From ff458edc0c5ec42b299547fb7eb9790a4aecc632 Mon Sep 17 00:00:00 2001 From: Wey-Yi Guy Date: Mon, 31 Jan 2011 13:56:03 -0800 Subject: iwlagn: overwrite EEPROM chain setting for 6250 devices 6250 2x2 devices have 2 tx chain and 2 rx chain. For some reason, the EEPROM contain incorrect information and indicate it only has single tx chain. overwrite it with .cfg parameter to make sure both chain 'A' and chain 'B' can be used for transmit and receive Signed-off-by: Wey-Yi Guy Signed-off-by: John W. Linville --- drivers/net/wireless/iwlwifi/iwl-6000.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/net/wireless/iwlwifi/iwl-6000.c b/drivers/net/wireless/iwlwifi/iwl-6000.c index af505bcd7ae0..ef36aff1bb43 100644 --- a/drivers/net/wireless/iwlwifi/iwl-6000.c +++ b/drivers/net/wireless/iwlwifi/iwl-6000.c @@ -681,6 +681,8 @@ struct iwl_cfg iwl6000i_2bg_cfg = { .fw_name_pre = IWL6050_FW_PRE, \ .ucode_api_max = IWL6050_UCODE_API_MAX, \ .ucode_api_min = IWL6050_UCODE_API_MIN, \ + .valid_tx_ant = ANT_AB, /* .cfg overwrite */ \ + .valid_rx_ant = ANT_AB, /* .cfg overwrite */ \ .ops = &iwl6050_ops, \ .eeprom_ver = EEPROM_6050_EEPROM_VERSION, \ .eeprom_calib_ver = EEPROM_6050_TX_POWER_VERSION, \ -- cgit v1.2.3 From 4334ec8518cec3f7a4feeb3dacb46acfb24904d4 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Wed, 2 Feb 2011 16:58:06 +0100 Subject: mac80211: fix TX status cookie in HW offload case When the off-channel TX is done with remain-on-channel offloaded to hardware, the reported cookie is wrong as in that case we shouldn't use the SKB as the cookie but need to instead use the corresponding r-o-c cookie (XOR'ed with 2 to prevent API mismatches). Fix this by keeping track of the hw_roc_skb pointer just for the status processing and use the correct cookie to report in this case. We can't use the hw_roc_skb pointer itself because it is NULL'ed when the frame is transmitted to prevent it being used twice. This fixes a bug where the P2P state machine in the supplicant gets stuck because it never gets a correct result for its transmitted frame. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville --- net/mac80211/cfg.c | 2 ++ net/mac80211/ieee80211_i.h | 2 +- net/mac80211/status.c | 7 ++++++- 3 files changed, 9 insertions(+), 2 deletions(-) diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c index 4bc8a9250cfd..9cd73b11506e 100644 --- a/net/mac80211/cfg.c +++ b/net/mac80211/cfg.c @@ -1822,6 +1822,7 @@ static int ieee80211_mgmt_tx(struct wiphy *wiphy, struct net_device *dev, *cookie ^= 2; IEEE80211_SKB_CB(skb)->flags |= IEEE80211_TX_CTL_TX_OFFCHAN; local->hw_roc_skb = skb; + local->hw_roc_skb_for_status = skb; mutex_unlock(&local->mtx); return 0; @@ -1875,6 +1876,7 @@ static int ieee80211_mgmt_tx_cancel_wait(struct wiphy *wiphy, if (ret == 0) { kfree_skb(local->hw_roc_skb); local->hw_roc_skb = NULL; + local->hw_roc_skb_for_status = NULL; } mutex_unlock(&local->mtx); diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h index c47d7c0e48a4..533fd32f49ff 100644 --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -953,7 +953,7 @@ struct ieee80211_local { struct ieee80211_channel *hw_roc_channel; struct net_device *hw_roc_dev; - struct sk_buff *hw_roc_skb; + struct sk_buff *hw_roc_skb, *hw_roc_skb_for_status; struct work_struct hw_roc_start, hw_roc_done; enum nl80211_channel_type hw_roc_channel_type; unsigned int hw_roc_duration; diff --git a/net/mac80211/status.c b/net/mac80211/status.c index 38a797217a91..071ac95c4aa0 100644 --- a/net/mac80211/status.c +++ b/net/mac80211/status.c @@ -323,6 +323,7 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb) if (info->flags & IEEE80211_TX_INTFL_NL80211_FRAME_TX) { struct ieee80211_work *wk; + u64 cookie = (unsigned long)skb; rcu_read_lock(); list_for_each_entry_rcu(wk, &local->work_list, list) { @@ -334,8 +335,12 @@ void ieee80211_tx_status(struct ieee80211_hw *hw, struct sk_buff *skb) break; } rcu_read_unlock(); + if (local->hw_roc_skb_for_status == skb) { + cookie = local->hw_roc_cookie ^ 2; + local->hw_roc_skb_for_status = NULL; + } cfg80211_mgmt_tx_status( - skb->dev, (unsigned long) skb, skb->data, skb->len, + skb->dev, cookie, skb->data, skb->len, !!(info->flags & IEEE80211_TX_STAT_ACK), GFP_ATOMIC); } -- cgit v1.2.3 From 4d048aac990d587c81fc1002e28502e6f95371ee Mon Sep 17 00:00:00 2001 From: Jesper Juhl Date: Thu, 3 Feb 2011 21:14:01 +0100 Subject: wireless, wl1251: Fix potential NULL pointer dereference in wl1251_op_bss_info_changed() In drivers/net/wireless/wl1251/main.c:wl1251_op_bss_info_changed() we make a call to ieee80211_beacon_get() which may return NULL, but we do not check the return value before dereferencing the pointer. Signed-off-by: Jesper Juhl Signed-off-by: John W. Linville --- drivers/net/wireless/wl1251/main.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/net/wireless/wl1251/main.c b/drivers/net/wireless/wl1251/main.c index 012e1a4016fe..40372bac9482 100644 --- a/drivers/net/wireless/wl1251/main.c +++ b/drivers/net/wireless/wl1251/main.c @@ -1039,6 +1039,9 @@ static void wl1251_op_bss_info_changed(struct ieee80211_hw *hw, if (changed & BSS_CHANGED_BEACON) { beacon = ieee80211_beacon_get(hw, vif); + if (!beacon) + goto out_sleep; + ret = wl1251_cmd_template_set(wl, CMD_BEACON, beacon->data, beacon->len); -- cgit v1.2.3 From 5820de5303f73d48dcc3a053c875d1f0da7eef67 Mon Sep 17 00:00:00 2001 From: Christian Lamparter Date: Thu, 3 Feb 2011 22:22:55 +0100 Subject: carl9170: fix typo in PS code This patch fixes a off-by-one bug which bugged the driver's PS-POLL capability. Cc: Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville --- drivers/net/wireless/ath/carl9170/rx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/carl9170/rx.c b/drivers/net/wireless/ath/carl9170/rx.c index 939a0e96ed1f..84866a4b8350 100644 --- a/drivers/net/wireless/ath/carl9170/rx.c +++ b/drivers/net/wireless/ath/carl9170/rx.c @@ -564,7 +564,7 @@ static void carl9170_ps_beacon(struct ar9170 *ar, void *data, unsigned int len) cam = ieee80211_check_tim(tim_ie, tim_len, ar->common.curaid); /* 2. Maybe the AP wants to send multicast/broadcast data? */ - cam = !!