Граф коммитов

143326 Коммитов

Автор SHA1 Сообщение Дата
Hendrik Brueckner 60d3705fcb af_iucv: fix oops in iucv_sock_recvmsg() for MSG_PEEK flag
If iucv_sock_recvmsg() is called with MSG_PEEK flag set, the skb is enqueued
twice. If the socket is then closed, the pointer to the skb is freed twice.

Remove the skb_queue_head() call for MSG_PEEK, because the skb_recv_datagram()
function already handles MSG_PEEK (does not dequeue the skb).

Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-04-21 23:43:13 -07:00
Ursula Braun bbe188c8f1 af_iucv: consider state IUCV_CLOSING when closing a socket
Make sure a second invocation of iucv_sock_close() guarantees proper
freeing of an iucv path.

Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-04-21 23:43:13 -07:00
Reinette Chatre df833b1d73 iwlwifi: DMA fixes
A few issues wrt DMA were uncovered when using the driver with swiotlb.
- driver should not use memory after it has been mapped
- iwl3945's RX queue management cannot use all of iwlagn because
  the size of the RX buffer is different. Revert back to using
  iwl3945 specific routines that map/unmap memory.
- no need to "dma_syn_single_range_for_cpu" followed by pci_unmap_single,
  we can just call pci_unmap_single initially
- only map the memory area that will be used by device. this is especially
  relevant to the mapping of iwl_cmd. we should not map the entire
  structure because the meta data at the beginning of structure contains
  the address to be used later for unmapping. If the address to be used for
  unmapping is stored in mapped data it creates a problem.
- ensure that _if_ memory needs to be modified after it is mapped that we
  call _sync_single_for_cpu first, and then release it back to device with
  _sync_single_for_device
- we mapped the wrong length of data for host commands, with mapped length
  differing with length provided to device, fix that.

Thanks to Jason Andryuk <jandryuk@gmail.com> for significant bisecting
help to find these issues.

This fixes http://www.intellinuxwireless.org/bugzilla/show_bug.cgi?id=1964

Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Tested-by: Jason Andryuk <jandryuk@gmail.com>
Tested-by: Ben Gamari <bgamari@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-04-21 16:43:34 -04:00
Reinette Chatre d2ee9cd2e2 iwlwifi: add debugging for TX path
When debugging TX issues it is helpful to know the seq nr of the
frame being transmitted. The seq nr is printed as part of ucode's
log informing us which frame is being processed. Having this information
printed in driver log makes it easy to match activities between driver
and firmware.

Also make possible to print TX flags directly. These are already printed
as part of entire TX command, but having it printed directly in cpu format
makes it easier to look at.

Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-04-21 16:43:34 -04:00
Rami Rosen c491bf1205 mwl8: fix build warning.
This patch fixes a build warning in mwl8.c.
(Marvell TOPDOG wireless driver)

The warning it fixes is: "large integer implicitly truncated to unsigned type."

The rx_ctrl member of the mwl8k_rx_desc struct is 8 bit (__u8 ), whereas trying
to assign it a 32 bit value (which is returned from  cpu_to_le32())
causes the compiler to issue
a truncation warning.

Signed-off-by: Rami Rosen <ramirose@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-04-21 16:43:33 -04:00
Johannes Berg d1bcb9f127 mac80211: fix alignment calculation bug
When checking whether or not a given frame needs to be
moved to be properly aligned to a 4-byte boundary, we
use & 4 which wasn't intended, this code should check
the lowest two bits.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-04-21 16:43:33 -04:00
Reinette Chatre 7d42081a27 mac80211: do not print WARN if config interface
It is expected that config interface will always succeed as mac80211
will only request what driver supports. The exception here is when a
device has rfkill enabled. At this time the rfkill state is unknown to
mac80211 and config interface can fail. When this happens we deal with
this error instead of printing a WARN.

Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-04-21 16:43:32 -04:00
Reinette Chatre 71d449b55a iwl3945: use cancel_delayed_work_sync to cancel rfkill_poll
Users reported lockup with work still trying to run
after module has been unloaded.

http://thread.gmane.org/gmane.linux.kernel.wireless.general/30594/focus=30601

Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Reported-by: TJ <ubuntu@tjworld.net>
Reported-by: Huaxu Wan <huaxu.wan@linux.intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-04-21 16:43:32 -04:00
Jay Sternberg 4b6f764e14 iwlwifi: fix EEPROM validation mask to include OTP only devices
Fix the bug where some revisions of 6000 series hardware cannot
be used. Later versions of 6000 series have the EEPROM replaced by
OTP. For these devices to be used we need to expand valid EEPROM mask.

