summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* mac80211: fix use-after-freeJohannes Berg2010-09-241-4/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | commit 8c0c709eea5cbab97fb464cd68b06f24acc58ee1 Author: Johannes Berg <johannes@sipsolutions.net> Date: Wed Nov 25 17:46:15 2009 +0100 mac80211: move cmntr flag out of rx flags moved the CMTR flag into the skb's status, and in doing so introduced a use-after-free -- when the skb has been handed to cooked monitors the status setting will touch now invalid memory. Additionally, moving it there has effectively discarded the optimisation -- since the bit is only ever set on freed SKBs, and those were a copy, it could never be checked. For the current release, fixing this properly is a bit too involved, so let's just remove the problematic code and leave userspace with one copy of each frame for each virtual interface. Cc: stable@kernel.org [2.6.33+] Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* wext: fix potential private ioctl memory content leakJohannes Berg2010-09-201-1/+1
| | | | | | | | | | | | | | | | | When a driver doesn't fill the entire buffer, old heap contents may remain, and if it also doesn't update the length properly, this old heap content will be copied back to userspace. It is very unlikely that this happens in any of the drivers using private ioctls since it would show up as junk being reported by iwpriv, but it seems better to be safe here, so use kzalloc. Reported-by: Jeff Mahoney <jeffm@suse.com> Cc: stable@kernel.org Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* iwlwifi: do not perferm force reset while doing scanWey-Yi Guy2010-09-171-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When uCode error condition detected, driver try to perform either rf reset or firmware reload in order bring device back to working condition. If rf reset is required and scan is in process, there is no need to issue rf reset since scan already reset the rf. If firmware reload is required and scan is in process, skip the reload request. There is a possibility firmware reload during scan cause problem. [ 485.804046] WARNING: at net/mac80211/main.c:310 ieee80211_restart_hw+0x28/0x62() [ 485.804049] Hardware name: Latitude E6400 [ 485.804052] ieee80211_restart_hw called with hardware scan in progress [ 485.804054] Modules linked in: iwlagn iwlcore bnep sco rfcomm l2cap crc16 bluetooth [last unloaded: iwlcore] [ 485.804069] Pid: 812, comm: kworker/u:3 Tainted: G W 2.6.36-rc3-wl+ #74 [ 485.804072] Call Trace: [ 485.804079] [<c103019a>] warn_slowpath_common+0x60/0x75 [ 485.804084] [<c1030213>] warn_slowpath_fmt+0x26/0x2a [ 485.804089] [<c145da67>] ieee80211_restart_hw+0x28/0x62 [ 485.804102] [<f8b35dc6>] iwl_bg_restart+0x113/0x150 [iwlagn] [ 485.804108] [<c10415d5>] process_one_work+0x181/0x25c [ 485.804119] [<f8b35cb3>] ? iwl_bg_restart+0x0/0x150 [iwlagn] [ 485.804124] [<c104190a>] worker_thread+0xf9/0x1f2 [ 485.804128] [<c1041811>] ? worker_thread+0x0/0x1f2 [ 485.804133] [<c10451b0>] kthread+0x64/0x69 [ 485.804137] [<c104514c>] ? kthread+0x0/0x69 [ 485.804141] [<c1002df6>] kernel_thread_helper+0x6/0x10 [ 485.804145] ---[ end trace 3d4ebdc02d524bbb ]--- [ 485.804148] WG> 1 [ 485.804153] Pid: 812, comm: kworker/u:3 Tainted: G W 2.6.36-rc3-wl+ #74 [ 485.804156] Call Trace: [ 485.804161] [<c145da9b>] ? ieee80211_restart_hw+0x5c/0x62 [ 485.804172] [<f8b35dcb>] iwl_bg_restart+0x118/0x150 [iwlagn] [ 485.804177] [<c10415d5>] process_one_work+0x181/0x25c [ 485.804188] [<f8b35cb3>] ? iwl_bg_restart+0x0/0x150 [iwlagn] [ 485.804192] [<c104190a>] worker_thread+0xf9/0x1f2 [ 485.804197] [<c1041811>] ? worker_thread+0x0/0x1f2 [ 485.804201] [<c10451b0>] kthread+0x64/0x69 [ 485.804205] [<c104514c>] ? kthread+0x0/0x69 [ 485.804209] [<c1002df6>] kernel_thread_helper+0x6/0x10 Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
* ath9k_hw: fix parsing of HT40 5 GHz CTLsLuis R. Rodriguez2010-08-312-2/+1
| | | | | | | | | | | | | | The 5 GHz CTL indexes were not being read for all hardware devices due to the masking out through the CTL_MODE_M mask being one bit too short. Without this the calibrated regulatory maximum values were not being picked up when devices operate on 5 GHz in HT40 mode. The final output power used for Atheros devices is the minimum between the calibrated CTL values and what CRDA provides. Cc: stable@kernel.org [2.6.27+] Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* ath9k_hw: Fix EEPROM uncompress block reading on AR9003Luis R. Rodriguez2010-08-311-1/+1
