From d51cd7973eeef9b40db42afbd28b9691ad234d9d Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Tue, 30 Aug 2011 21:58:03 +0300
Subject: [PATCH] --- yaml --- r: 266563 b: refs/heads/master c:
 9809d8ef274bb53f47998bbc401efcbb10226893 h: refs/heads/master i:   266561:
 08618aeb483eb3b2ea4287d4a20bb38340b66a0b   266559:
 1c6410764b8fa61d569e31aa859a67c5093e99b9 v: v3

---
 [refs]                                      |  2 +-
 trunk/drivers/net/wireless/ath/ath6kl/wmi.c | 15 ++++++++++++---
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/[refs] b/[refs]
index bf23d755aedb..47519c3eb12b 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: a0df5db15b432cd49319254132fda80cb3081ad6
+refs/heads/master: 9809d8ef274bb53f47998bbc401efcbb10226893
diff --git a/trunk/drivers/net/wireless/ath/ath6kl/wmi.c b/trunk/drivers/net/wireless/ath/ath6kl/wmi.c
index d098cbd07fa9..dec869790c17 100644
--- a/trunk/drivers/net/wireless/ath/ath6kl/wmi.c
+++ b/trunk/drivers/net/wireless/ath/ath6kl/wmi.c
@@ -552,17 +552,26 @@ static int ath6kl_wmi_p2p_capabilities_event_rx(u8 *datap, int len)
 	return 0;
 }
 
-static int ath6kl_wmi_rx_action_event_rx(u8 *datap, int len)
+static int ath6kl_wmi_rx_action_event_rx(struct wmi *wmi, u8 *datap, int len)
 {
 	struct wmi_rx_action_event *ev;
+	u32 freq;
 	u16 dlen;
+	struct ath6kl *ar = wmi->parent_dev;
 
 	if (len < sizeof(*ev))
 		return -EINVAL;
 
 	ev = (struct wmi_rx_action_event *) datap;
+	freq = le32_to_cpu(ev->freq);
 	dlen = le16_to_cpu(ev->len);
-	ath6kl_dbg(ATH6KL_DBG_WMI, "rx_action: len=%u\n", dlen);
+	if (datap + len < ev->data + dlen) {
+		ath6kl_err("invalid wmi_rx_action_event: "
+			   "len=%d dlen=%u\n", len, dlen);
+		return -EINVAL;
+	}
+	ath6kl_dbg(ATH6KL_DBG_WMI, "rx_action: len=%u freq=%u\n", dlen, freq);
+	cfg80211_rx_mgmt(ar->net_dev, freq, ev->data, dlen, GFP_ATOMIC);
 
 	return 0;
 }
@@ -3086,7 +3095,7 @@ int ath6kl_wmi_control_rx(struct wmi *wmi, struct sk_buff *skb)
 		break;
 	case WMI_RX_ACTION_EVENTID:
 		ath6kl_dbg(ATH6KL_DBG_WMI, "WMI_RX_ACTION_EVENTID\n");
-		ret = ath6kl_wmi_rx_action_event_rx(datap, len);
+		ret = ath6kl_wmi_rx_action_event_rx(wmi, datap, len);
 		break;
 	case WMI_P2P_INFO_EVENTID:
 		ath6kl_dbg(ATH6KL_DBG_WMI, "WMI_P2P_INFO_EVENTID\n");