aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAge
* wireless: libertas: fix unaligned le64 accessesSteven Miao2011-11-09
| | | | | | | | use get_unaligned_le64() to get timestamp Signed-off-by: Steven Miao <realmz6@gmail.com> Acked-by: Dan Williams <dcbw@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* cfg80211: fix bug on regulatory core exit on access to last_requestLuis R. Rodriguez2011-11-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 4d9d88d1 by Scott James Remnant <keybuk@google.com> added the .uevent() callback for the regulatory device used during the platform device registration. The change was done to account for queuing up udev change requests through udevadm triggers. The change also meant that upon regulatory core exit we will now send a uevent() but the uevent() callback, reg_device_uevent(), also accessed last_request. Right before commiting device suicide we free'd last_request but never set it to NULL so platform_device_unregister() would lead to bogus kernel paging request. Fix this and also simply supress uevents right before we commit suicide as they are pointless. This fix is required for kernels >= v2.6.39 $ git describe --contains 4d9d88d1 v2.6.39-rc1~468^2~25^2^2~21 The impact of not having this present is that a bogus paging access may occur (only read) upon cfg80211 unload time. You may also get this BUG complaint below. Although Johannes could not reproduce the issue this fix is theoretically correct. mac80211_hwsim: unregister radios mac80211_hwsim: closing netlink BUG: unable to handle kernel paging request at ffff88001a06b5ab IP: [<ffffffffa030df9a>] reg_device_uevent+0x1a/0x50 [cfg80211] PGD 1836063 PUD 183a063 PMD 1ffcb067 PTE 1a06b160 Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC CPU 0 Modules linked in: cfg80211(-) [last unloaded: mac80211] Pid: 2279, comm: rmmod Tainted: G W 3.1.0-wl+ #663 Bochs Bochs RIP: 0010:[<ffffffffa030df9a>] [<ffffffffa030df9a>] reg_device_uevent+0x1a/0x50 [cfg80211] RSP: 0000:ffff88001c5f9d58 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff88001d2eda88 RCX: ffff88001c7468fc RDX: ffff88001a06b5a0 RSI: ffff88001c7467b0 RDI: ffff88001c7467b0 RBP: ffff88001c5f9d58 R08: 000000000000ffff R09: 000000000000ffff R10: 0000000000000000 R11: 0000000000000001 R12: ffff88001c7467b0 R13: ffff88001d2eda78 R14: ffffffff8164a840 R15: 0000000000000001 FS: 00007f8a91d8a6e0(0000) GS:ffff88001fc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: ffff88001a06b5ab CR3: 000000001c62e000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process rmmod (pid: 2279, threadinfo ffff88001c5f8000, task ffff88000023c780) Stack: ffff88001c5f9d98 ffffffff812ff7e5 ffffffff8176ab3d ffff88001c7468c2 000000000000ffff ffff88001d2eda88 ffff88001c7467b0 ffff880000114820 ffff88001c5f9e38 ffffffff81241dc7 ffff88001c5f9db8 ffffffff81040189 Call Trace: [<ffffffff812ff7e5>] dev_uevent+0xc5/0x170 [<ffffffff81241dc7>] kobject_uevent_env+0x1f7/0x490 [<ffffffff81040189>] ? sub_preempt_count+0x29/0x60 [<ffffffff814cab1a>] ? _raw_spin_unlock_irqrestore+0x4a/0x90 [<ffffffff81305307>] ? devres_release_all+0x27/0x60 [<ffffffff8124206b>] kobject_uevent+0xb/0x10 [<ffffffff812fee27>] device_del+0x157/0x1b0 [<ffffffff8130377d>] platform_device_del+0x1d/0x90 [<ffffffff81303b76>] platform_device_unregister+0x16/0x30 [<ffffffffa030fffd>] regulatory_exit+0x5d/0x180 [cfg80211] [<ffffffffa032bec3>] cfg80211_exit+0x2b/0x45 [cfg80211] [<ffffffff8109a84c>] sys_delete_module+0x16c/0x220 [<ffffffff8108a23e>] ? trace_hardirqs_on_caller+0x7e/0x120 [<ffffffff814cba02>] system_call_fastpath+0x16/0x1b Code: <all your base are belong to me> RIP [<ffffffffa030df9a>] reg_device_uevent+0x1a/0x50 [cfg80211] RSP <ffff88001c5f9d58> CR2: ffff88001a06b5ab ---[ end trace 147c5099a411e8c0 ]--- Reported-by: Johannes Berg <johannes@sipsolutions.net> Cc: Scott James Remnant <keybuk@google.com> Cc: stable@vger.kernel.org Signed-off-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* mac80211: fix bug in ieee80211_build_probe_reqJohannes Berg2011-11-09
| | | | | | | | | | ieee80211_probereq_get() can return NULL in which case we should clean up & return NULL in ieee80211_build_probe_req() as well. Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* mac80211: fix NULL dereference in radiotap codeJohannes Berg2011-11-09