| | | | | | | | | | | | | The EEPROM is compressed on AR9003, upon decompression the wrong upper limit was being used for the block which prevented the 5 GHz CTL indexes from being used, which are stored towards the end of the EEPROM block. This fix allows the actual intended regulatory limits to be used on AR9003 hardware. Cc: stable@kernel.org [2.6.36+] Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* wireless: register wiphy rfkill w/o holding cfg80211_mutexJohn W. Linville2010-08-311-9/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Otherwise lockdep complains... https://bugzilla.kernel.org/show_bug.cgi?id=17311 [ INFO: possible circular locking dependency detected ] 2.6.36-rc2-git4 #12 ------------------------------------------------------- kworker/0:3/3630 is trying to acquire lock: (rtnl_mutex){+.+.+.}, at: [<ffffffff813396c7>] rtnl_lock+0x12/0x14 but task is already holding lock: (rfkill_global_mutex){+.+.+.}, at: [<ffffffffa014b129>] rfkill_switch_all+0x24/0x49 [rfkill] which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (rfkill_global_mutex){+.+.+.}: [<ffffffff81079ad7>] lock_acquire+0x120/0x15b [<ffffffff813ae869>] __mutex_lock_common+0x54/0x52e [<ffffffff813aede9>] mutex_lock_nested+0x34/0x39 [<ffffffffa014b4ab>] rfkill_register+0x2b/0x29c [rfkill] [<ffffffffa0185ba0>] wiphy_register+0x1ae/0x270 [cfg80211] [<ffffffffa0206f01>] ieee80211_register_hw+0x1b4/0x3cf [mac80211] [<ffffffffa0292e98>] iwl_ucode_callback+0x9e9/0xae3 [iwlagn] [<ffffffff812d3e9d>] request_firmware_work_func+0x54/0x6f [<ffffffff81065d15>] kthread+0x8c/0x94 [<ffffffff8100ac24>] kernel_thread_helper+0x4/0x10 -> #1 (cfg80211_mutex){+.+.+.}: [<ffffffff81079ad7>] lock_acquire+0x120/0x15b [<ffffffff813ae869>] __mutex_lock_common+0x54/0x52e [<ffffffff813aede9>] mutex_lock_nested+0x34/0x39 [<ffffffffa018605e>] cfg80211_get_dev_from_ifindex+0x1b/0x7c [cfg80211] [<ffffffffa0189f36>] cfg80211_wext_giwscan+0x58/0x990 [cfg80211] [<ffffffff8139a3ce>] ioctl_standard_iw_point+0x1a8/0x272 [<ffffffff8139a529>] ioctl_standard_call+0x91/0xa7 [<ffffffff8139a687>] T.723+0xbd/0x12c [<ffffffff8139a727>] wext_handle_ioctl+0x31/0x6d [<ffffffff8133014e>] dev_ioctl+0x63d/0x67a [<ffffffff8131afd9>] sock_ioctl+0x48/0x21d [<ffffffff81102abd>] do_vfs_ioctl+0x4ba/0x509 [<ffffffff81102b5d>] sys_ioctl+0x51/0x74 [<ffffffff81009e02>] system_call_fastpath+0x16/0x1b -> #0 (rtnl_mutex){+.+.+.}: [<ffffffff810796b0>] __lock_acquire+0xa93/0xd9a [<ffffffff81079ad7>] lock_acquire+0x120/0x15b [<ffffffff813ae869>] __mutex_lock_common+0x54/0x52e [<ffffffff813aede9>] mutex_lock_nested+0x34/0x39 [<ffffffff813396c7>] rtnl_lock+0x12/0x14 [<ffffffffa0185cb5>] cfg80211_rfkill_set_block+0x1a/0x7b [cfg80211] [<ffffffffa014aed0>] rfkill_set_block+0x80/0xd5 [rfkill] [<ffffffffa014b07e>] __rfkill_switch_all+0x3f/0x6f [rfkill] [<ffffffffa014b13d>] rfkill_switch_all+0x38/0x49 [rfkill] [<ffffffffa014b821>] rfkill_op_handler+0x105/0x136 [rfkill] [<ffffffff81060708>] process_one_work+0x248/0x403 [<ffffffff81062620>] worker_thread+0x139/0x214 [<ffffffff81065d15>] kthread+0x8c/0x94 [<ffffffff8100ac24>] kernel_thread_helper+0x4/0x10 Signed-off-by: John W. Linville <linville@tuxdriver.com> Acked-by: Johannes Berg <johannes@sipsolutions.net>
* wireless extensions: fix kernel heap content leakJohannes Berg2010-08-302-0/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | Wireless extensions have an unfortunate, undocumented requirement which requires drivers to always fill iwp->length when returning a successful status. When a driver doesn't do this, it leads to a kernel heap content leak when userspace offers a larger buffer than would have been necessary. Arguably, this is a driver bug, as it should, if it returns 0, fill iwp->length, even if it separately indicated that the buffer contents was not valid. However, we can also at least avoid the memory content leak if the driver doesn't do this by setting the iwp length to max_tokens, which then reflects how big the buffer is that the driver may fill, regardless of how big the userspace buffer is. To illustrate the point, this patch also fixes a corresponding cfg80211 bug (since this requirement isn't documented nor was ever pointed out by anyone during code review, I don't trust all drivers nor all cfg80211 handlers to implement it correctly). Cc: stable@kernel.org [all the way back] Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* MAINTAINERS: change broken url for prism54John W. Linville2010-08-301-1/+1
| | | | | Reported-by: Joe Perches <joe@perches.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* mac80211: delete work timerJohannes Berg2010-08-301-0/+6
| | | | | | | | | | | | | | | | The new workqueue changes helped me find this bug that's been lingering since the changes to the work processing in mac80211 -- the work timer is never deleted properly. Do that to avoid having it fire after all data structures have been freed. It can't be re-armed because all it will do, if running, is schedule the work, but that gets flushed later and won't have anything to do since all work items are gone by now (by way of interface removal). Cc: stable@kernel.org [2.6.34+] Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* p54: fix tx feedback status flag checkChristian Lamparter2010-08-301-1/+1
