X-Git-Url: https://git.rohieb.name/openwrt.git/blobdiff_plain/d349dd54e7b15d674e13020f71d9644607789a1f..f251f740878af188b1f27d19ec921efa6c577349:/package/mac80211/patches/300-pending_work.patch diff --git a/package/mac80211/patches/300-pending_work.patch b/package/mac80211/patches/300-pending_work.patch index 782f7d787..adf59f61a 100644 --- a/package/mac80211/patches/300-pending_work.patch +++ b/package/mac80211/patches/300-pending_work.patch @@ -1,694 +1,6 @@ ---- a/drivers/net/wireless/ath/ath9k/hw.h -+++ b/drivers/net/wireless/ath/ath9k/hw.h -@@ -603,7 +603,6 @@ struct ath_hw_ops { - int power_off); - void (*rx_enable)(struct ath_hw *ah); - void (*set_desc_link)(void *ds, u32 link); -- void (*get_desc_link)(void *ds, u32 **link); - bool (*calibrate)(struct ath_hw *ah, - struct ath9k_channel *chan, - u8 rxchainmask, ---- a/drivers/net/wireless/ath/ath9k/main.c -+++ b/drivers/net/wireless/ath/ath9k/main.c -@@ -62,8 +62,6 @@ static bool ath9k_has_pending_frames(str - - if (txq->axq_depth || !list_empty(&txq->axq_acq)) - pending = true; -- else if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) -- pending = !list_empty(&txq->txq_fifo_pending); - - spin_unlock_bh(&txq->axq_lock); - return pending; ---- a/drivers/net/wireless/ath/ath9k/ar9002_mac.c -+++ b/drivers/net/wireless/ath/ath9k/ar9002_mac.c -@@ -28,11 +28,6 @@ static void ar9002_hw_set_desc_link(void - ((struct ath_desc*) ds)->ds_link = ds_link; - } - --static void ar9002_hw_get_desc_link(void *ds, u32 **ds_link) --{ -- *ds_link = &((struct ath_desc *)ds)->ds_link; --} -- - static bool ar9002_hw_get_isr(struct ath_hw *ah, enum ath9k_int *masked) - { - u32 isr = 0; -@@ -437,7 +432,6 @@ void ar9002_hw_attach_mac_ops(struct ath - - ops->rx_enable = ar9002_hw_rx_enable; - ops->set_desc_link = ar9002_hw_set_desc_link; -- ops->get_desc_link = ar9002_hw_get_desc_link; - ops->get_isr = ar9002_hw_get_isr; - ops->fill_txdesc = ar9002_hw_fill_txdesc; - ops->proc_txdesc = ar9002_hw_proc_txdesc; ---- a/drivers/net/wireless/ath/ath9k/ar9003_mac.c -+++ b/drivers/net/wireless/ath/ath9k/ar9003_mac.c -@@ -43,13 +43,6 @@ static void ar9003_hw_set_desc_link(void - ads->ctl10 |= ar9003_calc_ptr_chksum(ads); - } - --static void ar9003_hw_get_desc_link(void *ds, u32 **ds_link) --{ -- struct ar9003_txc *ads = ds; -- -- *ds_link = &ads->link; --} -- - static bool ar9003_hw_get_isr(struct ath_hw *ah, enum ath9k_int *masked) - { - u32 isr = 0; -@@ -498,7 +491,6 @@ void ar9003_hw_attach_mac_ops(struct ath - - ops->rx_enable = ar9003_hw_rx_enable; - ops->set_desc_link = ar9003_hw_set_desc_link; -- ops->get_desc_link = ar9003_hw_get_desc_link; - ops->get_isr = ar9003_hw_get_isr; - ops->fill_txdesc = ar9003_hw_fill_txdesc; - ops->proc_txdesc = ar9003_hw_proc_txdesc; ---- a/drivers/net/wireless/ath/ath9k/ath9k.h -+++ b/drivers/net/wireless/ath/ath9k/ath9k.h -@@ -179,7 +179,7 @@ enum ATH_AGGR_STATUS { - struct ath_txq { - int mac80211_qnum; /* mac80211 queue number, -1 means not mac80211 Q */ - u32 axq_qnum; /* ath9k hardware queue number */ -- u32 *axq_link; -+ void *axq_link; - struct list_head axq_q; - spinlock_t axq_lock; - u32 axq_depth; -@@ -188,7 +188,6 @@ struct ath_txq { - bool axq_tx_inprogress; - struct list_head axq_acq; - struct list_head txq_fifo[ATH_TXFIFO_DEPTH]; -- struct list_head txq_fifo_pending; - u8 txq_headidx; - u8 txq_tailidx; - int pending_frames; ---- a/drivers/net/wireless/ath/ath9k/debug.c -+++ b/drivers/net/wireless/ath/ath9k/debug.c -@@ -550,6 +550,7 @@ static ssize_t read_file_xmit(struct fil - - PR("MPDUs Queued: ", queued); - PR("MPDUs Completed: ", completed); -+ PR("MPDUs XRetried: ", xretries); - PR("Aggregates: ", a_aggr); - PR("AMPDUs Queued HW:", a_queued_hw); - PR("AMPDUs Queued SW:", a_queued_sw); -@@ -587,7 +588,6 @@ static ssize_t read_file_xmit(struct fil - - PRQLE("axq_q empty: ", axq_q); - PRQLE("axq_acq empty: ", axq_acq); -- PRQLE("txq_fifo_pending: ", txq_fifo_pending); - for (i = 0; i < ATH_TXFIFO_DEPTH; i++) { - snprintf(tmp, sizeof(tmp) - 1, "txq_fifo[%i] empty: ", i); - PRQLE(tmp, txq_fifo[i]); -@@ -807,7 +807,10 @@ void ath_debug_stat_tx(struct ath_softc - else - TX_STAT_INC(qnum, a_completed); - } else { -- TX_STAT_INC(qnum, completed); -+ if (bf_isxretried(bf)) -+ TX_STAT_INC(qnum, xretries); -+ else -+ TX_STAT_INC(qnum, completed); - } - - if (ts->ts_status & ATH9K_TXERR_FIFO) ---- a/drivers/net/wireless/ath/ath9k/hw-ops.h -+++ b/drivers/net/wireless/ath/ath9k/hw-ops.h -@@ -39,11 +39,6 @@ static inline void ath9k_hw_set_desc_lin - ath9k_hw_ops(ah)->set_desc_link(ds, link); - } - --static inline void ath9k_hw_get_desc_link(struct ath_hw *ah, void *ds, -- u32 **link) --{ -- ath9k_hw_ops(ah)->get_desc_link(ds, link); --} - static inline bool ath9k_hw_calibrate(struct ath_hw *ah, - struct ath9k_channel *chan, - u8 rxchainmask, ---- a/drivers/net/wireless/ath/ath9k/xmit.c -+++ b/drivers/net/wireless/ath/ath9k/xmit.c -@@ -53,7 +53,7 @@ static void ath_tx_complete_buf(struct a - struct ath_txq *txq, struct list_head *bf_q, - struct ath_tx_status *ts, int txok, int sendbar); - static void ath_tx_txqaddbuf(struct ath_softc *sc, struct ath_txq *txq, -- struct list_head *head); -+ struct list_head *head, bool internal); - static void ath_buf_set_rate(struct ath_softc *sc, struct ath_buf *bf, int len); - static void ath_tx_rc_status(struct ath_softc *sc, struct ath_buf *bf, - struct ath_tx_status *ts, int nframes, int nbad, -@@ -377,8 +377,7 @@ static void ath_tx_complete_aggr(struct - bf_next = bf->bf_next; - - bf->bf_state.bf_type |= BUF_XRETRY; -- if ((sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) || -- !bf->bf_stale || bf_next != NULL) -+ if (!bf->bf_stale || bf_next != NULL) - list_move_tail(&bf->list, &bf_head); - - ath_tx_rc_status(sc, bf, ts, 1, 1, 0, false); -@@ -463,20 +462,14 @@ static void ath_tx_complete_aggr(struct - } - } - -- if (!(sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) && -- bf_next == NULL) { -- /* -- * Make sure the last desc is reclaimed if it -- * not a holding desc. -- */ -- if (!bf_last->bf_stale) -- list_move_tail(&bf->list, &bf_head); -- else -- INIT_LIST_HEAD(&bf_head); -- } else { -- BUG_ON(list_empty(bf_q)); -+ /* -+ * Make sure the last desc is reclaimed if it -+ * not a holding desc. -+ */ -+ if (!bf_last->bf_stale || bf_next != NULL) - list_move_tail(&bf->list, &bf_head); -- } -+ else -+ INIT_LIST_HEAD(&bf_head); - - if (!txpending || (tid->state & AGGR_CLEANUP)) { - /* -@@ -837,7 +830,7 @@ static void ath_tx_sched_aggr(struct ath - bf->bf_state.bf_type &= ~BUF_AGGR; - ath9k_hw_clr11n_aggr(sc->sc_ah, bf->bf_desc); - ath_buf_set_rate(sc, bf, fi->framelen); -- ath_tx_txqaddbuf(sc, txq, &bf_q); -+ ath_tx_txqaddbuf(sc, txq, &bf_q, false); - continue; - } - -@@ -849,7 +842,7 @@ static void ath_tx_sched_aggr(struct ath - /* anchor last desc of aggregate */ - ath9k_hw_set11n_aggr_last(sc->sc_ah, bf->bf_lastbf->bf_desc); - -- ath_tx_txqaddbuf(sc, txq, &bf_q); -+ ath_tx_txqaddbuf(sc, txq, &bf_q, false); - TX_STAT_INC(txq->axq_qnum, a_aggr); - - } while (txq->axq_ampdu_depth < ATH_AGGR_MIN_QDEPTH && -@@ -1085,7 +1078,6 @@ struct ath_txq *ath_txq_setup(struct ath - txq->txq_headidx = txq->txq_tailidx = 0; - for (i = 0; i < ATH_TXFIFO_DEPTH; i++) - INIT_LIST_HEAD(&txq->txq_fifo[i]); -- INIT_LIST_HEAD(&txq->txq_fifo_pending); - } - return &sc->tx.txq[axq_qnum]; - } -@@ -1155,13 +1147,8 @@ static bool bf_is_ampdu_not_probing(stru - return bf_isampdu(bf) && !(info->flags & IEEE80211_TX_CTL_RATE_CTRL_PROBE); - } - --/* -- * Drain a given TX queue (could be Beacon or Data) -- * -- * This assumes output has been stopped and -- * we do not need to block ath_tx_tasklet. -- */ --void ath_draintxq(struct ath_softc *sc, struct ath_txq *txq, bool retry_tx) -+static void ath_drain_txq_list(struct ath_softc *sc, struct ath_txq *txq, -+ struct list_head *list, bool retry_tx) - { - struct ath_buf *bf, *lastbf; - struct list_head bf_head; -@@ -1170,93 +1157,63 @@ void ath_draintxq(struct ath_softc *sc, - memset(&ts, 0, sizeof(ts)); - INIT_LIST_HEAD(&bf_head); - -- for (;;) { -- spin_lock_bh(&txq->axq_lock); -+ while (!list_empty(list)) { -+ bf = list_first_entry(list, struct ath_buf, list); - -- if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) { -- if (list_empty(&txq->txq_fifo[txq->txq_tailidx])) { -- txq->txq_headidx = txq->txq_tailidx = 0; -- spin_unlock_bh(&txq->axq_lock); -- break; -- } else { -- bf = list_first_entry(&txq->txq_fifo[txq->txq_tailidx], -- struct ath_buf, list); -- } -- } else { -- if (list_empty(&txq->axq_q)) { -- txq->axq_link = NULL; -- spin_unlock_bh(&txq->axq_lock); -- break; -- } -- bf = list_first_entry(&txq->axq_q, struct ath_buf, -- list); -- -- if (bf->bf_stale) { -- list_del(&bf->list); -- spin_unlock_bh(&txq->axq_lock); -+ if (bf->bf_stale) { -+ list_del(&bf->list); - -- ath_tx_return_buffer(sc, bf); -- continue; -- } -+ ath_tx_return_buffer(sc, bf); -+ continue; - } - - lastbf = bf->bf_lastbf; -- -- if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) { -- list_cut_position(&bf_head, -- &txq->txq_fifo[txq->txq_tailidx], -- &lastbf->list); -- INCR(txq->txq_tailidx, ATH_TXFIFO_DEPTH); -- } else { -- /* remove ath_buf's of the same mpdu from txq */ -- list_cut_position(&bf_head, &txq->axq_q, &lastbf->list); -- } -+ list_cut_position(&bf_head, list, &lastbf->list); - - txq->axq_depth--; - if (bf_is_ampdu_not_probing(bf)) - txq->axq_ampdu_depth--; -- spin_unlock_bh(&txq->axq_lock); - -+ spin_unlock_bh(&txq->axq_lock); - if (bf_isampdu(bf)) - ath_tx_complete_aggr(sc, txq, bf, &bf_head, &ts, 0, - retry_tx); - else - ath_tx_complete_buf(sc, bf, txq, &bf_head, &ts, 0, 0); -+ spin_lock_bh(&txq->axq_lock); - } -+} - -+/* -+ * Drain a given TX queue (could be Beacon or Data) -+ * -+ * This assumes output has been stopped and -+ * we do not need to block ath_tx_tasklet. -+ */ -+void ath_draintxq(struct ath_softc *sc, struct ath_txq *txq, bool retry_tx) -+{ - spin_lock_bh(&txq->axq_lock); -- txq->axq_tx_inprogress = false; -- spin_unlock_bh(&txq->axq_lock); -- - if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) { -- spin_lock_bh(&txq->axq_lock); -- while (!list_empty(&txq->txq_fifo_pending)) { -- bf = list_first_entry(&txq->txq_fifo_pending, -- struct ath_buf, list); -- list_cut_position(&bf_head, -- &txq->txq_fifo_pending, -- &bf->bf_lastbf->list); -- spin_unlock_bh(&txq->axq_lock); -+ int idx = txq->txq_tailidx; - -- if (bf_isampdu(bf)) -- ath_tx_complete_aggr(sc, txq, bf, &bf_head, -- &ts, 0, retry_tx); -- else -- ath_tx_complete_buf(sc, bf, txq, &bf_head, -- &ts, 0, 0); -- spin_lock_bh(&txq->axq_lock); -+ while (!list_empty(&txq->txq_fifo[idx])) { -+ ath_drain_txq_list(sc, txq, &txq->txq_fifo[idx], -+ retry_tx); -+ -+ INCR(idx, ATH_TXFIFO_DEPTH); - } -- spin_unlock_bh(&txq->axq_lock); -+ txq->txq_tailidx = idx; - } - -+ txq->axq_link = NULL; -+ txq->axq_tx_inprogress = false; -+ ath_drain_txq_list(sc, txq, &txq->axq_q, retry_tx); -+ - /* flush any pending frames if aggregation is enabled */ -- if (sc->sc_flags & SC_OP_TXAGGR) { -- if (!retry_tx) { -- spin_lock_bh(&txq->axq_lock); -- ath_txq_drain_pending_buffers(sc, txq); -- spin_unlock_bh(&txq->axq_lock); -- } -- } -+ if ((sc->sc_flags & SC_OP_TXAGGR) && !retry_tx) -+ ath_txq_drain_pending_buffers(sc, txq); -+ -+ spin_unlock_bh(&txq->axq_lock); - } - - bool ath_drain_all_txq(struct ath_softc *sc, bool retry_tx) -@@ -1370,11 +1327,13 @@ void ath_txq_schedule(struct ath_softc * - * assume the descriptors are already chained together by caller. - */ - static void ath_tx_txqaddbuf(struct ath_softc *sc, struct ath_txq *txq, -- struct list_head *head) -+ struct list_head *head, bool internal) - { - struct ath_hw *ah = sc->sc_ah; - struct ath_common *common = ath9k_hw_common(ah); -- struct ath_buf *bf; -+ struct ath_buf *bf, *bf_last; -+ bool puttxbuf = false; -+ bool edma; - - /* - * Insert the frame on the outbound list and -@@ -1384,51 +1343,49 @@ static void ath_tx_txqaddbuf(struct ath_ - if (list_empty(head)) - return; - -+ edma = !!