rt2x00: Properly reserve room for descriptors in skbs.
Instead of fiddling with the skb->data pointer and thereby risking
out of bounds accesses, properly reserve the space needed in an
skb for descriptors.
Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com> Acked-by: Ivo van Doorn <IvDoorn@gmail.com> Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>
rt2x00: Reverse calling order of bus write_tx_desc and driver write_tx_desc.
For rt2800 reverse the calling order of rt2x00pci_write_data and
rt2800pci_write_data. Currently rt2800pci_write_data calls rt2x00pci_write_data
as there can be only 1 driver callback function specified by the driver.
Reverse this calling order by introducing a new driver callback function,
called write_tx_datadesc, which is called from the bus-specific write_tx_data
functions.
Preparation for further cleanups in the skb data handling of rt2x00.
Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com> Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>
rt2x00: Push beacon TX descriptor writing to drivers.
Not all the devices require a TX descriptor to be written (i.e. rt2800
devices don't require them). Push down the creation of the TX descriptor
to the device drivers so that they can decide for themselves whether
a TX descriptor is to be created.
Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com> Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>
Juuso Oikarinen [Mon, 24 May 2010 08:18:20 +0000 (11:18 +0300)]
wl1271: Fix scan parameter handling for 5GHz
The 5GHz bands were scanned without the proper IE's in place, preventing
proper 5GHz scanning. This patch fixes the problem by storing a pointer
to the scan request (with the IE's) for all iterations of scan.
Signed-off-by: Juuso Oikarinen <juuso.oikarinen@nokia.com> Reviewed-by: Luciano Coelho <luciano.coelho@nokia.com> Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Juuso Oikarinen [Mon, 24 May 2010 08:18:17 +0000 (11:18 +0300)]
wl1271: Flush TX buffers to air before going to idle
The mac80211 changes to idle almost immediately after transmitting some
frames, such as deauth etc. When going to idle, the wl1271 is disconnected,
which causes TX frames already on buffers, but not yet transmitted, to be
deleted.
To make sure deauth frames reach the air, allow the TX buffers to flush
before proceeding to idle.
Signed-off-by: Juuso Oikarinen <juuso.oikarinen@nokia.com> Reviewed-by: Teemu Paasikivi <ext-teemu.3.paasikivi@nokia.com> Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Juuso Oikarinen [Mon, 24 May 2010 08:18:15 +0000 (11:18 +0300)]
wl1271: Prevent dropping of TX frames in joins
The wl1271 uses a session counter in CMD_JOIN and TX frame descriptors. This
counter is used to determine which frames to drop when the CMD_JOIN is
executed.
The driver executes CMD_JOIN multiple times upon association and sometimes
disassociation, and we don't want any frames to get lost.
Fix this by incrementing the session counter only when leaving idle (not every
CMD_JOIN as before.) Also, remove the TX flush flag from the CMD_JOIN options.
Signed-off-by: Juuso Oikarinen <juuso.oikarinen@nokia.com> Reviewed-by: Teemu Paasikivi <ext-teemu.3.paasikivi@nokia.com> Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Dan Carpenter [Sat, 22 May 2010 20:33:11 +0000 (22:33 +0200)]
ath9k: cleanup: remove unneeded null check
We dereference "wmi" on the line before and also when we initialize "ah".
This check has always been after a dereference since the first commit a
couple months ago. Looking through the code, it looks like "wmi" can't
actually be null here so I just removed the check.
Signed-off-by: Dan Carpenter <error27@gmail.com> Acked-by: Sujith <Sujith.Manoharan@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
ath9k_rx_skb_preprocess() needs only ieee80211 frame header,
pass only frame headers instead of skb to that function. Also
remove ineffective frame dump in ath9k_process_rate().
Signed-off-by: Vasanthakumar Thiagarajan <vasanth@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Johannes Berg [Wed, 19 May 2010 10:17:12 +0000 (12:17 +0200)]
cfg80211: make action channel type optional
When sending action frames, we want to verify
that we do that on the correct channel. However,
checking the channel type in addition can get in
the way, since the channel type could change on
the fly during an association, and it's not
useful to have the channel type anyway since it
has no effect on the transmission. Therefore,
make it optional to specify so that if wanted,
it can still be checked, but is not required.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Bruno Randolf [Wed, 19 May 2010 01:31:37 +0000 (10:31 +0900)]
ath5k: always calculate ANI listen time
Calculate 'listen' time also when automatic ANI is off, since this and the
"busy" time is useful information also in manual mode.
Signed-off-by: Bruno Randolf <br1@einfach.org> Acked-by: Nick Kossifidis <mickflemm@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
sysfs has a lot of symlinks, so you can find the files also in other locations,
like (by PCI ID) /sys/devices/pci0000:00/0000:00:11.0/ani and others.
Signed-off-by: Bruno Randolf <br1@einfach.org> Acked-by: Nick Kossifidis <mickflemm@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Bruno Randolf [Wed, 19 May 2010 01:31:21 +0000 (10:31 +0900)]
ath5k: clarify logic when to enable spur mitigation filter
The old code logically did not make sense and seems to have been confused by
the fact that we could have newer EEPROMs on older hardware. In any case the
spur mitigation filter was set if the srev was >= AR5K_SREV_AR5424.
Spur info is available only from EEPROM versions bigger than 5.3 but the
EEPROM routines will use static values for older versions, so that should be
o.k.
Signed-off-by: Bruno Randolf <br1@einfach.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Bruno Randolf [Wed, 19 May 2010 01:31:16 +0000 (10:31 +0900)]
ath5k: remove ATH_TRACE macro
Now that we have ftrace, it is not needed any more.
Signed-off-by: Bruno Randolf <br1@einfach.org> Acked-by: Nick Kossifidis <mickflemm@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Bruno Randolf [Wed, 19 May 2010 01:31:10 +0000 (10:31 +0900)]
ath5k: run NF calibration only every 60 seconds
Since NF calibration interferes with TX and RX and also has been the cause of
other problems (when it's run concurrently with ath5k_reset) we want to run it
less often - every 60 seconds for now.
Signed-off-by: Bruno Randolf <br1@einfach.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Bruno Randolf [Wed, 19 May 2010 01:31:05 +0000 (10:31 +0900)]
ath5k: Stop queues only for NF calibration
As far as we know, only NF calibration interferes with RX/TX so we can
leave the queues enabled for the other calibrations.
BTW: Stopping the queues is not enough for avoiding transmissions, since there
might be packets in the queue + beacons are also sent regularly! But I leave it
like this until we have a better solution (stopping TX DMA?).
Signed-off-by: Bruno Randolf <br1@einfach.org> Acked-by: Nick Kossifidis <mickflemm@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Bruno Randolf [Wed, 19 May 2010 01:31:00 +0000 (10:31 +0900)]
ath5k: move noise floor calibration into tasklet
Separate noise floor calibration from other PHY calibration and move it to the
tasklet. This is the first step to more separation of different calibrations.
Also move out ath5k_hw_request_rfgain_probe(ah) so we have one clean function
for I/Q calibration on 5111x parts.
Signed-off-by: Bruno Randolf <br1@einfach.org> Acked-by: Nick Kossifidis <mickflemm@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Bruno Randolf [Wed, 19 May 2010 01:30:55 +0000 (10:30 +0900)]
ath5k: initialize calibration timers
Initialize calibration timers on reset, since otherwise they might be in the
future and the calibration tasklet might not be scheduled for a long time.
Signed-off-by: Bruno Randolf <br1@einfach.org> Acked-by: Nick Kossifidis <mickflemm@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Jussi Kivilinna [Tue, 18 May 2010 08:27:31 +0000 (11:27 +0300)]
rndis_wlan: increase assocbuf size and validate association info offsets from driver
Buffer size for get_association_info was limited to WEXT event size. Since association
info no longer is sent through WEXT, this limit is not needed. Code also did not
check if data gets truncated; memory outside the buffer might be addressed. Fix all these.
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi> Signed-off-by: John W. Linville <linville@tuxdriver.com>
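An added illustration of the offset validation this commit message describes; it is not code from the patch or from rndis_wlan. The `assoc_hdr` layout, the helper names and the sample bytes are hypothetical and constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical response header (not the rndis_wlan layout): the device says
 * where the request IEs sit inside the same response buffer. Fields are read
 * in host byte order here; a real driver would convert from wire order. */
struct assoc_hdr {
    uint32_t req_ie_off;
    uint32_t req_ie_len;
};

/* Flawed check: the 32-bit sum wraps, so a huge length can pass. */
static int naive_ok(uint32_t off, uint32_t len, size_t got)
{
    return (uint32_t)(off + len) <= got;
}

/* Overflow-safe check against the number of bytes actually received. */
static int range_ok(uint32_t off, uint32_t len, size_t got)
{
    if (off < sizeof(struct assoc_hdr))   /* must not overlap the header */
        return 0;
    if (off > got)                        /* starts past the received data */
        return 0;
    return len <= got - off;              /* subtraction cannot wrap here */
}

/* Returns 0 and sets *ie / *ie_len, or -1 if the device-supplied fields
 * point outside buf[0..got), e.g. because the response was truncated. */
static int get_req_ies(const uint8_t *buf, size_t got,
                       const uint8_t **ie, size_t *ie_len)
{
    struct assoc_hdr h;

    if (got < sizeof(h))
        return -1;
    memcpy(&h, buf, sizeof(h));           /* avoid unaligned access */
    if (!range_ok(h.req_ie_off, h.req_ie_len, got))
        return -1;
    *ie = buf + h.req_ie_off;
    *ie_len = h.req_ie_len;
    return 0;
}

/* Constructed sample: header followed by one SSID IE ("test"). */
static size_t build_sample(uint8_t *buf, size_t cap, uint32_t off, uint32_t len)
{
    static const uint8_t ies[] = { 0x00, 0x04, 't', 'e', 's', 't' };
    struct assoc_hdr h = { off, len };
    size_t total = sizeof(h) + sizeof(ies);

    if (cap < total)
        return 0;
    memcpy(buf, &h, sizeof(h));
    memcpy(buf + sizeof(h), ies, sizeof(ies));
    return total;
}

int main(void)
{
    uint8_t buf[64];
    const uint8_t *ie;
    size_t ie_len;
    size_t got = build_sample(buf, sizeof(buf), 8, 6);

    printf("full response:      %d\n", get_req_ies(buf, got, &ie, &ie_len));
    printf("truncated response: %d\n", get_req_ies(buf, 10, &ie, &ie_len));
    got = build_sample(buf, sizeof(buf), 8, 0xFFFFFFFCu);
    printf("wrapping length:    naive=%d safe=%d\n",
           naive_ok(8, 0xFFFFFFFCu, got), range_ok(8, 0xFFFFFFFCu, got));
    return 0;
}
```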
Sujith [Mon, 17 May 2010 06:31:16 +0000 (12:01 +0530)]
ath9k_htc: Cleanup rate initialization
This patch removes a large chunk of code dealing
with rate management within the driver and simplifying
things by removing the hacky method of calculating
HT changes. A subsequent patch would fix this by
just using BSS_CHANGED_HT from mac80211.
Signed-off-by: Sujith <Sujith.Manoharan@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Dan Carpenter [Fri, 14 May 2010 13:24:37 +0000 (15:24 +0200)]
ath9k/debug: improve the snprintf() handling
The snprintf() function returns the number of bytes that *would* have
been written (not counting the NULL terminator) and that can potentially
be more than the size of the buffer.
In this patch if there were one liners where string clearly fits into
the buffer, then I changed snprintf to sprintf(). It's confusing to use
the return value of snprintf() as a limiter without verifying that it's
smaller than size. This is what initially caught my attention here.
If we use the return value of sprintf() instead future code auditors will
assume we've verified that it fits already.
Also I did find some places where it made sense to use the return value
after we've verified that it is smaller than the buffer size.
Finally the read_file_rcstat() function added an explicit NULL terminator
before calling snprintf(). That's unnecessary because snprintf() will
add the null terminator automatically.
Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
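An added userspace illustration of the snprintf() behaviour this commit message describes; it is not code from the patch or from ath9k. The helper names `reported_len` and `append_bounded` and the sample strings are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Returns what snprintf() reports: the length the output WOULD have had,
 * which can be larger than the buffer it was given. */
static int reported_len(char *buf, size_t size, const char *s)
{
    return snprintf(buf, size, "%s", s);
}

/* Append formatted text at offset *len and keep *len a valid index.
 * Returns 0 if everything fit, -1 if the output was truncated.
 * After truncation *len == size - 1, so a later "size - *len" stays
 * positive instead of wrapping around. */
static int append_bounded(char *buf, size_t size, size_t *len,
                          const char *fmt, ...)
{
    va_list ap;
    int n;

    if (size == 0 || *len >= size)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf + *len, size - *len, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    if ((size_t)n >= size - *len) {
        *len = size - 1;          /* buffer full, NUL sits at buf[size-1] */
        return -1;
    }
    *len += (size_t)n;
    return 0;
}

/* Builds a small multi-line report the way a debugfs read handler might,
 * and returns the number of bytes that are really in buf. */
static size_t build_report(char *buf, size_t size)
{
    size_t len = 0;
    int i;

    for (i = 0; i < 4; i++)
        if (append_bounded(buf, size, &len, "queue %d: ok\n", i) < 0)
            break;                /* stop once the buffer is full */
    return len;
}

int main(void)
{
    char small[8];
    char report[32];
    int would = reported_len(small, sizeof(small), "rate table overflow");
    size_t len;

    printf("buffer holds %zu bytes, snprintf returned %d\n",
           sizeof(small), would);
    len = build_report(report, sizeof(report));
    printf("report length %zu (strlen %zu)\n", len, strlen(report));
    return 0;
}
```

Using the value from `reported_len` directly as an offset or as a copy length is the pattern the commit message warns about; `append_bounded` checks it against the remaining space first.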
Amitkumar Karwar [Wed, 19 May 2010 10:24:38 +0000 (03:24 -0700)]
libertas: Added callback functions to support SDIO suspend/resume.
In suspend() host sleep is activated using already configured
host sleep parameters through wol command, and in resume() host
sleep is cancelled. Earlier priv->fw_ready flag used to reset and
set in suspend and resume handler respectively. Since after suspend
only host goes into sleep state and firmware is always ready, those
changes in flag state are removed.
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Juuso Oikarinen [Fri, 14 May 2010 07:46:23 +0000 (10:46 +0300)]
wl1271: Add support for NVS files with 5GHz band parameters
This patch adds support for NVS files with 5GHz band parameters. The change
is done in a backward compatible manner - if 11a is not enabled in the driver,
the driver will allow also old NVS files to be loaded.
Signed-off-by: Juuso Oikarinen <juuso.oikarinen@nokia.com> Reviewed-by: Luciano Coelho <luciano.coelho@nokia.com> Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Juuso Oikarinen [Fri, 14 May 2010 07:46:22 +0000 (10:46 +0300)]
wl1271: Update handling of the NVS file / INI parameters
This patch updates the handling of the NVS file INI-section, trying to make
it slightly more generic, and exposing the parameters being set. This is done
in preparation for 5GHz parameters.
Signed-off-by: Juuso Oikarinen <juuso.oikarinen@nokia.com> Reviewed-by: Luciano Coelho <luciano.coelho@nokia.com> Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Sujith [Fri, 14 May 2010 05:48:57 +0000 (11:18 +0530)]
ath9k_htc: Remove HW queue translation
There is no need to determine the HW queue
for each packet that is transmitted. The endpoint
can be chosen directly based on the queue type
that mac80211 sends down.
Signed-off-by: Sujith <Sujith.Manoharan@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
ath9k: enable the baseband watchdog events for AR9003
This enables the baseband watchdog events for the AR9003
family on ath9k. Upon a baseband watchdog interrupt we reset
the hardware, this should address corner case conditions where
normal operation can stall. Enable ATH_DBG_RESET to be able
to review details of the bb watchdog interrupt once it happens.
If you're curious how often this happens just grep the debugfs
interrupt file.
Cc: Sam Ng <sam.ng@atheros.com> Cc: Paul Shaw <paul.shaw@atheros.com> Cc: Don Breslin <don.breslin@atheros.com> Cc: Cliff Holden <cliff.holden@atheros.com> Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
ath9k_hw: add support for the AR9003 baseband watchdog
The baseband watchdog will monitor blocks of the baseband
through timers and will issue an interrupt when things are
detected to be stalled. It is only available on the AR9003
family.
Cc: Sam Ng <sam.ng@atheros.com> Cc: Paul Shaw <paul.shaw@atheros.com> Cc: Don Breslin <don.breslin@atheros.com> Cc: Cliff Holden <cliff.holden@atheros.com> Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
rt2x00: Move rt2x00debug_dump_frame declaration to rt2x00.h.
This allows rt2x00debug_dump_frame to be used from everywhere.
This is preparation for beacon writing clean ups.
Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com> Acked-by: Ivo van Doorn <IvDoorn@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Prarit Bhargava [Thu, 27 May 2010 18:41:20 +0000 (14:41 -0400)]
libertas: fix uninitialized variable warning
Fixes:
drivers/net/wireless/libertas/rx.c: In function process_rxed_802_11_packet:
drivers/net/wireless/libertas/rx.c:354: error: radiotap_hdr.flags may be used uninitialized in this function
Signed-off-by: Prarit Bhargava <prarit@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
ath9k: Remove ATH9K_TX_SW_ABORTED and introduce a bool for this purpose
Wrong buffer is checked for bf_tx_aborted field in ath_tx_num_badfrms(),
this may result in a rate scaling with wrong feedback (number
of unacked frames in this case). It is the last one in the chain
of buffers for an aggregate frame that should be checked.
Also it misses the initialization of this field in the buffer,
this may lead to a situation where we stop the sw retransmission
of failed subframes associated to this buffer.
Signed-off-by: Vasanthakumar Thiagarajan <vasanth@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
ath_print in xmit.c should say "Reseting hardware"
instead of Resetting HAL! (since HAL is being phased out).
dmesg shows:
[ 8660.899624] ath: Failed to stop TX DMA in 100 msec after killing last frame
[ 8660.899676] ath: Unable to stop TxDMA. Reset HAL!
Signed-off-by: Justin P. Mattock <justinmattock@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Commit "ar9170: wait for asynchronous firmware loading"
introduced a bug, which is triggered by fatal errors
while the driver is initializing the device.
BUG: unable to handle kernel paging request at 6b6b6bf7
IP: [<c117b567>] kobject_put+0x7/0x70
*pde = 00000000
Oops: 0000 [#1] PREEMPT
last sysfs file: /sys/devices/platform/hdaps/position
Modules linked in: ar9170usb [...]
Felix Fietkau [Thu, 13 May 2010 18:37:25 +0000 (20:37 +0200)]
ath9k: remove VEOL support for ad-hoc
With VEOL, Beacon transmission in ad-hoc does not currently work.
I believe for larger ad-hoc networks, VEOL is too unreliable, as
it can get beacon transmissions stuck during synchronization.
Use SWBA based beacon transmission similar to AP mode instead.
Signed-off-by: Felix Fietkau <nbd@openwrt.org> Acked-by: Benoit Papillault <benoit.papillault@free.fr> Signed-off-by: John W. Linville <linville@tuxdriver.com>
ath9k: Fix rx of mcast/bcast frames in PS mode with auto sleep
The functionality to keep the device awake until it is done with
the rx of any mcast/bcast frames which are pending on AP should
also be added to the hardwares which support auto sleep feature.
This patch fixes frequent failures in ARP resolution when it is
initiated by the other end. Currently auto sleep is enabled only
for ar9003 in ath9k.
Signed-off-by: Vasanthakumar Thiagarajan <vasanth@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Randy Dunlap [Fri, 21 May 2010 18:28:41 +0000 (11:28 -0700)]
wireless: fix sta_info.h kernel-doc warnings
Fix sta_info.h kernel-doc warnings:
Warning(net/mac80211/sta_info.h:164): No description found for parameter 'tid_active_rx[STA_TID_NUM]'
Warning(net/mac80211/sta_info.h:164): Excess struct/union/enum/typedef member 'tid_state_rx' description in 'sta_ampdu_mlme'
Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> Acked-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Randy Dunlap [Fri, 21 May 2010 18:28:33 +0000 (11:28 -0700)]
wireless: fix mac80211.h kernel-doc warnings
Fix kernel-doc warnings in mac80211.h:
Warning(include/net/mac80211.h:838): No description found for parameter 'ap_addr'
Warning(include/net/mac80211.h:1726): No description found for parameter 'get_survey'
Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Dan Carpenter [Fri, 14 May 2010 14:52:37 +0000 (16:52 +0200)]
ath9k_htc: rare leak in ath9k_hif_usb_alloc_tx_urbs()
This is obviously a small picky thing. The original error handling code
doesn't free the most recent allocations which haven't been added to the
hif_dev->tx.tx_buf list yet.
Signed-off-by: Dan Carpenter <error27@gmail.com> Acked-by: Sujith <Sujith.Manoharan@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Dan Carpenter [Fri, 14 May 2010 14:50:56 +0000 (16:50 +0200)]
ath9k_htc: dereferencing before check in hif_usb_tx_cb()
After c11d8f89d3b7: "ath9k_htc: Simplify TX URB management" we no longer
assume that tx_buf is a non-null pointer.
Signed-off-by: Dan Carpenter <error27@gmail.com> Acked-by: Sujith <Sujith.Manoharan@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
The recent changes to skb handling introduced a bug in the rt2800usb
TX descriptor writing whereby the length of the USB packet wasn't
calculated correctly.
Found via code inspection, as the devices themselves didn't seem to mind.
Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com> Acked-by: Ivo van Doorn <IvDoorn@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
rt2x00: Fix failed SLEEP->AWAKE and AWAKE->SLEEP transitions.
(Based on a patch created by Ondrej Zary)
In some circumstances the Ralink devices do not properly go to sleep
or wake up, with timeouts occurring.
Fix this by retrying telling the device that it has to wake up or
sleep.
Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com> Acked-by: Ivo van Doorn <IvDoorn@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Helmut Schaa [Wed, 19 May 2010 06:47:59 +0000 (08:47 +0200)]
rt2x00: don't use to_pci_dev in rt2x00pci_uninitialize
Don't use to_pci_dev in rt2x00pci_uninitialize to get the allocated irq
as it won't work for platform devices (SoC). Instead, use the irq field
that's already used everywhere else.
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com> Acked-by: Ivo van Doorn <IvDoorn@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Bruno Randolf [Wed, 19 May 2010 01:18:16 +0000 (10:18 +0900)]
ath5k: consistently use rx_bufsize for RX DMA
We should use the same buffer size we set up for DMA also in the hardware
descriptor. Previously we used common->rx_bufsize for setting up the DMA
mapping, but used skb_tailroom(skb) for the size we tell to the hardware in the
descriptor itself. The problem is that skb_tailroom(skb) can give us a larger
value than the size we set up for DMA before. This allows the hardware to write
into memory locations not set up for DMA. In practice this should rarely happen
because all packets should be smaller than the maximum 802.11 packet size.
On the tested platform rx_bufsize is 2528, and we allocated an skb of 2559
bytes length (including padding for cache alignment) but skb_tailroom() was
2592. Just consistently use rx_bufsize for all RX DMA memory sizes.
Also use the return value of the descriptor setup function.
Cc: stable@kernel.org Signed-off-by: Bruno Randolf <br1@einfach.org> Reviewed-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Johannes Berg [Tue, 18 May 2010 12:36:34 +0000 (14:36 +0200)]
cfg80211: add missing braces
Specifying a valid channel type will get
goto out rather than continuing, due to
missing braces. This affects both remain
on channel and action frame TX commands.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
We tried to squeeze as much AR9003 support into this kernel
release cycle but there are a few features which are still
being tested and developed. Some of these features are critical
to the stable operation of AR9003 so for now disable AR9003 support
altogether. This will get re-enabled once all necessary features
are in place but very likely will not happen for 2.6.35.
Reviewed-by: Don Breslin <don.breslin@atheros.com> Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Juuso Oikarinen [Fri, 14 May 2010 07:46:24 +0000 (10:46 +0300)]
wl1271: Fix RX data path frame lengths
The current frame length used by the driver for RX frames is the SPI bus
transfer length. This length has padding bytes, which do not belong to the
WLAN frame.
As there is no other length information in the WLAN frame except the skb
length this problem caused for instance extra ESSID's to be listed at the
end of scan results (IE id 0) with zero length.
Fix the frame length by removing padding.
Signed-off-by: Juuso Oikarinen <juuso.oikarinen@nokia.com> Reviewed-by: Luciano Coelho <luciano.coelho@nokia.com> Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Reinette Chatre [Thu, 13 May 2010 21:49:44 +0000 (14:49 -0700)]
iwlwifi: fix internal scan race
It is possible for internal scan to race against itself if the device is
not returning the scan results from first requests. What happens in this
case is the cleanup done during the abort of the first internal scan also
cleans up part of the new scan, causing it to access memory it shouldn't.
Here are details:
* First internal scan is triggered and scan command sent to device.
* After seven seconds there are no scan results so the watchdog timer
triggers a scan abort.
* The scan abort succeeds and a SCAN_COMPLETE_NOTIFICATION is received for
failed scan.
* During processing of SCAN_COMPLETE_NOTIFICATION we clear STATUS_SCANNING
and queue the "scan_completed" work.
** At this time, since the problem that caused the internal scan in first
place is still present, a new internal scan is triggered.
The behavior at this point is a bit different between 2.6.34 and 2.6.35
since 2.6.35 has a lot of this synchronized. The rest of the race
description will thus be generalized.
** As part of preparing for the scan "is_internal_short_scan" is set to
true.
* At this point the completion work for first scan is run. As part of this
there is some locking missing around the "is_internal_short_scan"
variable and it is set to "false".
** Now the second scan runs and it considers itself a real (not internal)
scan and thus causes problems with wrong memory being accessed.
The fix is twofold.
* Since "is_internal_short_scan" should be protected by mutex, fix this in
scan completion work so that changes to it can be serialized.
* Do not queue a new internal scan if one is in progress.
This fixes https://bugzilla.kernel.org/show_bug.cgi?id=15824
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Sujith [Thu, 13 May 2010 05:04:08 +0000 (10:34 +0530)]
cfg80211: Fix signal_type comparison
signal_type is enum cfg80211_signal_type.
This fixes the gcc warning:
scan.c: In function `cfg80211_inform_bss':
scan.c:518:6: warning: comparison between `enum cfg80211_signal_type' and `enum nl80211_bss'
scan.c: In function `cfg80211_inform_bss_frame':
scan.c:574:6: warning: comparison between `enum cfg80211_signal_type' and `enum nl80211_bss'
Signed-off-by: Sujith <Sujith.Manoharan@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Tom Herbert [Thu, 20 May 2010 18:37:59 +0000 (18:37 +0000)]
net: fix problem in dequeuing from input_pkt_queue
Fix some issues introduced in batch skb dequeuing for input_pkt_queue.
The primary issue is that the queue head must be incremented only
after a packet has been processed, that is only after
__netif_receive_skb has been called. This is needed for the mechanism
to prevent OOO packet in RFS. Also when flushing the input_pkt_queue
and process_queue, the process queue should be done first to prevent
OOO packets.
Because the input_pkt_queue has been effectively split into two queues,
the calculation of the tail ptr is no longer correct. The correct value
would be head+input_pkt_queue->len+process_queue->len. To avoid
this calculation we added an explicit input_queue_tail in softnet_data.
The tail value is simply incremented when queuing to input_pkt_queue.
Signed-off-by: Tom Herbert <therbert@google.com> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>