| | | | | | | | | | | | | | | | | | | Michael reported that p54* never really entered power save mode, even tough it was enabled. It turned out that upon a power save mode change the firmware will set a special flag onto the last outgoing frame tx status (which in this case is almost always the designated PSM nullfunc frame). This flag confused the driver; It erroneously reported transmission failures to the stack, which then generated the next nullfunc. and so on... Cc: <stable@kernel.org> Reported-by: Michael Buesch <mb@bu3sch.de> Tested-by: Michael Buesch <mb@bu3sch.de> Signed-off-by: Christian Lamparter <chunkeey@googlemail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* ath5k: check return value of ieee80211_get_tx_rateJohn W. Linville2010-08-301-0/+4
| | | | | | | | | | | | | | This avoids a NULL pointer dereference as reported here: https://bugzilla.redhat.com/show_bug.cgi?id=625889 When the WARN condition is hit in ieee80211_get_tx_rate, it will return NULL. So, we need to check the return value and avoid dereferencing it in that case. Signed-off-by: John W. Linville <linville@tuxdriver.com> Cc: stable@kernel.org Acked-by: Bob Copeland <me@bobcopeland.com>
* libertas: if_sdio: fix buffer alignment in struct if_sdio_cardMike Rapoport2010-08-271-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | The commit 886275ce41a9751117367fb387ed171049eb6148 (param: lock if_sdio's lbs_helper_name and lbs_fw_name against sysfs changes) introduced new fields into the if_sdio_card structure. It caused missalignment of the if_sdio_card.buffer field and failure at driver load time: ~# modprobe libertas_sdio [ 62.315124] libertas_sdio: Libertas SDIO driver [ 62.319976] libertas_sdio: Copyright Pierre Ossman [ 63.020629] DMA misaligned error with device 48 [ 63.025207] mmci-omap-hs mmci-omap-hs.1: unexpected dma status 800 [ 66.005035] libertas: command 0x0003 timed out [ 66.009826] libertas: Timeout submitting command 0x0003 [ 66.016296] libertas: PREP_CMD: command 0x0003 failed: -110 Adding explicit alignment attribute for the if_sdio_card.buffer field fixes this problem. Signed-off-by: Mike Rapoport <mike@compulab.co.il> Acked-by: Marek Vasut <marek.vasut@gmail.com> Acked-by: Dan Williams <dcbw@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* iwlwifi: use long monitor timer for 5300 seriesWey-Yi Guy2010-08-181-2/+2
| | | | | | | | | | | | For 5000 series of devices, use long monitor timer to check stuck tx queues. This modification apply to all the 5000 series including 5300 and others. Cc: stable@kernel.org [2.6.35] Reported-by: drago01 <drago01@gmail.com> Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* drivers/net/wireless: Restore upper case words in wiphy_<level> messagesJoe Perches2010-08-1813-50/+50
| | | | | | | | | | Commit c96c31e499b70964cfc88744046c998bb710e4b8 "(drivers/net/wireless: Use wiphy_<level>)" inadvertently changed some upper case words to lower case. Restore the original case. Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* iwlwifi: fix 3945 filter flagsJohannes Berg2010-08-174-50/+94
| | | | | | | | | | | | | | | | | | | | | | | Applying the filter flags directly as done since commit 3474ad635db371b0d8d0ee40086f15d223d5b6a4 Author: Johannes Berg <johannes.berg@intel.com> Date: Thu Apr 29 04:43:05 2010 -0700 iwlwifi: apply filter flags directly broke 3945 under some unknown circumstances, as reported by Alex. Since I want to keep the direct application of filter flags on iwlagn, duplicate the code into both 3945 and agn and remove committing the RXON that broke things from the 3945 version. Cc: stable@kernel.org [2.6.35] Reported-by: Alex Romosan <romosan@sycorax.lbl.gov> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* ipw2100: don't sync status queue entriesJohn W. Linville2010-08-171-8/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | These are allocated with pci_alloc_consistent, so calling pci_dma_sync_single_for_cpu is incorrect usage of the API. Remove this misuse and consequently avoid the following backtrace: WARNING: at lib/dma-debug.c:902 check_sync+0xce/0x43a() Hardware name: 2373HU6 ipw2100 0000:02:02.0: DMA-API: device driver tries to sync DMA memory it has not allocated [device address=0x0000000034e88008] [size=8 bytes] Modules linked in: microcode ipw2100(+) snd_seq_device ppdev libipw nsc_ircc snd_pcm lib80211 video output irda parport_pc cfg80211 parport thinkpad_acpi e1000 iTCO_wdt crc_ccitt snd_timer iTCO_vendor_support snd i2c_i801 pcspkr rfkill soundcore joydev snd_page_alloc yenta_socket radeon ttm drm_kms_helper drm i2c_algo_bit i2c_core [last unloaded: scsi_wait_scan] Pid: 0, comm: swapper Tainted: G W 2.6.35-wl+ #8 Call Trace: [<c043aa42>] warn_slowpath_common+0x6a/0x7f [<c05d252a>] ? check_sync+0xce/0x43a [<c043aaca>] warn_slowpath_fmt+0x2b/0x2f [<c05d252a>] check_sync+0xce/0x43a [<c046189a>] ? print_lock_contention_bug+0x11/0xb2 [<c05d2b6f>] debug_dma_sync_single_for_cpu+0x47/0x49 [<c06cbd3c>] ? ehci_irq+0x31/0x331 [<f82a224a>] ? ipw2100_irq_tasklet+0x24/0x5e9 [ipw2100] [<f82a224a>] ? ipw2100_irq_tasklet+0x24/0x5e9 [ipw2100] [<f82a221d>] pci_dma_sync_single_for_cpu.clone.1+0x42/0x4b [ipw2100] [<f82a23a2>] ipw2100_irq_tasklet+0x17c/0x5e9 [ipw2100] [<c043fd87>] tasklet_action+0x78/0xcb [<c0440293>] __do_softirq+0xc4/0x183 [<c044038d>] do_softirq+0x3b/0x5f [<c04404d0>] irq_exit+0x3a/0x6d [<c0404423>] do_IRQ+0x8b/0x9f [<c04038b5>] common_interrupt+0x35/0x3c [<c062ecfa>] ? acpi_idle_enter_simple+0xfe/0x13c [<c045007b>] ? exit_itimers+0x2d/0x73 [<c062ecfc>] ? acpi_idle_enter_simple+0x100/0x13c [<c070bf10>] cpuidle_idle_call+0x78/0xdc [<c040251c>] cpu_idle+0x9b/0xb7 [<c07b1dd2>] rest_init+0xa6/0xab [<c0a4b96d>] start_kernel+0x389/0x38e [<c0a4b0c9>] i386_start_kernel+0xc9/0xd0 Signed-off-by: John W. Linville <linville@tuxdriver.com>
* iwlwifi: use long monitor timer to avoid un-necessary reloadWey-Yi Guy2010-08-142-11/+11
| | | | | | | | | | | | | For 5000 and 6000g2b series of devices, use long monitor timer to check stuck tx queues. .6000g2b series device, it is WiFi/BT combo device, there are some cases, tx queues are not move for a period of time because the WiFi/BT coex. .5000 series device, it is being reported firmware got reload more often than necessary, so extend the timer to avoid un-necessary reload. Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
* iwlwifi: long monitor timerWey-Yi Guy2010-08-146-29/+30
| | | | | | | | Change the name for monitor timer, also adding define for long monitor timer; long monitor timer can be used for the type of devices require longer time to determine the uCode is stuck on tx and needed reload. Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
* ath5k: disable ASPM L0s for all cardsMaxim Levitsky2010-08-131-0/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Atheros PCIe wireless cards handled by ath5k do require L0s disabled. For distributions shipping with CONFIG_PCIEASPM (this will be enabled by default in the future in 2.6.36) this will also mean both L1 and L0s will be disabled when a pre 1.1 PCIe device is detected. We do know L1 works correctly even for all ath5k pre 1.1 PCIe devices though but cannot currently undue the effect of a blacklist, for details you can read pcie_aspm_sanity_check() and see how it adjusts the device link capability. It may be possible in the future to implement some PCI API to allow drivers to override blacklists for pre 1.1 PCIe but for now it is best to accept that both L0s and L1 will be disabled completely for distributions shipping with CONFIG_PCIEASPM rather than having this issue present. Motivation for adding this new API will be to help with power consumption for some of these devices. Example of issues you'd see: - On the Acer Aspire One (AOA150, Atheros Communications Inc. AR5001 Wireless Network Adapter [168c:001c] (rev 01)) doesn't work well with ASPM enabled, the card will eventually stall on heavy traffic with often 'unsupported jumbo' warnings appearing. Disabling ASPM L0s in ath5k fixes these problems. - On the same card you would see a storm of RXORN interrupts even though medium is idle. Credit for root causing and fixing the bug goes to Jussi Kivilinna. Cc: David Quan <David.Quan@atheros.com> Cc: Matthew Garrett <mjg59@srcf.ucam.org> Cc: Tim Gardner <tim.gardner@canonical.com> Cc: Jussi Kivilinna <jussi.kivilinna@mbnet.fi> Cc: stable@kernel.org Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: Maxim Levitsky <maximlevitsky@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* ath9k_htc: load proper firmware for device ID 7015Rajkumar Manoharan2010-08-135-7/+11
| | | | | | | | This patch handles the firmware loading properly for device ID 7015. Signed-off-by: Rajkumar Manoharan <rmanoharan@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* wl1251: fix trigger scan timeout usageYuri Kululin2010-08-131-1/+1
| | | | | | | | | | | | | | | | | Use appropriate command (CMD_TRIGGER_SCAN_TO) instead of scan command (CMD_SCAN) to configure trigger scan timeout. This was broken in commit 3a98c30f3e8bb1f32b5bcb74a39647b3670de275. This fix address the bug reported here: https://bugzilla.kernel.org/show_bug.cgi?id=16554 Cc: stable@kernel.org Signed-off-by: Yuri Ershov <ext-yuri.ershov@nokia.com> Signed-off-by: Yuri Kululin <ext-yuri.kululin@nokia.com> Acked-by: Kalle Valo <kvalo@adurom.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* ath9k_htc: Fix disconnect issue in HT40 mode.Vivek Natarajan2010-08-131-1/+2
