From 1913e57cf9a7be4565c56a3fbfd85106919ea006 Mon Sep 17 00:00:00 2001
From: Mathias Jeppsson <mathias.jeppsson@sonymobile.com>
Date: Sat, 7 Jul 2012 00:53:18 +0200
Subject: [PATCH 1/8] NFC: Fix empty HCI message list check

list_first_entry() will never return NULL. Instead use
list_for_each_entry_safe() to iterate through the list.

Signed-off-by: Mathias Jeppsson <mathias.jeppsson@sonymobile.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
---
 net/nfc/hci/core.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/net/nfc/hci/core.c b/net/nfc/hci/core.c
index e1a640d2b588..da6e039c8606 100644
--- a/net/nfc/hci/core.c
+++ b/net/nfc/hci/core.c
@@ -682,13 +682,12 @@ EXPORT_SYMBOL(nfc_hci_register_device);
 
 void nfc_hci_unregister_device(struct nfc_hci_dev *hdev)
 {
-	struct hci_msg *msg;
+	struct hci_msg *msg, *n;
 
 	skb_queue_purge(&hdev->rx_hcp_frags);
 	skb_queue_purge(&hdev->msg_rx_queue);
 
-	while ((msg = list_first_entry(&hdev->msg_tx_queue, struct hci_msg,
-				       msg_l)) != NULL) {
+	list_for_each_entry_safe(msg, n, &hdev->msg_tx_queue, msg_l) {
 		list_del(&msg->msg_l);
 		skb_queue_purge(&msg->msg_frags);
 		kfree(msg);

From f8bf65bf3688835f95f7c74f5c844a64b2743a42 Mon Sep 17 00:00:00 2001
From: Mathias Jeppsson <mathias.jeppsson@sonymobile.com>
Date: Sat, 7 Jul 2012 00:53:19 +0200
Subject: [PATCH 2/8] NFC: Fix order of arguments to list_add_tail() when
 queueing HCP frames

The HCP message should be added to transmit queue, not the other way around.

Signed-off-by: Mathias Jeppsson <mathias.jeppsson@sonymobile.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
---
 net/nfc/hci/hcp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/nfc/hci/hcp.c b/net/nfc/hci/hcp.c
index 7212cf2c5785..f4dad1a89740 100644
--- a/net/nfc/hci/hcp.c
+++ b/net/nfc/hci/hcp.c
@@ -105,7 +105,7 @@ int nfc_hci_hcp_message_tx(struct nfc_hci_dev *hdev, u8 pipe,
 	}
 
 	mutex_lock(&hdev->msg_tx_mutex);
-	list_add_tail(&hdev->msg_tx_queue, &cmd->msg_l);
+	list_add_tail(&cmd->msg_l, &hdev->msg_tx_queue);
 	mutex_unlock(&hdev->msg_tx_mutex);
 
 	queue_work(hdev->msg_tx_wq, &hdev->msg_tx_work);

From 353d09c6ceedc1cb0c54fe5002c0ca80b6ee6e4f Mon Sep 17 00:00:00 2001
From: Christian Lamparter <chunkeey@googlemail.com>
Date: Sat, 7 Jul 2012 15:07:13 +0200
Subject: [PATCH 3/8] mac80211: fix read outside array bounds

ieee802_1d_to_ac is defined as a const int[8],
but the tid parameter has a range from 0 to 15.

Cc: stable@vger.kernel.org
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
---
 net/mac80211/tx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index e453212fa17f..85cf32d2f7b5 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -2733,7 +2733,7 @@ EXPORT_SYMBOL(ieee80211_get_buffered_bc);
 void ieee80211_tx_skb_tid(struct ieee80211_sub_if_data *sdata,
 			  struct sk_buff *skb, int tid)
 {
-	int ac = ieee802_1d_to_ac[tid];
+	int ac = ieee802_1d_to_ac[tid & 7];
 
 	skb_set_mac_header(skb, 0);
 	skb_set_network_header(skb, 0);

From 7c41f3159ca4f04dfc22c791fd96d3d057dcaf90 Mon Sep 17 00:00:00 2001
From: Chun-Yeow Yeoh <yeohchunyeow@gmail.com>
Date: Wed, 11 Jul 2012 16:28:21 +0800
Subject: [PATCH 4/8] mac80211: Fix the Problem of Unreachable Mesh STA from DS

This patch fixes the problem of unreachable mesh STA from
Distribution System (DS) due to the introduction of previous
patch solving the mesh STA joining from one MBSS to another
MBSS.

