From b25e77fdfa9510a7d47b35ecddc16f5ea583ca4e Mon Sep 17 00:00:00 2001 From: Fariya Fatima Date: Wed, 2 Apr 2014 09:29:50 +0530 Subject: rsi: Potential null pointer derefernce issue fixed. Signed-off-by: Fariya Fatima Signed-off-by: John W. Linville --- drivers/net/wireless/rsi/rsi_91x_debugfs.c | 35 ++++++++++++++---------------- 1 file changed, 16 insertions(+), 19 deletions(-) (limited to 'drivers') diff --git a/drivers/net/wireless/rsi/rsi_91x_debugfs.c b/drivers/net/wireless/rsi/rsi_91x_debugfs.c index 7e4ef4554411..c466246a323f 100644 --- a/drivers/net/wireless/rsi/rsi_91x_debugfs.c +++ b/drivers/net/wireless/rsi/rsi_91x_debugfs.c @@ -289,32 +289,29 @@ int rsi_init_dbgfs(struct rsi_hw *adapter) const struct rsi_dbg_files *files; dev_dbgfs = kzalloc(sizeof(*dev_dbgfs), GFP_KERNEL); + if (!dev_dbgfs) + return -ENOMEM; + adapter->dfsentry = dev_dbgfs; snprintf(devdir, sizeof(devdir), "%s", wiphy_name(adapter->hw->wiphy)); - dev_dbgfs->subdir = debugfs_create_dir(devdir, NULL); - if (IS_ERR(dev_dbgfs->subdir)) { - if (dev_dbgfs->subdir == ERR_PTR(-ENODEV)) - rsi_dbg(ERR_ZONE, - "%s:Debugfs has not been mounted\n", __func__); - else - rsi_dbg(ERR_ZONE, "debugfs:%s not created\n", devdir); + dev_dbgfs->subdir = debugfs_create_dir(devdir, NULL); - adapter->dfsentry = NULL; + if (!dev_dbgfs->subdir) { kfree(dev_dbgfs); - return (int)PTR_ERR(dev_dbgfs->subdir); - } else { - for (ii = 0; ii < adapter->num_debugfs_entries; ii++) { - files = &dev_debugfs_files[ii]; - dev_dbgfs->rsi_files[ii] = - debugfs_create_file(files->name, - files->perms, - dev_dbgfs->subdir, - common, - &files->fops); - } + return -ENOMEM; + } + + for (ii = 0; ii < adapter->num_debugfs_entries; ii++) { + files = &dev_debugfs_files[ii]; + dev_dbgfs->rsi_files[ii] = + debugfs_create_file(files->name, + files->perms, + dev_dbgfs->subdir, + common, + &files->fops); } return 0; } -- cgit v1.2.3 From bff37af7f25919f1af3e8dac5a9263c63b533e74 Mon Sep 17 00:00:00 2001 From: Fariya Fatima Date: Wed, 2 Apr 2014 09:29:51 +0530 Subject: rsi: Fixed signedness bug reported by static code analyzer. Signed-off-by: Fariya Fatima Signed-off-by: John W. Linville --- drivers/net/wireless/rsi/rsi_91x_mgmt.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'drivers') diff --git a/drivers/net/wireless/rsi/rsi_91x_mgmt.c b/drivers/net/wireless/rsi/rsi_91x_mgmt.c index 2361a6849ad7..73694295648f 100644 --- a/drivers/net/wireless/rsi/rsi_91x_mgmt.c +++ b/drivers/net/wireless/rsi/rsi_91x_mgmt.c @@ -738,7 +738,7 @@ int rsi_hal_load_key(struct rsi_common *common, * * Return: 0 on success, corresponding error code on failure. */ -static u8 rsi_load_bootup_params(struct rsi_common *common) +static int rsi_load_bootup_params(struct rsi_common *common) { struct sk_buff *skb; struct rsi_boot_params *boot_params; @@ -1272,6 +1272,7 @@ int rsi_mgmt_pkt_recv(struct rsi_common *common, u8 *msg) { s32 msg_len = (le16_to_cpu(*(__le16 *)&msg[0]) & 0x0fff); u16 