GitHub/moto-9609/android_kernel_motorola_exynos9610.git
13 years agomac80211: fill rate filter for internal scan requests
Simon Wunderlich [Wed, 30 Nov 2011 15:56:30 +0000 (16:56 +0100)]
mac80211: fill rate filter for internal scan requests

The rates bitmap for internal scan requests shoud be filled,
otherwise there will be probe requests with zero rates supported.

Signed-off-by: Simon Wunderlich <siwu@hrz.tu-chemnitz.de>
Signed-off-by: Mathias Kretschmer <mathias.kretschmer@fokus.fraunhofer.de>
Cc: stable@vger.kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agocfg80211: amend regulatory NULL dereference fix
Luis R. Rodriguez [Mon, 28 Nov 2011 21:47:16 +0000 (16:47 -0500)]
cfg80211: amend regulatory NULL dereference fix

Johannes' patch for "cfg80211: fix regulatory NULL dereference"
broke user regulaotry hints and it did not address the fact that
last_request was left populated even if the previous regulatory
hint was stale due to the wiphy disappearing.

Fix user reguluatory hints by only bailing out if for those
regulatory hints where a request_wiphy is expected. The stale last_request
considerations are addressed through the previous fixes on last_request
where we reset the last_request to a static world regdom request upon
reset_regdomains(). In this case though we further enhance the effect
by simply restoring reguluatory settings completely.

Cc: stable@vger.kernel.org
Cc: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com>
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agocfg80211: fix race on init and driver registration
Luis R. Rodriguez [Mon, 28 Nov 2011 21:47:15 +0000 (16:47 -0500)]
cfg80211: fix race on init and driver registration

There is a theoretical race that if hit will trigger
a crash. The race is between when we issue the first
regulatory hint, regulatory_hint_core(), gets processed
by the workqueue and between when the first device
gets registered to the wireless core. This is not easy
to reproduce but it was easy to do so through the
regulatory simulator I have been working on. This
is a port of the fix I implemented there [1].

[1] https://github.com/mcgrof/regsim/commit/a246ccf81f059cb662eee288aa13100f631e4cc8

Cc: stable@vger.kernel.org
Cc: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agomac80211: fix race between the AGG SM and the Tx data path
Emmanuel Grumbach [Sun, 27 Nov 2011 13:29:44 +0000 (15:29 +0200)]
mac80211: fix race between the AGG SM and the Tx data path

When a packet is supposed to sent be as an a-MPDU, mac80211 sets
IEEE80211_TX_CTL_AMPDU to let the driver know. On the other
hand, mac80211 configures the driver for aggregration with the
ampdu_action callback.
There is race between these two mechanisms since the following
scenario can occur when the BA agreement is torn down:

Tx softIRQ   drv configuration
========== =================

check OPERATIONAL bit
Set the TX_CTL_AMPDU bit in the packet

clear OPERATIONAL bit
stop Tx AGG
Pass Tx packet to the driver.

In that case the driver would get a packet with TX_CTL_AMPDU set
although it has already been notified that the BA session has been
torn down.

To fix this, we need to synchronize all the Qdisc activity after we
cleared the OPERATIONAL bit. After that step, all the following
packets will be buffered until the driver reports it is ready to get
new packets for this RA / TID. This buffering allows not to run into
another race that would send packets with TX_CTL_AMPDU unset while
the driver hasn't been requested to tear down the BA session yet.

This race occurs in practice and iwlwifi complains with a WARN_ON
when it happens.

Cc: stable@kernel.org
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agomac80211: fix race condition caused by late addBA response
Nikolay Martynov [Mon, 28 Nov 2011 08:18:00 +0000 (09:18 +0100)]
mac80211: fix race condition caused by late addBA response

If addBA responses comes in just after addba_resp_timer has
expired mac80211 will still accept it and try to open the
aggregation session. This causes drivers to be confused and
in some cases even crash.

This patch fixes the race condition and makes sure that if
addba_resp_timer has expired addBA response is not longer
accepted and we do not try to open half-closed session.

Cc: stable@vger.kernel.org
Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
[some adjustments]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoath9k: Revert change that broke AR928X on Acer Ferrari One
Rafael J. Wysocki [Sat, 26 Nov 2011 22:37:43 +0000 (23:37 +0100)]
ath9k: Revert change that broke AR928X on Acer Ferrari One

Revert a hunk in drivers/net/wireless/ath/ath9k/hw.c introduced by
commit 2577c6e8f2320f1d2f09be122efef5b9118efee4 (ath9k_hw: Add
support for AR946/8x chipsets) that caused a nasty regression to
appear on my Acer Ferrari One (the box locks up entirely at random
times after the wireless has been started without any way to get
debug information out of it).

Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agortlwifi: fix lps_lock deadlock
Stanislaw Gruszka [Mon, 28 Nov 2011 09:33:40 +0000 (10:33 +0100)]
rtlwifi: fix lps_lock deadlock

rtl_lps_leave can be called from interrupt context, so we have to
disable interrupts when taking lps_lock.

Below is full lockdep info about deadlock:

[   93.815269] =================================
[   93.815390] [ INFO: inconsistent lock state ]
[   93.815472] 2.6.41.1-3.offch.fc15.x86_64.debug #1
[   93.815556] ---------------------------------
[   93.815635] inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
[   93.815743] swapper/0 [HC0[0]:SC1[1]:HE1:SE0] takes:
[   93.815832]  (&(&rtlpriv->locks.lps_lock)->rlock){+.?...}, at: [<ffffffffa025dad6>] rtl_lps_leave+0x26/0x103 [rtlwifi]
[   93.815947] {SOFTIRQ-ON-W} state was registered at:
[   93.815947]   [<ffffffff8108e10d>] __lock_acquire+0x369/0xd0c
[   93.815947]   [<ffffffff8108efb3>] lock_acquire+0xf3/0x13e
[   93.815947]   [<ffffffff814e981d>] _raw_spin_lock+0x45/0x79
[   93.815947]   [<ffffffffa025de34>] rtl_swlps_rf_awake+0x5a/0x76 [rtlwifi]
[   93.815947]   [<ffffffffa025aec0>] rtl_op_config+0x12a/0x32a [rtlwifi]
[   93.815947]   [<ffffffffa01d614b>] ieee80211_hw_config+0x124/0x129 [mac80211]
[   93.815947]   [<ffffffffa01e0af3>] ieee80211_dynamic_ps_disable_work+0x32/0x47 [mac80211]
[   93.815947]   [<ffffffff81075aa5>] process_one_work+0x205/0x3e7
[   93.815947]   [<ffffffff81076753>] worker_thread+0xda/0x15d
[   93.815947]   [<ffffffff8107a119>] kthread+0xa8/0xb0
[   93.815947]   [<ffffffff814f3184>] kernel_thread_helper+0x4/0x10
[   93.815947] irq event stamp: 547822
[   93.815947] hardirqs last  enabled at (547822): [<ffffffff814ea1a7>] _raw_spin_unlock_irqrestore+0x45/0x61
[   93.815947] hardirqs last disabled at (547821): [<ffffffff814e9987>] _raw_spin_lock_irqsave+0x22/0x8e
[   93.815947] softirqs last  enabled at (547790): [<ffffffff810623ed>] _local_bh_enable+0x13/0x15
[   93.815947] softirqs last disabled at (547791): [<ffffffff814f327c>] call_softirq+0x1c/0x30
[   93.815947]
[   93.815947] other info that might help us debug this:
[   93.815947]  Possible unsafe locking scenario:
[   93.815947]
[   93.815947]        CPU0
[   93.815947]        ----
[   93.815947]   lock(&(&rtlpriv->locks.lps_lock)->rlock);
[   93.815947]   <Interrupt>
[   93.815947]     lock(&(&rtlpriv->locks.lps_lock)->rlock);
[   93.815947]
[   93.815947]  *** DEADLOCK ***
[   93.815947]
[   93.815947] no locks held by swapper/0.
[   93.815947]
[   93.815947] stack backtrace:
[   93.815947] Pid: 0, comm: swapper Not tainted 2.6.41.1-3.offch.fc15.x86_64.debug #1
[   93.815947] Call Trace:
[   93.815947]  <IRQ>  [<ffffffff814dfd00>] print_usage_bug+0x1e7/0x1f8
[   93.815947]  [<ffffffff8101a849>] ? save_stack_trace+0x2c/0x49
[   93.815947]  [<ffffffff8108d55c>] ? print_irq_inversion_bug.part.18+0x1a0/0x1a0
[   93.815947]  [<ffffffff8108dc8a>] mark_lock+0x106/0x220
[   93.815947]  [<ffffffff8108e099>] __lock_acquire+0x2f5/0xd0c
[   93.815947]  [<ffffffff810152af>] ? native_sched_clock+0x34/0x36
[   93.830125]  [<ffffffff810152ba>] ? sched_clock+0x9/0xd
[   93.830125]  [<ffffffff81080181>] ? sched_clock_local+0x12/0x75
[   93.830125]  [<ffffffffa025dad6>] ? rtl_lps_leave+0x26/0x103 [rtlwifi]
[   93.830125]  [<ffffffff8108efb3>] lock_acquire+0xf3/0x13e
[   93.830125]  [<ffffffffa025dad6>] ? rtl_lps_leave+0x26/0x103 [rtlwifi]
[   93.830125]  [<ffffffff814e981d>] _raw_spin_lock+0x45/0x79
[   93.830125]  [<ffffffffa025dad6>] ? rtl_lps_leave+0x26/0x103 [rtlwifi]
[   93.830125]  [<ffffffff81422467>] ? skb_dequeue+0x62/0x6d
[   93.830125]  [<ffffffffa025dad6>] rtl_lps_leave+0x26/0x103 [rtlwifi]
[   93.830125]  [<ffffffffa025f677>] _rtl_pci_ips_leave_tasklet+0xe/0x10 [rtlwifi]
[   93.830125]  [<ffffffff8106281f>] tasklet_action+0x8d/0xee
[   93.830125]  [<ffffffff810629ce>] __do_softirq+0x112/0x25a
[   93.830125]  [<ffffffff814f327c>] call_softirq+0x1c/0x30
[   93.830125]  [<ffffffff81010bf6>] do_softirq+0x4b/0xa1
[   93.830125]  [<ffffffff81062d7d>] irq_exit+0x5d/0xcf
[   93.830125]  [<ffffffff814f3b7e>] do_IRQ+0x8e/0xa5
[   93.830125]  [<ffffffff814ea533>] common_interrupt+0x73/0x73
[   93.830125]  <EOI>  [<ffffffff8108b825>] ? trace_hardirqs_off+0xd/0xf
[   93.830125]  [<ffffffff812bb6d5>] ? intel_idle+0xe5/0x10c
[   93.830125]  [<ffffffff812bb6d1>] ? intel_idle+0xe1/0x10c
[   93.830125]  [<ffffffff813f8d5e>] cpuidle_idle_call+0x11c/0x1fe
[   93.830125]  [<ffffffff8100e2ef>] cpu_idle+0xab/0x101
[   93.830125]  [<ffffffff814c6373>] rest_init+0xd7/0xde
[   93.830125]  [<ffffffff814c629c>] ? csum_partial_copy_generic+0x16c/0x16c
[   93.830125]  [<ffffffff81d4bbb0>] start_kernel+0x3dd/0x3ea
[   93.830125]  [<ffffffff81d4b2c4>] x86_64_start_reservations+0xaf/0xb3
[   93.830125]  [<ffffffff81d4b140>] ? early_idt_handlers+0x140/0x140
[   93.830125]  [<ffffffff81d4b3ca>] x86_64_start_kernel+0x102/0x111

