On continuous loading and unloading of AR6004 ath6kl USB
driver it triggers a panic due to NULL pointer dereference of
'target' pointer.

while true; do sudo modprobe -v ath6kl_core;
sudo modprobe -v ath6kl_usb; sudo modprobe -r usb;
sudo modprobe -r ath6kl_core; done

ar->htc_target can be NULL due to a race condition that can occur
during driver initialization(we do 'ath6kl_hif_power_on' before
initializing 'ar->htc_target' via 'ath6kl_htc_create').
'ath6kl_hif_power_on' assigns 'ath6kl_recv_complete' as
usb_complete_t/callback function for 'usb_fill_bulk_urb'.
Thus the possibility of ar->htc_target being NULL
via ath6kl_recv_complete -> ath6kl_usb_io_comp_work
before even 'ath6kl_htc_create' is finished to initialize
ar->htc_create.

Worth noting is the obvious solution  of doing 'ath6kl_hif_power_on'
later(i.e after we are done with 'ath6kl_htc_create', causes a
h/w bring up failure in AR6003 SDIO, as 'ath6kl_hif_power_on' is a
pre-requisite to get the target version 'ath6kl_bmi_get_target_info'.
So simply check for NULL pointer for 'ar->htc_target' and bail out.

[23614.518282] BUG: unable to handle kernel NULL pointer dereference at
00000904
[23614.518463] IP: [<c012e7a6>] __ticket_spin_trylock+0x6/0x30
[23614.518570] *pde = 00000000
[23614.518664] Oops: 0000 [#1] SMP
[23614.518795] Modules linked in: ath6kl_usb(O+) ath6kl_core(O)
[23614.520012] EIP: 0060:[<c012e7a6>] EFLAGS: 00010286 CPU: 0
[23614.520012] EIP is at __ticket_spin_trylock+0x6/0x30
Call Trace:
	[<c03f2a44>] do_raw_spin_trylock+0x14/0x40
	[<c06daa12>] _raw_spin_lock_bh+0x52/0x80
	[<f85464b4>] ? ath6kl_htc_pipe_rx_complete+0x3b4/0x4c0 [ath6kl_core]
	[<f85464b4>] ath6kl_htc_pipe_rx_complete+0x3b4/0x4c0 [ath6kl_core]
	[<c05bc272>] ? skb_dequeue+0x22/0x70
	[<c05bc272>] ? skb_dequeue+0x22/0x70
	[<f855bb32>] ath6kl_core_rx_complete+0x12/0x20 [ath6kl_core]
	[<f848771a>] ath6kl_usb_io_comp_work+0xaa/0xb0 [ath6kl_usb]
	[<c015b863>] process_one_work+0x1a3/0x5e0
	[<c015b7e7>] ? process_one_work+0x127/0x5e0
	[<f8487670>] ? ath6kl_usb_reset_resume+0x30/0x30 [ath6kl_usb]
	[<c015bfde>] worker_thread+0x11e/0x3f0
	Kernel panic - not syncing: Fatal exception in interrupt
Signed-off-by: NMohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

dev_kfree_skb kernel API itself takes for checking for NULL
skb, so an explicit check is not required.
Signed-off-by: NMohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

Assign 'true' to the bool variable instead of needless typecasting.
Signed-off-by: NMohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

WLAN_ENABLED is vif specific, not part of
the driver's struct ath6kl. Proper clearing
of this flag is already taken care in
ath6kl_cleanup_vif.

Cc: wei-jen jlin <jenlin@qca.qualcomm.com>
Signed-off-by: NMohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

Just use WARN_ON rather than an if containing only WARN_ON(1).

A simplified version of the semantic patch that makes this transformation
is as follows: (http://coccinelle.lip6.fr/)

// <smpl>
@@
expression e;
@@
- if (e) WARN_ON(1);
+ WARN_ON(e);
// </smpl>
Signed-off-by: NJulia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

Power Save Enabled : REC_POWER - conserve power
without sacrificing performance.
Power Save Disabled : MAX_PERF_POWER - maximum
performance at the expense of power.
Hence fix the debug message.
Signed-off-by: NMohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

As ath6kl firmware can't do intersections the driver should only listen
to regdom changes from cellular base stations, all other requests need to
be refused.
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

Make use of SDIO CRC error workaround hardware flag and avoid
target revision checks.
Signed-off-by: NMohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

AR6004(UB134) firmware supports only LP Endpoint, So map
all Access Categories to Low Priority endpoints. This fixes a WPA2
connection issue as the uplink(tx) endpoint is appropriately
mapped in sync with the firmware.
Tested-by: NBen Gray <ben.r.gray@gmail.com>
Reported-by: NBen Gray <ben.r.gray@gmail.com>
Signed-off-by: NMohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

Currently AR6004 handles the inactivity timeout resolution
in minutes rather than seconds. So parse the inactivity timeout
to the firmware in minutes. For now we will cleanup the
inactive station entries to the nearest converted minutes
(ex:  an inactive time of 70 seconds would take atleast 2 - 3 minutes)
Tested with surprise removal of client cards/host shutdown.

