openwrt/staging/blogic.git
11 years agomwifiex: fix use-after-free in beacon_ie processing
Bing Zhao [Fri, 12 Apr 2013 17:34:17 +0000 (10:34 -0700)]
mwifiex: fix use-after-free in beacon_ie processing

beacon_ie buffer is allocated in mwifiex_fill_new_bss_desc()
and the buffer pointer is saved in bss_desc->beacon_buf.
beacon_ie is freed before the function returns. However,
bss_desc->beacon_buf is still being accessed afterwards.

Fix it by freeing beacon_ie (bss_desc->beacon_buf) in
caller's scope.

Reviewed-by: Doug Anderson <dianders@chromium.org>
Reviewed-by: Paul Stewart <pstew@chromium.org>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agomwifiex: don't try to associate when bss_mode is not STA
Bing Zhao [Sat, 20 Apr 2013 04:00:44 +0000 (21:00 -0700)]
mwifiex: don't try to associate when bss_mode is not STA

We have blocked association attempts on interfaces configured in
AP and AD-HOC modes. P2P mode should be blocked too.

Furthermore, an error code must be returned if we are unable to
associate.

Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agomwifiex: make use of msecs_to_jiffies()
Bing Zhao [Sat, 20 Apr 2013 00:44:44 +0000 (17:44 -0700)]
mwifiex: make use of msecs_to_jiffies()

Use msecs_to_jiffies() wherever possible.

Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agomwifiex: correct bss_mode check while appending vht operation IE
Bing Zhao [Sat, 20 Apr 2013 00:44:43 +0000 (17:44 -0700)]
mwifiex: correct bss_mode check while appending vht operation IE

priv->bss_mode uses NL80211_IFTYPE_* definitions.
HostCmd_BSS_MODE_IBSS is used in ad-hoc start/join command between
driver and firmware.

Coincidentally both HostCmd_BSS_MODE_IBSS and NL80211_IFTYPE_STATION
are defined as 2. That explains why nobody complained.

Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agomwifiex: use PCI_DMA_FROMDEVICE for RX queue de-init
Avinash Patil [Sat, 20 Apr 2013 00:44:42 +0000 (17:44 -0700)]
mwifiex: use PCI_DMA_FROMDEVICE for RX queue de-init

There is a typo in mwifiex_cleanup_rxq_ring() which uses
PCI_DMA_TODEVICE while unmapping PCI memory.
We should actually use PCI_DMA_FROMDEVICE.

Signed-off-by: Avinash Patil <patila@marvell.com>
Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agomwifiex: configure p2p interface during initialization
Bing Zhao [Sat, 20 Apr 2013 00:44:41 +0000 (17:44 -0700)]
mwifiex: configure p2p interface during initialization

Send P2P_MODE_CFG cmd to firmware when p2p interface is created.
Without proper p2p configuration firmware may behave incorrectly
while handling commands sent through this interface.

Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: Stone Piao <piaoyun@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agomwifiex: Start P2P devices in P2P mode
Paul Stewart [Fri, 19 Apr 2013 15:37:46 +0000 (08:37 -0700)]
mwifiex: Start P2P devices in P2P mode

p2p devices should identify themselves as such to userspace at
startup, so the connection manager can decide which interface
to start wpa_supplicant instances on.

Signed-off-by: Paul Stewart <pstew@chromium.org>
Reviewed-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agort2x00: Use more current logging styles, shrink object size
Joe Perches [Fri, 19 Apr 2013 15:33:40 +0000 (08:33 -0700)]
rt2x00: Use more current logging styles, shrink object size

Reduce object space ~2% using more current logging styles.

Neaten and simplify logging macros.
Use wiphy_<level> where appropriate.
Coalesce formats.

Convert ERROR/WARNING/INFO macros to rt2x00_<level>
Convert EEPROM to rt2x00_eeprom_dbg
Convert PROBE_ERROR to rt2x00_probe_err
Convert DEBUG to rt2x00_dbg
Convert EEPROM to rt2x00_eeprom_dbg

$ size drivers/net/wireless/rt2x00/built-in.o*
   text    data     bss     dec     hex filename
 245639   71696   69584  386919   5e767 drivers/net/wireless/rt2x00/built-in.o.new
 240609   70096   68944  379649   5cb01 drivers/net/wireless/rt2x00/built-in.o.new.nodyndbg
 240609   70096   68944  379649   5cb01 drivers/net/wireless/rt2x00/built-in.o.new.no_rt2x00_debug
 249198   70096   70352  389646   5f20e drivers/net/wireless/rt2x00/built-in.o.old
 249198   70096   70352  389646   5f20e drivers/net/wireless/rt2x00/built-in.o.old.nodyndbg
 244222   70096   69712  384030   5dc1e drivers/net/wireless/rt2x00/built-in.o.old.no_rt2x00_debug

Signed-off-by: Joe Perches <joe@perches.com>
Acked-by: Gertjan van Wingerde <gwingerde@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agort2x00: rt2800lib: rename rt2800_init_bbb_early to rt2800_init_bbp_early
Gabor Juhos [Fri, 19 Apr 2013 08:13:52 +0000 (10:13 +0200)]
rt2x00: rt2800lib: rename rt2800_init_bbb_early to rt2800_init_bbp_early

The function is used for BBP register initialization,
fix the typo in the function name to reflect that.

The patch contains no functional changes.

Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
Acked-by: Gertjan van Wingerde <gwingerde@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agobrcmfmac: fix potential NULL pointer dereference in brcmf_fws_flow_control_check()
Wei Yongjun [Fri, 19 Apr 2013 02:14:31 +0000 (10:14 +0800)]
brcmfmac: fix potential NULL pointer dereference in brcmf_fws_flow_control_check()

The dereference to 'ifp' in debug code should be moved below the NULL test.

Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
Acked-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agowil6210: more Rx descriptor accessor functions
Vladimir Kondratiev [Thu, 18 Apr 2013 11:33:53 +0000 (14:33 +0300)]
wil6210: more Rx descriptor accessor functions

Helpers to fetch various fields from the Rx descriptor

Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agowil6210: Use cached copy of Tx descriptor
Vladimir Kondratiev [Thu, 18 Apr 2013 11:33:52 +0000 (14:33 +0300)]
wil6210: Use cached copy of Tx descriptor

Original Tx descriptor stored is in non-cached area for DMA;
copy it to the cached memory to speed-up access

Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agowil6210: Tx init optimization
Vladimir Kondratiev [Thu, 18 Apr 2013 11:33:51 +0000 (14:33 +0300)]
wil6210: Tx init optimization

vring size is known from the beginning, fill it immediately
in the struct initializer
This is minor optimization that reduces code size.

Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agowil6210: Use cached copy of Rx descriptor
Vladimir Kondratiev [Thu, 18 Apr 2013 11:33:50 +0000 (14:33 +0300)]
wil6210: Use cached copy of Rx descriptor

Rx descriptors stored in non-cacheable memory area for DMA.
Non-cacheable memory causes long access time from CPU.

Copy rx descriptor to the skb->cb, and use this copy.
It provides faster memory access, and will be usefull to keep
Rx information for later processing (BACK reorder)

Signed-off-by: Vladimir Kondratiev <qca_vkondrat@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agobrcmfmac: stop dequeue upon sk_buff commit failure
Arend van Spriel [Wed, 17 Apr 2013 19:25:58 +0000 (21:25 +0200)]
brcmfmac: stop dequeue upon sk_buff commit failure

In the dequeue worker the function brcmf_commit_skb() is called.
However, instead of increment the credit count upon success it
should break the for loop upon failure. Otherwise, it will result
in an endless loop.

Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agobrcmfmac: change return type for brcmf_rollback_toq() to void
Arend van Spriel [Wed, 17 Apr 2013 19:25:57 +0000 (21:25 +0200)]
brcmfmac: change return type for brcmf_rollback_toq() to void

The function brcmf_rollback_toq() is already called in error path
and its result should not override the initial error value. As the
function releases the sk_buff there is no need to return anything
so change return type to void.

Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agobrcmfmac: finalize transmit upon any rollback failure
Arend van Spriel [Wed, 17 Apr 2013 19:25:56 +0000 (21:25 +0200)]
brcmfmac: finalize transmit upon any rollback failure

All rollback failures should result in freeing of the sk_buff
by calling brcmf_txfinalize().

Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agobrcmfmac: use lock in brcmf_fws_del_interface()
Arend van Spriel [Wed, 17 Apr 2013 19:25:55 +0000 (21:25 +0200)]
brcmfmac: use lock in brcmf_fws_del_interface()

When deleting an interface in firmware-signalling module it will
clear any destination descriptors. To avoid concurrency issues it
should take the lock using brcmf_fws_lock().

Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agobrcmfmac: schedule dequeue upon firmware-signal reception
Arend van Spriel [Wed, 17 Apr 2013 19:25:54 +0000 (21:25 +0200)]
brcmfmac: schedule dequeue upon firmware-signal reception

Several firmware signals should be considered as opportunity to
send packets to the firmware. This patch adds conditional scheduling
of the dequeue worker thread while handling those signals.

Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agobrcmfmac: destination mac closed when interface is closed
Arend van Spriel [Wed, 17 Apr 2013 19:25:53 +0000 (21:25 +0200)]
brcmfmac: destination mac closed when interface is closed

Firmware signals a destination is closed as well as an interface. A
destination is associated with an interface. When an interface is
closed consequently the destination should be considered closed as
well.

Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agobrcmutil: simplify brcmu_pkt_free_skb()
Arend van Spriel [Wed, 17 Apr 2013 19:25:52 +0000 (21:25 +0200)]
brcmutil: simplify brcmu_pkt_free_skb()

The function brcmu_pkt_free_skb() use skb->destructor to decide
how the sk_buff should be freed. However, when running AP mode
with iptables configured this results in a kernel warning.

Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Reviewed-by: Piotr Haber <phaber@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agobrcmfmac: remove error message upon allocation failure
Arend van Spriel [Wed, 17 Apr 2013 19:25:51 +0000 (21:25 +0200)]
brcmfmac: remove error message upon allocation failure

In function brcmf_add_if() an error message is printed
upon alloc_netdev() failure. The allocation failure itself
spews enough info in the log so remove the error message.

Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Reviewed-by: Piotr Haber <phaber@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agobrcmfmac: check memory allocation in brcmf_add_if()
Arend van Spriel [Wed, 17 Apr 2013 19:25:50 +0000 (21:25 +0200)]
brcmfmac: check memory allocation in brcmf_add_if()

For P2P_DEVICE interface the struct brcmf_if instance is
allocated using kzalloc() which can fail. Add pointer
check and return -ENOMEM if it failed. Fixes the following
smatch error:

"drivers/net/wireless/brcm80211/brcmfmac/dhd_linux.c:770
brcmf_add_if()
  error: potential null dereference 'ifp'. (kzalloc returns null)"

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Reviewed-by: Piotr Haber <phaber@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agobrcmfmac: reinitialize dequeue mask per node
Arend van Spriel [Wed, 17 Apr 2013 19:25:49 +0000 (21:25 +0200)]
brcmfmac: reinitialize dequeue mask per node

The mask was only initialized for the first node, but it should be
done for each node that is handled in the loop.

Reviewed-by: Hante Meuleman <meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agort2800: nulify all last words of TXWI
Stanislaw Gruszka [Wed, 17 Apr 2013 12:30:48 +0000 (14:30 +0200)]
rt2800: nulify all last words of TXWI

Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agort2x00: provide separate information about TXWI & RXWI sizes
Stanislaw Gruszka [Wed, 17 Apr 2013 12:30:47 +0000 (14:30 +0200)]
rt2x00: provide separate information about TXWI & RXWI sizes

On new 2800 hardware sizes of TXWI & RXIW can be different than TXD
& RXD sizes, so we need to difference between them. Let's define
winfo_size as size of in buffer descriptor (TXWI & RXWI), and desc_size
of as size of additional descriptor - in separate DMA coherent buffer
for PCI hardware (TXD & RXD) and yet another in buffer descriptor for
USB hardware (TXINFO & RXINFO).

Change is rt2x00 wild, but should affect only 2800 driver.

Patch also fix beaconing for 5592usb AP mode.

Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
Acked-by: Gertjan van Wingerde <gwingerde@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agort2800: cleanup rt2800_init_rfcsr
Stanislaw Gruszka [Wed, 17 Apr 2013 12:08:20 +0000 (14:08 +0200)]
rt2800: cleanup rt2800_init_rfcsr

This procedure is simple switch now and return no error any longer.

Acked-by: Gertjan van Wingerde <gwingerde@gmail.com>
Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agort2800: add rt2800_normal_mode_setup_3xxx subroutine
Stanislaw Gruszka [Wed, 17 Apr 2013 12:08:19 +0000 (14:08 +0200)]
rt2800: add rt2800_normal_mode_setup_3xxx subroutine

Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
Acked-by: Gertjan van Wingerde <gwingerde@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agort2800: add rt2800_led_open_drain_enable subroutine
Stanislaw Gruszka [Wed, 17 Apr 2013 12:08:18 +0000 (14:08 +0200)]
rt2800: add rt2800_led_open_drain_enable subroutine

Acked-by: Gertjan van Wingerde <gwingerde@gmail.com>
Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agort2800: move RF_R27 setup to individual rfcsr init subroutines
Stanislaw Gruszka [Wed, 17 Apr 2013 12:08:17 +0000 (14:08 +0200)]
rt2800: move RF_R27 setup to individual rfcsr init subroutines

Acked-by: Gertjan van Wingerde <gwingerde@gmail.com>
Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agort2800: add rt2800_rx_filter_calibration procedure
Stanislaw Gruszka [Wed, 17 Apr 2013 12:08:16 +0000 (14:08 +0200)]
rt2800: add rt2800_rx_filter_calibration procedure

Add procedure for both bands filter calibration and use it on individual
chipset init rfcsr subroutines.

Remove "Set back to initial state" code for 3290 since vendor driver
DPO_RT3290_LinuxSTA_V2600_20120508 does not include it.

Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
Acked-by: Gertjan van Wingerde <gwingerde@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agort2800: move RFCSR6_R2 & LDO_CFG0 setup to 3572 specific rfcsr init
Stanislaw Gruszka [Wed, 17 Apr 2013 12:08:15 +0000 (14:08 +0200)]
rt2800: move RFCSR6_R2 & LDO_CFG0 setup to 3572 specific rfcsr init

Acked-by: Gertjan van Wingerde <gwingerde@gmail.com>
Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agort2800: move GPIO_SWITCH setup to 3390 specific rfcsr init
Stanislaw Gruszka [Wed, 17 Apr 2013 12:08:14 +0000 (14:08 +0200)]
rt2800: move GPIO_SWITCH setup to 3390 specific rfcsr init

Acked-by: Gertjan van Wingerde <gwingerde@gmail.com>
Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agort2800: move 30xx common rf init code
Stanislaw Gruszka [Wed, 17 Apr 2013 12:08:13 +0000 (14:08 +0200)]
rt2800: move 30xx common rf init code

Acked-by: Gertjan van Wingerde <gwingerde@gmail.com>
Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agort2800: move RFCSR29_RSSI_GAIN to 3290 specific rfcsr init
Stanislaw Gruszka [Wed, 17 Apr 2013 12:08:12 +0000 (14:08 +0200)]
rt2800: move RFCSR29_RSSI_GAIN to 3290 specific rfcsr init

Acked-by: Gertjan van Wingerde <gwingerde@gmail.com>
Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agort2800: move rf init calibration code
Stanislaw Gruszka [Wed, 17 Apr 2013 12:08:11 +0000 (14:08 +0200)]
rt2800: move rf init calibration code

Add separate function for rf init calibration code and use it
on all init rf subroutines.

Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
Acked-by: Gertjan van Wingerde <gwingerde@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agort2800: merge 5xxx normal mode setup
Stanislaw Gruszka [Wed, 17 Apr 2013 12:08:10 +0000 (14:08 +0200)]
rt2800: merge 5xxx normal mode setup

Merge code which program the same registes at the end of rfcsr
initialization for 5592, 5392 and 5390 chips.

Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
Acked-by: Gertjan van Wingerde <gwingerde@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agoath9k: always set common->macaddr to the MAC adress of a virtual interface
Felix Fietkau [Tue, 16 Apr 2013 10:51:57 +0000 (12:51 +0200)]
ath9k: always set common->macaddr to the MAC adress of a virtual interface

In some cases it can be useful to change the MAC address of a virtual
interface to something that's completely different from the EEPROM
stored MAC address. In this case it is a bad idea to use the EEPROM MAC
address for calculating the BSSID mask, as that would make it too wide.

In one case a few devices have been observed to send ACKs for many
packets on the channel not directed at them, which results in a neat
Denial of Service attack on the channel.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agoath: update hardware mac address with bssid mask
Felix Fietkau [Tue, 16 Apr 2013 10:51:56 +0000 (12:51 +0200)]
ath: update hardware mac address with bssid mask

Preparation for updating common->macaddr along with virtual interface
MAC address changes.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agoath9k: use GFP_ATOMIC under spinlock
Dan Carpenter [Tue, 16 Apr 2013 07:51:28 +0000 (10:51 +0300)]
ath9k: use GFP_ATOMIC under spinlock

This is called with spinlocks held so we have to use GFP_ATOMIC.  It's
the sc_pcu_lock in ath9k_stop() that's the issue.  The call tree looks
like this:

ath9k_stop()
ath_prepare_reset()
ath_stoprecv()
ath_flushrecv()
ath_rx_tasklet()
ath9k_dfs_process_phyerr()
pd->add_pulse() => dpd_add_pulse()
channel_detector_get()
channel_detector_create()
pri_detector_init()

channel_detector_create() uses GFP_ATOMIC as well.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Tested-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
Acked-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agoath9k: change DFS logging to use ath_dbg()
Zefir Kurtisi [Mon, 15 Apr 2013 09:29:06 +0000 (11:29 +0200)]
ath9k: change DFS logging to use ath_dbg()

The DFS pattern detector was initially planned to reside on
a higher layer and used generic pr_*() logging functions.

Being part of ath9k, use ath_dbg() instead and make DFS log
ouput selectable via ATH_DBG_DFS (0x20000) at runtime.

This patch does not contain functional modifications.

Signed-off-by: Zefir Kurtisi <zefir.kurtisi@neratec.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agort2x00: Fix transmit power troubles on some Ralink RT30xx cards
Alex A. Mihaylov [Mon, 15 Apr 2013 03:29:35 +0000 (07:29 +0400)]
rt2x00: Fix transmit power troubles on some Ralink RT30xx cards

Some cards on Ralink RT30xx chipset not have correctly TX_MIXER_GAIN
value in them EEPROM/EFUSE. In this case, we must use default value,
but always used EEPROM/EFUSE value. As result we have tranmitt power
range from -10dBm to +6dBm instead 0dBm to +16dBm.

Correctly value in EEPROM/EFUSE is one or more for RT3070 and two or
more for other RT30xx chips.

Tested on Canyon CNP-WF518N1 usb Wi-Fi dongle and Jorjin WN8020 usb
embedded Wi-Fi module.

Signed-off-by: Alex A. Mihaylov <minimumlaw@rambler.ru>
Cc: stable@vger.kernel.org
Acked-by: Gertjan van Wingerde <gwingerde@gmail.com>
Acked-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agomwl8k: remove nonstandard rate 72 Mbps
Jonas Gorski [Sun, 14 Apr 2013 12:11:58 +0000 (14:11 +0200)]
mwl8k: remove nonstandard rate 72 Mbps

This rate causes an overflow in the extended rates IE's data rate field,
with the overflowing bit setting the Basic Rate Set membership. This
results in a bogus 8 Mpbs basic rate, making clients checking them refuse
association.

Since the rate is likely unused anyway (HT will yield better rates between
supporting chips), we can just remove it.

This fixes association from wpa_supplicant and Android 4.x and newer.

Signed-off-by: Jonas Gorski <jogo@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agoMerge branch 'for-john' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac802...
John W. Linville [Mon, 22 Apr 2013 18:58:14 +0000 (14:58 -0400)]
Merge branch 'for-john' of git://git./linux/kernel/git/jberg/mac80211-next

11 years agoMerge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetoot...
John W. Linville [Mon, 22 Apr 2013 18:56:41 +0000 (14:56 -0400)]
Merge branch 'for-upstream' of git://git./linux/kernel/git/bluetooth/bluetooth-next

11 years agoMerge tag 'nfc-next-3.10-2' of git://git.kernel.org/pub/scm/linux/kernel/git/sameo...
John W. Linville [Mon, 22 Apr 2013 18:54:31 +0000 (14:54 -0400)]
Merge tag 'nfc-next-3.10-2' of git://git./linux/kernel/git/sameo/nfc-next

Samuel Ortiz <sameo@linux.intel.com> says:

"This is the 2nd NFC pull request for 3.10.

With this one we have:

- A major pn533 update. The pn533 framing support has been changed in order to
  easily support all pn533 derivatives. For example we now support the ACR122
  USB dongle.

- An NFC MEI physical layer code factorization through the mei_phy NFC API.
  Both the microread and the pn544 drivers now use it.

- LLCP aggregation support. This allows NFC p2p devices to send aggregated
  frames containing all sort of LLCP frames except SYMM and aggregation
  frames.

- More LLCP socket options for getting the remote device link parameters.

- Fixes for the LLCP socket option code added with the first pull request for
  3.10.

- Some support for LLCP corner cases like 0 length SDUs and general DISC
  (tagged with a 0,0 dsap ssap couple) handling.

- RFKILL support for NFC."

