]> git.karo-electronics.de Git - karo-tx-linux.git/log
karo-tx-linux.git
13 years agodrm/i915/crt: Make sure the hotplug interrupt is enabled
Yuanhan Liu [Fri, 8 Oct 2010 09:18:01 +0000 (10:18 +0100)]
drm/i915/crt: Make sure the hotplug interrupt is enabled

commit 1510a97182b4ddb5fe3c4e8d05240f7cd6fd13e7 upstream.

After disabling the hotplug interrupts for VGA detection on Ironlake, be
sure to re-enable them again afterwards.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=30378
Signed-off-by: Yuanhan Liu <yuanhan.liu@intel.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/radeon/kms: fix handling of tex lookup disable in cs checker on r2xx
Alex Deucher [Wed, 27 Oct 2010 05:02:35 +0000 (01:02 -0400)]
drm/radeon/kms: fix handling of tex lookup disable in cs checker on r2xx

commit 43b93fbffc2c080dba2e84df6fce8d7e6c0a2581 upstream.

There are cases when multiple texture units have to be enabled,
but not actually used to sample.  This patch checks to see if
the lookup_disable bit is set and if so, skips the texture check.

Fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=25544

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/radeon/kms: make sure blit addr masks are 64 bit
Alex Deucher [Wed, 6 Oct 2010 04:13:04 +0000 (00:13 -0400)]
drm/radeon/kms: make sure blit addr masks are 64 bit

commit 2126d0a4a205e2d6b763434f892524cd60f74228 upstream.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/i915: Update hotplug interrupts register definitions for Sandybridge
Yuanhan Liu [Fri, 8 Oct 2010 09:21:06 +0000 (10:21 +0100)]
drm/i915: Update hotplug interrupts register definitions for Sandybridge

commit 2d7b8366ae4a9ec2183c30e432a4a9a495c82bcd upstream.

On Sandybridge, the bit definition for hotplug on SDE has changed, so
update the code to new definition.

Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=30378
Signed-off-by: Yuanhan Liu <yuanhan.liu@intel.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/radeon/kms: properly compute group_size on 6xx/7xx
Alex Deucher [Tue, 19 Oct 2010 03:54:56 +0000 (23:54 -0400)]
drm/radeon/kms: properly compute group_size on 6xx/7xx

commit 881fe6c1d06bf49f4ab7aef212cdaf66bd059614 upstream.

Needed for tiled surfaces.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/radeon/kms: MC vram map needs to be >= pci aperture size
Alex Deucher [Mon, 25 Oct 2010 23:44:00 +0000 (19:44 -0400)]
drm/radeon/kms: MC vram map needs to be >= pci aperture size

commit b7d8cce5b558e0c0aa6898c9865356481598b46d upstream.

The vram map in the radeon memory controller needs to be
>= the pci aperture size.  Fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=28402

The problematic cards in the above bug have 64 MB of vram,
but the pci aperture is 128 MB and the MC vram map was only
64 MB.  This can lead to hangs.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoNFS: Don't SIGBUS if nfs_vm_page_mkwrite races with a cache invalidation
Trond Myklebust [Mon, 4 Oct 2010 21:59:08 +0000 (17:59 -0400)]
NFS: Don't SIGBUS if nfs_vm_page_mkwrite races with a cache invalidation

commit bc4866b6e0b44f8ea0df22a16e5927714beb4983 upstream.

In the case where we lock the page, and then find out that the page has
been thrown out of the page cache, we should just return VM_FAULT_NOPAGE.
This is what block_page_mkwrite() does in these situations.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoNFSv4: Fix open recovery
Trond Myklebust [Mon, 4 Oct 2010 21:59:08 +0000 (17:59 -0400)]
NFSv4: Fix open recovery

commit b0ed9dbc24f1fd912b2dd08b995153cafc1d5b1c upstream.

NFSv4 open recovery is currently broken: since we do not clear the
state->flags states before attempting recovery, we end up with the
'can_open_cached()' function triggering. This again leads to no OPEN call
being put on the wire.

Reported-by: Sachin Prabhu <sprabhu@redhat.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoNFSv4: Don't call nfs4_state_mark_reclaim_reboot() from error handlers
Trond Myklebust [Mon, 4 Oct 2010 21:59:08 +0000 (17:59 -0400)]
NFSv4: Don't call nfs4_state_mark_reclaim_reboot() from error handlers

commit ae1007d37e00144b72906a4bdc47d517ae91bcc1 upstream.

In the case of a server reboot, the state recovery thread starts by calling
nfs4_state_end_reclaim_reboot() in order to avoid edge conditions when
the server reboots while the client is in the middle of recovery.

However, if the client has already marked the nfs4_state as requiring
reboot recovery, then the above behaviour will cause the recovery thread to
treat the open as if it was part of such an edge condition: the open will
be recovered as if it was part of a lease expiration (and all the locks
will be lost).
Fix is to remove the call to nfs4_state_mark_reclaim_reboot from
nfs4_async_handle_error(), and nfs4_handle_exception(). Instead we leave it
to the recovery thread to do this for us.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoNFSv4: Don't call nfs4_reclaim_complete() on receiving NFS4ERR_STALE_CLIENTID
Trond Myklebust [Mon, 4 Oct 2010 21:59:08 +0000 (17:59 -0400)]
NFSv4: Don't call nfs4_reclaim_complete() on receiving NFS4ERR_STALE_CLIENTID

commit 6eaa61496fb3b93cceface7a296415fc4c030bce upstream.

If the server sends us an NFS4ERR_STALE_CLIENTID while the state management
thread is busy reclaiming state, we do want to treat all state that wasn't
reclaimed before the STALE_CLIENTID as if a network partition occurred (see
the edge conditions described in RFC3530 and RFC5661).
What we do not want to do is to send an nfs4_reclaim_complete(), since we
haven't yet even started reclaiming state after the server rebooted.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agophy/marvell: fix 88e1121 support
Arnaud Patard [Thu, 21 Oct 2010 10:59:57 +0000 (03:59 -0700)]
phy/marvell: fix 88e1121 support

commit be8c648051048bc66fbca590d00f3e8543ec32af upstream.

Commit c477d0447db08068a497e7beb892b2b2a7bff64b added support for RGMII
rx/tx delays except that it ends up clearing rx/tx delays bit for modes
differents that RGMII*ID. Due to this, ethernet is not working anymore
on my guruplug server +. This patch is fixing that.

Signed-off-by: Arnaud Patard <arnaud.patard@rtp-net.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomicroblaze: Fix build with make 3.82
Thomas Backlund [Thu, 21 Oct 2010 10:19:10 +0000 (13:19 +0300)]
microblaze: Fix build with make 3.82

commit b843e4ec01991a386a9e0e9030703524446e03da upstream.

When running make headers_install_all on x86_64 and make 3.82 I hit this:

arch/microblaze/Makefile:80: *** mixed implicit and normal rules.  Stop.
make: *** [headers_install_all] Error 2

So split the rules to satisfy make 3.82.

Signed-off-by: Thomas Backlund <tmb@mandriva.org>
Signed-off-by: Michal Simek <monstr@monstr.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoSUNRPC: After calling xprt_release(), we must restart from call_reserve
Trond Myklebust [Sun, 24 Oct 2010 21:17:31 +0000 (17:17 -0400)]
SUNRPC: After calling xprt_release(), we must restart from call_reserve

commit 118df3d17f11733b294ea2cd988d56ee376ef9fd upstream.

Rob Leslie reports seeing the following Oops after his Kerberos session
expired.

BUG: unable to handle kernel NULL pointer dereference at 00000058
IP: [<e186ed94>] rpcauth_refreshcred+0x11/0x12c [sunrpc]
*pde = 00000000
Oops: 0000 [#1]
last sysfs file: /sys/devices/platform/pc87360.26144/temp3_input
Modules linked in: autofs4 authenc esp4 xfrm4_mode_transport ipt_LOG ipt_REJECT xt_limit xt_state ipt_REDIRECT xt_owner xt_HL xt_hl xt_tcpudp xt_mark cls_u32 cls_tcindex sch_sfq sch_htb sch_dsmark geodewdt deflate ctr twofish_generic twofish_i586 twofish_common camellia serpent blowfish cast5 cbc xcbc rmd160 sha512_generic sha1_generic hmac crypto_null af_key rpcsec_gss_krb5 nfsd exportfs nfs lockd fscache nfs_acl auth_rpcgss sunrpc ip_gre sit tunnel4 dummy ext3 jbd nf_nat_irc nf_conntrack_irc nf_nat_ftp nf_conntrack_ftp iptable_mangle iptable_nat nf_nat nf_conntrack_ipv4 nf_conntrack nf_defrag_ipv4 iptable_filter ip_tables x_tables pc8736x_gpio nsc_gpio pc87360 hwmon_vid loop aes_i586 aes_generic sha256_generic dm_crypt cs5535_gpio serio_raw cs5535_mfgpt hifn_795x des_generic geode_rng rng_core led_class ext4 mbcache jbd2 crc16 dm_mirror dm_region_hash dm_log dm_snapshot dm_mod sd_mod crc_t10dif ide_pci_generic cs5536 amd74xx ide_core pata_cs5536 ata_generic libata usb_storage via_rhine mii scsi_mod btrfs zlib_deflate crc32c libcrc32c [last unloaded: scsi_wait_scan]

