ath5k: Fix loop variable initializations
authorBob Copeland <me@bobcopeland.com>
Tue, 13 May 2008 01:16:44 +0000 (21:16 -0400)
committerJohn W. Linville <linville@tuxdriver.com>
Tue, 20 May 2008 21:48:12 +0000 (17:48 -0400)
In ath5k_tasklet_rx, both status structures 'rxs' and 'rs' are
initialized at the top of the tasklet, but not within the loop.
If the loop is executed multiple times in the tasklet then the
variables may see changes from previous packets.

For TKIP, this results in 'Invalid Michael MIC' errors if two packets
are processed in the tasklet: rxs.flag gets set to RX_DECRYPTED by
mac80211 when it decrypts the first encrypted packet.  The subsequent
packet will have RX_DECRYPTED set upon entry to mac80211, so mac80211
will not try to decrypt it.

We currently initialize all but two fields in the structures, so fix
the other two.

Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
drivers/net/wireless/ath5k/base.c
drivers/net/wireless/ath5k/hw.c

index 4e5c8fc35200a8b0abcaaefe4e8148cf85cb20b5..635b9ac9aaa17589e40f41e7c455ecffc2558357 100644 (file)
@@ -1787,6 +1787,8 @@ ath5k_tasklet_rx(unsigned long data)
 
        spin_lock(&sc->rxbuflock);
        do {
+               rxs.flag = 0;
+
                if (unlikely(list_empty(&sc->rxbuf))) {
                        ATH5K_WARN(sc, "empty rx buf pool\n");
                        break;
index 5fb1ae6ad3e23edb6357a2da5a8610539e8e4a10..77990b56860b9109caaa978b451c7898406f2092 100644 (file)
@@ -4119,6 +4119,7 @@ static int ath5k_hw_proc_5210_rx_status(struct ath5k_hw *ah,
        rs->rs_tstamp = AR5K_REG_MS(rx_status->rx_status_1,
                AR5K_5210_RX_DESC_STATUS1_RECEIVE_TIMESTAMP);
        rs->rs_status = 0;
+       rs->rs_phyerr = 0;
 
        /*
         * Key table status
@@ -4145,7 +4146,7 @@ static int ath5k_hw_proc_5210_rx_status(struct ath5k_hw *ah,
                if (rx_status->rx_status_1 &
                                AR5K_5210_RX_DESC_STATUS1_PHY_ERROR) {
                        rs->rs_status |= AR5K_RXERR_PHY;
-                       rs->rs_phyerr = AR5K_REG_MS(rx_status->rx_status_1,
+                       rs->rs_phyerr |= AR5K_REG_MS(rx_status->rx_status_1,
                                           AR5K_5210_RX_DESC_STATUS1_PHY_ERROR);
                }
 
@@ -4193,6 +4194,7 @@ static int ath5k_hw_proc_5212_rx_status(struct ath5k_hw *ah,
        rs->rs_tstamp = AR5K_REG_MS(rx_status->rx_status_1,
                AR5K_5212_RX_DESC_STATUS1_RECEIVE_TIMESTAMP);
        rs->rs_status = 0;
+       rs->rs_phyerr = 0;
 
        /*
         * Key table status
@@ -4215,7 +4217,7 @@ static int ath5k_hw_proc_5212_rx_status(struct ath5k_hw *ah,
                if (rx_status->rx_status_1 &
                                AR5K_5212_RX_DESC_STATUS1_PHY_ERROR) {
                        rs->rs_status |= AR5K_RXERR_PHY;
-                       rs->rs_phyerr = AR5K_REG_MS(rx_err->rx_error_1,
+                       rs->rs_phyerr |= AR5K_REG_MS(rx_err->rx_error_1,
                                           AR5K_RX_DESC_ERROR1_PHY_ERROR_CODE);
                }