From 513a2396d8e8327aff1ce50bea3fb4f16ff3455b Mon Sep 17 00:00:00 2001 From: Zhu Yi Date: Thu, 9 Jul 2009 17:24:15 +0800 Subject: [PATCH 01/21] iwmc3200wifi: fix NULL pointer dereference in iwm_if_free The driver private data is now based on wiphy. So we should not touch the private data after wiphy_free() is called. The patch fixes the potential NULL pointer dereference by making the iwm_wdev_free() the last one on the interface removal path. Signed-off-by: Zhu Yi Signed-off-by: John W. Linville --- drivers/net/wireless/iwmc3200wifi/netdev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/iwmc3200wifi/netdev.c b/drivers/net/wireless/iwmc3200wifi/netdev.c index aaa20c6885c8..aea5ccf24ccf 100644 --- a/drivers/net/wireless/iwmc3200wifi/netdev.c +++ b/drivers/net/wireless/iwmc3200wifi/netdev.c @@ -151,8 +151,8 @@ void iwm_if_free(struct iwm_priv *iwm) return; free_netdev(iwm_to_ndev(iwm)); - iwm_wdev_free(iwm); iwm_priv_deinit(iwm); + iwm_wdev_free(iwm); } int iwm_if_add(struct iwm_priv *iwm) From 872ed1902f511a8947021c562f5728a5bf0640b5 Mon Sep 17 00:00:00 2001 From: Reinette Chatre Date: Thu, 9 Jul 2009 10:33:37 -0700 Subject: [PATCH 02/21] iwlwifi: only show active power level via sysfs This changes the power_level file to adhere to the "one value per file" sysfs rule. The user will know which power level was requested as it will be the number just written to this file. It is thus not necessary to create a new sysfs file for this value. In addition it fixes a problem where powertop's parsing expects this value to be the first value in this file without any descriptions. Signed-off-by: Reinette Chatre cc: stable@kernel.org Signed-off-by: John W. Linville --- drivers/net/wireless/iwlwifi/iwl-agn.c | 4 +--- drivers/net/wireless/iwlwifi/iwl3945-base.c | 4 +--- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/drivers/net/wireless/iwlwifi/iwl-agn.c b/drivers/net/wireless/iwlwifi/iwl-agn.c index 6d1519e1f011..355f50ea7fef 100644 --- a/drivers/net/wireless/iwlwifi/iwl-agn.c +++ b/drivers/net/wireless/iwlwifi/iwl-agn.c @@ -2675,12 +2675,10 @@ static ssize_t show_power_level(struct device *d, struct device_attribute *attr, char *buf) { struct iwl_priv *priv = dev_get_drvdata(d); - int mode = priv->power_data.user_power_setting; int level = priv->power_data.power_mode; char *p = buf; - p += sprintf(p, "INDEX:%d\t", level); - p += sprintf(p, "USER:%d\n", mode); + p += sprintf(p, "%d\n", level); return p - buf + 1; } diff --git a/drivers/net/wireless/iwlwifi/iwl3945-base.c b/drivers/net/wireless/iwlwifi/iwl3945-base.c index cb9bd4c8f25e..956798f2c80c 100644 --- a/drivers/net/wireless/iwlwifi/iwl3945-base.c +++ b/drivers/net/wireless/iwlwifi/iwl3945-base.c @@ -3643,12 +3643,10 @@ static ssize_t show_power_level(struct device *d, struct device_attribute *attr, char *buf) { struct iwl_priv *priv = dev_get_drvdata(d); - int mode = priv->power_data.user_power_setting; int level = priv->power_data.power_mode; char *p = buf; - p += sprintf(p, "INDEX:%d\t", level); - p += sprintf(p, "USER:%d\n", mode); + p += sprintf(p, "%d\n", level); return p - buf + 1; } From 7b80ece41aea0b73283c6df5a8f25d40aa13135d Mon Sep 17 00:00:00 2001 From: Reinette Chatre Date: Thu, 9 Jul 2009 10:33:39 -0700 Subject: [PATCH 03/21] iwlwifi: only update byte count table during aggregation The byte count table is only used for aggregation. Updating it in other cases caused fragmented frames to be dropped. This fixes http://www.intellinuxwireless.org/bugzilla/show_bug.cgi?id=2004 Signed-off-by: Reinette Chatre Signed-off-by: John W. Linville --- drivers/net/wireless/iwlwifi/iwl-tx.