Pid: 12875, comm: sudo Not tainted 2.6.36-net5501 #1 /
EIP: 0060:[<e186ed94>] EFLAGS: 00010292 CPU: 0
EIP is at rpcauth_refreshcred+0x11/0x12c [sunrpc]
EAX: 00000000 EBX: defb13a0 ECX: 00000006 EDX: e18683b8
ESI: defb13a0 EDI: 00000000 EBP: 00000000 ESP: de571d58
 DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Process sudo (pid: 12875, ti=de570000 task=decd1430 task.ti=de570000)
Stack:
 e186e008 00000000 defb13a0 0000000d deda6000 e1868f22 e196f12b defb13a0
<0> defb13d8 00000000 00000000 e186e0aa 00000000 defb13a0 de571dac 00000000
<0> e186956c de571e34 debea5c0 de571dc8 e186967a 00000000 debea5c0 de571e34
Call Trace:
 [<e186e008>] ? rpc_wake_up_next+0x114/0x11b [sunrpc]
 [<e1868f22>] ? call_decode+0x24a/0x5af [sunrpc]
 [<e196f12b>] ? nfs4_xdr_dec_access+0x0/0xa2 [nfs]
 [<e186e0aa>] ? __rpc_execute+0x62/0x17b [sunrpc]
 [<e186956c>] ? rpc_run_task+0x91/0x97 [sunrpc]
 [<e186967a>] ? rpc_call_sync+0x40/0x5b [sunrpc]
 [<e1969ca2>] ? nfs4_proc_access+0x10a/0x176 [nfs]
 [<e19572fa>] ? nfs_do_access+0x2b1/0x2c0 [nfs]
 [<e186ed61>] ? rpcauth_lookupcred+0x62/0x84 [sunrpc]
 [<e19573b6>] ? nfs_permission+0xad/0x13b [nfs]
 [<c0177824>] ? exec_permission+0x15/0x4b
 [<c0177fbd>] ? link_path_walk+0x4f/0x456
 [<c017867d>] ? path_walk+0x4c/0xa8
 [<c0179678>] ? do_path_lookup+0x1f/0x68
 [<c017a3fb>] ? user_path_at+0x37/0x5f
 [<c016359c>] ? handle_mm_fault+0x229/0x55b
 [<c0170a2d>] ? sys_faccessat+0x93/0x146
 [<c0170aef>] ? sys_access+0xf/0x13
 [<c02cf615>] ? syscall_call+0x7/0xb
Code: 0f 94 c2 84 d2 74 09 8b 44 24 0c e8 6a e9 8b de 83 c4 14 89 d8 5b 5e 5f 5d c3 55 57 56 53 83 ec 1c fc 89 c6 8b 40 10 89 44 24 04 <8b> 58 58 85 db 0f 85 d4 00 00 00 0f b7 46 70 8b 56 20 89 c5 83
EIP: [<e186ed94>] rpcauth_refreshcred+0x11/0x12c [sunrpc] SS:ESP 0068:de571d58
CR2: 0000000000000058

This appears to be caused by the function rpc_verify_header() first
calling xprt_release(), then doing a call_refresh. If we release the
transport slot, we should _always_ jump back to call_reserve before
calling anything else.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agopowerpc: Fix call to subpage_protection()
Michael Neuling [Wed, 17 Nov 2010 16:32:59 +0000 (16:32 +0000)]
powerpc: Fix call to subpage_protection()

commit 1c2c25c78740b2796c7c06640784cb6732fa4907 upstream.

In:
  powerpc/mm: Fix pgtable cache cleanup with CONFIG_PPC_SUBPAGE_PROT
  commit d28513bc7f675d28b479db666d572e078ecf182d
  Author: David Gibson <david@gibson.dropbear.id.au>

subpage_protection() was changed to to take an mm rather a pgdir but it
didn't change calling site in hashpage_preload().  The change wasn't
noticed at compile time since hashpage_preload() used a void* as the
parameter to subpage_protection().

This is obviously wrong and can trigger the following crash when
CONFIG_SLAB, CONFIG_DEBUG_SLAB, CONFIG_PPC_64K_PAGES
CONFIG_PPC_SUBPAGE_PROT are enabled.

Freeing unused kernel memory: 704k freed
Unable to handle kernel paging request for data at address 0x6b6b6b6b6b6c49b7
Faulting instruction address: 0xc0000000000410f4
cpu 0x2: Vector: 300 (Data Access) at [c00000004233f590]
    pc: c0000000000410f4: .hash_preload+0x258/0x338
    lr: c000000000041054: .hash_preload+0x1b8/0x338
    sp: c00000004233f810
   msr: 8000000000009032
   dar: 6b6b6b6b6b6c49b7
 dsisr: 40000000
  current = 0xc00000007e2c0070
  paca    = 0xc000000007fe0500
    pid   = 1, comm = init
enter ? for help
[c00000004233f810c000000000041020 .hash_preload+0x184/0x338 (unreliable)
[c00000004233f8f0c00000000003ed98 .update_mmu_cache+0xb0/0xd0
[c00000004233f990c000000000157754 .__do_fault+0x48c/0x5dc
[c00000004233faa0c000000000158fd0 .handle_mm_fault+0x508/0xa8c
[c00000004233fb90c0000000006acdd4 .do_page_fault+0x428/0x6ac
[c00000004233fe30c000000000005260 handle_page_fault+0x20/0x74

Reported-by: Jim Keniston <jkenisto@linux.vnet.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Michael Neuling <mikey@neuling.org>
cc: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoALSA: HDA: Enable internal mic on Dell E6410 and Dell E6510
David Henningsson [Mon, 25 Oct 2010 21:52:04 +0000 (23:52 +0200)]
ALSA: HDA: Enable internal mic on Dell E6410 and Dell E6510

[Not upstream as .37 fixes this differently in a much more complete way
that is not able to be backported easily.]

(Ported on top of 2.6.36)

BugLink: http://launchpad.net/bugs/628961
BugLink: http://launchpad.net/bugs/605047
Signed-off-by: David Henningsson <david.henningsson@canonical.com>
Signed-off-by: Diego Elio Pettenò <flameeyes@gmail.com>
Acked-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoALSA: OSS mixer emulation - fix locking
Jaroslav Kysela [Fri, 8 Oct 2010 08:48:50 +0000 (10:48 +0200)]
ALSA: OSS mixer emulation - fix locking

commit 838c364ff05c143fd1810e8ad1469935d6c23a7a upstream.

Fix mutex release and cleanup some locking code.

Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoALSA: hda - Add some workarounds for Creative IBG
Takashi Iwai [Thu, 21 Oct 2010 07:03:25 +0000 (09:03 +0200)]
ALSA: hda - Add some workarounds for Creative IBG

commit 14d34f166c57e77e3d7f9bc8b43d349186d922c1 upstream.

Creative HD-audio controller chips require some workarounds:
 - Additional delay before RIRB response
 - Set the initial RIRB counter to 0xc0

The latter seems to be done in general in Windows driver, so we may
use this value later for all types if it's confirmed to work better.

Reported-by: Wai Yew CHAY <wychay@ctl.creative.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoALSA: hda - Fix wrong SPDIF NID assignment for CA0110
Takashi Iwai [Thu, 21 Oct 2010 06:55:13 +0000 (08:55 +0200)]
ALSA: hda - Fix wrong SPDIF NID assignment for CA0110

commit 24b55c69b66eb2a122842820ec14ab215fc8572f upstream.

The dig_out_nid field must take a digital-converter widget, but the current
ca0110 parser passed the pin wrongly instead.

Reported-by: Wai Yew CHAY <wychay@ctl.creative.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoALSA: hda - Add workarounds for CT-IBG controllers
Takashi Iwai [Fri, 22 Oct 2010 15:15:47 +0000 (17:15 +0200)]
ALSA: hda - Add workarounds for CT-IBG controllers

commit 62b7e5e09bcb854ff05e6ee1aa161f8283dc36ee upstream.

Creative IBG controllers require the playback stream-tags to be started
from 1, instead of capture+1.  Otherwise the stream stalls.

Reported-by: Wai Yew CHAY <wychay@ctl.creative.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoALSA: hda - Disable sticky PCM stream assignment for AD codecs
Takashi Iwai [Mon, 25 Oct 2010 08:37:11 +0000 (10:37 +0200)]
ALSA: hda - Disable sticky PCM stream assignment for AD codecs

commit 0e7adbe263f89ea2ef15b5af5e80a812b2a85025 upstream.

The sticky PCM stream assignment introduced in 2.6.36 kernel seems
causing problems on AD codecs.  At some time later, the streaming no
longer works by unknown reason.  A simple workaround is to disable
sticky-assignment for these codecs.

Tested-by: Vasily Khoruzhick <anarsoul@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/radeon/kms: register an i2c adapter name for the dp aux bus
Alex Deucher [Wed, 17 Nov 2010 22:56:49 +0000 (17:56 -0500)]
drm/radeon/kms: register an i2c adapter name for the dp aux bus

commit a5193fe50e7f21c26d22c17c8196420fac1a3ca7 upstream.

This causes the connector to not be added since i2c init fails
for the adapter.  Fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=31688

Noticed by Ari Savolainen.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Cc: Ari Savolainen <ari.m.savolainen@gmail.com>
Cc: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoviafb: fix i2c_transfer error handling
Florian Tobias Schandinat [Fri, 17 Sep 2010 01:16:25 +0000 (01:16 +0000)]
viafb: fix i2c_transfer error handling

commit 85c5702ac046b14713f776d59768252d8ed8018f upstream.

i2c_transfer returns negative errno on error and number of messages
processed on success. Just returning this value would give a poor
interface as it is not obvious that you must compare with 2 after reading
1 or n bytes and with 1 after writing 1 byte to determine if it was
successful. To avoid this error prone interface convert the error code
of a successful read/write to zero and all other non-negative values to
an negative error code.
This fixes a regression introduced by
via: Rationalize vt1636 detection
which resulted in no longer detecting a VT1636 chip and therefore has
broken the output in configurations which contain this chip.

Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
Acked-by: Jonathan Corbet <corbet@lwn.net>
Cc: Joseph Chan <JosephChan@via.com.tw>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoi2c-pca-platform: Change device name of request_irq
Nobuhiro Iwamatsu [Sun, 24 Oct 2010 16:16:57 +0000 (18:16 +0200)]
i2c-pca-platform: Change device name of request_irq

commit 323584436db0cb05286425d4dfd9516fce88487f upstream.

i2c->adap.name shouldn't be used in request_irq.
Instead the driver name "i2c-pca-platform" should be used.

Signed-off-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com>
Acked-by: Wolfram Sang <w.sang@pengutronix.de>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoisdn/gigaset: bas_gigaset locking fix
Tilman Schmidt [Thu, 30 Sep 2010 13:34:30 +0000 (13:34 +0000)]
isdn/gigaset: bas_gigaset locking fix

commit b33ffa5cbf52ee751bb8068218ebb3c742c5a515 upstream.

Unlock cs->lock before calling error_hangup() which is marked
"cs->lock must not be held".

Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoisdn/gigaset: correct bas_gigaset rx buffer handling
Tilman Schmidt [Thu, 30 Sep 2010 13:34:51 +0000 (13:34 +0000)]
isdn/gigaset: correct bas_gigaset rx buffer handling

commit f3d531b99fb30945b4a64d6e2e86e1e62605aca5 upstream.

In transparent data reception, avoid a NULL pointer dereference
in case an skbuff cannot be allocated, remove an inappropriate
call to the HDLC flush routine, and correct the accounting of
received bytes for continued buffers.

Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoisdn/gigaset: fix bas_gigaset AT read error handling
Tilman Schmidt [Thu, 30 Sep 2010 13:34:40 +0000 (13:34 +0000)]
isdn/gigaset: fix bas_gigaset AT read error handling

commit c8701a08d6a4efeae45d84d0aa87172f23b14e3c upstream.

Rework the handling of USB errors in AT response reads
to fix a possible infinite retry loop and a memory leak,
and silence a few overly verbose kernel messages.

Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomac80211: don't sanitize invalid rates
Christian Lamparter [Sat, 16 Oct 2010 16:49:15 +0000 (18:49 +0200)]
mac80211: don't sanitize invalid rates

commit 5f4e6b2d3c74c1adda1cbfd9d9d30da22c7484fc upstream.

I found this bug while poking around with a pure-gn AP.

Commit:
cfg80211/mac80211: Use more generic bitrate mask for rate control

Added some sanity checks to ensure that each tx rate index
is included in the configured mask and it would change any
rate indexes if it wasn't.

But, the current implementation doesn't take into account
that the invalid rate index "-1" has a special meaning
(= no further attempts) and it should not be "changed".

Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomac80211: Fix ibss station got expired immediately
Rajkumar Manoharan [Sat, 23 Oct 2010 05:29:57 +0000 (10:59 +0530)]
mac80211: Fix ibss station got expired immediately

commit c8716d9dc13c7f6ee92f2bfc6cc3b723b417bff8 upstream.

Station addition in ieee80211_ibss_rx_queued_mgmt is not updating
sta->last_rx which is causing station expiry in ieee80211_ibss_work
path. So sta addition and deletion happens repeatedly.

Signed-off-by: Rajkumar Manoharan <rmanoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomac80211: reset probe send counter upon connection timer reset
Luis R. Rodriguez [Thu, 16 Sep 2010 19:12:30 +0000 (15:12 -0400)]
mac80211: reset probe send counter upon connection timer reset

commit 0c699c3a75d4e8d0d2c317f83048d8fd3ffe692a upstream.

Upon beacon loss we send probe requests after 30 seconds of idle
time and we wait for each probe response 1/2 second. We send a
total of 3 probe requests before giving up on the AP. In the case
that we reset the connection idle monitor we should reset the probe
requests count to 0. Right now this won't help in any way but
the next patch will.

This patch has fixes for stable kernel [2.6.35+].

Cc: Paul Stewart <pstew@google.com>
Cc: Amod Bodas <amod.bodas@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomac80211: clear txflags for ps-filtered frames
Christian Lamparter [Tue, 21 Sep 2010 19:36:18 +0000 (21:36 +0200)]
mac80211: clear txflags for ps-filtered frames

commit eb7d3066cf864342e8ae6a5c1126a1602c4d06c0 upstream.

This patch fixes stale mac80211_tx_control_flags for
filtered / retried frames.

Because ieee80211_handle_filtered_frame feeds skbs back
into the tx path, they have to be stripped of some tx
flags so they won't confuse the stack, driver or device.

Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomac80211: use correct station flags lock
Johannes Berg [Tue, 14 Sep 2010 20:06:53 +0000 (22:06 +0200)]
mac80211: use correct station flags lock

commit f5521b13880f4f4f612e1d20dd4f565122d16e04 upstream.

This code is modifying the station flags, and
as such should hold the flags lock so it can
do so atomically vs. other flags modifications
and readers. This issue was introduced when
this code was added in eccb8e8f, as it used
the wrong lock (thus not fixing the race that
was previously documented in a comment.)

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomac80211: disable beacon monitor while going offchannel
Luis R. Rodriguez [Thu, 16 Sep 2010 19:12:33 +0000 (15:12 -0400)]
mac80211: disable beacon monitor while going offchannel

commit 3bc3c0d748402e8c1f31b8569f5924d25d7b8e30 upstream.

The beacon monitor should be disabled when going off channel
to prevent spurious warnings and triggering connection
deterioration work such as sending probe requests. Re-enable
the beacon monitor once we come back to the home channel.

This patch has fixes for stable kernels [2.6.34+].

Cc: Paul Stewart <pstew@google.com>
Cc: Amod Bodas <amod.bodas@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomac80211: send last 3/5 probe requests as unicast
Luis R. Rodriguez [Thu, 16 Sep 2010 19:12:34 +0000 (15:12 -0400)]
mac80211: send last 3/5 probe requests as unicast

commit f01a067d9e4598c71e3c9ee3a84859d2e8af4f8e upstream.

Some buggy APs do not respond to unicast probe requests
or send unicast probe requests very delayed so in the
worst case we should try to send broadcast probe requests,
otherwise we can get disconnected from these APs.

Even if drivers do not have filters to disregard probe
responses from foreign APs mac80211 will only process
probe responses from our associated AP for re-arming
connection monitoring.

We need to do this since the beacon monitor does not
push back the connection monitor by design so even if we
are getting beacons from these type of APs our connection
monitor currently relies heavily on the way the probe
requests are received on the AP. An example of an AP
affected by this is the Nexus One, but this has also been
observed with random APs.

We can probably optimize this later by using null funcs
instead of probe requests.

For more details refer to:

http://code.google.com/p/chromium-os/issues/detail?id=5715

This patch has fixes for stable kernels [2.6.35+].

Cc: Paul Stewart <pstew@google.com>
Cc: Amod Bodas <amod.bodas@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomac80211: make the beacon monitor available externally
Luis R. Rodriguez [Thu, 16 Sep 2010 19:12:32 +0000 (15:12 -0400)]
mac80211: make the beacon monitor available externally

commit d3a910a8e4e846b9a767d35483f4dc7c6de7af82 upstream.

This will be used by other components next. The beacon
monitor was added as of 2.6.34 so these fixes are applicable
only to kernels >= 2.6.34.

Cc: Paul Stewart <pstew@google.com>
Cc: Amod Bodas <amod.bodas@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomac80211: add helper for reseting the connection monitor
Luis R. Rodriguez [Thu, 16 Sep 2010 19:12:29 +0000 (15:12 -0400)]
mac80211: add helper for reseting the connection monitor

commit be099e82e9cf6d5d65d044e9ef6fc8bee3c7a113 upstream.

This will be used in another place later. The connection
monitor was added as of 2.6.35 so these fixes will be
applicable to >= 2.6.35.

Cc: Paul Stewart <pstew@google.com>
Cc: Amod Bodas <amod.bodas@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomac80211: reset connection idle when going offchannel
Luis R. Rodriguez [Thu, 16 Sep 2010 19:12:31 +0000 (15:12 -0400)]
mac80211: reset connection idle when going offchannel

commit 4730d5977f3e12b828d354f7752cffd94bdf39e5 upstream.

When we go offchannel mac80211 currently leaves alive the
connection idle monitor. This should be instead postponed
until we come back to our home channel, otherwise by the
time we get back to the home channel we could be triggering
unecesary probe requests. For APs that do not respond to
unicast probe requests (Nexus One is a simple example) this
means we essentially get disconnected after the probes
fails.

This patch has stable fixes for kernels [2.6.35+]

Cc: Paul Stewart <pstew@google.com>
Cc: Amod Bodas <amod.bodas@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomac80211: Fix signal strength average initialization for CQM events
Jouni Malinen [Fri, 27 Aug 2010 19:21:13 +0000 (22:21 +0300)]
mac80211: Fix signal strength average initialization for CQM events

commit 3ba06c6fbd651ed3377e584026d1c112b492cc8b upstream.

The ave_beacon_signal value uses 1/16 dB unit and as such, must be
initialized with the signal level of the first Beacon frame multiplied
by 16. This fixes an issue where the initial CQM events are reported
incorrectly with a burst of events while the running average
approaches the correct value after the incorrect initialization. This
could cause user space -based roaming decision process to get quite
confused at the moment when we would like to go through authentication
and DHCP.

Signed-off-by: Jouni Malinen <j@w1.fi>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomac80211: fix offchannel assumption upon association
Luis R. Rodriguez [Sat, 25 Sep 2010 01:59:57 +0000 (21:59 -0400)]
mac80211: fix offchannel assumption upon association

commit 8d4780eb1ece4e8109b4f6b2e5e61f7fc593c3f4 upstream.

Association is dealt with as an atomic offchannel operation,
we do this because we don't know we are associated until we
get the associatin response from the AP. When we do get the
associatin response though we were never clearing the offchannel
state. This has a few implications, we told drivers we were
still offchannel, and the first configured TX power for the
channel does not take into account any power constraints.

For ath9k this meant ANI calibration would not start upon
association, and we'd have to wait until the first bgscan
to be triggered. There may be other issues this resolves
but I'm too lazy to comb the code to check.

Cc: Amod Bodas <amod.bodas@atheros.com>
Cc: Vasanth Thiagarajan <vasanth.thiagarajan@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomac80211: fix channel assumption for association done work
Luis R. Rodriguez [Fri, 1 Oct 2010 21:05:19 +0000 (17:05 -0400)]
mac80211: fix channel assumption for association done work

commit e7480bbb926c5816e4fbfca70748096bbe0e4978 upstream.

Be consistent and use the wk->chan instead of the
local->hw.conf.channel for the association done work.
This prevents any possible races against channel changes
while we run this work.

In the case that the race did happen we would be initializing
the bit rates for the new AP under the assumption of a wrong
channel and in the worst case, wrong band. This could lead
to trying to assuming we could use CCK frames on 5 GHz, for
example.

This patch has a fix for kernels >= v2.6.34

Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomac80211: fix possible null-pointer de-reference
Christian Lamparter [Fri, 8 Oct 2010 20:27:07 +0000 (22:27 +0200)]
mac80211: fix possible null-pointer de-reference

commit d12c74528e3065c90df70fbc06ec6ffd6e804738 upstream.

This patch not only fixes a null-pointer de-reference
that would be triggered by a PLINK_OPEN frame with mis-
matching/incompatible mesh configuration, but also
responds correctly to non-compatible PLINK_OPEN frames
by generating a PLINK_CLOSE with the right reason code.

The original bug was detected by smatch.
( http://repo.or.cz/w/smatch.git )

net/mac80211/mesh_plink.c +574 mesh_rx_plink_frame(168)
error: we previously assumed 'sta' could be null.

Reviewed-and-Tested-by: Steve deRosier <steve@cozybit.com>
Reviewed-and-Tested-by: Javier Cardona <javier@cozybit.com>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomac80211: minstrel_ht A-MPDU fix
Björn Smedman [Sun, 10 Oct 2010 20:14:25 +0000 (22:14 +0200)]
mac80211: minstrel_ht A-MPDU fix

commit 15d46f38df87f89242e470f5797120fa384c1fc3 upstream.

