From 0ad8acaf434d360ad99813d981a68e605d6c8179 Mon Sep 17 00:00:00 2001 From: "Luis R. Rodriguez" Date: Tue, 24 Mar 2009 21:21:08 -0400 Subject: [PATCH 01/27] cfg80211: fix NULL pointer deference in reg_device_remove() We won't ever get here as regulatory_hint_core() can only fail on -ENOMEM and in that case we don't initialize cfg80211 but this is technically correct code. This is actually good for stable, where we don't check for -ENOMEM failure on __regulatory_hint()'s failure. Cc: stable@kernel.org Reported-by: Quentin Armitage Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville --- net/wireless/reg.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/net/wireless/reg.c b/net/wireless/reg.c index 6327e1617acb..6c1993d99902 100644 --- a/net/wireless/reg.c +++ b/net/wireless/reg.c @@ -2095,11 +2095,12 @@ int set_regdom(const struct ieee80211_regdomain *rd) /* Caller must hold cfg80211_mutex */ void reg_device_remove(struct wiphy *wiphy) { - struct wiphy *request_wiphy; + struct wiphy *request_wiphy = NULL; assert_cfg80211_lock(); - request_wiphy = wiphy_idx_to_wiphy(last_request->wiphy_idx); + if (last_request) + request_wiphy = wiphy_idx_to_wiphy(last_request->wiphy_idx); kfree(wiphy->regd); if (!last_request || !request_wiphy) From b3631286aca3f54427ca0eb950981e9753866f6c Mon Sep 17 00:00:00 2001 From: Vasanthakumar Thiagarajan Date: Wed, 25 Mar 2009 18:10:18 +0530 Subject: [PATCH 02/27] mac80211: Fix bug in getting rx status for frames pending in reorder buffer Currently rx status for frames which are completed from reorder buffer is taken from it's cb area which is not always right, cb is not holding the rx status when driver uses mac80211's non-irq rx handler to pass it's received frames. This results in dropping almost all frames from reorder buffer when security is enabled by doing double decryption (first in hw, second in sw because of wrong rx status). This patch copies rx status into cb area before the frame is put into reorder buffer. After this patch, there is a significant improvement in throughput with ath9k + WPA2(AES). Signed-off-by: Vasanthakumar Thiagarajan Acked-by: Johannes Berg Cc: stable@kernel.org Signed-off-by: John W. Linville --- net/mac80211/rx.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c index 64ebe664effc..5fa7aedd90ed 100644 --- a/net/mac80211/rx.c +++ b/net/mac80211/rx.c @@ -29,6 +29,7 @@ static u8 ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw, struct tid_ampdu_rx *tid_agg_rx, struct sk_buff *skb, + struct ieee80211_rx_status *status, u16 mpdu_seq_num, int bar_req); /* @@ -1688,7 +1689,7 @@ ieee80211_rx_h_ctrl(struct ieee80211_rx_data *rx) /* manage reordering buffer according to requested */ /* sequence number */ rcu_read_lock(); - ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, NULL, + ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, NULL, NULL, start_seq_num, 1); rcu_read_unlock(); return RX_DROP_UNUSABLE; @@ -2293,6 +2294,7 @@ static inline u16 seq_sub(u16 sq1, u16 sq2) static u8 ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw, struct tid_ampdu_rx *tid_agg_rx, struct sk_buff *skb, + struct ieee80211_rx_status *rxstatus, u16 mpdu_seq_num, int bar_req) { @@ -2374,6 +2376,8 @@ static u8 ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw, /* put the frame in the reordering buffer */ tid_agg_rx->reorder_buf[index] = skb; + memcpy(tid_agg_rx->reorder_buf[index]->cb, rxstatus, + sizeof(*rxstatus)); tid_agg_rx->stored_mpdu_num++; /* release the buffer until next missing frame */ index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) @@ -2399,7 +2403,8 @@ static u8 ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw, } static u8 ieee80211_rx_reorder_ampdu(struct ieee80211_local *local, - struct sk_buff *skb) + struct sk_buff *skb, + struct ieee80211_rx_status *status) { struct ieee80211_hw *hw = &local->hw; struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; @@ -2448,7 +2453,7 @@ static u8 ieee80211_rx_reorder_ampdu(struct ieee80211_local *local, /* according to mpdu sequence number deal with reordering buffer */ mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4; - ret = ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb, + ret = ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb, status, mpdu_seq_num, 0); end_reorder: return ret; @@ -2512,7 +2517,7 @@ void __ieee80211_rx(struct ieee80211_hw *hw, struct sk_buff *skb, return; } - if (!ieee80211_rx_reorder_ampdu(local, skb)) + if (!ieee80211_rx_reorder_ampdu(local, skb, status)) __ieee80211_rx_handle_packet(hw, skb, status, rate); rcu_read_unlock(); From ec9a1d8c13e36440eda0f3c79b8149080e3ab5ba Mon Sep 17 00:00:00 2001 From: Michael Buesch Date: Fri, 27 Mar 2009 22:51:58 +0100 Subject: [PATCH 03/27] b43: Poison RX buffers This patch adds poisoning and sanity checking to the RX DMA buffers. This is used for protection against buggy hardware/firmware that raises RX interrupts without doing an actual DMA transfer. This mechanism protects against rare "bad packets" (due to uninitialized skb data) and rare kernel crashes due to uninitialized RX headers. The poison is selected to not match on valid frames and to be cheap for checking. The poison check mechanism _might_ trigger incorrectly, if we are voluntarily receiving frames with bad PLCP headers. However, this is nonfatal, because the chance of such a match is basically zero and in case it happens it just results in dropping the packet. Bad-PLCP RX defaults to off, and you should leave it off unless you want to listen to the latest news broadcasted by your microwave oven. This patch also moves the initialization of the RX-header "length" field in front of the mapping of the DMA buffer. The CPU should not touch the buffer after we mapped it. Cc: stable@kernel.org Reported-by: Francesco Gringoli Signed-off-by: Michael Buesch Signed-off-by: John W. Linville --- drivers/net/wireless/b43/dma.c | 37 ++++++++++++++++++++++++++++++---- 1 file changed, 33 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/b43/dma.c b/drivers/net/wireless/b43/dma.c index e228c1de6e11..dfa6c72c3bd2 100644 --- a/drivers/net/wireless/b43/dma.c +++ b/drivers/net/wireless/b43/dma.c @@ -555,11 +555,32 @@ address_error: return 1; } +static bool b43_rx_buffer_is_poisoned(struct b43_dmaring *ring, struct sk_buff *skb) +{ + unsigned char *f = skb->data + ring->frameoffset; + + return ((f[0] & f[1] & f[2] & f[3] & f[4] & f[5] & f[6] & f[7]) == 0xFF); +} + +static void b43_poison_rx_buffer(struct b43_dmaring *ring, struct sk_buff *skb) +{ + struct b43_rxhdr_fw4 *rxhdr; + unsigned char *frame; + + /* This poisons the RX buffer to detect DMA failures. */ + + rxhdr = (struct b43_rxhdr_fw4 *)(skb->data); + rxhdr->frame_len = 0; + + B43_WARN_ON(ring->rx_buffersize < ring->frameoffset + sizeof(struct b43_plcp_hdr6) + 2); + frame = skb->data + ring->frameoffset; + memset(frame, 0xFF, sizeof(struct b43_plcp_hdr6) + 2 /* padding */); +} + static int setup_rx_descbuffer(struct b43_dmaring *ring, struct b43_dmadesc_generic *desc, struct b43_dmadesc_meta *meta, gfp_t gfp_flags) { - struct b43_rxhdr_fw4 *rxhdr; dma_addr_t dmaaddr; struct sk_buff *skb; @@ -568,6 +589,7 @@ static int setup_rx_descbuffer(struct b43_dmaring *ring, skb = __dev_alloc_skb(ring->rx_buffersize, gfp_flags); if (unlikely(!skb)) return -ENOMEM; + b43_poison_rx_buffer(ring, skb); dmaaddr = map_descbuffer(ring, skb->data, ring->rx_buffersize, 0); if (b43_dma_mapping_error(ring, dmaaddr, ring->rx_buffersize, 0)) { /* ugh. try to realloc in zone_dma */ @@ -578,6 +600,7 @@ static int setup_rx_descbuffer(struct b43_dmaring *ring, skb = __dev_alloc_skb(ring->rx_buffersize, gfp_flags); if (unlikely(!skb)) return -ENOMEM; + b43_poison_rx_buffer(ring, skb); dmaaddr = map_descbuffer(ring, skb->data, ring->rx_buffersize, 0); if (b43_dma_mapping_error(ring, dmaaddr, ring->rx_buffersize, 0)) { @@ -592,9 +615,6 @@ static int setup_rx_descbuffer(struct b43_dmaring *ring, ring->ops->fill_descriptor(ring, desc, dmaaddr, ring->rx_buffersize, 0, 0, 0); - rxhdr = (struct b43_rxhdr_fw4 *)(skb->data); - rxhdr->frame_len = 0; - return 0; } @@ -1489,6 +1509,15 @@ static void dma_rx(struct b43_dmaring *ring, int *slot) goto drop; } } + if (unlikely(b43_rx_buffer_is_poisoned(ring, skb))) { + /* Something went wrong with the DMA. + * The device did not touch the buffer and did not overwrite the poison. */ + b43dbg(ring->dev->wl, "DMA RX: Dropping poisoned buffer.\n"); + /* recycle the descriptor buffer. */ + sync_descbuffer_for_device(ring, meta->dmaaddr, + ring->rx_buffersize); + goto drop; + } if (unlikely(len > ring->rx_buffersize)) { /* The data did not fit into one descriptor buffer * and is split over multiple buffers. From cf68636a9773aa97915497fe54fa4a51e3f08f3a Mon Sep 17 00:00:00 2001 From: Michael Buesch Date: Sat, 28 Mar 2009 00:41:25 +0100 Subject: [PATCH 04/27] b43: Refresh RX poison on buffer recycling The RX buffer poison needs to be refreshed, if we recycle an RX buffer, because it might be (partially) overwritten by some DMA operations. Cc: stable@kernel.org Cc: Francesco Gringoli Signed-off-by: Michael Buesch Signed-off-by: John W. Linville --- drivers/net/wireless/b43/dma.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/drivers/net/wireless/b43/dma.c b/drivers/net/wireless/b43/dma.c index dfa6c72c3bd2..eae680b53052 100644 --- a/drivers/net/wireless/b43/dma.c +++ b/drivers/net/wireless/b43/dma.c @@ -1503,20 +1503,16 @@ static void dma_rx(struct b43_dmaring *ring, int *slot) len = le16_to_cpu(rxhdr->frame_len); } while (len == 0 && i++ < 5); if (unlikely(len == 0)) { - /* recycle the descriptor buffer. */ - sync_descbuffer_for_device(ring, meta->dmaaddr, - ring->rx_buffersize); - goto drop; + dmaaddr = meta->dmaaddr; + goto drop_recycle_buffer; } } if (unlikely(b43_rx_buffer_is_poisoned(ring, skb))) { /* Something went wrong with the DMA. * The device did not touch the buffer and did not overwrite the poison. */ b43dbg(ring->dev->wl, "DMA RX: Dropping poisoned buffer.\n"); - /* recycle the descriptor buffer. */ - sync_descbuffer_for_device(ring, meta->dmaaddr, - ring->rx_buffersize); - goto drop; + dmaaddr = meta->dmaaddr; + goto drop_recycle_buffer; } if (unlikely(len > ring->rx_buffersize)) { /* The data did not fit into one descriptor buffer @@ -1530,6 +1526,7 @@ static void dma_rx(struct b43_dmaring *ring, int *slot) while (1) { desc = ops->idx2desc(ring, *slot, &meta); /* recycle the descriptor buffer. */ + b43_poison_rx_buffer(ring, meta->skb); sync_descbuffer_for_device(ring, meta->dmaaddr, ring->rx_buffersize); *slot = next_slot(ring, *slot); @@ -1548,8 +1545,7 @@ static void dma_rx(struct b43_dmaring *ring, int *slot) err = setup_rx_descbuffer(ring, desc, meta, GFP_ATOMIC); if (unlikely(err)) { b43dbg(ring->dev->wl, "DMA RX: setup_rx_descbuffer() failed\n"); - sync_descbuffer_for_device(ring, dmaaddr, ring->rx_buffersize); - goto drop; + goto drop_recycle_buffer; } unmap_descbuffer(ring, dmaaddr, ring->rx_buffersize, 0); @@ -1559,6 +1555,11 @@ static void dma_rx(struct b43_dmaring *ring, int *slot) b43_rx(ring->dev, skb, rxhdr); drop: return; + +drop_recycle_buffer: + /* Poison and recycle the RX buffer. */ + b43_poison_rx_buffer(ring, skb); + sync_descbuffer_for_device(ring, dmaaddr, ring->rx_buffersize); } void b43_dma_rx(struct b43_dmaring *ring) From 540828196e48ec54b64067a2b9defd870bff3ece Mon Sep 17 00:00:00 2001 From: Christian Lamparter Date: Wed, 25 Mar 2009 03:11:44 +0100 Subject: [PATCH 05/27] p54: replace MAC80211_LEDS with P54_LEDS in p54.h I'm very sorry, as this change belongs to the other patch: "[PATCH] p54: fix SoftLED compile dependencies". however I must have somehow lost "git add" for that file. Signed-off-by: Christian Lamparter Acked-by: Larry Finger Signed-off-by: John W. Linville --- drivers/net/wireless/p54/p54.h | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/p54/p54.h b/drivers/net/wireless/p54/p54.h index 2dda5fe418b6..ecf8b6ed5a47 100644 --- a/drivers/net/wireless/p54/p54.h +++ b/drivers/net/wireless/p54/p54.h @@ -14,9 +14,9 @@ * published by the Free Software Foundation. */ -#ifdef CONFIG_MAC80211_LEDS +#ifdef CONFIG_P54_LEDS #include -#endif /* CONFIG_MAC80211_LEDS */ +#endif /* CONFIG_P54_LEDS */ enum p54_control_frame_types { P54_CONTROL_TYPE_SETUP = 0, @@ -116,7 +116,7 @@ enum fw_state { FW_STATE_RESETTING, }; -#ifdef CONFIG_MAC80211_LEDS +#ifdef CONFIG_P54_LEDS #define P54_LED_MAX_NAME_LEN 31 @@ -129,7 +129,7 @@ struct p54_led_dev { unsigned int registered; }; -#endif /* CONFIG_MAC80211_LEDS */ +#endif /* CONFIG_P54_LEDS */ struct p54_common { struct ieee80211_hw *hw; @@ -177,10 +177,10 @@ struct p54_common { u8 privacy_caps; u8 rx_keycache_size; /* LED management */ - #ifdef CONFIG_MAC80211_LEDS +#ifdef CONFIG_P54_LEDS struct p54_led_dev assoc_led; struct p54_led_dev