(ah->caps.hw_caps & ATH9K_HW_CAP_EDMA); - bf = list_first_entry(head, struct ath_buf, list); -+ bf_last = list_entry(head->prev, struct ath_buf, list); - - ath_dbg(common, ATH_DBG_QUEUE, - "qnum: %d, txq depth: %d\n", txq->axq_qnum, txq->axq_depth); - -- if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) { -- if (txq->axq_depth >= ATH_TXFIFO_DEPTH) { -- list_splice_tail_init(head, &txq->txq_fifo_pending); -- return; -- } -- if (!list_empty(&txq->txq_fifo[txq->txq_headidx])) -- ath_dbg(common, ATH_DBG_XMIT, -- "Initializing tx fifo %d which is non-empty\n", -- txq->txq_headidx); -- INIT_LIST_HEAD(&txq->txq_fifo[txq->txq_headidx]); -- list_splice_init(head, &txq->txq_fifo[txq->txq_headidx]); -+ if (edma && list_empty(&txq->txq_fifo[txq->txq_headidx])) { -+ list_splice_tail_init(head, &txq->txq_fifo[txq->txq_headidx]); - INCR(txq->txq_headidx, ATH_TXFIFO_DEPTH); -- TX_STAT_INC(txq->axq_qnum, puttxbuf); -- ath9k_hw_puttxbuf(ah, txq->axq_qnum, bf->bf_daddr); -- ath_dbg(common, ATH_DBG_XMIT, "TXDP[%u] = %llx (%p)\n", -- txq->axq_qnum, ito64(bf->bf_daddr), bf->bf_desc); -+ puttxbuf = true; - } else { - list_splice_tail_init(head, &txq->axq_q); - -- if (txq->axq_link == NULL) { -- TX_STAT_INC(txq->axq_qnum, puttxbuf); -- ath9k_hw_puttxbuf(ah, txq->axq_qnum, bf->bf_daddr); -- ath_dbg(common, ATH_DBG_XMIT, "TXDP[%u] = %llx (%p)\n", -- txq->axq_qnum, ito64(bf->bf_daddr), -- bf->bf_desc); -- } else { -- *txq->axq_link = bf->bf_daddr; -+ if (txq->axq_link) { -+ ath9k_hw_set_desc_link(ah, txq->axq_link, bf->bf_daddr); - ath_dbg(common, ATH_DBG_XMIT, - "link[%u] (%p)=%llx (%p)\n", - txq->axq_qnum, txq->axq_link, - ito64(bf->bf_daddr), bf->bf_desc); -- } -- ath9k_hw_get_desc_link(ah, bf->bf_lastbf->bf_desc, -- &txq->axq_link); -+ } else if (!edma) -+ puttxbuf = true; -+ -+ txq->axq_link = bf_last->bf_desc; -+ } -+ -+ if (puttxbuf) { -+ TX_STAT_INC(txq->axq_qnum, puttxbuf); -+ ath9k_hw_puttxbuf(ah, txq->axq_qnum, bf->bf_daddr); -+ ath_dbg(common, ATH_DBG_XMIT, "TXDP[%u] = %llx (%p)\n", -+ txq->axq_qnum, ito64(bf->bf_daddr), bf->bf_desc); -+ } -+ -+ if (!edma) { - TX_STAT_INC(txq->axq_qnum, txstart); - ath9k_hw_txstart(ah, txq->axq_qnum); - } -- txq->axq_depth++; -- if (bf_is_ampdu_not_probing(bf)) -- txq->axq_ampdu_depth++; -+ -+ if (!internal) { -+ txq->axq_depth++; -+ if (bf_is_ampdu_not_probing(bf)) -+ txq->axq_ampdu_depth++; -+ } - } - - static void ath_tx_send_ampdu(struct ath_softc *sc, struct ath_atx_tid *tid, -@@ -1470,7 +1427,7 @@ static void ath_tx_send_ampdu(struct ath - TX_STAT_INC(txctl->txq->axq_qnum, a_queued_hw); - bf->bf_lastbf = bf; - ath_buf_set_rate(sc, bf, fi->framelen); -- ath_tx_txqaddbuf(sc, txctl->txq, &bf_head); -+ ath_tx_txqaddbuf(sc, txctl->txq, &bf_head, false); - } - - static void ath_tx_send_normal(struct ath_softc *sc, struct ath_txq *txq, -@@ -1490,7 +1447,7 @@ static void ath_tx_send_normal(struct at - bf->bf_lastbf = bf; - fi = get_frame_info(bf->bf_mpdu); - ath_buf_set_rate(sc, bf, fi->framelen); -- ath_tx_txqaddbuf(sc, txq, bf_head); -+ ath_tx_txqaddbuf(sc, txq, bf_head, false); - TX_STAT_INC(txq->axq_qnum, queued); - } - -@@ -2077,6 +2034,38 @@ static void ath_tx_rc_status(struct ath_ - tx_info->status.rates[tx_rateindex].count = ts->ts_longretry + 1; - } - -+static void ath_tx_process_buffer(struct ath_softc *sc, struct ath_txq *txq, -+ struct ath_tx_status *ts, struct ath_buf *bf, -+ struct list_head *bf_head) -+{ -+ int txok; -+ -+ txq->axq_depth--; -+ txok = !(ts->ts_status & ATH9K_TXERR_MASK); -+ txq->axq_tx_inprogress = false; -+ if (bf_is_ampdu_not_probing(bf)) -+ txq->axq_ampdu_depth--; -+ -+ spin_unlock_bh(&txq->axq_lock); -+ -+ if (!bf_isampdu(bf)) { -+ /* -+ * This frame is sent out as a single frame. -+ * Use hardware retry status for this frame. -+ */ -+ if (ts->ts_status & ATH9K_TXERR_XRETRY) -+ bf->bf_state.bf_type |= BUF_XRETRY; -+ ath_tx_rc_status(sc, bf, ts, 1, txok ? 0 : 1, txok, true); -+ ath_tx_complete_buf(sc, bf, txq, bf_head, ts, txok, 0); -+ } else -+ ath_tx_complete_aggr(sc, txq, bf, bf_head, ts, txok, true); -+ -+ spin_lock_bh(&txq->axq_lock); -+ -+ if (sc->sc_flags & SC_OP_TXAGGR) -+ ath_txq_schedule(sc, txq); -+} -+ - static void ath_tx_processq(struct ath_softc *sc, struct ath_txq *txq) - { - struct ath_hw *ah = sc->sc_ah; -@@ -2085,20 +2074,18 @@ static void ath_tx_processq(struct ath_s - struct list_head bf_head; - struct ath_desc *ds; - struct ath_tx_status ts; -- int txok; - int status; - - ath_dbg(common, ATH_DBG_QUEUE, "tx queue %d (%x), link %p\n", - txq->axq_qnum, ath9k_hw_gettxbuf(sc->sc_ah, txq->axq_qnum), - txq->axq_link); - -+ spin_lock_bh(&txq->axq_lock); - for (;;) { -- spin_lock_bh(&txq->axq_lock); - if (list_empty(&txq->axq_q)) { - txq->axq_link = NULL; - if (sc->sc_flags & SC_OP_TXAGGR) - ath_txq_schedule(sc, txq); -- spin_unlock_bh(&txq->axq_lock); - break; - } - bf = list_first_entry(&txq->axq_q, struct ath_buf, list); -@@ -2114,13 +2101,11 @@ static void ath_tx_processq(struct ath_s - bf_held = NULL; - if (bf->bf_stale) { - bf_held = bf; -- if (list_is_last(&bf_held->list, &txq->axq_q)) { -- spin_unlock_bh(&txq->axq_lock); -+ if (list_is_last(&bf_held->list, &txq->axq_q)) - break; -- } else { -- bf = list_entry(bf_held->list.next, -- struct ath_buf, list); -- } -+ -+ bf = list_entry(bf_held->list.next, struct ath_buf, -+ list); - } - - lastbf = bf->bf_lastbf; -@@ -2128,10 +2113,9 @@ static void ath_tx_processq(struct ath_s - - memset(&ts, 0, sizeof(ts)); - status = ath9k_hw_txprocdesc(ah, ds, &ts); -- if (status == -EINPROGRESS) { -- spin_unlock_bh(&txq->axq_lock); -+ if (status == -EINPROGRESS) - break; -- } -+ - TX_STAT_INC(txq->axq_qnum, txprocdesc); - - /* -@@ -2145,42 +2129,14 @@ static void ath_tx_processq(struct ath_s - list_cut_position(&bf_head, - &txq->axq_q, lastbf->list.prev); - -- txq->axq_depth--; -- txok = !(ts.ts_status & ATH9K_TXERR_MASK); -- txq->axq_tx_inprogress = false; -- if (bf_held) -+ if (bf_held) { - list_del(&bf_held->list); -- -- if (bf_is_ampdu_not_probing(bf)) -- txq->axq_ampdu_depth--; -- -- spin_unlock_bh(&txq->axq_lock); -- -- if (bf_held) - ath_tx_return_buffer(sc, bf_held); -- -- if (!bf_isampdu(bf)) { -- /* -- * This frame is sent out as a single frame. -- * Use hardware retry status for this frame. -- */ -- if (ts.ts_status & ATH9K_TXERR_XRETRY) -- bf->bf_state.bf_type |= BUF_XRETRY; -- ath_tx_rc_status(sc, bf, &ts, 1, txok ? 