1. 09 Jul, 2012 9 commits
    • John W. Linville's avatar
    • John W. Linville's avatar
      635d999f
    • Emmanuel Grumbach's avatar
      iwlegacy: don't mess up the SCD when removing a key · b48d9665
      Emmanuel Grumbach authored
      When we remove a key, we put a key index which was supposed
      to tell the fw that we are actually removing the key. But
      instead the fw took that index as a valid index and messed
      up the SRAM of the device.
      
      This memory corruption on the device mangled the data of
      the SCD. The impact on the user is that SCD queue 2 got
      stuck after having removed keys.
      Reported-by: default avatarPaul Bolle <pebolle@tiscali.nl>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      Signed-off-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      b48d9665
    • Stanislaw Gruszka's avatar
      iwlegacy: always monitor for stuck queues · c2ca7d92
      Stanislaw Gruszka authored
      This is iwlegacy version of:
      
      commit 342bbf3f
      Author: Johannes Berg <johannes.berg@intel.com>
      Date:   Sun Mar 4 08:50:46 2012 -0800
      
          iwlwifi: always monitor for stuck queues
      
          If we only monitor while associated, the following
          can happen:
           - we're associated, and the queue stuck check
             runs, setting the queue "touch" time to X
           - we disassociate, stopping the monitoring,
             which leaves the time set to X
           - almost 2s later, we associate, and enqueue
             a frame
           - before the frame is transmitted, we monitor
             for stuck queues, and find the time set to
             X, although it is now later than X + 2000ms,
             so we decide that the queue is stuck and
             erroneously restart the device
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      c2ca7d92
    • Stanislaw Gruszka's avatar
      rt2x00usb: fix indexes ordering on RX queue kick · efd82118
      Stanislaw Gruszka authored
      On rt2x00_dmastart() we increase index specified by Q_INDEX and on
      rt2x00_dmadone() we increase index specified by Q_INDEX_DONE. So entries
      between Q_INDEX_DONE and Q_INDEX are those we currently process in the
      hardware. Entries between Q_INDEX and Q_INDEX_DONE are those we can
      submit to the hardware.
      
      According to that fix rt2x00usb_kick_queue(), as we need to submit RX
      entries that are not processed by the hardware. It worked before only
      for empty queue, otherwise was broken.
      
      Note that for TX queues indexes ordering are ok. We need to kick entries
      that have filled skb, but was not submitted to the hardware, i.e.
      started from Q_INDEX_DONE and have ENTRY_DATA_PENDING bit set.
      
      From practical standpoint this fixes RX queue stall, usually reproducible
      in AP mode, like for example reported here:
      https://bugzilla.redhat.com/show_bug.cgi?id=828824Reported-and-tested-by: default avatarFranco Miceli <fmiceli@plan.ceibal.edu.uy>
      Reported-and-tested-by: default avatarTom Horsley <horsley1953@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      efd82118
    • Bing Zhao's avatar
      mwifiex: fix Coverity SCAN CID 709078: Resource leak (RESOURCE_LEAK) · b3190466
      Bing Zhao authored
      > *. CID 709078: Resource leak (RESOURCE_LEAK)
      > 	- drivers/net/wireless/mwifiex/cfg80211.c, line: 935
      > Assigning: "bss_cfg" = storage returned from "kzalloc(132UL, 208U)"
      > 	- but was not free
      > drivers/net/wireless/mwifiex/cfg80211.c:935
      Signed-off-by: default avatarBing Zhao <bzhao@marvell.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      b3190466
    • Eliad Peller's avatar
      mac80211: destroy assoc_data correctly if assoc fails · 10a9109f
      Eliad Peller authored
      If association failed due to internal error (e.g. no
      supported rates IE), we call ieee80211_destroy_assoc_data()
      with assoc=true, while we actually reject the association.
      
      This results in the BSSID not being zeroed out.
      
      After passing assoc=false, we no longer have to call
      sta_info_destroy_addr() explicitly. While on it, move
      the "associated" message after the assoc_success check.
      
      Cc: stable@vger.kernel.org [3.4+]
      Signed-off-by: default avatarEliad Peller <eliad@wizery.com>
      Reviewed-by: default avatarJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      10a9109f
    • Sasha Levin's avatar
      NFC: Prevent NULL deref when getting socket name · 147f20e3
      Sasha Levin authored
      llcp_sock_getname can be called without a device attached to the nfc_llcp_sock.
      