Resolves:
https://bugzilla.redhat.com/show_bug.cgi?id=755154

Reported-by: vjain02@students.poly.edu
Reported-and-tested-by: Oliver Paukstadt <pstadt@sourcentral.org>
Cc: stable@vger.kernel.org
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agomac80211: don't stop a single aggregation session twice
Johannes Berg [Thu, 24 Nov 2011 19:06:14 +0000 (20:06 +0100)]
mac80211: don't stop a single aggregation session twice

Nikolay noticed (by code review) that mac80211 can
attempt to stop an aggregation session while it is
already being stopped. So to fix it, check whether
stop is already being done and bail out if so.

Also move setting the STOPPING state into the lock
so things are properly atomic.

Cc: stable@vger.kernel.org
Reported-by: Nikolay Martynov <mar.kolya@gmail.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agonl80211: fix MAC address validation
Eliad Peller [Thu, 24 Nov 2011 16:13:56 +0000 (18:13 +0200)]
nl80211: fix MAC address validation

MAC addresses have a fixed length. The current
policy allows passing < ETH_ALEN bytes, which
might result in reading beyond the buffer.

Cc: stable@vger.kernel.org
Signed-off-by: Eliad Peller <eliad@wizery.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoRevert "rt2800pci: handle spurious interrupts"
John W. Linville [Tue, 22 Nov 2011 21:38:19 +0000 (16:38 -0500)]
Revert "rt2800pci: handle spurious interrupts"

This reverts commit 4ba7d9997869d25bd223dea7536fc1ce9fab3b3b.

The original patch was a misguided attempt to improve performance on
some hardware that is apparently prone to spurious interrupt generation.

Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoRevert "rt2x00: handle spurious pci interrupts"
John W. Linville [Tue, 22 Nov 2011 21:36:35 +0000 (16:36 -0500)]
Revert "rt2x00: handle spurious pci interrupts"

This reverts commit 23085d5796561625db4143a671f1de081f66ef08.

The original patch was a misguided attempt to improve performance on
some hardware that is apparently prone to spurious interrupt generation.

Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoprism54: potential memory corruption in prism54_get_essid()
Dan Carpenter [Mon, 21 Nov 2011 14:47:13 +0000 (17:47 +0300)]
prism54: potential memory corruption in prism54_get_essid()

"dwrq->length" is the capped version of "essid->length".

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agocfg80211: fix regulatory NULL dereference
Johannes Berg [Mon, 21 Nov 2011 09:44:00 +0000 (10:44 +0100)]
cfg80211: fix regulatory NULL dereference

By the time userspace returns with a response to
the regulatory domain request, the wiphy causing
the request might have gone away. If this is so,
reject the update but mark the request as having
been processed anyway.

Cc: Luis R. Rodriguez <lrodriguez@qca.qualcomm.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agomac80211: Fix endian bug in radiotap header generation
Helmut Schaa [Fri, 18 Nov 2011 16:02:16 +0000 (17:02 +0100)]
mac80211: Fix endian bug in radiotap header generation

I intoduced this bug in commit a2fe81667410723d941a688e1958a49d67ca3346
"mac80211: Build TX radiotap header dynamically"

Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agomac80211: Fix AMSDU rate printout in debugfs.
Ben Greear [Thu, 17 Nov 2011 22:53:36 +0000 (14:53 -0800)]
mac80211: Fix AMSDU rate printout in debugfs.

It was flipped.  See section 7.3.2.56 of the 802.11n
spec for details.

Signed-off-by: Ben Greear <greearb@candelatech.com>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agop54spi: Fix workqueue deadlock
Michael Büsch [Wed, 16 Nov 2011 22:55:46 +0000 (23:55 +0100)]
p54spi: Fix workqueue deadlock

priv->work must not be synced while priv->mutex is locked, because
the mutex is taken in the work handler.
Move cancel_work_sync down to after the device shutdown code.
This is safe, because the work handler checks fw_state and bails out
early in case of a race.

Signed-off-by: Michael Buesch <m@bues.ch>
Cc: <stable@vger.kernel.org>
Acked-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agop54spi: Add missing spin_lock_init
Michael Büsch [Wed, 16 Nov 2011 22:48:31 +0000 (23:48 +0100)]
p54spi: Add missing spin_lock_init

The tx_lock is not initialized properly. Add spin_lock_init().

Signed-off-by: Michael Buesch <m@bues.ch>
Cc: <stable@vger.kernel.org>
Acked-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agort2x00: Fix efuse EEPROM reading on PPC32.
Gertjan van Wingerde [Wed, 16 Nov 2011 22:16:15 +0000 (23:16 +0100)]
rt2x00: Fix efuse EEPROM reading on PPC32.

Fix __le32 to __le16 conversion of the first word of an 8-word block
of EEPROM read via the efuse method.

Reported-and-tested-by: Ingvar Hagelund <ingvar@redpill-linpro.com>
Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
CC: <stable@vger.kernel.org>
Acked-by: Helmut Schaa <helmut.schaa@googlemail.com>
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agort2x00: handle spurious pci interrupts
Stanislaw Gruszka [Wed, 16 Nov 2011 12:58:42 +0000 (13:58 +0100)]
rt2x00: handle spurious pci interrupts

We have documented case of very bad performance issue on rt2800pci
device, because it generate spurious interrupt, what cause irq line
is disabled: https://bugzilla.redhat.com/show_bug.cgi?id=658451

We already address that problem in separate patch by returning
IRQ_HANDLED from interrupt handler. We think similar fix is needed for
other rt2x00 PCI devices, because users report performance problems on
these devices too.

Cc: stable@vger.kernel.org
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agort2800pci: handle spurious interrupts
Stanislaw Gruszka [Wed, 16 Nov 2011 10:09:17 +0000 (11:09 +0100)]
rt2800pci: handle spurious interrupts

Some devices may generate spurious interrupts, we have to handle them
otherwise interrupt line will be disabled with below message and driver
will not work:

[ 2052.114334] irq 17: nobody cared (try booting with the "irqpoll" option)
[ 2052.114339] Pid: 0, comm: swapper Tainted: P           2.6.35.6-48.fc14.x86_64 #1
[ 2052.114341] Call Trace:
[ 2052.114342]  <IRQ>  [<ffffffff810a6e2b>] __report_bad_irq.clone.1+0x3d/0x8b
[ 2052.114349]  [<ffffffff810a6f93>] note_interrupt+0x11a/0x17f
[ 2052.114352]  [<ffffffff810a7a73>] handle_fasteoi_irq+0xa8/0xce
[ 2052.114355]  [<ffffffff8100c2ea>] handle_irq+0x88/0x90
[ 2052.114357]  [<ffffffff8146f034>] do_IRQ+0x5c/0xb4
[ 2052.114360]  [<ffffffff81469593>] ret_from_intr+0x0/0x11
[ 2052.114361]  <EOI>  [<ffffffff8102b7f9>] ? native_safe_halt+0xb/0xd
[ 2052.114366]  [<ffffffff81010f03>] ? need_resched+0x23/0x2d
[ 2052.114367]  [<ffffffff8101102a>] default_idle+0x34/0x4f
[ 2052.114370]  [<ffffffff81008325>] cpu_idle+0xaa/0xcc
[ 2052.114373]  [<ffffffff81461f2a>] start_secondary+0x24d/0x28e
[ 2052.114374] handlers:
[ 2052.114375] [<ffffffff81332944>] (usb_hcd_irq+0x0/0x7c)
[ 2052.114378] [<ffffffffa00697da>] (rt2800pci_interrupt+0x0/0x18d [rt2800pci])
[ 2052.114384] Disabling IRQ #17

Resolve:
https://bugzilla.redhat.com/show_bug.cgi?id=658451

Reported-and-tested-by: Amir Hedayaty <hedayaty@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoNet, libertas: Resolve memory leak in if_spi_host_to_card()
Jesper Juhl [Sun, 13 Nov 2011 21:14:32 +0000 (22:14 +0100)]
Net, libertas: Resolve memory leak in if_spi_host_to_card()

If we hit the default case in the switch in if_spi_host_to_card() we'll leak
the memory we allocated for 'packet'. This patch resolves the leak by freeing
the allocated memory in that case.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Acked-by: Dan Williams <dcbw@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agort2x00: Fix sleep-while-atomic bug in powersaving code.
Gertjan van Wingerde [Sat, 12 Nov 2011 18:10:44 +0000 (19:10 +0100)]
rt2x00: Fix sleep-while-atomic bug in powersaving code.

The generic powersaving code that determines after reception of a frame
whether the device should go back to sleep or whether is could stay
awake was calling rt2x00lib_config directly from RX tasklet context.
On a number of the devices this call can actually sleep, due to having
to confirm that the sleeping commands have been executed successfully.