tx_led; - #endif /* CONFIG_MAC80211_LEDS */ +#endif /* CONFIG_P54_LEDS */ u16 softled_state; /* bit field of glowing LEDs */ }; From 731c6531684250c46d732e369b25b003356f3947 Mon Sep 17 00:00:00 2001 From: Christian Lamparter Date: Mon, 30 Mar 2009 15:55:24 +0200 Subject: [PATCH 06/27] p54spi: fix locking warning in p54spi_op_tx This patch fixes the following waring: > ------------[ cut here ]------------ >WARNING: at kernel/softirq.c:138 local_bh_enable+0x54/0xbc() >Modules linked in: p54spi >[] (dump_stack+0x0/0x14) >[] (warn_on_slowpath+0x0/0x68) >[] (local_bh_enable+0x0/0xbc) >[] (p54spi_op_tx+0x0/0x4c [p54spi]) >[] (p54_sta_unlock+0x0/0x78) p54spi_op_tx needs to be called from different locking contexts. Therefore we have to protect the linked list with irqsave spinlocks. Reported-by: Max Filippov Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville --- drivers/net/wireless/p54/p54spi.c | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/drivers/net/wireless/p54/p54spi.c b/drivers/net/wireless/p54/p54spi.c index 2b222aaa6f0a..d1fe577de3d4 100644 --- a/drivers/net/wireless/p54/p54spi.c +++ b/drivers/net/wireless/p54/p54spi.c @@ -457,9 +457,10 @@ static int p54spi_wq_tx(struct p54s_priv *priv) struct ieee80211_tx_info *info; struct p54_tx_info *minfo; struct p54s_tx_info *dinfo; + unsigned long flags; int ret = 0; - spin_lock_bh(&priv->tx_lock); + spin_lock_irqsave(&priv->tx_lock, flags); while (!list_empty(&priv->tx_pending)) { entry = list_entry(priv->tx_pending.next, @@ -467,7 +468,7 @@ static int p54spi_wq_tx(struct p54s_priv *priv) list_del_init(&entry->tx_list); - spin_unlock_bh(&priv->tx_lock); + spin_unlock_irqrestore(&priv->tx_lock, flags); dinfo = container_of((void *) entry, struct p54s_tx_info, tx_list); @@ -479,16 +480,14 @@ static int p54spi_wq_tx(struct p54s_priv *priv) ret = p54spi_tx_frame(priv, skb); - spin_lock_bh(&priv->tx_lock); - if (ret < 0) { p54_free_skb(priv->hw, skb); - goto out; + return ret; } - } -out: - spin_unlock_bh(&priv->tx_lock); + spin_lock_irqsave(&priv->tx_lock, flags); + } + spin_unlock_irqrestore(&priv->tx_lock, flags); return ret; } @@ -498,12 +497,13 @@ static void p54spi_op_tx(struct ieee80211_hw *dev, struct sk_buff *skb) struct ieee80211_tx_info *info = IEEE80211_SKB_CB(skb); struct p54_tx_info *mi = (struct p54_tx_info *) info->rate_driver_data; struct p54s_tx_info *di = (struct p54s_tx_info *) mi->data; + unsigned long flags; BUILD_BUG_ON(sizeof(*di) > sizeof((mi->data))); - spin_lock_bh(&priv->tx_lock); + spin_lock_irqsave(&priv->tx_lock, flags); list_add_tail(&di->tx_list, &priv->tx_pending); - spin_unlock_bh(&priv->tx_lock); + spin_unlock_irqrestore(&priv->tx_lock, flags); queue_work(priv->hw->workqueue, &priv->work); } @@ -604,6 +604,7 @@ out: static void p54spi_op_stop(struct ieee80211_hw *dev) { struct p54s_priv *priv = dev->priv; + unsigned long flags; if (mutex_lock_interruptible(&priv->mutex)) { /* FIXME: how to handle this error? */ @@ -615,9 +616,9 @@ static void p54spi_op_stop(struct ieee80211_hw *dev) cancel_work_sync(&priv->work); p54spi_power_off(priv); - spin_lock_bh(&priv->tx_lock); + spin_lock_irqsave(&priv->tx_lock, flags); INIT_LIST_HEAD(&priv->tx_pending); - spin_unlock_bh(&priv->tx_lock); + spin_unlock_irqrestore(&priv->tx_lock, flags); priv->fw_state = FW_STATE_OFF; mutex_unlock(&priv->mutex); From c6dbe17f193c4adc8afc6884f26efb5fa27aa8af Mon Sep 17 00:00:00 2001 From: Masakazu Mokuno Date: Mon, 30 Mar 2009 11:04:36 -0700 Subject: [PATCH 07/27] net/ps3: Fix wireless AP connect error handling This patch fixes the bug that the driver tries to continue to connect(associate) to AP even if gelic_wl_do_{wpa,wep}_setup() fails, Signed-off-by: Masakazu Mokuno Signed-off-by: Geoff Levand Signed-off-by: John W. Linville --- drivers/net/ps3_gelic_wireless.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/ps3_gelic_wireless.c b/drivers/net/ps3_gelic_wireless.c index a5ac2bd58b5b..4f3ada622f9b 100644 --- a/drivers/net/ps3_gelic_wireless.c +++ b/drivers/net/ps3_gelic_wireless.c @@ -2101,6 +2101,9 @@ static int gelic_wl_associate_bss(struct gelic_wl_info *wl, if (ret) { pr_debug("%s: WEP/WPA setup failed %d\n", __func__, ret); + ret = -EPERM; + gelic_wl_send_iwap_event(wl, NULL); + goto out; } /* start association */ From 853da11b94e674445e93660f47a5f0aeeea09623 Mon Sep 17 00:00:00 2001 From: Pavel Roskin Date: Fri, 3 Apr 2009 20:10:26 -0400 Subject: [PATCH 08/27] ath9k: fix access to a freed skb in ath_rx_tasklet() Signed-off-by: Pavel Roskin Signed-off-by: John W. Linville --- drivers/net/wireless/ath9k/recv.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath9k/recv.c b/drivers/net/wireless/ath9k/recv.c index 71cb18d6757d..dd1f30156740 100644 --- a/drivers/net/wireless/ath9k/recv.c +++ b/drivers/net/wireless/ath9k/recv.c @@ -493,6 +493,7 @@ int ath_rx_tasklet(struct ath_softc *sc, int flush) int hdrlen, padsize, retval; bool decrypt_error = false; u8 keyix; + __le16 fc; spin_lock_bh(&sc->rx.rxbuflock); @@ -606,6 +607,7 @@ int ath_rx_tasklet(struct ath_softc *sc, int flush) /* see if any padding is done by the hw and remove it */ hdr = (struct ieee80211_hdr *)skb->data; hdrlen = ieee80211_get_hdrlen_from_skb(skb); + fc = hdr->frame_control; /* The MAC header is padded to have 32-bit boundary if the * packet payload is non-zero. The general calculation for @@ -690,7 +692,7 @@ int ath_rx_tasklet(struct ath_softc *sc, int flush) sc->rx.rxotherant = 0; } - if (ieee80211_is_beacon(hdr->frame_control) && + if (ieee80211_is_beacon(fc) && (sc->sc_flags & SC_OP_WAIT_FOR_BEACON)) { sc->sc_flags &= ~SC_OP_WAIT_FOR_BEACON; ath9k_hw_setpower(sc->sc_ah, ATH9K_PM_NETWORK_SLEEP); From 47afbaf5af9454a7a1a64591e20cbfcc27ca67a8 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Tue, 7 Apr 2009 15:22:28 +0200 Subject: [PATCH 09/27] mac80211: correct wext transmit power handler Wext makes no assumptions about the contents of data->txpower.fixed and data->txpower.value when data->txpower.disabled is set, so do not update the user-requested power level while disabling. Also, when wext configures a really _fixed_ power output [1], we should reject it instead of limiting it to the regulatory constraint. If the user wants to set a _limit_ [2] then we should honour that. [1] iwconfig wlan0 txpower 20dBm fixed [2] iwconfig wlan0 txpower 10dBm This fixes http://www.intellinuxwireless.org/bugzilla/show_bug.cgi?id=1942 Signed-off-by: Johannes Berg Signed-off-by: John W. Linville --- net/mac80211/main.c | 2 +- net/mac80211/wext.c | 41 +++++++++++++++++++++++++++++++++-------- 2 files changed, 34 insertions(+), 9 deletions(-) diff --git a/net/mac80211/main.c b/net/mac80211/main.c index a6f1d8a869bc..fbcbed6cad01 100644 --- a/net/mac80211/main.c +++ b/net/mac80211/main.c @@ -258,7 +258,7 @@ int ieee80211_hw_config(struct ieee80211_local *local, u32 changed) (chan->max_power - local->power_constr_level) : chan->max_power; - if (local->user_power_level) + if (local->user_power_level >= 0) power = min(power, local->user_power_level); if (local->hw.conf.power_level != power) { diff --git a/net/mac80211/wext.c b/net/mac80211/wext.c index deb4ecec122a..ce9115c18152 100644 --- a/net/mac80211/wext.c +++ b/net/mac80211/wext.c @@ -417,6 +417,7 @@ static int ieee80211_ioctl_siwtxpower(struct net_device *dev, { struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr); struct ieee80211_channel* chan = local->hw.conf.channel; + bool reconf = false; u32 reconf_flags = 0; int new_power_level; @@ -427,14 +428,38 @@ static int ieee80211_ioctl_siwtxpower(struct net_device *dev, if (!chan) return -EINVAL; - if (data->txpower.fixed) - new_power_level = min(data->txpower.value, chan->max_power); - else /* Automatic power level setting */ - new_power_level = chan->max_power; + /* only change when not disabling */ + if (!data->txpower.disabled) { + if (data->txpower.fixed) { + if (data->txpower.value < 0) + return -EINVAL; + new_power_level = data->txpower.value; + /* + * Debatable, but we cannot do a fixed power + * level above the regulatory constraint. + * Use "iwconfig wlan0 txpower 15dBm" instead. + */ + if (new_power_level > chan->max_power) + return -EINVAL; + } else { + /* + * Automatic power level setting, max being the value + * passed in from userland. + */ + if (data->txpower.value < 0) + new_power_level = -1; + else + new_power_level = data->txpower.value; + } - local->user_power_level = new_power_level; - if (local->hw.conf.power_level != new_power_level) - reconf_flags |= IEEE80211_CONF_CHANGE_POWER; + reconf = true; + + /* + * ieee80211_hw_config() will limit to the channel's + * max power and possibly power constraint from AP. + */ + local->user_power_level = new_power_level; + } if (local->hw.conf.radio_enabled != !(data->txpower.disabled)) { local->hw.conf.radio_enabled = !(data->txpower.disabled); @@ -442,7 +467,7 @@ static int ieee80211_ioctl_siwtxpower(struct net_device *dev, ieee80211_led_radio(local, local->hw.conf.radio_enabled); } - if (reconf_flags) + if (reconf || reconf_flags) ieee80211_hw_config(local, reconf_flags); return 0; From f54930f363113a9357c9ae008965b6484a61cd29 Mon Sep 17 00:00:00 2001 From: Philip Rakity Date: Tue, 7 Apr 2009 12:41:17 -0700 Subject: [PATCH 10/27] libertas: don't leak skb on receive error Don't lead memory when receive errors Signed-off-by: Philip Rakity Acked-by: Dan Williams Signed-off-by: John W. Linville --- drivers/net/wireless/libertas/rx.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/libertas/rx.c b/drivers/net/wireless/libertas/rx.c index 63d7e19ce9bd..8e669775cb5d 100644 --- a/drivers/net/wireless/libertas/rx.c +++ b/drivers/net/wireless/libertas/rx.c @@ -170,6 +170,7 @@ int lbs_process_rxed_packet(struct lbs_private *priv, struct sk_buff *skb) lbs_deb_rx("rx err: frame received with bad length\n"); dev->stats.rx_length_errors++; ret = 0; + dev_kfree_skb(skb); goto done; } @@ -181,6 +182,7 @@ int lbs_process_rxed_packet(struct lbs_private *priv, struct sk_buff *skb) lbs_pr_alert("rxpd not ok\n"); dev->stats.rx_errors++; ret = 0; + dev_kfree_skb(skb); goto done; } From 02a9a39294017f105aedebcca5f49d552b18dbaa Mon Sep 17 00:00:00 2001 From: Jamie Lentin Date: Tue, 7 Apr 2009 22:59:56 +0100 Subject: [PATCH 11/27] at76c50x-usb: Add device ID for OQO model 01+ Add USB device ID for OQO 01+'s internal wireless LAN An OQO employee mentions the chip's true identity here:- ftp://ftp.oqo.com/unsupported/linux/OQOLinux.html Signed-off-by: Jamie Lentin Acked-by: Kalle Valo Signed-off-by: John W. Linville --- drivers/net/wireless/at76c50x-usb.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/at76c50x-usb.c b/drivers/net/wireless/at76c50x-usb.c index 0c02f1c2bd94..744f4f4dd3d1 100644 --- a/drivers/net/wireless/at76c50x-usb.c +++ b/drivers/net/wireless/at76c50x-usb.c @@ -250,6 +250,8 @@ static struct usb_device_id dev_table[] = { { USB_DEVICE(0x03eb, 0x7617), USB_DEVICE_DATA(BOARD_505A) }, /* Siemens Gigaset USB WLAN Adapter 11 */ { USB_DEVICE(0x1690, 0x0701), USB_DEVICE_DATA(BOARD_505A) }, + /* OQO Model 01+ Internal Wi-Fi */ + { USB_DEVICE(0x1557, 0x0002), USB_DEVICE_DATA(BOARD_505A) }, /* * at76c505amx-rfmd */ From 011f5c5bb20c08af93faa8bfd8d611c8cf85134f Mon Sep 17 00:00:00 2001 From: Dan Williams Date: Wed, 8 Apr 2009 10:15:17 -0400 Subject: [PATCH 12/27] airo: queue SIOCSIWAUTH-requested auth mode change for next commit Code was clearly wrong, plus callers expect the mode change to happen as soon as possible, not dropped on the floor until the next time some other config value changes and a commit happens. Signed-off-by: Dan Williams Signed-off-by: John W. Linville --- drivers/net/wireless/airo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/airo.c b/drivers/net/wireless/airo.c index f21a6171c691..c36d3a3d655f 100644 --- a/drivers/net/wireless/airo.c +++ b/drivers/net/wireless/airo.c @@ -6713,11 +6713,11 @@ static int airo_set_auth(struct net_device *dev, local->config.authType = AUTH_ENCRYPT; } else return -EINVAL; - break; /* Commit the changes to flags if needed */ if (local->config.authType != currentAuthType) set_bit (FLAG_COMMIT, &local->flags); + break; } case IW_AUTH_WPA_ENABLED: From 4fc298b86635c60061bbd81cef8de2b031e5c4a7 Mon Sep 17 00:00:00 2001 From: Christian Lamparter Date: Tue, 24 Mar 2009 21:58:08 +0100 Subject: [PATCH 13/27] ar9170: add Cace Airpcap NX usb_id This patch adds a new device to ar9170usb. Reported-by: Mike Kershaw/Dragorn Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville --- drivers/net/wireless/ar9170/usb.