summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* netlink: bug fix: wrong size was calculated for vfinfo list blobScott Feldman2010-05-281-5/+6
| | | | | | | | | | The wrong size was being calculated for vfinfo. In one case, it was over- calculating using nlmsg_total_size on attrs, in another case, it was under-calculating by assuming ifla_vf_* structs are packed together, but each struct is it's own attr w/ hdr (and padding). Signed-off-by: Scott Feldman <scofeldm@cisco.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* netlink: bug fix: don't overrun skbs on vf_port dumpScott Feldman2010-05-281-6/+9
| | | | | | | | | | | Noticed by Patrick McHardy: was continuing to fill skb after a nla_put_failure, ignoring the size calculated by upper layer. Now, return -EMSGSIZE on any overruns, but also allow netdev to fail ndo_get_vf_port with error other than -EMSGSIZE, thus unwinding nest. Signed-off-by: Scott Feldman <scofeldm@cisco.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* xt_tee: use skb_dst_drop()Eric Dumazet2010-05-281-2/+2
| | | | | | | | | | | After commit 7fee226a (net: add a noref bit on skb dst), its wrong to use : dst_release(skb_dst(skb)), since we could decrement a refcount while skb dst was not refcounted. We should use skb_dst_drop(skb) instead. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* netdev/fec: fix ifconfig eth0 down hang issueBryan Wu2010-05-281-12/+16
| | | | | | | | | | | | | BugLink: http://bugs.launchpad.net/bugs/559065 In fec open/close function, we need to use phy_connect and phy_disconnect operation before we start/stop phy. Otherwise it will cause system hang. Only call fec_enet_mii_probe() in open function, because the first open action will cause NULL pointer error. Signed-off-by: Bryan Wu <bryan.wu@canonical.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* cnic: Fix context memory init. on 5709.Michael Chan2010-05-282-9/+5
| | | | | | | | | | | | We need to zero context memory on 5709 in the function cnic_init_context(). Without this, iscsid restart on 5709 will not work because of stale data. TX context blocks should not be initialized by cnic_init_context() because of the special remapping on 5709. Update version to 2.1.2. Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* drivers/net: Eliminate a NULL pointer dereferenceJulia Lawall2010-05-281-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | At the point of the print, dev is NULL. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @r exists@ expression E,E1; identifier f; statement S1,S2,S3; @@ if ((E == NULL && ...) || ...) { ... when != if (...) S1 else S2 when != E = E1 * E->f ... when any return ...; } else S3 // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: David S. Miller <davem@davemloft.net>
* drivers/net/hamradio: Eliminate a NULL pointer dereferenceJulia Lawall2010-05-281-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | At the point of the print, dev is NULL. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @r exists@ expression E,E1; identifier f; statement S1,S2,S3; @@ if ((E == NULL && ...) || ...) { ... when != if (...) S1 else S2 when != E = E1 * E->f ... when any return ...; } else S3 // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: David S. Miller <davem@davemloft.net>
* be2net: Patch removes redundant while statement in loop.Sarveshwar Bandi2010-05-281-1/+1
| | | | | Signed-off-by: Sarveshwar Bandi <sarveshwarb@serverengines.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* ipv6: Add GSO support on forwarding pathHerbert Xu2010-05-281-1/+1
| | | | | | | | | | | | | | | | | Currently we disallow GSO packets on the IPv6 forward path. This patch fixes this. Note that I discovered that our existing GSO MTU checks (e.g., IPv4 forwarding) are buggy in that they skip the check altogether, when they really should be checking gso_size + header instead. I have also been lazy here in that I haven't bothered to segment the GSO packet by hand before generating an ICMP message. Someone should add that to be 100% correct. Reported-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: fix __neigh_event_send()Eric Dumazet2010-05-281-0/+1
| | | | | | | | | | | | | | commit 7fee226ad23 (net: add a noref bit on skb dst) missed one spot where an skb is enqueued, with a possibly not refcounted dst entry. __neigh_event_send() inserts skb into arp_queue, so we must make sure dst entry is refcounted, or dst entry can be freed by garbage collector after caller exits from rcu protected section. Reported-by: Ingo Molnar <mingo@elte.hu> Tested-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* vhost: fix the memory leak which will happen when memory_access_ok failsTakuya Yoshikawa2010-05-271-1/+3
| | | | | | | We need to free newmem when vhost_set_memory() fails to complete. Signed-off-by: Takuya Yoshikawa <yoshikawa.takuya@oss.ntt.co.jp> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
