Several arrays were read before checking whether the index was within
bounds. ARRAY_SIZE() should be used to determine the size of arrays.
rates->rates has an arraysize of 1, so calling get_common_rates()
with a rates_size of MAX_RATES (14) was causing reads out of bounds.
tmp_size can increment at most to (ARRAY_SIZE(lbs_bg_rates) - 1) *
(*rates_size - 1), so that should be the number of elements of tmp[].
A goto can be eliminated: ret was already set upon its declaration.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
reads bss->rates[j] before checking bounds of index, and should use
ARRAY_SIZE to determine the size of the array.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Acked-by: Holger Schurig <hs4233@mail.mn-solutions.de>
Acked-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
tid is bounded (above) by the size of default_tid_to_tx_fifo (17 elements), but
the size of priv->stations[].tid[] is MAX_TID_COUNT (9) elements.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Incorrect limits leads to reads outside array bounds.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Acked-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
SSID_rid has space for only 3 ssids.
txPowerLevels[i] is read before the bounds check for i
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Acked-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
iwm_wdev_alloc() returns an ERR_PTR on failure and not null. It also
prints its own dev_err() message so I removed that as well.
Compile tested only. Sorry.
Found by smatch (http://repo.or.cz/w/smatch.git).
Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
We need to provide a reasonable minimum that will result in a
working setup if used. Set minimum to be 10 to provide for
4 standard TX queues + 1 command queue + 2 (unused) HCCA queues +
4 HT queues (one per AC).
We allow the user to change the number of queues used via a module
parameter and use this minimum value to check if it is valid. Without
this patch a user can select a value for the number of queues that
will result in a failing setup.
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Reviewed-by: Tomas Winkler <tomas.winkler@intel.com>
Acked-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
I had a problem on 4965 hardware (well, probably other hardware too,
but others don't survive my stress testing right now, unfortunately)
where the driver was sending invalid commands to the device, but no
such thing could be seen from the driver's point of view. I could
reproduce this fairly easily by sending multiple TCP streams with
iperf on different TIDs, though sometimes a single iperf stream was
sufficient. It even happened with a single core, but I have forced
preemption turned on.
The culprit was a queue overrun, where we advanced the queue's write
pointer over the read pointer. After careful analysis I've come to
the conclusion that the cause is a race condition between iwlwifi
and mac80211.
mac80211, of course, checks whether the queue is stopped, before
transmitting a frame. This effectively looks like this:
lock(queues)
if (stopped(queue)) {
unlock(queues)
return busy;
}
unlock(queues)
... <-- this place will be important
there is some more code here
drv_tx(frame)
The driver, on the other hand, can stop and start queues, which does
lock(queues)
mark_running/stopped(queue)
unlock(queues)
[if marked running: wake up tasklet to send pending frames]
Now, however, once the driver starts the queue, mac80211 can see that
and end up at the marked place above, at which point for some reason the
driver seems to stop the queue again (I don't understand that) and then
we end up transmitting while the queue is actually full.
Now, this shouldn't actually matter much, but for some reason I've seen
it happen multiple times in a row and the queue actually overflows, at
which point the queue bites itself in the tail and things go completely
wrong.
This patch fixes this by just dropping the packet should this have
happened, and making the lock in iwlwifi cover everything so iwlwifi
can't race against itself (dropping the lock there might make it more
likely, but it did seem to happen without that too).
Since we can't hold the lock across drv_tx() above, I see no way to fix
this in mac80211, but I also don't understand why I haven't seen this
before -- maybe I just never stress tested it this badly.
With this patch, the device has survived many minutes of simultanously
sending two iperf streams on different TIDs with combined throughput
of about 60 Mbps.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
When a net device goes down or when the bnx2i driver is unloaded,
the code was not generating the ISCSI_KEVENT_IF_DOWN message
properly and this could cause the userspace driver to crash.
This is fixed by sending the message properly in the shutdown path.
cnic_uio_stop() is also added to send the message when bnx2i is
unregistering.
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
There is an 82599 errata that UDP frames with a zero checksum are
incorrectly marked as checksum invalid by the hardware. This was
leading to misleading hw_csum_rx_error counts. This patch adds a
test around this counter increase for this condition.
Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
More stuff for http://bugzilla.kernel.org/show_bug.cgi?id=9512
Some 8168 are unable to WoL when receiving is not enabled (plain
old 8169 do not seem to care).
