From: Greg Kroah-Hartman Date: Wed, 14 Nov 2007 22:11:54 +0000 (-0800) Subject: more .23 patches added X-Git-Tag: v2.6.23.2~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fb1fa9e4493b8c81f779b24e80eff2576b60afa1;p=thirdparty%2Fkernel%2Fstable-queue.git more .23 patches added
---
diff --git a/queue-2.6.23/alsa-hdsp-fix-zero-division.patch b/queue-2.6.23/alsa-hdsp-fix-zero-division.patch
new file mode 100644
index 00000000000..db64914cbd6
--- /dev/null
+++ b/queue-2.6.23/alsa-hdsp-fix-zero-division.patch
@@ -0,0 +1,34 @@
+From 2a3988f6d2c5be9d02463097775d1c66a8290527 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 16 Oct 2007 14:26:32 +0200
+Subject: ALSA: hdsp - Fix zero division
+Message-ID:
+
+From: Takashi Iwai
+
+patch 2a3988f6d2c5be9d02463097775d1c66a8290527 in mainline.
+
+Fix zero-division bug in the calculation dds offset.
+
+Signed-off-by: Takashi Iwai
+Signed-off-by: Jaroslav Kysela
+Cc: Maarten Bressers
+Cc: gentoo kernel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/rme9652/hdsp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/pci/rme9652/hdsp.c
++++ b/sound/pci/rme9652/hdsp.c
+@@ -3108,6 +3108,9 @@ static int hdsp_dds_offset(struct hdsp *
+ unsigned int dds_value = hdsp->dds_value;
+ int system_sample_rate = hdsp->system_sample_rate;
+
++ if (!dds_value)
++ return 0;
++
+ n = DDS_NUMERATOR;
+ /*
+ * dds_value = n / rate
diff --git a/queue-2.6.23/ieee80211-fix-tkip-qos-bug.patch b/queue-2.6.23/ieee80211-fix-tkip-qos-bug.patch
new file mode 100644
index 00000000000..c39f5e5c3b1
--- /dev/null
+++ b/queue-2.6.23/ieee80211-fix-tkip-qos-bug.patch
@@ -0,0 +1,35 @@
+From stable-bounces@linux.kernel.org Fri Oct 26 14:06:50 2007
+From: Johannes Berg
+Date: Fri, 26 Oct 2007 17:04:29 -0400
+Subject: ieee80211: fix TKIP QoS bug
+To: stable@kernel.org
+Cc: Johannes Berg , linux-wireless@vger.kernel.org, "John W. Linville"
+Message-ID: <11934326813508-git-send-email-linville@tuxdriver.com>
+
+
+From: Johannes Berg
+
+patch e797aa1b7da6bfcb2e19a10ae5ead9aa7aea732b in mainline.
+
+The commit 65b6a277 titled "ieee80211: Fix header->qos_ctl endian issue"
+*introduced* an endianness bug. Partially revert it.
+
+Signed-off-by: Johannes Berg
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ieee80211/ieee80211_crypt_tkip.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ieee80211/ieee80211_crypt_tkip.c
++++ b/net/ieee80211/ieee80211_crypt_tkip.c
+@@ -584,7 +584,7 @@ static void michael_mic_hdr(struct sk_bu
+ if (stype & IEEE80211_STYPE_QOS_DATA) {
+ const struct ieee80211_hdr_3addrqos *qoshdr =
+ (struct ieee80211_hdr_3addrqos *)skb->data;
+- hdr[12] = qoshdr->qos_ctl & cpu_to_le16(IEEE80211_QCTL_TID);
++ hdr[12] = le16_to_cpu(qoshdr->qos_ctl) & IEEE80211_QCTL_TID;
+ } else
+ hdr[12] = 0; /* priority */
+
diff --git a/queue-2.6.23/ipw2100-send-wext-scan-events.patch b/queue-2.6.23/ipw2100-send-wext-scan-events.patch
new file mode 100644
index 00000000000..13a5b1a9719
--- /dev/null
+++ b/queue-2.6.23/ipw2100-send-wext-scan-events.patch
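Review bot: The QoS branch in michael_mic_hdr reads `qos_ctl` through `struct ieee80211_hdr_3addrqos` with no visible check on the frame's address format or on the skb length. If this function is also reached for four-address QoS frames (the rest of its body is outside the hunk), the field sits further into the header and the MIC would be computed over the wrong priority byte, which shows up as Michael MIC failures on the peer. A comment stating that only three-address QoS data is expected here, or selecting the header layout from the ToDS/FromDS bits, would make the assumption explicit. The narrowing into `hdr[12]` also relies on IEEE80211_QCTL_TID fitting in one byte, which deserves a short comment.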
@@ -0,0 +1,115 @@
+From stable-bounces@linux.kernel.org Fri Oct 26 14:07:23 2007
+From: Dan Williams
+Date: Fri, 26 Oct 2007 17:04:37 -0400
+Subject: ipw2100: send WEXT scan events
+To: stable@kernel.org
+Cc: Dan Williams , linux-wireless@vger.kernel.org, "John W. Linville"
+Message-ID: <11934326831029-git-send-email-linville@tuxdriver.com>
+
+
+From: Dan Williams
+
+patch d20c678a450a25c1c12925f60c1b4cc040acc17d in mainline
+
+ipw2100 wasn't sending WEXT scan events at all on scan completion. And
+like ipw2200, the driver aggressively auto-scans, requiring
+non-user-requested scan events to be batched together and sent at
+specific intervals instead of many times per seconds.
+
+Signed-off-by: Dan Williams
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ipw2100.c | 39 +++++++++++++++++++++++++++++++++++++++
+ drivers/net/wireless/ipw2100.h | 4 ++++
+ 2 files changed, 43 insertions(+)
+
+--- a/drivers/net/wireless/ipw2100.c
++++ b/drivers/net/wireless/ipw2100.c
+@@ -2102,12 +2102,46 @@ static void isr_indicate_rf_kill(struct
+ queue_delayed_work(priv->workqueue, &priv->rf_kill, round_jiffies(HZ));
+ }
+
++static void send_scan_event(void *data)
++{
++ struct ipw2100_priv *priv = data;
++ union iwreq_data wrqu;
++
++ wrqu.data.length = 0;
++ wrqu.data.flags = 0;
++ wireless_send_event(priv->net_dev, SIOCGIWSCAN, &wrqu, NULL);
++}
++
++static void ipw2100_scan_event_later(struct work_struct *work)
++{
++ send_scan_event(container_of(work, struct ipw2100_priv,
++ scan_event_later.work));
++}
++
++static void ipw2100_scan_event_now(struct work_struct *work)
++{
++ send_scan_event(container_of(work, struct ipw2100_priv,
++ scan_event_now));
++}
++
+ static void isr_scan_complete(struct ipw2100_priv *priv, u32 status)
+ {
+ IPW_DEBUG_SCAN("scan complete\n");
+ /* Age the scan results... */
+ priv->ieee->scans++;
+ priv->status &= ~STATUS_SCANNING;
++
++ /* Only userspace-requested scan completion events go out immediately */
++ if (!priv->user_requested_scan) {
++ if (!delayed_work_pending(&priv->scan_event_later))
++ queue_delayed_work(priv->workqueue,
++ &priv->scan_event_later,
++ round_jiffies(msecs_to_jiffies(4000)));
++ } else {
++ priv->user_requested_scan = 0;
++ cancel_delayed_work(&priv->scan_event_later);
++ queue_work(priv->workqueue, &priv->scan_event_now);
++ }
+ }
+
+ #ifdef CONFIG_IPW2100_DEBUG
+@@ -4376,6 +4410,7 @@ static void ipw2100_kill_workqueue(struc
+ cancel_delayed_work(&priv->wx_event_work);
+ cancel_delayed_work(&priv->hang_check);
+ cancel_delayed_work(&priv->rf_kill);
++ cancel_delayed_work(&priv->scan_event_later);
+ destroy_workqueue(priv->workqueue);
+ priv->workqueue = NULL;
+ }
+@@ -6118,6 +6153,8 @@ static struct net_device *ipw2100_alloc_
+ INIT_DELAYED_WORK(&priv->wx_event_work, ipw2100_wx_event_work);
+ INIT_DELAYED_WORK(&priv->hang_check, ipw2100_hang_check);
+ INIT_DELAYED_WORK(&priv->rf_kill, ipw2100_rf_kill);
++ INIT_WORK(&priv->scan_event_now, ipw2100_scan_event_now);
++ INIT_DELAYED_WORK(&priv->scan_event_later, ipw2100_scan_event_later);
+
+ tasklet_init(&priv->irq_tasklet, (void (*)(unsigned long))
+ ipw2100_irq_tasklet, (unsigned long)priv);
+@@ -7427,6 +7464,8 @@ static int ipw2100_wx_set_scan(struct ne
+ }
+
+ IPW_DEBUG_WX("Initiating scan...\n");
++
++ priv->user_requested_scan = 1;
+ if (ipw2100_set_scan_options(priv) || ipw2100_start_scan(priv)) {
+ IPW_DEBUG_WX("Start scan failed.\n");
+
+--- a/drivers/net/wireless/ipw2100.h
++++ b/drivers/net/wireless/ipw2100.h
+@@ -588,6 +588,10 @@ struct ipw2100_priv {
+ struct delayed_work wx_event_work;
+ struct delayed_work hang_check;
+ struct delayed_work rf_kill;
++ struct work_struct scan_event_now;
++ struct delayed_work scan_event_later;
++
++ int user_requested_scan;
+
+ u32 interrupts;
+ int tx_interrupts;
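Review bot: `priv->user_requested_scan = 1` in ipw2100_wx_set_scan is set before the start attempt, and nothing in the visible failure branch (`Start scan failed.`) clears it, so after a failed request the next driver-initiated scan completion would be reported immediately as if userspace had asked for it. That branch continues outside the hunk, so either confirm it resets the flag or move the assignment to after a successful start. The flag is also a plain `int` written from the ioctl path and cleared in isr_scan_complete with no lock or atomic visible in the hunk. In send_scan_event only `wrqu.data.length` and `wrqu.data.flags` are set on a stack union handed to wireless_send_event; a leading `memset(&wrqu, 0, sizeof(wrqu));` would keep uninitialised stack bytes out of anything copied towards userspace.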
diff --git a/queue-2.6.23/mac80211-honor-iw_scan_this_essid-in-siwscan-ioctl.patch b/queue-2.6.23/mac80211-honor-iw_scan_this_essid-in-siwscan-ioctl.patch
new file mode 100644
index 00000000000..c6f89652a44
--- /dev/null
+++ b/queue-2.6.23/mac80211-honor-iw_scan_this_essid-in-siwscan-ioctl.patch
@@ -0,0 +1,85 @@
+From stable-bounces@linux.kernel.org Fri Oct 26 14:08:18 2007
+From: Bill Moss
+Date: Fri, 26 Oct 2007 17:04:33 -0400
+Subject: mac80211: honor IW_SCAN_THIS_ESSID in siwscan ioctl
+To: stable@kernel.org
+Cc: Abhijeet Kolekar , linux-wireless@vger.kernel.org, "John W. Linville" , Bill Moss
+Message-ID: <11934326823646-git-send-email-linville@tuxdriver.com>
+
+
+From: Bill Moss
+
+patch 107acb23ba763197d390ae9ffd347f3e2a524d39 in mainline.
+
+This patch fixes the problem of associating with wpa_secured hidden
+AP. Please try out.
+
+The original author of this patch is Bill Moss
+
+Signed-off-by: Abhijeet Kolekar
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/ieee80211_ioctl.c | 40 ++++++++++++++++++++++++----------------
+ 1 file changed, 24 insertions(+), 16 deletions(-)
+
+--- a/net/mac80211/ieee80211_ioctl.c
++++ b/net/mac80211/ieee80211_ioctl.c
+@@ -687,32 +687,40 @@ static int ieee80211_ioctl_giwap(struct
+
+ static int ieee80211_ioctl_siwscan(struct net_device *dev,
+ struct iw_request_info *info,
+- struct iw_point *data, char *extra)
++ union iwreq_data *wrqu, char *extra)
+ {
+ struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
+ struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
++ struct iw_scan_req *req = NULL;
+ u8 *ssid = NULL;
+ size_t ssid_len = 0;
+
+ if (!netif_running(dev))
+ return -ENETDOWN;
+
+- switch (sdata->type) {
+- case IEEE80211_IF_TYPE_STA:
+- case IEEE80211_IF_TYPE_IBSS:
+- if (local->scan_flags & IEEE80211_SCAN_MATCH_SSID) {
+- ssid = sdata->u.sta.ssid;
+- ssid_len = sdata->u.sta.ssid_len;
+- }
+- break;
+- case IEEE80211_IF_TYPE_AP:
+- if (local->scan_flags & IEEE80211_SCAN_MATCH_SSID) {
+- ssid = sdata->u.ap.ssid;
+- ssid_len = sdata->u.ap.ssid_len;
++ if (wrqu->data.length == sizeof(struct iw_scan_req) &&
++ wrqu->data.flags & IW_SCAN_THIS_ESSID) {
++ req = (struct iw_scan_req *)extra;
++ ssid = req->essid;
++ ssid_len = req->essid_len;
++ } else {
++ switch (sdata->type) {
++ case IEEE80211_IF_TYPE_STA:
++ case IEEE80211_IF_TYPE_IBSS:
++ if (local->scan_flags & IEEE80211_SCAN_MATCH_SSID) {
++ ssid = sdata->u.sta.ssid;
++ ssid_len = sdata->u.sta.ssid_len;
++ }
++ break;
++ case IEEE80211_IF_TYPE_AP:
++ if (local->scan_flags & IEEE80211_SCAN_MATCH_SSID) {
++ ssid = sdata->u.ap.ssid;
++ ssid_len = sdata->u.ap.ssid_len;
++ }
++ break;
++ default:
++ return -EOPNOTSUPP;
+ }
+- break;
+- default:
+- return -EOPNOTSUPP;
+ }
+
+ return ieee80211_sta_req_scan(dev, ssid, ssid_len);
diff --git a/queue-2.6.23/mac80211-make-ieee802_11_parse_elems-return-void.patch b/queue-2.6.23/mac80211-make-ieee802_11_parse_elems-return-void.patch
new file mode 100644
index 00000000000..e1bf84b4f08
--- /dev/null
+++ b/queue-2.6.23/mac80211-make-ieee802_11_parse_elems-return-void.patch
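Review bot: `ssid_len = req->essid_len` in ieee80211_ioctl_siwscan takes a length supplied by the caller of the ioctl and hands it to ieee80211_sta_req_scan without comparing it with the size of `req->essid`. The only validation visible is `wrqu->data.length == sizeof(struct iw_scan_req)`, which bounds the request buffer but not the length field inside it, so an oversized value would let later code read past `essid` unless ieee80211_sta_req_scan rejects it (not visible here). A guard such as `if (req->essid_len > IEEE80211_MAX_SSID_LEN) return -EINVAL;` before the assignment closes this. The same unchecked assignment is carried unchanged by the follow-up patch mac80211-only-honor-iw_scan_this_essid-in-sta-ibss-and-ap-modes.patch.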
@@ -0,0 +1,164 @@
+From stable-bounces@linux.kernel.org Fri Oct 26 14:07:45 2007
+From: "John W. Linville"
+Date: Fri, 26 Oct 2007 17:04:35 -0400
+Subject: mac80211: make ieee802_11_parse_elems return void
+To: stable@kernel.org
+Cc: linux-wireless@vger.kernel.org, "John W. Linville"
+Message-ID: <11934326823109-git-send-email-linville@tuxdriver.com>
+
+
+From: John W. Linville
+
+patch 67a4cce4a89718d252b61aaf58882c69c0e2f6e3 in mainline.
+
+Some APs send management frames with junk padding after the last IE.
+We already account for a similar problem with some Apple Airport
+devices, but at least one device is known to send more than a single
+extra byte. The device in question is the Draytek Vigor2900:
+
+ http://www.draytek.com.au/products/Vigor2900.php
+
+The junk in question looks like an IE that runs off the end of the
+frame. This cause us to return ParseFailed. Since the frame in
+question is an association response, this causes us to fail to associate
+with this AP.
+
+The return code from ieee802_11_parse_elems is superfluous.
+All callers still check for the presence of the specific IEs that
+interest them anyway. So, remove the return code so the parse never
+"fails".
+
+Acked-by: Michael Wu
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/ieee80211_sta.c | 56 ++++++-------------------------------------
+ 1 file changed, 9 insertions(+), 47 deletions(-)
+
+--- a/net/mac80211/ieee80211_sta.c
++++ b/net/mac80211/ieee80211_sta.c
+@@ -108,15 +108,11 @@ struct ieee802_11_elems {
+ u8 wmm_param_len;
+ };
+
+-typedef enum { ParseOK = 0, ParseUnknown = 1, ParseFailed = -1 } ParseRes;
+-
+-
+-static ParseRes ieee802_11_parse_elems(u8 *start, size_t len,
+- struct ieee802_11_elems *elems)
++static void ieee802_11_parse_elems(u8 *start, size_t len,
++ struct ieee802_11_elems *elems)
+ {
+ size_t left = len;
+ u8 *pos = start;
+- int unknown = 0;
+
+ memset(elems, 0, sizeof(*elems));
+
+@@ -127,15 +123,8 @@ static ParseRes ieee802_11_parse_elems(u
+ elen = *pos++;
+ left -= 2;
+
+- if (elen > left) {
+-#if 0
+- if (net_ratelimit())
+- printk(KERN_DEBUG "IEEE 802.11 element parse "
+- "failed (id=%d elen=%d left=%d)\n",
+- id, elen, left);
+-#endif
+- return ParseFailed;
+- }
++ if (elen > left)
++ return;
+
+ switch (id) {
+ case WLAN_EID_SSID:
+@@ -202,28 +191,15 @@ static ParseRes ieee802_11_parse_elems(u
+ elems->ext_supp_rates_len = elen;
+ break;
+ default:
+-#if 0
+- printk(KERN_DEBUG "IEEE 802.11 element parse ignored "
+- "unknown element (id=%d elen=%d)\n",
+- id, elen);
+-#endif
+- unknown++;
+ break;
+ }
+
+ left -= elen;
+ pos += elen;
+ }
+-
+- /* Do not trigger error if left == 1 as Apple Airport base stations
+- * send AssocResps that are one spurious byte too long. */
+-
+- return unknown ? ParseUnknown : ParseOK;
+ }
+
+
+-
+-
+ static int ecw2cw(int ecw)
+ {
+ int cw = 1;
+@@ -907,12 +883,7 @@ static void ieee80211_auth_challenge(str
+
+ printk(KERN_DEBUG "%s: replying to auth challenge\n", dev->name);
+ pos = mgmt->u.auth.variable;
+- if (ieee802_11_parse_elems(pos, len - (pos - (u8 *) mgmt), &elems)
+- == ParseFailed) {
+- printk(KERN_DEBUG "%s: failed to parse Auth(challenge)\n",
+- dev->name);
+- return;
+- }
++ ieee802_11_parse_elems(pos, len - (pos - (u8 *) mgmt), &elems);
+ if (!elems.challenge) {
+ printk(KERN_DEBUG "%s: no challenge IE in shared key auth "
+ "frame\n", dev->name);
+@@ -1200,12 +1171,7 @@ static void ieee80211_rx_mgmt_assoc_resp
+ aid &= ~(BIT(15) | BIT(14));
+
+ pos = mgmt->u.assoc_resp.variable;
+- if (ieee802_11_parse_elems(pos, len - (pos - (u8 *) mgmt), &elems)
+- == ParseFailed) {
+- printk(KERN_DEBUG "%s: failed to parse AssocResp\n",
+- dev->name);
+- return;
+- }
++ ieee802_11_parse_elems(pos, len - (pos - (u8 *) mgmt), &elems);
+
+ if (!elems.supp_rates) {
+ printk(KERN_DEBUG "%s: no SuppRates element in AssocResp\n",
+@@ -1434,7 +1400,7 @@ static void ieee80211_rx_bss_info(struct
+ struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
+ struct ieee802_11_elems elems;
+ size_t baselen;
+- int channel, invalid = 0, clen;
++ int channel, clen;
+ struct ieee80211_sta_bss *bss;
+ struct sta_info *sta;
+ struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+@@ -1478,9 +1444,7 @@ static void ieee80211_rx_bss_info(struct
+ #endif /* CONFIG_MAC80211_IBSS_DEBUG */
+ }
+
+- if (ieee802_11_parse_elems(mgmt->u.beacon.variable, len - baselen,
+- &elems) == ParseFailed)
+- invalid = 1;
++ ieee802_11_parse_elems(mgmt->u.beacon.variable, len - baselen, &elems);
+
+ if (sdata->type == IEEE80211_IF_TYPE_IBSS && elems.supp_rates &&
+ memcmp(mgmt->bssid, sdata->u.sta.bssid, ETH_ALEN) == 0 &&
+@@ -1699,9 +1663,7 @@ static void ieee80211_rx_mgmt_beacon(str
+ if (baselen > len)
+ return;
+
+- if (ieee802_11_parse_elems(mgmt->u.beacon.variable, len - baselen,
+- &elems) == ParseFailed)
+- return;
++ ieee802_11_parse_elems(mgmt->u.beacon.variable, len - baselen, &elems);
+
+ if (elems.erp_info && elems.erp_info_len >= 1)
+ ieee80211_handle_erp_ie(dev, elems.erp_info[0]);
diff --git a/queue-2.6.23/mac80211-only-honor-iw_scan_this_essid-in-sta-ibss-and-ap-modes.patch b/queue-2.6.23/mac80211-only-honor-iw_scan_this_essid-in-sta-ibss-and-ap-modes.patch
new file mode 100644
index 00000000000..814988d1818
--- /dev/null
+++ b/queue-2.6.23/mac80211-only-honor-iw_scan_this_essid-in-sta-ibss-and-ap-modes.patch
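Review bot: The new `if (elen > left) return;` in ieee802_11_parse_elems stops silently on a truncated element, and the commit also deletes the comment about Apple Airport frames, so nothing in the code records that malformed input is tolerated on purpose. These frames arrive over the air and every caller now proceeds with whatever was parsed before the bad element, so a comment at that return such as `/* truncated trailing IE (seen from real APs): keep what was parsed; callers must check each element and its length */` would state the contract for future callers. A rate-limited debug message at the same place, in the spirit of the one removed from under `#if 0`, would also help when diagnosing access points that send such frames.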
@@ -0,0 +1,75 @@
+From stable-bounces@linux.kernel.org Fri Oct 26 14:07:34 2007
+From: "John W. Linville"
+Date: Fri, 26 Oct 2007 17:04:34 -0400
+Subject: mac80211: only honor IW_SCAN_THIS_ESSID in STA, IBSS, and AP modes
+To: stable@kernel.org
+Cc: linux-wireless@vger.kernel.org, "John W. Linville"
+Message-ID: <11934326821301-git-send-email-linville@tuxdriver.com>
+
+
+From: John W. Linville
+
+patch d114f399b4da6fa7f9da3bbf1fb841370c11e788 in mainline.
+
+The previous IW_SCAN_THIS_ESSID patch left a hole allowing scan
+requests on interfaces in inappropriate modes.
+
+Signed-off-by: John W. Linville
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/ieee80211_ioctl.c | 37 +++++++++++++++++++------------------
+ 1 file changed, 19 insertions(+), 18 deletions(-)
+
+--- a/net/mac80211/ieee80211_ioctl.c
++++ b/net/mac80211/ieee80211_ioctl.c
+@@ -698,29 +698,30 @@ static int ieee80211_ioctl_siwscan(struc
+ if (!netif_running(dev))
+ return -ENETDOWN;
+
++ switch (sdata->type) {
++ case IEEE80211_IF_TYPE_STA:
++ case IEEE80211_IF_TYPE_IBSS:
++ if (local->scan_flags & IEEE80211_SCAN_MATCH_SSID) {
++ ssid = sdata->u.sta.ssid;
++ ssid_len = sdata->u.sta.ssid_len;
++ }
++ break;
++ case IEEE80211_IF_TYPE_AP:
++ if (local->scan_flags & IEEE80211_SCAN_MATCH_SSID) {
++ ssid = sdata->u.ap.ssid;
++ ssid_len = sdata->u.ap.ssid_len;
++ }
++ break;
++ default:
++ return -EOPNOTSUPP;
++ }
++
++ /* if SSID was specified explicitly then use that */
+ if (wrqu->data.length == sizeof(struct iw_scan_req) &&
+ wrqu->data.flags & IW_SCAN_THIS_ESSID) {
+ req = (struct iw_scan_req *)extra;
+ ssid = req->essid;
+ ssid_len = req->essid_len;
+- } else {
+- switch (sdata->type) {
+- case IEEE80211_IF_TYPE_STA:
+- case IEEE80211_IF_TYPE_IBSS:
+- if (local->scan_flags & IEEE80211_SCAN_MATCH_SSID) {
+- ssid = sdata->u.sta.ssid;
+- ssid_len = sdata->u.sta.ssid_len;
+- }
+- break;
+- case IEEE80211_IF_TYPE_AP:
+- if (local->scan_flags & IEEE80211_SCAN_MATCH_SSID) {
+- ssid = sdata->u.ap.ssid;
+- ssid_len = sdata->u.ap.ssid_len;
+- }
+- break;
+- default:
+- return -EOPNOTSUPP;
+- }
+ }
+
+ return ieee80211_sta_req_scan(dev, ssid, ssid_len);
diff --git a/queue-2.6.23/mac80211-reorder-association-debug-output.patch b/queue-2.6.23/mac80211-reorder-association-debug-output.patch
new file mode 100644
index 00000000000..c0296f48610
--- /dev/null
+++ b/queue-2.6.23/mac80211-reorder-association-debug-output.patch
@@ -0,0 +1,56 @@
+From stable-bounces@linux.kernel.org Fri Oct 26 14:07:12 2007
+From: Johannes Berg
+Date: Fri, 26 Oct 2007 17:04:30 -0400
+Subject: mac80211: reorder association debug output
+To: stable@kernel.org
+Cc: Johannes Berg , linux-wireless@vger.kernel.org, "John W. Linville"
+Message-ID: <1193432681145-git-send-email-linville@tuxdriver.com>
+
+
+From: Johannes Berg
+
+patch 1dd84aa213d0f98a91a1ec9be2f750f5f48e75a0 in mainline.
+
+There's no reason to warn about an invalid AID field when the
+association was denied.
+
+Signed-off-by: Johannes Berg
+Acked-by: Michael Wu
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/ieee80211_sta.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/net/mac80211/ieee80211_sta.c
++++ b/net/mac80211/ieee80211_sta.c
+@@ -1174,15 +1174,11 @@ static void ieee80211_rx_mgmt_assoc_resp
+ capab_info = le16_to_cpu(mgmt->u.assoc_resp.capab_info);
+ status_code = le16_to_cpu(mgmt->u.assoc_resp.status_code);
+ aid = le16_to_cpu(mgmt->u.assoc_resp.aid);
+- if ((aid & (BIT(15) | BIT(14))) != (BIT(15) | BIT(14)))
+- printk(KERN_DEBUG "%s: invalid aid value %d; bits 15:14 not "
+- "set\n", dev->name, aid);
+- aid &= ~(BIT(15) | BIT(14));
+
+ printk(KERN_DEBUG "%s: RX %sssocResp from " MAC_FMT " (capab=0x%x "
+ "status=%d aid=%d)\n",
+ dev->name, reassoc ? "Rea" : "A", MAC_ARG(mgmt->sa),
+- capab_info, status_code, aid);
++ capab_info, status_code, aid & ~(BIT(15) | BIT(14)));
+
+ if (status_code != WLAN_STATUS_SUCCESS) {
+ printk(KERN_DEBUG "%s: AP denied association (code=%d)\n",
+@@ -1192,6 +1188,11 @@ static void ieee80211_rx_mgmt_assoc_resp
+ return;
+ }
+
++ if ((aid & (BIT(15) | BIT(14))) != (BIT(15) | BIT(14)))
++ printk(KERN_DEBUG "%s: invalid aid value %d; bits 15:14 not "
++ "set\n", dev->name, aid);
++ aid &= ~(BIT(15) | BIT(14));
++
+ pos = mgmt->u.assoc_resp.variable;
+ if (ieee802_11_parse_elems(pos, len - (pos - (u8 *) mgmt), &elems)
+ == ParseFailed) {
diff --git a/queue-2.6.23/mac80211-store-channel-info-in-sta_bss_list.patch b/queue-2.6.23/mac80211-store-channel-info-in-sta_bss_list.patch
new file mode 100644
index 00000000000..28e7b9cc573
--- /dev/null
+++ b/queue-2.6.23/mac80211-store-channel-info-in-sta_bss_list.patch
@@ -0,0 +1,181 @@
+From stable-bounces@linux.kernel.org Fri Oct 26 14:08:07 2007
+From: "John W. Linville"
+Date: Fri, 26 Oct 2007 17:04:31 -0400
+Subject: mac80211: store channel info in sta_bss_list
+To: stable@kernel.org
+Cc: linux-wireless@vger.kernel.org, "John W. Linville"
+Message-ID: <11934326812028-git-send-email-linville@tuxdriver.com>
+
+From: John W. Linville
+
+patch 65c107ab3befc37b21d1c970a6159525bc0121b8 in mainline.
+
+Some AP equipment "in the wild" uses the same BSSID on multiple channels
+(particularly "a" vs. "b/g"). This patch changes the key of sta_bss_list
+to include both the BSSID and the channel so as to prevent a BSSID on
+one channel from eclipsing the same BSSID on another channel.
+
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/ieee80211_sta.c | 35 ++++++++++++++++++++---------------
+ 1 file changed, 20 insertions(+), 15 deletions(-)
+
+--- a/net/mac80211/ieee80211_sta.c
++++ b/net/mac80211/ieee80211_sta.c
+@@ -61,7 +61,7 @@
+ static void ieee80211_send_probe_req(struct net_device *dev, u8 *dst,
+ u8 *ssid, size_t ssid_len);
+ static struct ieee80211_sta_bss *
+-ieee80211_rx_bss_get(struct net_device *dev, u8 *bssid);
++ieee80211_rx_bss_get(struct net_device *dev, u8 *bssid, int channel);
+ static void ieee80211_rx_bss_put(struct net_device *dev,
+ struct ieee80211_sta_bss *bss);
+ static int ieee80211_sta_find_ibss(struct net_device *dev,
+@@ -387,6 +387,7 @@ static void ieee80211_set_associated(str
+ struct ieee80211_if_sta *ifsta, int assoc)
+ {
+ union iwreq_data wrqu;
++ struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
+ struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+
+ if (ifsta->associated == assoc)
+@@ -401,7 +402,8 @@ static void ieee80211_set_associated(str
+ if (sdata->type != IEEE80211_IF_TYPE_STA)
+ return;
+
+- bss = ieee80211_rx_bss_get(dev, ifsta->bssid);
++ bss = ieee80211_rx_bss_get(dev, ifsta->bssid,
++ local->hw.conf.channel);
+ if (bss) {
+ if (bss->has_erp_value)
+ ieee80211_handle_erp_ie(dev, bss->erp_value);
+@@ -543,7 +545,7 @@ static void ieee80211_send_assoc(struct
+ capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME |
+ WLAN_CAPABILITY_SHORT_PREAMBLE;
+ }
+- bss = ieee80211_rx_bss_get(dev, ifsta->bssid);
++ bss = ieee80211_rx_bss_get(dev, ifsta->bssid, local->hw.conf.channel);
+ if (bss) {
+ if (bss->capability & WLAN_CAPABILITY_PRIVACY)
+ capab |= WLAN_CAPABILITY_PRIVACY;
+@@ -695,6 +697,7 @@ static void ieee80211_send_disassoc(stru
+ static int ieee80211_privacy_mismatch(struct net_device *dev,
+ struct ieee80211_if_sta *ifsta)
+ {
++ struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
+ struct ieee80211_sta_bss *bss;
+ int res = 0;
+
+@@ -702,7 +705,7 @@ static int ieee80211_privacy_mismatch(st
+ ifsta->key_mgmt != IEEE80211_KEY_MGMT_NONE)
+ return 0;
+
+- bss = ieee80211_rx_bss_get(dev, ifsta->bssid);
++ bss = ieee80211_rx_bss_get(dev, ifsta->bssid, local->hw.conf.channel);
+ if (!bss)
+ return 0;
+
+@@ -1211,7 +1214,8 @@ static void ieee80211_rx_mgmt_assoc_resp
+ * update our stored copy */
+ if (elems.erp_info && elems.erp_info_len >= 1) {
+ struct ieee80211_sta_bss *bss
+- = ieee80211_rx_bss_get(dev, ifsta->bssid);
++ = ieee80211_rx_bss_get(dev, ifsta->bssid,
++ local->hw.conf.channel);
+ if (bss) {
+ bss->erp_value = elems.erp_info[0];
+ bss->has_erp_value = 1;
+@@ -1241,7 +1245,8 @@ static void ieee80211_rx_mgmt_assoc_resp
+ " AP\n", dev->name);
+ return;
+ }
+- bss = ieee80211_rx_bss_get(dev, ifsta->bssid);
++ bss = ieee80211_rx_bss_get(dev, ifsta->bssid,
++ local->hw.conf.channel);
+ if (bss) {
+ sta->last_rssi = bss->rssi;
+ sta->last_signal = bss->signal;
+@@ -1322,7 +1327,7 @@ static void __ieee80211_rx_bss_hash_del(
+
+
+ static struct ieee80211_sta_bss *
+-ieee80211_rx_bss_add(struct net_device *dev, u8 *bssid)
++ieee80211_rx_bss_add(struct net_device *dev, u8 *bssid, int channel)
+ {
+ struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
+ struct ieee80211_sta_bss *bss;
+@@ -1333,6 +1338,7 @@ ieee80211_rx_bss_add(struct net_device *
+ atomic_inc(&bss->users);
+ atomic_inc(&bss->users);
+ memcpy(bss->bssid, bssid, ETH_ALEN);
++ bss->channel = channel;
+
+ spin_lock_bh(&local->sta_bss_lock);
+ /* TODO: order by RSSI? */
+@@ -1344,7 +1350,7 @@ ieee80211_rx_bss_add(struct net_device *
+
+
+ static struct ieee80211_sta_bss *
+-ieee80211_rx_bss_get(struct net_device *dev, u8 *bssid)
++ieee80211_rx_bss_get(struct net_device *dev, u8 *bssid, int channel)
+ {
+ struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
+ struct ieee80211_sta_bss *bss;
+@@ -1352,7 +1358,8 @@ ieee80211_rx_bss_get(struct net_device *
+ spin_lock_bh(&local->sta_bss_lock);
+ bss = local->sta_bss_hash[STA_HASH(bssid)];
+ while (bss) {
+- if (memcmp(bss->bssid, bssid, ETH_ALEN) == 0) {
++ if (memcmp(bss->bssid, bssid, ETH_ALEN) == 0 &&
++ bss->channel == channel) {
+ atomic_inc(&bss->users);
+ break;
+ }
+@@ -1520,9 +1527,9 @@ static void ieee80211_rx_bss_info(struct
+ else
+ channel = rx_status->channel;
+
+- bss = ieee80211_rx_bss_get(dev, mgmt->bssid);
++ bss = ieee80211_rx_bss_get(dev, mgmt->bssid, channel);
+ if (!bss) {
+- bss = ieee80211_rx_bss_add(dev, mgmt->bssid);
++ bss = ieee80211_rx_bss_add(dev, mgmt->bssid, channel);
+ if (!bss)
+ return;
+ } else {
+@@ -1622,7 +1629,6 @@ static void ieee80211_rx_bss_info(struct
+
+
+ bss->hw_mode = rx_status->phymode;
+- bss->channel = channel;
+ bss->freq = rx_status->freq;
+ if (channel != rx_status->channel &&
+ (bss->hw_mode == MODE_IEEE80211G ||
+@@ -2355,7 +2361,7 @@ static int ieee80211_sta_create_ibss(str
+ printk(KERN_DEBUG "%s: Creating new IBSS network, BSSID " MAC_FMT "\n",
+ dev->name, MAC_ARG(bssid));
+
+- bss = ieee80211_rx_bss_add(dev, bssid);
++ bss = ieee80211_rx_bss_add(dev, bssid, local->hw.conf.channel);
+ if (!bss)
+ return -ENOMEM;
+
+@@ -2366,7 +2372,6 @@ static int ieee80211_sta_create_ibss(str
+ local->hw.conf.beacon_int = 100;
+ bss->beacon_int = local->hw.conf.beacon_int;
+ bss->hw_mode = local->hw.conf.phymode;
+- bss->channel = local->hw.conf.channel;
+ bss->freq = local->hw.conf.freq;
+ bss->last_update = jiffies;
+ bss->capability = WLAN_CAPABILITY_IBSS;
+@@ -2426,7 +2431,7 @@ static int ieee80211_sta_find_ibss(struc
+ MAC_FMT "\n", MAC_ARG(bssid), MAC_ARG(ifsta->bssid));
+ #endif /* CONFIG_MAC80211_IBSS_DEBUG */
+ if (found && memcmp(ifsta->bssid, bssid, ETH_ALEN) != 0 &&
+- (bss = ieee80211_rx_bss_get(dev, bssid))) {
++ (bss = ieee80211_rx_bss_get(dev, bssid, local->hw.conf.channel))) {
+ printk(KERN_DEBUG "%s: Selected IBSS BSSID " MAC_FMT
+ " based on configured SSID\n",
+ dev->name, MAC_ARG(bssid));
diff --git a/queue-2.6.23/mac80211-store-ssid-in-sta_bss_list.patch b/queue-2.6.23/mac80211-store-ssid-in-sta_bss_list.patch
new file mode 100644
index 00000000000..5f6b1c19fb5
--- /dev/null
+++ b/queue-2.6.23/mac80211-store-ssid-in-sta_bss_list.patch
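Review bot: The lookups for the associated BSS (ieee80211_set_associated, ieee80211_send_assoc, ieee80211_privacy_mismatch, ieee80211_rx_mgmt_assoc_resp) now key on `local->hw.conf.channel`, while entries are stored under the `channel` computed in ieee80211_rx_bss_info, and a miss is handled silently. In ieee80211_privacy_mismatch a miss hits `if (!bss) return 0;`, which reports "no mismatch", so if the hardware channel differs from the stored one (for example while it is retuned, or when the stored channel came from the frame rather than from `rx_status->channel`) the privacy check is skipped instead of failing. Consider recording the channel of the BSS being joined in `ifsta` and using it for these lookups, or at least logging the miss. The branch that assigns `channel` before the visible `else` is outside the hunk, so the source of that value should be confirmed.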
@@ -0,0 +1,197 @@
+From stable-bounces@linux.kernel.org Fri Oct 26 14:06:06 2007
+From: "John W. Linville"
+Date: Fri, 26 Oct 2007 17:04:32 -0400
+Subject: mac80211: store SSID in sta_bss_list
+To: stable@kernel.org
+Cc: linux-wireless@vger.kernel.org, "John W. Linville"
+Message-ID: <11934326813245-git-send-email-linville@tuxdriver.com>
+
+
+From: John W. Linville
+
+patch cffdd30d20d163343b1c6de25bcb0cc978a1ebf9 in mainline.
+
+Some AP equipment "in the wild" services multiple SSIDs using the
+same BSSID. This patch changes the key of sta_bss_list to include
+the SSID as well as the BSSID and the channel so as to prevent one
+SSID from eclipsing another SSID with the same BSSID.
+
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/ieee80211_sta.c | 54 ++++++++++++++++++++++++++-----------------
+ 1 file changed, 33 insertions(+), 21 deletions(-)
+
+--- a/net/mac80211/ieee80211_sta.c
++++ b/net/mac80211/ieee80211_sta.c
+@@ -12,7 +12,6 @@
+ */
+
+ /* TODO:
+- * BSS table: use as the key to support multi-SSID APs
+ * order BSS list by RSSI(?) ("quality of AP")
+ * scan result table filtering (by capability (privacy, IBSS/BSS, WPA/RSN IE,
+ * SSID)
+@@ -61,7 +60,8 @@
+ static void ieee80211_send_probe_req(struct net_device *dev, u8 *dst,
+ u8 *ssid, size_t ssid_len);
+ static struct ieee80211_sta_bss *
+-ieee80211_rx_bss_get(struct net_device *dev, u8 *bssid, int channel);
++ieee80211_rx_bss_get(struct net_device *dev, u8 *bssid, int channel,
++ u8 *ssid, u8 ssid_len);
+ static void ieee80211_rx_bss_put(struct net_device *dev,
+ struct ieee80211_sta_bss *bss);
+ static int ieee80211_sta_find_ibss(struct net_device *dev,
+@@ -403,7 +403,8 @@ static void ieee80211_set_associated(str
+ return;
+
+ bss = ieee80211_rx_bss_get(dev, ifsta->bssid,
+- local->hw.conf.channel);
++ local->hw.conf.channel,
++ ifsta->ssid, ifsta->ssid_len);
+ if (bss) {
+ if (bss->has_erp_value)
+ ieee80211_handle_erp_ie(dev, bss->erp_value);
+@@ -545,7 +546,8 @@ static void ieee80211_send_assoc(struct
+ capab |= WLAN_CAPABILITY_SHORT_SLOT_TIME |
+ WLAN_CAPABILITY_SHORT_PREAMBLE;
+ }
+- bss = ieee80211_rx_bss_get(dev, ifsta->bssid, local->hw.conf.channel);
++ bss = ieee80211_rx_bss_get(dev, ifsta->bssid, local->hw.conf.channel,
++ ifsta->ssid, ifsta->ssid_len);
+ if (bss) {
+ if (bss->capability & WLAN_CAPABILITY_PRIVACY)
+ capab |= WLAN_CAPABILITY_PRIVACY;
+@@ -705,7 +707,8 @@ static int ieee80211_privacy_mismatch(st
+ ifsta->key_mgmt != IEEE80211_KEY_MGMT_NONE)
+ return 0;
+
+- bss = ieee80211_rx_bss_get(dev, ifsta->bssid, local->hw.conf.channel);
++ bss = ieee80211_rx_bss_get(dev, ifsta->bssid, local->hw.conf.channel,
++ ifsta->ssid, ifsta->ssid_len);
+ if (!bss)
+ return 0;
+
+@@ -1215,7 +1218,8 @@ static void ieee80211_rx_mgmt_assoc_resp
+ if (elems.erp_info && elems.erp_info_len >= 1) {
+ struct ieee80211_sta_bss *bss
+ = ieee80211_rx_bss_get(dev, ifsta->bssid,
+- local->hw.conf.channel);
++ local->hw.conf.channel,
++ ifsta->ssid, ifsta->ssid_len);
+ if (bss) {
+ bss->erp_value = elems.erp_info[0];
+ bss->has_erp_value = 1;
+@@ -1246,7 +1250,8 @@ static void ieee80211_rx_mgmt_assoc_resp
+ return;
+ }
+ bss = ieee80211_rx_bss_get(dev, ifsta->bssid,
+- local->hw.conf.channel);
++ local->hw.conf.channel,
++ ifsta->ssid, ifsta->ssid_len);
+ if (bss) {
+ sta->last_rssi = bss->rssi;
+ sta->last_signal = bss->signal;
+@@ -1327,7 +1332,8 @@ static void __ieee80211_rx_bss_hash_del(
+
+
+ static struct ieee80211_sta_bss *
+-ieee80211_rx_bss_add(struct net_device *dev, u8 *bssid, int channel)
++ieee80211_rx_bss_add(struct net_device *dev, u8 *bssid, int channel,
++ u8 *ssid, u8 ssid_len)
+ {
+ struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
+ struct ieee80211_sta_bss *bss;
+@@ -1339,6 +1345,10 @@ ieee80211_rx_bss_add(struct net_device *
+ atomic_inc(&bss->users);
+ memcpy(bss->bssid, bssid, ETH_ALEN);
+ bss->channel = channel;
++ if (ssid && ssid_len <= IEEE80211_MAX_SSID_LEN) {
++ memcpy(bss->ssid, ssid, ssid_len);
++ bss->ssid_len = ssid_len;
++ }
+
+ spin_lock_bh(&local->sta_bss_lock);
+ /* TODO: order by RSSI? */
+@@ -1350,7 +1360,8 @@ ieee80211_rx_bss_add(struct net_device *
+
+
+ static struct ieee80211_sta_bss *
+-ieee80211_rx_bss_get(struct net_device *dev, u8 *bssid, int channel)
++ieee80211_rx_bss_get(struct net_device *dev, u8 *bssid, int channel,
++ u8 *ssid, u8 ssid_len)
+ {
+ struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
+ struct ieee80211_sta_bss *bss;
+@@ -1358,8 +1369,10 @@ ieee80211_rx_bss_get(struct net_device *
+ spin_lock_bh(&local->sta_bss_lock);
+ bss = local->sta_bss_hash[STA_HASH(bssid)];
+ while (bss) {
+- if (memcmp(bss->bssid, bssid, ETH_ALEN) == 0 &&
+- bss->channel == channel) {
++ if (!memcmp(bss->bssid, bssid, ETH_ALEN) &&
++ bss->channel == channel &&
++ bss->ssid_len == ssid_len &&
++ (ssid_len == 0 || !memcmp(bss->ssid, ssid, ssid_len))) {
+ atomic_inc(&bss->users);
+ break;
+ }
+@@ -1527,9 +1540,11 @@ static void ieee80211_rx_bss_info(struct
+ else
+ channel = rx_status->channel;
+
+- bss = ieee80211_rx_bss_get(dev, mgmt->bssid, channel);
++ bss = ieee80211_rx_bss_get(dev, mgmt->bssid, channel,
++ elems.ssid, elems.ssid_len);
+ if (!bss) {
+- bss = ieee80211_rx_bss_add(dev, mgmt->bssid, channel);
++ bss = ieee80211_rx_bss_add(dev, mgmt->bssid, channel,
++ elems.ssid, elems.ssid_len);
+ if (!bss)
+ return;
+ } else {
+@@ -1555,10 +1570,6 @@ static void ieee80211_rx_bss_info(struct
+
+ bss->beacon_int = le16_to_cpu(mgmt->u.beacon.beacon_int);
+ bss->capability = le16_to_cpu(mgmt->u.beacon.capab_info);
+- if (elems.ssid && elems.ssid_len <= IEEE80211_MAX_SSID_LEN) {
+- memcpy(bss->ssid, elems.ssid, elems.ssid_len);
+- bss->ssid_len = elems.ssid_len;
+- }
+
+ bss->supp_rates_len = 0;
+ if (elems.supp_rates) {
+@@ -2339,7 +2350,7 @@ static int ieee80211_sta_create_ibss(str
+ {
+ struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr);
+ struct ieee80211_sta_bss *bss;
+- struct ieee80211_sub_if_data *sdata;
++ struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+ struct ieee80211_hw_mode *mode;
+ u8 bssid[ETH_ALEN], *pos;
+ int i;
+@@ -2361,11 +2372,11 @@ static int ieee80211_sta_create_ibss(str
+ printk(KERN_DEBUG "%s: Creating new IBSS network, BSSID " MAC_FMT "\n",
+ dev->name, MAC_ARG(bssid));
+
+- bss = ieee80211_rx_bss_add(dev, bssid, local->hw.conf.channel);
++ bss = ieee80211_rx_bss_add(dev, bssid, local->hw.conf.channel,
++ sdata->u.sta.ssid, sdata->u.sta.ssid_len);
+ if (!bss)
+ return -ENOMEM;
+
+- sdata = IEEE80211_DEV_TO_SUB_IF(dev);
+ mode = local->oper_hw_mode;
+
+ if (local->hw.conf.beacon_int == 0)
+@@ -2431,7 +2442,8 @@ static int ieee80211_sta_find_ibss(struc
+ MAC_FMT "\n", MAC_ARG(bssid), MAC_ARG(ifsta->bssid));
+ #endif /* CONFIG_MAC80211_IBSS_DEBUG */
+ if (found && memcmp(ifsta->bssid, bssid, ETH_ALEN) != 0 &&
+- (bss = ieee80211_rx_bss_get(dev, bssid, local->hw.conf.channel))) {
++ (bss = ieee80211_rx_bss_get(dev, bssid, local->hw.conf.channel,
++ ifsta->ssid, ifsta->ssid_len))) {
+ printk(KERN_DEBUG "%s: Selected IBSS BSSID " MAC_FMT
+ " based on configured SSID\n",
+ dev->name, MAC_ARG(bssid));
diff --git a/queue-2.6.23/netfilter-nf_conntrack_tcp-fix-connection-reopening.patch b/queue-2.6.23/netfilter-nf_conntrack_tcp-fix-connection-reopening.patch
new file mode 100644
index 00000000000..49e8a95a909
--- /dev/null
+++ b/queue-2.6.23/netfilter-nf_conntrack_tcp-fix-connection-reopening.patch
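Review bot: In ieee80211_rx_bss_add an SSID longer than IEEE80211_MAX_SSID_LEN is not stored, while ieee80211_rx_bss_get still compares `bss->ssid_len == ssid_len` against the unvalidated `elems.ssid_len` taken from the received frame. For a beacon or probe response carrying an oversized SSID element the lookup in ieee80211_rx_bss_info can then never match the entry created for it, so each such frame appears to add a further entry to sta_bss_list (this assumes a new entry starts with `ssid_len` zero; its allocation is outside the hunk). Rejecting the frame before the lookup, e.g. `if (elems.ssid_len > IEEE80211_MAX_SSID_LEN) return;`, keeps the key consistent and bounds table growth caused by malformed frames.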
@@ -0,0 +1,101 @@ +From stable-bounces@linux.kernel.org Mon Nov 5 03:38:25 2007 +From: Jozsef Kadlecsik +Date: Mon, 05 Nov 2007 12:37:55 +0100 +Subject: NETFILTER: nf_conntrack_tcp: fix connection reopening +To: stable@kernel.org +Cc: Netfilter Development Mailinglist , "David S. Miller" , Krzysztof Piotr Oledzki , Jozsef Kadlecsik +Message-ID: <472F0093.6040508@trash.net> + +From: Jozsef Kadlecsik + +Upstream commits: 17311393 + bc34b841 merged together. Merge done by +Patrick McHardy + +[NETFILTER]: nf_conntrack_tcp: fix connection reopening + +With your description I could reproduce the bug and actually you were +completely right: the code above is incorrect. Somehow I was able to +misread RFC1122 and mixed the roles :-(: + + When a connection is >>closed actively<<, it MUST linger in + TIME-WAIT state for a time 2xMSL (Maximum Segment Lifetime). + However, it MAY >>accept<< a new SYN from the remote TCP to + reopen the connection directly from TIME-WAIT state, if it: + [...] + +The fix is as follows: if the receiver initiated an active close, then the +sender may reopen the connection - otherwise try to figure out if we hold +a dead connection. + +Signed-off-by: Jozsef Kadlecsik +Tested-by: Krzysztof Piotr Oledzki +Signed-off-by: Patrick McHardy +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman + + +--- + net/netfilter/nf_conntrack_proto_tcp.c | 38 ++++++++++++++------------------- + 1 file changed, 17 insertions(+), 21 deletions(-) + +--- a/net/netfilter/nf_conntrack_proto_tcp.c ++++ b/net/netfilter/nf_conntrack_proto_tcp.c +@@ -831,6 +831,22 @@ static int tcp_packet(struct nf_conn *co + tuple = &conntrack->tuplehash[dir].tuple; + + switch (new_state) { ++ case TCP_CONNTRACK_SYN_SENT: ++ if (old_state < TCP_CONNTRACK_TIME_WAIT) ++ break; ++ if ((conntrack->proto.tcp.seen[!dir].flags & ++ IP_CT_TCP_FLAG_CLOSE_INIT) ++ || (conntrack->proto.tcp.last_dir == dir ++ && conntrack->proto.tcp.last_index == TCP_RST_SET)) { ++ /* Attempt to reopen a closed/aborted connection. ++ * Delete this connection and look up again. */ ++ write_unlock_bh(&tcp_lock); ++ if (del_timer(&conntrack->timeout)) ++ conntrack->timeout.function((unsigned long) ++ conntrack); ++ return -NF_REPEAT; ++ } ++ /* Fall through */ + case TCP_CONNTRACK_IGNORE: + /* Ignored packets: + * +@@ -879,27 +895,6 @@ static int tcp_packet(struct nf_conn *co + nf_log_packet(pf, 0, skb, NULL, NULL, NULL, + "nf_ct_tcp: invalid state "); + return -NF_ACCEPT; +- case TCP_CONNTRACK_SYN_SENT: +- if (old_state < TCP_CONNTRACK_TIME_WAIT) +- break; +- if ((conntrack->proto.tcp.seen[dir].flags & +- IP_CT_TCP_FLAG_CLOSE_INIT) +- || after(ntohl(th->seq), +- conntrack->proto.tcp.seen[dir].td_end)) { +- /* Attempt to reopen a closed connection. +- * Delete this connection and look up again. 
*/ +- write_unlock_bh(&tcp_lock); +- if (del_timer(&conntrack->timeout)) +- conntrack->timeout.function((unsigned long) +- conntrack); +- return -NF_REPEAT; +- } else { +- write_unlock_bh(&tcp_lock); +- if (LOG_INVALID(IPPROTO_TCP)) +- nf_log_packet(pf, 0, skb, NULL, NULL, +- NULL, "nf_ct_tcp: invalid SYN"); +- return -NF_ACCEPT; +- } + case TCP_CONNTRACK_CLOSE: + if (index == TCP_RST_SET + && ((test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status) +@@ -932,6 +927,7 @@ static int tcp_packet(struct nf_conn *co + in_window: + /* From now on we have got in-window packets */ + conntrack->proto.tcp.last_index = index; ++ conntrack->proto.tcp.last_dir = dir; + + pr_debug("tcp_conntracks: "); + NF_CT_DUMP_TUPLE(tuple); diff --git a/queue-2.6.23/revert-x86_64-allocate-sparsemem-memmap-above-4g.patch b/queue-2.6.23/revert-x86_64-allocate-sparsemem-memmap-above-4g.patch new file mode 100644 index 00000000000..447db079608 --- /dev/null +++ b/queue-2.6.23/revert-x86_64-allocate-sparsemem-memmap-above-4g.patch 
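Review bot: In net/netfilter/nf_conntrack_proto_tcp.c the new `TCP_CONNTRACK_SYN_SENT` case ends in a bare `/* Fall through */`, so a SYN on a TIME_WAIT-or-later entry that meets neither reopen condition is now handled by the `TCP_CONNTRACK_IGNORE` branch, whose body is outside the hunk. The removed branch logged "nf_ct_tcp: invalid SYN" through `LOG_INVALID(IPPROTO_TCP)` for exactly those packets; whether the IGNORE path still leaves a log entry cannot be told from here, and it is worth confirming before operators lose that signal. I would replace the bare marker with `/* No provable reopen: fall through so the IGNORE logic can work out whether we hold a dead connection */`, and add a one-line comment on `last_dir == dir && last_index == TCP_RST_SET` saying that, as far as the hunk shows, it matches a SYN from the side whose RST was the last in-window packet. tcp_packet() starts and ends outside both hunks.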
@@ -0,0 +1,100 @@
+From stable-bounces@linux.kernel.org Thu Nov 1 16:08:33 2007
+From: Linus Torvalds
+Date: Thu, 01 Nov 2007 19:07:35 -0400
+Subject: revert "x86_64: allocate sparsemem memmap above 4G"
+To: linux-stable
+Cc: Zou Nan hai
+Message-ID: <472A5C37.7050602@redhat.com>
+
+From: Linus Torvalds
+
+Reverted upstream by commit 6a22c57b8d2a62dea7280a6b2ac807a539ef0716
+
+Revert this commit:
+
+ commit 2e1c49db4c640b35df13889b86b9d62215ade4b6
+ Author: Zou Nan hai
+ Date: Fri Jun 1 00:46:28 2007 -0700
+
+ x86_64: allocate sparsemem memmap above 4G
+
+This reverts commit 2e1c49db4c640b35df13889b86b9d62215ade4b6.
+
+First off, testing in Fedora has shown it to cause boot failures,
+bisected down by Martin Ebourne, and reported by Dave Jobes. So the
+commit will likely be reverted in the 2.6.23 stable kernels.
+
+Secondly, in the 2.6.24 model, x86-64 has now grown support for
+SPARSEMEM_VMEMMAP, which disables the relevant code anyway, so while the
+bug is not visible any more, it's become invisible due to the code just
+being irrelevant and no longer enabled on the only architecture that
+this ever affected.
+
+Reported-by: Dave Jones
+Tested-by: Martin Ebourne
+Cc: Zou Nan hai
+Cc: Suresh Siddha
+Cc: Andrew Morton
+Acked-by: Andy Whitcroft
+Signed-off-by: Linus Torvalds
+Cc: Chuck Ebbert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86_64/mm/init.c | 6 ------
+ include/linux/bootmem.h | 1 -
+ mm/sparse.c | 11 -----------
+ 3 files changed, 18 deletions(-)
+
+--- a/arch/x86_64/mm/init.c
++++ b/arch/x86_64/mm/init.c
+@@ -734,12 +734,6 @@ int in_gate_area_no_task(unsigned long a
+ return (addr >= VSYSCALL_START) && (addr < VSYSCALL_END);
+ }
+
+-void * __init alloc_bootmem_high_node(pg_data_t *pgdat, unsigned long size)
+-{
+- return __alloc_bootmem_core(pgdat->bdata, size,
+- SMP_CACHE_BYTES, (4UL*1024*1024*1024), 0);
+-}
+-
+ const char *arch_vma_name(struct vm_area_struct *vma)
+ {
+ if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
+--- a/include/linux/bootmem.h
++++ b/include/linux/bootmem.h
+@@ -59,7 +59,6 @@ extern void *__alloc_bootmem_core(struct
+ unsigned long align,
+ unsigned long goal,
+ unsigned long limit);
+-extern void *alloc_bootmem_high_node(pg_data_t *pgdat, unsigned long size);
+
+ #ifndef CONFIG_HAVE_ARCH_BOOTMEM_NODE
+ extern void reserve_bootmem(unsigned long addr, unsigned long size);
+--- a/mm/sparse.c
++++ b/mm/sparse.c
+@@ -215,12 +215,6 @@ static int __meminit sparse_init_one_sec
+ return 1;
+ }
+
+-__attribute__((weak)) __init
+-void *alloc_bootmem_high_node(pg_data_t *pgdat, unsigned long size)
+-{
+- return NULL;
+-}
+-
+ static struct page __init *sparse_early_mem_map_alloc(unsigned long pnum)
+ {
+ struct page *map;
+@@ -231,11 +225,6 @@ static struct page __init *sparse_early_
+ if (map)
+ return map;
+
+- map = alloc_bootmem_high_node(NODE_DATA(nid),
+- sizeof(struct page) * PAGES_PER_SECTION);
+- if (map)
+- return map;
+-
+ map = alloc_bootmem_node(NODE_DATA(nid),
+ sizeof(struct page) * PAGES_PER_SECTION);
+ if (map)
diff --git a/queue-2.6.23/rtl8187-fix-more-frag-bit-checking-rts-duration-calc.patch b/queue-2.6.23/rtl8187-fix-more-frag-bit-checking-rts-duration-calc.patch
new file mode 100644
index 00000000000..6570ab0827c
--- /dev/null
+++ b/queue-2.6.23/rtl8187-fix-more-frag-bit-checking-rts-duration-calc.patch
@@ -0,0 +1,79 @@ +From stable-bounces@linux.kernel.org Fri Oct 26 14:07:56 2007 +From: Michael Wu +Date: Fri, 26 Oct 2007 17:04:38 -0400 +Subject: rtl8187: Fix more frag bit checking, rts duration calc +To: stable@kernel.org +Cc: Michael Wu , linux-wireless@vger.kernel.org, "John W. Linville" +Message-ID: <11934326831563-git-send-email-linville@tuxdriver.com> + + +From: Michael Wu + +patch 98798f4875b7149db4eb7d0a126fc6dcd9637821 in mainline. + +The wrong pointer is passed to ieee80211_get_morefrag. Fix this. + +While we're at it, reorder things so they look better and the rts duration +calculation is done with the right length. + +Thanks to Christoph Hellwig for finding the ieee80211_get_morefrag issue. + +Signed-off-by: Michael Wu +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rtl8187_dev.c | 31 ++++++++++++++++--------------- + 1 file changed, 16 insertions(+), 15 deletions(-) + +--- a/drivers/net/wireless/rtl8187_dev.c ++++ b/drivers/net/wireless/rtl8187_dev.c +@@ -78,7 +78,8 @@ static int rtl8187_tx(struct ieee80211_h + struct rtl8187_tx_hdr *hdr; + struct rtl8187_tx_info *info; + struct urb *urb; +- u32 tmp; ++ __le16 rts_dur = 0; ++ u32 flags; + + urb = usb_alloc_urb(0, GFP_ATOMIC); + if (!urb) { +@@ -86,24 +87,24 @@ static int rtl8187_tx(struct ieee80211_h + return 0; + } + +- hdr = (struct rtl8187_tx_hdr *)skb_push(skb, sizeof(*hdr)); +- tmp = skb->len - sizeof(*hdr); +- tmp |= RTL8187_TX_FLAG_NO_ENCRYPT; +- tmp |= control->rts_cts_rate << 19; +- tmp |= control->tx_rate << 24; +- if (ieee80211_get_morefrag((struct ieee80211_hdr *)skb)) +- tmp |= RTL8187_TX_FLAG_MORE_FRAG; ++ flags = skb->len; ++ flags |= RTL8187_TX_FLAG_NO_ENCRYPT; ++ flags |= control->rts_cts_rate << 19; ++ flags |= control->tx_rate << 24; ++ if (ieee80211_get_morefrag((struct ieee80211_hdr *)skb->data)) ++ flags |= RTL8187_TX_FLAG_MORE_FRAG; + if (control->flags & IEEE80211_TXCTL_USE_RTS_CTS) { +- tmp |= RTL8187_TX_FLAG_RTS; +- 
hdr->rts_duration = +- ieee80211_rts_duration(dev, skb->len, control); ++ flags |= RTL8187_TX_FLAG_RTS; ++ rts_dur = ieee80211_rts_duration(dev, skb->len, control); + } + if (control->flags & IEEE80211_TXCTL_USE_CTS_PROTECT) +- tmp |= RTL8187_TX_FLAG_CTS; +- hdr->flags = cpu_to_le32(tmp); ++ flags |= RTL8187_TX_FLAG_CTS; ++ ++ hdr = (struct rtl8187_tx_hdr *)skb_push(skb, sizeof(*hdr)); ++ hdr->flags = cpu_to_le32(flags); + hdr->len = 0; +- tmp = control->retry_limit << 8; +- hdr->retry = cpu_to_le32(tmp); ++ hdr->rts_duration = rts_dur; ++ hdr->retry = cpu_to_le32(control->retry_limit << 8); + + info = (struct rtl8187_tx_info *)skb->cb; + info->control = kmemdup(control, sizeof(*control), GFP_ATOMIC); diff --git a/queue-2.6.23/series b/queue-2.6.23/series index a580635a60c..958b66f59e0 100644 --- a/queue-2.6.23/series +++ b/queue-2.6.23/series @@ -96,3 +96,17 @@ fix-set_vlan_ingress_priority_cmd-error-return.patch fix-crypto_alloc_comp-error-checking.patch fix-netlink-timeouts.patch fix-compat-futex-hangs.patch +alsa-hdsp-fix-zero-division.patch +revert-x86_64-allocate-sparsemem-memmap-above-4g.patch +netfilter-nf_conntrack_tcp-fix-connection-reopening.patch +ieee80211-fix-tkip-qos-bug.patch +mac80211-reorder-association-debug-output.patch +mac80211-store-channel-info-in-sta_bss_list.patch +mac80211-store-ssid-in-sta_bss_list.patch +mac80211-honor-iw_scan_this_essid-in-siwscan-ioctl.patch +mac80211-only-honor-iw_scan_this_essid-in-sta-ibss-and-ap-modes.patch +mac80211-make-ieee802_11_parse_elems-return-void.patch +zd1201-avoid-null-ptr-access-of-skb-dev.patch +ipw2100-send-wext-scan-events.patch +rtl8187-fix-more-frag-bit-checking-rts-duration-calc.patch +zd1211rw-fix-oops-when-ejecting-install-media.patch diff --git a/queue-2.6.23/zd1201-avoid-null-ptr-access-of-skb-dev.patch b/queue-2.6.23/zd1201-avoid-null-ptr-access-of-skb-dev.patch new file mode 100644 index 00000000000..a2defd6299e --- /dev/null +++ b/queue-2.6.23/zd1201-avoid-null-ptr-access-of-skb-dev.patch 
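Review bot: In drivers/net/wireless/rtl8187_dev.c `flags = skb->len;` places the frame length in the same word that later takes `control->rts_cts_rate << 19` and `control->tx_rate << 24`, with no mask and no named constants for the shifts. If a length could ever need more bits than lie below the lowest flag bit it would alias into the flag field, and the hunk does not show where the length is bounded, so that is worth confirming. A comment above the assignment such as `/* flags word: frame length in the low bits, RTS/CTS rate from bit 19, TX rate from bit 24 */` would document the layout the code relies on. rtl8187_tx() begins before the hunk and continues after it.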
@@ -0,0 +1,44 @@
+From stable-bounces@linux.kernel.org Fri Oct 26 14:07:23 2007
+From: "John W. Linville"
+Date: Fri, 26 Oct 2007 17:04:36 -0400
+Subject: zd1201: avoid null ptr access of skb->dev
+To: stable@kernel.org
+Cc: linux-wireless@vger.kernel.org, "John W. Linville"
+Message-ID: <11934326821662-git-send-email-linville@tuxdriver.com>
+
+
+From: John W. Linville
+
+patch 3ba72b25211217de195e3f528dd36132b38a205b in mainline.
+
+skb->dev is not set until eth_type_trans is called...
+
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/zd1201.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/zd1201.c
++++ b/drivers/net/wireless/zd1201.c
+@@ -327,8 +327,8 @@ static void zd1201_usbrx(struct urb *urb
+ memcpy(skb_put(skb, 6), &data[datalen-8], 6);
+ memcpy(skb_put(skb, 2), &data[datalen-24], 2);
+ memcpy(skb_put(skb, len), data, len);
+- skb->dev->last_rx = jiffies;
+ skb->protocol = eth_type_trans(skb, zd->dev);
++ skb->dev->last_rx = jiffies;
+ zd->stats.rx_packets++;
+ zd->stats.rx_bytes += skb->len;
+ netif_rx(skb);
+@@ -384,8 +384,8 @@ static void zd1201_usbrx(struct urb *urb
+ memcpy(skb_put(skb, 2), &data[6], 2);
+ memcpy(skb_put(skb, len), data+8, len);
+ }
+- skb->dev->last_rx = jiffies;
+ skb->protocol = eth_type_trans(skb, zd->dev);
++ skb->dev->last_rx = jiffies;
+ zd->stats.rx_packets++;
+ zd->stats.rx_bytes += skb->len;
+ netif_rx(skb);
diff --git a/queue-2.6.23/zd1211rw-fix-oops-when-ejecting-install-media.patch b/queue-2.6.23/zd1211rw-fix-oops-when-ejecting-install-media.patch
new file mode 100644
index 00000000000..9de5ce176d9
--- /dev/null
+++ b/queue-2.6.23/zd1211rw-fix-oops-when-ejecting-install-media.patch
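Review bot: In drivers/net/wireless/zd1201.c both hunks still write `skb->dev->last_rx = jiffies;`, which is only valid because the line now sits after `eth_type_trans(skb, zd->dev)`; nothing in the code says so, and a later reorder would bring the NULL dereference back. Since the device is already at hand, `zd->dev->last_rx = jiffies;` would not depend on statement order at all. Failing that, a comment on the line such as `/* skb->dev is only set by eth_type_trans() above */` records the constraint. zd1201_usbrx() starts and ends outside both hunks, so any other receive path in it is not visible here.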
@@ -0,0 +1,47 @@
+From stable-bounces@linux.kernel.org Fri Oct 26 14:06:06 2007
+From: Marc Pignat
+Date: Fri, 26 Oct 2007 17:04:39 -0400
+Subject: zd1211rw, fix oops when ejecting install media
+To: stable@kernel.org
+Cc: linux-wireless@vger.kernel.org, "John W. Linville" , Marc Pignat
+Message-ID: <11934326832747-git-send-email-linville@tuxdriver.com>
+
+
+From: Marc Pignat
+
+patch e0579d576cb894a4cf3c5af04fbf38e8c1281738 in mainline.
+
+The disconnect function can dereference the net_device structure when it
+is never allocated. This is the case when ejecting the device installer.
+
+Signed-off-by: Marc Pignat
+Acked-by: Daniel Drake
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/zd1211rw/zd_usb.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/zd1211rw/zd_usb.c
++++ b/drivers/net/wireless/zd1211rw/zd_usb.c
+@@ -1041,14 +1041,17 @@ error:
+ static void disconnect(struct usb_interface *intf)
+ {
+ struct net_device *netdev = zd_intf_to_netdev(intf);
+- struct zd_mac *mac = zd_netdev_mac(netdev);
+- struct zd_usb *usb = &mac->chip.usb;
++ struct zd_mac *mac;
++ struct zd_usb *usb;
+
+ /* Either something really bad happened, or we're just dealing with
+ * a DEVICE_INSTALLER. */
+ if (netdev == NULL)
+ return;
+
++ mac = zd_netdev_mac(netdev);
++ usb = &mac->chip.usb;
++
+ dev_dbg_f(zd_usb_dev(usb), "\n");
+
+ zd_netdev_disconnect(netdev);