profile/common/kernel-common.git
13 years agomac80211: fix TKIP replay vulnerability
Johannes Berg [Thu, 7 Jul 2011 16:24:54 +0000 (18:24 +0200)]
mac80211: fix TKIP replay vulnerability

Unlike CCMP, the presence or absence of the QoS
field doesn't change the encryption, only the
TID is used. When no QoS field is present, zero
is used as the TID value. This means that it is
possible for an attacker to take a QoS packet
with TID 0 and replay it as a non-QoS packet.

Unfortunately, mac80211 uses different IVs for
checking the validity of the packet's TKIP IV
when it checks TID 0 and when it checks non-QoS
packets. This means it is vulnerable to this
replay attack.

To fix this, use the same replay counter for
TID 0 and non-QoS packets by overriding the
rx->queue value to 0 if it is 16 (non-QoS).

This is a minimal fix for now. I caused this
issue in

commit 1411f9b531f0a910cd1c85a337737c1e6ffbae6a
Author: Johannes Berg <johannes@sipsolutions.net>
Date:   Thu Jul 10 10:11:02 2008 +0200

    mac80211: fix RX sequence number check

while fixing a sequence number issue (there,
a separate counter needs to be used).

Cc: stable@kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agomac80211: fix ie memory allocation for scheduled scans
Luciano Coelho [Thu, 7 Jul 2011 12:18:27 +0000 (15:18 +0300)]
mac80211: fix ie memory allocation for scheduled scans

We were not allocating memory for the IEs passed in the scheduled_scan
request and this was causing memory corruption (buffer overflow).

Signed-off-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agossb: fix init regression of hostmode PCI core
Rafał Miłecki [Tue, 5 Jul 2011 15:25:32 +0000 (17:25 +0200)]
ssb: fix init regression of hostmode PCI core

Our workarounds seem to be clientmode PCI specific. Using SPROM
workaround on SoC resulted in Oops:

Data bus error, epc == 8017ed58, ra == 80225838
 Oops[#1]:
 Cpu 0
 $ 0   : 00000000 10008000 b8000000 00000001
 $ 4   : 80293b5c 00000caa ffffffff 00000000
 $ 8   : 0000000a 00000003 00000001 696d6d20
 $12   : ffffffff 00000000 00000000 ffffffff
 $16   : 802d0140 b8004800 802c0000 00000000
 $20   : 00000000 802c0000 00000000 802d04d4
 $24   : 00000018 80151a00
 $28   : 81816000 81817df8 8029bda0 80225838
 Hi    : 00000000
 Lo    : 00000000
 epc   : 8017ed58 ssb_ssb_read16+0x48/0x60
   Not tainted
 ra    : 80225838 ssb_pcicore_init+0x54/0x3b4

Reported-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Tested-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agortlwifi: rtl8192cu: Add new USB ID for Netgear WNA1000M
Yoann DI-RUZZA [Fri, 1 Jul 2011 13:47:17 +0000 (08:47 -0500)]
rtlwifi: rtl8192cu: Add new USB ID for Netgear WNA1000M

Signed-off-by: Yoann DI-RUZZA <y.diruzza@lim.eu>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Stable <stable@kernel.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoath9k: Fix tx throughput drops for AR9003 chips with AES encryption
Rajkumar Manoharan [Fri, 1 Jul 2011 13:07:33 +0000 (18:37 +0530)]
ath9k: Fix tx throughput drops for AR9003 chips with AES encryption

While sending aggregated frames in AES, the AR5416 chips
required additional padding b/w subframes. This workaround
is not needed for edma (AR9003 family) chips. With this patch
~4Mbps thoughput improvement was observed in clear environment.

Cc: stable@kernel.org
Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agocarl9170: add NEC WL300NU-AG usbid
Christian Lamparter [Thu, 30 Jun 2011 19:06:17 +0000 (21:06 +0200)]
carl9170: add NEC WL300NU-AG usbid

Cc: stable@kernel.org
Reported-by: Mark Davis
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agocfg80211: fix deadlock with rfkill/sched_scan by adding new mutex
Luciano Coelho [Thu, 30 Jun 2011 05:32:41 +0000 (08:32 +0300)]
cfg80211: fix deadlock with rfkill/sched_scan by adding new mutex

There was a deadlock when rfkill-blocking a wireless interface,
because we were locking the rdev mutex on NETDEV_GOING_DOWN to stop
sched_scans that were eventually running.  The rfkill block code was
already holding a mutex under rdev:

kernel: =======================================================
kernel: [ INFO: possible circular locking dependency detected ]
kernel: 3.0.0-rc1-00049-g1fa7b6a #57
kernel: -------------------------------------------------------
kernel: kworker/0:1/4525 is trying to acquire lock:
kernel: (&rdev->mtx){+.+.+.}, at: [<ffffffff8164c831>] cfg80211_netdev_notifier_call+0x131/0x5b0
kernel:
kernel: but task is already holding lock:
kernel: (&rdev->devlist_mtx){+.+.+.}, at: [<ffffffff8164dcef>] cfg80211_rfkill_set_block+0x4f/0xa0
kernel:
kernel: which lock already depends on the new lock.

To fix this, add a new mutex specifically for sched_scan, to protect
the sched_scan_req element in the rdev struct, instead of using the
global rdev mutex.

Reported-by: Duane Griffin <duaneg@dghda.com>
Signed-off-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoath5k: fix incorrect use of drvdata in PCI suspend/resume code
Pavel Roskin [Wed, 29 Jun 2011 19:39:43 +0000 (15:39 -0400)]
ath5k: fix incorrect use of drvdata in PCI suspend/resume code

Signed-off-by: Pavel Roskin <proski@gnu.org>
Cc: <stable@kernel.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoath5k: fix incorrect use of drvdata in sysfs code
Pavel Roskin [Wed, 29 Jun 2011 19:39:37 +0000 (15:39 -0400)]
ath5k: fix incorrect use of drvdata in sysfs code

Signed-off-by: Pavel Roskin <proski@gnu.org>
Cc: <stable@kernel.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoMerge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/padovan/bluetoot...
John W. Linville [Tue, 5 Jul 2011 18:33:09 +0000 (14:33 -0400)]
Merge branch 'master' of /linux/kernel/git/padovan/bluetooth-2.6

13 years agoBluetooth: Fix memory leak under page timeouts
Tomas Targownik [Thu, 30 Jun 2011 19:30:44 +0000 (16:30 -0300)]
Bluetooth: Fix memory leak under page timeouts

If the remote device is not present, the connections attemp fails and
the struct hci_conn was not freed

Signed-off-by: Tomas Targownik <ttargownik@geicp.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
13 years agoBluetooth: Fix regression with incoming L2CAP connections
Gustavo F. Padovan [Thu, 30 Jun 2011 19:11:30 +0000 (16:11 -0300)]
Bluetooth: Fix regression with incoming L2CAP connections

PTS test A2DP/SRC/SRC_SET/TC_SRC_SET_BV_02_I revealed that
( probably after the df3c3931e commit ) the l2cap connection
could not be established in case when the "Auth Complete" HCI
event does not arive before the initiator send "Configuration
request", in which case l2cap replies with "Command rejected"
since the channel is still in BT_CONNECT2 state.

Based on patch from: Ilia Kolomisnky <iliak@ti.com>

Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
13 years agoBluetooth: Fix hidp disconnect deadlocks and lost wakeup
Peter Hurley [Thu, 30 Jun 2011 17:53:53 +0000 (13:53 -0400)]
Bluetooth: Fix hidp disconnect deadlocks and lost wakeup

Partial revert of commit aabf6f89. When the hidp session thread
was converted from kernel_thread to kthread, the atomic/wakeups
were replaced with kthread_stop. kthread_stop has blocking semantics
which are inappropriate for the hidp session kthread. In addition,
the kthread signals itself to terminate in hidp_process_hid_control()
- it cannot do this with kthread_stop().