Fix this by moving the call to rt2x00lib_config to a workqueue call.

This fixes bug https://bugzilla.redhat.com/show_bug.cgi?id=731672

Tested-by: Tomas Trnka <tomastrnka@gmx.com>
Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
Cc: <stable@vger.kernel.org>
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agort2x00: Add USB device ID of Buffalo WLI-UC-GNHP.
Gertjan van Wingerde [Sat, 12 Nov 2011 18:10:43 +0000 (19:10 +0100)]
rt2x00: Add USB device ID of Buffalo WLI-UC-GNHP.

This is reported to be an RT3070 based device.

Reported-by: Teika Kazura <teika@lavabit.com>
Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agomwifiex: fix association issue with AP configured in hidden SSID mode
Amitkumar Karwar [Thu, 10 Nov 2011 05:36:21 +0000 (21:36 -0800)]
mwifiex: fix association issue with AP configured in hidden SSID mode

Firmware expects 'max_ssid_length' field in
'struct mwifiex_ie_types_wildcard_ssid_params' to be '0' for
performing SSID specific scan. Currently driver updates it with
an actual SSID length. Hence UUT is not able to find the AP
configured in hidden SSID mode in scan results and association
fails.

max_ssid_length is filled with '0' to fix the issue.

Signed-off-by: Amitkumar Karwar <akarwar@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoiwlwifi: avoid a panic when unloading the module with RF Kill
Emmanuel Grumbach [Thu, 10 Nov 2011 00:50:50 +0000 (16:50 -0800)]
iwlwifi: avoid a panic when unloading the module with RF Kill

When HW RF kill switch is set to kill the radio, our NIC issues an
interrupt after we stop the APM module. When we unload the module,
the driver disables and cleans the interrupts before stopping the
APM. So we have a real interrupt (inta not zero) pending.
When this interrupts pops up the tasklet has already been killed
and we crash.

Here is a logical description of the flow:

disable and clean interrupts
synchronize interrupts
kill the tasklet

stop the APM <<== creates an RF kill interrupt

free_irq <<== somehow our ISR is called here and we crash

Here is the panic message:

[  201.313636] BUG: unable to handle kernel paging request at ffff8800911b7150
[  201.314541] IP: [<ffffffff8106d652>] tasklet_action+0x62/0x130
[  201.315149] PGD 1c06063 PUD db37f067 PMD db408067 PTE 80000000911b7160
[  201.316456] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
[  201.317324] CPU 1
[  201.317495] Modules linked in: arc4 iwlwifi(-) mac80211 cfg80211 netconsole configfs binfmt_misc i915 drm_kms_helper drm uvcvideo i2c_algo_bit videodev dell_laptop dcdbas intel_agp dell_wmi intel_ips psmouse intel_gtt v4l2_compat_ioctl32 asix usbnet mii serio_raw video sparse_keymap firewire_ohci sdhci_pci sdhci firewire_core e1000e crc_itu_t [last unloaded: configfs]
[  201.323839]
[  201.324015] Pid: 2061, comm: modprobe Not tainted 3.1.0-rc9-wl #4 Dell Inc. Latitude E6410/0667CC
[  201.324736] RIP: 0010:[<ffffffff8106d652>]  [<ffffffff8106d652>] tasklet_action+0x62/0x130
[  201.325128] RSP: 0018:ffff88011bc43ea0  EFLAGS: 00010286
[  201.325338] RAX: ffff88008ae70000 RBX: ffff8800911b7150 RCX: ffff88008ae70028
[  201.325555] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88008ae70000
[  201.325775] RBP: ffff88011bc43ec0 R08: 0000000000000000 R09: 0000000000000000
[  201.325994] R10: 0000000000000002 R11: 0000000000000001 R12: 0000000000000001
[  201.326212] R13: 0000000000000006 R14: 0000000000000100 R15: ffff88008e259fd8
[  201.326431] FS:  00007f4b90ea9700(0000) GS:ffff88011bc40000(0000) knlGS:0000000000000000
[  201.326657] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  201.326864] CR2: ffff8800911b7150 CR3: 000000008fd6d000 CR4: 00000000000006e0
[  201.327083] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  201.327302] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  201.327521] Process modprobe (pid: 2061, threadinfo ffff88008e258000, task ffff88008ae70000)
[  201.327747] Stack:
[  201.330494]  0000000000000046 0000000000000030 0000000000000001 0000000000000006
[  201.333870]  ffff88011bc43f30 ffffffff8106cd8a ffffffff811e1016 ffff88011bc43f08
[  201.337186]  0000000100000046 ffff88008e259fd8 0000000a10be2160 0000000000000006
[  201.340458] Call Trace:
[  201.342994]  <IRQ>
[  201.345656]  [<ffffffff8106cd8a>] __do_softirq+0xca/0x250
[  201.348185]  [<ffffffff811e1016>] ? pde_put+0x76/0x90
[  201.350730]  [<ffffffff8131aeae>] ? do_raw_spin_unlock+0x5e/0xb0
[  201.353261]  [<ffffffff811e1016>] ? pde_put+0x76/0x90
[  201.355776]  [<ffffffff8163ccfc>] call_softirq+0x1c/0x30
[  201.358287]  [<ffffffff8101531d>] do_softirq+0x9d/0xd0
[  201.360823]  [<ffffffff8106cb05>] irq_exit+0xd5/0xf0
[  201.363330]  [<ffffffff8163d5d6>] do_IRQ+0x66/0xe0
[  201.365819]  [<ffffffff81632673>] common_interrupt+0x73/0x73
[  201.368257]  <EOI>

Cc: <stable@kernel.org> 3.1+
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agomac80211: fix race between connection monitor & suspend
Johannes Berg [Wed, 9 Nov 2011 11:14:16 +0000 (12:14 +0100)]
mac80211: fix race between connection monitor & suspend

When the connection monitor timer fires right before
suspend, the following will happen:
 timer fires -> monitor_work gets queued
 suspend calls ieee80211_sta_quiesce
 ieee80211_sta_quiesce:
  - deletes timer
  - cancels monitor_work synchronously, running it
  [note wrong order of these steps]
 monitor_work runs, re-arming the timer
 later, timer fires while system should be quiesced

This causes a warning:

WARNING: at net/mac80211/util.c:540 ieee80211_can_queue_work+0x35/0x40 [mac80211]()

but is otherwise harmless. I'm not completely sure
this is the scenario Thomas stumbled across, but it
is the only way I can right now see the warning in
a scenario like the one he reported.

Reported-by: Thomas Meyer <thomas@m3y3r.de>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agowireless: libertas: fix unaligned le64 accesses
Steven Miao [Wed, 9 Nov 2011 08:30:40 +0000 (16:30 +0800)]
wireless: libertas: fix unaligned le64 accesses

use get_unaligned_le64() to get timestamp

Signed-off-by: Steven Miao <realmz6@gmail.com>
Acked-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agocfg80211: fix bug on regulatory core exit on access to last_request
Luis R. Rodriguez [Tue, 8 Nov 2011 22:28:06 +0000 (14:28 -0800)]
cfg80211: fix bug on regulatory core exit on access to last_request

Commit 4d9d88d1 by Scott James Remnant <keybuk@google.com> added
the .uevent() callback for the regulatory device used during
the platform device registration. The change was done to account
for queuing up udev change requests through udevadm triggers.
The change also meant that upon regulatory core exit we will now
send a uevent() but the uevent() callback, reg_device_uevent(),
also accessed last_request. Right before commiting device suicide
we free'd last_request but never set it to NULL so
platform_device_unregister() would lead to bogus kernel paging
request. Fix this and also simply supress uevents right before
we commit suicide as they are pointless.

This fix is required for kernels >= v2.6.39

$ git describe --contains 4d9d88d1
v2.6.39-rc1~468^2~25^2^2~21

The impact of not having this present is that a bogus paging
access may occur (only read) upon cfg80211 unload time. You
may also get this BUG complaint below. Although Johannes
could not reproduce the issue this fix is theoretically correct.

mac80211_hwsim: unregister radios
mac80211_hwsim: closing netlink
BUG: unable to handle kernel paging request at ffff88001a06b5ab
IP: [<ffffffffa030df9a>] reg_device_uevent+0x1a/0x50 [cfg80211]
PGD 1836063 PUD 183a063 PMD 1ffcb067 PTE 1a06b160
Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
CPU 0
Modules linked in: cfg80211(-) [last unloaded: mac80211]

Pid: 2279, comm: rmmod Tainted: G        W   3.1.0-wl+ #663 Bochs Bochs
RIP: 0010:[<ffffffffa030df9a>]  [<ffffffffa030df9a>] reg_device_uevent+0x1a/0x50 [cfg80211]
RSP: 0000:ffff88001c5f9d58  EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff88001d2eda88 RCX: ffff88001c7468fc
RDX: ffff88001a06b5a0 RSI: ffff88001c7467b0 RDI: ffff88001c7467b0
RBP: ffff88001c5f9d58 R08: 000000000000ffff R09: 000000000000ffff
R10: 0000000000000000 R11: 0000000000000001 R12: ffff88001c7467b0
R13: ffff88001d2eda78 R14: ffffffff8164a840 R15: 0000000000000001
FS:  00007f8a91d8a6e0(0000) GS:ffff88001fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffff88001a06b5ab CR3: 000000001c62e000 CR4: 00000000000006f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process rmmod (pid: 2279, threadinfo ffff88001c5f8000, task ffff88000023c780)
Stack:
 ffff88001c5f9d98 ffffffff812ff7e5 ffffffff8176ab3d ffff88001c7468c2
 000000000000ffff ffff88001d2eda88 ffff88001c7467b0 ffff880000114820
 ffff88001c5f9e38 ffffffff81241dc7 ffff88001c5f9db8 ffffffff81040189
Call Trace:
 [<ffffffff812ff7e5>] dev_uevent+0xc5/0x170
 [<ffffffff81241dc7>] kobject_uevent_env+0x1f7/0x490
 [<ffffffff81040189>] ? sub_preempt_count+0x29/0x60
 [<ffffffff814cab1a>] ? _raw_spin_unlock_irqrestore+0x4a/0x90
 [<ffffffff81305307>] ? devres_release_all+0x27/0x60
 [<ffffffff8124206b>] kobject_uevent+0xb/0x10
 [<ffffffff812fee27>] device_del+0x157/0x1b0
 [<ffffffff8130377d>] platform_device_del+0x1d/0x90
 [<ffffffff81303b76>] platform_device_unregister+0x16/0x30
 [<ffffffffa030fffd>] regulatory_exit+0x5d/0x180 [cfg80211]
 [<ffffffffa032bec3>] cfg80211_exit+0x2b/0x45 [cfg80211]
 [<ffffffff8109a84c>] sys_delete_module+0x16c/0x220
 [<ffffffff8108a23e>] ? trace_hardirqs_on_caller+0x7e/0x120
 [<ffffffff814cba02>] system_call_fastpath+0x16/0x1b
Code: <all your base are belong to me>
RIP  [<ffffffffa030df9a>] reg_device_uevent+0x1a/0x50 [cfg80211]
 RSP <ffff88001c5f9d58>
CR2: ffff88001a06b5ab
---[ end trace 147c5099a411e8c0 ]---

