1. 21 Sep, 2011 4 commits
    • cfg80211: Fix validation of AKM suites · 1b9ca027
      Jouni Malinen authored
      Incorrect variable was used in validating the akm_suites array from
      NL80211_ATTR_AKM_SUITES. In addition, there was no explicit
      validation of the array length (we only have room for
      NL80211_MAX_NR_AKM_SUITES).
      
      This can result in a buffer write overflow for stack variables with
      arbitrary data from user space. The nl80211 commands using the affected
      functionality require GENL_ADMIN_PERM, so this is only exposed to admin
      users.
      
      Cc: stable@kernel.org
      Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • iwlegacy: do not use interruptible waits · 65d0f19e
      Stanislaw Gruszka authored
      iwlegacy version of fix:
      
      commit effd4d9a
      Author: Johannes Berg <johannes.berg@intel.com>
      Date:   Thu Sep 15 11:46:52 2011 -0700
      
          iwlagn: do not use interruptible waits
      
          Since the dawn of its time, iwlwifi has used
          interruptible waits to wait for synchronous
          commands and firmware loading.
      
          This leads to "interesting" bugs, because it
          can't actually handle the interruptions; for
          example when a command sending is interrupted
          it will assume the command completed fully,
          and then leave it pending, which leads to all
          kinds of trouble when the command finishes
          later.
      
          Since there's no easy way to gracefully deal
          with interruptions, fix the driver to not use
          interruptible waits.
      
          This at least fixes the error
          iwlagn 0000:02:00.0: Error: Response NULL in  'REPLY_SCAN_ABORT_CMD'
      
          I have seen in P2P testing, but it is likely
          that there are other errors caused by this.
      
      Cc: stable@kernel.org # 2.6.39+
      Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • iwlegacy: fix command queue timeout · 2e2a41d6
      Stanislaw Gruszka authored
      iwlegacy version of fix:
      
      commit 282cdb32
      Author: Johannes Berg <johannes.berg@intel.com>
      Date:   Mon Sep 12 12:09:10 2011 -0700
      
          iwlagn: fix command queue timeout
      
          If the command queue is constantly busy,
          which can happen in P2P, the hangcheck
          timer will frequently find a command in
          it and will eventually reset the device
          because nothing sets the timestamp for
          this queue when commands are processed.
      
          Fix this by setting the timestamp when
          a command completes.
      
      iwlegacy does not support P2P, but this patch fixes possible
      unneeded hardware resets, hence is needed.
      
      Cc: stable@kernel.org  # 2.6.39+
      Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • ath9k_hw: Fix Rx DMA stuck for AR9003 chips · e9f9530b
      Rajkumar Manoharan authored
      During the endurance testing, rx frames are not getting DMAd from
      MAC whereas pcu rx frame counters are getting updated properly.
      As per systems team input updated the initval to fix rx dma stuck
      issue.
      
      Cc: stable@kernel.org
      Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
  2. 19 Sep, 2011 2 commits
  3. 17 Sep, 2011 3 commits
  4. 16 Sep, 2011 6 commits
  5. 15 Sep, 2011 1 commit
  6. 13 Sep, 2011 6 commits
    • iwlagn: fix command queue timeout · 282cdb32
      Johannes Berg authored
      If the command queue is constantly busy,
      which can happen in P2P, the hangcheck
      timer will frequently find a command in
      it and will eventually reset the device
      because nothing sets the timestamp for
      this queue when commands are processed.
      
      Fix this by setting the timestamp when
      a command completes.
      
      Cc: stable@kernel.org #2.6.39, #3.0.0 #3.1.0
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • iwlagn: fix stack corruption · 456fc37e
      Johannes Berg authored
      Alexander reported a strange crash in iwlagn that
      Meenakshi and Wey couldn't reproduce. I just ran
      into the same issue and tracked it down to stack
      corruption. This fixes it.
      
