From b578bb490fb605c23c20b63995f26d3ab2cfb6e0 Mon Sep 17 00:00:00 2001 From: "John W. Linville" Date: Wed, 26 May 2010 14:40:32 -0400 Subject: Revert "rt2x00: Fix rt2800usb TX descriptor writing." This reverts commit 663cb47cc2c5acd32850f67d051e47d62ed199c9. This patch was merged out of the proper order, so instead of fixing a problem with a prior (unmerged) patch, it creates one. Ooops! Signed-off-by: John W. Linville --- drivers/net/wireless/rt2x00/rt2800usb.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/rt2x00/rt2800usb.c b/drivers/net/wireless/rt2x00/rt2800usb.c index 699161327d65..0f8b84b7224c 100644 --- a/drivers/net/wireless/rt2x00/rt2800usb.c +++ b/drivers/net/wireless/rt2x00/rt2800usb.c @@ -413,7 +413,7 @@ static void rt2800usb_write_tx_desc(struct rt2x00_dev *rt2x00dev, */ rt2x00_desc_read(txi, 0, &word); rt2x00_set_field32(&word, TXINFO_W0_USB_DMA_TX_PKT_LEN, - skb->len - TXINFO_DESC_SIZE); + skb->len + TXWI_DESC_SIZE); rt2x00_set_field32(&word, TXINFO_W0_WIV, !test_bit(ENTRY_TXD_ENCRYPT_IV, &txdesc->flags)); rt2x00_set_field32(&word, TXINFO_W0_QSEL, 2); -- cgit v1.2.3 From 5001960016bb53a1075bd9d62d7c067cd38c5a68 Mon Sep 17 00:00:00 2001 From: Christian Lamparter Date: Tue, 25 May 2010 23:58:47 +0200 Subject: ar9170usb: fix read from freed driver context Commit "ar9170: wait for asynchronous firmware loading" introduced a bug, which is triggered by fatal errors while the driver is initializing the device. BUG: unable to handle kernel paging request at 6b6b6bf7 IP: [] kobject_put+0x7/0x70 *pde = 00000000 Oops: 0000 [#1] PREEMPT last sysfs file: /sys/devices/platform/hdaps/position Modules linked in: ar9170usb [...] Pid: 6246, comm: firmware/ar9170 Not tainted 2.6.34-wl #54 EIP: 0060:[] EFLAGS: 00010206 CPU: 0 EIP is at kobject_put+0x7/0x70 EAX: 6b6b6bd7 EBX: f4d3d0e0 ECX: f5ba9124 EDX: f6af2a7c ESI: 00000000 EDI: f4d3d0e0 EBP: 00000000 ESP: f5e98f9c DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 Process firmware/ar9170 (pid: 6246) Stack: c12532ed 00000246 f5bfaa70 f8487353 f4d3d0e0 Call Trace: [] ? device_release_driver+0x1d/0x30 [] ? ar9170_usb_firmware_failed+0x43/0x70 [ar9170usb] [] ? request_firmware_work_func+0x2c/0x70 [] ? request_firmware_work_func+0x0/0x70 [] ? kthread+0x74/0x80 [] ? kthread+0x0/0x80 [] ? kernel_thread_helper+0x6/0x10 Code: 40 d3 f2 ff 85 c0 89 c3 74 0a ba 44 86 4c c1 e8 [...] EIP: [] kobject_put+0x7/0x70 SS:ESP 0068:f5e98f9c CR2: 000000006b6b6bf7 ---[ end trace e81abb992434b410 ]--- Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville --- drivers/net/wireless/ath/ar9170/usb.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/drivers/net/wireless/ath/ar9170/usb.c b/drivers/net/wireless/ath/ar9170/usb.c index 82ab532a4923..a93dc18a45c3 100644 --- a/drivers/net/wireless/ath/ar9170/usb.c +++ b/drivers/net/wireless/ath/ar9170/usb.c @@ -739,17 +739,27 @@ err_out: static void ar9170_usb_firmware_failed(struct ar9170_usb *aru) { struct device *parent = aru->udev->dev.parent; + struct usb_device *udev; + + /* + * Store a copy of the usb_device pointer locally. + * This is because device_release_driver initiates + * ar9170_usb_disconnect, which in turn frees our + * driver context (aru). + */ + udev = aru->udev; complete(&aru->firmware_loading_complete); /* unbind anything failed */ if (parent) device_lock(parent); - device_release_driver(&aru->udev->dev); + + device_release_driver(&udev->dev); if (parent) device_unlock(parent); - usb_put_dev(aru->udev); + usb_put_dev(udev); } static void ar9170_usb_firmware_finish(const struct firmware *fw, void *context) -- cgit v1.2.3 From 9be8ab2ea81f84c1726d79613c342141f5d19a3b Mon Sep 17 00:00:00 2001 From: "Justin P. Mattock" Date: Wed, 26 May 2010 11:00:04 -0700 Subject: ath9k: Fix ath_print in xmit for hardware reset. ath_print in xmit.c should say "Reseting hardware" instead of Resetting HAL!(since HAL is being fazed out). dmesg shows: [ 8660.899624] ath: Failed to stop TX DMA in 100 msec after killing last frame [ 8660.899676] ath: Unable to stop TxDMA. Reset HAL! Signed-off-by: Justin P. Mattock Signed-off-by: John W. Linville --- drivers/net/wireless/ath/ath9k/xmit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c index 3db19172b43b..09cb13c4854c 100644 --- a/drivers/net/wireless/ath/ath9k/xmit.c +++ b/drivers/net/wireless/ath/ath9k/xmit.c @@ -1198,7 +1198,7 @@ void ath_drain_all_txq(struct ath_softc *sc, bool retry_tx) int r; ath_print(common, ATH_DBG_FATAL, - "Unable to stop TxDMA. Reset HAL!\n"); + "Failed to stop TX DMA. Resetting hardware!\n"); spin_lock_bh(&sc->sc_resetlock); r = ath9k_hw_reset(ah, sc->sc_ah->curchan, false); -- cgit v1.2.3 From 7c9fd60f9764373414c0a64f500a78635b0a0a7b Mon Sep 17 00:00:00 2001 From: Vasanthakumar Thiagarajan Date: Wed, 26 May 2010 19:06:53 -0700 Subject: ath9k: Fix bug in the way "bf_tx_aborted" of struct ath_buf is used This bug was introduced by the following commit Author: Vasanthakumar Thiagarajan Date: Thu Apr 15 17:38:46 2010 -0400 ath9k: Remove ATH9K_TX_SW_ABORTED and introduce a bool for this purpose Wrong buffer is checked for bf_tx_aborted field in ath_tx_num_badfrms(), this may result in a rate scaling with wrong feedback (number of unacked frames in this case). It is the last one in the chain of buffers for an aggregate frame that should be checked. Also it misses the initialization of this field in the buffer, this may lead to a situation where we stop the sw retransmission of failed subframes associated to this buffer. Signed-off-by: Vasanthakumar Thiagarajan Signed-off-by: John W. Linville --- drivers/net/wireless/ath/ath9k/xmit.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c index 09cb13c4854c..859aa4ab0769 100644 --- a/drivers/net/wireless/ath/ath9k/xmit.c +++ b/drivers/net/wireless/ath/ath9k/xmit.c @@ -1728,6 +1728,8 @@ static int ath_tx_setup_buffer(struct ieee80211_hw *hw, struct ath_buf *bf, } else bf->bf_isnullfunc = false; + bf->bf_tx_aborted = false; + return 0; } @@ -1989,7 +1991,7 @@ static int ath_tx_num_badfrms(struct ath_softc *sc, struct ath_buf *bf, int nbad = 0; int isaggr = 0; - if (bf->bf_tx_aborted) + if (bf->bf_lastbf->bf_tx_aborted) return 0; isaggr = bf_isaggr(bf); -- cgit v1.2.3 From c6a6368b32aa4fd145e840c8d8dac6923fae2688 Mon Sep 17 00:00:00 2001 From: Prarit Bhargava Date: Thu, 27 May 2010 14:41:20 -0400 Subject: libertas: fix uninitialized variable warning Fixes: drivers/net/wireless/libertas/rx.c: In function process_rxed_802_11_packet: drivers/net/wireless/libertas/rx.c:354: error: radiotap_hdr.flags may be used uninitialized in this function Signed-off-by: Prarit Bhargava Signed-off-by: John W. Linville --- drivers/net/wireless/libertas/rx.