msg_type = (msg[2]); + int ret; rsi_dbg(FSM_ZONE, "%s: Msg Len: %d, Msg Type: %4x\n", __func__, msg_len, msg_type); @@ -1284,8 +1285,9 @@ int rsi_mgmt_pkt_recv(struct rsi_common *common, u8 *msg) if (common->fsm_state == FSM_CARD_NOT_READY) { rsi_set_default_parameters(common); - if (rsi_load_bootup_params(common)) - return -ENOMEM; + ret = rsi_load_bootup_params(common); + if (ret) + return ret; else common->fsm_state = FSM_BOOT_PARAMS_SENT; } else { -- cgit v1.2.3 From 57a2a093b42a2addeb18a22a5eab02579f4dc1d2 Mon Sep 17 00:00:00 2001 From: Fariya Fatima Date: Wed, 2 Apr 2014 09:29:52 +0530 Subject: rsi: Fixed issue relating to variable de-referenced before check 'adapter' Signed-off-by: Fariya Fatima Signed-off-by: John W. Linville --- drivers/net/wireless/rsi/rsi_91x_sdio.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'drivers') diff --git a/drivers/net/wireless/rsi/rsi_91x_sdio.c b/drivers/net/wireless/rsi/rsi_91x_sdio.c index 852453f386e2..2e39d38d6a9e 100644 --- a/drivers/net/wireless/rsi/rsi_91x_sdio.c +++ b/drivers/net/wireless/rsi/rsi_91x_sdio.c @@ -756,12 +756,13 @@ fail: static void rsi_disconnect(struct sdio_func *pfunction) { struct rsi_hw *adapter = sdio_get_drvdata(pfunction); - struct rsi_91x_sdiodev *dev = - (struct rsi_91x_sdiodev *)adapter->rsi_dev; + struct rsi_91x_sdiodev *dev; if (!adapter) return; + dev = (struct rsi_91x_sdiodev *)adapter->rsi_dev; + dev->write_fail = 2; rsi_mac80211_detach(adapter); -- cgit v1.2.3 From d50c761aefbd6785fd46ce4f7f387cf2aa749a2a Mon Sep 17 00:00:00 2001 From: Fariya Fatima Date: Wed, 2 Apr 2014 09:29:53 +0530 Subject: rsi: Fixed issue relating to return value. Signed-off-by: Fariya Fatima Signed-off-by: John W. Linville --- drivers/net/wireless/rsi/rsi_91x_sdio_ops.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) (limited to 'drivers') diff --git a/drivers/net/wireless/rsi/rsi_91x_sdio_ops.c b/drivers/net/wireless/rsi/rsi_91x_sdio_ops.c index f1cb99cafed8..20d11ccfffe3 100644 --- a/drivers/net/wireless/rsi/rsi_91x_sdio_ops.c +++ b/drivers/net/wireless/rsi/rsi_91x_sdio_ops.c @@ -247,7 +247,7 @@ static int rsi_process_pkt(struct rsi_common *common) if (!common->rx_data_pkt) { rsi_dbg(ERR_ZONE, "%s: Failed in memory allocation\n", __func__); - return -1; + return -ENOMEM; } status = rsi_sdio_host_intf_read_pkt(adapter, @@ -260,12 +260,10 @@ static int rsi_process_pkt(struct rsi_common *common) } status = rsi_read_pkt(common, rcv_pkt_len); - kfree(common->rx_data_pkt); - return status; fail: kfree(common->rx_data_pkt); - return -1; + return status; } /** -- cgit v1.2.3 From 5156fd24e9aec406ae14f02fc1779e234553fbd3 Mon Sep 17 00:00:00 2001 From: Fariya Fatima Date: Wed, 2 Apr 2014 09:29:54 +0530 Subject: rsi: Fixed issue relating to index of q_num. Signed-off-by: Fariya Fatima Signed-off-by: John W. Linville --- drivers/net/wireless/rsi/rsi_91x_core.