| | | | | | | | | | | | | | | | | | | | | | | | When receiving failed PLCP frames is enabled, there won't be a rate pointer when we add the radiotap header and thus the kernel will crash. Fix this by not assuming the rate pointer is always valid. It's still always valid for frames that have good PLCP though, and that is checked & enforced. This was broken by my commit fc88518916793af8ad6a02e05ff254d95c36d875 Author: Johannes Berg <johannes.berg@intel.com> Date: Fri Jul 30 13:23:12 2010 +0200 mac80211: don't check rates on PLCP error frames where I removed the check in this case but didn't take into account that the rate info would be used. Reported-by: Xiaokang Qin <xiaokang.qin@intel.com> Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* wl12xx: fix wl12xx_scan_sched_scan_ssid_list() check that all given ssids ↵Eyal Shapira2011-11-08
| | | | | | | | | | | are in filters A minor fix for the check that verifies that all given SSIDs (in req) exist in the filters (the match sets) Signed-off-by: Eyal Shapira <eyal@wizery.com> Acked-by: Luciano Coelho <coelho@ti.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* ath: Fix NULL ptr dereference in ath_reg_apply_world_flagsHelmut Schaa2011-11-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This happens with devices using a regulatory domain 0x68 that are only 5Ghz capable because ath_reg_apply_active_scan_flags assumes that we always have a 2,4Ghz band. CPU 0 Unable to handle kernel paging request at virtual address 00000000, epc == 82cd838c, ra == 82cd8384 Oops[#1]: Cpu 0 $ 0 : 00000000 00000061 00000003 00000024 $ 4 : 00000003 000016c1 82f900ac 00000024 $ 8 : 00000000 82cda304 0058bad8 00000005 $12 : 005908f8 001e8481 00000003 1dcd6500 $16 : 00000002 00000000 82c700c0 82c700c0 $20 : 82d415e4 82c70d64 82c70200 82c715bc $24 : 00000000 11e1a300 $28 : 82ce2000 82ce3c70 82c715a8 82cd8384 Hi : 00000000 Lo : 0000001e epc : 82cd838c ath_reg_apply_world_flags+0x78/0x17c [ath] Not tainted ra : 82cd8384 ath_reg_apply_world_flags+0x70/0x17c [ath] Status: 1000d403 KERNEL EXL IE Cause : 80800008 BadVA : 00000000 PrId : 00019374 (MIPS 24Kc) Modules linked in: ath9k(+) ath9k_common ath9k_hw ath mac80211 cfg80211 compat_firmware_class compat arc4 aes_generic deflate ecb cbc leds_gpio button_hotplug gpio_buttons input_polldev ie Process insmod (pid: 464, threadinfo=82ce2000, task=838b31d8, tls=00000000) Stack : 00000000 00000002 82f900ac 82c700c0 82d415e4 82c70d64 00000000 00000068 82f900ac 82cd88f4 82c700c0 82cda304 00000001 000020f0 82f90000 82c70d40 00000002 82f90000 82f900ac 82d4207c 82d518a0 00000002 7fee6118 8017c0d8 00000008 8397ba00 82c70d40 00000000 82c70200 83813000 83813058 b0010000 82d518a0 00000002 7fee6118 82d4b8c8 83445cc0 80120dc0 83804000 800eeda0 ... Call Trace: [<82cd838c>] ath_reg_apply_world_flags+0x78/0x17c [ath] [<82cd88f4>] ath_regd_init+0x464/0x488 [ath] [<82d4207c>] ath9k_init_device+0x6a4/0x6b4 [ath9k] [<82d4b8c8>] ath_pci_probe+0x27c/0x358 [ath9k] [<80181de0>] pci_device_probe+0x64/0xa4 [<8019e874>] driver_probe_device+0xb8/0x190 [<8019e9b8>] __driver_attach+0x6c/0xa4 [<8019dfc0>] bus_for_each_dev+0x60/0xb0 [<8019d744>] bus_add_driver+0xc4/0x25c [<8019ed6c>] driver_register+0xe0/0x198 [<8018206c>] __pci_register_driver+0x50/0xe0 [<82dd0010>] ath9k_init+0x10/0x54 [ath9k] [<8006b4a0>] do_one_initcall+0x68/0x1ec [<800a901c>] sys_init_module+0xec/0x23c [<80062544>] stack_done+0x20/0x3c Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* cfg80211: fix missing kernel-docJohannes Berg2011-11-08
| | | | | | | Two new struct members were not documented, fix that. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* Merge branch 'master' of ↵John W. Linville2011-11-08
|\ | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/padovan/bluetooth
| * Bluetooth: Add support for Broadcom BCM20702A0Wen-chien Jesse Sung2011-11-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Since this device declares itself as vendor specific, must add a new entry to device ID table to support it. usb-device output of this device: T: Bus=01 Lev=02 Prnt=02 Port=03 Cnt=01 Dev#= 3 Spd=12 MxCh= 0 D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=413c ProdID=8197 Rev=01.12 S: Manufacturer=Broadcom Corp S: Product=BCM20702A0 S: SerialNumber=D0DF9AA9C9F1 C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=0mA I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none) I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none) I: If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) I: If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none) Signed-off-by: Wen-chien Jesse Sung <jesse.sung@canonical.com> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
| * Bluetooth: Use miliseconds for L2CAP channel timeoutsAndrzej Kaczmarek2011-11-07