Signed-off-by: Jay Sternberg <jay.e.sternberg@linux.intel.com>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-04-21 16:43:30 -04:00
Johannes Berg 1bb593801e atmel: fix netdev ops conversion
sparse says:

drivers/net/wireless/atmel.c:1501:3: warning: Initializer entry defined twice
drivers/net/wireless/atmel.c:1505:3:   also defined here

and it's correct; atmel has its own ndo_change_mtu and
shouldn't use eth_change_mtu.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-04-21 02:08:51 -07:00
Ken Kawasaki 99b28c4709 pcnet_cs: add cis(firmware) of the Allied Telesis LA-PCM
pcnet_cs: add cis(firmware) of the Allied Telesis LA-PCM

Signed-off-by: Ken Kawasaki <ken_kawasaki@spring.nifty.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-04-21 02:06:14 -07:00
Roland Dreier 1a44cc3778 mlx4_en: Fix cleanup if workqueue create in mlx4_en_add() fails
If creating a workqueue fails, don't jump to the error path where that
same workqueue is destroyed, since destroy_workqueue() can't handle a
NULL pointer.

This was spotted by the Coverity checker (CID 2617).

Signed-off-by: Roland Dreier <rolandd@cisco.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-04-21 01:47:08 -07:00
Yevgeny Petrilin b1b243afac mlx4_en: Move to SW counters for total bytes and packets
The per ring counters are implemented in SW. Now moving to have the total
counters as the sum of all rings. This way the numbers will always be consistent
and we no longer depend on HW buffer size limitations for those counters
that can be insufficient in some cases.

Signed-off-by: Yevgeny Petrilin <yevgenyp@mellanox.co.il>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-04-21 01:47:07 -07:00
Yevgeny Petrilin 45b4d66d69 mlx4_en: use NETIF_F_IP_CSUM | NETIF_F_IPV6_CSUM for tx csum at initialization
The former usage was to set the NETIF_F_HW_CSUM flag which is not used
in get_tx_csum. It caused Ethtool to show tx checksum as "on" even
though it was turned off in previous operation.

Signed-off-by: Yevgeny Petrilin <yevgenyp@mellanox.co.il>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-04-21 01:47:07 -07:00
Yevgeny Petrilin 966508f7a5 mlx4_en: Assign dummy event handler for TX queue
The low level driver always assumes this handler exists.
The lack of it could cause kernel panic

Signed-off-by: Yevgeny Petrilin <yevgenyp@mellanox.co.il>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-04-21 01:47:05 -07:00
Yevgeny Petrilin 1e338db56e mlx4_en: Fix a race at restart task
The query whether the port is up or not should be done at
the execution of the restart task and not when it is queued.

Signed-off-by: Yevgeny Petrilin <yevgenyp@mellanox.co.il>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-04-21 01:47:04 -07:00
Yevgeny Petrilin 9a4f92a603 mlx4_en: Fix error handling while activating RX rings
In case of failure of either srq creation or page allocation,
the cleanup code handled the failed ring as well, and tried
to destroy resources that where not allocated.

Signed-off-by: Yevgeny Petrilin <yevgenyp@mellanox.co.il>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-04-21 01:47:03 -07:00
David S. Miller 775d8d9315 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2009-04-20 15:33:46 -07:00
Matt Carlson 62cedd11f6 tg3: Fix SEEPROM accesses
The recent NVRAM patches sanitized how the driver deals with NVRAM
data, but they failed to bring the SEEPROM interfaces inline with
the new strategy.  This patch brings the SEEPROM interfaces up to date.
This patch also reverts commit 0d489ffb76
("tg3: fix big endian MAC address collection failure").

Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Tested-by: Robin Holt <holt@sgi.com>
Tested-by: James Bottomley <james.bottomley@HansenPartnership.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-04-20 14:52:29 -07:00
Johannes Berg 7e0986c17f mac80211: fix basic rate bitmap calculation
"mac80211: fix basic rates setting from association response"
introduced a copy/paste error.