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/iwlwifi/iwl-tx.c b/drivers/net/wireless/iwlwifi/iwl-tx.c index 85ae7a62109c..9bbeec9427f0 100644 --- a/drivers/net/wireless/iwlwifi/iwl-tx.c +++ b/drivers/net/wireless/iwlwifi/iwl-tx.c @@ -872,7 +872,8 @@ int iwl_tx_skb(struct iwl_priv *priv, struct sk_buff *skb) iwl_print_hex_dump(priv, IWL_DL_TX, (u8 *)tx_cmd->hdr, hdr_len); /* Set up entry for this TFD in Tx byte-count array */ - priv->cfg->ops->lib->txq_update_byte_cnt_tbl(priv, txq, + if (info->flags & IEEE80211_TX_CTL_AMPDU) + priv->cfg->ops->lib->txq_update_byte_cnt_tbl(priv, txq, le16_to_cpu(tx_cmd->len)); pci_dma_sync_single_for_device(priv->pci_dev, txcmd_phys, From e2e414d92397c366396d13f627a98a20be92e509 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Fri, 10 Jul 2009 11:38:14 +0200 Subject: [PATCH 04/21] mac80211: disable mesh My kvm instance was complaining a lot about sleeping in atomic contexts in the mesh code, and it turns out that both mesh_path_add() and mpp_path_add() need to be able to sleep (they even use synchronize_rcu()!). I put in a might_sleep() to annotate that, but I see no way, at least right now, of actually making sure those functions are only called from process context since they are both called during TX and RX and the mesh code itself even calls them with rcu_read_lock() "held". Therefore, let's disable it completely for now. It's possible that I'm only seeing this because the hwsim's beaconing is broken and thus the peers aren't discovered right away, but it is possible that this happens even if beaconing is working, for a peer that doesn't exist or so. It should be possible to solve this by deferring the freeing of the tables to call_rcu() instead of using synchronize_rcu(), and also using atomic allocations, but maybe it makes more sense to rework the code to not call these from atomic contexts and defer more of the work to the workqueue. Right now, I can't work on either of those solutions though. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville --- net/mac80211/Kconfig | 1 + net/mac80211/mesh_pathtbl.c | 3 +++ 2 files changed, 4 insertions(+) diff --git a/net/mac80211/Kconfig b/net/mac80211/Kconfig index ba2643a43c73..7836ee928983 100644 --- a/net/mac80211/Kconfig +++ b/net/mac80211/Kconfig @@ -83,6 +83,7 @@ endmenu config MAC80211_MESH bool "Enable mac80211 mesh networking (pre-802.11s) support" depends on MAC80211 && EXPERIMENTAL + depends on BROKEN ---help--- This options enables support of Draft 802.11s mesh networking. The implementation is based on Draft 1.08 of the Mesh Networking diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c index 3c72557df45a..02f8709a181e 100644 --- a/net/mac80211/mesh_pathtbl.c +++ b/net/mac80211/mesh_pathtbl.c @@ -175,6 +175,8 @@ int mesh_path_add(u8 *dst, struct ieee80211_sub_if_data *sdata) int err = 0; u32 hash_idx; + might_sleep(); + if (memcmp(dst, sdata->dev->dev_addr, ETH_ALEN) == 0) /* never add ourselves as neighbours */ return -ENOTSUPP; @@ -265,6 +267,7 @@ int mpp_path_add(u8 *dst, u8 *mpp, struct ieee80211_sub_if_data *sdata) int err = 0; u32 hash_idx; + might_sleep(); if (memcmp(dst, sdata->dev->dev_addr, ETH_ALEN) == 0) /* never add ourselves as neighbours */ From f54c142725ad2ba33c3ee627873cb6966bf05447 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Fri, 10 Jul 2009 21:41:39 +0200 Subject: [PATCH 05/21] rfkill: allow toggling soft state in sysfs again Apparently there actually _are_ tools that try to set this in sysfs even though it wasn't supposed to be used this way without claiming first. Guess what: now that I've cleaned it all up it doesn't matter and we can simply allow setting the soft-block state in sysfs. Signed-off-by: Johannes Berg Tested-By: Darren Salt Signed-off-by: John W. Linville --- net/rfkill/core.c | 27 +++++++++++++++++++-------- 1 file changed, 19 