From d66b14b6aabeb624f7f66ae9ebee6d0cdf907055 Mon Sep 17 00:00:00 2001
From: rmilecki <rmilecki@3c298f89-4303-0410-b956-a3cf2f4a3e73>
Date: Wed, 29 Jun 2016 18:06:01 +0000
Subject: [PATCH] mac80211: brcmfmac: fix lockup related to P2P interface
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Signed-off-by: RafaÅ MiÅecki <zajec5@gmail.com>

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@49391 3c298f89-4303-0410-b956-a3cf2f4a3e73
---
 ...ac-include-required-headers-in-cfg80211.h.patch |  37 +++++
 ...ightly-simplify-building-interface-combin.patch | 108 +++++++++++++++
 ...x-lockup-when-removing-P2P-interface-afte.patch | 154 +++++++++++++++++++++
 ...mfmac-register-wiphy-s-during-module_init.patch |   2 +-
 4 files changed, 300 insertions(+), 1 deletion(-)
 create mode 100644 package/kernel/mac80211/patches/352-brcmfmac-include-required-headers-in-cfg80211.h.patch
 create mode 100644 package/kernel/mac80211/patches/353-brcmfmac-slightly-simplify-building-interface-combin.patch
 create mode 100644 package/kernel/mac80211/patches/354-brcmfmac-fix-lockup-when-removing-P2P-interface-afte.patch

diff --git a/package/kernel/mac80211/patches/352-brcmfmac-include-required-headers-in-cfg80211.h.patch b/package/kernel/mac80211/patches/352-brcmfmac-include-required-headers-in-cfg80211.h.patch
new file mode 100644
index 0000000000..bfcab292c6
--- /dev/null
+++ b/package/kernel/mac80211/patches/352-brcmfmac-include-required-headers-in-cfg80211.h.patch
@@ -0,0 +1,37 @@
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>
+Date: Tue, 7 Jun 2016 08:20:21 +0200
+Subject: [PATCH] brcmfmac: include required headers in cfg80211.h
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Without this including cfg80211.h in a wrong order could result in:
+
+drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h:122:24: error: array type has incomplete element type
+  struct brcmf_wsec_key key[BRCMF_MAX_DEFAULT_KEYS];
+                        ^
+drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h:291:24: error: field âp2pâ has incomplete type
+  struct brcmf_p2p_info p2p;
+                        ^
+drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h:297:27: error: field âpmk_listâ has incomplete type
+  struct brcmf_pmk_list_le pmk_list;
+                           ^
+drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h:317:28: error: field âassoclistâ has incomplete type
+  struct brcmf_assoclist_le assoclist;
+
+Signed-off-by: RafaÅ MiÅecki <zajec5@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.h
+@@ -20,6 +20,9 @@
+ /* for brcmu_d11inf */
+ #include <brcmu_d11.h>
+ 
++#include "fwil_types.h"
++#include "p2p.h"
++
+ #define WL_NUM_SCAN_MAX			10
+ #define WL_TLV_INFO_MAX			1024
+ #define WL_BSS_INFO_MAX			2048
diff --git a/package/kernel/mac80211/patches/353-brcmfmac-slightly-simplify-building-interface-combin.patch b/package/kernel/mac80211/patches/353-brcmfmac-slightly-simplify-building-interface-combin.patch
new file mode 100644
index 0000000000..8bf6d1be3a
--- /dev/null
+++ b/package/kernel/mac80211/patches/353-brcmfmac-slightly-simplify-building-interface-combin.patch
@@ -0,0 +1,108 @@
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>
+Date: Tue, 7 Jun 2016 21:10:18 +0200
+Subject: [PATCH] brcmfmac: slightly simplify building interface combinations
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+This change reorders some operations in brcmf_setup_ifmodes in hope to
+make it simpler:
+1) It allocates arrays right before filling them. This way it's easier
+   to follow requested array length as it's immediately followed by
+   code filling it. It's easier to check e.g. why we need 4 entries for
+   P2P. Other than that it deduplicates some checks (e.g. for P2P).
+2) It reorders code to first prepare limits and then define a new combo.
+   Previously this was mixed (e.g. we were setting num of channels
+   before preparing limits).
+3) It modifies mbss code to use i variable just like other combos do.
