mac80211: call rate control only after init

mac80211: do not call rate control .tx_status before .rate_init
mwifiex: clear previous security setting during association
ath9k: stop on rates with idx -1 in ath9k rate control's .tx_status
ath9k_hw: prevent writes to const data on AR9160
rt2x00: fix a possible NULL pointer dereference
iwlwifi: fix key removal
mac80211: zero initialize count field in ieee80211_tx_rate
mac80211: Fix a warning on changing to monitor mode from STA
brcm80211: smac: fix endless retry of A-MPDU transmissions
brcm80211: smac: only print block-ack timeout message at trace level

ath9k-stop-on-rates-with-idx-1-in-ath9k-rate-control.patch

@@ -0,0 +1,39 @@
+From 2504a6423b9ab4c36df78227055995644de19edb Mon Sep 17 00:00:00 2001
+From: Pavel Roskin <proski@gnu.org>
+Date: Sat, 11 Feb 2012 10:01:53 -0500
+Subject: [PATCH] ath9k: stop on rates with idx -1 in ath9k rate control's
+ .tx_status
+
+Rate control algorithms are supposed to stop processing when they
+encounter a rate with the index -1.  Checking for rate->count not being
+zero is not enough.
+
+Allowing a rate with negative index leads to memory corruption in
+ath_debug_stat_rc().
+
+One consequence of the bug is discussed at
+https://bugzilla.redhat.com/show_bug.cgi?id=768639
+
+Signed-off-by: Pavel Roskin <proski@gnu.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+---
+ drivers/net/wireless/ath/ath9k/rc.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/rc.c b/drivers/net/wireless/ath/ath9k/rc.c
+index 635b592..a427a16 100644
+--- a/drivers/net/wireless/ath/ath9k/rc.c
++++ b/drivers/net/wireless/ath/ath9k/rc.c
+@@ -1346,7 +1346,7 @@ static void ath_tx_status(void *priv, struct ieee80211_supported_band *sband,
+ 	fc = hdr->frame_control;
+ 	for (i = 0; i < sc->hw->max_rates; i++) {
+ 		struct ieee80211_tx_rate *rate = &tx_info->status.rates[i];
+-		if (!rate->count)
++		if (rate->idx < 0 || !rate->count)
+ 			break;
+ 
+ 		final_ts_idx = i;
+-- 
+1.7.4.4
+