(tim_ie->bitmap_ctrl & 0x01); + cam |= !!(tim_ie->bitmap_ctrl & 0x01); if (!cam) { /* back to low-power land. */ -- cgit v1.2.3 From 9cf04dcc9c5ef884e952b2f461f39f682ef5c051 Mon Sep 17 00:00:00 2001 From: Mohammed Shafi Shajakhan Date: Fri, 4 Feb 2011 18:38:23 +0530 Subject: ath9k: Fix possible double free of PAPRD skb's This patch reverts the following commit ath9k: remove bfs_paprd_timestamp from struct ath_buf_state Under high interference/noisy environment conditions where PAPRD frames fails heavily introduces a possibility of double freeing skb's and causes kernel panic after some time.This patch reverts back to the original approach of using paprd_timestamp before freeing the PAPRD frame skb's [ 194.193705] Pid: 0, comm: swapper Tainted: G D WC 2.6.35-22-generic #33-Ubuntu [ 194.193712] Call Trace: [ 194.193722] [] ? printk+0x2d/0x35 [ 194.193732] [] panic+0x5a/0xd2 [ 194.193741] [] oops_end+0xcd/0xd0 [ 194.193750] [] die+0x54/0x80 [ 194.193758] [] do_trap+0x96/0xc0 [ 194.193837] [] ? do_invalid_op+0x0/0xa0 [ 194.193846] [] do_invalid_op+0x8b/0xa0 [ 194.193856] [] ? kfree+0xec/0xf0 [ 194.193866] [] ? default_spin_lock_flags+0x8/0x10 [ 194.193877] [] ? free_one_page+0x12a/0x2d0 [ 194.193888] [] ? __free_pages+0x1c/0x40 [ 194.193897] [] error_code+0x73/0x78 [ 194.193906] [] ? kfree+0xec/0xf0 [ 194.193915] [] ? skb_release_data+0x70/0xa0 [ 194.193924] [] skb_release_data+0x70/0xa0 [ 194.193933] [] __kfree_skb+0x17/0x90 [ 194.193941] [] consume_skb+0x21/0x40 [ 194.193964] [] ieee80211_tx_status+0x760/0x860 [mac80211] [ 194.193979] [] ath_tx_complete_buf+0x1bf/0x2c0 [ath9k] [ 194.193988] [] ? _raw_spin_lock_irqsave+0x2f/0x50 [ 194.193997] [] ? skb_queue_tail+0x3e/0x50 [ 194.194010] [] ath_tx_complete_aggr+0x823/0x940 [ath9k] [ 194.194021] [] ? sched_clock+0x8/0x10 [ 194.194030] [] ? sched_clock_local+0xa4/0x180 [ 194.194040] [] ? enqueue_sleeper+0x1e7/0x2b0 [ 194.194051] [] ? enqueue_entity+0x174/0x200 [ 194.194064] [] ath_tx_edma_tasklet+0x2bd/0x3b0 [ath9k] [ 194.194074] [] ? _raw_spin_lock_irqsave+0x2f/0x50 [ 194.194088] [] ath9k_tasklet+0x9f/0x190 [ath9k] [ 194.194097] [] tasklet_action+0xa7/0xb0 [ 194.194107] [] __do_softirq+0x9c/0x1b0 [ 194.194117] [] ? irq_to_desc+0x14/0x20 [ 194.194126] [] ? ack_apic_level+0x64/0x1f0 [ 194.194136] [] do_softirq+0x45/0x50 [ 194.194145] [] irq_exit+0x65/0x70 [ 194.194153] [] do_IRQ+0x55/0xc0 [ 194.194162] [] ? hrtimer_start+0x27/0x30 [ 194.194171] [] common_interrupt+0x30/0x38 [ 194.194181] [] ? native_safe_halt+0xa/0x10 [ 194.194268] [] default_idle+0x49/0xb0 [ 194.194277] [] cpu_idle+0x8c/0xd0 [ 194.194286] [] rest_init+0x71/0x80 [ 194.194295] [] start_kernel+0x36e/0x374 [ 194.194305] [] ? pass_all_bootoptions+0x0/0xa [ 194.194314] [] i386_start_kernel+0xd7/0xdf [ 194.194364] panic occurred, switching back to text console Signed-off-by: Mohammed Shafi Shajakhan Signed-off-by: John W. Linville --- drivers/net/wireless/ath/ath9k/ath9k.h | 2 +- drivers/net/wireless/ath/ath9k/main.c | 2 -- drivers/net/wireless/ath/ath9k/xmit.c | 7 ++++++- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/drivers/net/wireless/ath/ath9k/ath9k.h b/drivers/net/wireless/ath/ath9k/ath9k.h index 3681caf54282..23838e37d45f 100644 --- a/drivers/net/wireless/ath/ath9k/ath9k.h +++ b/drivers/net/wireless/ath/ath9k/ath9k.h @@ -218,6 +218,7 @@ struct ath_frame_info { struct ath_buf_state { u8 bf_type; u8 bfs_paprd; + unsigned long bfs_paprd_timestamp; enum ath9k_internal_frame_type bfs_ftype; }; @@ -593,7 +594,6 @@ struct ath_softc { struct work_struct paprd_work; struct work_struct hw_check_work; struct completion paprd_complete; - bool paprd_pending; u32 intrstatus; u32 sc_flags; /* SC_OP_* */ diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c index 9040c2ff1909..da5c64597c1f 100644 --- a/drivers/net/wireless/ath/ath9k/main.c +++ b/drivers/net/wireless/ath/ath9k/main.c @@ -342,7 +342,6 @@ static bool ath_paprd_send_frame(struct ath_softc *sc, struct sk_buff *skb, int tx_info->control.rates[1].idx = -1; init_completion(&sc->paprd_complete); - sc->paprd_pending = true; txctl.paprd = BIT(chain); if (ath_tx_start(hw, skb, &txctl) != 0) { @@ -353,7 +352,6 @@ static bool ath_paprd_send_frame(struct ath_softc *sc, struct sk_buff *skb, int time_left = wait_for_completion_timeout(&sc->paprd_complete, msecs_to_jiffies(ATH_PAPRD_TIMEOUT)); - sc->paprd_pending = false; if (!time_left) ath_dbg(ath9k_hw_common(sc->sc_ah), ATH_DBG_CALIBRATE, diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c index 33a37edbaf79..07b7804aec5b 100644 --- a/drivers/net/wireless/ath/ath9k/xmit.c +++ b/drivers/net/wireless/ath/ath9k/xmit.c @@ -1725,6 +1725,9 @@ static void ath_tx_start_dma(struct ath_softc *sc, struct ath_buf *bf, ar9003_hw_set_paprd_txdesc(sc->sc_ah, bf->bf_desc, bf->bf_state.bfs_paprd); + if (txctl->paprd) + bf->bf_state.bfs_paprd_timestamp = jiffies; + ath_tx_send_normal(sc, txctl->txq, tid, &bf_head); } @@ -1886,7 +1889,9 @@ static void ath_tx_complete_buf(struct ath_softc *sc, struct ath_buf *bf, bf->bf_buf_addr = 0; if (bf->bf_state.bfs_paprd) { - if (!sc->paprd_pending) + if (time_after(jiffies, + bf->bf_state.bfs_paprd_timestamp + + msecs_to_jiffies(ATH_PAPRD_TIMEOUT))) dev_kfree_skb_any(skb); else complete(&sc->paprd_complete); -- cgit v1.2.3 From dd3cb633078fb12e06ce6cebbdfbf55a7562e929 Mon Sep 17 00:00:00 2001 From: Michael Büsch Date: Fri, 4 Feb 2011 23:34:45 +0100 Subject: ssb-pcmcia: Fix parsing of invariants tuples This fixes parsing of the device invariants (MAC address) for PCMCIA SSB devices. ssb_pcmcia_do_get_invariants expects an iv pointer as data argument. Tested-by: dylan cristiani Signed-off-by: Michael Buesch Cc: stable@kernel.org Signed-off-by: John W. Linville --- drivers/ssb/pcmcia.