Mat Martineau [Wed, 11 Apr 2012 17:48:42 +0000 (10:48 -0700)]
Bluetooth: Add the l2cap_seq_list structure for tracking frames
A sequence list is a data structure used to track frames that need to
be retransmitted, and frames that have been requested for
retransmission by the remote device. It can compactly represent a
list of sequence numbers within the ERTM transmit window. Memory for
the list is allocated once at connection time, and common operations
in ERTM are O(1).
Signed-off-by: Mat Martineau <mathewm@codeaurora.org> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Bluetooth: mgmt: Fix missing connect failed event for LE
This patch adds management connect failed event when LE Create Connection
Command fails to inform user space that LE Connection failed to get
established.
Signed-off-by: Hemant Gupta <hemant.gupta@stericsson.com> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Bluetooth: Fix clearing discovery type when stopping discovery
This patch prevents resetting of discovery type while stopping
discovery, since otherwise the wrong type might be send in case of
discovery failure. It also doesn't matter that we are "lazy" with
updating the type since it is anyway reset when starting discovery again
and it's not needed to know the current discovery state.
Signed-off-by: Hemant Gupta <hemant.gupta@stericsson.com> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Don Zickus [Wed, 28 Mar 2012 20:41:11 +0000 (16:41 -0400)]
Bluetooth: btusb: typo in Broadcom SoftSailing id
I was trying to backport the following commit to RHEL-6
From 0cea73465cd22373c5cd43a3edd25fbd4bb532ef Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oliver@neukum.org>
Date: Wed, 21 Sep 2011 11:37:15 +0200
Subject: [PATCH] btusb: add device entry for Broadcom SoftSailing
and noticed it wasn't working on an HP Elitebook. Looking into the patch I
noticed a very subtle typo in the ids. The patch has '0x05ac' instead of
'0x0a5c'. A snippet of the lsusb -v output also shows this:
Don Zickus [Wed, 28 Mar 2012 20:41:11 +0000 (16:41 -0400)]
Bluetooth: btusb: typo in Broadcom SoftSailing id
I was trying to backport the following commit to RHEL-6
From 0cea73465cd22373c5cd43a3edd25fbd4bb532ef Mon Sep 17 00:00:00 2001
From: Oliver Neukum <oliver@neukum.org>
Date: Wed, 21 Sep 2011 11:37:15 +0200
Subject: [PATCH] btusb: add device entry for Broadcom SoftSailing
and noticed it wasn't working on an HP Elitebook. Looking into the patch I
noticed a very subtle typo in the ids. The patch has '0x05ac' instead of
'0x0a5c'. A snippet of the lsusb -v output also shows this:
David Herrmann [Wed, 28 Mar 2012 09:48:42 +0000 (11:48 +0200)]
Bluetooth: vhci: Ignore return code of nonseekable_open()
The comment in ./fs/open.c clearly states that nonseekable_open() will
never fail. Therefore, we can safely ignore the return code. This is the
recommended way to deal with nonseekable_open().
Our current code looks like nonseekable_open() is checked for the return
code. However, if we check the return code, we must also kfree() our
private data if the open fails. To avoid this overhead and to avoid
confusion, we simply drop the return code and return 0.
Signed-off-by: David Herrmann <dh.herrmann@googlemail.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Marcel Holtmann [Tue, 27 Mar 2012 16:49:02 +0000 (18:49 +0200)]
Bluetooth: Update management interface revision
For each kernel release where commands or events are added to the
management interface, the revision field should be increment by one.
The increment should only happen once per kernel release and not
for every command/event that gets added. The revision value is for
informational purposes only, but this simple policy would make any
future debugging a lot simple.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Johan Hedberg [Mon, 26 Mar 2012 11:21:42 +0000 (14:21 +0300)]
Bluetooth: Check for minimum data length in eir_has_data_type()
If passed 0 as data_length the (parsed < data_length - 1) test will be
true and cause a buffer overflow. In practice we need at least two bytes
for the element length and type so add a test for it to the very
beginning of the function.
Johan Hedberg [Mon, 26 Mar 2012 11:21:41 +0000 (14:21 +0300)]
Bluetooth: Don't increment twice in eir_has_data_type()
The parsed variable is already incremented inside the for-loop so there
no need to increment it again (not to mention that the code was
incrementing it the wrong amount).
Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Gustavo Padovan <gustavo@padovan.org>
Mat Martineau [Fri, 23 Mar 2012 23:56:56 +0000 (16:56 -0700)]
Bluetooth: Add a structure to carry ERTM data in skb control blocks
Every field from ERTM control headers is now carried in the control
block so it only has to be parsed or generated once, and can be
efficiently accessed throughout the ERTM code.
Mat Martineau [Fri, 23 Mar 2012 23:56:55 +0000 (16:56 -0700)]
Bluetooth: Add definitions and struct members for new ERTM state machine
Adds some missing values for control field parsing, additional data
for the new state machine, and enumerations for states, incoming
packet classification, and state machine events.
...
net/bluetooth/l2cap_core.c:302:6: warning: symbol '__l2cap_chan_add' was
not declared. Should it be static?
net/bluetooth/l2cap_core.c:351:6: warning: symbol 'l2cap_chan_add' was
not declared. Should it be static?
...
Andre Guedes [Wed, 21 Mar 2012 03:03:37 +0000 (00:03 -0300)]
Bluetooth: Check HCI_PERIODIC_INQ in start_discovery
This patch adds a HCI_PERIODIC_INQ check to start_discovery.
If periodic inquiry is enabled, we fail MGMT Start Discovery
command with MGMT_STATUS_BUSY code.
Johan Hovold [Thu, 15 Mar 2012 13:48:41 +0000 (14:48 +0100)]
Bluetooth: hci_core: fix NULL-pointer dereference at unregister
Make sure hci_dev_open returns immediately if hci_dev_unregister has
been called.
This fixes a race between hci_dev_open and hci_dev_unregister which can
lead to a NULL-pointer dereference.
Bug is 100% reproducible using hciattach and a disconnected serial port:
0. # hciattach -n /dev/ttyO1 any noflow
1. hci_dev_open called from hci_power_on grabs req lock
2. hci_init_req executes but device fails to initialise (times out
eventually)
3. hci_dev_open is called from hci_sock_ioctl and sleeps on req lock
4. hci_uart_tty_close calls hci_dev_unregister and sleeps on req lock in
hci_dev_do_close
5. hci_dev_open (1) releases req lock
6. hci_dev_do_close grabs req lock and returns as device is not up
7. hci_dev_unregister sleeps in destroy_workqueue
8. hci_dev_open (3) grabs req lock, calls hci_init_req and eventually sleeps
9. hci_dev_unregister finishes, while hci_dev_open is still running...
Johan Hovold [Thu, 15 Mar 2012 13:48:40 +0000 (14:48 +0100)]
Bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close
Do not close protocol driver until device has been unregistered.
This fixes a race between tty_close and hci_dev_open which can result in
a NULL-pointer dereference.
The line discipline closes the protocol driver while we may still have
hci_dev_open sleeping on the req_lock mutex resulting in a NULL-pointer
dereference when lock is acquired and hci_init_req called.
Bug is 100% reproducible using hciattach and a disconnected serial port:
0. # hciattach -n ttyO1 any noflow
1. hci_dev_open called from hci_power_on grabs req lock
2. hci_init_req executes but device fails to initialise (times out
eventually)
3. hci_dev_open is called from hci_sock_ioctl and sleeps on req lock
4. hci_uart_tty_close detaches protocol driver and cancels init req
5. hci_dev_open (1) releases req lock
6. hci_dev_open (3) grabs req lock, calls hci_init_req, which triggers oops
when request is prepared in hci_uart_send_frame
Johan Hedberg [Mon, 26 Mar 2012 11:21:42 +0000 (14:21 +0300)]
Bluetooth: Check for minimum data length in eir_has_data_type()
If passed 0 as data_length the (parsed < data_length - 1) test will be
true and cause a buffer overflow. In practice we need at least two bytes
for the element length and type so add a test for it to the very
beginning of the function.
Johan Hedberg [Mon, 26 Mar 2012 11:21:41 +0000 (14:21 +0300)]
Bluetooth: Don't increment twice in eir_has_data_type()
The parsed variable is already incremented inside the for-loop so there
no need to increment it again (not to mention that the code was
incrementing it the wrong amount).
Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Gustavo Padovan <gustavo@padovan.org>
Johan Hovold [Thu, 15 Mar 2012 13:48:41 +0000 (14:48 +0100)]
Bluetooth: hci_core: fix NULL-pointer dereference at unregister
Make sure hci_dev_open returns immediately if hci_dev_unregister has
been called.
