1. 11 Aug, 2011 4 commits
    • Dan Carpenter's avatar
      Bluetooth: unlock if allocation fails in hci_blacklist_add() · 8475e233
      Dan Carpenter authored
      There was a small typo here so we never actually hit the goto which
      would call hci_dev_unlock_bh().
      Signed-off-by: default avatarDan Carpenter <error27@gmail.com>
      Signed-off-by: default avatarGustavo F. Padovan <padovan@profusion.mobi>
      8475e233
    • Stanislaw Gruszka's avatar
      rt2x00: fix crash in rt2800usb_get_txwi · 674db134
      Stanislaw Gruszka authored
      Patch should fix this oops:
      
      BUG: unable to handle kernel NULL pointer dereference at 000000a0
      IP: [<f81b30c9>] rt2800usb_get_txwi+0x19/0x70 [rt2800usb]
      *pdpt = 0000000000000000 *pde = f000ff53f000ff53
      Oops: 0000 [#1] SMP
      Pid: 198, comm: kworker/u:3 Tainted: G        W   3.0.0-wl+ #9 LENOVO 6369CTO/6369CTO
      EIP: 0060:[<f81b30c9>] EFLAGS: 00010283 CPU: 1
      EIP is at rt2800usb_get_txwi+0x19/0x70 [rt2800usb]
      EAX: 00000000 EBX: f465e140 ECX: f4494960 EDX: ef24c5f8
      ESI: 810f21f5 EDI: f1da9960 EBP: f4581e80 ESP: f4581e70
       DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
      Process kworker/u:3 (pid: 198, ti=f4580000 task=f4494960 task.ti=f4580000)
      Call Trace:
       [<f804790f>] rt2800_txdone_entry+0x2f/0xf0 [rt2800lib]
       [<c045110d>] ? warn_slowpath_common+0x7d/0xa0
       [<f81b3a38>] ? rt2800usb_work_txdone+0x288/0x360 [rt2800usb]
       [<f81b3a38>] ? rt2800usb_work_txdone+0x288/0x360 [rt2800usb]
       [<f81b3a13>] rt2800usb_work_txdone+0x263/0x360 [rt2800usb]
       [<c046a8d6>] process_one_work+0x186/0x440
       [<c046a85a>] ? process_one_work+0x10a/0x440
       [<f81b37b0>] ? rt2800usb_probe_hw+0x120/0x120 [rt2800usb]
       [<c046c283>] worker_thread+0x133/0x310
       [<c04885db>] ? trace_hardirqs_on+0xb/0x10
       [<c046c150>] ? manage_workers+0x1e0/0x1e0
       [<c047054c>] kthread+0x7c/0x90
       [<c04704d0>] ? __init_kthread_worker+0x60/0x60
       [<c0826b42>] kernel_thread_helper+0x6/0x1
      
      Oops might happen because we check rt2x00queue_empty(queue) twice,
      but this condition can change and we can process entry in
      rt2800_txdone_entry(), which was already processed by
      rt2800usb_txdone_entry_check() -> rt2x00lib_txdone_noinfo() and
      has nullify entry->skb .
      Reported-by: default avatarJustin Piszcz <jpiszcz@lucidpixels.com>
      Cc: stable@kernel.org
      Signed-off-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      Acked-by: default avatarIvo van Doorn <IvDoorn@gmail.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      674db134
    • Stanislaw Gruszka's avatar
      rt2x00: fix order of entry flags modification · df71c9cf
      Stanislaw Gruszka authored
      In rt2800usb_work_txdone we check flags in order:
      
      - ENTRY_OWNER_DEVICE_DATA
      - ENTRY_DATA_STATUS_PENDING
      - ENTRY_DATA_IO_FAILED
      
      Modify flags in separate order in rt2x00usb_interrupt_txdone, to avoid
      processing entries in _txdone with wrong flags or skip processing
      ready entries.
      Reported-by: default avatarJustin Piszcz <jpiszcz@lucidpixels.com>
      Cc: stable@kernel.org
      Signed-off-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      Acked-by: default avatarIvo van Doorn <IvDoorn@gmail.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      df71c9cf
    • Stanislaw Gruszka's avatar
      rt2x00: fix crash in rt2800usb_write_tx_desc · 4b1bfb7d
      Stanislaw Gruszka authored
      Patch should fix this oops:
      
