Commit Graph

6 Commits

Author SHA1 Message Date
Ido Yariv
80900d0140 wl12xx: Remove obsolete testmode NVS push command
The testmode NVS push command is no longer in use. In addition, it has
several implementation issues that prevent it from working correctly:

1. wl1271_tm_cmd_configure relies on wl->chip.id being set. However,
   since the device was not necessarily booted by the time the function
   is called, wl->chip.id will be initialized to 0.
2. The NVS file is fetched by calling request_firmware() before it is
   possible to push an NVS file.
3. The maximum allowed size of nl binary payloads is not sufficient for
   pushing NVS files.
4. Pushing 128x NVS files will always fail due to a bug in the
   validation code.
5. In case the pushed NVS file is found invalid, the mutex will be kept
   locked and the nvs member will become a dangling pointer.

Since this feature is not being used, remove it completely instead of
fixing it.

Signed-off-by: Ido Yariv <ido@wizery.com>
Acked-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-08-23 15:54:19 -04:00
Julia Lawall
f8afdf481f drivers/net/wireless/wl12xx: add missing kfree
In each case, the freed data should be freed in the error handling code
as
well.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@exists@
local idexpression x;
statement S,S1;
expression E;
identifier fl;
expression *ptr != NULL;
@@

x = \(kmalloc\|kzalloc\|kcalloc\)(...);
...
if (x == NULL) S
<... when != x
     when != if (...) { <+...kfree(x)...+> }
     when any
     when != true x == NULL
x->fl
...>
(
if (x == NULL) S1
|
if (...) { ... when != x
               when forall
(
 return \(0\|<+...x...+>\|ptr\);
|
* return ...;
)
}
)
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Acked-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-08-12 13:33:31 -04:00
Ido Yariv
baacb9aed0 wl12xx: Avoid recovery while one is already in progress
During recovery work commands sent to the FW could fail and schedule
additional recovery work. Since the chip is going to be powered off,
avoid recursive recoveries.

Signed-off-by: Ido Yariv <ido@wizery.com>
Signed-off-by: Arik Nemtsov <arik@wizery.com>
Signed-off-by: Luciano Coelho <coelho@ti.com>
2011-06-27 15:05:15 +03:00
Shahar Levi
bc765bf3b9 wl12xx: 1281/1283 support - Loading FW & NVS
Take care of FW & NVS with the auto-detection between wl127x and
wl128x.

[Moved some common code outside if statements and added notes about
NVS structure assumptions; Fixed a bug when checking the nvs size: if
the size was incorrect, the local nvs variable was set to NULL, it
should be wl->nvs instead. -- Luca]

[Merged with potential buffer overflow fix -- Luca]

Signed-off-by: Shahar Levi <shahar_levi@ti.com>
Reviewed-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: Luciano Coelho <coelho@ti.com>
2011-04-19 16:48:10 +03:00
Luciano Coelho
09b661b332 wl12xx: fix potential buffer overflow in testmode nvs push
We were allocating the size of the NVS file struct and not checking
whether the length of the buffer passed was correct before copying it
into the allocated memory.  This is a security hole because buffer
overflows can occur if the userspace passes a bigger file than what is
expected.

With this patch, we check if the size of the data passed from
userspace matches the size required.

This bug was introduced in 2.6.36.

Cc: stable@kernel.org
Reported-by: Ido Yariv <ido@wizery.com>
Signed-off-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2011-04-04 15:22:12 -04:00
Shahar Levi
00d201001b wl1271: Change wl12xx Files Names
All files name prefix removed due to the fact that wl12xx driver supports
wl1271 and wl1273.
Also the definition in Kconfig and header files changed respectively.

Signed-off-by: Shahar Levi <shahar_levi@ti.com>
Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com>
2010-11-22 16:45:09 +02:00