--- /dev/null
+From b8fff407a180286aa683d543d878d98d9fc57b13 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Mon, 3 Nov 2014 13:57:46 +0100
+Subject: mac80211: fix use-after-free in defragmentation
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit b8fff407a180286aa683d543d878d98d9fc57b13 upstream.
+
+Upon receiving the last fragment, all but the first fragment
+are freed, but the multicast check for statistics at the end
+of the function refers to the current skb (the last fragment)
+causing a use-after-free bug.
+
+Since multicast frames cannot be fragmented and we check for
+this early in the function, just modify that check to also
+do the accounting to fix the issue.
+
+Reported-by: Yosef Khyal <yosefx.khyal@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/rx.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -1679,11 +1679,14 @@ ieee80211_rx_h_defragment(struct ieee802
+ sc = le16_to_cpu(hdr->seq_ctrl);
+ frag = sc & IEEE80211_SCTL_FRAG;
+
+- if (likely((!ieee80211_has_morefrags(fc) && frag == 0) ||
+- is_multicast_ether_addr(hdr->addr1))) {
+- /* not fragmented */
++ if (likely(!ieee80211_has_morefrags(fc) && frag == 0))
++ goto out;
++
++ if (is_multicast_ether_addr(hdr->addr1)) {
++ rx->local->dot11MulticastReceivedFrameCount++;
+ goto out;
+ }
++
+ I802_DEBUG_INC(rx->local->rx_handlers_fragments);
+
+ if (skb_linearize(rx->skb))
+@@ -1776,10 +1779,7 @@ ieee80211_rx_h_defragment(struct ieee802
+ out:
+ if (rx->sta)
+ rx->sta->rx_packets++;
+- if (is_multicast_ether_addr(hdr->addr1))
+- rx->local->dot11MulticastReceivedFrameCount++;
+- else
+- ieee80211_led_rx(rx->local);
++ ieee80211_led_rx(rx->local);
+ return RX_CONTINUE;
+ }
+
--- /dev/null
+From 46238845bd609a5c0fbe076e1b82b4c5b33360b2 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes@sipsolutions.net>
+Date: Tue, 21 Oct 2014 20:56:42 +0200
+Subject: mac80211: properly flush delayed scan work on interface removal
+
+From: Johannes Berg <johannes@sipsolutions.net>
+
+commit 46238845bd609a5c0fbe076e1b82b4c5b33360b2 upstream.
+
+When an interface is deleted, an ongoing hardware scan is canceled and
+the driver must abort the scan, at the very least reporting completion
+while the interface is removed.
+
+However, if it scheduled the work that might only run after everything
+is said and done, which leads to cfg80211 warning that the scan isn't
+reported as finished yet; this is no fault of the driver, it already
+did, but mac80211 hasn't processed it.
+
+To fix this situation, flush the delayed work when the interface being
+removed is the one that was executing the scan.
+
+Reported-by: Sujith Manoharan <sujith@msujith.org>
+Tested-by: Sujith Manoharan <sujith@msujith.org>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/iface.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -760,10 +760,12 @@ static void ieee80211_do_stop(struct iee
+ int i, flushed;
+ struct ps_data *ps;
+ struct cfg80211_chan_def chandef;
++ bool cancel_scan;
+
+ clear_bit(SDATA_STATE_RUNNING, &sdata->state);
+
+- if (rcu_access_pointer(local->scan_sdata) == sdata)
++ cancel_scan = rcu_access_pointer(local->scan_sdata) == sdata;
++ if (cancel_scan)
+ ieee80211_scan_cancel(local);
+
+ /*
+@@ -973,6 +975,9 @@ static void ieee80211_do_stop(struct iee
+
+ ieee80211_recalc_ps(local, -1);
+
++ if (cancel_scan)
++ flush_delayed_work(&local->scan_work);
++
+ if (local->open_count == 0) {
+ ieee80211_stop_device(local);
+
--- /dev/null
+From ff1e417c7c239b7abfe70aa90460a77eaafc7f83 Mon Sep 17 00:00:00 2001
+From: Luciano Coelho <luciano.coelho@intel.com>
+Date: Tue, 28 Oct 2014 13:33:05 +0200
+Subject: mac80211: schedule the actual switch of the station before CSA count 0
+
+From: Luciano Coelho <luciano.coelho@intel.com>
+
+commit ff1e417c7c239b7abfe70aa90460a77eaafc7f83 upstream.