This fixes a race between hci_dev_open and hci_dev_unregister which can
lead to a NULL-pointer dereference.
Bug is 100% reproducible using hciattach and a disconnected serial port:
0. # hciattach -n /dev/ttyO1 any noflow
1. hci_dev_open called from hci_power_on grabs req lock
2. hci_init_req executes but device fails to initialise (times out
eventually)
3. hci_dev_open is called from hci_sock_ioctl and sleeps on req lock
4. hci_uart_tty_close calls hci_dev_unregister and sleeps on req lock in
hci_dev_do_close
5. hci_dev_open (1) releases req lock
6. hci_dev_do_close grabs req lock and returns as device is not up
7. hci_dev_unregister sleeps in destroy_workqueue
8. hci_dev_open (3) grabs req lock, calls hci_init_req and eventually sleeps
9. hci_dev_unregister finishes, while hci_dev_open is still running...
Johan Hovold [Thu, 15 Mar 2012 13:48:40 +0000 (14:48 +0100)]
Bluetooth: hci_ldisc: fix NULL-pointer dereference on tty_close
Do not close protocol driver until device has been unregistered.
This fixes a race between tty_close and hci_dev_open which can result in
a NULL-pointer dereference.
The line discipline closes the protocol driver while we may still have
hci_dev_open sleeping on the req_lock mutex resulting in a NULL-pointer
dereference when lock is acquired and hci_init_req called.
Bug is 100% reproducible using hciattach and a disconnected serial port:
0. # hciattach -n ttyO1 any noflow
1. hci_dev_open called from hci_power_on grabs req lock
2. hci_init_req executes but device fails to initialise (times out
eventually)
3. hci_dev_open is called from hci_sock_ioctl and sleeps on req lock
4. hci_uart_tty_close detaches protocol driver and cancels init req
5. hci_dev_open (1) releases req lock
6. hci_dev_open (3) grabs req lock, calls hci_init_req, which triggers oops
when request is prepared in hci_uart_send_frame
Signed-off-by: João Paulo Rechi Vita <jprvita@openbossa.org> Acked-by: Gustavo F. Padovan <padovan@profusion.mobi> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: João Paulo Rechi Vita <jprvita@openbossa.org> Acked-by: Gustavo F. Padovan <padovan@profusion.mobi> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Fix sparse warnings related to incorrect type in assignment and static
symbol. Also use const keyword. Warnings are shown below:
...
net/bluetooth/mgmt.c:305:28: warning: incorrect type in assignment
(different base types)
net/bluetooth/mgmt.c:305:28: expected unsigned short [usertype] *opcode
net/bluetooth/mgmt.c:305:28: got restricted __le16 *<noident>
...
net/bluetooth/mgmt.c:2609:3: warning: symbol 'mgmt_handlers' was not declared.
Should it be static?
...
Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@intel.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Marcel Holtmann [Wed, 14 Mar 2012 16:08:46 +0000 (18:08 +0200)]
Bluetooth: Fix broken usage of put_unaligned_le16
In case the struct is already __packed, there is no need to use
unaligned access to the data. So just use cpu_to_le16 or
__constant_cpu_to_le16 in these cases.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
David Herrmann [Fri, 9 Mar 2012 14:53:42 +0000 (15:53 +0100)]
Bluetooth: Remove redundant hdev->parent field
We initialize the "struct device" in hci_alloc_dev() for a long time now
so we can access hdev->dev.parent directly. Hence, we can drop the
temporary field hdev->parent which is used in no other place than
hci_add_sysfs().
SET_HCIDEV_DEV() is never called after registering a device by the
drivers so we do not overwrite internal device-state. Furthermore,
hdev->dev is initialized to 0 by kzalloc() inside hci_alloc_dev() so the
default behavior with dev.parent = NULL is kept.
Signed-off-by: David Herrmann <dh.herrmann@googlemail.com> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Larry Finger [Mon, 26 Mar 2012 14:59:48 +0000 (09:59 -0500)]
rtlwifi: rtl8192ce: rtl8192cu: rtl8192de: Fix low-gain setting when scanning
In https://bugzilla.redhat.com/show_bug.cgi?id=770207, slowdowns of driver
rtl8192ce are reported. One fix (commit a9b89e2) has already been applied,
and it helped, but the maximum RX speed would still drop to 1 Mbps. As in
the previous fix, the initial gain was determined to be the problem; however,
the problem arises from a setting of the gain when scans are started.
