1. 10 Dec, 2015 1 commit
    • Johannes Berg's avatar
      rfkill: copy the name into the rfkill struct · b7bb1100
      Johannes Berg authored
      Some users of rfkill, like NFC and cfg80211, use a dynamic name when
      allocating rfkill, in those cases dev_name(). Therefore, the pointer
      passed to rfkill_alloc() might not be valid forever, I specifically
      found the case that the rfkill name was quite obviously an invalid
      pointer (or at least garbage) when the wiphy had been renamed.
      
      Fix this by making a copy of the rfkill name in rfkill_alloc().
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      b7bb1100
  2. 02 Dec, 2015 3 commits
    • Johannes Berg's avatar
      mac80211: fix off-channel mgmt-tx uninitialized variable usage · c1df932c
      Johannes Berg authored
      In the last change here, I neglected to update the cookie in one code
      path: when a mgmt-tx has no real cookie sent to userspace as it doesn't
      wait for a response, but is off-channel. The original code used the SKB
      pointer as the cookie and always assigned the cookie to the TX SKB in
      ieee80211_start_roc_work(), but my change turned this around and made
      the code rely on a valid cookie being passed in.
      
      Unfortunately, the off-channel no-wait TX path wasn't assigning one at
      all, resulting in an uninitialized stack value being used. This wasn't
      handed back to userspace as a cookie (since in the no-wait case there
      isn't a cookie), but it was tested for non-zero to distinguish between
      mgmt-tx and off-channel.
      
      Fix this by assigning a dummy non-zero cookie unconditionally, and get
      rid of a misleading comment and some dead code while at it. I'll clean
      up the ACK SKB handling separately later.
      
      Fixes: 3b79af97 ("mac80211: stop using pointers as userspace cookies")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      c1df932c
    • Antonio Quartulli's avatar
      mac80211: do not actively scan DFS channels · 4e39ccac
      Antonio Quartulli authored
      DFS channels should not be actively scanned as we can't be sure
      if we are allowed or not.
      
      If the current channel is in the DFS band, active scan might be
      performed after CSA, but we have no guarantee about other channels,
      therefore it is safer to prevent active scanning at all.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAntonio Quartulli <antonio@open-mesh.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      4e39ccac
    • Eliad Peller's avatar
      mac80211: don't teardown sdata on sdata stop · 835112b2
      Eliad Peller authored
      Interfaces are being initialized (setup) on addition,
      and torn down on removal.
      
      However, p2p device is being torn down when stopped,
      resulting in the next p2p start operation being done
      on uninitialized interface.
      
      Solve it by calling ieee80211_teardown_sdata() only
      on interface removal (for the non-netdev case).
      Signed-off-by: default avatarEliad Peller <eliadx.peller@intel.com>
      Signed-off-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      [squashed in fix to call teardown after unregister]
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      835112b2
  3. 20 Nov, 2015 2 commits
  4. 17 Nov, 2015 2 commits
    • Johannes Berg's avatar
      mac80211: mesh: fix call_rcu() usage · c2e703a5
      Johannes Berg authored
      When using call_rcu(), the called function may be delayed quite
      significantly, and without a matching rcu_barrier() there's no
      way to be sure it has finished.
      Therefore, global state that could be gone/freed/reused should
      never be touched in the callback.
      
      Fix this in mesh by moving the atomic_dec() into the caller;
      that's not really a problem since we already unlinked the path
      and it will be destroyed anyway.
      
      This fixes a crash Jouni observed when running certain tests in
      a certain order, in which the mesh interface was torn down, the
      memory reused for a function pointer (work struct) and running
      that then crashed since the pointer had been decremented by 1,
      resulting in an invalid instruction byte stream.
      
      Cc: stable@vger.kernel.org
      Fixes: eb2b9311 ("mac80211: mesh path table implementation")
      Reported-by: default avatarJouni Malinen <j@w1.fi>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      c2e703a5
    • Johannes Berg's avatar
      mac80211: don't advertise NL80211_FEATURE_FULL_AP_CLIENT_STATE · 45bb780a
      Johannes Berg authored
      For now, this feature doesn't actually work. To avoid shipping a
      kernel that has it enabled but where it can't be used disable it
      for now - we can re-enable it when it's fixed.
      
      This partially reverts 44674d9c ("mac80211: advertise support
      for full station state in AP mode").
      
      Cc: Ayala Beker <ayala.beker@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      45bb780a
  5. 16 Nov, 2015 7 commits
  6. 15 Nov, 2015 24 commits
  7. 12 Nov, 2015 1 commit
    • Arnd Bergmann's avatar
      stmmac: avoid ipq806x constant overflow warning · 49e4a229
      Arnd Bergmann authored
      Building dwmac-ipq806x on a 64-bit architecture produces a harmless
      warning from gcc:
      
      stmmac/dwmac-ipq806x.c: In function 'ipq806x_gmac_probe':
      include/linux/bitops.h:6:19: warning: overflow in implicit constant conversion [-Woverflow]
        val = QSGMII_PHY_CDR_EN |
      stmmac/dwmac-ipq806x.c:333:8: note: in expansion of macro 'QSGMII_PHY_CDR_EN'
       #define QSGMII_PHY_CDR_EN   BIT(0)
       #define BIT(nr)   (1UL << (nr))
      
      This is a result of the type conversion rules in C, when we take the
      logical OR of multiple different types. In particular, we have
      and unsigned long
      
      	QSGMII_PHY_CDR_EN == BIT(0) == (1ul << 0) == 0x0000000000000001ul
      
      and a signed int
      
      	0xC << QSGMII_PHY_TX_DRV_AMP_OFFSET == 0xc0000000
      
      which together gives a signed long value
      
      	0xffffffffc0000001l
      
      and when this is passed into a function that takes an unsigned int type,
      gcc warns about the signed overflow and the loss of the upper 32-bits that
      are all ones.
      
      This patch adds 'ul' type modifiers to the literal numbers passed in
      here, so now the expression remains an 'unsigned long' with the upper
      bits all zero, and that avoids the signed overflow and the warning.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Fixes: b1c17215 ("stmmac: add ipq806x glue layer")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      49e4a229