insertions(+), 8 deletions(-) diff --git a/net/rfkill/core.c b/net/rfkill/core.c index 79693fe2001e..6896c0b45b4a 100644 --- a/net/rfkill/core.c +++ b/net/rfkill/core.c @@ -648,15 +648,26 @@ static ssize_t rfkill_state_store(struct device *dev, struct device_attribute *attr, const char *buf, size_t count) { - /* - * The intention was that userspace can only take control over - * a given device when/if rfkill-input doesn't control it due - * to user_claim. Since user_claim is currently unsupported, - * we never support changing the state from userspace -- this - * can be implemented again later. - */ + struct rfkill *rfkill = to_rfkill(dev); + unsigned long state; + int err; - return -EPERM; + if (!capable(CAP_NET_ADMIN)) + return -EPERM; + + err = strict_strtoul(buf, 0, &state); + if (err) + return err; + + if (state != RFKILL_USER_STATE_SOFT_BLOCKED && + state != RFKILL_USER_STATE_UNBLOCKED) + return -EINVAL; + + mutex_lock(&rfkill_global_mutex); + rfkill_set_block(rfkill, state == RFKILL_USER_STATE_SOFT_BLOCKED); + mutex_unlock(&rfkill_global_mutex); + + return err ?: count; } static ssize_t rfkill_claim_show(struct device *dev, From 8ef86c7bfac5b44529b73b84bc50d3cf574bfb4b Mon Sep 17 00:00:00 2001 From: Pavel Roskin Date: Fri, 10 Jul 2009 16:42:29 -0400 Subject: [PATCH 06/21] mac80211: fix injection in monitor mode The location of the 802.11 header is calculated incorrectly due to a wrong placement of parentheses. Found by kmemcheck. Signed-off-by: Pavel Roskin Signed-off-by: John W. Linville --- net/mac80211/tx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c index d238a8939a09..3a8922cd1038 100644 --- a/net/mac80211/tx.c +++ b/net/mac80211/tx.c @@ -1455,7 +1455,7 @@ int ieee80211_master_start_xmit(struct sk_buff *skb, struct net_device *dev) monitor_iface = UNKNOWN_ADDRESS; len_rthdr = ieee80211_get_radiotap_len(skb->data); - hdr = (struct ieee80211_hdr *)skb->data + len_rthdr; + hdr = (struct ieee80211_hdr *)(skb->data + len_rthdr); hdrlen = ieee80211_hdrlen(hdr->frame_control); /* check the header is complete in the frame */ From 48ab3578a65c5168ecaaa3b21292b643b7bcc2d5 Mon Sep 17 00:00:00 2001 From: Alan Jenkins Date: Sun, 12 Jul 2009 17:03:13 +0100 Subject: [PATCH 07/21] rfkill: fix rfkill_set_states() to set the hw state The point of this function is to set the software and hardware state at the same time. When I tried to use it, I found it was only setting the software state. Signed-off-by: Alan Jenkins Reviewed-by: Johannes Berg Signed-off-by: John W. Linville --- net/rfkill/core.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/net/rfkill/core.c b/net/rfkill/core.c index 6896c0b45b4a..2fc4a1724eb8 100644 --- a/net/rfkill/core.c +++ b/net/rfkill/core.c @@ -549,6 +549,10 @@ void rfkill_set_states(struct rfkill *rfkill, bool sw, bool hw) swprev = !!(rfkill->state & RFKILL_BLOCK_SW); hwprev = !!(rfkill->state & RFKILL_BLOCK_HW); __rfkill_set_sw_state(rfkill, sw); + if (hw) + rfkill->state |= RFKILL_BLOCK_HW; + else + rfkill->state &= ~RFKILL_BLOCK_HW; spin_unlock_irqrestore(&rfkill->lock, flags); From 5d41635195c06fc3116ef3921fe85a9a3ea5ab20 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Mon, 13 Jul 2009 13:04:30 +0200 Subject: [PATCH 08/21] mac80211_hwsim: fix unregistration If you rmmod the module while associated, frames might be transmitted during unregistration -- which will crash if the hwsim%d interface is unregistered first, so only do that after all the virtual wiphys are gone. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville --- drivers/net/wireless/mac80211_hwsim.