      The problem was introduced in
      commit 4b8b99b6e650d0527f3a123744b7459976581d14
      Author: Wey-Yi Guy <wey-yi.w.guy@intel.com>
      Date:   Fri Jul 8 14:29:48 2011 -0700
      
          iwlagn: radio sensor offset in le16 format
      
      Cc: Wey-Yi Guy <wey-yi.w.guy@intel.com>
      Cc: Meenakshi Venkataraman <meenakshi.venkataraman@intel.com>
      Reported-by: Alexander Diewald <alex@diewald.cc>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • ath9k: Fix kernel panic on unplugging the device · 6a6b3f3e
      Mohammed Shafi Shajakhan authored
      When the device is yanked out, ath_pci_remove starts doing the cleanups,
      unregistering the hardware etc., so we should bail out immediately when
      we get drv_flush callback from mac80211 when the card is being unplugged.
      The panic occurs after we had associated to an AP.
      
      	EIP: 0060:[<fb315b00>] EFLAGS: 00010246 CPU: 0
      	EIP is at ath_reset+0xa0/0x1c0 [ath9k]
      	EAX: 00000000 EBX: 000697c0 ECX: 00000002 EDX: f3c3ccf0
      	ESI: 00000000 EDI: 00000000 EBP: f43e7b78 ESP: f43e7b50
       	DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
       	Process kworker/u:2 (pid: 182, ti=f43e6000 task=f3c3c7c0
      	task.ti=f43e6000)
       	Stack:
       	0000002a 00000000 00000000 003e7b78 0000000f eaaa8500
      	ffffffea eaaa97c0
       	eaaaa000 00000001 f43e7ba8 fb315d23 f99e7721 ecece680
      	eaaac738 eaaa8500
       	eaaaa020 000000c8 000000c8 00000000 eaaa8d58 eaaa8500
      	f43e7bd0 fb080b29
       	Call Trace:
      	[<fb315d23>] ath9k_flush+0x103/0x170 [ath9k]
      	[<fb080b29>] __ieee80211_recalc_idle+0x2c9/0x400
      	[mac80211]
      	[<fb080c8e>] ieee80211_recalc_idle+0x2e/0x60 [mac80211]
      	[<fb07aa73>] ieee80211_mgd_deauth+0x173/0x210 [mac80211]
      	[<fb084559>] ieee80211_deauth+0x19/0x20 [mac80211]
      	[<f99dda53>] __cfg80211_mlme_deauth+0xf3/0x140
      	[cfg80211]
      	[<c0633d00>] ? __mutex_lock_common+0x1f0/0x380
      	[<f99e1b5d>] __cfg80211_disconnect+0x18d/0x1f0
      	[cfg80211]
      	[<f99c8199>] cfg80211_netdev_notifier_call+0x159/0x5c0
      	[cfg80211]
      	[<c0608a64>] ? packet_notifier+0x174/0x1f0
      	[<c0639202>] notifier_call_chain+0x82/0xb0
      	[<c0170d8f>] raw_notifier_call_chain+0x1f/0x30
      	[<c053b86c>] call_netdevice_notifiers+0x2c/0x60
      	[<c0182184>] ? trace_hardirqs_on_caller+0xf4/0x180
      	[<c053b8ec>] __dev_close_many+0x4c/0xd0
      	[<c053ba2d>] dev_close_many+0x6d/0xc0
      	[<c053bb53>] rollback_registered_many+0x93/0x1c0
      	[<c018221b>] ? trace_hardirqs_on+0xb/0x10
      	[<c053bc95>] unregister_netdevice_many+0x15/0x50
      	[<fb07f83b>] ieee80211_remove_interfaces+0x7b/0xb0
      	[mac80211]
      	[<fb06a14b>] ieee80211_unregister_hw+0x4b/0x110
      	[mac80211]
      	[<fb311a4a>] ath9k_deinit_device+0x3a/0x60 [ath9k]
      	[<fb31eed6>] ath_pci_remove+0x46/0x90 [ath9k]
      	[<c03b4ac4>] pci_device_remove+0x44/0x100
      	[<c043eb54>] __device_release_driver+0x64/0xb0
      	[<c043ec67>] device_release_driver+0x27/0x40
      	[<c043deeb>] bus_remove_device+0x7b/0xa0
      	[<c043c491>] device_del+0xf1/0x180
      	[<c043c530>] device_unregister+0x10/0x20
      	[<c03afafe>] pci_stop_bus_device+0x6e/0x80
      	[<c03afb72>] pci_remove_bus_device+0x12/0xa0
      	[<c03c2f29>] pciehp_unconfigure_device+0x89/0x180
      	[<c0181e54>] ? mark_held_locks+0x64/0x100
      	[<c063390f>] ? __mutex_unlock_slowpath+0xaf/0x140
      	[<c03c1f84>] pciehp_disable_slot+0x64/0x1b0
      	[<c03c2850>] pciehp_power_thread+0xd0/0x100
      	[<c0164ad0>] ? process_one_work+0x100/0x4d0
      	[<c0164b4c>] process_one_work+0x17c/0x4d0
      	[<c0164ad0>] ? process_one_work+0x100/0x4d0
      	[<c03c2780>] ? queue_interrupt_event+0xa0/0xa0
      	[<c01662bb>] worker_thread+0x13b/0x320
      	[<c018221b>] ? trace_hardirqs_on+0xb/0x10
      	[<c0166180>] ? manage_workers+0x1e0/0x1e0
      	[<c016a654>] kthread+0x84/0x90
      	[<c016a5d0>] ? __init_kthread_worker+0x60/0x60
      	[<c063d106>] kernel_thread_helper+0x6/0x10
      
