1. 15 3月, 2013 1 次提交
    • V
      Bluetooth: Fix not closing SCO sockets in the BT_CONNECT2 state · eb20ff9c
      Vinicius Costa Gomes 提交于
      With deferred setup for SCO, it is possible that userspace closes the
      socket when it is in the BT_CONNECT2 state, after the Connect Request is
      received but before the Accept Synchonous Connection is sent.
      
      If this happens the following crash was observed, when the connection is
      terminated:
      
      [  +0.000003] hci_sync_conn_complete_evt: hci0 status 0x10
      [  +0.000005] sco_connect_cfm: hcon ffff88003d1bd800 bdaddr 40:98:4e:32:d7:39 status 16
      [  +0.000003] sco_conn_del: hcon ffff88003d1bd800 conn ffff88003cc8e300, err 110
      [  +0.000015] BUG: unable to handle kernel NULL pointer dereference at 0000000000000199
      [  +0.000906] IP: [<ffffffff810620dd>] __lock_acquire+0xed/0xe82
      [  +0.000000] PGD 3d21f067 PUD 3d291067 PMD 0
      [  +0.000000] Oops: 0002 [#1] SMP
      [  +0.000000] Modules linked in: rfcomm bnep btusb bluetooth
      [  +0.000000] CPU 0
      [  +0.000000] Pid: 1481, comm: kworker/u:2H Not tainted 3.9.0-rc1-25019-gad82cdd1 #1 Bochs Bochs
      [  +0.000000] RIP: 0010:[<ffffffff810620dd>]  [<ffffffff810620dd>] __lock_acquire+0xed/0xe82
      [  +0.000000] RSP: 0018:ffff88003c3c19d8  EFLAGS: 00010002
      [  +0.000000] RAX: 0000000000000001 RBX: 0000000000000246 RCX: 0000000000000000
      [  +0.000000] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003d1be868
      [  +0.000000] RBP: ffff88003c3c1a98 R08: 0000000000000002 R09: 0000000000000000
      [  +0.000000] R10: ffff88003d1be868 R11: ffff88003e20b000 R12: 0000000000000002
      [  +0.000000] R13: ffff88003aaa8000 R14: 000000000000006e R15: ffff88003d1be850
      [  +0.000000] FS:  0000000000000000(0000) GS:ffff88003e200000(0000) knlGS:0000000000000000
      [  +0.000000] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [  +0.000000] CR2: 0000000000000199 CR3: 000000003c1cb000 CR4: 00000000000006b0
      [  +0.000000] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  +0.000000] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      [  +0.000000] Process kworker/u:2H (pid: 1481, threadinfo ffff88003c3c0000, task ffff88003aaa8000)
      [  +0.000000] Stack:
      [  +0.000000]  ffffffff81b16342 0000000000000000 0000000000000000 ffff88003d1be868
      [  +0.000000]  ffffffff00000000 00018c0c7863e367 000000003c3c1a28 ffffffff8101efbd
      [  +0.000000]  0000000000000000 ffff88003e3d2400 ffff88003c3c1a38 ffffffff81007c7a
      [  +0.000000] Call Trace:
      [  +0.000000]  [<ffffffff8101efbd>] ? kvm_clock_read+0x34/0x3b
      [  +0.000000]  [<ffffffff81007c7a>] ? paravirt_sched_clock+0x9/0xd
      [  +0.000000]  [<ffffffff81007fd4>] ? sched_clock+0x9/0xb
      [  +0.000000]  [<ffffffff8104fd7a>] ? sched_clock_local+0x12/0x75
      [  +0.000000]  [<ffffffff810632d1>] lock_acquire+0x93/0xb1
      [  +0.000000]  [<ffffffffa0022339>] ? spin_lock+0x9/0xb [bluetooth]
      [  +0.000000]  [<ffffffff8105f3d8>] ? lock_release_holdtime.part.22+0x4e/0x55
      [  +0.000000]  [<ffffffff814f6038>] _raw_spin_lock+0x40/0x74
      [  +0.000000]  [<ffffffffa0022339>] ? spin_lock+0x9/0xb [bluetooth]
      [  +0.000000]  [<ffffffff814f6936>] ? _raw_spin_unlock+0x23/0x36
      [  +0.000000]  [<ffffffffa0022339>] spin_lock+0x9/0xb [bluetooth]
      [  +0.000000]  [<ffffffffa00230cc>] sco_conn_del+0x76/0xbb [bluetooth]
      [  +0.000000]  [<ffffffffa002391d>] sco_connect_cfm+0x2da/0x2e9 [bluetooth]
      [  +0.000000]  [<ffffffffa000862a>] hci_proto_connect_cfm+0x38/0x65 [bluetooth]
      [  +0.000000]  [<ffffffffa0008d30>] hci_sync_conn_complete_evt.isra.79+0x11a/0x13e [bluetooth]
      [  +0.000000]  [<ffffffffa000cd96>] hci_event_packet+0x153b/0x239d [bluetooth]
      [  +0.000000]  [<ffffffff814f68ff>] ? _raw_spin_unlock_irqrestore+0x48/0x5c
      [  +0.000000]  [<ffffffffa00025f6>] hci_rx_work+0xf3/0x2e3 [bluetooth]
      [  +0.000000]  [<ffffffff8103efed>] process_one_work+0x1dc/0x30b
      [  +0.000000]  [<ffffffff8103ef83>] ? process_one_work+0x172/0x30b
      [  +0.000000]  [<ffffffff8103e07f>] ? spin_lock_irq+0x9/0xb
      [  +0.000000]  [<ffffffff8103fc8d>] worker_thread+0x123/0x1d2
      [  +0.000000]  [<ffffffff8103fb6a>] ? manage_workers+0x240/0x240
      [  +0.000000]  [<ffffffff81044211>] kthread+0x9d/0xa5
      [  +0.000000]  [<ffffffff81044174>] ? __kthread_parkme+0x60/0x60
      [  +0.000000]  [<ffffffff814f75bc>] ret_from_fork+0x7c/0xb0
      [  +0.000000]  [<ffffffff81044174>] ? __kthread_parkme+0x60/0x60
      [  +0.000000] Code: d7 44 89 8d 50 ff ff ff 4c 89 95 58 ff ff ff e8 44 fc ff ff 44 8b 8d 50 ff ff ff 48 85 c0 4c 8b 95 58 ff ff ff 0f 84 7a 04 00 00 <f0> ff 80 98 01 00 00 83 3d 25 41 a7 00 00 45 8b b5 e8 05 00 00
      [  +0.000000] RIP  [<ffffffff810620dd>] __lock_acquire+0xed/0xe82
      [  +0.000000]  RSP <ffff88003c3c19d8>
      [  +0.000000] CR2: 0000000000000199
      [  +0.000000] ---[ end trace e73cd3b52352dd34 ]---
      
