Commit Graph

154529 Commits

Author SHA1 Message Date
Roel Kluin
3d0ccd021b airo: Buffer overflow
SSID_rid has space for only 3 ssids.
txPowerLevels[i] is read before the bounds check for i

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Acked-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-27 15:19:36 -04:00
Dan Carpenter
2a21f86917 wireless: ERR_PTR vs null
iwm_wdev_alloc() returns an ERR_PTR on failure and not null.  It also
prints its own dev_err() message so I removed that as well.

Compile tested only.  Sorry.
Found by smatch (http://repo.or.cz/w/smatch.git).

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-27 15:19:35 -04:00
reinette chatre
45f5fa32b1 iwlagn: fix minimum number of queues setting
We need to provide a reasonable minimum that will result in a
working setup if used. Set minimum to be 10 to provide for
4 standard TX queues + 1 command queue + 2 (unused) HCCA queues +
4 HT queues (one per AC).

We allow the user to change the number of queues used via a module
parameter and use this minimum value to check if it is valid. Without
this patch a user can select a value for the number of queues that
will result in a failing setup.

Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Reviewed-by: Tomas Winkler <tomas.winkler@intel.com>
Acked-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-27 15:19:35 -04:00
Johannes Berg
3995bd9332 iwlwifi: fix TX queue race
I had a problem on 4965 hardware (well, probably other hardware too,
but others don't survive my stress testing right now, unfortunately)
where the driver was sending invalid commands to the device, but no
such thing could be seen from the driver's point of view. I could
reproduce this fairly easily by sending multiple TCP streams with
iperf on different TIDs, though sometimes a single iperf stream was
sufficient. It even happened with a single core, but I have forced
preemption turned on.

The culprit was a queue overrun, where we advanced the queue's write
pointer over the read pointer. After careful analysis I've come to
the conclusion that the cause is a race condition between iwlwifi
and mac80211.

mac80211, of course, checks whether the queue is stopped, before
transmitting a frame. This effectively looks like this:

        lock(queues)
        if (stopped(queue)) {
                unlock(queues)
                return busy;
	}
        unlock(queues)
        ...             <-- this place will be important
			    there is some more code here
        drv_tx(frame)

The driver, on the other hand, can stop and start queues, which does

        lock(queues)
        mark_running/stopped(queue)
        unlock(queues)

	[if marked running: wake up tasklet to send pending frames]

Now, however, once the driver starts the queue, mac80211 can see that
and end up at the marked place above, at which point for some reason the
driver seems to stop the queue again (I don't understand that) and then
we end up transmitting while the queue is actually full.

Now, this shouldn't actually matter much, but for some reason I've seen
it happen multiple times in a row and the queue actually overflows, at
which point the queue bites itself in the tail and things go completely
wrong.

This patch fixes this by just dropping the packet should this have
happened, and making the lock in iwlwifi cover everything so iwlwifi
can't race against itself (dropping the lock there might make it more
likely, but it did seem to happen without that too).

Since we can't hold the lock across drv_tx() above, I see no way to fix
this in mac80211, but I also don't understand why I haven't seen this
before -- maybe I just never stress tested it this badly.

With this patch, the device has survived many minutes of simultanously
sending two iperf streams on different TIDs with combined throughput
of about 60 Mbps.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-27 15:19:34 -04:00
Don Skidmore
8bae1b2b13 ixgbe: fix for 82599 errata marking UDP checksum errors
There is an 82599 errata that UDP frames with a zero checksum are
incorrectly marked as checksum invalid by the hardware.  This was
leading to misleading hw_csum_rx_error counts. This patch adds a
test around this counter increase for this condition.

Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-26 20:20:47 -07:00
françois romieu
ca52efd549 r8169: WakeOnLan fix for the 8168
More stuff for http://bugzilla.kernel.org/show_bug.cgi?id=9512

Some 8168 are unable to WoL when receiving is not enabled (plain
old 8169 do not seem to care).

It is not exactly pretty to leave the receiver enabled but we
should now enable DMA late enough for it to be safe. Some late
stage boot failure due to pxe and friends may benefit from the
delayed enabling of bus-mastering as well.

Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Tested-by: Jaromír Cápík <tavvva@volny.cz>
Cc: Edward Hsu <edward_hsu@realtek.com.tw>
2009-07-26 20:18:52 -07:00
Dhananjay Phadke
c8a5a658b8 netxen: reset ring consumer during cleanup
Reset consumer of status rings to 0 when cleaning
up sw resources. Status rings are not deleted
during suspend since they have napi objects.

This ensures correct rx processing across suspen-resume.

Signed-off-by: Dhananjay Phadke <dhananjay@netxen.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-26 20:17:21 -07:00
Xiaotian Feng
c587aea951 net/bridge: use kobject_put to release kobject in br_add_if error path
kobject_init_and_add will alloc memory for kobj->name, so in br_add_if
error path, simply use kobject_del will not free memory for kobj->name.
Fix by using kobject_put instead, kobject_put will internally calls
kobject_del and frees memory for kobj->name.

Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
Acked-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-26 19:20:51 -07:00
Alessandro Rubini
4a29f39642 smc91x.h: add config for Nomadik evaluation kit
Signed-off-by: Alessandro Rubini <rubini@unipv.it>
Acked-by: Andrea Gallo <andrea.gallo@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-26 19:15:07 -07:00
Ralf Baechle
dcf777f6ed NET: ROSE: Don't use static buffer.
The use of a static buffer in rose2asc() to return its result is not
threadproof and can result in corruption if multiple threads are trying
to use one of the procfs files based on rose2asc().

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-26 19:11:14 -07:00
Roel Kluin
d513d018e2 eepro: Read buffer overflow
io[i] is read before the bounds check on i, order should be reversed

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-26 18:53:17 -07:00
roel kluin
c65d3198ad tokenring: Read buffer overflow
io[i] is read before the bounds check on i, order should be reversed

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-26 18:50:39 -07:00
roel kluin
3b73e79b0d at1700: Read buffer overflow
loop bound looks to be wrong, for an array of length 8

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-26 18:50:38 -07:00
roel kluin
f83284fe20 fealnx: Write outside array bounds
phy_idx is checked to be < 4, but np->phys[] is 2 elements long

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-26 18:50:37 -07:00
Andy Gospodarek
ffafa60d49 ixgbe: remove unnecessary call to device_init_wakeup
Calls to device_init_wakeup should not be necessary in drivers that use
device_set_wakeup_enable since pci_pm_init will set the can_wakeup flag
for the device when initialized.

Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
Acked-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-23 11:05:32 -07:00
Lucy Liu
601278659d ixgbe: Don't priority tag control frames in DCB mode
Certain types of control packets (LLDP, LACP, etc.) are not supposed to have a
priority tag or vlan tag inserted.  Ixgbe driver is currently priority
tagging everything (if packet is not on a VLAN interface).

This patch modifies DCB mode, so that packets marked with skb priority
TC_PRIO_CONTROL are not priority tagged.  It also transmits these packets on
the highest priority traffic class.
Programs (like dcbd) can set the skb priority using a socket option.  Or, a tc
filter can be configured to set the priority value. Using the value
TC_PRIO_CONTROL (7) has the benefit that it is already defined in the kernel,
and the bonding LACP code already sets the skb->priority field to this value.

Signed-off-by: Lucy Liu <lucy.liu@intel.com>
Acked-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-23 11:05:31 -07:00
Yi Zou
0d5515894f ixgbe: Enable FCoE offload when DCB is enabled for 82599
Currently, FCoE offload feature is turned on when the kernel config has
CONFIG_FCOE or CONFIG_FCOE_MODULE set. However, we really want to turn
FCoE offload on when there is FCoE traffic passing and turn it off when
it's just LAN traffic. Since FCoE depends on a lossless network provided
by DCB, this allows us to have FCoE turned on/off when user turns on DCB
using dcbtool.

Signed-off-by: Yi Zou <yi.zou@intel.com>
Acked-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-23 11:05:30 -07:00
Mark Ware
dacac4da52 net: Rework mdio-ofgpio driver to use of_mdio infrastructure
Changes to the fs_enet driver aa73832c5a
("net: Rework fs_enet driver to use of_mdio infrastructure")
cause kernel crashes when using the mdio-ofgpio driver.
 
This patch replicates similar changes made to the fs_enet mii-bitbang
drivers.  It has been tested on a custom mpc8280 based board using an
NFS mounted root.
 