| | | | | | | | | | | | | Some APs advertise that they may be HT40 capable in the capabilites but the current operating channel configuration may be only HT20. This causes disconnection as ath9k_htc sets WLAN_RC_40_FLAG despite the AP operating in HT20 mode. Hence set this flag only if the current channel configuration is HT40 enabled. Cc: stable@kernel.org Signed-off-by: Vivek Natarajan <vnatarajan@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* ath9k_htc: fix panic on packet injection using airbase-ng tool.Rajkumar Manoharan2010-08-111-5/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This should fix the oops which occurs during the packet injection on monitor interface. EIP is at ath9k_htc_tx_start+0x69/0x220 [ath9k_htc] [<f84dc8ea>] ? invoke_tx_handlers+0xa5a/0xee0 [mac80211] [<f82c84f4>] ? ath9k_htc_tx+0x44/0xe0 [ath9k_htc] [<f84db7b8>] ? __ieee80211_tx+0xf8/0x190 [mac80211] [<f84dce0d>] ? ieee80211_tx+0x9d/0x1a0 [mac80211] [<f84dcfac>] ? ieee80211_xmit+0x9c/0x1c0 [mac80211] [<f84dd1b5>] ? ieee80211_monitor_start_xmit+0x85/0xb0 [mac80211] [<c04c30cd>] ? dev_hard_start_xmit+0x1ad/0x210 [<c04b97c2>] ? __alloc_skb+0x52/0x130 [<c04d7cd5>] ? sch_direct_xmit+0x105/0x170 [<c04c5e9f>] ? dev_queue_xmit+0x37f/0x4b0 [<c0567e1e>] ? packet_snd+0x21e/0x250 [<c05684a2>] ? packet_sendmsg+0x32/0x40 [<c04b4c63>] ? sock_aio_write+0x113/0x130 [<c0207934>] ? do_sync_write+0xc4/0x100 [<c0167740>] ? autoremove_wake_function+0x0/0x50 [<c02f4414>] ? security_file_permission+0x14/0x20 [<c0207ad4>] ? rw_verify_area+0x64/0xe0 [<c01e6458>] ? handle_mm_fault+0x338/0x390 [<c0207cd5>] ? vfs_write+0x185/0x1a0 [<c058db20>] ? do_page_fault+0x160/0x3a0 [<c0208512>] ? sys_write+0x42/0x70 [<c01033ec>] ? syscall_call+0x7/0xb Signed-off-by: Rajkumar Manoharan <rmanoharan@atheros.com> Cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
* ipw2100: register pm_qos request before registering pci driverJohn W. Linville2010-08-111-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It is necessary to call pm_qos_add_request prior to calling pm_qos_update_request. It was revealed that ipw2100 has been doing this wrong since "pm_qos: Get rid of the allocation in pm_qos_add_request()" (commit 82f682514a5df89ffb3890627eebf0897b7a84ec) added a WARN that results in the following backtrace: WARNING: at kernel/pm_qos_params.c:264 pm_qos_update_request+0x5e/0x70() pm_qos_update_request() called for unknown object Call Trace: [<c1024088>] ? warn_slowpath_common+0x78/0xb0 [<c1041c9e>] ? pm_qos_update_request+0x5e/0x70 [<c1041c9e>] ? pm_qos_update_request+0x5e/0x70 [<c1024153>] ? warn_slowpath_fmt+0x33/0x40 [<c1041c9e>] ? pm_qos_update_request+0x5e/0x70 [<f89fe15f>] ? ipw2100_up+0x3f/0xf10 [ipw2100] [<c11961c9>] ? vsnprintf+0xc9/0x530 [<f89ff36c>] ? ipw2100_net_init+0x2c/0x1c0 [ipw2100] [<c12f542d>] ? register_netdevice+0x7d/0x3c0 [<f89f9b00>] ? ipw2100_irq_tasklet+0x910/0x9a0 [ipw2100] [<c12f579f>] ? register_netdev+0x2f/0x40 [<f89fd471>] ? ipw2100_pci_init_one+0xd21/0x1060 [ipw2100] [<c11a5ebb>] ? local_pci_probe+0xb/0x10 [<c11a6d49>] ? pci_device_probe+0x69/0x90 [<c1224704>] ? driver_probe_device+0x74/0x180 [<c10dd15a>] ? sysfs_create_dir+0x6a/0xb0 [<c1224889>] ? __driver_attach+0x79/0x80 [<c1224810>] ? __driver_attach+0x0/0x80 [<c1223fa2>] ? bus_for_each_dev+0x52/0x80 [<c1224586>] ? driver_attach+0x16/0x20 [<c1224810>] ? __driver_attach+0x0/0x80 [<c122395f>] ? bus_add_driver+0x17f/0x250 [<c11a5ec0>] ? pci_device_shutdown+0x0/0x20 [<c11a6c80>] ? pci_device_remove+0x0/0x40 [<c1224b13>] ? driver_register+0x63/0x120 [<c11a6f96>] ? __pci_register_driver+0x36/0xa0 [<f84f9048>] ? ipw2100_init+0x48/0x67 [ipw2100] [<c1001122>] ? do_one_initcall+0x32/0x170 [<c1087078>] ? __vunmap+0xb8/0xf0 [<f84f9000>] ? ipw2100_init+0x0/0x67 [ipw2100] [<c10510c1>] ? sys_init_module+0x161/0x1000 [<c108f847>] ? sys_close+0x67/0xe0 [<c13647c1>] ? syscall_call+0x7/0xb This patch moves pm_qos_add_request prior to pci_register_driver in ipw2100 in order to avoid this problem. Reported-by: Christoph Fritz <chf.fritz@googlemail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* Merge branch 'master' of ↵John W. Linville2010-08-102-8/+7
|\ | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/holtmann/bluetooth-2.6
| * Bluetooth: Use 3-DH5 payload size for default ERTM max PDU sizeMat Martineau2010-08-101-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The previous value of 672 for L2CAP_DEFAULT_MAX_PDU_SIZE is based on the default L2CAP MTU. That default MTU is calculated from the size of two DH5 packets, minus ACL and L2CAP b-frame header overhead. ERTM is used with newer basebands that typically support larger 3-DH5 packets, and i-frames and s-frames have more header overhead. With clean RF conditions, basebands will typically attempt to use 1021-byte 3-DH5 packets for maximum throughput. Adjusting for 2 bytes of ACL headers plus 10 bytes of worst-case L2CAP headers yields 1009 bytes of payload. This PDU size imposes less overhead for header bytes and gives the baseband the option to choose 3-DH5 packets, but is small enough for ERTM traffic to interleave well with other L2CAP or SCO data. 672-byte payloads do not allow the most efficient over-the-air packet choice, and cannot achieve maximum throughput over BR/EDR. Signed-off-by: Mat Martineau <mathewm@codeaurora.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