It is not exactly pretty to leave the receiver enabled but we
should now enable DMA late enough for it to be safe. Some late
stage boot failure due to pxe and friends may benefit from the
delayed enabling of bus-mastering as well.
Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Tested-by: Jaromír Cápík <tavvva@volny.cz>
Cc: Edward Hsu <edward_hsu@realtek.com.tw>
Reset consumer of status rings to 0 when cleaning
up sw resources. Status rings are not deleted
during suspend since they have napi objects.
This ensures correct rx processing across suspen-resume.
Signed-off-by: Dhananjay Phadke <dhananjay@netxen.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Alessandro Rubini <rubini@unipv.it>
Acked-by: Andrea Gallo <andrea.gallo@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
io[i] is read before the bounds check on i, order should be reversed
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
io[i] is read before the bounds check on i, order should be reversed
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
loop bound looks to be wrong, for an array of length 8
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
phy_idx is checked to be < 4, but np->phys[] is 2 elements long
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Calls to device_init_wakeup should not be necessary in drivers that use
device_set_wakeup_enable since pci_pm_init will set the can_wakeup flag
for the device when initialized.
Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
Acked-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Certain types of control packets (LLDP, LACP, etc.) are not supposed to have a
priority tag or vlan tag inserted. Ixgbe driver is currently priority
tagging everything (if packet is not on a VLAN interface).
This patch modifies DCB mode, so that packets marked with skb priority
TC_PRIO_CONTROL are not priority tagged. It also transmits these packets on
the highest priority traffic class.
Programs (like dcbd) can set the skb priority using a socket option. Or, a tc
filter can be configured to set the priority value. Using the value
TC_PRIO_CONTROL (7) has the benefit that it is already defined in the kernel,
and the bonding LACP code already sets the skb->priority field to this value.
Signed-off-by: Lucy Liu <lucy.liu@intel.com>
Acked-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Currently, FCoE offload feature is turned on when the kernel config has
CONFIG_FCOE or CONFIG_FCOE_MODULE set. However, we really want to turn
FCoE offload on when there is FCoE traffic passing and turn it off when
it's just LAN traffic. Since FCoE depends on a lossless network provided
by DCB, this allows us to have FCoE turned on/off when user turns on DCB
using dcbtool.
Signed-off-by: Yi Zou <yi.zou@intel.com>
Acked-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Changes to the fs_enet driver aa73832c5a
("net: Rework fs_enet driver to use of_mdio infrastructure")
cause kernel crashes when using the mdio-ofgpio driver.
This patch replicates similar changes made to the fs_enet mii-bitbang
drivers. It has been tested on a custom mpc8280 based board using an
NFS mounted root.
Signed-off-by: Mark Ware <mware@elphinstone.net>
Acked-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
at91ether_probe lives in .init.text, so using platform_driver_register
to register it is wrong because binding a device after the init memory
is discarded (e.g. via sysfs) results in an oops.
As requested by David Brownell platform_driver_probe is used instead of
moving the probe function to .devinit.text as proposed initially.
This saves some memory, but devices registered after the driver is
probed are not bound (probably there are none) and binding via sysfs
isn't possible.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Acked-by: David Brownell <dbrownell@users.sourceforge.net>
Acked-by: Andrew Victor <linux@maxim.org.za>
Signed-off-by: David S. Miller <davem@davemloft.net>
If skge hardware is capable of waking up the system from sleep,
enable magic packet WoL during driver initialisation.
This makes WoL work without calling 'ethtool -s ethX wol g'
for each adapter.
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Tested-by: Michael Guntsche <mike@it-loops.com>
Acked-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
fix this build error when CONFIG_MII is not set
drivers/net/ks8851.c:999: undefined reference to `generic_mii_ioctl'
drivers/net/ks8851.c:1050: undefined reference to `mii_link_ok'
drivers/net/ks8851.c:1056: undefined reference to `mii_nway_restart'
drivers/net/ks8851.c:1044: undefined reference to `mii_ethtool_sset'
drivers/net/ks8851.c:1038: undefined reference to `mii_ethtool_gset'
Signed-off-by: Alexander Beregalov <a.beregalov@gmail.com>
Acked-by: Ben Dooks <ben@simtec.co.uk>
This patch fixes a bug in the non-lro path. Wrong size of received
packet was being passed for updating receive statistics. This patch
is against the net-2.6 git.