Driver rtl8192de also has the same code structure - this one is fixed as well.
Reported-and-Tested-by: Ivan Pesin <ivan.pesin@gmail.com> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Cc: Stable <stable@vger.kernel.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
mac80211: fix possible tid_rx->reorder_timer use after free
Is possible that we will arm the tid_rx->reorder_timer after
del_timer_sync() in ___ieee80211_stop_rx_ba_session(). We need to stop
timer after RCU grace period finish, so move it to
ieee80211_free_tid_rx(). Timer will not be armed again, as
rcu_dereference(sta->ampdu_mlme.tid_rx[tid]) will return NULL.
Debug object detected problem with the following warning:
ODEBUG: free active (active state 0) object type: timer_list hint: sta_rx_agg_reorder_timer_expired+0x0/0xf0 [mac80211]
Bug report (with all warning messages):
https://bugzilla.redhat.com/show_bug.cgi?id=804007
Reported-by: "jan p. springer" <jsd@igroup.org> Cc: stable@vger.kernel.org Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
We should reread status register only when nobody else start already
reading status i.e. test_and_set_bit(TX_STATUS_READING, flags) return 0.
Reported-by: Jakub Kicinski <moorray@wp.pl> Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> Acked-by: Gertjan van Wingerde <gwingerde@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
We should schedule txdone work on timeout, otherwise if newer get
tx status from hardware, we will never report tx status to mac80211
and eventually never wakeup tx queue.
Reported-by: Jakub Kicinski <moorray@wp.pl> Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> Acked-by: Gertjan van Wingerde <gwingerde@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Eric Dumazet [Thu, 15 Mar 2012 20:43:29 +0000 (13:43 -0700)]
ath9k: fix a memory leak in ath_rx_tasklet()
commit 0d95521ea7 (ath9k: use split rx buffers to get rid of order-1 skb
allocations) added in memory leak in error path.
sc->rx.frag should be cleared after the pskb_expand_head() call, or else
we jump to requeue_drop_frag and leak an skb.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Cc: Jouni Malinen <jouni@qca.qualcomm.com> Cc: Felix Fietkau <nbd@openwrt.org> Cc: John W. Linville <linville@tuxdriver.com> Cc: Trond Wuellner <trond@chromium.org> Cc: Grant Grundler <grundler@chromium.org> Cc: Paul Stewart <pstew@chromium.org> Cc: David Miller <davem@davemloft.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
When we have downlink traffic alone and the station is going thru
bgscan, the client is out of operating channel for around 1000ms which
is too long. The mac80211 decides when to switch back to oper channel
based on tx queue, bad latency and listen time. As the station does not
have tx traffic, the bgscan can easily affect downlink throughput. By
reducing the listen time, it helps the associated AP to retain the
downstream rate.
Cc: Paul Stewart <pstew@google.com> Tested-by: Gary Morain <gmorain@google.com> Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
John W. Linville [Thu, 15 Mar 2012 17:25:41 +0000 (13:25 -0400)]
cfg80211: allow CFG80211_SIGNAL_TYPE_UNSPEC in station_info
The station_info struct had demanded dBm signal values, but the
cfg80211 wireless extensions implementation was also accepting
"unspecified" (i.e. RSSI) unit values while the nl80211 code was
completely unaware of them. Resolve this by formally allowing the
"unspecified" units while making nl80211 ignore them.
Signed-off-by: John W. Linville <linville@tuxdriver.com> Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Current commit 0775f9f90cdaf40fbf69b3192b3dddb2b3436f45
"mac80211: remove spurious BSSID change flag" exposed bug on iwlegacy,
that we do not set BSSID address correctly and then device was not able
to receive frames after successful associate.
On the way fix scan canceling comment. Apparently ->post_associate()
do cancel scan itself, but scan cancel on BSS_CHANGED_BSSID is needed.