      Cc: stable@vger.kernel.org [3.8]
      Signed-off-by: NVinicius Costa Gomes <vinicius.gomes@openbossa.org>
      Tested-by: NFrederic Dalleau <frederic.dalleau@intel.com>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      eb20ff9c
  2. 12 3月, 2013 1 次提交
    • S
      Bluetooth: Device 0cf3:3008 should map AR 3012 · 94a32d10
      Sunguk Lee 提交于
      T:  Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#=  3 Spd=12   MxCh= 0
      D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=0cf3 ProdID=3008 Rev= 0.01
      S:  Manufacturer=Atheros Communications
      S:  Product=Bluetooth USB Host Controller
      S:  SerialNumber=Alaska Day 2006
      C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
      I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=81(I) Atr=03(Int.) MxPS=  16 Ivl=1ms
      E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
      I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   0 Ivl=1ms
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=   9 Ivl=1ms
      I:  If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  17 Ivl=1ms
      I:  If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  25 Ivl=1ms
      I:  If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  33 Ivl=1ms
      I:  If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      E:  Ad=83(I) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      E:  Ad=03(O) Atr=01(Isoc) MxPS=  49 Ivl=1ms
      Signed-off-by: NSunguk Lee <d3m3vilurr@gmail.com>
      Signed-off-by: NGustavo Padovan <gustavo.padovan@collabora.co.uk>
      94a32d10
  3. 21 2月, 2013 1 次提交
  4. 12 2月, 2013 2 次提交
    • J
      mwl8k: fix band for supported channels · d786f67e
      Jonas Gorski 提交于
      The band field for the supported channels were left unpopulated, making
      them default to 0 == IEEE80211_BAND_2GHZ, even for the 5GHz channels.
      