| | | | | | | | | | | | | | | | | | | | | | Timers set by __set_chan_timer() should use miliseconds instead of jiffies. Commit 942ecc9c4643db5ce071562e0a23f99464d6b461 updated l2cap_set_timer() so it expects timeout to be specified in msecs instead of jiffies. This makes timeouts unreliable when CONFIG_HZ is not set to 1000. Signed-off-by: Andrzej Kaczmarek <andrzej.kaczmarek@tieto.com> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
| * Bluetooth: Revert: Fix L2CAP connection establishmentArek Lichwa2011-11-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This reverts commit 330605423ca6eafafb8dcc27502bce1c585d1b06. The commit introduces regression when two 2.1 devices attempt establish rfcomm channel. Such connection is refused since there's a security block issue on l2cap. It means the link is unencrypted. 2011-09-16 18:08:46.567616 < ACL data: handle 1 flags 0x00 dlen 24 0000: 14 00 40 00 06 00 02 00 0f 35 03 19 12 00 ff ff ..@......5....˙˙ 0010: 35 05 0a 00 00 ff ff 00 5....˙˙. 2011-09-16 18:08:46.572377 > HCI Event: Number of Completed Packets (0x13) plen 5 handle 1 packets 1 2011-09-16 18:08:46.577931 > ACL data: handle 1 flags 0x02 dlen 88 L2CAP(d): cid 0x0040 len 84 [psm 0] 0000: 07 00 02 00 4f 00 4c 35 4a 35 48 09 00 00 0a 00 ....O.L5J5H..... 0010: 01 00 00 09 00 01 35 03 19 12 00 09 00 05 35 03 ......5.......5. 0020: 19 10 02 09 00 09 35 08 35 06 19 12 00 09 01 02 ......5.5....... 0030: 09 02 00 09 01 02 09 02 01 09 00 0a 09 02 02 09 ................ 0040: 00 00 09 02 03 09 00 00 09 02 04 28 01 09 02 05 ...........(.... 0050: 09 00 02 00 .... 2011-09-16 18:08:46.626057 < HCI Command: Authentication Requested (0x01|0x0011) plen 2 handle 1 2011-09-16 18:08:46.627614 > HCI Event: Command Status (0x0f) plen 4 Authentication Requested (0x01|0x0011) status 0x00 ncmd 1 2011-09-16 18:08:46.627675 > HCI Event: Link Key Request (0x17) plen 6 bdaddr 00:00:F2:6A:29:69 2011-09-16 18:08:46.634999 < HCI Command: Link Key Request Reply (0x01|0x000b) plen 22 bdaddr 00:00:F2:6A:29:69 key 58CD393179FC902E5E8F512A855EE532 2011-09-16 18:08:46.683278 > HCI Event: Command Complete (0x0e) plen 10 Link Key Request Reply (0x01|0x000b) ncmd 1 status 0x00 bdaddr 00:00:F2:6A:29:69 2011-09-16 18:08:46.764729 > HCI Event: Auth Complete (0x06) plen 3 status 0x00 handle 1 2011-09-16 18:08:46.764821 < ACL data: handle 1 flags 0x00 dlen 12 0000: 08 00 01 00 02 05 04 00 03 00 41 00 ..........A. 2011-09-16 18:08:46.764851 > HCI Event: Command Status (0x0f) plen 4 Unknown (0x00|0x0000) status 0x00 ncmd 2 2011-09-16 18:08:46.768117 > HCI Event: Number of Completed Packets (0x13) plen 5 handle 1 packets 1 2011-09-16 18:08:46.770894 > ACL data: handle 1 flags 0x02 dlen 16 L2CAP(s): Connect rsp: dcid 0x0000 scid 0x0041 result 3 status 0 Connection refused - security block 2011-09-16 18:08:49.000691 < ACL data: handle 1 flags 0x00 dlen 12 0000: 08 00 01 00 06 06 04 00 40 00 40 00 ........@.@. 2011-09-16 18:08:49.015675 > HCI Event: Number of Completed Packets (0x13) plen 5 handle 1 packets 1 2011-09-16 18:08:49.016927 > ACL data: handle 1 flags 0x02 dlen 12 L2CAP(s): Disconn rsp: dcid 0x0040 scid 0x0040 2011-09-16 18:08:51.009480 < HCI Command: Disconnect (0x01|0x0006) plen 3 handle 1 reason 0x13 Reason: Remote User Terminated Connection 2011-09-16 18:08:51.011525 > HCI Event: Command Status (0x0f) plen 4 Disconnect (0x01|0x0006) status 0x00 ncmd 1 2011-09-16 18:08:51.123494 > HCI Event: Disconn Complete (0x05) plen 4 status 0x00 handle 1 reason 0x16 Reason: Connection Terminated by Local Host Signed-off-by: Arek Lichwa <arkadiusz.lichwa@tieto.com> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
* | mac80211: uAPSD - fix IEEE80211_FCTL_MOREDATA bit settingJanusz.Dziedzic@tieto.com2011-11-07
| | | | | | | | | | | | | | | | | | Set IEEE80211_FCTL_MOREDATA bit also in case we have buffered frames (more than one) only for one AC. Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com> Reviewed-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | net, wireless, mwifiex: Fix mem leak in mwifiex_update_curr_bss_params()Jesper Juhl2011-11-07
| | | | | | | | | | | | | | | | | | | | | | If kmemdup() fails we leak the memory allocated to bss_desc. This patch fixes the leak. I also removed the pointless default assignment of 'NULL' to 'bss_desc' while I was there anyway. Signed-off-by: Jesper Juhl <jj@chaosbits.net> Reviewed-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | cfg80211: fix cmp_iesJohannes Berg2011-11-07
| | | | | | | | | | | | | | | | | | | | | | | | | | When comparing two items by IE, the sort order wasn't stable, which could lead to issues in the rbtree. Make it stable by making a missing IE sort before a present IE. Also sort by length first if it differs and then by contents. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | cfg80211: allow setting TXQ parameters only in AP modeJohannes Berg2011-11-07
