Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3346857f authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 

* git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6:
  iwlwifi: fix device id registration for 6000 series 2x2 devices
  ath5k: update channel in sw state after stopping RX and TX
  rtl8187: use DMA-aware buffers with usb_control_msg
  mac80211: avoid NULL ptr deref when finding max_rates in PID and minstrel
  airo: airo_get_encode{,ext} potential buffer overflow

Pulled directly by Linus because Davem is off playing shuffle-board at
some Alaskan cruise, and the NULL ptr deref issue hits people and should
get merged sooner rather than later.

David - make us proud on the shuffle-board tournament!
parents 5d41343a 542cc793

drivers/net/wireless/airo.c

+8 −2
Original line number Diff line number Diff line
@@ -6501,7 +6501,10 @@ static int airo_get_encode(struct net_device *dev, 


	/* Copy the key to the user buffer */

	dwrq->length = get_wep_key(local, index, &buf[0], sizeof(buf));

	if (dwrq->length != -1)

		memcpy(extra, buf, dwrq->length);

	else

		dwrq->length = 0;



	return 0;

}
@@ -6659,7 +6662,10 @@ static int airo_get_encodeext(struct net_device *dev, 
	

	/* Copy the key to the user buffer */

	ext->key_len = get_wep_key(local, idx, &buf[0], sizeof(buf));

	if (ext->key_len != -1)

		memcpy(extra, buf, ext->key_len);

	else

		ext->key_len = 0;



	return 0;

}

drivers/net/wireless/ath5k/base.c

+13 −9
Original line number Diff line number Diff line
@@ -214,7 +214,7 @@ static struct pci_driver ath5k_pci_driver = { 
 * Prototypes - MAC 802.11 stack related functions

 */

static int ath5k_tx(struct ieee80211_hw *hw, struct sk_buff *skb);

static int ath5k_reset(struct ath5k_softc *sc, bool stop, bool change_channel);

static int ath5k_reset(struct ath5k_softc *sc, struct ieee80211_channel *chan);

static int ath5k_reset_wake(struct ath5k_softc *sc);

static int ath5k_start(struct ieee80211_hw *hw);

static void ath5k_stop(struct ieee80211_hw *hw);
@@ -1038,16 +1038,13 @@ ath5k_chan_set(struct ath5k_softc *sc, struct ieee80211_channel *chan) 
	if (chan->center_freq != sc->curchan->center_freq ||

		chan->hw_value != sc->curchan->hw_value) {



		sc->curchan = chan;

		sc->curband = &sc->sbands[chan->band];



		/*

		 * To switch channels clear any pending DMA operations;

		 * wait long enough for the RX fifo to drain, reset the

		 * hardware at the new frequency, and then re-enable

		 * the relevant bits of the h/w.

		 */

		return ath5k_reset(sc, true, true);

		return ath5k_reset(sc, chan);

	}



	return 0;
@@ -2314,7 +2311,7 @@ ath5k_init(struct ath5k_softc *sc) 
	sc->imask = AR5K_INT_RXOK | AR5K_INT_RXERR | AR5K_INT_RXEOL |

		AR5K_INT_RXORN | AR5K_INT_TXDESC | AR5K_INT_TXEOL |

		AR5K_INT_FATAL | AR5K_INT_GLOBAL;

	ret = ath5k_reset(sc, false, false);

	ret = ath5k_reset(sc, NULL);

	if (ret)

		goto done;
@@ -2599,18 +2596,25 @@ ath5k_tx(struct ieee80211_hw *hw, struct sk_buff *skb) 
	return NETDEV_TX_OK;

}



/*

 * Reset the hardware.  If chan is not NULL, then also pause rx/tx

 * and change to the given channel.