This patch fixes two problems with the minstrel_ht rate control
algorithms handling of A-MPDU frames:

1. The ampdu_len field of the tx status is not always initialized for
non-HT frames (and it would probably be unreasonable to require all
drivers to do so). This could cause rate control statistics to be
corrupted. We now trust the ampdu_len and ampdu_ack_len fields only when
the frame is marked with the IEEE80211_TX_STAT_AMPDU flag.

2. Successful transmission attempts where only recognized when the A-MPDU
subframe carrying the rate control status information was marked with the
IEEE80211_TX_STAT_ACK flag. If this information happed to be carried on a
frame that failed to be ACKed then the other subframes (which may have
succeeded) where not correctly registered. We now update rate control
statistics regardless of whether the subframe carrying the information was
ACKed or not.

Signed-off-by: Björn Smedman <bjorn.smedman@venatech.se>
Acked-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agocfg80211: fix regression on processing country IEs
Luis R. Rodriguez [Tue, 19 Oct 2010 00:44:51 +0000 (17:44 -0700)]
cfg80211: fix regression on processing country IEs

commit a171fba491f54216e356efa46096171a7ed01d10 upstream.

The patch 4f366c5:

wireless: only use alpha2 regulatory information from country IE

removed some complex intersection we were always doing between the AP's
country IE info and what we got from CRDA. When CRDA sent us back a
regulatory domain we would do some sanity checks on that regulatory
domain response we just got. Part of these sanity checks included
checking that we already had performed an intersection for the
request of NL80211_REGDOM_SET_BY_COUNTRY_IE type.

This mean that cfg80211 was only processing country IEs for cases
where we already had an intersection, but since we removed enforcing
this this is no longer required, we should just apply the country
IE country hint with the data received from CRDA.

This patch has fixes intended for kernels >= 2.6.36.

Reported-by: Easwar Krishnan <easwar.krishnan@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agocfg80211: fix locking
Johannes Berg [Thu, 30 Sep 2010 20:17:43 +0000 (22:17 +0200)]
cfg80211: fix locking

commit 2234362c427e2ef667595b9b81c0125003ac5607 upstream.

Add missing unlocking of the wiphy in set_channel,
and don't try to unlock a non-existing wiphy in
set_cqm.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agocfg80211: fix BSS double-unlinking
Johannes Berg [Wed, 6 Oct 2010 19:18:04 +0000 (21:18 +0200)]
cfg80211: fix BSS double-unlinking

commit 3207390a8b58bfc1335750f91cf6783c48ca19ca upstream.

When multiple interfaces are actively trying
to associate with the same BSS, they may both
find that the BSS isn't there and then try to
unlink it. This can cause errors since the
unlinking code can't currently deal with items
that have already been unlinked.

Normally this doesn't happen as most people
don't try to use multiple station interfaces
that associate at the same time too.

Fix this by using the list entry as a flag to
see if the item is still on a list.

Reported-by: Ben Greear <greearb@candelatech.com>
Tested-by: Hun-Kyi Wynn <hkwynn@candelatech.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k: lock reset and PCU start/stopping
Luis R. Rodriguez [Wed, 20 Oct 2010 23:07:06 +0000 (16:07 -0700)]
ath9k: lock reset and PCU start/stopping

commit 5e848f789d60000d39d9a5f26ab02dbdd963f6cd upstream.

Apart from locking the start and stop PCU we need
to ensure we also content starting and stopping the PCU
between hardware resets.

This is part of a series that will help resolve the bug:

https://bugzilla.kernel.org/show_bug.cgi?id=14624

For more details about this issue refer to:

http://marc.info/?l=linux-wireless&m=128629803703756&w=2

Cc: Ben Greear <greearb@candelatech.com>
Cc: Kyungwan Nam <kyungwan.nam@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k_htc: Update usb device ID list
Rajkumar Manoharan [Wed, 10 Nov 2010 12:21:24 +0000 (17:51 +0530)]
ath9k_htc: Update usb device ID list

commit 32b089558c54792028f14ae830ca7c0a8d9ac9a3 upstream.

Added new VID/PIDs into supported devices list

Signed-off-by: Rajkumar Manoharan <rmanoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k_htc: Add support for device ID 3346
Haitao Zhang [Sun, 7 Nov 2010 04:50:24 +0000 (12:50 +0800)]
ath9k_htc: Add support for device ID 3346

commit ac618d70aeb681df7b77c1107fdf26f3249f855f upstream.

This patch adds support for USB dongle with device ID 3346 from IMC Networks.

Signed-off-by: Haitao Zhang <minipanda@linuxrobot.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k_htc: Add new devices into AR7010
Rajkumar Manoharan [Wed, 10 Nov 2010 12:21:25 +0000 (17:51 +0530)]
ath9k_htc: Add new devices into AR7010

commit 7cbf2611dac8d5f76fe64795a9426b8c97e6c3f8 upstream.

Treat new PIDs (0xA704, 0x1200) as AR7010 devices.

Signed-off-by: Rajkumar Manoharan <rmanoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k_hw: Set proper eeprom offset for AR9287 HTC devices
Rajkumar Manoharan [Wed, 10 Nov 2010 12:21:26 +0000 (17:51 +0530)]
ath9k_hw: Set proper eeprom offset for AR9287 HTC devices

commit b5261cf4f3860bd772346a3e692683b6144dd44c upstream.

AR9287 based PCI & USB devices are differed in eeprom start offset.
So set proper the offset for HTC devices to read nvram correctly.

Signed-off-by: Rajkumar Manoharan <rmanoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k: add locking for starting the PCU on RX
Luis R. Rodriguez [Wed, 20 Oct 2010 23:07:04 +0000 (16:07 -0700)]
ath9k: add locking for starting the PCU on RX

commit 7583c550c3e635dcc61ab127c36ecefd59fb8dc8 upstream.

There was some locking for starting some parts of
RX but not for starting the PCU. Include this otherwise
we can content against stopping the PCU.

This can potentially lead to races against different
buffers on the PCU which can lead to to the DMA RX
engine writing to buffers which are already freed.

This is part of a series that will help resolve the bug:

https://bugzilla.kernel.org/show_bug.cgi?id=14624

For more details about this issue refer to:

http://marc.info/?l=linux-wireless&m=128629803703756&w=2

Cc: Ben Greear <greearb@candelatech.com>
Cc: Kyungwan Nam <kyungwan.nam@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
index e581b1f..b3c9baf 100644

13 years agoath9k_htc: Avoid setting QoS control for non-QoS frames
Rajkumar Manoharan [Thu, 18 Nov 2010 06:49:52 +0000 (12:19 +0530)]
ath9k_htc: Avoid setting QoS control for non-QoS frames

commit 3bf30b56c4f0a1c4fae34050b7db4527c92891e8 upstream.

Setting tid information in the TX header is required only for QoS
frames. Not handling this case causes severe data loss with some APs.

Signed-off-by: Rajkumar Manoharan <rmanoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k_hw: Fix AR9280 surprise removal during frequent idle on/off
Vasanthakumar Thiagarajan [Fri, 5 Nov 2010 00:41:25 +0000 (17:41 -0700)]
ath9k_hw: Fix AR9280 surprise removal during frequent idle on/off

commit f119da3015712dc32bdf1c311652479e02dcb49a upstream.

Bit 22 of AR_WA should be set to fix the situation where chip reset
is asynchronous to clock of analog shift registers, such that when
reset is released, it could mess up the values of analog shift registers
and cause some hw issue on AR9280.

This bit is write only, but the driver does a read-modify-write
on AR_WA without setting bit 22 in ar9002_hw_configpcipowersave()
during radio disable. This causes surprise removal of hw. It can
never recover from this state and the hw will become usable only
after a power on/off cycle, and sometimes only during a cold reboot.

This issue can be triggered by doing frequent roaming with the
simple/test-roam script available from the wifi-test project [1]
when roaming between APs quickly. When roaming there is a is a high
possibility that the device being put into idle (radio disable) state
by mac80211 during AUTH->ASSOC. A device hardware reset would fail
and the kernel would output:

[40251.363799] ath: AWAKE -> FULL-SLEEP
[40251.363815] ieee80211 phy17: device no longer idle - working
[40251.363817] ath: Marking phy17 as not-idle
[40251.363819] ath: FULL-SLEEP -> AWAKE
[40251.415978] pciehp 0000:00:1c.3:pcie04: Card not present on Slot(3)
[40251.419896] ath: ah->misc_mode 0x4
[40251.428138] pciehp 0000:00:1c.3:pcie04: Card present on Slot(3)
[40251.532247] ath: timeout (100000 us) on reg 0x9860: 0xffffffff & 0x00000001 != 0x00000000
[40251.532250] ath: Unable to reset channel (2462 MHz), reset status -5
[40251.532422] ath: Set channel: 5745 MHz
[40251.540639] ath: Failed to stop TX DMA in 100 msec after killing last frame
[40251.548826] ath: Failed to stop TX DMA in 100 msec after killing last frame
[40251.557023] ath: Failed to stop TX DMA in 100 msec after killing last frame
[40251.565211] ath: Failed to stop TX DMA in 100 msec after killing last frame
[40251.573415] ath: Failed to stop TX DMA in 100 msec after killing last frame
[40251.581603] ath: Failed to stop TX DMA in 100 msec after killing last frame
[40251.581606] ath: Failed to stop TX DMA. Resetting hardware!
[40251.592679] ath: DMA failed to stop in 10 ms AR_CR=0xffffffff AR_DIAG_SW=0xffffffff
[40251.703330] ath: timeout (100000 us) on reg 0x7000: 0xffffffff & 0x00000003 != 0x00000000
[40251.703333] ath: RTC stuck in MAC reset
[40251.703334] ath: Chip reset failed
[40251.703335] ath: Unable to reset hardware; reset status -22

This is currently only reproducible with some HB92 (Half Mini-PCIE)
cards but the fix applies to all AR9280 cards. This patch fixes this
issue by setting bit 22 during radio disable.

This patch has fixes for all kernels that has ath9k.

[1] http://wireless.kernel.org/en/developers/Testing/wifi-test

Cc: kyungwan.nam@atheros.com
Cc: amod.bodas@atheros.com
Cc: david.quan@atheros.com
Signed-off-by: Vasanthakumar Thiagarajan <vasanth@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k_hw: Fix memory leak on ath9k_hw_rf_alloc_ext_banks failure
Rajkumar Manoharan [Mon, 8 Nov 2010 15:10:53 +0000 (20:40 +0530)]
ath9k_hw: Fix memory leak on ath9k_hw_rf_alloc_ext_banks failure

commit 48a7c3df14d0cda850337a9b3f9e667a0b12a996 upstream.