ath9k_hw-prevent-writes-to-const-data-on-AR9160.patch

@@ -0,0 +1,117 @@
+From 9bbb8168ed3d8b946f9c1901a63a675012de88f2 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@openwrt.org>
+Date: Wed, 15 Feb 2012 19:31:20 +0100
+Subject: [PATCH] ath9k_hw: prevent writes to const data on AR9160
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Duplicate the data for iniAddac early on, to avoid having to do redundant
+memcpy calls later. While we're at it, make AR5416 < v2.2 use the same
+codepath. Fixes a reported crash on x86.
+
+Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+Reported-by: Magnus Määttä <magnus.maatta@logica.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+---
+ drivers/net/wireless/ath/ath9k/ar5008_phy.c |   25 +------------------------
+ drivers/net/wireless/ath/ath9k/ar9002_hw.c  |   19 +++++++++++++++++++
+ drivers/net/wireless/ath/ath9k/hw.h         |    1 -
+ 3 files changed, 20 insertions(+), 25 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/ar5008_phy.c b/drivers/net/wireless/ath/ath9k/ar5008_phy.c
+index f901a17..86a891f 100644
+--- a/drivers/net/wireless/ath/ath9k/ar5008_phy.c
++++ b/drivers/net/wireless/ath/ath9k/ar5008_phy.c
+@@ -489,8 +489,6 @@ static int ar5008_hw_rf_alloc_ext_banks(struct ath_hw *ah)
+ 	ATH_ALLOC_BANK(ah->analogBank6Data, ah->iniBank6.ia_rows);
+ 	ATH_ALLOC_BANK(ah->analogBank6TPCData, ah->iniBank6TPC.ia_rows);
+ 	ATH_ALLOC_BANK(ah->analogBank7Data, ah->iniBank7.ia_rows);
+-	ATH_ALLOC_BANK(ah->addac5416_21,
+-		       ah->iniAddac.ia_rows * ah->iniAddac.ia_columns);
+ 	ATH_ALLOC_BANK(ah->bank6Temp, ah->iniBank6.ia_rows);
+ 
+ 	return 0;
+@@ -519,7 +517,6 @@ static void ar5008_hw_rf_free_ext_banks(struct ath_hw *ah)
+ 	ATH_FREE_BANK(ah->analogBank6Data);
+ 	ATH_FREE_BANK(ah->analogBank6TPCData);
+ 	ATH_FREE_BANK(ah->analogBank7Data);
+-	ATH_FREE_BANK(ah->addac5416_21);
+ 	ATH_FREE_BANK(ah->bank6Temp);
+ 
+ #undef ATH_FREE_BANK
+@@ -805,27 +802,7 @@ static int ar5008_hw_process_ini(struct ath_hw *ah,
+ 	if (ah->eep_ops->set_addac)
+ 		ah->eep_ops->set_addac(ah, chan);
+ 
+-	if (AR_SREV_5416_22_OR_LATER(ah)) {
+-		REG_WRITE_ARRAY(&ah->iniAddac, 1, regWrites);
+-	} else {
+-		struct ar5416IniArray temp;
+-		u32 addacSize =
+-			sizeof(u32) * ah->iniAddac.ia_rows *
+-			ah->iniAddac.ia_columns;
+-
+-		/* For AR5416 2.0/2.1 */
+-		memcpy(ah->addac5416_21,
+-		       ah->iniAddac.ia_array, addacSize);
+-
+-		/* override CLKDRV value at [row, column] = [31, 1] */
+-		(ah->addac5416_21)[31 * ah->iniAddac.ia_columns + 1] = 0;
+-
+-		temp.ia_array = ah->addac5416_21;
+-		temp.ia_columns = ah->iniAddac.ia_columns;
+-		temp.ia_rows = ah->iniAddac.ia_rows;
+-		REG_WRITE_ARRAY(&temp, 1, regWrites);
+-	}
+-
++	REG_WRITE_ARRAY(&ah->iniAddac, 1, regWrites);
+ 	REG_WRITE(ah, AR_PHY_ADC_SERIAL_CTL, AR_PHY_SEL_INTERNAL_ADDAC);
+ 
+ 	ENABLE_REGWRITE_BUFFER(ah);
+diff --git a/drivers/net/wireless/ath/ath9k/ar9002_hw.c b/drivers/net/wireless/ath/ath9k/ar9002_hw.c
+index 11f192a..d190411 100644
+--- a/drivers/net/wireless/ath/ath9k/ar9002_hw.c
++++ b/drivers/net/wireless/ath/ath9k/ar9002_hw.c
+@@ -180,6 +180,25 @@ static void ar9002_hw_init_mode_regs(struct ath_hw *ah)
+ 		INIT_INI_ARRAY(&ah->iniAddac, ar5416Addac,
+ 			       ARRAY_SIZE(ar5416Addac), 2);
+ 	}
++
++	/* iniAddac needs to be modified for these chips */
++	if (AR_SREV_9160(ah) || !AR_SREV_5416_22_OR_LATER(ah)) {
++		struct ar5416IniArray *addac = &ah->iniAddac;
++		u32 size = sizeof(u32) * addac->ia_rows * addac->ia_columns;
++		u32 *data;
++
++		data = kmalloc(size, GFP_KERNEL);
++		if (!data)
++			return;
++
++		memcpy(data, addac->ia_array, size);
++		addac->ia_array = data;
++
++		if (!AR_SREV_5416_22_OR_LATER(ah)) {
++			/* override CLKDRV value */
++			INI_RA(addac, 31,1) = 0;
++		}
++	}
+ }
+ 
+ /* Support for Japan ch.14 (2484) spread */
+diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h
+index 6a29004..c8261d4 100644
+--- a/drivers/net/wireless/ath/ath9k/hw.h
++++ b/drivers/net/wireless/ath/ath9k/hw.h
+@@ -940,7 +940,6 @@ struct ath_hw {
+ 	u32 *analogBank6Data;
+ 	u32 *analogBank6TPCData;
+ 	u32 *analogBank7Data;
+-	u32 *addac5416_21;
+ 	u32 *bank6Temp;
+ 
+ 	u8 txpower_limit;
+-- 
+1.7.4.4
+

