PKG_NAME:=mac80211
-PKG_VERSION:=4.19.32-1
-PKG_RELEASE:=2
-PKG_SOURCE_URL:=@KERNEL/linux/kernel/projects/backports/stable/v4.19.32/
-PKG_HASH:=838db1565b54fe4bd1e769c54f30c65c9ea2fb5e99a0cddb7910561794ae317a
+PKG_VERSION:=4.19.57-1
+PKG_RELEASE:=1
+PKG_SOURCE_URL:=@KERNEL/linux/kernel/projects/backports/stable/v4.19.57/
+PKG_HASH:=f9c2d888cd49bd85e3f625f440468a803eeabb36662b56426c6cb2d15a7e049d
PKG_SOURCE:=backports-$(PKG_VERSION).tar.xz
PKG_BUILD_DIR:=$(KERNEL_BUILD_DIR)/backports-$(PKG_VERSION)
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
-@@ -2982,6 +2982,8 @@ void regulatory_hint_country_ie(struct w
+@@ -3021,6 +3021,8 @@ void regulatory_hint_country_ie(struct w
enum environment_cap env = ENVIRON_ANY;
struct regulatory_request *request = NULL, *lr;
/* IE len must be evenly divisible by 2 */
if (country_ie_len & 0x01)
return;
-@@ -3188,6 +3190,7 @@ static void restore_regulatory_settings(
+@@ -3227,6 +3229,7 @@ static void restore_regulatory_settings(
void regulatory_hint_disconnect(void)
{
@@ -5658,7 +5658,11 @@ static void ath10k_bss_info_changed(stru
if (changed & BSS_CHANGED_MCAST_RATE &&
- !WARN_ON(ath10k_mac_vif_chan(arvif->vif, &def))) {
+ !ath10k_mac_vif_chan(arvif->vif, &def)) {
band = def.chan->band;
- rateidx = vif->bss_conf.mcast_rate[band] - 1;
+ mcast_rate = vif->bss_conf.mcast_rate[band];
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
-@@ -1463,7 +1463,7 @@ static u8 brcmf_sdio_rxglom(struct brcmf
+@@ -1474,7 +1474,7 @@ static u8 brcmf_sdio_rxglom(struct brcmf
struct sk_buff *pfirst, *pnext;
int errcode;
struct brcmf_sdio_hdrinfo rd_new;
-@@ -1597,7 +1597,6 @@ static u8 brcmf_sdio_rxglom(struct brcmf
+@@ -1608,7 +1608,6 @@ static u8 brcmf_sdio_rxglom(struct brcmf
/* Remove superframe header, remember offset */
skb_pull(pfirst, rd_new.dat_offset);
num = 0;
/* Validate all the subframe headers */
-@@ -3405,7 +3404,6 @@ static int brcmf_sdio_bus_preinit(struct
+@@ -3416,7 +3415,6 @@ static int brcmf_sdio_bus_preinit(struct
struct brcmf_sdio_dev *sdiodev = bus_if->bus_priv.sdio;
struct brcmf_sdio *bus = sdiodev->bus;
struct brcmf_core *core = bus->sdio_core;
u32 value;
int err;
-@@ -3448,7 +3446,6 @@ static int brcmf_sdio_bus_preinit(struct
+@@ -3459,7 +3457,6 @@ static int brcmf_sdio_bus_preinit(struct
if (sdiodev->sg_support) {
bus->txglom = false;
value = 1;
fwreq->bus_nr = devinfo->pdev->bus->number;
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
-@@ -4174,6 +4174,7 @@ brcmf_sdio_prepare_fw_request(struct brc
+@@ -4185,6 +4185,7 @@ brcmf_sdio_prepare_fw_request(struct brc
fwreq->items[BRCMF_SDIO_FW_CODE].type = BRCMF_FW_TYPE_BINARY;
fwreq->items[BRCMF_SDIO_FW_NVRAM].type = BRCMF_FW_TYPE_NVRAM;
int credits_borrowed[BRCMF_FWS_FIFO_AC_VO + 1];
int deq_node_pos[BRCMF_FWS_FIFO_COUNT];
u32 fifo_credit_map;
-@@ -1237,6 +1238,9 @@ static void brcmf_fws_return_credits(str
+@@ -1241,6 +1242,9 @@ static void brcmf_fws_return_credits(str
}
fws->fifo_credit[fifo] += credits;
}
static void brcmf_fws_schedule_deq(struct brcmf_fws_info *fws)
-@@ -1595,19 +1599,21 @@ static int brcmf_fws_notify_credit_map(s
+@@ -1599,19 +1603,21 @@ static int brcmf_fws_notify_credit_map(s
brcmf_err("event payload too small (%d)\n", e->datalen);
return -EINVAL;
}
}
brcmf_fws_schedule_deq(fws);
brcmf_fws_unlock(fws);
-@@ -2013,7 +2019,7 @@ static int brcmf_fws_borrow_credit(struc
+@@ -2017,7 +2023,7 @@ static int brcmf_fws_borrow_credit(struc
}
for (lender_ac = 0; lender_ac <= BRCMF_FWS_FIFO_AC_VO; lender_ac++) {
fws->credits_borrowed[lender_ac]++;
fws->fifo_credit[lender_ac]--;
if (fws->fifo_credit[lender_ac] == 0)
-@@ -2210,8 +2216,9 @@ static void brcmf_fws_dequeue_worker(str
+@@ -2216,8 +2222,9 @@ static void brcmf_fws_dequeue_worker(str
}
continue;
}
skb = brcmf_fws_deq(fws, fifo);
if (!skb)
break;
-@@ -2222,7 +2229,7 @@ static void brcmf_fws_dequeue_worker(str
+@@ -2228,7 +2235,7 @@ static void brcmf_fws_dequeue_worker(str
break;
}
if ((fifo == BRCMF_FWS_FIFO_AC_BE) &&
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -6638,6 +6638,12 @@ static s32 brcmf_config_dongle(struct br
+@@ -6644,6 +6644,12 @@ static s32 brcmf_config_dongle(struct br
brcmf_configure_arp_nd_offload(ifp, true);
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
-@@ -1455,9 +1455,10 @@ static int brcmf_fws_txstatus_suppressed
+@@ -1459,9 +1459,10 @@ static int brcmf_fws_txstatus_suppressed
static int
brcmf_fws_txs_process(struct brcmf_fws_info *fws, u8 flags, u32 hslot,
int ret;
bool remove_from_hanger = true;
struct sk_buff *skb;
-@@ -1468,60 +1469,71 @@ brcmf_fws_txs_process(struct brcmf_fws_i
+@@ -1472,60 +1473,71 @@ brcmf_fws_txs_process(struct brcmf_fws_i
brcmf_dbg(DATA, "flags %d\n", flags);
if (flags == BRCMF_FWS_TXSTATUS_DISCARD)
return 0;
}
-@@ -1547,7 +1559,8 @@ static int brcmf_fws_fifocreditback_indi
+@@ -1551,7 +1563,8 @@ static int brcmf_fws_fifocreditback_indi
return BRCMF_FWS_RET_OK_SCHEDULE;
}
{
__le32 status_le;
__le16 seq_le;
-@@ -1556,23 +1569,31 @@ static int brcmf_fws_txstatus_indicate(s
+@@ -1560,23 +1573,31 @@ static int brcmf_fws_txstatus_indicate(s
u32 genbit;
u8 flags;
u16 seq;
brcmf_fws_unlock(fws);
return BRCMF_FWS_RET_OK_NOSCHEDULE;
}
-@@ -1888,8 +1909,6 @@ void brcmf_fws_hdrpull(struct brcmf_if *
+@@ -1892,8 +1913,6 @@ void brcmf_fws_hdrpull(struct brcmf_if *
err = BRCMF_FWS_RET_OK_NOSCHEDULE;
switch (type) {
case BRCMF_FWS_TYPE_HOST_REORDER_RXPKTS:
rd = (struct brcmf_skb_reorder_data *)skb->cb;
rd->reorder = data;
-@@ -1912,7 +1931,8 @@ void brcmf_fws_hdrpull(struct brcmf_if *
+@@ -1916,7 +1935,8 @@ void brcmf_fws_hdrpull(struct brcmf_if *
err = brcmf_fws_request_indicate(fws, type, data);
break;
case BRCMF_FWS_TYPE_TXSTATUS:
break;
case BRCMF_FWS_TYPE_FIFO_CREDITBACK:
err = brcmf_fws_fifocreditback_indicate(fws, data);
-@@ -2001,7 +2021,7 @@ static void brcmf_fws_rollback_toq(struc
+@@ -2005,7 +2025,7 @@ static void brcmf_fws_rollback_toq(struc
fws->stats.rollback_failed++;
hslot = brcmf_skb_htod_tag_get_field(skb, HSLOT);
brcmf_fws_txs_process(fws, BRCMF_FWS_TXSTATUS_HOST_TOSSED,
} else {
fws->stats.rollback_success++;
brcmf_fws_return_credits(fws, fifo, 1);
-@@ -2462,7 +2482,8 @@ void brcmf_fws_bustxfail(struct brcmf_fw
+@@ -2476,7 +2496,8 @@ void brcmf_fws_bustxfail(struct brcmf_fw
}
brcmf_fws_lock(fws);
hslot = brcmf_skb_htod_tag_get_field(skb, HSLOT);
/* Force SD->SB reset mapping (rev 11) */
#define SBSDIO_DEVCTL_SB_RST_CTL 0x30
/* Determined by CoreControl bit */
-@@ -4046,6 +4052,7 @@ static void brcmf_sdio_firmware_callback
+@@ -4057,6 +4063,7 @@ static void brcmf_sdio_firmware_callback
void *nvram;
u32 nvram_len;
u8 saveclk;
brcmf_dbg(TRACE, "Enter: dev=%s, err=%d\n", dev_name(dev), err);
-@@ -4101,8 +4108,23 @@ static void brcmf_sdio_firmware_callback
+@@ -4112,8 +4119,23 @@ static void brcmf_sdio_firmware_callback
brcmf_sdiod_writel(sdiod, core->base + SD_REG(hostintmask),
bus->hostintmask, NULL);
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
-@@ -4119,6 +4119,9 @@ static void brcmf_sdio_firmware_callback
+@@ -4130,6 +4130,9 @@ static void brcmf_sdio_firmware_callback
devctl |= SBSDIO_DEVCTL_F2WM_ENAB;
brcmf_sdiod_writeb(sdiod, SBSDIO_DEVICE_CTL, devctl,
&err);
};
static void pkt_align(struct sk_buff *p, int len, int align)
-@@ -677,6 +679,14 @@ brcmf_sdio_kso_control(struct brcmf_sdio
+@@ -683,6 +685,14 @@ brcmf_sdio_kso_control(struct brcmf_sdio
/* 1st KSO write goes to AOS wake up core if device is asleep */
brcmf_sdiod_writeb(bus->sdiodev, SBSDIO_FUNC1_SLEEPCSR, wr_val, &err);
if (on) {
/* device WAKEUP through KSO:
* write bit 0 & read back until
-@@ -2402,6 +2412,14 @@ static int brcmf_sdio_tx_ctrlframe(struc
+@@ -2413,6 +2423,14 @@ static int brcmf_sdio_tx_ctrlframe(struc
return ret;
}
static void brcmf_sdio_bus_stop(struct device *dev)
{
struct brcmf_bus *bus_if = dev_get_drvdata(dev);
-@@ -2409,7 +2427,7 @@ static void brcmf_sdio_bus_stop(struct d
+@@ -2420,7 +2438,7 @@ static void brcmf_sdio_bus_stop(struct d
struct brcmf_sdio *bus = sdiodev->bus;
struct brcmf_core *core = bus->sdio_core;
u32 local_hostintmask;
int err;
brcmf_dbg(TRACE, "Enter\n");
-@@ -2436,9 +2454,14 @@ static void brcmf_sdio_bus_stop(struct d
+@@ -2447,9 +2465,14 @@ static void brcmf_sdio_bus_stop(struct d
/* Force backplane clocks to assure F2 interrupt propagates */
saveclk = brcmf_sdiod_readb(sdiodev, SBSDIO_FUNC1_CHIPCLKCSR,
&err);
if (err)
brcmf_err("Failed to force clock for F2: err %d\n",
err);
-@@ -3328,20 +3351,45 @@ err:
+@@ -3339,20 +3362,45 @@ err:
return bcmerror;
}
brcmf_sdiod_writeb(bus->sdiodev, SBSDIO_FUNC1_WAKEUPCTRL, val, &err);
if (err) {
brcmf_err("error writing SBSDIO_FUNC1_WAKEUPCTRL\n");
-@@ -3350,8 +3398,7 @@ static void brcmf_sdio_sr_init(struct br
+@@ -3361,8 +3409,7 @@ static void brcmf_sdio_sr_init(struct br
/* Add CMD14 Support */
brcmf_sdiod_func0_wb(bus->sdiodev, SDIO_CCCR_BRCM_CARDCAP,
&err);
if (err) {
brcmf_err("error writing SDIO_CCCR_BRCM_CARDCAP\n");
-@@ -3359,7 +3406,7 @@ static void brcmf_sdio_sr_init(struct br
+@@ -3370,7 +3417,7 @@ static void brcmf_sdio_sr_init(struct br
}
brcmf_sdiod_writeb(bus->sdiodev, SBSDIO_FUNC1_CHIPCLKCSR,
if (err) {
brcmf_err("error writing SBSDIO_FUNC1_CHIPCLKCSR\n");
return;
-@@ -4051,7 +4098,7 @@ static void brcmf_sdio_firmware_callback
+@@ -4062,7 +4109,7 @@ static void brcmf_sdio_firmware_callback
const struct firmware *code;
void *nvram;
u32 nvram_len;
u8 devctl;
brcmf_dbg(TRACE, "Enter: dev=%s, err=%d\n", dev_name(dev), err);
-@@ -4085,8 +4132,11 @@ static void brcmf_sdio_firmware_callback
+@@ -4096,8 +4143,11 @@ static void brcmf_sdio_firmware_callback
/* Force clocks on backplane to be sure F2 interrupt propagates */
saveclk = brcmf_sdiod_readb(sdiod, SBSDIO_FUNC1_CHIPCLKCSR, &err);
if (!err) {
#ifdef DEBUG
-@@ -4173,6 +4174,17 @@ static void brcmf_sdio_firmware_callback
+@@ -4184,6 +4185,17 @@ static void brcmf_sdio_firmware_callback
CY_4373_F2_WATERMARK |
SBSDIO_MESBUSYCTRL_ENAB, &err);
break;
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
-@@ -3354,7 +3354,11 @@ err:
+@@ -3365,7 +3365,11 @@ err:
static bool brcmf_sdio_aos_no_decode(struct brcmf_sdio *bus)
{
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -6308,6 +6308,16 @@ brcmf_txrx_stypes[NUM_NL80211_IFTYPES] =
+@@ -6314,6 +6314,16 @@ brcmf_txrx_stypes[NUM_NL80211_IFTYPES] =
.tx = 0xffff,
.rx = BIT(IEEE80211_STYPE_ACTION >> 4) |
BIT(IEEE80211_STYPE_PROBE_REQ >> 4)
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
-@@ -1552,6 +1552,10 @@ void brcmf_usb_exit(void)
+@@ -1557,6 +1557,10 @@ void brcmf_usb_exit(void)
void brcmf_usb_register(void)
{
return -EINVAL;
}
-@@ -3498,7 +3531,7 @@ static void brcmf_report_wowl_wakeind(st
+@@ -3500,7 +3533,7 @@ static void brcmf_report_wowl_wakeind(st
err = brcmf_fil_iovar_data_get(ifp, "wowl_wakeind", &wake_ind_le,
sizeof(wake_ind_le));
if (err) {
return;
}
-@@ -3539,7 +3572,7 @@ static void brcmf_report_wowl_wakeind(st
+@@ -3541,7 +3574,7 @@ static void brcmf_report_wowl_wakeind(st
cfg->wowl.nd_data_completed,
BRCMF_ND_INFO_TIMEOUT);
if (!timeout)
else
wakeup_data.net_detect = cfg->wowl.nd_info;
}
-@@ -3747,7 +3780,7 @@ brcmf_cfg80211_set_pmksa(struct wiphy *w
+@@ -3749,7 +3782,7 @@ brcmf_cfg80211_set_pmksa(struct wiphy *w
cfg->pmk_list.npmk = cpu_to_le32(npmk);
}
} else {
return -EINVAL;
}
-@@ -3793,7 +3826,7 @@ brcmf_cfg80211_del_pmksa(struct wiphy *w
+@@ -3795,7 +3828,7 @@ brcmf_cfg80211_del_pmksa(struct wiphy *w
memset(&pmk[i], 0, sizeof(*pmk));
cfg->pmk_list.npmk = cpu_to_le32(npmk - 1);
} else {
return -EINVAL;
}
-@@ -3825,19 +3858,20 @@ brcmf_cfg80211_flush_pmksa(struct wiphy
+@@ -3827,19 +3860,20 @@ brcmf_cfg80211_flush_pmksa(struct wiphy
static s32 brcmf_configure_opensecurity(struct brcmf_if *ifp)
{
return err;
}
/* set upper-layer auth */
-@@ -3847,7 +3881,7 @@ static s32 brcmf_configure_opensecurity(
+@@ -3849,7 +3883,7 @@ static s32 brcmf_configure_opensecurity(
wpa_val = WPA_AUTH_DISABLED;
err = brcmf_fil_bsscfg_int_set(ifp, "wpa_auth", wpa_val);
if (err < 0) {
return err;
}
-@@ -3867,6 +3901,7 @@ brcmf_configure_wpaie(struct brcmf_if *i
+@@ -3869,6 +3903,7 @@ brcmf_configure_wpaie(struct brcmf_if *i
const struct brcmf_vs_tlv *wpa_ie,
bool is_rsn_ie)
{
u32 auth = 0; /* d11 open authentication */
u16 count;
s32 err = 0;
-@@ -3897,13 +3932,13 @@ brcmf_configure_wpaie(struct brcmf_if *i
+@@ -3899,13 +3934,13 @@ brcmf_configure_wpaie(struct brcmf_if *i
/* check for multicast cipher suite */
if (offset + WPA_IE_MIN_OUI_LEN > len) {
err = -EINVAL;
goto exit;
}
offset += TLV_OUI_LEN;
-@@ -3925,7 +3960,7 @@ brcmf_configure_wpaie(struct brcmf_if *i
+@@ -3927,7 +3962,7 @@ brcmf_configure_wpaie(struct brcmf_if *i
break;
default:
err = -EINVAL;
goto exit;
}
-@@ -3936,13 +3971,13 @@ brcmf_configure_wpaie(struct brcmf_if *i
+@@ -3938,13 +3973,13 @@ brcmf_configure_wpaie(struct brcmf_if *i
/* Check for unicast suite(s) */
if (offset + (WPA_IE_MIN_OUI_LEN * count) > len) {
err = -EINVAL;
goto exit;
}
offset += TLV_OUI_LEN;
-@@ -3960,7 +3995,7 @@ brcmf_configure_wpaie(struct brcmf_if *i
+@@ -3962,7 +3997,7 @@ brcmf_configure_wpaie(struct brcmf_if *i
pval |= AES_ENABLED;
break;
default:
}
offset++;
}