      This resulted in null pointer accesses if anything tries to access
      wiphy->bands[channel->band] of a 5GHz channel on 5GHz only cards, since
      wiphy->bands[2GHZ] is NULL for them (e.g. cfg80211_chandef_usable does).
      
      Example kernel OOPS:
      
      [  665.669993] Unable to handle kernel NULL pointer dereference at virtual address 00000016
      [  665.678194] pgd = c6d58000
      [  665.680941] [00000016] *pgd=06f8a831, *pte=00000000, *ppte=00000000
      [  665.687303] Internal error: Oops: 17 [#1]
      (...)
      [  666.116373] Backtrace:
      [  666.118866] [<bf0368dc>] (cfg80211_chandef_usable+0x0/0x1bc [cfg80211]) from [<bf025e64>] (nl80211_leave_mesh+0x244/0x264 [cfg80211])
      [  666.130919]  r7:c6d12100 r6:0000143c r5:c0611c48 r4:c0611b98
      [  666.136668] [<bf025d84>] (nl80211_leave_mesh+0x164/0x264 [cfg80211]) from [<bf02634c>] (nl80211_remain_on_channel+0x2a0/0x358 [cfg80211])
      [  666.149074]  r7:c6d12000 r6:c6d12000 r5:c6f4f368 r4:00000003
      [  666.154814] [<bf0262ec>] (nl80211_remain_on_channel+0x240/0x358 [cfg80211]) from [<bf02ddb0>] (nl80211_set_wiphy+0x264/0x560 [cfg80211])
      [  666.167150] [<bf02db4c>] (nl80211_set_wiphy+0x0/0x560 [cfg80211]) from [<c01f94e0>] (genl_rcv_msg+0x1b8/0x1f8)
      [  666.177205] [<c01f9328>] (genl_rcv_msg+0x0/0x1f8) from [<c01f89a0>] (netlink_rcv_skb+0x58/0xb4)
      [  666.185949] [<c01f8948>] (netlink_rcv_skb+0x0/0xb4) from [<c01f931c>] (genl_rcv+0x20/0x2c)
      [  666.194251]  r6:c6f70780 r5:0000002c r4:c6f70780 r3:00000001
      [  666.199973] [<c01f92fc>] (genl_rcv+0x0/0x2c) from [<c01f8418>] (netlink_unicast+0x154/0x1f4)
      [  666.208449]  r4:c785ea00 r3:c01f92fc
      [  666.212057] [<c01f82c4>] (netlink_unicast+0x0/0x1f4) from [<c01f8790>] (netlink_sendmsg+0x230/0x2b0)
      [  666.221240] [<c01f8560>] (netlink_sendmsg+0x0/0x2b0) from [<c01cccf8>] (sock_sendmsg+0x90/0xa4)
      [  666.229986] [<c01ccc68>] (sock_sendmsg+0x0/0xa4) from [<c01cdcb0>] (__sys_sendmsg+0x290/0x298)
      [  666.238637]  r9:00000000 r8:c0611ec8 r6:0000002c r5:c0610000 r4:c0611f64
      [  666.245411] [<c01cda20>] (__sys_sendmsg+0x0/0x298) from [<c01cf52c>] (sys_sendmsg+0x44/0x6c)
      [  666.253897] [<c01cf4e8>] (sys_sendmsg+0x0/0x6c) from [<c00090a0>] (ret_fast_syscall+0x0/0x2c)
      [  666.262460]  r6:00000000 r5:beeff96c r4:00000005
      Signed-off-by: NJonas Gorski <jogo@openwrt.org>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      d786f67e
    • J
  5. 11 2月, 2013 1 次提交
    • J
      mac80211: fix channel selection bug · 3d9646d0
      Johannes Berg 提交于
      When trying to connect to an AP that advertises HT but not
      VHT, the mac80211 code erroneously uses the configuration
      from the AP as is instead of checking it against regulatory
      and local capabilities. This can lead to using an invalid
      or even inexistent channel (like 11/HT40+).
      