Unfortunately, this not just leads to wrong data being passed
to the driver but is remotely exploitable for some hardware or
driver combinations.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Cc: stable@kernel.org [2.6.29]
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-04-20 16:36:26 -04:00
Kalle Valo ad935687db mac80211: fix beacon loss detection after scan
Currently beacon loss detection triggers after a scan. A probe request
is sent and a message like this is printed to the log:

wlan0: beacon loss from AP 00:12:17:e7:98:de - sending probe request

But in fact there is no beacon loss, the beacons are just not received
because of the ongoing scan. Fix it by updating last_beacon after
the scan has finished.

Reported-by: Jaswinder Singh Rajput <jaswinder@kernel.org>
Signed-off-by: Kalle Valo <kalle.valo@iki.fi>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-04-20 16:36:26 -04:00
Jouni Malinen d91c01c757 nl80211: Make nl80211_send_mlme_event() atomic
One of the code paths sending deauth/disassoc events ends up calling
this function with rcu_read_lock held, so we must use GFP_ATOMIC in
allocation routines.

Reported-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Jouni Malinen <j@w1.fi>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-04-20 16:36:26 -04:00
Christian Lamparter e10a9dfc35 ar9170usb: fix hang on resume
This patch fixes a hang on resume when the filesystem is not
available and request_firmware blocks.

However, the device does not accept the firmware on resume.
and it will exit with:

> firmware part 1 upload failed (-71).
> device is in a bad state. please reconnect it!

Reported-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-04-20 16:36:26 -04:00
Robert P. J. Day 18aaab15f9 MAC80211: Remove unused MAC80211_VERBOSE_SPECT_MGMT_DEBUG.
Remove this unused Kconfig variable, which Intel apparently once
promised to make use of but never did.

Signed-off-by: Robert P. J. Day <rpjday@crashcourse.ca>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-04-20 16:36:26 -04:00
Joerg Albert 230f7af0d8 mwl8k: fix module re-insertion bug
swap mwl8k_remove and mwl8k_shutdown functions to allow
"rmmod mwl8k; modprobe mwl8k"

Signed-off-by: Joerg Albert <jal2@gmx.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-04-20 16:36:26 -04:00
Christian Lamparter c3b93c878d p54: deactivate broken powersave function
This patch deactivates powersave in station mode.

It does not work correctly yet, so the code does more harm than good.

Reported-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-04-20 16:36:26 -04:00
Joe Perches 125143966f iwl3945-base.c: Add missing space to debug print
"not" is not printed without a space after %pM

Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-04-20 16:36:26 -04:00
Ivo van Doorn 499a214ca2 rt2x00: Don't free register information on suspend
After suspend & resume the rt2x00 devices won't wakeup
anymore due to a broken register information setup.
The most important problem is the release of the EEPROM
buffer which is completely cleared and never read again
after the suspend.

Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-04-20 16:36:26 -04:00
Herbert Xu c40af84a67 tun: Fix sk_sleep races when attaching/detaching
As the sk_sleep wait queue actually lives in tfile, which may be
detached from the tun device, bad things will happen when we use
sk_sleep after detaching.

Since the tun device is the persistent data structure here (when
requested by the user), it makes much more sense to have the wait
queue live there.  There is no reason to have it in tfile at all
since the only time we can wait is if we have a tun attached.
In fact we already have a wait queue in tun_struct, so we might
as well use it.

Reported-by: Eric W. Biederman <ebiederm@xmission.com>
Tested-by: Christian Borntraeger <borntraeger@de.ibm.com>
Tested-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-04-20 03:01:48 -07:00
Herbert Xu 9c3fea6ab0 tun: Only free a netdev when all tun descriptors are closed
The commit c70f182940 ("tun: Fix
races between tun_net_close and free_netdev") fixed a race where
an asynchronous deletion of a tun device can hose a poll(2) on
a tun fd attached to that device.

However, this came at the cost of moving the tun wait queue into
the tun file data structure.  The problem with this is that it
imposes restrictions on when and where the tun device can access
the wait queue since the tun file may change at any time due to
detaching and reattaching.

In particular, now that we need to use the wait queue on the
receive path it becomes difficult to properly synchronise this
with the detachment of the tun device.

This patch solves the original race in a different way.  Since
the race is only because the underlying memory gets freed, we
can prevent it simply by ensuring that we don't do that until
all tun descriptors ever attached to the device (even if they
have since be detached because they may still be sitting in poll)
have been closed.