Reported-by: Johannes Berg <johannes@sipsolutions.net>
Cc: Scott James Remnant <keybuk@google.com>
Cc: stable@vger.kernel.org
Signed-off-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agomac80211: fix bug in ieee80211_build_probe_req
Johannes Berg [Tue, 8 Nov 2011 12:04:41 +0000 (13:04 +0100)]
mac80211: fix bug in ieee80211_build_probe_req

ieee80211_probereq_get() can return NULL in
which case we should clean up & return NULL
in ieee80211_build_probe_req() as well.

Cc: stable@vger.kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agomac80211: fix NULL dereference in radiotap code
Johannes Berg [Tue, 8 Nov 2011 11:28:33 +0000 (12:28 +0100)]
mac80211: fix NULL dereference in radiotap code

When receiving failed PLCP frames is enabled, there
won't be a rate pointer when we add the radiotap
header and thus the kernel will crash. Fix this by
not assuming the rate pointer is always valid. It's
still always valid for frames that have good PLCP
though, and that is checked & enforced.

This was broken by my
commit fc88518916793af8ad6a02e05ff254d95c36d875
Author: Johannes Berg <johannes.berg@intel.com>
Date:   Fri Jul 30 13:23:12 2010 +0200

    mac80211: don't check rates on PLCP error frames

where I removed the check in this case but didn't
take into account that the rate info would be used.

Reported-by: Xiaokang Qin <xiaokang.qin@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agowl12xx: fix wl12xx_scan_sched_scan_ssid_list() check that all given ssids are in...
Eyal Shapira [Tue, 8 Nov 2011 13:54:46 +0000 (15:54 +0200)]
wl12xx: fix wl12xx_scan_sched_scan_ssid_list() check that all given ssids are in filters

A minor fix for the check that verifies that all given SSIDs (in req) exist
in the filters (the match sets)

Signed-off-by: Eyal Shapira <eyal@wizery.com>
Acked-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoath: Fix NULL ptr dereference in ath_reg_apply_world_flags
Helmut Schaa [Tue, 8 Nov 2011 13:01:13 +0000 (14:01 +0100)]
ath: Fix NULL ptr dereference in ath_reg_apply_world_flags

This happens with devices using a regulatory domain 0x68 that are only
5Ghz capable because ath_reg_apply_active_scan_flags assumes that we
always have a 2,4Ghz band.

CPU 0 Unable to handle kernel paging request at virtual address 00000000, epc == 82cd838c, ra == 82cd8384
Oops[#1]:
Cpu 0
$ 0 : 00000000 00000061 00000003 00000024
$ 4 : 00000003 000016c1 82f900ac 00000024
$ 8 : 00000000 82cda304 0058bad8 00000005
$12 : 005908f8 001e8481 00000003 1dcd6500
$16 : 00000002 00000000 82c700c0 82c700c0
$20 : 82d415e4 82c70d64 82c70200 82c715bc
$24 : 00000000 11e1a300
$28 : 82ce2000 82ce3c70 82c715a8 82cd8384
Hi : 00000000
Lo : 0000001e
epc : 82cd838c ath_reg_apply_world_flags+0x78/0x17c [ath]
Not tainted
ra : 82cd8384 ath_reg_apply_world_flags+0x70/0x17c [ath]
Status: 1000d403 KERNEL EXL IE
Cause : 80800008
BadVA : 00000000
PrId : 00019374 (MIPS 24Kc)
Modules linked in: ath9k(+) ath9k_common ath9k_hw ath mac80211 cfg80211
compat_firmware_class compat arc4 aes_generic deflate ecb cbc
leds_gpio button_hotplug gpio_buttons input_polldev ie
Process insmod (pid: 464, threadinfo=82ce2000, task=838b31d8, tls=00000000)
Stack : 00000000 00000002 82f900ac 82c700c0 82d415e4 82c70d64 00000000 00000068
82f900ac 82cd88f4 82c700c0 82cda304 00000001 000020f0 82f90000 82c70d40
00000002 82f90000 82f900ac 82d4207c 82d518a0 00000002 7fee6118 8017c0d8
00000008 8397ba00 82c70d40 00000000 82c70200 83813000 83813058 b0010000
82d518a0 00000002 7fee6118 82d4b8c8 83445cc0 80120dc0 83804000 800eeda0
...
Call Trace:
[<82cd838c>] ath_reg_apply_world_flags+0x78/0x17c [ath]
[<82cd88f4>] ath_regd_init+0x464/0x488 [ath]
[<82d4207c>] ath9k_init_device+0x6a4/0x6b4 [ath9k]
[<82d4b8c8>] ath_pci_probe+0x27c/0x358 [ath9k]
[<80181de0>] pci_device_probe+0x64/0xa4
[<8019e874>] driver_probe_device+0xb8/0x190
[<8019e9b8>] __driver_attach+0x6c/0xa4
[<8019dfc0>] bus_for_each_dev+0x60/0xb0
[<8019d744>] bus_add_driver+0xc4/0x25c
[<8019ed6c>] driver_register+0xe0/0x198
[<8018206c>] __pci_register_driver+0x50/0xe0
[<82dd0010>] ath9k_init+0x10/0x54 [ath9k]
[<8006b4a0>] do_one_initcall+0x68/0x1ec
[<800a901c>] sys_init_module+0xec/0x23c
[<80062544>] stack_done+0x20/0x3c

Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agocfg80211: fix missing kernel-doc
Johannes Berg [Tue, 8 Nov 2011 08:20:07 +0000 (09:20 +0100)]
cfg80211: fix missing kernel-doc

Two new struct members were not documented, fix that.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/padovan/bluetooth
John W. Linville [Tue, 8 Nov 2011 19:59:14 +0000 (14:59 -0500)]
Merge branch 'master' of git://git./linux/kernel/git/padovan/bluetooth

13 years agoBluetooth: Add support for Broadcom BCM20702A0
Wen-chien Jesse Sung [Tue, 8 Nov 2011 06:30:22 +0000 (14:30 +0800)]
Bluetooth: Add support for Broadcom BCM20702A0

Since this device declares itself as vendor specific, must add
a new entry to device ID table to support it.

usb-device output of this device:

T:  Bus=01 Lev=02 Prnt=02 Port=03 Cnt=01 Dev#=  3 Spd=12  MxCh= 0
D:  Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
P:  Vendor=413c ProdID=8197 Rev=01.12
S:  Manufacturer=Broadcom Corp
S:  Product=BCM20702A0
S:  SerialNumber=D0DF9AA9C9F1
C:  #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=0mA
I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
I:  If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
I:  If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
I:  If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)

Signed-off-by: Wen-chien Jesse Sung <jesse.sung@canonical.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
13 years agoBluetooth: Use miliseconds for L2CAP channel timeouts
Andrzej Kaczmarek [Mon, 7 Nov 2011 19:19:04 +0000 (17:19 -0200)]
Bluetooth: Use miliseconds for L2CAP channel timeouts

Timers set by __set_chan_timer() should use miliseconds instead of
jiffies. Commit 942ecc9c4643db5ce071562e0a23f99464d6b461 updated
l2cap_set_timer() so it expects timeout to be specified in msecs
instead of jiffies. This makes timeouts unreliable when CONFIG_HZ
is not set to 1000.

Signed-off-by: Andrzej Kaczmarek <andrzej.kaczmarek@tieto.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
13 years agoBluetooth: Revert: Fix L2CAP connection establishment
Arek Lichwa [Wed, 26 Oct 2011 09:23:22 +0000 (11:23 +0200)]
Bluetooth: Revert: Fix L2CAP connection establishment

This reverts commit 330605423ca6eafafb8dcc27502bce1c585d1b06.
The commit introduces regression when two 2.1 devices attempt
establish rfcomm channel. Such connection is refused since there's
a security block issue on l2cap. It means the link is unencrypted.