+
+Due to the time it takes to process the beacon that started the CSA
+process, we may be late for the switch if we try to reach exactly
+beacon 0. To avoid that, use count - 1 when calculating the switch time.
+
+Reported-by: Jouni Malinen <j@w1.fi>
+Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/mlme.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1086,7 +1086,8 @@ ieee80211_sta_process_chanswitch(struct
+ ieee80211_queue_work(&local->hw, &ifmgd->chswitch_work);
+ else
+ mod_timer(&ifmgd->chswitch_timer,
+- TU_TO_EXP_TIME(csa_ie.count * cbss->beacon_interval));
++ TU_TO_EXP_TIME((csa_ie.count - 1) *
++ cbss->beacon_interval));
+ }
+
+ static u32 ieee80211_handle_pwr_constr(struct ieee80211_sub_if_data *sdata,
--- /dev/null
+From 84469a45a1bedec9918e94ab2f78c5dc0739e4a7 Mon Sep 17 00:00:00 2001
+From: Luciano Coelho <luciano.coelho@intel.com>
+Date: Tue, 28 Oct 2014 13:33:04 +0200
+Subject: mac80211: use secondary channel offset IE also beacons during CSA
+
+From: Luciano Coelho <luciano.coelho@intel.com>
+
+commit 84469a45a1bedec9918e94ab2f78c5dc0739e4a7 upstream.
+
+If we are switching from an HT40+ to an HT40- channel (or vice-versa),
+we need the secondary channel offset IE to specify what is the
+post-CSA offset to be used. This applies both to beacons and to probe
+responses.
+
+In ieee80211_parse_ch_switch_ie() we were ignoring this IE from
+beacons and using the *current* HT information IE instead. This was
+causing us to use the same offset as before the switch.
+
+Fix that by using the secondary channel offset IE also for beacons and
+don't ever use the pre-switch offset. Additionally, remove the
+"beacon" argument from ieee80211_parse_ch_switch_ie(), since it's not
+needed anymore.
+
+Reported-by: Jouni Malinen <j@w1.fi>
+Signed-off-by: Luciano Coelho <luciano.coelho@intel.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/ibss.c | 2 +-
+ net/mac80211/ieee80211_i.h | 3 +--
+ net/mac80211/mesh.c | 2 +-
+ net/mac80211/mlme.c | 2 +-
+ net/mac80211/spectmgmt.c | 18 ++++++------------
+ 5 files changed, 10 insertions(+), 17 deletions(-)
+
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -815,7 +815,7 @@ ieee80211_ibss_process_chanswitch(struct
+
+ memset(¶ms, 0, sizeof(params));
+ memset(&csa_ie, 0, sizeof(csa_ie));
+- err = ieee80211_parse_ch_switch_ie(sdata, elems, beacon,
++ err = ieee80211_parse_ch_switch_ie(sdata, elems,
+ ifibss->chandef.chan->band,
+ sta_flags, ifibss->bssid, &csa_ie);
+ /* can't switch to destination channel, fail */
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -1569,7 +1569,6 @@ void ieee80211_process_measurement_req(s
+ * ieee80211_parse_ch_switch_ie - parses channel switch IEs
+ * @sdata: the sdata of the interface which has received the frame
+ * @elems: parsed 802.11 elements received with the frame
+- * @beacon: indicates if the frame was a beacon or probe response
+ * @current_band: indicates the current band
+ * @sta_flags: contains information about own capabilities and restrictions
+ * to decide which channel switch announcements can be accepted. Only the
+@@ -1583,7 +1582,7 @@ void ieee80211_process_measurement_req(s
+ * Return: 0 on success, <0 on error and >0 if there is nothing to parse.