This is done by using reference counting the attached tun file
descriptors.  The refcount in tun->sk has been reappropriated
for this purpose since it was already being used for that, albeit
from the opposite angle.

Note that we no longer zero tfile->tun since tun_get will return
NULL anyway after the refcount on tfile hits zero.  Instead it
represents whether this device has ever been attached to a device.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-04-20 03:01:47 -07:00
Ben Hutchings 5db8765a86 net: Fix GRO for multiple page fragments
This loop over fragments in napi_fraginfo_skb() was "interesting".

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-04-20 02:20:30 -07:00
David S. Miller 9a5120ddd1 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/holtmann/bluetooth-2.6 2009-04-20 02:16:44 -07:00
Marcin Slusarz eb39c57ff7 net: fix "compatibility" typos
Signed-off-by: Marcin Slusarz <marcin.slusarz@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-04-20 02:15:01 -07:00
Ilpo Järvinen 52cf3cc8ac tcp: fix mid-wq adjustment helper
Just noticed while doing some new work that the recent
mid-wq adjustment logic will misbehave when FACK is not
in use (happens either due sysctl'ed off or auto-detected
reordering) because I forgot the relevant TCPCB tagbit.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-04-20 02:15:00 -07:00
Jarek Poplawski 8caf153974 net: sch_netem: Fix an inconsistency in ingress netem timestamps.
Alex Sidorenko reported:

"while experimenting with 'netem' we have found some strange behaviour. It
seemed that ingress delay as measured by 'ping' command shows up on some
hosts but not on others.

After some investigation I have found that the problem is that skbuff->tstamp
field value depends on whether there are any packet sniffers enabled. That
is:

- if any ptype_all handler is registered, the tstamp field is as expected
- if there are no ptype_all handlers, the tstamp field does not show the delay"

This patch prevents unnecessary update of tstamp in dev_queue_xmit_nit()
on ingress path (with act_mirred) adding a check, so minimal overhead on
the fast path, but only when sniffers etc. are active.

Since netem at ingress seems to logically emulate a network before a host,
tstamp is zeroed to trigger the update and pretend delays are from the
outside.

Reported-by: Alex Sidorenko <alexandre.sidorenko@hp.com>
Tested-by: Alex Sidorenko <alexandre.sidorenko@hp.com>
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-04-20 02:14:59 -07:00
Alan Cox c7c1a0f60b ax25: proc uid file misses header
This has been broken for a while. I happened to catch it testing because one
app "knew" that the top line of the calls data was the policy line and got
confused.

Put the header back.

Signed-off-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-04-20 02:14:59 -07:00
Divy Le Ray e8d1937073 cxgb3: Fix EEH final recovery attempt
EEH attempts to recover up 6 times.
The last attempt leaves all the ports and adapter down.hen
The driver is then unloaded, bringing the adapter down again
unconditionally. The unload will hang.
Check if the adapter is already down before trying to bring it down again.

Signed-off-by: Divy Le Ray <divy@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-04-20 02:07:27 -07:00
Divy Le Ray 2c2f409f32 cxgb3: Fix potential msi-x vector leak
Release vectors when a MSI-X allocation fails.

Signed-off-by: Divy Le Ray <divy@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-04-20 02:07:25 -07:00
Divy Le Ray c80b0c28ca cxgb3: fix workqueue flush issues
The fatal error task can be scheduled while processing an offload packet
in NAPI context when the connection handle is bogus. this can race
with the ports being brought down and the cxgb3 workqueue being flushed.
Stop napi processing before flushing the work queue.

The ULP drivers (iSCSI, iWARP) might also schedule a task on keventd_wk
while releasing a connection handle (cxgb3_offload.c::cxgb3_queue_tid_release()).
The driver however does not flush any work on keventd_wq while being unloaded.
This patch also fixes this.

Also call cancel_delayed_work_sync in place of the the deprecated
cancel_rearming_delayed_workqueue.

Signed-off-by: Divy Le Ray <divy@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-04-20 02:07:24 -07:00
Divy Le Ray 3851c66cf0 cxgb3: fix link fault handling
Use the existing periodic task to handle link faults.
The link fault interrupt handler is also called in work queue context,
which is wrong and might cause potential deadlocks.