brcm80211-smac-fix-endless-retry-of-A-MPDU-transmiss.patch

@@ -0,0 +1,56 @@
+From 85091fc0a75653e239dc8379658515e577544927 Mon Sep 17 00:00:00 2001
+From: Arend van Spriel <arend@broadcom.com>
+Date: Thu, 23 Feb 2012 18:38:22 +0100
+Subject: [PATCH] brcm80211: smac: fix endless retry of A-MPDU transmissions
+
+The A-MPDU code checked against a retry limit, but it was using
+the wrong variable to do so. This patch fixes this to assure
+proper retry mechanism.
+
+This problem had a side-effect causing the mac80211 flush callback
+to remain waiting forever as well. That side effect has been fixed
+by commit by Stanislaw Gruszka:
+
+commit f96b08a7e6f69c0f0a576554df3df5b1b519c479
+Date:   Tue Jan 17 12:38:50 2012 +0100
+
+    brcmsmac: fix tx queue flush infinite loop
+
+    Reference:
+    https://bugzilla.kernel.org/show_bug.cgi?id=42576
+
+Cc: Stanislaw Gruszka <sgruszka@redhat.com>
+Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
+Reviewed-by: Alwin Beukers <alwin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend@broadcom.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+---
+ drivers/net/wireless/brcm80211/brcmsmac/ampdu.c |    6 +-----
+ 1 files changed, 1 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c b/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c
+index 90911ee..9265226 100644
+--- a/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c
++++ b/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c
+@@ -1051,17 +1051,13 @@ brcms_c_ampdu_dotxstatus_complete(struct ampdu_info *ampdu, struct scb *scb,
+ 		}
+ 		/* either retransmit or send bar if ack not recd */
+ 		if (!ack_recd) {
+-			struct ieee80211_tx_rate *txrate =
+-			    tx_info->status.rates;
+-			if (retry && (txrate[0].count < (int)retry_limit)) {
++			if (retry && (ini->txretry[index] < (int)retry_limit)) {
+ 				ini->txretry[index]++;
+ 				ini->tx_in_transit--;
+ 				/*
+ 				 * Use high prededence for retransmit to
+ 				 * give some punch
+ 				 */
+-				/* brcms_c_txq_enq(wlc, scb, p,
+-				 * BRCMS_PRIO_TO_PREC(tid)); */
+ 				brcms_c_txq_enq(wlc, scb, p,
+ 						BRCMS_PRIO_TO_HI_PREC(tid));
+ 			} else {
+-- 
+1.7.4.4
+

brcm80211-smac-only-print-block-ack-timeout-message-.patch

@@ -0,0 +1,37 @@
+From 2b0a53d51b5f263bb581bbdb40ebb9f7e09609b1 Mon Sep 17 00:00:00 2001
+From: Arend van Spriel <arend@broadcom.com>
+Date: Thu, 23 Feb 2012 18:38:23 +0100
+Subject: [PATCH] brcm80211: smac: only print block-ack timeout message at
+ trace level
+
+In regular use block-ack timeouts can happen so it does not make
+sense to fill the log with these messages.
+
+Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
+Reviewed-by: Alwin Beukers <alwin@broadcom.com>
+Signed-off-by: Arend van Spriel <arend@broadcom.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+---
+ drivers/net/wireless/brcm80211/brcmsmac/ampdu.c |    6 +++---
+ 1 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c b/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c
+index 9265226..30b5887 100644
+--- a/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c
++++ b/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c
+@@ -1070,9 +1070,9 @@ brcms_c_ampdu_dotxstatus_complete(struct ampdu_info *ampdu, struct scb *scb,
+ 				    IEEE80211_TX_STAT_AMPDU_NO_BACK;
+ 				skb_pull(p, D11_PHY_HDR_LEN);
+ 				skb_pull(p, D11_TXH_LEN);
+-				wiphy_err(wiphy, "%s: BA Timeout, seq %d, in_"
+-					"transit %d\n", "AMPDU status", seq,
+-					ini->tx_in_transit);
++				BCMMSG(wiphy,
++				       "BA Timeout, seq %d, in_transit %d\n",
++				       seq, ini->tx_in_transit);
+ 				ieee80211_tx_status_irqsafe(wlc->pub->ieee_hw,
+ 							    p);
+ 			}
+-- 
+1.7.4.4
+