The allocated externel radio banks have to be freed in
case of ath9k_hw_rf_alloc_ext_banks failure.

Signed-off-by: Rajkumar Manoharan <rmanoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k: fix enabling ANI / tx monitor after bg scan
Luis R. Rodriguez [Thu, 16 Sep 2010 19:12:28 +0000 (15:12 -0400)]
ath9k: fix enabling ANI / tx monitor after bg scan

commit 48a6a468198aadb54bc5d3fdd065364d43ff5197 upstream.

ath9k's entire logic with SC_OP_SCANNING is incorrect due to the
way mac80211 currently implements the scan complete callback and
we handle it in ath9k. This patch removes the flag completely in
preference for the SC_OP_OFFCHANNEL which is really what we wanted.

The scanning flag was used to ensure we reset ANI to the old values
when we go back to the home channel, but if we are offchannel we
use some defaults. The flag was also used to re-enable the TX monitor.

Without this patch we simply never re-enabled ANI and the TX monitor
after going offchannel. This means that after one background
scan we are prone to noise issues and if we had a TX hang we would
not recover. To get this to work properly we must enable ANI after
we have configured the beacon timers, otherwise hardware acts really
oddly.

This patch has stable fixes which apply down to [2.6.36+], there
*may* be a to fix this on older kernels but requires a bit of
work since this patch relies on the new mac80211 flag
IEEE80211_CONF_OFFCHANNEL which was introduced as of 2.6.36.

Cc: Paul Stewart <pstew@google.com>
Cc: Amod Bodas <amod.bodas@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k: add locking for stopping RX
Luis R. Rodriguez [Wed, 20 Oct 2010 23:07:03 +0000 (16:07 -0700)]
ath9k: add locking for stopping RX

commit 1e450285281bdf766272c181ecd43d4f2f0711ce upstream.

ath9k locks for starting RX but not for stopping RX. We could
potentially run into a situation where tried to stop RX
but immediately started RX. This allows for races on the
the RX engine deciding what buffer we last left off on
and could potentially cause ath9k to DMA into already
free'd memory or in the worst case at a later time to
already given memory to other drivers.

Fix this by locking stopping RX.

This is part of a series that will help resolve the bug:

https://bugzilla.kernel.org/show_bug.cgi?id=14624

For more details about this issue refer to:

http://marc.info/?l=linux-wireless&m=128629803703756&w=2

Cc: Ben Greear <greearb@candelatech.com>
Cc: Kyungwan Nam <kyungwan.nam@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k: fix tx aggregation flush on AR9003
Felix Fietkau [Wed, 27 Oct 2010 00:15:05 +0000 (02:15 +0200)]
ath9k: fix tx aggregation flush on AR9003

commit e609e2ea2cdb3448e7849703179cd792a28dcc55 upstream.

Completing aggregate frames can lead to new buffers being pushed into
the tid queues due to software retransmission.
When the tx queues are being drained, all pending aggregates must be
completed before the tid queues get drained, otherwise buffers might be
leaked.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k: rename rxflushlock to pcu_lock
Luis R. Rodriguez [Wed, 20 Oct 2010 23:07:05 +0000 (16:07 -0700)]
ath9k: rename rxflushlock to pcu_lock

commit b79b33c4baf2532aac2c0924dce5a738099b888c upstream.

The real way to lock RX is to contend on the PCU
and reset, this will be fixed in the next patch but for
now just do the renames so that the next patch which changes
the locking order is crystal clear.

This is part of a series that will help resolve the bug:

https://bugzilla.kernel.org/show_bug.cgi?id=14624

For more details about this issue refer to:

http://marc.info/?l=linux-wireless&m=128629803703756&w=2

Cc: Ben Greear <greearb@candelatech.com>
Cc: Kyungwan Nam <kyungwan.nam@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k: Fix incorrect access of rate flags in RC
Mohammed Shafi Shajakhan [Thu, 28 Oct 2010 14:21:47 +0000 (19:51 +0530)]
ath9k: Fix incorrect access of rate flags in RC

commit 4fc4fbd1d9a05fa4f348b499aca3a6f8d3c9bbe6 upstream.

The index variable to access the rate flags should be obtained from the
inner loop counter which corresponds to the rate table structure.This
fixes the invalid rate selection i.e when the supported basic rate is
invalid on a particular band and also the following warning message.
Thanks to Raj for finding this out.

Call Trace:

 [<ffffffff8104ee4a>] warn_slowpath_common+0x7a/0xb0

 [<ffffffff8104ee95>] warn_slowpath_null+0x15/0x20

 [<ffffffffa0583c45>] ath_get_rate+0x595/0x5b0 [ath9k]

 [<ffffffff811a0636>] ? cpumask_next_and+0x36/0x50

 [<ffffffffa0405186>] rate_control_get_rate+0x86/0x160 [mac80211]

 [<ffffffffa040dfac>] invoke_tx_handlers+0x81c/0x12d0 [mac80211]

 [<ffffffffa040eae9>] ieee80211_tx+0x89/0x2b0 [mac80211]

 [<ffffffff812891bc>] ? pskb_expand_head+0x1cc/0x1f0

 [<ffffffffa040edc5>] ieee80211_xmit+0xb5/0x1c0 [mac80211]

 [<ffffffffa041026f>] ieee80211_tx_skb+0x4f/0x60 [mac80211]

 [<ffffffffa03fe016>] ieee80211_send_nullfunc+0x46/0x60 [mac80211]

 [<ffffffffa03f91d7>] ieee80211_offchannel_stop_station+0x107/0x150
[mac80211]

 [<ffffffff812891bc>] ? pskb_expand_head+0x1cc/0x1f0

 [<ffffffffa040edc5>] ieee80211_xmit+0xb5/0x1c0 [mac80211]

 [<ffffffffa041026f>] ieee80211_tx_skb+0x4f/0x60 [mac80211]

 [<ffffffffa03fe016>] ieee80211_send_nullfunc+0x46/0x60 [mac80211]

 [<ffffffffa03f91d7>] ieee80211_offchannel_stop_station+0x107/0x150
[mac80211]

 [<ffffffffa03f8896>] ieee80211_scan_work+0x146/0x600 [mac80211]

 [<ffffffff8133a375>] ? schedule+0x2f5/0x8e0

 [<ffffffffa03f8750>] ? ieee80211_scan_work+0x0/0x600 [mac80211]

 [<ffffffff81064fcf>] process_one_work+0x10f/0x380

 [<ffffffff81066bc2>] worker_thread+0x162/0x340

 [<ffffffff81066a60>] ? worker_thread+0x0/0x340

Signed-off-by: Mohammed Shafi Shajakhan <mshajakhan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k_htc: Set proper firmware offset for Netgear WNDA3200
Rajkumar Manoharan [Wed, 27 Oct 2010 06:32:54 +0000 (12:02 +0530)]
ath9k_htc: Set proper firmware offset for Netgear WNDA3200

commit d654567dec75782d6fd9add4b7b9c50e0926d369 upstream.

Netgear WNDA3200 device uses ar7010 firmware but it is failed to set
correct firmware offset on firmware download which causes device initialization
failure.

Signed-off-by: Rajkumar Manoharan <rmanoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k_hw: Fix TX carrier leakage for IEEE compliance on AR9003 2.2
Luis R. Rodriguez [Tue, 19 Oct 2010 05:47:54 +0000 (22:47 -0700)]
ath9k_hw: Fix TX carrier leakage for IEEE compliance on AR9003 2.2

commit 0dfa6dbb7372e581d3beb38b11772152114796b8 upstream.

This updates the initvals for the AR9003 2.2 chipsets. The initvals
are the initial register values we use for our registers upon hardware
reset. This synchs up the initvals to match what our latest recommendation
from our systems engineering team.

The description of changes in this update:

        Improves ability to support very strong Rx conditions.
        Enhances DFS support for AP-mode.
        Improves performance of Tx carrier leak calibration.
        Adds support for Japan channel 14 Tx filtering requirements.
        Improves Tx power accuracy.

Impact:

        Update required to address degraded throughput at very short range.
        Update required for AP-mode DFS certification.
        Update required to comply to IEEE Tx carrier leak specification.
        May not meet expected +/- 2 dB Tx power accuracy without update.

The most important fix here would be the TX carrier leakage required
to comply with IEEE 802.11 specifications. The group of changes have
been tested all together in one release.

References:

Osprey 2.2 header file ver #33

Checksums:

$ ./initvals -f ar9003-2p2
0x000000004a488fc7        ar9300_2p2_radio_postamble
0x0000000046cb1300        ar9300Modes_lowest_ob_db_tx_gain_table_2p2
0x00000000e912711f        ar9300Modes_fast_clock_2p2
0x0000000037ac0ee8        ar9300_2p2_radio_core
0x00000000047a7700        ar9300Common_rx_gain_table_merlin_2p2
0x0000000003f783bb        ar9300_2p2_mac_postamble
0x00000000301fc841        ar9300_2p2_soc_postamble
0x000000005ec8075f        ar9200_merlin_2p2_radio_core
0x0000000083372ffa        ar9300_2p2_baseband_postamble
0x00000000c4f59974        ar9300_2p2_baseband_core
0x00000000e20d2e72        ar9300Modes_high_power_tx_gain_table_2p2
0x000000007fd55c70        ar9300Modes_high_ob_db_tx_gain_table_2p2
0x0000000029495000        ar9300Common_rx_gain_table_2p2
0x0000000042cb1300        ar9300Modes_low_ob_db_tx_gain_table_2p2
0x00000000c4739cd6        ar9300_2p2_mac_core
0x000000003521a300        ar9300Common_wo_xlna_rx_gain_table_2p2
0x00000000a15ccf1b        ar9300_2p2_soc_preamble
0x0000000029734396        ar9300PciePhy_pll_on_clkreq_disable_L1_2p2
0x000000002d834396        ar9300PciePhy_clkreq_enable_L1_2p2
0x0000000029834396        ar9300PciePhy_clkreq_disable_L1_2p2

$ ./initvals -f ar9003-2p2 | sha1sum
0ceddb5cf66737610fb51f04cf3e9ff71870c7b4  -

Cc: Yixiang Li <yixiang.li@atheros.com>
Cc: Don Breslin <don.breslin@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k_hw: Fix divide by zero cases in paprd.
Senthil Balasubramanian [Tue, 19 Oct 2010 14:31:41 +0000 (20:01 +0530)]
ath9k_hw: Fix divide by zero cases in paprd.

commit 2d3fca180710c6832de22c44155ce6a3a4953c6b upstream.