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/ssb/pcmcia.c b/drivers/ssb/pcmcia.c index c7345dbf43fa..f8533795ee7f 100644 --- a/drivers/ssb/pcmcia.c +++ b/drivers/ssb/pcmcia.c @@ -733,7 +733,7 @@ int ssb_pcmcia_get_invariants(struct ssb_bus *bus, /* Fetch the vendor specific tuples. */ res = pcmcia_loop_tuple(bus->host_pcmcia, SSB_PCMCIA_CIS, - ssb_pcmcia_do_get_invariants, sprom); + ssb_pcmcia_do_get_invariants, iv); if ((res == 0) || (res == -ENOSPC)) return 0; -- cgit v1.2.3 From 3dd823e6b86407aed1a025041d8f1df77e43a9c8 Mon Sep 17 00:00:00 2001 From: Don Fry Date: Sun, 6 Feb 2011 09:29:45 -0800 Subject: iwlagn: Re-enable RF_KILL interrupt when down With commit 554d1d027b19265c4aa3f718b3126d2b86e09a08 only one RF_KILL interrupt will be seen by the driver when the interface is down. Re-enable the interrupt when it occurs to see all transitions. Signed-off-by: Don Fry Signed-off-by: Wey-Yi Guy Cc: stable@kernel.org Signed-off-by: John W. Linville --- drivers/net/wireless/iwlwifi/iwl-agn.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/net/wireless/iwlwifi/iwl-agn.c b/drivers/net/wireless/iwlwifi/iwl-agn.c index f13a83a7e62b..a236b8b14da1 100644 --- a/drivers/net/wireless/iwlwifi/iwl-agn.c +++ b/drivers/net/wireless/iwlwifi/iwl-agn.c @@ -1157,6 +1157,9 @@ static void iwl_irq_tasklet_legacy(struct iwl_priv *priv) /* only Re-enable if diabled by irq */ if (test_bit(STATUS_INT_ENABLED, &priv->status)) iwl_enable_interrupts(priv); + /* Re-enable RF_KILL if it occurred */ + else if (handled & CSR_INT_BIT_RF_KILL) + iwl_enable_rfkill_int(priv); #ifdef CONFIG_IWLWIFI_DEBUG if (iwl_get_debug_level(priv) & (IWL_DL_ISR)) { @@ -1371,6 +1374,9 @@ static void iwl_irq_tasklet(struct iwl_priv *priv) /* only Re-enable if diabled by irq */ if (test_bit(STATUS_INT_ENABLED, &priv->status)) iwl_enable_interrupts(priv); + /* Re-enable RF_KILL if it occurred */ + else if (handled & CSR_INT_BIT_RF_KILL) + iwl_enable_rfkill_int(priv); } /* the threshold ratio of actual_ack_cnt to expected_ack_cnt in percent */ -- cgit v1.2.3 From fc7c976dc7a565213393ce700d4a6105f037bf20 Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Mon, 7 Feb 2011 12:05:00 +0100 Subject: mac80211: fix the skb cloned check in the tx path Using skb_header_cloned to check if it's safe to write to the skb is not enough - mac80211 also touches the tailroom of the skb. Initially this check was only used to increase a counter, however this commit changed the code to also skip skb data reallocation if no extra head/tailroom was needed: commit 4cd06a344db752f513437138953af191cbe9a691 mac80211: skip unnecessary pskb_expand_head calls It added a regression at least with iwl3945, which is fixed by this patch. Reported-by: Dmitry Torokhov Signed-off-by: Felix Fietkau Tested-by: Dmitry Torokhov Signed-off-by: John W. Linville --- net/mac80211/tx.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c index b64b42bc774b..b0beaa58246b 100644 --- a/net/mac80211/tx.c +++ b/net/mac80211/tx.c @@ -1547,7 +1547,7 @@ static int ieee80211_skb_resize(struct ieee80211_local *local, skb_orphan(skb); } - if (skb_header_cloned(skb)) + if (skb_cloned(skb)) I802_DEBUG_INC(local->tx_expand_skb_head_cloned); else if (head_need || tail_need) I802_DEBUG_INC(local->tx_expand_skb_head); -- cgit v1.2.3