iwlwifi-fix-key-removal.patch

@@ -0,0 +1,56 @@
+From 5dcbf480473f6c3f06ad2426b7517038a2a18911 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 17 Feb 2012 09:47:14 -0800
+Subject: [PATCH] iwlwifi: fix key removal
+
+When trying to remove a key, we always send key
+flags just setting the key type, not including
+the multicast flag and the key ID. As a result,
+whenever any key was removed, the unicast key 0
+would be removed, causing a complete connection
+loss after the second rekey (the first doesn't
+cause a key removal). Fix the key removal code
+to include the key ID and multicast flag, thus
+removing the correct key.
+
+Cc: stable@vger.kernel.org
+Reported-by: Alexander Schnaidt <alex.schnaidt@googlemail.com>
+Tested-by: Alexander Schnaidt <alex.schnaidt@googlemail.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+---
+ drivers/net/wireless/iwlwifi/iwl-agn-sta.c |   10 +++++++++-
+ 1 files changed, 9 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/net/wireless/iwlwifi/iwl-agn-sta.c b/drivers/net/wireless/iwlwifi/iwl-agn-sta.c
+index 7353826..e483cfa 100644
+--- a/drivers/net/wireless/iwlwifi/iwl-agn-sta.c
++++ b/drivers/net/wireless/iwlwifi/iwl-agn-sta.c
+@@ -1187,6 +1187,7 @@ int iwl_remove_dynamic_key(struct iwl_priv *priv,
+ 	unsigned long flags;
+ 	struct iwl_addsta_cmd sta_cmd;
+ 	u8 sta_id = iwlagn_key_sta_id(priv, ctx->vif, sta);
++	__le16 key_flags;
+ 
+ 	/* if station isn't there, neither is the key */
+ 	if (sta_id == IWL_INVALID_STATION)
+@@ -1212,7 +1213,14 @@ int iwl_remove_dynamic_key(struct iwl_priv *priv,
+ 		IWL_ERR(priv, "offset %d not used in uCode key table.\n",
+ 			keyconf->hw_key_idx);
+ 
+-	sta_cmd.key.key_flags = STA_KEY_FLG_NO_ENC | STA_KEY_FLG_INVALID;
++	key_flags = cpu_to_le16(keyconf->keyidx << STA_KEY_FLG_KEYID_POS);
++	key_flags |= STA_KEY_FLG_MAP_KEY_MSK | STA_KEY_FLG_NO_ENC |
++		     STA_KEY_FLG_INVALID;
++
++	if (!(keyconf->flags & IEEE80211_KEY_FLAG_PAIRWISE))
++		key_flags |= STA_KEY_MULTICAST_MSK;
++
++	sta_cmd.key.key_flags = key_flags;
+ 	sta_cmd.key.key_offset = WEP_INVALID_OFFSET;
+ 	sta_cmd.sta.modify_mask = STA_MODIFY_KEY_MASK;
+ 	sta_cmd.mode = STA_CONTROL_MODIFY_MSK;
+-- 
+1.7.4.4
+

kernel.spec

@@ -845,6 +845,17 @@ Patch50121: bcma-don-t-fail-for-bad-SPROM-CRC.patch
 Patch50122: zd1211rw-firmware-needs-duration_id-set-to-zero-for-.patch
 Patch50123: mac80211-Fix-a-rwlock-bad-magic-bug.patch
 Patch50124: rtlwifi-Modify-rtl_pci_init-to-return-0-on-success.patch
+Patch50125: mac80211-call-rate-control-only-after-init.patch
+Patch50126: mac80211-do-not-call-rate-control-.tx_status-before-.patch
+Patch50127: mwifiex-clear-previous-security-setting-during-assoc.patch
+Patch50128: ath9k-stop-on-rates-with-idx-1-in-ath9k-rate-control.patch
+Patch50129: ath9k_hw-prevent-writes-to-const-data-on-AR9160.patch
+Patch50130: rt2x00-fix-a-possible-NULL-pointer-dereference.patch
+Patch50131: iwlwifi-fix-key-removal.patch
+Patch50132: mac80211-zero-initialize-count-field-in-ieee80211_tx.patch
+Patch50133: mac80211-Fix-a-warning-on-changing-to-monitor-mode-f.patch
+Patch50134: brcm80211-smac-fix-endless-retry-of-A-MPDU-transmiss.patch
+Patch50135: brcm80211-smac-only-print-block-ack-timeout-message-.patch
 
 %endif
 
@@ -1633,6 +1644,17 @@ ApplyPatch bcma-don-t-fail-for-bad-SPROM-CRC.patch
 ApplyPatch zd1211rw-firmware-needs-duration_id-set-to-zero-for-.patch
 ApplyPatch mac80211-Fix-a-rwlock-bad-magic-bug.patch
 ApplyPatch rtlwifi-Modify-rtl_pci_init-to-return-0-on-success.patch
+ApplyPatch mac80211-call-rate-control-only-after-init.patch
+ApplyPatch mac80211-do-not-call-rate-control-.tx_status-before-.patch
+ApplyPatch mwifiex-clear-previous-security-setting-during-assoc.patch
+ApplyPatch ath9k-stop-on-rates-with-idx-1-in-ath9k-rate-control.patch
+ApplyPatch ath9k_hw-prevent-writes-to-const-data-on-AR9160.patch
+ApplyPatch rt2x00-fix-a-possible-NULL-pointer-dereference.patch
+ApplyPatch iwlwifi-fix-key-removal.patch
+ApplyPatch mac80211-zero-initialize-count-field-in-ieee80211_tx.patch
+ApplyPatch mac80211-Fix-a-warning-on-changing-to-monitor-mode-f.patch
+ApplyPatch brcm80211-smac-fix-endless-retry-of-A-MPDU-transmiss.patch
+ApplyPatch brcm80211-smac-only-print-block-ack-timeout-message-.patch
 