      BUG: unable to handle kernel NULL pointer dereference at 000000a0
      IP: [<f8e06078>] rt2800usb_write_tx_desc+0x18/0xc0 [rt2800usb]
      *pdpt = 000000002408c001 *pde = 0000000024079067 *pte = 0000000000000000
      Oops: 0000 [#1] SMP
      EIP: 0060:[<f8e06078>] EFLAGS: 00010282 CPU: 0
      EIP is at rt2800usb_write_tx_desc+0x18/0xc0 [rt2800usb]
      EAX: 00000035 EBX: ef2bef10 ECX: 00000000 EDX: d40958a0
      ESI: ef1865f8 EDI: ef1865f8 EBP: d4095878 ESP: d409585c
       DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
      Call Trace:
       [<f8da5e85>] rt2x00queue_write_tx_frame+0x155/0x300 [rt2x00lib]
       [<f8da424c>] rt2x00mac_tx+0x7c/0x370 [rt2x00lib]
       [<c04882b2>] ? mark_held_locks+0x62/0x90
       [<c081f645>] ? _raw_spin_unlock_irqrestore+0x35/0x60
       [<c04884ba>] ? trace_hardirqs_on_caller+0x5a/0x170
       [<c04885db>] ? trace_hardirqs_on+0xb/0x10
       [<f8d618ac>] __ieee80211_tx+0x5c/0x1e0 [mac80211]
       [<f8d631fc>] ieee80211_tx+0xbc/0xe0 [mac80211]
       [<f8d63163>] ? ieee80211_tx+0x23/0xe0 [mac80211]
       [<f8d632e1>] ieee80211_xmit+0xc1/0x200 [mac80211]
       [<f8d63220>] ? ieee80211_tx+0xe0/0xe0 [mac80211]
       [<c0487d45>] ? lock_release_holdtime+0x35/0x1b0
       [<f8d63986>] ? ieee80211_subif_start_xmit+0x446/0x5f0 [mac80211]
       [<f8d637dd>] ieee80211_subif_start_xmit+0x29d/0x5f0 [mac80211]
       [<f8d63924>] ? ieee80211_subif_start_xmit+0x3e4/0x5f0 [mac80211]
       [<c0760188>] ? sock_setsockopt+0x6a8/0x6f0
       [<c0760000>] ? sock_setsockopt+0x520/0x6f0
       [<c076daef>] dev_hard_start_xmit+0x2ef/0x650
      
      Oops might happen because we perform parallel putting new entries in a
      queue (rt2x00queue_write_tx_frame()) and removing entries after
      finishing transmitting (rt2800usb_work_txdone()). There are cases when
      _txdone may process an entry that was not fully send and nullify
      entry->skb .
      
      To fix check in _txdone if entry has flags that indicate pending
      transmission and wait until flags get cleared.
      Reported-by: default avatarJustin Piszcz <jpiszcz@lucidpixels.com>
      Cc: stable@kernel.org
      Signed-off-by: default avatarStanislaw Gruszka <sgruszka@redhat.com>
      Acked-by: default avatarIvo van Doorn <IvDoorn@gmail.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      4b1bfb7d
  2. 10 Aug, 2011 1 commit
    • Julia Lawall's avatar
      drivers/net/wireless/wl1251: add missing kfree · 059c4383
      Julia Lawall authored
      In each case, the kfree already at the end of the function is also needed
      in the error case.
      
      A simplified version of the semantic match that finds this problem is as
      follows: (http://coccinelle.lip6.fr/)
      
      // <smpl>
      @exists@
      local idexpression x;
      statement S,S1;
      expression E;
      identifier fl;
      expression *ptr != NULL;
      @@
      
      x = \(kmalloc\|kzalloc\|kcalloc\)(...);
      ...
      if (x == NULL) S
      <... when != x
           when != if (...) { <+...kfree(x)...+> }
           when any
           when != true x == NULL
      x->fl
      ...>
      (
      if (x == NULL) S1
      |
      if (...) { ... when != x
                     when forall
      (
       return \(0\|<+...x...+>\|ptr\);
      |
      * return ...;
      )
      }
      )
      // </smpl>
      Signed-off-by: default avatarJulia Lawall <julia@diku.dk>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      059c4383
  3. 09 Aug, 2011 8 commits
  4. 03 Aug, 2011 1 commit
  5. 02 Aug, 2011 4 commits
  6. 01 Aug, 2011 6 commits
  7. 28 Jul, 2011 16 commits