From 9bbb8168ed3d8b946f9c1901a63a675012de88f2 Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Wed, 15 Feb 2012 19:31:20 +0100 Subject: [PATCH 1/7] ath9k_hw: prevent writes to const data on AR9160 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Duplicate the data for iniAddac early on, to avoid having to do redundant memcpy calls later. While we're at it, make AR5416 < v2.2 use the same codepath. Fixes a reported crash on x86. Signed-off-by: Felix Fietkau Reported-by: Magnus Määttä Cc: stable@vger.kernel.org Signed-off-by: John W. Linville --- drivers/net/wireless/ath/ath9k/ar5008_phy.c | 25 +-------------------- drivers/net/wireless/ath/ath9k/ar9002_hw.c | 19 ++++++++++++++++ drivers/net/wireless/ath/ath9k/hw.h | 1 - 3 files changed, 20 insertions(+), 25 deletions(-) diff --git a/drivers/net/wireless/ath/ath9k/ar5008_phy.c b/drivers/net/wireless/ath/ath9k/ar5008_phy.c index f901a17f76ba..86a891f93fc9 100644 --- a/drivers/net/wireless/ath/ath9k/ar5008_phy.c +++ b/drivers/net/wireless/ath/ath9k/ar5008_phy.c @@ -489,8 +489,6 @@ static int ar5008_hw_rf_alloc_ext_banks(struct ath_hw *ah) ATH_ALLOC_BANK(ah->analogBank6Data, ah->iniBank6.ia_rows); ATH_ALLOC_BANK(ah->analogBank6TPCData, ah->iniBank6TPC.ia_rows); ATH_ALLOC_BANK(ah->analogBank7Data, ah->iniBank7.ia_rows); - ATH_ALLOC_BANK(ah->addac5416_21, - ah->iniAddac.ia_rows * ah->iniAddac.ia_columns); ATH_ALLOC_BANK(ah->bank6Temp, ah->iniBank6.ia_rows); return 0; @@ -519,7 +517,6 @@ static void ar5008_hw_rf_free_ext_banks(struct ath_hw *ah) ATH_FREE_BANK(ah->analogBank6Data); ATH_FREE_BANK(ah->analogBank6TPCData); ATH_FREE_BANK(ah->analogBank7Data); - ATH_FREE_BANK(ah->addac5416_21); ATH_FREE_BANK(ah->bank6Temp); #undef ATH_FREE_BANK @@ -805,27 +802,7 @@ static int ar5008_hw_process_ini(struct ath_hw *ah, if (ah->eep_ops->set_addac) ah->eep_ops->set_addac(ah, chan); - if (AR_SREV_5416_22_OR_LATER(ah)) { - REG_WRITE_ARRAY(&ah->iniAddac, 1, regWrites); - } else { - struct ar5416IniArray temp; - u32 addacSize = - sizeof(u32) * ah->iniAddac.ia_rows * - ah->iniAddac.ia_columns; - - /* For AR5416 2.0/2.1 */ - memcpy(ah->addac5416_21, - ah->iniAddac.ia_array, addacSize); - - /* override CLKDRV value at [row, column] = [31, 1] */ - (ah->addac5416_21)[31 * ah->iniAddac.ia_columns + 1] = 0; - - temp.ia_array = ah->addac5416_21; - temp.ia_columns = ah->iniAddac.ia_columns; - temp.ia_rows = ah->iniAddac.ia_rows; - REG_WRITE_ARRAY(&temp, 1, regWrites); - } - + REG_WRITE_ARRAY(&ah->iniAddac, 1, regWrites); REG_WRITE(ah, AR_PHY_ADC_SERIAL_CTL, AR_PHY_SEL_INTERNAL_ADDAC); ENABLE_REGWRITE_BUFFER(ah); diff --git a/drivers/net/wireless/ath/ath9k/ar9002_hw.c b/drivers/net/wireless/ath/ath9k/ar9002_hw.c index 11f192a1ceb7..d190411ac8f5 100644 --- a/drivers/net/wireless/ath/ath9k/ar9002_hw.c +++ b/drivers/net/wireless/ath/ath9k/ar9002_hw.c @@ -180,6 +180,25 @@ static void ar9002_hw_init_mode_regs(struct ath_hw *ah) INIT_INI_ARRAY(&ah->iniAddac, ar5416Addac, ARRAY_SIZE(ar5416Addac), 2); } + + /* iniAddac needs to be modified for these chips */ + if (AR_SREV_9160(ah) || !AR_SREV_5416_22_OR_LATER(ah)) { + struct ar5416IniArray *addac = &ah->iniAddac; + u32 size = sizeof(u32) * addac->ia_rows * addac->ia_columns; + u32 *data; + + data = kmalloc(size, GFP_KERNEL); + if (!data) + return; + + memcpy(data, addac->ia_array, size); + addac->ia_array = data; + + if (!AR_SREV_5416_22_OR_LATER(ah)) { + /* override CLKDRV value */ + INI_RA(addac, 31,1) = 0; + } + } } /* Support for Japan ch.14 (2484) spread */ diff --git a/drivers/net/wireless/ath/ath9k/hw.h b/drivers/net/wireless/ath/ath9k/hw.h index 6a29004a71b0..c8261d4fc780 100644 --- a/drivers/net/wireless/ath/ath9k/hw.h +++ b/drivers/net/wireless/ath/ath9k/hw.h @@ -940,7 +940,6 @@ struct ath_hw { u32 *analogBank6Data; u32 *analogBank6TPCData; u32 *analogBank7Data; - u32 *addac5416_21; u32 *bank6Temp; u8 txpower_limit; From 7be081539e540517d5e1fcbf96b8080074afbf08 Mon Sep 17 00:00:00 2001 From: Gabor Juhos Date: Thu, 16 Feb 2012 20:44:59 +0100 Subject: [PATCH 2/7] rt2x00: fix a possible NULL pointer dereference The 'rt2x00lib_probe_dev' function tries to allocate the workqueue. If the allocation fails, 'rt2x00_lib_remove_dev' is called on the error path. Because 'rt2x00dev->workqueue' is NULL in this case, the 'destroy_workqueue' call will cause a NULL pointer dereference. Signed-off-by: Gabor Juhos Acked-by: Gertjan van Wingerde Acked-by: Ivo van Doorn Signed-off-by: John W. Linville --- drivers/net/wireless/rt2x00/rt2x00dev.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/rt2x00/rt2x00dev.c b/drivers/net/wireless/rt2x00/rt2x00dev.c index c3e1aa7c1a80..d2a1ea98d0f2 100644 --- a/drivers/net/wireless/rt2x00/rt2x00dev.c +++ b/drivers/net/wireless/rt2x00/rt2x00dev.c @@ -1220,7 +1220,8 @@ void rt2x00lib_remove_dev(struct rt2x00_dev *rt2x00dev) cancel_work_sync(&rt2x00dev->rxdone_work); cancel_work_sync(&rt2x00dev->txdone_work); } - destroy_workqueue(rt2x00dev->workqueue); + if (rt2x00dev->workqueue) + destroy_workqueue(rt2x00dev->workqueue); /* * Free the tx status fifo. From 5dcbf480473f6c3f06ad2426b7517038a2a18911 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Fri, 17 Feb 2012 09:47:14 -0800 Subject: [PATCH 3/7] iwlwifi: fix key removal When trying to remove a key, we always send key flags just setting the key type, not including the multicast flag and the key ID. As a result, whenever any key was removed, the unicast key 0 would be removed, causing a complete connection loss after the second rekey (the first doesn't cause a key removal). Fix the key removal code to include the key ID and multicast flag, thus removing the correct key. Cc: stable@vger.kernel.org Reported-by: Alexander Schnaidt Tested-by: Alexander Schnaidt Signed-off-by: Johannes Berg Signed-off-by: Wey-Yi Guy Signed-off-by: John W. Linville --- drivers/net/wireless/iwlwifi/iwl-agn-sta.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/net/wireless/iwlwifi/iwl-agn-sta.c b/drivers/net/wireless/iwlwifi/iwl-agn-sta.c index 7353826095f1..e483cfa8d14e 100644 --- a/drivers/net/wireless/iwlwifi/iwl-agn-sta.c +++ b/drivers/net/wireless/iwlwifi/iwl-agn-sta.c @@ -1187,6 +1187,7 @@ int iwl_remove_dynamic_key(struct iwl_priv *priv, unsigned long flags; struct iwl_addsta_cmd sta_cmd; u8 sta_id = iwlagn_key_sta_id(priv, ctx->vif, sta); + __le16 key_flags; /* if station isn't there, neither is the key */ if (sta_id == IWL_INVALID_STATION) @@ -1212,7 +1213,14 @@ int iwl_remove_dynamic_key(struct iwl_priv *priv, IWL_ERR(priv, "offset %d not used in uCode key table.\n", keyconf->hw_key_idx); - sta_cmd.key.key_flags = STA_KEY_FLG_NO_ENC | STA_KEY_FLG_INVALID; + key_flags = cpu_to_le16(keyconf->keyidx << STA_KEY_FLG_KEYID_POS); + key_flags |= STA_KEY_FLG_MAP_KEY_MSK | STA_KEY_FLG_NO_ENC | + STA_KEY_FLG_INVALID; + + if (!