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c index a111bda392e2..5bed8241f3cc 100644 --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c @@ -1167,8 +1167,8 @@ static void __exit exit_mac80211_hwsim(void) { printk(KERN_DEBUG "mac80211_hwsim: unregister radios\n"); - unregister_netdev(hwsim_mon); mac80211_hwsim_free(); + unregister_netdev(hwsim_mon); } From e603d9d824ff0eda98a65708a7e82112becf2dca Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Mon, 13 Jul 2009 13:25:58 +0200 Subject: [PATCH 09/21] mac80211_hwsim: fix use after free Once the "data" pointer is freed, we can't be iterating to the next item in the list any more so we need to use list_for_each_entry_safe with a temporary variable. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville --- drivers/net/wireless/mac80211_hwsim.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c index 5bed8241f3cc..7916ca3f84c8 100644 --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c @@ -709,7 +709,7 @@ static const struct ieee80211_ops mac80211_hwsim_ops = static void mac80211_hwsim_free(void) { struct list_head tmplist, *i, *tmp; - struct mac80211_hwsim_data *data; + struct mac80211_hwsim_data *data, *tmpdata; INIT_LIST_HEAD(&tmplist); @@ -718,7 +718,7 @@ static void mac80211_hwsim_free(void) list_move(i, &tmplist); spin_unlock_bh(&hwsim_radio_lock); - list_for_each_entry(data, &tmplist, list) { + list_for_each_entry_safe(data, tmpdata, &tmplist, list) { debugfs_remove(data->debugfs_group); debugfs_remove(data->debugfs_ps); debugfs_remove(data->debugfs); From 35946a571099a50d2595c8866f07617d29558f53 Mon Sep 17 00:00:00 2001 From: Javier Cardona Date: Mon, 13 Jul 2009 17:00:10 -0700 Subject: [PATCH 10/21] mac80211: use correct address for mesh Path Error For forwarded frames, we save the precursor address in addr1 in case it needs to be used to send a Path Error. mesh_path_discard_frame, however, was using addr2 instead of addr1 to send Path Error frames, so correct that and also make the comment regarding this more clear. Signed-off-by: Andrey Yurovsky Signed-off-by: John W. Linville --- net/mac80211/mesh_pathtbl.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/net/mac80211/mesh_pathtbl.c b/net/mac80211/mesh_pathtbl.c index 02f8709a181e..479597e88583 100644 --- a/net/mac80211/mesh_pathtbl.c +++ b/net/mac80211/mesh_pathtbl.c @@ -494,8 +494,10 @@ void mesh_path_tx_pending(struct mesh_path *mpath) * @skb: frame to discard * @sdata: network subif the frame was to be sent through * - * If the frame was beign forwarded from another MP, a PERR frame will be sent - * to the precursor. + * If the frame was being forwarded from another MP, a PERR frame will be sent + * to the precursor. The precursor's address (i.e. the previous hop) was saved + * in addr1 of the frame-to-be-forwarded, and would only be overwritten once + * the destination is successfully resolved. * * Locking: the function must me called within a rcu_read_lock region */ @@ -510,7 +512,7 @@ void mesh_path_discard_frame(struct sk_buff *skb, u8 *ra, *da; da = hdr->addr3; - ra = hdr->addr2; + ra = hdr->addr1; mpath = mesh_path_lookup(da, sdata); if (mpath) dsn = ++mpath->dsn; From 65b5a69860ed3bc4224368b804d381cd9cafa90a Mon Sep 17 00:00:00 2001 From: Bob Copeland Date: Mon, 13 Jul 2009 21:57:39 -0400 Subject: [PATCH 11/21] ath5k: temporarily disable crypto for AP mode Pavel Roskin reported some issues with using AP mode without nohwcrypt=1. Most likely this is similar to the problem fixed some time ago in ath9k by 3f53dd64f192450cb331c0fecfc26ca952fb242f, "ath9k: Fix hw crypto configuration for TKIP in AP mode." That only affects TKIP but it's easiest to just disable that and WEP too until we get a proper fix in. Signed-off-by: Bob Copeland Signed-off-by: John W. Linville --- drivers/net/wireless/ath/ath5k/base.