+++ b/net/mac80211/rc80211_minstrel.c -@@ -290,7 +290,7 @@ minstrel_get_rate(void *priv, struct iee - struct minstrel_rate *msr, *mr; - unsigned int ndx; - bool mrr_capable; -- bool prev_sample = mi->prev_sample; -+ bool prev_sample; - int delta; - int sampling_ratio; - -@@ -314,6 +314,7 @@ minstrel_get_rate(void *priv, struct iee - (mi->sample_count + mi->sample_deferred / 2); - - /* delta < 0: no sampling required */ -+ prev_sample = mi->prev_sample; - mi->prev_sample = false; - if (delta < 0 || (!mrr_capable && prev_sample)) - return; ---- a/drivers/net/wireless/rt2x00/rt2x00queue.c -+++ b/drivers/net/wireless/rt2x00/rt2x00queue.c -@@ -936,13 +936,8 @@ void rt2x00queue_index_inc(struct queue_ - spin_unlock_irqrestore(&queue->index_lock, irqflags); - } --void rt2x00queue_pause_queue(struct data_queue *queue) -+void rt2x00queue_pause_queue_nocheck(struct data_queue *queue) - { -- if (!test_bit(DEVICE_STATE_PRESENT, &queue->rt2x00dev->flags) || -- !test_bit(QUEUE_STARTED, &queue->flags) || -- test_and_set_bit(QUEUE_PAUSED, &queue->flags)) -- return; -- - switch (queue->qid) { - case QID_AC_VO: - case QID_AC_VI: -@@ -958,6 +953,15 @@ void rt2x00queue_pause_queue(struct data - break; - } - } -+void rt2x00queue_pause_queue(struct data_queue *queue) -+{ -+ if (!test_bit(DEVICE_STATE_PRESENT, &queue->rt2x00dev->flags) || -+ !test_bit(QUEUE_STARTED, &queue->flags) || -+ test_and_set_bit(QUEUE_PAUSED, &queue->flags)) -+ return; -+ -+ rt2x00queue_pause_queue_nocheck(queue); -+} - EXPORT_SYMBOL_GPL(rt2x00queue_pause_queue); +@@ -626,7 +626,7 @@ static int ieee80211_get_mmie_keyidx(str + if (skb->len < 24 + sizeof(*mmie) || !is_multicast_ether_addr(hdr->da)) + return -1; - void rt2x00queue_unpause_queue(struct data_queue *queue) -@@ -1019,7 +1023,7 @@ void rt2x00queue_stop_queue(struct data_ - return; - } +- if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *) hdr)) ++ if (!ieee80211_is_robust_mgmt_frame(skb)) + return -1; /* not a robust management frame */ -- rt2x00queue_pause_queue(queue); -+ rt2x00queue_pause_queue_nocheck(queue); - - queue->rt2x00dev->ops->lib->stop_queue(queue); - ---- a/net/mac80211/mlme.c -+++ b/net/mac80211/mlme.c -@@ -31,10 +31,12 @@ - #include "led.h" - - #define IEEE80211_AUTH_TIMEOUT (HZ / 5) -+#define IEEE80211_AUTH_TIMEOUT_LONG (HZ / 2) - #define IEEE80211_AUTH_TIMEOUT_SHORT (HZ / 10) - #define IEEE80211_AUTH_MAX_TRIES 3 - #define IEEE80211_AUTH_WAIT_ASSOC (HZ * 5) - #define IEEE80211_ASSOC_TIMEOUT (HZ / 5) -+#define IEEE80211_ASSOC_TIMEOUT_LONG (HZ / 2) - #define IEEE80211_ASSOC_TIMEOUT_SHORT (HZ / 10) - #define IEEE80211_ASSOC_MAX_TRIES 3 - -@@ -209,8 +211,9 @@ ieee80211_determine_chantype(struct ieee - struct ieee80211_channel *channel, - const struct ieee80211_ht_operation *ht_oper, - const struct ieee80211_vht_operation *vht_oper, -- struct cfg80211_chan_def *chandef, bool verbose) -+ struct cfg80211_chan_def *chandef, bool tracking) - { -+ struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; - struct cfg80211_chan_def vht_chandef; - u32 ht_cfreq, ret; - -@@ -229,7 +232,7 @@ ieee80211_determine_chantype(struct ieee - ht_cfreq = ieee80211_channel_to_frequency(ht_oper->primary_chan, - channel->band); - /* check that channel matches the right operating channel */ -- if (channel->center_freq != ht_cfreq) { -+ if (!tracking && channel->center_freq != ht_cfreq) { - /* - * It's possible that some APs are confused here; - * Netgear WNDR3700 sometimes reports 4 higher than -@@ -237,11 +240,10 @@ ieee80211_determine_chantype(struct ieee - * since we look at probe response/beacon data here - * it should be OK. + mmie = (struct ieee80211_mmie *) +@@ -1845,8 +1845,7 @@ static int ieee80211_drop_unencrypted_mg + * having configured keys. */ -- if (verbose) -- sdata_info(sdata, -- "Wrong control channel: center-freq: %d ht-cfreq: %d ht->primary_chan: %d band: %d - Disabling HT\n", -- channel->center_freq, ht_cfreq, -- ht_oper->primary_chan, channel->band); -+ sdata_info(sdata, -+ "Wrong control channel: center-freq: %d ht-cfreq: %d ht->primary_chan: %d band: %d - Disabling HT\n", -+ channel->center_freq, ht_cfreq, -+ ht_oper->primary_chan, channel->band); - ret = IEEE80211_STA_DISABLE_HT | IEEE80211_STA_DISABLE_VHT; - goto out; - } -@@ -295,7 +297,7 @@ ieee80211_determine_chantype(struct ieee - channel->band); - break; - default: -- if (verbose) -+ if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) - sdata_info(sdata, - "AP