From: Greg Kroah-Hartman Date: Tue, 23 Nov 2010 00:06:35 +0000 (-0800) Subject: .36 patches X-Git-Tag: v2.6.27.57~72 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ad522180e8e19a3a0c1852afbba6fe9b60073849;p=thirdparty%2Fkernel%2Fstable-queue.git .36 patches
---
diff --git a/queue-2.6.36/cfg80211-fix-bss-double-unlinking.patch b/queue-2.6.36/cfg80211-fix-bss-double-unlinking.patch
new file mode 100644
index 00000000000..a21f5c1a4c0
--- /dev/null
+++ b/queue-2.6.36/cfg80211-fix-bss-double-unlinking.patch
@@ -0,0 +1,56 @@
+From 3207390a8b58bfc1335750f91cf6783c48ca19ca Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Wed, 6 Oct 2010 21:18:04 +0200
+Subject: cfg80211: fix BSS double-unlinking
+
+From: Johannes Berg
+
+commit 3207390a8b58bfc1335750f91cf6783c48ca19ca upstream.
+
+When multiple interfaces are actively trying
+to associate with the same BSS, they may both
+find that the BSS isn't there and then try to
+unlink it. This can cause errors since the
+unlinking code can't currently deal with items
+that have already been unlinked.
+
+Normally this doesn't happen as most people
+don't try to use multiple station interfaces
+that associate at the same time too.
+
+Fix this by using the list entry as a flag to
+see if the item is still on a list.
+
+Reported-by: Ben Greear
+Tested-by: Hun-Kyi Wynn
+Signed-off-by: Johannes Berg
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/scan.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/wireless/scan.c
++++ b/net/wireless/scan.c
+@@ -650,14 +650,14 @@ void cfg80211_unlink_bss(struct wiphy *w
+ bss = container_of(pub, struct cfg80211_internal_bss, pub);
+
+ spin_lock_bh(&dev->bss_lock);
++ if (!list_empty(&bss->list)) {
++ list_del_init(&bss->list);
++ dev->bss_generation++;
++ rb_erase(&bss->rbn, &dev->bss_tree);
+
+- list_del(&bss->list);
+- dev->bss_generation++;
+- rb_erase(&bss->rbn, &dev->bss_tree);
+-
++ kref_put(&bss->ref, bss_release);
++ }
+ spin_unlock_bh(&dev->bss_lock);
+-
+- kref_put(&bss->ref, bss_release);
+ }
+ EXPORT_SYMBOL(cfg80211_unlink_bss);
+
diff --git a/queue-2.6.36/cfg80211-fix-locking.patch b/queue-2.6.36/cfg80211-fix-locking.patch
new file mode 100644
index 00000000000..3fe78937691
--- /dev/null
+++ b/queue-2.6.36/cfg80211-fix-locking.patch
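Review bot: The new `if (!list_empty(&bss->list))` guard in cfg80211_unlink_bss is only a sound "already unlinked" test if every cfg80211_internal_bss that is off the list has a self-pointing `list` head, and the hunk does not show how entries are initialised or removed elsewhere. Any other removal site in scan.c that still uses plain `list_del()` would leave pointers that pass this test and bring back the double `rb_erase()` and `kref_put()`. I would add a comment above the guard, for example `/* bss->list doubles as the "still linked" flag: every removal must use list_del_init() */`, and check the other unlink paths against it. The function body starts outside the hunk.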
@@ -0,0 +1,60 @@
+From 2234362c427e2ef667595b9b81c0125003ac5607 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Thu, 30 Sep 2010 22:17:43 +0200
+Subject: cfg80211: fix locking
+
+From: Johannes Berg
+
+commit 2234362c427e2ef667595b9b81c0125003ac5607 upstream.
+
+Add missing unlocking of the wiphy in set_channel,
+and don't try to unlock a non-existing wiphy in
+set_cqm.
+
+Signed-off-by: Johannes Berg
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/nl80211.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -761,11 +761,13 @@ static int nl80211_set_channel(struct sk
+
+ result = get_rdev_dev_by_info_ifindex(info, &rdev, &netdev);
+ if (result)
+- goto unlock;
++ goto unlock_rtnl;
+
+ result = __nl80211_set_channel(rdev, netdev->ieee80211_ptr, info);
+
+- unlock:
++ dev_put(netdev);
++ cfg80211_unlock_rdev(rdev);
++ unlock_rtnl:
+ rtnl_unlock();
+
+ return result;
+@@ -4996,7 +4998,7 @@ static int nl80211_set_cqm_rssi(struct g
+
+ err = get_rdev_dev_by_info_ifindex(info, &rdev, &dev);
+ if (err)
+- goto unlock_rdev;
++ goto unlock_rtnl;
+
+ wdev = dev->ieee80211_ptr;
+
+@@ -5013,9 +5015,10 @@ static int nl80211_set_cqm_rssi(struct g
+ err = rdev->ops->set_cqm_rssi_config(wdev->wiphy, dev,
+ threshold, hysteresis);
+
+-unlock_rdev:
++ unlock_rdev:
+ cfg80211_unlock_rdev(rdev);
+ dev_put(dev);
++ unlock_rtnl:
+ rtnl_unlock();
+
+ return err;
diff --git a/queue-2.6.36/cfg80211-fix-regression-on-processing-country-ies.patch b/queue-2.6.36/cfg80211-fix-regression-on-processing-country-ies.patch
new file mode 100644
index 00000000000..b90b18a26ad
--- /dev/null
+++ b/queue-2.6.36/cfg80211-fix-regression-on-processing-country-ies.patch
@@ -0,0 +1,47 @@
+From a171fba491f54216e356efa46096171a7ed01d10 Mon Sep 17 00:00:00 2001
+From: Luis R. Rodriguez
+Date: Mon, 18 Oct 2010 17:44:51 -0700
+Subject: cfg80211: fix regression on processing country IEs
+
+From: Luis R. Rodriguez
+
+commit a171fba491f54216e356efa46096171a7ed01d10 upstream.
+
+The patch 4f366c5:
+
+ wireless: only use alpha2 regulatory information from country IE
+
+removed some complex intersection we were always doing between the AP's
+country IE info and what we got from CRDA. When CRDA sent us back a
+regulatory domain we would do some sanity checks on that regulatory
+domain response we just got. Part of these sanity checks included
+checking that we already had performed an intersection for the
+request of NL80211_REGDOM_SET_BY_COUNTRY_IE type.
+
+This mean that cfg80211 was only processing country IEs for cases
+where we already had an intersection, but since we removed enforcing
+this this is no longer required, we should just apply the country
+IE country hint with the data received from CRDA.
+
+This patch has fixes intended for kernels >= 2.6.36.
+
+Reported-by: Easwar Krishnan
+Signed-off-by: Luis R. Rodriguez
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/reg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/reg.c
++++ b/net/wireless/reg.c
+@@ -1170,7 +1170,7 @@ static int ignore_request(struct wiphy *
+ return 0;
+ return -EALREADY;
+ }
+- return REG_INTERSECT;
++ return 0;
+ case NL80211_REGDOM_SET_BY_DRIVER:
+ if (last_request->initiator == NL80211_REGDOM_SET_BY_CORE) {
+ if (regdom_changes(pending_request->alpha2))
diff --git a/queue-2.6.36/drm-radeon-kms-register-an-i2c-adapter-name-for-the-dp-aux-bus.patch b/queue-2.6.36/drm-radeon-kms-register-an-i2c-adapter-name-for-the-dp-aux-bus.patch
new file mode 100644
index 00000000000..f585f7f3a9b
--- /dev/null
+++ b/queue-2.6.36/drm-radeon-kms-register-an-i2c-adapter-name-for-the-dp-aux-bus.patch
@@ -0,0 +1,35 @@
+From a5193fe50e7f21c26d22c17c8196420fac1a3ca7 Mon Sep 17 00:00:00 2001
+From: Alex Deucher
+Date: Wed, 17 Nov 2010 17:56:49 -0500
+Subject: drm/radeon/kms: register an i2c adapter name for the dp aux bus
+
+From: Alex Deucher
+
+commit a5193fe50e7f21c26d22c17c8196420fac1a3ca7 upstream.
+
+This causes the connector to not be added since i2c init fails
+for the adapter. Fixes:
+https://bugs.freedesktop.org/show_bug.cgi?id=31688
+
+Noticed by Ari Savolainen.
+
+Signed-off-by: Alex Deucher
+Cc: Ari Savolainen
+Cc: Jean Delvare
+Signed-off-by: Dave Airlie
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/radeon/radeon_i2c.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/radeon/radeon_i2c.c
++++ b/drivers/gpu/drm/radeon/radeon_i2c.c
+@@ -946,6 +946,7 @@ struct radeon_i2c_chan *radeon_i2c_creat
+ i2c->rec = *rec;
+ i2c->adapter.owner = THIS_MODULE;
+ i2c->dev = dev;
++ sprintf(i2c->adapter.name, "Radeon aux bus %s", name);
+ i2c_set_adapdata(&i2c->adapter, i2c);
+ i2c->adapter.algo_data = &i2c->algo.dp;
+ i2c->algo.dp.aux_ch = radeon_dp_i2c_aux_ch;
diff --git a/queue-2.6.36/i2c-pca-platform-change-device-name-of-request_irq.patch b/queue-2.6.36/i2c-pca-platform-change-device-name-of-request_irq.patch
new file mode 100644
index 00000000000..2a1a4111b24
--- /dev/null
+++ b/queue-2.6.36/i2c-pca-platform-change-device-name-of-request_irq.patch
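Review bot: The added `sprintf(i2c->adapter.name, "Radeon aux bus %s", name);` writes into the fixed-size `name` array of struct i2c_adapter with no length bound, so staying inside the buffer depends on every caller passing a short enough `name`. A bounded write removes that dependency: `snprintf(i2c->adapter.name, sizeof(i2c->adapter.name), "Radeon aux bus %s", name);`. The callers and the possible lengths of `name` are outside this hunk, so whether an overrun is reachable today cannot be confirmed from here.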
@@ -0,0 +1,32 @@
+From 323584436db0cb05286425d4dfd9516fce88487f Mon Sep 17 00:00:00 2001
+From: Nobuhiro Iwamatsu
+Date: Sun, 24 Oct 2010 18:16:57 +0200
+Subject: i2c-pca-platform: Change device name of request_irq
+
+From: Nobuhiro Iwamatsu
+
+commit 323584436db0cb05286425d4dfd9516fce88487f upstream.
+
+i2c->adap.name shouldn't be used in request_irq.
+Instead the driver name "i2c-pca-platform" should be used.
+
+Signed-off-by: Nobuhiro Iwamatsu
+Acked-by: Wolfram Sang
+Signed-off-by: Jean Delvare
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/busses/i2c-pca-platform.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/i2c/busses/i2c-pca-platform.c
++++ b/drivers/i2c/busses/i2c-pca-platform.c
+@@ -224,7 +224,7 @@ static int __devinit i2c_pca_pf_probe(st
+
+ if (irq) {
+ ret = request_irq(irq, i2c_pca_pf_handler,
+- IRQF_TRIGGER_FALLING, i2c->adap.name, i2c);
++ IRQF_TRIGGER_FALLING, pdev->name, i2c);
+ if (ret)
+ goto e_reqirq;
+ }
diff --git a/queue-2.6.36/isdn-gigaset-bas_gigaset-locking-fix.patch b/queue-2.6.36/isdn-gigaset-bas_gigaset-locking-fix.patch
new file mode 100644
index 00000000000..522087d64e4
--- /dev/null
+++ b/queue-2.6.36/isdn-gigaset-bas_gigaset-locking-fix.patch
@@ -0,0 +1,51 @@
+From b33ffa5cbf52ee751bb8068218ebb3c742c5a515 Mon Sep 17 00:00:00 2001
+From: Tilman Schmidt
+Date: Thu, 30 Sep 2010 13:34:30 +0000
+Subject: isdn/gigaset: bas_gigaset locking fix
+
+From: Tilman Schmidt
+
+commit b33ffa5cbf52ee751bb8068218ebb3c742c5a515 upstream.
+
+Unlock cs->lock before calling error_hangup() which is marked
+"cs->lock must not be held".
+
+Signed-off-by: Tilman Schmidt
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/isdn/gigaset/bas-gigaset.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/isdn/gigaset/bas-gigaset.c
++++ b/drivers/isdn/gigaset/bas-gigaset.c
+@@ -1581,13 +1581,13 @@ static int gigaset_init_bchannel(struct
+
+ ret = starturbs(bcs);
+ if (ret < 0) {
++ spin_unlock_irqrestore(&cs->lock, flags);
+ dev_err(cs->dev,
+ "could not start isochronous I/O for channel B%d: %s\n",
+ bcs->channel + 1,
+ ret == -EFAULT ? "null URB" : get_usb_rcmsg(ret));
+ if (ret != -ENODEV)
+ error_hangup(bcs);
+- spin_unlock_irqrestore(&cs->lock, flags);
+ return ret;
+ }
+
+@@ -1597,11 +1597,11 @@ static int gigaset_init_bchannel(struct
+ dev_err(cs->dev, "could not open channel B%d\n",
+ bcs->channel + 1);
+ stopurbs(bcs->hw.bas);
+- if (ret != -ENODEV)
+- error_hangup(bcs);
+ }
+
+ spin_unlock_irqrestore(&cs->lock, flags);
++ if (ret < 0 && ret != -ENODEV)
++ error_hangup(bcs);
+ return ret;
+ }
+
diff --git a/queue-2.6.36/isdn-gigaset-correct-bas_gigaset-rx-buffer-handling.patch b/queue-2.6.36/isdn-gigaset-correct-bas_gigaset-rx-buffer-handling.patch
new file mode 100644
index 00000000000..e328cd7aebd
--- /dev/null
+++ b/queue-2.6.36/isdn-gigaset-correct-bas_gigaset-rx-buffer-handling.patch
@@ -0,0 +1,50 @@
+From f3d531b99fb30945b4a64d6e2e86e1e62605aca5 Mon Sep 17 00:00:00 2001
+From: Tilman Schmidt
+Date: Thu, 30 Sep 2010 13:34:51 +0000
+Subject: isdn/gigaset: correct bas_gigaset rx buffer handling
+
+From: Tilman Schmidt
+
+commit f3d531b99fb30945b4a64d6e2e86e1e62605aca5 upstream.
+
+In transparent data reception, avoid a NULL pointer dereference
+in case an skbuff cannot be allocated, remove an inappropriate
+call to the HDLC flush routine, and correct the accounting of
+received bytes for continued buffers.
+
+Signed-off-by: Tilman Schmidt
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/isdn/gigaset/isocdata.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/isdn/gigaset/isocdata.c
++++ b/drivers/isdn/gigaset/isocdata.c
+@@ -842,13 +842,14 @@ static inline void trans_receive(unsigne
+
+ if (unlikely(bcs->ignore)) {
+ bcs->ignore--;
+- hdlc_flush(bcs);
+ return;
+ }
+ skb = bcs->rx_skb;
+- if (skb == NULL)
++ if (skb == NULL) {
+ skb = gigaset_new_rx_skb(bcs);
+- bcs->hw.bas->goodbytes += skb->len;
++ if (skb == NULL)
++ return;
++ }
+ dobytes = bcs->rx_bufsize - skb->len;
+ while (count > 0) {
+ dst = skb_put(skb, count < dobytes ? count : dobytes);
+@@ -860,6 +861,7 @@ static inline void trans_receive(unsigne
+ if (dobytes == 0) {
+ dump_bytes(DEBUG_STREAM_DUMP,
+ "rcv data", skb->data, skb->len);
++ bcs->hw.bas->goodbytes += skb->len;
+ gigaset_skb_rcvd(bcs, skb);
+ skb = gigaset_new_rx_skb(bcs);
+ if (skb == NULL)
diff --git a/queue-2.6.36/isdn-gigaset-fix-bas_gigaset-at-read-error-handling.patch b/queue-2.6.36/isdn-gigaset-fix-bas_gigaset-at-read-error-handling.patch
new file mode 100644
index 00000000000..97c2943fbf4
--- /dev/null
+++ b/queue-2.6.36/isdn-gigaset-fix-bas_gigaset-at-read-error-handling.patch
@@ -0,0 +1,157 @@
+From c8701a08d6a4efeae45d84d0aa87172f23b14e3c Mon Sep 17 00:00:00 2001
+From: Tilman Schmidt
+Date: Thu, 30 Sep 2010 13:34:40 +0000
+Subject: isdn/gigaset: fix bas_gigaset AT read error handling
+
+From: Tilman Schmidt
+
+commit c8701a08d6a4efeae45d84d0aa87172f23b14e3c upstream.
+
+Rework the handling of USB errors in AT response reads
+to fix a possible infinite retry loop and a memory leak,
+and silence a few overly verbose kernel messages.
+
+Signed-off-by: Tilman Schmidt
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/isdn/gigaset/bas-gigaset.c | 83 ++++++++++++++-----------------------
+ 1 file changed, 33 insertions(+), 50 deletions(-)
+
+--- a/drivers/isdn/gigaset/bas-gigaset.c
++++ b/drivers/isdn/gigaset/bas-gigaset.c
+@@ -438,23 +438,27 @@ static void cmd_in_timeout(unsigned long
+ return;
+ }
+
+- if (ucs->retry_cmd_in++ < BAS_RETRY) {
+- dev_notice(cs->dev, "control read: timeout, retry %d\n",
+- ucs->retry_cmd_in);
+- rc = atread_submit(cs, BAS_TIMEOUT);
+- if (rc >= 0 || rc == -ENODEV)
+- /* resubmitted or disconnected */
+- /* - bypass regular exit block */
+- return;
+- } else {
++ if (ucs->retry_cmd_in++ >= BAS_RETRY) {
+ dev_err(cs->dev,
+ "control read: timeout, giving up after %d tries\n",
+ ucs->retry_cmd_in);
++ kfree(ucs->rcvbuf);
++ ucs->rcvbuf = NULL;
++ ucs->rcvbuf_size = 0;
++ error_reset(cs);
++ return;
++ }
++
++ gig_dbg(DEBUG_USBREQ, "%s: timeout, retry %d",
++ __func__, ucs->retry_cmd_in);
++ rc = atread_submit(cs, BAS_TIMEOUT);
++ if (rc < 0) {
++ kfree(ucs->rcvbuf);
++ ucs->rcvbuf = NULL;
++ ucs->rcvbuf_size = 0;
++ if (rc != -ENODEV)
++ error_reset(cs);
+ }
+- kfree(ucs->rcvbuf);
+- ucs->rcvbuf = NULL;
+- ucs->rcvbuf_size = 0;
+- error_reset(cs);
+ }
+
+ /* read_ctrl_callback
+@@ -470,18 +474,11 @@ static void read_ctrl_callback(struct ur
+ struct cardstate *cs = inbuf->cs;
+ struct bas_cardstate *ucs = cs->hw.bas;
+ int status = urb->status;
+- int have_data = 0;
+ unsigned numbytes;
+ int rc;
+
+ update_basstate(ucs, 0, BS_ATRDPEND);
+ wake_up(&ucs->waitqueue);
+-
+- if (!ucs->rcvbuf_size) {
+- dev_warn(cs->dev, "%s: no receive in progress\n", __func__);
+- return;
+- }
+-
+ del_timer(&ucs->timer_cmd_in);
+
+ switch (status) {
+@@ -495,19 +492,10 @@ static void read_ctrl_callback(struct ur
+ numbytes = ucs->rcvbuf_size;
+ }
+
+- /* copy received bytes to inbuf */
+- have_data = gigaset_fill_inbuf(inbuf, ucs->rcvbuf, numbytes);
+-
+- if (unlikely(numbytes < ucs->rcvbuf_size)) {
+- /* incomplete - resubmit for remaining bytes */
+- ucs->rcvbuf_size -= numbytes;
+- ucs->retry_cmd_in = 0;
+- rc = atread_submit(cs, BAS_TIMEOUT);
+- if (rc >= 0 || rc == -ENODEV)
+- /* resubmitted or disconnected */
+- /* - bypass regular exit block */
+- return;
+- error_reset(cs);
++ /* copy received bytes to inbuf, notify event layer */
++ if (gigaset_fill_inbuf(inbuf, ucs->rcvbuf, numbytes)) {
++ gig_dbg(DEBUG_INTR, "%s-->BH", __func__);
++ gigaset_schedule_event(cs);
+ }
+ break;
+
+@@ -516,37 +504,32 @@ static void read_ctrl_callback(struct ur
+ case -EINPROGRESS: /* pending */
+ case -ENODEV: /* device removed */
+ case -ESHUTDOWN: /* device shut down */
+- /* no action necessary */
++ /* no further action necessary */
+ gig_dbg(DEBUG_USBREQ, "%s: %s",
+ __func__, get_usb_statmsg(status));
+ break;
+
+- default: /* severe trouble */
+- dev_warn(cs->dev, "control read: %s\n",
+- get_usb_statmsg(status));
++ default: /* other errors: retry */
+ if (ucs->retry_cmd_in++ < BAS_RETRY) {
+- dev_notice(cs->dev, "control read: retry %d\n",
+- ucs->retry_cmd_in);
++ gig_dbg(DEBUG_USBREQ, "%s: %s, retry %d", __func__,
++ get_usb_statmsg(status), ucs->retry_cmd_in);
+ rc = atread_submit(cs, BAS_TIMEOUT);
+- if (rc >= 0 || rc == -ENODEV)
+- /* resubmitted or disconnected */
+- /* - bypass regular exit block */
++ if (rc >= 0)
++ /* successfully resubmitted, skip freeing */
+ return;
+- } else {
+- dev_err(cs->dev,
+- "control read: giving up after %d tries\n",
+- ucs->retry_cmd_in);
++ if (rc == -ENODEV)
++ /* disconnect, no further action necessary */
++ break;
+ }
++ dev_err(cs->dev, "control read: %s, giving up after %d tries\n",
++ get_usb_statmsg(status), ucs->retry_cmd_in);
+ error_reset(cs);
+ }
+
++ /* read finished, free buffer */
+ kfree(ucs->rcvbuf);
+ ucs->rcvbuf = NULL;
+ ucs->rcvbuf_size = 0;
+- if (have_data) {
+- gig_dbg(DEBUG_INTR, "%s-->BH", __func__);
+- gigaset_schedule_event(cs);
+- }
+ }
+
+ /* atread_submit
diff --git a/queue-2.6.36/mac80211-add-helper-for-reseting-the-connection-monitor.patch b/queue-2.6.36/mac80211-add-helper-for-reseting-the-connection-monitor.patch
new file mode 100644
index 00000000000..92f14042190
--- /dev/null
+++ b/queue-2.6.36/mac80211-add-helper-for-reseting-the-connection-monitor.patch
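Review bot: Removing the `if (!ucs->rcvbuf_size)` early return from read_ctrl_callback means a completion that arrives after cmd_in_timeout has already freed the buffer now reaches `gigaset_fill_inbuf(inbuf, ucs->rcvbuf, numbytes)` with `ucs->rcvbuf` set to NULL. That is harmless only if `numbytes` is always clamped to a zero `rcvbuf_size` by the code just above the third inner hunk and gigaset_fill_inbuf() accepts a zero-length copy; neither is visible here, and whether a timed-out URB can still complete depends on atread_submit(), which lies outside the patch. I would keep a cheap guard such as `if (!ucs->rcvbuf) break;` in front of the copy. Separately, the sequence `kfree(ucs->rcvbuf); ucs->rcvbuf = NULL; ucs->rcvbuf_size = 0;` now appears three times across the two functions and would be less error-prone as one static helper.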
@@ -0,0 +1,65 @@
+From be099e82e9cf6d5d65d044e9ef6fc8bee3c7a113 Mon Sep 17 00:00:00 2001
+From: Luis R. Rodriguez
+Date: Thu, 16 Sep 2010 15:12:29 -0400
+Subject: mac80211: add helper for reseting the connection monitor
+
+From: Luis R. Rodriguez
+
+commit be099e82e9cf6d5d65d044e9ef6fc8bee3c7a113 upstream.
+
+This will be used in another place later. The connection
+monitor was added as of 2.6.35 so these fixes will be
+applicable to >= 2.6.35.
+
+Cc: Paul Stewart
+Cc: Amod Bodas
+Signed-off-by: Luis R. Rodriguez
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/ieee80211_i.h | 1 +
+ net/mac80211/mlme.c | 15 ++++++++++-----
+ 2 files changed, 11 insertions(+), 5 deletions(-)
+
+--- a/net/mac80211/ieee80211_i.h
++++ b/net/mac80211/ieee80211_i.h
+@@ -1003,6 +1003,7 @@ void ieee80211_sta_restart(struct ieee80
+ void ieee80211_sta_work(struct ieee80211_sub_if_data *sdata);
+ void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata,
+ struct sk_buff *skb);
++void ieee80211_sta_reset_conn_monitor(struct ieee80211_sub_if_data *sdata);
+
+ /* IBSS code */
+ void ieee80211_ibss_notify_scan_completed(struct ieee80211_local *local);
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -118,6 +118,15 @@ static void mod_beacon_timer(struct ieee
+ round_jiffies_up(jiffies + IEEE80211_BEACON_LOSS_TIME));
+ }
+
++void ieee80211_sta_reset_conn_monitor(struct ieee80211_sub_if_data *sdata)
++{
++ if (sdata->local->hw.flags & IEEE80211_HW_CONNECTION_MONITOR)
++ return;
++
++ mod_timer(&sdata->u.mgd.conn_mon_timer,
++ round_jiffies_up(jiffies + IEEE80211_CONNECTION_IDLE_TIME));
++}
++
+ static int ecw2cw(int ecw)
+ {
+ return (1 << ecw) - 1;
+@@ -1006,11 +1015,7 @@ void ieee80211_sta_rx_notify(struct ieee
+ if (is_multicast_ether_addr(hdr->addr1))
+ return;
+
+- if (sdata->local->hw.flags & IEEE80211_HW_CONNECTION_MONITOR)
+- return;
+-
+- mod_timer(&sdata->u.mgd.conn_mon_timer,
+- round_jiffies_up(jiffies + IEEE80211_CONNECTION_IDLE_TIME));
++ ieee80211_sta_reset_conn_monitor(sdata);
+ }
+
+ static void ieee80211_mgd_probe_ap_send(struct ieee80211_sub_if_data *sdata)
diff --git a/queue-2.6.36/mac80211-clear-txflags-for-ps-filtered-frames.patch b/queue-2.6.36/mac80211-clear-txflags-for-ps-filtered-frames.patch
new file mode 100644
index 00000000000..198837453f2
--- /dev/null
+++ b/queue-2.6.36/mac80211-clear-txflags-for-ps-filtered-frames.patch
@@ -0,0 +1,68 @@
+From eb7d3066cf864342e8ae6a5c1126a1602c4d06c0 Mon Sep 17 00:00:00 2001
+From: Christian Lamparter
+Date: Tue, 21 Sep 2010 21:36:18 +0200
+Subject: mac80211: clear txflags for ps-filtered frames
+
+From: Christian Lamparter
+
+commit eb7d3066cf864342e8ae6a5c1126a1602c4d06c0 upstream.
+
+This patch fixes stale mac80211_tx_control_flags for
+filtered / retried frames.
+
+Because ieee80211_handle_filtered_frame feeds skbs back
+into the tx path, they have to be stripped of some tx
+flags so they won't confuse the stack, driver or device.
+
+Acked-by: Johannes Berg
+Signed-off-by: Christian Lamparter
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/net/mac80211.h | 16 ++++++++++++++++
+ net/mac80211/status.c | 1 +
+ 2 files changed, 17 insertions(+)
+
+--- a/include/net/mac80211.h
++++ b/include/net/mac80211.h
+@@ -315,6 +315,9 @@ struct ieee80211_bss_conf {
+ * @IEEE80211_TX_CTL_LDPC: tells the driver to use LDPC for this frame
+ * @IEEE80211_TX_CTL_STBC: Enables Space-Time Block Coding (STBC) for this
+ * frame and selects the maximum number of streams that it can use.
++ *
++ * Note: If you have to add new flags to the enumeration, then don't
++ * forget to update %IEEE80211_TX_TEMPORARY_FLAGS when necessary.
+ */
+ enum mac80211_tx_control_flags {
+ IEEE80211_TX_CTL_REQ_TX_STATUS = BIT(0),
+@@ -344,6 +347,19 @@ enum mac80211_tx_control_flags {
+
+ #define IEEE80211_TX_CTL_STBC_SHIFT 23
+
++/*
++ * This definition is used as a mask to clear all temporary flags, which are
++ * set by the tx handlers for each transmission attempt by the mac80211 stack.
++ */
++#define IEEE80211_TX_TEMPORARY_FLAGS (IEEE80211_TX_CTL_NO_ACK | \
++ IEEE80211_TX_CTL_CLEAR_PS_FILT | IEEE80211_TX_CTL_FIRST_FRAGMENT | \
++ IEEE80211_TX_CTL_SEND_AFTER_DTIM | IEEE80211_TX_CTL_AMPDU | \
++ IEEE80211_TX_STAT_TX_FILTERED | IEEE80211_TX_STAT_ACK | \
++ IEEE80211_TX_STAT_AMPDU | IEEE80211_TX_STAT_AMPDU_NO_BACK | \
++ IEEE80211_TX_CTL_RATE_CTRL_PROBE | IEEE80211_TX_CTL_PSPOLL_RESPONSE | \
++ IEEE80211_TX_CTL_MORE_FRAMES | IEEE80211_TX_CTL_LDPC | \
++ IEEE80211_TX_CTL_STBC)
++
+ /**
+ * enum mac80211_rate_control_flags - per-rate flags set by the
+ * Rate Control algorithm.
+--- a/net/mac80211/status.c
++++ b/net/mac80211/status.c
+@@ -58,6 +58,7 @@ static void ieee80211_handle_filtered_fr
+ info->control.vif = &sta->sdata->vif;
+ info->flags |= IEEE80211_TX_INTFL_NEED_TXPROCESSING |
+ IEEE80211_TX_INTFL_RETRANSMISSION;
++ info->flags &= ~IEEE80211_TX_TEMPORARY_FLAGS;
+
+ sta->tx_filtered_count++;
+
diff --git a/queue-2.6.36/mac80211-delete-addba-response-timer.patch b/queue-2.6.36/mac80211-delete-addba-response-timer.patch
new file mode 100644
index 00000000000..e62a550de8f
--- /dev/null
+++ b/queue-2.6.36/mac80211-delete-addba-response-timer.patch
@@ -0,0 +1,45 @@
+From 44271488b91c9eecf249e075a1805dd887e222d2 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Tue, 5 Oct 2010 21:40:33 +0200
+Subject: mac80211: delete AddBA response timer
+
+From: Johannes Berg
+
+commit 44271488b91c9eecf249e075a1805dd887e222d2 upstream.
+
+We never delete the addBA response timer, which
+is typically fine, but if the station it belongs
+to is deleted very quickly after starting the BA
+session, before the peer had a chance to reply,
+the timer may fire after the station struct has
+been freed already. Therefore, we need to delete
+the timer in a suitable spot -- best when the
+session is being stopped (which will happen even
+then) in which case the delete will be a no-op
+most of the time.
+
+I've reproduced the scenario and tested the fix.
+
+This fixes the crash reported at
+http://mid.gmane.org/4CAB6F96.6090701@candelatech.com
+
+Reported-by: Ben Greear
+Signed-off-by: Johannes Berg
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/agg-tx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mac80211/agg-tx.c
++++ b/net/mac80211/agg-tx.c
+@@ -177,6 +177,8 @@ int ___ieee80211_stop_tx_ba_session(stru
+
+ del_timer_sync(&tid_tx->addba_resp_timer);
+
++ del_timer_sync(&tid_tx->addba_resp_timer);
++
+ /*
+ * After this packets are no longer handed right through
+ * to the driver but are put onto tid_tx->pending instead,
diff --git a/queue-2.6.36/mac80211-disable-beacon-monitor-while-going-offchannel.patch b/queue-2.6.36/mac80211-disable-beacon-monitor-while-going-offchannel.patch
new file mode 100644
index 00000000000..2984c750a85
--- /dev/null
+++ b/queue-2.6.36/mac80211-disable-beacon-monitor-while-going-offchannel.patch
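Review bot: The context of the agg-tx.c hunk already contains `del_timer_sync(&tid_tx->addba_resp_timer);` directly above the two added lines, so applying this queue entry leaves ___ieee80211_stop_tx_ba_session making the same call twice in a row. The second call does nothing useful, which suggests the tree this patch was generated against already carries the fix and the entry can be dropped from the queue instead of applied. If it is kept, the added line should go so the timer teardown appears once, and a short comment on the remaining call such as `/* the response timer must not outlive the station */` would record why it is there. The function body starts and ends outside the hunk.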
@@ -0,0 +1,44 @@
+From 3bc3c0d748402e8c1f31b8569f5924d25d7b8e30 Mon Sep 17 00:00:00 2001
+From: Luis R. Rodriguez
+Date: Thu, 16 Sep 2010 15:12:33 -0400
+Subject: mac80211: disable beacon monitor while going offchannel
+
+From: Luis R. Rodriguez
+
+commit 3bc3c0d748402e8c1f31b8569f5924d25d7b8e30 upstream.
+
+The beacon monitor should be disabled when going off channel
+to prevent spurious warnings and triggering connection
+deterioration work such as sending probe requests. Re-enable
+the beacon monitor once we come back to the home channel.
+
+This patch has fixes for stable kernels [2.6.34+].
+
+Cc: Paul Stewart
+Cc: Amod Bodas
+Signed-off-by: Luis R. Rodriguez
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/offchannel.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/mac80211/offchannel.c
++++ b/net/mac80211/offchannel.c
+@@ -29,6 +29,7 @@ static void ieee80211_offchannel_ps_enab
+ /* FIXME: what to do when local->pspolling is true? */
+
+ del_timer_sync(&local->dynamic_ps_timer);
++ del_timer_sync(&ifmgd->bcn_mon_timer);
+ del_timer_sync(&ifmgd->conn_mon_timer);
+
+ cancel_work_sync(&local->dynamic_ps_enable_work);
+@@ -89,6 +90,7 @@ static void ieee80211_offchannel_ps_disa
+ msecs_to_jiffies(local->hw.conf.dynamic_ps_timeout));
+ }
+
++ ieee80211_sta_reset_beacon_monitor(sdata);
+ ieee80211_sta_reset_conn_monitor(sdata);
+ }
+
diff --git a/queue-2.6.36/mac80211-don-t-sanitize-invalid-rates.patch b/queue-2.6.36/mac80211-don-t-sanitize-invalid-rates.patch
new file mode 100644
index 00000000000..126097e9ded
--- /dev/null
+++ b/queue-2.6.36/mac80211-don-t-sanitize-invalid-rates.patch
@@ -0,0 +1,42 @@
+From 5f4e6b2d3c74c1adda1cbfd9d9d30da22c7484fc Mon Sep 17 00:00:00 2001
+From: Christian Lamparter
+Date: Sat, 16 Oct 2010 18:49:15 +0200
+Subject: mac80211: don't sanitize invalid rates
+
+From: Christian Lamparter
+
+commit 5f4e6b2d3c74c1adda1cbfd9d9d30da22c7484fc upstream.
+
+I found this bug while poking around with a pure-gn AP.
+
+Commit:
+cfg80211/mac80211: Use more generic bitrate mask for rate control
+
+Added some sanity checks to ensure that each tx rate index
+is included in the configured mask and it would change any
+rate indexes if it wasn't.
+
+But, the current implementation doesn't take into account
+that the invalid rate index "-1" has a special meaning
+(= no further attempts) and it should not be "changed".
+
+Signed-off-by: Christian Lamparter
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/rate.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/mac80211/rate.c
++++ b/net/mac80211/rate.c
+@@ -328,6 +328,9 @@ void rate_control_get_rate(struct ieee80
+ * if needed.
+ */
+ for (i = 0; i < IEEE80211_TX_MAX_RATES; i++) {
++ /* Skip invalid rates */
++ if (info->control.rates[i].idx < 0)
++ break;
+ /* Rate masking supports only legacy rates for now */
+ if (info->control.rates[i].flags & IEEE80211_TX_RC_MCS)
+ continue;
diff --git a/queue-2.6.36/mac80211-fix-channel-assumption-for-association-done-work.patch b/queue-2.6.36/mac80211-fix-channel-assumption-for-association-done-work.patch
new file mode 100644
index 00000000000..6f3e622149f
--- /dev/null
+++ b/queue-2.6.36/mac80211-fix-channel-assumption-for-association-done-work.patch
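Review bot: The comment `/* Skip invalid rates */` does not match the statement under it, which is `break` rather than `continue`: the loop stops at the first negative index and leaves every later entry of `info->control.rates[]` untouched. That agrees with the commit message (index -1 means no further attempts), but a reader comparing it with the `continue` a few lines below will take it for a typo. I would reword it to `/* idx < 0 ends the rate table: stop, later entries are not used */`. The loop body continues outside the hunk.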
@@ -0,0 +1,55 @@
+From e7480bbb926c5816e4fbfca70748096bbe0e4978 Mon Sep 17 00:00:00 2001
+From: Luis R. Rodriguez
+Date: Fri, 1 Oct 2010 17:05:19 -0400
+Subject: mac80211: fix channel assumption for association done work
+
+From: Luis R. Rodriguez
+
+commit e7480bbb926c5816e4fbfca70748096bbe0e4978 upstream.
+
+Be consistent and use the wk->chan instead of the
+local->hw.conf.channel for the association done work.
+This prevents any possible races against channel changes
+while we run this work.
+
+In the case that the race did happen we would be initializing
+the bit rates for the new AP under the assumption of a wrong
+channel and in the worst case, wrong band. This could lead
+to trying to assuming we could use CCK frames on 5 GHz, for
+example.
+
+This patch has a fix for kernels >= v2.6.34
+
+Signed-off-by: Luis R. Rodriguez
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/mlme.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -1262,7 +1262,7 @@ static bool ieee80211_assoc_success(stru
+
+ rates = 0;
+ basic_rates = 0;
+- sband = local->hw.wiphy->bands[local->hw.conf.channel->band];
++ sband = local->hw.wiphy->bands[wk->chan->band];
+
+ for (i = 0; i < elems.supp_rates_len; i++) {
+ int rate = (elems.supp_rates[i] & 0x7f) * 5;
+@@ -1298,11 +1298,11 @@ static bool ieee80211_assoc_success(stru
+ }
+ }
+
+- sta->sta.supp_rates[local->hw.conf.channel->band] = rates;
++ sta->sta.supp_rates[wk->chan->band] = rates;
+ sdata->vif.bss_conf.basic_rates = basic_rates;
+
+ /* cf. IEEE 802.11 9.2.12 */
+- if (local->hw.conf.channel->band == IEEE80211_BAND_2GHZ &&
++ if (wk->chan->band == IEEE80211_BAND_2GHZ &&
+ have_higher_than_11mbit)
+ sdata->flags |= IEEE80211_SDATA_OPERATING_GMODE;
+ else
diff --git a/queue-2.6.36/mac80211-fix-ibss-station-got-expired-immediately.patch b/queue-2.6.36/mac80211-fix-ibss-station-got-expired-immediately.patch
new file mode 100644
index 00000000000..cc63fe274aa
--- /dev/null
+++ b/queue-2.6.36/mac80211-fix-ibss-station-got-expired-immediately.patch
@@ -0,0 +1,31 @@
+From c8716d9dc13c7f6ee92f2bfc6cc3b723b417bff8 Mon Sep 17 00:00:00 2001
+From: Rajkumar Manoharan
+Date: Sat, 23 Oct 2010 10:59:57 +0530
+Subject: mac80211: Fix ibss station got expired immediately
+
+From: Rajkumar Manoharan
+
+commit c8716d9dc13c7f6ee92f2bfc6cc3b723b417bff8 upstream.
+
+Station addition in ieee80211_ibss_rx_queued_mgmt is not updating
+sta->last_rx which is causing station expiry in ieee80211_ibss_work
+path. So sta addition and deletion happens repeatedly.
+
+Signed-off-by: Rajkumar Manoharan
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/ibss.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/mac80211/ibss.c
++++ b/net/mac80211/ibss.c
+@@ -435,6 +435,7 @@ struct sta_info *ieee80211_ibss_add_sta(
+ if (!sta)
+ return NULL;
+
++ sta->last_rx = jiffies;
+ set_sta_flags(sta, WLAN_STA_AUTHORIZED);
+
+ /* make sure mandatory rates are always added */
diff --git a/queue-2.6.36/mac80211-fix-offchannel-assumption-upon-association.patch b/queue-2.6.36/mac80211-fix-offchannel-assumption-upon-association.patch
new file mode 100644
index 00000000000..86a80d43019
--- /dev/null
+++ b/queue-2.6.36/mac80211-fix-offchannel-assumption-upon-association.patch
@@ -0,0 +1,44 @@
+From 8d4780eb1ece4e8109b4f6b2e5e61f7fc593c3f4 Mon Sep 17 00:00:00 2001
+From: Luis R. Rodriguez
+Date: Fri, 24 Sep 2010 21:59:57 -0400
+Subject: mac80211: fix offchannel assumption upon association
+
+From: Luis R. Rodriguez
+
+commit 8d4780eb1ece4e8109b4f6b2e5e61f7fc593c3f4 upstream.
+
+Association is dealt with as an atomic offchannel operation,
+we do this because we don't know we are associated until we
+get the associatin response from the AP. When we do get the
+associatin response though we were never clearing the offchannel
+state. This has a few implications, we told drivers we were
+still offchannel, and the first configured TX power for the
+channel does not take into account any power constraints.
+
+For ath9k this meant ANI calibration would not start upon
+association, and we'd have to wait until the first bgscan
+to be triggered. There may be other issues this resolves
+but I'm too lazy to comb the code to check.
+
+Cc: Amod Bodas
+Cc: Vasanth Thiagarajan
+Signed-off-by: Luis R. Rodriguez
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/main.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/main.c
++++ b/net/mac80211/main.c
+@@ -108,7 +108,8 @@ int ieee80211_hw_config(struct ieee80211
+ chan = scan_chan;
+ channel_type = NL80211_CHAN_NO_HT;
+ local->hw.conf.flags |= IEEE80211_CONF_OFFCHANNEL;
+- } else if (local->tmp_channel) {
++ } else if (local->tmp_channel &&
++ local->oper_channel != local->tmp_channel) {
+ chan = scan_chan = local->tmp_channel;
+ channel_type = local->tmp_channel_type;
+ local->hw.conf.flags |= IEEE80211_CONF_OFFCHANNEL;
diff --git a/queue-2.6.36/mac80211-fix-possible-null-pointer-de-reference.patch b/queue-2.6.36/mac80211-fix-possible-null-pointer-de-reference.patch
new file mode 100644
index 00000000000..2242bf02ef9
--- /dev/null
+++ b/queue-2.6.36/mac80211-fix-possible-null-pointer-de-reference.patch
@@ -0,0 +1,86 @@ +From d12c74528e3065c90df70fbc06ec6ffd6e804738 Mon Sep 17 00:00:00 2001 +From: Christian Lamparter +Date: Fri, 8 Oct 2010 22:27:07 +0200 +Subject: mac80211: fix possible null-pointer de-reference + +From: Christian Lamparter + +commit d12c74528e3065c90df70fbc06ec6ffd6e804738 upstream. + +This patch not only fixes a null-pointer de-reference +that would be triggered by a PLINK_OPEN frame with mis- +matching/incompatible mesh configuration, but also +responds correctly to non-compatible PLINK_OPEN frames +by generating a PLINK_CLOSE with the right reason code. + +The original bug was detected by smatch. +( http://repo.or.cz/w/smatch.git ) + +net/mac80211/mesh_plink.c +574 mesh_rx_plink_frame(168) +error: we previously assumed 'sta' could be null. + +Reviewed-and-Tested-by: Steve deRosier +Reviewed-and-Tested-by: Javier Cardona +Acked-by: Johannes Berg +Signed-off-by: Christian Lamparter +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/mesh_plink.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +--- a/net/mac80211/mesh_plink.c ++++ b/net/mac80211/mesh_plink.c +@@ -412,7 +412,7 @@ void mesh_rx_plink_frame(struct ieee8021 + enum plink_event event; + enum plink_frame_type ftype; + size_t baselen; +- bool deactivated; ++ bool deactivated, matches_local = true; + u8 ie_len; + u8 *baseaddr; + __le16 plid, llid, reason; +@@ -487,6 +487,7 @@ void mesh_rx_plink_frame(struct ieee8021 + /* Now we will figure out the appropriate event... 
*/ + event = PLINK_UNDEFINED; + if (ftype != PLINK_CLOSE && (!mesh_matches_local(&elems, sdata))) { ++ matches_local = false; + switch (ftype) { + case PLINK_OPEN: + event = OPN_RJCT; +@@ -498,7 +499,15 @@ void mesh_rx_plink_frame(struct ieee8021 + /* avoid warning */ + break; + } +- spin_lock_bh(&sta->lock); ++ } ++ ++ if (!sta && !matches_local) { ++ rcu_read_unlock(); ++ reason = cpu_to_le16(MESH_CAPABILITY_POLICY_VIOLATION); ++ llid = 0; ++ mesh_plink_frame_tx(sdata, PLINK_CLOSE, mgmt->sa, llid, ++ plid, reason); ++ return; + } else if (!sta) { + /* ftype == PLINK_OPEN */ + u32 rates; +@@ -522,7 +531,7 @@ void mesh_rx_plink_frame(struct ieee8021 + } + event = OPN_ACPT; + spin_lock_bh(&sta->lock); +- } else { ++ } else if (matches_local) { + spin_lock_bh(&sta->lock); + switch (ftype) { + case PLINK_OPEN: +@@ -564,6 +573,8 @@ void mesh_rx_plink_frame(struct ieee8021 + rcu_read_unlock(); + return; + } ++ } else { ++ spin_lock_bh(&sta->lock); + } + + mpl_dbg("Mesh plink (peer, state, llid, plid, event): %pM %s %d %d %d\n", diff --git a/queue-2.6.36/mac80211-fix-signal-strength-average-initialization-for-cqm-events.patch b/queue-2.6.36/mac80211-fix-signal-strength-average-initialization-for-cqm-events.patch new file mode 100644 index 00000000000..0f3b4e80481 --- /dev/null +++ b/queue-2.6.36/mac80211-fix-signal-strength-average-initialization-for-cqm-events.patch 
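Review bot: The final `else { spin_lock_bh(&sta->lock); }` in the last hunk dereferences `sta` and is safe only because the `!sta && !matches_local` case has already returned and the plain `!sta` case appears to obtain a station before its own `spin_lock_bh` (that part lies in lines the hunks do not show). This is the same invariant smatch complained about, and the new code does not state it anywhere. I would add a comment on that branch such as `/* sta != NULL and !matches_local: event was chosen above, only the lock is needed */`. Separately, the new early-return path transmits a PLINK_CLOSE to `mgmt->sa` for a peer that has no station entry; because that address comes from a received frame, it is worth confirming whether replies on this path need rate limiting. mesh_rx_plink_frame starts and ends outside the hunks.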
@@ -0,0 +1,37 @@ +From 3ba06c6fbd651ed3377e584026d1c112b492cc8b Mon Sep 17 00:00:00 2001 +From: Jouni Malinen +Date: Fri, 27 Aug 2010 22:21:13 +0300 +Subject: mac80211: Fix signal strength average initialization for CQM events + +From: Jouni Malinen + +commit 3ba06c6fbd651ed3377e584026d1c112b492cc8b upstream. + +The ave_beacon_signal value uses 1/16 dB unit and as such, must be +initialized with the signal level of the first Beacon frame multiplied +by 16. This fixes an issue where the initial CQM events are reported +incorrectly with a burst of events while the running average +approaches the correct value after the incorrect initialization. This +could cause user space -based roaming decision process to get quite +confused at the moment when we would like to go through authentication +and DHCP. + +Signed-off-by: Jouni Malinen +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/mlme.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -1540,7 +1540,7 @@ static void ieee80211_rx_mgmt_beacon(str + ifmgd->last_beacon_signal = rx_status->signal; + if (ifmgd->flags & IEEE80211_STA_RESET_SIGNAL_AVE) { + ifmgd->flags &= ~IEEE80211_STA_RESET_SIGNAL_AVE; +- ifmgd->ave_beacon_signal = rx_status->signal; ++ ifmgd->ave_beacon_signal = rx_status->signal * 16; + ifmgd->last_cqm_event_signal = 0; + } else { + ifmgd->ave_beacon_signal = diff --git a/queue-2.6.36/mac80211-make-the-beacon-monitor-available-externally.patch b/queue-2.6.36/mac80211-make-the-beacon-monitor-available-externally.patch new file mode 100644 index 00000000000..ecf290eec2a --- /dev/null +++ b/queue-2.6.36/mac80211-make-the-beacon-monitor-available-externally.patch 
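Review bot: The factor in `ifmgd->ave_beacon_signal = rx_status->signal * 16;` is a bare literal, and the 1/16 dB unit it encodes is explained only in the commit message. The running-average update in the `else` branch, which continues past the hunk, has to use the same scale, and a mismatch between the two is the bug this line corrects. A comment on the assignment, e.g. `/* ave_beacon_signal is kept in units of 1/16 dB */`, or a named constant shared by both branches would keep them in step.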
@@ -0,0 +1,72 @@ +From d3a910a8e4e846b9a767d35483f4dc7c6de7af82 Mon Sep 17 00:00:00 2001 +From: Luis R. Rodriguez +Date: Thu, 16 Sep 2010 15:12:32 -0400 +Subject: mac80211: make the beacon monitor available externally + +From: Luis R. Rodriguez + +commit d3a910a8e4e846b9a767d35483f4dc7c6de7af82 upstream. + +This will be used by other components next. The beacon +monitor was added as of 2.6.34 so these fixes are applicable +only to kernels >= 2.6.34. + +Cc: Paul Stewart +Cc: Amod Bodas +Signed-off-by: Luis R. Rodriguez +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/ieee80211_i.h | 1 + + net/mac80211/mlme.c | 8 ++++---- + 2 files changed, 5 insertions(+), 4 deletions(-) + +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -1003,6 +1003,7 @@ void ieee80211_sta_restart(struct ieee80 + void ieee80211_sta_work(struct ieee80211_sub_if_data *sdata); + void ieee80211_sta_rx_queued_mgmt(struct ieee80211_sub_if_data *sdata, + struct sk_buff *skb); ++void ieee80211_sta_reset_beacon_monitor(struct ieee80211_sub_if_data *sdata); + void ieee80211_sta_reset_conn_monitor(struct ieee80211_sub_if_data *sdata); + + /* IBSS code */ +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -109,7 +109,7 @@ static void run_again(struct ieee80211_i + mod_timer(&ifmgd->timer, timeout); + } + +-static void mod_beacon_timer(struct ieee80211_sub_if_data *sdata) ++void ieee80211_sta_reset_beacon_monitor(struct ieee80211_sub_if_data *sdata) + { + if (sdata->local->hw.flags & IEEE80211_HW_BEACON_FILTER) + return; +@@ -1367,7 +1367,7 @@ static bool ieee80211_assoc_success(stru + * Also start the timer that will detect beacon loss. 
+ */ + ieee80211_sta_rx_notify(sdata, (struct ieee80211_hdr *)mgmt); +- mod_beacon_timer(sdata); ++ ieee80211_sta_reset_beacon_monitor(sdata); + + return true; + } +@@ -1470,7 +1470,7 @@ static void ieee80211_rx_mgmt_probe_resp + * we have or will be receiving any beacons or data, so let's + * schedule the timers again, just in case. + */ +- mod_beacon_timer(sdata); ++ ieee80211_sta_reset_beacon_monitor(sdata); + + mod_timer(&ifmgd->conn_mon_timer, + round_jiffies_up(jiffies + +@@ -1593,7 +1593,7 @@ static void ieee80211_rx_mgmt_beacon(str + * Push the beacon loss detection into the future since + * we are processing a beacon from the AP just now. + */ +- mod_beacon_timer(sdata); ++ ieee80211_sta_reset_beacon_monitor(sdata); + + ncrc = crc32_be(0, (void *)&mgmt->u.beacon.beacon_int, 4); + ncrc = ieee802_11_parse_elems_crc(mgmt->u.beacon.variable, diff --git a/queue-2.6.36/mac80211-minstrel_ht-a-mpdu-fix.patch b/queue-2.6.36/mac80211-minstrel_ht-a-mpdu-fix.patch new file mode 100644 index 00000000000..23a393efd4e --- /dev/null +++ b/queue-2.6.36/mac80211-minstrel_ht-a-mpdu-fix.patch 
@@ -0,0 +1,61 @@ +From 15d46f38df87f89242e470f5797120fa384c1fc3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B6rn=20Smedman?= +Date: Sun, 10 Oct 2010 22:14:25 +0200 +Subject: mac80211: minstrel_ht A-MPDU fix +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Bj=C3=B6rn=20Smedman?= + +commit 15d46f38df87f89242e470f5797120fa384c1fc3 upstream. + +This patch fixes two problems with the minstrel_ht rate control +algorithms handling of A-MPDU frames: + +1. The ampdu_len field of the tx status is not always initialized for +non-HT frames (and it would probably be unreasonable to require all +drivers to do so). This could cause rate control statistics to be +corrupted. We now trust the ampdu_len and ampdu_ack_len fields only when +the frame is marked with the IEEE80211_TX_STAT_AMPDU flag. + +2. Successful transmission attempts where only recognized when the A-MPDU +subframe carrying the rate control status information was marked with the +IEEE80211_TX_STAT_ACK flag. If this information happed to be carried on a +frame that failed to be ACKed then the other subframes (which may have +succeeded) where not correctly registered. We now update rate control +statistics regardless of whether the subframe carrying the information was +ACKed or not. + +Signed-off-by: Björn Smedman +Acked-by: Felix Fietkau +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/rc80211_minstrel_ht.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/net/mac80211/rc80211_minstrel_ht.c ++++ b/net/mac80211/rc80211_minstrel_ht.c +@@ -397,8 +397,9 @@ minstrel_ht_tx_status(void *priv, struct + !(info->flags & IEEE80211_TX_STAT_AMPDU)) + return; + +- if (!info->status.ampdu_len) { +- info->status.ampdu_ack_len = 1; ++ if (!(info->flags & IEEE80211_TX_STAT_AMPDU)) { ++ info->status.ampdu_ack_len = ++ (info->flags & IEEE80211_TX_STAT_ACK ? 
1 : 0); + info->status.ampdu_len = 1; + } + +@@ -426,7 +427,7 @@ minstrel_ht_tx_status(void *priv, struct + group = minstrel_ht_get_group_idx(&ar[i]); + rate = &mi->groups[group].rates[ar[i].idx % 8]; + +- if (last && (info->flags & IEEE80211_TX_STAT_ACK)) ++ if (last) + rate->success += info->status.ampdu_ack_len; + + rate->attempts += ar[i].count * info->status.ampdu_len; diff --git a/queue-2.6.36/mac80211-reset-connection-idle-when-going-offchannel.patch b/queue-2.6.36/mac80211-reset-connection-idle-when-going-offchannel.patch new file mode 100644 index 00000000000..342439ab154 --- /dev/null +++ b/queue-2.6.36/mac80211-reset-connection-idle-when-going-offchannel.patch 
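Review bot: Dropping the `IEEE80211_TX_STAT_ACK` test from `if (last)` is correct for non-A-MPDU frames only because the first hunk now sets `ampdu_ack_len` to 0 when the frame was not ACKed; the two hunks depend on each other but nothing in the code says so. A comment above `if (last)` such as `/* ampdu_ack_len is 0 for an un-ACKed non-A-MPDU frame, see the fixup above */` would keep a later edit from breaking one half. For frames that do carry `IEEE80211_TX_STAT_AMPDU`, `ampdu_len` and `ampdu_ack_len` are used as the driver reported them; the visible code does not check `ampdu_ack_len <= ampdu_len`, so a driver bug could still skew `rate->success` against `rate->attempts`. minstrel_ht_tx_status starts and ends outside both hunks.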
@@ -0,0 +1,57 @@ +From 4730d5977f3e12b828d354f7752cffd94bdf39e5 Mon Sep 17 00:00:00 2001 +From: Luis R. Rodriguez +Date: Thu, 16 Sep 2010 15:12:31 -0400 +Subject: mac80211: reset connection idle when going offchannel + +From: Luis R. Rodriguez + +commit 4730d5977f3e12b828d354f7752cffd94bdf39e5 upstream. + +When we go offchannel mac80211 currently leaves alive the +connection idle monitor. This should be instead postponed +until we come back to our home channel, otherwise by the +time we get back to the home channel we could be triggering +unecesary probe requests. For APs that do not respond to +unicast probe requests (Nexus One is a simple example) this +means we essentially get disconnected after the probes +fails. + +This patch has stable fixes for kernels [2.6.35+] + +Cc: Paul Stewart +Cc: Amod Bodas +Signed-off-by: Luis R. Rodriguez +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/offchannel.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/mac80211/offchannel.c ++++ b/net/mac80211/offchannel.c +@@ -22,12 +22,15 @@ + static void ieee80211_offchannel_ps_enable(struct ieee80211_sub_if_data *sdata) + { + struct ieee80211_local *local = sdata->local; ++ struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; + + local->offchannel_ps_enabled = false; + + /* FIXME: what to do when local->pspolling is true? */ + + del_timer_sync(&local->dynamic_ps_timer); ++ del_timer_sync(&ifmgd->conn_mon_timer); ++ + cancel_work_sync(&local->dynamic_ps_enable_work); + + if (local->hw.conf.flags & IEEE80211_CONF_PS) { +@@ -85,6 +88,8 @@ static void ieee80211_offchannel_ps_disa + mod_timer(&local->dynamic_ps_timer, jiffies + + msecs_to_jiffies(local->hw.conf.dynamic_ps_timeout)); + } ++ ++ ieee80211_sta_reset_conn_monitor(sdata); + } + + void ieee80211_offchannel_stop_beaconing(struct ieee80211_local *local) 
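Review bot: `del_timer_sync(&ifmgd->conn_mon_timer)` stops the timer but not anything its handler may already have queued, whereas the neighbouring power-save timer is followed by `cancel_work_sync(&local->dynamic_ps_enable_work)`. If the connection-monitor timer hands off to a work item (its handler is not visible here), that work could still run while off-channel and send the probe this change is meant to avoid. Either cancel that work as well or add a comment saying why it is not needed. Also, `&sdata->u.mgd` is taken unconditionally, which presumes every caller passes a managed (station) interface; the callers are outside the hunk.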
diff --git a/queue-2.6.36/mac80211-reset-probe-send-counter-upon-connection-timer-reset.patch b/queue-2.6.36/mac80211-reset-probe-send-counter-upon-connection-timer-reset.patch new file mode 100644 index 00000000000..328ba9702dc --- /dev/null +++ b/queue-2.6.36/mac80211-reset-probe-send-counter-upon-connection-timer-reset.patch @@ -0,0 +1,46 @@ +From 0c699c3a75d4e8d0d2c317f83048d8fd3ffe692a Mon Sep 17 00:00:00 2001 +From: Luis R. Rodriguez +Date: Thu, 16 Sep 2010 15:12:30 -0400 +Subject: mac80211: reset probe send counter upon connection timer reset + +From: Luis R. Rodriguez + +commit 0c699c3a75d4e8d0d2c317f83048d8fd3ffe692a upstream. + +Upon beacon loss we send probe requests after 30 seconds of idle +time and we wait for each probe response 1/2 second. We send a +total of 3 probe requests before giving up on the AP. In the case +that we reset the connection idle monitor we should reset the probe +requests count to 0. Right now this won't help in any way but +the next patch will. + +This patch has fixes for stable kernel [2.6.35+]. + +Cc: Paul Stewart +Cc: Amod Bodas +Signed-off-by: Luis R. Rodriguez +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/mlme.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -120,11 +120,15 @@ void ieee80211_sta_reset_beacon_monitor( + + void ieee80211_sta_reset_conn_monitor(struct ieee80211_sub_if_data *sdata) + { ++ struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; ++ + if (sdata->local->hw.flags & IEEE80211_HW_CONNECTION_MONITOR) + return; + + mod_timer(&sdata->u.mgd.conn_mon_timer, + round_jiffies_up(jiffies + IEEE80211_CONNECTION_IDLE_TIME)); ++ ++ ifmgd->probe_send_count = 0; + } + + static int ecw2cw(int ecw) diff --git a/queue-2.6.36/mac80211-send-last-3-5-probe-requests-as-unicast.patch b/queue-2.6.36/mac80211-send-last-3-5-probe-requests-as-unicast.patch new file mode 100644 index 00000000000..e7346ee2f28 --- /dev/null 
+++ b/queue-2.6.36/mac80211-send-last-3-5-probe-requests-as-unicast.patch 
@@ -0,0 +1,70 @@ +From f01a067d9e4598c71e3c9ee3a84859d2e8af4f8e Mon Sep 17 00:00:00 2001 +From: Luis R. Rodriguez +Date: Thu, 16 Sep 2010 15:12:34 -0400 +Subject: mac80211: send last 3/5 probe requests as unicast + +From: Luis R. Rodriguez + +commit f01a067d9e4598c71e3c9ee3a84859d2e8af4f8e upstream. + +Some buggy APs do not respond to unicast probe requests +or send unicast probe requests very delayed so in the +worst case we should try to send broadcast probe requests, +otherwise we can get disconnected from these APs. + +Even if drivers do not have filters to disregard probe +responses from foreign APs mac80211 will only process +probe responses from our associated AP for re-arming +connection monitoring. + +We need to do this since the beacon monitor does not +push back the connection monitor by design so even if we +are getting beacons from these type of APs our connection +monitor currently relies heavily on the way the probe +requests are received on the AP. An example of an AP +affected by this is the Nexus One, but this has also been +observed with random APs. + +We can probably optimize this later by using null funcs +instead of probe requests. + +For more details refer to: + +http://code.google.com/p/chromium-os/issues/detail?id=5715 + +This patch has fixes for stable kernels [2.6.35+]. + +Cc: Paul Stewart +Cc: Amod Bodas +Signed-off-by: Luis R. Rodriguez +Signed-off-by: John W. 
Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/mlme.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -1022,10 +1022,19 @@ static void ieee80211_mgd_probe_ap_send( + { + struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; + const u8 *ssid; ++ u8 *dst = ifmgd->associated->bssid; ++ u8 unicast_limit = max(1, IEEE80211_MAX_PROBE_TRIES - 3); ++ ++ /* ++ * Try sending broadcast probe requests for the last three ++ * probe requests after the first ones failed since some ++ * buggy APs only support broadcast probe requests. ++ */ ++ if (ifmgd->probe_send_count >= unicast_limit) ++ dst = NULL; + + ssid = ieee80211_bss_get_ie(ifmgd->associated, WLAN_EID_SSID); +- ieee80211_send_probe_req(sdata, ifmgd->associated->bssid, +- ssid + 2, ssid[1], NULL, 0); ++ ieee80211_send_probe_req(sdata, dst, ssid + 2, ssid[1], NULL, 0); + + ifmgd->probe_send_count++; + ifmgd->probe_timeout = jiffies + IEEE80211_PROBE_WAIT; diff --git a/queue-2.6.36/mac80211-use-correct-station-flags-lock.patch b/queue-2.6.36/mac80211-use-correct-station-flags-lock.patch new file mode 100644 index 00000000000..f197a3a61ec --- /dev/null +++ b/queue-2.6.36/mac80211-use-correct-station-flags-lock.patch 
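Review bot: The rewritten call `ieee80211_send_probe_req(sdata, dst, ssid + 2, ssid[1], NULL, 0);` still dereferences `ssid` without checking the result of `ieee80211_bss_get_ie()`, which returns NULL when the BSS entry carries no SSID element. Since the line is being touched anyway, guard it, for example by passing `ssid ? ssid + 2 : NULL` and `ssid ? ssid[1] : 0`, assuming a zero-length SSID is acceptable to ieee80211_send_probe_req. The new initialiser `u8 *dst = ifmgd->associated->bssid;` likewise relies on `ifmgd->associated` being non-NULL, which the callers outside the hunk must guarantee. The code comment says the last three probes go out as broadcast while the subject line says unicast; the comment is the one that matches the code.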
@@ -0,0 +1,53 @@ +From f5521b13880f4f4f612e1d20dd4f565122d16e04 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 14 Sep 2010 22:06:53 +0200 +Subject: mac80211: use correct station flags lock + +From: Johannes Berg + +commit f5521b13880f4f4f612e1d20dd4f565122d16e04 upstream. + +This code is modifying the station flags, and +as such should hold the flags lock so it can +do so atomically vs. other flags modifications +and readers. This issue was introduced when +this code was added in eccb8e8f, as it used +the wrong lock (thus not fixing the race that +was previously documented in a comment.) + +Signed-off-by: Johannes Berg +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/cfg.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -634,6 +634,7 @@ static void sta_apply_parameters(struct + struct sta_info *sta, + struct station_parameters *params) + { ++ unsigned long flags; + u32 rates; + int i, j; + struct ieee80211_supported_band *sband; +@@ -642,7 +643,7 @@ static void sta_apply_parameters(struct + + sband = local->hw.wiphy->bands[local->oper_channel->band]; + +- spin_lock_bh(&sta->lock); ++ spin_lock_irqsave(&sta->flaglock, flags); + mask = params->sta_flags_mask; + set = params->sta_flags_set; + +@@ -669,7 +670,7 @@ static void sta_apply_parameters(struct + if (set & BIT(NL80211_STA_FLAG_MFP)) + sta->flags |= WLAN_STA_MFP; + } +- spin_unlock_bh(&sta->lock); ++ spin_unlock_irqrestore(&sta->flaglock, flags); + + /* + * cfg80211 validates this (1-2007) and allows setting the AID diff --git a/queue-2.6.36/series b/queue-2.6.36/series index 038a6909d25..bf80a2a3cca 100644 --- a/queue-2.6.36/series +++ b/queue-2.6.36/series 
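Review bot: Nothing at the lock site records that `sta->flaglock`, not `sta->lock`, is what serialises writers of `sta->flags`, which according to the commit message is how the wrong lock came to be used here. A one-line comment above `spin_lock_irqsave(&sta->flaglock, flags);`, for example `/* sta->flags is protected by flaglock; sta->lock does not cover it */`, would make the rule visible to the next editor. sta_apply_parameters continues past the hunk, so whether the field updates after the unlock need `sta->lock` cannot be judged from here.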
@@ -40,3 +40,28 @@ ath9k_htc-add-new-devices-into-ar7010.patch ath9k_htc-add-support-for-device-id-3346.patch ath9k_htc-update-usb-device-id-list.patch ath9k-lock-reset-and-pcu-start-stopping.patch +cfg80211-fix-bss-double-unlinking.patch +cfg80211-fix-locking.patch +cfg80211-fix-regression-on-processing-country-ies.patch +mac80211-minstrel_ht-a-mpdu-fix.patch +mac80211-fix-possible-null-pointer-de-reference.patch +mac80211-fix-channel-assumption-for-association-done-work.patch +mac80211-fix-offchannel-assumption-upon-association.patch +mac80211-fix-signal-strength-average-initialization-for-cqm-events.patch +mac80211-reset-connection-idle-when-going-offchannel.patch +mac80211-add-helper-for-reseting-the-connection-monitor.patch +mac80211-make-the-beacon-monitor-available-externally.patch +mac80211-send-last-3-5-probe-requests-as-unicast.patch +mac80211-disable-beacon-monitor-while-going-offchannel.patch +mac80211-use-correct-station-flags-lock.patch +mac80211-clear-txflags-for-ps-filtered-frames.patch +mac80211-reset-probe-send-counter-upon-connection-timer-reset.patch +mac80211-fix-ibss-station-got-expired-immediately.patch +mac80211-don-t-sanitize-invalid-rates.patch +mac80211-delete-addba-response-timer.patch +isdn-gigaset-fix-bas_gigaset-at-read-error-handling.patch +isdn-gigaset-correct-bas_gigaset-rx-buffer-handling.patch +isdn-gigaset-bas_gigaset-locking-fix.patch +i2c-pca-platform-change-device-name-of-request_irq.patch +viafb-fix-i2c_transfer-error-handling.patch +drm-radeon-kms-register-an-i2c-adapter-name-for-the-dp-aux-bus.patch diff --git a/queue-2.6.36/viafb-fix-i2c_transfer-error-handling.patch b/queue-2.6.36/viafb-fix-i2c_transfer-error-handling.patch new file mode 100644 index 00000000000..aeea255b723 --- /dev/null +++ b/queue-2.6.36/viafb-fix-i2c_transfer-error-handling.patch 
@@ -0,0 +1,95 @@ +From 85c5702ac046b14713f776d59768252d8ed8018f Mon Sep 17 00:00:00 2001 +From: Florian Tobias Schandinat +Date: Fri, 17 Sep 2010 01:16:25 +0000 +Subject: viafb: fix i2c_transfer error handling + +From: Florian Tobias Schandinat + +commit 85c5702ac046b14713f776d59768252d8ed8018f upstream. + +i2c_transfer returns negative errno on error and number of messages +processed on success. Just returning this value would give a poor +interface as it is not obvious that you must compare with 2 after reading +1 or n bytes and with 1 after writing 1 byte to determine if it was +successful. To avoid this error prone interface convert the error code +of a successful read/write to zero and all other non-negative values to +an negative error code. +This fixes a regression introduced by + via: Rationalize vt1636 detection +which resulted in no longer detecting a VT1636 chip and therefore has +broken the output in configurations which contain this chip. + +Signed-off-by: Florian Tobias Schandinat +Acked-by: Jonathan Corbet +Cc: Joseph Chan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/via/via_i2c.c | 27 ++++++++++++++++++++++++--- + 1 file changed, 24 insertions(+), 3 deletions(-) + +--- a/drivers/video/via/via_i2c.c ++++ b/drivers/video/via/via_i2c.c +@@ -114,6 +114,7 @@ static void via_i2c_setsda(void *data, i + + int viafb_i2c_readbyte(u8 adap, u8 slave_addr, u8 index, u8 *pdata) + { ++ int ret; + u8 mm1[] = {0x00}; + struct i2c_msg msgs[2]; + +@@ -126,11 +127,18 @@ int viafb_i2c_readbyte(u8 adap, u8 slave + mm1[0] = index; + msgs[0].len = 1; msgs[1].len = 1; + msgs[0].buf = mm1; msgs[1].buf = pdata; +- return i2c_transfer(&via_i2c_par[adap].adapter, msgs, 2); ++ ret = i2c_transfer(&via_i2c_par[adap].adapter, msgs, 2); ++ if (ret == 2) ++ ret = 0; ++ else if (ret >= 0) ++ ret = -EIO; ++ ++ return ret; + } + + int viafb_i2c_writebyte(u8 adap, u8 slave_addr, u8 index, u8 data) + { ++ int ret; + u8 msg[2] = { index, data }; + struct i2c_msg msgs; + +@@ 
-140,11 +148,18 @@ int viafb_i2c_writebyte(u8 adap, u8 slav + msgs.addr = slave_addr / 2; + msgs.len = 2; + msgs.buf = msg; +- return i2c_transfer(&via_i2c_par[adap].adapter, &msgs, 1); ++ ret = i2c_transfer(&via_i2c_par[adap].adapter, &msgs, 1); ++ if (ret == 1) ++ ret = 0; ++ else if (ret >= 0) ++ ret = -EIO; ++ ++ return ret; + } + + int viafb_i2c_readbytes(u8 adap, u8 slave_addr, u8 index, u8 *buff, int buff_len) + { ++ int ret; + u8 mm1[] = {0x00}; + struct i2c_msg msgs[2]; + +@@ -156,7 +171,13 @@ int viafb_i2c_readbytes(u8 adap, u8 slav + mm1[0] = index; + msgs[0].len = 1; msgs[1].len = buff_len; + msgs[0].buf = mm1; msgs[1].buf = buff; +- return i2c_transfer(&via_i2c_par[adap].adapter, msgs, 2); ++ ret = i2c_transfer(&via_i2c_par[adap].adapter, msgs, 2); ++ if (ret == 2) ++ ret = 0; ++ else if (ret >= 0) ++ ret = -EIO; ++ ++ return ret; + } + + /*
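Review bot: In viafb_i2c_readbytes the context line `msgs[1].len = buff_len;` stores an `int` into the 16-bit `len` field of `struct i2c_msg`, so a negative or oversized `buff_len` is silently truncated and the transfer length no longer matches the caller's buffer. The new return-code handling does not cover that case; a guard at the top such as `if (buff_len <= 0 || buff_len > 0xffff) return -EINVAL;` would, although the callers are not visible and this may be unreachable today. The same conversion of `ret` to 0 or `-EIO` is now repeated in three functions with only the expected message count differing, and a small static helper taking `ret` and that count would remove the duplication.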