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/ar9170/usb.c b/drivers/net/wireless/ar9170/usb.c index ad296840893e..43e8d8de9a5c 100644 --- a/drivers/net/wireless/ar9170/usb.c +++ b/drivers/net/wireless/ar9170/usb.c @@ -59,6 +59,8 @@ static struct usb_device_id ar9170_usb_ids[] = { { USB_DEVICE(0x0cf3, 0x9170) }, /* Atheros TG121N */ { USB_DEVICE(0x0cf3, 0x1001) }, + /* Cace Airpcap NX */ + { USB_DEVICE(0xcace, 0x0300) }, /* D-Link DWA 160A */ { USB_DEVICE(0x07d1, 0x3c10) }, /* Netgear WNDA3100 */ From e3062403f5f71c48cf26e791e576f4feca4c9c0f Mon Sep 17 00:00:00 2001 From: Christian Lamparter Date: Sun, 29 Mar 2009 22:50:28 +0200 Subject: [PATCH 14/27] p54usb: add Telsey 802.11g USB2.0 Adapter Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville --- drivers/net/wireless/p54/p54usb.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/net/wireless/p54/p54usb.c b/drivers/net/wireless/p54/p54usb.c index da6640afc835..6cc6cbc9234f 100644 --- a/drivers/net/wireless/p54/p54usb.c +++ b/drivers/net/wireless/p54/p54usb.c @@ -71,6 +71,7 @@ static struct usb_device_id p54u_table[] __devinitdata = { {USB_DEVICE(0x1260, 0xee22)}, /* SMC 2862W-G version 2 */ {USB_DEVICE(0x13b1, 0x000a)}, /* Linksys WUSB54G ver 2 */ {USB_DEVICE(0x13B1, 0x000C)}, /* Linksys WUSB54AG */ + {USB_DEVICE(0x1413, 0x5400)}, /* Telsey 802.11g USB2.0 Adapter */ {USB_DEVICE(0x1435, 0x0427)}, /* Inventel UR054G */ {USB_DEVICE(0x2001, 0x3704)}, /* DLink DWL-G122 rev A2 */ {USB_DEVICE(0x413c, 0x8102)}, /* Spinnaker DUT */ From 6aabd4c4441133836ac969a9488458b37f83b677 Mon Sep 17 00:00:00 2001 From: Ivo van Doorn Date: Sat, 28 Mar 2009 20:52:14 +0100 Subject: [PATCH 15/27] rt2x00: Add rt73usb USB IDs Signed-off-by: Ivo van Doorn Signed-off-by: John W. Linville --- drivers/net/wireless/rt2x00/rt73usb.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/rt2x00/rt73usb.c b/drivers/net/wireless/rt2x00/rt73usb.c index 420fff42c0dd..853b2b279b64 100644 --- a/drivers/net/wireless/rt2x00/rt73usb.c +++ b/drivers/net/wireless/rt2x00/rt73usb.c @@ -2369,6 +2369,8 @@ static struct usb_device_id rt73usb_device_table[] = { /* Buffalo */ { USB_DEVICE(0x0411, 0x00d8), USB_DEVICE_DATA(&rt73usb_ops) }, { USB_DEVICE(0x0411, 0x00f4), USB_DEVICE_DATA(&rt73usb_ops) }, + { USB_DEVICE(0x0411, 0x0116), USB_DEVICE_DATA(&rt73usb_ops) }, + { USB_DEVICE(0x0411, 0x0119), USB_DEVICE_DATA(&rt73usb_ops) }, /* CNet */ { USB_DEVICE(0x1371, 0x9022), USB_DEVICE_DATA(&rt73usb_ops) }, { USB_DEVICE(0x1371, 0x9032), USB_DEVICE_DATA(&rt73usb_ops) }, From 591f3dc200abb2100c473248a121ce14bfeeabd6 Mon Sep 17 00:00:00 2001 From: Michael Buesch Date: Tue, 31 Mar 2009 12:27:32 +0200 Subject: [PATCH 16/27] b43: Do radio lock assertion in software The assertion of the lock-bit in the hardware register is unreliable, because there are devices with quirks that will randomly set the bit. Do the assertion in software, only. Signed-off-by: Michael Buesch Signed-off-by: John W. Linville --- drivers/net/wireless/b43/main.c | 5 +++++ drivers/net/wireless/b43/phy_common.c | 16 ++++++++++++---- drivers/net/wireless/b43/phy_common.h | 4 +++- 3 files changed, 20 insertions(+), 5 deletions(-) diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c index 4896e0831114..79b685e300c7 100644 --- a/drivers/net/wireless/b43/main.c +++ b/drivers/net/wireless/b43/main.c @@ -3974,6 +3974,11 @@ static void setup_struct_phy_for_init(struct b43_wldev *dev, phy->next_txpwr_check_time = jiffies; /* PHY TX errors counter. */ atomic_set(&phy->txerr_cnt, B43_PHY_TX_BADNESS_LIMIT); + +#if B43_DEBUG + phy->phy_locked = 0; + phy->radio_locked = 0; +#endif } static void setup_struct_wldev_for_init(struct b43_wldev *dev) diff --git a/drivers/net/wireless/b43/phy_common.c b/drivers/net/wireless/b43/phy_common.c index 026b61c03fb9..e176b6e0d9cf 100644 --- a/drivers/net/wireless/b43/phy_common.c +++ b/drivers/net/wireless/b43/phy_common.c @@ -131,12 +131,16 @@ void b43_radio_lock(struct b43_wldev *dev) { u32 macctl; +#if B43_DEBUG + B43_WARN_ON(dev->phy.radio_locked); + dev->phy.radio_locked = 1; +#endif + macctl = b43_read32(dev, B43_MMIO_MACCTL); - B43_WARN_ON(macctl & B43_MACCTL_RADIOLOCK); macctl |= B43_MACCTL_RADIOLOCK; b43_write32(dev, B43_MMIO_MACCTL, macctl); - /* Commit the write and wait for the device - * to exit any radio register access. */ + /* Commit the write and wait for the firmware + * to finish any radio register access. */ b43_read32(dev, B43_MMIO_MACCTL); udelay(10); } @@ -145,11 +149,15 @@ void b43_radio_unlock(struct b43_wldev *dev) { u32 macctl; +#if B43_DEBUG + B43_WARN_ON(!dev->phy.radio_locked); + dev->phy.radio_locked = 0; +#endif + /* Commit any write */ b43_read16(dev, B43_MMIO_PHY_VER); /* unlock */ macctl = b43_read32(dev, B43_MMIO_MACCTL); - B43_WARN_ON(!(macctl & B43_MACCTL_RADIOLOCK)); macctl &= ~B43_MACCTL_RADIOLOCK; b43_write32(dev, B43_MMIO_MACCTL, macctl); } diff --git a/drivers/net/wireless/b43/phy_common.h b/drivers/net/wireless/b43/phy_common.h index c9f5430d1d7d..b2d99101947b 100644 --- a/drivers/net/wireless/b43/phy_common.h +++ b/drivers/net/wireless/b43/phy_common.h @@ -245,8 +245,10 @@ struct b43_phy { atomic_t txerr_cnt; #ifdef CONFIG_B43_DEBUG - /* PHY registers locked by b43_phy_lock()? */ + /* PHY registers locked (w.r.t. firmware) */ bool phy_locked; + /* Radio registers locked (w.r.t. firmware) */ + bool radio_locked; #endif /* B43_DEBUG */ }; From a860402d8f1756dae48cdcabe153c974116fc37e Mon Sep 17 00:00:00 2001 From: Michael Buesch Date: Wed, 15 Apr 2009 14:41:22 -0400 Subject: [PATCH 17/27] mac80211: quiet beacon loss messages On Sunday 05 April 2009 11:29:38 Michael Buesch wrote: > On Sunday 05 April 2009 11:23:59 Jaswinder Singh Rajput wrote: > > With latest linus tree I am getting, .config file attached: > > > > [ 22.895051] r8169: eth0: link down > > [ 22.897564] ADDRCONF(NETDEV_UP): eth0: link is not ready > > [ 22.928047] ADDRCONF(NETDEV_UP): wlan0: link is not ready > > [ 22.982292] libvirtd used greatest stack depth: 4200 bytes left > > [ 63.709879] wlan0: authenticate with AP 00:11:95:9e:df:f6 > > [ 63.712096] wlan0: authenticated > > [ 63.712127] wlan0: associate with AP 00:11:95:9e:df:f6 > > [ 63.726831] wlan0: RX AssocResp from 00:11:95:9e:df:f6 (capab=0x471 status=0 aid=1) > > [ 63.726855] wlan0: associated > > [ 63.730093] ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready > > [ 74.296087] wlan0: no IPv6 routers present > > [ 79.349044] wlan0: beacon loss from AP 00:11:95:9e:df:f6 - sending probe request > > [ 119.358200] wlan0: beacon loss from AP 00:11:95:9e:df:f6 - sending probe request > > [ 179.354292] wlan0: beacon loss from AP 00:11:95:9e:df:f6 - sending probe request > > [ 259.366044] wlan0: beacon loss from AP 