Signed-off-by: John W. Linville <linville@tuxdriver.com>
11 years agomac80211_hwsim: handle IEEE80211_HW_SUPPORTS_RC_TABLE
Karl Beldan [Fri, 19 Apr 2013 12:44:52 +0000 (14:44 +0200)]
mac80211_hwsim: handle IEEE80211_HW_SUPPORTS_RC_TABLE

Signed-off-by: Karl Beldan <karl.beldan@rivierawaves.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agomac80211/minstrel: use the new rate control API
Felix Fietkau [Mon, 22 Apr 2013 14:14:43 +0000 (16:14 +0200)]
mac80211/minstrel: use the new rate control API

Pass the rate selection table to mac80211 from minstrel_update_stats.
Only rates for sample attempts are set in info->control.rates, with deferred
sampling, only the second slot gets changed.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agomac80211/minstrel_ht: use the new rate control API
Felix Fietkau [Mon, 22 Apr 2013 14:14:42 +0000 (16:14 +0200)]
mac80211/minstrel_ht: use the new rate control API

Pass the rate selection table to mac80211 from minstrel_ht_update_stats.
Only rates for sample attempts are set in info->control.rates.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agomac80211: improve the rate control API
Felix Fietkau [Mon, 22 Apr 2013 14:14:41 +0000 (16:14 +0200)]
mac80211: improve the rate control API

Allow rate control modules to pass a rate selection table to mac80211
and the driver. This allows drivers to fetch the most recent rate
selection from the sta pointer for already buffered frames. This allows
rate control to respond faster to sudden link changes and it is also a
step towards adding minstrel_ht support to drivers like iwlwifi.

When a driver sets IEEE80211_HW_SUPPORTS_RC_TABLE, mac80211 will not
fill info->control.rates with rates from the rate table (to preserve
explicit overrides by the rate control module). The driver then
explicitly calls ieee80211_get_tx_rates to merge overrides from
info->control.rates with defaults from the sta rate table.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agocfg80211: introduce critical protocol indication from user-space
Arend van Spriel [Thu, 18 Apr 2013 13:49:00 +0000 (15:49 +0200)]
cfg80211: introduce critical protocol indication from user-space

Some protocols need a more reliable connection to complete
successful in reasonable time. This patch adds a user-space
API to indicate the wireless driver that a critical protocol
is about to commence and when it is done, using nl80211 primitives
NL80211_CMD_CRIT_PROTOCOL_START and NL80211_CRIT_PROTOCOL_STOP.

There can be only on critical protocol session started per
registered cfg80211 device.

The driver can support this by implementing the cfg80211 callbacks
.crit_proto_start() and .crit_proto_stop(). Examples of protocols
that can benefit from this are DHCP, EAPOL, APIPA. Exactly how the
link can/should be made more reliable is up to the driver. Things
to consider are avoid scanning, no multi-channel operations, and
alter coexistence schemes.

Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
Reviewed-by: Franky (Zhenhui) Lin <frankyl@broadcom.com>
Signed-off-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agomac80211: minstrel_ht: initialize rates selection
Karl Beldan [Thu, 18 Apr 2013 12:26:21 +0000 (14:26 +0200)]
mac80211: minstrel_ht: initialize rates selection

Initialize {mp,mi}->{max_tp_rate,max_tp_rate2,max_prob_rate} in
minstrel_ht's rate_init and rate_update.

Signed-off-by: Karl Beldan <karl.beldan@rivierawaves.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agomac80211: minstrel_ht: pick only supported rates for sta and group max*rates
Karl Beldan [Thu, 18 Apr 2013 12:26:20 +0000 (14:26 +0200)]
mac80211: minstrel_ht: pick only supported rates for sta and group max*rates

minstrel_ht initializes max_tp_rate max_tp_rate2 and max_prob_rate to
zero both for minstrel_ht_sta and minstrel_mcs_group_data.
This is wrong since there is no guarantee that the 1st rate of any
group is supported.

Signed-off-by: Karl Beldan <karl.beldan@rivierawaves.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agorfkill: fix error return code in rfkill_gpio_probe()
Wei Yongjun [Thu, 18 Apr 2013 02:31:16 +0000 (10:31 +0800)]
rfkill: fix error return code in rfkill_gpio_probe()

Fix to return a negative error code from the error handling
case instead of 0, as returned elsewhere in this function.

Signed-off-by: Wei Yongjun <yongjun_wei@trendmicro.com.cn>
[fix some indentation on the way]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agomac80211: use synchronize_rcu() with rcu_barrier()
Bob Copeland [Thu, 18 Apr 2013 22:26:49 +0000 (18:26 -0400)]
mac80211: use synchronize_rcu() with rcu_barrier()

The RCU docs used to state that rcu_barrier() included a wait
for an RCU grace period; however the comments for rcu_barrier()
as of commit f0a0e6f... "rcu: Clarify memory-ordering properties
of grace-period primitives" contradict this.

So add back synchronize_{rcu,net}() to where they once were,
but keep the rcu_barrier()s for the call_rcu() callbacks.

Cc: stable <stable@vger.kernel.org>
Signed-off-by: Bob Copeland <bob@cozybit.com>
Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agomac80211: indicate admission control in TX queue parameters
Alexander Bondar [Sun, 7 Apr 2013 06:53:30 +0000 (09:53 +0300)]
mac80211: indicate admission control in TX queue parameters

Some driver implementations need to know whether mandatory
admission control is required by the AP for some ACs. Add
a parameter to the TX queue parameters indicating this.

As there's currently no support for admission control in
mac80211's AP implementation, it's only ever set for the
client implementation.

Signed-off-by: Alexander Bondar <alexander.bondar@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agocfg80211: invert P2P-Device vs. netdev check ordering
Johannes Berg [Fri, 19 Apr 2013 10:19:39 +0000 (12:19 +0200)]
cfg80211: invert P2P-Device vs. netdev check ordering

In cfg80211_can_use_iftype_chan(), check for P2P Device
first, and then for netdevs. This doesn't really change
anything but makes the code a bit easier to read since
it may not be obvious for everyone at first that a P2P
device has no netdev.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agocfg80211: fix P2P-Device stop locking
Johannes Berg [Fri, 19 Apr 2013 10:18:19 +0000 (12:18 +0200)]
cfg80211: fix P2P-Device stop locking

cfg80211_stop_p2p_device() requires the devlist_mtx to
be held, but nl80211_stop_p2p_device() doesn't acquire
it which is a locking error and causes a warning (when
lockdep is enabled). Fix this.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agoMerge remote-tracking branch 'wireless-next/master' into mac80211-next
Johannes Berg [Mon, 22 Apr 2013 13:31:43 +0000 (15:31 +0200)]
Merge remote-tracking branch 'wireless-next/master' into mac80211-next

11 years agonl80211: allow using wdev identifiers to get scan results
Johannes Berg [Thu, 18 Apr 2013 23:02:55 +0000 (01:02 +0200)]
nl80211: allow using wdev identifiers to get scan results

Most dump callbacks, including the scan results one, use
the netdev to identify what to do, which is incorrect for
the P2P_DEVICE support, it needs to be able to get the
scan result from the wdev. Change all dumps to unify the
code, but ones other than scan don't really support being
executed on a wdev that has no netdev.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agomac80211: fix P2P-Device management frame RX
Johannes Berg [Thu, 18 Apr 2013 21:42:19 +0000 (23:42 +0200)]
mac80211: fix P2P-Device management frame RX

There's an issue in receiving broadcast management frames
on P2P Device virtual interfaces, such frames have the RX
flag IEEE80211_RX_RA_MATCH cleared and are thus dropped
in ieee80211_rx_h_mgmt_check(). They should be let through
to make it to ieee80211_rx_h_userspace_mgmt() and then to
userspace.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agoBluetooth: Rename LE_SCANNING_* macros
Andre Guedes [Thu, 4 Apr 2013 23:21:02 +0000 (20:21 -0300)]
Bluetooth: Rename LE_SCANNING_* macros

This patch renames LE_SCANNING_ENABLED and LE_SCANNING_DISABLED
macros to LE_SCAN_ENABLE and LE_SCAN_DISABLE in order to keep
the same prefix others LE scan macros have.