Lastly, a wakeup can be lost if the wakeup happens between checking
for the loop exit condition and setting the current state to
TASK_INTERRUPTIBLE. (Without appropriate synchronization mechanisms,
the task state should not be changed between the condition test and
the yield - via schedule() - as this creates a race between the
wakeup and resetting the state back to interruptible.)

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
13 years agoath5k: fix memory leak when fewer than N_PD_CURVES are in use
Eugene A. Shatokhin [Wed, 29 Jun 2011 03:04:51 +0000 (23:04 -0400)]
ath5k: fix memory leak when fewer than N_PD_CURVES are in use

We would free the proper number of curves, but in the wrong
slots, due to a missing level of indirection through
the pdgain_idx table.

It's simpler just to try to free all four slots, so do that.

Cc: stable@kernel.org
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoath9k: Fix suspend/resume when no interface is UP
Rajkumar Manoharan [Tue, 28 Jun 2011 12:51:19 +0000 (18:21 +0530)]
ath9k: Fix suspend/resume when no interface is UP

When no interface has been brought up, the chip's power
state continued as AWAKE. So during resume, the chip never
been powered up.

Cc: stable@kernel.org
Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoBluetooth: Prevent buffer overflow in l2cap config request
Dan Rosenberg [Fri, 24 Jun 2011 12:38:05 +0000 (08:38 -0400)]
Bluetooth: Prevent buffer overflow in l2cap config request

A remote user can provide a small value for the command size field in
the command header of an l2cap configuration request, resulting in an
integer underflow when subtracting the size of the configuration request
header.  This results in copying a very large amount of data via
memcpy() and destroying the kernel heap.  Check for underflow.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
13 years agoiwlagn: use PCI_DMA_* for pci_* operations
John W. Linville [Mon, 27 Jun 2011 19:38:05 +0000 (15:38 -0400)]
iwlagn: use PCI_DMA_* for pci_* operations

"iwlagn: map command buffers BIDI" uses the DMA_* enumerations for DMA
directions, even though the pci_* DMA API is still in use.  That patch
was undoubtedly developed on top of "iwlagn: don't use the PCI wrappers
for DMA operation", which is due in the next release.

Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agomac80211: fix rx->key NULL dereference during mic failure
Arik Nemtsov [Wed, 22 Jun 2011 21:00:24 +0000 (00:00 +0300)]
mac80211: fix rx->key NULL dereference during mic failure

Sometimes when reporting a MIC failure rx->key may be unset. This
code path is hit when receiving a packet meant for a multicast
address, and decryption is performed in HW.

Fortunately, the failing key_idx is not used for anything up to
(and including) usermode, so we allow ourselves to drop it on the
way up when a key cannot be retrieved.

Signed-off-by: Arik Nemtsov <arik@wizery.com>
Cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoiwlagn: fix *_UCODE_API_MAX output in the firmware field
Evgeni Golov [Sun, 12 Jun 2011 12:34:31 +0000 (05:34 -0700)]
iwlagn: fix *_UCODE_API_MAX output in the firmware field

Currently (3.0-rc2), modinfo iwlagn shows:
    firmware:       iwlwifi-5150-IWL5150_UCODE_API_MAX.ucode
    firmware:       iwlwifi-5000-IWL5000_UCODE_API_MAX.ucode
    firmware:       iwlwifi-6000g2b-IWL6000G2_UCODE_API_MAX.ucode
    firmware:       iwlwifi-6000g2a-IWL6000G2_UCODE_API_MAX.ucode
    firmware:       iwlwifi-6050-IWL6050_UCODE_API_MAX.ucode
    firmware:       iwlwifi-6000-IWL6000_UCODE_API_MAX.ucode
    firmware:       iwlwifi-100-IWL100_UCODE_API_MAX.ucode
    firmware:       iwlwifi-1000-IWL1000_UCODE_API_MAX.ucode
    firmware:       iwlwifi-105-IWL105_UCODE_API_MAX.ucode
    firmware:       iwlwifi-2030-IWL2030_UCODE_API_MAX.ucode
    firmware:       iwlwifi-2000-IWL2000_UCODE_API_MAX.ucode

which is obviously wrong, the user should not see the *_UCODE_API_MAX
macros but the actual ucode API versions here.

The problem are the
    #define *_MODULE_FIRMWARE(api) *_FW_PRE #api ".ucode"
which do not expand api correctly (because this is a macro itself).

Fixed by using __stringify() from linux/stringify.h.

Further information about macro stringification can be found here:
    http://gcc.gnu.org/onlinedocs/cpp/Stringification.html

Signed-off-by: Evgeni Golov <sargentd@die-welt.net>
Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoMerge branch 'wireless-2.6' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi...
John W. Linville [Mon, 27 Jun 2011 18:26:04 +0000 (14:26 -0400)]
Merge branch 'wireless-2.6' of git://git./linux/kernel/git/iwlwifi/iwlwifi-2.6

13 years agoiwlagn: map command buffers BIDI
Johannes Berg [Mon, 27 Jun 2011 14:54:49 +0000 (07:54 -0700)]
iwlagn: map command buffers BIDI

Evidently, the device sometimes wants to write back
to command buffers, even if I see no reason why it
should. Allow it to do that.

Tested-by: Andy Lutomirski <luto@mit.edu>
Tested-by: Kyle McMartin <kyle@redhat.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
13 years agoiwlagn: fix cmd queue unmap
Johannes Berg [Mon, 27 Jun 2011 14:48:52 +0000 (07:48 -0700)]
iwlagn: fix cmd queue unmap

When we stop the device while a command is in
flight that uses multiple TBs, we can leak the
DMA buffers for the second and higher TBs. Fix
this by using iwlagn_unmap_tfd() as we do when
we normally recover the entry.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
13 years agoiwlagn: fix change_interface for P2P types
Johannes Berg [Tue, 21 Jun 2011 15:28:31 +0000 (08:28 -0700)]
iwlagn: fix change_interface for P2P types

When an interface changes type to a P2P type,
iwlagn will erroneously set vif->type to the
P2P type and not the reduced/split type. Fix
this by keeping "newtype" in another variable
for the assignment to vif->type.

Cc: stable@kernel.org [2.6.38+]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
13 years agoiwlagn: Fix a bug introduced by the HUGE command removal
Emmanuel Grumbach [Tue, 21 Jun 2011 18:03:01 +0000 (11:03 -0700)]
iwlagn: Fix a bug introduced by the HUGE command removal

Since we don't have HUGE command any more, there is no point in adding 1
to the num of slots in the command queue. Doing so is buggy and might corrupt
memory.

Bug introduced by 4ce7cc2b09553a91d4aea014c39674685715173a
iwlagn: support multiple TBs per command

Cc: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
13 years agortl8192cu: Fix missing firmware load
Larry Finger [Tue, 21 Jun 2011 15:48:31 +0000 (10:48 -0500)]
rtl8192cu: Fix missing firmware load

In commit 3ac5e26a1e935469a8bdae1d624bc3b59d1fcdc5 entitled
"rtlwifi: rtl8192c-common: Change common firmware routines for addition
of rtl8192se and rtl8192de", the firmware loading code was moved.
Unfortunately, some necessary code was dropped for rtl8192cu.

The dmesg output shows the following:

rtl8192c: Loading firmware file rtlwifi/rtl8192cufw.bin
rtl8192c_common:_rtl92c_fw_free_to_go():<0-0> Polling FW ready fail!! REG_MCUFWDL:0x00000006 .
rtl8192c_common:rtl92c_download_fw():<0-0> Firmware is not ready to run!