      Additionally, the return flags from downgrading must be
      ORed together, to collect them from all of the downgrades.
      Also clarify the message.
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      3d9646d0
  6. 08 2月, 2013 1 次提交
  7. 07 2月, 2013 1 次提交
  8. 05 2月, 2013 5 次提交
  9. 01 2月, 2013 2 次提交
  10. 31 1月, 2013 1 次提交
    • B
      mwifiex: fix incomplete scan in case of IE parsing error · 8a7d7cbf
      Bing Zhao 提交于
      A scan request is split into multiple scan commands queued in
      scan_pending_q. Each scan command will be sent to firmware and
      its response is handlded one after another.
      
      If any error is detected while parsing IE in command response
      buffer the remaining data will be ignored and error is returned.
      
      We should check if there is any more scan commands pending in
      the queue before returning error. This ensures that we will call
      cfg80211_scan_done if this is the last scan command, or send
      next scan command in scan_pending_q to firmware.
      
      Cc: "3.6+" <stable@vger.kernel.org>
      Signed-off-by: NBing Zhao <bzhao@marvell.com>
      Signed-off-by: NAmitkumar Karwar <akarwar@marvell.com>
      Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>
      8a7d7cbf
  11. 29 1月, 2013 5 次提交
  12. 24 1月, 2013 2 次提交
  13. 23 1月, 2013 8 次提交
  14. 17 1月, 2013 2 次提交
    • B
      mac80211: add encrypt headroom to PERR frames · 8680451f
      Bob Copeland 提交于
      Mesh PERR action frames are robust and thus may be encrypted, so add
      proper head/tailroom to allow this.  Fixes this warning when operating
      a Mesh STA on ath5k:
      
      WARNING: at net/mac80211/wpa.c:427 ccmp_encrypt_skb.isra.5+0x7b/0x1a0 [mac80211]()
      Call Trace:
       [<c011c5e7>] warn_slowpath_common+0x63/0x78
       [<c011c60b>] warn_slowpath_null+0xf/0x13
       [<e090621d>] ccmp_encrypt_skb.isra.5+0x7b/0x1a0 [mac80211]
       [<e090685c>] ieee80211_crypto_ccmp_encrypt+0x1f/0x37 [mac80211]
       [<e0917113>] invoke_tx_handlers+0xcad/0x10bd [mac80211]
       [<e0917665>] ieee80211_tx+0x87/0xb3 [mac80211]
       [<e0918932>] ieee80211_tx_pending+0xcc/0x170 [mac80211]
       [<c0121c43>] tasklet_action+0x3e/0x65
      Signed-off-by: NBob Copeland <me@bobcopeland.com>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      8680451f
    • B
      mac80211: set NEED_TXPROCESSING for PERR frames · 9cbbffe2
      Bob Copeland 提交于
      A user reported warnings in ath5k due to transmitting frames with no
      rates set up.  The frames were Mesh PERR frames, and some debugging
      showed an empty control block with just the vif pointer:
      
      >  [  562.522682] XXX txinfo: 00000000: 00 00 00 00 00 00 00 00 00 00 00
      >  00 00 00 00 00  ................
      >  [  562.522688] XXX txinfo: 00000010: 00 00 00 00 00 00 00 00 54 b8 f2
      >  db 00 00 00 00  ........T.......
      >  [  562.522693] XXX txinfo: 00000020: 00 00 00 00 00 00 00 00 00 00 00
      >  00 00 00 00 00  ................
      
