--- /dev/null
+From a3dc48e82bb146ef11cf75676c8410c1df29b0c4 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@openwrt.org>
+Date: Wed, 9 Jan 2013 16:16:52 +0100
+Subject: ath9k: do not link receive buffers during flush
+
+From: Felix Fietkau <nbd@openwrt.org>
+
+commit a3dc48e82bb146ef11cf75676c8410c1df29b0c4 upstream.
+
+On AR9300 the rx FIFO needs to be empty during reset to ensure that no
+further DMA activity is generated, otherwise it might lead to memory
+corruption issues.
+
+Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/recv.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath9k/recv.c
++++ b/drivers/net/wireless/ath/ath9k/recv.c
+@@ -744,6 +744,7 @@ static struct ath_buf *ath_get_next_rx_b
+ return NULL;
+ }
+
++ list_del(&bf->list);
+ if (!bf->bf_mpdu)
+ return bf;
+
+@@ -1251,14 +1252,15 @@ requeue_drop_frag:
+ sc->rx.frag = NULL;
+ }
+ requeue:
++ list_add_tail(&bf->list, &sc->rx.rxbuf);
++ if (flush)
++ continue;
++
+ if (edma) {
+- list_add_tail(&bf->list, &sc->rx.rxbuf);
+ ath_rx_edma_buf_link(sc, qtype);
+ } else {
+- list_move_tail(&bf->list, &sc->rx.rxbuf);
+ ath_rx_buf_link(sc, bf);
+- if (!flush)
+- ath9k_hw_rxena(ah);
++ ath9k_hw_rxena(ah);
+ }
+ } while (1);
+
--- /dev/null
+From 1adb2e2b5f85023d17eb4f95386a57029df27c88 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@openwrt.org>
+Date: Wed, 9 Jan 2013 16:16:53 +0100
+Subject: ath9k: fix double-free bug on beacon generate failure
+
+From: Felix Fietkau <nbd@openwrt.org>
+
+commit 1adb2e2b5f85023d17eb4f95386a57029df27c88 upstream.
+
+When the next beacon is sent, the ath_buf from the previous run is reused.
+If getting a new beacon from mac80211 fails, bf->bf_mpdu is not reset, yet
+the skb is freed, leading to a double-free on the next beacon tx attempt,
+resulting in a system crash.
+
+Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/beacon.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/ath/ath9k/beacon.c
++++ b/drivers/net/wireless/ath/ath9k/beacon.c
+@@ -147,6 +147,7 @@ static struct ath_buf *ath9k_beacon_gene
+ skb->len, DMA_TO_DEVICE);
+ dev_kfree_skb_any(skb);
+ bf->bf_buf_addr = 0;
++ bf->bf_mpdu = NULL;
+ }
+
+ skb = ieee80211_beacon_get(hw, vif);
mac80211-synchronize-scan-off-on-channel-and-ps-states.patch
mac80211-fix-ft-roaming.patch
ath9k_htc-fix-memory-leak.patch
+ath9k-do-not-link-receive-buffers-during-flush.patch
+ath9k-fix-double-free-bug-on-beacon-generate-failure.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
