1. 07 Oct, 2013 1 commit
  2. 02 Oct, 2013 6 commits
  3. 30 Sep, 2013 4 commits
  4. 26 Sep, 2013 22 commits
    • Johannes Berg's avatar
      cfg80211: fix sysfs registration race · aa5f66d5
      Johannes Berg authored
      My locking rework/race fixes caused a regression in the
      registration, causing uevent notifications for wireless
      devices before the device is really fully registered and
      available in nl80211.
      
      Fix this by moving the device_add() under rtnl and move
      the rfkill to afterwards (it can't be under rtnl.)
      Reported-and-tested-by: default avatarMaxime Bizon <mbizon@freebox.fr>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      aa5f66d5
    • Arend van Spriel's avatar
      brcmsmac: call bcma_core_pci_power_save() from non-atomic context · c7515d23
      Arend van Spriel authored
      This patch adds explicit call to bcma_core_pci_power_save() from
      a non-atomic context resolving 'scheduling while atomic' issue.
      
      [   13.224317] BUG: scheduling while atomic: dhcpcd/1800/0x00000202
      [   13.224322] Modules linked in: brcmsmac nouveau coretemp kvm_intel kvm cordic brcmutil bcma dell_wmi atl1c ttm mxm_wmi wmi
      [   13.224354] CPU: 0 PID: 1800 Comm: dhcpcd Tainted: G        W    3.11.0-wl #1
      [   13.224359] Hardware name: Alienware M11x R2/M11x R2, BIOS A04 11/23/2010
      [   13.224363]  ffff880177c12c40 ffff880170fd1968 ffffffff8169af5b 0000000000000007
      [   13.224374]  ffff880170fd1ad0 ffff880170fd1978 ffffffff81697ee2 ffff880170fd19f8
      [   13.224383]  ffffffff816a19f5 00000000000f4240 000000000000d080 ffff880170fd1fd8
      [   13.224391] Call Trace:
      [   13.224399]  [<ffffffff8169af5b>] dump_stack+0x4f/0x84
      [   13.224403]  [<ffffffff81697ee2>] __schedule_bug+0x43/0x51
      [   13.224409]  [<ffffffff816a19f5>] __schedule+0x6e5/0x810
      [   13.224412]  [<ffffffff816a1c34>] schedule+0x24/0x70
      [   13.224416]  [<ffffffff816a04fc>] schedule_hrtimeout_range_clock+0x10c/0x150
      [   13.224420]  [<ffffffff810684e0>] ? update_rmtp+0x60/0x60
      [   13.224424]  [<ffffffff8106915f>] ? hrtimer_start_range_ns+0xf/0x20
      [   13.224429]  [<ffffffff816a054e>] schedule_hrtimeout_range+0xe/0x10
      [   13.224432]  [<ffffffff8104f6fb>] usleep_range+0x3b/0x40
      [   13.224437]  [<ffffffffa003733a>] bcma_pcie_mdio_read.isra.5+0x8a/0x100 [bcma]
      [   13.224442]  [<ffffffffa00374a5>] bcma_pcie_mdio_writeread.isra.6.constprop.13+0x25/0x30 [bcma]
      [   13.224448]  [<ffffffffa00374f9>] bcma_core_pci_power_save+0x49/0x80 [bcma]
      [   13.224452]  [<ffffffffa003765d>] bcma_core_pci_up+0x2d/0x60 [bcma]
      [   13.224460]  [<ffffffffa03dc17c>] brcms_c_up+0xfc/0x430 [brcmsmac]
      [   13.224467]  [<ffffffffa03d1a7d>] brcms_up+0x1d/0x20 [brcmsmac]
      [   13.224473]  [<ffffffffa03d2498>] brcms_ops_start+0x298/0x340 [brcmsmac]
      [   13.224478]  [<ffffffff81600a12>] ? cfg80211_netdev_notifier_call+0xd2/0x5f0
      [   13.224483]  [<ffffffff815fa53d>] ? packet_notifier+0xad/0x1d0
      [   13.224487]  [<ffffffff81656e75>] ieee80211_do_open+0x325/0xf80
      [   13.224491]  [<ffffffff8106ac09>] ? __raw_notifier_call_chain+0x9/0x10
      [   13.224495]  [<ffffffff81657b41>] ieee80211_open+0x71/0x80
      [   13.224498]  [<ffffffff81526267>] __dev_open+0x87/0xe0
      [   13.224502]  [<ffffffff8152650c>] __dev_change_flags+0x9c/0x180
      [   13.224505]  [<ffffffff815266a3>] dev_change_flags+0x23/0x70
      [   13.224509]  [<ffffffff8158cd68>] devinet_ioctl+0x5b8/0x6a0
      [   13.224512]  [<ffffffff8158d5c5>] inet_ioctl+0x75/0x90
      [   13.224516]  [<ffffffff8150b38b>] sock_do_ioctl+0x2b/0x70
      [   13.224519]  [<ffffffff8150b681>] sock_ioctl+0x71/0x2a0
      [   13.224523]  [<ffffffff8114ed47>] do_vfs_ioctl+0x87/0x520
      [   13.224528]  [<ffffffff8113f159>] ? ____fput+0x9/0x10
      [   13.224533]  [<ffffffff8106228c>] ? task_work_run+0x9c/0xd0
      [   13.224537]  [<ffffffff8114f271>] SyS_ioctl+0x91/0xb0
      [   13.224541]  [<ffffffff816aa252>] system_call_fastpath+0x16/0x1b
      