In addition, the interface will authenticate and associate, but cannot
transfer data.

This is reported as Kernel Bug #38012.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agortlwifi: rtl8192se: Handle duplicate PCI ID 0x10ec:0x8192 conflict with r8192e_pci
Larry Finger [Sun, 19 Jun 2011 03:49:53 +0000 (22:49 -0500)]
rtlwifi: rtl8192se: Handle duplicate PCI ID 0x10ec:0x8192 conflict with r8192e_pci

There are two devices with PCI ID 0x10ec:0x8192, namely RTL8192E and
RTL8192SE. The method of distinguishing them is by the revision ID
at offset 0x8 of the PCI configuration space. If the value is 0x10,
then the device uses rtl8192se for a driver.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoMerge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/padovan/bluetoot...
John W. Linville [Mon, 20 Jun 2011 18:54:20 +0000 (14:54 -0400)]
Merge branch 'master' of /linux/kernel/git/padovan/bluetooth-2.6

13 years agoBluetooth: Fix L2CAP connection establishment
Ilia Kolomisnky [Wed, 15 Jun 2011 03:52:26 +0000 (06:52 +0300)]
Bluetooth: Fix L2CAP connection establishment

In hci_conn_security ( which is used during L2CAP connection
establishment ) test for HCI_CONN_ENCRYPT_PEND state also
sets this state, which is bogus and leads to connection time-out
on L2CAP sockets in certain situations (especially when
using non-ssp devices )

Signed-off-by: Ilia Kolomisnky <iliak@ti.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
13 years agomwl8k: Tell firmware to generate CCMP header
Nishant Sarmukadam [Mon, 13 Jun 2011 10:56:15 +0000 (16:26 +0530)]
mwl8k: Tell firmware to generate CCMP header

Post commit e4eefec73ea0a740bfe8736e3ac30dfe92fe392b, the stack is
not generating the CCMP header for us anymore. This broke the CCMP
functionality since firmware was not doing this either. Set a flag
to tell the firmware to generate the CCMP header

Signed-off-by: Nishant Sarmukadam <nishants@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agomwifiex: Fixing NULL pointer dereference
Yogesh Ashok Powar [Mon, 13 Jun 2011 04:19:27 +0000 (09:49 +0530)]
mwifiex: Fixing NULL pointer dereference

Following OOPS was seen when booting with card inserted

 BUG: unable to handle kernel NULL pointer dereference at 0000004c
 IP: [<f8b7718c>] cfg80211_get_drvinfo+0x21/0x115 [cfg80211]
 *pde = 00000000
 Oops: 0000 [#1] SMP
 Modules linked in: iwl3945 iwl_legacy mwifiex_sdio mac80211 11 sdhci_pci sdhci pl2303

'ethtool' on the mwifiex device returned this OOPS as
wiphy_dev() returned NULL.

Adding missing set_wiphy_dev() call to fix the problem.

Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoBluetooth: Fix accepting connect requests for defer_setup
Johan Hedberg [Tue, 14 Jun 2011 09:48:19 +0000 (12:48 +0300)]
Bluetooth: Fix accepting connect requests for defer_setup

When authentication completes we shouldn't blindly accept any pending
L2CAP connect requests. If the socket has the defer_setup feature
enabled it should still wait for user space acceptance of the connect
request. The issue only happens for non-SSP connections since with SSP
the L2CAP Connect request may not be sent for non-SDP PSMs before
authentication has completed successfully.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
13 years agoBluetooth: Fix L2CAP security check
Luiz Augusto von Dentz [Mon, 13 Jun 2011 12:37:35 +0000 (15:37 +0300)]
Bluetooth: Fix L2CAP security check

With older userspace versions (using hciops) it might not have the
key type to check if the key has sufficient security for any security
level so it is necessary to check the return of hci_conn_auth to make
sure the connection is authenticated

Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Acked-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
13 years agoMerge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/padovan/bluetoot...
John W. Linville [Fri, 10 Jun 2011 19:05:34 +0000 (15:05 -0400)]
Merge branch 'master' of /linux/kernel/git/padovan/bluetooth-2.6

13 years agoBluetooth: Do not send SET_EVENT_MASK for 1.1 and earlier devices
Ville Tervo [Fri, 27 May 2011 08:16:21 +0000 (11:16 +0300)]
Bluetooth: Do not send SET_EVENT_MASK for 1.1 and earlier devices

Some old hci controllers do not accept any mask so leave the
default mask on for these devices.

< HCI Command: Set Event Mask (0x03|0x0001) plen 8
    Mask: 0xfffffbff00000000
> HCI Event: Command Complete (0x0e) plen 4
    Set Event Mask (0x03|0x0001) ncmd 1
    status 0x12
    Error: Invalid HCI Command Parameters

Signed-off-by: Ville Tervo <ville.tervo@nokia.com>
Tested-by: Corey Boyle <corey@kansanian.com>
Tested-by: Ed Tomlinson <edt@aei.ca>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
13 years agoBluetooth: Do not ignore errors returned from strict_strtol()
David Miller [Thu, 19 May 2011 21:37:45 +0000 (17:37 -0400)]
Bluetooth: Do not ignore errors returned from strict_strtol()

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
13 years agoBluetooth: fix shutdown on SCO sockets
Luiz Augusto von Dentz [Thu, 12 May 2011 08:13:15 +0000 (11:13 +0300)]
Bluetooth: fix shutdown on SCO sockets

shutdown should wait for SCO link to be properly disconnected before
detroying the socket, otherwise an application using the socket may
assume link is properly disconnected before it really happens which
can be a problem when e.g synchronizing profile switch.

Signed-off-by: Luiz Augusto von Dentz <luiz.dentz-von@nokia.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
13 years agoBluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.
Filip Palian [Thu, 12 May 2011 17:32:46 +0000 (19:32 +0200)]
Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.

Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding
byte each. This byte in "cinfo" is copied to userspace uninitialized.

Signed-off-by: Filip Palian <filip.palian@pjwstk.edu.pl>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
13 years agoiwlegacy: fix channel switch locking
Stanislaw Gruszka [Wed, 8 Jun 2011 13:26:31 +0000 (15:26 +0200)]
iwlegacy: fix channel switch locking

We use priv->mutex to avoid race conditions between chswitch_done()
and mac_channel_switch(), when marking channel switch in
progress. But chswitch_done() can be called in atomic context
from rx_csa() or with mutex already taken from commit_rxon().

To fix remove mutex from chswitch_done() and use atomic bitops
for marking channel switch pending.

Cc: stable@kernel.org # 2.6.39+
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agomac80211: fix IBSS teardown race
Johannes Berg [Wed, 8 Jun 2011 11:27:29 +0000 (13:27 +0200)]
mac80211: fix IBSS teardown race

Ignacy reports that sometimes after leaving an IBSS
joining a new one didn't work because there still
were stations on the list. He fixed it by flushing
stations when attempting to join a new IBSS, but
this shouldn't be happening in the first case. When
I looked into it I saw a race condition in teardown
that could cause stations to be added after flush,
and thus cause this situation. Ignacy confirms that
after applying my patch he hasn't seen this happen
again.

Reported-by: Ignacy Gawedzki <i@lri.fr>
Debugged-by: Ignacy Gawedzki <i@lri.fr>
Tested-by: Ignacy Gawedzki <i@lri.fr>
Cc: stable@kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoiwlagn: send tx power command if defer cause by RXON not match
Wey-Yi Guy [Fri, 27 May 2011 15:40:24 +0000 (08:40 -0700)]
iwlagn: send tx power command if defer cause by RXON not match

During channge channel, tx power will not send to uCode, the tx power command
should send after scan complete. but should also can send after RXON command.