We are not handling all divide by zero cases in paprd.
Add additional checks for divide by zero cases in papard.

This patch has fixes intended for kernel 2.6.36.

Signed-off-by: Senthil Balasubramanian <senthilkumar@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k: resume aggregation immediately after a hardware reset
Felix Fietkau [Sat, 23 Oct 2010 15:45:38 +0000 (17:45 +0200)]
ath9k: resume aggregation immediately after a hardware reset

commit fac6b6a065da42f826088c58bddad82e1b1ccb40 upstream.

Since aggregation is usually triggered by tx completion, a hardware
reset (because of beacon stuck, tx hang or baseband hang) can
significantly delay the transmission of the next AMPDU (until the next
tx completion event).
Fix this by rescheduling aggregation after such a reset.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k: fix spurious MIC failure reports
Felix Fietkau [Sat, 28 Aug 2010 16:21:21 +0000 (18:21 +0200)]
ath9k: fix spurious MIC failure reports

commit 56363ddeeed3afc5277ca227209773bc1042cc7b upstream.

According to the hardware documentation, the MIC failure bit is only
valid if the frame was decrypted using a valid TKIP key and is not a
fragment.
In some setups I've seen hardware-reported MIC failures on an AP that
was configured for CCMP only, so it's clear that additional checks are
necessary.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k: fix regression on beacon loss after bgscan
Luis R. Rodriguez [Thu, 16 Sep 2010 19:12:27 +0000 (15:12 -0400)]
ath9k: fix regression on beacon loss after bgscan

commit 52b8ac92496e03d6b5619204d7f3bae6ce6eae45 upstream.

When we return to the home channel we were never reseting our beacon
timers, this was casued by the fact that the scanning flag was still
on even after we returned to our home channel. There are also other
reasons why we would get a reset and if we are not off channel
we always need to resynch our beacon timers, because a reset will
clear them.

This bug is a regression introduced on 2.6.36. The order of the
changes are as follows:

5ee08656 - Sat Jul 31 - ath9k: prevent calibration during off-channel activity
a0daa0e7 - Tue Jul 27 - Revert "mac80211: fix sw scan bracketing"
543708be - Fri Jun 18 - mac80211: fix sw scan bracketing

mcgrof@tux ~/linux-2.6-allstable (git::master)$ git describe \
        --contains 5ee0865615f65f84e6ee9174771a6716c29e08e1
v2.6.36-rc1~43^2~34^2~22

mcgrof@tux ~/linux-2.6-allstable (git::master)$ git describe \
        --contains a0daa0e7592ada797d6835f11529097aabc27ad2
v2.6.36-rc1~571^2~64^2~13

mcgrof@tux ~/linux-2.6-allstable (git::master)$ git describe \
        --contains 543708be320d7df692d24b349ca01a947b340764
v2.6.36-rc1~571^2~107^2~187

So 5ee08656 would have worked if a0daa0e7 was not committed but
it was so this means 5ee08656 was broken since it assumed that
when we were in the channel change routine the scan flag would
be lifted. As it turns out the scan flag will be set when we
are already on the home channel.

For more details refer to:

http://code.google.com/p/chromium-os/issues/detail?id=5715

These issues will need to be considered for our solution on
reshifting the scan complete callback location on mac80211 on
current development kernel work.

This patch has stable fixes which apply down to [2.6.36+]

Cc: Paul Stewart <pstew@google.com>
Cc: Amod Bodas <amod.bodas@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k: fix regression which disabled ps on ath9k
Luis R. Rodriguez [Thu, 16 Sep 2010 19:12:36 +0000 (15:12 -0400)]
ath9k: fix regression which disabled ps on ath9k

commit 008443def34db1dcc8016763587a288254ea5735 upstream.

The patch titled "ath9k: Add new file init.c" shuffled some code
around but in dong so for some reason also removed the revision
check for disablign power save. Add this revision check again
so we can get power save re-enabled again by default on cards
newer than AR5416 and AR5418.

$ git describe --contains 556242049cc3992d0ee625e9f15c4b00ea4baac8
v2.6.34-rc1~233^2~49^2~343

This patch has fixes for stable kernels [2.6.34+].

Cc: Paul Stewart <pstew@google.com>
Cc: Amod Bodas <amod.bodas@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k_hw: handle rx key miss
Felix Fietkau [Tue, 14 Sep 2010 16:38:26 +0000 (18:38 +0200)]
ath9k_hw: handle rx key miss

commit 3ae74c33c4f799f6bf6d67240a94a0814a8f1944 upstream.

If AR_KeyMiss is set in the rx descriptor and AR_RxFrameOK is unset,
the hardware could not locate a valid key during a decryption attempt.

In this case, the frame must not be reported as decrypted, otherwise
mac80211 sees only random garbage.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k: fix regression which prevents chip sleep after CAB data
Senthil Balasubramanian [Thu, 16 Sep 2010 19:12:35 +0000 (15:12 -0400)]
ath9k: fix regression which prevents chip sleep after CAB data

commit 3fac6dfdcd2b893c22b20a03dd1bf1af8b627c4b upstream.

The patch:

commit 293dc5dfdbcc16cde06e40a688394cc8ab083e48
Author: Gabor Juhos <juhosg@openwrt.org>
Date:   Fri Jun 19 12:17:48 2009 +0200

    ath9k: remove ath_rx_ps_back_to_sleep helper

    This helper only clears the SC_OP_WAIT_FOR_{BEACON,CAB} flags.
    Remove it and clear these flags directly in the approptiate
    places instead.

    Changes-licensed-under: ISC
Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
introduced a regression which forgot to lift the beacon flag
after we received all broadcast and multicast data. This meant
we never went to sleep consuming about ~650mW on idle. This pretty
much broke power save completely.

This patch has fixes for stable kernels [2.6.32+].

Cc: Paul Stewart <pstew@google.com>
Cc: Sameer Nanda <snanda@google.com>
Cc: Gabor Juhos <juhosg@openwrt.org>
Cc: Amod Bodas <amod.bodas@atheros.com>
Signed-off-by: Senthil Balasubramanian <senthilkumar@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k: fix an aggregation start related race condition
Felix Fietkau [Mon, 20 Sep 2010 17:35:28 +0000 (19:35 +0200)]
ath9k: fix an aggregation start related race condition

commit 231c3a1f0630c07a584905507a1cb7b705a56ab7 upstream.

A new aggregation session start can be issued by mac80211, even when the
cleanup of the previous session has not completed yet. Since the data structure
for the session is not recreated, this could corrupt the block ack window
and lock up the aggregation session. Fix this by delaying the new session
until the old one has been cleaned up.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k: fix power save race conditions
Luis R. Rodriguez [Thu, 16 Sep 2010 19:12:26 +0000 (15:12 -0400)]
ath9k: fix power save race conditions

commit 8ab2cd09fecc8819bbaee2d0fd8f3a092d866ce3 upstream.

ath9k has a race on putting the chip into network sleep and
having registers read from hardware. The race occurs because
although ath9k_ps_restore() locks its own callers it makes use
of some variables which get altered in the driver at different
code paths. The variables are the ps_enabled and ps_flags.

This is easily reprodicible in large network environments when
roaming with the wpa_supplicant simple bgscan. You'd get some
0xdeadbeef read out on certain registers such as:

ath: timeout (100000 us) on reg 0x806c: 0xdeadbeef & 0x01f00000 != 0x00000000
ath: RX failed to go idle in 10 ms RXSM=0xdeadbeef

ath: timeout (100000 us) on reg 0x7000: 0xdeadbeef & 0x00000003 != 0x00000000
ath: Chip reset failed

The fix is to protect the ath9k_config(hw, IEEE80211_CONF_CHANGE_PS)
calls with a spin_lock_irqsave() which will disable contendors for
these variables from interrupt context, timers, re-entry from mac80211
on the same callback, and most importantly from ath9k_ps_restore()
which is the only call which will put the device into network sleep.

There are quite a few threads and bug reports on these a few of them are:

https://bugs.launchpad.net/ubuntu/karmic/+source/linux/+bug/407040
http://code.google.com/p/chromium-os/issues/detail?id=5709
http://code.google.com/p/chromium-os/issues/detail?id=5943

Stable fixes apply to [2.6.32+]

Cc: Paul Stewart <pstew@google.com>
Cc: Amod Bodas <amod.bodas@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k: clean up / fix aggregation session flush
Felix Fietkau [Mon, 20 Sep 2010 11:45:38 +0000 (13:45 +0200)]
ath9k: clean up / fix aggregation session flush

commit 90fa539ca3f07323da5a90f5c8f4e5cd952875e7 upstream.

The tid aggregation cleanup is a bit fragile, as it discards failed
subframes in some places, and retransmits them in others. This could
block the cleanup of an existing aggregation session, if a retransmission
for a tid is issued, yet the tid is never scheduled again because of
the cleanup state.

Fix this by getting rid of as many subframes as possible, as early
as possible, and immediately transmitting pending subframes as regular
HT frames instead of waiting for the cleanup to complete.

Drop all pending subframes while keeping track of the Block ACK window
during aggregate tx completion to prevent sending out stale subframes,
which could confuse the receiver side.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k: Fix tx struck state with paprd
Vasanthakumar Thiagarajan [Tue, 21 Sep 2010 05:54:46 +0000 (22:54 -0700)]
ath9k: Fix tx struck state with paprd

commit 9094537c3a9ef9e127e844254a74186735c9a90b upstream.

Paprd needs to be done only on active chains(not for all the chains
that hw can support). The paprd training frames which are sent
for inactive chains would be hanging on the hw queue without
getting transmitted and would make the connection so unstable.
This issue happens only with the hw which supports paprd cal(ar9003).

Signed-off-by: Vasanthakumar Thiagarajan <vasanth@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k: A-MPDU rate control info fix
Björn Smedman [Sun, 10 Oct 2010 20:44:39 +0000 (22:44 +0200)]
ath9k: A-MPDU rate control info fix

commit ebd022873aa61937603d2c4dfea19ce63ea1a3c8 upstream.

This patch fixes the following problems with the rate control feedback
generated by ath9k for A-MPDU frames:

1. Rate control feedback is carried on the first frame of an aggregate
that is either ACKed, or has execeeded the software retry count and is
considered failed. However, ath9k would incorrectly assume the aggregate
had the length 1 if one of these conditions did not apply to the first
frame of the aggregate, but instead a later frame. This fix therefor
copies the bf_nframes field of the buffer in the same manner as the rates
field of the tx status.