+
+Signed-off-by: RafaÅ MiÅecki <zajec5@gmail.com>
+Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -6224,29 +6224,15 @@ static int brcmf_setup_ifmodes(struct wi
+ 	if (!combo)
+ 		goto err;
+ 
+-	c0_limits = kcalloc(p2p ? 3 : 2, sizeof(*c0_limits), GFP_KERNEL);
+-	if (!c0_limits)
+-		goto err;
+-
+-	if (p2p) {
+-		p2p_limits = kcalloc(4, sizeof(*p2p_limits), GFP_KERNEL);
+-		if (!p2p_limits)
+-			goto err;
+-	}
+-
+-	if (mbss) {
+-		mbss_limits = kcalloc(1, sizeof(*mbss_limits), GFP_KERNEL);
+-		if (!mbss_limits)
+-			goto err;
+-	}
+-
+ 	wiphy->interface_modes = BIT(NL80211_IFTYPE_STATION) |
+ 				 BIT(NL80211_IFTYPE_ADHOC) |
+ 				 BIT(NL80211_IFTYPE_AP);
+ 
+ 	c = 0;
+ 	i = 0;
+-	combo[c].num_different_channels = 1;
++	c0_limits = kcalloc(p2p ? 3 : 2, sizeof(*c0_limits), GFP_KERNEL);
++	if (!c0_limits)
++		goto err;
+ 	c0_limits[i].max = 1;
+ 	c0_limits[i++].types = BIT(NL80211_IFTYPE_STATION);
+ 	if (p2p) {
+@@ -6264,6 +6250,7 @@ static int brcmf_setup_ifmodes(struct wi
+ 		c0_limits[i].max = 1;
+ 		c0_limits[i++].types = BIT(NL80211_IFTYPE_AP);
+ 	}
++	combo[c].num_different_channels = 1;
+ 	combo[c].max_interfaces = i;
+ 	combo[c].n_limits = i;
+ 	combo[c].limits = c0_limits;
+@@ -6271,7 +6258,9 @@ static int brcmf_setup_ifmodes(struct wi
+ 	if (p2p) {
+ 		c++;
+ 		i = 0;
+-		combo[c].num_different_channels = 1;
++		p2p_limits = kcalloc(4, sizeof(*p2p_limits), GFP_KERNEL);
++		if (!p2p_limits)
++			goto err;
+ 		p2p_limits[i].max = 1;
+ 		p2p_limits[i++].types = BIT(NL80211_IFTYPE_STATION);
+ 		p2p_limits[i].max = 1;
+@@ -6280,6 +6269,7 @@ static int brcmf_setup_ifmodes(struct wi
+ 		p2p_limits[i++].types = BIT(NL80211_IFTYPE_P2P_CLIENT);
+ 		p2p_limits[i].max = 1;
+ 		p2p_limits[i++].types = BIT(NL80211_IFTYPE_P2P_DEVICE);
++		combo[c].num_different_channels = 1;
+ 		combo[c].max_interfaces = i;
+ 		combo[c].n_limits = i;
+ 		combo[c].limits = p2p_limits;
+@@ -6287,14 +6277,19 @@ static int brcmf_setup_ifmodes(struct wi
+ 
+ 	if (mbss) {
+ 		c++;
++		i = 0;
++		mbss_limits = kcalloc(1, sizeof(*mbss_limits), GFP_KERNEL);
++		if (!mbss_limits)
++			goto err;
++		mbss_limits[i].max = 4;
++		mbss_limits[i++].types = BIT(NL80211_IFTYPE_AP);
+ 		combo[c].beacon_int_infra_match = true;
+ 		combo[c].num_different_channels = 1;
+-		mbss_limits[0].max = 4;
+-		mbss_limits[0].types = BIT(NL80211_IFTYPE_AP);
+ 		combo[c].max_interfaces = 4;
+-		combo[c].n_limits = 1;
++		combo[c].n_limits = i;
+ 		combo[c].limits = mbss_limits;
+ 	}
++
+ 	wiphy->n_iface_combinations = n_combos;
+ 	wiphy->iface_combinations = combo;
+ 	return 0;
diff --git a/package/kernel/mac80211/patches/354-brcmfmac-fix-lockup-when-removing-P2P-interface-afte.patch b/package/kernel/mac80211/patches/354-brcmfmac-fix-lockup-when-removing-P2P-interface-afte.patch
new file mode 100644
index 0000000000..894dbd8eef
--- /dev/null
+++ b/package/kernel/mac80211/patches/354-brcmfmac-fix-lockup-when-removing-P2P-interface-afte.patch
@@ -0,0 +1,154 @@
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com>
+Date: Fri, 17 Jun 2016 12:29:21 +0200
+Subject: [PATCH] brcmfmac: fix lockup when removing P2P interface after event
+ timeout
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Removing P2P interface is handled by sending a proper request to the
+firmware. On success firmware triggers an event and driver's handler
+removes a matching interface.
