tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6:
iwlwifi: fix device id registration for 6000 series 2x2 devices
ath5k: update channel in sw state after stopping RX and TX
rtl8187: use DMA-aware buffers with usb_control_msg
mac80211: avoid NULL ptr deref when finding max_rates in PID and minstrel
airo: airo_get_encode{,ext} potential buffer overflow

Pulled directly by Linus because Davem is off playing shuffle-board at
some Alaskan cruise, and the NULL ptr deref issue hits people and should
get merged sooner rather than later.

David - make us proud on the shuffle-board tournament!

Linus Torvalds 3346857f 5d41343a

+91 -33
unified split
+8 -2
drivers/net/wireless/airo.c
··· 6501 6501 6502 6502 /* Copy the key to the user buffer */ 6503 6503 dwrq->length = get_wep_key(local, index, &buf[0], sizeof(buf)); 6504 - memcpy(extra, buf, dwrq->length); 6504 + if (dwrq->length != -1) 6505 + memcpy(extra, buf, dwrq->length); 6506 + else 6507 + dwrq->length = 0; 6505 6508 6506 6509 return 0; 6507 6510 } ··· 6662 6659 6663 6660 /* Copy the key to the user buffer */ 6664 6661 ext->key_len = get_wep_key(local, idx, &buf[0], sizeof(buf)); 6665 - memcpy(extra, buf, ext->key_len); 6662 + if (ext->key_len != -1) 6663 + memcpy(extra, buf, ext->key_len); 6664 + else 6665 + ext->key_len = 0; 6666 6666 6667 6667 return 0; 6668 6668 }
+13 -9
drivers/net/wireless/ath5k/base.c
··· 214 214 * Prototypes - MAC 802.11 stack related functions 215 215 */ 216 216 static int ath5k_tx(struct ieee80211_hw *hw, struct sk_buff *skb); 217 - static int ath5k_reset(struct ath5k_softc *sc, bool stop, bool change_channel); 217 + static int ath5k_reset(struct ath5k_softc *sc, struct ieee80211_channel *chan); 218 218 static int ath5k_reset_wake(struct ath5k_softc *sc); 219 219 static int ath5k_start(struct ieee80211_hw *hw); 220 220 static void ath5k_stop(struct ieee80211_hw *hw); ··· 1038 1038 if (chan->center_freq != sc->curchan->center_freq || 1039 1039 chan->hw_value != sc->curchan->hw_value) { 1040 1040 1041 - sc->curchan = chan; 1042 - sc->curband = &sc->sbands[chan->band]; 1043 - 1044 1041 /* 1045 1042 * To switch channels clear any pending DMA operations; 1046 1043 * wait long enough for the RX fifo to drain, reset the 1047 1044 * hardware at the new frequency, and then re-enable 1048 1045 * the relevant bits of the h/w. 1049 1046 */ 1050 - return ath5k_reset(sc, true, true); 1047 + return ath5k_reset(sc, chan); 1051 1048 } 1052 1049 1053 1050 return 0; ··· 2311 2314 sc->imask = AR5K_INT_RXOK | AR5K_INT_RXERR | AR5K_INT_RXEOL | 2312 2315 AR5K_INT_RXORN | AR5K_INT_TXDESC | AR5K_INT_TXEOL | 2313 2316 AR5K_INT_FATAL | AR5K_INT_GLOBAL; 2314 - ret = ath5k_reset(sc, false, false); 2317 + ret = ath5k_reset(sc, NULL); 2315 2318 if (ret) 2316 2319 goto done; 2317 2320 ··· 2596 2599 return NETDEV_TX_OK; 2597 2600 } 2598 2601 2602 + /* 2603 + * Reset the hardware. If chan is not NULL, then also pause rx/tx 2604 + * and change to the given channel. 