      Cc: <stable@vger.kernel.org> # 3.11.x
      Cc: Tod Jackson <tod.jackson@gmail.com>
      Cc: Joe Perches <joe@perches.com>
      Cc: Rafal Milecki <zajec5@gmail.com>
      Cc: Hauke Mehrtens <hauke@hauke-m.de>
      Reviewed-by: default avatarHante Meuleman <meuleman@broadcom.com>
      Signed-off-by: default avatarArend van Spriel <arend@broadcom.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      c7515d23
    • Arend van Spriel's avatar
      bcma: make bcma_core_pci_{up,down}() callable from atomic context · 2bedea8f
      Arend van Spriel authored
      This patch removes the bcma_core_pci_power_save() call from
      the bcma_core_pci_{up,down}() functions as it tries to schedule
      thus requiring to call them from non-atomic context. The function
      bcma_core_pci_power_save() is now exported so the calling module
      can explicitly use it in non-atomic context. This fixes the
      'scheduling while atomic' issue reported by Tod Jackson and
      Joe Perches.
      
      [   13.210710] BUG: scheduling while atomic: dhcpcd/1800/0x00000202
      [   13.210718] Modules linked in: brcmsmac nouveau coretemp kvm_intel kvm cordic brcmutil bcma dell_wmi atl1c ttm mxm_wmi wmi
      [   13.210756] CPU: 2 PID: 1800 Comm: dhcpcd Not tainted 3.11.0-wl #1
      [   13.210762] Hardware name: Alienware M11x R2/M11x R2, BIOS A04 11/23/2010
      [   13.210767]  ffff880177c92c40 ffff880170fd1948 ffffffff8169af5b 0000000000000007
      [   13.210777]  ffff880170fd1ab0 ffff880170fd1958 ffffffff81697ee2 ffff880170fd19d8
      [   13.210785]  ffffffff816a19f5 00000000000f4240 000000000000d080 ffff880170fd1fd8
      [   13.210794] Call Trace:
      [   13.210813]  [<ffffffff8169af5b>] dump_stack+0x4f/0x84
      [   13.210826]  [<ffffffff81697ee2>] __schedule_bug+0x43/0x51
      [   13.210837]  [<ffffffff816a19f5>] __schedule+0x6e5/0x810
      [   13.210845]  [<ffffffff816a1c34>] schedule+0x24/0x70
      [   13.210855]  [<ffffffff816a04fc>] schedule_hrtimeout_range_clock+0x10c/0x150
      [   13.210867]  [<ffffffff810684e0>] ? update_rmtp+0x60/0x60
      [   13.210877]  [<ffffffff8106915f>] ? hrtimer_start_range_ns+0xf/0x20
      [   13.210887]  [<ffffffff816a054e>] schedule_hrtimeout_range+0xe/0x10
      [   13.210897]  [<ffffffff8104f6fb>] usleep_range+0x3b/0x40
      [   13.210910]  [<ffffffffa00371af>] bcma_pcie_mdio_set_phy.isra.3+0x4f/0x80 [bcma]
      [   13.210921]  [<ffffffffa003729f>] bcma_pcie_mdio_write.isra.4+0xbf/0xd0 [bcma]
      [   13.210932]  [<ffffffffa0037498>] bcma_pcie_mdio_writeread.isra.6.constprop.13+0x18/0x30 [bcma]
      [   13.210942]  [<ffffffffa00374ee>] bcma_core_pci_power_save+0x3e/0x80 [bcma]
      [   13.210953]  [<ffffffffa003765d>] bcma_core_pci_up+0x2d/0x60 [bcma]
      [   13.210975]  [<ffffffffa03dc17c>] brcms_c_up+0xfc/0x430 [brcmsmac]
      [   13.210989]  [<ffffffffa03d1a7d>] brcms_up+0x1d/0x20 [brcmsmac]
      [   13.211003]  [<ffffffffa03d2498>] brcms_ops_start+0x298/0x340 [brcmsmac]
      [   13.211020]  [<ffffffff81600a12>] ? cfg80211_netdev_notifier_call+0xd2/0x5f0
      [   13.211030]  [<ffffffff815fa53d>] ? packet_notifier+0xad/0x1d0
      [   13.211064]  [<ffffffff81656e75>] ieee80211_do_open+0x325/0xf80
      [   13.211076]  [<ffffffff8106ac09>] ? __raw_notifier_call_chain+0x9/0x10
      [   13.211086]  [<ffffffff81657b41>] ieee80211_open+0x71/0x80
      [   13.211101]  [<ffffffff81526267>] __dev_open+0x87/0xe0
      [   13.211109]  [<ffffffff8152650c>] __dev_change_flags+0x9c/0x180
      [   13.211117]  [<ffffffff815266a3>] dev_change_flags+0x23/0x70
      [   13.211127]  [<ffffffff8158cd68>] devinet_ioctl+0x5b8/0x6a0
      [   13.211136]  [<ffffffff8158d5c5>] inet_ioctl+0x75/0x90
      [   13.211147]  [<ffffffff8150b38b>] sock_do_ioctl+0x2b/0x70
      [   13.211155]  [<ffffffff8150b681>] sock_ioctl+0x71/0x2a0
      [   13.211169]  [<ffffffff8114ed47>] do_vfs_ioctl+0x87/0x520
      [   13.211180]  [<ffffffff8113f159>] ? ____fput+0x9/0x10
      [   13.211198]  [<ffffffff8106228c>] ? task_work_run+0x9c/0xd0
      [   13.211202]  [<ffffffff8114f271>] SyS_ioctl+0x91/0xb0
      [   13.211208]  [<ffffffff816aa252>] system_call_fastpath+0x16/0x1b
      [   13.211217] NOHZ: local_softirq_pending 202
      
