From: Greg Kroah-Hartman Date: Thu, 14 Jun 2012 17:31:48 +0000 (-0700) Subject: 3.0-stable patches X-Git-Tag: v3.0.35~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6150fb3f58ef3593ad4805a358ba471cc6749054;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: mac80211-clean-up-remain-on-channel-on-interface-stop.patch
---
diff --git a/queue-3.0/mac80211-clean-up-remain-on-channel-on-interface-stop.patch b/queue-3.0/mac80211-clean-up-remain-on-channel-on-interface-stop.patch
new file mode 100644
index 00000000000..4d6c6b42a0b
--- /dev/null
+++ b/queue-3.0/mac80211-clean-up-remain-on-channel-on-interface-stop.patch
@@ -0,0 +1,76 @@
+From 71ecfa1893034eeb1c93e02e22ee2ad26d080858 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Thu, 31 May 2012 15:09:27 +0200
+Subject: mac80211: clean up remain-on-channel on interface stop
+
+From: Johannes Berg
+
+commit 71ecfa1893034eeb1c93e02e22ee2ad26d080858 upstream.
+
+When any interface goes down, it could be the one that we
+were doing a remain-on-channel with. We therefore need to
+cancel the remain-on-channel and flush the related work
+structs so they don't run after the interface has been
+removed or even destroyed.
+
+It's also possible in this case that an off-channel SKB
+was never transmitted, so free it if this is the case.
+Note that this can also happen if the driver finishes
+the off-channel period without ever starting it.
+
+Reported-by: Nirav Shah
+Signed-off-by: Johannes Berg
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/iface.c | 12 ++++++++++++
+ net/mac80211/offchannel.c | 16 ++++++++++++++++
+ 2 files changed, 28 insertions(+)
+
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -498,6 +498,18 @@ static void ieee80211_do_stop(struct iee
+ ieee80211_configure_filter(local);
+ break;
+ default:
++ mutex_lock(&local->mtx);
++ if (local->hw_roc_dev == sdata->dev &&
++ local->hw_roc_channel) {
++ /* ignore return value since this is racy */
++ drv_cancel_remain_on_channel(local);
++ ieee80211_queue_work(&local->hw, &local->hw_roc_done);
++ }
++ mutex_unlock(&local->mtx);
++
++ flush_work(&local->hw_roc_start);
++ flush_work(&local->hw_roc_done);
++
+ flush_work(&sdata->work);
+ /*
+ * When we get here, the interface is marked down.
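Review bot: The ordering that makes this teardown safe is not documented in the block added under `default:` in the net/mac80211/iface.c hunk: the cancel and `ieee80211_queue_work()` run under `local->mtx`, while both `flush_work()` calls come only after `mutex_unlock()`. If the roc work handlers take `local->mtx` themselves (their bodies are outside this hunk), flushing under the lock would deadlock, so a comment such as `/* flush outside local->mtx; the roc work items must finish before this sdata is torn down */` would keep a later refactor from reintroducing the run-after-stop problem the commit message describes. The existing `/* ignore return value since this is racy */` would be clearer if it named the race, presumably the driver ending the period on its own while the interface is being stopped. The block also sits only in `default:`, so the interface types handled by the earlier arm that ends in `break` skip it; that is safe only if a hardware remain-on-channel can never be bound to those types, which the hunk does not show. `ieee80211_do_stop()` starts and ends outside the hunk.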
+--- a/net/mac80211/offchannel.c
++++ b/net/mac80211/offchannel.c
+@@ -251,6 +251,22 @@ static void ieee80211_hw_roc_done(struct
+ return;
+ }
+
++ /* was never transmitted */
++ if (local->hw_roc_skb) {
++ u64 cookie;
++
++ cookie = local->hw_roc_cookie ^ 2;
++
++ cfg80211_mgmt_tx_status(local->hw_roc_dev, cookie,
++ local->hw_roc_skb->data,
++ local->hw_roc_skb->len, false,
++ GFP_KERNEL);
++
++ kfree_skb(local->hw_roc_skb);
++ local->hw_roc_skb = NULL;
++ local->hw_roc_skb_for_status = NULL;
++ }
++
+ if (!local->hw_roc_for_tx)
+ cfg80211_remain_on_channel_expired(local->hw_roc_dev,
+ local->hw_roc_cookie,
diff --git a/queue-3.0/series b/queue-3.0/series
index a3857ddbf26..3e530476f51 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -2,3 +2,4 @@ char-agp-add-another-ironlake-host-bridge.patch
 btree-fix-tree-corruption-in-btree_get_prev.patch
 powerpc-fix-kernel-panic-during-kernel-module-load.patch
 crypto-aesni-intel-fix-unaligned-cbc-decrypt-for-x86-32.patch
+mac80211-clean-up-remain-on-channel-on-interface-stop.patch
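Review bot: The `^ 2` in `cookie = local->hw_roc_cookie ^ 2;` is an unexplained magic constant in the block added to `ieee80211_hw_roc_done()` in the net/mac80211/offchannel.c hunk. For the failed-TX report to be matched by whoever queued the frame, it presumably has to be the same transformation applied when the frame's cookie was first handed out, and that code is not in this hunk, so the two can drift apart silently. A comment such as `/* must match the cookie derivation used when the off-channel frame was queued */`, or a shared helper or named constant, would make the coupling explicit. The function starts and ends outside the hunk.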