2605 + */ 2599 2606 static int 2600 - ath5k_reset(struct ath5k_softc *sc, bool stop, bool change_channel) 2607 + ath5k_reset(struct ath5k_softc *sc, struct ieee80211_channel *chan) 2601 2608 { 2602 2609 struct ath5k_hw *ah = sc->ah; 2603 2610 int ret; 2604 2611 2605 2612 ATH5K_DBG(sc, ATH5K_DEBUG_RESET, "resetting\n"); 2606 2613 2607 - if (stop) { 2614 + if (chan) { 2608 2615 ath5k_hw_set_imr(ah, 0); 2609 2616 ath5k_txq_cleanup(sc); 2610 2617 ath5k_rx_stop(sc); 2618 + 2619 + sc->curchan = chan; 2620 + sc->curband = &sc->sbands[chan->band]; 2611 2621 } 2612 2622 ret = ath5k_hw_reset(ah, sc->opmode, sc->curchan, true); 2613 2623 if (ret) { ··· 2652 2648 { 2653 2649 int ret; 2654 2650 2655 - ret = ath5k_reset(sc, true, true); 2651 + ret = ath5k_reset(sc, sc->curchan); 2656 2652 if (!ret) 2657 2653 ieee80211_wake_queues(sc->hw); 2658 2654
+4 -4
drivers/net/wireless/iwlwifi/iwl-6000.c
··· 101 101 .eeprom_ver = EEPROM_5000_EEPROM_VERSION, 102 102 .eeprom_calib_ver = EEPROM_5000_TX_POWER_VERSION, 103 103 .mod_params = &iwl50_mod_params, 104 - .valid_tx_ant = ANT_BC, 105 - .valid_rx_ant = ANT_BC, 104 + .valid_tx_ant = ANT_AB, 105 + .valid_rx_ant = ANT_AB, 106 106 .need_pll_cfg = false, 107 107 }; 108 108 ··· 117 117 .eeprom_ver = EEPROM_5000_EEPROM_VERSION, 118 118 .eeprom_calib_ver = EEPROM_5000_TX_POWER_VERSION, 119 119 .mod_params = &iwl50_mod_params, 120 - .valid_tx_ant = ANT_BC, 121 - .valid_rx_ant = ANT_BC, 120 + .valid_tx_ant = ANT_AB, 121 + .valid_rx_ant = ANT_AB, 122 122 .need_pll_cfg = false, 123 123 }; 124 124
+2
drivers/net/wireless/iwlwifi/iwl-agn.c
··· 3636 3636 {IWL_PCI_DEVICE(0x0085, 0x1112, iwl6000_2ag_cfg)}, 3637 3637 {IWL_PCI_DEVICE(0x0082, 0x1122, iwl6000_2ag_cfg)}, 3638 3638 {IWL_PCI_DEVICE(0x422B, PCI_ANY_ID, iwl6000_3agn_cfg)}, 3639 + {IWL_PCI_DEVICE(0x422C, PCI_ANY_ID, iwl6000_2agn_cfg)}, 3639 3640 {IWL_PCI_DEVICE(0x4238, PCI_ANY_ID, iwl6000_3agn_cfg)}, 3641 + {IWL_PCI_DEVICE(0x4239, PCI_ANY_ID, iwl6000_2agn_cfg)}, 3640 3642 {IWL_PCI_DEVICE(0x0082, PCI_ANY_ID, iwl6000_2agn_cfg)}, 3641 3643 {IWL_PCI_DEVICE(0x0085, PCI_ANY_ID, iwl6000_3agn_cfg)}, 3642 3644 {IWL_PCI_DEVICE(0x0086, PCI_ANY_ID, iwl6050_3agn_cfg)},
+43 -14
drivers/net/wireless/rtl818x/rtl8187.h
··· 120 120 __le64 buf; 121 121 struct sk_buff_head queue; 122 122 } b_tx_status; /* This queue is used by both -b and non-b devices */ 123 + struct mutex io_mutex; 124 + union { 125 + u8 bits8; 126 + __le16 bits16; 127 + __le32 bits32; 128 + } *io_dmabuf; 123 129 }; 124 130 125 131 void rtl8187_write_phy(struct ieee80211_hw *dev, u8 addr, u32 data); ··· 135 129 { 136 130 u8 val; 137 131 132 + mutex_lock(&priv->io_mutex); 138 133 usb_control_msg(priv->udev, usb_rcvctrlpipe(priv->udev, 0), 139 134 RTL8187_REQ_GET_REG, RTL8187_REQT_READ, 