      Set the IEEE80211_TX_INTFL_NEED_TXPROCESSING flag to ensure that
      rate control gets run before the frame is sent.
      Signed-off-by: NBob Copeland <me@bobcopeland.com>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      9cbbffe2
  15. 16 1月, 2013 4 次提交
    • F
      mac80211: fix monitor mode injection · b4a7ff75
      Felix Fietkau 提交于
      Channel contexts are not always used with monitor interfaces. If no channel
      context is set, use the oper channel, otherwise tx fails.
      Signed-off-by: NFelix Fietkau <nbd@openwrt.org>
      [check local->use_chanctx]
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      b4a7ff75
    • S
      mac80211: synchronize scan off/on-channel and PS states · aacde9ee
      Stanislaw Gruszka 提交于
      Since:
      
      commit b23b025f
      Author: Ben Greear <greearb@candelatech.com>
      Date:   Fri Feb 4 11:54:17 2011 -0800
      
          mac80211: Optimize scans on current operating channel.
      
      we do not disable PS while going back to operational channel (on
      ieee80211_scan_state_suspend) and deffer that until scan finish.
      But since we are allowed to send frames, we can send a frame to AP
      without PM bit set, so disable PS on AP side. Then when we switch
      to off-channel (in ieee80211_scan_state_resume) we do not enable PS.
      Hence we are off-channel with PS disabled, frames are not buffered
      by AP.
      
      To fix remove offchannel_ps_disable argument and always enable PS when
      going off-channel and disable it when going on-channel, like it was
      before.
      
      Cc: stable@vger.kernel.org # 2.6.39+
      Signed-off-by: NStanislaw Gruszka <sgruszka@redhat.com>
      Tested-by: NSeth Forshee <seth.forshee@canonical.com>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      aacde9ee
    • J
      mac80211: fix FT roaming · 1626e0fa
      Johannes Berg 提交于
      During FT roaming, wpa_supplicant attempts to set the
      key before association. This used to be rejected, but
      as a side effect of my commit 66e67e41
      ("mac80211: redesign auth/assoc") the key was accepted
      causing hardware crypto to not be used for it as the
      station isn't added to the driver yet.
      
      It would be possible to accept the key and then add it
      to the driver when the station has been added. However,
      this may run into issues with drivers using the state-
      based station adding if they accept the key only after
      association like it used to be.
      
      For now, revert to the behaviour from before the auth
      and assoc change.
      
      Cc: stable@vger.kernel.org
      Reported-by: NCédric Debarge <cedric.debarge@acksys.fr>
      Tested-by: NCédric Debarge <cedric.debarge@acksys.fr>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      1626e0fa
    • E
      iwlwifi: audit single frames from AGG queue in RS · c3e5d718
      Emmanuel Grumbach 提交于
      The rate scaling won't treat the information in a frame
      with IEEE80211_TX_CTL_AMPDU set if IEEE80211_TX_STAT_AMPDU
      is cleared. But all the frames coming from an AGG tx queue
      have IEEE80211_TX_CTL_AMPDU set, and IEEE80211_TX_STAT_AMPDU
      is set only if the frame was sent in an AMPDU.
      This means that all the data in frames in AGG tx queues that
      aren't sent as an AMPDU is thrown away.
      This is even more harmful when in bad link conditions, the
      frames are sent in an AMPDU and then finally sent as single
      frame. So a lot of failures weren't reported and the rate
      scaling got stuck in high rates leading to very poor
      connectivity.
      
      Fix that by clearing IEEE80211_TX_CTL_AMPDU when the frame
      isn't part of an AMPDU.
      
      This bug was introduced by
      
      2eb81a40
      iwlwifi: don't clear CTL_AMPDU on frame status
      
      This fix basically reverts the aforementioned commit.
      Signed-off-by: NEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      c3e5d718
  16. 15 1月, 2013 2 次提交
  17. 12 1月, 2013 1 次提交