* vhost-net: fix to check the return value of copy_to/from_user() correctlyTakuya Yoshikawa2010-05-271-7/+7
| | | | | | | | | | | copy_to/from_user() returns the number of bytes that could not be copied. So we need to check if it is not zero, and in that case, we should return the error number -EFAULT rather than directly return the return value from copy_to/from_user(). Signed-off-by: Takuya Yoshikawa <yoshikawa.takuya@oss.ntt.co.jp> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
* vhost: fix to check the return value of copy_to/from_user() correctlyTakuya Yoshikawa2010-05-271-23/+28
| | | | | | | | | | | copy_to/from_user() returns the number of bytes that could not be copied. So we need to check if it is not zero, and in that case, we should return the error number -EFAULT rather than directly return the return value from copy_to/from_user(). Signed-off-by: Takuya Yoshikawa <yoshikawa.takuya@oss.ntt.co.jp> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
* vhost: Fix host panic if ioctl called with wrong indexKrishna Kumar2010-05-271-1/+1
| | | | | | | | Missed a boundary value check in vhost_set_vring. The host panics if idx == nvqs is used in ioctl commands in vhost_virtqueue_init. Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
* net: fix lock_sock_bh/unlock_sock_bhEric Dumazet2010-05-275-16/+62
| | | | | | | | | | | | | | | | | | | | | This new sock lock primitive was introduced to speedup some user context socket manipulation. But it is unsafe to protect two threads, one using regular lock_sock/release_sock, one using lock_sock_bh/unlock_sock_bh This patch changes lock_sock_bh to be careful against 'owned' state. If owned is found to be set, we must take the slow path. lock_sock_bh() now returns a boolean to say if the slow path was taken, and this boolean is used at unlock_sock_bh time to call the appropriate unlock function. After this change, BH are either disabled or enabled during the lock_sock_bh/unlock_sock_bh protected section. This might be misleading, so we rename these functions to lock_sock_fast()/unlock_sock_fast(). Reported-by: Anton Blanchard <anton@samba.org> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Tested-by: Anton Blanchard <anton@samba.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* net/iucv: Add missing spin_unlockJulia Lawall2010-05-261-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | Add a spin_unlock missing on the error path. There seems like no reason why the lock should continue to be held if the kzalloc fail. The semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ expression E1; @@ * spin_lock(E1,...); <+... when != E1 if (...) { ... when != E1 * return ...; } ...+> * spin_unlock(E1,...); // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: ll_temac: fix checksum offload logicBrian Hill2010-05-262-24/+63
| | | | | | | | | | | The current checksum offload code does not work and this corrects that functionality. It also updates the interrupt coallescing initialization so than there are fewer interrupts and performance is increased. Signed-off-by: Brian Hill <brian.hill@xilinx.com> Signed-off-by: John Linn <john.linn@xilinx.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: ll_temac: fix interrupt bug when interrupt 0 is usedBrian Hill2010-05-261-1/+1
| | | | | | | | | The code is not checking the interrupt for DMA correctly so that an interrupt number of 0 will cause a false error. Signed-off-by: Brian Hill <brian.hill@xilinx.com> Signed-off-by: John Linn <john.linn@xilinx.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* sctp: dubious bitfields in sctp_transportDan Carpenter2010-05-261-1/+1
| | | | | | | | | | | | | | | | Sparse complains because these one-bit bitfields are signed. include/net/sctp/structs.h:879:24: error: dubious one-bit signed bitfield include/net/sctp/structs.h:889:31: error: dubious one-bit signed bitfield include/net/sctp/structs.h:895:26: error: dubious one-bit signed bitfield include/net/sctp/structs.h:898:31: error: dubious one-bit signed bitfield include/net/sctp/structs.h:901:27: error: dubious one-bit signed bitfield It doesn't cause a problem in the current code, but it would be better to clean it up. This was introduced by c0058a35aacc7: "sctp: Save some room in the sctp_transport by using bitfields". Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* ipmr: off by one in __ipmr_fill_mroute()Dan Carpenter2010-05-262-2/+2
| | | | | | | | | | | This fixes a smatch warning: net/ipv4/ipmr.c +1917 __ipmr_fill_mroute(12) error: buffer overflow '(mrt)->vif_table' 32 <= 32 The ipv6 version had the same issue. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* be2net: increase POST timeout for EEH recoverySathya Perla2010-05-261-1/+1
