1. 23 9月, 2009 1 次提交
  2. 09 9月, 2009 1 次提交
  3. 03 9月, 2009 1 次提交
    • B
      cfg80211: fix looping soft lockup in find_ie() · fcc6cb0c
      Bob Copeland 提交于
      The find_ie() function uses a size_t for the len parameter, and
      directly uses len as a loop variable.  If any received packets
      are malformed, it is possible for the decrease of len to overflow,
      and since the result is unsigned, the loop will not terminate.
      Change it to a signed int so the loop conditional works for
      negative values.
      
      This fixes the following soft lockup:
      
      [38573.102007] BUG: soft lockup - CPU#0 stuck for 61s! [phy0:2230]
      [38573.102007] Modules linked in: aes_i586 aes_generic fuse af_packet ipt_REJECT xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_state iptable_filter ip_tables x_tables acpi_cpufreq binfmt_misc dm_mirror dm_region_hash dm_log dm_multipath dm_mod kvm_intel kvm uinput i915 arc4 ecb drm snd_hda_codec_idt ath5k snd_hda_intel hid_apple mac80211 usbhid appletouch snd_hda_codec snd_pcm ath cfg80211 snd_timer i2c_algo_bit ohci1394 video snd processor ieee1394 rfkill ehci_hcd sg sky2 backlight snd_page_alloc uhci_hcd joydev output ac thermal button battery sr_mod applesmc cdrom input_polldev evdev unix [last unloaded: scsi_wait_scan]
      [38573.102007] irq event stamp: 2547724535
      [38573.102007] hardirqs last  enabled at (2547724534): [<c1002ffc>] restore_all_notrace+0x0/0x18
      [38573.102007] hardirqs last disabled at (2547724535): [<c10038f4>] apic_timer_interrupt+0x28/0x34
      [38573.102007] softirqs last  enabled at (92950144): [<c103ab48>] __do_softirq+0x108/0x210
      [38573.102007] softirqs last disabled at (92950274): [<c1348e74>] _spin_lock_bh+0x14/0x80
      [38573.102007]
      [38573.102007] Pid: 2230, comm: phy0 Tainted: G        W  (2.6.31-rc7-wl #8) MacBook1,1
      [38573.102007] EIP: 0060:[<f8ea2d50>] EFLAGS: 00010292 CPU: 0
      [38573.102007] EIP is at cmp_ies+0x30/0x180 [cfg80211]
      [38573.102007] EAX: 00000082 EBX: 00000000 ECX: ffffffc1 EDX: d8efd014
      [38573.102007] ESI: ffffff7c EDI: 0000004d EBP: eee2dc50 ESP: eee2dc3c
      [38573.102007]  DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
      [38573.102007] CR0: 8005003b CR2: d8efd014 CR3: 01694000 CR4: 000026d0
      [38573.102007] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
      [38573.102007] DR6: ffff0ff0 DR7: 00000400
      [38573.102007] Call Trace:
      [38573.102007]  [<f8ea2f8d>] cmp_bss+0xed/0x100 [cfg80211]
      [38573.102007]  [<f8ea33e4>] cfg80211_bss_update+0x84/0x410 [cfg80211]
      [38573.102007]  [<f8ea3884>] cfg80211_inform_bss_frame+0x114/0x180 [cfg80211]
      [38573.102007]  [<f97255ff>] ieee80211_bss_info_update+0x4f/0x180 [mac80211]
      [38573.102007]  [<f972b118>] ieee80211_rx_bss_info+0x88/0xf0 [mac80211]
      [38573.102007]  [<f9739297>] ? ieee802_11_parse_elems+0x27/0x30 [mac80211]
      [38573.102007]  [<f972b224>] ieee80211_rx_mgmt_probe_resp+0xa4/0x1c0 [mac80211]
      [38573.102007]  [<f972bc59>] ieee80211_sta_rx_queued_mgmt+0x919/0xc50 [mac80211]
      [38573.102007]  [<c1009707>] ? sched_clock+0x27/0xa0
      [38573.102007]  [<c1009707>] ? sched_clock+0x27/0xa0
      [38573.102007]  [<c105ffd0>] ? mark_held_locks+0x60/0x80
      [38573.102007]  [<c1348be5>] ? _spin_unlock_irqrestore+0x55/0x70
      [38573.102007]  [<c134baa5>] ? sub_preempt_count+0x85/0xc0
      [38573.102007]  [<c1348bce>] ? _spin_unlock_irqrestore+0x3e/0x70
      [38573.102007]  [<c12c1c0f>] ? skb_dequeue+0x4f/0x70
      [38573.102007]  [<f972c021>] ieee80211_sta_work+0x91/0xb80 [mac80211]
      [38573.102007]  [<c1009707>] ? sched_clock+0x27/0xa0
      [38573.102007]  [<c134baa5>] ? sub_preempt_count+0x85/0xc0
      [38573.102007]  [<c10479af>] worker_thread+0x18f/0x320
      [38573.102007]  [<c104794e>] ? worker_thread+0x12e/0x320
      [38573.102007]  [<c1348be5>] ? _spin_unlock_irqrestore+0x55/0x70
      [38573.102007]  [<f972bf90>] ? ieee80211_sta_work+0x0/0xb80 [mac80211]
      [38573.102007]  [<c104cbb0>] ? autoremove_wake_function+0x0/0x50
      [38573.102007]  [<c1047820>] ? worker_thread+0x0/0x320
      [38573.102007]  [<c104c854>] kthread+0x84/0x90
      [38573.102007]  [<c104c7d0>] ? kthread+0x0/0x90
      [38573.102007]  [<c1003ab7>] kernel_thread_helper+0x7/0x10
      