Signed-off-by: Ajit Khaparde <ajitk@serverengines.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Since commit 0b9da337dc ("Rework
ucc_geth driver to use of_mdio infrastructure") the fixed-link
support is broken.
This patch fixes the support by removing !ug_info->phy_node check,
and adds a call to of_phy_connect_fixed_link() if a phy is not attached
to the MAC.
Also, remove an old fixed-link code that we don't use any longer.
Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
Since commit fe192a4911 ("Rework gianfar
driver to use of_mdio infrastructure") the fixed-link support is
broken, the driver oopses at init_phy():
Unable to handle kernel paging request for data at address 0x000000e4
Faulting instruction address: 0xc01cf298
Oops: Kernel access of bad area, sig: 11 [#1]
[...]
NIP [c01cf298] init_phy+0x80/0xdc
LR [c01cf250] init_phy+0x38/0xdc
Call Trace:
[cf81fe80] [c01d1cf8] gfar_enet_open+0x6c/0x19c
[cf81fea0] [c024494c] dev_open+0xfc/0x134
[cf81fec0] [c0242edc] dev_change_flags+0x84/0x1ac
[cf81fee0] [c0399ee0] ic_open_devs+0x168/0x2d8
[cf81ff20] [c039b2e8] ip_auto_config+0x90/0x2a4
[cf81ff60] [c0003884] do_one_initcall+0x34/0x1a8
This patch fixes the oops, and removes phy_node checks, and adds a call
to of_phy_connect_fixed_link() if a phy isn't attached..
Also, remove an old fixed-link code that we don't use any longer.
Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
Since commit aa73832c5a ("Rework
fs_enet driver to use of_mdio infrastructure") the fixed-link support
is broken in the fs_enet driver.
This patch fixes the support by removing a check for phy_node, and adding
a call to of_phy_connect_fixed_link().
Also set netdev parent device via SET_NETDEV_DEV() call, this is needed
so that OF MDIO core could find a node pointer for a device.
Plus, fix "if (IS_ERR(phydev))" check, in case of errors,
of_phy_connect() returns NULL, not ERR_PTR as phy_connect().
Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
Reset rx chain before trying to drain it.
Shut interrupts off last, incase there's something to report.
Signed-off-by: Mike McCormack <mikem@ring3k.org>
Acked-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The values in the advertising field are typically ADVERTISED_xxx, not
SUPPORTED_xxx. Both SUPPORTED_10000baseT_Full and
ADVERTISED_1000baseT_Full have the same value.
The semantic match that finds this problem is as follows:
(http://www.emn.fr/x-info/coccinelle/)
// <smpl>
@@
struct ethtool_cmd E;
@@
*E.advertising = SUPPORTED_10000baseT_Full
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
If the NULL test is necessary, then the dereference should be moved below
the NULL test.
The semantic patch that makes this change is as follows:
(http://www.emn.fr/x-info/coccinelle/)
// <smpl>
@@
type T;
expression E,E1;
identifier i,fld;
statement S;
@@
- T i = E->fld;
+ T i;
... when != E=E1
when != i
if (E == NULL||...) S
+ i = E->fld;
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
If the NULL test is necessary, then the dereferences should be moved below
the NULL test.
The semantic patch that makes this change is as follows:
(http://www.emn.fr/x-info/coccinelle/)
// <smpl>
@@
type T;
expression E,E1;
identifier i,fld;
statement S;
@@
- T i = E->fld;
+ T i;
... when != E=E1
when != i
BUG_ON (E == NULL||...);
+ i = E->fld;
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Firmware V4 on CF8381 reports region code shifted by 1 byte to left.
The following patch checks for this and handles it properly.
Signed-off-by: Marek Vasut <marek.vasut@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Two users of ar9170 devices have now reported their cards
have been programmed with a regulatory domain of 0x8000.
This is not a valid regulatory domain as such these users were
unable to use these devices. Since this doesn't seem to be
a device EEPROM corruption we must treat it specially. It
may have been possible the manufacturer intended to use 0x0
as the regulatory domain and that would ultimately yield
to US but since we cannot get confirmationf or this we
default this special case to one of our world regulatory
domains, specifically 0x64.