Signed-off-by: Mark Ware <mware@elphinstone.net>
Acked-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-23 10:56:48 -07:00
Uwe Kleine-König
78a9c9c974 register at91_ether using platform_driver_probe
at91ether_probe lives in .init.text, so using platform_driver_register
to register it is wrong because binding a device after the init memory
is discarded (e.g. via sysfs) results in an oops.

As requested by David Brownell platform_driver_probe is used instead of
moving the probe function to .devinit.text as proposed initially.
This saves some memory, but devices registered after the driver is
probed are not bound (probably there are none) and binding via sysfs
isn't possible.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Acked-by: David Brownell <dbrownell@users.sourceforge.net>
Acked-by: Andrew Victor <linux@maxim.org.za>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-22 11:24:28 -07:00
Rafael J. Wysocki
7b55a4a3f7 skge: Enable WoL by default if supported
If skge hardware is capable of waking up the system from sleep,
enable magic packet WoL during driver initialisation.

This makes WoL work without calling 'ethtool -s ethX wol g'
for each adapter.

Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Tested-by: Michael Guntsche <mike@it-loops.com>
Acked-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-22 11:24:26 -07:00
David S. Miller
d14a7679ae Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2009-07-22 11:18:40 -07:00
Alexander Beregalov
de72e5de06 net: KS8851 needs to depend on MII
fix this build error when CONFIG_MII is not set
drivers/net/ks8851.c:999: undefined reference to `generic_mii_ioctl'
drivers/net/ks8851.c:1050: undefined reference to `mii_link_ok'
drivers/net/ks8851.c:1056: undefined reference to `mii_nway_restart'
drivers/net/ks8851.c:1044: undefined reference to `mii_ethtool_sset'
drivers/net/ks8851.c:1038: undefined reference to `mii_ethtool_gset'

Signed-off-by: Alexander Beregalov <a.beregalov@gmail.com>
Acked-by: Ben Dooks <ben@simtec.co.uk>
2009-07-22 09:33:08 -07:00
Ajit Khaparde
fa77406aee be2net: Bug fix in the non-lro path. Size of received packet was not updated in statistics properly.
This patch fixes a bug in the non-lro path.  Wrong size of received
packet was being passed for updating receive statistics.  This patch
is against the net-2.6 git.

Signed-off-by: Ajit Khaparde <ajitk@serverengines.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-22 09:28:55 -07:00
Anton Vorontsov
3104a6ff67 ucc_geth: Revive fixed link support
Since commit 0b9da337dc ("Rework
ucc_geth driver to use of_mdio infrastructure") the fixed-link
support is broken.

This patch fixes the support by removing !ug_info->phy_node check,
and adds a call to of_phy_connect_fixed_link() if a phy is not attached
to the MAC.

Also, remove an old fixed-link code that we don't use any longer.

Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-22 09:27:24 -07:00
Anton Vorontsov
1db780f8c7 gianfar: Revive fixed link support
Since commit fe192a4911 ("Rework gianfar
driver to use of_mdio infrastructure") the fixed-link support is
broken, the driver oopses at init_phy():

  Unable to handle kernel paging request for data at address 0x000000e4
  Faulting instruction address: 0xc01cf298
  Oops: Kernel access of bad area, sig: 11 [#1]
  [...]
  NIP [c01cf298] init_phy+0x80/0xdc
  LR [c01cf250] init_phy+0x38/0xdc
  Call Trace:
  [cf81fe80] [c01d1cf8] gfar_enet_open+0x6c/0x19c
  [cf81fea0] [c024494c] dev_open+0xfc/0x134
  [cf81fec0] [c0242edc] dev_change_flags+0x84/0x1ac
  [cf81fee0] [c0399ee0] ic_open_devs+0x168/0x2d8
  [cf81ff20] [c039b2e8] ip_auto_config+0x90/0x2a4
  [cf81ff60] [c0003884] do_one_initcall+0x34/0x1a8

This patch fixes the oops, and removes phy_node checks, and adds a call
to of_phy_connect_fixed_link() if a phy isn't attached..

Also, remove an old fixed-link code that we don't use any longer.

Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-22 09:27:23 -07:00
Anton Vorontsov
eedbc705f9 fs_enet: Revive fixed link support
Since commit aa73832c5a ("Rework
fs_enet driver to use of_mdio infrastructure") the fixed-link support
is broken in the fs_enet driver.

This patch fixes the support by removing a check for phy_node, and adding
a call to of_phy_connect_fixed_link().

Also set netdev parent device via SET_NETDEV_DEV() call, this is needed
so that OF MDIO core could find a node pointer for a device.

Plus, fix "if (IS_ERR(phydev))" check, in case of errors,
of_phy_connect() returns NULL, not ERR_PTR as phy_connect().

Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-22 09:27:19 -07:00
Anton Vorontsov
24c30dbbcd of/mdio: Add support function for Ethernet fixed-link property
Fixed-link support is broken for the ucc_eth, gianfar, and fs_enet
device drivers.  The "OF MDIO rework" patches removed most of the
support. Instead of re-adding fixed-link stuff to the drivers, this
patch adds a support function for parsing the fixed-link property
and obtaining a dummy phy to match.

Note: the dummy phy handling in arch/powerpc is a bit of a hack and
needs to be reworked.  This function is being added now to solve the
regression in the Ethernet drivers, but it should be considered a
temporary measure until the fixed link handling can be reworked.

Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-22 09:27:18 -07:00
Mike McCormack
a947a39d52 sky2: Avoid races in sky2_down
Reset rx chain before trying to drain it.
Shut interrupts off last, incase there's something to report.

Signed-off-by: Mike McCormack <mikem@ring3k.org>
Acked-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-21 20:57:56 -07:00
Julia Lawall
86669530d9 drivers/net/mlx4: Adjust constant
The values in the advertising field are typically ADVERTISED_xxx, not
SUPPORTED_xxx.  Both SUPPORTED_10000baseT_Full and
ADVERTISED_1000baseT_Full have the same value.

The semantic match that finds this problem is as follows:
(http://www.emn.fr/x-info/coccinelle/)

// <smpl>
@@
struct ethtool_cmd E;
@@
*E.advertising = SUPPORTED_10000baseT_Full
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-21 13:00:46 -07:00
Julia Lawall
0376d5b25e drivers/net: Move a dereference below a NULL test
If the NULL test is necessary, then the dereference should be moved below
the NULL test.

The semantic patch that makes this change is as follows:
(http://www.emn.fr/x-info/coccinelle/)

// <smpl>
@@
type T;
expression E,E1;
identifier i,fld;
statement S;
@@

- T i = E->fld;
+ T i;
  ... when != E=E1
      when != i
  if (E == NULL||...) S
+ i = E->fld;
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-21 13:00:44 -07:00
Julia Lawall
0021195c40 drivers/net: Move a dereference below a NULL test
If the NULL test is necessary, then the dereferences should be moved below
the NULL test.

The semantic patch that makes this change is as follows:
(http://www.emn.fr/x-info/coccinelle/)

// <smpl>
@@
type T;
expression E,E1;
identifier i,fld;
statement S;
@@

- T i = E->fld;
+ T i;
  ... when != E=E1
      when != i
  BUG_ON (E == NULL||...);
+ i = E->fld;
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-21 13:00:43 -07:00
Marek Vasut
154839962a libertas: Fix problem with broken V4 firmware on CF8381
Firmware V4 on CF8381 reports region code shifted by 1 byte to left.
The following patch checks for this and handles it properly.

Signed-off-by: Marek Vasut <marek.vasut@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21 15:59:52 -04:00
Luis R. Rodriguez
5d2214ac5e ath: add support for special 0x8000 regulatory domain
Two users of ar9170 devices have now reported their cards
have been programmed with a regulatory domain of 0x8000.
This is not a valid regulatory domain as such these users were
unable to use these devices. Since this doesn't seem to be
a device EEPROM corruption we must treat it specially. It
may have been possible the manufacturer intended to use 0x0
as the regulatory domain and that would ultimately yield
to US but since we cannot get confirmationf or this we
default this special case to one of our world regulatory
domains, specifically 0x64.