Stable fix identified by Stanislaw Gruszka <sgruszka@redhat.com>.

Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Cc: stable@kernel.org [2.6.38+]
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agonl80211: fix overflow in ssid_len
Luciano Coelho [Tue, 7 Jun 2011 17:42:26 +0000 (20:42 +0300)]
nl80211: fix overflow in ssid_len

When one of the SSID's length passed in a scan or sched_scan request
is larger than 255, there will be an overflow in the u8 that is used
to store the length before checking.  This causes the check to fail
and we overrun the buffer when copying the SSID.

Fix this by checking the nl80211 attribute length before copying it to
the struct.

This is a follow up for the previous commit
208c72f4fe44fe09577e7975ba0e7fa0278f3d03, which didn't fix the problem
entirely.

Reported-by: Ido Yariv <ido@wizery.com>
Signed-off-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agortlwifi: Avoid modifying skbs that are resubmitted
Mike McCormack [Mon, 6 Jun 2011 23:58:31 +0000 (08:58 +0900)]
rtlwifi: Avoid modifying skbs that are resubmitted

In the case we fail to allocate a new skb, the old skb should
be resubmitted unmodified.

Fixes bug introduced in a9e12869758430424804.

Signed-off-by: Mike McCormack <mikem@ring3k.org>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agortlwifi: Fix logic in rx_interrupt
Mike McCormack [Mon, 30 May 2011 23:50:24 +0000 (08:50 +0900)]
rtlwifi: Fix logic in rx_interrupt

Should pass along packet if there's no CRC and no hardware error.

Signed-off-by: Mike McCormack <mikem@ring3k.org>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoRevert "mac80211: stop queues before rate control updation"
John W. Linville [Tue, 7 Jun 2011 18:03:08 +0000 (14:03 -0400)]
Revert "mac80211: stop queues before rate control updation"

This reverts commit 1d38c16ce4156f63b45abbd09dd28ca2ef5172b4.

The mac80211 maintainer raised complaints about abuse of the CSA stop
reason, and about whether this patch actually serves its intended
purpose at all.

Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoiwl4965: set tx power after rxon_assoc
Stanislaw Gruszka [Mon, 6 Jun 2011 13:11:30 +0000 (15:11 +0200)]
iwl4965: set tx power after rxon_assoc

Setting tx power can be deferred during scan or changing channel.
If after that correct tx power settings will not be sent to device,
we can observe transmission problems and timeouts. Force to send
tx power settings also after partial rxon change, to assure device
always be configured with up-to-date settings.

Resolves:
https://bugzilla.kernel.org/show_bug.cgi?id=36492

Cc: stable@kernel.org # 2.6.39+
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agort2x00: fix rmmod crash
Stanislaw Gruszka [Sat, 4 Jun 2011 14:48:54 +0000 (16:48 +0200)]
rt2x00: fix rmmod crash

Avoid queue and run autowakeup_work when device is not present anymore.
That prevent rmmod and device remove crash introduced by:

commit 1c0bcf89d85cc97a0d9ce4cd909351a81fa4fdde
Author: Ivo van Doorn <ivdoorn@gmail.com>
Date:   Sat Apr 30 17:18:18 2011 +0200

    rt2x00: Add autowake support for USB hardware

Signed-off-by: Stanislaw Gruszka <stf_xl@wp.pl>
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoiwlagn: use cts-to-self protection on 5000 adapters series
Stanislaw Gruszka [Thu, 26 May 2011 15:14:22 +0000 (17:14 +0200)]
iwlagn: use cts-to-self protection on 5000 adapters series

This patch fixes 802.11n stability and performance regression we have
since 2.6.35. It boost performance on my 5GHz N-only network from about
5MB/s to 8MB/s. Similar percentage boost can be observed on 2.4 GHz.

These are test results of 5x downloading of approximately 700MB iso
image:

vanilla: 5.27 5.22 4.94 4.47 5.31 ; avr 5.0420 std 0.35110
patched: 8.07 7.95 8.06 7.99 7.96 ; avr 8.0060 std 0.055946

This was achieved with NetworkManager configured to do not perform
periodical scans, by configuring constant BSSID. With periodical scans,
after some time, performance downgrade to unpatched driver level, like
in example below:

patched: 7.40 7.61 4.28 4.37 4.80 avr 5.6920 std 1.6683

However patch still make better here, since similar test on unpatched
driver make link disconnects with below messages after some time:

wlan1: authenticate with 00:23:69:35:d1:3f (try 1)
wlan1: authenticate with 00:23:69:35:d1:3f (try 2)
wlan1: authenticate with 00:23:69:35:d1:3f (try 3)
wlan1: authentication with 00:23:69:35:d1:3f timed out

On 2.6.35 kernel patch helps against connection hangs with messages:

iwlagn 0000:20:00.0: queue 10 stuck 3 time. Fw reload.
iwlagn 0000:20:00.0: On demand firmware reload
iwlagn 0000:20:00.0: Stopping AGG while state not ON or starting

Cc: stable@kernel.org # 2.6.35+
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Acked-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoRevert "mac80211: Skip tailroom reservation for full HW-crypto devices"
John W. Linville [Mon, 6 Jun 2011 18:35:27 +0000 (14:35 -0400)]
Revert "mac80211: Skip tailroom reservation for full HW-crypto devices"

This reverts commit aac6af5534fade2b18682a0b9efad1a6c04c34c6.

Conflicts:

net/mac80211/key.c

That commit has a race that causes a warning, as documented in the thread
here:

http://marc.info/?l=linux-wireless&m=130717684914101&w=2

Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agolibertas_sdio: handle spurious interrupts
Daniel Drake [Thu, 2 Jun 2011 23:13:26 +0000 (00:13 +0100)]
libertas_sdio: handle spurious interrupts

Commit 06e8935febe687e2a561707d4c7ca4245d261dbe adds an IRQ handling
optimization for single-function SDIO cards like this one, but at the
same time exposes a small hardware bug.

During hardware init, an interrupt is generated with (apparently) no
source. Previously, mmc threw this interrupt away, but now (due to the
optimization), the mmc layer passes this onto libertas, before it is ready
(and before it has enabled interrupts), causing a crash.

Work around this hardware bug by registering the IRQ handler later and
making it capable of handling interrupts with no cause. The change that
makes the IRQ handler registration happen later actually eliminates
the spurious interrupt as well.

Signed-off-by: Daniel Drake <dsd@laptop.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agomac80211: call dev_alloc_name before copying name to sdata
Thadeu Lima de Souza Cascardo [Thu, 2 Jun 2011 20:28:37 +0000 (17:28 -0300)]
mac80211: call dev_alloc_name before copying name to sdata

This partially reverts 1c5cae815d19ffe02bdfda1260949ef2b1806171, because
the netdev name is copied into sdata->name, which is used for debugging
messages, for example. Otherwise, we get messages like this:

wlan%d: authenticated

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@holoscopio.com>
Cc: Jiri Pirko <jpirko@redhat.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Johannes Berg <johannes@sipsolutions.net>
Cc: "John W. Linville" <linville@tuxdriver.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoiwlagn: fix channel switch locking
Stanislaw Gruszka [Thu, 2 Jun 2011 16:17:15 +0000 (18:17 +0200)]
iwlagn: fix channel switch locking

We use priv->mutex to avoid race conditions between iwl_chswitch_done()
and iwlagn_mac_channel_switch(), when marking channel switch in
progress. But iwl_chswitch_done() can be called in atomic context
from iwl_rx_csa() or with mutex already taken from iwlagn_commit_rxon().