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/wireless/ath/ath5k/base.c b/drivers/net/wireless/ath/ath5k/base.c index ea045151f953..029c1bc7468f 100644 --- a/drivers/net/wireless/ath/ath5k/base.c +++ b/drivers/net/wireless/ath/ath5k/base.c @@ -2970,6 +2970,9 @@ ath5k_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd, if (modparam_nohwcrypt) return -EOPNOTSUPP; + if (sc->opmode == NL80211_IFTYPE_AP) + return -EOPNOTSUPP; + switch (key->alg) { case ALG_WEP: case ALG_TKIP: From 3da7429ce92abd79b14e2275a28be144ce2c3013 Mon Sep 17 00:00:00 2001 From: Larry Finger Date: Tue, 14 Jul 2009 15:55:16 -0500 Subject: [PATCH 12/21] rtl8187: Fix for kernel oops when unloading with LEDs enabled MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When rtl8187 is unloaded and CONFIG_RTL8187_LEDS is set, the kernel may oops when the module is unloaded as the workqueue for led_on was not being cancelled. This patch fixes the problem reported in http://marc.info/?l=linux-wireless&m=124742957615781&w=2. Reported-by: Gábor Stefanik Signed-off-by: Larry Finger Signed-off-by: John W. Linville --- drivers/net/wireless/rtl818x/rtl8187_leds.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/rtl818x/rtl8187_leds.c b/drivers/net/wireless/rtl818x/rtl8187_leds.c index b44253592243..cf9f899fe0e6 100644 --- a/drivers/net/wireless/rtl818x/rtl8187_leds.c +++ b/drivers/net/wireless/rtl818x/rtl8187_leds.c @@ -208,11 +208,12 @@ void rtl8187_leds_exit(struct ieee80211_hw *dev) { struct rtl8187_priv *priv = dev->priv; - rtl8187_unregister_led(&priv->led_tx); /* turn the LED off before exiting */ queue_delayed_work(dev->workqueue, &priv->led_off, 0); cancel_delayed_work_sync(&priv->led_off); + cancel_delayed_work_sync(&priv->led_on); rtl8187_unregister_led(&priv->led_rx); + rtl8187_unregister_led(&priv->led_tx); } #endif /* def CONFIG_RTL8187_LED */ From 6c95e2a2f0f0bf4c8880d5b74b2f7f359d352d03 Mon Sep 17 00:00:00 2001 From: Niko Jokinen Date: Wed, 15 Jul 2009 11:00:53 +0300 Subject: [PATCH 13/21] nl80211: Memory leak fixed Potential memory leak via msg pointer in nl80211_get_key() function. Signed-off-by: Niko Jokinen Signed-off-by: Luciano Coelho Signed-off-by: John W. Linville --- net/wireless/nl80211.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 43bdb1372cae..634496b3ed77 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -997,7 +997,7 @@ static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info) if (IS_ERR(hdr)) { err = PTR_ERR(hdr); - goto out; + goto free_msg; } cookie.msg = msg; @@ -1011,7 +1011,7 @@ static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info) &cookie, get_key_callback); if (err) - goto out; + goto free_msg; if (cookie.error) goto nla_put_failure; @@ -1022,6 +1022,7 @@ static int nl80211_get_key(struct sk_buff *skb, struct genl_info *info) nla_put_failure: err = -ENOBUFS; + free_msg: nlmsg_free(msg); out: cfg80211_put_dev(drv); From 7adfd5c71693b81e995283805b17aa4a2ee0ecd9 Mon Sep 17 00:00:00 2001 From: Andy Whitcroft Date: Thu, 16 Jul 2009 16:28:11 +0100 Subject: [PATCH 14/21] rt2x00: Fix chipset detection for rt2500usb The commit below changed the semantics of rt2x00_check_rev so that it no longer checked the bottom 4 bits of the rev were non-zero. During that conversion this part of the check was not propogated to the rt2500usb initialisation. commit 358623c22c9fd837b3b1b444377037f72553dc9f Author: Ivo van Doorn Date: Tue May 5 19:46:08 2009 +0200 rt2x00: Simplify rt2x00_check_rev Without this check rt73 devices are miss recognised as rt2500 devices and two drivers are loaded. Preventing the device being used. Reinstate this check. Signed-off-by: Andy Whitcroft Signed-off-by: John W. Linville --- drivers/net/wireless/rt2x00/rt2500usb.