| * Bluetooth: Fix incorrect setting of remote_tx_win for L2CAP ERTMMat Martineau2010-08-101-2/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | remote_tx_win is intended to be set on receipt of an L2CAP configuration request. The value is used to determine the size of the transmit window on the remote side of an ERTM connection, so L2CAP can stop sending frames when that remote window is full. An incorrect remote_tx_win value will cause the stack to not fully utilize the tx window (performance impact), or to overfill the remote tx window (causing dropped frames or a disconnect). This patch removes an extra setting of remote_tx_win when a configuration response is received. The transmit window has a different meaning in a response - it is an informational value less than or equal to the local tx_win. Signed-off-by: Mat Martineau <mathewm@codeaurora.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
| * Bluetooth: Change default L2CAP ERTM retransmit timeoutMat Martineau2010-08-101-1/+1
| | | | | | | | | | | | | | | | The L2CAP specification requires that the ERTM retransmit timeout be at least 2 seconds for BR/EDR connections. Signed-off-by: Mat Martineau <mathewm@codeaurora.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
| * Bluetooth: Fix endianness issue with L2CAP MPS configurationMat Martineau2010-08-101-4/+5
| | | | | | | | | | | | | | | | | | | | | | | | Incoming configuration values must be converted to native CPU order before use. This fixes a bug where a little-endian MPS value is compared to a native CPU value. On big-endian processors, this can cause ERTM and streaming mode segmentation to produce PDUs that are larger than the remote stack is expecting, or that would produce fragmented skbs that the current FCS code cannot handle. Signed-off-by: Mat Martineau <mathewm@codeaurora.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
* | iwlagn: fix rts cts protectionJohannes Berg2010-08-0911-133/+87
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently the driver will try to protect all frames, which leads to a lot of odd things like sending an RTS with a zeroed RA before multicast frames, which is clearly bogus. In order to fix all of this, we need to take a step back and see what we need to achieve: * we need RTS/CTS protection if requested by the AP for the BSS, mac80211 tells us this * in that case, CTS-to-self should only be enabled when mac80211 tells us * additionally, as a hardware workaround, on some devices we have to protect aggregated frames with RTS To achieve the first two items, set up the RXON accordingly and set the protection required flag in the transmit command when mac80211 requests protection for the frame. To achieve the last item, set the rate-control RTS-requested flag for all stations that we have aggregation sessions with, and set the protection required flag when sending aggregated frames (on those devices where this is required). Since otherwise bugs can occur, do not allow the user to override the RTS-for-aggregation setting from sysfs any more. Finally, also clean up the way all these flags get set in the driver and move everything into the device-specific functions. Cc: stable@kernel.org [2.6.35] Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | cfg80211: fix locking in action frame TXJohannes Berg2010-08-091-1/+7
| | | | | | | | | | | | | | | | | | | | Accesses to "wdev->current_bss" must be locked with the wdev lock, which action frame transmission is missing. Cc: stable@kernel.org [2.6.33+] Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | libertas: fix build break by including linux/sched.hJohn W. Linville2010-08-091-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | CC [M] drivers/net/wireless/libertas/cfg.o /home/greearb/git/wireless-testing/drivers/net/wireless/libertas/cfg.c: In function ‘lbs_scan_worker’: /home/greearb/git/wireless-testing/drivers/net/wireless/libertas/cfg.c:722: error: ‘TASK_NORMAL’ undeclared (first use in this function) /home/greearb/git/wireless-testing/drivers/net/wireless/libertas/cfg.c:722: error: (Each undeclared identifier is reported only once /home/greearb/git/wireless-testing/drivers/net/wireless/libertas/cfg.c:722: error: for each function it appears in.) /home/greearb/git/wireless-testing/drivers/net/wireless/libertas/cfg.c: In function ‘lbs_cfg_connect’: /home/greearb/git/wireless-testing/drivers/net/wireless/libertas/cfg.c:1267: error: ‘TASK_INTERRUPTIBLE’ undeclared (first use in this function) /home/greearb/git/wireless-testing/drivers/net/wireless/libertas/cfg.c:1267: error: implicit declaration of function ‘signal_pending’ /home/greearb/git/wireless-testing/drivers/net/wireless/libertas/cfg.c:1267: error: implicit declaration of function ‘schedule_timeout’ Reported-by: Ben Greear <greearb@candelatech.com> Reported-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | Revert "p54pci: Add PCI ID for SMC2802W"John W. Linville2010-08-091-2/+0