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'drivers') diff --git a/drivers/net/wireless/rsi/rsi_91x_core.c b/drivers/net/wireless/rsi/rsi_91x_core.c index e89535e86caf..1a8d32138593 100644 --- a/drivers/net/wireless/rsi/rsi_91x_core.c +++ b/drivers/net/wireless/rsi/rsi_91x_core.c @@ -102,10 +102,10 @@ static u8 rsi_core_determine_hal_queue(struct rsi_common *common) } get_queue_num: - q_num = 0; recontend_queue = false; q_num = rsi_determine_min_weight_queue(common); + q_len = skb_queue_len(&common->tx_queue[ii]); ii = q_num; @@ -118,7 +118,9 @@ get_queue_num: } } - common->tx_qinfo[q_num].pkt_contended = 0; + if (q_num < NUM_EDCA_QUEUES) + common->tx_qinfo[q_num].pkt_contended = 0; + /* Adjust the back off values for all queues again */ recontend_queue = rsi_recalculate_weights(common); -- cgit v1.2.3 From d453ba81cd2981d0040dad0def161f91f209ddf9 Mon Sep 17 00:00:00 2001 From: Fariya Fatima Date: Wed, 2 Apr 2014 09:29:55 +0530 Subject: rsi: Fixed issue relating to doing dma on stack error. Signed-off-by: Fariya Fatima Signed-off-by: John W. Linville --- drivers/net/wireless/rsi/rsi_91x_usb.c | 26 +++++++++++++++++++------- 1 file changed, 19 insertions(+), 7 deletions(-) (limited to 'drivers') diff --git a/drivers/net/wireless/rsi/rsi_91x_usb.c b/drivers/net/wireless/rsi/rsi_91x_usb.c index bb1bf96670eb..4c46e5631e2f 100644 --- a/drivers/net/wireless/rsi/rsi_91x_usb.c +++ b/drivers/net/wireless/rsi/rsi_91x_usb.c @@ -154,24 +154,30 @@ static int rsi_usb_reg_read(struct usb_device *usbdev, u16 *value, u16 len) { - u8 temp_buf[4]; - int status = 0; + u8 *buf; + int status = -ENOMEM; + + buf = kmalloc(0x04, GFP_KERNEL); + if (!buf) + return status; status = usb_control_msg(usbdev, usb_rcvctrlpipe(usbdev, 0), USB_VENDOR_REGISTER_READ, USB_TYPE_VENDOR, ((reg & 0xffff0000) >> 16), (reg & 0xffff), - (void *)temp_buf, + (void *)buf, len, HZ * 5); - *value = (temp_buf[0] | (temp_buf[1] << 8)); + *value = (buf[0] | (buf[1] << 8)); if (status < 0) { rsi_dbg(ERR_ZONE, "%s: Reg read failed with error code :%d\n", __func__, status); } + kfree(buf); + return status; } @@ -190,8 +196,12 @@ static int rsi_usb_reg_write(struct usb_device *usbdev, u16 value, u16 len) { - u8 usb_reg_buf[4]; - int status = 0; + u8 *usb_reg_buf; + int status = -ENOMEM; + + usb_reg_buf = kmalloc(0x04, GFP_KERNEL); + if (!usb_reg_buf) + return status; usb_reg_buf[0] = (value & 0x00ff); usb_reg_buf[1] = (value & 0xff00) >> 8; @@ -212,6 +222,8 @@ static int rsi_usb_reg_write(struct usb_device *usbdev, "%s: Reg write failed with error code :%d\n", __func__, status); } + kfree(usb_reg_buf); + return status; } @@ -286,7 +298,7 @@ int rsi_usb_write_register_multiple(struct rsi_hw *adapter, return -ENOMEM; while (count) { - transfer = min_t(int, count, 4096); + transfer = (u8)(min_t(u32, count, 4096)); memcpy(buf, data, transfer); status = usb_control_msg(dev->usbdev, usb_sndctrlpipe(dev->usbdev, 0), -- cgit v1.2.3 From cdacdcc246827fe0aec9cbd4461edf073b4de7d5 Mon Sep 17 00:00:00 2001 From: Chun-Yeow