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/rt2x00/rt2500usb.c b/drivers/net/wireless/rt2x00/rt2500usb.c index 66daf68ff0ee..ce75426764a1 100644 --- a/drivers/net/wireless/rt2x00/rt2500usb.c +++ b/drivers/net/wireless/rt2x00/rt2500usb.c @@ -1550,7 +1550,9 @@ static int rt2500usb_init_eeprom(struct rt2x00_dev *rt2x00dev) rt2500usb_register_read(rt2x00dev, MAC_CSR0, ®); rt2x00_set_chip(rt2x00dev, RT2570, value, reg); - if (!rt2x00_check_rev(&rt2x00dev->chip, 0x000ffff0, 0)) { + if (!rt2x00_check_rev(&rt2x00dev->chip, 0x000ffff0, 0) || + rt2x00_check_rev(&rt2x00dev->chip, 0x0000000f, 0)) { + ERROR(rt2x00dev, "Invalid RT chipset detected.\n"); return -ENODEV; } From c66284f2a421f6aebbafd56cb8b90b8e6a9cb2de Mon Sep 17 00:00:00 2001 From: "Luis R. Rodriguez" Date: Thu, 16 Jul 2009 10:17:35 -0700 Subject: [PATCH 15/21] ath9k: Tune ANI function processing on AP mode during ANI reset For AP mode we must tune ANI specially for 2 GHz and for 5 GHz. We mask in only the flags we want to toggle on ath9k_hw_ani_control() through the ah->ani_function bitmask, this will take care of ignoring changes during ANI reset which we were disabling before. Testedy-by: Steven Luo Cc: Bennyam Malavazi Cc: Jouni Malinen Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville --- drivers/net/wireless/ath/ath9k/ani.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/drivers/net/wireless/ath/ath9k/ani.c b/drivers/net/wireless/ath/ath9k/ani.c index 1aeafb511ddd..aad259b4c197 100644 --- a/drivers/net/wireless/ath/ath9k/ani.c +++ b/drivers/net/wireless/ath/ath9k/ani.c @@ -478,6 +478,18 @@ void ath9k_ani_reset(struct ath_hw *ah) "Reset ANI state opmode %u\n", ah->opmode); ah->stats.ast_ani_reset++; + if (ah->opmode == NL80211_IFTYPE_AP) { + /* + * ath9k_hw_ani_control() will only process items set on + * ah->ani_function + */ + if (IS_CHAN_2GHZ(chan)) + ah->ani_function = (ATH9K_ANI_SPUR_IMMUNITY_LEVEL | + ATH9K_ANI_FIRSTEP_LEVEL); + else + ah->ani_function = 0; + } + ath9k_hw_ani_control(ah, ATH9K_ANI_NOISE_IMMUNITY_LEVEL, 0); ath9k_hw_ani_control(ah, ATH9K_ANI_SPUR_IMMUNITY_LEVEL, 0); ath9k_hw_ani_control(ah, ATH9K_ANI_FIRSTEP_LEVEL, 0); From e56f0975360369347725c49654ecfe3792710429 Mon Sep 17 00:00:00 2001 From: Alan Jenkins Date: Sat, 18 Jul 2009 19:20:20 +0100 Subject: [PATCH 16/21] rfkill: remove too-strict __must_check Some drivers don't need the return value of rfkill_set_hw_state(), so it should not be marked as __must_check. Signed-off-by: Alan Jenkins Acked-by: Johannes Berg Signed-off-by: John W. Linville --- include/linux/rfkill.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/rfkill.h b/include/linux/rfkill.h index 2ce29831feb6..278777fa8a3a 100644 --- a/include/linux/rfkill.h +++ b/include/linux/rfkill.h @@ -224,7 +224,7 @@ void rfkill_destroy(struct rfkill *rfkill); * should be blocked) so that drivers need not keep track of the soft * block state -- which they might not be able to. */ -bool __must_check rfkill_set_hw_state(struct rfkill *rfkill, bool blocked); +bool rfkill_set_hw_state(struct rfkill *rfkill, bool blocked); /** * rfkill_set_sw_state - Set the internal rfkill software block state From 9e81eccf199d910e5ea8db377a43478e4eccd033 Mon Sep 17 00:00:00 2001 From: Christian Lamparter Date: Sun, 19 Jul 2009 05:05:37 +0200 Subject: [PATCH 17/21] cfg80211: double free in __cfg80211_scan_done This patch fixes a double free corruption in __cfg80211_scan_done: ================================================ BUG kmalloc-512: Object already free ------------------------------------------------ INFO: Allocated in load_elf_binary+0x18b/0x19af age=6 INFO: Freed in load_elf_binary+0x104e/0x19af age=5 INFO: Slab 0xffffea0001bae4c0 objects=14 used=7 INFO: Object 0xffff88007e8a9918 @offset=6424 fp=0xffff88007e8a9488 Bytes b4 0xffff88007e8a9908: 00 00 00 00 