From f9721ed2707661af75a414d09cdcd71f99a13f62 Mon Sep 17 00:00:00 2001
From: Jesper Juhl
Date: Sun, 29 Jan 2012 21:34:04 +0100
Subject: [PATCH 1/6] bcma: Fix mem leak in bcma_bus_scan() bcma_bus_scan() leaks 'struct bcma_device' bytes if bcma_get_next_core() returns error. Restructure the code so we always kfree() the memory we allocate to the variable 'core' before it goes out of scope.
Signed-off-by: Jesper Juhl
Signed-off-by: John W. Linville
---
 drivers/bcma/scan.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/drivers/bcma/scan.c b/drivers/bcma/scan.c
index cad99485768..3a2f672db9a 100644
--- a/drivers/bcma/scan.c
+++ b/drivers/bcma/scan.c
@@ -399,15 +399,18 @@ int bcma_bus_scan(struct bcma_bus *bus)
 core->bus = bus; err = bcma_get_next_core(bus, &eromptr, NULL, core_num, core);
- if (err == -ENODEV) {
- core_num++;
- continue;
- } else if (err == -ENXIO)
- continue;
- else if (err == -ESPIPE)
- break;
- else if (err < 0)
+ if (err < 0) {
+ kfree(core);
+ if (err == -ENODEV) {
+ core_num++;
+ continue;
+ } else if (err == -ENXIO) {
+ continue;
+ } else if (err == -ESPIPE) {
+ break;
+ }
 return err;
+ }
 core->core_index = core_num++; bus->nr_cores++;
From 7fc417556473f15efac269523c17eb92103c6484 Mon Sep 17 00:00:00 2001
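Review bot: The three sentinel errnos inside the new `if (err < 0)` block steer the scan loop differently and nothing in the hunk says why: -ENODEV bumps `core_num` before `continue`, -ENXIO continues without bumping it, and -ESPIPE leaves the loop. A one-line comment above the chain, such as `/* -ENODEV: skip this core but count it; -ENXIO: skip without counting; -ESPIPE: stop scanning; any other error is fatal */`, would keep a later cleanup from merging branches that look alike. Calling `kfree(core)` first is the right shape, since every one of these paths drops the pointer. The allocation and the code after the loop are outside the hunk, so whether anything added to the bus by earlier iterations is released on the final `return err` cannot be checked from here.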
From: Luigi Tarenga
Date: Tue, 31 Jan 2012 18:51:23 +0100
Subject: [PATCH 2/6] rt2800lib: fix wrong -128dBm when signal is stronger than -12dBm This patch correct the type of variables containing the rssi values read from the rxwi. In function rt2800_agc_to_rssi() 3 variables (rssi0, rssi1, rss2) defined as int was assigned a 16bit signed values as unsigned. From a test with a hi-gain antenna I verified that the rxwi contains signed rssi values in the range -13/+81 (inclusive) with 0 as an error condition. In case of negative values a condition is triggered and the function return -128dBm while the signal is at its maximum. This patch correct the cast so negative values are not treated as very high positive values (ex. -13 does not become 243).
Signed-off-by: Luigi Tarenga
Reviewed-by: Stanislaw Gruszka
Signed-off-by: John W. Linville
---
 drivers/net/wireless/rt2x00/rt2800lib.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/rt2x00/rt2800lib.c b/drivers/net/wireless/rt2x00/rt2800lib.c
index 22a1a8fc6e0..7bef66def10 100644
--- a/drivers/net/wireless/rt2x00/rt2800lib.c
+++ b/drivers/net/wireless/rt2x00/rt2800lib.c
@@ -514,9 +514,9 @@ EXPORT_SYMBOL_GPL(rt2800_write_tx_data);
 static int rt2800_agc_to_rssi(struct rt2x00_dev *rt2x00dev, u32 rxwi_w2) {
- int rssi0 = rt2x00_get_field32(rxwi_w2, RXWI_W2_RSSI0);
- int rssi1 = rt2x00_get_field32(rxwi_w2, RXWI_W2_RSSI1);
- int rssi2 = rt2x00_get_field32(rxwi_w2, RXWI_W2_RSSI2);
+ s8 rssi0 = rt2x00_get_field32(rxwi_w2, RXWI_W2_RSSI0);
+ s8 rssi1 = rt2x00_get_field32(rxwi_w2, RXWI_W2_RSSI1);
+ s8 rssi2 = rt2x00_get_field32(rxwi_w2, RXWI_W2_RSSI2);
 u16 eeprom; u8 offset0; u8 offset1;
@@ -552,7 +552,7 @@ static int rt2800_agc_to_rssi(struct rt2x00_dev *rt2x00dev, u32 rxwi_w2)
 * which gives less energy... */ rssi0 = max(rssi0, rssi1);
- return max(rssi0, rssi2);
+ return (int)max(rssi0, rssi2);
 } void rt2800_process_rxwi(struct queue_entry *entry,
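Review bot: Narrowing `rssi0`..`rssi2` to `s8` in the first hunk fixes the sign of the extracted field, but it also makes every later store into those variables 8 bits wide. If the lines between the two hunks (not shown) write an offset-adjusted value back into them, a result below -128 or above 127 would wrap silently, which is the same class of error this patch sets out to remove. Keeping the locals as `int` and sign-extending only at extraction avoids that: `int rssi0 = (s8)rt2x00_get_field32(rxwi_w2, RXWI_W2_RSSI0);` and likewise for `rssi1` and `rssi2`. The `(int)` cast added to the `return` in the second hunk is redundant either way, because the function already returns `int`.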
From 5fb8c182d26472ea24cbbadb6a3e355d7621cca4 Mon Sep 17 00:00:00 2001
From: "John W. Linville"
Date: Tue, 31 Jan 2012 14:40:49 -0500
Subject: [PATCH 3/6] iwlwifi: make "Tx aggregation enabled on ra =" be at DEBUG level Average users either don't care or they think that message indicates a problem...
Signed-off-by: John W. Linville
---
 drivers/net/wireless/iwlwifi/iwl-agn-tx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/iwlwifi/iwl-agn-tx.c b/drivers/net/wireless/iwlwifi/iwl-agn-tx.c
index c664c272655..339e8d96b65 100644
--- a/drivers/net/wireless/iwlwifi/iwl-agn-tx.c
+++ b/drivers/net/wireless/iwlwifi/iwl-agn-tx.c
@@ -620,7 +620,7 @@ int iwlagn_tx_agg_oper(struct iwl_priv *priv, struct ieee80211_vif *vif,
 sta_priv->lq_sta.lq.agg_params.agg_frame_cnt_limit = sta_priv->max_agg_bufsize;
- IWL_INFO(priv, "Tx aggregation enabled on ra = %pM tid = %d\n",
+ IWL_DEBUG_HT(priv, "Tx aggregation enabled on ra = %pM tid = %d\n",
 sta->addr, tid); return iwl_send_lq_cmd(priv, ctx,
From a6c84622b7fa3ea5417a9d1d0ce0bc3e7fbe3be1 Mon Sep 17 00:00:00 2001
From: Hauke Mehrtens
Date: Wed, 1 Feb 2012 00:13:53 +0100
Subject: [PATCH 4/6] ssb: fix cardbus slot in hostmode ssb supports one extra device on the cardbus. This results in two devices in total, one beeing the host controller itself and the other the external device connected to the hostcontroller over cardbus. This makes the cardbus slot work on the Linksys WRT150N.
Reported-by: Aaron Z
Signed-off-by: Hauke Mehrtens
Signed-off-by: John W. Linville
---
 drivers/ssb/driver_pcicore.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/ssb/driver_pcicore.c b/drivers/ssb/driver_pcicore.c
index 520e8286db2..49d209173f5 100644
--- a/drivers/ssb/driver_pcicore.c
+++ b/drivers/ssb/driver_pcicore.c
@@ -75,7 +75,7 @@ static u32 get_cfgspace_addr(struct ssb_pcicore *pc,
 u32 tmp; /* We do only have one cardbus device behind the bridge. */
- if (pc->cardbusmode && (dev >= 1))
+ if (pc->cardbusmode && (dev > 1))
 goto out; if (bus == 0) {
From 3d29dd9b5b160ba4542a9b8f869a220559e633a0 Mon Sep 17 00:00:00 2001
From: Emmanuel Grumbach
Date: Wed, 1 Feb 2012 07:01:32 -0800
Subject: [PATCH 5/6] iwlwifi: don't mess up QoS counters with non-QoS frames In my AMPDU rework, I rely on the sequence numbers of frames. But I didn't check that the frame has a valid tid before updating the tracking counters. As a result, the Tx queues were stalled. People who hit this bug saw that we simply didn't let any data out. This bug was introduced in 3.3. This patch fixes that and checks that the frame is a QoS frame before looking at its tid and changing the counters.
Signed-off-by: Emmanuel Grumbach
Signed-off-by: Wey-Yi Guy
Signed-off-by: John W. Linville
---
 drivers/net/wireless/iwlwifi/iwl-agn-tx.c | 12 +++++++++---
 drivers/net/wireless/iwlwifi/iwl-commands.h | 1 +
 drivers/net/wireless/iwlwifi/iwl-trans-pcie.c | 1 +
 3 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/iwlwifi/iwl-agn-tx.c b/drivers/net/wireless/iwlwifi/iwl-agn-tx.c
index 339e8d96b65..63bbc60be28 100644
--- a/drivers/net/wireless/iwlwifi/iwl-agn-tx.c
+++ b/drivers/net/wireless/iwlwifi/iwl-agn-tx.c
@@ -91,6 +91,7 @@ static void iwlagn_tx_cmd_build_basic(struct iwl_priv *priv,
 tx_cmd->tid_tspec = qc[0] & 0xf; tx_flags &= ~TX_CMD_FLG_SEQ_CTL_MSK; } else {
+ tx_cmd->tid_tspec = IWL_TID_NON_QOS;
 if (info->flags & IEEE80211_TX_CTL_ASSIGN_SEQ) tx_flags |= TX_CMD_FLG_SEQ_CTL_MSK; else
@@ -808,6 +809,8 @@ static void iwl_rx_reply_tx_agg(struct iwl_priv *priv,
 u32 status = le16_to_cpu(tx_resp->status.status); int i;
+ WARN_ON(tid == IWL_TID_NON_QOS);
+
 if (agg->wait_for_ba) IWL_DEBUG_TX_REPLY(priv, "got tx response w/o block-ack\n");
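Review bot: The comment above the changed test in get_cfgspace_addr() still reads "We do only have one cardbus device behind the bridge", while the condition now lets `dev` 0 and 1 through. Going by the commit message the two are the host controller and the external cardbus device, so the comment should say that, for example `/* Cardbus mode: only the host controller and one external device exist, so reject dev > 1. */`. The function body continues outside the hunk, so how `dev` is used after this guard is not visible here.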
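Review bot: `WARN_ON(tid == IWL_TID_NON_QOS)` in iwl_rx_reply_tx_agg() only logs; execution carries on with the same `tid`, and `agg` is dereferenced on the next code line. This patch's iwl-commands.h hunk defines IWL_TID_NON_QOS as IWL_MAX_TID_COUNT, so if `agg` or anything later in the function is reached through a per-TID array sized by that count (the lookup is outside the hunk), the access would be one element past the end. The function returns void, so bailing out is cheap: `if (WARN_ON(tid == IWL_TID_NON_QOS)) return;`. If `agg` is computed from `tid` before this line, the check belongs above that lookup.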
@@ -1035,10 +1038,13 @@ int iwlagn_rx_reply_tx(struct iwl_priv *priv, struct iwl_rx_mem_buffer *rxb,
 } __skb_queue_head_init(&skbs);
- priv->tid_data[sta_id][tid].next_reclaimed = next_reclaimed;
- IWL_DEBUG_TX_REPLY(priv, "Next reclaimed packet:%d",
- next_reclaimed);
+ if (tid != IWL_TID_NON_QOS) {
+ priv->tid_data[sta_id][tid].next_reclaimed =
+ next_reclaimed;
+ IWL_DEBUG_TX_REPLY(priv, "Next reclaimed packet:%d",
+ next_reclaimed);
+ }
 /*we can free until ssn % q.n_bd not inclusive */ WARN_ON(iwl_trans_reclaim(trans(priv), sta_id, tid, txq_id,
diff --git a/drivers/net/wireless/iwlwifi/iwl-commands.h b/drivers/net/wireless/iwlwifi/iwl-commands.h
index 265de39d394..f822ac447c3 100644
--- a/drivers/net/wireless/iwlwifi/iwl-commands.h
+++ b/drivers/net/wireless/iwlwifi/iwl-commands.h
@@ -815,6 +815,7 @@ struct iwl_qosparam_cmd {
 #define IWL_INVALID_STATION 255 #define IWL_MAX_TID_COUNT 8
+#define IWL_TID_NON_QOS IWL_MAX_TID_COUNT
 #define STA_FLG_TX_RATE_MSK cpu_to_le32(1 << 2) #define STA_FLG_PWR_SAVE_MSK cpu_to_le32(1 << 8)
diff --git a/drivers/net/wireless/iwlwifi/iwl-trans-pcie.c b/drivers/net/wireless/iwlwifi/iwl-trans-pcie.c
index 67d6e324e26..324d06dfb69 100644
--- a/drivers/net/wireless/iwlwifi/iwl-trans-pcie.c
+++ b/drivers/net/wireless/iwlwifi/iwl-trans-pcie.c
@@ -1262,6 +1262,7 @@ static int iwl_trans_pcie_reclaim(struct iwl_trans *trans, int sta_id, int tid,
 txq->time_stamp = jiffies; if (unlikely(txq_id >= IWLAGN_FIRST_AMPDU_QUEUE &&
+ tid != IWL_TID_NON_QOS &&
 txq_id != trans_pcie->agg_txq[sta_id][tid])) { /* * FIXME: this is a uCode bug which need to be addressed,
From 07ae2dfcf4f7143ce191c6436da1c33f179af0d6 Mon Sep 17 00:00:00 2001
From: Eliad Peller
Date: Wed, 1 Feb 2012 18:48:09 +0200
Subject: [PATCH 6/6] mac80211: timeout a single frame in the rx reorder buffer The current code checks for stored_mpdu_num > 1, causing the reorder_timer to be triggered indefinitely, but the frame is never timed-out (until the next packet is received)
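Review bot: The new guard `if (tid != IWL_TID_NON_QOS)` in iwlagn_rx_reply_tx() excludes exactly one value, so any other out-of-range `tid` would still index `priv->tid_data[sta_id][tid]`. How `tid` is derived is outside the hunk; if it is taken from the device's Tx response, a bounds test is the safer form: `if (tid < IWL_MAX_TID_COUNT) {`. That also covers the sentinel, since IWL_TID_NON_QOS equals IWL_MAX_TID_COUNT. The same applies to the `tid != IWL_TID_NON_QOS &&` term added in front of `trans_pcie->agg_txq[sta_id][tid]` in the iwl-trans-pcie.c hunk. The function body begins and ends outside this hunk.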
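Review bot: `IWL_TID_NON_QOS` is introduced in iwl-commands.h without a comment, and its value is the TID count itself, that is, one more than the largest valid TID. A line above the define such as `/* Marker for frames without a QoS TID; equals the TID count, so never use it as an array index */` would put that constraint where the next reader of the constant will see it.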
Signed-off-by: Eliad Peller
Cc:
Acked-by: Johannes Berg
Signed-off-by: John W. Linville
---
 net/mac80211/rx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/mac80211/rx.c b/net/mac80211/rx.c
index 75140912076..5a5e504a8ff 100644
--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -611,7 +611,7 @@ static void ieee80211_sta_reorder_release(struct ieee80211_hw *hw,
 index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) % tid_agg_rx->buf_size; if (!tid_agg_rx->reorder_buf[index] &&
- tid_agg_rx->stored_mpdu_num > 1) {
+ tid_agg_rx->stored_mpdu_num) {
 /* * No buffers ready to be released, but check whether any * frames in the reorder buffer have timed out.