+ */
+ int ieee80211_parse_ch_switch_ie(struct ieee80211_sub_if_data *sdata,
+- struct ieee802_11_elems *elems, bool beacon,
++ struct ieee802_11_elems *elems,
+ enum ieee80211_band current_band,
+ u32 sta_flags, u8 *bssid,
+ struct ieee80211_csa_ie *csa_ie);
+--- a/net/mac80211/mesh.c
++++ b/net/mac80211/mesh.c
+@@ -885,7 +885,7 @@ ieee80211_mesh_process_chnswitch(struct
+
+ memset(¶ms, 0, sizeof(params));
+ memset(&csa_ie, 0, sizeof(csa_ie));
+- err = ieee80211_parse_ch_switch_ie(sdata, elems, beacon, band,
++ err = ieee80211_parse_ch_switch_ie(sdata, elems, band,
+ sta_flags, sdata->vif.addr,
+ &csa_ie);
+ if (err < 0)
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1001,7 +1001,7 @@ ieee80211_sta_process_chanswitch(struct
+
+ current_band = cbss->channel->band;
+ memset(&csa_ie, 0, sizeof(csa_ie));
+- res = ieee80211_parse_ch_switch_ie(sdata, elems, beacon, current_band,
++ res = ieee80211_parse_ch_switch_ie(sdata, elems, current_band,
+ ifmgd->flags,
+ ifmgd->associated->bssid, &csa_ie);
+ if (res < 0)
+--- a/net/mac80211/spectmgmt.c
++++ b/net/mac80211/spectmgmt.c
+@@ -22,7 +22,7 @@
+ #include "wme.h"
+
+ int ieee80211_parse_ch_switch_ie(struct ieee80211_sub_if_data *sdata,
+- struct ieee802_11_elems *elems, bool beacon,
++ struct ieee802_11_elems *elems,
+ enum ieee80211_band current_band,
+ u32 sta_flags, u8 *bssid,
+ struct ieee80211_csa_ie *csa_ie)
+@@ -91,19 +91,13 @@ int ieee80211_parse_ch_switch_ie(struct
+ return -EINVAL;
+ }
+
+- if (!beacon && sec_chan_offs) {
++ if (sec_chan_offs) {
+ secondary_channel_offset = sec_chan_offs->sec_chan_offs;
+- } else if (beacon && ht_oper) {
+- secondary_channel_offset =
+- ht_oper->ht_param & IEEE80211_HT_PARAM_CHA_SEC_OFFSET;
+ } else if (!(sta_flags & IEEE80211_STA_DISABLE_HT)) {
+- /* If it's not a beacon, HT is enabled and the IE not present,
+- * it's 20 MHz, 802.11-2012 8.5.2.6:
+- * This element [the Secondary Channel Offset Element] is
+- * present when switching to a 40 MHz channel. It may be
+- * present when switching to a 20 MHz channel (in which
+- * case the secondary channel offset is set to SCN).
+- */
++ /* If the secondary channel offset IE is not present,
++ * we can't know what's the post-CSA offset, so the
++ * best we can do is use 20MHz.
++ */
+ secondary_channel_offset = IEEE80211_HT_PARAM_CHA_SEC_NONE;
+ }
+
--- /dev/null
+From 805dbe17d1c832ad341f14fae8cedf41b67ca6fa Mon Sep 17 00:00:00 2001
+From: Junjie Mao <eternal.n08@gmail.com>
+Date: Tue, 28 Oct 2014 09:31:47 +0800
+Subject: mac80211_hwsim: release driver when ieee80211_register_hw fails
+
+From: Junjie Mao <eternal.n08@gmail.com>
+
+commit 805dbe17d1c832ad341f14fae8cedf41b67ca6fa upstream.