These bugs were introduced by:

commit 79d07325502e73508f917475bc1617b60979dd94
Author: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Date:   Thu May 6 08:54:11 2010 -0700

    iwlwifi: support channel switch offload in driver

To fix remove mutex from iwl_chswitch_done() and use atomic bitops for
marking channel switch pending.

Also remove iwl2030_hw_channel_switch() since 2000 series adapters are
2.4GHz only devices.

Cc: stable@kernel.org # 2.6.36+
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Acked-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoath5k: Disable fast channel switching by default
Nick Kossifidis [Thu, 2 Jun 2011 00:09:48 +0000 (03:09 +0300)]
ath5k: Disable fast channel switching by default

Disable fast channel change by default on AR2413/AR5413 due to
some bug reports (it still works for me but it's better to be safe).
Add a module parameter "fastchanswitch" in case anyone wants to enable
it and play with it.

Signed-off-by: Nick Kossifidis <mickflemm@gmail.com>
Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agossb: fix PCI(e) driver regression causing oops on PCI cards
Rafał Miłecki [Wed, 1 Jun 2011 09:01:11 +0000 (11:01 +0200)]
ssb: fix PCI(e) driver regression causing oops on PCI cards

We were incorrectly executing PCIe specific workarounds on PCI cards.
This resulted in:
Machine check in kernel mode.
Caused by (from SRR1=149030): Transfer error ack signal
Oops: Machine check, sig: 7 [#1]

Reported-by: Andreas Schwab <schwab@linux-m68k.org>
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoiwl4965: correctly validate temperature value
Stanislaw Gruszka [Wed, 1 Jun 2011 15:17:57 +0000 (17:17 +0200)]
iwl4965: correctly validate temperature value

In some cases we can read wrong temperature value. If after that
temperature value will not be updated to good one, we badly configure
tx power parameters and device is unable to send a data.

Resolves:
https://bugzilla.kernel.org/show_bug.cgi?id=35932

Cc: stable@kernel.org # 2.6.39+
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agobluetooth l2cap: fix locking in l2cap_global_chan_by_psm
Johannes Berg [Wed, 1 Jun 2011 06:29:54 +0000 (08:29 +0200)]
bluetooth l2cap: fix locking in l2cap_global_chan_by_psm

read_lock() ... read_unlock_bh() is clearly bogus.
This was broken by

commit 23691d75cdc69c3b285211b4d77746aa20a17d18
Author: Gustavo F. Padovan <padovan@profusion.mobi>
Date:   Wed Apr 27 18:26:32 2011 -0300

    Bluetooth: Remove l2cap_sk_list

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoath9k: fix two more bugs in tx power
Daniel Halperin [Tue, 31 May 2011 18:59:30 +0000 (11:59 -0700)]
ath9k: fix two more bugs in tx power

This is the same fix as

   commit 841051602e3fa18ea468fe5a177aa92b6eb44b56
   Author: Matteo Croce <technoboy85@gmail.com>
   Date:   Fri Dec 3 02:25:08 2010 +0100

   The ath9k driver subtracts 3 dBm to the txpower as with two radios the
   signal power is doubled.
   The resulting value is assigned in an u16 which overflows and makes
   the card work at full power.

in two more places. I grepped the ath tree and didn't find any others.

Cc: stable@kernel.org
Signed-off-by: Daniel Halperin <dhalperi@cs.washington.edu>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agocfg80211: don't drop p2p probe responses
Eliad Peller [Sun, 29 May 2011 12:53:20 +0000 (15:53 +0300)]
cfg80211: don't drop p2p probe responses

Commit 0a35d36 ("cfg80211: Use capability info to detect mesh beacons")
assumed that probe response with both ESS and IBSS bits cleared
means that the frame was sent by a mesh sta.

However, these capabilities are also being used in the p2p_find phase,
and the mesh-validation broke it.

Rename the WLAN_CAPABILITY_IS_MBSS macro, and verify that mesh ies
exist before assuming this frame was sent by a mesh sta.

Signed-off-by: Eliad Peller <eliad@wizery.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoiwlagn: fix incorrect PCI subsystem id for 6150 devices
Wey-Yi Guy [Mon, 30 May 2011 16:32:52 +0000 (09:32 -0700)]
iwlagn: fix incorrect PCI subsystem id for 6150 devices

For 6150 devices, modify the supported PCI subsystem ID.

Cc: stable@kernel.org
Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agozd1211rw: fix to work on OHCI
Jussi Kivilinna [Mon, 30 May 2011 07:15:47 +0000 (10:15 +0300)]
zd1211rw: fix to work on OHCI

zd1211 devices register 'EP 4 OUT' endpoint as Interrupt type on USB 2.0:

      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x04  EP 4 OUT
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               1

However on USB 1.1 endpoint becomes Bulk:

      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x04  EP 4 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0

Commit 37939810b937aba830dd751291fcdc51cae1a6cb assumed that endpoint is
always interrupt type and changed usb_bulk_msg() calls to usb_interrupt_msg().

Problem here is that usb_bulk_msg() on interrupt endpoint selfcorrects the
call and changes requested pipe to interrupt type (see usb_bulk_msg).
However with usb_interrupt_msg() on bulk endpoint does not correct the
pipe type to bulk, but instead URB is submitted with interrupt type pipe.

So pre-2.6.39 used usb_bulk_msg() and therefore worked with both endpoint
types, however in 2.6.39 usb_interrupt_msg() with bulk endpoint causes
ohci_hcd to fail submitted URB instantly with -ENOSPC and preventing zd1211rw
from working with OHCI.

Fix this by detecting endpoint type and using correct endpoint/pipe types
for URB. Also fix asynchronous zd_usb_iowrite16v_async() to use right
URB type on 'EP 4 OUT'.

Cc: stable@kernel.org
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agowl12xx: fix oops in sched_scan when forcing a passive scan
Luciano Coelho [Fri, 27 May 2011 12:34:48 +0000 (15:34 +0300)]
wl12xx: fix oops in sched_scan when forcing a passive scan

Fix kernel oops when trying to use passive scheduled scans.  The
reason was that in passive scans there are no SSIDs, so there was a
NULL pointer dereference.

To solve the problem, we now check the number of SSIDs provided in the
sched_scan request and only access the list if there's one or more
(ie. passive scan is not forced).  We also force all the channels to
be passive by adding the IEEE80211_CHAN_PASSIVE_SCAN flag locally
before the checks in the wl1271_scan_get_sched_scan_channels()
function.

Signed-off-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agowl12xx: add separate config value for DFS dwell time on sched scan
Luciano Coelho [Fri, 27 May 2011 12:34:47 +0000 (15:34 +0300)]
wl12xx: add separate config value for DFS dwell time on sched scan

Use a different value for DFS dwell time when performing a scheduled
scan.  Previously we were using the same value as for normal passive
scans.  This adds some flexibility between these two different types
of passive scan.

For now we use 150 TUs for DFS channel dwell time.  This may need to
be fine-tuned in the future.

Signed-off-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agowl12xx: fix DFS channels handling in scheduled scan
Luciano Coelho [Fri, 27 May 2011 12:34:46 +0000 (15:34 +0300)]
wl12xx: fix DFS channels handling in scheduled scan

DFS channels were never getting included in the scheduled scans,
because they always contain the passive flag as well and the call was
asking for DFS and active channels.

Fix this by ignoring the passive flag when collecting DFS channels.
Also, move the DFS channels in the channel list before the 5GHz active
channels (this was implemented in the FW differently than specified).

Signed-off-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agowl12xx: fix passive and radar channel generation for scheduled scan
Luciano Coelho [Fri, 27 May 2011 12:34:45 +0000 (15:34 +0300)]
wl12xx: fix passive and radar channel generation for scheduled scan

We were comparing bitwise AND results with a boolean, so when the
boolean was set to true, it was not matching as it should.