 */

static int

ath5k_reset(struct ath5k_softc *sc, bool stop, bool change_channel)

ath5k_reset(struct ath5k_softc *sc, struct ieee80211_channel *chan)

{

	struct ath5k_hw *ah = sc->ah;

	int ret;



	ATH5K_DBG(sc, ATH5K_DEBUG_RESET, "resetting\n");



	if (stop) {

	if (chan) {

		ath5k_hw_set_imr(ah, 0);

		ath5k_txq_cleanup(sc);

		ath5k_rx_stop(sc);



		sc->curchan = chan;

		sc->curband = &sc->sbands[chan->band];

	}

	ret = ath5k_hw_reset(ah, sc->opmode, sc->curchan, true);

	if (ret) {
@@ -2648,7 +2652,7 @@ ath5k_reset_wake(struct ath5k_softc *sc) 
{

	int ret;



	ret = ath5k_reset(sc, true, true);

	ret = ath5k_reset(sc, sc->curchan);

	if (!ret)

		ieee80211_wake_queues(sc->hw);

drivers/net/wireless/iwlwifi/iwl-6000.c

+4 −4
Original line number Diff line number Diff line
@@ -101,8 +101,8 @@ struct iwl_cfg iwl6000_2agn_cfg = { 
	.eeprom_ver = EEPROM_5000_EEPROM_VERSION,

	.eeprom_calib_ver = EEPROM_5000_TX_POWER_VERSION,

	.mod_params = &iwl50_mod_params,

	.valid_tx_ant = ANT_BC,

	.valid_rx_ant = ANT_BC,

	.valid_tx_ant = ANT_AB,

	.valid_rx_ant = ANT_AB,

	.need_pll_cfg = false,

};
@@ -117,8 +117,8 @@ struct iwl_cfg iwl6050_2agn_cfg = { 
	.eeprom_ver = EEPROM_5000_EEPROM_VERSION,

	.eeprom_calib_ver = EEPROM_5000_TX_POWER_VERSION,

	.mod_params = &iwl50_mod_params,

	.valid_tx_ant = ANT_BC,

	.valid_rx_ant = ANT_BC,

	.valid_tx_ant = ANT_AB,

	.valid_rx_ant = ANT_AB,

	.need_pll_cfg = false,

};

drivers/net/wireless/iwlwifi/iwl-agn.c

+2 −0
Original line number Diff line number Diff line
@@ -3636,7 +3636,9 @@ static struct pci_device_id iwl_hw_card_ids[] = { 
	{IWL_PCI_DEVICE(0x0085, 0x1112, iwl6000_2ag_cfg)},

	{IWL_PCI_DEVICE(0x0082, 0x1122, iwl6000_2ag_cfg)},

	{IWL_PCI_DEVICE(0x422B, PCI_ANY_ID, iwl6000_3agn_cfg)},

	{IWL_PCI_DEVICE(0x422C, PCI_ANY_ID, iwl6000_2agn_cfg)},

	{IWL_PCI_DEVICE(0x4238, PCI_ANY_ID, iwl6000_3agn_cfg)},

	{IWL_PCI_DEVICE(0x4239, PCI_ANY_ID, iwl6000_2agn_cfg)},

	{IWL_PCI_DEVICE(0x0082, PCI_ANY_ID, iwl6000_2agn_cfg)},

	{IWL_PCI_DEVICE(0x0085, PCI_ANY_ID, iwl6000_3agn_cfg)},

	{IWL_PCI_DEVICE(0x0086, PCI_ANY_ID, iwl6050_3agn_cfg)},

drivers/net/wireless/rtl818x/rtl8187.h

+43 −14
Original line number Diff line number Diff line
@@ -120,6 +120,12 @@ struct rtl8187_priv { 
		__le64 buf;

		struct sk_buff_head queue;

	} b_tx_status; /* This queue is used by both -b and non-b devices */

	struct mutex io_mutex;

	union {

		u8 bits8;

		__le16 bits16;

		__le32 bits32;

	} *io_dmabuf;

};



void rtl8187_write_phy(struct ieee80211_hw *dev, u8 addr, u32 data);
@@ -129,10 +135,14 @@ static inline u8 rtl818x_ioread8_idx(struct rtl8187_priv *priv, 
{

	u8 val;



	mutex_lock(&priv->io_mutex);

	usb_control_msg(priv->udev, usb_rcvctrlpipe(priv->udev, 0),

			RTL8187_REQ_GET_REG, RTL8187_REQT_READ,

			(unsigned long)addr, idx & 0x03, &val,

			sizeof(val), HZ / 2);

			(unsigned long)addr, idx & 0x03,

			&priv->io_dmabuf->bits8, sizeof(val), HZ / 2);



	val = priv->io_dmabuf->bits8;

	mutex_unlock(&priv->io_mutex);



	return val;

}
@@ -147,10 +157,14 @@ static inline u16 rtl818x_ioread16_idx(struct rtl8187_priv *priv, 
{