2011-09-16 18:08:46.567616 < ACL data: handle 1 flags 0x00 dlen 24
    0000: 14 00 40 00 06 00 02 00  0f 35 03 19 12 00 ff ff
..@......5....˙˙
    0010: 35 05 0a 00 00 ff ff 00                           5....˙˙.
2011-09-16 18:08:46.572377 > HCI Event: Number of Completed Packets
(0x13) plen 5
    handle 1 packets 1
2011-09-16 18:08:46.577931 > ACL data: handle 1 flags 0x02 dlen 88
    L2CAP(d): cid 0x0040 len 84 [psm 0]
      0000: 07 00 02 00 4f 00 4c 35  4a 35 48 09 00 00 0a 00
....O.L5J5H.....
      0010: 01 00 00 09 00 01 35 03  19 12 00 09 00 05 35 03
......5.......5.
      0020: 19 10 02 09 00 09 35 08  35 06 19 12 00 09 01 02
......5.5.......
      0030: 09 02 00 09 01 02 09 02  01 09 00 0a 09 02 02 09
................
      0040: 00 00 09 02 03 09 00 00  09 02 04 28 01 09 02 05
...........(....
      0050: 09 00 02 00                                       ....
2011-09-16 18:08:46.626057 < HCI Command: Authentication Requested
(0x01|0x0011) plen 2
    handle 1
2011-09-16 18:08:46.627614 > HCI Event: Command Status (0x0f) plen 4
    Authentication Requested (0x01|0x0011) status 0x00 ncmd 1
2011-09-16 18:08:46.627675 > HCI Event: Link Key Request (0x17) plen 6
    bdaddr 00:00:F2:6A:29:69
2011-09-16 18:08:46.634999 < HCI Command: Link Key Request Reply
(0x01|0x000b) plen 22
    bdaddr 00:00:F2:6A:29:69 key 58CD393179FC902E5E8F512A855EE532
2011-09-16 18:08:46.683278 > HCI Event: Command Complete (0x0e) plen 10
    Link Key Request Reply (0x01|0x000b) ncmd 1
    status 0x00 bdaddr 00:00:F2:6A:29:69
2011-09-16 18:08:46.764729 > HCI Event: Auth Complete (0x06) plen 3
    status 0x00 handle 1
2011-09-16 18:08:46.764821 < ACL data: handle 1 flags 0x00 dlen 12
    0000: 08 00 01 00 02 05 04 00  03 00 41 00              ..........A.
2011-09-16 18:08:46.764851 > HCI Event: Command Status (0x0f) plen 4
    Unknown (0x00|0x0000) status 0x00 ncmd 2
2011-09-16 18:08:46.768117 > HCI Event: Number of Completed Packets
(0x13) plen 5
    handle 1 packets 1
2011-09-16 18:08:46.770894 > ACL data: handle 1 flags 0x02 dlen 16
    L2CAP(s): Connect rsp: dcid 0x0000 scid 0x0041 result 3 status 0
      Connection refused - security block
2011-09-16 18:08:49.000691 < ACL data: handle 1 flags 0x00 dlen 12
    0000: 08 00 01 00 06 06 04 00  40 00 40 00              ........@.@.
2011-09-16 18:08:49.015675 > HCI Event: Number of Completed Packets
(0x13) plen 5
    handle 1 packets 1
2011-09-16 18:08:49.016927 > ACL data: handle 1 flags 0x02 dlen 12
    L2CAP(s): Disconn rsp: dcid 0x0040 scid 0x0040
2011-09-16 18:08:51.009480 < HCI Command: Disconnect (0x01|0x0006) plen
3
    handle 1 reason 0x13
    Reason: Remote User Terminated Connection
2011-09-16 18:08:51.011525 > HCI Event: Command Status (0x0f) plen 4
    Disconnect (0x01|0x0006) status 0x00 ncmd 1
2011-09-16 18:08:51.123494 > HCI Event: Disconn Complete (0x05) plen 4
    status 0x00 handle 1 reason 0x16
    Reason: Connection Terminated by Local Host

Signed-off-by: Arek Lichwa <arkadiusz.lichwa@tieto.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
13 years agomac80211: uAPSD - fix IEEE80211_FCTL_MOREDATA bit setting
Janusz.Dziedzic@tieto.com [Mon, 7 Nov 2011 07:47:47 +0000 (09:47 +0200)]
mac80211: uAPSD - fix IEEE80211_FCTL_MOREDATA bit setting

Set IEEE80211_FCTL_MOREDATA bit also in case we have buffered
frames (more than one) only for one AC.

Signed-off-by: Janusz Dziedzic <janusz.dziedzic@tieto.com>
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agonet, wireless, mwifiex: Fix mem leak in mwifiex_update_curr_bss_params()
Jesper Juhl [Sun, 6 Nov 2011 21:58:31 +0000 (22:58 +0100)]
net, wireless, mwifiex: Fix mem leak in mwifiex_update_curr_bss_params()

If kmemdup() fails we leak the memory allocated to bss_desc.
This patch fixes the leak.
I also removed the pointless default assignment of 'NULL' to 'bss_desc'
while I was there anyway.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Reviewed-by: Srivatsa S. Bhat <srivatsa.bhat@linux.vnet.ibm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agocfg80211: fix cmp_ies
Johannes Berg [Fri, 4 Nov 2011 10:01:46 +0000 (11:01 +0100)]
cfg80211: fix cmp_ies

When comparing two items by IE, the sort order
wasn't stable, which could lead to issues in the
rbtree. Make it stable by making a missing IE
sort before a present IE.

Also sort by length first if it differs and then
by contents.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agocfg80211: allow setting TXQ parameters only in AP mode
Johannes Berg [Thu, 3 Nov 2011 13:50:13 +0000 (14:50 +0100)]
cfg80211: allow setting TXQ parameters only in AP mode

In other modes the parameters should not be set.
Right now, mac80211 will set them, even if the
user asked for setting them on VLANs which the
driver doesn't know about, causing all kinds of
trouble.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agonl80211: fix HT capability attribute validation
Johannes Berg [Thu, 3 Nov 2011 08:27:01 +0000 (09:27 +0100)]
nl80211: fix HT capability attribute validation

Since the NL80211_ATTR_HT_CAPABILITY attribute is
used as a struct, it needs a minimum, not maximum
length. Enforce that properly. Not doing so could
potentially lead to reading after the buffer.

Cc: stable@vger.kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agomac80211: use min rate as basic rate for buggy APs
Eliad Peller [Sun, 30 Oct 2011 13:41:59 +0000 (15:41 +0200)]
mac80211: use min rate as basic rate for buggy APs

Some buggy APs (and even P2P_GO) don't advertise their
basic rates in the association response.

In such case, use the min supported rate as the
basic rate.

Reported-by: Pontus Fuchs <pontus.fuchs@gmail.com>
Signed-off-by: Eliad Peller <eliad@wizery.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agobrcm80211: smac: eliminate a null pointer dereference in dma.c
Arend van Spriel [Sat, 29 Oct 2011 09:30:15 +0000 (11:30 +0200)]
brcm80211: smac: eliminate a null pointer dereference in dma.c

Though it's unlikely, di may be null, so we can't dereference
di->dma.dmactrlflags until we've checked it.

Move this de-reference after the check, and adjust the error
message to not require de-referencing di.

This is based upon Julia's original patch:
<1319846297-2985-2-git-send-email-julia@diku.dk>

Reported-by: Julia Lawall <julia@diku.dk>
Acked-by: Arend van Spriel <arend@broadcom.com>
Signed-off-by: Julian Calaby <julian.calaby@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agob43: HT-PHY: report signal to mac80211
Rafał Miłecki [Mon, 17 Oct 2011 15:15:44 +0000 (17:15 +0200)]
b43: HT-PHY: report signal to mac80211

Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agob43: fill ctl1 word on all newer PHYs, fix PHY errors
Rafał Miłecki [Mon, 17 Oct 2011 14:59:25 +0000 (16:59 +0200)]
b43: fill ctl1 word on all newer PHYs, fix PHY errors

This fixes PHY transmission errors reported on some LP-PHY and HT-PHY
cards. For LP-PHY they were quite rare and not really noticable. On
HT-PHY they were critical, OFDM rates were not available at all.

Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agomac80211: warn only once about not finding a rate
Johannes Berg [Fri, 4 Nov 2011 17:07:43 +0000 (18:07 +0100)]
mac80211: warn only once about not finding a rate

The warning really shouldn't happen, but until we
find the reason why it does don't spew it all the
time, just once is enough to know we've hit it.

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoiwlwifi: don't perform "echo test" when cmd queue stuck
Wey-Yi Guy [Sun, 30 Oct 2011 06:15:15 +0000 (23:15 -0700)]
iwlwifi: don't perform "echo test" when cmd queue stuck

Perform "echo test" when cmd queue stuck detected, somethime it will cause
calltrace. I am not sure how to fix it yet, just remove the action now until
find a better way to handle it.

Reported-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agob43: Remove unneeded message
Larry Finger [Fri, 28 Oct 2011 17:17:49 +0000 (12:17 -0500)]
b43: Remove unneeded message

The driver can spam the logs with "RX: Packet dropped" messages. These drops
originate from 1. a correpted PLCP, 2. decryption errors, and 3. packet
size underruns. Condition #3 logs a separate message, thus no dropped message
is needed.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agomac80211: disable powersave for broken APs
Johannes Berg [Fri, 28 Oct 2011 09:59:47 +0000 (11:59 +0200)]
mac80211: disable powersave for broken APs

Only AID values 1-2007 are valid, but some APs have been
found to send random bogus values, in the reported case an
AP that was sending the AID field value 0xffff, an AID of
0x3fff (16383).

There isn't much we can do but disable powersave since
there's no way it can work properly in this case.

Cc: stable@vger.kernel.org
Reported-by: Bill C Riemers <briemers@redhat.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoiwlwifi: allow pci_enable_msi fail
Wey-Yi Guy [Fri, 28 Oct 2011 00:19:39 +0000 (17:19 -0700)]
iwlwifi: allow pci_enable_msi fail

Continue the init process even fail to enable msi

out_iounmap is no longer used, remove it

Reported-by: werner <w.landgraf@ru.ru>
Tested-by: werner <w.landgraf@ru.ru>
Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agolibertas: ensure we clean up a scan request properly
Andres Salomon [Wed, 26 Oct 2011 17:19:26 +0000 (10:19 -0700)]
libertas: ensure we clean up a scan request properly

Commit 2e30168b ("libertas: terminate scan when stopping interface")
adds cleanup code to lbs_eth_stop to call cfg80211_scan_done if there's
an outstanding cfg80211_scan_request.  However, it assumes that the
scan request was allocated via the cfg80211 stack.  Libertas has
its own internal allocation method, kept track of with
priv->internal_scan.  This doesn't set scan_req->wiphy, amongst other
things, which results in hitting a BUG() when we call cfg80211_scan_done
on the request.

This provides a function to take care of the low-level scan_req cleanup
details.  We simply call that to deal with finishing up scan requests.