      Cc: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
      Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qca.qualcomm.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • mac80211: fix missing sta_lock in __sta_info_destroy · 4bae7d97
      Johannes Berg authored
      Since my commit 34e89507
      ("mac80211: allow station add/remove to sleep") there is
      a race in mac80211 when it clears the TIM bit because a
      sleeping station disconnected, the spinlock isn't held
      around the relevant code any more. Use the right API to
      acquire the spinlock correctly.
      
      Cc: stable@kernel.org [2.6.34+]
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • rtlwifi: Fix problem when switching connections · bac2555c
      George authored
      The driver fails to clear encryption keys making it impossible
      to switch connections.
      Signed-off-by: George <george0505@realtek.com>
      Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
      Cc: Stable <stable@kernel.org>        [2.6.39+]
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • rtlwifi: rtl8192su: Fix problem connecting to HT-enabled AP · 3401dc6e
      George authored
      The driver fails to connect to 802.11n-enabled APs. The patch fixes
      Bug #42262.
      Signed-off-by: George <george0505@realtek.com>
      Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
      Cc: Stable <stable@kernel.org>        [2.6.39+]
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
  7. 30 Aug, 2011 1 commit
  8. 29 Aug, 2011 2 commits
  9. 24 Aug, 2011 2 commits
  10. 23 Aug, 2011 3 commits
    • wl12xx: add max_sched_scan_ssids value to the hw description · 7a5e4877
      Luciano Coelho authored
      After commit 5a865bad, we require a separate value to indicate the
      number of supported SSIDs in scheduled scans.  This patch adds a
      proper value to the wl12xx driver.
      
      This fixes a regression in 3.1-rc3 where scheduled scans were not
      working properly with the wl12xx driver.
      Signed-off-by: Luciano Coelho <coelho@ti.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • wl12xx: Fix validation of pm_runtime_get_sync return value · a15f1c45
      Ido Yariv authored
      wl1271_sdio_power_on checks if the return value of pm_runtime_get_sync
      is non-zero, and if so bails out.
      However, pm_runtime_get_sync can return a positive number which does not
      suggest an error has occurred. This is problematic for two reasons:
      
      1. The function will needlessly bail out without decrementing back the
         runtime PM reference counter.
      2. wl1271_power_on only checks if wl1271_power_on return value is
         negative. This means that wl1271_power_on will continue even if
         wl1271_sdio_power_on bailed out. As a result, sdio transactions will
         be initiated without properly enabling the sdio function and claiming
         the host. This could even lead to a kernel panic.
      