Reported-by: Georgiewskiy Yuriy <bottleman@icf.org.ru>
Signed-off-by: Chun-Yeow Yeoh <yeohchunyeow@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
---
 net/mac80211/tx.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 85cf32d2f7b5..eab0d19eb4bd 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1836,6 +1836,9 @@ netdev_tx_t ieee80211_subif_start_xmit(struct sk_buff *skb,
 					/* RA TA mDA mSA AE:DA SA */
 					mesh_da = mppath->mpp;
 					is_mesh_mcast = 0;
+				} else if (mpath) {
+					mesh_da = mpath->dst;
+					is_mesh_mcast = 0;
 				} else {
 					/* DA TA mSA AE:SA */
 					mesh_da = bcast;

From 89e1180121f281af16855d4954b9fe3d7354fe73 Mon Sep 17 00:00:00 2001
From: Thomas Huehn <thomas@net.t-labs.tu-berlin.de>
Date: Wed, 11 Jul 2012 13:21:41 +0200
Subject: [PATCH 5/8] mwl8k: fix possible race condition in info->control.sta
 use

info->control.sta may only be dereferenced during the drv_tx call otherwise
could lead to use-after-free bugs

Reported-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Thomas Huehn <thomas@net.t-labs.tu-berlin.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
---
 drivers/net/wireless/mwl8k.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/mwl8k.c b/drivers/net/wireless/mwl8k.c
index cf7bdc66f822..224e03ade145 100644
--- a/drivers/net/wireless/mwl8k.c
+++ b/drivers/net/wireless/mwl8k.c
@@ -1665,7 +1665,9 @@ mwl8k_txq_reclaim(struct ieee80211_hw *hw, int index, int limit, int force)
 
 		info = IEEE80211_SKB_CB(skb);
 		if (ieee80211_is_data(wh->frame_control)) {
-			sta = info->control.sta;
+			rcu_read_lock();
+			sta = ieee80211_find_sta_by_ifaddr(hw, wh->addr1,
+							   wh->addr2);
 			if (sta) {
 				sta_info = MWL8K_STA(sta);
 				BUG_ON(sta_info == NULL);
@@ -1682,6 +1684,7 @@ mwl8k_txq_reclaim(struct ieee80211_hw *hw, int index, int limit, int force)
 					sta_info->is_ampdu_allowed = true;
 				}
 			}
+			rcu_read_unlock();
 		}
 
 		ieee80211_tx_info_clear_status(info);

From fe020120cb863ba918c6d603345342a880272c4d Mon Sep 17 00:00:00 2001
From: Amitkumar Karwar <akarwar@marvell.com>
Date: Wed, 11 Jul 2012 18:12:57 -0700
Subject: [PATCH 6/8] mwifiex: correction in mcs index check

mwifiex driver supports 2x2 chips as well. Hence valid mcs values
are 0 to 15. The check for mcs index is corrected in this patch.

For example: if 40MHz is enabled and mcs index is 11, "iw link"
command would show "tx bitrate: 108.0 MBit/s" without this patch.
Now it shows "tx bitrate: 108.0 MBit/s MCS 11 40Mhz" with the patch.

Cc: "3.2.y, 3.3.y, 3.4.y" <stable@vger.kernel.org>
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
---
 drivers/net/wireless/mwifiex/cfg80211.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/mwifiex/cfg80211.c b/drivers/net/wireless/mwifiex/cfg80211.c
index 5c7fd185373c..76b5c0f021fa 100644
--- a/drivers/net/wireless/mwifiex/cfg80211.c
+++ b/drivers/net/wireless/mwifiex/cfg80211.c
@@ -634,9 +634,9 @@ mwifiex_dump_station_info(struct mwifiex_private *priv,
 