I'm not sure why, but when I removed it, I had frequent auth failures:
wlan4: send auth to 54:e6:fc:98:63:fe (try 1/3)
wlan4: send auth to 54:e6:fc:98:63:fe (try 2/3)
wlan4: send auth to 54:e6:fc:98:63:fe (try 3/3)
wlan4: authentication with 54:e6:fc:98:63:fe timed out
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Currently the maximum noise floor limit is set as too high (-60dB). The
assumption of having a higher threshold limit is that it would help
de-sensitize the receiver (reduce phy errors) from continuous
interference. But when we have a bursty interference where there are
collisions and then free air time and if the receiver is desensitized too
much, it will miss the normal packets too. Lets make use of chips
specific min, nom and max limits always. This patch helps to improve the
connection stability in congested networks.
Cc: stable@vger.kernel.org Cc: Paul Stewart <pstew@google.com> Tested-by: Gary Morain <gmorain@google.com> Signed-off-by: Madhan Jaganathan <madhanj@qca.qualcomm.com> Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
This il->vif is dereferenced in different part of iwlegacy code, so do
not nullify it. This should fix random crashes observed in companion
with microcode errors i.e. crash in il3945_config_ap().
Additionally this should address also
WARNING: at drivers/net/wireless/iwlegacy/common.c:4656 il_mac_remove_interface
at least one of the possible reasons of that warning.
Cc: stable@vger.kernel.org Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Andy Gospodarek [Thu, 22 Mar 2012 16:14:29 +0000 (16:14 +0000)]
bonding: remove entries for master_ip and vlan_ip and query devices instead
The following patch aimed to resolve an issue where secondary, tertiary,
etc. addresses added to bond interfaces could overwrite the
bond->master_ip and vlan_ip values.
That patch was good because it prevented bonds using ARP monitoring from
sending frames with an invalid source IP address. Unfortunately, it
didn't always work as expected.
When using an ioctl (like ifconfig does) to set the IP address and
netmask, 2 separate ioctls are actually called to set the IP and netmask
if the mask chosen doesn't match the standard mask for that class of
address. The first ioctl did not have a mask that matched the one in
the primary address and would still cause the device address to be
overwritten. The second ioctl that was called to set the mask would
then detect as secondary and ignored, but the damage was already done.
This was not an issue when using an application that used netlink
sockets as the setting of IP and netmask came down at once. The
inconsistent behavior between those two interfaces was something that
needed to be resolved.
While I was thinking about how I wanted to resolve this, Ralf Zeidler
came with a patch that resolved this on a RHEL kernel by keeping a full
shadow of the entries in dev->ifa_list for the bonding device and vlan
devices in the bonding driver. I didn't like the duplication of the
list as I want to see the 'bonding' struct and code shrink rather than
grow, but liked the general idea.
As the Subject indicates this patch drops the master_ip and vlan_ip
elements from the 'bonding' and 'vlan_entry' structs, respectively.
This can be done because a device's address-list is now traversed to
determine the optimal source IP address for ARP requests and for checks
to see if the bonding device has a particular IP address. This code
could have all be contained inside the bonding driver, but it made more
sense to me to EXPORT and call inet_confirm_addr since it did exactly
what was needed.
I tested this and a backported patch and everything works as expected.
Ralf also helped with verification of the backported patch.
Thanks to Ralf for all his help on this.
v2: Whitespace and organizational changes based on suggestions from Jay
Vosburgh and Dave Miller.
v3: Fixup incorrect usage of rcu_read_unlock based on Dave Miller's
suggestion.
Signed-off-by: Andy Gospodarek <andy@greyhouse.net> CC: Ralf Zeidler <ralf.zeidler@nsn.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Rusty Russell [Thu, 22 Mar 2012 12:27:06 +0000 (12:27 +0000)]
netfilter: remove forward module param confusion.
It used to be an int, and it got changed to a bool parameter at least
7 years ago. It happens that NF_ACCEPT and NF_DROP are 0 and 1, so
this works, but it's unclear, and the check that it's in range is not
required.
Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: David S. Miller <davem@davemloft.net>
URB unlinking is always racing with its completion and tx_complete
may be called before or during running usb_unlink_urb, so tx_complete
must not clear urb->dev since it will be used in unlink path,
otherwise invalid memory accesses or usb device leak may be caused
inside usb_unlink_urb.
Cc: stable@kernel.org Cc: Alan Stern <stern@rowland.harvard.edu> Cc: Oliver Neukum <oliver@neukum.org> Signed-off-by: Ming Lei <tom.leiming@gmail.com> Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: David S. Miller <davem@davemloft.net>
projects / karo-tx-linux.git / log