| | | | | | | | Sometimes BE requires longer time for POST completion after an EEH reset. Increasing the timeout value accordingly. Signed-off-by: Sathya Perla <sathyap@serverengines.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* cls_cgroup: Initialise classid when module is absentHerbert Xu2010-05-251-1/+1
| | | | | | | | | When the cls_cgroup module is not loaded, task_cls_classid will return an uninitialised classid instead of zero. Reported-by: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* drivers/net/usb/asix.c: Fix pointer cast.David S. Miller2010-05-251-2/+2
| | | | | | | | | | | | | Stephen Rothwell reports the following new warning: drivers/net/usb/asix.c: In function 'asix_rx_fixup': drivers/net/usb/asix.c:325: warning: cast from pointer to integer of different size drivers/net/usb/asix.c:354: warning: cast from pointer to integer of different size The code just cares about the low alignment bits, so use an "unsigned long" cast instead of one to "u32". Signed-off-by: David S. Miller <davem@davemloft.net>
* be2net: Bug fix to avoid disabling bottom half during firmware upgrade.Sarveshwar Bandi2010-05-253-2/+20
| | | | | | | | | | | Certain firmware commands/operations to upgrade firmware could take several seconds to complete. The code presently disables bottom half during these operations which could lead to unpredictable behaviour in certain cases. This patch now does all firmware upgrade operations asynchronously using a completion variable. Signed-off-by: Sarveshwar Bandi <sarveshwarb@serverengines.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* proc_dointvec: write a single valueJ. R. Okajima2010-05-251-1/+3
| | | | | | | | | | | | | | The commit 00b7c3395aec3df43de5bd02a3c5a099ca51169f "sysctl: refactor integer handling proc code" modified the behaviour of writing to /proc. Before the commit, write("1\n") to /proc/sys/kernel/printk succeeded. But now it returns EINVAL. This commit supports writing a single value to a multi-valued entry. Signed-off-by: J. R. Okajima <hooanon05@yahoo.co.jp> Reviewed-and-tested-by: WANG Cong <amwang@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* hso: add support for new productsFilip Aben2010-05-251-0/+3
| | | | | | | This patch adds a few new product id's for the hso driver. Signed-off-by: Filip Aben <f.aben@option.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* Phonet: fix potential use-after-free in pep_sock_close()Rémi Denis-Courmont2010-05-251-0/+2
| | | | | | | | sk_common_release() might destroy our last reference to the socket. So an extra temporary reference is needed during cleanup. Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* Merge branch 'wimax-2.6.35.y' of ↵David S. Miller2010-05-251-2/+2
|\ | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/inaky/wimax
| * wimax/i2400m: fix bad race condition check in RX pathInaky Perez-Gonzalez2010-05-201-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The i2400m->rx_roq data structure is protected against race conditions with a reference count (i2400m->rx_roq_refcount); the pointer can be read-referenced under the i2400m->rx_lock spinlock. The code in i2400m_rx_edata() wasn't properly following access protocol, performing an invalid check on i2400m->rx_roq (which is cleared to NULL when the refcount drops to zero). As such, it was missing to detect when the data structure is no longer valid and oopsing with a NULL pointer dereference. This commit fixes said check by verifying, under the rx_lock spinlock, that i2400m->rx_roq is non-NULL and then increasing the reference count before dropping the spinlock. Signed-off-by: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
* | Merge branch 'master' of ↵David S. Miller2010-05-2524-132/+104
|\ \ | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6
| * | ath9k: remove VEOL support for ad-hocFelix Fietkau2010-05-251-53/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | With VEOL, Beacon transmission in ad-hoc does not currently work. I believe for larger ad-hoc networks, VEOL is too unreliable, as it can get beacon transmissions stuck during synchronization. Use SWBA based beacon trasmission similar to AP mode instead. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Acked-by: Benoit Papillault <benoit.papillault@free.fr> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | ath9k: change beacon allocation to prefer the first beacon slotFelix Fietkau2010-05-251-9/+3