Cc: Manikandan Radhakrishnan <mradhakr@qca.qualcomm.com>
Reported-by: NLeela Kella <leela@qca.qualcomm.com>
Signed-off-by: NMohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

Rename ATH6KL_HW_FLAG_64BIT_RATES to ATH6KL_HW_64BIT_RATES.
This seemed to be necessary to add/use new hardware flags
without exceeding 80 lines. We shall be adding new hw flags
dropping the FLAG term.
Signed-off-by: NMohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

Incase the resource allocation for the struct ath6kl_urb_context in the
function ath6kl_usb_alloc_pipe_resources fails, return this error
case so that ath6kl_usb_probe is aware of this error case.
Signed-off-by: NMohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

These checks are no longer needed as the necessary
USB support is already present in the driver.
Signed-off-by: NMohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

Endpoint ID is checked to make sure it is valid.
Signed-off-by: NPandiyarajan Pitchaimuthu <c_ppitch@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

The variable assigned_ep can be assigned value of -1 and is never
checked if it equals -1. So the endpoint array can have -1  as the index
value and can be out of bounds.

The value of assigned_ep is checked for -1 and is ensured that the
endpoint array doesn't go out of bounds.
Signed-off-by: NPandiyarajan Pitchaimuthu <c_ppitch@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

When a station tries to connect to an AP and if the MAC of the
station is in the AP's block list, the station cannot connect to the
AP. This is notified to the userspace with event
NL80211_CMD_CONN_FAILED and attribute NL80211_ATTR_CONN_FAILED_REASON.
The reason sent will be NL80211_CONN_FAIL_BLOCKED_CLIENT.
Signed-off-by: NPandiyarajan Pitchaimuthu <c_ppitch@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

When a station requests connection to an AP, that has already been
connected to the maximum number of stations it can support, an event
is sent to user space via NL80211_CMD_CONN_FAILED command and reason
attribute NL80211_ATTR_CONN_FAILED_REASON with
NL80211_CONN_FAIL_MAX_CLIENTS as reason.
Signed-off-by: NPandiyarajan Pitchaimuthu <c_ppitch@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

The skb->tail pointer of rx buffers is not adjusted
after skb->data pointer is aligned to 4-byte, this
causes random rx data corruption.
Signed-off-by: NJin Navy <nhjin@qca.qualcomm.com>
Signed-off-by: NVasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

It's safe to check endpoint id values before it get
really used. Found this on code review.
Signed-off-by: NRaja Mani <rmani@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

There are 28 items defined in rate table array 'wmi_rate_tbl'.
The rate table index (reply->rate_index) in ath6kl_wmi_bitrate_reply_rx()
func is not checked for the valid max limit index before accessing
rate table array. There may be some incidents to get memory crashes
without safe max check. Fix this.

Found this on code review.
Signed-off-by: NRaja Mani <rmani@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

Return value of ath6kl_get_regpair() is stored in 'regpair' in
ath6kl_wmi_regdomain_event() func and it's directly accessed
in the debug prints without checking for NULL value. There are
situation to get NULL pointer as a return value from
ath6kl_get_regpair() func. Fix this.

Found this on code review.
Signed-off-by: NRaja Mani <rmani@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

Disallowing any wmi commands while re-initializing the
firmware results in connection failures after recovery
is done in open/WEP mode. To fix this, clear WMI_READY,
to make sure no wmi command is tried while fw is down.
Remove ATH6KL_STATE_RECOVERY state check in ath6kl_control_tx()
so that any configuration during fw init time will go through
using wmi commands.
Signed-off-by: NVasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

Using list_move_tail() instead of list_del() + list_add_tail().

spatch with a semantic match is used to found this problem.
(http://coccinelle.lip6.fr/)
Signed-off-by: NWei Yongjun <yongjun_wei@trendmicro.com.cn>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

gcc 4.8 warns

/backup/lsrc/git/linux-lto-2.6/drivers/net/wireless/ath/ath6kl/sdio.c:
In function 'ath6kl_sdio_enable_scatter':
/backup/lsrc/git/linux-lto-2.6/drivers/net/wireless/ath/ath6kl/sdio.c:748:16:
warning: 'ret' may be used uninitialized in this function
[-Wmaybe-uninitialized]
  if (virt_scat || ret) {
                ^

The variable can indeed be uninitialized when the previous if branch is
skipped. I just set it to zero for now. I'm not fully sure the fix is
correct, maybe the || should be an && ?
Signed-off-by: NAndi Kleen <ak@linux.intel.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

Add a modparam to configure recovery. Recovery
from firmware error is disabled by default to debug
the actual issue further. To recovery from error,
modprobe ath6kl_core recovery_enable=1.
Reported-by: NJin Navy <nhjin@qca.qualcomm.com>
Signed-off-by: NVasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