(keyconf->flags & IEEE80211_KEY_FLAG_PAIRWISE)) + key_flags |= STA_KEY_MULTICAST_MSK; + + sta_cmd.key.key_flags = key_flags; sta_cmd.key.key_offset = WEP_INVALID_OFFSET; sta_cmd.sta.modify_mask = STA_MODIFY_KEY_MASK; sta_cmd.mode = STA_CONTROL_MODIFY_MSK; From 8617b093d0031837a7be9b32bc674580cfb5f6b5 Mon Sep 17 00:00:00 2001 From: Mohammed Shafi Shajakhan Date: Mon, 20 Feb 2012 10:05:31 +0530 Subject: [PATCH 4/7] mac80211: zero initialize count field in ieee80211_tx_rate rate control algorithms concludes the rate as invalid with rate[i].idx < -1 , while they do also check for rate[i].count is non-zero. it would be safer to zero initialize the 'count' field. recently we had a ath9k rate control crash where the ath9k rate control in ath_tx_status assumed to check only for rate[i].count being non-zero in one instance and ended up in using invalid rate index for 'connection monitoring NULL func frames' which eventually lead to the crash. thanks to Pavel Roskin for fixing it and finding the root cause. https://bugzilla.redhat.com/show_bug.cgi?id=768639 Cc: stable@vger.kernel.org Cc: Pavel Roskin Signed-off-by: Mohammed Shafi Shajakhan Signed-off-by: John W. Linville --- net/mac80211/rate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/mac80211/rate.c b/net/mac80211/rate.c index ad64f4d5271a..f9b8e819ca63 100644 --- a/net/mac80211/rate.c +++ b/net/mac80211/rate.c @@ -344,7 +344,7 @@ void rate_control_get_rate(struct ieee80211_sub_if_data *sdata, for (i = 0; i < IEEE80211_TX_MAX_RATES; i++) { info->control.rates[i].idx = -1; info->control.rates[i].flags = 0; - info->control.rates[i].count = 1; + info->control.rates[i].count = 0; } if (sdata->local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) From 0dee00686da88cc32753e02e4e8efdd9e326e4d2 Mon Sep 17 00:00:00 2001 From: Mohammed Shafi Shajakhan Date: Mon, 20 Feb 2012 14:44:01 +0530 Subject: [PATCH 5/7] mac80211: Fix a warning on changing to monitor mode from STA nothing needs to be done for monitor/AP_VLAN mode on calling ieee80211_bss_info_change_notify -> drv_bss_info_changed with the change flag 'BSS_CHANGED_IDLE'. 'wl1271' seems to use BSS_CHANGED_IDLE only for STA and IBSS mode. further the non-idle state of the monitor mode is taken care by the 'count' variable which counts non-idle interfaces. ieee80211_idle_off(local, "in use") will be called. this fixes the following WARNING when we have initially STA mode (network manager running) and not associated, and change it to monitor mode with network manager disabled and bringing up the monitor mode. this changes the idle state from 'true' (STA unassociated) to 'false' (MONITOR mode) exposed by the commit 405385f8ce7a2ed8f82e216d88b5282142e1288b "mac80211: set bss_conf.idle when vif is connected" WARNING: net/mac80211/main.c:212 ieee80211_bss_info_change_notify+0x1cf/0x330 [mac80211]() Hardware name: 64756D6 Pid: 3835, comm: ifconfig Tainted: G O 3.3.0-rc3-wl #9 Call Trace: [] warn_slowpath_common+0x72/0xa0 [] ? ieee80211_bss_info_change_notify+0x1cf/0x330 [mac80211] [] ? ieee80211_bss_info_change_notify+0x1cf/0x330 [mac80211] [] warn_slowpath_null+0x22/0x30 [] ieee80211_bss_info_change_notify+0x1cf/0x330 [mac80211] [] __ieee80211_recalc_idle+0x113/0x430 [mac80211] [] ieee80211_do_open+0x156/0x7e0 [mac80211] [] ? ieee80211_check_concurrent_iface+0x25/0x180 [mac80211] [] ? raw_notifier_call_chain+0x1f/0x30 [] ieee80211_open+0x40/0x80 [mac80211] [] __dev_open+0x96/0xe0 [] ? _raw_spin_unlock_bh+0x35/0x40 [] __dev_change_flags+0x109/0x170 [] dev_change_flags+0x23/0x60 [] devinet_ioctl+0x6a0/0x770 ieee80211 phy0: device no longer idle - in use Cc: Eliad Peller Signed-off-by: Mohammed Shafi Shajakhan Signed-off-by: John W. Linville --- net/mac80211/iface.