Reported-by: DavidFreeman on #linux-wireless
Reported-by: Joerg Albert <jal2@gmx.de>
Cc: Christian Lamparter <chunkeey@web.de>,
Cc: Stephen Chen <stephen.chen@atheros.com>
Cc: David Quan <david.quan@atheros.com>
Cc: Tony Yang <tony.yang@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Fix a potential NULL dereference bug during
error handling in p54spi_probe.
This bug was discovered by smatch:
(http://repo.or.cz/w/smatch.git).
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Many Nokia handsets support a Phonet interface to the cellular modem
via a vendor-specific USB interface. CDC Phonet follows the
Communications Device Class model, with one control interface, and
and a pair of inactive and active data alternative interface. The later
has two bulk endpoint, one per direction.
This was tested against Nokia E61, Nokia N95, and the existing Phonet
gadget function for the Linux composite USB gadget framework.
Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Set the driver data before using it. Fixes an oops when doing rmmod.
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
A pointer to mac_sonic_probe is passed to the core via
platform_driver_register and so the function must not disappear when the
.init sections are discarded. Otherwise (if also having HOTPLUG=y)
unbinding and binding a device to the driver via sysfs will result in an
oops as does a device being registered late.
Various other functions that are called by mac_sonic_probe need to move
to .devinit.text, too.
An alternative to this patch is using platform_driver_probe instead of
platform_driver_register plus removing the pointer to the probe function
from the struct platform_driver.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Tested-by: Finn Thain <fthain@telegraphics.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
For AP mode we must tune ANI specially for 2 GHz and
for 5 GHz. We mask in only the flags we want to toggle
on ath9k_hw_ani_control() through the ah->ani_function
bitmask, this will take care of ignoring changes during
ANI reset which we were disabling before.
Testedy-by: Steven Luo <steven@steven676.net>
Cc: Bennyam Malavazi <bennyam.malavazi@atheros.com>
Cc: Jouni Malinen <jouni.malinen@Atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
The commit below changed the semantics of rt2x00_check_rev so that it no
longer checked the bottom 4 bits of the rev were non-zero. During that
conversion this part of the check was not propogated to the rt2500usb
initialisation.
commit 358623c22c
Author: Ivo van Doorn <ivdoorn@gmail.com>
Date: Tue May 5 19:46:08 2009 +0200
rt2x00: Simplify rt2x00_check_rev
Without this check rt73 devices are miss recognised as rt2500 devices and
two drivers are loaded. Preventing the device being used. Reinstate this
check.
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
When rtl8187 is unloaded and CONFIG_RTL8187_LEDS is set, the kernel
may oops when the module is unloaded as the workqueue for led_on was
not being cancelled.
This patch fixes the problem reported in
http://marc.info/?l=linux-wireless&m=124742957615781&w=2.
Reported-by: Gábor Stefanik <netrolller.3d@gmail.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Pavel Roskin reported some issues with using AP mode without
nohwcrypt=1. Most likely this is similar to the problem fixed
some time ago in ath9k by 3f53dd64f1,
"ath9k: Fix hw crypto configuration for TKIP in AP mode."
That only affects TKIP but it's easiest to just disable that and
WEP too until we get a proper fix in.
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Once the "data" pointer is freed, we can't be iterating
to the next item in the list any more so we need to use
list_for_each_entry_safe with a temporary variable.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
If you rmmod the module while associated, frames might
be transmitted during unregistration -- which will crash
if the hwsim%d interface is unregistered first, so only
do that after all the virtual wiphys are gone.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
The byte count table is only used for aggregation. Updating it
in other cases caused fragmented frames to be dropped.
This fixes http://www.intellinuxwireless.org/bugzilla/show_bug.cgi?id=2004
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
This changes the power_level file to adhere to the "one value
per file" sysfs rule. The user will know which power level was
requested as it will be the number just written to this file. It
is thus not necessary to create a new sysfs file for this value.
In addition it fixes a problem where powertop's parsing expects
this value to be the first value in this file without any descriptions.
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
The driver private data is now based on wiphy. So we should not
touch the private data after wiphy_free() is called. The patch
fixes the potential NULL pointer dereference by making the
iwm_wdev_free() the last one on the interface removal path.
Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
This patch fixes a problem when a device is stopped while in the
bus-off state. Then the carrier remains off forever.
Signed-off-by: Kurt Van Dijck <kurt.van.dijck@skynet.be>
Signed-off-by: Wolfgang Grandegger <wg@grandegger.com>
Signed-off-by: David S. Miller <davem@davemloft.net>