From 09987790aebd48c176ab559ebb68c925bbf6ef4d Mon Sep 17 00:00:00 2001
From: Felix Fietkau <nbd@openwrt.org>
Date: Tue, 19 Dec 2006 22:52:16 +0000
Subject: add two patches from madwifi trac ticket 914 - should fix multiple
 wlanconfig create/destroy runs and a few wds related crashes

git-svn-id: svn://svn.openwrt.org/openwrt/trunk@5865 3c298f89-4303-0410-b956-a3cf2f4a3e73
---
 package/madwifi/patches/110-init_fix_PR_914.patch | 22 ++++++++++++
 package/madwifi/patches/111-wds_fix_PR_914.patch  | 43 +++++++++++++++++++++++
 2 files changed, 65 insertions(+)
 create mode 100644 package/madwifi/patches/110-init_fix_PR_914.patch
 create mode 100644 package/madwifi/patches/111-wds_fix_PR_914.patch

diff --git a/package/madwifi/patches/110-init_fix_PR_914.patch b/package/madwifi/patches/110-init_fix_PR_914.patch
new file mode 100644
index 0000000000..b6a0ca2b7d
--- /dev/null
+++ b/package/madwifi/patches/110-init_fix_PR_914.patch
@@ -0,0 +1,22 @@
+Doing ifconfig athX down/ifconfig athX up several times provokes kernel crash.
+See http://madwifi.org/ticket/914. But if ath_hal_phydisable() is skipped  -
+I observe NO CRASH whatsoever ... :\ Weird.
+
+Signed-off-by: Mindaugas Kriaučiūnas <mindaugas.kriauciunas@gmail.com>
+Signed-off-by: Žilvinas Valinskas <valins@soften.ktu.lt>
+
+Index: madwifi-ng-trunk/ath/if_ath.c
+===================================================================
+--- madwifi-ng-trunk.orig/ath/if_ath.c	2006-10-16 17:40:50.000000000 +0300
++++ madwifi-ng-trunk/ath/if_ath.c	2006-10-18 16:17:32.000000000 +0300
+@@ -1997,7 +1997,10 @@
+ 		ath_draintxq(sc);
+ 		if (!sc->sc_invalid) {
+ 			ath_stoprecv(sc);
++
++			/* XXX: this helps to avoid crashes on ifconfig down/up
+ 			ath_hal_phydisable(ah);
++			 */
+ 		} else
+ 			sc->sc_rxlink = NULL;
+ 		ath_beacon_free(sc);		/* XXX needed? */
diff --git a/package/madwifi/patches/111-wds_fix_PR_914.patch b/package/madwifi/patches/111-wds_fix_PR_914.patch
new file mode 100644
index 0000000000..3f8607de62
--- /dev/null
+++ b/package/madwifi/patches/111-wds_fix_PR_914.patch
@@ -0,0 +1,43 @@
+WDS related crash is observed. This causes by possible random memory
+writes/accesss. Note how wds is freed, yet it will be used further in
+loop ...
+
+Other usages in the tree of LIST_FOREACH() when element is found and
+acted up on element, loop is immediately break (either via break, or
+return). But not in this case ...
+
+Signed-off-by: Mindaugas Kriaučiūnas <mindaugas.kriauciunas@gmail.com>
+Signed-off-by: Žilvinas Valinskas <valins@soften.ktu.lt>
+
+Index: madwifi-ng-trunk/net80211/ieee80211_node.c
+===================================================================
+--- madwifi-ng-trunk.orig/net80211/ieee80211_node.c	2006-09-25 13:28:08.000000000 +0300
++++ madwifi-ng-trunk/net80211/ieee80211_node.c	2006-10-18 15:59:40.000000000 +0300
+@@ -961,11 +961,11 @@
+ ieee80211_del_wds_node(struct ieee80211_node_table *nt, struct ieee80211_node *ni)
+ {
+ 	int hash;
+-	struct ieee80211_wds_addr *wds;
++	struct ieee80211_wds_addr *wds, *next;
+ 
+ 	IEEE80211_NODE_LOCK_IRQ(nt);
+ 	for (hash = 0; hash < IEEE80211_NODE_HASHSIZE; hash++) {
+-		LIST_FOREACH(wds, &nt->nt_wds_hash[hash], wds_hash) {
++		LIST_FOREACH_SAFE(wds, &nt->nt_wds_hash[hash], wds_hash, next) {
+ 			if (wds->wds_ni == ni) {
+ 				if (ieee80211_node_dectestref(ni)) {
+ 					_ieee80211_free_node(ni);
+@@ -984,11 +984,11 @@
+ {
+ 	struct ieee80211_node_table *nt = (struct ieee80211_node_table *)data;
+ 	int hash;
+-	struct ieee80211_wds_addr *wds;
++	struct ieee80211_wds_addr *wds, *next;
+ 
+ 	IEEE80211_NODE_LOCK_IRQ(nt);
+ 	for (hash = 0; hash < IEEE80211_NODE_HASHSIZE; hash++) {
+-		LIST_FOREACH(wds, &nt->nt_wds_hash[hash], wds_hash) {
++		LIST_FOREACH_SAFE(wds, &nt->nt_wds_hash[hash], wds_hash, next) {
+ 			if (wds->wds_agingcount != WDS_AGING_STATIC) {
+ 				if (!wds->wds_agingcount) {
+ 					if (ieee80211_node_dectestref(wds->wds_ni)) {
-- 
cgit v1.2.3