 ApplyPatch rt2x00_fix_MCU_request_failures.patch
 
@@ -2346,6 +2368,19 @@ fi
 # and build.
 
 %changelog
+* Fri Feb 24 2012 John W. Linville <linville@redhat.com>
+- mac80211: call rate control only after init
+- mac80211: do not call rate control .tx_status before .rate_init
+- mwifiex: clear previous security setting during association
+- ath9k: stop on rates with idx -1 in ath9k rate control's .tx_status
+- ath9k_hw: prevent writes to const data on AR9160
+- rt2x00: fix a possible NULL pointer dereference
+- iwlwifi: fix key removal
+- mac80211: zero initialize count field in ieee80211_tx_rate
+- mac80211: Fix a warning on changing to monitor mode from STA
+- brcm80211: smac: fix endless retry of A-MPDU transmissions
+- brcm80211: smac: only print block-ack timeout message at trace level
+
 * Mon Feb 20 2012 Dave Jones <davej@redhat.com> 3.2.7-1
 - Do not call drivers when invalidating partitions for -ENOMEDIUM
 

mac80211-Fix-a-warning-on-changing-to-monitor-mode-f.patch

@@ -0,0 +1,72 @@
+From 0dee00686da88cc32753e02e4e8efdd9e326e4d2 Mon Sep 17 00:00:00 2001
+From: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
+Date: Mon, 20 Feb 2012 14:44:01 +0530
+Subject: [PATCH] mac80211: Fix a warning on changing to monitor mode from STA
+
+nothing needs to be done for monitor/AP_VLAN mode on calling
+ieee80211_bss_info_change_notify -> drv_bss_info_changed with the change
+flag 'BSS_CHANGED_IDLE'. 'wl1271' seems to use BSS_CHANGED_IDLE only for
+STA and IBSS mode. further the non-idle state of the monitor mode is
+taken care by the 'count' variable which counts non-idle interfaces.
+ieee80211_idle_off(local, "in use") will be called.
+this fixes the following WARNING when we have initially STA mode
+(network manager running) and not associated, and change it to monitor
+mode with network manager disabled and bringing up the monitor mode.
+this changes the idle state from 'true' (STA unassociated) to 'false'
+(MONITOR mode)
+exposed by the commit 405385f8ce7a2ed8f82e216d88b5282142e1288b
+"mac80211: set bss_conf.idle when vif is connected"
+
+	WARNING: net/mac80211/main.c:212
+	ieee80211_bss_info_change_notify+0x1cf/0x330 [mac80211]()
+	Hardware name: 64756D6
+	Pid: 3835, comm: ifconfig Tainted: G           O
+	3.3.0-rc3-wl #9
+	Call Trace:
+	  [<c0133b02>] warn_slowpath_common+0x72/0xa0
+	  [<fc8e8c3f>] ?
+	  ieee80211_bss_info_change_notify+0x1cf/0x330 [mac80211]
+	  [<fc8e8c3f>] ?
+	  ieee80211_bss_info_change_notify+0x1cf/0x330 [mac80211]
+	  [<c0133b52>] warn_slowpath_null+0x22/0x30
+	  [<fc8e8c3f>]
+	  ieee80211_bss_info_change_notify+0x1cf/0x330 [mac80211]
+	  [<fc8f9de3>] __ieee80211_recalc_idle+0x113/0x430
+	  [mac80211]
+	  [<fc8fabc6>] ieee80211_do_open+0x156/0x7e0 [mac80211]
+	  [<fc8f8a25>] ?
+	  ieee80211_check_concurrent_iface+0x25/0x180 [mac80211]
+	  [<c015dd9f>] ? raw_notifier_call_chain+0x1f/0x30
+	  [<fc8fb290>] ieee80211_open+0x40/0x80 [mac80211]
+	  [<c05894f6>] __dev_open+0x96/0xe0
+	  [<c068fba5>] ? _raw_spin_unlock_bh+0x35/0x40
+	  [<c05881d9>] __dev_change_flags+0x109/0x170
+	  [<c0589423>] dev_change_flags+0x23/0x60
+	  [<c05f3770>] devinet_ioctl+0x6a0/0x770
+
+ ieee80211 phy0: device no longer idle - in use
+
+Cc: Eliad Peller <eliad@wizery.com>
+Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+---
+ net/mac80211/iface.c |    3 +++
+ 1 files changed, 3 insertions(+), 0 deletions(-)
+
+diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c
+index 01a21c2..8e2137b 100644
+--- a/net/mac80211/iface.c
++++ b/net/mac80211/iface.c
+@@ -1332,6 +1332,9 @@ u32 __ieee80211_recalc_idle(struct ieee80211_local *local)
+ 		hw_roc = true;
+ 
+ 	list_for_each_entry(sdata, &local->interfaces, list) {
++		if (sdata->vif.type == NL80211_IFTYPE_MONITOR ||
++		    sdata->vif.type == NL80211_IFTYPE_AP_VLAN)
++			continue;
+ 		if (sdata->old_idle == sdata->vif.bss_conf.idle)
+ 			continue;
+ 		if (!ieee80211_sdata_running(sdata))
+-- 
+1.7.4.4
+

