diff --git a/package/kernel/mac80211/patches/300-pending_work.patch b/package/kernel/mac80211/patches/300-pending_work.patch index 6251b45..796b34c 100644 --- a/package/kernel/mac80211/patches/300-pending_work.patch +++ b/package/kernel/mac80211/patches/300-pending_work.patch @@ -1,3 +1,64 @@ +commit 77980bee5f1f743b46f8749185aca28b8ec69741 +Author: Johannes Berg +Date: Mon Nov 3 14:29:09 2014 +0100 + + mac80211: fix use-after-free in defragmentation + + Upon receiving the last fragment, all but the first fragment + are freed, but the multicast check for statistics at the end + of the function refers to the current skb (the last fragment) + causing a use-after-free bug. + + Since multicast frames cannot be fragmented and we check for + this early in the function, just modify that check to also + do the accounting to fix the issue. + + Cc: stable@vger.kernel.org + Reported-by: Yosef Khyal + Signed-off-by: Johannes Berg + +commit e252be2d718dada0abd72208a44b9f1b63919883 +Author: Hauke Mehrtens +Date: Wed Nov 5 23:31:07 2014 +0100 + + b43: fix NULL pointer dereference in b43_phy_copy() + + phy_read and phy_write are not set for every phy any more sine this: + commit d342b95dd735014a590f9051b1ba227eb54ca8f6 + Author: Rafał Miłecki + Date: Thu Jul 31 21:59:43 2014 +0200 + + b43: don't duplicate common PHY read/write ops + + b43_phy_copy() accesses phy_read and phy_write directly and will fail + with some phys. This patch fixes the regression by using the + b43_phy_read() and b43_phy_write() functions which should be used for + read and write access. + + This should fix this bug report: + https://bugzilla.kernel.org/show_bug.cgi?id=87731 + + Reported-by: Volker Kempter + Signed-off-by: Hauke Mehrtens + +commit ddf93ad61cb009ed05ff2547923fb269a3604408 +Author: Miaoqing Pan +Date: Thu Nov 6 10:52:23 2014 +0530 + + ath9k: Fix RTC_DERIVED_CLK usage + + Based on the reference clock, which could be 25MHz or 40MHz, + AR_RTC_DERIVED_CLK is programmed differently for AR9340 and AR9550. + But, when a chip reset is done, processing the initvals + sets the register back to the default value. + + Fix this by moving the code in ath9k_hw_init_pll() to + ar9003_hw_override_ini(). Also, do this override for AR9531. + + Cc: stable@vger.kernel.org + Signed-off-by: Miaoqing Pan + Signed-off-by: Sujith Manoharan + commit 536b05e91ac2715942f792184c26beb43dbaa522 Author: Felix Fietkau Date: Mon Oct 27 11:50:28 2014 +0100 @@ -1000,6 +1061,36 @@ Date: Mon May 19 21:20:49 2014 +0200 ieee80211_sta_ps_deliver_wakeup(sta); } +@@ -1646,11 +1648,14 @@ ieee80211_rx_h_defragment(struct ieee802 + sc = le16_to_cpu(hdr->seq_ctrl); + frag = sc & IEEE80211_SCTL_FRAG; + +- if (likely((!ieee80211_has_morefrags(fc) && frag == 0) || +- is_multicast_ether_addr(hdr->addr1))) { +- /* not fragmented */ ++ if (likely(!ieee80211_has_morefrags(fc) && frag == 0)) ++ goto out; ++ ++ if (is_multicast_ether_addr(hdr->addr1)) { ++ rx->local->dot11MulticastReceivedFrameCount++; + goto out; + } ++ + I802_DEBUG_INC(rx->local->rx_handlers_fragments); + + if (skb_linearize(rx->skb)) +@@ -1743,10 +1748,7 @@ ieee80211_rx_h_defragment(struct ieee802 + out: + if (rx->sta) + rx->sta->rx_packets++; +- if (is_multicast_ether_addr(hdr->addr1)) +- rx->local->dot11MulticastReceivedFrameCount++; +- else +- ieee80211_led_rx(rx->local); ++ ieee80211_led_rx(rx->local); + return RX_CONTINUE; + } + --- a/net/mac80211/sta_info.h +++ b/net/mac80211/sta_info.h @@ -82,6 +82,7 @@ enum ieee80211_sta_info_flags { @@ -3255,7 +3346,27 @@ Date: Mon May 19 21:20:49 2014 +0200 static u32 ar9003_hw_compute_pll_control(struct ath_hw *ah, struct ath9k_channel *chan) { -@@ -1779,7 +1796,12 @@ void ar9003_hw_attach_phy_ops(struct ath +@@ -647,6 +664,19 @@ static void ar9003_hw_override_ini(struc + ah->enabled_cals |= TX_CL_CAL; + else + ah->enabled_cals &= ~TX_CL_CAL; ++ ++ if (AR_SREV_9340(ah) || AR_SREV_9531(ah) || AR_SREV_9550(ah)) { ++ if (ah->is_clk_25mhz) { ++ REG_WRITE(ah, AR_RTC_DERIVED_CLK, 0x17c << 1); ++ REG_WRITE(ah, AR_SLP32_MODE, 0x0010f3d7); ++ REG_WRITE(ah, AR_SLP32_INC, 0x0001e7ae); ++ } else { ++ REG_WRITE(ah, AR_RTC_DERIVED_CLK, 0x261 << 1); ++ REG_WRITE(ah, AR_SLP32_MODE, 0x0010f400); ++ REG_WRITE(ah, AR_SLP32_INC, 0x0001e800); ++ } ++ udelay(100); ++ } + } + + static void ar9003_hw_prog_ini(struct ath_hw *ah, +@@ -1779,7 +1809,12 @@ void ar9003_hw_attach_phy_ops(struct ath priv_ops->rf_set_freq = ar9003_hw_set_channel; priv_ops->spur_mitigate_freq = ar9003_hw_spur_mitigate; @@ -3308,6 +3419,26 @@ Date: Mon May 19 21:20:49 2014 +0200 if (AR_SREV_9565(ah)) pll |= 0x40000; REG_WRITE(ah, AR_RTC_PLL_CONTROL, pll); +@@ -858,19 +861,6 @@ static void ath9k_hw_init_pll(struct ath + udelay(RTC_PLL_SETTLE_DELAY); + + REG_WRITE(ah, AR_RTC_SLEEP_CLK, AR_RTC_FORCE_DERIVED_CLK); +- +- if (AR_SREV_9340(ah) || AR_SREV_9550(ah)) { +- if (ah->is_clk_25mhz) { +- REG_WRITE(ah, AR_RTC_DERIVED_CLK, 0x17c << 1); +- REG_WRITE(ah, AR_SLP32_MODE, 0x0010f3d7); +- REG_WRITE(ah, AR_SLP32_INC, 0x0001e7ae); +- } else { +- REG_WRITE(ah, AR_RTC_DERIVED_CLK, 0x261 << 1); +- REG_WRITE(ah, AR_SLP32_MODE, 0x0010f400); +- REG_WRITE(ah, AR_SLP32_INC, 0x0001e800); +- } +- udelay(100); +- } + } + + static void ath9k_hw_init_interrupt_masks(struct ath_hw *ah, --- a/drivers/net/wireless/ath/ath9k/reg.h +++ b/drivers/net/wireless/ath/ath9k/reg.h @@ -1236,12 +1236,23 @@ enum { @@ -3352,3 +3483,15 @@ Date: Mon May 19 21:20:49 2014 +0200 } EXPORT_SYMBOL(ath9k_cmn_update_txpow); +--- a/drivers/net/wireless/b43/phy_common.c ++++ b/drivers/net/wireless/b43/phy_common.c +@@ -276,8 +276,7 @@ void b43_phy_write(struct b43_wldev *dev + void