[PATCH] b43: Fix radio ID register reading
This fixes reading of the high 16 bits of the radio ID
on new devices. 2055 radios want lo16 to be read first.
Signed-off-by: Michael Buesch [EMAIL PROTECTED]
---
For 2.6.25
Index: wireless-2.6/drivers/net/wireless/b43/main.c
===
--- wireless-2.6.orig/drivers/net/wireless/b43/main.c 2008-01-13
13:26:18.0 +0100
+++ wireless-2.6/drivers/net/wireless/b43/main.c2008-01-13
13:59:27.0 +0100
@@ -3136,16 +3136,15 @@ static int b43_phy_versioning(struct b43
else if (dev-dev-bus-chip_rev == 1)
tmp = 0x4205017F;
else
tmp = 0x5205017F;
} else {
b43_write16(dev, B43_MMIO_RADIO_CONTROL, B43_RADIOCTL_ID);
- tmp = b43_read16(dev, B43_MMIO_RADIO_DATA_HIGH);
- tmp = 16;
+ tmp = b43_read16(dev, B43_MMIO_RADIO_DATA_LOW);
b43_write16(dev, B43_MMIO_RADIO_CONTROL, B43_RADIOCTL_ID);
- tmp |= b43_read16(dev, B43_MMIO_RADIO_DATA_LOW);
+ tmp |= (u32)b43_read16(dev, B43_MMIO_RADIO_DATA_HIGH) 16;
}
radio_manuf = (tmp 0x0FFF);
radio_ver = (tmp 0x0000) 12;
radio_rev = (tmp 0xF000) 28;
if (radio_manuf != 0x17F /* Broadcom */)
unsupported = 1;
@@ -3164,13 +3163,13 @@ static int b43_phy_versioning(struct b43
break;
case B43_PHYTYPE_G:
if (radio_ver != 0x2050)
unsupported = 1;
break;
case B43_PHYTYPE_N:
- if (radio_ver != 5)
+ if (radio_ver != 0x2055)
unsupported = 1;
break;
default:
B43_WARN_ON(1);
}
if (unsupported) {
___
Bcm43xx-dev mailing list
Bcm43xx-dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/bcm43xx-dev
[PATCH] b43: Add Broadcom 2055 radio register definitions
Add the register definitions for the Broadcom 2055 N-radio. Signed-off-by: Michael Buesch [EMAIL PROTECTED] --- For 2.6.25 Index: wireless-2.6/drivers/net/wireless/b43/nphy.h === --- wireless-2.6.orig/drivers/net/wireless/b43/nphy.h 2008-01-09 17:06:35.0 +0100 +++ wireless-2.6/drivers/net/wireless/b43/nphy.h2008-01-13 16:39:10.0 +0100 @@ -696,11 +696,221 @@ #define B43_NPHY_FINERX2_CGC_DECGC0x0008 /* Decode gated clocks */ #define B43_NPHY_TXPCTL_INIT B43_PHY_N(0x222) /* TX power controll init */ #define B43_NPHY_TXPCTL_INIT_PIDXI1 0x00FF /* Power index init 1 */ #define B43_NPHY_TXPCTL_INIT_PIDXI1_SHIFT 0 + +/* Broadcom 2055 radio registers */ + +#define B2055_GEN_SPARE0x00 /* GEN spare */ +#define B2055_SP_PINPD 0x02 /* SP PIN PD */ +#define B2055_C1_SP_RSSI 0x03 /* SP RSSI Core 1 */ +#define B2055_C1_SP_PDMISC 0x04 /* SP PD MISC Core 1 */ +#define B2055_C2_SP_RSSI 0x05 /* SP RSSI Core 2 */ +#define B2055_C2_SP_PDMISC 0x06 /* SP PD MISC Core 2 */ +#define B2055_C1_SP_RXGC1 0x07 /* SP RX GC1 Core 1 */ +#define B2055_C1_SP_RXGC2 0x08 /* SP RX GC2 Core 1 */ +#define B2055_C2_SP_RXGC1 0x09 /* SP RX GC1 Core 2 */ +#define B2055_C2_SP_RXGC2 0x0A /* SP RX GC2 Core 2 */ +#define B2055_C1_SP_LPFBWSEL 0x0B /* SP LPF BW select Core 1 */ +#define B2055_C2_SP_LPFBWSEL 0x0C /* SP LPF BW select Core 2 */ +#define B2055_C1_SP_TXGC1 0x0D /* SP TX GC1 Core 1 */ +#define B2055_C1_SP_TXGC2 0x0E /* SP TX GC2 Core 1 */ +#define B2055_C2_SP_TXGC1 0x0F /* SP TX GC1 Core 2 */ +#define B2055_C2_SP_TXGC2 0x10 /* SP TX GC2 Core 2 */ +#define B2055_MASTER1 0x11 /* Master control 1 */ +#define B2055_MASTER2 0x12 /* Master control 2 */ +#define B2055_PD_LGEN 0x13 /* PD LGEN */ +#define B2055_PD_PLLTS 0x14 /* PD PLL TS */ +#define B2055_C1_PD_LGBUF 0x15 /* PD Core 1 LGBUF */ +#define B2055_C1_PD_TX 0x16 /* PD Core 1 TX */ +#define B2055_C1_PD_RXTX 0x17 /* PD Core 1 RXTX */ +#define B2055_C1_PD_RSSIMISC 0x18 /* PD Core 1 RSSI MISC */ +#define B2055_C2_PD_LGBUF 0x19 /* PD Core 2 LGBUF */ +#define B2055_C2_PD_TX 0x1A /* PD Core 2 TX */ +#define B2055_C2_PD_RXTX 0x1B /* PD Core 2 RXTX */ +#define B2055_C2_PD_RSSIMISC 0x1C /* PD Core 2 RSSI MISC */ +#define B2055_PWRDET_LGEN 0x1D /* PWRDET LGEN */ +#define B2055_C1_PWRDET_LGBUF 0x1E /* PWRDET LGBUF Core 1 */ +#define B2055_C1_PWRDET_RXTX 0x1F /* PWRDET RXTX Core 1 */ +#define B2055_C2_PWRDET_LGBUF 0x20 /* PWRDET LGBUF Core 2 */ +#define B2055_C2_PWRDET_RXTX 0x21 /* PWRDET RXTX Core 2 */ +#define B2055_RRCCAL_CS0x22 /* RRCCAL Control spare */ +#define B2055_RRCCAL_NOPTSEL 0x23 /* RRCCAL N OPT SEL */ +#define B2055_CAL_MISC 0x24 /* CAL MISC */ +#define B2055_CAL_COUT 0x25 /* CAL Counter out */ +#define B2055_CAL_COUT20x26 /* CAL Counter out 2 */ +#define B2055_CAL_CVARCTL 0x27 /* CAL CVAR Control */ +#define B2055_CAL_RVARCTL 0x28 /* CAL RVAR Control */ +#define B2055_CAL_LPOCTL 0x29 /* CAL LPO Control */ +#define B2055_CAL_TS 0x2A /* CAL TS */ +#define B2055_CAL_RCCALRTS 0x2B /* CAL RCCAL READ TS */ +#define B2055_CAL_RCALRTS 0x2C /* CAL RCAL READ TS */ +#define B2055_PADDRV 0x2D /* PAD driver */ +#define B2055_XOCTL1 0x2E /* XO Control 1 */ +#define B2055_XOCTL2 0x2F /* XO Control 2 */ +#define B2055_XOREGUL 0x30 /* XO Regulator */ +#define B2055_XOMISC 0x31 /* XO misc */ +#define B2055_PLL_LFC1 0x32 /* PLL LF C1 */ +#define B2055_PLL_CALVTH 0x33 /* PLL CAL VTH */ +#define B2055_PLL_LFC2 0x34 /* PLL LF C2 */ +#define B2055_PLL_REF 0x35 /* PLL reference */ +#define B2055_PLL_LFR1 0x36 /* PLL LF R1 */ +#define B2055_PLL_PFDCP0x37 /* PLL PFD CP */ +#define B2055_PLL_IDAC_CPOPAMP 0x38 /* PLL IDAC CPOPAMP */ +#define B2055_PLL_CPREG0x39 /* PLL CP Regulator */ +#define B2055_PLL_RCAL 0x3A /* PLL RCAL */ +#define B2055_RF_PLLMOD0 0x3B /* RF PLL MOD0 */ +#define B2055_RF_PLLMOD1 0x3C /* RF PLL MOD1 */ +#define B2055_RF_MMDIDAC1 0x3D /* RF MMD IDAC 1 */ +#define B2055_RF_MMDIDAC0 0x3E /* RF MMD IDAC 0 */ +#define B2055_RF_MMDSP 0x3F /* RF MMD
Re: b43_suspend problem
On Sunday 13 January 2008 18:08:57 Alan Stern wrote: On Sun, 13 Jan 2008, Rafael J. Wysocki wrote: On Sunday, 13 of January 2008, Michael Buesch wrote: On Sunday 13 January 2008 00:08:29 Rafael J. Wysocki wrote: There is a problem with b43_suspend() that it (indirectly) causes b43_leds_exit() to be called, which attempts to unregister the leds device objects, which is forbidden (ie. you can't unregister and/or register devices during a suspend or resume). Why? Well, the unregistering itself is not really harmful, provided that the device is not registered back during the subsequent resume. The PM core uses a list of active devices that are added to the list in device_add(). The ordering of this list is important, because it is expected to reflect the order in which the devices are to