      The issue was introduced in v3.11 kernel by following commit:
      
      commit aa51e598
      Author: Hauke Mehrtens <hauke@hauke-m.de>
      Date:   Sat Aug 24 00:32:31 2013 +0200
      
          brcmsmac: use bcma PCIe up and down functions
      
          replace the calls to bcma_core_pci_extend_L1timer() by calls to the
          newly introduced bcma_core_pci_ip() and bcma_core_pci_down()
      Signed-off-by: default avatarHauke Mehrtens <hauke@hauke-m.de>
          Cc: Arend van Spriel <arend@broadcom.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      
      This fix has been discussed with Hauke Mehrtens [1] selection
      option 3) and is intended for v3.12.
      
      Ref:
      [1] http://mid.gmane.org/5239B12D.3040206@hauke-m.de
      
      Cc: <stable@vger.kernel.org> # 3.11.x
      Cc: Tod Jackson <tod.jackson@gmail.com>
      Cc: Joe Perches <joe@perches.com>
      Cc: Rafal Milecki <zajec5@gmail.com>
      Cc: Hauke Mehrtens <hauke@hauke-m.de>
      Reviewed-by: default avatarHante Meuleman <meuleman@broadcom.com>
      Signed-off-by: default avatarArend van Spriel <arend@broadcom.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      2bedea8f
    • Arend van Spriel's avatar
      brcmfmac: obtain platform data upon module initialization · db4efbbe
      Arend van Spriel authored
      The driver uses platform_driver_probe() to obtain platform data
      if any. However, that function is placed in the .init section so
      it must be called upon driver module initialization.
      
      The problem was reported by Fenguang Wu resulting in a kernel
      oops because the .init section was already freed.
      