Yeoh Date: Wed, 2 Apr 2014 12:03:18 +0800 Subject: ath9k_htc: set IEEE80211_TX_STAT_AMPDU for acked aggregated frames Frame aggregation requires the IEEE80211_TX_STAT_AMPDU to be set so that mac80211 can report the last_tx_rate correctly. Signed-off-by: Chun-Yeow Yeoh Signed-off-by: John W. Linville --- drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'drivers') diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c index e8149e3dbdd5..289f3d8924b5 100644 --- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c @@ -471,8 +471,11 @@ static void ath9k_htc_tx_process(struct ath9k_htc_priv *priv, if (!txok || !vif || !txs) goto send_mac80211; - if (txs->ts_flags & ATH9K_HTC_TXSTAT_ACK) + if (txs->ts_flags & ATH9K_HTC_TXSTAT_ACK) { tx_info->flags |= IEEE80211_TX_STAT_ACK; + if (tx_info->flags & IEEE80211_TX_CTL_AMPDU) + tx_info->flags |= IEEE80211_TX_STAT_AMPDU; + } if (txs->ts_flags & ATH9K_HTC_TXSTAT_FILT) tx_info->flags |= IEEE80211_TX_STAT_TX_FILTERED; -- cgit v1.2.3 From 5212f518ac0f5141d4da3c9c75666a2146c7e772 Mon Sep 17 00:00:00 2001 From: Paul Bolle Date: Thu, 3 Apr 2014 10:12:51 +0200 Subject: rtlwifi: btcoexist: remove undefined Kconfig macros There are references to four undefined Kconfig macros in the code. Commit 8542373dccd2 ("Staging: rtl8812ae: remove undefined Kconfig macros") removed identical references from that staging driver, but they resurfaced in rtlwifi. Remove these again as the checks for them still will always evaluate to false. Signed-off-by: Paul Bolle Signed-off-by: John W. Linville --- drivers/net/wireless/rtlwifi/btcoexist/halbtcoutsrc.c | 10 ---------- 1 file changed, 10 deletions(-) (limited to 'drivers') diff --git a/drivers/net/wireless/rtlwifi/btcoexist/halbtcoutsrc.c b/drivers/net/wireless/rtlwifi/btcoexist/halbtcoutsrc.c index b6722de64a31..33da3dfcfa4f 100644 --- a/drivers/net/wireless/rtlwifi/btcoexist/halbtcoutsrc.c +++ b/drivers/net/wireless/rtlwifi/btcoexist/halbtcoutsrc.c @@ -625,17 +625,7 @@ bool exhalbtc_initlize_variables(struct rtl_priv *adapter) else btcoexist->binded = true; -#if (defined(CONFIG_PCI_HCI)) - btcoexist->chip_interface = BTC_INTF_PCI; -#elif (defined(CONFIG_USB_HCI)) - btcoexist->chip_interface = BTC_INTF_USB; -#elif (defined(CONFIG_SDIO_HCI)) - btcoexist->chip_interface = BTC_INTF_SDIO; -#elif (defined(CONFIG_GSPI_HCI)) - btcoexist->chip_interface = BTC_INTF_GSPI; -#else btcoexist->chip_interface = BTC_INTF_UNKNOWN; -#endif if (NULL == btcoexist->adapter) btcoexist->adapter = adapter; -- cgit v1.2.3 From 12cd43c6ed6da7bf7c5afbd74da6959cda6d056b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= Date: Sat, 5 Apr 2014 18:08:25 +0200 Subject: b43: Fix machine check error due to improper access of B43_MMIO_PSM_PHY_HDR MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Register B43_MMIO_PSM_PHY_HDR is 16 bit one, so accessing it with 32b functions isn't safe. On my machine it causes delayed (!) CPU exception: Disabling lock debugging due to kernel taint mce: [Hardware Error]: CPU 0: Machine Check Exception: 4 Bank 4: b200000000070f0f mce: [Hardware Error]: TSC 164083803dc mce: [Hardware Error]: PROCESSOR 2:20fc2 TIME 1396650505 SOCKET 0 APIC 0 microcode 0 mce: [Hardware Error]: Run the above through 'mcelog --ascii' mce: [Hardware Error]: Machine check: Processor context corrupt Kernel panic - not syncing: Fatal machine check on current CPU Kernel Offset: 0x0 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffff9fffffff) Signed-off-by: Rafał Miłecki Acked-by: Larry Finger Cc: Stable [2.6.35+] Signed-off-by: John W. Linville --- drivers/net/wireless/b43/phy_n.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) (limited to 'drivers') diff --git a/drivers/net/wireless/b43/phy_n.c b/drivers/net/wireless/b43/phy_n.c index 05ee7f10cc8f..24ccbe96e0c8 100644 --- a/drivers/net/wireless/b43/phy_n.c +++ b/drivers/net/wireless/b43/phy_n.c @@ -5176,22 +5176,22 @@ static void b43_nphy_channel_setup(struct b43_wldev *dev, int ch = new_channel->hw_value; u16 old_band_5ghz; - u32 tmp32; + u16 tmp16; old_band_5ghz = b43_phy_read(dev, B43_NPHY_BANDCTL) & B43_NPHY_BANDCTL_5GHZ; if (new_channel->band == IEEE80211_BAND_5GHZ && !old_band_5ghz) { - tmp32 = b43_read32(dev, B43_MMIO_PSM_PHY_HDR); - b43_write32(dev, B43_MMIO_PSM_PHY_HDR, tmp32 | 4); + tmp16 = b43_read16(dev, B43_MMIO_PSM_PHY_HDR); + b43_write16(dev, B43_MMIO_PSM_PHY_HDR, tmp16 | 4); b43_phy_set(dev, B43_PHY_B_BBCFG, 0xC000); - b43_write32(dev, B43_MMIO_PSM_PHY_HDR, tmp32); + b43_write16(dev, B43_MMIO_PSM_PHY_HDR, tmp16); b43_phy_set(dev, B43_NPHY_BANDCTL, B43_NPHY_BANDCTL_5GHZ); } else if (new_channel->band == IEEE80211_BAND_2GHZ && old_band_5ghz) { b43_phy_mask(dev, B43_NPHY_BANDCTL, ~B43_NPHY_BANDCTL_5GHZ); - tmp32 = b43_read32(dev, B43_MMIO_PSM_PHY_HDR); - b43_write32(dev, B43_MMIO_PSM_PHY_HDR, tmp32 | 4); + tmp16 = b43_read16(dev, B43_MMIO_PSM_PHY_HDR); + b43_write16(dev, B43_MMIO_PSM_PHY_HDR, tmp16 | 4); b43_phy_mask(dev, B43_PHY_B_BBCFG, 0x3FFF); - b43_write32(dev, B43_MMIO_PSM_PHY_HDR, tmp32); + b43_write16(dev, B43_MMIO_PSM_PHY_HDR, tmp16); } b43_chantab_phy_upload(dev, e); -- cgit v1.2.3 From 4d76248013dbb1948429555208900a585b0f351d Mon Sep 17 00:00:00 2001 From: Janusz Dziedzic Date: Tue, 8 Apr 2014 13:38:43 +0200 Subject: ath9k: Enable DFS only when ATH9K_DFS_CERTIFIED Add DFS interface combination only when CONFIG_ATH9K_DFS_CERTIFIED is set. In other case user can run CAC/beaconing without proper handling of pulse events (without radar detection activated). Reported-by: Cedric Voncken Signed-off-by: Janusz Dziedzic Signed-off-by: John W. Linville --- drivers/net/wireless/ath/ath9k/init.