140 - (unsigned long)addr, idx & 0x03, &val, 141 - sizeof(val), HZ / 2); 135 + (unsigned long)addr, idx & 0x03, 136 + &priv->io_dmabuf->bits8, sizeof(val), HZ / 2); 137 + 138 + val = priv->io_dmabuf->bits8; 139 + mutex_unlock(&priv->io_mutex); 142 140 143 141 return val; 144 142 } ··· 157 147 { 158 148 __le16 val; 159 149 150 + mutex_lock(&priv->io_mutex); 160 151 usb_control_msg(priv->udev, usb_rcvctrlpipe(priv->udev, 0), 161 152 RTL8187_REQ_GET_REG, RTL8187_REQT_READ, 162 - (unsigned long)addr, idx & 0x03, &val, 163 - sizeof(val), HZ / 2); 153 + (unsigned long)addr, idx & 0x03, 154 + &priv->io_dmabuf->bits16, sizeof(val), HZ / 2); 155 + 156 + val = priv->io_dmabuf->bits16; 157 + mutex_unlock(&priv->io_mutex); 164 158 165 159 return le16_to_cpu(val); 166 160 } ··· 179 165 { 180 166 __le32 val; 181 167 168 + mutex_lock(&priv->io_mutex); 182 169 usb_control_msg(priv->udev, usb_rcvctrlpipe(priv->udev, 0), 183 170 RTL8187_REQ_GET_REG, RTL8187_REQT_READ, 184 - (unsigned long)addr, idx & 0x03, &val, 185 - sizeof(val), HZ / 2); 171 + (unsigned long)addr, idx & 0x03, 172 + &priv->io_dmabuf->bits32, sizeof(val), HZ / 2); 173 + 174 + val = priv->io_dmabuf->bits32; 175 + mutex_unlock(&priv->io_mutex); 186 176 187 177 return le32_to_cpu(val); 188 178 } ··· 199 181 static inline void rtl818x_iowrite8_idx(struct rtl8187_priv *priv, 200 182 u8 *addr, u8 val, u8 idx) 201 183 { 184 + mutex_lock(&priv->io_mutex); 185 + 186 + priv->io_dmabuf->bits8 = val; 202 187 usb_control_msg(priv->udev, usb_sndctrlpipe(priv->udev, 0), 203 188 RTL8187_REQ_SET_REG, RTL8187_REQT_WRITE, 204 - (unsigned long)addr, idx & 0x03, &val, 205 - sizeof(val), HZ / 2); 189 + (unsigned long)addr, idx & 0x03, 190 + &priv->io_dmabuf->bits8, sizeof(val), HZ / 2); 191 + 192 + mutex_unlock(&priv->io_mutex); 206 193 } 207 194 208 195 static inline void rtl818x_iowrite8(struct rtl8187_priv *priv, u8 *addr, u8 val) ··· 218 195 static inline void rtl818x_iowrite16_idx(struct rtl8187_priv *priv, 219 196 __le16 *addr, u16 val, u8 idx) 220 197 { 221 - __le16 buf = cpu_to_le16(val); 198 + mutex_lock(&priv->io_mutex); 222 199 200 + priv->io_dmabuf->bits16 = cpu_to_le16(val); 223 201 usb_control_msg(priv->udev, usb_sndctrlpipe(priv->udev, 0), 224 202 RTL8187_REQ_SET_REG, RTL8187_REQT_WRITE, 225 - (unsigned long)addr, idx & 0x03, &buf, sizeof(buf), 226 - HZ / 2); 203 + (unsigned long)addr, idx & 0x03, 204 + &priv->io_dmabuf->bits16, sizeof(val), HZ / 2); 205 + 206 + mutex_unlock(&priv->io_mutex); 227 207 } 228 208 229 209 static inline void rtl818x_iowrite16(struct rtl8187_priv *priv, __le16 *addr, ··· 238 212 static inline void rtl818x_iowrite32_idx(struct rtl8187_priv *priv, 239 213 __le32 *addr, u32 val, u8 idx) 240 214 { 241 - __le32 buf = cpu_to_le32(val); 215 + mutex_lock(&priv->io_mutex); 242 216 217 + priv->io_dmabuf->bits32 = cpu_to_le32(val); 