00:11:95:9e:df:f6 - sending probe request > > [ 359.348292] wlan0: beacon loss from AP 00:11:95:9e:df:f6 - sending probe request > > [ 361.953459] packagekitd used greatest stack depth: 4160 bytes left > > [ 478.824258] wlan0: beacon loss from AP 00:11:95:9e:df:f6 - sending probe request > > [ 598.813343] wlan0: beacon loss from AP 00:11:95:9e:df:f6 - sending probe request > > [ 718.817292] wlan0: beacon loss from AP 00:11:95:9e:df:f6 - sending probe request > > [ 838.824567] wlan0: beacon loss from AP 00:11:95:9e:df:f6 - sending probe request > > [ 958.815402] wlan0: beacon loss from AP 00:11:95:9e:df:f6 - sending probe request > > [ 1078.848434] wlan0: beacon loss from AP 00:11:95:9e:df:f6 - sending probe request > > [ 1198.822913] wlan0: beacon loss from AP 00:11:95:9e:df:f6 - sending probe request > > [ 1318.824931] wlan0: beacon loss from AP 00:11:95:9e:df:f6 - sending probe request > > [ 1438.814157] wlan0: beacon loss from AP 00:11:95:9e:df:f6 - sending probe request > > [ 1558.827336] wlan0: beacon loss from AP 00:11:95:9e:df:f6 - sending probe request > > [ 1678.823011] wlan0: beacon loss from AP 00:11:95:9e:df:f6 - sending probe request > > [ 1798.830589] wlan0: beacon loss from AP 00:11:95:9e:df:f6 - sending probe request > > [ 1918.828044] wlan0: beacon loss from AP 00:11:95:9e:df:f6 - sending probe request > > [ 2038.827224] wlan0: beacon loss from AP 00:11:95:9e:df:f6 - sending probe request > > [ 2116.517152] wlan0: beacon loss from AP 00:11:95:9e:df:f6 - sending probe request > > [ 2158.840243] wlan0: beacon loss from AP 00:11:95:9e:df:f6 - sending probe request > > [ 2278.827427] wlan0: beacon loss from AP 00:11:95:9e:df:f6 - sending probe request > > > I think this message should only show if CONFIG_MAC80211_VERBOSE_DEBUG is set. > It's kind of expected that we lose a beacon once in a while, so we shouldn't print > verbose messages to the kernel log (even if they are KERN_DEBUG). > > And besides that, I think one can easily remotely trigger this message and flood the logs. > So it should probably _also_ be ratelimited. Something like this: Signed-off-by: Michael Buesch --- net/mac80211/mlme.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index 7ecda9d59d8a..1b14d0204dd2 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -945,9 +945,13 @@ void ieee80211_beacon_loss_work(struct work_struct *work) u.mgd.beacon_loss_work); struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; - printk(KERN_DEBUG "%s: driver reports beacon loss from AP %pM " - "- sending probe request\n", sdata->dev->name, - sdata->u.mgd.bssid); +#ifdef CONFIG_MAC80211_VERBOSE_DEBUG + if (net_ratelimit()) { + printk(KERN_DEBUG "%s: driver reports beacon loss from AP %pM " + "- sending probe request\n", sdata->dev->name, + sdata->u.mgd.bssid); + } +#endif ifmgd->flags |= IEEE80211_STA_PROBEREQ_POLL; ieee80211_send_probe_req(sdata, ifmgd->bssid, ifmgd->ssid, @@ -1007,9 +1011,13 @@ static void ieee80211_associated(struct ieee80211_sub_if_data *sdata) (local->hw.conf.flags & IEEE80211_CONF_PS)) && time_after(jiffies, ifmgd->last_beacon + IEEE80211_MONITORING_INTERVAL)) { - printk(KERN_DEBUG "%s: beacon loss from AP %pM " - "- sending probe request\n", - sdata->dev->name, ifmgd->bssid); +#ifdef CONFIG_MAC80211_VERBOSE_DEBUG + if (net_ratelimit()) { + printk(KERN_DEBUG "%s: beacon loss from AP %pM " + "- sending probe request\n", + sdata->dev->name, ifmgd->bssid); + } +#endif ifmgd->flags |= IEEE80211_STA_PROBEREQ_POLL; ieee80211_send_probe_req(sdata, ifmgd->bssid, ifmgd->ssid, ifmgd->ssid_len, NULL, 0); From d60cc91acdc45f234d8830409203f504d03513c9 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Thu, 9 Apr 2009 09:56:02 +0200 Subject: [PATCH 18/27] fix iwl3945 registration regression I forgot that iwl3945 registration is separate from iwlagn. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville --- drivers/net/wireless/iwlwifi/iwl3945-base.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/iwlwifi/iwl3945-base.c b/drivers/net/wireless/iwlwifi/iwl3945-base.c index ce729281ff62..8d738d752487 100644 --- a/drivers/net/wireless/iwlwifi/iwl3945-base.c +++ b/drivers/net/wireless/iwlwifi/iwl3945-base.c @@ -4913,6 +4913,8 @@ static int iwl3945_setup_mac(struct iwl_priv *priv) hw->wiphy->custom_regulatory = true; + hw->wiphy->max_scan_ssids = 1; /* WILL FIX */ + /* Default value; 4 EDCA QOS priorities */ hw->queues = 4; From f05faa31c387fb07f4c561350f00ba12cf673c9f Mon Sep 17 00:00:00 2001 From: Herton Ronaldo Krzesinski Date: Fri, 10 Apr 2009 18:05:14 -0300 Subject: [PATCH 19/27] rt2x00: prevent double kfree when failing to register hardware MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In a scenario where there isn't any firmware available, we will have a double kfree of rt2x00dev->spec.channels_info when ieee80211_register_hw returns an error status inside rt2x00lib_probe_hw. The problem is that if ieee80211_register_hw fails, we call rt2x00lib_remove_hw twice: * first inside rt2x00lib_probe_hw upon failure of ieee80211_register_hw * error status is returned to rt2x00lib_probe_dev, which then sees it and calls in this case rt2x00lib_remove_dev that will again run rt2x00lib_remove_hw Prevent this avoiding calling rt2x00lib_remove_hw inside rt2x00lib_probe_hw Problem was detected with CONFIG_DEBUG_PAGEALLOC=y, CONFIG_SLUB_DEBUG=y, CONFIG_SLUB_DEBUG_ON=y, that dumps this with no firmware available: rt61pci 0000:00:07.0: PCI INT A -> GSI 19 (level, low) -> IRQ 19 wmaster0 (rt61pci): not using net_device_ops yet phy0: Selected rate control algorithm 'pid' phy0: Failed to initialize wep: -2 phy0 -> rt2x00lib_probe_dev: Error - Failed to initialize hw. ============================================================================= BUG kmalloc-128: Object already free ----------------------------------------------------------------------------- INFO: Allocated in rt61pci_probe_hw+0x3e5/0x6e0 [rt61pci] age=340 cpu=0 pid=21 INFO: Freed in rt2x00lib_remove_hw+0x59/0x70 [rt2x00lib] age=0 cpu=0 pid=21 INFO: Slab 0xc13ac3e0 objects=23 used=10 fp=0xdd59f6e0 flags=0x400000c3 INFO: Object 0xdd59f6e0 @offset=1760 fp=0xdd59f790 Bytes b4 0xdd59f6d0: 15 00 00 00 b2 8a fb ff 5a 5a 5a 5a 5a 5a 5a 5a ....².