It also fixes le_scan_enable_req function so it uses the LE_SCAN_
ENABLE macro instead of a magic number.

Signed-off-by: Andre Guedes <andre.guedes@openbossa.org>
Acked-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
11 years agoBluetooth: Add macros for filter duplicates values
Andre Guedes [Thu, 4 Apr 2013 23:21:01 +0000 (20:21 -0300)]
Bluetooth: Add macros for filter duplicates values

This patch adds macros for filter_duplicates parameter values from
HCI LE Set Scan Enable command. It also fixes le_scan_enable_req
function so it uses the LE_SCAN_FILTER_DUP_ENABLE macro instead of
a magic number.

The LE_SCAN_FILTER_DUP_DISABLE was also defined since it will be
required to properly support the GAP Observer Role.

Signed-off-by: Andre Guedes <andre.guedes@openbossa.org>
Acked-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
11 years agoBluetooth: Add LE scan type macros
Andre Guedes [Thu, 4 Apr 2013 23:21:00 +0000 (20:21 -0300)]
Bluetooth: Add LE scan type macros

This patch adds macros for active and passive LE scan type values.
The LE_SCAN_PASSIVE was also defined since it will be used in future
by LE connection routine and GAP Observer Role support.

Signed-off-by: Andre Guedes <andre.guedes@openbossa.org>
Acked-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
11 years agoBluetooth: Change LE scanning timeout macros
Andre Guedes [Thu, 4 Apr 2013 23:20:59 +0000 (20:20 -0300)]
Bluetooth: Change LE scanning timeout macros

Define LE scanning timeout macros in jiffies just like we do for
others timeout macros.

Signed-off-by: Andre Guedes <andre.guedes@openbossa.org>
Acked-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
11 years agoBluetooth: Add reading of all local feature pages
Johan Hedberg [Wed, 17 Apr 2013 12:00:52 +0000 (15:00 +0300)]
Bluetooth: Add reading of all local feature pages

With the introduction of CSA4 there is now also a features page number 2
available. This patch increments the maximum supported page number to 2
and adds code for reading all available pages (as long as we have
support for them - indicated by HCI_MAX_PAGES).

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
11 years agoBluetooth: Track feature pages in a single table
Johan Hedberg [Wed, 17 Apr 2013 12:00:51 +0000 (15:00 +0300)]
Bluetooth: Track feature pages in a single table

The local and remote features are organized by page number. Page 0
are the LMP features, page 1 the host features, and any pages beyond 1
features that future core specification versions may define. So far
we've only had the first two pages and two separate variables has been
convenient enough, however with the introduction of Core Specification
Addendum 4 there are features defined on page 2.

Instead of requiring the addition of a new variable each time a new page
number is defined, this patch refactors the code to use a single table
for the features. The patch needs to update both the hci_dev and
hci_conn structures since there are macros that depend on the features
being represented in the same way in both of them.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
11 years agoBluetooth: Move and rename hci_conn_accept
Frédéric Dalleau [Tue, 16 Apr 2013 15:28:58 +0000 (17:28 +0200)]
Bluetooth: Move and rename hci_conn_accept

Since this function is only used by sco, move it from hci_event.c to
sco.c and rename to sco_conn_defer_accept. Make it static.

Signed-off-by: Frédéric Dalleau <frederic.dalleau@linux.intel.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
11 years agoBluetooth: Fix incorrect SSP mode bit for non SSP devices
Jaganath Kanakkassery [Tue, 16 Apr 2013 14:46:30 +0000 (20:16 +0530)]
Bluetooth: Fix incorrect SSP mode bit for non SSP devices

Some faulty non SSP devices send extended inquiry response
during device discovery which is a violation of 2.1 specification.
So for these devices we set SSP bit during acl connection
initiation thinking that it is an SSP device. But for these
devices, in remote host features event SSP supported bit
will be off. But we are not clearing the SSP bit in that case
and eventually SSP bit in conn flag will be incorrectly set for
these devices.

The software which has caused this issue is MecApp
http://www.mecel.se/products/bluetooth/downloads/MecApp_download

This patch does a workaround by clearing the SSP bit if it is
not supported in remote host features event

hcidump log
----------

< HCI Command: Inquiry (0x01|0x0001) plen 5
    lap 0x9e8b33 len 4 num 0
> HCI Event: Command Status (0x0f) plen 4
    Inquiry (0x01|0x0001) status 0x00 ncmd 1
> HCI Event: Extended Inquiry Result (0x2f) plen 255
    bdaddr 00:1B:DC:05:B5:25 mode 1 clkoffset 0x3263 class 0x3c0000 rssi -77
    Unknown type 0x42 with 8 bytes data
    Unknown type 0x1e with 2 bytes data
> HCI Event: Inquiry Complete (0x01) plen 1
    status 0x00

< HCI Command: Create Connection (0x01|0x0005) plen 13
    bdaddr 00:1B:DC:05:B5:25 ptype 0xcc18 rswitch 0x01 clkoffset 0x0000
    Packet type: DM1 DM3 DM5 DH1 DH3 DH5
> HCI Event: Command Status (0x0f) plen 4
    Create Connection (0x01|0x0005) status 0x00 ncmd 1
> HCI Event: Connect Complete (0x03) plen 11
    status 0x00 handle 12 bdaddr 00:1B:DC:05:B5:25 type ACL encrypt 0x00
< HCI Command: Read Remote Supported Features (0x01|0x001b) plen 2
    handle 12
> HCI Event: Command Status (0x0f) plen 4
    Read Remote Supported Features (0x01|0x001b) status 0x00 ncmd 1
> HCI Event: Read Remote Supported Features (0x0b) plen 11
    status 0x00 handle 12
    Features: 0xff 0xff 0x8f 0x7e 0xd8 0x1f 0x5b 0x87
< HCI Command: Read Remote Extended Features (0x01|0x001c) plen 3
    handle 12 page 1
> HCI Event: Command Status (0x0f) plen 4
    Read Remote Extended Features (0x01|0x001c) status 0x00 ncmd 1
> HCI Event: Page Scan Repetition Mode Change (0x20) plen 7
    bdaddr 00:1B:DC:05:B5:25 mode 1
> HCI Event: Max Slots Change (0x1b) plen 3
    handle 12 slots 5
> HCI Event: Read Remote Extended Features (0x23) plen 13
    status 0x00 handle 12 page 1 max 0
    Features: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
< HCI Command: Remote Name Request (0x01|0x0019) plen 10
    bdaddr 00:1B:DC:05:B5:25 mode 2 clkoffset 0x0000
> HCI Event: Command Status (0x0f) plen 4
    Remote Name Request (0x01|0x0019) status 0x00 ncmd 1
> HCI Event: Remote Name Req Complete (0x07) plen 255
    status 0x00 bdaddr 00:1B:DC:05:B5:25 name 'Bluetooth PTS Radio v4'
< HCI Command: Authentication Requested (0x01|0x0011) plen 2
    handle 12
> HCI Event: Command Status (0x0f) plen 4
    Authentication Requested (0x01|0x0011) status 0x00 ncmd 1
> HCI Event: Link Key Request (0x17) plen 6
    bdaddr 00:1B:DC:05:B5:25
< HCI Command: Link Key Request Negative Reply (0x01|0x000c) plen 6
    bdaddr 00:1B:DC:05:B5:25
> HCI Event: Command Complete (0x0e) plen 10
    Link Key Request Negative Reply (0x01|0x000c) ncmd 1
    status 0x00 bdaddr 00:1B:DC:05:B5:25
> HCI Event: PIN Code Request (0x16) plen 6
    bdaddr 00:1B:DC:05:B5:25

Signed-off-by: Jaganath Kanakkassery <jaganath.k@samsung.com>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
11 years agomac80211: optimize minstrel_ewma
Karl Beldan [Wed, 17 Apr 2013 11:43:22 +0000 (13:43 +0200)]
mac80211: optimize minstrel_ewma

Use powers of two in ewma of minstrel.
This changes :
- EWMA_DIV   from 100 to 2^7
- EWMA_LEVEL from 75 (/EWMA_DIV=100) to 2^6 + 2^5 (/EWMA_DIV=128)

Note that this changes EWMA_DIV - EWMA_LEVEL from 25 to 2^5 and keeps
EWMA_LEVEL / EWMA_DIV == 0.75.