-@@ -3970,13 +4005,13 @@ brcmf_configure_wpaie(struct brcmf_if *i
+@@ -3972,13 +4007,13 @@ brcmf_configure_wpaie(struct brcmf_if *i
/* Check for auth key management suite(s) */
if (offset + (WPA_IE_MIN_OUI_LEN * count) > len) {
err = -EINVAL;
goto exit;
}
offset += TLV_OUI_LEN;
-@@ -4004,7 +4039,7 @@ brcmf_configure_wpaie(struct brcmf_if *i
+@@ -4006,7 +4041,7 @@ brcmf_configure_wpaie(struct brcmf_if *i
wpa_auth |= WPA2_AUTH_1X_SHA256;
break;
default:
}
offset++;
}
-@@ -4046,7 +4081,7 @@ brcmf_configure_wpaie(struct brcmf_if *i
+@@ -4048,7 +4083,7 @@ brcmf_configure_wpaie(struct brcmf_if *i
err = brcmf_fil_bsscfg_int_set(ifp, "wme_bss_disable",
wme_bss_disable);
if (err < 0) {
goto exit;
}
-@@ -4060,7 +4095,7 @@ brcmf_configure_wpaie(struct brcmf_if *i
+@@ -4062,7 +4097,7 @@ brcmf_configure_wpaie(struct brcmf_if *i
&data[offset],
WPA_IE_MIN_OUI_LEN);
if (err < 0) {
goto exit;
}
}
-@@ -4071,13 +4106,13 @@ brcmf_configure_wpaie(struct brcmf_if *i
+@@ -4073,13 +4108,13 @@ brcmf_configure_wpaie(struct brcmf_if *i
/* set auth */
err = brcmf_fil_bsscfg_int_set(ifp, "auth", auth);
if (err < 0) {
goto exit;
}
/* Configure MFP, this needs to go after wsec otherwise the wsec command
-@@ -4086,14 +4121,14 @@ brcmf_configure_wpaie(struct brcmf_if *i
+@@ -4088,14 +4123,14 @@ brcmf_configure_wpaie(struct brcmf_if *i
if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MFP)) {
err = brcmf_fil_bsscfg_int_set(ifp, "mfp", mfp);
if (err < 0) {
goto exit;
}
-@@ -4180,6 +4215,7 @@ s32 brcmf_vif_set_mgmt_ie(struct brcmf_c
+@@ -4182,6 +4217,7 @@ s32 brcmf_vif_set_mgmt_ie(struct brcmf_c
const u8 *vndr_ie_buf, u32 vndr_ie_len)
{
struct brcmf_if *ifp;
struct vif_saved_ie *saved_ie;
s32 err = 0;
u8 *iovar_ie_buf;
-@@ -4200,6 +4236,7 @@ s32 brcmf_vif_set_mgmt_ie(struct brcmf_c
+@@ -4202,6 +4238,7 @@ s32 brcmf_vif_set_mgmt_ie(struct brcmf_c
if (!vif)
return -ENODEV;
ifp = vif->ifp;
saved_ie = &vif->saved_ie;
brcmf_dbg(TRACE, "bsscfgidx %d, pktflag : 0x%02X\n", ifp->bsscfgidx,
-@@ -4231,13 +4268,13 @@ s32 brcmf_vif_set_mgmt_ie(struct brcmf_c
+@@ -4233,13 +4270,13 @@ s32 brcmf_vif_set_mgmt_ie(struct brcmf_c
break;
default:
err = -EPERM;
goto exit;
}
-@@ -4298,8 +4335,8 @@ s32 brcmf_vif_set_mgmt_ie(struct brcmf_c
+@@ -4300,8 +4337,8 @@ s32 brcmf_vif_set_mgmt_ie(struct brcmf_c
/* verify remained buf size before copy data */
if (remained_buf_len < (vndrie_info->vndrie.len +
VNDR_IE_VSIE_OFFSET)) {
break;
}
remained_buf_len -= (vndrie_info->ie_len +
-@@ -4330,7 +4367,7 @@ s32 brcmf_vif_set_mgmt_ie(struct brcmf_c
+@@ -4332,7 +4369,7 @@ s32 brcmf_vif_set_mgmt_ie(struct brcmf_c
err = brcmf_fil_bsscfg_data_set(ifp, "vndr_ie", iovar_ie_buf,
total_ie_buf_len);
if (err)
}
exit:
-@@ -4358,13 +4395,14 @@ static s32
+@@ -4360,13 +4397,14 @@ static s32
brcmf_config_ap_mgmt_ie(struct brcmf_cfg80211_vif *vif,
struct cfg80211_beacon_data *beacon)
{
return err;
}
brcmf_dbg(TRACE, "Applied Vndr IEs for Beacon\n");
-@@ -4374,7 +4412,7 @@ brcmf_config_ap_mgmt_ie(struct brcmf_cfg
+@@ -4376,7 +4414,7 @@ brcmf_config_ap_mgmt_ie(struct brcmf_cfg
beacon->proberesp_ies,
beacon->proberesp_ies_len);
if (err)
else
brcmf_dbg(TRACE, "Applied Vndr IEs for Probe Resp\n");
-@@ -4483,7 +4521,8 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
+@@ -4485,7 +4523,8 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_REGULATORY,
is_11d);
if (err < 0) {
goto exit;
}
}
-@@ -4491,8 +4530,8 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
+@@ -4493,8 +4532,8 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_BCNPRD,
settings->beacon_interval);
if (err < 0) {
goto exit;
}
}
-@@ -4500,7 +4539,8 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
+@@ -4502,7 +4541,8 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_DTIMPRD,
settings->dtim_period);
if (err < 0) {
goto exit;
}
}
-@@ -4510,7 +4550,8 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
+@@ -4512,7 +4552,8 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
!brcmf_feat_is_enabled(ifp, BRCMF_FEAT_RSDB))) {
err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_DOWN, 1);
if (err < 0) {
goto exit;
}
brcmf_fil_iovar_int_set(ifp, "apsta", 0);
-@@ -4518,7 +4559,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
+@@ -4520,7 +4561,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_INFRA, 1);
if (err < 0) {
goto exit;
}
} else if (WARN_ON(supports_11d && (is_11d != ifp->vif->is_11d))) {
-@@ -4534,7 +4575,8 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
+@@ -4536,7 +4577,8 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_AP, 1);
if (err < 0) {
goto exit;
}
if (!mbss) {
-@@ -4543,14 +4585,14 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
+@@ -4545,14 +4587,14 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
*/
err = brcmf_fil_iovar_int_set(ifp, "chanspec", chanspec);
if (err < 0) {
goto exit;
}
/* On DOWN the firmware removes the WEP keys, reconfigure
-@@ -4565,14 +4607,14 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
+@@ -4567,14 +4609,14 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
err = brcmf_fil_cmd_data_set(ifp, BRCMF_C_SET_SSID,
&join_params, sizeof(join_params));
if (err < 0) {
goto exit;
}
}
-@@ -4581,14 +4623,14 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
+@@ -4583,14 +4625,14 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
} else if (dev_role == NL80211_IFTYPE_P2P_GO) {
err = brcmf_fil_iovar_int_set(ifp, "chanspec", chanspec);
if (err < 0) {
goto exit;
}
bss_enable.bsscfgidx = cpu_to_le32(ifp->bsscfgidx);
-@@ -4596,7 +4638,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
+@@ -4598,7 +4640,7 @@ brcmf_cfg80211_start_ap(struct wiphy *wi
err = brcmf_fil_iovar_data_set(ifp, "bss", &bss_enable,
sizeof(bss_enable));
if (err < 0) {
goto exit;
}
-@@ -4644,13 +4686,13 @@ static int brcmf_cfg80211_stop_ap(struct
+@@ -4646,13 +4688,13 @@ static int brcmf_cfg80211_stop_ap(struct
err = brcmf_fil_cmd_data_set(ifp, BRCMF_C_SET_SSID,
&join_params, sizeof(join_params));
if (err < 0)
if (brcmf_feat_is_enabled(ifp, BRCMF_FEAT_MBSS))
brcmf_fil_iovar_int_set(ifp, "mbss", 0);
brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_REGULATORY,
-@@ -4658,7 +4700,7 @@ static int brcmf_cfg80211_stop_ap(struct
+@@ -4660,7 +4702,7 @@ static int brcmf_cfg80211_stop_ap(struct
/* Bring device back up so it can be used again */
err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_UP, 1);
if (err < 0)
brcmf_vif_clear_mgmt_ies(ifp->vif);
} else {
-@@ -4667,7 +4709,7 @@ static int brcmf_cfg80211_stop_ap(struct
+@@ -4669,7 +4711,7 @@ static int brcmf_cfg80211_stop_ap(struct
err = brcmf_fil_iovar_data_set(ifp, "bss", &bss_enable,
sizeof(bss_enable));
if (err < 0)
}
brcmf_set_mpc(ifp, 1);
brcmf_configure_arp_nd_offload(ifp, true);
-@@ -4715,7 +4757,8 @@ brcmf_cfg80211_del_station(struct wiphy
+@@ -4717,7 +4759,8 @@ brcmf_cfg80211_del_station(struct wiphy
err = brcmf_fil_cmd_data_set(ifp, BRCMF_C_SCB_DEAUTHENTICATE_FOR_REASON,
&scbval, sizeof(scbval));
if (err)
brcmf_dbg(TRACE, "Exit\n");
return err;
-@@ -4745,7 +4788,7 @@ brcmf_cfg80211_change_station(struct wip
+@@ -4747,7 +4790,7 @@ brcmf_cfg80211_change_station(struct wip
err = brcmf_fil_cmd_data_set(ifp, BRCMF_C_SET_SCB_DEAUTHORIZE,
(void *)mac, ETH_ALEN);
if (err < 0)
return err;
}
-@@ -4795,7 +4838,7 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wip
+@@ -4797,7 +4840,7 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wip
mgmt = (const struct ieee80211_mgmt *)buf;
if (!ieee80211_is_mgmt(mgmt->frame_control)) {
return -EPERM;
}
-@@ -4826,13 +4869,13 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wip
+@@ -4828,13 +4871,13 @@ brcmf_cfg80211_mgmt_tx(struct wiphy *wip
GFP_KERNEL);
} else if (ieee80211_is_action(mgmt->frame_control)) {
if (len > BRCMF_FIL_ACTION_FRAME_SIZE + DOT11_MGMT_HDR_LEN) {
err = -ENOMEM;
goto exit;
}
-@@ -4890,7 +4933,7 @@ brcmf_cfg80211_cancel_remain_on_channel(
+@@ -4892,7 +4935,7 @@ brcmf_cfg80211_cancel_remain_on_channel(
vif = cfg->p2p.bss_idx[P2PAPI_BSSCFG_DEVICE].vif;
if (vif == NULL) {
err = -ENODEV;
goto exit;
}
-@@ -4918,7 +4961,7 @@ static int brcmf_cfg80211_get_channel(st
+@@ -4920,7 +4963,7 @@ static int brcmf_cfg80211_get_channel(st
err = brcmf_fil_iovar_int_get(ifp, "chanspec", &chanspec);
if (err) {
return err;
}
-@@ -5057,7 +5100,7 @@ static int brcmf_cfg80211_tdls_oper(stru
+@@ -5059,7 +5102,7 @@ static int brcmf_cfg80211_tdls_oper(stru
ret = brcmf_fil_iovar_data_set(ifp, "tdls_endpoint",
&info, sizeof(info));
if (ret < 0)
return ret;
}
-@@ -5078,7 +5121,7 @@ brcmf_cfg80211_update_conn_params(struct
+@@ -5080,7 +5123,7 @@ brcmf_cfg80211_update_conn_params(struct
err = brcmf_vif_set_mgmt_ie(ifp->vif, BRCMF_VNDR_IE_ASSOCREQ_FLAG,
sme->ie, sme->ie_len);
if (err)
else
brcmf_dbg(TRACE, "Applied Vndr IEs for Assoc request\n");
-@@ -5104,7 +5147,7 @@ brcmf_cfg80211_set_rekey_data(struct wip
+@@ -5106,7 +5149,7 @@ brcmf_cfg80211_set_rekey_data(struct wip
ret = brcmf_fil_iovar_data_set(ifp, "gtk_key_info", >k_le,
sizeof(gtk_le));
if (ret < 0)
return ret;
}
-@@ -5336,6 +5379,7 @@ static void brcmf_clear_assoc_ies(struct
+@@ -5338,6 +5381,7 @@ static void brcmf_clear_assoc_ies(struct
static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,
struct brcmf_if *ifp)
{
struct brcmf_cfg80211_assoc_ielen_le *assoc_info;
struct brcmf_cfg80211_connect_info *conn_info = cfg_to_conn(cfg);
u32 req_len;
-@@ -5347,7 +5391,7 @@ static s32 brcmf_get_assoc_ies(struct br
+@@ -5349,7 +5393,7 @@ static s32 brcmf_get_assoc_ies(struct br
err = brcmf_fil_iovar_data_get(ifp, "assoc_info",
cfg->extra_buf, WL_ASSOC_INFO_MAX);
if (err) {
return err;
}
assoc_info =
-@@ -5359,7 +5403,7 @@ static s32 brcmf_get_assoc_ies(struct br
+@@ -5361,7 +5405,7 @@ static s32 brcmf_get_assoc_ies(struct br
cfg->extra_buf,
WL_ASSOC_INFO_MAX);
if (err) {
return err;
}
conn_info->req_ie_len = req_len;
-@@ -5375,7 +5419,7 @@ static s32 brcmf_get_assoc_ies(struct br
+@@ -5379,7 +5423,7 @@ static s32 brcmf_get_assoc_ies(struct br
cfg->extra_buf,
WL_ASSOC_INFO_MAX);
if (err) {
return err;
}
conn_info->resp_ie_len = resp_len;
-@@ -5502,6 +5546,7 @@ brcmf_notify_connect_status_ap(struct br
+@@ -5508,6 +5552,7 @@ brcmf_notify_connect_status_ap(struct br
struct net_device *ndev,
const struct brcmf_event_msg *e, void *data)
{
static int generation;
u32 event = e->event_code;
u32 reason = e->reason;
-@@ -5519,7 +5564,7 @@ brcmf_notify_connect_status_ap(struct br
+@@ -5525,7 +5570,7 @@ brcmf_notify_connect_status_ap(struct br
if (((event == BRCMF_E_ASSOC_IND) || (event == BRCMF_E_REASSOC_IND)) &&
(reason == BRCMF_E_STATUS_SUCCESS)) {
if (!data) {
return -EINVAL;
}
-@@ -5811,6 +5856,7 @@ static void init_vif_event(struct brcmf_
+@@ -5817,6 +5862,7 @@ static void init_vif_event(struct brcmf_
static s32 brcmf_dongle_roam(struct brcmf_if *ifp)
{
s32 err;
u32 bcn_timeout;
__le32 roamtrigger[2];
-@@ -5823,7 +5869,7 @@ static s32 brcmf_dongle_roam(struct brcm
+@@ -5829,7 +5875,7 @@ static s32 brcmf_dongle_roam(struct brcm
bcn_timeout = BRCMF_DEFAULT_BCN_TIMEOUT_ROAM_ON;
err = brcmf_fil_iovar_int_set(ifp, "bcn_timeout", bcn_timeout);
if (err) {
goto roam_setup_done;
}
-@@ -5835,7 +5881,7 @@ static s32 brcmf_dongle_roam(struct brcm
+@@ -5841,7 +5887,7 @@ static s32 brcmf_dongle_roam(struct brcm
err = brcmf_fil_iovar_int_set(ifp, "roam_off",
ifp->drvr->settings->roamoff);
if (err) {
goto roam_setup_done;
}
-@@ -5844,7 +5890,7 @@ static s32 brcmf_dongle_roam(struct brcm
+@@ -5850,7 +5896,7 @@ static s32 brcmf_dongle_roam(struct brcm
err = brcmf_fil_cmd_data_set(ifp, BRCMF_C_SET_ROAM_TRIGGER,
(void *)roamtrigger, sizeof(roamtrigger));
if (err) {
goto roam_setup_done;
}
-@@ -5853,7 +5899,7 @@ static s32 brcmf_dongle_roam(struct brcm
+@@ -5859,7 +5905,7 @@ static s32 brcmf_dongle_roam(struct brcm
err = brcmf_fil_cmd_data_set(ifp, BRCMF_C_SET_ROAM_DELTA,
(void *)roam_delta, sizeof(roam_delta));
if (err) {
goto roam_setup_done;
}
-@@ -5864,25 +5910,26 @@ roam_setup_done:
+@@ -5870,25 +5916,26 @@ roam_setup_done:
static s32
brcmf_dongle_scantime(struct brcmf_if *ifp)
{
goto dongle_scantime_out;
}
-@@ -5914,10 +5961,10 @@ static void brcmf_update_bw40_channel_fl
+@@ -5920,10 +5967,10 @@ static void brcmf_update_bw40_channel_fl
static int brcmf_construct_chaninfo(struct brcmf_cfg80211_info *cfg,
u32 bw_cap[])
{
struct brcmf_chanspec_list *list;
struct brcmu_chan ch;
int err;
-@@ -5936,11 +5983,10 @@ static int brcmf_construct_chaninfo(stru
+@@ -5942,11 +5989,10 @@ static int brcmf_construct_chaninfo(stru
err = brcmf_fil_iovar_data_get(ifp, "chanspecs", pbuf,
BRCMF_DCMD_MEDLEN);
if (err) {
band = wiphy->bands[NL80211_BAND_2GHZ];
if (band)
for (i = 0; i < band->n_channels; i++)
-@@ -5960,7 +6006,8 @@ static int brcmf_construct_chaninfo(stru
+@@ -5966,7 +6012,8 @@ static int brcmf_construct_chaninfo(stru
} else if (ch.band == BRCMU_CHAN_BAND_5G) {
band = wiphy->bands[NL80211_BAND_5GHZ];
} else {
continue;
}
if (!band)
-@@ -5983,8 +6030,8 @@ static int brcmf_construct_chaninfo(stru
+@@ -5989,8 +6036,8 @@ static int brcmf_construct_chaninfo(stru
/* It seems firmware supports some channel we never
* considered. Something new in IEEE standard?