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/libertas/rx.c b/drivers/net/wireless/libertas/rx.c index a115bfa9513a..7a377f5b7662 100644 --- a/drivers/net/wireless/libertas/rx.c +++ b/drivers/net/wireless/libertas/rx.c @@ -329,9 +329,8 @@ static int process_rxed_802_11_packet(struct lbs_private *priv, /* create the exported radio header */ /* radiotap header */ - radiotap_hdr.hdr.it_version = 0; - /* XXX must check this value for pad */ - radiotap_hdr.hdr.it_pad = 0; + memset(&radiotap_hdr, 0, sizeof(radiotap_hdr)); + /* XXX must check radiotap_hdr.hdr.it_pad for pad */ radiotap_hdr.hdr.it_len = cpu_to_le16 (sizeof(struct rx_radiotap_hdr)); radiotap_hdr.hdr.it_present = cpu_to_le32 (RX_RADIOTAP_PRESENT); radiotap_hdr.rate = convert_mv_rate_to_radiotap(prxpd->rx_rate); -- cgit v1.2.3 From 368a07d26ae99c80678a968946744fd83e7708d0 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Fri, 28 May 2010 14:26:23 +0200 Subject: mac80211: make a function static sparse correctly complains that __ieee80211_get_channel_mode is not static. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville --- net/mac80211/chan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c index 5d218c530a4e..32be11e4c4d9 100644 --- a/net/mac80211/chan.c +++ b/net/mac80211/chan.c @@ -5,7 +5,7 @@ #include #include "ieee80211_i.h" -enum ieee80211_chan_mode +static enum ieee80211_chan_mode __ieee80211_get_channel_mode(struct ieee80211_local *local, struct ieee80211_sub_if_data *ignore) { -- cgit v1.2.3 From da1fdb02d9200ff28b6f3a380d21930335fe5429 Mon Sep 17 00:00:00 2001 From: Christoph Fritz Date: Fri, 28 May 2010 10:45:59 +0200 Subject: ssb: fix NULL ptr deref when pcihost_wrapper is used Ethernet driver b44 does register ssb by it's pcihost_wrapper and doesn't set ssb_chipcommon. A check on this value introduced with commit d53cdbb94a52a920d5420ed64d986c3523a56743 and ea2db495f92ad2cf3301623e60cb95b4062bc484 triggers: BUG: unable to handle kernel NULL pointer dereference at 00000010 IP: [] ssb_is_sprom_available+0x16/0x30 Signed-off-by: Christoph Fritz Signed-off-by: John W. Linville --- drivers/ssb/pci.c | 9 ++++++--- drivers/ssb/sprom.c | 1 + 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/drivers/ssb/pci.c b/drivers/ssb/pci.c index 989e2752cc36..6dcda86be6eb 100644 --- a/drivers/ssb/pci.c +++ b/drivers/ssb/pci.c @@ -625,9 +625,12 @@ static int ssb_pci_sprom_get(struct ssb_bus *bus, ssb_printk(KERN_ERR PFX "No SPROM available!\n"); return -ENODEV; } - - bus->sprom_offset = (bus->chipco.dev->id.revision < 31) ? - SSB_SPROM_BASE1 : SSB_SPROM_BASE31; + if (bus->chipco.dev) { /* can be unavailible! */ + bus->sprom_offset = (bus->chipco.dev->id.revision < 31) ? + SSB_SPROM_BASE1 : SSB_SPROM_BASE31; + } else { + bus->sprom_offset = SSB_SPROM_BASE1; + } buf = kcalloc(SSB_SPROMSIZE_WORDS_R123, sizeof(u16), GFP_KERNEL); if (!buf) diff --git a/drivers/ssb/sprom.c b/drivers/ssb/sprom.c index 007bc3a03486..4f7cc8d13277 100644 --- a/drivers/ssb/sprom.c +++ b/drivers/ssb/sprom.c @@ -185,6 +185,7 @@ bool ssb_is_sprom_available(struct ssb_bus *bus) /* this routine differs from specs as we do not access SPROM directly on PCMCIA */ if (bus->bustype == SSB_BUSTYPE_PCI && + bus->chipco.dev && /* can be unavailible! */ bus->chipco.dev->id.revision >= 31) return bus->chipco.capabilities & SSB_CHIPCO_CAP_SPROM; -- cgit v1.2.3