mac80211-call-rate-control-only-after-init.patch

@@ -0,0 +1,91 @@
+From 4b5a433ae5348c23caa0b5f0a2fca7c342acb200 Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Fri, 20 Jan 2012 13:55:23 +0100
+Subject: [PATCH] mac80211: call rate control only after init
+
+There are situations where we don't have the
+necessary rate control information yet for
+station entries, e.g. when associating. This
+currently doesn't really happen due to the
+dummy station handling; explicitly disabling
+rate control when it's not initialised will
+allow us to remove dummy stations.
+
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+---
+ net/mac80211/debugfs_sta.c |    4 ++--
+ net/mac80211/rate.c        |    2 +-
+ net/mac80211/rate.h        |    1 +
+ net/mac80211/sta_info.h    |    2 ++
+ 4 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/net/mac80211/debugfs_sta.c b/net/mac80211/debugfs_sta.c
+index 2406b3e..d86217d 100644
+--- a/net/mac80211/debugfs_sta.c
++++ b/net/mac80211/debugfs_sta.c
+@@ -63,14 +63,14 @@ static ssize_t sta_flags_read(struct file *file, char __user *userbuf,
+ 	test_sta_flag(sta, WLAN_STA_##flg) ? #flg "\n" : ""
+ 
+ 	int res = scnprintf(buf, sizeof(buf),
+-			    "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s",
++			    "%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s",
+ 			    TEST(AUTH), TEST(ASSOC), TEST(PS_STA),
+ 			    TEST(PS_DRIVER), TEST(AUTHORIZED),
+ 			    TEST(SHORT_PREAMBLE),
+ 			    TEST(WME), TEST(WDS), TEST(CLEAR_PS_FILT),
+ 			    TEST(MFP), TEST(BLOCK_BA), TEST(PSPOLL),
+ 			    TEST(UAPSD), TEST(SP), TEST(TDLS_PEER),
+-			    TEST(TDLS_PEER_AUTH));
++			    TEST(TDLS_PEER_AUTH), TEST(RATE_CONTROL));
+ #undef TEST
+ 	return simple_read_from_buffer(userbuf, count, ppos, buf, res);
+ }
+diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c
+index 5a5a776..ad64f4d 100644
+--- a/net/mac80211/rate.c
++++ b/net/mac80211/rate.c
+@@ -336,7 +336,7 @@ void rate_control_get_rate(struct ieee80211_sub_if_data *sdata,
+ 	int i;
+ 	u32 mask;
+ 
+-	if (sta) {
++	if (sta && test_sta_flag(sta, WLAN_STA_RATE_CONTROL)) {
+ 		ista = &sta->sta;
+ 		priv_sta = sta->rate_ctrl_priv;
+ 	}
+diff --git a/net/mac80211/rate.h b/net/mac80211/rate.h
+index 168427b..2b83f32 100644
+--- a/net/mac80211/rate.h
++++ b/net/mac80211/rate.h
+@@ -62,6 +62,7 @@ static inline void rate_control_rate_init(struct sta_info *sta)
+ 	sband = local->hw.wiphy->bands[local->hw.conf.channel->band];
+ 
+ 	ref->ops->rate_init(ref->priv, sband, ista, priv_sta);
++	set_sta_flag(sta, WLAN_STA_RATE_CONTROL);
+ }
+ 
+ static inline void rate_control_rate_update(struct ieee80211_local *local,
+diff --git a/net/mac80211/sta_info.h b/net/mac80211/sta_info.h
+index 6f77f12..bfed851 100644
+--- a/net/mac80211/sta_info.h
++++ b/net/mac80211/sta_info.h
+@@ -52,6 +52,7 @@
+  * @WLAN_STA_SP: Station is in a service period, so don't try to
+  *	reply to other uAPSD trigger frames or PS-Poll.
+  * @WLAN_STA_4ADDR_EVENT: 4-addr event was already sent for this frame.
++ * @WLAN_STA_RATE_CONTROL: rate control was initialized for this station.
+  */
+ enum ieee80211_sta_info_flags {
+ 	WLAN_STA_AUTH,
+@@ -71,6 +72,7 @@ enum ieee80211_sta_info_flags {
+ 	WLAN_STA_UAPSD,
+ 	WLAN_STA_SP,
+ 	WLAN_STA_4ADDR_EVENT,
++	WLAN_STA_RATE_CONTROL,
+ };
+ 
+ enum ieee80211_sta_state {
+-- 
+1.7.4.4
+