Signed-off-by: Karl Beldan <karl.beldan@rivierawaves.com>
Acked-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agomac80211: cosmetics for minstrel_debugfs
Karl Beldan [Wed, 17 Apr 2013 12:08:26 +0000 (14:08 +0200)]
mac80211: cosmetics for minstrel_debugfs

This changes the minstrel stats ouput from:

rate     throughput  ewma prob   this prob  this succ/attempt   success    attempts
 BCD   6         0.0        0.0        0.0          0(  0)          0           0

to:

rate      throughput  ewma prob  this prob  this succ/attempt   success    attempts
 BCD   6         0.0        0.0        0.0             0(  0)         0           0

Signed-off-by: Karl Beldan <karl.beldan@rivierawaves.com>
Acked-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agomac80211: fix station entry leak/warning while suspending
Johannes Berg [Wed, 17 Apr 2013 09:26:40 +0000 (11:26 +0200)]
mac80211: fix station entry leak/warning while suspending

Since Stanislaw's patches, when suspending while connected,
cfg80211 will disconnect. This causes the AP station to be
removed, which uses call_rcu() to clean up. Due to needing
process context, this queues a work struct on the mac80211
workqueue. This will warn and fail when already suspended,
which can happen if the rcu call doesn't happen quickly.

To fix this, replace the synchronize_net() which is really
just synchronize_rcu_expedited() with rcu_barrier(), which
unlike synchronize_rcu() waits until RCU callback have run
and thus avoids this issue.

In theory, this can even happen without Stanislaw's change
to disconnect on suspend since userspace might disconnect
just before suspending, though then it's unlikely that the
call_rcu() will be delayed long enough.

Cc: stable@vger.kernel.org [3.7+]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agoBluetooth: hidp: fix sending output reports on intr channel
David Herrmann [Sat, 6 Apr 2013 18:28:52 +0000 (20:28 +0200)]
Bluetooth: hidp: fix sending output reports on intr channel

According to the specifications, data output reports must be sent on the
interrupt channel. See also usbhid implementation.
Sending these reports on the control channel breaks newer Wii Remotes.

Note that this will make output reports asynchronous. However, that's how
hid_output_raw_report() is supposed to work with HID_OUTPUT_REPORT as
report type. There are no responses to output reports.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
11 years agoBluetooth: hidp: don't send boot-protocol messages as HID-reports
David Herrmann [Sat, 6 Apr 2013 18:28:51 +0000 (20:28 +0200)]
Bluetooth: hidp: don't send boot-protocol messages as HID-reports

If a device is registered as HID device, it is always in Report-Mode.
Therefore, we must not send Boot-Protocol messages on
hidinput_input_event() callbacks. This confuses devices and may cause
disconnects on protocol errors.

We disable the hidinput_input_event() callback for now. We can implement
it properly later, but lets first fix the current code by disabling it.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
11 years agoBluetooth: hidp: merge 'send' functions into hidp_send_message()
David Herrmann [Sat, 6 Apr 2013 18:28:50 +0000 (20:28 +0200)]
Bluetooth: hidp: merge 'send' functions into hidp_send_message()

We handle skb buffers all over the place, even though we have
hidp_send_*_message() helpers. This creates a more generic
hidp_send_message() helper and uses it instead of dealing with transmit
queues directly everywhere.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
11 years agoBluetooth: hidp: merge hidp_process_{ctrl,intr}_transmit()
David Herrmann [Sat, 6 Apr 2013 18:28:49 +0000 (20:28 +0200)]
Bluetooth: hidp: merge hidp_process_{ctrl,intr}_transmit()

Both hidp_process_ctrl_transmit() and hidp_process_intr_transmit() are
exactly the same apart from the transmit-queue and socket pointers.
Therefore, pass them as argument and merge both functions into one so we
avoid 25 lines of code-duplication.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
11 years agoBluetooth: hidp: handle kernel_sendmsg() errors correctly
David Herrmann [Sat, 6 Apr 2013 18:28:48 +0000 (20:28 +0200)]
Bluetooth: hidp: handle kernel_sendmsg() errors correctly

We shouldn't push back the skbs if kernel_sendmsg() fails. Instead, we
terminate the connection and drop the skb. Only on EAGAIN we push it back
and return.
l2cap doesn't return EAGAIN, yet, but this guarantees we're safe if it
will at some time in the future.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
11 years agoBluetooth: hidp: remove old session-management
David Herrmann [Sat, 6 Apr 2013 18:28:47 +0000 (20:28 +0200)]
Bluetooth: hidp: remove old session-management

We have the full new session-management now available so lets switch over
and remove all the old code. Few semantics changed, so we need to adjust
the sock.c callers a bit. But this mostly simplifies the logic.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
11 years agoBluetooth: hidp: add new session-management helpers
David Herrmann [Sat, 6 Apr 2013 18:28:46 +0000 (20:28 +0200)]
Bluetooth: hidp: add new session-management helpers

This is a rewrite of the HIDP session management. It implements HIDP as an
l2cap_user sub-module so we get proper notification when the underlying
connection goes away.

The helpers are not yet used but only added in this commit. The old
session management is still used and will be removed in a following patch.

The old session-management was flawed. Hotplugging is horribly broken and
we have no way of getting notified when the underlying connection goes
down. The whole idea of removing the HID/input sub-devices from within the
session itself is broken and suffers from major dead-locks. We never can
guarantee that the session can unregister itself as long as we use
synchronous shutdowns. This can only work with asynchronous shutdowns.
However, in this case we _must_ be able to unregister the session from the
outside as otherwise the l2cap_conn object might be unlinked before we
are.

The new session-management is based on l2cap_user. There is only one
way how to add a session and how to delete a session: "probe" and "remove"
callbacks from l2cap_user.
This guarantees that the session can be registered and unregistered at
_any_ time without any synchronous shutdown.
On the other hand, much work has been put into proper session-refcounting.
We can unregister/unlink the session only if we can guarantee that it will
stay alive. But for asynchronous shutdowns we never know when the last
user goes away so we must use proper ref-counting.

The old ->conn field has been renamed to ->hconn so we can reuse ->conn in
the new session management. No other existing HIDP code is modified.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
11 years agoBluetooth: l2cap: add l2cap_user sub-modules
David Herrmann [Sat, 6 Apr 2013 18:28:45 +0000 (20:28 +0200)]
Bluetooth: l2cap: add l2cap_user sub-modules

Several sub-modules like HIDP, rfcomm, ... need to track l2cap
connections. The l2cap_conn->hcon->dev object is used as parent for sysfs
devices so the sub-modules need to be notified when the hci_conn object is
removed from sysfs.