Fix this by booleanizing the bitwise AND results with !!.

Signed-off-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agolibertas: Set command sequence number later to ensure consistency
Daniel Drake [Thu, 26 May 2011 20:31:08 +0000 (21:31 +0100)]
libertas: Set command sequence number later to ensure consistency

Before this patch, the command sequence number is being set before
lbs_queue_cmd() adds the command to the queue. However, lbs_queue_cmd()
sometimes forces commands to queue-jump (e.g. CMD_802_11_WAKEUP_CONFIRM).
It currently does this without considering that sequence numbers might need
adjusting to keep things running in order.

Fix this by setting the sequence number at a later stage, just before
we're actually submitting the command to the hardware. Also fixes a
possible race where seqnum was being modified outside of the driver
lock.

Signed-off-by: Daniel Drake <dsd@laptop.org>
Acked-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6 into...
John W. Linville [Fri, 27 May 2011 19:18:35 +0000 (15:18 -0400)]
Merge git://git./linux/kernel/git/linville/wireless-next-2.6 into for-davem

13 years agonet: Kill ratelimit.h dependency in linux/net.h
David S. Miller [Fri, 27 May 2011 17:41:33 +0000 (13:41 -0400)]
net: Kill ratelimit.h dependency in linux/net.h

Ingo Molnar noticed that we have this unnecessary ratelimit.h
dependency in linux/net.h, which hid compilation problems from
people doing builds only with CONFIG_NET enabled.

Move this stuff out to a seperate net/net_ratelimit.h file and
include that in the only two places where this thing is needed.

Signed-off-by: David S. Miller <davem@davemloft.net>
Acked-by: Ingo Molnar <mingo@elte.hu>
13 years agonet: Add linux/sysctl.h includes where needed.
David S. Miller [Thu, 26 May 2011 20:40:37 +0000 (16:40 -0400)]
net: Add linux/sysctl.h includes where needed.

Several networking headers were depending upon the implicit
linux/sysctl.h include they get when including linux/net.h

Add explicit includes.

Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agonet: Kill ether_table[] declaration.
David S. Miller [Thu, 26 May 2011 20:30:57 +0000 (16:30 -0400)]
net: Kill ether_table[] declaration.

This got missed back in 2006 when Jes Sorensen deleted
net/ethernet/sysctl_net_ether.c

Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoinetpeer: fix race in unused_list manipulations
Eric Dumazet [Thu, 26 May 2011 17:27:11 +0000 (17:27 +0000)]
inetpeer: fix race in unused_list manipulations

Several crashes in cleanup_once() were reported in recent kernels.

Commit d6cc1d642de9 (inetpeer: various changes) added a race in
unlink_from_unused().

One way to avoid taking unused_peers.lock before doing the list_empty()
test is to catch 0->1 refcnt transitions, using full barrier atomic
operations variants (atomic_cmpxchg() and atomic_inc_return()) instead
of previous atomic_inc() and atomic_add_unless() variants.

We then call unlink_from_unused() only for the owner of the 0->1
transition.

Add a new atomic_add_unless_return() static helper

With help from Arun Sharma.

Refs: https://bugzilla.kernel.org/show_bug.cgi?id=32772

Reported-by: Arun Sharma <asharma@fb.com>
Reported-by: Maximilian Engelhardt <maxi@daemonizer.de>
Reported-by: Yann Dupont <Yann.Dupont@univ-nantes.fr>
Reported-by: Denys Fedoryshchenko <denys@visp.net.lb>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoatm: expose ATM device index in sysfs
Dan Williams [Fri, 27 May 2011 04:51:54 +0000 (04:51 +0000)]
atm: expose ATM device index in sysfs

It's currently exposed only through /proc which, besides requiring
screen-scraping, doesn't allow userspace to distinguish between two
identical ATM adapters with different ATM indexes.  The ATM device index
is required when using PPPoATM on a system with multiple ATM adapters.

Signed-off-by: Dan Williams <dcbw@redhat.com>
Reviewed-by: Eric Dumazet <eric.dumazet@gmail.com>
Tested-by: David Woodhouse <dwmw2@infradead.org>
Cc: stable@kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoMerge branch 'pablo/nf-2.6-updates' of git://1984.lsi.us.es/net-2.6
David S. Miller [Fri, 27 May 2011 17:04:40 +0000 (13:04 -0400)]
Merge branch 'pablo/nf-2.6-updates' of git://1984.lsi.us.es/net-2.6

13 years agoath9k: Fix AR9287 calibration
Adrian Chadd [Thu, 26 May 2011 17:08:04 +0000 (01:08 +0800)]
ath9k: Fix AR9287 calibration

The AR9287 calibration code was not being called because of an
incorrect MAC revision check.
This forced the AR9287 to use the AR9285 initial calibration code and
bypass the AR9287 code entirely.

Signed-off-by: Adrian Chadd <adrian@freebsd.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agomac80211: Remove duplicate linux/slab.h include from net/mac80211/scan.c
Jesper Juhl [Thu, 26 May 2011 08:53:17 +0000 (10:53 +0200)]
mac80211: Remove duplicate linux/slab.h include from net/mac80211/scan.c

Commit 79f460ca49d8d5700756ab7071c951311c7f29cc add a duplicate
linux/slab.h include to net/mac80211/scan.c - remove it.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Acked-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agomac80211: clear local->ps_data on disassoc
Eliad Peller [Thu, 26 May 2011 08:46:37 +0000 (11:46 +0300)]
mac80211: clear local->ps_data on disassoc

local->ps_data wasn't cleared on disassociation, which
(in some corner cases) caused reconnections to enter
psm before association completed.

Signed-off-by: Eliad Peller <eliad@wizery.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agowireless: Default to 'n' for 2 new added devices in Kconfig.
Tao Ma [Wed, 25 May 2011 01:44:05 +0000 (09:44 +0800)]
wireless: Default to 'n' for 2 new added devices in Kconfig.

We make oldconfig every time when a new kernel arrives, but
if we don't have such a device(I guess this is the most common
case for a new device), the default value should be 'n' so
that the kernel size we build doesn't grow up too much quickly.
For anyone who has the device, it is OK for them to turn it on
by themselves.

Cc: "John W. Linville" <linville@tuxdriver.com>
Cc: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Tao Ma <boyu.mt@taobao.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoiwl4965: fix 5GHz operation
Stanislaw Gruszka [Tue, 24 May 2011 14:28:55 +0000 (16:28 +0200)]
iwl4965: fix 5GHz operation

rx_status.band is used uninitialized, what disallow to work on 5GHz .

Cc: stable@kernel.org # 2.6.39+
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoIPVS: bug in ip_vs_ftp, same list heaad used in all netns.
Hans Schillstrom [Tue, 24 May 2011 12:11:05 +0000 (14:11 +0200)]
IPVS: bug in ip_vs_ftp, same list heaad used in all netns.

When ip_vs was adapted to netns the ftp application was not adapted
in a correct way.
However this is a fix to avoid kernel errors. In the long term another solution
might be chosen.  I.e the ports that the ftp appl, uses should be per netns.

Signed-off-by: Hans Schillstrom <hans.schillstrom@ericsson.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
13 years agomac80211: stop queues before rate control updation
Rajkumar Manoharan [Fri, 20 May 2011 12:22:15 +0000 (17:52 +0530)]
mac80211: stop queues before rate control updation

Stop tx queues before updating rate control to ensure
proper rate selection. Otherwise packets can be transmitted
in 40 Mhz whereas hw is configured in HT20.