The bug we were hitting was:

[  964.321495] kernel BUG at net/wireless/core.h:87!
[  964.329970] Unable to handle kernel NULL pointer dereference at virtual address 00000000
[  964.341963] pgd = dcf80000
...
[  964.849998] 9fe0: 00000000 beb417b8 4018e280 401e822c 60000010 00000004 00000000 00000000
[  964.865007] [<c003104c>] (__bug+0x1c/0x28) from [<c0384ffc>] (cfg80211_scan_done+0x54/0x6c)
[  964.895324] [<c0384ffc>] (cfg80211_scan_done+0x54/0x6c) from [<bf028bac>] (lbs_eth_stop+0x10c/0x188 [libertas])
[  964.895324] [<bf028bac>] (lbs_eth_stop+0x10c/0x188 [libertas]) from [<c03002a0>] (__dev_close_many+0x94/0xc4)
[  964.918995] [<c03002a0>] (__dev_close_many+0x94/0xc4) from [<c030037c>] (dev_close_many+0x78/0xe0)

Signed-off-by: Andres Salomon <dilinger@queued.net>
Acked-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoath9k_hw: Fix noise floor calibration timeout on fast channel change
Rajkumar Manoharan [Tue, 25 Oct 2011 11:17:36 +0000 (16:47 +0530)]
ath9k_hw: Fix noise floor calibration timeout on fast channel change

During the fast channel change noise floor values are being loaded
twice at init_cal and after channel_change. The commit "ath9k_hw:
Improve fast channel change for AR9003 chips" overlooked it that
caused failure to load nf while doing bgscan. This patch performs noise
floor calibration after the fast and full reset.

Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoath9k_hw: Update AR9485 initvals to fix system hang issue
Rajkumar Manoharan [Mon, 24 Oct 2011 12:43:40 +0000 (18:13 +0530)]
ath9k_hw: Update AR9485 initvals to fix system hang issue

This patch fixes system hang when resuming from S3 state
and lower rate sens failure issue.

Cc: stable@kernel.org
Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agomac80211: Fix TDLS support validation in add_station handler
Jouni Malinen [Sun, 23 Oct 2011 19:36:04 +0000 (22:36 +0300)]
mac80211: Fix TDLS support validation in add_station handler

We need to verify whether the command is successful before allocating
the station entry to avoid extra processing. This also fixes a memory
leak on the error path.

Signed-off-by: Jouni Malinen <j@w1.fi>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agocarl9170: fix AMPDU TX_CTL_REQ_TX_STATUS handling
Christian Lamparter [Fri, 21 Oct 2011 16:38:56 +0000 (18:38 +0200)]
carl9170: fix AMPDU TX_CTL_REQ_TX_STATUS handling

Previously the driver did not care if TX_CTL_REQ_TX_STATUS
was set on aggregated frames or not and it would silently
drop successfully sent frames if possible [much like:
"no news is good news!"].

But, TX_CTL_REQ_TX_STATUS was invented for a reason and
no tx status report should ever be dropped if it is set.

Reported-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoath9k_hw: Fix regression of register offset of AR9330/AR9340
Rajkumar Manoharan [Fri, 21 Oct 2011 07:23:51 +0000 (12:53 +0530)]
ath9k_hw: Fix regression of register offset of AR9330/AR9340

The commit ce407afc10 introduced regression for AR9330/AR9340
register offsets. Some of the register offsets are common
for AR9330/AR9340/AR9485 except AR9380. Fix that.

Cc: stable@kernel.org [3.1.0+]
Cc: Senthil Balasubramanian <senthilb@qca.qualcomm.com>
Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agomac80211: config hw when going back on-channel
Eliad Peller [Thu, 20 Oct 2011 17:05:50 +0000 (19:05 +0200)]
mac80211: config hw when going back on-channel

When going back on-channel, we should reconfigure
the hw iff the hardware is not already configured
to the operational channel.

Signed-off-by: Eliad Peller <eliad@wizery.com>
Cc: stable@kernel.org # 2.6.39+
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agomac80211: fix remain_off_channel regression
Eliad Peller [Thu, 20 Oct 2011 17:05:49 +0000 (19:05 +0200)]
mac80211: fix remain_off_channel regression

The offchannel code is currently broken - we should
remain_off_channel if the work was started, and
the work's channel and channel_type are the same
as local->tmp_channel and local->tmp_channel_type.

However, if wk->chan_type and local->tmp_channel_type
coexist (e.g. have the same channel type), we won't
remain_off_channel.

This behavior was introduced by commit da2fd1f
("mac80211: Allow work items to use existing
channel type.")

Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Eliad Peller <eliad@wizery.com>
Cc: stable@kernel.org # 2.6.39+
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoath9k_hw: Fix radio retention for AR9462
Rajkumar Manoharan [Thu, 20 Oct 2011 08:59:38 +0000 (14:29 +0530)]
ath9k_hw: Fix radio retention for AR9462

IQ calibration during fast channel change sometimes failed
with RTT. And also restoring invalid radio retention readings
during init cal could cause failure to set the channel properly.
This patch counts the valid rtt history readings and clears
rtt mask.

Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoath9k_hw: Fix regression of register offset for AR9003 chips
Rajkumar Manoharan [Thu, 20 Oct 2011 08:52:43 +0000 (14:22 +0530)]
ath9k_hw: Fix regression of register offset for AR9003 chips

My recent commits (3782c69d324c74a) introduced regression
for register offset selection that based on the macversion.
Not using parentheses in proper manner for ternary operator
leads to select wrong offset for the registers.

This issue was observed with AR9462 chip that immediate disconnect
after the association with the following message

ieee80211 phy3: wlan0: Failed to send nullfunc to AP 00:23:69:12:ea:47
after 500ms, disconnecting.

Cc: stable@kernel.org
Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoiwlagn: fix the race in the unmapping of the HCMD
Emmanuel Grumbach [Fri, 14 Oct 2011 19:54:47 +0000 (12:54 -0700)]
iwlagn: fix the race in the unmapping of the HCMD

As Stanislaw pointed out, my patch

iwlagn: fix a race in the unmapping of the TFDs

solved only part of the problem. The race still exists for TFDs of
the host commands. Fix that too.

Reported-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/padovan/bluetooth
John W. Linville [Wed, 2 Nov 2011 19:15:51 +0000 (15:15 -0400)]
Merge branch 'master' of git://git./linux/kernel/git/padovan/bluetooth

13 years agoBluetooth: bfusb: Fix error path on firmware load
David Herrmann [Wed, 26 Oct 2011 09:22:46 +0000 (11:22 +0200)]
Bluetooth: bfusb: Fix error path on firmware load

When loading the usb-configuration we do not signal the end of configuration on
memory allocation error. This patch moves the memory allocation to the top so
every error path uses "goto error" now to correctly send the usb-ctrl message
when detecting some error.

This also replaces GFP_ATOMIC with GFP_KERNEL as we are allowed to sleep here.

Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
13 years agoBluetooth: bcm203x: Use GFP_KERNEL in workqueue
David Herrmann [Tue, 25 Oct 2011 19:13:36 +0000 (21:13 +0200)]
Bluetooth: bcm203x: Use GFP_KERNEL in workqueue

A workqueue is allowed to sleep so we can safely use GFP_KERNEL instead of
GFP_ATOMIC. This is still legacy code when the driver used timer BHs and not a
worqueue.

Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
13 years agoBluetooth: bcm203x: Fix race condition on disconnect
David Herrmann [Wed, 26 Oct 2011 09:13:13 +0000 (11:13 +0200)]
Bluetooth: bcm203x: Fix race condition on disconnect

When disconnecting a bcm203x device we kill and destroy the usb-urb, however,
there might still be a pending work-structure which resubmits the now invalid
urb. To avoid this race condition, we simply set a shutdown-flag and
synchronously kill the worker first.

This also adds a comment to all schedule_work()s, as it is really not clear
that they are used as replacement for short timers (which can be seen in the git
history).

Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
13 years agoBluetooth: ath3k: Use GFP_KERNEL instead of GFP_ATOMIC
David Herrmann [Tue, 25 Oct 2011 10:09:52 +0000 (12:09 +0200)]
Bluetooth: ath3k: Use GFP_KERNEL instead of GFP_ATOMIC

We are allowed to sleep here so no need to use GFP_ATOMIC. The caller
(ath3k_probe) calls request_firmware() which definitely sleeps. Hence, we should
avoid using GFP_ATOMIC.

Signed-off-by: David Herrmann <dh.herrmann@googlemail.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
13 years agoBluetooth: Set HCI_MGMT flag only in read_controller_info
Johan Hedberg [Mon, 24 Oct 2011 20:36:26 +0000 (22:36 +0200)]
Bluetooth: Set HCI_MGMT flag only in read_controller_info

The HCI_MGMT flag should only be set when user space requests the full
controller information. This way we avoid potential issues with setting
change events ariving before the actual read_controller_info command
finishes.

Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
13 years agoBluetooth: Increase HCI reset timeout in hci_dev_do_close
Szymon Janc [Mon, 17 Oct 2011 21:05:49 +0000 (23:05 +0200)]
Bluetooth: Increase HCI reset timeout in hci_dev_do_close

I've noticed that my CSR usb dongle was not working if it was plugged in when
PC was booting. It looks like I get two HCI reset command complete events (see
hcidump logs below).
The root cause is reset called from off_timer. Timeout for this reset to
complete is set to 250ms and my bt dongle requires more time for replying with
command complete event. After that, chip seems to reply with reset command
complete event for next non-reset command.

Attached patch increase mentioned timeout to HCI_INIT_TIMEOUT, this value is
already used for timeouting hci_reset_req in hci_dev_reset().

This might also be related to BT not working after suspend that was reported
here some time ago.

Hcidump log:

2011-09-12 23:13:27.379465 < HCI Command: Reset (0x03|0x0003) plen 0
2011-09-12 23:13:27.380797 > HCI Event: Command Complete (0x0e) plen 4
    Reset (0x03|0x0003) ncmd 1
    status 0x00
2011-09-12 23:13:27.380859 < HCI Command: Read Local Supported Features (0x04|0x000
3) plen 0
2011-09-12 23:13:27.760789 > HCI Event: Command Complete (0x0e) plen 4
    Reset (0x03|0x0003) ncmd 1
    status 0x00
2011-09-12 23:13:27.760831 < HCI Command: Read Local Version Information (0x04|0x00
01) plen 0
2011-09-12 23:13:27.764780 > HCI Event: Command Complete (0x0e) plen 12
    Read Local Version Information (0x04|0x0001) ncmd 1
    status 0x00
    HCI Version: 1.1 (0x1) HCI Revision: 0x36f
    LMP Version: 1.1 (0x1) LMP Subversion: 0x36f
    Manufacturer: Cambridge Silicon Radio (10)

Signed-off-by: Szymon Janc <szymon@janc.net.pl>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
13 years agovlan: allow nested vlan_do_receive()
Eric Dumazet [Sat, 29 Oct 2011 06:13:39 +0000 (06:13 +0000)]
vlan: allow nested vlan_do_receive()

commit 2425717b27eb (net: allow vlan traffic to be received under bond)
broke ARP processing on vlan on top of bonding.

