Merge tag 'iwlwifi-for-kalle-2017-07-21' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-fixes

Some iwlwifi fixes for 4.13:

* A few NULL pointer dereferences in the recovery flow;
* A small but important fix for IBSS;
* A one-liner fix for tracing, which was including too much data;
* Some of these are bugzilla bug fixes;

8 files changed, 34 insertions, 9 deletions

diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/tx.c b/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
index adaa2f0097cc..fb40ddfced99 100644
--- a/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/dvm/tx.c
@@ -1189,11 +1189,11 @@ void iwlagn_rx_reply_tx(struct iwl_priv *priv, struct iwl_rx_cmd_buffer *rxb)
                                 next_reclaimed;
                         IWL_DEBUG_TX_REPLY(priv, "Next reclaimed packet:%d\n",
                                                   next_reclaimed);
+                        iwlagn_check_ratid_empty(priv, sta_id, tid);
                 }
 
                 iwl_trans_reclaim(priv->trans, txq_id, ssn, &skbs);
 
-                iwlagn_check_ratid_empty(priv, sta_id, tid);
                 freed = 0;
 
                 /* process frames */
diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-devtrace.h b/drivers/net/wireless/intel/iwlwifi/iwl-devtrace.h
index 545d14b0bc92..f5c1127253cb 100644
--- a/drivers/net/wireless/intel/iwlwifi/iwl-devtrace.h
+++ b/drivers/net/wireless/intel/iwlwifi/iwl-devtrace.h
@@ -55,8 +55,8 @@ static inline bool iwl_trace_data(struct sk_buff *skb)
         /* also account for the RFC 1042 header, of course */
         offs += 6;
 
-        return skb->len > offs + 2 &&
-               *(__be16 *)(skb->data + offs) == cpu_to_be16(ETH_P_PAE);
+        return skb->len <= offs + 2 ||
+                *(__be16 *)(skb->data + offs) != cpu_to_be16(ETH_P_PAE);
 }
 
 static inline size_t iwl_rx_trace_len(const struct iwl_trans *trans,
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
index bcde1ba0f1c8..c7b1e58e3384 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
@@ -1084,7 +1084,13 @@ int __iwl_mvm_mac_start(struct iwl_mvm *mvm)
 
         lockdep_assert_held(&mvm->mutex);
 
-        if (test_bit(IWL_MVM_STATUS_IN_HW_RESTART, &mvm->status)) {
+        if (test_bit(IWL_MVM_STATUS_HW_RESTART_REQUESTED, &mvm->status)) {
+                /*
+                 * Now convert the HW_RESTART_REQUESTED flag to IN_HW_RESTART
+                 * so later code will - from now on - see that we're doing it.
+                 */
+                set_bit(IWL_MVM_STATUS_IN_HW_RESTART, &mvm->status);
+                clear_bit(IWL_MVM_STATUS_HW_RESTART_REQUESTED, &mvm->status);
                 /* Clean up some internal and mac80211 state on restart */
                 iwl_mvm_restart_cleanup(mvm);
         } else {
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
index eaacfaf37206..ddd8719f27b8 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mvm.h
@@ -1090,6 +1090,7 @@ struct iwl_mvm {
  * @IWL_MVM_STATUS_HW_RFKILL: HW RF-kill is asserted
  * @IWL_MVM_STATUS_HW_CTKILL: CT-kill is active
  * @IWL_MVM_STATUS_ROC_RUNNING: remain-on-channel is running
+ * @IWL_MVM_STATUS_HW_RESTART_REQUESTED: HW restart was requested
  * @IWL_MVM_STATUS_IN_HW_RESTART: HW restart is active
  * @IWL_MVM_STATUS_IN_D0I3: NIC is in D0i3
  * @IWL_MVM_STATUS_ROC_AUX_RUNNING: AUX remain-on-channel is running
@@ -1101,6 +1102,7 @@ enum iwl_mvm_status {
         IWL_MVM_STATUS_HW_RFKILL,
         IWL_MVM_STATUS_HW_CTKILL,
         IWL_MVM_STATUS_ROC_RUNNING,
+        IWL_MVM_STATUS_HW_RESTART_REQUESTED,
         IWL_MVM_STATUS_IN_HW_RESTART,
         IWL_MVM_STATUS_IN_D0I3,
         IWL_MVM_STATUS_ROC_AUX_RUNNING,
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
index 4d1188b8736a..9c175d5e9d67 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/ops.c
@@ -1235,9 +1235,8 @@ void iwl_mvm_nic_restart(struct iwl_mvm *mvm, bool fw_error)
          */
         if (!mvm->fw_restart && fw_error) {
                 iwl_mvm_fw_dbg_collect_desc(mvm, &iwl_mvm_dump_desc_assert,
-                                            NULL);
-        } else if (test_and_set_bit(IWL_MVM_STATUS_IN_HW_RESTART,
-                                    &mvm->status)) {
+                                        NULL);
+        } else if (test_bit(IWL_MVM_STATUS_IN_HW_RESTART, &mvm->status)) {
                 struct iwl_mvm_reprobe *reprobe;
 