Signed-off-by: Rajkumar Manoharan <rmanoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoath9k: set 40 Mhz rate only if hw is configured in ht40
Rajkumar Manoharan [Fri, 20 May 2011 12:22:14 +0000 (17:52 +0530)]
ath9k: set 40 Mhz rate only if hw is configured in ht40

Whenever there is a channel width change from 40 Mhz to 20 Mhz,
the hardware is reconfigured to ht20. Meantime before doing
the rate control updation, the packets are being transmitted are
selected rate with IEEE80211_TX_RC_40_MHZ_WIDTH.

While transmitting ht40 rate packets in ht20 mode is causing
baseband panic with AR9003 based chips.

==== BB update: BB status=0x02001109 ====
ath: ** BB state: wd=1 det=1 rdar=0 rOFDM=1 rCCK=1 tOFDM=0 tCCK=0 agc=2
src=0 **
ath: ** BB WD cntl: cntl1=0xffff0085 cntl2=0x00000004 **
ath: ** BB mode: BB_gen_controls=0x000033c0 **
ath: ** BB busy times: rx_clear=99%, rx_frame=0%, tx_frame=0% **
ath: ==== BB update: done ====

Cc: stable@kernel.org
Signed-off-by: Rajkumar Manoharan <rmanoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoath9k_hw: disable phy restart on baseband panic caused by RXSM
Rajkumar Manoharan [Fri, 20 May 2011 12:22:13 +0000 (17:52 +0530)]
ath9k_hw: disable phy restart on baseband panic caused by RXSM

While receiving unsupported rate frame rx state machine
gets into a state 0xb and if phy_restart happens in that
state, BB would go hang. If RXSM is in 0xb state after
first bb panic, ensure to disable the phy_restart.

Signed-off-by: Rajkumar Manoharan <rmanoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoath9k: Reset chip on baseband hang
Rajkumar Manoharan [Fri, 20 May 2011 12:22:10 +0000 (17:52 +0530)]
ath9k: Reset chip on baseband hang

Resetting hardware helps to recover from baseband
hang/panic for AR9003 based chips.

Cc: stable@kernel.org
Signed-off-by: Rajkumar Manoharan <rmanoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agob43: N-PHY: initialize last var in calibration function
Rafał Miłecki [Thu, 19 May 2011 23:04:46 +0000 (01:04 +0200)]
b43: N-PHY: initialize last var in calibration function

Reported-by: Larry Finger <larry.finger@lwfinger.net>
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agortlwifi: Use order 2 RX buffer allocation only if necessary
Larry Finger [Thu, 19 May 2011 16:48:45 +0000 (11:48 -0500)]
rtlwifi: Use order 2 RX buffer allocation only if necessary

Although a previous fix handles the kernel panics that result from
failure to allocate a new RX buffer, memory fragmentation can be
reduced if the amsdu_8k capability is disabled as new buffers need only
be of O(0), not O(2).

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agortlwifi: Fix kernel panic resulting from RX buffer allocation failure
Larry Finger [Thu, 19 May 2011 15:17:04 +0000 (10:17 -0500)]
rtlwifi: Fix kernel panic resulting from RX buffer allocation failure

To handle amsdu_8k capability, the PCI routine of this driver must
allocate receive buffers of order 2. Under heavy load, this causes
fragmentation of memory. The present code releases the current buffer
before checking to see if a new one is availble. Recovery from
allocation failures is not possible, which results in kernel panics.

The fix is to reorder the code to check that a new buffer can be
allocated before the old one is released. If not possible, the
received frame is dropped and the old one is reused. Without this
change, it is impossible to transfer a 2 GB file without a kernel panic.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Stable <stable@vger.kernel.org> [2.6.{37,38,39}]
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agonl80211: fix check for valid SSID size in scan operations
Luciano Coelho [Wed, 18 May 2011 21:43:38 +0000 (00:43 +0300)]
nl80211: fix check for valid SSID size in scan operations

In both trigger_scan and sched_scan operations, we were checking for
the SSID length before assigning the value correctly.  Since the
memory was just kzalloc'ed, the check was always failing and SSID with
over 32 characters were allowed to go through.

This was causing a buffer overflow when copying the actual SSID to the
proper place.

This bug has been there since 2.6.29-rc4.

Cc: stable@kernel.org
Signed-off-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agomwifiex: correct event header length
Yogesh Ashok Powar [Wed, 18 May 2011 19:02:03 +0000 (12:02 -0700)]
mwifiex: correct event header length

While decoding received event packet from firmware, 4 bytes
of interface header are already removed unconditionally.
So for handling event only 4 more bytes needs to be pulled.
This is achieved by changing event header length to 4.

Almost all the events, except BA stream related and AMSDU
aggregation control events, do not have the payload in their
event skb. Such events handling depends only on the event ID.
This event ID is the first four bytes of the event skb, which
is copied to a separate variable before pulling the skb header.
Hence event handling worked only for those events that didn't
have payload in event skb.

This patch fixes the broken event path of the events with
payload in their event skb without harming existing working
event path for the events without payload.

Signed-off-by: Yogesh Ashok Powar <yogeshp@marvell.com>
Signed-off-by: Kiran Divekar <dkiran@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agobug.h: Move ratelimit warn interfaces to ratelimit.h
David S. Miller [Thu, 26 May 2011 19:00:31 +0000 (15:00 -0400)]
bug.h: Move ratelimit warn interfaces to ratelimit.h

As reported by Ingo Molnar, we still have configuration combinations
where use of the WARN_RATELIMIT interfaces break the build because
dependencies don't get met.

Instead of going down the long road of trying to make it so that
ratelimit.h can get included by kernel.h or asm-generic/bug.h,
just move the interface into ratelimit.h and make users have
to include that.

Reported-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Acked-by: Randy Dunlap <randy.dunlap@oracle.com>
13 years agobonding: cleanup module option descriptions
Andy Gospodarek [Wed, 25 May 2011 04:41:59 +0000 (04:41 +0000)]
bonding: cleanup module option descriptions

Weiping Pan noticed that the module option description for
xmit_hash_policy was incorrect and was nice enough to post a patch to
fix it.  The text was correct, but created a line over 80 characters and
I would rather not add those.  I realized I could take a few minutes and
clean up all the descriptions and things would look much better.  This
is the result.

Based on patch from Weiping Pan <panweiping3@gmail.com>.

Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
CC: Weiping Pan <panweiping3@gmail.com>
Reviewed-by: Weiping Pan <panweiping3@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agonet:8021q:vlan.c Fix pr_info to just give the vlan fullname and version.
Justin Mattock [Mon, 23 May 2011 20:43:48 +0000 (20:43 +0000)]
net:8021q:vlan.c Fix pr_info to just give the vlan fullname and version.

The below patch removes vlan_buggyright and vlan_copyright from vlan_proto_init,
so that it prints out just the fullname of vlan and the version number.

before:

[   30.438203] 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
[   30.441542] All bugs added by David S. Miller <davem@redhat.com>

after:

[   31.513910] 802.1Q VLAN Support v1.8

Signed-off-by: Justin P. Mattock <justinmattock@gmail.com>
CC: Joe Perches <joe@perches.com>
CC: David S. Miller <davem@davemloft.net>
CC: Ben Greear <greearb@candelatech.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agonet: davinci_emac: fix dev_err use at probe
Johan Hovold [Thu, 26 May 2011 04:37:32 +0000 (04:37 +0000)]
net: davinci_emac: fix dev_err use at probe

Use platform device rather than net device in dev_err calls before net
device has been registered to avoid messages such as

(null): DaVinci EMAC: Failed to get EMAC clock

Also replace remaining printks in probe with dev_{err,warn}.

Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agocan: convert to %pK for kptr_restrict support
Oliver Hartkopp [Thu, 26 May 2011 04:57:53 +0000 (04:57 +0000)]
can: convert to %pK for kptr_restrict support

As these pointers have been printed without using %p they were missed in the
big network kptr_restrict conversion patch %p -> %pK from Dan Rosenberg.

Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agonet: fix ETHTOOL_SFEATURES compatibility with old ethtool_ops.set_flags
Michał Mirosław [Thu, 26 May 2011 00:42:57 +0000 (00:42 +0000)]
net: fix ETHTOOL_SFEATURES compatibility with old ethtool_ops.set_flags

Current code squashes flags to bool - this makes set_flags fail whenever
some ETH_FLAG_* equivalent features are set. Fix this.

Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agonetfilter: Fix several warnings in compat_mtw_from_user().
David Miller [Thu, 19 May 2011 22:14:39 +0000 (18:14 -0400)]
netfilter: Fix several warnings in compat_mtw_from_user().

Kill set but not used 'entry_offset'.

Add a default case to the switch statement so the compiler
can see that we always initialize off and size_kern before
using them.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
13 years agonetfilter: ipset: fix ip_set_flush return code
Jozsef Kadlecsik [Tue, 24 May 2011 08:20:19 +0000 (10:20 +0200)]
netfilter: ipset: fix ip_set_flush return code

ip_set_flush returned -EPROTO instead of -IPSET_ERR_PROTOCOL, fixed

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
13 years agonetfilter: ipset: remove unused variable from type_pf_tdel()
Jozsef Kadlecsik [Tue, 24 May 2011 08:20:18 +0000 (10:20 +0200)]
netfilter: ipset: remove unused variable from type_pf_tdel()

Variable 'ret' is set in type_pf_tdel() but not used, remove.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
13 years agonetfilter: ipset: Use proper timeout value to jiffies conversion
Jozsef Kadlecsik [Tue, 24 May 2011 08:20:17 +0000 (10:20 +0200)]
netfilter: ipset: Use proper timeout value to jiffies conversion

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
13 years agobonding: documentation and code cleanup for resend_igmp
Flavio Leitner [Wed, 25 May 2011 08:38:58 +0000 (08:38 +0000)]
bonding: documentation and code cleanup for resend_igmp

Improves the documentation about how IGMP resend parameter
works, fix two missing checks and coding style issues.

Signed-off-by: Flavio Leitner <fbl@redhat.com>
Acked-by: Rick Jones <rick.jones2@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agobonding: prevent deadlock on slave store with alb mode (v3)
Neil Horman [Wed, 25 May 2011 08:13:01 +0000 (08:13 +0000)]
bonding: prevent deadlock on slave store with alb mode (v3)

This soft lockup was recently reported:

[root@dell-per715-01 ~]# echo +bond5 > /sys/class/net/bonding_masters
[root@dell-per715-01 ~]# echo +eth1 > /sys/class/net/bond5/bonding/slaves
bonding: bond5: doing slave updates when interface is down.
bonding bond5: master_dev is not up in bond_enslave
[root@dell-per715-01 ~]# echo -eth1 > /sys/class/net/bond5/bonding/slaves
bonding: bond5: doing slave updates when interface is down.

BUG: soft lockup - CPU#12 stuck for 60s! [bash:6444]
CPU 12:
Modules linked in: bonding autofs4 hidp rfcomm l2cap bluetooth lockd sunrpc
be2d
Pid: 6444, comm: bash Not tainted 2.6.18-262.el5 #1
RIP: 0010:[<ffffffff80064bf0>]  [<ffffffff80064bf0>]
.text.lock.spinlock+0x26/00
RSP: 0018:ffff810113167da8  EFLAGS: 00000286
RAX: ffff810113167fd8 RBX: ffff810123a47800 RCX: 0000000000ff1025
RDX: 0000000000000000 RSI: ffff810123a47800 RDI: ffff81021b57f6f8
RBP: ffff81021b57f500 R08: 0000000000000000 R09: 000000000000000c
R10: 00000000ffffffff R11: ffff81011d41c000 R12: ffff81021b57f000
R13: 0000000000000000 R14: 0000000000000282 R15: 0000000000000282
FS:  00002b3b41ef3f50(0000) GS:ffff810123b27940(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00002b3b456dd000 CR3: 000000031fc60000 CR4: 00000000000006e0

Call Trace:
 [<ffffffff80064af9>] _spin_lock_bh+0x9/0x14
 [<ffffffff886937d7>] :bonding:tlb_clear_slave+0x22/0xa1
 [<ffffffff8869423c>] :bonding:bond_alb_deinit_slave+0xba/0xf0
 [<ffffffff8868dda6>] :bonding:bond_release+0x1b4/0x450
 [<ffffffff8006457b>] __down_write_nested+0x12/0x92
 [<ffffffff88696ae4>] :bonding:bonding_store_slaves+0x25c/0x2f7
 [<ffffffff801106f7>] sysfs_write_file+0xb9/0xe8
 [<ffffffff80016b87>] vfs_write+0xce/0x174
 [<ffffffff80017450>] sys_write+0x45/0x6e
 [<ffffffff8005d28d>] tracesys+0xd5/0xe0

It occurs because we are able to change the slave configuarion of a bond while
the bond interface is down.  The bonding driver initializes some data structures
only after its ndo_open routine is called.  Among them is the initalization of
the alb tx and rx hash locks.  So if we add or remove a slave without first
opening the bond master device, we run the risk of trying to lock/unlock a
spinlock that has garbage for data in it, which results in our above softlock.

Note that sometimes this works, because in many cases an unlocked spinlock has
the raw_lock parameter initialized to zero (meaning that the kzalloc of the
net_device private data is equivalent to calling spin_lock_init), but thats not
true in all cases, and we aren't guaranteed that condition, so we need to pass
the relevant spinlocks through the spin_lock_init function.

Fix it by moving the spin_lock_init calls for the tx and rx hashtable locks to
the ndo_init path, so they are ready for use by the bond_store_slaves path.

Change notes:
v2) Based on conversation with Jay and Nicolas it seems that the ability to
enslave devices while the bond master is down should be safe to do.  As such
this is an outlier bug, and so instead we'll just initalize the errant spinlocks
in the init path rather than the open path, solving the problem.  We'll also
remove the warnings about the bond being down during enslave operations, since
it should be safe

v3) Fix spelling error

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Reported-by: jtluka@redhat.com
CC: Jay Vosburgh <fubar@us.ibm.com>
CC: Andy Gospodarek <andy@greyhouse.net>
CC: nicolas.2p.debian@gmail.com
CC: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agonet: hold rtnl again in dump callbacks
Eric Dumazet [Wed, 25 May 2011 07:34:04 +0000 (07:34 +0000)]
net: hold rtnl again in dump callbacks

Commit e67f88dd12f6 (dont hold rtnl mutex during netlink dump callbacks)
missed fact that rtnl_fill_ifinfo() must be called with rtnl held.

Because of possible deadlocks between two mutexes (cb_mutex and rtnl),
its not easy to solve this problem, so revert this part of the patch.

It also forgot one rcu_read_unlock() in FIB dump_rules()

Add one ASSERT_RTNL() in rtnl_fill_ifinfo() to remind us the rule.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: Patrick McHardy <kaber@trash.net>
CC: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoAdd Fujitsu 1000base-SX PCI ID to tg3
Meelis Roos [Wed, 25 May 2011 05:43:47 +0000 (05:43 +0000)]
Add Fujitsu 1000base-SX PCI ID to tg3

This patch adds the PCI ID of Fujitsu 1000base-SX NIC to tg3 driver.
Tested to detect the card, MAC and serdes, not tested with link at the
moment since I have no fiber switch here. I did not add new constants to
the pci_ids.h header file since these constants are used only here.

Signed-off-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: David S. Miller <davem@davemloft.net>