- 14 9月, 2011 1 次提交
-
-
由 George 提交于
The driver fails to connect to 802.11n-enabled APs. The patch fixes Bug #42262. Signed-off-by: NGeorge <george0505@realtek.com> Signed-off-by: NLarry Finger <Larry.Finger@lwfinger.net> Cc: Stable <stable@kernel.org> [2.6.39+] Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
- 31 8月, 2011 1 次提交
-
-
由 Felix Fietkau 提交于
ADC calibrations cannot run on 5 GHz with fast clock enabled. They need to be disabled, otherwise they'll hang and IQ mismatch calibration will not be run either. Signed-off-by: NFelix Fietkau <nbd@openwrt.org> Reported-by: NAdrian Chadd <adrian@freebsd.org> Cc: stable@kernel.org Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
- 30 8月, 2011 2 次提交
-
-
由 Stanislaw Gruszka 提交于
When trying to connect to 5GHz we can provide negative index to mac80211 what trigger BUG_ON. Reason of iwl-3945-rs malfunction on 5GHz is unknown and needs further investigation. For now, to do not trigger a bug, correct value and just print WARNING. Address bug: https://bugzilla.redhat.com/show_bug.cgi?id=730653Reported-and-tested-by: NJan Teichmann <jan.teichmann@gmail.com> Cc: stable@kernel.org Signed-off-by: NStanislaw Gruszka <sgruszka@redhat.com> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
由 Rajkumar Manoharan 提交于
The commit 172805ad overwirtes additional clock settings of AR9330 to all AR9300 chips. Cc: stable@kernel.org Signed-off-by: NRajkumar Manoharan <rmanohar@qca.qualcomm.com> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
- 25 8月, 2011 2 次提交
-
-
由 Mohammed Shafi Shajakhan 提交于
this callback is called during suspend/resume and also via iw command. it configures parameters like sifs, slottime, acktimeout in ath9k_hw_init_global_settings where few REG_READ, REG_RMW are also done and hence the need for PS wrappers Cc: stable@kernel.org Signed-off-by: NMohammed Shafi Shajakhan <mohammed@qca.qualcomm.com> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
由 Alexey Khoroshilov 提交于
If is_main_vif(ar, vif) reports that we have to fall back to software encryption, we goto err_softw; before locking ar->mutex. As a result, we have unprotected call to carl9170_set_operating_mode and unmatched mutex_unlock. The patch fix the issue by adding mutex_lock before goto. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: NAlexey Khoroshilov <khoroshilov@ispras.ru> Cc: <stable@kernel.org> Acked-By: NChristian Lamparter <chunkeey@googlemail.com> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
- 24 8月, 2011 3 次提交
-
-
由 Luciano Coelho 提交于
After commit 5a865bad, we require a separate value to indicate the number of supported SSIDs in scheduled scans. This patch adds a proper value to the wl12xx driver. This fixes a regression in 3.1-rc3 where scheduled scans were not working properly with the wl12xx driver. Signed-off-by: NLuciano Coelho <coelho@ti.com> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
由 Ido Yariv 提交于
wl1271_sdio_power_on checks if the return value of pm_runtime_get_sync is non-zero, and if so bails out. However, pm_runtime_get_sync can return a positive number which does not suggest an error has occurred. This is problematic for two reasons: 1. The function will needlessly bail out without decrementing back the runtime PM reference counter. 2. wl1271_power_on only checks if wl1271_power_on return value is negative. This means that wl1271_power_on will continue even if wl1271_sdio_power_on bailed out. As a result, sdio transactions will be initiated without properly enabling the sdio function and claiming the host. This could even lead to a kernel panic. Fix this by only checking that the return value of pm_runtime_get_sync is non-negative. Signed-off-by: NIdo Yariv <ido@wizery.com> Acked-by: NLuciano Coelho <coelho@ti.com> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