00 00 00 00 5a 5a [...] Pid: 28705, comm: rmmod Tainted: P C 2.6.31-rc2-wl #1 Call Trace: [] print_trailer+0x14e/0x16e [] object_err+0x42/0x61 [] __slab_free+0x2af/0x396 [] ? wiphy_unregister+0x92/0x142 [cfg80211] [] kfree+0x13c/0x17a [] ? wiphy_unregister+0x92/0x142 [cfg80211] [] wiphy_unregister+0x92/0x142 [cfg80211] [] ieee80211_unregister_hw+0xc8/0xff [mac80211] [] p54_unregister_common+0x31/0x66 [p54common] [...] FIX kmalloc-512: Object at 0xffff88007e8a9918 not freed The code path which leads to the *funny* double free: request = rdev->scan_req; dev = dev_get_by_index(&init_net, request->ifidx); /* * the driver was unloaded recently and * therefore dev_get_by_index will return NULL! */ if (!dev) goto out; [...] rdev->scan_req = NULL; /* not executed... */ [...] out: kfree(request); Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville --- net/wireless/scan.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/net/wireless/scan.c b/net/wireless/scan.c index f8e71b300001..9271118e1fc4 100644 --- a/net/wireless/scan.c +++ b/net/wireless/scan.c @@ -35,8 +35,6 @@ void cfg80211_scan_done(struct cfg80211_scan_request *request, bool aborted) else nl80211_send_scan_done(wiphy_to_dev(request->wiphy), dev); - wiphy_to_dev(request->wiphy)->scan_req = NULL; - #ifdef CONFIG_WIRELESS_EXT if (!aborted) { memset(&wrqu, 0, sizeof(wrqu)); @@ -48,6 +46,7 @@ void cfg80211_scan_done(struct cfg80211_scan_request *request, bool aborted) dev_put(dev); out: + wiphy_to_dev(request->wiphy)->scan_req = NULL; kfree(request); } EXPORT_SYMBOL(cfg80211_scan_done); From ed5c8ef3bb2de277b7885072e0e981c41a022be5 Mon Sep 17 00:00:00 2001 From: Alan Jenkins Date: Sun, 19 Jul 2009 09:48:28 +0100 Subject: [PATCH 18/21] acer-wmi: fix rfkill conversion Fix another polarity error introduced by the rfkill rewrite, this time in acer_rfkill_set(). Signed-off-by: Alan Jenkins Signed-off-by: John W. Linville --- drivers/platform/x86/acer-wmi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/platform/x86/acer-wmi.c b/drivers/platform/x86/acer-wmi.c index be2fd6f91639..fb45f5ee8df1 100644 --- a/drivers/platform/x86/acer-wmi.c +++ b/drivers/platform/x86/acer-wmi.c @@ -973,7 +973,7 @@ static int acer_rfkill_set(void *data, bool blocked) { acpi_status status; u32 cap = (unsigned long)data; - status = set_u32(!!blocked, cap); + status = set_u32(!blocked, cap); if (ACPI_FAILURE(status)) return -ENODEV; return 0; From bfa99bfdda1ce8a60f1f0fba7a04162a66d4ecfa Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Sun, 19 Jul 2009 21:26:13 +0200 Subject: [PATCH 19/21] p54spi: fix potential null deref in p54spi.c Fix a potential NULL dereference bug during error handling in p54spi_probe. This bug was discovered by smatch: (http://repo.or.cz/w/smatch.git). Signed-off-by: Dan Carpenter Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville --- drivers/net/wireless/p54/p54spi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/p54/p54spi.c b/drivers/net/wireless/p54/p54spi.c index 83116baeb110..72c7dbd39d0a 100644 --- a/drivers/net/wireless/p54/p54spi.c +++ b/drivers/net/wireless/p54/p54spi.c @@ -635,7 +635,7 @@ static int __devinit p54spi_probe(struct spi_device *spi) hw = p54_init_common(sizeof(*priv)); if (!hw) { - dev_err(&priv->spi->dev, "could not alloc ieee80211_hw"); + dev_err(&spi->dev, "could not alloc ieee80211_hw"); return -ENOMEM; } From 5d2214ac5e7f72c9ae70b2444649e8d1d3e1086d Mon Sep 17 00:00:00 2001 From: "Luis R. Rodriguez" Date: Mon, 20 Jul 2009 08:32:47 -0700 Subject: [PATCH 20/21] ath: add support for special 0x8000 regulatory domain Two users of ar9170 devices have now reported their cards have been programmed with a regulatory domain of 0x8000. This is not a valid regulatory domain as such