2. Sometimes the ampdu_len and ampdu_ack_len fields of the tx status was
left uninitialized eventhough the IEEE80211_TX_STAT_AMPDU flag was set.
This is now avoid by setting flag and fields in the same place.

3. Even if a frame has been selected for aggregation by mac80211 and
marked with the IEEE80211_TX_CTL_AMPDU flag it can sometimes happen that
ath9k transmits the frame without aggregation. In these cases the
ampdu_ack_len field could be incorrectly computed because the nbad
parameter to ath_tx_rc_status was incorrect.

Signed-off-by: Björn Smedman <bjorn.smedman@venatech.se>
Acked-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k: fix channel flag / regd issues with multiple cards
Felix Fietkau [Thu, 30 Sep 2010 23:06:53 +0000 (01:06 +0200)]
ath9k: fix channel flag / regd issues with multiple cards

commit f209f5298217cf54cd5a9163e18b08d093faf8d9 upstream.

Since the regulatory code touches the channel array, it needs to be
copied for each device instance. That way the original channel array
can also be made const.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k: built-in rate control A-MPDU fix
Björn Smedman [Sun, 10 Oct 2010 20:51:54 +0000 (22:51 +0200)]
ath9k: built-in rate control A-MPDU fix

commit a8909cfb1832ac623142898df2a9374722cfe68f upstream.

This patch attempts to ensure that ath9k's built-in rate control algorithm
does not rely on the value of the ampdu_len and ampdu_ack_len tx status
fields unless the IEEE80211_TX_STAT_AMPDU flag is set.

This patch has not been tested.

Signed-off-by: Björn Smedman <bjorn.smedman@venatech.se>
Acked-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/radeon/kms: fix 2D tile height alignment in the r600 CS checker
Alex Deucher [Tue, 19 Oct 2010 03:45:39 +0000 (23:45 -0400)]
drm/radeon/kms: fix 2D tile height alignment in the r600 CS checker

commit 354da653233898ed1e51f20cebac9705456bf9b1 upstream.

macro tile heights are aligned to num channels, not num banks.

Noticed by Dave Airlie.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agor6040: Fix multicast filter some more
Ben Hutchings [Thu, 14 Oct 2010 17:41:53 +0000 (17:41 +0000)]
r6040: Fix multicast filter some more

commit e2269308359d5863b6aa1fcb95a425a2ab255f1f upstream.

This code has been broken forever, but in several different and
creative ways.

So far as I can work out, the R6040 MAC filter has 4 exact-match
entries, the first of which the driver uses for its assigned unicast
address, plus a 64-entry hash-based filter for multicast addresses
(maybe unicast as well?).

The original version of this code would write the first 4 multicast
addresses as exact-match entries from offset 1 (bug #1: there is no
entry 4 so this could write to some PHY registers).  It would fill the
remainder of the exact-match entries with the broadcast address (bug #2:
this would overwrite the last used entry).  If more than 4 multicast
addresses were configured, it would set up the hash table, write some
random crap to the MAC control register (bug #3) and finally walk off
the end of the list when filling the exact-match entries (bug #4).

All of this seems to be pointless, since it sets the promiscuous bit
when the interface is made promiscuous or if >4 multicast addresses
are enabled, and never clears it (bug #5, masking bug #2).

The recent(ish) changes to the multicast list fixed bug #4, but
completely removed the limit on iteration over the exact-match entries
(bug #6).

Bug #4 was reported as
<https://bugzilla.kernel.org/show_bug.cgi?id=15355> and more recently
as <http://bugs.debian.org/600155>.  Florian Fainelli attempted to fix
these in commit 3bcf8229a8c49769e48d3e0bd1e20d8e003f8106, but that
actually dealt with bugs #1-3, bug #4 having been fixed in mainline at
that point.

That commit fixes the most important current bug #6.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoirda: Fix heap memory corruption in iriap.c
Samuel Ortiz [Tue, 5 Oct 2010 23:03:12 +0000 (01:03 +0200)]
irda: Fix heap memory corruption in iriap.c

commit 37f9fc452d138dfc4da2ee1ce5ae85094efc3606 upstream.

While parsing the GetValuebyClass command frame, we could potentially write
passed the skb->data pointer.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoirda: Fix parameter extraction stack overflow
Samuel Ortiz [Sun, 10 Oct 2010 23:17:56 +0000 (01:17 +0200)]
irda: Fix parameter extraction stack overflow

commit efc463eb508798da4243625b08c7396462cabf9f upstream.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agojme: Fix PHY power-off error
Guo-Fu Tseng [Mon, 18 Oct 2010 14:10:40 +0000 (14:10 +0000)]
jme: Fix PHY power-off error

commit c8a8684d5cfb0f110a962c93586630c0bf91ebc1 upstream.

Adding phy_on in opposition to phy_off.

Signed-off-by: Guo-Fu Tseng <cooldavid@cooldavid.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/radeon/kms: don't disable shared encoders on pre-DCE3 display blocks
Alex Deucher [Tue, 2 Nov 2010 05:26:48 +0000 (05:26 +0000)]
drm/radeon/kms: don't disable shared encoders on pre-DCE3 display blocks

commit a0ae5864d42b41c411368bd689462bf063c029c8 upstream.

The A/B links aren't independantly useable on these blocks so when
we disable the encoders, make sure to only disable the encoder when
there is no connector using it.

Should fix:
https://bugs.freedesktop.org/show_bug.cgi?id=18564

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoblock: check for proper length of iov entries in blk_rq_map_user_iov()
Jens Axboe [Fri, 29 Oct 2010 14:10:18 +0000 (08:10 -0600)]
block: check for proper length of iov entries in blk_rq_map_user_iov()

commit 9284bcf4e335e5f18a8bc7b26461c33ab60d0689 upstream.

Ensure that we pass down properly validated iov segments before
calling into the mapping or copy functions.

Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoblock: take care not to overflow when calculating total iov length
Jens Axboe [Fri, 29 Oct 2010 17:31:42 +0000 (11:31 -0600)]
block: take care not to overflow when calculating total iov length

commit 9f864c80913467312c7b8690e41fb5ebd1b50e92 upstream.

Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoblock: limit vec count in bio_kmalloc() and bio_alloc_map_data()
Jens Axboe [Fri, 29 Oct 2010 17:46:56 +0000 (11:46 -0600)]
block: limit vec count in bio_kmalloc() and bio_alloc_map_data()

commit f3f63c1c28bc861a931fac283b5bc3585efb8967 upstream.

Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoblock: Fix race during disk initialization
Jan Kara [Thu, 16 Sep 2010 18:36:36 +0000 (20:36 +0200)]
block: Fix race during disk initialization

commit 01ea50638bc04ca5259f5711fcdedefcdde1cf43 upstream.

When a new disk is being discovered, add_disk() first ties the bdev to gendisk
(via register_disk()->blkdev_get()) and only after that calls
bdi_register_bdev(). Because register_disk() also creates disk's kobject, it
can happen that userspace manages to open and modify the device's data (or
inode) before its BDI is properly initialized leading to a warning in
__mark_inode_dirty().

Fix the problem by registering BDI early enough.

This patch addresses https://bugzilla.kernel.org/show_bug.cgi?id=16312

Reported-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoblock: Ensure physical block size is unsigned int
Martin K. Petersen [Wed, 13 Oct 2010 19:18:03 +0000 (21:18 +0200)]
block: Ensure physical block size is unsigned int

commit 892b6f90db81cccb723d5d92f4fddc2d68b206e1 upstream.

Physical block size was declared unsigned int to accomodate the maximum
size reported by READ CAPACITY(16).  Make sure we use the right type in
the related functions.

Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Acked-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoLinux 2.6.36.1 v2.6.36.1
Greg Kroah-Hartman [Mon, 22 Nov 2010 19:03:49 +0000 (11:03 -0800)]
Linux 2.6.36.1

13 years agosgi-xp: incoming XPC channel messages can come in after the channel's partition struc...
Robin Holt [Tue, 26 Oct 2010 21:21:15 +0000 (14:21 -0700)]
sgi-xp: incoming XPC channel messages can come in after the channel's partition structures have been torn down

commit 09358972bff5ce99de496bbba97c85d417b3c054 upstream.

Under some workloads, some channel messages have been observed being
delayed on the sending side past the point where the receiving side has
been able to tear down its partition structures.

This condition is already detected in xpc_handle_activate_IRQ_uv(), but
that information is not given to xpc_handle_activate_mq_msg_uv().  As a
result, xpc_handle_activate_mq_msg_uv() assumes the structures still exist
and references them, causing a NULL-pointer deref.

Signed-off-by: Robin Holt <holt@sgi.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoARM: cns3xxx: Fixup the missing second parameter to addruart macro to allow them...
Mac Lin [Sun, 14 Nov 2010 22:17:23 +0000 (22:17 +0000)]
ARM: cns3xxx: Fixup the missing second parameter to addruart macro to allow them to build.

It can't be merged into Linus' tree because this file has already been
changed in incompatible ways.

Fixup the missing second parameter to addruart macro to allow them to build,
according to to commit 0e17226f7cd289504724466f4298abc9bdfca3fe.

Enabling DEBUG in head.S would cause:
rch/arm/boot/compressed/head.S: Assembler messages:
arch/arm/boot/compressed/head.S:1037: Error: too many positional arguments
arch/arm/boot/compressed/head.S:1055: Error: too many positional arguments

Signed-off-by: Mac Lin <mkl0301@gmail.com>
Acked-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agokgdb,arm: fix register dump
Rabin Vincent [Tue, 26 Oct 2010 17:49:00 +0000 (12:49 -0500)]
kgdb,arm: fix register dump

commit 834b2964b7ab047610da038e42d61dc8dac6339a upstream.

DBG_MAX_REG_NUM incorrectly had the number of indices in the GDB regs
array rather than the number of registers, leading to an oops when the
"rd" command is used in KDB.

Signed-off-by: Rabin Vincent <rabin@rab.in>
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agosecmark: do not return early if there was no error
Eric Paris [Tue, 12 Oct 2010 15:40:08 +0000 (11:40 -0400)]
secmark: do not return early if there was no error

commit 15714f7b58011cf3948cab2988abea560240c74f upstream.