be suspended. This list is manipulated during suspend/resume and devices are moved from it and back to it, so unregistering devices during a suspend and registering them during the subsequent resume generally changes its ordering and may lead to problems during the next suspend/resume cycle. This is also undesirable if we're going to stop using the freezer for suspend/resume at one point in the future. I'm sure Alan can add some more details. Indeed. A system suspend is a delicate operation, and the PM core needs to access all the devices in the system. To have devices being registered and unregistered at the same time would cause a lot of confusion. In self defense, the PM core starts out by acquiring all the device semaphores before calling the suspend routines. This means that if a suspend routine tries to unregister anything, it will deadlock at the point where the driver core tries to acquire the device semaphore prior to invoking the driver's remove method. Besides, if you're going to register the device right back again during the subsequent resume, then why go to the trouble of unregistering it during suspend? Why not just leave it registered the whole time and avoid all the complication (and excess meaningless uevents)? Well, because not doing it complicates code :) Currently suspend/resume calls the same code as init/exit. The b43 init/exit code is really complicated, compared to other drivers, due to dozens of hardware versions. So I just avoided having yet other codepaths for suspend/resume. But I will add a flag to the device structure that's used to avoid unregistering stuff. -- Greetings Michael. ___ Bcm43xx-dev mailing list Bcm43xx-dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/bcm43xx-dev
[PATCH] b43: fix use-after-free rfkill bug
Fix rfkill code which caused a use-after-free bug.
Signed-off-by: Stefano Brivio [EMAIL PROTECTED]
---
Index: wireless-2.6/drivers/net/wireless/b43/rfkill.c
===
--- wireless-2.6.orig/drivers/net/wireless/b43/rfkill.c
+++ wireless-2.6/drivers/net/wireless/b43/rfkill.c
@@ -138,8 +138,11 @@ void b43_rfkill_init(struct b43_wldev *d
rfk-rfkill-user_claim_unsupported = 1;
rfk-poll_dev = input_allocate_polled_device();
- if (!rfk-poll_dev)
- goto err_free_rfk;
+ if (!rfk-poll_dev) {
+ rfkill_free(rfk-rfkill);
+ goto err_freed_rfk;
+ }
+
rfk-poll_dev-private = dev;
rfk-poll_dev-poll = b43_rfkill_poll;
rfk-poll_dev-poll_interval = 1000; /* msecs */
@@ -175,8 +178,7 @@ err_unreg_rfk:
err_free_polldev:
input_free_polled_device(rfk-poll_dev);
rfk-poll_dev = NULL;
-err_free_rfk:
- rfkill_free(rfk-rfkill);
+err_freed_rfk:
rfk-rfkill = NULL;
out_error:
rfk-registered = 0;
@@ -195,6 +197,5 @@ void b43_rfkill_exit(struct b43_wldev *d
rfkill_unregister(rfk-rfkill);
input_free_polled_device(rfk-poll_dev);
rfk-poll_dev = NULL;
- rfkill_free(rfk-rfkill);
rfk-rfkill = NULL;
}
--
Ciao
Stefano
___
Bcm43xx-dev mailing list
Bcm43xx-dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/bcm43xx-dev
[PATCH] b43legacy: fix use-after-free rfkill bug
Fix rfkill code which caused a use-after-free bug. Thanks to David
Woodhouse for spotting this out.