0 : 1, txok, true); - } - -- if (bf_isampdu(bf)) -- ath_tx_complete_aggr(sc, txq, bf, &bf_head, &ts, txok, -- true); -- else -- ath_tx_complete_buf(sc, bf, txq, &bf_head, &ts, txok, 0); -- -- spin_lock_bh(&txq->axq_lock); -- -- if (sc->sc_flags & SC_OP_TXAGGR) -- ath_txq_schedule(sc, txq); -- spin_unlock_bh(&txq->axq_lock); -+ ath_tx_process_buffer(sc, txq, &ts, bf, &bf_head); - } -+ spin_unlock_bh(&txq->axq_lock); - } - - static void ath_tx_complete_poll_work(struct work_struct *work) -@@ -2237,17 +2193,16 @@ void ath_tx_tasklet(struct ath_softc *sc - - void ath_tx_edma_tasklet(struct ath_softc *sc) - { -- struct ath_tx_status txs; -+ struct ath_tx_status ts; - struct ath_common *common = ath9k_hw_common(sc->sc_ah); - struct ath_hw *ah = sc->sc_ah; - struct ath_txq *txq; - struct ath_buf *bf, *lastbf; - struct list_head bf_head; - int status; -- int txok; - - for (;;) { -- status = ath9k_hw_txprocdesc(ah, NULL, (void *)&txs); -+ status = ath9k_hw_txprocdesc(ah, NULL, (void *)&ts); - if (status == -EINPROGRESS) - break; - if (status == -EIO) { -@@ -2257,12 +2212,13 @@ void ath_tx_edma_tasklet(struct ath_soft - } - - /* Skip beacon completions */ -- if (txs.qid == sc->beacon.beaconq) -+ if (ts.qid == sc->beacon.beaconq) - continue; - -- txq = &sc->tx.txq[txs.qid]; -+ txq = &sc->tx.txq[ts.qid]; - - spin_lock_bh(&txq->axq_lock); -+ - if (list_empty(&txq->txq_fifo[txq->txq_tailidx])) { - spin_unlock_bh(&txq->axq_lock); - return; -@@ -2275,41 +2231,21 @@ void ath_tx_edma_tasklet(struct ath_soft - INIT_LIST_HEAD(&bf_head); - list_cut_position(&bf_head, &txq->txq_fifo[txq->txq_tailidx], - &lastbf->list); -- INCR(txq->txq_tailidx, ATH_TXFIFO_DEPTH); -- txq->axq_depth--; -- txq->axq_tx_inprogress = false; -- if (bf_is_ampdu_not_probing(bf)) -- txq->axq_ampdu_depth--; -- spin_unlock_bh(&txq->axq_lock); - -- txok = !(txs.ts_status & ATH9K_TXERR_MASK); -- -- if (!bf_isampdu(bf)) { -- if (txs.ts_status & ATH9K_TXERR_XRETRY) -- bf->bf_state.bf_type |= BUF_XRETRY; -- ath_tx_rc_status(sc, bf, &txs, 1, txok ? 0 : 1, txok, true); -- } -- -- if (bf_isampdu(bf)) -- ath_tx_complete_aggr(sc, txq, bf, &bf_head, &txs, -- txok, true); -- else -- ath_tx_complete_buf(sc, bf, txq, &bf_head, -- &txs, txok, 0); -+ if (list_empty(&txq->txq_fifo[txq->txq_tailidx])) { -+ INCR(txq->txq_tailidx, ATH_TXFIFO_DEPTH); - -- spin_lock_bh(&txq->axq_lock); -+ if (!list_empty(&txq->axq_q)) { -+ struct list_head bf_q; - -- if (!list_empty(&txq->txq_fifo_pending)) { -- INIT_LIST_HEAD(&bf_head); -- bf = list_first_entry(&txq->txq_fifo_pending, -- struct ath_buf, list); -- list_cut_position(&bf_head, -- &txq->txq_fifo_pending, -- &bf->bf_lastbf->list); -- ath_tx_txqaddbuf(sc, txq, &bf_head); -- } else if (sc->sc_flags & SC_OP_TXAGGR) -- ath_txq_schedule(sc, txq); -+ INIT_LIST_HEAD(&bf_q); -+ txq->axq_link = NULL; -+ list_splice_tail_init(&txq->axq_q, &bf_q); -+ ath_tx_txqaddbuf(sc, txq, &bf_q, true); -+ } -+ } - -+ ath_tx_process_buffer(sc, txq, &ts, bf, &bf_head); - spin_unlock_bh(&txq->axq_lock); - } - } --- a/net/mac80211/agg-rx.c +++ b/net/mac80211/agg-rx.c -@@ -161,6 +161,8 @@ static void ieee80211_send_addba_resp(st +@@ -176,6 +176,8 @@ static void ieee80211_send_addba_resp(st memcpy(mgmt->bssid, sdata->vif.addr, ETH_ALEN); else if (sdata->vif.type == NL80211_IFTYPE_STATION) memcpy(mgmt->bssid, sdata->u.mgd.bssid, ETH_ALEN); @@ -697,6 +9,19 @@ mgmt->frame_control = cpu_to_le16(IEEE80211_FTYPE_MGMT | IEEE80211_STYPE_ACTION); +@@ -262,7 +264,11 @@ void ieee80211_process_addba_request(str + "%pM on tid %u\n", + mgmt->sa, tid); + #endif /* CONFIG_MAC80211_HT_DEBUG */ +- goto end; ++ ++ /* delete existing Rx BA session on the same tid */ ++ ___ieee80211_stop_rx_ba_session(sta, tid, WLAN_BACK_RECIPIENT, ++ WLAN_STATUS_UNSPECIFIED_QOS, ++ false); + } + + /* prepare A-MPDU MLME for Rx aggregation */ --- a/net/mac80211/agg-tx.c +++ b/net/mac80211/agg-tx.c @@ -79,7 +79,8 @@ static void ieee80211_send_addba_request @@ -709,7 +34,7 @@ memcpy(mgmt->bssid, sdata->vif.addr, ETH_ALEN); else if (sdata->vif.type == NL80211_IFTYPE_STATION) memcpy(mgmt->bssid, sdata->u.mgd.bssid, ETH_ALEN); -@@ -388,7 +389,8 @@ int ieee80211_start_tx_ba_session(struct +@@ -398,7 +399,8 @@ int ieee80211_start_tx_ba_session(struct */ if (sdata->vif.type != NL80211_IFTYPE_STATION && sdata->vif.type != NL80211_IFTYPE_AP_VLAN && @@ -933,55 +258,821 @@ WLAN_STA_CLEAR_PS_FILT = 1<<9, WLAN_STA_MFP = 1<<10, WLAN_STA_BLOCK_BA = 1<<11, ---- a/drivers/net/wireless/ath/ath9k/debug.h -+++ b/drivers/net/wireless/ath/ath9k/debug.h -@@ -116,6 +116,7 @@ struct ath_tx_stats { - u32 tx_bytes_all; - u32 queued; - u32 completed; -+ u32 xretries; - u32 a_aggr; - u32 a_queued_hw; - u32 a_queued_sw; ---- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c -+++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c -@@ -4645,10 +4645,16 @@ static void ar9003_hw_set_power_per_rate - case 1: +--- a/drivers/net/wireless/ath/ath9k/beacon.c ++++ b/drivers/net/wireless/ath/ath9k/beacon.c +@@ -360,6 +360,7 @@ void ath_beacon_tasklet(unsigned long da + struct ath_common *common = ath9k_hw_common(ah); + struct ath_buf *bf = NULL; + struct ieee80211_vif *vif; ++ struct ath_tx_status ts; + int slot; + u32 bfaddr, bc = 0; + +@@ -384,7 +385,9 @@ void ath_beacon_tasklet(unsigned long da + ath_dbg(common, ATH_DBG_BSTUCK, + "beacon is officially stuck\n"); + sc->sc_flags |= SC_OP_TSF_RESET; ++ spin_lock(&sc->sc_pcu_lock); + ath_reset(sc, true); ++ spin_unlock(&sc->sc_pcu_lock); + } + + return; +@@ -464,6 +467,11 @@ void ath_beacon_tasklet(unsigned long da + ath9k_hw_txstart(ah, sc->beacon.beaconq); + + sc->beacon.ast_be_xmit += bc; /* XXX per-vif? */ ++ if (ah->caps.hw_caps & ATH9K_HW_CAP_EDMA) { ++ spin_lock_bh(&sc->sc_pcu_lock); ++ ath9k_hw_txprocdesc(ah, bf->bf_desc, (void *)&ts); ++ spin_unlock_bh(&sc->sc_pcu_lock); ++ } + } + } + +--- a/drivers/net/wireless/ath/ath9k/main.c ++++ b/drivers/net/wireless/ath/ath9k/main.c +@@ -617,8 +617,11 @@ void ath_hw_check(struct work_struct *wo + ath_dbg(common, ATH_DBG_RESET, "Possible baseband hang, " + "busy=%d (try %d)\n", busy, sc->hw_busy_count + 1); + if (busy >= 99) { +- if (++sc->hw_busy_count >= 3) ++ if (++sc->hw_busy_count >= 3) { ++ spin_lock_bh(&sc->sc_pcu_lock); + ath_reset(sc, true); ++ spin_unlock_bh(&sc->sc_pcu_lock); ++ } + } else if (busy >= 0) + sc->hw_busy_count = 0; + +@@ -637,7 +640,9 @@ static void ath_hw_pll_rx_hang_check(str + /* Rx is hung for more than 500ms. Reset it */ + ath_dbg(common, ATH_DBG_RESET, + "Possible RX hang, resetting"); ++ spin_lock_bh(&sc->sc_pcu_lock); + ath_reset(sc, true); ++ spin_unlock_bh(&sc->sc_pcu_lock); + count = 0; + } + } else +@@ -674,7 +679,9 @@ void ath9k_tasklet(unsigned long data) + + if ((status & ATH9K_INT_FATAL) || + (status & ATH9K_INT_BB_WATCHDOG)) { ++ spin_lock(&sc->sc_pcu_lock); + ath_reset(sc, true); ++ spin_unlock(&sc->sc_pcu_lock); + return; + } + +@@ -980,7 +987,6 @@ int ath_reset(struct ath_softc *sc, bool + del_timer_sync(&common->ani.timer); + + ath9k_ps_wakeup(sc); +- spin_lock_bh(&sc->sc_pcu_lock); + + ieee80211_stop_queues(hw); + +@@ -1023,7 +1029,6 @@ int ath_reset(struct ath_softc *sc, bool + } + + ieee80211_wake_queues(hw); +- spin_unlock_bh(&sc->sc_pcu_lock); + + /* Start ANI */ + if (!common->disable_ani) +@@ -2326,9 +2331,9 @@ static void ath9k_flush(struct ieee80211 + ath9k_ps_wakeup(sc); + spin_lock_bh(&sc->sc_pcu_lock); + drain_txq = ath_drain_all_txq(sc, false); +- spin_unlock_bh(&sc->sc_pcu_lock); + if (!drain_txq) + ath_reset(sc, false); ++ spin_unlock_bh(&sc->sc_pcu_lock); + ath9k_ps_restore(sc); + ieee80211_wake_queues(hw); + +--- a/drivers/net/wireless/ath/ath9k/xmit.c ++++ b/drivers/net/wireless/ath/ath9k/xmit.c +@@ -565,11 +565,8 @@ static void ath_tx_complete_aggr(struct + + rcu_read_unlock(); + +- if (needreset) { +- spin_unlock_bh(&sc->sc_pcu_lock); ++ if (needreset) + ath_reset(sc, false); +- spin_lock_bh(&sc->sc_pcu_lock); +- } + } + + static u32 ath_lookup_rate(struct ath_softc *sc, struct ath_buf *bf, +@@ -664,7 +661,8 @@ static int ath_compute_num_delims(struct + * TODO - this could be improved to be dependent on the rate. + * The hardware can keep up at lower rates, but not higher rates + */ +- if (fi->keyix != ATH9K_TXKEYIX_INVALID) ++ if ((fi->keyix != ATH9K_TXKEYIX_INVALID) && ++ !(sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_EDMA)) + ndelim += ATH_AGGR_ENCRYPTDELIM; + + /* +@@ -2169,7 +2167,9 @@ static void ath_tx_complete_poll_work(st + if (needreset) { + ath_dbg(ath9k_hw_common(sc->sc_ah), ATH_DBG_RESET, + "tx hung, resetting the chip\n"); ++ spin_lock_bh(&sc->sc_pcu_lock); + ath_reset(sc, true); ++ spin_unlock_bh(&sc->sc_pcu_lock); + } + + ieee80211_queue_delayed_work(sc->hw, &sc->tx_complete_work, +--- a/drivers/net/wireless/ath/ath9k/ar9003_paprd.c ++++ b/drivers/net/wireless/ath/ath9k/ar9003_paprd.c +@@ -236,7 +236,7 @@ static void ar9003_paprd_get_gain_table( + memset(entry, 0, sizeof(ah->paprd_gain_table_entries)); + memset(index, 0, sizeof(ah->paprd_gain_table_index)); + +- for (i = 0; i < 32; i++) { ++ for (i = 0; i < PAPRD_GAIN_TABLE_ENTRIES; i++) { + entry[i] = REG_READ(ah, reg); + index[i] = (entry[i] >> 24) & 0xff; + reg += 4; +@@ -246,13 +246,13 @@ static void ar9003_paprd_get_gain_table( + static unsigned int ar9003_get_desired_gain(struct ath_hw *ah, int chain, + int target_power) + { +- int olpc_gain_delta = 0; ++ int olpc_gain_delta = 0, cl_gain_mod; + int alpha_therm, alpha_volt; + int therm_cal_value, volt_cal_value; + int therm_value, volt_value; + int thermal_gain_corr, voltage_gain_corr; + int desired_scale, desired_gain = 0; +- u32 reg; ++ u32 reg_olpc = 0, reg_cl_gain = 0; + + REG_CLR_BIT(ah, AR_PHY_PAPRD_TRAINER_STAT1, + AR_PHY_PAPRD_TRAINER_STAT1_PAPRD_TRAIN_DONE); +@@ -271,15 +271,29 @@ static unsigned int ar9003_get_desired_g + volt_value = REG_READ_FIELD(ah, AR_PHY_BB_THERM_ADC_4, + AR_PHY_BB_THERM_ADC_4_LATEST_VOLT_VALUE); + +- if (chain == 0) +- reg = AR_PHY_TPC_11_B0; +- else if (chain == 1) +- reg = AR_PHY_TPC_11_B1; +- else +- reg = AR_PHY_TPC_11_B2; ++ switch (chain) { ++ case 0: ++ reg_olpc = AR_PHY_TPC_11_B0; ++ reg_cl_gain = AR_PHY_CL_TAB_0; ++ break; ++ case 1: ++ reg_olpc = AR_PHY_TPC_11_B1; ++ reg_cl_gain = AR_PHY_CL_TAB_1; ++ break; ++ case 2: ++ reg_olpc = AR_PHY_TPC_11_B2; ++ reg_cl_gain = AR_PHY_CL_TAB_2; ++ break; ++ default: ++ ath_dbg(ath9k_hw_common(ah), ATH_DBG_CALIBRATE, ++ "Invalid chainmask: %d\n", chain); ++ break; ++ } + +- olpc_gain_delta = REG_READ_FIELD(ah, reg, ++ olpc_gain_delta = REG_READ_FIELD(ah, reg_olpc, + AR_PHY_TPC_11_OLPC_GAIN_DELTA); ++ cl_gain_mod = REG_READ_FIELD(ah, reg_cl_gain, ++ AR_PHY_CL_TAB_CL_GAIN_MOD); + + if (olpc_gain_delta >= 128) + olpc_gain_delta = olpc_gain_delta - 256; +@@ -289,7 +303,7 @@ static unsigned int ar9003_get_desired_g + voltage_gain_corr = (alpha_volt * (volt_value - volt_cal_value) + + (128 / 2)) / 128; + desired_gain = target_power - olpc_gain_delta - thermal_gain_corr - +- voltage_gain_corr + desired_scale; ++ voltage_gain_corr + desired_scale + cl_gain_mod; + + return desired_gain; + } +@@ -727,7 +741,7 @@ int ar9003_paprd_setup_gain_table(struct + desired_gain = ar9003_get_desired_gain(ah, chain, train_power); + + gain_index = 0; +- for (i = 0; i < 32; i++) { ++ for (i = 0; i < PAPRD_GAIN_TABLE_ENTRIES; i++) { + if (ah->paprd_gain_table_index[i] >= desired_gain) + break; + gain_index++; +--- a/drivers/net/wireless/ath/ath9k/ar9003_phy.h ++++ b/drivers/net/wireless/ath/ath9k/ar9003_phy.h +@@ -1121,6 +1121,9 @@ + #define AR_PHY_POWERTX_RATE8_POWERTXHT40_5 0x3F00 + #define AR_PHY_POWERTX_RATE8_POWERTXHT40_5_S 8 + ++#define AR_PHY_CL_TAB_CL_GAIN_MOD 0x1f ++#define AR_PHY_CL_TAB_CL_GAIN_MOD_S 0 ++ + void ar9003_hw_set_chain_masks(struct ath_hw *ah, u8 rx, u8 tx); + + #endif /* AR9003_PHY_H */ +--- a/drivers/net/wireless/ath/ath5k/eeprom.c ++++ b/drivers/net/wireless/ath/ath5k/eeprom.c +@@ -691,14 +691,12 @@ ath5k_eeprom_free_pcal_info(struct ath5k + if (!chinfo[pier].pd_curves) + continue; + +- for (pdg = 0; pdg < ee->ee_pd_gains[mode]; pdg++) { ++ for (pdg = 0; pdg < AR5K_EEPROM_N_PD_CURVES; pdg++) { + struct ath5k_pdgain_info *pd = + &chinfo[pier].pd_curves[pdg]; + +- if (pd != NULL) { +- kfree(pd->pd_step); +- kfree(pd->pd_pwr); +- } ++ kfree(pd->pd_step); ++ kfree(pd->pd_pwr); + } + + kfree(chinfo[pier].pd_curves); +--- a/drivers/net/wireless/ath/ath9k/ar9003_mac.c ++++ b/drivers/net/wireless/ath/ath9k/ar9003_mac.c +@@ -229,6 +229,7 @@ static void ar9003_hw_fill_txdesc(struct + static int ar9003_hw_proc_txdesc(struct ath_hw *ah, void *ds, + struct ath_tx_status *ts) + { ++ struct ar9003_txc *txc = (struct ar9003_txc *) ds; + struct ar9003_txs *ads; + u32 status; + +@@ -238,7 +239,11 @@ static int ar9003_hw_proc_txdesc(struct + if ((status & AR_TxDone) == 0) + return -EINPROGRESS; + +- ah->ts_tail = (ah->ts_tail + 1) % ah->ts_size; ++ ts->qid = MS(ads->ds_info, AR_TxQcuNum); ++ if (!txc || (MS(txc->info, AR_TxQcuNum) == ts->qid)) ++ ah->ts_tail = (ah->ts_tail + 1) % ah->ts_size; ++ else ++ return -ENOENT; + + if ((MS(ads->ds_info, AR_DescId) != ATHEROS_VENDOR_ID) || + (MS(ads->ds_info, AR_TxRxDesc) != 1)) { +@@ -254,7 +259,6 @@ static int ar9003_hw_proc_txdesc(struct + ts->ts_seqnum = MS(status, AR_SeqNum); + ts->tid = MS(status, AR_TxTid); + +- ts->qid = MS(ads->ds_info, AR_TxQcuNum); + ts->desc_id = MS(ads->status1, AR_TxDescId); + ts->ts_tstamp = ads->status4; + ts->ts_status = 0; +--- a/net/mac80211/wpa.c ++++ b/net/mac80211/wpa.