*/
continue;
}
-@@ -6030,6 +6077,7 @@ fail_pbuf:
+@@ -6036,6 +6083,7 @@ fail_pbuf:
static int brcmf_enable_bw40_2g(struct brcmf_cfg80211_info *cfg)
{
struct brcmf_if *ifp = brcmf_get_ifp(cfg->pub, 0);
struct ieee80211_supported_band *band;
struct brcmf_fil_bwcap_le band_bwcap;
-@@ -6076,7 +6124,7 @@ static int brcmf_enable_bw40_2g(struct b
+@@ -6082,7 +6130,7 @@ static int brcmf_enable_bw40_2g(struct b
err = brcmf_fil_iovar_data_get(ifp, "chanspecs", pbuf,
BRCMF_DCMD_MEDLEN);
if (err) {
kfree(pbuf);
return err;
}
-@@ -6107,6 +6155,7 @@ static int brcmf_enable_bw40_2g(struct b
+@@ -6113,6 +6161,7 @@ static int brcmf_enable_bw40_2g(struct b
static void brcmf_get_bwcap(struct brcmf_if *ifp, u32 bw_cap[])
{
u32 band, mimo_bwcap;
int err;
-@@ -6142,7 +6191,7 @@ static void brcmf_get_bwcap(struct brcmf
+@@ -6148,7 +6197,7 @@ static void brcmf_get_bwcap(struct brcmf
bw_cap[NL80211_BAND_5GHZ] |= WLC_BW_20MHZ_BIT;
break;
default:
}
}
-@@ -6218,7 +6267,7 @@ static void brcmf_update_vht_cap(struct
+@@ -6224,7 +6273,7 @@ static void brcmf_update_vht_cap(struct
static int brcmf_setup_wiphybands(struct brcmf_cfg80211_info *cfg)
{
struct brcmf_if *ifp = brcmf_get_ifp(cfg->pub, 0);
u32 nmode = 0;
u32 vhtmode = 0;
u32 bw_cap[2] = { WLC_BW_20MHZ_BIT, WLC_BW_20MHZ_BIT };
-@@ -6234,7 +6283,7 @@ static int brcmf_setup_wiphybands(struct
+@@ -6240,7 +6289,7 @@ static int brcmf_setup_wiphybands(struct
(void)brcmf_fil_iovar_int_get(ifp, "vhtmode", &vhtmode);
err = brcmf_fil_iovar_int_get(ifp, "nmode", &nmode);
if (err) {
} else {
brcmf_get_bwcap(ifp, bw_cap);
}
-@@ -6244,7 +6293,7 @@ static int brcmf_setup_wiphybands(struct
+@@ -6250,7 +6299,7 @@ static int brcmf_setup_wiphybands(struct
err = brcmf_fil_iovar_int_get(ifp, "rxchain", &rxchain);
if (err) {
nchain = 1;
} else {
for (nchain = 0; rxchain; nchain++)
-@@ -6254,7 +6303,7 @@ static int brcmf_setup_wiphybands(struct
+@@ -6260,7 +6309,7 @@ static int brcmf_setup_wiphybands(struct
err = brcmf_construct_chaninfo(cfg, bw_cap);
if (err) {
return err;
}
-@@ -6266,7 +6315,6 @@ static int brcmf_setup_wiphybands(struct
+@@ -6272,7 +6321,6 @@ static int brcmf_setup_wiphybands(struct
&txbf_bfr_cap);
}
for (i = 0; i < ARRAY_SIZE(wiphy->bands); i++) {
band = wiphy->bands[i];
if (band == NULL)
-@@ -6467,7 +6515,7 @@ static void brcmf_wiphy_wowl_params(stru
+@@ -6473,7 +6521,7 @@ static void brcmf_wiphy_wowl_params(stru
wowl = kmemdup(&brcmf_wowlan_support, sizeof(brcmf_wowlan_support),
GFP_KERNEL);
if (!wowl) {
wiphy->wowlan = &brcmf_wowlan_support;
return;
}
-@@ -6564,7 +6612,7 @@ static int brcmf_setup_wiphy(struct wiph
+@@ -6570,7 +6618,7 @@ static int brcmf_setup_wiphy(struct wiph
err = brcmf_fil_cmd_data_get(ifp, BRCMF_C_GET_BANDLIST, &bandlist,
sizeof(bandlist));
if (err) {
return err;
}
/* first entry in bandlist is number of bands */
-@@ -6613,6 +6661,7 @@ static int brcmf_setup_wiphy(struct wiph
+@@ -6619,6 +6667,7 @@ static int brcmf_setup_wiphy(struct wiph
static s32 brcmf_config_dongle(struct brcmf_cfg80211_info *cfg)
{
struct net_device *ndev;
struct wireless_dev *wdev;
struct brcmf_if *ifp;
-@@ -6650,7 +6699,7 @@ static s32 brcmf_config_dongle(struct br
+@@ -6656,7 +6705,7 @@ static s32 brcmf_config_dongle(struct br
err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_FAKEFRAG, 1);
if (err) {
goto default_conf_out;
}
-@@ -6842,8 +6891,8 @@ static void brcmf_cfg80211_reg_notifier(
+@@ -6848,8 +6897,8 @@ static void brcmf_cfg80211_reg_notifier(
/* ignore non-ISO3166 country codes */
for (i = 0; i < 2; i++)
if (req->alpha2[i] < 'A' || req->alpha2[i] > 'Z') {
return;
}
-@@ -6852,7 +6901,7 @@ static void brcmf_cfg80211_reg_notifier(
+@@ -6858,7 +6907,7 @@ static void brcmf_cfg80211_reg_notifier(
err = brcmf_fil_iovar_data_get(ifp, "country", &ccreq, sizeof(ccreq));
if (err) {
return;
}
-@@ -6862,7 +6911,7 @@ static void brcmf_cfg80211_reg_notifier(
+@@ -6868,7 +6917,7 @@ static void brcmf_cfg80211_reg_notifier(
err = brcmf_fil_iovar_data_set(ifp, "country", &ccreq, sizeof(ccreq));
if (err) {
return;
}
brcmf_setup_wiphybands(cfg);
-@@ -6908,13 +6957,13 @@ struct brcmf_cfg80211_info *brcmf_cfg802
+@@ -6914,13 +6963,13 @@ struct brcmf_cfg80211_info *brcmf_cfg802
u16 *cap = NULL;
if (!ndev) {
return NULL;
}
-@@ -6935,7 +6984,7 @@ struct brcmf_cfg80211_info *brcmf_cfg802
+@@ -6941,7 +6990,7 @@ struct brcmf_cfg80211_info *brcmf_cfg802
err = wl_init_priv(cfg);
if (err) {
brcmf_free_vif(vif);
goto wiphy_out;
}
-@@ -6944,7 +6993,7 @@ struct brcmf_cfg80211_info *brcmf_cfg802
+@@ -6950,7 +6999,7 @@ struct brcmf_cfg80211_info *brcmf_cfg802
/* determine d11 io type before wiphy setup */
err = brcmf_fil_cmd_int_get(ifp, BRCMF_C_GET_VERSION, &io_type);
if (err) {
goto priv_out;
}
cfg->d11inf.io_type = (u8)io_type;
-@@ -6978,13 +7027,13 @@ struct brcmf_cfg80211_info *brcmf_cfg802
+@@ -6984,13 +7033,13 @@ struct brcmf_cfg80211_info *brcmf_cfg802
#endif
err = wiphy_register(wiphy);
if (err < 0) {
goto wiphy_unreg_out;
}
-@@ -7002,24 +7051,24 @@ struct brcmf_cfg80211_info *brcmf_cfg802
+@@ -7008,24 +7057,24 @@ struct brcmf_cfg80211_info *brcmf_cfg802
err = brcmf_fweh_activate_events(ifp);
if (err) {
brcmf_btcoex_detach(cfg);
brcmf_p2p_detach(&cfg->p2p);
goto wiphy_unreg_out;
-@@ -7039,7 +7088,7 @@ struct brcmf_cfg80211_info *brcmf_cfg802
+@@ -7045,7 +7094,7 @@ struct brcmf_cfg80211_info *brcmf_cfg802
/* (re-) activate FWEH event handling */
err = brcmf_fweh_activate_events(ifp);
if (err) {
+++ /dev/null
-From 1b5e2423164b3670e8bc9174e4762d297990deff Mon Sep 17 00:00:00 2001
-From: Arend van Spriel <arend.vanspriel@broadcom.com>
-Date: Thu, 14 Feb 2019 13:43:47 +0100
-Subject: [PATCH] brcmfmac: assure SSID length from firmware is limited
-
-The SSID length as received from firmware should not exceed
-IEEE80211_MAX_SSID_LEN as that would result in heap overflow.
-
-Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
-Reviewed-by: Franky Lin <franky.lin@broadcom.com>
-Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
- drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 2 ++
- 1 file changed, 2 insertions(+)
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -3499,6 +3499,8 @@ brcmf_wowl_nd_results(struct brcmf_if *i
- }
-
- netinfo = brcmf_get_netinfo_array(pfn_result);
-+ if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN)
-+ netinfo->SSID_len = IEEE80211_MAX_SSID_LEN;
- memcpy(cfg->wowl.nd->ssid.ssid, netinfo->SSID, netinfo->SSID_len);
- cfg->wowl.nd->ssid.ssid_len = netinfo->SSID_len;
- cfg->wowl.nd->n_channels = 1;
+++ /dev/null
-From a4176ec356c73a46c07c181c6d04039fafa34a9f Mon Sep 17 00:00:00 2001
-From: Arend van Spriel <arend.vanspriel@broadcom.com>
-Date: Thu, 14 Feb 2019 13:43:48 +0100
-Subject: [PATCH] brcmfmac: add subtype check for event handling in data path
-
-For USB there is no separate channel being used to pass events
-from firmware to the host driver and as such are passed over the
-data path. In order to detect mock event messages an additional
-check is needed on event subtype. This check is added conditionally
-using unlikely() keyword.
-
-Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
-Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
-Reviewed-by: Franky Lin <franky.lin@broadcom.com>
-Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
- .../wireless/broadcom/brcm80211/brcmfmac/core.c | 5 +++--
- .../wireless/broadcom/brcm80211/brcmfmac/fweh.h | 16 ++++++++++++----
- .../broadcom/brcm80211/brcmfmac/msgbuf.c | 2 +-
- 3 files changed, 16 insertions(+), 7 deletions(-)
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-@@ -519,7 +519,8 @@ void brcmf_rx_frame(struct device *dev,
- } else {
- /* Process special event packets */
- if (handle_event)
-- brcmf_fweh_process_skb(ifp->drvr, skb);
-+ brcmf_fweh_process_skb(ifp->drvr, skb,
-+ BCMILCP_SUBTYPE_VENDOR_LONG);
-
- brcmf_netif_rx(ifp, skb);
- }
-@@ -536,7 +537,7 @@ void brcmf_rx_event(struct device *dev,
- if (brcmf_rx_hdrpull(drvr, skb, &ifp))
- return;
-
-- brcmf_fweh_process_skb(ifp->drvr, skb);
-+ brcmf_fweh_process_skb(ifp->drvr, skb, 0);
- brcmu_pkt_buf_free_skb(skb);
- }
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h
-@@ -211,7 +211,7 @@ enum brcmf_fweh_event_code {
- */
- #define BRCM_OUI "\x00\x10\x18"
- #define BCMILCP_BCM_SUBTYPE_EVENT 1
--
-+#define BCMILCP_SUBTYPE_VENDOR_LONG 32769
-
- /**
- * struct brcm_ethhdr - broadcom specific ether header.
-@@ -334,10 +334,10 @@ void brcmf_fweh_process_event(struct brc
- void brcmf_fweh_p2pdev_setup(struct brcmf_if *ifp, bool ongoing);
-
- static inline void brcmf_fweh_process_skb(struct brcmf_pub *drvr,
-- struct sk_buff *skb)
-+ struct sk_buff *skb, u16 stype)
- {
- struct brcmf_event *event_packet;
-- u16 usr_stype;
-+ u16 subtype, usr_stype;
-
- /* only process events when protocol matches */
- if (skb->protocol != cpu_to_be16(ETH_P_LINK_CTL))
-@@ -346,8 +346,16 @@ static inline void brcmf_fweh_process_sk
- if ((skb->len + ETH_HLEN) < sizeof(*event_packet))
- return;
-
-- /* check for BRCM oui match */
- event_packet = (struct brcmf_event *)skb_mac_header(skb);
-+
-+ /* check subtype if needed */
-+ if (unlikely(stype)) {
-+ subtype = get_unaligned_be16(&event_packet->hdr.subtype);
-+ if (subtype != stype)
-+ return;
-+ }
-+
-+ /* check for BRCM oui match */
- if (memcmp(BRCM_OUI, &event_packet->hdr.oui[0],
- sizeof(event_packet->hdr.oui)))
- return;
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c
-@@ -1116,7 +1116,7 @@ static void brcmf_msgbuf_process_event(s
-
- skb->protocol = eth_type_trans(skb, ifp->ndev);
-
-- brcmf_fweh_process_skb(ifp->drvr, skb);
-+ brcmf_fweh_process_skb(ifp->drvr, skb, 0);
-
- exit:
- brcmu_pkt_buf_free_skb(skb);
*/
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-@@ -1177,6 +1177,7 @@ static int brcmf_bus_started(struct brcm
+@@ -1181,6 +1181,7 @@ static int brcmf_bus_started(struct brcm
brcmf_debugfs_add_entry(drvr, "revinfo", brcmf_revinfo_read);
brcmf_feat_debugfs_create(drvr);
brcmf_proto_debugfs_create(drvr);
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
-@@ -3143,9 +3143,12 @@ static int brcmf_debugfs_sdio_count_read
+@@ -3154,9 +3154,12 @@ static int brcmf_debugfs_sdio_count_read
return 0;
}
struct dentry *dentry = brcmf_debugfs_get_devdir(drvr);
if (IS_ERR_OR_NULL(dentry))
-@@ -3165,7 +3168,7 @@ static int brcmf_sdio_checkdied(struct b
+@@ -3176,7 +3179,7 @@ static int brcmf_sdio_checkdied(struct b
return 0;
}
{
}
#endif /* DEBUG */
-@@ -3477,8 +3480,6 @@ static int brcmf_sdio_bus_preinit(struct
+@@ -3488,8 +3491,6 @@ static int brcmf_sdio_bus_preinit(struct
if (bus->rxbuf)
bus->rxblen = value;
/* the commands below use the terms tx and rx from
* a device perspective, ie. bus:txglom affects the
* bus transfers from device to host.
-@@ -4088,6 +4089,7 @@ static const struct brcmf_bus_ops brcmf_
+@@ -4099,6 +4100,7 @@ static const struct brcmf_bus_ops brcmf_
.get_ramsize = brcmf_sdio_bus_get_ramsize,
.get_memdump = brcmf_sdio_bus_get_memdump,
.get_fwname = brcmf_sdio_get_fwname,
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
-@@ -2999,21 +2999,35 @@ static int brcmf_sdio_trap_info(struct s
+@@ -3010,21 +3010,35 @@ static int brcmf_sdio_trap_info(struct s
if (error < 0)
return error;
return 0;
}
-@@ -3067,8 +3081,10 @@ static int brcmf_sdio_checkdied(struct b
+@@ -3078,8 +3092,10 @@ static int brcmf_sdio_checkdied(struct b
else if (sh.flags & SDPCM_SHARED_ASSERT)
brcmf_err("assertion in dongle\n");
return 0;
}
-@@ -4199,7 +4215,7 @@ static void brcmf_sdio_firmware_callback
+@@ -4210,7 +4226,7 @@ static void brcmf_sdio_firmware_callback
} else {
/* Disable F2 again */
sdio_disable_func(sdiod->func2);
}
if (brcmf_chip_sr_capable(bus->ci)) {
-@@ -4220,8 +4236,10 @@ static void brcmf_sdio_firmware_callback
+@@ -4231,8 +4247,10 @@ static void brcmf_sdio_firmware_callback
}
/* If we didn't come up, turn off backplane clock */
sdio_release_host(sdiod->func1);
-@@ -4235,12 +4253,15 @@ static void brcmf_sdio_firmware_callback
+@@ -4246,12 +4264,15 @@ static void brcmf_sdio_firmware_callback
err = brcmf_attach(sdiod->dev, sdiod->settings);
if (err != 0) {
brcmf_err("brcmf_attach failed\n");
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -6043,11 +6043,18 @@ static int brcmf_construct_chaninfo(stru
+@@ -6047,11 +6047,18 @@ static int brcmf_construct_chaninfo(stru
/* assuming the chanspecs order is HT20,
* HT40 upper, HT40 lower, and VHT80.
*/
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -6044,6 +6044,9 @@ static int brcmf_construct_chaninfo(stru
+@@ -6048,6 +6048,9 @@ static int brcmf_construct_chaninfo(stru
* HT40 upper, HT40 lower, and VHT80.
*/
switch (ch.bw) {
return err;
}
conn_info->req_ie_len = req_len;
-@@ -5421,7 +5465,7 @@ static s32 brcmf_get_assoc_ies(struct br
+@@ -5423,7 +5467,7 @@ static s32 brcmf_get_assoc_ies(struct br
cfg->extra_buf,
WL_ASSOC_INFO_MAX);
if (err) {
return err;
}
conn_info->resp_ie_len = resp_len;
-@@ -5548,7 +5592,7 @@ brcmf_notify_connect_status_ap(struct br
+@@ -5552,7 +5596,7 @@ brcmf_notify_connect_status_ap(struct br
struct net_device *ndev,
const struct brcmf_event_msg *e, void *data)
{
static int generation;
u32 event = e->event_code;
u32 reason = e->reason;
-@@ -5566,7 +5610,7 @@ brcmf_notify_connect_status_ap(struct br
+@@ -5570,7 +5614,7 @@ brcmf_notify_connect_status_ap(struct br
if (((event == BRCMF_E_ASSOC_IND) || (event == BRCMF_E_REASSOC_IND)) &&
(reason == BRCMF_E_STATUS_SUCCESS)) {
if (!data) {
return -EINVAL;
}
-@@ -5858,7 +5902,7 @@ static void init_vif_event(struct brcmf_
+@@ -5862,7 +5906,7 @@ static void init_vif_event(struct brcmf_
static s32 brcmf_dongle_roam(struct brcmf_if *ifp)
{
s32 err;
u32 bcn_timeout;
__le32 roamtrigger[2];
-@@ -5871,7 +5915,7 @@ static s32 brcmf_dongle_roam(struct brcm
+@@ -5875,7 +5919,7 @@ static s32 brcmf_dongle_roam(struct brcm
bcn_timeout = BRCMF_DEFAULT_BCN_TIMEOUT_ROAM_ON;
err = brcmf_fil_iovar_int_set(ifp, "bcn_timeout", bcn_timeout);
if (err) {
goto roam_setup_done;
}
-@@ -5883,7 +5927,7 @@ static s32 brcmf_dongle_roam(struct brcm
+@@ -5887,7 +5931,7 @@ static s32 brcmf_dongle_roam(struct brcm
err = brcmf_fil_iovar_int_set(ifp, "roam_off",
ifp->drvr->settings->roamoff);
if (err) {
goto roam_setup_done;
}
-@@ -5892,7 +5936,7 @@ static s32 brcmf_dongle_roam(struct brcm
+@@ -5896,7 +5940,7 @@ static s32 brcmf_dongle_roam(struct brcm
err = brcmf_fil_cmd_data_set(ifp, BRCMF_C_SET_ROAM_TRIGGER,
(void *)roamtrigger, sizeof(roamtrigger));
if (err) {
goto roam_setup_done;
}
-@@ -5901,7 +5945,7 @@ static s32 brcmf_dongle_roam(struct brcm
+@@ -5905,7 +5949,7 @@ static s32 brcmf_dongle_roam(struct brcm
err = brcmf_fil_cmd_data_set(ifp, BRCMF_C_SET_ROAM_DELTA,
(void *)roam_delta, sizeof(roam_delta));
if (err) {
goto roam_setup_done;
}
-@@ -5912,26 +5956,26 @@ roam_setup_done:
+@@ -5916,26 +5960,26 @@ roam_setup_done:
static s32
brcmf_dongle_scantime(struct brcmf_if *ifp)
{
goto dongle_scantime_out;
}
-@@ -5964,7 +6008,8 @@ static int brcmf_construct_chaninfo(stru
+@@ -5968,7 +6012,8 @@ static int brcmf_construct_chaninfo(stru
u32 bw_cap[])
{
struct wiphy *wiphy = cfg_to_wiphy(cfg);
struct ieee80211_supported_band *band;
struct ieee80211_channel *channel;
struct brcmf_chanspec_list *list;
-@@ -5985,7 +6030,7 @@ static int brcmf_construct_chaninfo(stru
+@@ -5989,7 +6034,7 @@ static int brcmf_construct_chaninfo(stru
err = brcmf_fil_iovar_data_get(ifp, "chanspecs", pbuf,
BRCMF_DCMD_MEDLEN);
if (err) {
goto fail_pbuf;
}
-@@ -6008,7 +6053,7 @@ static int brcmf_construct_chaninfo(stru
+@@ -6012,7 +6057,7 @@ static int brcmf_construct_chaninfo(stru
} else if (ch.band == BRCMU_CHAN_BAND_5G) {
band = wiphy->bands[NL80211_BAND_5GHZ];
} else {
ch.chspec);
continue;
}
-@@ -6032,7 +6077,7 @@ static int brcmf_construct_chaninfo(stru
+@@ -6036,7 +6081,7 @@ static int brcmf_construct_chaninfo(stru
/* It seems firmware supports some channel we never
* considered. Something new in IEEE standard?