+
+However on event timeout we remove interface directly from the cfg80211
+callback. Current code doesn't handle this case correctly as it always
+assumes rtnl to be unlocked.
+
+Fix it by adding an extra rtnl_locked parameter to functions and calling
+unregister_netdevice when needed.
+
+Signed-off-by: RafaÅ MiÅecki <zajec5@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+@@ -548,12 +548,16 @@ fail:
+ 	return -EBADE;
+ }
+ 
+-static void brcmf_net_detach(struct net_device *ndev)
++static void brcmf_net_detach(struct net_device *ndev, bool rtnl_locked)
+ {
+-	if (ndev->reg_state == NETREG_REGISTERED)
+-		unregister_netdev(ndev);
+-	else
++	if (ndev->reg_state == NETREG_REGISTERED) {
++		if (rtnl_locked)
++			unregister_netdevice(ndev);
++		else
++			unregister_netdev(ndev);
++	} else {
+ 		brcmf_cfg80211_free_netdev(ndev);
++	}
+ }
+ 
+ void brcmf_net_setcarrier(struct brcmf_if *ifp, bool on)
+@@ -651,7 +655,7 @@ struct brcmf_if *brcmf_add_if(struct brc
+ 			brcmf_err("ERROR: netdev:%s already exists\n",
+ 				  ifp->ndev->name);
+ 			netif_stop_queue(ifp->ndev);
+-			brcmf_net_detach(ifp->ndev);
++			brcmf_net_detach(ifp->ndev, false);
+ 			drvr->iflist[bsscfgidx] = NULL;
+ 		} else {
+ 			brcmf_dbg(INFO, "netdev:%s ignore IF event\n",
+@@ -699,7 +703,8 @@ struct brcmf_if *brcmf_add_if(struct brc
+ 	return ifp;
+ }
+ 
+-static void brcmf_del_if(struct brcmf_pub *drvr, s32 bsscfgidx)
++static void brcmf_del_if(struct brcmf_pub *drvr, s32 bsscfgidx,
++			 bool rtnl_locked)
+ {
+ 	struct brcmf_if *ifp;
+ 
+@@ -729,7 +734,7 @@ static void brcmf_del_if(struct brcmf_pu
+ 			cancel_work_sync(&ifp->multicast_work);
+ 			cancel_work_sync(&ifp->ndoffload_work);
+ 		}
+-		brcmf_net_detach(ifp->ndev);
++		brcmf_net_detach(ifp->ndev, rtnl_locked);
+ 	} else {
+ 		/* Only p2p device interfaces which get dynamically created
+ 		 * end up here. In this case the p2p module should be informed
+@@ -743,14 +748,14 @@ static void brcmf_del_if(struct brcmf_pu
+ 	}
+ }
+ 
+-void brcmf_remove_interface(struct brcmf_if *ifp)
++void brcmf_remove_interface(struct brcmf_if *ifp, bool rtnl_locked)
+ {
+ 	if (!ifp || WARN_ON(ifp->drvr->iflist[ifp->bsscfgidx] != ifp))
+ 		return;
+ 	brcmf_dbg(TRACE, "Enter, bsscfgidx=%d, ifidx=%d\n", ifp->bsscfgidx,
+ 		  ifp->ifidx);
+ 	brcmf_fws_del_interface(ifp);
+-	brcmf_del_if(ifp->drvr, ifp->bsscfgidx);
++	brcmf_del_if(ifp->drvr, ifp->bsscfgidx, rtnl_locked);
+ }
+ 
+ #ifdef CONFIG_INET
+@@ -1057,9 +1062,9 @@ fail:
+ 		brcmf_fws_deinit(drvr);
+ 	}
+ 	if (ifp)
+-		brcmf_net_detach(ifp->ndev);
++		brcmf_net_detach(ifp->ndev, false);
+ 	if (p2p_ifp)
+-		brcmf_net_detach(p2p_ifp->ndev);
++		brcmf_net_detach(p2p_ifp->ndev, false);
+ 	drvr->iflist[0] = NULL;
