From 0cd13c53c149d64a721c46dfb49aff9525add12d Mon Sep 17 00:00:00 2001
From: Felix Fietkau
Date: Tue, 2 Aug 2016 11:14:55 +0200
Subject: [PATCH] mac80211: fix minor memleak on AP restart / warning on driver unload
Signed-off-by: Felix Fietkau
---
...ix-purging-multicast-PS-buffer-queue.patch | 54 +++++++++++++++++++
1 file changed, 54 insertions(+)
create mode 100644 package/kernel/mac80211/patches/334-mac80211-fix-purging-multicast-PS-buffer-queue.patch
diff --git a/package/kernel/mac80211/patches/334-mac80211-fix-purging-multicast-PS-buffer-queue.patch b/package/kernel/mac80211/patches/334-mac80211-fix-purging-multicast-PS-buffer-queue.patch
new file mode 100644
index 0000000000..dfcc6e4565
--- /dev/null
+++ b/package/kernel/mac80211/patches/334-mac80211-fix-purging-multicast-PS-buffer-queue.patch
@@ -0,0 +1,54 @@
+From: Felix Fietkau
+Date: Tue, 2 Aug 2016 11:11:13 +0200
+Subject: [PATCH] mac80211: fix purging multicast PS buffer queue
+
+The code currently assumes that buffered multicast PS frames don't have
+a pending ACK frame for tx status reporting.
+However, hostapd sends a broadcast deauth frame on teardown for which tx
+status is requested. This can lead to the "Have pending ack frames"
+warning on module reload.
+Fix this by using ieee80211_free_txskb/ieee80211_purge_tx_queue.
+
+Signed-off-by: Felix Fietkau
+---
+
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -868,7 +868,7 @@ static int ieee80211_stop_ap(struct wiph
+
+ /* free all potentially still buffered bcast frames */
+ local->total_ps_buffered -= skb_queue_len(&sdata->u.ap.ps.bc_buf);
+- skb_queue_purge(&sdata->u.ap.ps.bc_buf);
++ ieee80211_purge_tx_queue(&local->hw, &sdata->u.ap.ps.bc_buf);
+
+ mutex_lock(&local->mtx);
+ ieee80211_vif_copy_chanctx_to_vlans(sdata, true);
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -368,7 +368,7 @@ static void purge_old_ps_buffers(struct
+ skb = skb_dequeue(&ps->bc_buf);
+ if (skb) {
+ purged++;
+- dev_kfree_skb(skb);
++ ieee80211_free_txskb(&local->hw, skb);
+ }
+ total += skb_queue_len(&ps->bc_buf);
+ }
+@@ -451,7 +451,7 @@ ieee80211_tx_h_multicast_ps_buf(struct i
+ if (skb_queue_len(&ps->bc_buf) >= AP_MAX_BC_BUFFER) {
+ ps_dbg(tx->sdata,
+ "BC TX buffer full - dropping the oldest frame\n");
+- dev_kfree_skb(skb_dequeue(&ps->bc_buf));
++ ieee80211_free_txskb(&tx->local->hw, skb_dequeue(&ps->bc_buf));
+ } else
+ tx->local->total_ps_buffered++;
+
+@@ -4276,7 +4276,7 @@ ieee80211_get_buffered_bc(struct ieee802
+ sdata = IEEE80211_DEV_TO_SUB_IF(skb->dev);
+ if (!ieee80211_tx_prepare(sdata, &tx, NULL, skb))
+ break;
+- dev_kfree_skb_any(skb);
++ ieee80211_free_txskb(hw, skb);
+ }
+
+ info = IEEE80211_SKB_CB(skb);
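Review bot: In the tx.c hunk at `@@ -451,7 +451,7 @@` the result of `skb_dequeue(&ps->bc_buf)` is passed straight to `ieee80211_free_txskb()`, while the `purge_old_ps_buffers` hunk only calls it under `if (skb)`. ieee80211_free_txskb is not shown in this patch; if it reads the skb's tx info before freeing, a dequeue that returns NULL (queue drained between the `skb_queue_len()` check and the dequeue) would be dereferenced, so the old NULL-tolerance of `dev_kfree_skb()` should be confirmed or kept explicitly, e.g. `struct sk_buff *old = skb_dequeue(&ps->bc_buf);` followed by `if (old) ieee80211_free_txskb(&tx->local->hw, old);`. Separately, in the cfg.c hunk, it is worth confirming that `ieee80211_purge_tx_queue()` takes the `bc_buf` queue lock as `skb_queue_purge()` did, or documenting why nothing can still touch the queue at that point in `ieee80211_stop_ap`. All four enclosing functions continue outside their hunks.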