*/
ch.control_ch_num);
continue;
}
-@@ -6089,8 +6134,8 @@ fail_pbuf:
+@@ -6093,8 +6138,8 @@ fail_pbuf:
static int brcmf_enable_bw40_2g(struct brcmf_cfg80211_info *cfg)
{
struct ieee80211_supported_band *band;
struct brcmf_fil_bwcap_le band_bwcap;
struct brcmf_chanspec_list *list;
-@@ -6136,7 +6181,7 @@ static int brcmf_enable_bw40_2g(struct b
+@@ -6140,7 +6185,7 @@ static int brcmf_enable_bw40_2g(struct b
err = brcmf_fil_iovar_data_get(ifp, "chanspecs", pbuf,
BRCMF_DCMD_MEDLEN);
if (err) {
kfree(pbuf);
return err;
}
-@@ -6167,7 +6212,7 @@ static int brcmf_enable_bw40_2g(struct b
+@@ -6171,7 +6216,7 @@ static int brcmf_enable_bw40_2g(struct b
static void brcmf_get_bwcap(struct brcmf_if *ifp, u32 bw_cap[])
{
u32 band, mimo_bwcap;
int err;
-@@ -6203,7 +6248,7 @@ static void brcmf_get_bwcap(struct brcmf
+@@ -6207,7 +6252,7 @@ static void brcmf_get_bwcap(struct brcmf
bw_cap[NL80211_BAND_5GHZ] |= WLC_BW_20MHZ_BIT;
break;
default:
}
}
-@@ -6278,7 +6323,8 @@ static void brcmf_update_vht_cap(struct
+@@ -6282,7 +6327,8 @@ static void brcmf_update_vht_cap(struct
static int brcmf_setup_wiphybands(struct brcmf_cfg80211_info *cfg)
{
struct wiphy *wiphy = cfg_to_wiphy(cfg);
u32 nmode = 0;
u32 vhtmode = 0;
-@@ -6295,7 +6341,7 @@ static int brcmf_setup_wiphybands(struct
+@@ -6299,7 +6345,7 @@ static int brcmf_setup_wiphybands(struct
(void)brcmf_fil_iovar_int_get(ifp, "vhtmode", &vhtmode);
err = brcmf_fil_iovar_int_get(ifp, "nmode", &nmode);
if (err) {
} else {
brcmf_get_bwcap(ifp, bw_cap);
}
-@@ -6305,7 +6351,7 @@ static int brcmf_setup_wiphybands(struct
+@@ -6309,7 +6355,7 @@ static int brcmf_setup_wiphybands(struct
err = brcmf_fil_iovar_int_get(ifp, "rxchain", &rxchain);
if (err) {
nchain = 1;
} else {
for (nchain = 0; rxchain; nchain++)
-@@ -6315,7 +6361,7 @@ static int brcmf_setup_wiphybands(struct
+@@ -6319,7 +6365,7 @@ static int brcmf_setup_wiphybands(struct
err = brcmf_construct_chaninfo(cfg, bw_cap);
if (err) {
return err;
}
-@@ -6522,12 +6568,13 @@ static void brcmf_wiphy_wowl_params(stru
+@@ -6526,12 +6572,13 @@ static void brcmf_wiphy_wowl_params(stru
{
#ifdef CONFIG_PM
struct brcmf_cfg80211_info *cfg = wiphy_to_cfg(wiphy);
wiphy->wowlan = &brcmf_wowlan_support;
return;
}
-@@ -6624,7 +6671,7 @@ static int brcmf_setup_wiphy(struct wiph
+@@ -6628,7 +6675,7 @@ static int brcmf_setup_wiphy(struct wiph
err = brcmf_fil_cmd_data_get(ifp, BRCMF_C_GET_BANDLIST, &bandlist,
sizeof(bandlist));
if (err) {
return err;
}
/* first entry in bandlist is number of bands */
-@@ -6673,7 +6720,7 @@ static int brcmf_setup_wiphy(struct wiph
+@@ -6677,7 +6724,7 @@ static int brcmf_setup_wiphy(struct wiph
static s32 brcmf_config_dongle(struct brcmf_cfg80211_info *cfg)
{
struct net_device *ndev;
struct wireless_dev *wdev;
struct brcmf_if *ifp;
-@@ -6711,7 +6758,7 @@ static s32 brcmf_config_dongle(struct br
+@@ -6715,7 +6762,7 @@ static s32 brcmf_config_dongle(struct br
err = brcmf_fil_cmd_int_set(ifp, BRCMF_C_SET_FAKEFRAG, 1);
if (err) {
goto default_conf_out;
}
-@@ -6892,6 +6939,7 @@ static void brcmf_cfg80211_reg_notifier(
+@@ -6896,6 +6943,7 @@ static void brcmf_cfg80211_reg_notifier(
{
struct brcmf_cfg80211_info *cfg = wiphy_to_cfg(wiphy);
struct brcmf_if *ifp = brcmf_get_ifp(cfg->pub, 0);
struct brcmf_fil_country_le ccreq;
s32 err;
int i;
-@@ -6903,7 +6951,7 @@ static void brcmf_cfg80211_reg_notifier(
+@@ -6907,7 +6955,7 @@ static void brcmf_cfg80211_reg_notifier(
/* ignore non-ISO3166 country codes */
for (i = 0; i < 2; i++)
if (req->alpha2[i] < 'A' || req->alpha2[i] > 'Z') {
req->alpha2[0], req->alpha2[1]);
return;
}
-@@ -6913,7 +6961,7 @@ static void brcmf_cfg80211_reg_notifier(
+@@ -6917,7 +6965,7 @@ static void brcmf_cfg80211_reg_notifier(
err = brcmf_fil_iovar_data_get(ifp, "country", &ccreq, sizeof(ccreq));
if (err) {
return;
}
-@@ -6923,7 +6971,7 @@ static void brcmf_cfg80211_reg_notifier(
+@@ -6927,7 +6975,7 @@ static void brcmf_cfg80211_reg_notifier(
err = brcmf_fil_iovar_data_set(ifp, "country", &ccreq, sizeof(ccreq));
if (err) {
return;
}
brcmf_setup_wiphybands(cfg);
-@@ -6969,13 +7017,13 @@ struct brcmf_cfg80211_info *brcmf_cfg802
+@@ -6973,13 +7021,13 @@ struct brcmf_cfg80211_info *brcmf_cfg802
u16 *cap = NULL;
if (!ndev) {
return NULL;
}
-@@ -6996,7 +7044,7 @@ struct brcmf_cfg80211_info *brcmf_cfg802
+@@ -7000,7 +7048,7 @@ struct brcmf_cfg80211_info *brcmf_cfg802
err = wl_init_priv(cfg);
if (err) {
brcmf_free_vif(vif);
goto wiphy_out;
}
-@@ -7005,7 +7053,7 @@ struct brcmf_cfg80211_info *brcmf_cfg802
+@@ -7009,7 +7057,7 @@ struct brcmf_cfg80211_info *brcmf_cfg802
/* determine d11 io type before wiphy setup */
err = brcmf_fil_cmd_int_get(ifp, BRCMF_C_GET_VERSION, &io_type);
if (err) {
goto priv_out;
}
cfg->d11inf.io_type = (u8)io_type;
-@@ -7039,13 +7087,13 @@ struct brcmf_cfg80211_info *brcmf_cfg802
+@@ -7043,13 +7091,13 @@ struct brcmf_cfg80211_info *brcmf_cfg802
#endif
err = wiphy_register(wiphy);
if (err < 0) {
goto wiphy_unreg_out;
}
-@@ -7063,24 +7111,24 @@ struct brcmf_cfg80211_info *brcmf_cfg802
+@@ -7067,24 +7115,24 @@ struct brcmf_cfg80211_info *brcmf_cfg802
err = brcmf_fweh_activate_events(ifp);
if (err) {
brcmf_btcoex_detach(cfg);
brcmf_p2p_detach(&cfg->p2p);
goto wiphy_unreg_out;
-@@ -7100,7 +7148,7 @@ struct brcmf_cfg80211_info *brcmf_cfg802
+@@ -7104,7 +7152,7 @@ struct brcmf_cfg80211_info *brcmf_cfg802
/* (re-) activate FWEH event handling */
err = brcmf_fweh_activate_events(ifp);
if (err) {
brcmf_net_detach(ifp->ndev, false);
drvr->iflist[bsscfgidx] = NULL;
@@ -864,7 +866,7 @@ static void brcmf_del_if(struct brcmf_pu
+
ifp = drvr->iflist[bsscfgidx];
- drvr->iflist[bsscfgidx] = NULL;
if (!ifp) {
- brcmf_err("Null interface, bsscfgidx=%d\n", bsscfgidx);
+ bphy_err(drvr, "Null interface, bsscfgidx=%d\n", bsscfgidx);
return;
}
brcmf_dbg(TRACE, "Enter, bsscfgidx=%d, ifidx=%d\n", bsscfgidx,
-@@ -914,16 +916,17 @@ static int brcmf_psm_watchdog_notify(str
+@@ -918,16 +920,17 @@ static int brcmf_psm_watchdog_notify(str
const struct brcmf_event_msg *evtmsg,
void *data)
{
return err;
}
-@@ -967,7 +970,7 @@ static int brcmf_inetaddr_changed(struct
+@@ -971,7 +974,7 @@ static int brcmf_inetaddr_changed(struct
ret = brcmf_fil_iovar_data_get(ifp, "arp_hostip", addr_table,
sizeof(addr_table));
if (ret) {
return NOTIFY_OK;
}
-@@ -984,7 +987,7 @@ static int brcmf_inetaddr_changed(struct
+@@ -988,7 +991,7 @@ static int brcmf_inetaddr_changed(struct
ret = brcmf_fil_iovar_data_set(ifp, "arp_hostip",
&ifa->ifa_address, sizeof(ifa->ifa_address));
if (ret)
}
break;
case NETDEV_DOWN:
-@@ -996,8 +999,8 @@ static int brcmf_inetaddr_changed(struct
+@@ -1000,8 +1003,8 @@ static int brcmf_inetaddr_changed(struct
ret = brcmf_fil_iovar_data_set(ifp, "arp_hostip_clear",
NULL, 0);
if (ret) {
return NOTIFY_OK;
}
for (i = 0; i < ARPOL_MAX_ENTRIES; i++) {
-@@ -1007,8 +1010,8 @@ static int brcmf_inetaddr_changed(struct
+@@ -1011,8 +1014,8 @@ static int brcmf_inetaddr_changed(struct
&addr_table[i],
sizeof(addr_table[i]));
if (ret)
}
}
break;
-@@ -1182,7 +1185,7 @@ static int brcmf_bus_started(struct brcm
+@@ -1186,7 +1189,7 @@ static int brcmf_bus_started(struct brcm
return 0;
fail:
if (drvr->config) {
brcmf_cfg80211_detach(drvr->config);
drvr->config = NULL;
-@@ -1234,7 +1237,7 @@ int brcmf_attach(struct device *dev, str
+@@ -1238,7 +1241,7 @@ int brcmf_attach(struct device *dev, str
/* Attach and link in the protocol */
ret = brcmf_proto_attach(drvr);
if (ret != 0) {
goto fail;
}
-@@ -1247,7 +1250,7 @@ int brcmf_attach(struct device *dev, str
+@@ -1251,7 +1254,7 @@ int brcmf_attach(struct device *dev, str
ret = brcmf_bus_started(drvr, ops);
if (ret != 0) {
goto fail;
}
-@@ -1347,6 +1350,7 @@ static int brcmf_get_pend_8021x_cnt(stru
+@@ -1353,6 +1356,7 @@ static int brcmf_get_pend_8021x_cnt(stru
int brcmf_netdev_wait_pend8021x(struct brcmf_if *ifp)
{
int err;
err = wait_event_timeout(ifp->pend_8021x_wait,
-@@ -1354,7 +1358,7 @@ int brcmf_netdev_wait_pend8021x(struct b
+@@ -1360,7 +1364,7 @@ int brcmf_netdev_wait_pend8021x(struct b
MAX_WAIT_FOR_8021X_TX);
if (!err)
ifp->bsscfgidx, name, len);
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
-@@ -1255,6 +1255,7 @@ static int brcmf_fws_enq(struct brcmf_fw
+@@ -1259,6 +1259,7 @@ static int brcmf_fws_enq(struct brcmf_fw
enum brcmf_fws_skb_state state, int fifo,
struct sk_buff *p)
{
int prec = 2 * fifo;
u32 *qfull_stat = &fws->stats.delayq_full_error;
struct brcmf_fws_mac_descriptor *entry;
-@@ -1267,7 +1268,7 @@ static int brcmf_fws_enq(struct brcmf_fw
+@@ -1271,7 +1272,7 @@ static int brcmf_fws_enq(struct brcmf_fw
entry = brcmf_skbcb(p)->mac;
if (entry == NULL) {
return -ENOENT;
}
-@@ -1457,6 +1458,7 @@ static int
+@@ -1461,6 +1462,7 @@ static int
brcmf_fws_txs_process(struct brcmf_fws_info *fws, u8 flags, u32 hslot,
u32 genbit, u16 seq, u8 compcnt)
{
u32 fifo;
u8 cnt = 0;
int ret;
-@@ -1481,14 +1483,14 @@ brcmf_fws_txs_process(struct brcmf_fws_i
+@@ -1485,14 +1487,14 @@ brcmf_fws_txs_process(struct brcmf_fws_i
else if (flags == BRCMF_FWS_TXSTATUS_HOST_TOSSED)
fws->stats.txs_host_tossed += compcnt;
else
goto cont;
}
-@@ -1612,12 +1614,13 @@ static int brcmf_fws_notify_credit_map(s
+@@ -1616,12 +1618,13 @@ static int brcmf_fws_notify_credit_map(s
const struct brcmf_event_msg *e,
void *data)
{
return -EINVAL;
}
-@@ -1681,6 +1684,7 @@ static void brcmf_rxreorder_get_skb_list
+@@ -1685,6 +1688,7 @@ static void brcmf_rxreorder_get_skb_list
void brcmf_fws_rxreorder(struct brcmf_if *ifp, struct sk_buff *pkt)
{
u8 *reorder_data;
u8 flow_id, max_idx, cur_idx, exp_idx, end_idx;
struct brcmf_ampdu_rx_reorder *rfi;
-@@ -1695,7 +1699,7 @@ void brcmf_fws_rxreorder(struct brcmf_if
+@@ -1699,7 +1703,7 @@ void brcmf_fws_rxreorder(struct brcmf_if
/* validate flags and flow id */
if (flags == 0xFF) {
brcmf_netif_rx(ifp, pkt);
return;
}
-@@ -1732,7 +1736,7 @@ void brcmf_fws_rxreorder(struct brcmf_if
+@@ -1736,7 +1740,7 @@ void brcmf_fws_rxreorder(struct brcmf_if
flow_id, max_idx);
rfi = kzalloc(buf_size, GFP_ATOMIC);
if (rfi == NULL) {
brcmf_netif_rx(ifp, pkt);
return;
}
-@@ -1996,6 +2000,7 @@ static u8 brcmf_fws_precommit_skb(struct
+@@ -2000,6 +2004,7 @@ static u8 brcmf_fws_precommit_skb(struct
static void brcmf_fws_rollback_toq(struct brcmf_fws_info *fws,
struct sk_buff *skb, int fifo)
{
struct brcmf_fws_mac_descriptor *entry;
struct sk_buff *pktout;
int qidx, hslot;
-@@ -2009,11 +2014,11 @@ static void brcmf_fws_rollback_toq(struc
+@@ -2013,11 +2018,11 @@ static void brcmf_fws_rollback_toq(struc
pktout = brcmu_pktq_penq_head(&entry->psq, qidx, skb);
if (pktout == NULL) {
rc = -ENOENT;
}
-@@ -2118,7 +2123,8 @@ static int brcmf_fws_assign_htod(struct
+@@ -2122,7 +2127,8 @@ static int brcmf_fws_assign_htod(struct
int brcmf_fws_process_skb(struct brcmf_if *ifp, struct sk_buff *skb)
{
struct brcmf_skbuff_cb *skcb = brcmf_skbcb(skb);
struct ethhdr *eh = (struct ethhdr *)(skb->data);
int fifo = BRCMF_FWS_FIFO_BCMC;
-@@ -2146,7 +2152,7 @@ int brcmf_fws_process_skb(struct brcmf_i
+@@ -2150,7 +2156,7 @@ int brcmf_fws_process_skb(struct brcmf_i
brcmf_fws_enq(fws, BRCMF_FWS_SKBSTATE_DELAYED, fifo, skb);
brcmf_fws_schedule_deq(fws);
} else {
brcmf_txfinalize(ifp, skb, false);
rc = -ENOMEM;
}
-@@ -2365,7 +2371,7 @@ struct brcmf_fws_info *brcmf_fws_attach(
+@@ -2371,7 +2377,7 @@ struct brcmf_fws_info *brcmf_fws_attach(
fws->fws_wq = create_singlethread_workqueue("brcmf_fws_wq");
if (fws->fws_wq == NULL) {
rc = -EBADF;
goto fail;
}
-@@ -2381,13 +2387,13 @@ struct brcmf_fws_info *brcmf_fws_attach(
+@@ -2387,13 +2393,13 @@ struct brcmf_fws_info *brcmf_fws_attach(
rc = brcmf_fweh_register(drvr, BRCMF_E_FIFO_CREDIT_MAP,
brcmf_fws_notify_credit_map);
if (rc < 0) {
brcmf_fweh_unregister(drvr, BRCMF_E_FIFO_CREDIT_MAP);
goto fail;
}
-@@ -2399,7 +2405,7 @@ struct brcmf_fws_info *brcmf_fws_attach(
+@@ -2405,7 +2411,7 @@ struct brcmf_fws_info *brcmf_fws_attach(
fws->fw_signals = true;
ifp = brcmf_get_ifp(drvr, 0);
if (brcmf_fil_iovar_int_set(ifp, "tlv", tlv)) {
void brcmf_bus_change_state(struct brcmf_bus *bus, enum brcmf_bus_state state);
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-@@ -1294,6 +1294,16 @@ void brcmf_dev_coredump(struct device *d
+@@ -1298,6 +1298,16 @@ void brcmf_dev_coredump(struct device *d
brcmf_dbg(TRACE, "failed to create coredump\n");
}
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
-@@ -1090,8 +1090,8 @@ static u32 brcmf_sdio_hostmail(struct br
+@@ -1101,8 +1101,8 @@ static u32 brcmf_sdio_hostmail(struct br
/* dongle indicates the firmware has halted/crashed */
if (hmb_data & HMB_DATA_FWHALT) {
*/
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-@@ -1105,6 +1105,14 @@ static int brcmf_revinfo_read(struct seq
+@@ -1109,6 +1109,14 @@ static int brcmf_revinfo_read(struct seq
return 0;
}
static int brcmf_bus_started(struct brcmf_pub *drvr, struct cfg80211_ops *ops)
{
int ret = -1;
-@@ -1176,6 +1184,8 @@ static int brcmf_bus_started(struct brcm
+@@ -1180,6 +1188,8 @@ static int brcmf_bus_started(struct brcm
#endif
#endif /* CONFIG_INET */
/* populate debugfs */
brcmf_debugfs_add_entry(drvr, "revinfo", brcmf_revinfo_read);
brcmf_feat_debugfs_create(drvr);
-@@ -1302,6 +1312,8 @@ void brcmf_fw_crashed(struct device *dev
+@@ -1306,6 +1316,8 @@ void brcmf_fw_crashed(struct device *dev
bphy_err(drvr, "Firmware has halted or crashed\n");
brcmf_dev_coredump(dev);
+++ /dev/null
-From c80d26e81ef1802f30364b4ad1955c1443a592b9 Mon Sep 17 00:00:00 2001
-From: Piotr Figiel <p.figiel@camlintechnologies.com>
-Date: Mon, 4 Mar 2019 15:42:49 +0000
-Subject: [PATCH] brcmfmac: fix WARNING during USB disconnect in case of
- unempty psq
-
-brcmu_pkt_buf_free_skb emits WARNING when attempting to free a sk_buff
-which is part of any queue. After USB disconnect this may have happened
-when brcmf_fws_hanger_cleanup() is called as per-interface psq was never
-cleaned when removing the interface.
-Change brcmf_fws_macdesc_cleanup() in a way that it removes the
-corresponding packets from hanger table (to avoid double-free when
-brcmf_fws_hanger_cleanup() is called) and add a call to clean-up the
-interface specific packet queue.
-
-Below is a WARNING during USB disconnect with Raspberry Pi WiFi dongle
-running in AP mode. This was reproducible when the interface was
-transmitting during the disconnect and is fixed with this commit.