these users were unable to use these devices. Since this doesn't seem to be a device EEPROM corruption we must treat it specially. It may have been possible the manufacturer intended to use 0x0 as the regulatory domain and that would ultimately yield to US but since we cannot get confirmationf or this we default this special case to one of our world regulatory domains, specifically 0x64. Reported-by: DavidFreeman on #linux-wireless Reported-by: Joerg Albert Cc: Christian Lamparter , Cc: Stephen Chen Cc: David Quan Cc: Tony Yang Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville --- drivers/net/wireless/ath/regd.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/drivers/net/wireless/ath/regd.c b/drivers/net/wireless/ath/regd.c index eef370bd1211..bf3d25ba7be1 100644 --- a/drivers/net/wireless/ath/regd.c +++ b/drivers/net/wireless/ath/regd.c @@ -474,6 +474,21 @@ ath_regd_init_wiphy(struct ath_regulatory *reg, return 0; } +/* + * Some users have reported their EEPROM programmed with + * 0x8000 set, this is not a supported regulatory domain + * but since we have more than one user with it we need + * a solution for them. We default to 0x64, which is the + * default Atheros world regulatory domain. + */ +static void ath_regd_sanitize(struct ath_regulatory *reg) +{ + if (reg->current_rd != COUNTRY_ERD_FLAG) + return; + printk(KERN_DEBUG "ath: EEPROM regdomain sanitized\n"); + reg->current_rd = 0x64; +} + int ath_regd_init(struct ath_regulatory *reg, struct wiphy *wiphy, @@ -486,6 +501,8 @@ ath_regd_init(struct ath_regulatory *reg, if (!reg) return -EINVAL; + ath_regd_sanitize(reg); + printk(KERN_DEBUG "ath: EEPROM regdomain: 0x%0x\n", reg->current_rd); if (!ath_regd_is_eeprom_valid(reg)) { From 154839962a582b8eb661cde94ef3af0e03b374d7 Mon Sep 17 00:00:00 2001 From: Marek Vasut Date: Thu, 16 Jul 2009 19:19:53 +0200 Subject: [PATCH 21/21] libertas: Fix problem with broken V4 firmware on CF8381 Firmware V4 on CF8381 reports region code shifted by 1 byte to left. The following patch checks for this and handles it properly. Signed-off-by: Marek Vasut Signed-off-by: John W. Linville --- drivers/net/wireless/libertas/cmd.c | 8 +++++++- drivers/net/wireless/libertas/defs.h | 2 ++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/libertas/cmd.c b/drivers/net/wireless/libertas/cmd.c index 01db705a38ec..685098148e10 100644 --- a/drivers/net/wireless/libertas/cmd.c +++ b/drivers/net/wireless/libertas/cmd.c @@ -135,8 +135,14 @@ int lbs_update_hw_spec(struct lbs_private *priv) /* Clamp region code to 8-bit since FW spec indicates that it should * only ever be 8-bit, even though the field size is 16-bit. Some firmware * returns non-zero high 8 bits here. + * + * Firmware version 4.0.102 used in CF8381 has region code shifted. We + * need to check for this problem and handle it properly. */ - priv->regioncode = le16_to_cpu(cmd.regioncode) & 0xFF; + if (MRVL_FW_MAJOR_REV(priv->fwrelease) == MRVL_FW_V4) + priv->regioncode = (le16_to_cpu(cmd.regioncode) >> 8) & 0xFF; + else + priv->regioncode = le16_to_cpu(cmd.regioncode) & 0xFF; for (i = 0; i < MRVDRV_MAX_REGION_CODE; i++) { /* use the region code to search for the index */ diff --git a/drivers/net/wireless/libertas/defs.h b/drivers/net/wireless/libertas/defs.h index 48da157d6cda..72f3479a4d70 100644 --- a/drivers/net/wireless/libertas/defs.h +++ b/drivers/net/wireless/libertas/defs.h @@ -234,6 +234,8 @@ static inline void lbs_deb_hex(unsigned int grp, const char *prompt, u8 *buf, in /** Mesh enable bit in FW capability */ #define MESH_CAPINFO_ENABLE_MASK (1<<16) +/** FW definition from Marvell v4 */ +#define MRVL_FW_V4 (0x04) /** FW definition from Marvell v5 */ #define MRVL_FW_V5 (0x05) /** FW definition from Marvell v10 */