mac80211-do-not-call-rate-control-.tx_status-before-.patch

@@ -0,0 +1,33 @@
+From 216c57b214bd621335ff698b475f6db2802502dc Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@openwrt.org>
+Date: Wed, 8 Feb 2012 19:17:11 +0100
+Subject: [PATCH] mac80211: do not call rate control .tx_status before
+ .rate_init
+
+Most rate control implementations assume .get_rate and .tx_status are only
+called once the per-station data has been fully initialized.
+minstrel_ht crashes if this assumption is violated.
+
+Signed-off-by: Felix Fietkau <nbd@openwrt.org>
+Tested-by: Arend van Spriel <arend@broadcom.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+---
+ net/mac80211/rate.h |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/net/mac80211/rate.h b/net/mac80211/rate.h
+index 2b83f32..80cfc00 100644
+--- a/net/mac80211/rate.h
++++ b/net/mac80211/rate.h
+@@ -41,7 +41,7 @@ static inline void rate_control_tx_status(struct ieee80211_local *local,
+ 	struct ieee80211_sta *ista = &sta->sta;
+ 	void *priv_sta = sta->rate_ctrl_priv;
+ 
+-	if (!ref)
++	if (!ref || !test_sta_flag(sta, WLAN_STA_RATE_CONTROL))
+ 		return;
+ 
+ 	ref->ops->tx_status(ref->priv, sband, ista, priv_sta, skb);
+-- 
+1.7.4.4
+

mac80211-zero-initialize-count-field-in-ieee80211_tx.patch

@@ -0,0 +1,39 @@
+From 8617b093d0031837a7be9b32bc674580cfb5f6b5 Mon Sep 17 00:00:00 2001
+From: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
+Date: Mon, 20 Feb 2012 10:05:31 +0530
+Subject: [PATCH] mac80211: zero initialize count field in ieee80211_tx_rate
+
+rate control algorithms concludes the rate as invalid
+with rate[i].idx < -1 , while they do also check for rate[i].count is
+non-zero. it would be safer to zero initialize the 'count' field.
+recently we had a ath9k rate control crash where the ath9k rate control
+in ath_tx_status assumed to check only for rate[i].count being non-zero
+in one instance and ended up in using invalid rate index for
+'connection monitoring NULL func frames' which eventually lead to the crash.
+thanks to Pavel Roskin for fixing it and finding the root cause.
+https://bugzilla.redhat.com/show_bug.cgi?id=768639
+
+Cc: stable@vger.kernel.org
+Cc: Pavel Roskin <proski@gnu.org>
+Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+---
+ net/mac80211/rate.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c
+index ad64f4d..f9b8e81 100644
+--- a/net/mac80211/rate.c
++++ b/net/mac80211/rate.c
+@@ -344,7 +344,7 @@ void rate_control_get_rate(struct ieee80211_sub_if_data *sdata,
+ 	for (i = 0; i < IEEE80211_TX_MAX_RATES; i++) {
+ 		info->control.rates[i].idx = -1;
+ 		info->control.rates[i].flags = 0;
+-		info->control.rates[i].count = 1;
++		info->control.rates[i].count = 0;
+ 	}
+ 
+ 	if (sdata->local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL)
+-- 
+1.7.4.4
+