	__le16 val;



	mutex_lock(&priv->io_mutex);

	usb_control_msg(priv->udev, usb_rcvctrlpipe(priv->udev, 0),

			RTL8187_REQ_GET_REG, RTL8187_REQT_READ,

			(unsigned long)addr, idx & 0x03, &val,

			sizeof(val), HZ / 2);

			(unsigned long)addr, idx & 0x03,

			&priv->io_dmabuf->bits16, sizeof(val), HZ / 2);



	val = priv->io_dmabuf->bits16;

	mutex_unlock(&priv->io_mutex);



	return le16_to_cpu(val);

}
@@ -165,10 +179,14 @@ static inline u32 rtl818x_ioread32_idx(struct rtl8187_priv *priv, 
{

	__le32 val;



	mutex_lock(&priv->io_mutex);

	usb_control_msg(priv->udev, usb_rcvctrlpipe(priv->udev, 0),

			RTL8187_REQ_GET_REG, RTL8187_REQT_READ,

			(unsigned long)addr, idx & 0x03, &val,

			sizeof(val), HZ / 2);

			(unsigned long)addr, idx & 0x03,

			&priv->io_dmabuf->bits32, sizeof(val), HZ / 2);



	val = priv->io_dmabuf->bits32;

	mutex_unlock(&priv->io_mutex);



	return le32_to_cpu(val);

}
@@ -181,10 +199,15 @@ static inline u32 rtl818x_ioread32(struct rtl8187_priv *priv, __le32 *addr) 
static inline void rtl818x_iowrite8_idx(struct rtl8187_priv *priv,

					u8 *addr, u8 val, u8 idx)

{

	mutex_lock(&priv->io_mutex);



	priv->io_dmabuf->bits8 = val;

	usb_control_msg(priv->udev, usb_sndctrlpipe(priv->udev, 0),

			RTL8187_REQ_SET_REG, RTL8187_REQT_WRITE,

			(unsigned long)addr, idx & 0x03, &val,

			sizeof(val), HZ / 2);

			(unsigned long)addr, idx & 0x03,

			&priv->io_dmabuf->bits8, sizeof(val), HZ / 2);



	mutex_unlock(&priv->io_mutex);

}



static inline void rtl818x_iowrite8(struct rtl8187_priv *priv, u8 *addr, u8 val)
@@ -195,12 +218,15 @@ static inline void rtl818x_iowrite8(struct rtl8187_priv *priv, u8 *addr, u8 val) 
static inline void rtl818x_iowrite16_idx(struct rtl8187_priv *priv,

					 __le16 *addr, u16 val, u8 idx)

{

	__le16 buf = cpu_to_le16(val);

	mutex_lock(&priv->io_mutex);



	priv->io_dmabuf->bits16 = cpu_to_le16(val);

	usb_control_msg(priv->udev, usb_sndctrlpipe(priv->udev, 0),

			RTL8187_REQ_SET_REG, RTL8187_REQT_WRITE,

			(unsigned long)addr, idx & 0x03, &buf, sizeof(buf),

			HZ / 2);

			(unsigned long)addr, idx & 0x03,

			&priv->io_dmabuf->bits16, sizeof(val), HZ / 2);



	mutex_unlock(&priv->io_mutex);

}



static inline void rtl818x_iowrite16(struct rtl8187_priv *priv, __le16 *addr,
@@ -212,12 +238,15 @@ static inline void rtl818x_iowrite16(struct rtl8187_priv *priv, __le16 *addr, 
static inline void rtl818x_iowrite32_idx(struct rtl8187_priv *priv,

					 __le32 *addr, u32 val, u8 idx)

{

	__le32 buf = cpu_to_le32(val);

	mutex_lock(&priv->io_mutex);



	priv->io_dmabuf->bits32 = cpu_to_le32(val);

	usb_control_msg(priv->udev, usb_sndctrlpipe(priv->udev, 0),

			RTL8187_REQ_SET_REG, RTL8187_REQT_WRITE,

			(unsigned long)addr, idx & 0x03, &buf, sizeof(buf),

			HZ / 2);

			(unsigned long)addr, idx & 0x03,

			&priv->io_dmabuf->bits32, sizeof(val), HZ / 2);



	mutex_unlock(&priv->io_mutex);

}



static inline void rtl818x_iowrite32(struct rtl8187_priv *priv, __le32 *addr,