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c index 01a21c2f6ab3..8e2137bd87e2 100644 --- a/net/mac80211/iface.c +++ b/net/mac80211/iface.c @@ -1332,6 +1332,9 @@ u32 __ieee80211_recalc_idle(struct ieee80211_local *local) hw_roc = true; list_for_each_entry(sdata, &local->interfaces, list) { + if (sdata->vif.type == NL80211_IFTYPE_MONITOR || + sdata->vif.type == NL80211_IFTYPE_AP_VLAN) + continue; if (sdata->old_idle == sdata->vif.bss_conf.idle) continue; if (!ieee80211_sdata_running(sdata)) From 85091fc0a75653e239dc8379658515e577544927 Mon Sep 17 00:00:00 2001 From: Arend van Spriel Date: Thu, 23 Feb 2012 18:38:22 +0100 Subject: [PATCH 6/7] brcm80211: smac: fix endless retry of A-MPDU transmissions The A-MPDU code checked against a retry limit, but it was using the wrong variable to do so. This patch fixes this to assure proper retry mechanism. This problem had a side-effect causing the mac80211 flush callback to remain waiting forever as well. That side effect has been fixed by commit by Stanislaw Gruszka: commit f96b08a7e6f69c0f0a576554df3df5b1b519c479 Date: Tue Jan 17 12:38:50 2012 +0100 brcmsmac: fix tx queue flush infinite loop Reference: https://bugzilla.kernel.org/show_bug.cgi?id=42576 Cc: Stanislaw Gruszka Reviewed-by: Pieter-Paul Giesberts Reviewed-by: Alwin Beukers Signed-off-by: Arend van Spriel Signed-off-by: John W. Linville --- drivers/net/wireless/brcm80211/brcmsmac/ampdu.c | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c b/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c index 90911eec0cf5..92652264f205 100644 --- a/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c +++ b/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c @@ -1051,17 +1051,13 @@ brcms_c_ampdu_dotxstatus_complete(struct ampdu_info *ampdu, struct scb *scb, } /* either retransmit or send bar if ack not recd */ if (!ack_recd) { - struct ieee80211_tx_rate *txrate = - tx_info->status.rates; - if (retry && (txrate[0].count < (int)retry_limit)) { + if (retry && (ini->txretry[index] < (int)retry_limit)) { ini->txretry[index]++; ini->tx_in_transit--; /* * Use high prededence for retransmit to * give some punch */ - /* brcms_c_txq_enq(wlc, scb, p, - * BRCMS_PRIO_TO_PREC(tid)); */ brcms_c_txq_enq(wlc, scb, p, BRCMS_PRIO_TO_HI_PREC(tid)); } else { From 2b0a53d51b5f263bb581bbdb40ebb9f7e09609b1 Mon Sep 17 00:00:00 2001 From: Arend van Spriel Date: Thu, 23 Feb 2012 18:38:23 +0100 Subject: [PATCH 7/7] brcm80211: smac: only print block-ack timeout message at trace level In regular use block-ack timeouts can happen so it does not make sense to fill the log with these messages. Reviewed-by: Pieter-Paul Giesberts Reviewed-by: Alwin Beukers Signed-off-by: Arend van Spriel Signed-off-by: John W. Linville --- drivers/net/wireless/brcm80211/brcmsmac/ampdu.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c b/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c index 92652264f205..30b58870b1b6 100644 --- a/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c +++ b/drivers/net/wireless/brcm80211/brcmsmac/ampdu.c @@ -1070,9 +1070,9 @@ brcms_c_ampdu_dotxstatus_complete(struct ampdu_info *ampdu, struct scb *scb, IEEE80211_TX_STAT_AMPDU_NO_BACK; skb_pull(p, D11_PHY_HDR_LEN); skb_pull(p, D11_TXH_LEN); - wiphy_err(wiphy, "%s: BA Timeout, seq %d, in_" - "transit %d\n", "AMPDU status", seq, - ini->tx_in_transit); + BCMMSG(wiphy, + "BA Timeout, seq %d, in_transit %d\n", + seq, ini->tx_in_transit); ieee80211_tx_status_irqsafe(wlc->pub->ieee_hw, p); }