Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 518314ff authored by David S. Miller's avatar David S. Miller
Browse files

Merge branch 'for-davem' of... 

Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless

 into wireless

John W. Linville says:

====================
Here are some more fixes intended for the 3.9 stream...

Regarding the mac80211 bits, Johannes says:

"I had changed the idle handling to simplify it, but broken the
sequencing of commands, at least for ath9k-htc, one patch restores the
sequence. The other patch fixes a crash Jouni found while stress-testing
the remain-on-channel code, when an item is deleted the work struct can
run twice and crash the second time."

As for the iwlwifi bits, Johannes says:

"The only fix here is to the passive-no-RX firmware regulatory
enforcement driver support code to not drop auth frames in quick
succession, leading to not being able to connect to APs on passive
channels in certain circumstances."

Don't forget the NFC bits, about which Samuel says:

"This time we have:

- A crash fix for when a DGRAM LLCP socket is listening while the NFC adapter
  is physically removed.
- A potential double skb free when the LLCP socket receive queue is full.
- A fix for properly handling multiple and consecutive LLCP connections, and
  not trash the socket ack log.
- A build failure for the MEI microread physical layer, now that the MEI bus
  APIs have been merged into char-misc-next."

On top of that, Stone Piao provides an mwifiex fix to avoid accessing
beyond the end of a buffer.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents da241efc 407ad2b7

drivers/net/wireless/iwlwifi/dvm/rxon.c

+8 −10
Original line number Diff line number Diff line
@@ -1419,6 +1419,14 @@ void iwlagn_bss_info_changed(struct ieee80211_hw *hw, 


	mutex_lock(&priv->mutex);



	if (changes & BSS_CHANGED_IDLE && bss_conf->idle) {

		/*

		 * If we go idle, then clearly no "passive-no-rx"

		 * workaround is needed any more, this is a reset.

		 */

		iwlagn_lift_passive_no_rx(priv);

	}



	if (unlikely(!iwl_is_ready(priv))) {

		IWL_DEBUG_MAC80211(priv, "leave - not ready\n");

		mutex_unlock(&priv->mutex);
@@ -1450,16 +1458,6 @@ void iwlagn_bss_info_changed(struct ieee80211_hw *hw, 
			priv->timestamp = bss_conf->sync_tsf;

			ctx->staging.filter_flags |= RXON_FILTER_ASSOC_MSK;

		} else {

			/*

			 * If we disassociate while there are pending

			 * frames, just wake up the queues and let the

			 * frames "escape" ... This shouldn't really

			 * be happening to start with, but we should

			 * not get stuck in this case either since it

			 * can happen if userspace gets confused.

			 */

			iwlagn_lift_passive_no_rx(priv);



			ctx->staging.filter_flags &= ~RXON_FILTER_ASSOC_MSK;



			if (ctx->ctxid == IWL_RXON_CTX_BSS)

drivers/net/wireless/iwlwifi/dvm/tx.c

+1 −1
Original line number Diff line number Diff line
@@ -1192,7 +1192,7 @@ int iwlagn_rx_reply_tx(struct iwl_priv *priv, struct iwl_rx_cmd_buffer *rxb, 
			memset(&info->status, 0, sizeof(info->status));



			if (status == TX_STATUS_FAIL_PASSIVE_NO_RX &&

			    iwl_is_associated_ctx(ctx) && ctx->vif &&

			    ctx->vif &&

			    ctx->vif->type == NL80211_IFTYPE_STATION) {

				/* block and stop all queues */

				priv->passive_no_rx = true;

drivers/net/wireless/mwifiex/cfg80211.c

+2 −1
Original line number Diff line number Diff line
@@ -1892,7 +1892,8 @@ mwifiex_cfg80211_scan(struct wiphy *wiphy, 
		}

	}



	for (i = 0; i < request->n_channels; i++) {

	for (i = 0; i < min_t(u32, request->n_channels,

			      MWIFIEX_USER_SCAN_CHAN_MAX); i++) {

		chan = request->channels[i];

		priv->user_scan_cfg->chan_list[i].chan_number = chan->hw_value;

		priv->user_scan_cfg->chan_list[i].radio_type = chan->band;

drivers/nfc/microread/mei.c

+17 −21
Original line number Diff line number Diff line
@@ -22,7 +22,7 @@ 
#include <linux/slab.h>

#include <linux/interrupt.h>

#include <linux/gpio.h>

#include <linux/mei_bus.h>

#include <linux/mei_cl_bus.h>



#include <linux/nfc.h>

#include <net/nfc/hci.h>
@@ -32,9 +32,6 @@ 


#define MICROREAD_DRIVER_NAME "microread"



#define MICROREAD_UUID UUID_LE(0x0bb17a78, 0x2a8e, 0x4c50, 0x94, \

			       0xd4, 0x50, 0x26, 0x67, 0x23, 0x77, 0x5c)



struct mei_nfc_hdr {

	u8 cmd;

	u8 status;
@@ -48,7 +45,7 @@ struct mei_nfc_hdr { 
#define MEI_NFC_MAX_READ (MEI_NFC_HEADER_SIZE + MEI_NFC_MAX_HCI_PAYLOAD)



struct microread_mei_phy {

	struct mei_device *mei_device;

	struct mei_cl_device *device;

	struct nfc_hci_dev *hdev;



	int powered;
@@ -105,14 +102,14 @@ static int microread_mei_write(void *phy_id, struct sk_buff *skb) 