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + + #include "ieee80211_i.h" + #include "michael.h" +@@ -86,6 +87,11 @@ ieee80211_rx_h_michael_mic_verify(struct + struct sk_buff *skb = rx->skb; + struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); + struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; ++ int queue = rx->queue; ++ ++ /* otherwise, TKIP is vulnerable to TID 0 vs. non-QoS replays */ ++ if (rx->queue == NUM_RX_DATA_QUEUES - 1) ++ queue = 0; + + /* + * it makes no sense to check for MIC errors on anything other +@@ -148,8 +154,8 @@ ieee80211_rx_h_michael_mic_verify(struct + + update_iv: + /* update IV in key information to be able to detect replays */ +- rx->key->u.tkip.rx[rx->queue].iv32 = rx->tkip_iv32; +- rx->key->u.tkip.rx[rx->queue].iv16 = rx->tkip_iv16; ++ rx->key->u.tkip.rx[queue].iv32 = rx->tkip_iv32; ++ rx->key->u.tkip.rx[queue].iv16 = rx->tkip_iv16; + + return RX_CONTINUE; + +@@ -165,6 +171,7 @@ static int tkip_encrypt_skb(struct ieee8 + struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; + struct ieee80211_key *key = tx->key; + struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); ++ unsigned long flags; + unsigned int hdrlen; + int len, tail; + u8 *pos; +@@ -192,11 +199,12 @@ static int tkip_encrypt_skb(struct ieee8 + pos += hdrlen; + + /* Increase IV for the frame */ ++ spin_lock_irqsave(&key->u.tkip.txlock, flags); + key->u.tkip.tx.iv16++; + if (key->u.tkip.tx.iv16 == 0) + key->u.tkip.tx.iv32++; +- +- pos = ieee80211_tkip_add_iv(pos, key, key->u.tkip.tx.iv16); ++ pos = ieee80211_tkip_add_iv(pos, key); ++ spin_unlock_irqrestore(&key->u.tkip.txlock, flags); + + /* hwaccel - with software IV */ + if (info->control.hw_key) +@@ -205,9 +213,8 @@ static int tkip_encrypt_skb(struct ieee8 + /* Add room for ICV */ + skb_put(skb, TKIP_ICV_LEN); + +- hdr = (struct ieee80211_hdr *) skb->data; + return ieee80211_tkip_encrypt_data(tx->local->wep_tx_tfm, +- key, pos, len, hdr->addr2); ++ key, skb, pos, len); + } + + +@@ -235,6 +242,11 @@ ieee80211_crypto_tkip_decrypt(struct iee + struct ieee80211_key *key = rx->key; + struct sk_buff *skb = rx->skb; + struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); ++ int queue = rx->queue; ++ ++ /* otherwise, TKIP is vulnerable to TID 0 vs. non-QoS replays */ ++ if (rx->queue == NUM_RX_DATA_QUEUES - 1) ++ queue = 0; + + hdrlen = ieee80211_hdrlen(hdr->frame_control); + +@@ -255,7 +267,7 @@ ieee80211_crypto_tkip_decrypt(struct iee + res = ieee80211_tkip_decrypt_data(rx->local->wep_rx_tfm, + key, skb->data + hdrlen, + skb->len - hdrlen, rx->sta->sta.addr, +- hdr->addr1, hwaccel, rx->queue, ++ hdr->addr1, hwaccel, queue, + &rx->tkip_iv32, + &rx->tkip_iv16); + if (res != TKIP_DECRYPT_OK) +@@ -283,6 +295,8 @@ static void ccmp_special_blocks(struct s + unsigned int hdrlen; + struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; + ++ memset(scratch, 0, 6 * AES_BLOCK_LEN); ++ + b_0 = scratch + 3 * AES_BLOCK_LEN; + aad = scratch + 4 * AES_BLOCK_LEN; + +@@ -373,8 +387,10 @@ static int ccmp_encrypt_skb(struct ieee8 + struct ieee80211_key *key = tx->key; + struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); + int hdrlen, len, tail; +- u8 *pos, *pn; +- int i; ++ u8 *pos; ++ u8 pn[6]; ++ u64 pn64; ++ u8 scratch[6 * AES_BLOCK_LEN]; + + if (info->control.hw_key && + !(info->control.hw_key->flags & IEEE80211_KEY_FLAG_GENERATE_IV)) { +@@ -402,14 +418,14 @@ static int ccmp_encrypt_skb(struct ieee8 + hdr = (struct ieee80211_hdr *) pos; + pos += hdrlen; + +- /* PN = PN + 1 */ +- pn = key->u.ccmp.tx_pn; ++ pn64 = atomic64_inc_return(&key->u.ccmp.tx_pn); + +- for (i = CCMP_PN_LEN - 1; i >= 0; i--) { +- pn[i]++; +- if (pn[i]) +- break; +- } ++ pn[5] = pn64; ++ pn[4] = pn64 >> 8; ++ pn[3] = pn64 >> 16; ++ pn[2] = pn64 >> 24; ++ pn[1] = pn64 >> 32; ++ pn[0] = pn64 >> 40; + + ccmp_pn2hdr(pos, pn, key->conf.keyidx); + +@@ -418,8 +434,8 @@ static int ccmp_encrypt_skb(struct ieee8 + return 0; + + pos += CCMP_HDR_LEN; +- ccmp_special_blocks(skb, pn, key->u.ccmp.tx_crypto_buf, 0); +- ieee80211_aes_ccm_encrypt(key->u.ccmp.tfm, key->u.ccmp.tx_crypto_buf, pos, len, ++ ccmp_special_blocks(skb, pn, scratch, 0); ++ ieee80211_aes_ccm_encrypt(key->u.ccmp.tfm, scratch, pos, len, + pos, skb_put(skb, CCMP_MIC_LEN)); + + return 0; +@@ -475,11 +491,12 @@ ieee80211_crypto_ccmp_decrypt(struct iee + } + + if (!(status->flag & RX_FLAG_DECRYPTED)) { ++ u8 scratch[6 * AES_BLOCK_LEN]; + /* hardware didn't decrypt/verify MIC */ +- ccmp_special_blocks(skb, pn, key->u.ccmp.rx_crypto_buf, 1); ++ ccmp_special_blocks(skb, pn, scratch, 1); + + if (ieee80211_aes_ccm_decrypt( +- key->u.ccmp.tfm, key->u.ccmp.rx_crypto_buf, ++ key->u.ccmp.tfm, scratch, + skb->data + hdrlen + CCMP_HDR_LEN, data_len, + skb->data + skb->len - CCMP_MIC_LEN, + skb->data + hdrlen + CCMP_HDR_LEN)) +--- a/drivers/net/wireless/b43/xmit.c ++++ b/drivers/net/wireless/b43/xmit.c +@@ -323,8 +323,7 @@ int b43_generate_txhdr(struct b43_wldev + /* we give the phase1key and iv16 here, the key is stored in + * shm. With that the hardware can do phase 2 and encryption. + */ +- ieee80211_get_tkip_key(info->control.hw_key, skb_frag, +- IEEE80211_TKIP_P1_KEY, (u8*)phase1key); ++ ieee80211_get_tkip_p1k(info->control.hw_key, skb_frag, phase1key); + /* phase1key is in host endian. Copy to little-endian txhdr->iv. */ + for (i = 0; i < 5; i++) { + txhdr->iv[i * 2 + 0] = phase1key[i]; +--- a/drivers/net/wireless/iwlegacy/iwl-4965-tx.c ++++ b/drivers/net/wireless/iwlegacy/iwl-4965-tx.c +@@ -240,8 +240,7 @@ static void iwl4965_tx_cmd_build_hwcrypt + + case WLAN_CIPHER_SUITE_TKIP: + tx_cmd->sec_ctl = TX_CMD_SEC_TKIP; +- ieee80211_get_tkip_key(keyconf, skb_frag, +- IEEE80211_TKIP_P2_KEY, tx_cmd->key); ++ ieee80211_get_tkip_p2k(keyconf, skb_frag, tx_cmd->key); + IWL_DEBUG_TX(priv, "tx_cmd with tkip hwcrypto\n"); break; - case 2: -- scaledPower -= REDUCE_SCALED_POWER_BY_TWO_CHAIN; -+ if (scaledPower > REDUCE_SCALED_POWER_BY_TWO_CHAIN) -+ scaledPower -= REDUCE_SCALED_POWER_BY_TWO_CHAIN; -+ else -+ scaledPower = 0; + +--- a/drivers/net/wireless/iwlwifi/iwl-agn-tx.c ++++ b/drivers/net/wireless/iwlwifi/iwl-agn-tx.c +@@ -497,8 +497,7 @@ static void iwlagn_tx_cmd_build_hwcrypto + + case WLAN_CIPHER_SUITE_TKIP: + tx_cmd->sec_ctl = TX_CMD_SEC_TKIP; +- ieee80211_get_tkip_key(keyconf, skb_frag, +- IEEE80211_TKIP_P2_KEY, tx_cmd->key); ++ ieee80211_get_tkip_p2k(keyconf, skb_frag, tx_cmd->key); + IWL_DEBUG_TX(priv, "tx_cmd with tkip hwcrypto\n"); break; - case 3: -- scaledPower -= REDUCE_SCALED_POWER_BY_THREE_CHAIN; -+ if (scaledPower > REDUCE_SCALED_POWER_BY_THREE_CHAIN) -+ scaledPower -= REDUCE_SCALED_POWER_BY_THREE_CHAIN; -+ else -+ scaledPower = 0; + +--- a/include/net/mac80211.h ++++ b/include/net/mac80211.h +@@ -960,21 +960,6 @@ enum sta_notify_cmd { + }; + + /** +- * enum ieee80211_tkip_key_type - get tkip key +- * +- * Used by drivers which need to get a tkip key for skb. Some drivers need a +- * phase 1 key, others need a phase 2 key. A single function allows the driver +- * to get the key, this enum indicates what type of key is required. +- * +- * @IEEE80211_TKIP_P1_KEY: the driver needs a phase 1 key +- * @IEEE80211_TKIP_P2_KEY: the driver needs a phase 2 key +- */ +-enum ieee80211_tkip_key_type { +- IEEE80211_TKIP_P1_KEY, +- IEEE80211_TKIP_P2_KEY, +-}; +- +-/** + * enum ieee80211_hw_flags - hardware flags + * + * These flags are used to indicate hardware capabilities to +@@ -2568,21 +2553,33 @@ struct sk_buff * + ieee80211_get_buffered_bc(struct ieee80211_hw *hw, struct ieee80211_vif *vif); + + /** +- * ieee80211_get_tkip_key - get a TKIP rc4 for skb ++ * ieee80211_get_tkip_p1k - get a TKIP phase 1 key ++ * ++ * This function returns the TKIP phase 1 key for the IV32 taken ++ * from the given packet. ++ * ++ * @keyconf: the parameter passed with the set key ++ * @skb: the packet to take the IV32 value from that will be encrypted ++ * with this P1K ++ * @p1k: a buffer to which the key will be written, as 5 u16 values ++ */ ++void ieee80211_get_tkip_p1k(struct ieee80211_key_conf *keyconf, ++ struct sk_buff *skb, u16 *p1k); ++ ++/** ++ * ieee80211_get_tkip_p2k - get a TKIP phase 2 key + * +- * This function computes a TKIP rc4 key for an skb. It computes +- * a phase 1 key if needed (iv16 wraps around). This function is to +- * be used by drivers which can do HW encryption but need to compute +- * to phase 1/2 key in SW. ++ * This function computes the TKIP RC4 key for the IV values ++ * in the packet. + * + * @keyconf: the parameter passed with the set key +- * @skb: the skb for which the key is needed +- * @type: TBD +- * @key: a buffer to which the key will be written +- */ +-void ieee80211_get_tkip_key(struct ieee80211_key_conf *keyconf, +- struct sk_buff *skb, +- enum ieee80211_tkip_key_type type, u8 *key); ++ * @skb: the packet to take the IV32/IV16 values from that will be ++ * encrypted with this key ++ * @p2k: a buffer to which the key will be written, 16 bytes ++ */ ++void ieee80211_get_tkip_p2k(struct ieee80211_key_conf *keyconf, ++ struct sk_buff *skb, u8 *p2k); ++ + /** + * ieee80211_wake_queue - wake specific queue + * @hw: pointer as obtained from ieee80211_alloc_hw(). +--- a/net/mac80211/key.c ++++ b/net/mac80211/key.c +@@ -333,6 +333,7 @@ struct ieee80211_key *ieee80211_key_allo + get_unaligned_le16(seq); + } + } ++ spin_lock_init(&key->u.tkip.txlock); break; + case WLAN_CIPHER_SUITE_CCMP: + key->conf.iv_len = CCMP_HDR_LEN; +--- a/net/mac80211/key.h ++++ b/net/mac80211/key.h +@@ -52,9 +52,10 @@ enum ieee80211_internal_tkip_state { + }; + + struct tkip_ctx { +- u32 iv32; +- u16 iv16; +- u16 p1k[5]; ++ u32 iv32; /* current iv32 */ ++ u16 iv16; /* current iv16 */ ++ u16 p1k[5]; /* p1k cache */ ++ u32 p1k_iv32; /* iv32 for which p1k computed */ + enum ieee80211_internal_tkip_state state; + }; + +@@ -71,6 +72,9 @@ struct ieee80211_key { + + union { + struct { ++ /* protects tx context */ ++ spinlock_t txlock; ++ + /* last used TSC */ + struct tkip_ctx tx; + +@@ -78,7 +82,7 @@ struct ieee80211_key { + struct tkip_ctx rx[NUM_RX_DATA_QUEUES]; + } tkip; + struct { +- u8 tx_pn[6]; ++ atomic64_t tx_pn; + /* + * Last received packet number. The first + * NUM_RX_DATA_QUEUES counters are used with Data +@@ -88,12 +92,9 @@ struct ieee80211_key { + u8 rx_pn[NUM_RX_DATA_QUEUES + 1][6]; + struct crypto_cipher *tfm; + u32 replays; /* dot11RSNAStatsCCMPReplays */ +- /* scratch buffers for virt_to_page() (crypto API) */ + #ifndef AES_BLOCK_LEN + #define AES_BLOCK_LEN 16 + #endif +- u8 tx_crypto_buf[6 * AES_BLOCK_LEN]; +- u8 rx_crypto_buf[6 * AES_BLOCK_LEN]; + } ccmp; + struct { + u8 tx_pn[6]; +--- a/net/mac80211/tkip.c ++++ b/net/mac80211/tkip.c +@@ -101,6 +101,7 @@ static void tkip_mixing_phase1(const u8 + p1k[4] += tkipS(p1k[3] ^ get_unaligned_le16(tk + 0 + j)) + i; } + ctx->state = TKIP_STATE_PHASE1_DONE; ++ ctx->p1k_iv32 = tsc_IV32; + } + + static void tkip_mixing_phase2(const u8 *tk, struct tkip_ctx *ctx, +@@ -140,60 +141,72 @@ static void tkip_mixing_phase2(const u8 + /* Add TKIP IV and Ext. IV at @pos. @iv0, @iv1, and @iv2 are the first octets + * of the IV. Returns pointer to the octet following IVs (i.e., beginning of + * the packet payload). */ +-u8 *ieee80211_tkip_add_iv(u8 *pos, struct ieee80211_key *key, u16 iv16) ++u8 *ieee80211_tkip_add_iv(u8 *pos, struct ieee80211_key *key) + { +- pos = write_tkip_iv(pos, iv16); ++ lockdep_assert_held(&key->u.tkip.txlock); ++ ++ pos = write_tkip_iv(pos, key->u.tkip.tx.iv16); + *pos++ = (key->conf.keyidx << 6) | (1 << 5) /* Ext IV */; + put_unaligned_le32(key->u.tkip.tx.iv32, pos); + return pos + 4; + } + +-void ieee80211_get_tkip_key(struct ieee80211_key_conf *keyconf, +- struct sk_buff *skb, enum ieee80211_tkip_key_type type, +- u8 *outkey) ++static void ieee80211_compute_tkip_p1k(struct ieee80211_key *key, u32 iv32) + { +- struct ieee80211_key *key = (struct ieee80211_key *) +- container_of(keyconf, struct ieee80211_key, conf); +- struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; +- u8 *data; +- const u8 *tk; +- struct tkip_ctx *ctx; +- u16 iv16; +- u32 iv32; +- +- data = (u8 *)hdr + ieee80211_hdrlen(hdr->frame_control); +- iv16 = data[2] | (data[0] << 8); +- iv32 = get_unaligned_le32(&data[4]); +- +- tk = &key->conf.key[NL80211_TKIP_DATA_OFFSET_ENCR_KEY]; +- ctx = &key->u.tkip.tx; +- +-#ifdef CONFIG_MAC80211_TKIP_DEBUG +- printk(KERN_DEBUG "TKIP encrypt: iv16 = 0x%04x, iv32 = 0x%08x\n", +- iv16, iv32); ++ struct ieee80211_sub_if_data *sdata = key->sdata; ++ struct tkip_ctx *ctx = &key->u.tkip.tx; ++ const u8 *tk = &key->conf.key[NL80211_TKIP_DATA_OFFSET_ENCR_KEY]; + +- if (iv32 != ctx->iv32) { +- printk(KERN_DEBUG "skb: iv32 = 0x%08x key: iv32 = 0x%08x\n", +- iv32, ctx->iv32); +- printk(KERN_DEBUG "Wrap around of iv16 in the middle of a " +- "fragmented packet\n"); +- } +-#endif ++ lockdep_assert_held(&key->u.tkip.txlock); + +- /* Update the p1k only when the iv16 in the packet wraps around, this +- * might occur after the wrap around of iv16 in the key in case of +- * fragmented packets. */ +- if (iv16 == 0 || ctx->state == TKIP_STATE_NOT_INIT) +- tkip_mixing_phase1(tk, ctx, hdr->addr2, iv32); ++ /* ++ * Update the P1K when the IV32 is different from the value it ++ * had when we last computed it (or when not initialised yet). ++ * This might flip-flop back and forth if packets are processed ++ * out-of-order due to the different ACs, but then we have to ++ * just compute the P1K more often. ++ */ ++ if (ctx->p1k_iv32 != iv32 || ctx->state == TKIP_STATE_NOT_INIT) ++ tkip_mixing_phase1(tk, ctx, sdata->vif.addr, iv32); ++} + +- if (type == IEEE80211_TKIP_P1_KEY) { +- memcpy(outkey, ctx->p1k, sizeof(u16) * 5); +- return; +- } ++void ieee80211_get_tkip_p1k(struct ieee80211_key_conf *keyconf, ++ struct sk_buff *skb, u16 *p1k) ++{ ++ struct ieee80211_key *key = (struct ieee80211_key *) ++ container_of(keyconf, struct ieee80211_key, conf); ++ struct tkip_ctx *ctx = &key->u.tkip.tx; ++ struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; ++ const u8 *data = (u8 *)hdr + ieee80211_hdrlen(hdr->frame_control); ++ u32 iv32 = get_unaligned_le32(&data[4]); ++ unsigned long flags; ++ ++ spin_lock_irqsave(&key->u.tkip.txlock, flags); ++ ieee80211_compute_tkip_p1k(key, iv32); ++ memcpy(p1k, ctx->p1k, sizeof(ctx->p1k)); ++ spin_unlock_irqrestore(&key->u.tkip.txlock, flags); ++} ++EXPORT_SYMBOL(ieee80211_get_tkip_p1k); + +- tkip_mixing_phase2(tk, ctx, iv16, outkey); ++void ieee80211_get_tkip_p2k(struct ieee80211_key_conf *keyconf, ++ struct sk_buff *skb, u8 *p2k) ++{ ++ struct ieee80211_key *key = (struct ieee80211_key *) ++ container_of(keyconf, struct ieee80211_key, conf); ++ const u8 *tk = &key->conf.key[NL80211_TKIP_DATA_OFFSET_ENCR_KEY]; ++ struct tkip_ctx *ctx = &key->u.tkip.tx; ++ struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)skb->data; ++ const u8 *data = (u8 *)hdr + ieee80211_hdrlen(hdr->frame_control); ++ u32 iv32 = get_unaligned_le32(&data[4]); ++ u16 iv16 = data[2] | (data[0] << 8); ++ unsigned long flags; ++ ++ spin_lock_irqsave(&key->u.tkip.txlock, flags); ++ ieee80211_compute_tkip_p1k(key, iv32); ++ tkip_mixing_phase2(tk, ctx, iv16, p2k); ++ spin_unlock_irqrestore(&key->u.tkip.txlock, flags); + } +-EXPORT_SYMBOL(ieee80211_get_tkip_key); ++EXPORT_SYMBOL(ieee80211_get_tkip_p2k); + + /* + * Encrypt packet payload with TKIP using @key. @pos is a pointer to the +@@ -204,19 +217,15 @@ EXPORT_SYMBOL(ieee80211_get_tkip_key); + */ + int ieee80211_tkip_encrypt_data(struct crypto_cipher *tfm, + struct ieee80211_key *key, +- u8 *pos, size_t payload_len, u8 *ta) ++ struct sk_buff *skb, ++ u8 *payload, size_t payload_len) + { + u8 rc4key[16]; +- struct tkip_ctx *ctx = &key->u.tkip.tx; +- const u8 *tk = &key->conf.key[NL80211_TKIP_DATA_OFFSET_ENCR_KEY]; +- +- /* Calculate per-packet key */ +- if (ctx->iv16 == 0 || ctx->state == TKIP_STATE_NOT_INIT) +- tkip_mixing_phase1(tk, ctx, ta, ctx->iv32); + +- tkip_mixing_phase2(tk, ctx, ctx->iv16, rc4key); ++ ieee80211_get_tkip_p2k(&key->conf, skb, rc4key); + +- return ieee80211_wep_encrypt_data(tfm, rc4key, 16, pos, payload_len); ++ return ieee80211_wep_encrypt_data(tfm, rc4key, 16, ++ payload, payload_len); + } ---- a/drivers/net/wireless/ath/ath9k/eeprom_9287.c -+++ b/drivers/net/wireless/ath/ath9k/eeprom_9287.c -@@ -524,10 +524,16 @@ static void ath9k_hw_set_ar9287_power_pe - case 1: + /* Decrypt packet payload with TKIP using @key. @pos is a pointer to the +--- a/net/mac80211/tkip.h ++++ b/net/mac80211/tkip.h +@@ -13,11 +13,13 @@ + #include + #include "key.h" + +-u8 *ieee80211_tkip_add_iv(u8 *pos, struct ieee80211_key *key, u16 iv16); ++u8 *ieee80211_tkip_add_iv(u8 *pos, struct ieee80211_key *key); + + int ieee80211_tkip_encrypt_data(struct crypto_cipher *tfm, +- struct ieee80211_key *key, +- u8 *pos, size_t payload_len, u8 *ta); ++ struct ieee80211_key *key, ++ struct sk_buff *skb, ++ u8 *payload, size_t payload_len); ++ + enum { + TKIP_DECRYPT_OK = 0, + TKIP_DECRYPT_NO_EXT_IV = -1, +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -209,6 +209,7 @@ static int ieee80211_get_key(struct wiph + u8 seq[6] = {0}; + struct key_params params; + struct ieee80211_key *key = NULL; ++ u64 pn64; + u32 iv32; + u16 iv16; + int err = -ENOENT; +@@ -256,12 +257,13 @@ static int ieee80211_get_key(struct wiph + params.seq_len = 6; + break; + case WLAN_CIPHER_SUITE_CCMP: +- seq[0] = key->u.ccmp.tx_pn[5]; +- seq[1] = key->u.ccmp.tx_pn[4]; +- seq[2] = key->u.ccmp.tx_pn[3]; +- seq[3] = key->u.ccmp.tx_pn[2]; +- seq[4] = key->u.ccmp.tx_pn[1]; +- seq[5] = key->u.ccmp.tx_pn[0]; ++ pn64 = atomic64_read(&key->u.ccmp.tx_pn); ++ seq[0] = pn64; ++ seq[1] = pn64 >> 8; ++ seq[2] = pn64 >> 16; ++ seq[3] = pn64 >> 24; ++ seq[4] = pn64 >> 32; ++ seq[5] = pn64 >> 40; + params.seq = seq; + params.seq_len = 6; break; - case 2: -- scaledPower -= REDUCE_SCALED_POWER_BY_TWO_CHAIN; -+ if (scaledPower > REDUCE_SCALED_POWER_BY_TWO_CHAIN) -+ scaledPower -= REDUCE_SCALED_POWER_BY_TWO_CHAIN; -+ else -+ scaledPower = 0; +--- a/net/mac80211/debugfs_key.c ++++ b/net/mac80211/debugfs_key.c +@@ -79,6 +79,7 @@ static ssize_t key_tx_spec_read(struct f + size_t count, loff_t *ppos) + { + const u8 *tpn; ++ u64 pn; + char buf[20]; + int len; + struct ieee80211_key *key = file->private_data; +@@ -94,9 +95,10 @@ static ssize_t key_tx_spec_read(struct f + key->u.tkip.tx.iv16); break; - case 3: -- scaledPower -= REDUCE_SCALED_POWER_BY_THREE_CHAIN; -+ if (scaledPower > REDUCE_SCALED_POWER_BY_THREE_CHAIN) -+ scaledPower -= REDUCE_SCALED_POWER_BY_THREE_CHAIN; -+ else -+ scaledPower = 0; + case WLAN_CIPHER_SUITE_CCMP: +- tpn = key->u.ccmp.tx_pn; ++ pn = atomic64_read(&key->u.ccmp.tx_pn); + len = scnprintf(buf, sizeof(buf), "%02x%02x%02x%02x%02x%02x\n", +- tpn[0], tpn[1], tpn[2], tpn[3], tpn[4], tpn[5]); ++ (u8)(pn >> 40), (u8)(pn >> 32), (u8)(pn >> 24), ++ (u8)(pn >> 16), (u8)(pn >> 8), (u8)pn); break; - } - scaledPower = max((u16)0, scaledPower); + case WLAN_CIPHER_SUITE_AES_CMAC: + tpn = key->u.aes_cmac.tx_pn;