mwifiex-clear-previous-security-setting-during-assoc.patch

@@ -0,0 +1,55 @@
+From 6670f15b1f6858a43b292d8ab64464e9f085a6aa Mon Sep 17 00:00:00 2001
+From: Amitkumar Karwar <akarwar@marvell.com>
+Date: Thu, 9 Feb 2012 18:32:22 -0800
+Subject: [PATCH] mwifiex: clear previous security setting during association
+
+Driver maintains different flags for WEP, WPA, WPA2 security modes.
+Appropriate flag is set using security information provided in
+connect request. mwifiex_is_network_compatible() routine uses them
+to check if driver's setting is compatible with AP. Association is
+aborted if the routine fails.
+
+For some corner cases, it is observed that association is failed
+even for valid security information based on association history.
+This patch fixes the problem by clearing previous security setting
+during each association.
+
+We should set WEP key provided in connect request as default tx key.
+This missing change is also added here.
+
+Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
+Signed-off-by: Bing Zhao <bzhao@marvell.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+---
+ drivers/net/wireless/mwifiex/cfg80211.c |    8 +++++++-
+ 1 files changed, 7 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/net/wireless/mwifiex/cfg80211.c b/drivers/net/wireless/mwifiex/cfg80211.c
+index c3b6c46..5b2972b 100644
+--- a/drivers/net/wireless/mwifiex/cfg80211.c
++++ b/drivers/net/wireless/mwifiex/cfg80211.c
+@@ -841,7 +841,12 @@ mwifiex_cfg80211_assoc(struct mwifiex_private *priv, size_t ssid_len, u8 *ssid,
+ 		ret = mwifiex_set_rf_channel(priv, channel,
+ 						priv->adapter->channel_type);
+ 
+-	ret = mwifiex_set_encode(priv, NULL, 0, 0, 1);	/* Disable keys */
++	/* As this is new association, clear locally stored
++	 * keys and security related flags */
++	priv->sec_info.wpa_enabled = false;
++	priv->sec_info.wpa2_enabled = false;
++	priv->wep_key_curr_index = 0;
++	ret = mwifiex_set_encode(priv, NULL, 0, 0, 1);
+ 
+ 	if (mode == NL80211_IFTYPE_ADHOC) {
+ 		/* "privacy" is set only for ad-hoc mode */
+@@ -886,6 +891,7 @@ mwifiex_cfg80211_assoc(struct mwifiex_private *priv, size_t ssid_len, u8 *ssid,
+ 			dev_dbg(priv->adapter->dev,
+ 				"info: setting wep encryption"
+ 				" with key len %d\n", sme->key_len);
++			priv->wep_key_curr_index = sme->key_idx;
+ 			ret = mwifiex_set_encode(priv, sme->key, sme->key_len,
+ 							sme->key_idx, 0);
+ 		}
+-- 
+1.7.4.4
+

rt2x00-fix-a-possible-NULL-pointer-dereference.patch

@@ -0,0 +1,37 @@
+From 7be081539e540517d5e1fcbf96b8080074afbf08 Mon Sep 17 00:00:00 2001
+From: Gabor Juhos <juhosg@openwrt.org>
+Date: Thu, 16 Feb 2012 20:44:59 +0100
+Subject: [PATCH] rt2x00: fix a possible NULL pointer dereference
+
+The 'rt2x00lib_probe_dev' function tries to
+allocate the workqueue. If the allocation
+fails, 'rt2x00_lib_remove_dev' is called on
+the error path. Because 'rt2x00dev->workqueue'
+is NULL in this case, the 'destroy_workqueue'
+call will cause a NULL pointer dereference.
+
+Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
+Acked-by: Gertjan van Wingerde <gwingerde@gmail.com>
+Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+---
+ drivers/net/wireless/rt2x00/rt2x00dev.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c
+index c3e1aa7..d2a1ea9 100644
+--- a/drivers/net/wireless/rt2x00/rt2x00dev.c
++++ b/drivers/net/wireless/rt2x00/rt2x00dev.c
+@@ -1220,7 +1220,8 @@ void rt2x00lib_remove_dev(struct rt2x00_dev *rt2x00dev)
+ 		cancel_work_sync(&rt2x00dev->rxdone_work);
+ 		cancel_work_sync(&rt2x00dev->txdone_work);
+ 	}
+-	destroy_workqueue(rt2x00dev->workqueue);
++	if (rt2x00dev->workqueue)
++		destroy_workqueue(rt2x00dev->workqueue);
+ 
+ 	/*
+ 	 * Free the tx status fifo.
+-- 
+1.7.4.4
+