+
+The driver is not released when ieee80211_register_hw fails in
+mac80211_hwsim_create_radio, leading to the access to the unregistered (and
+possibly freed) device in platform_driver_unregister:
+
+[ 0.447547] mac80211_hwsim: ieee80211_register_hw failed (-2)
+[ 0.448292] ------------[ cut here ]------------
+[ 0.448854] WARNING: CPU: 0 PID: 1 at ../include/linux/kref.h:47 kobject_get+0x33/0x50()
+[ 0.449839] CPU: 0 PID: 1 Comm: swapper Not tainted 3.17.0-00001-gdd46990-dirty #2
+[ 0.450813] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+[ 0.451512] 00000000 00000000 78025e38 7967c6c6 78025e68 7905e09b 7988b480 00000000
+[ 0.452579] 00000001 79887d62 0000002f 79170bb3 79170bb3 78397008 79ac9d74 00000001
+[ 0.453614] 78025e78 7905e15d 00000009 00000000 78025e84 79170bb3 78397000 78025e8c
+[ 0.454632] Call Trace:
+[ 0.454921] [<7967c6c6>] dump_stack+0x16/0x18
+[ 0.455453] [<7905e09b>] warn_slowpath_common+0x6b/0x90
+[ 0.456067] [<79170bb3>] ? kobject_get+0x33/0x50
+[ 0.456612] [<79170bb3>] ? kobject_get+0x33/0x50
+[ 0.457155] [<7905e15d>] warn_slowpath_null+0x1d/0x20
+[ 0.457748] [<79170bb3>] kobject_get+0x33/0x50
+[ 0.458274] [<7925824f>] get_device+0xf/0x20
+[ 0.458779] [<7925b5cd>] driver_detach+0x3d/0xa0
+[ 0.459331] [<7925a3ff>] bus_remove_driver+0x8f/0xb0
+[ 0.459927] [<7925bf80>] ? class_unregister+0x40/0x80
+[ 0.460660] [<7925bad7>] driver_unregister+0x47/0x50
+[ 0.461248] [<7925c033>] ? class_destroy+0x13/0x20
+[ 0.461824] [<7925d07b>] platform_driver_unregister+0xb/0x10
+[ 0.462507] [<79b51ba0>] init_mac80211_hwsim+0x3e8/0x3f9
+[ 0.463161] [<79b30c58>] do_one_initcall+0x106/0x1a9
+[ 0.463758] [<79b517b8>] ? if_spi_init_module+0xac/0xac
+[ 0.464393] [<79b517b8>] ? if_spi_init_module+0xac/0xac
+[ 0.465001] [<79071935>] ? parse_args+0x2f5/0x480
+[ 0.465569] [<7906b41e>] ? __usermodehelper_set_disable_depth+0x3e/0x50
+[ 0.466345] [<79b30dd9>] kernel_init_freeable+0xde/0x17d
+[ 0.466972] [<79b304d6>] ? do_early_param+0x7a/0x7a
+[ 0.467546] [<79677b1b>] kernel_init+0xb/0xe0
+[ 0.468072] [<79075f42>] ? schedule_tail+0x12/0x40
+[ 0.468658] [<79686580>] ret_from_kernel_thread+0x20/0x30
+[ 0.469303] [<79677b10>] ? rest_init+0xc0/0xc0
+[ 0.469829] ---[ end trace ad8ac403ff8aef5c ]---
+[ 0.470509] ------------[ cut here ]------------
+[ 0.471047] WARNING: CPU: 0 PID: 1 at ../kernel/locking/lockdep.c:3161 __lock_acquire.isra.22+0x7aa/0xb00()
+[ 0.472163] DEBUG_LOCKS_WARN_ON(id >= MAX_LOCKDEP_KEYS)
+[ 0.472774] CPU: 0 PID: 1 Comm: swapper Tainted: G W 3.17.0-00001-gdd46990-dirty #2
+[ 0.473815] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+[ 0.474492] 78025de0 78025de0 78025da0 7967c6c6 78025dd0 7905e09b 79888931 78025dfc
+[ 0.475515] 00000001 79888a93 00000c59 7907f33a 7907f33a 78028000 fffe9d09 00000000
+[ 0.476519] 78025de8 7905e10e 00000009 78025de0 79888931 78025dfc 78025e24 7907f33a