VHT operation IE has invalid channel width (%d), disable VHT\n", - vht_oper->chan_width); -@@ -304,7 +306,7 @@ ieee80211_determine_chantype(struct ieee + if (unlikely(ieee80211_is_action(fc) && !rx->key && +- ieee80211_is_robust_mgmt_frame( +- (struct ieee80211_hdr *) rx->skb->data))) ++ ieee80211_is_robust_mgmt_frame(rx->skb))) + return -EACCES; } - if (!cfg80211_chandef_valid(&vht_chandef)) { -- if (verbose) -+ if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) - sdata_info(sdata, - "AP VHT information is invalid, disable VHT\n"); - ret = IEEE80211_STA_DISABLE_VHT; -@@ -317,7 +319,7 @@ ieee80211_determine_chantype(struct ieee - } - - if (!cfg80211_chandef_compatible(chandef, &vht_chandef)) { -- if (verbose) -+ if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) - sdata_info(sdata, - "AP VHT information doesn't match HT, disable VHT\n"); - ret = IEEE80211_STA_DISABLE_VHT; -@@ -333,18 +335,27 @@ out: - if (ret & IEEE80211_STA_DISABLE_VHT) - vht_chandef = *chandef; +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -452,8 +452,7 @@ static int ieee80211_use_mfp(__le16 fc, + if (sta == NULL || !test_sta_flag(sta, WLAN_STA_MFP)) + return 0; -+ /* -+ * Ignore the DISABLED flag when we're already connected and only -+ * tracking the APs beacon for bandwidth changes - otherwise we -+ * might get disconnected here if we connect to an AP, update our -+ * regulatory information based on the AP's country IE and the -+ * information we have is wrong/outdated and disables the channel -+ * that we're actually using for the connection to the AP. -+ */ - while (!cfg80211_chandef_usable(sdata->local->hw.wiphy, chandef, -- IEEE80211_CHAN_DISABLED)) { -+ tracking ? 0 : -+ IEEE80211_CHAN_DISABLED)) { - if (WARN_ON(chandef->width == NL80211_CHAN_WIDTH_20_NOHT)) { - ret = IEEE80211_STA_DISABLE_HT | - IEEE80211_STA_DISABLE_VHT; -- goto out; -+ break; - } +- if (!ieee80211_is_robust_mgmt_frame((struct ieee80211_hdr *) +- skb->data)) ++ if (!ieee80211_is_robust_mgmt_frame(skb)) + return 0; - ret |= chandef_downgrade(chandef); + return 1; +@@ -567,7 +566,7 @@ ieee80211_tx_h_select_key(struct ieee802 + tx->key = key; + else if (ieee80211_is_mgmt(hdr->frame_control) && + is_multicast_ether_addr(hdr->addr1) && +- ieee80211_is_robust_mgmt_frame(hdr) && ++ ieee80211_is_robust_mgmt_frame(tx->skb) && + (key = rcu_dereference(tx->sdata->default_mgmt_key))) + tx->key = key; + else if (is_multicast_ether_addr(hdr->addr1) && +@@ -582,12 +581,12 @@ ieee80211_tx_h_select_key(struct ieee802 + tx->key = NULL; + else if (tx->skb->protocol == tx->sdata->control_port_protocol) + tx->key = NULL; +- else if (ieee80211_is_robust_mgmt_frame(hdr) && ++ else if (ieee80211_is_robust_mgmt_frame(tx->skb) && + !(ieee80211_is_action(hdr->frame_control) && + tx->sta && test_sta_flag(tx->sta, WLAN_STA_MFP))) + tx->key = NULL; + else if (ieee80211_is_mgmt(hdr->frame_control) && +- !ieee80211_is_robust_mgmt_frame(hdr)) ++ !ieee80211_is_robust_mgmt_frame(tx->skb)) + tx->key = NULL; + else { + I802_DEBUG_INC(tx->local->tx_handlers_drop_unencrypted); +--- a/net/mac80211/wpa.c ++++ b/net/mac80211/wpa.c +@@ -499,7 +499,7 @@ ieee80211_crypto_ccmp_decrypt(struct iee + hdrlen = ieee80211_hdrlen(hdr->frame_control); + + if (!ieee80211_is_data(hdr->frame_control) && +- !ieee80211_is_robust_mgmt_frame(hdr)) ++ !ieee80211_is_robust_mgmt_frame(skb)) + return RX_CONTINUE; + + data_len = skb->len - hdrlen - IEEE80211_CCMP_HDR_LEN - +--- a/net/wireless/ap.c ++++ b/net/wireless/ap.c +@@ -30,6 +30,7 @@ static int __cfg80211_stop_ap(struct cfg + wdev->channel = NULL; + wdev->ssid_len = 0; + rdev_set_qos_map(rdev, dev, NULL); ++ nl80211_send_ap_stopped(wdev); } -- if (chandef->width != vht_chandef.width && verbose) -+ if (chandef->width != vht_chandef.width && !tracking) - sdata_info(sdata, - "capabilities/regulatory prevented using AP HT/VHT configuration, downgraded\n"); + return err; +--- a/net/wireless/core.c ++++ b/net/wireless/core.c +@@ -203,8 +203,11 @@ void cfg80211_stop_p2p_device(struct cfg -@@ -384,7 +395,7 @@ static int ieee80211_config_bw(struct ie + rdev->opencount--; - /* calculate new channel (type) based on HT/VHT operation IEs */ - flags = ieee80211_determine_chantype(sdata, sband, chan, ht_oper, -- vht_oper, &chandef, false); -+ vht_oper, &chandef, true); +- WARN_ON(rdev->scan_req && rdev->scan_req->wdev == wdev && +- !rdev->scan_req->notified); ++ if (rdev->scan_req && rdev->scan_req->wdev == wdev) { ++ if (WARN_ON(!rdev->scan_req->notified)) ++ rdev->scan_req->aborted = true; ++ ___cfg80211_scan_done(rdev, false); ++ } + } + + static int cfg80211_rfkill_set_block(void *data, bool blocked) +@@ -447,9 +450,6 @@ int wiphy_register(struct wiphy *wiphy) + int i; + u16 ifmodes = wiphy->interface_modes; +- /* support for 5/10 MHz is broken due to nl80211 API mess - disable */ +- wiphy->flags &= ~WIPHY_FLAG_SUPPORTS_5_10_MHZ; +- /* - * Downgrade the new channel if we associated with restricted -@@ -3394,10 +3405,13 @@ static int ieee80211_probe_auth(struct i - - if (tx_flags == 0) { - auth_data->timeout = jiffies + IEEE80211_AUTH_TIMEOUT; -- ifmgd->auth_data->timeout_started = true; -+ auth_data->timeout_started = true; - run_again(sdata, auth_data->timeout); - } else { -- auth_data->timeout_started = false; -+ auth_data->timeout = -+ round_jiffies_up(jiffies + IEEE80211_AUTH_TIMEOUT_LONG); -+ auth_data->timeout_started = true; -+ run_again(sdata, auth_data->timeout); - } + * There are major locking problems in nl80211/mac80211 for CSA, + * disable for all drivers until this has been reworked. +@@ -875,8 +875,11 @@ static int cfg80211_netdev_notifier_call + break; + case NETDEV_DOWN: + cfg80211_update_iface_num(rdev, wdev->iftype, -1); +- WARN_ON(rdev->scan_req && rdev->scan_req->wdev == wdev && +- !rdev->scan_req->notified); ++ if (rdev->scan_req && rdev->scan_req->wdev == wdev) { ++ if (WARN_ON(!rdev->scan_req->notified)) ++ rdev->scan_req->aborted = true; ++ ___cfg80211_scan_done(rdev, false); ++ } - return 0; -@@ -3434,7 +3448,11 @@ static int ieee80211_do_assoc(struct iee - assoc_data->timeout_started = true; - run_again(sdata, assoc_data->timeout); - } else { -- assoc_data->timeout_started = false; -+ assoc_data->timeout = -+ round_jiffies_up(jiffies + -+ IEEE80211_ASSOC_TIMEOUT_LONG); -+ assoc_data->timeout_started = true; -+ run_again(sdata, assoc_data->timeout); + if (WARN_ON(rdev->sched_scan_req && + rdev->sched_scan_req->dev == wdev->netdev)) { +--- a/net/wireless/core.h ++++ b/net/wireless/core.h +@@ -62,6 +62,7 @@ struct cfg80211_registered_device { + struct rb_root bss_tree; + u32 bss_generation; + struct cfg80211_scan_request *scan_req; /* protected by RTNL */ ++ struct sk_buff *scan_msg; + struct cfg80211_sched_scan_request *sched_scan_req; + unsigned long suspend_at; + struct work_struct scan_done_wk; +@@ -361,7 +362,8 @@ int cfg80211_validate_key_settings(struc + struct key_params *params, int key_idx, + bool pairwise, const u8 *mac_addr); + void __cfg80211_scan_done(struct work_struct *wk); +-void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev); ++void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev, ++ bool send_message); + void __cfg80211_sched_scan_results(struct work_struct *wk); + int __cfg80211_stop_sched_scan(struct cfg80211_registered_device *rdev, + bool driver_initiated); +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -1723,9 +1723,10 @@ static int nl80211_dump_wiphy(struct sk_ + * We can then retry with the larger buffer. + */ + if ((ret == -ENOBUFS || ret == -EMSGSIZE) && +- !skb->len && ++ !skb->len && !state->split && + cb->min_dump_alloc < 4096) { + cb->min_dump_alloc = 4096; ++ state->split_start = 0; + rtnl_unlock(); + return 1; + } +@@ -2047,10 +2048,12 @@ static int nl80211_set_wiphy(struct sk_b + nla_for_each_nested(nl_txq_params, + info->attrs[NL80211_ATTR_WIPHY_TXQ_PARAMS], + rem_txq_params) { +- nla_parse(tb, NL80211_TXQ_ATTR_MAX, +- nla_data(nl_txq_params), +- nla_len(nl_txq_params), +- txq_params_policy); ++ result = nla_parse(tb, NL80211_TXQ_ATTR_MAX, ++ nla_data(nl_txq_params), ++ nla_len(nl_txq_params), ++ txq_params_policy); ++ if (result) ++ goto bad_res; + result = parse_txq_params(tb, &txq_params); + if (result) + goto bad_res; +@@ -5210,9 +5213,11 @@ static int nl80211_set_reg(struct sk_buf + + nla_for_each_nested(nl_reg_rule, info->attrs[NL80211_ATTR_REG_RULES], + rem_reg_rules) { +- nla_parse(tb, NL80211_REG_RULE_ATTR_MAX, +- nla_data(nl_reg_rule), nla_len(nl_reg_rule), +- reg_rule_policy); ++ r = nla_parse(tb, NL80211_REG_RULE_ATTR_MAX, ++ nla_data(nl_reg_rule), nla_len(nl_reg_rule), ++ reg_rule_policy); ++ if (r) ++ goto bad_reg; + r = parse_reg_rule(tb, &rd->reg_rules[rule_idx]); + if (r) + goto bad_reg; +@@ -5277,7 +5282,7 @@ static int nl80211_trigger_scan(struct s + if (!rdev->ops->scan) + return -EOPNOTSUPP; + +- if (rdev->scan_req) { ++ if (rdev->scan_req || rdev->scan_msg) { + err = -EBUSY; + goto unlock; } +@@ -5475,6 +5480,7 @@ static int nl80211_start_sched_scan(stru + enum ieee80211_band band; + size_t ie_len; + struct nlattr *tb[NL80211_SCHED_SCAN_MATCH_ATTR_MAX + 1]; ++ s32 default_match_rssi = NL80211_SCAN_RSSI_THOLD_OFF; + + if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_SCHED_SCAN) || + !rdev->ops->sched_scan_start) +@@ -5509,11 +5515,40 @@ static int nl80211_start_sched_scan(stru + if (n_ssids > wiphy->max_sched_scan_ssids) + return -EINVAL; - return 0; -@@ -3829,7 +3847,7 @@ static int ieee80211_prep_channel(struct - ifmgd->flags |= ieee80211_determine_chantype(sdata, sband, - cbss->channel, - ht_oper, vht_oper, -- &chandef, true); -+ &chandef, false); - - sdata->needed_rx_chains = min(ieee80211_ht_vht_rx_chains(sdata, cbss), - local->rx_chains); ---- a/net/wireless/core.c -+++ b/net/wireless/core.c -@@ -772,6 +772,7 @@ void cfg80211_leave(struct cfg80211_regi - cfg80211_leave_mesh(rdev, dev); - break; - case NL80211_IFTYPE_AP: -+ case NL80211_IFTYPE_P2P_GO: - cfg80211_stop_ap(rdev, dev); - break; - default: ---- a/drivers/net/wireless/rtlwifi/Kconfig -+++ b/drivers/net/wireless/rtlwifi/Kconfig -@@ -1,29 +1,22 @@ --config RTLWIFI -- tristate "Realtek wireless card support" -+menuconfig RTL_CARDS -+ tristate "Realtek rtlwifi family of devices" - depends on m -- depends on MAC80211 -- select BACKPORT_FW_LOADER -- ---help--- -- This is common code for RTL8192CE/RTL8192CU/RTL8192SE/RTL8723AE -- drivers. This module does nothing by itself - the various front-end -- drivers need to be enabled to support any desired devices. -- -- If you choose to build as a module, it'll be called rtlwifi. -- --config RTLWIFI_DEBUG -- bool "Debugging output for rtlwifi driver family" -- depends on RTLWIFI -+ depends on MAC80211 && (PCI || USB) - default y - ---help--- -- To use the module option that sets the dynamic-debugging level for, -- the front-end driver, this parameter must be "Y". For memory-limited -- systems, choose "N". If in doubt, choose "Y". -+ This option will enable support for the Realtek mac80211-based -+ wireless drivers. Drivers rtl8192ce, rtl8192cu, rtl8192se, rtl8192de, -+ rtl8723eu, and rtl8188eu share some common code. -+ -+if RTL_CARDS - - config RTL8192CE - tristate "Realtek RTL8192CE/RTL8188CE Wireless Network Adapter" - depends on m -- depends on RTLWIFI && PCI -+ depends on PCI - select RTL8192C_COMMON -+ select RTLWIFI -+ select RTLWIFI_PCI - ---help--- - This is the driver for Realtek RTL8192CE/RTL8188CE 802.11n PCIe - wireless network adapters. -@@ -33,7 +26,9 @@ config RTL8192CE - config RTL8192SE - tristate "Realtek RTL8192SE/RTL8191SE PCIe Wireless Network Adapter" - depends on m -- depends on RTLWIFI && PCI -+ depends on PCI -+ select RTLWIFI -+ select RTLWIFI_PCI - ---help--- - This is the driver for Realtek RTL8192SE/RTL8191SE 802.11n PCIe - wireless network adapters. -@@ -43,7 +38,9 @@ config RTL8192SE - config RTL8192DE - tristate "Realtek RTL8192DE/RTL8188DE PCIe Wireless Network Adapter" - depends on m -- depends on RTLWIFI && PCI -+ depends on PCI -+ select RTLWIFI -+ select RTLWIFI_PCI - ---help--- - This is the driver for Realtek RTL8192DE/RTL8188DE 802.11n PCIe - wireless network adapters. -@@ -53,7 +50,9 @@ config RTL8192DE - config RTL8723AE - tristate "Realtek RTL8723AE PCIe Wireless Network Adapter" - depends on m -- depends on RTLWIFI && PCI -+ depends on PCI -+ select RTLWIFI -+ select RTLWIFI_PCI - ---help--- - This is the driver for Realtek RTL8723AE 802.11n PCIe - wireless network adapters. -@@ -63,7 +62,9 @@ config RTL8723AE - config RTL8188EE - tristate "Realtek RTL8188EE Wireless Network Adapter" - depends on m -- depends on RTLWIFI && PCI -+ depends on PCI -+ select RTLWIFI -+ select RTLWIFI_PCI - ---help--- - This is the driver for Realtek RTL8188EE 802.11n PCIe - wireless network adapters. -@@ -73,7 +74,9 @@ config RTL8188EE - config RTL8192CU - tristate "Realtek RTL8192CU/RTL8188CU USB Wireless Network Adapter" - depends on m -- depends on RTLWIFI && USB -+ depends on USB -+ select RTLWIFI -+ select RTLWIFI_USB - select RTL8192C_COMMON - ---help--- - This is the driver for Realtek RTL8192CU/RTL8188CU 802.11n USB -@@ -81,8 +84,32 @@ config RTL8192CU - - If you choose to build it as a module, it will be called rtl8192cu - -+config RTLWIFI -+ tristate "Realtek common driver part" -+ depends on m -+ select BACKPORT_FW_LOADER +- if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) ++ /* ++ * First, count the number of 'real' matchsets. Due to an issue with ++ * the old implementation, matchsets containing only the RSSI attribute ++ * (NL80211_SCHED_SCAN_MATCH_ATTR_RSSI) are considered as the 'default' ++ * RSSI for all matchsets, rather than their own matchset for reporting ++ * all APs with a strong RSSI. This is needed to be compatible with ++ * older userspace that treated a matchset with only the RSSI as the ++ * global RSSI for all other matchsets - if there are other matchsets. ++ */ ++ if (info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH]) { + nla_for_each_nested(attr, + info->attrs[NL80211_ATTR_SCHED_SCAN_MATCH], +- tmp) +- n_match_sets++; ++ tmp) { ++ struct nlattr *rssi; + -+config RTLWIFI_PCI -+ depends on m -+ tristate ++ err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX, ++ nla_data(attr), nla_len(attr), ++ nl80211_match_policy); ++ if (err) ++ return err; ++ /* add other standalone attributes here */ ++ if (tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID]) { ++ n_match_sets++; ++ continue; ++ } ++ rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI]; ++ if (rssi) ++ default_match_rssi = nla_get_s32(rssi); ++ } ++ } + -+config RTLWIFI_USB -+ depends on m -+ tristate ++ /* However, if there's no other matchset, add the RSSI one */ ++ if (!n_match_sets && default_match_rssi != NL80211_SCAN_RSSI_THOLD_OFF) ++ n_match_sets = 1; + + if (n_match_sets > wiphy->max_match_sets) + return -EINVAL; +@@ -5634,11 +5669,22 @@ static int nl80211_start_sched_scan(stru + tmp) { + struct nlattr *ssid, *rssi; + +- nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX, +- nla_data(attr), nla_len(attr), +- nl80211_match_policy); ++ err = nla_parse(tb, NL80211_SCHED_SCAN_MATCH_ATTR_MAX, ++ nla_data(attr), nla_len(attr), ++ nl80211_match_policy); ++ if (err) ++ goto out_free; + ssid = tb[NL80211_SCHED_SCAN_MATCH_ATTR_SSID]; + if (ssid) { ++ if (WARN_ON(i >= n_match_sets)) { ++ /* this indicates a programming error, ++ * the loop above should have verified ++ * things properly ++ */ ++ err = -EINVAL; ++ goto out_free; ++ } + -+config RTLWIFI_DEBUG -+ bool "Debugging output for rtlwifi driver family" -+ depends on RTLWIFI -+ default y -+ ---help--- -+ To use the module option that sets the dynamic-debugging level for, -+ the front-end driver, this parameter must be "Y". For memory-limited -+ systems, choose "N". If in doubt, choose "Y". + if (nla_len(ssid) > IEEE80211_MAX_SSID_LEN) { + err = -EINVAL; + goto out_free; +@@ -5647,15 +5693,28 @@ static int nl80211_start_sched_scan(stru + nla_data(ssid), nla_len(ssid)); + request->match_sets[i].ssid.ssid_len = + nla_len(ssid); ++ /* special attribute - old implemenation w/a */ ++ request->match_sets[i].rssi_thold = ++ default_match_rssi; ++ rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI]; ++ if (rssi) ++ request->match_sets[i].rssi_thold = ++ nla_get_s32(rssi); + } +- rssi = tb[NL80211_SCHED_SCAN_MATCH_ATTR_RSSI]; +- if (rssi) +- request->rssi_thold = nla_get_u32(rssi); +- else +- request->rssi_thold = +- NL80211_SCAN_RSSI_THOLD_OFF; + i++; + } + - config RTL8192C_COMMON - tristate - depends on m - depends on RTL8192CE || RTL8192CU - default m ++ /* there was no other matchset, so the RSSI one is alone */ ++ if (i == 0) ++ request->match_sets[0].rssi_thold = default_match_rssi; + -+endif ---- a/drivers/net/wireless/rtlwifi/Makefile -+++ b/drivers/net/wireless/rtlwifi/Makefile -@@ -12,13 +12,11 @@ rtlwifi-objs := \ - - rtl8192c_common-objs += \ - --ifneq ($(CONFIG_PCI),) --rtlwifi-objs += pci.o --endif -+obj-$(CPTCFG_RTLWIFI_PCI) += rtl_pci.o -+rtl_pci-objs := pci.o - --ifneq ($(CONFIG_USB),) --rtlwifi-objs += usb.o --endif -+obj-$(CPTCFG_RTLWIFI_USB) += rtl_usb.o -+rtl_usb-objs := usb.o - - obj-$(CPTCFG_RTL8192C_COMMON) += rtl8192c/ - obj-$(CPTCFG_RTL8192CE) += rtl8192ce/ ---- a/drivers/net/wireless/rtlwifi/base.c -+++ b/drivers/net/wireless/rtlwifi/base.c -@@ -173,6 +173,7 @@ u8 rtl_tid_to_ac(u8 tid) - { - return tid_to_ac[tid]; - } -+EXPORT_SYMBOL_GPL(rtl_tid_to_ac); ++ request->min_rssi_thold = INT_MAX; ++ for (i = 0; i < n_match_sets; i++) ++ request->min_rssi_thold = ++ min(request->match_sets[i].rssi_thold, ++ request->min_rssi_thold); ++ } else { ++ request->min_rssi_thold = NL80211_SCAN_RSSI_THOLD_OFF; + } - static void _rtl_init_hw_ht_capab(struct ieee80211_hw *hw, - struct ieee80211_sta_ht_cap *ht_cap) -@@ -407,6 +408,7 @@ void rtl_deinit_deferred_work(struct iee - cancel_delayed_work(&rtlpriv->works.ps_rfon_wq); - cancel_delayed_work(&rtlpriv->works.fwevt_wq); + if (info->attrs[NL80211_ATTR_IE]) { +@@ -7502,16 +7561,19 @@ static int nl80211_set_tx_bitrate_mask(s + * directly to the enum ieee80211_band values used in cfg80211. + */ + BUILD_BUG_ON(NL80211_MAX_SUPP_HT_RATES > IEEE80211_HT_MCS_MASK_LEN * 8); +- nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) +- { ++ nla_for_each_nested(tx_rates, info->attrs[NL80211_ATTR_TX_RATES], rem) { + enum ieee80211_band band = nla_type(tx_rates); ++ int err; ++ + if (band < 0 || band >= IEEE80211_NUM_BANDS) + return -EINVAL; + sband = rdev->wiphy.bands[band]; + if (sband == NULL) + return -EINVAL; +- nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates), +- nla_len(tx_rates), nl80211_txattr_policy); ++ err = nla_parse(tb, NL80211_TXRATE_MAX, nla_data(tx_rates), ++ nla_len(tx_rates), nl80211_txattr_policy); ++ if (err) ++ return err; + if (tb[NL80211_TXRATE_LEGACY]) { + mask.control[band].legacy = rateset_to_mask( + sband, +@@ -10054,40 +10116,31 @@ void nl80211_send_scan_start(struct cfg8 + NL80211_MCGRP_SCAN, GFP_KERNEL); } -+EXPORT_SYMBOL_GPL(rtl_deinit_deferred_work); - void rtl_init_rfkill(struct ieee80211_hw *hw) - { -@@ -440,6 +442,7 @@ void rtl_deinit_rfkill(struct ieee80211_ +-void nl80211_send_scan_done(struct cfg80211_registered_device *rdev, +- struct wireless_dev *wdev) ++struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev, ++ struct wireless_dev *wdev, bool aborted) { - wiphy_rfkill_stop_polling(hw->wiphy); - } -+EXPORT_SYMBOL_GPL(rtl_deinit_rfkill); + struct sk_buff *msg; - int rtl_init_core(struct ieee80211_hw *hw) - { -@@ -490,10 +493,12 @@ int rtl_init_core(struct ieee80211_hw *h + msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); + if (!msg) +- return; ++ return NULL; - return 0; - } -+EXPORT_SYMBOL_GPL(rtl_init_core); + if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0, +- NL80211_CMD_NEW_SCAN_RESULTS) < 0) { ++ aborted ? NL80211_CMD_SCAN_ABORTED : ++ NL80211_CMD_NEW_SCAN_RESULTS) < 0) { + nlmsg_free(msg); +- return; ++ return NULL; + } - void rtl_deinit_core(struct ieee80211_hw *hw) - { +- genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0, +- NL80211_MCGRP_SCAN, GFP_KERNEL); ++ return msg; } -+EXPORT_SYMBOL_GPL(rtl_deinit_core); - void rtl_init_rx_config(struct ieee80211_hw *hw) +-void nl80211_send_scan_aborted(struct cfg80211_registered_device *rdev, +- struct wireless_dev *wdev) ++void nl80211_send_scan_result(struct cfg80211_registered_device *rdev, ++ struct sk_buff *msg) { -@@ -502,6 +507,7 @@ void rtl_init_rx_config(struct ieee80211 - - rtlpriv->cfg->ops->get_hw_reg(hw, HW_VAR_RCR, (u8 *) (&mac->rx_conf)); - } -+EXPORT_SYMBOL_GPL(rtl_init_rx_config); - - /********************************************************* - * -@@ -880,6 +886,7 @@ bool rtl_tx_mgmt_proc(struct ieee80211_h - - return true; - } -+EXPORT_SYMBOL_GPL(rtl_tx_mgmt_proc); - - void rtl_get_tcb_desc(struct ieee80211_hw *hw, - struct ieee80211_tx_info *info, -@@ -1053,6 +1060,7 @@ bool rtl_action_proc(struct ieee80211_hw +- struct sk_buff *msg; +- +- msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); + if (!msg) + return; - return true; +- if (nl80211_send_scan_msg(msg, rdev, wdev, 0, 0, 0, +- NL80211_CMD_SCAN_ABORTED) < 0) { +- nlmsg_free(msg); +- return; +- } +- + genlmsg_multicast_netns(&nl80211_fam, wiphy_net(&rdev->wiphy), msg, 0, + NL80211_MCGRP_SCAN, GFP_KERNEL); } -+EXPORT_SYMBOL_GPL(rtl_action_proc); - - /*should call before software enc*/ - u8 rtl_is_special_data(struct ieee80211_hw *hw, struct sk_buff *skb, u8 is_tx) -@@ -1126,6 +1134,7 @@ u8 rtl_is_special_data(struct ieee80211_ - - return false; +@@ -11673,6 +11726,35 @@ void cfg80211_crit_proto_stopped(struct } -+EXPORT_SYMBOL_GPL(rtl_is_special_data); + EXPORT_SYMBOL(cfg80211_crit_proto_stopped); - /********************************************************* - * -@@ -1301,6 +1310,7 @@ void rtl_beacon_statistic(struct ieee802 ++void nl80211_send_ap_stopped(struct wireless_dev *wdev) ++{ ++ struct wiphy *wiphy = wdev->wiphy; ++ struct cfg80211_registered_device *rdev = wiphy_to_dev(wiphy); ++ struct sk_buff *msg; ++ void *hdr; ++ ++ msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); ++ if (!msg) ++ return; ++ ++ hdr = nl80211hdr_put(msg, 0, 0, 0, NL80211_CMD_STOP_AP); ++ if (!hdr) ++ goto out; ++ ++ if (nla_put_u32(msg, NL80211_ATTR_WIPHY, rdev->wiphy_idx) || ++ nla_put_u32(msg, NL80211_ATTR_IFINDEX, wdev->netdev->ifindex) || ++ nla_put_u64(msg, NL80211_ATTR_WDEV, wdev_id(wdev))) ++ goto out; ++ ++ genlmsg_end(msg, hdr); ++ ++ genlmsg_multicast_netns(&nl80211_fam, wiphy_net(wiphy), msg, 0, ++ NL80211_MCGRP_MLME, GFP_KERNEL); ++ return; ++ out: ++ nlmsg_free(msg); ++} ++ + /* initialisation/exit functions */ + + int nl80211_init(void) +--- a/net/wireless/nl80211.h ++++ b/net/wireless/nl80211.h +@@ -8,10 +8,10 @@ void nl80211_exit(void); + void nl80211_notify_dev_rename(struct cfg80211_registered_device *rdev); + void nl80211_send_scan_start(struct cfg80211_registered_device *rdev, + struct wireless_dev *wdev); +-void nl80211_send_scan_done(struct cfg80211_registered_device *rdev, +- struct wireless_dev *wdev); +-void nl80211_send_scan_aborted(struct cfg80211_registered_device *rdev, +- struct wireless_dev *wdev); ++struct sk_buff *nl80211_build_scan_msg(struct cfg80211_registered_device *rdev, ++ struct wireless_dev *wdev, bool aborted); ++void nl80211_send_scan_result(struct cfg80211_registered_device *rdev, ++ struct sk_buff *msg); + void nl80211_send_sched_scan(struct cfg80211_registered_device *rdev, + struct net_device *netdev, u32 cmd); + void nl80211_send_sched_scan_results(struct cfg80211_registered_device *rdev, +@@ -74,6 +74,8 @@ nl80211_radar_notify(struct cfg80211_reg + enum nl80211_radar_event event, + struct net_device *netdev, gfp_t gfp); + ++void nl80211_send_ap_stopped(struct wireless_dev *wdev); ++ + void cfg80211_rdev_free_coalesce(struct cfg80211_registered_device *rdev); - rtlpriv->link_info.bcn_rx_inperiod++; + #endif /* __NET_WIRELESS_NL80211_H */ +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -161,18 +161,25 @@ static void __cfg80211_bss_expire(struct + dev->bss_generation++; } -+EXPORT_SYMBOL_GPL(rtl_beacon_statistic); - void rtl_watchdog_wq_callback(void *data) +-void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev) ++void ___cfg80211_scan_done(struct cfg80211_registered_device *rdev, ++ bool send_message) { -@@ -1794,6 +1804,7 @@ void rtl_recognize_peer(struct ieee80211 + struct cfg80211_scan_request *request; + struct wireless_dev *wdev; ++ struct sk_buff *msg; + #ifdef CPTCFG_CFG80211_WEXT + union iwreq_data wrqu; + #endif - mac->vendor = vendor; - } -+EXPORT_SYMBOL_GPL(rtl_recognize_peer); + ASSERT_RTNL(); - /********************************************************* - * -@@ -1850,6 +1861,7 @@ struct attribute_group rtl_attribute_gro - .name = "rtlsysfs", - .attrs = rtl_sysfs_entries, - }; -+EXPORT_SYMBOL_GPL(rtl_attribute_group); - - MODULE_AUTHOR("lizhaoming "); - MODULE_AUTHOR("Realtek WlanFAE "); -@@ -1857,7 +1869,8 @@ MODULE_AUTHOR("Larry Finger scan_req; ++ if (rdev->scan_msg) { ++ nl80211_send_scan_result(rdev, rdev->scan_msg); ++ rdev->scan_msg = NULL; ++ return; ++ } --struct rtl_global_var global_var = {}; -+struct rtl_global_var rtl_global_var = {}; -+EXPORT_SYMBOL_GPL(rtl_global_var); ++ request = rdev->scan_req; + if (!request) + return; - static int __init rtl_core_module_init(void) - { -@@ -1865,8 +1878,8 @@ static int __init rtl_core_module_init(v - pr_err("Unable to register rtl_rc, use default RC !!\n"); +@@ -186,18 +193,16 @@ void ___cfg80211_scan_done(struct cfg802 + if (wdev->netdev) + cfg80211_sme_scan_done(wdev->netdev); + +- if (request->aborted) { +- nl80211_send_scan_aborted(rdev, wdev); +- } else { +- if (request->flags & NL80211_SCAN_FLAG_FLUSH) { +- /* flush entries from previous scans */ +- spin_lock_bh(&rdev->bss_lock); +- __cfg80211_bss_expire(rdev, request->scan_start); +- spin_unlock_bh(&rdev->bss_lock); +- } +- nl80211_send_scan_done(rdev, wdev); ++ if (!request->aborted && ++ request->flags & NL80211_SCAN_FLAG_FLUSH) { ++ /* flush entries from previous scans */ ++ spin_lock_bh(&rdev->bss_lock); ++ __cfg80211_bss_expire(rdev, request->scan_start); ++ spin_unlock_bh(&rdev->bss_lock); + } - /* init some global vars */ -- INIT_LIST_HEAD(&global_var.glb_priv_list); -- spin_lock_init(&global_var.glb_list_lock); -+ INIT_LIST_HEAD(&rtl_global_var.glb_priv_list); -+ spin_lock_init(&rtl_global_var.glb_list_lock); ++ msg = nl80211_build_scan_msg(rdev, wdev, request->aborted); ++ + #ifdef CPTCFG_CFG80211_WEXT + if (wdev->netdev && !request->aborted) { + memset(&wrqu, 0, sizeof(wrqu)); +@@ -211,6 +216,11 @@ void ___cfg80211_scan_done(struct cfg802 - return 0; + rdev->scan_req = NULL; + kfree(request); ++ ++ if (!send_message) ++ rdev->scan_msg = msg; ++ else ++ nl80211_send_scan_result(rdev, msg); } ---- a/drivers/net/wireless/rtlwifi/base.h -+++ b/drivers/net/wireless/rtlwifi/base.h -@@ -147,7 +147,7 @@ void rtl_recognize_peer(struct ieee80211 - u8 rtl_tid_to_ac(u8 tid); - extern struct attribute_group rtl_attribute_group; - void rtl_easy_concurrent_retrytimer_callback(unsigned long data); --extern struct rtl_global_var global_var; -+extern struct rtl_global_var rtl_global_var; - int rtlwifi_rate_mapping(struct ieee80211_hw *hw, - bool isht, u8 desc_rate, bool first_ampdu); - bool rtl_tx_mgmt_proc(struct ieee80211_hw *hw, struct sk_buff *skb); ---- a/drivers/net/wireless/rtlwifi/core.c -+++ b/drivers/net/wireless/rtlwifi/core.c -@@ -1330,3 +1330,4 @@ const struct ieee80211_ops rtl_ops = { - .rfkill_poll = rtl_op_rfkill_poll, - .flush = rtl_op_flush, - }; -+EXPORT_SYMBOL_GPL(rtl_ops); ---- a/drivers/net/wireless/rtlwifi/debug.c -+++ b/drivers/net/wireless/rtlwifi/debug.c -@@ -51,3 +51,4 @@ void rtl_dbgp_flag_init(struct ieee80211 - /*Init Debug flag enable condition */ - } -+EXPORT_SYMBOL_GPL(rtl_dbgp_flag_init); ---- a/drivers/net/wireless/rtlwifi/efuse.c -+++ b/drivers/net/wireless/rtlwifi/efuse.c -@@ -229,6 +229,7 @@ void read_efuse_byte(struct ieee80211_hw + void __cfg80211_scan_done(struct work_struct *wk) +@@ -221,7 +231,7 @@ void __cfg80211_scan_done(struct work_st + scan_done_wk); - *pbuf = (u8) (value32 & 0xff); + rtnl_lock(); +- ___cfg80211_scan_done(rdev); ++ ___cfg80211_scan_done(rdev, true); + rtnl_unlock(); } -+EXPORT_SYMBOL_GPL(read_efuse_byte); - void read_efuse(struct ieee80211_hw *hw, u16 _offset, u16 _size_byte, u8 *pbuf) - { ---- a/drivers/net/wireless/rtlwifi/pci.c -+++ b/drivers/net/wireless/rtlwifi/pci.c -@@ -35,6 +35,13 @@ - #include "efuse.h" - #include - #include -+#include -+ -+MODULE_AUTHOR("lizhaoming "); -+MODULE_AUTHOR("Realtek WlanFAE "); -+MODULE_AUTHOR("Larry Finger "); -+MODULE_LICENSE("GPL"); -+MODULE_DESCRIPTION("PCI basic driver for rtlwifi"); - - static const u16 pcibridge_vendors[PCI_BRIDGE_VENDOR_MAX] = { - PCI_VENDOR_ID_INTEL, -@@ -1899,7 +1906,7 @@ int rtl_pci_probe(struct pci_dev *pdev, - rtlpriv->rtlhal.interface = INTF_PCI; - rtlpriv->cfg = (struct rtl_hal_cfg *)(id->driver_data); - rtlpriv->intf_ops = &rtl_pci_ops; -- rtlpriv->glb_var = &global_var; -+ rtlpriv->glb_var = &rtl_global_var; +@@ -1079,7 +1089,7 @@ int cfg80211_wext_siwscan(struct net_dev + if (IS_ERR(rdev)) + return PTR_ERR(rdev); - /* - *init dbgp flags before all ---- a/drivers/net/wireless/rtlwifi/ps.c -+++ b/drivers/net/wireless/rtlwifi/ps.c -@@ -269,6 +269,7 @@ void rtl_ips_nic_on(struct ieee80211_hw +- if (rdev->scan_req) { ++ if (rdev->scan_req || rdev->scan_msg) { + err = -EBUSY; + goto out; + } +@@ -1481,7 +1491,7 @@ int cfg80211_wext_giwscan(struct net_dev + if (IS_ERR(rdev)) + return PTR_ERR(rdev); - spin_unlock_irqrestore(&rtlpriv->locks.ips_lock, flags); - } -+EXPORT_SYMBOL_GPL(rtl_ips_nic_on); +- if (rdev->scan_req) ++ if (rdev->scan_req || rdev->scan_msg) + return -EAGAIN; - /*for FW LPS*/ + res = ieee80211_scan_results(rdev, info, extra, data->length); +--- a/net/wireless/sme.c ++++ b/net/wireless/sme.c +@@ -67,7 +67,7 @@ static int cfg80211_conn_scan(struct wir + ASSERT_RDEV_LOCK(rdev); + ASSERT_WDEV_LOCK(wdev); -@@ -518,6 +519,7 @@ void rtl_swlps_beacon(struct ieee80211_h - "u_bufferd: %x, m_buffered: %x\n", u_buffed, m_buffed); - } - } -+EXPORT_SYMBOL_GPL(rtl_swlps_beacon); +- if (rdev->scan_req) ++ if (rdev->scan_req || rdev->scan_msg) + return -EBUSY; - void rtl_swlps_rf_awake(struct ieee80211_hw *hw) - { -@@ -922,3 +924,4 @@ void rtl_p2p_info(struct ieee80211_hw *h - else - rtl_p2p_noa_ie(hw, data, len - FCS_LEN); - } -+EXPORT_SYMBOL_GPL(rtl_p2p_info); ---- a/drivers/net/wireless/rtlwifi/usb.c -+++ b/drivers/net/wireless/rtlwifi/usb.c -@@ -32,6 +32,13 @@ - #include "ps.h" - #include "rtl8192c/fw_common.h" - #include -+#include -+ -+MODULE_AUTHOR("lizhaoming "); -+MODULE_AUTHOR("Realtek WlanFAE "); -+MODULE_AUTHOR("Larry Finger "); -+MODULE_LICENSE("GPL"); -+MODULE_DESCRIPTION("USB basic driver for rtlwifi"); - - #define REALTEK_USB_VENQT_READ 0xC0 - #define REALTEK_USB_VENQT_WRITE 0x40 + if (wdev->conn->params.channel)