Cc: David Woodhouse [EMAIL PROTECTED]
Signed-off-by: Stefano Brivio [EMAIL PROTECTED]
---
Index: wireless-2.6/drivers/net/wireless/b43legacy/rfkill.c
===
--- wireless-2.6.orig/drivers/net/wireless/b43legacy/rfkill.c
+++ wireless-2.6/drivers/net/wireless/b43legacy/rfkill.c
@@ -141,8 +141,11 @@ void b43legacy_rfkill_init(struct b43leg
rfk-rfkill-user_claim_unsupported = 1;
rfk-poll_dev = input_allocate_polled_device();
- if (!rfk-poll_dev)
- goto err_free_rfk;
+ if (!rfk-poll_dev) {
+ rfkill_free(rfk-rfkill);
+ goto err_freed_rfk;
+ }
+
rfk-poll_dev-private = dev;
rfk-poll_dev-poll = b43legacy_rfkill_poll;
rfk-poll_dev-poll_interval = 1000; /* msecs */
@@ -178,8 +181,7 @@ err_unreg_rfk:
err_free_polldev:
input_free_polled_device(rfk-poll_dev);
rfk-poll_dev = NULL;
-err_free_rfk:
- rfkill_free(rfk-rfkill);
+err_freed_rfk:
rfk-rfkill = NULL;
out_error:
rfk-registered = 0;
@@ -198,7 +200,6 @@ void b43legacy_rfkill_exit(struct b43leg
rfkill_unregister(rfk-rfkill);
input_free_polled_device(rfk-poll_dev);
rfk-poll_dev = NULL;
- rfkill_free(rfk-rfkill);
rfk-rfkill = NULL;
}
--
Ciao
Stefano
___
Bcm43xx-dev mailing list
Bcm43xx-dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/bcm43xx-dev
Re: [PATCH] b43: fix use-after-free rfkill bug
On Sunday 13 January 2008 18:30:14 Stefano Brivio wrote:
Fix rfkill code which caused a use-after-free bug.
Signed-off-by: Stefano Brivio [EMAIL PROTECTED]
---
Index: wireless-2.6/drivers/net/wireless/b43/rfkill.c
===
--- wireless-2.6.orig/drivers/net/wireless/b43/rfkill.c
+++ wireless-2.6/drivers/net/wireless/b43/rfkill.c
@@ -138,8 +138,11 @@ void b43_rfkill_init(struct b43_wldev *d
rfk-rfkill-user_claim_unsupported = 1;
rfk-poll_dev = input_allocate_polled_device();
- if (!rfk-poll_dev)
- goto err_free_rfk;
+ if (!rfk-poll_dev) {
+ rfkill_free(rfk-rfkill);
+ goto err_freed_rfk;
+ }
+
rfk-poll_dev-private = dev;
rfk-poll_dev-poll = b43_rfkill_poll;
rfk-poll_dev-poll_interval = 1000; /* msecs */
@@ -175,8 +178,7 @@ err_unreg_rfk:
err_free_polldev:
input_free_polled_device(rfk-poll_dev);
rfk-poll_dev = NULL;
-err_free_rfk:
- rfkill_free(rfk-rfkill);
+err_freed_rfk:
rfk-rfkill = NULL;
out_error:
rfk-registered = 0;
@@ -195,6 +197,5 @@ void b43_rfkill_exit(struct b43_wldev *d
rfkill_unregister(rfk-rfkill);
input_free_polled_device(rfk-poll_dev);
rfk-poll_dev = NULL;
- rfkill_free(rfk-rfkill);
rfk-rfkill = NULL;
}
Acked-by: Michael Buesch [EMAIL PROTECTED]
--
Greetings Michael.
___
Bcm43xx-dev mailing list
Bcm43xx-dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/bcm43xx-dev
[PATCH] ssb: Add boardflags_hi field to the sprom data structure
Add boardflags-high.
Signed-off-by: Michael Buesch [EMAIL PROTECTED]
---
For 2.6.25
Index: wireless-2.6/drivers/ssb/pci.c
===
--- wireless-2.6.orig/drivers/ssb/pci.c 2008-01-09 16:59:33.0 +0100
+++ wireless-2.6/drivers/ssb/pci.c 2008-01-13 21:01:14.0 +0100
@@ -374,12 +374,14 @@ static void sprom_extract_r123(struct ss
SSB_SPROM1_MAXPWR_A_SHIFT);
SPEX(maxpwr_bg, SSB_SPROM1_MAXPWR, SSB_SPROM1_MAXPWR_BG, 0);
SPEX(itssi_a, SSB_SPROM1_ITSSI, SSB_SPROM1_ITSSI_A,
SSB_SPROM1_ITSSI_A_SHIFT);
SPEX(itssi_bg, SSB_SPROM1_ITSSI, SSB_SPROM1_ITSSI_BG, 0);
SPEX(boardflags_lo, SSB_SPROM1_BFLLO, 0x, 0);
+ if (out-revision = 2)
+ SPEX(boardflags_hi, SSB_SPROM2_BFLHI, 0x, 0);