+[ 0.477523] Call Trace:
+[ 0.477821] [<7967c6c6>] dump_stack+0x16/0x18
+[ 0.478352] [<7905e09b>] warn_slowpath_common+0x6b/0x90
+[ 0.478976] [<7907f33a>] ? __lock_acquire.isra.22+0x7aa/0xb00
+[ 0.479658] [<7907f33a>] ? __lock_acquire.isra.22+0x7aa/0xb00
+[ 0.480417] [<7905e10e>] warn_slowpath_fmt+0x2e/0x30
+[ 0.480479] [<7907f33a>] __lock_acquire.isra.22+0x7aa/0xb00
+[ 0.480479] [<79078aa5>] ? sched_clock_cpu+0xb5/0xf0
+[ 0.480479] [<7907fd06>] lock_acquire+0x56/0x70
+[ 0.480479] [<7925b5e8>] ? driver_detach+0x58/0xa0
+[ 0.480479] [<79682d11>] mutex_lock_nested+0x61/0x2a0
+[ 0.480479] [<7925b5e8>] ? driver_detach+0x58/0xa0
+[ 0.480479] [<7925b5e8>] ? driver_detach+0x58/0xa0
+[ 0.480479] [<7925b5e8>] driver_detach+0x58/0xa0
+[ 0.480479] [<7925a3ff>] bus_remove_driver+0x8f/0xb0
+[ 0.480479] [<7925bf80>] ? class_unregister+0x40/0x80
+[ 0.480479] [<7925bad7>] driver_unregister+0x47/0x50
+[ 0.480479] [<7925c033>] ? class_destroy+0x13/0x20
+[ 0.480479] [<7925d07b>] platform_driver_unregister+0xb/0x10
+[ 0.480479] [<79b51ba0>] init_mac80211_hwsim+0x3e8/0x3f9
+[ 0.480479] [<79b30c58>] do_one_initcall+0x106/0x1a9
+[ 0.480479] [<79b517b8>] ? if_spi_init_module+0xac/0xac
+[ 0.480479] [<79b517b8>] ? if_spi_init_module+0xac/0xac
+[ 0.480479] [<79071935>] ? parse_args+0x2f5/0x480
+[ 0.480479] [<7906b41e>] ? __usermodehelper_set_disable_depth+0x3e/0x50
+[ 0.480479] [<79b30dd9>] kernel_init_freeable+0xde/0x17d
+[ 0.480479] [<79b304d6>] ? do_early_param+0x7a/0x7a
+[ 0.480479] [<79677b1b>] kernel_init+0xb/0xe0
+[ 0.480479] [<79075f42>] ? schedule_tail+0x12/0x40
+[ 0.480479] [<79686580>] ret_from_kernel_thread+0x20/0x30
+[ 0.480479] [<79677b10>] ? rest_init+0xc0/0xc0
+[ 0.480479] ---[ end trace ad8ac403ff8aef5d ]---
+[ 0.495478] BUG: unable to handle kernel paging request at 00200200
+[ 0.496257] IP: [<79682de5>] mutex_lock_nested+0x135/0x2a0
+[ 0.496923] *pde = 00000000
+[ 0.497290] Oops: 0002 [#1]
+[ 0.497653] CPU: 0 PID: 1 Comm: swapper Tainted: G W 3.17.0-00001-gdd46990-dirty #2
+[ 0.498659] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+[ 0.499321] task: 78028000 ti: 78024000 task.ti: 78024000
+[ 0.499955] EIP: 0060:[<79682de5>] EFLAGS: 00010097 CPU: 0
+[ 0.500620] EIP is at mutex_lock_nested+0x135/0x2a0
+[ 0.501145] EAX: 00200200 EBX: 78397434 ECX: 78397460 EDX: 78025e70
+[ 0.501816] ESI: 00000246 EDI: 78028000 EBP: 78025e8c ESP: 78025e54
+[ 0.502497] DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068
+[ 0.503076] CR0: 8005003b CR2: 00200200 CR3: 01b9d000 CR4: 00000690
+[ 0.503773] Stack:
+[ 0.503998] 00000000 00000001 00000000 7925b5e8 78397460 7925b5e8 78397474 78397460
+[ 0.504944] 00200200 11111111 78025e70 78397000 79ac9d74 00000001 78025ea0 7925b5e8
+[ 0.505451] 79ac9d74 fffffffe 00000001 78025ebc 7925a3ff 7a251398 78025ec8 7925bf80
+[ 0.505451] Call Trace:
+[ 0.505451] [<7925b5e8>] ? driver_detach+0x58/0xa0