Reported-by: DavidFreeman on #linux-wireless
Reported-by: Joerg Albert <jal2@gmx.de>
Cc: Christian Lamparter <chunkeey@web.de>,
Cc: Stephen Chen <stephen.chen@atheros.com>
Cc: David Quan <david.quan@atheros.com>
Cc: Tony Yang <tony.yang@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21 15:59:50 -04:00
Dan Carpenter
bfa99bfdda p54spi: fix potential null deref in p54spi.c
Fix a potential NULL dereference bug during
error handling in p54spi_probe.

This bug was discovered by smatch:
(http://repo.or.cz/w/smatch.git).

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21 15:59:48 -04:00
Alan Jenkins
ed5c8ef3bb acer-wmi: fix rfkill conversion
Fix another polarity error introduced by the rfkill rewrite,
this time in acer_rfkill_set().

Signed-off-by: Alan Jenkins <alan-jenkins@tuffmail.co.uk>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21 15:58:54 -04:00
Evgeniy Polyakov
acb9c1b2f4 connector: maintainer/mail update.
Signed-off-by: Evgeniy Polyakov <zbr@ioremap.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-21 12:43:51 -07:00
Rémi Denis-Courmont
87cf65601e USB host CDC Phonet network interface driver
Many Nokia handsets support a Phonet interface to the cellular modem
via a vendor-specific USB interface. CDC Phonet follows the
Communications Device Class model, with one control interface, and
and a pair of inactive and active data alternative interface. The later
has two bulk endpoint, one per direction.

This was tested against Nokia E61, Nokia N95, and the existing Phonet
gadget function for the Linux composite USB gadget framework.

Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-21 12:40:39 -07:00
Finn Thain
4564cba716 macsonic, jazzsonic: fix oops on module unload
Set the driver data before using it. Fixes an oops when doing rmmod.

Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-21 12:21:49 -07:00
Uwe Kleine-König
2517747667 macsonic: move probe function to .devinit.text
A pointer to mac_sonic_probe is passed to the core via
platform_driver_register and so the function must not disappear when the
.init sections are discarded.  Otherwise (if also having HOTPLUG=y)
unbinding and binding a device to the driver via sysfs will result in an
oops as does a device being registered late.

Various other functions that are called by mac_sonic_probe need to move
to .devinit.text, too.

An alternative to this patch is using platform_driver_probe instead of
platform_driver_register plus removing the pointer to the probe function
from the struct platform_driver.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Tested-by: Finn Thain <fthain@telegraphics.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-21 12:20:18 -07:00
Christian Lamparter
9e81eccf19 cfg80211: double free in __cfg80211_scan_done
This patch fixes a double free corruption in __cfg80211_scan_done:

 ================================================
 BUG kmalloc-512: Object already free
 ------------------------------------------------

 INFO: Allocated in load_elf_binary+0x18b/0x19af age=6
 INFO: Freed in load_elf_binary+0x104e/0x19af age=5
 INFO: Slab 0xffffea0001bae4c0 objects=14 used=7
 INFO: Object 0xffff88007e8a9918 @offset=6424 fp=0xffff88007e8a9488

 Bytes b4 0xffff88007e8a9908:  00 00 00 00 00 00 00 00 5a 5a
 [...]
 Pid: 28705, comm: rmmod Tainted: P         C 2.6.31-rc2-wl #1
 Call Trace:
  [<ffffffff810da9f4>] print_trailer+0x14e/0x16e
  [<ffffffff810daa56>] object_err+0x42/0x61
  [<ffffffff810dbcd9>] __slab_free+0x2af/0x396
  [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211]
  [<ffffffff810dd5e3>] kfree+0x13c/0x17a
  [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211]
  [<ffffffffa0ec9694>] wiphy_unregister+0x92/0x142 [cfg80211]
  [<ffffffffa0eed163>] ieee80211_unregister_hw+0xc8/0xff [mac80211]
  [<ffffffffa0f3fbc8>] p54_unregister_common+0x31/0x66 [p54common]
  [...]
 FIX kmalloc-512: Object at 0xffff88007e8a9918 not freed

The code path which leads to the *funny* double free:

       request = rdev->scan_req;
       dev = dev_get_by_index(&init_net, request->ifidx);
	/*
	 * the driver was unloaded recently and
	 * therefore dev_get_by_index will return NULL!
	 */
        if (!dev)
                goto out;
	[...]
	rdev->scan_req = NULL; /* not executed... */
	[...]
 out:
        kfree(request);

Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21 12:07:44 -04:00
Alan Jenkins
e56f097536 rfkill: remove too-strict __must_check
Some drivers don't need the return value of rfkill_set_hw_state(),
so it should not be marked as __must_check.