|/ | | | | | | | | This reverts commit 5f7aebd845a9d2ed42f36b7333579ec3534b4713. Apparently, that PCI ID data was incorrectly taken from the subsystem information. The actual ID matches another already known ID. Signed-off-by: John W. Linville <linville@tuxdriver.com>
* igbvf.txt: Add igbvf DocumentationJeff Kirsher2010-08-081-0/+78
| | | | | | | | | | | | Adds documentation for the igbvf (igb virtual function driver). v2: - Removed trailing white space - Removed Ethtool version info Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Tested-by: Jeff Pieper <jeffrey.e.pieper@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* igb.txt: Add igb documentationJeff Kirsher2010-08-081-0/+132
| | | | | | | | | | | | | Add documentation for the igb networking driver. v2: - Removed trailing white space - Removed Ethtool version info - Removed LRO kernel version info Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Tested-by: Jeff Pieper <jeffrey.e.pieper@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* e100/e1000*/igb*/ixgb*: Add missing read memory barrierJeff Kirsher2010-08-088-0/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Based on patches from Sonny Rao and Milton Miller... Combined the patches to fix up clean_tx_irq and clean_rx_irq. The PowerPC architecture does not require loads to independent bytes to be ordered without adding an explicit barrier. In ixgbe_clean_rx_irq we load the status bit then load the packet data. With packet split disabled if these loads go out of order we get a stale packet, but we will notice the bad sequence numbers and drop it. The problem occurs with packet split enabled where the TCP/IP header and data are in different descriptors. If the reads go out of order we may have data that doesn't match the TCP/IP header. Since we use hardware checksumming this bad data is never verified and it makes it all the way to the application. This bug was found during stress testing and adding this barrier has been shown to fix it. The bug can manifest as a data integrity issue (bad payload data) or as a BUG in skb_pull(). This was a nasty bug to hunt down, if people agree with the fix I think it's a candidate for stable. Previously Submitted to e1000-devel only for ixgbe http://marc.info/?l=e1000-devel&m=126593062701537&w=3 We've now seen this problem hit with other device drivers (e1000e mostly) So I'm resubmitting with fixes for other Intel Device Drivers with similar issues. CC: Milton Miller <miltonm@bga.com> CC: Anton Blanchard <anton@samba.org> CC: Sonny Rao <sonnyrao@us.ibm.com> CC: stable <stable@kernel.org> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* ixgbe: fix build error with FCOE_CONFIG without DCB_CONFIGJohn Fastabend2010-08-081-4/+10
| | | | | | | | | | | | | | | | | | Building ixgbe without DCB_CONFIG and FCOE_CONFIG will cause a build error. This resolves the build error by wrapping the fcoe.up in CONFIG_IXGBE_DCB ifdefs. Also frames were being priority VLAN tagged even without DCB enabled. This fixes this so that 8021Q priority tags are only added with DCB actually enabled. Reported-by: divya <dipraksh@linux.vnet.ibm.com> Reported-by: Jon Mason <jon.mason@exar.com> Signed-off-by: John Fastabend <john.r.fastabend@intel.com> Tested-by: Stephen Ko <stephen.s.ko@intel.com> Tested-by: Ross Brattain <ross.b.brattain@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* netxen: protect tx timeout recovery by rtnl lockAmit Kumar Salecha2010-08-071-8/+7
| | | | | Signed-off-by: Amit Kumar Salecha <amit.salecha@qlogic.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* isdn: gigaset: use after freeDan Carpenter2010-08-071-2/+4
| | | | | | | I moved the kfree(cb) below the dereferences. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* isdn: gigaset: add missing unlockDan Carpenter2010-08-071-0/+1