                 IWL_ERR(mvm,
@@ -1268,6 +1267,7 @@ void iwl_mvm_nic_restart(struct iwl_mvm *mvm, bool fw_error)
 
                 if (fw_error && mvm->fw_restart > 0)
                         mvm->fw_restart--;
+                set_bit(IWL_MVM_STATUS_HW_RESTART_REQUESTED, &mvm->status);
                 ieee80211_restart_hw(mvm->hw);
         }
 }
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
index 4df5f13fcdae..ab66b4394dfc 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/sta.c
@@ -277,6 +277,18 @@ static void iwl_mvm_rx_agg_session_expired(unsigned long data)
 
         /* Timer expired */
         sta = rcu_dereference(ba_data->mvm->fw_id_to_mac_id[ba_data->sta_id]);
+
+        /*
+         * sta should be valid unless the following happens:
+         * The firmware asserts which triggers a reconfig flow, but
+         * the reconfig fails before we set the pointer to sta into
+         * the fw_id_to_mac_id pointer table. Mac80211 can't stop
+         * A-MDPU and hence the timer continues to run. Then, the
+         * timer expires and sta is NULL.
+         */
+        if (!sta)
+                goto unlock;
+
         mvm_sta = iwl_mvm_sta_from_mac80211(sta);
         ieee80211_stop_rx_ba_session_offl(mvm_sta->vif,
                                           sta->addr, ba_data->tid);
@@ -2015,7 +2027,8 @@ int iwl_mvm_send_add_bcast_sta(struct iwl_mvm *mvm, struct ieee80211_vif *vif)
                                                 IWL_MAX_TID_COUNT,
                                                 wdg_timeout);
 
-                if (vif->type == NL80211_IFTYPE_AP)
+                if (vif->type == NL80211_IFTYPE_AP ||
+                    vif->type == NL80211_IFTYPE_ADHOC)
                         mvm->probe_queue = queue;
                 else if (vif->type == NL80211_IFTYPE_P2P_DEVICE)
                         mvm->p2p_dev_queue = queue;
diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
index 92b3a55d0fbc..f95eec52508e 100644
--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
@@ -3150,7 +3150,8 @@ struct iwl_trans *iwl_trans_pcie_alloc(struct pci_dev *pdev,
         init_waitqueue_head(&trans_pcie->d0i3_waitq);
 
         if (trans_pcie->msix_enabled) {
-                if (iwl_pcie_init_msix_handler(pdev, trans_pcie))
+                ret = iwl_pcie_init_msix_handler(pdev, trans_pcie);
+                if (ret)
                         goto out_no_pci;
          } else {
                 ret = iwl_pcie_alloc_ict(trans);
diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
index de50418adae5..034bdb4a0b06 100644
--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx.c
@@ -298,6 +298,9 @@ void iwl_pcie_txq_check_wrptrs(struct iwl_trans *trans)
         for (i = 0; i < trans->cfg->base_params->num_of_queues; i++) {
                 struct iwl_txq *txq = trans_pcie->txq[i];
 
+                if (!test_bit(i, trans_pcie->queue_used))
+                        continue;
+
                 spin_lock_bh(&txq->lock);
                 if (txq->need_update) {
                         iwl_pcie_txq_inc_wr_ptr(trans, txq);