-
-------------[ cut here ]------------
-WARNING: CPU: 0 PID: 1171 at drivers/net/wireless/broadcom/brcm80211/brcmutil/utils.c:49 brcmu_pkt_buf_free_skb+0x3c/0x40
-Modules linked in: nf_log_ipv4 nf_log_common xt_LOG xt_limit iptable_mangle xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis u_ether cdc_acm smsc95xx usbnet ci_hdrc_imx ci_hdrc ulpi usbmisc_imx 8250_exar 8250_pci 8250 8250_base libcomposite configfs udc_core
-CPU: 0 PID: 1171 Comm: kworker/0:0 Not tainted 4.19.23-00075-gde33ed8 #99
-Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
-Workqueue: usb_hub_wq hub_event
-[<8010ff84>] (unwind_backtrace) from [<8010bb64>] (show_stack+0x10/0x14)
-[<8010bb64>] (show_stack) from [<80840278>] (dump_stack+0x88/0x9c)
-[<80840278>] (dump_stack) from [<8011f5ec>] (__warn+0xfc/0x114)
-[<8011f5ec>] (__warn) from [<8011f71c>] (warn_slowpath_null+0x40/0x48)
-[<8011f71c>] (warn_slowpath_null) from [<805a476c>] (brcmu_pkt_buf_free_skb+0x3c/0x40)
-[<805a476c>] (brcmu_pkt_buf_free_skb) from [<805bb6c4>] (brcmf_fws_cleanup+0x1e4/0x22c)
-[<805bb6c4>] (brcmf_fws_cleanup) from [<805bc854>] (brcmf_fws_del_interface+0x58/0x68)
-[<805bc854>] (brcmf_fws_del_interface) from [<805b66ac>] (brcmf_remove_interface+0x40/0x150)
-[<805b66ac>] (brcmf_remove_interface) from [<805b6870>] (brcmf_detach+0x6c/0xb0)
-[<805b6870>] (brcmf_detach) from [<805bdbb8>] (brcmf_usb_disconnect+0x30/0x4c)
-[<805bdbb8>] (brcmf_usb_disconnect) from [<805e5d64>] (usb_unbind_interface+0x5c/0x1e0)
-[<805e5d64>] (usb_unbind_interface) from [<804aab10>] (device_release_driver_internal+0x154/0x1ec)
-[<804aab10>] (device_release_driver_internal) from [<804a97f4>] (bus_remove_device+0xcc/0xf8)
-[<804a97f4>] (bus_remove_device) from [<804a6fc0>] (device_del+0x118/0x308)
-[<804a6fc0>] (device_del) from [<805e488c>] (usb_disable_device+0xa0/0x1c8)
-[<805e488c>] (usb_disable_device) from [<805dcf98>] (usb_disconnect+0x70/0x1d8)
-[<805dcf98>] (usb_disconnect) from [<805ddd84>] (hub_event+0x464/0xf50)
-[<805ddd84>] (hub_event) from [<80135a70>] (process_one_work+0x138/0x3f8)
-[<80135a70>] (process_one_work) from [<80135d5c>] (worker_thread+0x2c/0x554)
-[<80135d5c>] (worker_thread) from [<8013b1a0>] (kthread+0x124/0x154)
-[<8013b1a0>] (kthread) from [<801010e8>] (ret_from_fork+0x14/0x2c)
-Exception stack(0xecf8dfb0 to 0xecf8dff8)
-dfa0: 00000000 00000000 00000000 00000000
-dfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
-dfe0: 00000000 00000000 00000000 00000000 00000013 00000000
----[ end trace 38d234018e9e2a90 ]---
-------------[ cut here ]------------
-
-Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
- .../broadcom/brcm80211/brcmfmac/fwsignal.c | 42 +++++++++++--------
- 1 file changed, 24 insertions(+), 18 deletions(-)
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
-@@ -580,24 +580,6 @@ static bool brcmf_fws_ifidx_match(struct
- return ifidx == *(int *)arg;
- }
-
--static void brcmf_fws_psq_flush(struct brcmf_fws_info *fws, struct pktq *q,
-- int ifidx)
--{
-- bool (*matchfn)(struct sk_buff *, void *) = NULL;
-- struct sk_buff *skb;
-- int prec;
--
-- if (ifidx != -1)
-- matchfn = brcmf_fws_ifidx_match;
-- for (prec = 0; prec < q->num_prec; prec++) {
-- skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx);
-- while (skb) {
-- brcmu_pkt_buf_free_skb(skb);
-- skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx);
-- }
-- }
--}
--
- static void brcmf_fws_hanger_init(struct brcmf_fws_hanger *hanger)
- {
- int i;
-@@ -669,6 +651,28 @@ static inline int brcmf_fws_hanger_poppk
- return 0;
- }
-
-+static void brcmf_fws_psq_flush(struct brcmf_fws_info *fws, struct pktq *q,
-+ int ifidx)
-+{
-+ bool (*matchfn)(struct sk_buff *, void *) = NULL;
-+ struct sk_buff *skb;
-+ int prec;
-+ u32 hslot;
-+
-+ if (ifidx != -1)
-+ matchfn = brcmf_fws_ifidx_match;
-+ for (prec = 0; prec < q->num_prec; prec++) {
-+ skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx);
-+ while (skb) {
-+ hslot = brcmf_skb_htod_tag_get_field(skb, HSLOT);
-+ brcmf_fws_hanger_poppkt(&fws->hanger, hslot, &skb,
-+ true);
-+ brcmu_pkt_buf_free_skb(skb);
-+ skb = brcmu_pktq_pdeq_match(q, prec, matchfn, &ifidx);
-+ }
-+ }
-+}
-+
- static int brcmf_fws_hanger_mark_suppressed(struct brcmf_fws_hanger *h,
- u32 slot_id)
- {
-@@ -2200,6 +2204,8 @@ void brcmf_fws_del_interface(struct brcm
- brcmf_fws_lock(fws);
- ifp->fws_desc = NULL;
- brcmf_dbg(TRACE, "deleting %s\n", entry->name);
-+ brcmf_fws_macdesc_cleanup(fws, &fws->desc.iface[ifp->ifidx],
-+ ifp->ifidx);
- brcmf_fws_macdesc_deinit(entry);
- brcmf_fws_cleanup(fws, ifp->ifidx);
- brcmf_fws_unlock(fws);
+++ /dev/null
-From 5cdb0ef6144f47440850553579aa923c20a63f23 Mon Sep 17 00:00:00 2001
-From: Piotr Figiel <p.figiel@camlintechnologies.com>
-Date: Mon, 4 Mar 2019 15:42:52 +0000
-Subject: [PATCH] brcmfmac: fix NULL pointer derefence during USB disconnect
-
-In case USB disconnect happens at the moment transmitting workqueue is in
-progress the underlying interface may be gone causing a NULL pointer
-dereference. Add synchronization of the workqueue destruction with the
-detach implementation in core so that the transmitting workqueue is stopped
-during detach before the interfaces are removed.
-
-Fix following Oops:
-
-Unable to handle kernel NULL pointer dereference at virtual address 00000008
-pgd = 9e6a802d
-[00000008] *pgd=00000000
-Internal error: Oops: 5 [#1] PREEMPT SMP ARM
-Modules linked in: nf_log_ipv4 nf_log_common xt_LOG xt_limit iptable_mangle
-xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4
-iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis u_ether
-usb_serial_simple usbserial cdc_acm brcmfmac brcmutil smsc95xx usbnet
-ci_hdrc_imx ci_hdrc ulpi usbmisc_imx 8250_exar 8250_pci 8250 8250_base
-libcomposite configfs udc_core
-CPU: 0 PID: 7 Comm: kworker/u8:0 Not tainted 4.19.23-00076-g03740aa-dirty #102
-Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
-Workqueue: brcmf_fws_wq brcmf_fws_dequeue_worker [brcmfmac]
-PC is at brcmf_txfinalize+0x34/0x90 [brcmfmac]
-LR is at brcmf_fws_dequeue_worker+0x218/0x33c [brcmfmac]
-pc : [<7f0dee64>] lr : [<7f0e4140>] psr: 60010093
-sp : ee8abef0 ip : 00000000 fp : edf38000
-r10: ffffffed r9 : edf38970 r8 : edf38004
-r7 : edf3e970 r6 : 00000000 r5 : ede69000 r4 : 00000000
-r3 : 00000a97 r2 : 00000000 r1 : 0000888e r0 : ede69000
-Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment none
-Control: 10c5387d Table: 7d03c04a DAC: 00000051
-Process kworker/u8:0 (pid: 7, stack limit = 0x24ec3e04)
-Stack: (0xee8abef0 to 0xee8ac000)
-bee0: ede69000 00000000 ed56c3e0 7f0e4140
-bf00: 00000001 00000000 edf38004 edf3e99c ed56c3e0 80d03d00 edfea43a edf3e970
-bf20: ee809880 ee804200 ee971100 00000000 edf3e974 00000000 ee804200 80135a70
-bf40: 80d03d00 ee804218 ee809880 ee809894 ee804200 80d03d00 ee804218 ee8aa000
-bf60: 00000088 80135d5c 00000000 ee829f00 ee829dc0 00000000 ee809880 80135d30
-bf80: ee829f1c ee873eac 00000000 8013b1a0 ee829dc0 8013b07c 00000000 00000000
-bfa0: 00000000 00000000 00000000 801010e8 00000000 00000000 00000000 00000000
-bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
-bfe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000
-[<7f0dee64>] (brcmf_txfinalize [brcmfmac]) from [<7f0e4140>] (brcmf_fws_dequeue_worker+0x218/0x33c [brcmfmac])
-[<7f0e4140>] (brcmf_fws_dequeue_worker [brcmfmac]) from [<80135a70>] (process_one_work+0x138/0x3f8)
-[<80135a70>] (process_one_work) from [<80135d5c>] (worker_thread+0x2c/0x554)
-[<80135d5c>] (worker_thread) from [<8013b1a0>] (kthread+0x124/0x154)
-[<8013b1a0>] (kthread) from [<801010e8>] (ret_from_fork+0x14/0x2c)
-Exception stack(0xee8abfb0 to 0xee8abff8)
-bfa0: 00000000 00000000 00000000 00000000
-bfc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
-bfe0: 00000000 00000000 00000000 00000000 00000013 00000000
-Code: e1530001 0a000007 e3560000 e1a00005 (05942008)
----[ end trace 079239dd31c86e90 ]---
-
-Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
- .../wireless/broadcom/brcm80211/brcmfmac/bcdc.c | 11 +++++++++--
- .../wireless/broadcom/brcm80211/brcmfmac/bcdc.h | 6 ++++--
- .../wireless/broadcom/brcm80211/brcmfmac/core.c | 4 +++-
- .../broadcom/brcm80211/brcmfmac/fwsignal.c | 16 ++++++++++++----
- .../broadcom/brcm80211/brcmfmac/fwsignal.h | 3 ++-
- .../wireless/broadcom/brcm80211/brcmfmac/proto.c | 10 ++++++++--
- .../wireless/broadcom/brcm80211/brcmfmac/proto.h | 3 ++-
- 7 files changed, 40 insertions(+), 13 deletions(-)
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.c
-@@ -490,11 +490,18 @@ fail:
- return -ENOMEM;
- }
-
--void brcmf_proto_bcdc_detach(struct brcmf_pub *drvr)
-+void brcmf_proto_bcdc_detach_pre_delif(struct brcmf_pub *drvr)
-+{
-+ struct brcmf_bcdc *bcdc = drvr->proto->pd;
-+
-+ brcmf_fws_detach_pre_delif(bcdc->fws);
-+}
-+
-+void brcmf_proto_bcdc_detach_post_delif(struct brcmf_pub *drvr)
- {
- struct brcmf_bcdc *bcdc = drvr->proto->pd;
-
- drvr->proto->pd = NULL;
-- brcmf_fws_detach(bcdc->fws);
-+ brcmf_fws_detach_post_delif(bcdc->fws);
- kfree(bcdc);
- }
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/bcdc.h
-@@ -18,14 +18,16 @@
-
- #ifdef CPTCFG_BRCMFMAC_PROTO_BCDC
- int brcmf_proto_bcdc_attach(struct brcmf_pub *drvr);
--void brcmf_proto_bcdc_detach(struct brcmf_pub *drvr);
-+void brcmf_proto_bcdc_detach_pre_delif(struct brcmf_pub *drvr);
-+void brcmf_proto_bcdc_detach_post_delif(struct brcmf_pub *drvr);
- void brcmf_proto_bcdc_txflowblock(struct device *dev, bool state);
- void brcmf_proto_bcdc_txcomplete(struct device *dev, struct sk_buff *txp,
- bool success);
- struct brcmf_fws_info *drvr_to_fws(struct brcmf_pub *drvr);
- #else
- static inline int brcmf_proto_bcdc_attach(struct brcmf_pub *drvr) { return 0; }
--static inline void brcmf_proto_bcdc_detach(struct brcmf_pub *drvr) {}
-+static void brcmf_proto_bcdc_detach_pre_delif(struct brcmf_pub *drvr) {};
-+static inline void brcmf_proto_bcdc_detach_post_delif(struct brcmf_pub *drvr) {}
- #endif
-
- #endif /* BRCMFMAC_BCDC_H */
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-@@ -1342,6 +1342,8 @@ void brcmf_detach(struct device *dev)
-
- brcmf_bus_change_state(bus_if, BRCMF_BUS_DOWN);
-
-+ brcmf_proto_detach_pre_delif(drvr);
-+
- /* make sure primary interface removed last */
- for (i = BRCMF_MAX_IFS-1; i > -1; i--)
- brcmf_remove_interface(drvr->iflist[i], false);
-@@ -1351,7 +1353,7 @@ void brcmf_detach(struct device *dev)
-
- brcmf_bus_stop(drvr->bus_if);
-
-- brcmf_proto_detach(drvr);
-+ brcmf_proto_detach_post_delif(drvr);
-
- bus_if->drvr = NULL;
- wiphy_free(drvr->wiphy);
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.c
-@@ -2443,17 +2443,25 @@ struct brcmf_fws_info *brcmf_fws_attach(
- return fws;
-
- fail:
-- brcmf_fws_detach(fws);
-+ brcmf_fws_detach_pre_delif(fws);
-+ brcmf_fws_detach_post_delif(fws);
- return ERR_PTR(rc);
- }
-
--void brcmf_fws_detach(struct brcmf_fws_info *fws)
-+void brcmf_fws_detach_pre_delif(struct brcmf_fws_info *fws)
- {
- if (!fws)
- return;
--
-- if (fws->fws_wq)
-+ if (fws->fws_wq) {
- destroy_workqueue(fws->fws_wq);
-+ fws->fws_wq = NULL;
-+ }
-+}
-+
-+void brcmf_fws_detach_post_delif(struct brcmf_fws_info *fws)
-+{
-+ if (!fws)
-+ return;
-
- /* cleanup */
- brcmf_fws_lock(fws);
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwsignal.h
-@@ -19,7 +19,8 @@
- #define FWSIGNAL_H_
-
- struct brcmf_fws_info *brcmf_fws_attach(struct brcmf_pub *drvr);
--void brcmf_fws_detach(struct brcmf_fws_info *fws);
-+void brcmf_fws_detach_pre_delif(struct brcmf_fws_info *fws);
-+void brcmf_fws_detach_post_delif(struct brcmf_fws_info *fws);
- void brcmf_fws_debugfs_create(struct brcmf_pub *drvr);
- bool brcmf_fws_queue_skbs(struct brcmf_fws_info *fws);
- bool brcmf_fws_fc_active(struct brcmf_fws_info *fws);
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.c
-@@ -67,16 +67,22 @@ fail:
- return -ENOMEM;
- }
-
--void brcmf_proto_detach(struct brcmf_pub *drvr)
-+void brcmf_proto_detach_post_delif(struct brcmf_pub *drvr)
- {
- brcmf_dbg(TRACE, "Enter\n");
-
- if (drvr->proto) {
- if (drvr->bus_if->proto_type == BRCMF_PROTO_BCDC)
-- brcmf_proto_bcdc_detach(drvr);
-+ brcmf_proto_bcdc_detach_post_delif(drvr);
- else if (drvr->bus_if->proto_type == BRCMF_PROTO_MSGBUF)
- brcmf_proto_msgbuf_detach(drvr);
- kfree(drvr->proto);
- drvr->proto = NULL;
- }
- }
-+
-+void brcmf_proto_detach_pre_delif(struct brcmf_pub *drvr)
-+{
-+ if (drvr->proto && drvr->bus_if->proto_type == BRCMF_PROTO_BCDC)
-+ brcmf_proto_bcdc_detach_pre_delif(drvr);
-+}
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.h
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/proto.h
-@@ -54,7 +54,8 @@ struct brcmf_proto {
-
-
- int brcmf_proto_attach(struct brcmf_pub *drvr);
--void brcmf_proto_detach(struct brcmf_pub *drvr);
-+void brcmf_proto_detach_pre_delif(struct brcmf_pub *drvr);
-+void brcmf_proto_detach_post_delif(struct brcmf_pub *drvr);
-
- static inline int brcmf_proto_hdrpull(struct brcmf_pub *drvr, bool do_fws,
- struct sk_buff *skb,
+++ /dev/null
-From db3b9e2e1d58080d0754bdf9293dabf8c6491b67 Mon Sep 17 00:00:00 2001
-From: Piotr Figiel <p.figiel@camlintechnologies.com>
-Date: Fri, 8 Mar 2019 15:25:04 +0000
-Subject: [PATCH] brcmfmac: fix race during disconnect when USB completion is
- in progress
-
-It was observed that rarely during USB disconnect happening shortly after
-connect (before full initialization completes) usb_hub_wq would wait
-forever for the dev_init_lock to be unlocked. dev_init_lock would remain
-locked though because of infinite wait during usb_kill_urb:
-
-[ 2730.656472] kworker/0:2 D 0 260 2 0x00000000
-[ 2730.660700] Workqueue: events request_firmware_work_func
-[ 2730.664807] [<809dca20>] (__schedule) from [<809dd164>] (schedule+0x4c/0xac)
-[ 2730.670587] [<809dd164>] (schedule) from [<8069af44>] (usb_kill_urb+0xdc/0x114)
-[ 2730.676815] [<8069af44>] (usb_kill_urb) from [<7f258b50>] (brcmf_usb_free_q+0x34/0xa8 [brcmfmac])
-[ 2730.684833] [<7f258b50>] (brcmf_usb_free_q [brcmfmac]) from [<7f2517d4>] (brcmf_detach+0xa0/0xb8 [brcmfmac])
-[ 2730.693557] [<7f2517d4>] (brcmf_detach [brcmfmac]) from [<7f251a34>] (brcmf_attach+0xac/0x3d8 [brcmfmac])
-[ 2730.702094] [<7f251a34>] (brcmf_attach [brcmfmac]) from [<7f2587ac>] (brcmf_usb_probe_phase2+0x468/0x4a0 [brcmfmac])
-[ 2730.711601] [<7f2587ac>] (brcmf_usb_probe_phase2 [brcmfmac]) from [<7f252888>] (brcmf_fw_request_done+0x194/0x220 [brcmfmac])
-[ 2730.721795] [<7f252888>] (brcmf_fw_request_done [brcmfmac]) from [<805748e4>] (request_firmware_work_func+0x4c/0x88)
-[ 2730.731125] [<805748e4>] (request_firmware_work_func) from [<80141474>] (process_one_work+0x228/0x808)
-[ 2730.739223] [<80141474>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
-[ 2730.746105] [<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
-[ 2730.752227] [<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
-
-[ 2733.099695] kworker/0:3 D 0 1065 2 0x00000000
-[ 2733.103926] Workqueue: usb_hub_wq hub_event
-[ 2733.106914] [<809dca20>] (__schedule) from [<809dd164>] (schedule+0x4c/0xac)
-[ 2733.112693] [<809dd164>] (schedule) from [<809e2a8c>] (schedule_timeout+0x214/0x3e4)
-[ 2733.119621] [<809e2a8c>] (schedule_timeout) from [<809dde2c>] (wait_for_common+0xc4/0x1c0)
-[ 2733.126810] [<809dde2c>] (wait_for_common) from [<7f258d00>] (brcmf_usb_disconnect+0x1c/0x4c [brcmfmac])
-[ 2733.135206] [<7f258d00>] (brcmf_usb_disconnect [brcmfmac]) from [<8069e0c8>] (usb_unbind_interface+0x5c/0x1e4)
-[ 2733.143943] [<8069e0c8>] (usb_unbind_interface) from [<8056d3e8>] (device_release_driver_internal+0x164/0x1fc)
-[ 2733.152769] [<8056d3e8>] (device_release_driver_internal) from [<8056c078>] (bus_remove_device+0xd0/0xfc)
-[ 2733.161138] [<8056c078>] (bus_remove_device) from [<8056977c>] (device_del+0x11c/0x310)
-[ 2733.167939] [<8056977c>] (device_del) from [<8069cba8>] (usb_disable_device+0xa0/0x1cc)
-[ 2733.174743] [<8069cba8>] (usb_disable_device) from [<8069507c>] (usb_disconnect+0x74/0x1dc)
-[ 2733.181823] [<8069507c>] (usb_disconnect) from [<80695e88>] (hub_event+0x478/0xf88)
-[ 2733.188278] [<80695e88>] (hub_event) from [<80141474>] (process_one_work+0x228/0x808)
-[ 2733.194905] [<80141474>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
-[ 2733.201724] [<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
-[ 2733.207913] [<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
-
-It was traced down to a case where usb_kill_urb would be called on an URB
-structure containing more or less random data, including large number in
-its use_count. During the debugging it appeared that in brcmf_usb_free_q()
-the traversal over URBs' lists is not synchronized with operations on those
-lists in brcmf_usb_rx_complete() leading to handling
-brcmf_usbdev_info structure (holding lists' head) as lists' element and in
-result causing above problem.