ûÿZZZZZZZZ Object 0xdd59f6e0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xdd59f6f0: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xdd59f700: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xdd59f710: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xdd59f720: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xdd59f730: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xdd59f740: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk Object 0xdd59f750: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b a5 kkkkkkkkkkkkkkk¥ Redzone 0xdd59f760: bb bb bb bb »»»» Padding 0xdd59f788: 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZ Pid: 21, comm: stage1 Not tainted 2.6.29.1-desktop-1.1mnb #1 Call Trace: [] print_trailer+0xd3/0x120 [] object_err+0x37/0x50 [] __slab_free+0xe7/0x2f0 [] kfree+0x7e/0xd0 [] ? rt2x00lib_remove_hw+0x59/0x70 [rt2x00lib] [] ? rt2x00lib_remove_hw+0x59/0x70 [rt2x00lib] [] rt2x00lib_remove_hw+0x59/0x70 [rt2x00lib] [] rt2x00lib_remove_dev+0x37/0x50 [rt2x00lib] [] rt2x00lib_probe_dev+0x1a7/0x3b0 [rt2x00lib] [] rt2x00pci_probe+0xdf/0x1ee [rt2x00pci] [] local_pci_probe+0xe/0x10 [] pci_device_probe+0x60/0x80 [] driver_probe_device+0x9a/0x2e0 [] __driver_attach+0x89/0x90 [] bus_for_each_dev+0x4b/0x70 [] ? pci_device_remove+0x0/0x40 [] driver_attach+0x19/0x20 [] ? __driver_attach+0x0/0x90 [] bus_add_driver+0x1cf/0x2a0 [] ? pci_device_remove+0x0/0x40 [] driver_register+0x69/0x140 [] __pci_register_driver+0x40/0x80 [] ? rt61pci_init+0x0/0x19 [rt61pci] [] rt61pci_init+0x17/0x19 [rt61pci] [] do_one_initcall+0x26/0x1c0 [] ? slab_pad_check+0x3c/0x120 [] ? slab_pad_check+0x3c/0x120 [] ? check_object+0xda/0x210 [] ? percpu_free+0x46/0x50 [] ? __slab_free+0x22e/0x2f0 [] ? percpu_free+0x46/0x50 [] ? percpu_free+0x46/0x50 [] ? percpu_free+0x46/0x50 [] ? stop_machine_destroy+0x3c/0x40 [] ? load_module+0xa5/0x1c50 [] ? rt61pci_eepromregister_read+0x0/0x40 [rt61pci] [] ? rt2x00pci_write_tx_data+0x0/0x90 [rt2x00pci] [] ? mutex_lock+0xb/0x20 [] ? mutex_lock+0xb/0x20 [] ? tracepoint_update_probe_range+0x76/0xa0 [] ? tracepoint_module_notify+0x2f/0x40 [] ? notifier_call_chain+0x2d/0x70 [] ? __blocking_notifier_call_chain+0x4d/0x60 [] ? blocking_notifier_call_chain+0x1a/0x20 [] sys_init_module+0x96/0x1d0 [] ? sys_munmap+0x46/0x60 [] syscall_call+0x7/0xb FIX kmalloc-128: Object at 0xdd59f6e0 not freed rt61pci 0000:00:07.0: PCI INT A disabled rt61pci: probe of 0000:00:07.0 failed with error -2 Signed-off-by: Herton Ronaldo Krzesinski Acked-by: Ivo van Doorn Signed-off-by: John W. Linville --- drivers/net/wireless/rt2x00/rt2x00dev.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c index 05f94e21b423..5752aaae906b 100644 --- a/drivers/net/wireless/rt2x00/rt2x00dev.c +++ b/drivers/net/wireless/rt2x00/rt2x00dev.c @@ -646,10 +646,8 @@ static int rt2x00lib_probe_hw(struct rt2x00_dev *rt2x00dev) * Register HW. */ status = ieee80211_register_hw(rt2x00dev->hw); - if (status) { - rt2x00lib_remove_hw(rt2x00dev); + if (status) return status; - } set_bit(DEVICE_STATE_REGISTERED_HW, &rt2x00dev->flags); From 23a99840d571a237845fd0906bce78e7c76be650 Mon Sep 17 00:00:00 2001 From: Gerrit Renker Date: Tue, 14 Apr 2009 06:32:56 +0200 Subject: [PATCH 20/27] mac80211: Fragmentation threshold (typo) mac80211: Fragmentation threshold (typo) ieee80211_ioctl_siwfrag() sets the fragmentation_threshold to 2352 when frame fragmentation is to be disabled, yet the corresponding 'get' function tests for 2353 bytes instead. This causes user-space tools to display a fragmentation threshold of 2352 bytes even if fragmentation has been disabled. Signed-off-by: Gerrit Renker Signed-off-by: John W. Linville --- net/mac80211/wext.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/mac80211/wext.c b/net/mac80211/wext.c index ce9115c18152..959aa8379ccf 100644 --- a/net/mac80211/wext.c +++ b/net/mac80211/wext.c @@ -555,7 +555,7 @@ static int ieee80211_ioctl_giwfrag(struct net_device *dev, struct ieee80211_local *local = wdev_priv(dev->ieee80211_ptr); frag->value = local->fragmentation_threshold; - frag->disabled = (frag->value >= IEEE80211_MAX_RTS_THRESHOLD); + frag->disabled = (frag->value >= IEEE80211_MAX_FRAG_THRESHOLD); frag->fixed = 1; return 0; From 91fe9ca74e8220f17e2fa71a92cda330857daac4 Mon Sep 17 00:00:00 2001 From: Pavel Roskin Date: Thu, 9 Apr 2009 21:41:05 -0400 Subject: [PATCH 21/27] orinoco: correct timeout logic in __orinoco_hw_set_tkip_key() If the value read from HERMES_RID_TXQUEUEEMPTY becomes 0 after exactly 100 readings, we wrongly consider it a timeout. Rewrite the clever while loop as a for loop that does the right thing and looks simpler. Reported by Juha Leppanen Signed-off-by: Pavel Roskin Signed-off-by: John W. Linville --- drivers/net/wireless/orinoco/hw.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/drivers/net/wireless/orinoco/hw.c b/drivers/net/wireless/orinoco/hw.c index 081428d9409e..632fac86a308 100644 --- a/drivers/net/wireless/orinoco/hw.c +++ b/drivers/net/wireless/orinoco/hw.c @@ -372,15 +372,13 @@ int __orinoco_hw_set_tkip_key(hermes_t *hw, int key_idx, int set_tx, } /* Wait upto 100ms for tx queue to empty */ - k = 100; - do { - k--; + for (k = 100; k > 0; k--) { udelay(1000); ret = hermes_read_wordrec(hw, USER_BAP, HERMES_RID_TXQUEUEEMPTY, &xmitting); - if (ret) + if (ret || !xmitting) break; - } while ((k > 0) && xmitting); + } if (k == 0) ret = -ETIMEDOUT; From 1269fa737f21b3f643e4b12d3ac9938b142a7f00 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Fri, 10 Apr 2009 10:02:45 +0200 Subject: [PATCH 22/27] ar9170: fix struct layout on arm arm will pad even between u8's, so mark the structs/unions packed. Fixes a build bug on arm due to BUILD_BUG_ON tests in the code. Signed-off-by: Johannes Berg Reported-by: Al Viro Signed-off-by: John W. Linville --- drivers/net/wireless/ar9170/hw.h | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/ar9170/hw.h b/drivers/net/wireless/ar9170/hw.h index 13091bd9d815..53e250a4278f 100644 --- a/drivers/net/wireless/ar9170/hw.h +++ b/drivers/net/wireless/ar9170/hw.h @@ -310,7 +310,7 @@ struct ar9170_tx_control { struct ar9170_rx_head { u8 plcp[12]; -}; +} __packed; struct ar9170_rx_tail { union { @@ -318,16 +318,16 @@ struct ar9170_rx_tail { u8 rssi_ant0, rssi_ant1, rssi_ant2, rssi_ant0x, rssi_ant1x, rssi_ant2x, rssi_combined; - }; + } __packed; u8 rssi[7]; - }; + } __packed; u8 evm_stream0[6], evm_stream1[6]; u8 phy_err; u8 SAidx, DAidx; u8 error; u8 status; -}; +} __packed; #define AR9170_ENC_ALG_NONE 0x0 #define AR9170_ENC_ALG_WEP64 0x1 From 7181d4673710888b6d7084b37b9d77ed4f4e41b2 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Wed, 15 Apr 2009 21:33:15 +0200 Subject: [PATCH 23/27] mac80211: avoid crashing when no scan sdata Using the scan_sdata variable here is terribly wrong, if there has never been a scan then we fail. However, we need a bandaid... Signed-off-by: Johannes Berg Cc: stable@kernel.org [2.6.29] Signed-off-by: John W. Linville --- net/mac80211/mlme.