      This would lead to the following BUG:
      
      [  362.341807] BUG: unable to handle kernel NULL pointer dereference at           (null)
      [  362.341815] IP: [<ffffffff836258e5>] llcp_sock_getname+0x75/0xc0
      [  362.341818] PGD 31b35067 PUD 30631067 PMD 0
      [  362.341821] Oops: 0000 [#627] PREEMPT SMP DEBUG_PAGEALLOC
      [  362.341826] CPU 3
      [  362.341827] Pid: 7816, comm: trinity-child55 Tainted: G      D W    3.5.0-rc4-next-20120628-sasha-00005-g9f23eb7 #479
      [  362.341831] RIP: 0010:[<ffffffff836258e5>]  [<ffffffff836258e5>] llcp_sock_getname+0x75/0xc0
      [  362.341832] RSP: 0018:ffff8800304fde88  EFLAGS: 00010286
      [  362.341834] RAX: 0000000000000000 RBX: ffff880033cb8000 RCX: 0000000000000001
      [  362.341835] RDX: ffff8800304fdec4 RSI: ffff8800304fdec8 RDI: ffff8800304fdeda
      [  362.341836] RBP: ffff8800304fdea8 R08: 7ebcebcb772b7ffb R09: 5fbfcb9c35bdfd53
      [  362.341838] R10: 4220020c54326244 R11: 0000000000000246 R12: ffff8800304fdec8
      [  362.341839] R13: ffff8800304fdec4 R14: ffff8800304fdec8 R15: 0000000000000044
      [  362.341841] FS:  00007effa376e700(0000) GS:ffff880035a00000(0000) knlGS:0000000000000000
      [  362.341843] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  362.341844] CR2: 0000000000000000 CR3: 0000000030438000 CR4: 00000000000406e0
      [  362.341851] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  362.341856] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      [  362.341858] Process trinity-child55 (pid: 7816, threadinfo ffff8800304fc000, task ffff880031270000)
      [  362.341858] Stack:
      [  362.341862]  ffff8800304fdea8 ffff880035156780 0000000000000000 0000000000001000
      [  362.341865]  ffff8800304fdf78 ffffffff83183b40 00000000304fdec8 0000006000000000
      [  362.341868]  ffff8800304f0027 ffffffff83729649 ffff8800304fdee8 ffff8800304fdf48
      [  362.341869] Call Trace:
      [  362.341874]  [<ffffffff83183b40>] sys_getpeername+0xa0/0x110
      [  362.341877]  [<ffffffff83729649>] ? _raw_spin_unlock_irq+0x59/0x80
      [  362.341882]  [<ffffffff810f342b>] ? do_setitimer+0x23b/0x290
      [  362.341886]  [<ffffffff81985ede>] ? trace_hardirqs_on_thunk+0x3a/0x3f
      [  362.341889]  [<ffffffff8372a539>] system_call_fastpath+0x16/0x1b
      [  362.341921] Code: 84 00 00 00 00 00 b8 b3 ff ff ff 48 85 db 74 54 66 41 c7 04 24 27 00 49 8d 7c 24 12 41 c7 45 00 60 00 00 00 48 8b 83 28 05 00 00 <8b> 00 41 89 44 24 04 0f b6 83 41 05 00 00 41 88 44 24 10 0f b6
      [  362.341924] RIP  [<ffffffff836258e5>] llcp_sock_getname+0x75/0xc0
      [  362.341925]  RSP <ffff8800304fde88>
      [  362.341926] CR2: 0000000000000000
      [  362.341928] ---[ end trace 6d450e935ee18bf3 ]---
      Signed-off-by: default avatarSasha Levin <levinsasha928@gmail.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      147f20e3
    • Thomas Huehn's avatar
      mac80211: correct size the argument to kzalloc in minstrel_ht · 472dd35c
      Thomas Huehn authored
      msp has type struct minstrel_ht_sta_priv not struct minstrel_ht_sta.
      
      (This incorporates the fixup originally posted as "mac80211: fix kzalloc
      memory corruption introduced in minstrel_ht". -- JWL)
      Reported-by: default avatarFengguang Wu <wfg@linux.intel.com>
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarThomas Huehn <thomas@net.t-labs.tu-berlin.de>
      Acked-by: default avatarJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      472dd35c
  2. 06 Jul, 2012 4 commits
  3. 05 Jul, 2012 2 commits
  4. 04 Jul, 2012 1 commit
  5. 03 Jul, 2012 3 commits
  6. 02 Jul, 2012 6 commits
  7. 29 Jun, 2012 13 commits
  8. 28 Jun, 2012 2 commits