| | | | | | | | | | | | | | | | | | | | | This fixes IBSS beacon transmissions without VEOL enabled Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | ath9k: Fix rx of mcast/bcast frames in PS mode with auto sleepVasanthakumar Thiagarajan2010-05-241-5/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The functionality to keep the device awake until it is done with the rx of any mcast/bcast frames which are pending on AP should also be added to the hardwares which support auto sleep feature. This patch fixes frequent failures in ARP resolution when it is initiated by the other end. Currently auto sleep is enabled only for ar9003 in ath9k. Signed-off-by: Vasanthakumar Thiagarajan <vasanth@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | wireless: fix sta_info.h kernel-doc warningsRandy Dunlap2010-05-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix sta_info.h kernel-doc warnings: Warning(net/mac80211/sta_info.h:164): No description found for parameter 'tid_active_rx[STA_TID_NUM]' Warning(net/mac80211/sta_info.h:164): Excess struct/union/enum/typedef member 'tid_state_rx' description in 'sta_ampdu_mlme' Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> Acked-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | wireless: fix mac80211.h kernel-doc warningsRandy Dunlap2010-05-241-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix kernel-doc warnings in mac80211.h: Warning(include/net/mac80211.h:838): No description found for parameter 'ap_addr' Warning(include/net/mac80211.h:1726): No description found for parameter 'get_survey' Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | iwlwifi: testing the wrong variable in iwl_add_bssid_station()Dan Carpenter2010-05-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The intent here is to test that "sta_id_r" is a valid pointer. We do this same test later on in the function. Btw iwl_add_bssid_station() is called from two places and "sta_id_r" is a valid pointer from both callers. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | ath9k_htc: rare leak in ath9k_hif_usb_alloc_tx_urbs()Dan Carpenter2010-05-241-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is obviously a small picky thing. The original error handling code doesn't free the most recent allocations which haven't been added to the hif_dev->tx.tx_buf list yet. Signed-off-by: Dan Carpenter <error27@gmail.com> Acked-by: Sujith <Sujith.Manoharan@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | ath9k_htc: dereferencing before check in hif_usb_tx_cb()Dan Carpenter2010-05-241-2/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | After c11d8f89d3b7: "ath9k_htc: Simplify TX URB management" we no longer assume that tx_buf is a non-null pointer. Signed-off-by: Dan Carpenter <error27@gmail.com> Acked-by: Sujith <Sujith.Manoharan@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | rt2x00: Fix rt2800usb TX descriptor writing.Gertjan van Wingerde2010-05-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The recent changes to skb handling introduced a bug in the rt2800usb TX descriptor writing whereby the length of the USB packet wasn't calculated correctly. Found via code inspection, as the devices themselves didn't seem to mind. Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com> Acked-by: Ivo van Doorn <IvDoorn@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | rt2x00: Fix failed SLEEP->AWAKE and AWAKE->SLEEP transitions.Gertjan van Wingerde2010-05-244-14/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | (Based on a patch created by Ondrej Zary) In some circumstances the Ralink devices do not properly go to sleep or wake up, with timeouts occurring. Fix this by retrying telling the device that it has to wake up or sleep. Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com> Acked-by: Ivo van Doorn <IvDoorn@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | Revert "ath9k: Group Key fix for VAPs"John W. Linville2010-05-243-27/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | This reverts commit 03ceedea972a82d343fa5c2528b3952fa9e615d5. This patch was reported to cause a regression in which connectivity is lost and cannot be reestablished after a suspend/resume cycle. Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | wireless: update gfp/slab.h includesTejun Heo2010-05-242-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | Implicit slab.h inclusion via percpu.h is about to go away. Make sure gfp.h or slab.h is included as necessary. Signed-off-by: Tejun Heo <tj@kernel.org> Cc: Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | rt2x00: don't use to_pci_dev in rt2x00pci_uninitializeHelmut Schaa2010-05-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Don't use to_pci_dev in rt2x00pci_uninitialize to get the allocated irq as it won't work for platform devices (SoC). Instead, use the irq field that's already used everywhere else. Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com> Acked-by: Ivo van Doorn <IvDoorn@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | ath5k: consistently use rx_bufsize for RX DMABruno Randolf2010-05-241-3/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We should use the same buffer size we set up for DMA also in the hardware descriptor. Previously we used common->rx_bufsize for setting up the DMA mapping, but used skb_tailroom(skb) for the size we tell to the hardware in the descriptor itself. The problem is that skb_tailroom(skb) can give us a larger value than the size we set up for DMA before. This allows the hardware to write into memory locations not set up for DMA. In practice this should rarely happen because all packets should be smaller than the maximum 802.11 packet size. On the tested platform rx_bufsize is 2528, and we allocated an skb of 2559 bytes length (including padding for cache alignment) but sbk_tailroom() was 2592. Just consistently use rx_bufsize for all RX DMA memory sizes. Also use the return value of the descriptor setup function. Cc: stable@kernel.org Signed-off-by: Bruno Randolf <br1@einfach.org> Reviewed-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | cfg80211: add missing bracesJohannes Berg2010-05-211-2/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Specifying a valid channel type will get goto out rather than continuing, due to missing braces. This affects both remain on channel and action frame TX commands. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | rndis_wlan: replace wireless_send_event with cfg80211_disconnectedJussi Kivilinna2010-05-211-6/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | Remove (hopefully) last use of WEXT in rndis_wlan. Replace wireless_send_event with missing cfg80211_disconnected in rndis_wlan_do_link_down_work. Reported-by: "Rogério Brito" <rbrito@ime.usp.br> Signed-off-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | ath9k: remove AR9003 from PCI IDs for nowLuis R. Rodriguez2010-05-211-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We tried to squeeze as much AR9003 support into this kernel release cycle but there are a few features which are still being tested and developed. Some of these features are critical to the stable operation of AR9003 so for now disable AR9003 support all together. This will get re-enabled once all necessary features are in place but very likely will not happen for 2.6.35. Reviewed-by: Don Breslin <don.breslin@atheros.com> Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | cfg80211: fix crash in cfg80211_set_freq()Felix Fietkau2010-05-211-1/+1
| | | | | | | | | | | | | | | | | | | | | Since wdev can be NULL, check it before dereferencing it Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | wl1271: Fix RX data path frame lengthsJuuso Oikarinen2010-05-211-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The current frame length used by the driver for RX frames is the SPI bus transfer length. This length has padding bytes, which do not belong to the WLAN frame. As there is no other length information in the WLAN frame except the skb length this problem caused for instance extra ESSID's to be listed at the end of scan results (IE id 0) with zero length. Fix the frame length by removing padding. Signed-off-by: Juuso Oikarinen <juuso.oikarinen@nokia.com> Reviewed-by: Luciano Coelho <luciano.coelho@nokia.com> Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | iwlwifi: fix internal scan raceReinette Chatre2010-05-211-3/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It is possible for internal scan to race against itself if the device is not returning the scan results from first requests. What happens in this case is the cleanup done during the abort of the first internal scan also cleans up part of the new scan, causing it to access memory it shouldn't. Here are details: * First internal scan is triggered and scan command sent to device. * After seven seconds there is no scan results so the watchdog timer triggers a scan abort. * The scan abort succeeds and a SCAN_COMPLETE_NOTIFICATION is received for failed scan. * During processing of SCAN_COMPLETE_NOTIFICATION we clear STATUS_SCANNING and queue the "scan_completed" work. ** At this time, since the problem that caused the internal scan in first place is still present, a new internal scan is triggered. The behavior at this point is a bit different between 2.6.34 and 2.6.35 since 2.6.35 has a lot of this synchronized. The rest of the race description will thus be generalized. ** As part of preparing for the scan "is_internal_short_scan" is set to true. * At this point the completion work for fist scan is run. As part of this there is some locking missing around the "is_internal_short_scan" variable and it is set to "false". ** Now the second scan runs and it considers itself a real (not internal0 scan and thus causes problems with wrong memory being accessed. The fix is twofold. * Since "is_internal_short_scan" should be protected by mutex, fix this in scan completion work so that changes to it can be serialized. * Do not queue a new internal scan if one is in progress. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=15824 Signed-off-by: Reinette Chatre <reinette.chatre@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>