Signed-off-by: Divy Le Ray <divy@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-04-20 02:07:23 -07:00
Marcel Holtmann 9499237a1c Bluetooth: Add workaround for wrong HCI event in eSCO setup
The Broadcom chips with 2.1 firmware handle the fallback case to a SCO
link wrongly when setting up eSCO connections.

  < HCI Command: Setup Synchronous Connection (0x01|0x0028) plen 17
      handle 11 voice setting 0x0060
  > HCI Event: Command Status (0x0f) plen 4
      Setup Synchronous Connection (0x01|0x0028) status 0x00 ncmd 1
  > HCI Event: Connect Complete (0x03) plen 11
      status 0x00 handle 1 bdaddr 00:1E:3A:xx:xx:xx type SCO encrypt 0x01

The Link Manager negotiates the fallback to SCO, but then sends out
a Connect Complete event. This is wrong and the Link Manager should
actually send a Synchronous Connection Complete event if the Setup
Synchronous Connection has been used. Only the remote side is allowed
to use Connect Complete to indicate the missing support for eSCO in
the host stack.

This patch adds a workaround for this which clearly should not be
needed, but reality is that broken Broadcom devices are deployed.

Based on a report by Ville Tervo <ville.tervo@nokia.com>

Signed-off-by: Marcel Holtman <marcel@holtmann.org>
2009-04-19 19:30:03 +02:00
Marcel Holtmann 732547f96e Bluetooth: Fallback from eSCO to SCO on unspecified error
Some Bluetooth chips (like the ones from Texas Instruments) don't do
proper eSCO negotiations inside the Link Manager. They just return an
error code and in case of the Kyocera ED-8800 headset it is just a
random error.

  < HCI Command: Setup Synchronous Connection 0x01|0x0028) plen 17
    handle 1 voice setting 0x0060
  > HCI Event: Command Status (0x0f) plen 4
    Setup Synchronous Connection (0x01|0x0028) status 0x00 ncmd 1
  > HCI Event: Synchronous Connect Complete (0x2c) plen 17
    status 0x1f handle 257 bdaddr 00:14:0A:xx:xx:xx type eSCO
    Error: Unspecified Error

In these cases it is up to the host stack to fallback to a SCO setup
and so retry with SCO parameters.

Based on a report by Nick Pelly <npelly@google.com>

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2009-04-19 19:14:14 +02:00
Johan Hedberg e2139b3272 Bluetooth: Fix removing of RFCOMM DLC timer with DEFER_SETUP
There is a missing call to rfcomm_dlc_clear_timer in the case that
DEFER_SETUP is used and so the connection gets disconnected after the
timeout even if it was successfully accepted previously.

This patch adds a call to rfcomm_dlc_clear_timer to rfcomm_dlc_accept
which will get called when the user accepts the connection by calling
read() on the socket.

Signed-off-by: Johan Hedberg <johan.hedberg@nokia.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
2009-04-19 18:56:45 +02:00
Patrick McHardy 7816a0a862 vlan/macvlan: fix NULL pointer dereferences in ethtool handlers
Check whether the underlying device provides a set of ethtool ops before
checking for individual handlers to avoid NULL pointer dereferences.

Reported-by: Art van Breemen <ard@telegraafnet.nl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-04-17 15:59:23 -07:00
David S. Miller 75a241f959 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2009-04-17 15:54:40 -07:00
David S. Miller e18e37e509 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6 2009-04-17 15:38:38 -07:00
Christian Lamparter 957b0516f7 ar9170usb: add ZyXEL NWD271N
Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-04-17 15:27:14 -04:00
Johannes Berg 60375541f7 mac80211: validate TIM IE length
The TIM IE must not be shorter than 4 bytes, so verify that
when parsing it.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-04-17 15:27:13 -04:00
Johannes Berg cd1658f592 cfg80211: do not replace BSS structs
Instead, allocate extra IE memory if necessary. Normally,
this isn't even necessary since there's enough space.

This is a better way of correcting the "held BSS can
disappear" issue, but also a lot more code. It is also
necessary for proper auth/assoc BSS handling in the
future.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-04-17 15:27:13 -04:00
Johannes Berg 160002fe84 cfg80211: copy hold when replacing BSS
When we receive a probe response frame we can replace the
BSS struct in our list -- but if that struct is held then
we need to hold the new one as well.

We really should fix this completely and not replace the
struct, but this is a bandaid for now.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-04-17 15:27:13 -04:00