b43_phy_copy(struct b43_wldev *dev, u16 destreg, u16 srcreg) + { + assert_mac_suspended(dev); +- dev->phy.ops->phy_write(dev, destreg, +- dev->phy.ops->phy_read(dev, srcreg)); ++ b43_phy_write(dev, destreg, b43_phy_read(dev, srcreg)); + } + + void b43_phy_mask(struct b43_wldev *dev, u16 offset, u16 mask) diff --git a/package/kernel/mac80211/patches/310-ap_scan.patch b/package/kernel/mac80211/patches/310-ap_scan.patch index 23ecd37..0f620a3 100644 --- a/package/kernel/mac80211/patches/310-ap_scan.patch +++ b/package/kernel/mac80211/patches/310-ap_scan.patch @@ -1,6 +1,6 @@ --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c -@@ -1903,7 +1903,7 @@ static int ieee80211_scan(struct wiphy * +@@ -1902,7 +1902,7 @@ static int ieee80211_scan(struct wiphy * * the frames sent while scanning on other channel will be * lost) */ diff --git a/package/kernel/mac80211/patches/523-ath9k_use_configured_antenna_gain.patch b/package/kernel/mac80211/patches/523-ath9k_use_configured_antenna_gain.patch index dcc3ee4..9b51c4c 100644 --- a/package/kernel/mac80211/patches/523-ath9k_use_configured_antenna_gain.patch +++ b/package/kernel/mac80211/patches/523-ath9k_use_configured_antenna_gain.patch @@ -10,7 +10,7 @@ --- a/drivers/net/wireless/ath/ath9k/hw.c +++ b/drivers/net/wireless/ath/ath9k/hw.c -@@ -2724,7 +2724,7 @@ void ath9k_hw_apply_txpower(struct ath_h +@@ -2711,7 +2711,7 @@ void ath9k_hw_apply_txpower(struct ath_h channel = chan->chan; chan_pwr = min_t(int, channel->max_power * 2, MAX_RATE_POWER); new_pwr = min_t(int, chan_pwr, reg->power_limit); diff --git a/package/kernel/mac80211/patches/542-ath9k_debugfs_diag.patch b/package/kernel/mac80211/patches/542-ath9k_debugfs_diag.patch index 984955f..f36a0e6 100644 --- a/package/kernel/mac80211/patches/542-ath9k_debugfs_diag.patch +++ b/package/kernel/mac80211/patches/542-ath9k_debugfs_diag.patch @@ -94,7 +94,7 @@ struct ath_gen_timer *ath_gen_timer_alloc(struct ath_hw *ah, --- a/drivers/net/wireless/ath/ath9k/hw.c +++ b/drivers/net/wireless/ath/ath9k/hw.c -@@ -1738,6 +1738,20 @@ fail: +@@ -1725,6 +1725,20 @@ fail: return -EINVAL; } @@ -115,7 +115,7 @@ int ath9k_hw_reset(struct ath_hw *ah, struct ath9k_channel *chan, struct ath9k_hw_cal_data *caldata, bool fastcc) { -@@ -1943,6 +1957,7 @@ int ath9k_hw_reset(struct ath_hw *ah, st +@@ -1930,6 +1944,7 @@ int ath9k_hw_reset(struct ath_hw *ah, st ar9003_hw_disable_phy_restart(ah); ath9k_hw_apply_gpio_override(ah); diff --git a/package/kernel/mac80211/patches/543-ath9k-allow-to-disable-bands-via-platform-data.patch b/package/kernel/mac80211/patches/543-ath9k-allow-to-disable-bands-via-platform-data.patch index d99dcc8..2483744 100644 --- a/package/kernel/mac80211/patches/543-ath9k-allow-to-disable-bands-via-platform-data.patch +++ b/package/kernel/mac80211/patches/543-ath9k-allow-to-disable-bands-via-platform-data.patch @@ -11,7 +11,7 @@ int (*external_reset)(void); --- a/drivers/net/wireless/ath/ath9k/hw.c +++ b/drivers/net/wireless/ath/ath9k/hw.c -@@ -2331,17 +2331,25 @@ int ath9k_hw_fill_cap_info(struct ath_hw +@@ -2318,17 +2318,25 @@ int ath9k_hw_fill_cap_info(struct ath_hw } eeval = ah->eep_ops->get_eeprom(ah, EEP_OP_MODE); diff --git a/package/kernel/mac80211/patches/550-ath9k_entropy_from_adc.patch b/package/kernel/mac80211/patches/550-ath9k_entropy_from_adc.patch index dd2551a..f16f6b0 100644 --- a/package/kernel/mac80211/patches/550-ath9k_entropy_from_adc.patch +++ b/package/kernel/mac80211/patches/550-ath9k_entropy_from_adc.patch @@ -18,7 +18,7 @@ void (*spectral_scan_trigger)(struct ath_hw *ah); --- a/drivers/net/wireless/ath/ath9k/ar9003_phy.c +++ b/drivers/net/wireless/ath/ath9k/ar9003_phy.c -@@ -1781,6 +1781,26 @@ static void ar9003_hw_tx99_set_txpower(s +@@ -1794,6 +1794,26 @@ static void ar9003_hw_tx99_set_txpower(s ATH9K_POW_SM(p_pwr_array[ALL_TARGET_HT40_14], 0)); } @@ -45,7 +45,7 @@ void ar9003_hw_attach_phy_ops(struct ath_hw *ah) { struct ath_hw_private_ops *priv_ops = ath9k_hw_private_ops(ah); -@@ -1816,6 +1836,7 @@ void ar9003_hw_attach_phy_ops(struct ath +@@ -1829,6 +1849,7 @@ void ar9003_hw_attach_phy_ops(struct ath priv_ops->set_radar_params = ar9003_hw_set_radar_params; priv_ops->fast_chan_change = ar9003_hw_fast_chan_change; diff --git a/package/kernel/mac80211/patches/551-ath9k-ar933x-usb-hang-workaround.patch b/package/kernel/mac80211/patches/551-ath9k-ar933x-usb-hang-workaround.patch index a3094c0..feadd2d 100644 --- a/package/kernel/mac80211/patches/551-ath9k-ar933x-usb-hang-workaround.patch +++ b/package/kernel/mac80211/patches/551-ath9k-ar933x-usb-hang-workaround.patch @@ -20,7 +20,7 @@ /******************/ /* Chip Revisions */ /******************/ -@@ -1340,6 +1353,9 @@ static bool ath9k_hw_set_reset(struct at +@@ -1327,6 +1340,9 @@ static bool ath9k_hw_set_reset(struct at if (AR_SREV_9100(ah)) udelay(50); @@ -30,7 +30,7 @@ return true; } -@@ -1439,6 +1455,9 @@ static bool ath9k_hw_chip_reset(struct a +@@ -1426,6 +1442,9 @@ static bool ath9k_hw_chip_reset(struct a ar9003_hw_internal_regulator_apply(ah); ath9k_hw_init_pll(ah, chan); @@ -40,7 +40,7 @@ return true; } -@@ -1733,8 +1752,14 @@ static int ath9k_hw_do_fastcc(struct ath +@@ -1720,8 +1739,14 @@ static int ath9k_hw_do_fastcc(struct ath if (AR_SREV_9271(ah)) ar9002_hw_load_ani_reg(ah, chan); @@ -55,7 +55,7 @@ return -EINVAL; } -@@ -1962,6 +1987,9 @@ int ath9k_hw_reset(struct ath_hw *ah, st +@@ -1949,6 +1974,9 @@ int ath9k_hw_reset(struct ath_hw *ah, st if (AR_SREV_9565(ah) && common->bt_ant_diversity) REG_SET_BIT(ah, AR_BTCOEX_WL_LNADIV, AR_BTCOEX_WL_LNADIV_FORCE_ON); diff --git a/package/kernel/mac80211/patches/562-ath9k_ani_ws_detect.patch