      Fix this by only checking that the return value of pm_runtime_get_sync
      is non-negative.
      Signed-off-by: Ido Yariv <ido@wizery.com>
      Acked-by: Luciano Coelho <coelho@ti.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • wl12xx: Remove obsolete testmode NVS push command · 80900d01
      Ido Yariv authored
      The testmode NVS push command is no longer in use. In addition, it has
      several implementation issues that prevent it from working correctly:
      
      1. wl1271_tm_cmd_configure relies on wl->chip.id being set. However,
         since the device was not necessarily booted by the time the function
         is called, wl->chip.id will be initialized to 0.
      2. The NVS file is fetched by calling request_firmware() before it is
         possible to push an NVS file.
      3. The maximum allowed size of nl binary payloads is not sufficient for
         pushing NVS files.
      4. Pushing 128x NVS files will always fail due to a bug in the
         validation code.
      5. In case the pushed NVS file is found invalid, the mutex will be kept
         locked and the nvs member will become a dangling pointer.
      
      Since this feature is not being used, remove it completely instead of
      fixing it.
      Signed-off-by: Ido Yariv <ido@wizery.com>
      Acked-by: Luciano Coelho <coelho@ti.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
  11. 22 Aug, 2011 5 commits
    • ath9k_hw: Fix STA (AR9485) bringup issue due to incorrect MAC address · b503c7a2
      Senthil Balasubramanian authored
      Due to some recent optimization done in the way the mac address
      bytes are written into the OTP memory, some AR9485 chipsets were
      forced to use the first byte from the eeprom template and the
      remaining bytes are read from OTP.
      
      AR9485 happens to use the generic eeprom template, which has 0x1 as
      the first byte; this causes issues in bringing up the card.
      
      So fixed the eeprom template accordingly to address the issue.
      
      Cc: stable@kernel.org
      Cc: Paul Stewart <pstew@google.com>
      Signed-off-by: Senthil Balasubramanian <senthilb@qca.qualcomm.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • rt2x00: do not drop usb dev reference counter on suspend · 543cc38c
      Stanislaw Gruszka authored
      When hibernating, ->resume may not be called by usb core, but disconnect
      and probe instead, so we do not increase the counter after decreasing
      it in ->suspend. As a result we free memory early, and get a crash when
      unplugging the usb dongle.
      
      BUG: unable to handle kernel paging request at 6b6b6b9f
      IP: [<c06909b0>] driver_sysfs_remove+0x10/0x30
      *pdpt = 0000000034f21001 *pde = 0000000000000000
      Pid: 20, comm: khubd Not tainted 3.1.0-rc1-wl+ #20 LENOVO 6369CTO/6369CTO
      EIP: 0060:[<c06909b0>] EFLAGS: 00010202 CPU: 1
      EIP is at driver_sysfs_remove+0x10/0x30
      EAX: 6b6b6b6b EBX: f52bba34 ECX: 00000000 EDX: 6b6b6b6b
      ESI: 6b6b6b6b EDI: c0a0ea20 EBP: f61c9e68 ESP: f61c9e64
       DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
      Process khubd (pid: 20, ti=f61c8000 task=f6138270 task.ti=f61c8000)
      Call Trace:
       [<c06909ef>] __device_release_driver+0x1f/0xa0
       [<c0690b20>] device_release_driver+0x20/0x40
       [<c068fd64>] bus_remove_device+0x84/0xe0
       [<c068e12a>] ? device_remove_attrs+0x2a/0x80
       [<c068e267>] device_del+0xe7/0x170
       [<c06d93d4>] usb_disconnect+0xd4/0x180
       [<c06d9d61>] hub_thread+0x691/0x1600
       [<c0473260>] ? wake_up_bit+0x30/0x30
       [<c0442a39>] ? complete+0x49/0x60
       [<c06d96d0>] ? hub_disconnect+0xd0/0xd0
       [<c06d96d0>] ? hub_disconnect+0xd0/0xd0
       [<c0472eb4>] kthread+0x74/0x80
       [<c0472e40>] ? kthread_worker_fn+0x150/0x150
       [<c0809b3e>] kernel_thread_helper+0x6/0x10
      
