From dec491e2b4d135c6aeb25535ef7afab3a285f6a9 Mon Sep 17 00:00:00 2001
From: Josh Boyer
Date: Thu, 18 Oct 2012 08:26:39 -0400
Subject: [PATCH] Apply patch to fix iwlwifi crash (rhbz 770484)
---
iwlwifi-fix-6000-ch-switch.patch | 94 ++++++++++++++++++++++++++++++++
kernel.spec | 11 +++-
2 files changed, 104 insertions(+), 1 deletion(-)
create mode 100644 iwlwifi-fix-6000-ch-switch.patch
diff --git a/iwlwifi-fix-6000-ch-switch.patch b/iwlwifi-fix-6000-ch-switch.patch
new file mode 100644
index 000000000..0fbca2354
--- /dev/null
+++ b/iwlwifi-fix-6000-ch-switch.patch
@@ -0,0 +1,94 @@
+commit a7d3a5d97acd4b8db17e1d5c3014357c9b2040f9
+Author: Johannes Berg
+Date: Tue Sep 25 16:40:12 2012 +0200
+
+ iwlwifi: fix 6000 series channel switch command
+
+ The channel switch command for 6000 series devices
+ is larger than the maximum inline command size of
+ 320 bytes. The command is therefore refused with a
+ warning. Fix this by allocating the command and
+ using the NOCOPY mechanism.
+
+ Cc: stable@kernel.org
+ Signed-off-by: Johannes Berg
+
+diff --git a/drivers/net/wireless/iwlwifi/dvm/devices.c b/drivers/net/wireless/iwlwifi/dvm/devices.c
+index 349c205..da58620 100644
+--- a/drivers/net/wireless/iwlwifi/dvm/devices.c
++++ b/drivers/net/wireless/iwlwifi/dvm/devices.c
+@@ -518,7 +518,7 @@ static int iwl6000_hw_channel_switch(struct iwl_priv *priv,
+ * See iwlagn_mac_channel_switch.
+ */
+ struct iwl_rxon_context *ctx = &priv->contexts[IWL_RXON_CTX_BSS];
+- struct iwl6000_channel_switch_cmd cmd;
++ struct iwl6000_channel_switch_cmd *cmd;
+ u32 switch_time_in_usec, ucode_switch_time;
+ u16 ch;
+ u32 tsf_low;
+@@ -527,18 +527,25 @@ static int iwl6000_hw_channel_switch(struct iwl_priv *priv,
+ struct ieee80211_vif *vif = ctx->vif;
+ struct iwl_host_cmd hcmd = {
+ .id = REPLY_CHANNEL_SWITCH,
+- .len = { sizeof(cmd), },
++ .len = { sizeof(*cmd), },
+ .flags = CMD_SYNC,
+- .data = { &cmd, },
++ .dataflags[0] = IWL_HCMD_DFL_NOCOPY,
+ };
++ int err;
+
+- cmd.band = priv->band == IEEE80211_BAND_2GHZ;
++ cmd = kzalloc(sizeof(*cmd), GFP_KERNEL);
++ if (!cmd)
++ return -ENOMEM;
++
++ hcmd.data[0] = cmd;
++
++ cmd->band = priv->band == IEEE80211_BAND_2GHZ;
+ ch = ch_switch->channel->hw_value;
+ IWL_DEBUG_11H(priv, "channel switch from %u to %u\n",
+ ctx->active.channel, ch);
+- cmd.channel = cpu_to_le16(ch);
+- cmd.rxon_flags = ctx->staging.flags;
+- cmd.rxon_filter_flags = ctx->staging.filter_flags;
++ cmd->channel = cpu_to_le16(ch);
++ cmd->rxon_flags = ctx->staging.flags;
++ cmd->rxon_filter_flags = ctx->staging.filter_flags;
+ switch_count = ch_switch->count;
+ tsf_low = ch_switch->timestamp & 0x0ffffffff;
+ /*
+@@ -554,23 +561,25 @@ static int iwl6000_hw_channel_switch(struct iwl_priv *priv,
+ switch_count = 0;
+ }
+ if (switch_count <= 1)
+- cmd.switch_time = cpu_to_le32(priv->ucode_beacon_time);
++ cmd->switch_time = cpu_to_le32(priv->ucode_beacon_time);
+ else {
+ switch_time_in_usec =
+ vif->bss_conf.beacon_int * switch_count * TIME_UNIT;
+ ucode_switch_time = iwl_usecs_to_beacons(priv,
+ switch_time_in_usec,
+ beacon_interval);
+- cmd.switch_time = iwl_add_beacon_time(priv,
+- priv->ucode_beacon_time,
+- ucode_switch_time,
+- beacon_interval);
++ cmd->switch_time = iwl_add_beacon_time(priv,
++ priv->ucode_beacon_time,
++ ucode_switch_time,
++ beacon_interval);
+ }
+ IWL_DEBUG_11H(priv, "uCode time for the switch is 0x%x\n",
+- cmd.switch_time);
+- cmd.expect_beacon = ch_switch->channel->flags & IEEE80211_CHAN_RADAR;
++ cmd->switch_time);
++ cmd->expect_beacon = ch_switch->channel->flags & IEEE80211_CHAN_RADAR;
+
+- return iwl_dvm_send_cmd(priv, &hcmd);
++ err = iwl_dvm_send_cmd(priv, &hcmd);
++ kfree(cmd);
++ return err;
+ }
+
+ struct iwl_lib_ops iwl6000_lib = {
diff --git a/kernel.spec b/kernel.spec
index 7755974d1..2fbb11c53 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -54,7 +54,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 1 +%global baserelease 2 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching
@@ -681,6 +681,9 @@ Patch21300: unhandled-irqs-switch-to-polling.patch #rhbz 804957 CVE-2012-1568 Patch21306: shlib_base_randomize.patch +#rhbz 770484 +Patch22071: iwlwifi-fix-6000-ch-switch.patch + # Debug patches Patch30000: weird-root-dentry-name-debug.patch Patch30010: debug-808990.patch
@@ -1287,6 +1290,9 @@ ApplyPatch unhandled-irqs-switch-to-polling.patch ApplyPatch weird-root-dentry-name-debug.patch ApplyPatch debug-808990.patch +#rhbz 770484 +ApplyPatch iwlwifi-fix-6000-ch-switch.patch + # END OF PATCH APPLICATIONS %endif
@@ -1987,6 +1993,9 @@ fi # and build. %changelog +* Thu Oct 18 2012 Josh Boyer +- Apply patch to fix iwlwifi crash (rhbz 770484) + * Tue Oct 16 2012 Dave Jones 3.6.2-1 - Linux 3.6.2
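Review bot: The `kfree(cmd)` placed directly after `iwl_dvm_send_cmd(priv, &hcmd)` in iwl6000_hw_channel_switch() is only safe as long as `hcmd.flags` stays `CMD_SYNC`: with `IWL_HCMD_DFL_NOCOPY` the transport presumably uses the caller's buffer in place instead of copying it, so the allocation must outlive the command, and nothing in the new code records that dependency. I would add a comment above the `kzalloc()` call, e.g. `/* cmd is larger than the inline command size, so it is heap-allocated and sent NOCOPY; freeing it right after the send is valid only because the command is CMD_SYNC */`. Whether a synchronous command that times out can leave the buffer still referenced by the transport is not visible on this page and is worth confirming before relying on the unconditional free. The function starts outside the embedded hunks, so the calling context that makes `GFP_KERNEL` acceptable cannot be checked from here.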