	MEI_DUMP_SKB_OUT("mei frame sent", skb);



	r = mei_send(phy->device, skb->data, skb->len);

	r = mei_cl_send(phy->device, skb->data, skb->len);

	if (r > 0)

		r = 0;



	return r;

}



static void microread_event_cb(struct mei_device *device, u32 events,

static void microread_event_cb(struct mei_cl_device *device, u32 events,

			       void *context)

{

	struct microread_mei_phy *phy = context;
@@ -120,7 +117,7 @@ static void microread_event_cb(struct mei_device *device, u32 events, 
	if (phy->hard_fault != 0)

		return;



	if (events & BIT(MEI_EVENT_RX)) {

	if (events & BIT(MEI_CL_EVENT_RX)) {

		struct sk_buff *skb;

		int reply_size;
@@ -128,7 +125,7 @@ static void microread_event_cb(struct mei_device *device, u32 events, 
		if (!skb)

			return;



		reply_size = mei_recv(device, skb->data, MEI_NFC_MAX_READ);

		reply_size = mei_cl_recv(device, skb->data, MEI_NFC_MAX_READ);

		if (reply_size < MEI_NFC_HEADER_SIZE) {

			kfree(skb);

			return;
@@ -149,8 +146,8 @@ static struct nfc_phy_ops mei_phy_ops = { 
	.disable = microread_mei_disable,

};



static int microread_mei_probe(struct mei_device *device,

			       const struct mei_id *id)

static int microread_mei_probe(struct mei_cl_device *device,

			       const struct mei_cl_device_id *id)

{

	struct microread_mei_phy *phy;

	int r;
@@ -164,9 +161,9 @@ static int microread_mei_probe(struct mei_device *device, 
	}



	phy->device = device;

	mei_set_clientdata(device, phy);

	mei_cl_set_drvdata(device, phy);



	r = mei_register_event_cb(device, microread_event_cb, phy);

	r = mei_cl_register_event_cb(device, microread_event_cb, phy);

	if (r) {

		pr_err(MICROREAD_DRIVER_NAME ": event cb registration failed\n");

		goto err_out;
@@ -186,9 +183,9 @@ err_out: 
	return r;

}



static int microread_mei_remove(struct mei_device *device)

static int microread_mei_remove(struct mei_cl_device *device)

{

	struct microread_mei_phy *phy = mei_get_clientdata(device);

	struct microread_mei_phy *phy = mei_cl_get_drvdata(device);



	pr_info("Removing microread\n");
@@ -202,16 +199,15 @@ static int microread_mei_remove(struct mei_device *device) 
	return 0;

}



static struct mei_id microread_mei_tbl[] = {

	{ MICROREAD_DRIVER_NAME, MICROREAD_UUID },

static struct mei_cl_device_id microread_mei_tbl[] = {

	{ MICROREAD_DRIVER_NAME },



	/* required last entry */

	{ }

};



MODULE_DEVICE_TABLE(mei, microread_mei_tbl);



static struct mei_driver microread_driver = {

static struct mei_cl_driver microread_driver = {

	.id_table = microread_mei_tbl,

	.name = MICROREAD_DRIVER_NAME,
@@ -225,7 +221,7 @@ static int microread_mei_init(void) 


	pr_debug(DRIVER_DESC ": %s\n", __func__);



	r = mei_driver_register(&microread_driver);

	r = mei_cl_driver_register(&microread_driver);

	if (r) {

		pr_err(MICROREAD_DRIVER_NAME ": driver registration failed\n");

		return r;
@@ -236,7 +232,7 @@ static int microread_mei_init(void) 


static void microread_mei_exit(void)

{

	mei_driver_unregister(&microread_driver);

	mei_cl_driver_unregister(&microread_driver);

}



module_init(microread_mei_init);

net/mac80211/cfg.c

+4 −2
Original line number Diff line number Diff line
@@ -2582,7 +2582,7 @@ static int ieee80211_cancel_roc(struct ieee80211_local *local, 
			list_del(&dep->list);

			mutex_unlock(&local->mtx);



			ieee80211_roc_notify_destroy(dep);

			ieee80211_roc_notify_destroy(dep, true);

			return 0;

		}
@@ -2622,7 +2622,7 @@ static int ieee80211_cancel_roc(struct ieee80211_local *local, 
			ieee80211_start_next_roc(local);

		mutex_unlock(&local->mtx);



		ieee80211_roc_notify_destroy(found);

		ieee80211_roc_notify_destroy(found, true);

	} else {

		/* work may be pending so use it all the time */

		found->abort = true;
@@ -2632,6 +2632,8 @@ static int ieee80211_cancel_roc(struct ieee80211_local *local, 


		/* work will clean up etc */

		flush_delayed_work(&found->work);

		WARN_ON(!found->to_be_freed);

		kfree(found);

	}



	return 0;