      [   48.966342] Switched to clocksource tsc
      [   48.970002] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
      [   48.970851] BUG: unable to handle kernel paging request at ffffffff82196446
      [   48.970957] IP: [<ffffffff82196446>] classes_init+0x26/0x26
      [   48.970957] PGD 1e76067 PUD 1e77063 PMD f388063 PTE 8000000002196163
      [   48.970957] Oops: 0011 [#1]
      [   48.970957] CPU: 0 PID: 17 Comm: kworker/0:1 Not tainted 3.11.0-rc7-00444-gc52dd7f #23
      [   48.970957] Workqueue: events brcmf_driver_init
      [   48.970957] task: ffff8800001d2000 ti: ffff8800001d4000 task.ti: ffff8800001d4000
      [   48.970957] RIP: 0010:[<ffffffff82196446>]  [<ffffffff82196446>] classes_init+0x26/0x26
      [   48.970957] RSP: 0000:ffff8800001d5d40  EFLAGS: 00000286
      [   48.970957] RAX: 0000000000000001 RBX: ffffffff820c5620 RCX: 0000000000000000
      [   48.970957] RDX: 0000000000000001 RSI: ffffffff816f7380 RDI: ffffffff820c56c0
      [   48.970957] RBP: ffff8800001d5d50 R08: ffff8800001d2508 R09: 0000000000000002
      [   48.970957] R10: 0000000000000000 R11: 0001f7ce298c5620 R12: ffff8800001c76b0
      [   48.970957] R13: ffffffff81e91d40 R14: 0000000000000000 R15: ffff88000e0ce300
      [   48.970957] FS:  0000000000000000(0000) GS:ffffffff81e84000(0000) knlGS:0000000000000000
      [   48.970957] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [   48.970957] CR2: ffffffff82196446 CR3: 0000000001e75000 CR4: 00000000000006b0
      [   48.970957] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [   48.970957] DR3: 0000000000000000 DR6: 0000000000000000 DR7: 0000000000000000
      [   48.970957] Stack:
      [   48.970957]  ffffffff816f7df8 ffffffff820c5620 ffff8800001d5d60 ffffffff816eeec9
      [   48.970957]  ffff8800001d5de0 ffffffff81073dc5 ffffffff81073d68 ffff8800001d5db8
      [   48.970957]  0000000000000086 ffffffff820c5620 ffffffff824f7fd0 0000000000000000
      [   48.970957] Call Trace:
      [   48.970957]  [<ffffffff816f7df8>] ? brcmf_sdio_init+0x18/0x70
      [   48.970957]  [<ffffffff816eeec9>] brcmf_driver_init+0x9/0x10
      [   48.970957]  [<ffffffff81073dc5>] process_one_work+0x1d5/0x480
      [   48.970957]  [<ffffffff81073d68>] ? process_one_work+0x178/0x480
      [   48.970957]  [<ffffffff81074188>] worker_thread+0x118/0x3a0
      [   48.970957]  [<ffffffff81074070>] ? process_one_work+0x480/0x480
      [   48.970957]  [<ffffffff8107aa17>] kthread+0xe7/0xf0
      [   48.970957]  [<ffffffff810829f7>] ? finish_task_switch.constprop.57+0x37/0xd0
      [   48.970957]  [<ffffffff8107a930>] ? __kthread_parkme+0x80/0x80
      [   48.970957]  [<ffffffff81a6923a>] ret_from_fork+0x7a/0xb0
      [   48.970957]  [<ffffffff8107a930>] ? __kthread_parkme+0x80/0x80
      [   48.970957] Code: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
      cc cc cc cc cc cc <cc> cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
      [   48.970957] RIP  [<ffffffff82196446>] classes_init+0x26/0x26
      [   48.970957]  RSP <ffff8800001d5d40>
      [   48.970957] CR2: ffffffff82196446
      [   48.970957] ---[ end trace 62980817cd525f14 ]---
      
      Cc: <stable@vger.kernel.org> # 3.10.x, 3.11.x
      Reported-by: default avatarFengguang Wu <fengguang.wu@intel.com>
      Reviewed-by: default avatarHante Meuleman <meuleman@broadcom.com>
      Reviewed-by: default avatarPieter-Paul Giesberts <pieterpg@broadcom.com>
      Tested-by: default avatarFengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: default avatarArend van Spriel <arend@broadcom.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      db4efbbe
    • Bing Zhao's avatar
      mwifiex: fix NULL pointer dereference in usb suspend handler · 346ece0b
      Bing Zhao authored
      Bug 60815 - Interface hangs in mwifiex_usb
      https://bugzilla.kernel.org/show_bug.cgi?id=60815
      
      [ 2.883807] BUG: unable to handle kernel NULL pointer dereference
                  at 0000000000000048
      [ 2.883813] IP: [<ffffffff815a65e0>] pfifo_fast_enqueue+0x90/0x90
      
      [ 2.883834] CPU: 1 PID: 3220 Comm: kworker/u8:90 Not tainted
                  3.11.1-monotone-l0 #6
      [ 2.883834] Hardware name: Microsoft Corporation Surface with
                  Windows 8 Pro/Surface with Windows 8 Pro,
                  BIOS 1.03.0450 03/29/2013
      
      On Surface Pro, suspend to ram gives a NULL pointer dereference in
      pfifo_fast_enqueue(). The stack trace reveals that the offending
      call is clearing carrier in mwifiex_usb suspend handler.
      
      Since commit 1499d9fa "mwifiex: don't drop carrier flag over suspend"
      has removed the carrier flag handling over suspend/resume in SDIO
      and PCIe drivers, I'm removing it in USB driver too. This also fixes
      the bug for Surface Pro.
      
      Cc: <stable@vger.kernel.org> # 3.5+
      Tested-by: default avatarDmitry Khromov <icechrome@gmail.com>
      Signed-off-by: default avatarBing Zhao <bzhao@marvell.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      346ece0b
    • Amitkumar Karwar's avatar
      mwifiex: fix hang issue for USB chipsets · bd1c6142
      Amitkumar Karwar authored
      Bug 60815 - Interface hangs in mwifiex_usb
      https://bugzilla.kernel.org/show_bug.cgi?id=60815
      
      We have 4 bytes of interface header for packets delivered to SDIO
      and PCIe, but not for USB interface.
      