由 Ido Yariv 提交于
The testmode NVS push command is no longer in use. In addition, it has several implementation issues that prevent it from working correctly: 1. wl1271_tm_cmd_configure relies on wl->chip.id being set. However, since the device was not necessarily booted by the time the function is called, wl->chip.id will be initialized to 0. 2. The NVS file is fetched by calling request_firmware() before it is possible to push an NVS file. 3. The maximum allowed size of nl binary payloads is not sufficient for pushing NVS files. 4. Pushing 128x NVS files will always fail due to a bug in the validation code. 5. In case the pushed NVS file is found invalid, the mutex will be kept locked and the nvs member will become a dangling pointer. Since this feature is not being used, remove it completely instead of fixing it. Signed-off-by: NIdo Yariv <ido@wizery.com> Acked-by: NLuciano Coelho <coelho@ti.com> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
- 23 8月, 2011 5 次提交
-
-
由 David Woodhouse 提交于
Signed-off-by: NDavid Woodhouse <David.Woodhouse@intel.com> Acked-by: NRafał Miłecki <zajec5@gmail.com> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
由 Senthil Balasubramanian 提交于
Due to some recent optimization done in the way the mac address bytes are written into the OTP memory, some AR9485 chipsets were forced to use the first byte from the eeprom template and the remaining bytes are read from OTP. AR9485 happens to use generic eeprom template which has 0x1 as the first byte causes issues in bringing up the card. So fixed the eeprom template accordingly to address the issue. Cc: stable@kernel.org Cc: Paul Stewart <pstew@google.com> Signed-off-by: NSenthil Balasubramanian <senthilb@qca.qualcomm.com> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
由 Stanislaw Gruszka 提交于
When hibernating ->resume may not be called by usb core, but disconnect and probe instead, so we do not increase the counter after decreasing it in ->supend. As a result we free memory early, and get crash when unplugging usb dongle. BUG: unable to handle kernel paging request at 6b6b6b9f IP: [<c06909b0>] driver_sysfs_remove+0x10/0x30 *pdpt = 0000000034f21001 *pde = 0000000000000000 Pid: 20, comm: khubd Not tainted 3.1.0-rc1-wl+ #20 LENOVO 6369CTO/6369CTO EIP: 0060:[<c06909b0>] EFLAGS: 00010202 CPU: 1 EIP is at driver_sysfs_remove+0x10/0x30 EAX: 6b6b6b6b EBX: f52bba34 ECX: 00000000 EDX: 6b6b6b6b ESI: 6b6b6b6b EDI: c0a0ea20 EBP: f61c9e68 ESP: f61c9e64 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 Process khubd (pid: 20, ti=f61c8000 task=f6138270 task.ti=f61c8000) Call Trace: [<c06909ef>] __device_release_driver+0x1f/0xa0 [<c0690b20>] device_release_driver+0x20/0x40 [<c068fd64>] bus_remove_device+0x84/0xe0 [<c068e12a>] ? device_remove_attrs+0x2a/0x80 [<c068e267>] device_del+0xe7/0x170 [<c06d93d4>] usb_disconnect+0xd4/0x180 [<c06d9d61>] hub_thread+0x691/0x1600 [<c0473260>] ? wake_up_bit+0x30/0x30 [<c0442a39>] ? complete+0x49/0x60 [<c06d96d0>] ? hub_disconnect+0xd0/0xd0 [<c06d96d0>] ? hub_disconnect+0xd0/0xd0 [<c0472eb4>] kthread+0x74/0x80 [<c0472e40>] ? kthread_worker_fn+0x150/0x150 [<c0809b3e>] kernel_thread_helper+0x6/0x10 Cc: stable@kernel.org Signed-off-by: NStanislaw Gruszka <sgruszka@redhat.com> Acked-by: NIvo van Doorn <IvDoorn@gmail.com> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
由 Stanislaw Gruszka 提交于