Add a bit in ath6kl_dev_state to maintian the run time state
of firmware recovery configuration. This would help to have
user configuration in fw_recovery which will be added in
a separate patch.
Signed-off-by: NVasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

Checking for recovery state just before re-arming hb_timer is not
necessary, this should be done at the begining of the timer instead.
Signed-off-by: NVasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

hb_timer should be scheduled only when hb_poll is non-zero.
But in ath6kl_recovery_work() the timer is scheduled based
on fw_recovery.enable instead which is wrong.
Signed-off-by: NVasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

In some error conditions, fw pauses HTC pipes which would
result in control endpoint full condition. When we hit this
case, most of the time the device will be unusable. Re-initialize
the target to recover from this situation.
Signed-off-by: NVasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

This patch adds support to detect fw error condition by sending
periodic message (heart beat challenge) to firmware. Upon reception
of the message, fw would send a response event to driver. When
there are no reponses from fw for about 5 cmd driver would
trigger the recovery logic assuming that fw has gone into an
error state.

Capable fw will advertise this capability through
ATH6KL_FW_CAPABILITY_HEART_BEAT_POLL bit. This feature
is disabled by default, can be enabled through a modparam
(heart_beat_poll). This modparam also confiures the polling
interval in msecs.
Signed-off-by: NVasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

Re-initialize the target when fw crash is reported.
This would make the device functional again after
target crash. During the target re-initialization
it is made sure that target is not bugged with data/cmd
request, ar->state ATH6KL_STATE_RECOVERY is used
for this purpose.
Signed-off-by: NVasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

So that these functions will be used to re-initialize the fw
upon detecting fw error. This refactoring moves ar->state
setting out of core stop/start functionality.
Signed-off-by: NVasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

The MSB of rate index from FW is used for sgi. But the ath6kl_wmi_get_rate
doesn't handle it. The access to wmi_rate_tbl array may be out of range
if sgi is 1. This may cause the return value of ath6kl_wmi_get_rate()
function is incorrect link rate. We add sgi adjustment to avoid such case.

kvalo: change patch title
Signed-off-by: NDengke Qiu <dqiu@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

a minor cleanup in assigning the driver specific network type
based on interface type.
Signed-off-by: NMohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

Since WOW_MASK_SIZE and WOW_PATTERN_SIZE have the same value, are
logically equivalent, and part of the WMI API so therefore unlikely to
change, consolidate these into WOW_PATTERN_SIZE.

Reported-by Kalle Valo <kvalo@qualcomm.com>
Signed-off-by: NThomas Pedersen <c_tpeder@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

This patch reflects changes in the firmware scheduled scan
implementation to behave better in cases with multiple concurrent vifs.
Major changes:

	- scheduled scan filters and state are now programmed per-vif.
	- decouple scheduled scan from host sleep.

To maintain graceful failure with old firmwares, a new firmware
capability bit is introduced: ATH6KL_FW_CAPABILITY_SCHED_SCAN_V2.
ath6kl simply won't advertise scheduled scan to cfg80211 if the
SCHED_SCAN_V2 is not supported.

Since firmwares from here on out won't support the previous implicit API
for scheduled scan (set WoW filters and host sleep), bump the firmware
API to protect old drivers.

Unfortunately, due to firmware RAM constraints ath6kl still cannot
expect a scan complete event at the end of a scheduled scan results
cycle, so the sched_scan_timer is retained.
Signed-off-by: NThomas Pedersen <c_tpeder@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

ath6kl_usb_init() does not check usb_register() return value.
As a result it may incorrectly report success of driver initialization.

Found by Linux Driver Verification project (linuxtesting.org).

kvalo: fix commit title and make cosmetic changes to the code to follow
more the style used in the driver
Signed-off-by: NMarina Makienko <makienko@ispras.ru>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

We bail out from ath6kl_tx_complete() if any of the sanity
checks on skb and ath6kl_cookie fails. By doing this we
potentially leak few remaining buffers in packet_queue.
Make sure to proceed processing the remaining buffers
as well. This issue is found during code review.
Reported-by: NWang yufeng <yufengw@qca.qualcomm.com>
Signed-off-by: NVasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

skb given to ath6kl_control_tx() is owned by ath6kl_control_tx().
Calling function should not free the skb for error cases.
This is found during code review.

kvalo: fix a checkpatch warning in ath6kl_wmi_cmd_send()
Signed-off-by: NVasanthakumar Thiagarajan <vthiagar@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>

If the firmware decides to initiate a channel switch on an AP vif
running an RSN BSS, reconfigure the saved RSN IE capabilities as well.

Fixes a bug where the beacon and 4-way handshake would have a capability
mismatch after a channel switch, since the firmware apparently clears
these on an AP disconnect.
Signed-off-by: NThomas Pedersen <c_tpeder@qca.qualcomm.com>
Signed-off-by: NKalle Valo <kvalo@qca.qualcomm.com>