As submodules normally use the l2cap layer, the l2cap_user objects are
registered there instead of on the underlying hci_conn object. This avoids
any direct dependency on the HCI layer and lets the l2cap core handle any
specifics.

This patch introduces l2cap_user objects which contain a "probe" and
"remove" callback. You can register them on any l2cap_conn object and if
it is active, the "probe" callback will get called. Otherwise, an error is
returned.

The l2cap_conn object will call your "remove" callback directly before it
is removed from user-space. This allows you to remove your submodules
_before_ the parent l2cap_conn and hci_conn object is removed.

At any time you can asynchronously unregister your l2cap_user object if
your submodule vanishes before the l2cap_conn object does.

There is no way around l2cap_user. If we want wire-protocols in the
kernel, we always want the hci_conn object as parent in the sysfs tree. We
cannot use a channel here since we might need multiple channels for a
single protocol.
But the problem is, we _must_ get notified when an l2cap_conn object is
removed. We cannot use reference-counting for object-removal! This is not
how it works. If a hardware is removed, we should immediately remove the
object from sysfs. Any other behavior would be inconsistent with the rest
of the system. Also note that device_del() might sleep, but it doesn't
wait for user-space or block very long. It only _unlinks_ the object from
sysfs and the whole device-tree. Everything else is handled by ref-counts!
This is exactly what the other sub-modules must do: unlink their devices
when the "remove" l2cap_user callback is called. They should not do any
cleanup or synchronous shutdowns.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
11 years agoBluetooth: l2cap: introduce l2cap_conn ref-counting
David Herrmann [Sat, 6 Apr 2013 18:28:44 +0000 (20:28 +0200)]
Bluetooth: l2cap: introduce l2cap_conn ref-counting

If we want to use l2cap_conn outside of l2cap_core.c, we need refcounting
for these objects. Otherwise, we cannot synchronize l2cap locks with
outside locks and end up with deadlocks.

Hence, introduce ref-counting for l2cap_conn objects. This doesn't affect
l2cap internals at all, as they use a direct synchronization.
We also keep a reference to the parent hci_conn for locking purposes as
l2cap_conn depends on this. This doesn't affect the connection itself but
only the lifetime of the (dead) object.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
11 years agoBluetooth: hidp: move hidp_schedule() to core.c
David Herrmann [Sat, 6 Apr 2013 18:28:43 +0000 (20:28 +0200)]
Bluetooth: hidp: move hidp_schedule() to core.c

There is no reason to keep this helper in the header file. No other file
depends on it so move it into hidp/core.c where it belongs.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
11 years agoBluetooth: allow constant arguments for bacmp()/bacpy()
David Herrmann [Sat, 6 Apr 2013 18:28:42 +0000 (20:28 +0200)]
Bluetooth: allow constant arguments for bacmp()/bacpy()

There is no reason to require the source arguments to be writeable so fix
this to allow constant source addresses.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
11 years agoBluetooth: hidp: test "terminate" before sleeping
David Herrmann [Sat, 6 Apr 2013 18:28:41 +0000 (20:28 +0200)]
Bluetooth: hidp: test "terminate" before sleeping

The "terminate" flag is guaranteed to be set before the session terminates
and the handlers are woken up. Hence, we need to add it to the
sleep-condition.

Note that testing the flags is not enough as nothing prevents us from
setting the flags again after the session-handler terminated.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
11 years agoBluetooth: hidp: remove unused session->state field
David Herrmann [Sat, 6 Apr 2013 18:28:40 +0000 (20:28 +0200)]
Bluetooth: hidp: remove unused session->state field

This field is always BT_CONNECTED. Remove it and set it to BT_CONNECTED in
hidp_copy_session() unconditionally.

Also note that this field is totally bogus. Userspace can query an
hidp-session for its state. However, whenever user-space queries us, this
field should be BT_CONNECTED. If it wasn't BT_CONNECTED, then we would be
currently cleaning up the session and the session itself would exit in the
next few milliseconds. Hence, there is no reason to let user-space know
that the session will exit now if they cannot make _any_ use of that.

Thus, remove the field and let user-space think that a session is always
BT_CONNECTED as long as they can query it.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
11 years agoBluetooth: introduce hci_conn ref-counting
David Herrmann [Sat, 6 Apr 2013 18:28:39 +0000 (20:28 +0200)]
Bluetooth: introduce hci_conn ref-counting

We currently do not allow using hci_conn from outside of HCI-core.
However, several other users could make great use of it. This includes
HIDP, rfcomm and all other sub-protocols that rely on an active
connection.

Hence, we now introduce hci_conn ref-counting. We currently never call
get_device(). put_device() is exclusively used in hci_conn_del_sysfs().
Hence, we currently never have a greater device-refcnt than 1.
Therefore, it is safe to move the put_device() call from
hci_conn_del_sysfs() to hci_conn_del() (it's the only caller). In fact,
this even fixes a "use-after-free" bug as we access hci_conn after calling
hci_conn_del_sysfs() in hci_conn_del().

From now on we can add references to hci_conn objects in other layers
(like l2cap_sock, HIDP, rfcomm, ...) and grab a reference via
hci_conn_get(). This does _not_ guarantee, that the connection is still
alive. But, this isn't what we want. We can simply lock the hci_conn
device and use "device_is_registered(hci_conn->dev)" to test that.
However, this is hardly necessary as outside users should never rely on
the HCI connection to be alive, anyway. Instead, they should solely rely
on the device-object to be available.
But if sub-devices want the hci_conn object as sysfs parent, they need to
be notified when the connection drops. This will be introduced in later
patches with l2cap_users.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
11 years agoBluetooth: remove unneeded hci_conn_hold/put_device()
David Herrmann [Sat, 6 Apr 2013 18:28:38 +0000 (20:28 +0200)]
Bluetooth: remove unneeded hci_conn_hold/put_device()

hci_conn_hold/put_device() is used to control when hci_conn->dev is no
longer needed and can be deleted from the system. Lets first look how they
are currently used throughout the code (excluding HIDP!).

All code that uses hci_conn_hold_device() looks like this:
    ...
    hci_conn_hold_device();
    hci_conn_add_sysfs();
    ...
On the other side, hci_conn_put_device() is exclusively used in
hci_conn_del().

So, considering that hci_conn_del() must not be called twice (which would
fail horribly), we know that hci_conn_put_device() is only called _once_
(which is in hci_conn_del()).
On the other hand, hci_conn_add_sysfs() must not be called twice, either
(it would call device_add twice, which breaks the device, see
drivers/base/core.c). So we know that hci_conn_hold_device() is also
called only once (it's only called directly before hci_conn_add_sysfs()).

So hold and put are known to be called only once. That means we can safely
remove them and directly call hci_conn_del_sysfs() in hci_conn_del().

But there is one issue left: HIDP also uses hci_conn_hold/put_device().
However, this case can be ignored and simply removed as it is totally
broken. The issue is, the only thing HIDP delays with
hci_conn_hold_device() is the removal of the hci_conn->dev from sysfs.
But, the hci_conn device has no mechanism to get notified when its own
parent (hci_dev) gets removed from sysfs. hci_dev_hold/put() does _not_
control when it is removed but only when the device object is created
and destroyed.
And hci_dev calls hci_conn_flush_*() when it removes itself from sysfs,
which itself causes hci_conn_del() to be called, but it does _not_ cause
hci_conn_del_sysfs() to be called, which is wrong.