-
-Fix it by walking through all URBs during brcmf_cancel_all_urbs using the
-arrays of requests instead of linked lists.
-
-Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
- drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
-@@ -682,12 +682,18 @@ static int brcmf_usb_up(struct device *d
-
- static void brcmf_cancel_all_urbs(struct brcmf_usbdev_info *devinfo)
- {
-+ int i;
-+
- if (devinfo->ctl_urb)
- usb_kill_urb(devinfo->ctl_urb);
- if (devinfo->bulk_urb)
- usb_kill_urb(devinfo->bulk_urb);
-- brcmf_usb_free_q(&devinfo->tx_postq, true);
-- brcmf_usb_free_q(&devinfo->rx_postq, true);
-+ if (devinfo->tx_reqs)
-+ for (i = 0; i < devinfo->bus_pub.ntxq; i++)
-+ usb_kill_urb(devinfo->tx_reqs[i].urb);
-+ if (devinfo->rx_reqs)
-+ for (i = 0; i < devinfo->bus_pub.nrxq; i++)
-+ usb_kill_urb(devinfo->rx_reqs[i].urb);
- }
-
- static void brcmf_usb_down(struct device *dev)
+++ /dev/null
-From 24d413a31afaee9bbbf79226052c386b01780ce2 Mon Sep 17 00:00:00 2001
-From: Piotr Figiel <p.figiel@camlintechnologies.com>
-Date: Wed, 13 Mar 2019 09:52:01 +0000
-Subject: [PATCH] brcmfmac: fix Oops when bringing up interface during USB
- disconnect
-
-Fix a race which leads to an Oops with NULL pointer dereference. The
-dereference is in brcmf_config_dongle() when cfg_to_ndev() attempts to get
-net_device structure of interface with index 0 via if2bss mapping. This
-shouldn't fail because of check for bus being ready in brcmf_netdev_open(),
-but it's not synchronised with USB disconnect and there is a race: after
-the check the bus can be marked down and the mapping for interface 0 may be
-gone.
-
-Solve this by modifying disconnect handling so that the removal of mapping
-of ifidx to brcmf_if structure happens after netdev removal (which is
-synchronous with brcmf_netdev_open() thanks to rtln being locked in
-devinet_ioctl()). This assures brcmf_netdev_open() returns before the
-mapping is removed during disconnect.
-
-Unable to handle kernel NULL pointer dereference at virtual address 00000008
-pgd = bcae2612
-[00000008] *pgd=8be73831
-Internal error: Oops: 17 [#1] PREEMPT SMP ARM
-Modules linked in: brcmfmac brcmutil nf_log_ipv4 nf_log_common xt_LOG xt_limit
-iptable_mangle xt_connmark xt_tcpudp xt_conntrack nf_conntrack nf_defrag_ipv6
-nf_defrag_ipv4 iptable_filter ip_tables x_tables usb_f_mass_storage usb_f_rndis
-u_ether usb_serial_simple usbserial cdc_acm smsc95xx usbnet ci_hdrc_imx ci_hdrc
-usbmisc_imx ulpi 8250_exar 8250_pci 8250 8250_base libcomposite configfs
-udc_core [last unloaded: brcmutil]
-CPU: 2 PID: 24478 Comm: ifconfig Not tainted 4.19.23-00078-ga62866d-dirty #115
-Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
-PC is at brcmf_cfg80211_up+0x94/0x29c [brcmfmac]
-LR is at brcmf_cfg80211_up+0x8c/0x29c [brcmfmac]
-pc : [<7f26a91c>] lr : [<7f26a914>] psr: a0070013
-sp : eca99d28 ip : 00000000 fp : ee9c6c00
-r10: 00000036 r9 : 00000000 r8 : ece4002c
-r7 : edb5b800 r6 : 00000000 r5 : 80f08448 r4 : edb5b968
-r3 : ffffffff r2 : 00000000 r1 : 00000002 r0 : 00000000
-Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none
-Control: 10c5387d Table: 7ca0c04a DAC: 00000051
-Process ifconfig (pid: 24478, stack limit = 0xd9e85a0e)
-Stack: (0xeca99d28 to 0xeca9a000)
-9d20: 00000000 80f873b0 0000000d 80f08448 eca99d68 50d45f32
-9d40: 7f27de94 ece40000 80f08448 80f08448 7f27de94 ece4002c 00000000 00000036
-9d60: ee9c6c00 7f27262c 00001002 50d45f32 ece40000 00000000 80f08448 80772008
-9d80: 00000001 00001043 00001002 ece40000 00000000 50d45f32 ece40000 00000001
-9da0: 80f08448 00001043 00001002 807723d0 00000000 50d45f32 80f08448 eca99e58
-9dc0: 80f87113 50d45f32 80f08448 ece40000 ece40138 00001002 80f08448 00000000
-9de0: 00000000 80772434 edbd5380 eca99e58 edbd5380 80f08448 ee9c6c0c 80805f70
-9e00: 00000000 ede08e00 00008914 ece40000 00000014 ee9c6c0c 600c0013 00001043
-9e20: 0208a8c0 ffffffff 00000000 50d45f32 eca98000 80f08448 7ee9fc38 00008914
-9e40: 80f68e40 00000051 eca98000 00000036 00000003 80808b9c 6e616c77 00000030
-9e60: 00000000 00000000 00001043 0208a8c0 ffffffff 00000000 80f08448 00000000
-9e80: 00000000 816d8b20 600c0013 00000001 ede09320 801763d4 00000000 50d45f32
-9ea0: eca98000 80f08448 7ee9fc38 50d45f32 00008914 80f08448 7ee9fc38 80f68e40
-9ec0: ed531540 8074721c 00000800 00000001 00000000 6e616c77 00000030 00000000
-9ee0: 00000000 00001002 0208a8c0 ffffffff 00000000 50d45f32 80f08448 7ee9fc38
-9f00: ed531560 ec8fc900 80285a6c 80285138 edb910c0 00000000 ecd91008 ede08e00
-9f20: 80f08448 00000000 00000000 816d8b20 600c0013 00000001 ede09320 801763d4
-9f40: 00000000 50d45f32 00021000 edb91118 edb910c0 80f08448 01b29000 edb91118
-9f60: eca99f7c 50d45f32 00021000 ec8fc900 00000003 ec8fc900 00008914 7ee9fc38
-9f80: eca98000 00000036 00000003 80285a6c 00086364 7ee9fe1c 000000c3 00000036
-9fa0: 801011c4 80101000 00086364 7ee9fe1c 00000003 00008914 7ee9fc38 00086364
-9fc0: 00086364 7ee9fe1c 000000c3 00000036 0008630c 7ee9fe1c 7ee9fc38 00000003
-9fe0: 000a42b8 7ee9fbd4 00019914 76e09acc 600c0010 00000003 00000000 00000000
-[<7f26a91c>] (brcmf_cfg80211_up [brcmfmac]) from [<7f27262c>] (brcmf_netdev_open+0x74/0xe8 [brcmfmac])
-[<7f27262c>] (brcmf_netdev_open [brcmfmac]) from [<80772008>] (__dev_open+0xcc/0x150)
-[<80772008>] (__dev_open) from [<807723d0>] (__dev_change_flags+0x168/0x1b4)
-[<807723d0>] (__dev_change_flags) from [<80772434>] (dev_change_flags+0x18/0x48)
-[<80772434>] (dev_change_flags) from [<80805f70>] (devinet_ioctl+0x67c/0x79c)
-[<80805f70>] (devinet_ioctl) from [<80808b9c>] (inet_ioctl+0x210/0x3d4)
-[<80808b9c>] (inet_ioctl) from [<8074721c>] (sock_ioctl+0x350/0x524)
-[<8074721c>] (sock_ioctl) from [<80285138>] (do_vfs_ioctl+0xb0/0x9b0)
-[<80285138>] (do_vfs_ioctl) from [<80285a6c>] (ksys_ioctl+0x34/0x5c)
-[<80285a6c>] (ksys_ioctl) from [<80101000>] (ret_fast_syscall+0x0/0x28)
-Exception stack(0xeca99fa8 to 0xeca99ff0)
-9fa0: 00086364 7ee9fe1c 00000003 00008914 7ee9fc38 00086364
-9fc0: 00086364 7ee9fe1c 000000c3 00000036 0008630c 7ee9fe1c 7ee9fc38 00000003
-9fe0: 000a42b8 7ee9fbd4 00019914 76e09acc
-Code: e5970328 eb002021 e1a02006 e3a01002 (e5909008)
----[ end trace 5cbac2333f3ac5df ]---
-
-Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
- .../net/wireless/broadcom/brcm80211/brcmfmac/core.c | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c
-@@ -862,17 +862,17 @@ static void brcmf_del_if(struct brcmf_pu
- bool rtnl_locked)
- {
- struct brcmf_if *ifp;
-+ int ifidx;
-
- ifp = drvr->iflist[bsscfgidx];
-- drvr->iflist[bsscfgidx] = NULL;
- if (!ifp) {
- bphy_err(drvr, "Null interface, bsscfgidx=%d\n", bsscfgidx);
- return;
- }
- brcmf_dbg(TRACE, "Enter, bsscfgidx=%d, ifidx=%d\n", bsscfgidx,
- ifp->ifidx);
-- if (drvr->if2bss[ifp->ifidx] == bsscfgidx)
-- drvr->if2bss[ifp->ifidx] = BRCMF_BSSIDX_INVALID;
-+ ifidx = ifp->ifidx;
-+
- if (ifp->ndev) {
- if (bsscfgidx == 0) {
- if (ifp->ndev->netdev_ops == &brcmf_netdev_ops_pri) {
-@@ -900,6 +900,10 @@ static void brcmf_del_if(struct brcmf_pu
- brcmf_p2p_ifp_removed(ifp, rtnl_locked);
- kfree(ifp);
- }
-+
-+ drvr->iflist[bsscfgidx] = NULL;
-+ if (drvr->if2bss[ifidx] == bsscfgidx)
-+ drvr->if2bss[ifidx] = BRCMF_BSSIDX_INVALID;
- }
-
- void brcmf_remove_interface(struct brcmf_if *ifp, bool rtnl_locked)
+++ /dev/null
-From a9fd0953fa4a62887306be28641b4b0809f3b2fd Mon Sep 17 00:00:00 2001
-From: Piotr Figiel <p.figiel@camlintechnologies.com>
-Date: Wed, 13 Mar 2019 09:52:42 +0000
-Subject: [PATCH] brcmfmac: convert dev_init_lock mutex to completion
-
-Leaving dev_init_lock mutex locked in probe causes BUG and a WARNING when
-kernel is compiled with CONFIG_PROVE_LOCKING. Convert mutex to completion
-which silences those warnings and improves code readability.
-
-Fix below errors when connecting the USB WiFi dongle:
-
-brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43143 for chip BCM43143/2
-BUG: workqueue leaked lock or atomic: kworker/0:2/0x00000000/434
- last function: hub_event
-1 lock held by kworker/0:2/434:
- #0: 18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
-CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123
-Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
-Workqueue: usb_hub_wq hub_event
-[<8011237c>] (unwind_backtrace) from [<8010d74c>] (show_stack+0x10/0x14)
-[<8010d74c>] (show_stack) from [<809c4324>] (dump_stack+0xa8/0xd4)
-[<809c4324>] (dump_stack) from [<8014195c>] (process_one_work+0x710/0x808)
-[<8014195c>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
-[<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
-[<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
-Exception stack(0xed1d9fb0 to 0xed1d9ff8)
-9fa0: 00000000 00000000 00000000 00000000
-9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
-9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
-
-======================================================
-WARNING: possible circular locking dependency detected
-4.19.23-00084-g454a789-dirty #123 Not tainted
-------------------------------------------------------
-kworker/0:2/434 is trying to acquire lock:
-e29cf799 ((wq_completion)"events"){+.+.}, at: process_one_work+0x174/0x808
-
-but task is already holding lock:
-18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
-
-which lock already depends on the new lock.
-
-the existing dependency chain (in reverse order) is:
-
--> #2 (&devinfo->dev_init_lock){+.+.}:
- mutex_lock_nested+0x1c/0x24
- brcmf_usb_probe+0x78/0x550 [brcmfmac]
- usb_probe_interface+0xc0/0x1bc
- really_probe+0x228/0x2c0
- __driver_attach+0xe4/0xe8
- bus_for_each_dev+0x68/0xb4
- bus_add_driver+0x19c/0x214
- driver_register+0x78/0x110
- usb_register_driver+0x84/0x148
- process_one_work+0x228/0x808
- worker_thread+0x2c/0x564
- kthread+0x13c/0x16c
- ret_from_fork+0x14/0x20
- (null)
-
--> #1 (brcmf_driver_work){+.+.}:
- worker_thread+0x2c/0x564
- kthread+0x13c/0x16c
- ret_from_fork+0x14/0x20
- (null)
-
--> #0 ((wq_completion)"events"){+.+.}:
- process_one_work+0x1b8/0x808
- worker_thread+0x2c/0x564
- kthread+0x13c/0x16c
- ret_from_fork+0x14/0x20
- (null)
-
-other info that might help us debug this:
-
-Chain exists of:
- (wq_completion)"events" --> brcmf_driver_work --> &devinfo->dev_init_lock
-
- Possible unsafe locking scenario:
-
- CPU0 CPU1
- ---- ----
- lock(&devinfo->dev_init_lock);
- lock(brcmf_driver_work);
- lock(&devinfo->dev_init_lock);
- lock((wq_completion)"events");
-
- *** DEADLOCK ***
-
-1 lock held by kworker/0:2/434:
- #0: 18d5dcdf (&devinfo->dev_init_lock){+.+.}, at: brcmf_usb_probe+0x78/0x550 [brcmfmac]
-
-stack backtrace:
-CPU: 0 PID: 434 Comm: kworker/0:2 Not tainted 4.19.23-00084-g454a789-dirty #123
-Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree)
-Workqueue: events request_firmware_work_func
-[<8011237c>] (unwind_backtrace) from [<8010d74c>] (show_stack+0x10/0x14)
-[<8010d74c>] (show_stack) from [<809c4324>] (dump_stack+0xa8/0xd4)
-[<809c4324>] (dump_stack) from [<80172838>] (print_circular_bug+0x210/0x330)
-[<80172838>] (print_circular_bug) from [<80175940>] (__lock_acquire+0x160c/0x1a30)
-[<80175940>] (__lock_acquire) from [<8017671c>] (lock_acquire+0xe0/0x268)
-[<8017671c>] (lock_acquire) from [<80141404>] (process_one_work+0x1b8/0x808)
-[<80141404>] (process_one_work) from [<80141a80>] (worker_thread+0x2c/0x564)
-[<80141a80>] (worker_thread) from [<80147bcc>] (kthread+0x13c/0x16c)
-[<80147bcc>] (kthread) from [<801010b4>] (ret_from_fork+0x14/0x20)
-Exception stack(0xed1d9fb0 to 0xed1d9ff8)
-9fa0: 00000000 00000000 00000000 00000000
-9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
-9fe0: 00000000 00000000 00000000 00000000 00000013 00000000
-
-Signed-off-by: Piotr Figiel <p.figiel@camlintechnologies.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
- .../wireless/broadcom/brcm80211/brcmfmac/usb.c | 17 ++++++++---------
- 1 file changed, 8 insertions(+), 9 deletions(-)
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
-@@ -160,7 +160,7 @@ struct brcmf_usbdev_info {
-
- struct usb_device *usbdev;
- struct device *dev;
-- struct mutex dev_init_lock;
-+ struct completion dev_init_done;
-
- int ctl_in_pipe, ctl_out_pipe;
- struct urb *ctl_urb; /* URB for control endpoint */
-@@ -1194,11 +1194,11 @@ static void brcmf_usb_probe_phase2(struc
- if (ret)
- goto error;
-
-- mutex_unlock(&devinfo->dev_init_lock);
-+ complete(&devinfo->dev_init_done);
- return;
- error:
- brcmf_dbg(TRACE, "failed: dev=%s, err=%d\n", dev_name(dev), ret);
-- mutex_unlock(&devinfo->dev_init_lock);
-+ complete(&devinfo->dev_init_done);
- device_release_driver(dev);
- }
-
-@@ -1266,7 +1266,7 @@ static int brcmf_usb_probe_cb(struct brc
- if (ret)
- goto fail;
- /* we are done */
-- mutex_unlock(&devinfo->dev_init_lock);
-+ complete(&devinfo->dev_init_done);
- return 0;
- }
- bus->chip = bus_pub->devid;
-@@ -1326,11 +1326,10 @@ brcmf_usb_probe(struct usb_interface *in
-
- devinfo->usbdev = usb;
- devinfo->dev = &usb->dev;
-- /* Take an init lock, to protect for disconnect while still loading.
-+ /* Init completion, to protect for disconnect while still loading.
- * Necessary because of the asynchronous firmware load construction
- */
-- mutex_init(&devinfo->dev_init_lock);
-- mutex_lock(&devinfo->dev_init_lock);
-+ init_completion(&devinfo->dev_init_done);
-
- usb_set_intfdata(intf, devinfo);
-
-@@ -1408,7 +1407,7 @@ brcmf_usb_probe(struct usb_interface *in
- return 0;
-
- fail:
-- mutex_unlock(&devinfo->dev_init_lock);
-+ complete(&devinfo->dev_init_done);
- kfree(devinfo);
- usb_set_intfdata(intf, NULL);
- return ret;
-@@ -1423,7 +1422,7 @@ brcmf_usb_disconnect(struct usb_interfac
- devinfo = (struct brcmf_usbdev_info *)usb_get_intfdata(intf);
-
- if (devinfo) {
-- mutex_lock(&devinfo->dev_init_lock);
-+ wait_for_completion(&devinfo->dev_init_done);
- /* Make sure that devinfo still exists. Firmware probe routines
- * may have released the device and cleared the intfdata.
- */
+++ /dev/null
-From 46953f97224d56a12ccbe9c6acaa84ca0dab2780 Mon Sep 17 00:00:00 2001
-From: Kangjie Lu <kjlu@umn.edu>
-Date: Fri, 15 Mar 2019 12:04:32 -0500
-Subject: [PATCH] brcmfmac: fix missing checks for kmemdup
-
-In case kmemdup fails, the fix sets conn_info->req_ie_len and
-conn_info->resp_ie_len to zero to avoid buffer overflows.
-
-Signed-off-by: Kangjie Lu <kjlu@umn.edu>
-Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
- drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
-@@ -5456,6 +5456,8 @@ static s32 brcmf_get_assoc_ies(struct br
- conn_info->req_ie =
- kmemdup(cfg->extra_buf, conn_info->req_ie_len,
- GFP_KERNEL);
-+ if (!conn_info->req_ie)
-+ conn_info->req_ie_len = 0;
- } else {
- conn_info->req_ie_len = 0;
- conn_info->req_ie = NULL;
-@@ -5472,6 +5474,8 @@ static s32 brcmf_get_assoc_ies(struct br
- conn_info->resp_ie =
- kmemdup(cfg->extra_buf, conn_info->resp_ie_len,
- GFP_KERNEL);
-+ if (!conn_info->resp_ie)
-+ conn_info->resp_ie_len = 0;
- } else {
- conn_info->resp_ie_len = 0;
- conn_info->resp_ie = NULL;
+++ /dev/null
-From e025da3d7aa4770bb1d1b3b0aa7cc4da1744852d Mon Sep 17 00:00:00 2001
-From: Dan Carpenter <dan.carpenter@oracle.com>
-Date: Wed, 24 Apr 2019 12:52:18 +0300
-Subject: [PATCH] brcm80211: potential NULL dereference in
- brcmf_cfg80211_vndr_cmds_dcmd_handler()
-
-If "ret_len" is negative then it could lead to a NULL dereference.
-
-The "ret_len" value comes from nl80211_vendor_cmd(), if it's negative
-then we don't allocate the "dcmd_buf" buffer. Then we pass "ret_len" to
-brcmf_fil_cmd_data_set() where it is cast to a very high u32 value.