| | | | | | | | | | | | | | | | | | | | | | In other modes the parameters should not be set. Right now, mac80211 will set them, even if the user asked for setting them on VLANs which the driver doesn't know about, causing all kinds of trouble. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | nl80211: fix HT capability attribute validationJohannes Berg2011-11-07
| | | | | | | | | | | | | | | | | | | | | | Since the NL80211_ATTR_HT_CAPABILITY attribute is used as a struct, it needs a minimum, not maximum length. Enforce that properly. Not doing so could potentially lead to reading after the buffer. Cc: stable@vger.kernel.org Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | mac80211: use min rate as basic rate for buggy APsEliad Peller2011-11-07
| | | | | | | | | | | | | | | | | | | | | | | | Some buggy APs (and even P2P_GO) don't advertise their basic rates in the association response. In such case, use the min supported rate as the basic rate. Reported-by: Pontus Fuchs <pontus.fuchs@gmail.com> Signed-off-by: Eliad Peller <eliad@wizery.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | brcm80211: smac: eliminate a null pointer dereference in dma.cArend van Spriel2011-11-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Though it's unlikely, di may be null, so we can't dereference di->dma.dmactrlflags until we've checked it. Move this de-reference after the check, and adjust the error message to not require de-referencing di. This is based upon Julia's original patch: <1319846297-2985-2-git-send-email-julia@diku.dk> Reported-by: Julia Lawall <julia@diku.dk> Acked-by: Arend van Spriel <arend@broadcom.com> Signed-off-by: Julian Calaby <julian.calaby@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | b43: HT-PHY: report signal to mac80211Rafał Miłecki2011-11-07
| | | | | | | | | | Signed-off-by: Rafał Miłecki <zajec5@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | b43: fill ctl1 word on all newer PHYs, fix PHY errorsRafał Miłecki2011-11-07
| | | | | | | | | | | | | | | | | | This fixes PHY transmission errors reported on some LP-PHY and HT-PHY cards. For LP-PHY they were quite rare and not really noticable. On HT-PHY they were critical, OFDM rates were not available at all. Signed-off-by: Rafał Miłecki <zajec5@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | mac80211: warn only once about not finding a rateJohannes Berg2011-11-04
|/ | | | | | | | | | The warning really shouldn't happen, but until we find the reason why it does don't spew it all the time, just once is enough to know we've hit it. Reported-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* iwlwifi: don't perform "echo test" when cmd queue stuckWey-Yi Guy2011-11-02
| | | | | | | | | | Perform "echo test" when cmd queue stuck detected, somethime it will cause calltrace. I am not sure how to fix it yet, just remove the action now until find a better way to handle it. Reported-by: Reinette Chatre <reinette.chatre@intel.com> Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* b43: Remove unneeded messageLarry Finger2011-11-02
| | | | | | | | | | The driver can spam the logs with "RX: Packet dropped" messages. These drops originate from 1. a correpted PLCP, 2. decryption errors, and 3. packet size underruns. Condition #3 logs a separate message, thus no dropped message is needed. Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* mac80211: disable powersave for broken APsJohannes Berg2011-11-02
| | | | | | | | | | | | | | | Only AID values 1-2007 are valid, but some APs have been found to send random bogus values, in the reported case an AP that was sending the AID field value 0xffff, an AID of 0x3fff (16383). There isn't much we can do but disable powersave since there's no way it can work properly in this case. Cc: stable@vger.kernel.org Reported-by: Bill C Riemers <briemers@redhat.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* iwlwifi: allow pci_enable_msi failWey-Yi Guy2011-11-02
| | | | | | | | | | | Continue the init process even fail to enable msi out_iounmap is no longer used, remove it Reported-by: werner <w.landgraf@ru.ru> Tested-by: werner <w.landgraf@ru.ru> Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* libertas: ensure we clean up a scan request properlyAndres Salomon2011-11-02