      Cc: stable@kernel.org
      Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
      Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
    • mac80211: fix suspend/resume races with unregister hw · ecb44335
      Stanislaw Gruszka authored
      Do not call ->suspend, ->resume methods after we unregister wiphy. Also
      delete sta_cleanup timer after we finish wiphy unregister to avoid this:
      
      WARNING: at lib/debugobjects.c:262 debug_print_object+0x85/0xa0()
      Hardware name: 6369CTO
      ODEBUG: free active (active state 0) object type: timer_list hint: sta_info_cleanup+0x0/0x180 [mac80211]
      Modules linked in: aes_i586 aes_generic fuse bridge stp llc autofs4 sunrpc cpufreq_ondemand acpi_cpufreq mperf ext2 dm_mod uinput thinkpad_acpi hwmon sg arc4 rt2800usb rt2800lib crc_ccitt rt2x00usb rt2x00lib mac80211 cfg80211 i2c_i801 iTCO_wdt iTCO_vendor_support e1000e ext4 mbcache jbd2 sd_mod crc_t10dif sr_mod cdrom yenta_socket ahci libahci pata_acpi ata_generic ata_piix i915 drm_kms_helper drm i2c_algo_bit video [last unloaded: microcode]
      Pid: 5663, comm: pm-hibernate Not tainted 3.1.0-rc1-wl+ #19
      Call Trace:
       [<c0454cfd>] warn_slowpath_common+0x6d/0xa0
       [<c05e05e5>] ? debug_print_object+0x85/0xa0
       [<c05e05e5>] ? debug_print_object+0x85/0xa0
       [<c0454dae>] warn_slowpath_fmt+0x2e/0x30
       [<c05e05e5>] debug_print_object+0x85/0xa0
       [<f8a808e0>] ? sta_info_alloc+0x1a0/0x1a0 [mac80211]
       [<c05e0bd2>] debug_check_no_obj_freed+0xe2/0x180
       [<c051175b>] kfree+0x8b/0x150
       [<f8a126ae>] cfg80211_dev_free+0x7e/0x90 [cfg80211]
       [<f8a13afd>] wiphy_dev_release+0xd/0x10 [cfg80211]
       [<c068d959>] device_release+0x19/0x80
       [<c05d06ba>] kobject_release+0x7a/0x1c0
       [<c07646a8>] ? rtnl_unlock+0x8/0x10
       [<f8a13adb>] ? wiphy_resume+0x6b/0x80 [cfg80211]
       [<c05d0640>] ? kobject_del+0x30/0x30
       [<c05d1a6d>] kref_put+0x2d/0x60
       [<c05d056d>] kobject_put+0x1d/0x50
       [<c08015f4>] ? mutex_lock+0x14/0x40
       [<c068d60f>] put_device+0xf/0x20
       [<c069716a>] dpm_resume+0xca/0x160
       [<c04912bd>] hibernation_snapshot+0xcd/0x260
       [<c04903df>] ? freeze_processes+0x3f/0x90
       [<c049151b>] hibernate+0xcb/0x1e0
       [<c048fdc0>] ? pm_async_store+0x40/0x40
       [<c048fe60>] state_store+0xa0/0xb0
       [<c048fdc0>] ? pm_async_store+0x40/0x40
       [<c05d0200>] kobj_attr_store+0x20/0x30
       [<c0575ea4>] sysfs_write_file+0x94/0xf0
       [<c051e26a>] vfs_write+0x9a/0x160
       [<c0575e10>] ? sysfs_open_file+0x200/0x200
       [<c051e3fd>] sys_write+0x3d/0x70
       [<c080959f>] sysenter_do_call+0x12/0x28
      
      Cc: stable@kernel.org
      Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
  12. 13 Aug, 2011 2 commits
  13. 12 Aug, 2011 1 commit
  14. 11 Aug, 2011 2 commits