b/package/kernel/mac80211/patches/562-ath9k_ani_ws_detect.patch index d18a1ff..5db8c4a 100644 --- a/package/kernel/mac80211/patches/562-ath9k_ani_ws_detect.patch +++ b/package/kernel/mac80211/patches/562-ath9k_ani_ws_detect.patch @@ -79,7 +79,7 @@ /** * ar9003_hw_set_channel - set channel on single-chip device * @ah: atheros hardware structure -@@ -971,11 +957,6 @@ static bool ar9003_hw_ani_control(struct +@@ -984,11 +970,6 @@ static bool ar9003_hw_ani_control(struct struct ath_common *common = ath9k_hw_common(ah); struct ath9k_channel *chan = ah->curchan; struct ar5416AniState *aniState = &ah->ani; @@ -91,7 +91,7 @@ s32 value, value2; switch (cmd & ah->ani_function) { -@@ -989,61 +970,6 @@ static bool ar9003_hw_ani_control(struct +@@ -1002,61 +983,6 @@ static bool ar9003_hw_ani_control(struct */ u32 on = param ? 1 : 0; diff --git a/package/kernel/mac80211/patches/567-ath9k_fix_init_nfcal.patch b/package/kernel/mac80211/patches/567-ath9k_fix_init_nfcal.patch index 70ceca7..e407b23 100644 --- a/package/kernel/mac80211/patches/567-ath9k_fix_init_nfcal.patch +++ b/package/kernel/mac80211/patches/567-ath9k_fix_init_nfcal.patch @@ -10,7 +10,7 @@ set_bit(NFCAL_PENDING, &ah->caldata->cal_flags); --- a/drivers/net/wireless/ath/ath9k/hw.c +++ b/drivers/net/wireless/ath/ath9k/hw.c -@@ -1972,8 +1972,10 @@ int ath9k_hw_reset(struct ath_hw *ah, st +@@ -1959,8 +1959,10 @@ int ath9k_hw_reset(struct ath_hw *ah, st if (ath9k_hw_mci_is_enabled(ah)) ar9003_mci_check_bt(ah); diff --git a/package/kernel/mac80211/patches/800-b43-backports-form-wireless-testing-master-master-20.patch b/package/kernel/mac80211/patches/800-b43-backports-form-wireless-testing-master-master-20.patch index 03c2cbf..947b54e 100644 --- a/package/kernel/mac80211/patches/800-b43-backports-form-wireless-testing-master-master-20.patch +++ b/package/kernel/mac80211/patches/800-b43-backports-form-wireless-testing-master-master-20.patch @@ -817,7 +817,7 @@ This brings b43 up to wireless-testing/master master-2014-07-29-1 if (ops->exit) ops->exit(dev); } -@@ -403,9 +411,6 @@ int b43_switch_channel(struct b43_wldev +@@ -402,9 +410,6 @@ int b43_switch_channel(struct b43_wldev u16 channelcookie, savedcookie; int err; @@ -827,7 +827,7 @@ This brings b43 up to wireless-testing/master master-2014-07-29-1 /* First we set the channel radio code to prevent the * firmware from sending ghost packets. */ -@@ -423,7 +428,6 @@ int b43_switch_channel(struct b43_wldev +@@ -422,7 +427,6 @@ int b43_switch_channel(struct b43_wldev if (err) goto err_restore_cookie; @@ -835,7 +835,7 @@ This brings b43 up to wireless-testing/master master-2014-07-29-1 /* Wait for the radio to tune to the channel and stabilize. */ msleep(8); -@@ -542,10 +546,9 @@ void b43_phyop_switch_analog_generic(str +@@ -541,10 +545,9 @@ void b43_phyop_switch_analog_generic(str }