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 2e30168b ("libertas: terminate scan when stopping interface") adds cleanup code to lbs_eth_stop to call cfg80211_scan_done if there's an outstanding cfg80211_scan_request. However, it assumes that the scan request was allocated via the cfg80211 stack. Libertas has its own internal allocation method, kept track of with priv->internal_scan. This doesn't set scan_req->wiphy, amongst other things, which results in hitting a BUG() when we call cfg80211_scan_done on the request. This provides a function to take care of the low-level scan_req cleanup details. We simply call that to deal with finishing up scan requests. The bug we were hitting was: [ 964.321495] kernel BUG at net/wireless/core.h:87! [ 964.329970] Unable to handle kernel NULL pointer dereference at virtual address 00000000 [ 964.341963] pgd = dcf80000 ... [ 964.849998] 9fe0: 00000000 beb417b8 4018e280 401e822c 60000010 00000004 00000000 00000000 [ 964.865007] [<c003104c>] (__bug+0x1c/0x28) from [<c0384ffc>] (cfg80211_scan_done+0x54/0x6c) [ 964.895324] [<c0384ffc>] (cfg80211_scan_done+0x54/0x6c) from [<bf028bac>] (lbs_eth_stop+0x10c/0x188 [libertas]) [ 964.895324] [<bf028bac>] (lbs_eth_stop+0x10c/0x188 [libertas]) from [<c03002a0>] (__dev_close_many+0x94/0xc4) [ 964.918995] [<c03002a0>] (__dev_close_many+0x94/0xc4) from [<c030037c>] (dev_close_many+0x78/0xe0) Signed-off-by: Andres Salomon <dilinger@queued.net> Acked-by: Dan Williams <dcbw@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* ath9k_hw: Fix noise floor calibration timeout on fast channel changeRajkumar Manoharan2011-11-02
| | | | | | | | | | | During the fast channel change noise floor values are being loaded twice at init_cal and after channel_change. The commit "ath9k_hw: Improve fast channel change for AR9003 chips" overlooked it that caused failure to load nf while doing bgscan. This patch performs noise floor calibration after the fast and full reset. Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* ath9k_hw: Update AR9485 initvals to fix system hang issueRajkumar Manoharan2011-11-02
| | | | | | | | | This patch fixes system hang when resuming from S3 state and lower rate sens failure issue. Cc: stable@kernel.org Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* mac80211: Fix TDLS support validation in add_station handlerJouni Malinen2011-11-02
| | | | | | | | | We need to verify whether the command is successful before allocating the station entry to avoid extra processing. This also fixes a memory leak on the error path. Signed-off-by: Jouni Malinen <j@w1.fi> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* carl9170: fix AMPDU TX_CTL_REQ_TX_STATUS handlingChristian Lamparter2011-11-02
| | | | | | | | | | | | | | Previously the driver did not care if TX_CTL_REQ_TX_STATUS was set on aggregated frames or not and it would silently drop successfully sent frames if possible [much like: "no news is good news!"]. But, TX_CTL_REQ_TX_STATUS was invented for a reason and no tx status report should ever be dropped if it is set. Reported-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: Christian Lamparter <chunkeey@googlemail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* ath9k_hw: Fix regression of register offset of AR9330/AR9340Rajkumar Manoharan2011-11-02
| | | | | | | | | | | The commit ce407afc10 introduced regression for AR9330/AR9340 register offsets. Some of the register offsets are common for AR9330/AR9340/AR9485 except AR9380. Fix that. Cc: stable@kernel.org [3.1.0+] Cc: Senthil Balasubramanian <senthilb@qca.qualcomm.com> Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* mac80211: config hw when going back on-channelEliad Peller2011-11-02
| | | | | | | | | | When going back on-channel, we should reconfigure the hw iff the hardware is not already configured to the operational channel. Signed-off-by: Eliad Peller <eliad@wizery.com> Cc: stable@kernel.org # 2.6.39+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
* mac80211: fix remain_off_channel regressionEliad Peller2011-11-02
| | | | | | | | | | | | | | | | | | | | The offchannel code is currently broken - we should remain_off_channel if the work was started, and the work's channel and channel_type are the same as local->tmp_channel and local->tmp_channel_type. However, if wk->chan_type and local->tmp_channel_type coexist (e.g. have the same channel type), we won't remain_off_channel. This behavior was introduced by commit da2fd1f ("mac80211: Allow work items to use existing channel type.") Tested-by: Ben Greear <greearb@candelatech.com> Signed-off-by: Eliad Peller <eliad@wizery.com> Cc: stable@kernel.org # 2.6.39+ Signed-off-by: John W. Linville <linville@tuxdriver.com>
* ath9k_hw: Fix radio retention for AR9462Rajkumar Manoharan2011-11-02