      In Tx AMSDU case, currently 4 bytes of garbage data is unnecessarily
      appended for USB packets. This sometimes leads to a firmware hang,
      because it may not interpret the data packet correctly.
      
      Problem is fixed by removing this redundant headroom for USB.
      
      Cc: <stable@vger.kernel.org> # 3.5+
      Tested-by: default avatarDmitry Khromov <icechrome@gmail.com>
      Signed-off-by: default avatarAmitkumar Karwar <akarwar@marvell.com>
      Signed-off-by: default avatarBing Zhao <bzhao@marvell.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      bd1c6142
    • Christian Lamparter's avatar
      p54usb: add USB ID for Corega WLUSB2GTST USB adapter · 1e43692c
      Christian Lamparter authored
      Added USB ID for Corega WLUSB2GTST USB adapter.
      
      Cc: <stable@vger.kernel.org>
      Reported-by: default avatarJoerg Kalisch <the_force@gmx.de>
      Signed-off-by: default avatarChristian Lamparter <chunkeey@googlemail.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      1e43692c
    • Solomon Peachy's avatar
      cw1200: Use a threaded oneshot irq handler for cw1200_spi · 87421cb6
      Solomon Peachy authored
      This supercedes the older patch ("cw1200: Don't perform SPI transfers in
      interrupt context") that badly attempted to fix this problem.
      
      This is a far simpler solution, which has the added benefit of
      actually working.
      Signed-off-by: default avatarSolomon Peachy <pizza@shaftnet.org>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      87421cb6
    • Solomon Peachy's avatar
      Revert "cw1200: Don't perform SPI transfers in interrupt context" · c4fb19d2
      Solomon Peachy authored
      This reverts commit aec8e88c.
      
      This solution turned out to cause interrupt delivery problems, and
      rather than trying to fix this approach, it has been scrapped in favor
      of an alternative (and far simpler) implementation.
      Signed-off-by: default avatarSolomon Peachy <pizza@shaftnet.org>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      c4fb19d2
    • Bing Zhao's avatar
      mwifiex: fix PCIe hs_cfg cancel cmd timeout · b7be1522
      Bing Zhao authored
      For pcie8897, the hs_cfg cancel command (0xe5) times out when host
      comes out of suspend. This is caused by an incompleted host sleep
      handshake between driver and firmware.
      
      Like SDIO interface, PCIe also needs to go through firmware power
      save events to complete the handshake for host sleep configuration.
      Only USB interface doesn't require power save events for hs_cfg.
      
      Cc: <stable@vger.kernel.org> # 3.10+
      Signed-off-by: default avatarBing Zhao <bzhao@marvell.com>
      Signed-off-by: default avatarAmitkumar Karwar <akarwar@marvell.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      b7be1522
    • Larry Finger's avatar
      rtlwifi: Align private space in rtl_priv struct · 60ce314d
      Larry Finger authored
      The private array at the end of the rtl_priv struct is not aligned.
      On ARM architecture, this causes an alignment trap and is fixed by aligning
      that array with __align(sizeof(void *)). That should properly align that
      space according to the requirements of all architectures.
      Reported-by: default avatarJason Andrews <jasona@cadence.com>
      Tested-by: default avatarJason Andrews <jasona@cadence.com>
      Signed-off-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Cc: Stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      60ce314d
    • Felix Fietkau's avatar
      ath9k: add txq locking for ath_tx_aggr_start · 919123d2
      Felix Fietkau authored
      Prevents race conditions when un-aggregated frames are pending in the
      driver.
      Signed-off-by: default avatarFelix Fietkau <nbd@openwrt.org>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      919123d2
    • Alexey Khoroshilov's avatar
      p54usb: fix leak at failure path in p54u_load_firmware() · e78641c1
      Alexey Khoroshilov authored
      If request_firmware_nowait() fails in p54u_load_firmware(),
      p54u_load_firmware_cb is not called and no one decrements usb_dev refcnt.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: default avatarAlexey Khoroshilov <khoroshilov@ispras.ru>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      e78641c1
    • Felix Fietkau's avatar
      ath9k: don't use BAW tracking on PS responses for non-AMPDU packets · 20e6e55a
      Felix Fietkau authored
      When .release_buffered_frames was implemented, only A-MPDU packets were
      buffered internally. Now that this has changed, the BUF_AMPDU flag needs
      to be checked before calling ath_tx_addto_baw
      Signed-off-by: default avatarFelix Fietkau <nbd@openwrt.org>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      20e6e55a
    • Sujith Manoharan's avatar
      ath9k: Fix regression in LNA diversity · d29a5fd8
      Sujith Manoharan authored
      The commit "ath9k: Optimize LNA check" tried
      to use the "rs_firstaggr" flag to optimize the LNA
      combining algorithm when processing subframes in
      an A-MPDU. This doesn't appear to work well in practice,
      so revert it and use the old method of relying on
      "rs_moreaggr".
      