Do not call ->suspend, ->resume methods after we unregister wiphy. Also delete sta_clanup timer after we finish wiphy unregister to avoid this: WARNING: at lib/debugobjects.c:262 debug_print_object+0x85/0xa0() Hardware name: 6369CTO ODEBUG: free active (active state 0) object type: timer_list hint: sta_info_cleanup+0x0/0x180 [mac80211] Modules linked in: aes_i586 aes_generic fuse bridge stp llc autofs4 sunrpc cpufreq_ondemand acpi_cpufreq mperf ext2 dm_mod uinput thinkpad_acpi hwmon sg arc4 rt2800usb rt2800lib crc_ccitt rt2x00usb rt2x00lib mac80211 cfg80211 i2c_i801 iTCO_wdt iTCO_vendor_support e1000e ext4 mbcache jbd2 sd_mod crc_t10dif sr_mod cdrom yenta_socket ahci libahci pata_acpi ata_generic ata_piix i915 drm_kms_helper drm i2c_algo_bit video [last unloaded: microcode] Pid: 5663, comm: pm-hibernate Not tainted 3.1.0-rc1-wl+ #19 Call Trace: [<c0454cfd>] warn_slowpath_common+0x6d/0xa0 [<c05e05e5>] ? debug_print_object+0x85/0xa0 [<c05e05e5>] ? debug_print_object+0x85/0xa0 [<c0454dae>] warn_slowpath_fmt+0x2e/0x30 [<c05e05e5>] debug_print_object+0x85/0xa0 [<f8a808e0>] ? sta_info_alloc+0x1a0/0x1a0 [mac80211] [<c05e0bd2>] debug_check_no_obj_freed+0xe2/0x180 [<c051175b>] kfree+0x8b/0x150 [<f8a126ae>] cfg80211_dev_free+0x7e/0x90 [cfg80211] [<f8a13afd>] wiphy_dev_release+0xd/0x10 [cfg80211] [<c068d959>] device_release+0x19/0x80 [<c05d06ba>] kobject_release+0x7a/0x1c0 [<c07646a8>] ? rtnl_unlock+0x8/0x10 [<f8a13adb>] ? wiphy_resume+0x6b/0x80 [cfg80211] [<c05d0640>] ? kobject_del+0x30/0x30 [<c05d1a6d>] kref_put+0x2d/0x60 [<c05d056d>] kobject_put+0x1d/0x50 [<c08015f4>] ? mutex_lock+0x14/0x40 [<c068d60f>] put_device+0xf/0x20 [<c069716a>] dpm_resume+0xca/0x160 [<c04912bd>] hibernation_snapshot+0xcd/0x260 [<c04903df>] ? freeze_processes+0x3f/0x90 [<c049151b>] hibernate+0xcb/0x1e0 [<c048fdc0>] ? pm_async_store+0x40/0x40 [<c048fe60>] state_store+0xa0/0xb0 [<c048fdc0>] ? pm_async_store+0x40/0x40 [<c05d0200>] kobj_attr_store+0x20/0x30 [<c0575ea4>] sysfs_write_file+0x94/0xf0 [<c051e26a>] vfs_write+0x9a/0x160 [<c0575e10>] ? sysfs_open_file+0x200/0x200 [<c051e3fd>] sys_write+0x3d/0x70 [<c080959f>] sysenter_do_call+0x12/0x28 Cc: stable@kernel.org Signed-off-by: NStanislaw Gruszka <sgruszka@redhat.com> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
由 John W. Linville 提交于
-
- 14 8月, 2011 2 次提交
-
-
由 Emmanuel Grumbach 提交于
This bug has been introduced by: d5934110 Author: Emmanuel Grumbach <emmanuel.grumbach@intel.com> Date: Mon Jul 11 10:48:51 2011 +0300 iwlagn: simplify the bus architecture Revert part of the buggy patch: dev_get_drvdata will now return iwl_priv as it did before the patch. Signed-off-by: NEmmanuel Grumbach <emmanuel.grumbach@intel.com> Signed-off-by: NWey-Yi Guy <wey-yi.w.guy@intel.com> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
由 Emmanuel Grumbach 提交于
This reverts commit cc1a93e6. This fix introduced a bug: bad pointer in unload. Signed-off-by: NEmmanuel Grumbach <emmanuel.grumbach@intel.com> Signed-off-by: NWey-Yi Guy <wey-yi.w.guy@intel.com> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
- 13 8月, 2011 1 次提交
-
-
由 Julia Lawall 提交于
In each case, the freed data should be freed in the error handling code as well. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @exists@ local idexpression x; statement S,S1; expression E; identifier fl; expression *ptr != NULL; @@ x = \(kmalloc\|kzalloc\|kcalloc\)(...); ... if (x == NULL) S <... when != x when != if (...) { <+...kfree(x)...+> } when any when != true x == NULL x->fl ...> ( if (x == NULL) S1 | if (...) { ... when != x when forall ( return \(0\|<+...x...+>\|ptr\); | * return ...; ) } ) // </smpl> Signed-off-by: NJulia Lawall <julia@diku.dk> Acked-by: NLuciano Coelho <coelho@ti.com> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
- 12 8月, 2011 23 次提交
-
-
由 Peter Hurley 提交于