| | | | | | | | | | | IQ calibration during fast channel change sometimes failed with RTT. And also restoring invalid radio retention readings during init cal could cause failure to set the channel properly. This patch counts the valid rtt history readings and clears rtt mask. Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* ath9k_hw: Fix regression of register offset for AR9003 chipsRajkumar Manoharan2011-11-02
| | | | | | | | | | | | | | | | | My recent commits (3782c69d, 324c74a) introduced regression for register offset selection that based on the macversion. Not using parentheses in proper manner for ternary operator leads to select wrong offset for the registers. This issue was observed with AR9462 chip that immediate disconnect after the association with the following message ieee80211 phy3: wlan0: Failed to send nullfunc to AP 00:23:69:12:ea:47 after 500ms, disconnecting. Cc: stable@kernel.org Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* iwlagn: fix the race in the unmapping of the HCMDEmmanuel Grumbach2011-11-02
| | | | | | | | | | | | | | As Stanislaw pointed out, my patch iwlagn: fix a race in the unmapping of the TFDs solved only part of the problem. The race still exists for TFDs of the host commands. Fix that too. Reported-by: Stanislaw Gruszka <sgruszka@redhat.com> Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* Merge branch 'master' of ↵John W. Linville2011-11-02
|\ | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/padovan/bluetooth
| * Bluetooth: bfusb: Fix error path on firmware loadDavid Herrmann2011-10-31
| | | | | | | | | | | | | | | | | | | | | | | | | | When loading the usb-configuration we do not signal the end of configuration on memory allocation error. This patch moves the memory allocation to the top so every error path uses "goto error" now to correctly send the usb-ctrl message when detecting some error. This also replaces GFP_ATOMIC with GFP_KERNEL as we are allowed to sleep here. Signed-off-by: David Herrmann <dh.herrmann@googlemail.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
| * Bluetooth: bcm203x: Use GFP_KERNEL in workqueueDavid Herrmann2011-10-31
| | | | | | | | | | | | | | | | | | | | A workqueue is allowed to sleep so we can safely use GFP_KERNEL instead of GFP_ATOMIC. This is still legacy code when the driver used timer BHs and not a worqueue. Signed-off-by: David Herrmann <dh.herrmann@googlemail.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
| * Bluetooth: bcm203x: Fix race condition on disconnectDavid Herrmann2011-10-31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When disconnecting a bcm203x device we kill and destroy the usb-urb, however, there might still be a pending work-structure which resubmits the now invalid urb. To avoid this race condition, we simply set a shutdown-flag and synchronously kill the worker first. This also adds a comment to all schedule_work()s, as it is really not clear that they are used as replacement for short timers (which can be seen in the git history). Signed-off-by: David Herrmann <dh.herrmann@googlemail.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
| * Bluetooth: ath3k: Use GFP_KERNEL instead of GFP_ATOMICDavid Herrmann2011-10-31
| | | | | | | | | | | | | | | | | | We are allowed to sleep here so no need to use GFP_ATOMIC. The caller (ath3k_probe) calls request_firmware() which definitely sleeps. Hence, we should avoid using GFP_ATOMIC. Signed-off-by: David Herrmann <dh.herrmann@googlemail.com> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
| * Bluetooth: Set HCI_MGMT flag only in read_controller_infoJohan Hedberg2011-10-31
| | | | | | | | | | | | | | | | | | | | The HCI_MGMT flag should only be set when user space requests the full controller information. This way we avoid potential issues with setting change events ariving before the actual read_controller_info command finishes. Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
| * Bluetooth: Increase HCI reset timeout in hci_dev_do_closeSzymon Janc2011-10-31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I've noticed that my CSR usb dongle was not working if it was plugged in when PC was booting. It looks like I get two HCI reset command complete events (see hcidump logs below). The root cause is reset called from off_timer. Timeout for this reset to complete is set to 250ms and my bt dongle requires more time for replying with command complete event. After that, chip seems to reply with reset command complete event for next non-reset command. Attached patch increase mentioned timeout to HCI_INIT_TIMEOUT, this value is already used for timeouting hci_reset_req in hci_dev_reset(). This might also be related to BT not working after suspend that was reported here some time ago. Hcidump log: 2011-09-12 23:13:27.379465 < HCI Command: Reset (0x03|0x0003) plen 