      Cc: stable@vger.kernel.org # 3.11
      Signed-off-by: default avatarSujith Manoharan <c_manoha@qca.qualcomm.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      d29a5fd8
    • Felix Fietkau's avatar
      ath9k: do not link bf_next across multiple A-MPDUs · 440c1c87
      Felix Fietkau authored
      This might trip up tx completion processing, although the condition that
      triggers this should not (yet) occur in practice.
      Signed-off-by: default avatarFelix Fietkau <nbd@openwrt.org>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      440c1c87
    • Felix Fietkau's avatar
      ath9k: fix stale flag handling on buffer clone · 86c7d8d4
      Felix Fietkau authored
      Fixes a regression from commit
      "ath9k: shrink a few data structures by reordering fields"
      
      When cloning a buffer, the stale flag (part of bf_state now) needs to be
      reset after copying the state to prevent tx processing hangs.
      Signed-off-by: default avatarFelix Fietkau <nbd@openwrt.org>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      86c7d8d4
    • Chun-Yeow Yeoh's avatar
      mac80211: fix the setting of extended supported rate IE · cc63ec76
      Chun-Yeow Yeoh authored
      The patch "mac80211: select and adjust bitrates according to
      channel mode" causes regression and breaks the extended supported rate
      IE setting. Since "i" is starting with 8, so this is not necessary
      to introduce "skip" here.
      Signed-off-by: default avatarChun-Yeow Yeoh <yeohchunyeow@cozybit.com>
      Signed-off-by: default avatarColleen Twitty <colleen@cozybit.com>
      Reviewed-by: default avatarJason Abele <jason@cozybit.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      cc63ec76
    • Felix Fietkau's avatar
      mac80211: drop spoofed packets in ad-hoc mode · 6329b8d9
      Felix Fietkau authored
      If an Ad-Hoc node receives packets with the Cell ID or its own MAC
      address as source address, it hits a WARN_ON in sta_info_insert_check()
      With many packets, this can massively spam the logs. One way that this
      can easily happen is through having Cisco APs in the area with rouge AP
      detection and countermeasures enabled.
      Such Cisco APs will regularly send fake beacons, disassoc and deauth
      packets that trigger these warnings.
      
      To fix this issue, drop such spoofed packets early in the rx path.
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarThomas Huehn <thomas@net.t-labs.tu-berlin.de>
      Signed-off-by: default avatarFelix Fietkau <nbd@openwrt.org>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      6329b8d9
    • John W. Linville's avatar
    • Bruno Randolf's avatar
      cfg80211: fix warning when using WEXT for IBSS · f478f33a
      Bruno Randolf authored
      Fix kernel warning when using WEXT for configuring ad-hoc mode,
      e.g.  "iwconfig wlan0 essid test channel 1"
      
      WARNING: at net/wireless/chan.c:373 cfg80211_chandef_usable+0x50/0x21c [cfg80211]()
      
      The warning is caused by an uninitialized variable center_freq1.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarBruno Randolf <br1@einfach.org>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      f478f33a
    • Luciano Coelho's avatar
      cfg80211: use the correct macro to check for active monitor support · 18003297
      Luciano Coelho authored
      Use MONITOR_FLAG_ACTIVE, which is a flag mask, instead of
      NL80211_MNTR_FLAG_ACTIVE, which is a flag index, when checking if the
      hardware supports active monitoring.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarLuciano Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      18003297
  5. 23 Sep, 2013 1 commit
    • Ken O'Brien's avatar
      Bluetooth: btusb: Add support for Belkin F8065bf · 5bcecf32
      Ken O'Brien authored
      Add generic rule on encountering Belkin bluetooth usb device F8065bf.
      
      Relevant section from /sys/kernel/debug/usb/devices:
      
      T:  Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  2 Spd=12   MxCh= 0
      D:  Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=050d ProdID=065a Rev= 1.12
      S:  Manufacturer=Broadcom Corp
      S:  Product=BCM20702A0
      S:  SerialNumber=0002723E2D29
      C:* #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=100mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      Signed-off-by: default avatarKen O'Brien <kernel@kenobrien.org>
      Signed-off-by: default avatarGustavo Padovan <gustavo.padovan@collabora.co.uk>
      5bcecf32
  6. 20 Sep, 2013 1 commit
    • Gianluca Anzolin's avatar
      Bluetooth: don't release the port in rfcomm_dev_state_change() · 29cd718b
      Gianluca Anzolin authored
      When the dlc is closed, rfcomm_dev_state_change() tries to release the
      port in the case it cannot get a reference to the tty. However this is
      racy and not even needed.
      