/* Extract the antenna gain values. */
gain = r123_extract_antgain(out-revision, in,
SSB_SPROM1_AGAIN_BG,
SSB_SPROM1_AGAIN_BG_SHIFT);
out-antenna_gain.ghz24.a0 = gain;
@@ -415,12 +417,13 @@ static void sprom_extract_r4(struct ssb_
}
SPEX(et0phyaddr, SSB_SPROM4_ETHPHY, SSB_SPROM4_ETHPHY_ET0A, 0);
SPEX(et1phyaddr, SSB_SPROM4_ETHPHY, SSB_SPROM4_ETHPHY_ET1A,
SSB_SPROM4_ETHPHY_ET1A_SHIFT);
SPEX(country_code, SSB_SPROM4_CCODE, 0x, 0);
SPEX(boardflags_lo, SSB_SPROM4_BFLLO, 0x, 0);
+ SPEX(boardflags_hi, SSB_SPROM4_BFLHI, 0x, 0);
SPEX(ant_available_a, SSB_SPROM4_ANTAVAIL, SSB_SPROM4_ANTAVAIL_A,
SSB_SPROM4_ANTAVAIL_A_SHIFT);
SPEX(ant_available_bg, SSB_SPROM4_ANTAVAIL, SSB_SPROM4_ANTAVAIL_BG,
SSB_SPROM4_ANTAVAIL_BG_SHIFT);
SPEX(maxpwr_bg, SSB_SPROM4_MAXP_BG, SSB_SPROM4_MAXP_BG_MASK, 0);
SPEX(itssi_bg, SSB_SPROM4_MAXP_BG, SSB_SPROM4_ITSSI_BG,
Index: wireless-2.6/include/linux/ssb/ssb.h
===
--- wireless-2.6.orig/include/linux/ssb/ssb.h 2008-01-09 16:59:33.0
+0100
+++ wireless-2.6/include/linux/ssb/ssb.h2008-01-13 21:00:39.0
+0100
@@ -40,12 +40,13 @@ struct ssb_sprom {
u8 gpio3; /* GPIO pin 3 */
u16 maxpwr_a; /* A-PHY Amplifier Max Power (in dBm Q5.2) */
u16 maxpwr_bg; /* B/G-PHY Amplifier Max Power (in dBm Q5.2) */
u8 itssi_a; /* Idle TSSI Target for A-PHY */
u8 itssi_bg;/* Idle TSSI Target for B/G-PHY */
u16 boardflags_lo; /* Boardflags (low 16 bits) */
+ u16 boardflags_hi; /* Boardflags (high 16 bits) */
/* Antenna gain values for up to 4 antennas
* on each band. Values in dBm/4 (Q5.2). Negative gain means the
* loss in the connectors is bigger than the gain. */
struct {
struct {
___
Bcm43xx-dev mailing list
Bcm43xx-dev@lists.berlios.de
https://lists.berlios.de/mailman/listinfo/bcm43xx-dev
Re: [PATCH] b43: rfkill use after free
On Sunday 13 January 2008 22:20:52 Eric Paris wrote: inside b43_rfkill_exit() we call rfkill_unregister() which puts the last reference and frees the rfkill struct. Then just 3 lines later the code explicitly calls rfkill_free() on the struct we already freed. This showed up as slub corruption (what should have been 6b was showing up as 6a) since the rfkill_free had dec'ed the are that should have been the use counter. stop using the already freed rfkill struct. = BUG kmalloc-1024 (Not tainted): Poison overwritten - INFO: 0xf40b89e8-0xf40b89e8. First byte 0x6a instead of 0x6b INFO: Allocated in rfkill_allocate+0x1b/0x8b [rfkill] age=231032011 cpu=0 pid=2403 INFO: Freed in rfkill_release+0xd/0x19 [rfkill] age=366 cpu=0 pid=2403 INFO: Slab 0xc1b62840 used=6 fp=0xf40b8860 flags=0x400040c3 INFO: Object 0xf40b8860 @offset=2144 fp=0x Signed-off-by: Eric Paris [EMAIL PROTECTED] --- drivers/net/wireless/b43/rfkill.c |1 - 1 file changed, 1 deletion(-) diff --git a/drivers/net/wireless/b43/rfkill.c b/drivers/net/wireless/b43/rfkill.c index 98cf70c..a19be53 100644 --- a/drivers/net/wireless/b43/rfkill.c +++ b/drivers/net/wireless/b43/rfkill.c @@ -195,6 +195,5 @@ void b43_rfkill_exit(struct b43_wldev *dev) rfkill_unregister(rfk-rfkill); input_free_polled_device(rfk-poll_dev); rfk-poll_dev = NULL; - rfkill_free(rfk-rfkill); rfk-rfkill = NULL; } NACK. Better patch available from Stefano. -- Greetings Michael. ___ Bcm43xx-dev mailing list Bcm43xx-dev@lists.berlios.de https://lists.berlios.de/mailman/listinfo/bcm43xx-dev