0 2011-09-12 23:13:27.380797 > HCI Event: Command Complete (0x0e) plen 4 Reset (0x03|0x0003) ncmd 1 status 0x00 2011-09-12 23:13:27.380859 < HCI Command: Read Local Supported Features (0x04|0x000 3) plen 0 2011-09-12 23:13:27.760789 > HCI Event: Command Complete (0x0e) plen 4 Reset (0x03|0x0003) ncmd 1 status 0x00 2011-09-12 23:13:27.760831 < HCI Command: Read Local Version Information (0x04|0x00 01) plen 0 2011-09-12 23:13:27.764780 > HCI Event: Command Complete (0x0e) plen 12 Read Local Version Information (0x04|0x0001) ncmd 1 status 0x00 HCI Version: 1.1 (0x1) HCI Revision: 0x36f LMP Version: 1.1 (0x1) LMP Subversion: 0x36f Manufacturer: Cambridge Silicon Radio (10) Signed-off-by: Szymon Janc <szymon@janc.net.pl> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
| * Bluetooth: rfcomm: Fix sleep in invalid context in rfcomm_security_cfmSzymon Janc2011-10-14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This was triggered by turning off encryption on ACL link when rfcomm was using high security. rfcomm_security_cfm (which is called from rx task) was closing DLC and this involves sending disconnect message (and locking socket). Move closing DLC to rfcomm_process_dlcs and only flag DLC for closure in rfcomm_security_cfm. BUG: sleeping function called from invalid context at net/core/sock.c:2032 in_atomic(): 1, irqs_disabled(): 0, pid: 1788, name: kworker/0:3 [<c0068a08>] (unwind_backtrace+0x0/0x108) from [<c05e25dc>] (dump_stack+0x20/0x24) [<c05e25dc>] (dump_stack+0x20/0x24) from [<c0087ba8>] (__might_sleep+0x110/0x12c) [<c0087ba8>] (__might_sleep+0x110/0x12c) from [<c04801d8>] (lock_sock_nested+0x2c/0x64) [<c04801d8>] (lock_sock_nested+0x2c/0x64) from [<c05670c8>] (l2cap_sock_sendmsg+0x58/0xcc) [<c05670c8>] (l2cap_sock_sendmsg+0x58/0xcc) from [<c047cf6c>] (sock_sendmsg+0xb0/0xd0) [<c047cf6c>] (sock_sendmsg+0xb0/0xd0) from [<c047cfc8>] (kernel_sendmsg+0x3c/0x44) [<c047cfc8>] (kernel_sendmsg+0x3c/0x44) from [<c056b0e8>] (rfcomm_send_frame+0x50/0x58) [<c056b0e8>] (rfcomm_send_frame+0x50/0x58) from [<c056b168>] (rfcomm_send_disc+0x78/0x80) [<c056b168>] (rfcomm_send_disc+0x78/0x80) from [<c056b9f4>] (__rfcomm_dlc_close+0x2d0/0x2fc) [<c056b9f4>] (__rfcomm_dlc_close+0x2d0/0x2fc) from [<c056bbac>] (rfcomm_security_cfm+0x140/0x1e0) [<c056bbac>] (rfcomm_security_cfm+0x140/0x1e0) from [<c0555ec0>] (hci_event_packet+0x1ce8/0x4d84) [<c0555ec0>] (hci_event_packet+0x1ce8/0x4d84) from [<c0550380>] (hci_rx_task+0x1d0/0x2d0) [<c0550380>] (hci_rx_task+0x1d0/0x2d0) from [<c009ee04>] (tasklet_action+0x138/0x1e4) [<c009ee04>] (tasklet_action+0x138/0x1e4) from [<c009f21c>] (__do_softirq+0xcc/0x274) [<c009f21c>] (__do_softirq+0xcc/0x274) from [<c009f6c0>] (do_softirq+0x60/0x6c) [<c009f6c0>] (do_softirq+0x60/0x6c) from [<c009f794>] (local_bh_enable_ip+0xc8/0xd4) [<c009f794>] (local_bh_enable_ip+0xc8/0xd4) from [<c05e5804>] (_raw_spin_unlock_bh+0x48/0x4c) [<c05e5804>] (_raw_spin_unlock_bh+0x48/0x4c) from [<c040d470>] (data_from_chip+0xf4/0xaec) [<c040d470>] (data_from_chip+0xf4/0xaec) from [<c04136c0>] (send_skb_to_core+0x40/0x178) [<c04136c0>] (send_skb_to_core+0x40/0x178) from [<c04139f4>] (cg2900_hu_receive+0x15c/0x2d0) [<c04139f4>] (cg2900_hu_receive+0x15c/0x2d0) from [<c0414cb8>] (hci_uart_tty_receive+0x74/0xa0) [<c0414cb8>] (hci_uart_tty_receive+0x74/0xa0) from [<c02cbd9c>] (flush_to_ldisc+0x188/0x198) [<c02cbd9c>] (flush_to_ldisc+0x188/0x198) from [<c00b2774>] (process_one_work+0x144/0x4b8) [<c00b2774>] (process_one_work+0x144/0x4b8) from [<c00b2e8c>] (worker_thread+0x198/0x468) [<c00b2e8c>] (worker_thread+0x198/0x468) from [<c00b9bc8>] (kthread+0x98/0xa0) [<c00b9bc8>] (kthread+0x98/0xa0) from [<c0061744>] (kernel_thread_exit+0x0/0x8) Signed-off-by: Szymon Janc <szymon.janc@tieto.com> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
* | vlan: allow nested vlan_do_receive()Eric Dumazet2011-10-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit 2425717b27eb (net: allow vlan traffic to be received under bond) broke ARP processing on vlan on top of bonding. +-------+ eth0 --| bond0 |---bond0.103 eth1 --| | +-------+ 52870.115435: skb_gro_reset_offset <-napi_gro_receive 52870.115435: dev_gro_receive <-napi_gro_receive 52870.115435: napi_skb_finish <-napi_gro_receive 52870.115435: netif_receive_skb <-napi_skb_finish 52870.115435: get_rps_cpu <-netif_receive_skb 52870.115435: __netif_receive_skb <-netif_receive_skb 52870.115436: vlan_do_receive <-__netif_receive_skb 52870.115436: bond_handle_frame <-__netif_receive_skb 52870.115436: vlan_do_receive <-__netif_receive_skb 52870.115436: arp_rcv <-__netif_receive_skb 52870.115436: kfree_skb <-arp_rcv Packet is dropped in arp_rcv() because its pkt_type was set to PACKET_OTHERHOST in the first vlan_do_receive() call, since no eth0.103 exists. We really need to change pkt_type only if no more rx_handler is about to be called for the packet. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Reviewed-by: Jiri Pirko <jpirko@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | ipv6: fix route lookup in addrconf_prefix_rcv()Andreas Hofmeister2011-10-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The route lookup to find a previously auto-configured route for a prefixes used to use rt6_lookup(), with the prefix from the RA used as an address. However, that kind of lookup ignores routing tables, the prefix length and route flags, so when there were other matching routes, even in different tables and/or with a different prefix length, the wrong route would be manipulated. Now, a new function "addrconf_get_prefix_route()" is used for the route lookup, which searches in RT6_TABLE_PREFIX and takes the prefix-length and route flags into account. Signed-off-by: Andreas Hofmeister <andi@collax.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | bonding: eliminate bond_close race conditionsJay Vosburgh2011-10-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch resolves two sets of race conditions. Mitsuo Hayasaka <mitsuo.hayasaka.hu@hitachi.com> reported the first, as follows: The bond_close() calls cancel_delayed_work() to cancel delayed works. It, however, cannot cancel works that were already queued in workqueue. The bond_open() initializes work->data, and proccess_one_work() refers get_work_cwq(work)->wq->flags. The get_work_cwq() returns NULL when work->data has been initialized. Thus, a panic occurs. He included a patch that converted the cancel_delayed_work calls in bond_close to flush_delayed_work_sync, which eliminated the above problem. His patch is incorporated, at least in principle, into this patch. In this patch, we use cancel_delayed_work_sync in place of flush_delayed_work_sync, and also convert bond_uninit in addition to bond_close. This conversion to _sync, however, opens new races between bond_close and three periodically executing workqueue functions: bond_mii_monitor, bond_alb_monitor and bond_activebackup_arp_mon. The race occurs because bond_close and bond_uninit are always called with RTNL held, and these workqueue functions may acquire RTNL to perform failover-related activities. If bond_close or bond_uninit is waiting in cancel_delayed_work_sync, deadlock occurs. These deadlocks are resolved by having the workqueue functions acquire RTNL conditionally. If the rtnl_trylock() fails, the functions reschedule and return immediately. For the cases that are attempting to perform link failover, a delay of 1 is used; for the other cases, the normal interval is used (as those activities are not as time critical). Additionally, the bond_mii_monitor function now stores the delay in a variable (mimicing the structure of activebackup_arp_mon). Lastly, all of the above renders the kill_timers sentinel moot, and therefore it has been removed. Tested-by: Mitsuo Hayasaka <mitsuo.hayasaka.hu@hitachi.com> Signed-off-by: Jay Vosburgh <fubar@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | qlcnic: fix beacon and LED test.Sucheta Chakraborty2011-10-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | o Updated version number to 5.0.25 o Do not hold onto RESETTING_BIT for entire duration of LED/ beacon test. Instead, just checking for RESETTING_BIT not set before sending config_led command down to card. o Take rtnl_lock instead of RESETTING_BIT for beacon test while sending config_led command down to make sure interface cannot be brought up/ down. o Allocate and free resources if interface is down before sending the config_led command. This is to make sure config_led command sending doesn't fail. o Clear QLCNIC_LED_ENABLE bit if beacon/ LED test fails to start. Signed-off-by: Sucheta Chakraborty <sucheta.chakraborty@qlogic.com> Signed-off-by: Anirban Chakraborty <anirban.chakraborty@qlogic.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | qlcnic: Updated License fileSritej Velaga2011-10-30
| | | | | | | | | | | | | | | | Updated qlcnic's license file. Signed-off-by: Sritej Velaga <sritej.velaga@qlogic.com> Signed-off-by: Anirban Chakraborty <anirban.chakraborty@qlogic.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | qlcnic: updated reset sequenceSony Chacko2011-10-30
| | | | | | | | | | | | Signed-off-by: Sony Chacko <sony.chacko@qlogic.com> Signed-off-by: Anirban Chakraborty <anirban.chakraborty@qlogic.com> Signed-off-by: David S. Miller <davem@davemloft.net>