| | | | | | | | We should unlock here. This is the only place where we return from the function with the lock held. The caller isn't expecting it. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* solos-pci: Fix race condition in tasklet RX handlingDavid Woodhouse2010-08-071-1/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We were seeing faults in the solos-pci receive tasklet when packets arrived for a VCC which was currently being closed: [18842.727906] EIP: [<e082f490>] br2684_push+0x19/0x234 [br2684] SS:ESP 0068:dfb89d14 [18845.090712] [<c13ecff3>] ? do_page_fault+0x0/0x2e1 [18845.120042] [<e082f490>] ? br2684_push+0x19/0x234 [br2684] [18845.153530] [<e084fa13>] solos_bh+0x28b/0x7c8 [solos_pci] [18845.186488] [<e084f711>] ? solos_irq+0x2d/0x51 [solos_pci] [18845.219960] [<c100387b>] ? handle_irq+0x3b/0x48 [18845.247732] [<c10265cb>] ? irq_exit+0x34/0x57 [18845.274437] [<c1025720>] tasklet_action+0x42/0x69 [18845.303247] [<c102643f>] __do_softirq+0x8e/0x129 [18845.331540] [<c10264ff>] do_softirq+0x25/0x2a [18845.358274] [<c102664c>] _local_bh_enable_ip+0x5e/0x6a [18845.389677] [<c102666d>] local_bh_enable+0xb/0xe [18845.417944] [<e08490a8>] ppp_unregister_channel+0x32/0xbb [ppp_generic] [18845.458193] [<e08731ad>] pppox_unbind_sock+0x18/0x1f [pppox] This patch uses an RCU-inspired approach to fix it. In the RX tasklet's find_vcc() function we first refuse to use a VCC which already has the ATM_VF_READY bit cleared. And in the VCC close function, we synchronise with the tasklet to ensure that it can't still be using the VCC before we continue and allow the VCC to be destroyed. Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Tested-by: Nathan Williams <nathan@traverse.com.au> Cc: stable@kernel.org Signed-off-by: David S. Miller <davem@davemloft.net>
* pkt_sched: Fix sch_sfq vs tcf_bind_filter oopsJarek Poplawski2010-08-071-0/+7
| | | | | | | | | | | | | Since there was added ->tcf_chain() method without ->bind_tcf() to sch_sfq class options, there is oops when a filter is added with the classid parameter. Fixes commit 7d2681a6ff4f9ab5e48d02550b4c6338f1638998 netdev thread: null pointer at cls_api.c Signed-off-by: Jarek Poplawski <jarkao2@gmail.com> Reported-by: Franchoze Eric <franchoze@yandex.ru> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: disable preemption before call smp_processor_id()Changli Gao2010-08-071-0/+2
| | | | | | | | | | | Although netif_rx() isn't expected to be called in process context with preemption enabled, it'd better handle this case. And this is why get_cpu() is used in the non-RPS #ifdef branch. If tree RCU is selected, rcu_read_lock() won't disable preemption, so preempt_disable() should be called explictly. Signed-off-by: Changli Gao <xiaosuo@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* tcp: no md5sig option size check bugDmitry Popov2010-08-071-1/+1
| | | | | | | | | tcp_parse_md5sig_option doesn't check md5sig option (TCPOPT_MD5SIG) length, but tcp_v[46]_inbound_md5_hash assume that it's at least 16 bytes long. Signed-off-by: Dmitry Popov <dp@highloadlab.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* Merge branch 'master' of ↵David S. Miller2010-08-0641-301/+866
|\ | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6
| * iwlwifi: fix locking assertionsJohannes Berg2010-08-064-6/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | spin_is_locked() can return zero on some (UP?) configurations because locks don't exist, and that causes an endless amount of warnings. Use lockdep_assert_held() instead, which has two advantages: 1) it verifies the current task is holding the lock or mutex 2) it compiles away completely when lockdep is not enabled Cc: stable@kernel.org [2.6.34+, maybe only parts of patch] Reported-by: Thomas Meyer <thomas@m3y3r.de> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * iwlwifi: fix TX tracerJohannes Berg2010-08-061-1/+1
| | | | | | | | | | | | | | | | | | | | The TX tracing code copies with the wrong length, which will typically copy too little data. Fix this by using the correct length variable. Cc: stable@kernel.org [2.6.32+] Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * rtl8180: avoid potential NULL deref in rtl8180_beacon_workJohn W. Linville2010-08-051-0/+2
| | | | | | | | | | | | | | ieee80211_beacon_get can return NULL... Signed-off-by: John W. Linville <linville@tuxdriver.com> Cc: stable@kernel.org
| * ath9k: Remove myself from the MAINTAINERS listSujith2010-08-051-1/+0
| | | | | | | | | | | | | | So long. Signed-off-by: Sujith <Sujith.Manoharan@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * libertas: scan before assocation if no BSSID was givenDan Williams2010-08-053-33/+121
| | | | | | | | | | | | | | | | | | | | | | | | Fix this leftover TODO from the cfg80211 conversion by doing a scan if cfg80211 didn't pass in the BSSID for us. Since the scan code uses so much of the cfg80211_scan_request structure to build up the firmware command, we just fake one when the scan request is triggered internally. But we need to make sure that internal 'fake' cfg82011 scan request does not get back to cfg82011 via cfg80211_scan_done(). Signed-off-by: Dan Williams <dcbw@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
OpenPOWER on IntegriCloud