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'drivers') diff --git a/drivers/net/wireless/ath/ath9k/init.c b/drivers/net/wireless/ath/ath9k/init.c index c0a4e866edca..cbbb02a6b13b 100644 --- a/drivers/net/wireless/ath/ath9k/init.c +++ b/drivers/net/wireless/ath/ath9k/init.c @@ -670,6 +670,7 @@ static const struct ieee80211_iface_combination if_comb[] = { .num_different_channels = 1, .beacon_int_infra_match = true, }, +#ifdef CONFIG_ATH9K_DFS_CERTIFIED { .limits = if_dfs_limits, .n_limits = ARRAY_SIZE(if_dfs_limits), @@ -679,6 +680,7 @@ static const struct ieee80211_iface_combination if_comb[] = { .radar_detect_widths = BIT(NL80211_CHAN_WIDTH_20_NOHT) | BIT(NL80211_CHAN_WIDTH_20), } +#endif }; static void ath9k_set_hw_capab(struct ath_softc *sc, struct ieee80211_hw *hw) -- cgit v1.2.3 From 09efc56345be4146ab9fc87a55c837ed5d6ea1ab Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Tue, 8 Apr 2014 23:44:25 +0200 Subject: ath9k_hw: reduce ANI firstep range for older chips Use 0-8 instead of 0-16, which is closer to the old implementation. Also drop the overwrite of the firstep_low parameter to improve stability. Signed-off-by: Felix Fietkau Signed-off-by: John W. Linville --- drivers/net/wireless/ath/ath9k/ar5008_phy.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'drivers') diff --git a/drivers/net/wireless/ath/ath9k/ar5008_phy.c b/drivers/net/wireless/ath/ath9k/ar5008_phy.c index 3b3e91057a4c..00fb8badbacc 100644 --- a/drivers/net/wireless/ath/ath9k/ar5008_phy.c +++ b/drivers/net/wireless/ath/ath9k/ar5008_phy.c @@ -1004,11 +1004,9 @@ static bool ar5008_hw_ani_control_new(struct ath_hw *ah, case ATH9K_ANI_FIRSTEP_LEVEL:{ u32 level = param; - value = level * 2; + value = level; REG_RMW_FIELD(ah, AR_PHY_FIND_SIG, AR_PHY_FIND_SIG_FIRSTEP, value); - REG_RMW_FIELD(ah, AR_PHY_FIND_SIG_LOW, - AR_PHY_FIND_SIG_FIRSTEP_LOW, value); if (level != aniState->firstepLevel) { ath_dbg(common, ANI, -- cgit v1.2.3 From 5869e795e07ded955744ab99765d0f183f825f97 Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Tue, 8 Apr 2014 23:44:26 +0200 Subject: ath9k: fix a scheduling while atomic bug in CSA handling Commit "ath9k: prepare for multi-interface CSA support" added a call to ieee80211_iterate_active_interfaces in atomic context (beacon tasklet), which is crashing. Use ieee80211_iterate_active_interfaces_atomic instead. Signed-off-by: Felix Fietkau Signed-off-by: John W. Linville --- drivers/net/wireless/ath/ath9k/beacon.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) (limited to 'drivers') diff --git a/drivers/net/wireless/ath/ath9k/beacon.c b/drivers/net/wireless/ath/ath9k/beacon.c index 471e0f624e81..bd9e634879e6 100644 --- a/drivers/net/wireless/ath/ath9k/beacon.c +++ b/drivers/net/wireless/ath/ath9k/beacon.c @@ -312,10 +312,9 @@ static void ath9k_csa_update_vif(void *data, u8 *mac, struct ieee80211_vif *vif) void ath9k_csa_update(struct ath_softc *sc) { - ieee80211_iterate_active_interfaces(sc->hw, - IEEE80211_IFACE_ITER_NORMAL, - ath9k_csa_update_vif, - sc); + ieee80211_iterate_active_interfaces_atomic(sc->hw, + IEEE80211_IFACE_ITER_NORMAL, + ath9k_csa_update_vif, sc); } void ath9k_beacon_tasklet(unsigned long data) -- cgit v1.2.3