      Infact as Peter Hurley points out:
      
      1. Only consider dlcs that are 'stolen' from a connected socket, ie.
         reused. Allocated dlcs cannot have been closed prior to port
         activate and so for these dlcs a tty reference will always be avail
         in rfcomm_dev_state_change() -- except for the conditions covered by
         #2b below.
      2. If a tty was at some point previously created for this rfcomm, then
         either
         (a) the tty reference is still avail, so rfcomm_dev_state_change()
             will perform a hangup. So nothing to do, or,
         (b) the tty reference is no longer avail, and the tty_port will be
             destroyed by the last tty_port_put() in rfcomm_tty_cleanup.
             Again, no action required.
      3. Prior to obtaining the dlc lock in rfcomm_dev_add(),
         rfcomm_dev_state_change() will not 'see' a rfcomm_dev so nothing to
         do here.
      4. After releasing the dlc lock in rfcomm_dev_add(),
         rfcomm_dev_state_change() will 'see' an incomplete rfcomm_dev if a
         tty reference could not be obtained. Again, the best thing to do here
         is nothing. Any future attempted open() will block on
         rfcomm_dev_carrier_raised(). The unconnected device will exist until
         released by ioctl(RFCOMMRELEASEDEV).
      
      The patch removes the aforementioned code and uses the
      tty_port_tty_hangup() helper to hangup the tty.
      Signed-off-by: default avatarGianluca Anzolin <gianluca@sottospazio.it>
      Reviewed-by: default avatarPeter Hurley <peter@hurleysoftware.com>
      Signed-off-by: default avatarGustavo Padovan <gustavo.padovan@collabora.co.uk>
      29cd718b
  7. 19 Sep, 2013 5 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · b75ff5e8
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) If the local_df boolean is set on an SKB we have to allocate a
          unique ID even if IP_DF is set in the ipv4 headers, from Ansis
          Atteka.
      
       2) Some fixups for the new chipset support that went into the sfc
          driver, from Ben Hutchings.
      
       3) Because SCTP bypasses a good chunk of, and actually duplicates, the
          logic of the ipv6 output path, some IPSEC things don't get done
          properly.  Integrate SCTP better into the ipv6 output path so that
          these problems are fixed and such issues don't get missed in the
          future either.  From Daniel Borkmann.
      
       4) Fix skge regressions added by the DMA mapping error return checking
          added in v3.10, from Mikulas Patocka.
      
       5) Kill some more IRQF_DISABLED references, from Michael Opdenacker.
      
       6) Fix races and deadlocks in the bridging code, from Hong Zhiguo.
      
       7) Fix error handling in tun_set_iff(), in particular don't leak
          resources.  From Jason Wang.
      
       8) Prevent format-string injection into xen-netback driver, from Kees
          Cook.
      
       9) Fix regression added to netpoll ARP packet handling, in particular
          check for the right ETH_P_ARP protocol code.  From Sonic Zhang.
      
      10) Try to deal with AMD IOMMU errors when using r8169 chips, from
          Francois Romieu.
      
      11) Cure freezes due to recent changes in the rt2x00 wireless driver,
          from Stanislaw Gruszka.
      
      12) Don't do SPI transfers (which can sleep) in interrupt context in
          cw1200 driver, from Solomon Peachy.
      
      13) Fix LEDs handling bug in 5720 tg3 chips already handled for 5719.
          From Nithin Sujir.
      
      14) Make xen_netbk_count_skb_slots() count the actual number of slots
          that will be used, taking into consideration packing and other
          issues that the transmit path will run into.  From David Vrabel.
      
      15) Use the correct maximum age when calculating the bridge
          message_age_timer, from Chris Healy.
      
      16) Get rid of memory leaks in mcs7780 IRDA driver, from Alexey
          Khoroshilov.
      
      17) Netfilter conntrack extensions were converted to RCU but are not
          always freed properly using kfree_rcu().  Fix from Michal Kubecek.
      
      18) VF reset recovery not being done correctly in qlcnic driver, from
          Manish Chopra.
      
      19) Fix inverted test in ATM nicstar driver, from Andy Shevchenko.
      
      20) Missing workqueue destroy in cxgb4 error handling, from Wei Yang.
      
      21) Internal switch not initialized properly in bgmac driver, from Rafał
          Miłecki.
      
      22) Netlink messages report wrong local and remote addresses in IPv6
          tunneling, from Ding Zhi.
      
      23) ICMP redirects should not generate socket errors in DCCP and SCTP.
          We're still working out how this should be handled for RAW and UDP
          sockets.  From Daniel Borkmann and Duan Jiong.
      
      24) We've had several bugs wherein the network namespace's loopback
          device gets accessed after it is free'd, NULL it out so that we can
          catch these problems more readily.  From Eric W Biederman.
      
      25) Fix regression in TCP RTO calculations, from Neal Cardwell.
      