-Most of the functions in that call tree check whether the buffer we pass
-is NULL but there are at least a couple places which don't such as
-brcmf_dbg_hex_dump() and brcmf_msgbuf_query_dcmd(). We memcpy() to and
-from the buffer so it would result in a NULL dereference.
-
-The fix is to change the types so that "ret_len" can't be negative. (If
-we memcpy() zero bytes to NULL, that's a no-op and doesn't cause an
-issue).
-
-Fixes: 1bacb0487d0e ("brcmfmac: replace cfg80211 testmode with vendor command")
-Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
- drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
---- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c
-+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/vendor.c
-@@ -35,9 +35,10 @@ static int brcmf_cfg80211_vndr_cmds_dcmd
- struct brcmf_if *ifp;
- const struct brcmf_vndr_dcmd_hdr *cmdhdr = data;
- struct sk_buff *reply;
-- int ret, payload, ret_len;
-+ unsigned int payload, ret_len;
- void *dcmd_buf = NULL, *wr_pointer;
- u16 msglen, maxmsglen = PAGE_SIZE - 0x100;
-+ int ret;
-
- if (len < sizeof(*cmdhdr)) {
- brcmf_err("vendor command too short: %d\n", len);
-@@ -65,7 +66,7 @@ static int brcmf_cfg80211_vndr_cmds_dcmd
- brcmf_err("oversize return buffer %d\n", ret_len);
- ret_len = BRCMF_DCMD_MAXLEN;
- }
-- payload = max(ret_len, len) + 1;
-+ payload = max_t(unsigned int, ret_len, len) + 1;
- dcmd_buf = vzalloc(payload);
- if (NULL == dcmd_buf)
- return -ENOMEM;
--- a/drivers/net/wireless/marvell/mwl8k.c
+++ b/drivers/net/wireless/marvell/mwl8k.c
-@@ -5686,6 +5686,7 @@ MODULE_FIRMWARE("mwl8k/fmimage_8366.fw")
+@@ -5691,6 +5691,7 @@ MODULE_FIRMWARE("mwl8k/fmimage_8366.fw")
MODULE_FIRMWARE(MWL8K_8366_AP_FW(MWL8K_8366_AP_FW_API));
static const struct pci_device_id mwl8k_pci_id_table[] = {
--- a/drivers/net/wireless/marvell/mwl8k.c
+++ b/drivers/net/wireless/marvell/mwl8k.c
-@@ -6271,6 +6271,8 @@ static int mwl8k_probe(struct pci_dev *p
+@@ -6276,6 +6276,8 @@ static int mwl8k_probe(struct pci_dev *p
priv->running_bsses = 0;
return rc;
err_stop_firmware:
-@@ -6304,8 +6306,6 @@ static void mwl8k_remove(struct pci_dev
+@@ -6309,8 +6311,6 @@ static void mwl8k_remove(struct pci_dev
return;
priv = hw->priv;
+++ /dev/null
-From b897577af85bb5e5638efa780bc3716fae5212d3 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Petr=20=C5=A0tetiar?= <ynezz@true.cz>
-Date: Mon, 8 Apr 2019 09:45:56 +0200
-Subject: [PATCH] mwl8k: Fix rate_idx underflow
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-It was reported on OpenWrt bug tracking system[1], that several users
-are affected by the endless reboot of their routers if they configure
-5GHz interface with channel 44 or 48.
-
-The reboot loop is caused by the following excessive number of WARN_ON
-messages:
-
- WARNING: CPU: 0 PID: 0 at backports-4.19.23-1/net/mac80211/rx.c:4516
- ieee80211_rx_napi+0x1fc/0xa54 [mac80211]
-
-as the messages are being correctly emitted by the following guard:
-
- case RX_ENC_LEGACY:
- if (WARN_ON(status->rate_idx >= sband->n_bitrates))
-
-as the rate_idx is in this case erroneously set to 251 (0xfb). This fix
-simply converts previously used magic number to proper constant and
-guards against substraction which is leading to the currently observed
-underflow.
-
-1. https://bugs.openwrt.org/index.php?do=details&task_id=2218
-
-Fixes: 854783444bab ("mwl8k: properly set receive status rate index on 5 GHz receive")
-Cc: <stable@vger.kernel.org>
-Tested-by: Eubert Bao <bunnier@gmail.com>
-Reported-by: Eubert Bao <bunnier@gmail.com>
-Signed-off-by: Petr Å tetiar <ynezz@true.cz>
----
- drivers/net/wireless/marvell/mwl8k.c | 13 +++++++++----
- 1 file changed, 9 insertions(+), 4 deletions(-)
-
---- a/drivers/net/wireless/marvell/mwl8k.c
-+++ b/drivers/net/wireless/marvell/mwl8k.c
-@@ -441,6 +441,9 @@ static const struct ieee80211_rate mwl8k
- #define MWL8K_CMD_UPDATE_STADB 0x1123
- #define MWL8K_CMD_BASTREAM 0x1125
-
-+#define MWL8K_LEGACY_5G_RATE_OFFSET \
-+ (ARRAY_SIZE(mwl8k_rates_24) - ARRAY_SIZE(mwl8k_rates_50))
-+
- static const char *mwl8k_cmd_name(__le16 cmd, char *buf, int bufsize)
- {
- u16 command = le16_to_cpu(cmd);
-@@ -1016,8 +1019,9 @@ mwl8k_rxd_ap_process(void *_rxd, struct
-
- if (rxd->channel > 14) {
- status->band = NL80211_BAND_5GHZ;
-- if (!(status->encoding == RX_ENC_HT))
-- status->rate_idx -= 5;
-+ if (!(status->encoding == RX_ENC_HT) &&
-+ status->rate_idx >= MWL8K_LEGACY_5G_RATE_OFFSET)
-+ status->rate_idx -= MWL8K_LEGACY_5G_RATE_OFFSET;
- } else {
- status->band = NL80211_BAND_2GHZ;
- }
-@@ -1124,8 +1128,9 @@ mwl8k_rxd_sta_process(void *_rxd, struct
-
- if (rxd->channel > 14) {
- status->band = NL80211_BAND_5GHZ;
-- if (!(status->encoding == RX_ENC_HT))
-- status->rate_idx -= 5;
-+ if (!(status->encoding == RX_ENC_HT) &&
-+ status->rate_idx >= MWL8K_LEGACY_5G_RATE_OFFSET)
-+ status->rate_idx -= MWL8K_LEGACY_5G_RATE_OFFSET;
- } else {
- status->band = NL80211_BAND_2GHZ;
- }
rt2800mmio_enable_interrupt(rt2x00dev,
--- a/drivers/net/wireless/ralink/rt2x00/rt2x00.h
+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00.h
-@@ -980,6 +980,8 @@ struct rt2x00_dev {
+@@ -979,6 +979,8 @@ struct rt2x00_dev {
*/
DECLARE_KFIFO_PTR(txstatus_fifo, u32);
*/
--- a/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c
-@@ -1039,6 +1039,7 @@ void rt2x00queue_start_queues(struct rt2
+@@ -1042,6 +1042,7 @@ void rt2x00queue_start_queues(struct rt2
*/
tx_queue_for_each(rt2x00dev, queue)
rt2x00queue_start_queue(queue);
* Driver configuration
--- a/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c
-@@ -720,8 +720,12 @@ void rt2x00mac_flush(struct ieee80211_hw
+@@ -710,8 +710,12 @@ void rt2x00mac_flush(struct ieee80211_hw
if (!test_bit(DEVICE_STATE_PRESENT, &rt2x00dev->flags))
return;
--- a/drivers/net/wireless/ralink/rt2x00/rt2x00.h
+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00.h
-@@ -1017,6 +1017,7 @@ struct rt2x00_dev {
+@@ -1016,6 +1016,7 @@ struct rt2x00_dev {
unsigned int extra_tx_headroom;
struct usb_anchor *anchor;
--- a/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c
-@@ -671,7 +671,7 @@ int rt2x00queue_write_tx_frame(struct da
+@@ -674,7 +674,7 @@ int rt2x00queue_write_tx_frame(struct da
spin_lock(&queue->tx_lock);
if (unlikely(rt2x00queue_full(queue))) {
if (rt2800_entry_txstatus_timeout(rt2x00dev, entry))
--- a/drivers/net/wireless/ralink/rt2x00/rt2x00.h
+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00.h
-@@ -981,8 +981,6 @@ struct rt2x00_dev {
+@@ -980,8 +980,6 @@ struct rt2x00_dev {
*/
DECLARE_KFIFO_PTR(txstatus_fifo, u32);
*/
--- a/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c
+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c
-@@ -1039,7 +1039,6 @@ void rt2x00queue_start_queues(struct rt2
+@@ -1042,7 +1042,6 @@ void rt2x00queue_start_queues(struct rt2
*/
tx_queue_for_each(rt2x00dev, queue)
rt2x00queue_start_queue(queue);
+++ /dev/null
-From 746ba11f170603bf1eaade817553a6c2e9135bbe Mon Sep 17 00:00:00 2001
-From: Vijayakumar Durai <vijayakumar.durai1@vivint.com>
-Date: Wed, 27 Mar 2019 11:03:17 +0100
-Subject: [PATCH] rt2x00: do not increment sequence number while
- re-transmitting
-
-Currently rt2x00 devices retransmit the management frames with
-incremented sequence number if hardware is assigning the sequence.
-
-This is HW bug fixed already for non-QOS data frames, but it should
-be fixed for management frames except beacon.
-
-Without fix retransmitted frames have wrong SN:
-
- AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1648, FN=0, Flags=........C Frame is not being retransmitted 1648 1
- AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1649, FN=0, Flags=....R...C Frame is being retransmitted 1649 1
- AlphaNet_e8:fb:36 Vivotek_52:31:51 Authentication, SN=1650, FN=0, Flags=....R...C Frame is being retransmitted 1650 1
-
-With the fix SN stays correctly the same:
-
- 88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=........C
- 88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=....R...C
- 88:6a:e3:e8:f9:a2 8c:f5:a3:88:76:87 Authentication, SN=1450, FN=0, Flags=....R...C
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Vijayakumar Durai <vijayakumar.durai1@vivint.com>
-[sgruszka: simplify code, change comments and changelog]
-Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
-Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
----
- drivers/net/wireless/ralink/rt2x00/rt2x00.h | 1 -
- drivers/net/wireless/ralink/rt2x00/rt2x00mac.c | 10 ----------
- drivers/net/wireless/ralink/rt2x00/rt2x00queue.c | 15 +++++++++------
- 3 files changed, 9 insertions(+), 17 deletions(-)
-
---- a/drivers/net/wireless/ralink/rt2x00/rt2x00.h
-+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00.h
-@@ -673,7 +673,6 @@ enum rt2x00_state_flags {
- CONFIG_CHANNEL_HT40,
- CONFIG_POWERSAVING,
- CONFIG_HT_DISABLED,
-- CONFIG_QOS_DISABLED,
- CONFIG_MONITORING,
-
- /*
---- a/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c
-+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00mac.c
-@@ -642,19 +642,9 @@ void rt2x00mac_bss_info_changed(struct i
- rt2x00dev->intf_associated--;
-
- rt2x00leds_led_assoc(rt2x00dev, !!rt2x00dev->intf_associated);
--
-- clear_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags);
- }
-
- /*
-- * Check for access point which do not support 802.11e . We have to
-- * generate data frames sequence number in S/W for such AP, because
-- * of H/W bug.
-- */
-- if (changes & BSS_CHANGED_QOS && !bss_conf->qos)
-- set_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags);
--
-- /*
- * When the erp information has changed, we should perform
- * additional configuration steps. For all other changes we are done.
- */
---- a/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c
-+++ b/drivers/net/wireless/ralink/rt2x00/rt2x00queue.c
-@@ -201,15 +201,18 @@ static void rt2x00queue_create_tx_descri
- if (!rt2x00_has_cap_flag(rt2x00dev, REQUIRE_SW_SEQNO)) {
- /*
- * rt2800 has a H/W (or F/W) bug, device incorrectly increase
-- * seqno on retransmited data (non-QOS) frames. To workaround
-- * the problem let's generate seqno in software if QOS is
-- * disabled.
-+ * seqno on retransmitted data (non-QOS) and management frames.
-+ * To workaround the problem let's generate seqno in software.
-+ * Except for beacons which are transmitted periodically by H/W
-+ * hence hardware has to assign seqno for them.
- */
-- if (test_bit(CONFIG_QOS_DISABLED, &rt2x00dev->flags))
-- __clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags);
-- else
-+ if (ieee80211_is_beacon(hdr->frame_control)) {
-+ __set_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags);
- /* H/W will generate sequence number */
- return;
-+ }
-+
-+ __clear_bit(ENTRY_TXD_GENERATE_SEQ, &txdesc->flags);
- }
-
- /*
struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
struct ieee80211_key *key = rx->key;
struct ieee80211_mmie_16 *mmie;
-- u8 aad[GMAC_AAD_LEN], mic[GMAC_MIC_LEN], ipn[6], nonce[GMAC_NONCE_LEN];
-+ u8 aad[20], mic[16], ipn[6], nonce[12];
+- u8 aad[GMAC_AAD_LEN], *mic, ipn[6], nonce[GMAC_NONCE_LEN];
++ u8 aad[20], *mic, ipn[6], nonce[12];
struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data;
if (!ieee80211_is_mgmt(hdr->frame_control))
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
-@@ -3797,6 +3797,12 @@ out:
+@@ -3800,6 +3800,12 @@ out:
netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
struct net_device *dev)
{
(unsigned long) local);
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
-@@ -3482,13 +3482,19 @@ struct sk_buff *ieee80211_tx_dequeue(str
+@@ -3485,13 +3485,19 @@ struct sk_buff *ieee80211_tx_dequeue(str
struct ieee80211_tx_info *info;
struct ieee80211_tx_data tx;
ieee80211_tx_result r;
/* Make sure fragments stay together. */
skb = __skb_dequeue(&txqi->frags);
if (skb)
-@@ -3583,6 +3589,7 @@ begin:
+@@ -3586,6 +3592,7 @@ begin:
}
IEEE80211_SKB_CB(skb)->control.vif = vif;
+++ /dev/null
-From: Felix Fietkau <nbd@nbd.name>
-Date: Fri, 1 Mar 2019 14:42:56 +0100
-Subject: [PATCH] mac80211: do not call driver wake_tx_queue op during reconfig
-
-There are several scenarios in which mac80211 can call drv_wake_tx_queue
-after ieee80211_restart_hw has been called and has not yet completed.
-Driver private structs are considered uninitialized until mac80211 has
-uploaded the vifs, stations and keys again, so using private tx queue
-data during that time is not safe.
-
-The driver can also not rely on drv_reconfig_complete to figure out when
-it is safe to accept drv_wake_tx_queue calls again, because it is only
-called after all tx queues are woken again.
-
-To fix this, bail out early in drv_wake_tx_queue if local->in_reconfig
-is set.
-
-Cc: stable@vger.kernel.org
-Signed-off-by: Felix Fietkau <nbd@nbd.name>
----
-
---- a/net/mac80211/driver-ops.h
-+++ b/net/mac80211/driver-ops.h
-@@ -1166,6 +1166,9 @@ static inline void drv_wake_tx_queue(str
- {
- struct ieee80211_sub_if_data *sdata = vif_to_sdata(txq->txq.vif);
-
-+ if (local->in_reconfig)
-+ return;
-+
- if (!check_sdata_in_driver(sdata))
- return;
-
+++ /dev/null
-From: Felix Fietkau <nbd@nbd.name>
-Date: Thu, 8 Mar 2018 21:00:56 +0100
-Subject: [PATCH] mac80211: fix memory accounting with A-MSDU aggregation
-
-fq uses skb->truesize for memory usage tracking. Increments/decrements
-are done on enqueue/dequeue.
-When A-MSDU aggregation is performed on tx side, the packet is
-aggregated with the last packet in the queue belonging to the same flow.
-There are multiple bugs here:
-- The truesize field of the aggregated packet isn't updated, so memory
-usage is underestimated
-- fq->memory_usage isn't adjusted.
-
-Because of the combination of both bugs, this only causes tx issues in
-rare cases, mainly when the A-MSDU head needs to be reallocated.
-
-Fix this by adjusting both truesize of the A-MSDU head and adding the
-truesize delta to fq->memory_usage.
