From 4581d91b7717152001192112027596fbdeec06f6 Mon Sep 17 00:00:00 2001 From: Thomas Huehn Date: Tue, 17 Jul 2012 22:16:13 +0200 Subject: [PATCH 1/3] mac80211_hwsim: fix possible race condition in usage of info->control.sta & control.vif info->control.sta and control.vif may only be dereferenced during the drv_tx call otherwise could lead to use-after-free bugs. Signed-off-by: Thomas Huehn Signed-off-by: John W. Linville --- drivers/net/wireless/mac80211_hwsim.c | 5 ----- 1 file changed, 5 deletions(-) diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c index 643f968b05e..00838395778 100644 --- a/drivers/net/wireless/mac80211_hwsim.c +++ b/drivers/net/wireless/mac80211_hwsim.c @@ -739,11 +739,6 @@ static void mac80211_hwsim_tx(struct ieee80211_hw *hw, struct sk_buff *skb) txi = IEEE80211_SKB_CB(skb); - if (txi->control.vif) - hwsim_check_magic(txi->control.vif); - if (txi->control.sta) - hwsim_check_sta_magic(txi->control.sta); - ieee80211_tx_info_clear_status(txi); /* frame was transmitted at most favorable rate at first attempt */ From d8f1bd2ffcce6af1ace4f1efb327765144aa0755 Mon Sep 17 00:00:00 2001 From: Hauke Mehrtens Date: Thu, 26 Jul 2012 17:44:12 +0200 Subject: [PATCH 2/3] bcma: fix regression in interrupt assignment on mips MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The wrong interrupts where assigned to the cores in bcma_core_mips_init(). This caused at least my serial console not to response to any input. This was caused by this patch which changed the order of the cores in the list: commit c334e25c9f3a95f2bd6b79fedc5170f17245b1c7 Author: Rafał Miłecki Date: Wed Jul 11 12:37:00 2012 +0200 bcma: add new cores at the end of list This should be fixed properly later so that the correct interrupt numbers are assigned to the cores independently from the ordering of the list. This patch restores the old behavior again. I will look into the problem more deeply later. I also changed the order of the list with the cores and their assigned interrupt number which gets printed to the log. Now they are printed in the same order like all the other lists of cores and like it was done before the patch which changed the order. Signed-off-by: Hauke Mehrtens Signed-off-by: John W. Linville --- drivers/bcma/driver_mips.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/bcma/driver_mips.c b/drivers/bcma/driver_mips.c index b013b049476..cc65b45b436 100644 --- a/drivers/bcma/driver_mips.c +++ b/drivers/bcma/driver_mips.c @@ -131,7 +131,7 @@ static void bcma_core_mips_set_irq(struct bcma_device *dev, unsigned int irq) /* backplane irq line is in use, find out who uses * it and set user to irq 0 */ - list_for_each_entry_reverse(core, &bus->cores, list) { + list_for_each_entry(core, &bus->cores, list) { if ((1 << bcma_core_mips_irqflag(core)) == oldirqflag) { bcma_core_mips_set_irq(core, 0); @@ -161,7 +161,7 @@ static void bcma_core_mips_dump_irq(struct bcma_bus *bus) { struct bcma_device *core; - list_for_each_entry_reverse(core, &bus->cores, list) { + list_for_each_entry(core, &bus->cores, list) { bcma_core_mips_print_irq(core, bcma_core_mips_irq(core)); } } @@ -224,7 +224,7 @@ void bcma_core_mips_init(struct bcma_drv_mips *mcore) mcore->assigned_irqs = 1; /* Assign IRQs to all cores on the bus */ - list_for_each_entry_reverse(core, &bus->cores, list) { + list_for_each_entry(core, &bus->cores, list) { int mips_irq; if (core->irq) continue; From 9dbf5f55f8d35ff9aedc75267f4e4042aaf89755 Mon Sep 17 00:00:00 2001 From: Hauke Mehrtens Date: Thu, 26 Jul 2012 17:45:52 +0200 Subject: [PATCH 3/3] bcma: add missing iounmap on error path This should fix the problem reported by Fengguang: The coccinelle static checker emits these warnings: drivers/bcma/scan.c:466:3-9: ERROR: missing iounmap; ioremap on line 451 and execution via conditional on line 465 drivers/bcma/scan.c:540:3-9: ERROR: missing iounmap; ioremap on line 515 and execution via conditional on line 539 Reported-by: Fengguang Wu Signed-off-by: Hauke Mehrtens Signed-off-by: John W. Linville --- drivers/bcma/scan.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/drivers/bcma/scan.c b/drivers/bcma/scan.c index 5672b13d095..8d0b5716401 100644 --- a/drivers/bcma/scan.c +++ b/drivers/bcma/scan.c @@ -462,8 +462,10 @@ int bcma_bus_scan(struct bcma_bus *bus) while (eromptr < eromend) { struct bcma_device *other_core; struct bcma_device *core = kzalloc(sizeof(*core), GFP_KERNEL); - if (!core) - return -ENOMEM; + if (!core) { + err = -ENOMEM; + goto out; + } INIT_LIST_HEAD(&core->list); core->bus = bus; @@ -478,7 +480,7 @@ int bcma_bus_scan(struct bcma_bus *bus) } else if (err == -ESPIPE) { break; } - return err; + goto out; } core->core_index = core_num++; @@ -494,10 +496,12 @@ int bcma_bus_scan(struct bcma_bus *bus) list_add_tail(&core->list, &bus->cores); } + err = 0; +out: if (bus->hosttype == BCMA_HOSTTYPE_SOC) iounmap(eromptr); - return 0; + return err; } int __init bcma_bus_scan_early(struct bcma_bus *bus, @@ -537,7 +541,7 @@ int __init bcma_bus_scan_early(struct bcma_bus *bus, else if (err == -ESPIPE) break; else if (err < 0) - return err; + goto out; core->core_index = core_num++; bus->nr_cores++; @@ -551,6 +555,7 @@ int __init bcma_bus_scan_early(struct bcma_bus *bus, break; } +out: if (bus->hosttype == BCMA_HOSTTYPE_SOC) iounmap(eromptr);