 	/*
 	 * Bit 0 in tx_htinfo indicates that current Tx rate is 11n rate. Valid
-	 * MCS index values for us are 0 to 7.
+	 * MCS index values for us are 0 to 15.
 	 */
-	if ((priv->tx_htinfo & BIT(0)) && (priv->tx_rate < 8)) {
+	if ((priv->tx_htinfo & BIT(0)) && (priv->tx_rate < 16)) {
 		sinfo->txrate.mcs = priv->tx_rate;
 		sinfo->txrate.flags |= RATE_INFO_FLAGS_MCS;
 		/* 40MHz rate */

From 81b3039557faf1359f40494003aaade745de6c24 Mon Sep 17 00:00:00 2001
From: Eric Lapuyade <eric.lapuyade@intel.com>
Date: Thu, 12 Jul 2012 20:27:54 +0200
Subject: [PATCH 7/8] NFC: Set target nfcid1 for all HCI reader A targets

Without the discovered target nfcid1 and its length set properly, type 2
tags detection fails with the pn544 as it checks for them from
pn544_hci_complete_target_discovered().

Signed-off-by: Eric Lapuyade <eric.lapuyade@intel.com>
Reported-by: Mathias Jeppsson <mathias.jeppsson@sonymobile.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
---
 net/nfc/hci/core.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/net/nfc/hci/core.c b/net/nfc/hci/core.c
index da6e039c8606..4896ef13f83d 100644
--- a/net/nfc/hci/core.c
+++ b/net/nfc/hci/core.c
@@ -170,6 +170,7 @@ static int nfc_hci_target_discovered(struct nfc_hci_dev *hdev, u8 gate)
 	struct nfc_target *targets;
 	struct sk_buff *atqa_skb = NULL;
 	struct sk_buff *sak_skb = NULL;
+	struct sk_buff *uid_skb = NULL;
 	int r;
 
 	pr_debug("from gate %d\n", gate);
@@ -205,6 +206,19 @@ static int nfc_hci_target_discovered(struct nfc_hci_dev *hdev, u8 gate)
 		targets->sens_res = be16_to_cpu(*(u16 *)atqa_skb->data);
 		targets->sel_res = sak_skb->data[0];
 
+		r = nfc_hci_get_param(hdev, NFC_HCI_RF_READER_A_GATE,
+				      NFC_HCI_RF_READER_A_UID, &uid_skb);
+		if (r < 0)
+			goto exit;
+
+		if (uid_skb->len == 0 || uid_skb->len > NFC_NFCID1_MAXSIZE) {
+			r = -EPROTO;
+			goto exit;
+		}
+
+		memcpy(targets->nfcid1, uid_skb->data, uid_skb->len);
+		targets->nfcid1_len = uid_skb->len;
+
 		if (hdev->ops->complete_target_discovered) {
 			r = hdev->ops->complete_target_discovered(hdev, gate,
 								  targets);
@@ -240,6 +254,7 @@ exit:
 	kfree(targets);
 	kfree_skb(atqa_skb);
 	kfree_skb(sak_skb);
+	kfree_skb(uid_skb);
 
 	return r;
 }

From 8a70e7f8f3081770238fbe19f78116af1d4b0652 Mon Sep 17 00:00:00 2001
From: Dave Jones <davej@redhat.com>
Date: Thu, 12 Jul 2012 19:17:34 +0200
Subject: [PATCH 8/8] NFC: NCI module license 'unspecified' taints kernel

Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
---
 net/nfc/nci/core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/nfc/nci/core.c b/net/nfc/nci/core.c
index d560e6f13072..f18f207fd3a3 100644
--- a/net/nfc/nci/core.c
+++ b/net/nfc/nci/core.c
@@ -27,6 +27,7 @@
 
 #define pr_fmt(fmt) KBUILD_MODNAME ": %s: " fmt, __func__
 
+#include <linux/module.h>
 #include <linux/types.h>
 #include <linux/workqueue.h>
 #include <linux/completion.h>
@@ -878,3 +879,5 @@ static void nci_cmd_work(struct work_struct *work)
 			  jiffies + msecs_to_jiffies(NCI_CMD_TIMEOUT));
 	}
 }
+
+MODULE_LICENSE("GPL");