Signed-off-by: Alan Jenkins <alan-jenkins@tuffmail.co.uk>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21 12:07:43 -04:00
Luis R. Rodriguez
c66284f2a4 ath9k: Tune ANI function processing on AP mode during ANI reset
For AP mode we must tune ANI specially for 2 GHz and
for 5 GHz. We mask in only the flags we want to toggle
on ath9k_hw_ani_control() through the ah->ani_function
bitmask, this will take care of ignoring changes during
ANI reset which we were disabling before.

Testedy-by: Steven Luo <steven@steven676.net>
Cc: Bennyam Malavazi <bennyam.malavazi@atheros.com>
Cc: Jouni Malinen <jouni.malinen@Atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21 12:07:43 -04:00
Andy Whitcroft
7adfd5c716 rt2x00: Fix chipset detection for rt2500usb
The commit below changed the semantics of rt2x00_check_rev so that it no
longer checked the bottom 4 bits of the rev were non-zero.  During that
conversion this part of the check was not propogated to the rt2500usb
initialisation.

    commit 358623c22c
    Author: Ivo van Doorn <ivdoorn@gmail.com>
    Date:   Tue May 5 19:46:08 2009 +0200

        rt2x00: Simplify rt2x00_check_rev

Without this check rt73 devices are miss recognised as rt2500 devices and
two drivers are loaded.  Preventing the device being used.  Reinstate this
check.

Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21 12:07:43 -04:00
Niko Jokinen
6c95e2a2f0 nl80211: Memory leak fixed
Potential memory leak via msg pointer in nl80211_get_key() function.

Signed-off-by: Niko Jokinen <ext-niko.k.jokinen@nokia.com>
Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21 12:07:42 -04:00
Larry Finger
3da7429ce9 rtl8187: Fix for kernel oops when unloading with LEDs enabled
When rtl8187 is unloaded and CONFIG_RTL8187_LEDS is set, the kernel
may oops when the module is unloaded as the workqueue for led_on was
not being cancelled.

This patch fixes the problem reported in
http://marc.info/?l=linux-wireless&m=124742957615781&w=2.

Reported-by: Gábor Stefanik <netrolller.3d@gmail.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21 12:07:42 -04:00
Bob Copeland
65b5a69860 ath5k: temporarily disable crypto for AP mode
Pavel Roskin reported some issues with using AP mode without
nohwcrypt=1.  Most likely this is similar to the problem fixed
some time ago in ath9k by 3f53dd64f1,
"ath9k: Fix hw crypto configuration for TKIP in AP mode."

That only affects TKIP but it's easiest to just disable that and
WEP too until we get a proper fix in.

Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21 12:07:42 -04:00
Javier Cardona
35946a5710 mac80211: use correct address for mesh Path Error
For forwarded frames, we save the precursor address in addr1 in case it
needs to be used to send a Path Error.  mesh_path_discard_frame,
however, was using addr2 instead of addr1 to send Path Error frames, so
correct that and also make the comment regarding this more clear.

Signed-off-by: Andrey Yurovsky <andrey@cozybit.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21 12:07:40 -04:00
Johannes Berg
e603d9d824 mac80211_hwsim: fix use after free
Once the "data" pointer is freed, we can't be iterating
to the next item in the list any more so we need to use
list_for_each_entry_safe with a temporary variable.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21 12:07:40 -04:00
Johannes Berg
5d41635195 mac80211_hwsim: fix unregistration
If you rmmod the module while associated, frames might
be transmitted during unregistration -- which will crash
if the hwsim%d interface is unregistered first, so only
do that after all the virtual wiphys are gone.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21 12:07:39 -04:00
Alan Jenkins
48ab3578a6 rfkill: fix rfkill_set_states() to set the hw state
The point of this function is to set the software and hardware state at
the same time.  When I tried to use it, I found it was only setting the
software state.

Signed-off-by: Alan Jenkins <alan-jenkins@tuffmail.co.uk>
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21 12:07:38 -04:00