243 218 usb_control_msg(priv->udev, usb_sndctrlpipe(priv->udev, 0), 244 219 RTL8187_REQ_SET_REG, RTL8187_REQT_WRITE, 245 - (unsigned long)addr, idx & 0x03, &buf, sizeof(buf), 246 - HZ / 2); 220 + (unsigned long)addr, idx & 0x03, 221 + &priv->io_dmabuf->bits32, sizeof(val), HZ / 2); 222 + 223 + mutex_unlock(&priv->io_mutex); 247 224 } 248 225 249 226 static inline void rtl818x_iowrite32(struct rtl8187_priv *priv, __le32 *addr,
+12 -1
drivers/net/wireless/rtl818x/rtl8187_dev.c
··· 1329 1329 priv = dev->priv; 1330 1330 priv->is_rtl8187b = (id->driver_info == DEVICE_RTL8187B); 1331 1331 1332 + /* allocate "DMA aware" buffer for register accesses */ 1333 + priv->io_dmabuf = kmalloc(sizeof(*priv->io_dmabuf), GFP_KERNEL); 1334 + if (!priv->io_dmabuf) { 1335 + err = -ENOMEM; 1336 + goto err_free_dev; 1337 + } 1338 + mutex_init(&priv->io_mutex); 1339 + 1332 1340 SET_IEEE80211_DEV(dev, &intf->dev); 1333 1341 usb_set_intfdata(intf, dev); 1334 1342 priv->udev = udev; ··· 1503 1495 err = ieee80211_register_hw(dev); 1504 1496 if (err) { 1505 1497 printk(KERN_ERR "rtl8187: Cannot register device\n"); 1506 - goto err_free_dev; 1498 + goto err_free_dmabuf; 1507 1499 } 1508 1500 mutex_init(&priv->conf_mutex); 1509 1501 skb_queue_head_init(&priv->b_tx_status.queue); ··· 1514 1506 1515 1507 return 0; 1516 1508 1509 + err_free_dmabuf: 1510 + kfree(priv->io_dmabuf); 1517 1511 err_free_dev: 1518 1512 ieee80211_free_hw(dev); 1519 1513 usb_set_intfdata(intf, NULL); ··· 1536 1526 priv = dev->priv; 1537 1527 usb_reset_device(priv->udev); 1538 1528 usb_put_dev(interface_to_usbdev(intf)); 1529 + kfree(priv->io_dmabuf); 1539 1530 ieee80211_free_hw(dev); 1540 1531 } 1541 1532
+7 -1
drivers/net/wireless/rtl818x/rtl8187_rtl8225.c
··· 88 88 rtl818x_iowrite16(priv, &priv->map->RFPinsOutput, reg80); 89 89 udelay(10); 90 90 91 + mutex_lock(&priv->io_mutex); 92 + 93 + priv->io_dmabuf->bits16 = data; 91 94 usb_control_msg(priv->udev, usb_sndctrlpipe(priv->udev, 0), 92 95 RTL8187_REQ_SET_REG, RTL8187_REQT_WRITE, 93 - addr, 0x8225, &data, sizeof(data), HZ / 2); 96 + addr, 0x8225, &priv->io_dmabuf->bits16, sizeof(data), 97 + HZ / 2); 98 + 99 + mutex_unlock(&priv->io_mutex); 94 100 95 101 rtl818x_iowrite16(priv, &priv->map->RFPinsOutput, reg80 | (1 << 2)); 96 102 udelay(10);
+1 -1
net/mac80211/rc80211_minstrel.c
··· 477 477 478 478 for (i = 0; i < IEEE80211_NUM_BANDS; i++) { 479 479 sband = hw->wiphy->bands[i]; 480 - if (sband->n_bitrates > max_rates) 480 + if (sband && sband->n_bitrates > max_rates) 481 481 max_rates = sband->n_bitrates; 482 482 } 483 483
+1 -1
net/mac80211/rc80211_pid_algo.c
··· 378 378 379 379 for (i = 0; i < IEEE80211_NUM_BANDS; i++) { 380 380 sband = hw->wiphy->bands[i]; 381 - if (sband->n_bitrates > max_rates) 381 + if (sband && sband->n_bitrates > max_rates) 382 382 max_rates = sband->n_bitrates; 383 383 } 384 384