+ 	drvr->iflist[1] = NULL;
+ 	if (drvr->settings->ignore_probe_fail)
+@@ -1128,7 +1133,7 @@ void brcmf_detach(struct device *dev)
+ 
+ 	/* make sure primary interface removed last */
+ 	for (i = BRCMF_MAX_IFS-1; i > -1; i--)
+-		brcmf_remove_interface(drvr->iflist[i]);
++		brcmf_remove_interface(drvr->iflist[i], false);
+ 
+ 	brcmf_cfg80211_detach(drvr->config);
+ 
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.h
+@@ -216,7 +216,7 @@ struct brcmf_if *brcmf_get_ifp(struct br
+ int brcmf_net_attach(struct brcmf_if *ifp, bool rtnl_locked);
+ struct brcmf_if *brcmf_add_if(struct brcmf_pub *drvr, s32 bsscfgidx, s32 ifidx,
+ 			      bool is_p2pdev, char *name, u8 *mac_addr);
+-void brcmf_remove_interface(struct brcmf_if *ifp);
++void brcmf_remove_interface(struct brcmf_if *ifp, bool rtnl_locked);
+ void brcmf_txflowblock_if(struct brcmf_if *ifp,
+ 			  enum brcmf_netif_stop_reason reason, bool state);
+ void brcmf_txfinalize(struct brcmf_if *ifp, struct sk_buff *txp, bool success);
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+@@ -183,7 +183,7 @@ static void brcmf_fweh_handle_if_event(s
+ 	err = brcmf_fweh_call_event_handler(ifp, emsg->event_code, emsg, data);
+ 
+ 	if (ifp && ifevent->action == BRCMF_E_IF_DEL)
+-		brcmf_remove_interface(ifp);
++		brcmf_remove_interface(ifp, false);
+ }
+ 
+ /**
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
+@@ -2289,7 +2289,7 @@ int brcmf_p2p_del_vif(struct wiphy *wiph
+ 			err = 0;
+ 	}
+ 	if (err)
+-		brcmf_remove_interface(vif->ifp);
++		brcmf_remove_interface(vif->ifp, true);
+ 
+ 	brcmf_cfg80211_arm_vif_event(cfg, NULL);
+ 	if (vif->wdev.iftype != NL80211_IFTYPE_P2P_DEVICE)
+@@ -2395,7 +2395,7 @@ void brcmf_p2p_detach(struct brcmf_p2p_i
+ 	if (vif != NULL) {
+ 		brcmf_p2p_cancel_remain_on_channel(vif->ifp);
+ 		brcmf_p2p_deinit_discovery(p2p);
+-		brcmf_remove_interface(vif->ifp);
++		brcmf_remove_interface(vif->ifp, false);
+ 	}
+ 	/* just set it all to zero */
+ 	memset(p2p, 0, sizeof(*p2p));
diff --git a/package/kernel/mac80211/patches/861-brcmfmac-register-wiphy-s-during-module_init.patch b/package/kernel/mac80211/patches/861-brcmfmac-register-wiphy-s-during-module_init.patch
index 0bfaae6a1b..ae571c99ab 100644
--- a/package/kernel/mac80211/patches/861-brcmfmac-register-wiphy-s-during-module_init.patch
+++ b/package/kernel/mac80211/patches/861-brcmfmac-register-wiphy-s-during-module_init.patch
@@ -13,7 +13,7 @@ Signed-off-by: RafaÅ MiÅecki <zajec5@gmail.com>
 
 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-@@ -1208,6 +1208,7 @@ int __init brcmf_core_init(void)
+@@ -1213,6 +1213,7 @@ int __init brcmf_core_init(void)
  {
  	if (!schedule_work(&brcmf_driver_work))
  		return -EBUSY;
-- 
2.11.0