From b25bfda38236f349cde0d1b28952f4eea2148d3f Mon Sep 17 00:00:00 2001 From: Mohammed Shafi Shajakhan Date: Mon, 26 Dec 2011 10:42:15 +0530 Subject: ath9k: Fix kernel panic in AR2427 in AP mode don't do aggregation related stuff for 'AP mode client power save handling' if aggregation is not enabled in the driver, otherwise it will lead to panic because those data structures won't be never intialized in 'ath_tx_node_init' if aggregation is disabled EIP is at ath_tx_aggr_wakeup+0x37/0x80 [ath9k] EAX: e8c09a20 EBX: f2a304e8 ECX: 00000001 EDX: 00000000 ESI: e8c085e0 EDI: f2a304ac EBP: f40e1ca4 ESP: f40e1c8c DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 Process swapper/1 (pid: 0, ti=f40e0000 task=f408e860 task.ti=f40dc000) Stack: 0001e966 e8c09a20 00000000 f2a304ac e8c085e0 f2a304ac f40e1cb0 f8186741 f8186700 f40e1d2c f922988d f2a304ac 00000202 00000001 c0b4ba43 00000000 0000000f e8eb75c0 e8c085e0 205b0001 34383220 f2a304ac f2a30000 00010020 Call Trace: [] ath9k_sta_notify+0x41/0x50 [ath9k] [] ? ath9k_get_survey+0x110/0x110 [ath9k] [] ieee80211_sta_ps_deliver_wakeup+0x9d/0x350 [mac80211] [] ? __module_address+0x95/0xb0 [] ap_sta_ps_end+0x63/0xa0 [mac80211] [] ieee80211_rx_h_sta_process+0x156/0x2b0 [mac80211] [] ieee80211_rx_handlers+0xce/0x510 [mac80211] [] ? trace_hardirqs_on+0xb/0x10 [] ? skb_queue_tail+0x3e/0x50 [] ieee80211_prepare_and_rx_handle+0x111/0x750 [mac80211] [] ieee80211_rx+0x349/0xb20 [mac80211] [] ? ieee80211_rx+0x99/0xb20 [mac80211] [] ath_rx_tasklet+0x818/0x1d00 [ath9k] [] ? ath9k_tasklet+0x35/0x1c0 [ath9k] [] ? ath9k_tasklet+0x35/0x1c0 [ath9k] [] ath9k_tasklet+0xf3/0x1c0 [ath9k] [] tasklet_action+0xbe/0x180 Cc: stable@kernel.org Cc: Senthil Balasubramanian Cc: Rajkumar Manoharan Reported-by: Ashwin Mendonca Tested-by: Ashwin Mendonca Signed-off-by: Mohammed Shafi Shajakhan Signed-off-by: John W. Linville --- drivers/net/wireless/ath/ath9k/main.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'drivers/net/wireless') diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c index d2348a5a7809..a9c5ae75277e 100644 --- a/drivers/net/wireless/ath/ath9k/main.c +++ b/drivers/net/wireless/ath/ath9k/main.c @@ -1843,6 +1843,9 @@ static void ath9k_sta_notify(struct ieee80211_hw *hw, struct ath_softc *sc = hw->priv; struct ath_node *an = (struct ath_node *) sta->drv_priv; + if (!(sc->sc_flags & SC_OP_TXAGGR)) + return; + switch (cmd) { case STA_NOTIFY_SLEEP: an->sleeping = true; -- cgit v1.2.3 From 09009512e5e7ab341b1554a256f81dd512c1f4bf Mon Sep 17 00:00:00 2001 From: Guennadi Liakhovetski Date: Mon, 26 Dec 2011 18:28:08 +0100 Subject: b43: fix regression in PIO case This patch fixes the regression, introduced by commit 17030f48e31adde5b043741c91ba143f5f7db0fd From: Rafał Miłecki Date: Thu, 11 Aug 2011 17:16:27 +0200 Subject: [PATCH] b43: support new RX header, noticed to be used in 598.314+ fw in PIO case. Signed-off-by: Guennadi Liakhovetski Signed-off-by: John W. Linville --- drivers/net/wireless/b43/pio.