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index 1b14d0204dd2..dc60804d6dd0 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -2113,12 +2113,13 @@ void ieee80211_dynamic_ps_enable_work(struct work_struct *work) struct ieee80211_local *local = container_of(work, struct ieee80211_local, dynamic_ps_enable_work); + /* XXX: using scan_sdata is completely broken! */ struct ieee80211_sub_if_data *sdata = local->scan_sdata; if (local->hw.conf.flags & IEEE80211_CONF_PS) return; - if (local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK) + if (local->hw.flags & IEEE80211_HW_PS_NULLFUNC_STACK && sdata) ieee80211_send_nullfunc(local, sdata, 1); local->hw.conf.flags |= IEEE80211_CONF_PS; From 160002fe845218f5789a26954048592c3920ac7b Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Thu, 16 Apr 2009 12:15:38 +0200 Subject: [PATCH 24/27] cfg80211: copy hold when replacing BSS When we receive a probe response frame we can replace the BSS struct in our list -- but if that struct is held then we need to hold the new one as well. We really should fix this completely and not replace the struct, but this is a bandaid for now. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville --- net/wireless/scan.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 2a00e362f5fe..4c77669275eb 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -364,6 +364,8 @@ cfg80211_bss_update(struct cfg80211_registered_device *dev, list_replace(&found->list, &res->list); rb_replace_node(&found->rbn, &res->rbn, &dev->bss_tree); + /* XXX: workaround */ + res->hold = found->hold; kref_put(&found->ref, bss_release); found = res; } else if (found) { From cd1658f592a60d028dd2e48d86724b737a82cab0 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Thu, 16 Apr 2009 15:00:58 +0200 Subject: [PATCH 25/27] cfg80211: do not replace BSS structs Instead, allocate extra IE memory if necessary. Normally, this isn't even necessary since there's enough space. This is a better way of correcting the "held BSS can disappear" issue, but also a lot more code. It is also necessary for proper auth/assoc BSS handling in the future. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville --- net/wireless/core.h | 2 +- net/wireless/scan.c | 42 +++++++++++++++++++++++++++++++++--------- 2 files changed, 34 insertions(+), 10 deletions(-) diff --git a/net/wireless/core.h b/net/wireless/core.h index d43daa236ef9..0a592e4295f0 100644 --- a/net/wireless/core.h +++ b/net/wireless/core.h @@ -90,7 +90,7 @@ struct cfg80211_internal_bss { struct rb_node rbn; unsigned long ts; struct kref ref; - bool hold; + bool hold, ies_allocated; /* must be last because of priv member */ struct cfg80211_bss pub; diff --git a/net/wireless/scan.c b/net/wireless/scan.c index 4c77669275eb..2ae65b39b529 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -58,6 +58,10 @@ static void bss_release(struct kref *ref) bss = container_of(ref, struct cfg80211_internal_bss, ref); if (bss->pub.free_priv) bss->pub.free_priv(&bss->pub); + + if (bss->ies_allocated) + kfree(bss->pub.information_elements); + kfree(bss); } @@ -360,21 +364,41 @@ cfg80211_bss_update(struct cfg80211_registered_device *dev, found = rb_find_bss(dev, res); - if (found && overwrite) { - list_replace(&found->list, &res->list); - rb_replace_node(&found->rbn, &res->rbn, - &dev->bss_tree); - /* XXX: workaround */ - res->hold = found->hold; - kref_put(&found->ref, bss_release); - found = res; - } else if (found) { + if (found) { kref_get(&found->ref); found->pub.beacon_interval = res->pub.beacon_interval; found->pub.tsf = res->pub.tsf; found->pub.signal = res->pub.signal; found->pub.capability = res->pub.capability; found->ts = res->ts; + + /* overwrite IEs */ + if (overwrite) { + size_t used = dev->wiphy.bss_priv_size + sizeof(*res); + size_t ielen = res->pub.len_information_elements; + + if (ksize(found) >= used + ielen) { + memcpy(found->pub.information_elements, + res->pub.information_elements, ielen); + found->pub.len_information_elements = ielen; + } else { + u8 *ies = found->pub.information_elements; + + if (found->ies_allocated) { + if (ksize(ies) < ielen) + ies = krealloc(ies, ielen, + GFP_ATOMIC); + } else + ies = kmalloc(ielen, GFP_ATOMIC); + + if (ies) { + memcpy(ies, res->pub.information_elements, ielen); + found->ies_allocated = true; + found->pub.information_elements = ies; + } + } + } + kref_put(&res->ref, bss_release); } else { /* this "consumes" the reference */ From 60375541f7c8a577b977d344565259776c3acfc1 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Fri, 17 Apr 2009 00:54:23 +0200 Subject: [PATCH 26/27] mac80211: validate TIM IE length The TIM IE must not be shorter than 4 bytes, so verify that when parsing it. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville --- net/mac80211/mlme.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index dc60804d6dd0..1619e0cd26e2 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -441,6 +441,9 @@ static bool ieee80211_check_tim(struct ieee802_11_elems *elems, u16 aid) u8 index, indexn1, indexn2; struct ieee80211_tim_ie *tim = (struct ieee80211_tim_ie *) elems->tim; + if (unlikely(!tim || elems->tim_len < 4)) + return false; + aid &= 0x3fff; index = aid / 8; mask = 1 << (aid & 7); From 957b0516f7881284b48f2f2e4a909a1c5de0ddf8 Mon Sep 17 00:00:00 2001 From: Christian Lamparter Date: Fri, 17 Apr 2009 14:52:23 +0200 Subject: [PATCH 27/27] ar9170usb: add ZyXEL NWD271N Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville --- drivers/net/wireless/ar9170/usb.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/ar9170/usb.c b/drivers/net/wireless/ar9170/usb.c index 43e8d8de9a5c..c9e422ead925 100644 --- a/drivers/net/wireless/ar9170/usb.c +++ b/drivers/net/wireless/ar9170/usb.c @@ -69,6 +69,8 @@ static struct usb_device_id ar9170_usb_ids[] = { { USB_DEVICE(0x0846, 0x9001) }, /* Zydas ZD1221 */ { USB_DEVICE(0x0ace, 0x1221) }, + /* ZyXEL NWD271N */ + { USB_DEVICE(0x0586, 0x3417) }, /* Z-Com UB81 BG */ { USB_DEVICE(0x0cde, 0x0023) }, /* Z-Com UB82 ABG */