-
-Signed-off-by: Felix Fietkau <nbd@nbd.name>
----
-
---- a/net/mac80211/tx.c
-+++ b/net/mac80211/tx.c
-@@ -3185,6 +3185,7 @@ static bool ieee80211_amsdu_aggregate(st
- u8 max_subframes = sta->sta.max_amsdu_subframes;
- int max_frags = local->hw.max_tx_fragments;
- int max_amsdu_len = sta->sta.max_amsdu_len;
-+ int orig_truesize;
- __be16 len;
- void *data;
- bool ret = false;
-@@ -3216,12 +3217,13 @@ static bool ieee80211_amsdu_aggregate(st
- flow = fq_flow_classify(fq, tin, skb, fq_flow_get_default_func);
- head = skb_peek_tail(&flow->queue);
- if (!head)
-- goto out;
-+ goto unlock;
-
-+ orig_truesize = head->truesize;
- orig_len = head->len;
-
- if (skb->len + head->len > max_amsdu_len)
-- goto out;
-+ goto unlock;
-
- nfrags = 1 + skb_shinfo(skb)->nr_frags;
- nfrags += 1 + skb_shinfo(head)->nr_frags;
-@@ -3279,6 +3281,9 @@ out_recalc:
- fq_recalc_backlog(fq, tin, flow);
- }
- out:
-+ fq->memory_usage += head->truesize - orig_truesize;
-+
-+unlock:
- spin_unlock_bh(&fq->lock);
-
- return ret;
+++ /dev/null
-From: Felix Fietkau <nbd@nbd.name>
-Date: Wed, 13 Mar 2019 18:52:56 +0100
-Subject: [PATCH] mac80211: fix unaligned access in mesh table hash function
-
-The pointer to the last four bytes of the address is not guaranteed to be
-aligned, so we need to use __get_unaligned_cpu32 here
-
-Signed-off-by: Felix Fietkau <nbd@nbd.name>
----
-
---- a/net/mac80211/mesh_pathtbl.c
-+++ b/net/mac80211/mesh_pathtbl.c
-@@ -23,7 +23,7 @@ static void mesh_path_free_rcu(struct me
- static u32 mesh_table_hash(const void *addr, u32 len, u32 seed)
- {
- /* Use last four bytes of hw addr as hash index */
-- return jhash_1word(*(u32 *)(addr+2), seed);
-+ return jhash_1word(__get_unaligned_cpu32(addr+2), seed);
- }
-
- static const struct rhashtable_params mesh_rht_params = {
return true;
}
-@@ -3602,6 +3606,60 @@ out:
+@@ -3600,6 +3604,60 @@ out:
}
EXPORT_SYMBOL(ieee80211_tx_dequeue);
};
/* policy for the key attributes */
-@@ -4658,6 +4659,11 @@ static int nl80211_send_station(struct s
+@@ -4664,6 +4665,11 @@ static int nl80211_send_station(struct s
PUT_SINFO(PLID, plid, u16);
PUT_SINFO(PLINK_STATE, plink_state, u8);
PUT_SINFO_U64(RX_DURATION, rx_duration);
switch (rdev->wiphy.signal_type) {
case CFG80211_SIGNAL_TYPE_MBM:
-@@ -5294,6 +5300,15 @@ static int nl80211_set_station(struct sk
+@@ -5300,6 +5306,15 @@ static int nl80211_set_station(struct sk
nla_get_u8(info->attrs[NL80211_ATTR_OPMODE_NOTIF]);
}
/* Include parameters for TDLS peer (will check later) */
err = nl80211_set_station_tdls(info, ¶ms);
if (err)
-@@ -5432,6 +5447,15 @@ static int nl80211_new_station(struct sk
+@@ -5438,6 +5453,15 @@ static int nl80211_new_station(struct sk
return -EINVAL;
}
spin_lock_bh(&local->active_txq_lock[txqi->txq.ac]);
list_del_init(&txqi->schedule_order);
spin_unlock_bh(&local->active_txq_lock[txqi->txq.ac]);
-@@ -3613,11 +3616,28 @@ struct ieee80211_txq *ieee80211_next_txq
+@@ -3611,11 +3614,28 @@ struct ieee80211_txq *ieee80211_next_txq
lockdep_assert_held(&local->active_txq_lock[ac]);
return NULL;
list_del_init(&txqi->schedule_order);
-@@ -3635,12 +3655,74 @@ void ieee80211_return_txq(struct ieee802
+@@ -3633,12 +3653,74 @@ void ieee80211_return_txq(struct ieee802
lockdep_assert_held(&local->active_txq_lock[txq->ac]);
if (list_empty(&txqi->schedule_order) &&
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
-@@ -3675,6 +3675,19 @@ void ieee80211_return_txq(struct ieee802
+@@ -3673,6 +3673,19 @@ void ieee80211_return_txq(struct ieee802
}
EXPORT_SYMBOL(ieee80211_return_txq);
if (likely(sta)) {
if (!IS_ERR(sta))
tx->sta = sta;
-@@ -3525,6 +3525,7 @@ begin:
+@@ -3523,6 +3523,7 @@ begin:
tx.local = local;
tx.skb = skb;
tx.sdata = vif_to_sdata(info->control.vif);
if (txq->sta)
tx.sta = container_of(txq->sta, struct sta_info, sta);
-@@ -3551,7 +3552,7 @@ begin:
+@@ -3549,7 +3550,7 @@ begin:
if (tx.key &&
(tx.key->conf.flags & IEEE80211_KEY_FLAG_GENERATE_IV))
ieee80211_xmit_fast_finish(sta->sdata, sta, pn_offs,
tx.key, skb);
-@@ -4008,6 +4009,7 @@ ieee80211_build_data_template(struct iee
+@@ -4006,6 +4007,7 @@ ieee80211_build_data_template(struct iee
hdr = (void *)skb->data;
tx.sta = sta_info_get(sdata, hdr->addr1);
tx.skb = skb;
/* We store the key here so there's no point in using rcu_dereference()
* but that's fine because the code that changes the pointers will call
* this function after doing so. For a single CPU that would be enough,
-@@ -3525,7 +3531,7 @@ begin:
+@@ -3523,7 +3529,7 @@ begin:
tx.local = local;
tx.skb = skb;
tx.sdata = vif_to_sdata(info->control.vif);
if (txq->sta)
tx.sta = container_of(txq->sta, struct sta_info, sta);
-@@ -4009,7 +4015,7 @@ ieee80211_build_data_template(struct iee
+@@ -4007,7 +4013,7 @@ ieee80211_build_data_template(struct iee
hdr = (void *)skb->data;
tx.sta = sta_info_get(sdata, hdr->addr1);
tx.skb = skb;
* ieee80211_txq_may_transmit - check whether TXQ is allowed to transmit
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
-@@ -3619,16 +3619,17 @@ EXPORT_SYMBOL(ieee80211_tx_dequeue);
+@@ -3617,16 +3617,17 @@ EXPORT_SYMBOL(ieee80211_tx_dequeue);
struct ieee80211_txq *ieee80211_next_txq(struct ieee80211_hw *hw, u8 ac)
{
struct ieee80211_local *local = hw_to_local(hw);
if (txqi->txq.sta) {
struct sta_info *sta = container_of(txqi->txq.sta,
-@@ -3645,21 +3646,25 @@ struct ieee80211_txq *ieee80211_next_txq
+@@ -3643,21 +3644,25 @@ struct ieee80211_txq *ieee80211_next_txq
if (txqi->schedule_round == local->schedule_round[ac])
if (list_empty(&txqi->schedule_order) &&
(!skb_queue_empty(&txqi->frags) || txqi->tin.backlog_packets)) {
-@@ -3679,18 +3684,7 @@ void ieee80211_return_txq(struct ieee802
+@@ -3677,18 +3682,7 @@ void ieee80211_return_txq(struct ieee802
list_add_tail(&txqi->schedule_order,
&local->active_txqs[txq->ac]);
}
spin_unlock_bh(&local->active_txq_lock[txq->ac]);
}
EXPORT_SYMBOL(ieee80211_schedule_txq);
-@@ -3703,7 +3697,7 @@ bool ieee80211_txq_may_transmit(struct i
+@@ -3701,7 +3695,7 @@ bool ieee80211_txq_may_transmit(struct i
struct sta_info *sta;
u8 ac = txq->ac;
if (!txqi->txq.sta)
goto out;
-@@ -3733,34 +3727,27 @@ bool ieee80211_txq_may_transmit(struct i
+@@ -3731,34 +3725,27 @@ bool ieee80211_txq_may_transmit(struct i
sta->airtime[ac].deficit += sta->airtime_weight;
list_move_tail(&txqi->schedule_order, &local->active_txqs[ac]);
+ fq_flow_get_default_func);
head = skb_peek_tail(&flow->queue);
if (!head)
- goto unlock;
+ goto out;
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
-@@ -3507,6 +3507,7 @@ struct sk_buff *ieee80211_tx_dequeue(str
+@@ -3505,6 +3505,7 @@ struct sk_buff *ieee80211_tx_dequeue(str
ieee80211_tx_result r;
struct ieee80211_vif *vif = txq->vif;
spin_lock_bh(&fq->lock);
if (test_bit(IEEE80211_TXQ_STOP, &txqi->flags) ||
-@@ -3523,11 +3524,12 @@ struct sk_buff *ieee80211_tx_dequeue(str
+@@ -3521,11 +3522,12 @@ struct sk_buff *ieee80211_tx_dequeue(str
if (skb)
goto out;
hdr = (struct ieee80211_hdr *)skb->data;
info = IEEE80211_SKB_CB(skb);
-@@ -3573,8 +3575,11 @@ begin:
+@@ -3571,8 +3573,11 @@ begin:
skb = __skb_dequeue(&tx.skbs);
}
if (skb && skb_has_frag_list(skb) &&
-@@ -3613,6 +3618,7 @@ begin:
+@@ -3611,6 +3616,7 @@ begin:
}
IEEE80211_SKB_CB(skb)->control.vif = vif;
}
if (encaps_data)
-@@ -3377,7 +3367,6 @@ static bool ieee80211_xmit_fast(struct i
+@@ -3375,7 +3365,6 @@ static bool ieee80211_xmit_fast(struct i
struct ieee80211_local *local = sdata->local;
u16 ethertype = (skb->data[12] << 8) | skb->data[13];
int extra_head = fast_tx->hdr_len - (ETH_HLEN - 2);
struct ethhdr eth;
struct ieee80211_tx_info *info;
struct ieee80211_hdr *hdr = (void *)fast_tx->hdr;
-@@ -3429,10 +3418,7 @@ static bool ieee80211_xmit_fast(struct i
+@@ -3427,10 +3416,7 @@ static bool ieee80211_xmit_fast(struct i
* as the may-encrypt argument for the resize to not account for
* more room than we already have in 'extra_head'
*/
/**
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
-@@ -3655,8 +3655,9 @@ out:
+@@ -3653,8 +3653,9 @@ out:
}
EXPORT_SYMBOL(ieee80211_next_txq);
{
struct ieee80211_local *local = hw_to_local(hw);
struct txq_info *txqi = to_txq_info(txq);
-@@ -3664,7 +3665,8 @@ void ieee80211_schedule_txq(struct ieee8
+@@ -3662,7 +3663,8 @@ void ieee80211_schedule_txq(struct ieee8
spin_lock_bh(&local->active_txq_lock[txq->ac]);
if (list_empty(&txqi->schedule_order) &&
/* If airtime accounting is active, always enqueue STAs at the
* head of the list to ensure that they only get moved to the
* back by the airtime DRR scheduler once they have a negative
-@@ -3684,7 +3686,7 @@ void ieee80211_schedule_txq(struct ieee8
+@@ -3682,7 +3684,7 @@ void ieee80211_schedule_txq(struct ieee8
spin_unlock_bh(&local->active_txq_lock[txq->ac]);
}
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
-@@ -3753,6 +3753,7 @@ void __ieee80211_subif_start_xmit(struct
+@@ -3751,6 +3751,7 @@ void __ieee80211_subif_start_xmit(struct
u32 info_flags)
{
struct ieee80211_sub_if_data *sdata = IEEE80211_DEV_TO_SUB_IF(dev);
struct sta_info *sta;
struct sk_buff *next;
-@@ -3766,7 +3767,15 @@ void __ieee80211_subif_start_xmit(struct
+@@ -3764,7 +3765,15 @@ void __ieee80211_subif_start_xmit(struct
if (ieee80211_lookup_ra_sta(sdata, skb, &sta))
goto out_free;
- MCS_GROUP(2, 0, BW_20, 4),
- MCS_GROUP(3, 0, BW_20, 4),
- MCS_GROUP(4, 0, BW_20, 4),
-+ MCS_GROUP(1, 0, BW_20),
-+ MCS_GROUP(2, 0, BW_20),
-+ MCS_GROUP(3, 0, BW_20),
-+ MCS_GROUP(4, 0, BW_20),
-
+-
- MCS_GROUP(1, 1, BW_20, 5),
- MCS_GROUP(2, 1, BW_20, 4),
- MCS_GROUP(3, 1, BW_20, 4),
- MCS_GROUP(4, 1, BW_20, 4),
-+ MCS_GROUP(1, 1, BW_20),
-+ MCS_GROUP(2, 1, BW_20),
-+ MCS_GROUP(3, 1, BW_20),
-+ MCS_GROUP(4, 1, BW_20),
-
+-
- MCS_GROUP(1, 0, BW_40, 4),
- MCS_GROUP(2, 0, BW_40, 4),
- MCS_GROUP(3, 0, BW_40, 4),
- MCS_GROUP(4, 0, BW_40, 4),
-+ MCS_GROUP(1, 0, BW_40),
-+ MCS_GROUP(2, 0, BW_40),
-+ MCS_GROUP(3, 0, BW_40),
-+ MCS_GROUP(4, 0, BW_40),
-
+-
- MCS_GROUP(1, 1, BW_40, 4),
- MCS_GROUP(2, 1, BW_40, 4),
- MCS_GROUP(3, 1, BW_40, 4),
- MCS_GROUP(4, 1, BW_40, 4),
-+ MCS_GROUP(1, 1, BW_40),
-+ MCS_GROUP(2, 1, BW_40),
-+ MCS_GROUP(3, 1, BW_40),
-+ MCS_GROUP(4, 1, BW_40),
-
+-
- CCK_GROUP(8),
-+ CCK_GROUP,
-
+-
- VHT_GROUP(1, 0, BW_20, 5),
- VHT_GROUP(2, 0, BW_20, 4),
- VHT_GROUP(3, 0, BW_20, 4),
- VHT_GROUP(4, 0, BW_20, 4),
-+ VHT_GROUP(1, 0, BW_20),
-+ VHT_GROUP(2, 0, BW_20),
-+ VHT_GROUP(3, 0, BW_20),
-+ VHT_GROUP(4, 0, BW_20),
-
+-
- VHT_GROUP(1, 1, BW_20, 5),
- VHT_GROUP(2, 1, BW_20, 4),
- VHT_GROUP(3, 1, BW_20, 4),
- VHT_GROUP(4, 1, BW_20, 4),
-+ VHT_GROUP(1, 1, BW_20),
-+ VHT_GROUP(2, 1, BW_20),
-+ VHT_GROUP(3, 1, BW_20),
-+ VHT_GROUP(4, 1, BW_20),
-
+-
- VHT_GROUP(1, 0, BW_40, 4),
- VHT_GROUP(2, 0, BW_40, 4),
- VHT_GROUP(3, 0, BW_40, 4),
- VHT_GROUP(4, 0, BW_40, 3),
-+ VHT_GROUP(1, 0, BW_40),
-+ VHT_GROUP(2, 0, BW_40),
-+ VHT_GROUP(3, 0, BW_40),
-+ VHT_GROUP(4, 0, BW_40),
-
+-
- VHT_GROUP(1, 1, BW_40, 4),
- VHT_GROUP(2, 1, BW_40, 4),
- VHT_GROUP(3, 1, BW_40, 4),
- VHT_GROUP(4, 1, BW_40, 3),
-+ VHT_GROUP(1, 1, BW_40),
-+ VHT_GROUP(2, 1, BW_40),
-+ VHT_GROUP(3, 1, BW_40),
-+ VHT_GROUP(4, 1, BW_40),
-
+-
- VHT_GROUP(1, 0, BW_80, 4),
- VHT_GROUP(2, 0, BW_80, 4),
- VHT_GROUP(3, 0, BW_80, 4),
- VHT_GROUP(4, 0, BW_80, 2),
-+ VHT_GROUP(1, 0, BW_80),
-+ VHT_GROUP(2, 0, BW_80),
-+ VHT_GROUP(3, 0, BW_80),
-+ VHT_GROUP(4, 0, BW_80),
-
+-
- VHT_GROUP(1, 1, BW_80, 4),
- VHT_GROUP(2, 1, BW_80, 4),
- VHT_GROUP(3, 1, BW_80, 4),
- VHT_GROUP(4, 1, BW_80, 2),
++ MCS_GROUP(1, 0, BW_20),
++ MCS_GROUP(2, 0, BW_20),
++ MCS_GROUP(3, 0, BW_20),
++ MCS_GROUP(4, 0, BW_20),
++
++ MCS_GROUP(1, 1, BW_20),
++ MCS_GROUP(2, 1, BW_20),
++ MCS_GROUP(3, 1, BW_20),
++ MCS_GROUP(4, 1, BW_20),
++
++ MCS_GROUP(1, 0, BW_40),
++ MCS_GROUP(2, 0, BW_40),
++ MCS_GROUP(3, 0, BW_40),
++ MCS_GROUP(4, 0, BW_40),
++
++ MCS_GROUP(1, 1, BW_40),
++ MCS_GROUP(2, 1, BW_40),
++ MCS_GROUP(3, 1, BW_40),
++ MCS_GROUP(4, 1, BW_40),
++
++ CCK_GROUP,
++
++ VHT_GROUP(1, 0, BW_20),
++ VHT_GROUP(2, 0, BW_20),
++ VHT_GROUP(3, 0, BW_20),
++ VHT_GROUP(4, 0, BW_20),
++
++ VHT_GROUP(1, 1, BW_20),
++ VHT_GROUP(2, 1, BW_20),
++ VHT_GROUP(3, 1, BW_20),
++ VHT_GROUP(4, 1, BW_20),
++
++ VHT_GROUP(1, 0, BW_40),
++ VHT_GROUP(2, 0, BW_40),
++ VHT_GROUP(3, 0, BW_40),
++ VHT_GROUP(4, 0, BW_40),
++
++ VHT_GROUP(1, 1, BW_40),
++ VHT_GROUP(2, 1, BW_40),
++ VHT_GROUP(3, 1, BW_40),
++ VHT_GROUP(4, 1, BW_40),
++
++ VHT_GROUP(1, 0, BW_80),
++ VHT_GROUP(2, 0, BW_80),
++ VHT_GROUP(3, 0, BW_80),
++ VHT_GROUP(4, 0, BW_80),
++
+ VHT_GROUP(1, 1, BW_80),
+ VHT_GROUP(2, 1, BW_80),
+ VHT_GROUP(3, 1, BW_80),
+++ /dev/null
-From 33d915d9e8ce811d8958915ccd18d71a66c7c495 Mon Sep 17 00:00:00 2001
-From: Manikanta Pubbisetty <mpubbise@codeaurora.org>
-Date: Wed, 8 May 2019 14:55:33 +0530
-Subject: [PATCH] {nl,mac}80211: allow 4addr AP operation on crypto controlled
- devices
-
-As per the current design, in the case of sw crypto controlled devices,
-it is the device which advertises the support for AP/VLAN iftype based
-on it's ability to tranmsit packets encrypted in software
-(In VLAN functionality, group traffic generated for a specific
-VLAN group is always encrypted in software). Commit db3bdcb9c3ff
-("mac80211: allow AP_VLAN operation on crypto controlled devices")
-has introduced this change.
-
-Since 4addr AP operation also uses AP/VLAN iftype, this conditional
-way of advertising AP/VLAN support has broken 4addr AP mode operation on
-crypto controlled devices which do not support VLAN functionality.
-
-In the case of ath10k driver, not all firmwares have support for VLAN
-functionality but all can support 4addr AP operation. Because AP/VLAN
-support is not advertised for these devices, 4addr AP operations are
-also blocked.
-
-Fix this by allowing 4addr operation on devices which do not support
-AP/VLAN iftype but can support 4addr AP operation (decision is based on
-the wiphy flag WIPHY_FLAG_4ADDR_AP).
-
-Cc: stable@vger.kernel.org
-Fixes: db3bdcb9c3ff ("mac80211: allow AP_VLAN operation on crypto controlled devices")
-Signed-off-by: Manikanta Pubbisetty <mpubbise@codeaurora.org>
-Signed-off-by: Johannes Berg <johannes.berg@intel.com>
----
- include/net/cfg80211.h | 3 ++-
- net/mac80211/util.c | 4 +++-
- net/wireless/core.c | 6 +++++-
- net/wireless/nl80211.c | 8 ++++++--
- 4 files changed, 16 insertions(+), 5 deletions(-)
-
---- a/include/net/cfg80211.h
-+++ b/include/net/cfg80211.h
-@@ -3457,7 +3457,8 @@ struct cfg80211_ops {
- * on wiphy_new(), but can be changed by the driver if it has a good
- * reason to override the default
- * @WIPHY_FLAG_4ADDR_AP: supports 4addr mode even on AP (with a single station
-- * on a VLAN interface)
-+ * on a VLAN interface). This flag also serves an extra purpose of
-+ * supporting 4ADDR AP mode on devices which do not support AP/VLAN iftype.
- * @WIPHY_FLAG_4ADDR_STATION: supports 4addr mode even as a station
- * @WIPHY_FLAG_CONTROL_PORT_PROTOCOL: This device supports setting the
- * control port protocol ethertype. The device also honours the
---- a/net/mac80211/util.c
-+++ b/net/mac80211/util.c
-@@ -3626,7 +3626,9 @@ int ieee80211_check_combinations(struct
- }
-
- /* Always allow software iftypes */
-- if (local->hw.wiphy->software_iftypes & BIT(iftype)) {
-+ if (local->hw.wiphy->software_iftypes & BIT(iftype) ||
-+ (iftype == NL80211_IFTYPE_AP_VLAN &&
-+ local->hw.wiphy->flags & WIPHY_FLAG_4ADDR_AP)) {
- if (radar_detect)
- return -EINVAL;
- return 0;
---- a/net/wireless/core.c
-+++ b/net/wireless/core.c
-@@ -1351,8 +1351,12 @@ static int cfg80211_netdev_notifier_call
- }
- break;
- case NETDEV_PRE_UP:
-- if (!(wdev->wiphy->interface_modes & BIT(wdev->iftype)))
-+ if (!(wdev->wiphy->interface_modes & BIT(wdev->iftype)) &&
-+ !(wdev->iftype == NL80211_IFTYPE_AP_VLAN &&
-+ rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP &&
-+ wdev->use_4addr))
- return notifier_from_errno(-EOPNOTSUPP);
-+
- if (rfkill_blocked(rdev->rfkill))
- return notifier_from_errno(-ERFKILL);
- break;
---- a/net/wireless/nl80211.c
-+++ b/net/wireless/nl80211.c
-@@ -3194,8 +3194,7 @@ static int nl80211_new_interface(struct
- return -EINVAL;
- }
-
-- if (!rdev->ops->add_virtual_intf ||
-- !(rdev->wiphy.interface_modes & (1 << type)))
-+ if (!rdev->ops->add_virtual_intf)
- return -EOPNOTSUPP;
-
- if ((type == NL80211_IFTYPE_P2P_DEVICE || type == NL80211_IFTYPE_NAN ||
-@@ -3214,6 +3213,11 @@ static int nl80211_new_interface(struct
- return err;
- }
-
-+ if (!(rdev->wiphy.interface_modes & (1 << type)) &&
-+ !(type == NL80211_IFTYPE_AP_VLAN && params.use_4addr &&
-+ rdev->wiphy.flags & WIPHY_FLAG_4ADDR_AP))
-+ return -EOPNOTSUPP;
-+
- err = nl80211_parse_mon_options(rdev, type, info, ¶ms);
- if (err < 0)
- return err;