Once the session thread is running, cleanup must be handled by the session thread only. Signed-off-by: NPeter Hurley <peter@hurleysoftware.com> Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
-
由 Peter Hurley 提交于
When an hidp connection is added for a boot protocol input device, don't release a device reference that was never acquired. The device reference is acquired when the session is linked to the session list (which hasn't happened yet when hidp_setup_input is called). Signed-off-by: NPeter Hurley <peter@hurleysoftware.com> Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
-
由 Peter Hurley 提交于
When an hidp connection is added for a boot protocol input device, only free the allocated device if device registration fails. Subsequent failures should only unregister the device (the input device api documents that unregister will also free the allocated device). Signed-off-by: NPeter Hurley <peter@hurleysoftware.com> Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
-
由 Peter Hurley 提交于
Free the cached HID report descriptor on thread terminate. Signed-off-by: NPeter Hurley <peter@hurleysoftware.com> Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
-
由 Peter Hurley 提交于
Once the session thread is running, cleanup must be handled by the session thread only. Signed-off-by: NPeter Hurley <peter@hurleysoftware.com> Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
-
由 Peter Hurley 提交于
Commit fada4ac3 introduced the usage of kthread API. kthread_stop is a blocking function which returns only when the thread exits. In this case, the thread can't exit because it's waiting for the write lock, which is being held by cmtp_del_connection() which is waiting for the thread to exit -- deadlock. Revert cmtp_reset_ctr to its original behavior: non-blocking signalling for the session to terminate. Signed-off-by: NPeter Hurley <peter@hurleysoftware.com> Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
-
由 Peter Hurley 提交于
Commit f4d7cd4a introduced the usage of kthread API. kthread_stop is a blocking function which returns only when the thread exits. In this case, the thread can't exit because it's waiting for the write lock, which is being held by bnep_del_connection() which is waiting for the thread to exit -- deadlock. Use atomic_t/wake_up_process instead to signal to the thread to exit. Signed-off-by: NJaikumar Ganesh <jaikumar@google.com> Signed-off-by: NPeter Hurley <peter@hurleysoftware.com> Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
-
由 Szymon Janc 提交于
No command should be send before Command Complete event for HCI reset is received. This fix regression introduced by commit 6bd32326(Bluetooth: Use proper timer for hci command timout) for chips whose reset command takes longer to complete (e.g. CSR) resulting in next command being send before HCI reset completed. Signed-off-by: NSzymon Janc <szymon@janc.net.pl> Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
-
由 Chen Ganir 提交于
L2CAP connection timeout needs to be assigned as miliseconds and not as jiffies. Signed-off-by: NChen Ganir <chen.ganir@ti.com> Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
-
由 Peter Hurley 提交于
Fix race condition which can result in missing wakeup during l2cap socket shutdown. Signed-off-by: NPeter Hurley <peter@hurleysoftware.com> Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
-
由 Peter Hurley 提交于
Fix race condition which can result in missing the wakeup intended to stop the session thread. Signed-off-by: NPeter Hurley <peter@hurleysoftware.com> Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
-
由 Peter Hurley 提交于
Fix race condition which can result in missing the wakeup intended to stop the session thread. Signed-off-by: NPeter Hurley <peter@hurleysoftware.com> Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