       +-------+
eth0 --| bond0 |---bond0.103
eth1 --|       |
       +-------+

52870.115435: skb_gro_reset_offset <-napi_gro_receive
52870.115435: dev_gro_receive <-napi_gro_receive
52870.115435: napi_skb_finish <-napi_gro_receive
52870.115435: netif_receive_skb <-napi_skb_finish
52870.115435: get_rps_cpu <-netif_receive_skb
52870.115435: __netif_receive_skb <-netif_receive_skb
52870.115436: vlan_do_receive <-__netif_receive_skb
52870.115436: bond_handle_frame <-__netif_receive_skb
52870.115436: vlan_do_receive <-__netif_receive_skb
52870.115436: arp_rcv <-__netif_receive_skb
52870.115436: kfree_skb <-arp_rcv

Packet is dropped in arp_rcv() because its pkt_type was set to
PACKET_OTHERHOST in the first vlan_do_receive() call, since no eth0.103
exists.

We really need to change pkt_type only if no more rx_handler is about to
be called for the packet.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Reviewed-by: Jiri Pirko <jpirko@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoipv6: fix route lookup in addrconf_prefix_rcv()
Andreas Hofmeister [Wed, 26 Oct 2011 03:24:29 +0000 (03:24 +0000)]
ipv6: fix route lookup in addrconf_prefix_rcv()

The route lookup to find a previously auto-configured route for a prefixes used
to use rt6_lookup(), with the prefix from the RA used as an address. However,
that kind of lookup ignores routing tables, the prefix length and route flags,
so when there were other matching routes, even in different tables and/or with
a different prefix length, the wrong route would be manipulated.

Now, a new function "addrconf_get_prefix_route()" is used for the route lookup,
which searches in RT6_TABLE_PREFIX and takes the prefix-length and route flags
into account.

Signed-off-by: Andreas Hofmeister <andi@collax.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agobonding: eliminate bond_close race conditions
Jay Vosburgh [Fri, 28 Oct 2011 15:42:50 +0000 (15:42 +0000)]
bonding: eliminate bond_close race conditions

This patch resolves two sets of race conditions.

Mitsuo Hayasaka <mitsuo.hayasaka.hu@hitachi.com> reported the
first, as follows:

The bond_close() calls cancel_delayed_work() to cancel delayed works.
It, however, cannot cancel works that were already queued in workqueue.
The bond_open() initializes work->data, and proccess_one_work() refers
get_work_cwq(work)->wq->flags. The get_work_cwq() returns NULL when
work->data has been initialized. Thus, a panic occurs.

He included a patch that converted the cancel_delayed_work calls
in bond_close to flush_delayed_work_sync, which eliminated the above
problem.

His patch is incorporated, at least in principle, into this
patch.  In this patch, we use cancel_delayed_work_sync in place of
flush_delayed_work_sync, and also convert bond_uninit in addition to
bond_close.

This conversion to _sync, however, opens new races between
bond_close and three periodically executing workqueue functions:
bond_mii_monitor, bond_alb_monitor and bond_activebackup_arp_mon.

The race occurs because bond_close and bond_uninit are always
called with RTNL held, and these workqueue functions may acquire RTNL to
perform failover-related activities.  If bond_close or bond_uninit is
waiting in cancel_delayed_work_sync, deadlock occurs.

These deadlocks are resolved by having the workqueue functions
acquire RTNL conditionally.  If the rtnl_trylock() fails, the functions
reschedule and return immediately.  For the cases that are attempting to
perform link failover, a delay of 1 is used; for the other cases, the
normal interval is used (as those activities are not as time critical).

Additionally, the bond_mii_monitor function now stores the delay
in a variable (mimicing the structure of activebackup_arp_mon).

Lastly, all of the above renders the kill_timers sentinel moot,
and therefore it has been removed.

Tested-by: Mitsuo Hayasaka <mitsuo.hayasaka.hu@hitachi.com>
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoqlcnic: fix beacon and LED test.
Sucheta Chakraborty [Fri, 28 Oct 2011 12:57:15 +0000 (12:57 +0000)]
qlcnic: fix beacon and LED test.

o Updated version number to 5.0.25

o Do not hold onto RESETTING_BIT for entire duration of LED/ beacon test.
  Instead, just checking for RESETTING_BIT not set before sending config_led
  command down to card.

o Take rtnl_lock instead of RESETTING_BIT for beacon test while sending
  config_led command down to make sure interface cannot be brought up/ down.

o Allocate and free resources if interface is down before
  sending the config_led command. This is to make sure config_led
  command sending doesn't fail.

o Clear QLCNIC_LED_ENABLE bit if beacon/ LED test fails to start.

Signed-off-by: Sucheta Chakraborty <sucheta.chakraborty@qlogic.com>
Signed-off-by: Anirban Chakraborty <anirban.chakraborty@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoqlcnic: Updated License file
Sritej Velaga [Fri, 28 Oct 2011 12:57:14 +0000 (12:57 +0000)]
qlcnic: Updated License file

Updated qlcnic's license file.

Signed-off-by: Sritej Velaga <sritej.velaga@qlogic.com>
Signed-off-by: Anirban Chakraborty <anirban.chakraborty@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoqlcnic: updated reset sequence
Sony Chacko [Fri, 28 Oct 2011 12:57:13 +0000 (12:57 +0000)]
qlcnic: updated reset sequence

Signed-off-by: Sony Chacko <sony.chacko@qlogic.com>
Signed-off-by: Anirban Chakraborty <anirban.chakraborty@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoqlcnic: reset loopback mode if promiscous mode setting fails.
Sucheta Chakraborty [Fri, 28 Oct 2011 12:57:12 +0000 (12:57 +0000)]
qlcnic: reset loopback mode if promiscous mode setting fails.

If promiscous mode setting fails, reset loopback mode setting in firmware.

Signed-off-by: Sucheta Chakraborty <sucheta.chakraborty@qlogic.com>
Signed-off-by: Anirban Chakraborty <anirban.chakraborty@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoqlcnic: skip IDC ack check in fw reset path.
Sritej Velaga [Fri, 28 Oct 2011 12:57:11 +0000 (12:57 +0000)]
qlcnic: skip IDC ack check in fw reset path.

In fw reset path, we should consider any change in device state as an
ack from the other driver. When that happens, we don't have to wait for
an explicit ack.

Signed-off-by: Sritej Velaga <sritej.velaga@qlogic.com>
Signed-off-by: Anirban Chakraborty <anirban.chakraborty@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoMerge branch 'batman-adv/maint' of git://git.open-mesh.org/linux-merge
David S. Miller [Sun, 30 Oct 2011 07:05:07 +0000 (03:05 -0400)]
Merge branch 'batman-adv/maint' of git://git.open-mesh.org/linux-merge

13 years agoi825xx: Fix incorrect dependency for BVME6000_NET
Geert Uytterhoeven [Fri, 28 Oct 2011 10:53:32 +0000 (10:53 +0000)]
i825xx: Fix incorrect dependency for BVME6000_NET

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Acked-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoipv6: fix route error binding peer in func icmp6_dst_alloc
Gao feng [Fri, 28 Oct 2011 02:46:57 +0000 (02:46 +0000)]
ipv6: fix route error binding peer in func icmp6_dst_alloc

in func icmp6_dst_alloc,dst_metric_set call ipv6_cow_metrics to set metric.
ipv6_cow_metrics may will call rt6_bind_peer to set rt6_info->rt6i_peer.
So,we should move ipv6_addr_copy before dst_metric_set to make sure rt6_bind_peer success.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoipv6: fix error propagation in ip6_ufo_append_data()
Zheng Yan [Fri, 28 Oct 2011 04:26:00 +0000 (00:26 -0400)]
ipv6: fix error propagation in ip6_ufo_append_data()

We should return errcode from sock_alloc_send_skb()

Signed-off-by: Zheng Yan <zheng.z.yan@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agostmmac: update normal descriptor structure (v2)
Giuseppe CAVALLARO [Wed, 26 Oct 2011 19:43:09 +0000 (19:43 +0000)]
stmmac: update normal descriptor structure (v2)

This patch updates the normal descriptor structure
to work fine on new GMAC Synopsys chips.

Normal descriptors were designed on the old MAC10/100
databook 1.91 where some bits were reserved: for example
the tx checksum insertion and rx checksum offload.

The patch maintains the back-compatibility with old
MAC devices (tested on STx7109 MAC10/100) and adds new
fields that actually new GMAC devices can use.

For example, STx7109 (MAC10/100) will pass from the platform
  tx_coe = 0, enh_desc = 0, has_gmac = 0.
A platform like Loongson1B (GMAC) will pass:
  tx_coe = 1, enh_desc = 0, has_gmac = 1.

Thanks to Kelvin, he enhanced the normal descriptors for
GMAC (on MIPS Loongson1B platform).

Signed-off-by: Kelvin Cheung <keguang.zhang@gmail.com>
Signed-off-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agostmmac: fix NULL pointer dereference in capabilities fixup (v2)
Angus Clark [Wed, 26 Oct 2011 19:43:08 +0000 (19:43 +0000)]
stmmac: fix NULL pointer dereference in capabilities fixup (v2)

Signed-off-by: Angus Clark <angus.clark@st.com>
Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agostmmac: fix a bug while checking the HW cap reg (v2)
Giuseppe CAVALLARO [Wed, 26 Oct 2011 19:43:07 +0000 (19:43 +0000)]
stmmac: fix a bug while checking the HW cap reg (v2)

The patch fixes a bug while checking the HW cap reg
on old MAC10/100 where this feature is not available.