+[ 0.505451] [<7925b5e8>] ? driver_detach+0x58/0xa0
+[ 0.505451] [<7925b5e8>] driver_detach+0x58/0xa0
+[ 0.505451] [<7925a3ff>] bus_remove_driver+0x8f/0xb0
+[ 0.505451] [<7925bf80>] ? class_unregister+0x40/0x80
+[ 0.505451] [<7925bad7>] driver_unregister+0x47/0x50
+[ 0.505451] [<7925c033>] ? class_destroy+0x13/0x20
+[ 0.505451] [<7925d07b>] platform_driver_unregister+0xb/0x10
+[ 0.505451] [<79b51ba0>] init_mac80211_hwsim+0x3e8/0x3f9
+[ 0.505451] [<79b30c58>] do_one_initcall+0x106/0x1a9
+[ 0.505451] [<79b517b8>] ? if_spi_init_module+0xac/0xac
+[ 0.505451] [<79b517b8>] ? if_spi_init_module+0xac/0xac
+[ 0.505451] [<79071935>] ? parse_args+0x2f5/0x480
+[ 0.505451] [<7906b41e>] ? __usermodehelper_set_disable_depth+0x3e/0x50
+[ 0.505451] [<79b30dd9>] kernel_init_freeable+0xde/0x17d
+[ 0.505451] [<79b304d6>] ? do_early_param+0x7a/0x7a
+[ 0.505451] [<79677b1b>] kernel_init+0xb/0xe0
+[ 0.505451] [<79075f42>] ? schedule_tail+0x12/0x40
+[ 0.505451] [<79686580>] ret_from_kernel_thread+0x20/0x30
+[ 0.505451] [<79677b10>] ? rest_init+0xc0/0xc0
+[ 0.505451] Code: 89 d8 e8 cf 9b 9f ff 8b 4f 04 8d 55 e4 89 d8 e8 72 9d 9f ff 8d 43 2c 89 c1 89 45 d8 8b 43 30 8d 55 e4 89 53 30 89 4d e4 89 45 e8 <89> 10 8b 55 dc 8b 45 e0 89 7d ec e8 db af 9f ff eb 11 90 31 c0
+[ 0.505451] EIP: [<79682de5>] mutex_lock_nested+0x135/0x2a0 SS:ESP 0068:78025e54
+[ 0.505451] CR2: 0000000000200200
+[ 0.505451] ---[ end trace ad8ac403ff8aef5e ]---
+[ 0.505451] Kernel panic - not syncing: Fatal exception
+
+Fixes: 9ea927748ced ("mac80211_hwsim: Register and bind to driver")
+Reported-by: Fengguang Wu <fengguang.wu@intel.com>
+Signed-off-by: Junjie Mao <eternal.n08@gmail.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/mac80211_hwsim.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/mac80211_hwsim.c
++++ b/drivers/net/wireless/mac80211_hwsim.c
+@@ -1974,7 +1974,7 @@ static int mac80211_hwsim_create_radio(i
+ if (err != 0) {
+ printk(KERN_DEBUG "mac80211_hwsim: device_bind_driver failed (%d)\n",
+ err);
+- goto failed_hw;
++ goto failed_bind;
+ }
+
+ skb_queue_head_init(&data->pending);
+@@ -2157,6 +2157,8 @@ static int mac80211_hwsim_create_radio(i
+ return idx;
+
+ failed_hw:
++ device_release_driver(data->dev);
++failed_bind:
+ device_unregister(data->dev);
+ failed_drvdata:
+ ieee80211_free_hw(hw);
xtensa-re-wire-umount-syscall-to-sys_oldumount.patch
libceph-do-not-crash-on-large-auth-tickets.patch
macvtap-fix-csum_start-when-vlan-tags-are-present.patch
+mac80211_hwsim-release-driver-when-ieee80211_register_hw-fails.patch
+mac80211-properly-flush-delayed-scan-work-on-interface-removal.patch
+mac80211-use-secondary-channel-offset-ie-also-beacons-during-csa.patch
+mac80211-schedule-the-actual-switch-of-the-station-before-csa-count-0.patch
+mac80211-fix-use-after-free-in-defragmentation.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