      Cc: stable@kernel.org
      Signed-off-by: NBob Copeland <me@bobcopeland.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      fcc6cb0c
  4. 29 8月, 2009 1 次提交
  5. 14 8月, 2009 3 次提交
    • J
      cfg80211: check for and abort dangling scan requests · 36e6fea8
      Johannes Berg 提交于
      If you trigger a scan request on an interface and then
      take it down, or rmmod the module or unplug the device
      the driver might "forget" to cancel the scan request.
      That is a bug in the driver, but the current behaviour
      is that we just hang endlessly waiting for the netdev
      refcount to become 0 which it never will. To improve
      robustness, check for this situation in cfg80211, warn
      about it and clean up behind the driver. I don't just
      clean up silently because it's likely that the driver
      also has some internal state it has now leaked.
      
      Additionally, this fixes a locking bug, clearing the
      scan_req pointer should be done under the rdev lock.
      
      Finally, we also need to _wait_ for the scan work and
      not just abort it since it might be pending and wanting
      to do a cleanup.
      Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      36e6fea8
    • J
      cfg80211: fix alignment problem in scan request · 5ba63533
      Johannes Berg 提交于
      The memory layout for scan requests was rather wrong,
      we put the scan SSIDs before the channels which could
      lead to the channel pointers being unaligned in memory.
      It turns out that using a pointer to the channel array
      isn't necessary anyway since we can embed a zero-length
      array into the struct.
      Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      5ba63533
    • J
      nl80211: add generation number to all dumps · f5ea9120
      Johannes Berg 提交于
      In order for userspace to be able to figure out whether
      it obtained a consistent snapshot of data or not when
      using netlink dumps, we need to have a generation number
      in each dump message that indicates whether the list has
      changed or not -- its value is arbitrary.
      
      This patch adds such a number to all dumps, this needs
      some mac80211 involvement to keep track of a generation
      number to start with when adding/removing mesh paths or
      stations.
      
      The wiphy and netdev lists can be fully handled within
      cfg80211, of course, but generation numbers need to be
      stored there as well.
      Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      f5ea9120
  6. 04 8月, 2009 1 次提交
  7. 30 7月, 2009 1 次提交
  8. 28 7月, 2009 2 次提交
    • H
      cfg80211: increase scan result expire time · 09f97e0f
      Helmut Schaa 提交于
      Using background scanning in mac80211 the time a scan needs to
      finish can exceed 10 seconds. Hence, increase the scan results
      expire time to 15 seconds which should be sufficient.
      Signed-off-by: NHelmut Schaa <helmut.schaa@googlemail.com>
      Acked-by: NJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      09f97e0f
    • J
      cfg80211: make aware of net namespaces · 463d0183
      Johannes Berg 提交于
      In order to make cfg80211/nl80211 aware of network namespaces,
      we have to do the following things:
      
       * del_virtual_intf method takes an interface index rather
         than a netdev pointer - simply change this
      
       * nl80211 uses init_net a lot, it changes to use the sender's
         network namespace
      
       * scan requests use the interface index, hold a netdev pointer
         and reference instead
      
       * we want a wiphy and its associated virtual interfaces to be
         in one netns together, so
          - we need to be able to change ns for a given interface, so
            export dev_change_net_namespace()
          - for each virtual interface set the NETIF_F_NETNS_LOCAL
            flag, and clear that flag only when the wiphy changes ns,
            to disallow breaking this invariant
      
       * when a network namespace goes away, we need to reparent the
         wiphy to init_net
      
       * cfg80211 users that support creating virtual interfaces must
         create them in the wiphy's namespace, currently this affects
         only mac80211
      
      The end result is that you can now switch an entire wiphy into
      a different network namespace with the new command
      	iw phy#<idx> set netns <pid>
      and all virtual interfaces will follow (or the operation fails).
      Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      463d0183
  9. 22 7月, 2009 1 次提交
    • C
      cfg80211: double free in __cfg80211_scan_done · 9e81eccf
      Christian Lamparter 提交于
      This patch fixes a double free corruption in __cfg80211_scan_done:
      