Signed-off-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agobe2net: Changing MAC Address of a VF was broken.
Somnath Kotur [Thu, 27 Oct 2011 07:14:05 +0000 (07:14 +0000)]
be2net: Changing MAC Address of a VF was broken.

Allow for MAC Address change of VF(SR-IOV case) on the fly- First add and then
delete MAC Address to allow for 'out of pool' errors.
When MAC Addr configured from a VM, the MAC on the NIC will aleady have
the supplied MAC,so just copy the supplied MAC to the netdev structure
before returning success to the stack

Signed-off-by: Somnath Kotur <somnath.kotur@emulex.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agobe2net: Refactored be_cmds.c file.
Somnath Kotur [Thu, 27 Oct 2011 07:12:13 +0000 (07:12 +0000)]
be2net: Refactored be_cmds.c file.

Moved the .sge. field's population inside be_cmd_hdr_prepare.
Populating wrb->tag0 and tag1 inside be_cmd_hdr_prepare

Signed-off-by: Somnath Kotur <somnath.kotur@emulex.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agobnx2x: update driver version to 1.70.30-0
Dmitry Kravkov [Thu, 27 Oct 2011 05:13:54 +0000 (05:13 +0000)]
bnx2x: update driver version to 1.70.30-0

Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agobnx2x: use FW 7.0.29.0
Dmitry Kravkov [Thu, 27 Oct 2011 05:13:53 +0000 (05:13 +0000)]
bnx2x: use FW 7.0.29.0

The FW includes the following fixes:
  1. (iSCSI) Arrival of un-solicited ASYNC message causes
     firmware to abort the connection with RST.
  2. (FCoE) There is a probability that truncated FCoE packet on
     RX path won't get detected which might lead to FW assert.
  3. (iSCSI) Arrival of target-initiated NOP-IN during intense
     ISCSI traffic might lead to FW assert.
  4. (iSCSI) Chip hangs when in case of retransmission not aligned
     to 4-bytes from the beginning of iSCSI PDU.
  5. (FCoE) Arrival of packets beyond task IO size can lead to crash.

Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agobnx2x: Enable changing speed when port type is PORT_DA
Yaniv Rosner [Thu, 27 Oct 2011 05:13:52 +0000 (05:13 +0000)]
bnx2x: Enable changing speed when port type is PORT_DA

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agobnx2x: Fix 54618se LED behavior
Yaniv Rosner [Thu, 27 Oct 2011 05:09:48 +0000 (05:09 +0000)]
bnx2x: Fix 54618se LED behavior

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agobnx2x: Fix RX/TX problem caused by the MAC layer
Yaniv Rosner [Thu, 27 Oct 2011 05:09:47 +0000 (05:09 +0000)]
bnx2x: Fix RX/TX problem caused by the MAC layer

This patch fixes a problem in which the host stops receiving data after
restarting the interface. This issue is caused by combination of incorrect
data path tap closure, along with missing MAC reset.

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agobnx2x: Add link retry to 578xx-KR
Yaniv Rosner [Thu, 27 Oct 2011 05:09:46 +0000 (05:09 +0000)]
bnx2x: Add link retry to 578xx-KR

This fix solves a problem of no link on 578xx-KR by retrying to link up to
four timer using the periodic function.

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agobnx2x: Fix LED blink rate for 578xx
Yaniv Rosner [Thu, 27 Oct 2011 05:09:45 +0000 (05:09 +0000)]
bnx2x: Fix LED blink rate for 578xx

Adjust blink rate on 578xx to fit its clock rate.

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoipv6: tcp: fix TCLASS value in ACK messages sent from TIME_WAIT
Eric Dumazet [Thu, 27 Oct 2011 04:44:35 +0000 (00:44 -0400)]
ipv6: tcp: fix TCLASS value in ACK messages sent from TIME_WAIT

commit 66b13d99d96a (ipv4: tcp: fix TOS value in ACK messages sent from
TIME_WAIT) fixed IPv4 only.

This part is for the IPv6 side, adding a tclass param to ip6_xmit()

We alias tw_tclass and tw_tos, if socket family is INET6.

[ if sockets is ipv4-mapped, only IP_TOS socket option is used to fill
TOS field, TCLASS is not taken into account ]

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoMerge branch 'slab/for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/penber...
Linus Torvalds [Wed, 26 Oct 2011 19:46:18 +0000 (21:46 +0200)]
Merge branch 'slab/for-linus' of git://git./linux/kernel/git/penberg/linux

* 'slab/for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/penberg/linux:
  tools, slub: Fix off-by-one buffer corruption after readlink() call
  slub: Discard slab page when node partial > minimum partial number
  slub: correct comments error for per cpu partial
  mm: restrict access to slab files under procfs and sysfs
  slub: Code optimization in get_partial_node()
  slub: doc: update the slabinfo.c file path
  slub: explicitly document position of inserting slab to partial list
  slub: update slabinfo tools to report per cpu partial list statistics
  slub: per cpu cache for partial pages
  slub: return object pointer from get_partial() / new_slab().
  slub: pass kmem_cache_cpu pointer to get_partial()
  slub: Prepare inuse field in new_slab()
  slub: Remove useless statements in __slab_alloc
  slub: free slabs without holding locks
  slub: use print_hex_dump
  slab: use print_hex_dump

13 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/vapier...
Linus Torvalds [Wed, 26 Oct 2011 19:43:07 +0000 (21:43 +0200)]
Merge branch 'for-linus' of git://git./linux/kernel/git/vapier/blackfin

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/vapier/blackfin:
  Blackfin: irq: remove IRQF_DISABLED
  Blackfin: boards: clean up i2c_board_info
  Blackfin: drop unused Kconfig symbol
  Blackfin: bf537-stamp: register ASoC EVAL-ADAU1373 board driver
  Blackfin: bf537-stamp: Register adav801 codec and ASoC machine driver
  Blackfin: bf537-stamp: register adau1701 codec and asoc machine driver
  Blackfin: merge asm/mutex.h into kbuild too
  Blackfin: bf537-stamp: fix ad73311 codec config macro
  Blackfin: bf537-stamp: fix ad1836 name
  Blackfin: kgdb_test: rework code to avoid -O0 usage
  Blackfin: fix sparse warnings in copy_to/from_user
  Blackfin: bf548-ezkit: update defconfig
  Blackfin: SMP: fix scheduling deadlock
  Blackfin: H8606: fixup bogus ioresource init
  Blackfin: SMP: convert to common asm-generic/atomic.h

13 years agoMerge branch 'for-linus' of git://neil.brown.name/md
Linus Torvalds [Wed, 26 Oct 2011 19:39:42 +0000 (21:39 +0200)]
Merge branch 'for-linus' of git://neil.brown.name/md

* 'for-linus' of git://neil.brown.name/md: (34 commits)
  md: Fix some bugs in recovery_disabled handling.
  md/raid5: fix bug that could result in reads from a failed device.
  lib/raid6: Fix filename emitted in generated code
  md.c: trivial comment fix
  MD: Allow restarting an interrupted incremental recovery.
  md: clear In_sync bit on devices added to an active array.
  md: add proper write-congestion reporting to RAID1 and RAID10.
  md: rename "mdk_personality" to "md_personality"
  md/bitmap remove fault injection options.
  md/raid5: typedef removal: raid5_conf_t -> struct r5conf
  md/raid1: typedef removal: conf_t -> struct r1conf
  md/raid10: typedef removal: conf_t -> struct r10conf
  md/raid0: typedef removal: raid0_conf_t -> struct r0conf
  md/multipath: typedef removal: multipath_conf_t -> struct mpconf
  md/linear: typedef removal: linear_conf_t -> struct linear_conf
  md/faulty: remove typedef: conf_t -> struct faulty_conf
  md/linear: remove typedefs: dev_info_t -> struct dev_info
  md: remove typedefs: mirror_info_t -> struct mirror_info
  md: remove typedefs: r10bio_t -> struct r10bio and r1bio_t -> struct r1bio
  md: remove typedefs: mdk_thread_t -> struct md_thread
  ...

13 years agoMerge branch 'for-linus' of git://git.open-osd.org/linux-open-osd
Linus Torvalds [Wed, 26 Oct 2011 19:33:50 +0000 (21:33 +0200)]
Merge branch 'for-linus' of git://git.open-osd.org/linux-open-osd

* 'for-linus' of git://git.open-osd.org/linux-open-osd: (21 commits)
  ore: Enable RAID5 mounts
  exofs: Support for RAID5 read-4-write interface.
  ore: RAID5 Write
  ore: RAID5 read
  fs/Makefile: Always inspect exofs/
  ore: Make ore_calc_stripe_info EXPORT_SYMBOL
  ore/exofs: Change ore_check_io API
  ore/exofs: Define new ore_verify_layout
  ore: Support for partial component table
  ore: Support for short read/writes
  exofs: Support for short read/writes
  ore: Remove check for ios->kern_buff in _prepare_for_striping to later
  ore: cleanup: Embed an ore_striping_info inside ore_io_state
  ore: Only IO one group at a time (API change)
  ore/exofs: Change the type of the devices array (API change)
  ore: Make ore_striping_info and ore_calc_stripe_info public
  exofs: Remove unused data_map member from exofs_sb_info
  exofs: Rename struct ore_components comps => oc
  exofs/super.c: local functions should be static
  exofs/ore.c: local functions should be static
  ...

13 years agoMerge branch 'x86-cleanups-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Wed, 26 Oct 2011 15:43:08 +0000 (17:43 +0200)]
Merge branch 'x86-cleanups-for-linus' of git://git./linux/kernel/git/tip/tip

* 'x86-cleanups-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86-64, unistd: Remove bogus __IGNORE_getcpu
  x86, mm, trivial: Remove unnecessary get_order() in free_thread_info()
  x86, cleanup: Remove unneeded version.h include from arch/x86/

13 years agoMerge branch 'x86-asm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Wed, 26 Oct 2011 15:42:03 +0000 (17:42 +0200)]
Merge branch 'x86-asm-for-linus' of git://git./linux/kernel/git/tip/tip

* 'x86-asm-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86-64: Fix CFI data for interrupt frames
  x86-64: Don't apply destructive erratum workaround on unaffected CPUs