Hence, we fix it to call hci_conn_del_sysfs() in hci_conn_del(). This
guarantees that a hci_conn object is removed from sysfs _before_ its
parent hci_dev is removed.

The changes to HIDP look scary, wrong and broken. However, if you look at
the HIDP session management, you will notice they're already broken in the
exact _same_ way (ever tried "unplugging" HIDP devices? Breaks _all_ the
time).
So this patch only makes HIDP look _scary_ and _obviously broken_. It does
not break HIDP itself, it already is!

See later patches in this series which fix HIDP to use proper
session-management.

Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
11 years agomac80211: fix CTS protection handling
Felix Fietkau [Tue, 16 Apr 2013 11:38:43 +0000 (13:38 +0200)]
mac80211: fix CTS protection handling

The rates[0] CTS and RTS flags are only set after rate control has been
called, so minstrel cannot use them to for setting the number of
retries. This patch adds two new flags to explicitly indicate RTS/CTS use.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agomac80211: fix and optimize MCS mask handling
Felix Fietkau [Tue, 16 Apr 2013 11:38:42 +0000 (13:38 +0200)]
mac80211: fix and optimize MCS mask handling

Currently the code always copies the configured MCS mask (even if it is
set to default), but only uses it if legacy rates were also masked out.
Fix this by adding a flag that tracks whether the configured MCS mask is
set to default or not.
Optimize the code further by storing a pointer to the configured rate
mask in txrc instead of using memcpy.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agomac80211_hwsim: handle VHT rates in rx_status
Karl Beldan [Mon, 15 Apr 2013 15:09:30 +0000 (17:09 +0200)]
mac80211_hwsim: handle VHT rates in rx_status

Signed-off-by: Karl Beldan <karl.beldan@rivierawaves.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agomac80211: VHT off-by-one NSS
Karl Beldan [Mon, 15 Apr 2013 15:09:29 +0000 (17:09 +0200)]
mac80211: VHT off-by-one NSS

The number of VHT spatial streams (NSS) is found in:
- s8 ieee80211_tx_rate.rate.idx[6:4] (tx - filled by rate control)
- u8 ieee80211_rx_status.vht_nss     (rx - filled by driver)
Tx discriminates valid rates indexes with the sign bit and encodes NSS
starting from 0 to 7 (note this matches some hw encodings e.g IWLMVM).
Rx does not have the same constraints, and encodes NSS starting from 1
to 8 (note this matches what wireshark expects in the radiotap header).

To handle ieee80211_tx_rate.rate.idx[6:4] ieee80211_rate_set_vht() and
ieee80211_rate_get_vht_nss() assume their nss parameter and return value
respectively runs from 0 to 7.
ATM, there are only 2 users of these: cfg.c:sta_set_rate_info_t() and
iwlwifi/mvm/tx.c:iwl_mvm_hwrate_to_tx_control(), but both assume nss
runs from 1 to 8.
This patch fixes this inconsistency by making ieee80211_rate_set_vht()
and ieee80211_rate_get_vht_nss() handle an nss running from 1 to 8.

Signed-off-by: Karl Beldan <karl.beldan@rivierawaves.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agomac80211: adjust initial chandefs assignments in ieee80211_register_hw
Karl Beldan [Mon, 15 Apr 2013 17:04:06 +0000 (19:04 +0200)]
mac80211: adjust initial chandefs assignments in ieee80211_register_hw

I noticed that monitor interfaces by default would start on 5GHz
while STA/AP ones would start 2GHZ - It stems from the fact that
ieee80211_register_hw unnecessarily adjusts the local->monitor_chandef
for each band.

This avoids this and while at it uses a single dflt_chandef to initialize
in one go local->{hw.conf.chandef,_oper_chandef,monitor_chandef}

Signed-off-by: Karl Beldan <karl.beldan@rivierawaves.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agomac80211: fix rate control tx handler for VHT rates
Karl Beldan [Mon, 15 Apr 2013 16:28:21 +0000 (18:28 +0200)]
mac80211: fix rate control tx handler for VHT rates

Handle VHT rates like HT ones, otherwise we easily trigger the pre-HT
rates WARN_ON(rc_rate->idx >= sband->n_bitrates) which will set
rc_rate->idx to -1.

Signed-off-by: Karl Beldan <karl.beldan@rivierawaves.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agomac80211: remove warning from ieee80211_beacon_loss
Alexander Bondar [Tue, 9 Apr 2013 14:14:09 +0000 (17:14 +0300)]
mac80211: remove warning from ieee80211_beacon_loss

Currently, mac80211 assumes that connection monitor offload
for BSS station implies that the device:
- sends periodic keep alive packets to associated AP
- monitors missed beacons
- actively probes the AP in case of missed beacons

In case of poor connection conditions it expects the function
ieee80211_connection_loss() to be called by driver. However,
some devices implement connection monitor offload excluding
active AP probing.

To allow them to call ieee80211_beacon_loss() cleanly, remove
the warning there and thus allow them to use mac80211 for the
AP probing even if connection monitor offload is supported.

Signed-off-by: Alexander Bondar <alexander.bondar@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agomac80211: handle wide bandwidth channel switch
Johannes Berg [Thu, 28 Mar 2013 09:44:18 +0000 (10:44 +0100)]
mac80211: handle wide bandwidth channel switch

Parse and react to the wide bandwidth channel switch element
in beacons/action frames. Finding the element was done in a
previous patch (it has different positions in beacons/action
frames), now handle it. If there's something wrong with it
simply disconnect.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agomac80211: parse VHT channel switch IEs
Johannes Berg [Tue, 26 Mar 2013 13:54:16 +0000 (14:54 +0100)]
mac80211: parse VHT channel switch IEs

VHT introduces multiple IEs that need to be parsed for a
wide bandwidth channel switch. Two are (currently) needed
in mac80211:
 * wide bandwidth channel switch element
 * channel switch wrapper element

The former is contained in the latter for beacons and probe
responses, but not for the spectrum management action frames
so the IE parser needs a new argument to differentiate them.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agomac80211: handle extended channel switch announcement
Johannes Berg [Tue, 26 Mar 2013 14:17:18 +0000 (15:17 +0100)]
mac80211: handle extended channel switch announcement

Handle the (public) extended channel switch announcement
action frames. Parts of the data in these frames isn't
really in IEs, but put it into the elems struct anyway
to simplify the handling.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agomac80211: support secondary channel offset in CSA
Johannes Berg [Mon, 25 Mar 2013 17:29:27 +0000 (18:29 +0100)]
mac80211: support secondary channel offset in CSA

Add support for the secondary channel offset IE in channel
switch announcements. This is necessary for proper handling
of CSA on HT access points.

For this to work it is also necessary to convert everything
here to use chandef structs instead of just channels. The
driver updates aren't really correct though. In particular,
the TI wl18xx driver update can't possibly be right since
it just ignores the new channel width for lack of firmware
API.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agomac80211: support extended channel switch
Johannes Berg [Tue, 26 Mar 2013 13:13:58 +0000 (14:13 +0100)]
mac80211: support extended channel switch

Support extended channel switch when the operating
class is one of the global operating classes as
defined in Annex E of 802.11-2012. If it isn't,
disconnect from the AP instead.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
11 years agocfg80211: add ieee80211_operating_class_to_band
Johannes Berg [Wed, 1 Aug 2012 15:00:55 +0000 (17:00 +0200)]
cfg80211: add ieee80211_operating_class_to_band

This function converts a (global only!) operating
class to an internal band identifier. This will
be needed for extended channel switch support.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>