       ================================================
       BUG kmalloc-512: Object already free
       ------------------------------------------------
      
       INFO: Allocated in load_elf_binary+0x18b/0x19af age=6
       INFO: Freed in load_elf_binary+0x104e/0x19af age=5
       INFO: Slab 0xffffea0001bae4c0 objects=14 used=7
       INFO: Object 0xffff88007e8a9918 @offset=6424 fp=0xffff88007e8a9488
      
       Bytes b4 0xffff88007e8a9908:  00 00 00 00 00 00 00 00 5a 5a
       [...]
       Pid: 28705, comm: rmmod Tainted: P         C 2.6.31-rc2-wl #1
       Call Trace:
        [<ffffffff810da9f4>] print_trailer+0x14e/0x16e
        [<ffffffff810daa56>] object_err+0x42/0x61
        [<ffffffff810dbcd9>] __slab_free+0x2af/0x396
        [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211]
        [<ffffffff810dd5e3>] kfree+0x13c/0x17a
        [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211]
        [<ffffffffa0ec9694>] wiphy_unregister+0x92/0x142 [cfg80211]
        [<ffffffffa0eed163>] ieee80211_unregister_hw+0xc8/0xff [mac80211]
        [<ffffffffa0f3fbc8>] p54_unregister_common+0x31/0x66 [p54common]
        [...]
       FIX kmalloc-512: Object at 0xffff88007e8a9918 not freed
      
      The code path which leads to the *funny* double free:
      
             request = rdev->scan_req;
             dev = dev_get_by_index(&init_net, request->ifidx);
      	/*
      	 * the driver was unloaded recently and
      	 * therefore dev_get_by_index will return NULL!
      	 */
              if (!dev)
                      goto out;
      	[...]
      	rdev->scan_req = NULL; /* not executed... */
      	[...]
       out:
              kfree(request);
      Signed-off-by: NChristian Lamparter <chunkeey@web.de>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      9e81eccf
  10. 11 7月, 2009 5 次提交
  11. 08 7月, 2009 1 次提交
  12. 04 6月, 2009 1 次提交
  13. 07 5月, 2009 2 次提交
  14. 05 5月, 2009 1 次提交
  15. 23 4月, 2009 2 次提交
  16. 18 4月, 2009 2 次提交
  17. 28 3月, 2009 1 次提交
  18. 28 2月, 2009 4 次提交
    • L
      cfg80211: Add AP beacon regulatory hints · e38f8a7a
      Luis R. Rodriguez 提交于
      When devices are world roaming they cannot beacon or do active scan
      on 5 GHz or on channels 12, 13 and 14 on the 2 GHz band. Although
      we have a good regulatory API some cards may _always_ world roam, this
      is also true when a system does not have CRDA present. Devices doing world
      roaming can still passive scan, if they find a beacon from an AP on
      one of the world roaming frequencies we make the assumption we can do
      the same and we also remove the passive scan requirement.
      
      This adds support for providing beacon regulatory hints based on scans.
      This works for devices that do either hardware or software scanning.
      If a channel has not yet been marked as having had a beacon present
      on it we queue the beacon hint processing into the workqueue.
      
      All wireless devices will benefit from beacon regulatory hints from
      any wireless device on a system including new devices connected to
      the system at a later time.
      Signed-off-by: NLuis R. Rodriguez <lrodriguez@atheros.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      e38f8a7a
    • J
      cfg80211: clean up signal type · 77965c97
      Johannes Berg 提交于
      It wasn't a good idea to make the signal type a per-BSS option,
      although then it is closer to the actual value. Move it to be
      a per-wiphy setting, update mac80211 to match.
      Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      77965c97
    • J
      cfg80211/mac80211: fill qual.qual value/adjust max_qual.qual · a77b8552
      Johannes Berg 提交于
      Due to various bugs in the software stack we end up having
      to fill qual.qual; level should be used, but wpa_supplicant
      doesn't properly ignore qual.qual, NM should use qual.level
      regardless of that because qual.qual is 0 but doesn't handle
      IW_QUAL_DBM right now.
      
      So fill qual.qual with the qual.level value clamped to
      -110..-40 dBm or just the regular 'unspecified' signal level.
      This requires a mac80211 change to properly announce the
      max_qual.qual and avg_qual.qual values.
      Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      a77b8552
    • D
      cfg80211: age scan results on resume · cb3a8eec
      Dan Williams 提交于
      Scanned BSS entries are timestamped with jiffies, which doesn't
      increment across suspend and hibernate.  On resume, every BSS in the
      scan list looks like it was scanned within the last 10 seconds,
      irregardless of how long the machine was actually asleep.  Age scan
      results on resume with the time spent during sleep so userspace has a
      clue how old they really are.
      Signed-off-by: NDan Williams <dcbw@redhat.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      cb3a8eec
  19. 14 2月, 2009 4 次提交