Commit 4a5a5c73 attempted to pass decent error messages back to userspace for
netfilter errors.  In xt_SECMARK.c however the patch screwed up and returned
on 0 (aka no error) early and didn't finish setting up secmark.  This results
in a kernel BUG if you use SECMARK.

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoFixed Regression in NFS Direct I/O path
Steve Dickson [Thu, 28 Oct 2010 12:17:54 +0000 (08:17 -0400)]
Fixed Regression in NFS Direct I/O path

commit 568a810d7edd58bd505222dd1c7e48895532290b upstream.

A typo, introduced by commit f11ac8db, in the nfs_direct_write()
routine causes writes with O_DIRECT set to fail with a ENOMEM error.

Found-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve Dickson <steved@redhat.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoFix regressions in scsi_internal_device_block
Mike Christie [Wed, 6 Oct 2010 08:10:59 +0000 (03:10 -0500)]
Fix regressions in scsi_internal_device_block

commit 986fe6c7f50974e871b8ab5a800f5310ea25b361 upstream.

Deleting a SCSI device on a blocked fc_remote_port (before
fast_io_fail_tmo fires) results in a hanging thread:

  STACK:
  0 schedule+1108 [0x5cac48]
  1 schedule_timeout+528 [0x5cb7fc]
  2 wait_for_common+266 [0x5ca6be]
  3 blk_execute_rq+160 [0x354054]
  4 scsi_execute+324 [0x3b7ef4]
  5 scsi_execute_req+162 [0x3b80ca]
  6 sd_sync_cache+138 [0x3cf662]
  7 sd_shutdown+138 [0x3cf91a]
  8 sd_remove+112 [0x3cfe4c]
  9 __device_release_driver+124 [0x3a08b8]
10 device_release_driver+60 [0x3a0a5c]
11 bus_remove_device+266 [0x39fa76]
12 device_del+340 [0x39d818]
13 __scsi_remove_device+204 [0x3bcc48]
14 scsi_remove_device+66 [0x3bcc8e]
15 sysfs_schedule_callback_work+50 [0x260d66]
16 worker_thread+622 [0x162326]
17 kthread+160 [0x1680b0]
18 kernel_thread_starter+6 [0x10aaea]

During the delete, the SCSI device is in moved to SDEV_CANCEL.  When
the FC transport class later calls scsi_target_unblock, this has no
effect, since scsi_internal_device_unblock ignores SCSI devics in this
state.

It looks like all these are regressions caused by:
5c10e63c943b4c67561ddc6bf61e01d4141f881f
[SCSI] limit state transitions in scsi_internal_device_unblock

Fix by rejecting offline and cancel in the state transition.

Signed-off-by: Christof Schmitt <christof.schmitt@de.ibm.com>
[jejb: Original patch by Christof Schmitt, modified by Mike Christie]
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoFix race when removing SCSI devices
Christof Schmitt [Wed, 6 Oct 2010 11:19:44 +0000 (13:19 +0200)]
Fix race when removing SCSI devices

commit 546ae796bfac6399e30da4b5af2cf7a6d0f8a4ec upstream.

Removing SCSI devices through
echo 1 > /sys/bus/scsi/devices/ ... /delete

while the FC transport class removes the SCSI target can lead to an
oops:

Unable to handle kernel pointer dereference at virtual kernel address 00000000b6815000
Oops: 0011 [#1] PREEMPT SMP DEBUG_PAGEALLOC
Modules linked in: sunrpc qeth_l3 binfmt_misc dm_multipath scsi_dh dm_mod ipv6 qeth ccwgroup [last unloaded: scsi_wait_scan]
CPU: 1 Not tainted 2.6.35.5-45.x.20100924-s390xdefault #1
Process fc_wq_0 (pid: 861, task: 00000000b7331240, ksp: 00000000b735bac0)
Krnl PSW : 0704200180000000 00000000003ff6e4 (__scsi_remove_device+0x24/0xd0)
           R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:0 CC:2 PM:0 EA:3
Krnl GPRS: 0000000000000001 0000000000000000 00000000b6815000 00000000bc24a8c0
           00000000003ff7c8 000000000056dbb8 0000000000000002 0000000000835d80
           ffffffff00000000 0000000000001000 00000000b6815000 00000000bc24a7f0
           00000000b68151a0 00000000b6815000 00000000b735bc20 00000000b735bbf8
Krnl Code: 00000000003ff6d6a7840001            brc 8,3ff6d8
           00000000003ff6daa7fbffd8            aghi %r15,-40
           00000000003ff6dee3e0f0980024        stg %r14,152(%r15)
          >00000000003ff6e4e31021200004        lg %r1,288(%r2)
           00000000003ff6eaa71f0000            cghi    %r1,0
           00000000003ff6eea7a40011            brc 10,3ff710
           00000000003ff6f2a7390003            lghi    %r3,3
           00000000003ff6f6c0e5ffffc8b1        brasl %r14,3f8858
Call Trace:
([<0000000000001000>] 0x1000)
 [<00000000003ff7d2>] scsi_remove_device+0x42/0x54
 [<00000000003ff8ba>] __scsi_remove_target+0xca/0xfc
 [<00000000003ff99a>] __remove_child+0x3a/0x48
 [<00000000003e3246>] device_for_each_child+0x72/0xbc
 [<00000000003ff93a>] scsi_remove_target+0x4e/0x74
 [<0000000000406586>] fc_rport_final_delete+0xb2/0x23c
 [<000000000015d080>] worker_thread+0x200/0x344
 [<000000000016330c>] kthread+0xa0/0xa8
 [<0000000000106c1a>] kernel_thread_starter+0x6/0xc
 [<0000000000106c14>] kernel_thread_starter+0x0/0xc
INFO: lockdep is turned off.
Last Breaking-Event-Address:
 [<00000000003ff7cc>] scsi_remove_device+0x3c/0x54

The function __scsi_remove_target iterates through the SCSI devices on
the host, but it drops the host_lock before calling
scsi_remove_device. When the SCSI device is deleted from another
thread, the pointer to the SCSI device in scsi_remove_device can
become invalid. Fix this by getting a reference to the SCSI device
before dropping the host_lock to keep the SCSI device alive for the
call to scsi_remove_device.

Signed-off-by: Christof Schmitt <christof.schmitt@de.ibm.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agogdth: integer overflow in ioctl
Dan Carpenter [Fri, 8 Oct 2010 07:03:07 +0000 (09:03 +0200)]
gdth: integer overflow in ioctl

commit f63ae56e4e97fb12053590e41a4fa59e7daa74a4 upstream.

gdth_ioctl_alloc() takes the size variable as an int.
copy_from_user() takes the size variable as an unsigned long.
gen.data_len and gen.sense_len are unsigned longs.
On x86_64 longs are 64 bit and ints are 32 bit.

We could pass in a very large number and the allocation would truncate
the size to 32 bits and allocate a small buffer.  Then when we do the
copy_from_user(), it would result in a memory corruption.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agopmcraid: remove duplicate struct member
Anil Ravindranath [Mon, 25 Oct 2010 22:41:54 +0000 (15:41 -0700)]
pmcraid: remove duplicate struct member

commit df30e5059681ed0671c9cc6ff702fe9ca7f20042 upstream.

sense_buffer is both a direct member of struct pmcraid_cmd as well as
an indirect one via an anonymous union and struct.  Fix this clash by
eliminating the direct member in favour of the anonymous struct/union
one.  The name duplication apparently isn't noticed by gcc versions
earlier than 4.4

Reported-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Anil Ravindranath <anil_ravindranath@pmc-sierra.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoqla4xxx: fix build on PPC
Jiri Slaby [Tue, 14 Sep 2010 12:12:54 +0000 (14:12 +0200)]
qla4xxx: fix build on PPC

commit a6751ccb9ba85180c84135cc921eea11d83d5689 upstream.

We use read/write[bslq] but do not include linux/io.h. This causes
build failures on PPC. Include that file.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Acked-by: Vikas Chaudhary <vikas.chaudhary@qlogic.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agolibsas: fix NCQ mixing with non-NCQ
David Milburn [Fri, 3 Sep 2010 22:13:03 +0000 (17:13 -0500)]
libsas: fix NCQ mixing with non-NCQ

commit f0ad30d3d2dc924decc0e10b1ff6dc32525a5d99 upstream.

Some cards (like mvsas) have issue troubles if non-NCQ commands are
mixed with NCQ ones.  Fix this by using the libata default NCQ check
routine which waits until all NCQ commands are complete before issuing
a non-NCQ one.  The impact to cards (like aic94xx) which don't need
this logic should be minimal

Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agosd name space exhaustion causes system hang
Michael Reed [Mon, 20 Sep 2010 16:20:22 +0000 (11:20 -0500)]
sd name space exhaustion causes system hang

commit 1a03ae0f556a931aa3747b70e44b78308f5b0590 upstream.

Following a site power outage which re-enabled all the ports on my FC
switches, my system subsequently booted with far too many luns!  I had
let it run hoping it would make multi-user.  It didn't.  :(  It hung solid
after exhausting the last sd device, sdzzz, and attempting to create sdaaaa
and beyond.  I was unable to get a dump.

Discovered using a 2.6.32.13 based system.

correct this by detecting when the last index is utilized and failing
the sd probe of the device.  Patch applies to scsi-misc-2.6.

Signed-off-by: Michael Reed <mdr@sgi.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoasus-laptop: fix gps rfkill
Corentin Chary [Tue, 24 Aug 2010 07:30:46 +0000 (09:30 +0200)]
asus-laptop: fix gps rfkill

commit 23f45c3a76e715217f40ac397c15815c774cad7f upstream.

The GPS rfkill crappy code. The ops_data argument wasn't
set, and was totally misused. The fix have been tested
on an Asus R2H.

Signed-off-by: Corentin Chary <corentincj@iksaif.net>
Signed-off-by: Matthew Garrett <mjg@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUSB: accept some invalid ep0-maxpacket values
Alan Stern [Thu, 14 Oct 2010 19:25:21 +0000 (15:25 -0400)]
USB: accept some invalid ep0-maxpacket values

commit 56626a72a47bf3e50875d960d6b5f17b9bee0ab2 upstream.

A few devices (such as the RCA VR5220 voice recorder) are so
non-compliant with the USB spec that they have invalid maxpacket sizes
for endpoint 0.  Nevertheless, as long as we can safely use them, we
may as well do so.

This patch (as1432) softens our acceptance criterion by allowing
high-speed devices to have ep0-maxpacket sizes other than 64.  A
warning is printed in the system log when this happens, and the
existing error message is clarified.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: James <bjlockie@lockie.ca>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>