-
由 Peter Hurley 提交于
Fix race conditions which can cause lost wakeups (or missed signals) while waiting to accept a sco socket connection. Signed-off-by: NPeter Hurley <peter@hurleysoftware.com> Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
-
由 Peter Hurley 提交于
Fix race conditions which can cause lost wakeups (or misssed signals) while waiting to accept an l2cap socket connection. Signed-off-by: NPeter Hurley <peter@hurleysoftware.com> Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
-
由 Peter Hurley 提交于
Fix race conditions which can cause lost wakeups while waiting for sock state to change. Signed-off-by: NPeter Hurley <peter@hurleysoftware.com> Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
-
由 Peter Hurley 提交于
Fix race conditions which can cause lost wakeups (or missed signals) while waiting to accept an rfcomm socket connection. Signed-off-by: NPeter Hurley <peter@hurleysoftware.com> Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
-
由 Peter Hurley 提交于
Removed superfluous event handling which was used to signal that the rfcomm kthread had been woken. This appears to have been used to prevent lost wakeups. Correctly ordering when the task state is set to TASK_INTERRUPTIBLE is sufficient to prevent lost wakeups. To prevent wakeups which occurred prior to initially setting TASK_INTERRUPTIBLE from being lost, the main work of the thread loop - rfcomm_process_sessions() - is performed prior to sleeping. Signed-off-by: NPeter Hurley <peter@hurleysoftware.com> Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
-
由 Ricardo Mendoza 提交于
Blacklist Toshiba-branded AR3011 based AR5B195 [0930:0215] and add to ath3k.c for firmware loading. Signed-off-by: NRicardo Mendoza <ricmm@gentoo.org> Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
-
由 Paul Bolle 提交于
Disabling the bluetooth usb device embedded in (some) ThinkPads tends to lead to errors like these: btusb_bulk_complete: hci0 urb ffff88011b9bfd68 failed to resubmit (19) btusb_intr_complete: hci0 urb ffff88011b46a318 failed to resubmit (19) btusb_bulk_complete: hci0 urb ffff88011b46a000 failed to resubmit (19) That is because usb_disconnect() doesn't "quiesces" pending urbs. Disconnecting a device is a normal thing to happen so it's no big deal that usb_submit_urb() returns -ENODEV. The simplest way to get rid of these errors is to stop treating that return as an error. Trivial, actually. While we're at it, add comments to be explicit about the reasons we're not complaining about -EPERM and -ENODEV. Signed-off-by: NPaul Bolle <pebolle@tiscali.nl> Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
-
由 Dan Carpenter 提交于
There was a small typo here so we never actually hit the goto which would call hci_dev_unlock_bh(). Signed-off-by: NDan Carpenter <error27@gmail.com> Signed-off-by: NGustavo F. Padovan <padovan@profusion.mobi>
-
由 Stanislaw Gruszka 提交于
Patch should fix this oops: BUG: unable to handle kernel NULL pointer dereference at 000000a0 IP: [<f81b30c9>] rt2800usb_get_txwi+0x19/0x70 [rt2800usb] *pdpt = 0000000000000000 *pde = f000ff53f000ff53 Oops: 0000 [#1] SMP Pid: 198, comm: kworker/u:3 Tainted: G W 3.0.0-wl+ #9 LENOVO 6369CTO/6369CTO EIP: 0060:[<f81b30c9>] EFLAGS: 00010283 CPU: 1 EIP is at rt2800usb_get_txwi+0x19/0x70 [rt2800usb] EAX: 00000000 EBX: f465e140 ECX: f4494960 EDX: ef24c5f8 ESI: 810f21f5 EDI: f1da9960 EBP: f4581e80 ESP: f4581e70 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 Process kworker/u:3 (pid: 198, ti=f4580000 task=f4494960 task.ti=f4580000) Call Trace: [<f804790f>] rt2800_txdone_entry+0x2f/0xf0 [rt2800lib] [<c045110d>] ? warn_slowpath_common+0x7d/0xa0 [<f81b3a38>] ? rt2800usb_work_txdone+0x288/0x360 [rt2800usb] [<f81b3a38>] ? rt2800usb_work_txdone+0x288/0x360 [rt2800usb] [<f81b3a13>] rt2800usb_work_txdone+0x263/0x360 [rt2800usb] [<c046a8d6>] process_one_work+0x186/0x440 [<c046a85a>] ? process_one_work+0x10a/0x440 [<f81b37b0>] ? rt2800usb_probe_hw+0x120/0x120 [rt2800usb] [<c046c283>] worker_thread+0x133/0x310 [<c04885db>] ? trace_hardirqs_on+0xb/0x10 [<c046c150>] ? manage_workers+0x1e0/0x1e0 [<c047054c>] kthread+0x7c/0x90 [<c04704d0>] ? __init_kthread_worker+0x60/0x60 [<c0826b42>] kernel_thread_helper+0x6/0x1 Oops might happen because we check rt2x00queue_empty(queue) twice, but this condition can change and we can process entry in rt2800_txdone_entry(), which was already processed by rt2800usb_txdone_entry_check() -> rt2x00lib_txdone_noinfo() and has nullify entry->skb . Reported-by: NJustin Piszcz <jpiszcz@lucidpixels.com> Cc: stable@kernel.org Signed-off-by: NStanislaw Gruszka <sgruszka@redhat.com> Acked-by: NIvo van Doorn <IvDoorn@gmail.com> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
由 Stanislaw Gruszka 提交于
In rt2800usb_work_txdone we check flags in order: - ENTRY_OWNER_DEVICE_DATA - ENTRY_DATA_STATUS_PENDING - ENTRY_DATA_IO_FAILED Modify flags in separate order in rt2x00usb_interrupt_txdone, to avoid processing entries in _txdone with wrong flags or skip processing ready entries. Reported-by: NJustin Piszcz <jpiszcz@lucidpixels.com> Cc: stable@kernel.org Signed-off-by: NStanislaw Gruszka <sgruszka@redhat.com> Acked-by: NIvo van Doorn <IvDoorn@gmail.com> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-
由 Stanislaw Gruszka 提交于
Patch should fix this oops: BUG: unable to handle kernel NULL pointer dereference at 000000a0 IP: [<f8e06078>] rt2800usb_write_tx_desc+0x18/0xc0 [rt2800usb] *pdpt = 000000002408c001 *pde = 0000000024079067 *pte = 0000000000000000 Oops: 0000 [#1] SMP EIP: 0060:[<f8e06078>] EFLAGS: 00010282 CPU: 0 EIP is at rt2800usb_write_tx_desc+0x18/0xc0 [rt2800usb] EAX: 00000035 EBX: ef2bef10 ECX: 00000000 EDX: d40958a0 ESI: ef1865f8 EDI: ef1865f8 EBP: d4095878 ESP: d409585c DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 Call Trace: [<f8da5e85>] rt2x00queue_write_tx_frame+0x155/0x300 [rt2x00lib] [<f8da424c>] rt2x00mac_tx+0x7c/0x370 [rt2x00lib] [<c04882b2>] ? mark_held_locks+0x62/0x90 [<c081f645>] ? _raw_spin_unlock_irqrestore+0x35/0x60 [<c04884ba>] ? trace_hardirqs_on_caller+0x5a/0x170 [<c04885db>] ? trace_hardirqs_on+0xb/0x10 [<f8d618ac>] __ieee80211_tx+0x5c/0x1e0 [mac80211] [<f8d631fc>] ieee80211_tx+0xbc/0xe0 [mac80211] [<f8d63163>] ? ieee80211_tx+0x23/0xe0 [mac80211] [<f8d632e1>] ieee80211_xmit+0xc1/0x200 [mac80211] [<f8d63220>] ? ieee80211_tx+0xe0/0xe0 [mac80211] [<c0487d45>] ? lock_release_holdtime+0x35/0x1b0 [<f8d63986>] ? ieee80211_subif_start_xmit+0x446/0x5f0 [mac80211] [<f8d637dd>] ieee80211_subif_start_xmit+0x29d/0x5f0 [mac80211] [<f8d63924>] ? ieee80211_subif_start_xmit+0x3e4/0x5f0 [mac80211] [<c0760188>] ? sock_setsockopt+0x6a8/0x6f0 [<c0760000>] ? sock_setsockopt+0x520/0x6f0 [<c076daef>] dev_hard_start_xmit+0x2ef/0x650 Oops might happen because we perform parallel putting new entries in a queue (rt2x00queue_write_tx_frame()) and removing entries after finishing transmitting (rt2800usb_work_txdone()). There are cases when _txdone may process an entry that was not fully send and nullify entry->skb . To fix check in _txdone if entry has flags that indicate pending transmission and wait until flags get cleared. Reported-by: NJustin Piszcz <jpiszcz@lucidpixels.com> Cc: stable@kernel.org Signed-off-by: NStanislaw Gruszka <sgruszka@redhat.com> Acked-by: NIvo van Doorn <IvDoorn@gmail.com> Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
-