      26) Fix too early free of xen-netback network device when VIFs still
          exist.  From Paul Durrant.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (87 commits)
        netconsole: fix a deadlock with rtnl and netconsole's mutex
        netpoll: fix NULL pointer dereference in netpoll_cleanup
        skge: fix broken driver
        ip: generate unique IP identificator if local fragmentation is allowed
        ip: use ip_hdr() in __ip_make_skb() to retrieve IP header
        xen-netback: Don't destroy the netdev until the vif is shut down
        net:dccp: do not report ICMP redirects to user space
        cnic: Fix crash in cnic_bnx2x_service_kcq()
        bnx2x, cnic, bnx2i, bnx2fc: Fix bnx2i and bnx2fc regressions.
        vxlan: Avoid creating fdb entry with NULL destination
        tcp: fix RTO calculated from cached RTT
        drivers: net: phy: cicada.c: clears warning Use #include <linux/io.h> instead of <asm/io.h>
        net loopback: Set loopback_dev to NULL when freed
        batman-adv: set the TAG flag for the vid passed to BLA
        netfilter: nfnetlink_queue: use network skb for sequence adjustment
        net: sctp: rfc4443: do not report ICMP redirects to user space
        net: usb: cdc_ether: use usb.h macros whenever possible
        net: usb: cdc_ether: fix checkpatch errors and warnings
        net: usb: cdc_ether: Use wwan interface for Telit modules
        ip6_tunnels: raddr and laddr are inverted in nl msg
        ...
      b75ff5e8
    • Nikolay Aleksandrov's avatar
      netconsole: fix a deadlock with rtnl and netconsole's mutex · c71380ff
      Nikolay Aleksandrov authored
      This bug was introduced by commit
      7a163bfb ("netconsole: avoid a crash with
      multiple sysfs writers"). In store_enabled() we have the following
      sequence: acquire nt->mutex then rtnl, but in the netconsole netdev
      notifier we have rtnl then nt->mutex effectively leading to a deadlock.
      The NULL pointer dereference that the above commit tries to fix is
      actually due to another bug in netpoll_cleanup(). This is fixed by dropping
      the mutex from the netdev notifier as it's already protected by rtnl.
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c71380ff
    • Nikolay Aleksandrov's avatar
      netpoll: fix NULL pointer dereference in netpoll_cleanup · d0fe8c88
      Nikolay Aleksandrov authored
      I've been hitting a NULL ptr deref while using netconsole because the
      np->dev check and the pointer manipulation in netpoll_cleanup are done
      without rtnl and the following sequence happens when having a netconsole
      over a vlan and we remove the vlan while disabling the netconsole:
      	CPU 1					CPU2
      					removes vlan and calls the notifier
      enters store_enabled(), calls
      netdev_cleanup which checks np->dev
      and then waits for rtnl
      					executes the netconsole netdev
      					release notifier making np->dev
      					== NULL and releases rtnl
      continues to dereference a member of
      np->dev which at this point is == NULL
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d0fe8c88
    • Mikulas Patocka's avatar
      skge: fix broken driver · c194992c
      Mikulas Patocka authored
      The patch 136d8f37 broke the skge driver.
      Note this part of the patch:
      +               if (skge_rx_setup(skge, e, nskb, skge->rx_buf_size) < 0) {
      +                       dev_kfree_skb(nskb);
      +                       goto resubmit;
      +               }
      +
                      pci_unmap_single(skge->hw->pdev,
                                       dma_unmap_addr(e, mapaddr),
                                       dma_unmap_len(e, maplen),
                                       PCI_DMA_FROMDEVICE);
                      skb = e->skb;
                      prefetch(skb->data);
      -               skge_rx_setup(skge, e, nskb, skge->rx_buf_size);
      
      The function skge_rx_setup modifies e->skb to point to the new skb. Thus,
      after this change, the new buffer, not the old, is returned to the
      networking stack.
      
      This bug is present in kernels 3.11, 3.11.1 and 3.12-rc1. The patch should
      be queued for 3.11-stable.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Reported-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Reported-by: default avatarVasiliy Glazov <vascom2@gmail.com>
      Tested-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c194992c
    • Ansis Atteka's avatar
      ip: generate unique IP identificator if local fragmentation is allowed · 703133de
      Ansis Atteka authored
      If local fragmentation is allowed, then ip_select_ident() and
      ip_select_ident_more() need to generate unique IDs to ensure
      correct defragmentation on the peer.
      
      For example, if IPsec (tunnel mode) has to encrypt large skbs
      that have local_df bit set, then all IP fragments that belonged
      to different ESP datagrams would have used the same identificator.
      If one of these IP fragments would get lost or reordered, then
      peer could possibly stitch together wrong IP fragments that did
      not belong to the same datagram. This would lead to a packet loss
      or data corruption.
      Signed-off-by: default avatarAnsis Atteka <aatteka@nicira.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      703133de