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-) (limited to 'drivers/net/wireless') diff --git a/drivers/net/wireless/b43/pio.c b/drivers/net/wireless/b43/pio.c index fcff923b3c18..279a53eae4c5 100644 --- a/drivers/net/wireless/b43/pio.c +++ b/drivers/net/wireless/b43/pio.c @@ -617,9 +617,19 @@ static bool pio_rx_frame(struct b43_pio_rxqueue *q) const char *err_msg = NULL; struct b43_rxhdr_fw4 *rxhdr = (struct b43_rxhdr_fw4 *)wl->pio_scratchspace; + size_t rxhdr_size = sizeof(*rxhdr); BUILD_BUG_ON(sizeof(wl->pio_scratchspace) < sizeof(*rxhdr)); - memset(rxhdr, 0, sizeof(*rxhdr)); + switch (dev->fw.hdr_format) { + case B43_FW_HDR_410: + case B43_FW_HDR_351: + rxhdr_size -= sizeof(rxhdr->format_598) - + sizeof(rxhdr->format_351); + break; + case B43_FW_HDR_598: + break; + } + memset(rxhdr, 0, rxhdr_size); /* Check if we have data and wait for it to get ready. */ if (q->rev >= 8) { @@ -657,11 +667,11 @@ data_ready: /* Get the preamble (RX header) */ if (q->rev >= 8) { - b43_block_read(dev, rxhdr, sizeof(*rxhdr), + b43_block_read(dev, rxhdr, rxhdr_size, q->mmio_base + B43_PIO8_RXDATA, sizeof(u32)); } else { - b43_block_read(dev, rxhdr, sizeof(*rxhdr), + b43_block_read(dev, rxhdr, rxhdr_size, q->mmio_base + B43_PIO_RXDATA, sizeof(u16)); } -- cgit v1.2.3 From b015dbc0f95eef34819515bd403a62569bca23df Mon Sep 17 00:00:00 2001 From: Amitkumar Karwar Date: Mon, 2 Jan 2012 16:18:40 -0800 Subject: mwifiex: fix crash during simultaneous scan and connect If 'iw connect' command is fired when driver is already busy in serving 'iw scan' command, ssid specific scan operation for connect is skipped. In this case cmd wait queue handler gets called with no command in queue (i.e. adapter->cmd_queued = NULL). This patch adds a NULL check in mwifiex_wait_queue_complete() routine to fix crash observed during simultaneous scan and assoc operations. Signed-off-by: Amitkumar Karwar Signed-off-by: Bing Zhao Signed-off-by: John W. Linville --- drivers/net/wireless/mwifiex/sta_ioctl.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'drivers/net/wireless') diff --git a/drivers/net/wireless/mwifiex/sta_ioctl.c b/drivers/net/wireless/mwifiex/sta_ioctl.c index ea4a29b7e331..1679c2593b7b 100644 --- a/drivers/net/wireless/mwifiex/sta_ioctl.c +++ b/drivers/net/wireless/mwifiex/sta_ioctl.c @@ -55,9 +55,14 @@ int mwifiex_wait_queue_complete(struct mwifiex_adapter *adapter) { bool cancel_flag = false; int status = adapter->cmd_wait_q.status; - struct cmd_ctrl_node *cmd_queued = adapter->cmd_queued; + struct cmd_ctrl_node *cmd_queued; + if (!adapter->cmd_queued) + return 0; + + cmd_queued = adapter->cmd_queued; adapter->cmd_queued = NULL; + dev_dbg(adapter->dev, "cmd pending\n"); atomic_inc(&adapter->cmd_pending); -- cgit v1.2.3