From 9480550ecaeccb6024d6c425908c6032e6106cae Mon Sep 17 00:00:00 2001
From: Andrew Thompson
Date: Sat, 14 Feb 2009 22:29:54 +0000
Subject: [PATCH] - ieee80211_chan2ieee returns an int - avoid null deref in detach - update pause timings Obtained from: //depot/projects/usb
---
 sys/dev/usb2/wlan/if_rum2.c | 60 ++++++++++++++++++++++++------------
 sys/dev/usb2/wlan/if_ural2.c | 44 +++++++++++++++++++-------
 2 files changed, 74 insertions(+), 30 deletions(-)
diff --git a/sys/dev/usb2/wlan/if_rum2.c b/sys/dev/usb2/wlan/if_rum2.c
index 4e78c37cb8b0..1577a079da78 100644
--- a/sys/dev/usb2/wlan/if_rum2.c
+++ b/sys/dev/usb2/wlan/if_rum2.c
@@ -192,6 +192,7 @@ static int rum_get_rssi(struct rum_softc *, uint8_t);
 static void rum_amrr_start(struct rum_softc *, struct ieee80211_node *);
 static void rum_amrr_timeout(void *);
+static int rum_pause(struct rum_softc *, int);
 static void rum_queue_command(struct rum_softc *, usb2_proc_callback_t *, struct usb2_proc_msg *, struct usb2_proc_msg *);
@@ -446,12 +447,13 @@ rum_attach_post(struct usb2_proc_msg *pm)
 uint8_t bands;
 /* retrieve RT2573 rev. no */
- for (ntries = 0; ntries != 1000; ntries++) {
+ for (ntries = 0; ntries < 100; ntries++) {
 if ((tmp = rum_read(sc, RT2573_MAC_CSR0)) != 0)
 break;
- usb2_pause_mtx(&sc->sc_mtx, hz / 1000);
+ if (rum_pause(sc, hz / 100))
+ break;
 }
- if (ntries == 1000) {
+ if (ntries == 100) {
 device_printf(sc->sc_dev, "timeout waiting for chip to settle\n");
 return;
 }
@@ -547,7 +549,7 @@ rum_detach(device_t self)
 {
 struct rum_softc *sc = device_get_softc(self);
 struct ifnet *ifp = sc->sc_ifp;
- struct ieee80211com *ic = ifp->if_l2com;
+ struct ieee80211com *ic;
 /* wait for any post attach or other command to complete */
 usb2_proc_drain(&sc->sc_tq);
@@ -562,6 +564,7 @@ rum_detach(device_t self)
 RUM_UNLOCK(sc);
 if (ifp) {
+ ic = ifp->if_l2com;
 bpfdetach(ifp);
 ieee80211_ifdetach(ic);
 if_free(ifp);
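Review bot: In the rum_attach_post retry loop, a non-zero return from `rum_pause()` leaves the loop with `ntries < 100`, so the `if (ntries == 100)` check is skipped and attach carries on even though `tmp` may still be 0; an aborted wait is handled as if the chip had become ready. The same loop shape is added in rum_bbp_write, rum_bbp_read, rum_rf_write, rum_bbp_init and rum_init_task, and in their ural_* counterparts in if_ural2.c. The abort should leave the function the way the timeout branch does, e.g. `if (rum_pause(sc, hz / 100)) return;` here and `goto fail;` in rum_init_task. What rum_read() returns once the command process is gone is not visible in this patch, so the practical effect on the unplug path should be confirmed.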
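Review bot: In rum_detach, `ifp` is still loaded from `sc->sc_ifp` in its declaration, before `usb2_proc_drain(&sc->sc_tq)` has waited for the post-attach command to finish. If that command is what assigns `sc->sc_ifp` (the assignment is not visible in these hunks), the local can hold a stale NULL and the `if (ifp)` block that detaches and frees the interface is skipped. Loading it after the drain, `ifp = sc->sc_ifp;`, would close that window; ural_detach in if_ural2.c has the same shape. The function is split across this hunk and the next one, and the rest of its body is outside both.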
@@ -1452,11 +1455,13 @@ rum_bbp_write(struct rum_softc *sc, uint8_t reg, uint8_t val)
 uint32_t tmp;
 int ntries;
- for (ntries = 0; ntries < 5; ntries++) {
+ for (ntries = 0; ntries < 100; ntries++) {
 if (!(rum_read(sc, RT2573_PHY_CSR3) & RT2573_BBP_BUSY))
 break;
+ if (rum_pause(sc, hz / 100))
+ break;
 }
- if (ntries == 5) {
+ if (ntries == 100) {
 device_printf(sc->sc_dev, "could not write to BBP\n");
 return;
 }
@@ -1471,11 +1476,13 @@ rum_bbp_read(struct rum_softc *sc, uint8_t reg)
 uint32_t val;
 int ntries;
- for (ntries = 0; ntries < 5; ntries++) {
+ for (ntries = 0; ntries < 100; ntries++) {
 if (!(rum_read(sc, RT2573_PHY_CSR3) & RT2573_BBP_BUSY))
 break;
+ if (rum_pause(sc, hz / 100))
+ break;
 }
- if (ntries == 5) {
+ if (ntries == 100) {
 device_printf(sc->sc_dev, "could not read BBP\n");
 return 0;
 }
@@ -1487,7 +1494,8 @@ rum_bbp_read(struct rum_softc *sc, uint8_t reg)
 val = rum_read(sc, RT2573_PHY_CSR3);
 if (!(val & RT2573_BBP_BUSY))
 return val & 0xff;
- DELAY(1);
+ if (rum_pause(sc, hz / 100))
+ break;
 }
 device_printf(sc->sc_dev, "could not read BBP\n");
@@ -1500,11 +1508,13 @@ rum_rf_write(struct rum_softc *sc, uint8_t reg, uint32_t val)
 uint32_t tmp;
 int ntries;
- for (ntries = 0; ntries < 5; ntries++) {
+ for (ntries = 0; ntries < 100; ntries++) {
 if (!(rum_read(sc, RT2573_PHY_CSR4) & RT2573_RF_BUSY))
 break;
+ if (rum_pause(sc, hz / 100))
+ break;
 }
- if (ntries == 5) {
+ if (ntries == 100) {
 device_printf(sc->sc_dev, "could not write to RF\n");
 return;
 }
@@ -1651,7 +1661,7 @@ rum_set_chan(struct rum_softc *sc, struct ieee80211_channel *c)
 const struct rfprog *rfprog;
 uint8_t bbp3, bbp94 = RT2573_BBPR94_DEFAULT;
 int8_t power;
- u_int i, chan;
+ int i, chan;
 chan = ieee80211_chan2ieee(ic, c);
 if (chan == 0 || chan == IEEE80211_CHAN_ANY)
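Review bot: The busy-wait in rum_bbp_write can now last up to 100 sleeps of `hz / 100` ticks (about one second) instead of five back-to-back reads, yet the function still returns void after printing "could not write to BBP". A caller that programs several BBP registers in a row (callers are outside this hunk) would sit through one full timeout per register whenever the device never clears `RT2573_BBP_BUSY`, which a faulty or non-conforming USB device can cause. Returning an error so callers can stop at the first timeout would bound that stall; the same applies to rum_rf_write and to ural_bbp_write and ural_rf_write. Separately, `hz / 100` evaluates to 0 when `hz` is below 100, and how `usb2_pause_mtx()` treats a zero timeout is not visible here.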
@@ -1698,7 +1708,7 @@ rum_set_chan(struct rum_softc *sc, struct ieee80211_channel *c)
 rum_rf_write(sc, RT2573_RF3, rfprog[i].r3 | power << 7);
 rum_rf_write(sc, RT2573_RF4, rfprog[i].r4 | sc->rffreq << 10);
- DELAY(10);
+ rum_pause(sc, hz / 100);
 /* enable smart mode for MIMO-capable RFs */
 bbp3 = rum_bbp_read(sc, 3);
@@ -1914,7 +1924,8 @@ rum_bbp_init(struct rum_softc *sc)
 const uint8_t val = rum_bbp_read(sc, 0);
 if (val != 0 && val != 0xff)
 break;
- DELAY(1000);
+ if (rum_pause(sc, hz / 100))
+ break;
 }
 if (ntries == 100) {
 device_printf(sc->sc_dev, "timeout waiting for BBP\n");
@@ -1961,13 +1972,14 @@ rum_init_task(struct usb2_proc_msg *pm)
 rum_write(sc, RT2573_MAC_CSR1, 0);
 /* wait for BBP/RF to wakeup */
- for (ntries = 0; ntries < 1000; ntries++) {
+ for (ntries = 0; ntries < 100; ntries++) {
 if (rum_read(sc, RT2573_MAC_CSR12) & 8)
 break;
 rum_write(sc, RT2573_MAC_CSR12, 4); /* force wakeup */
- DELAY(1000);
+ if (rum_pause(sc, hz / 100))
+ break;
 }
- if (ntries == 1000) {
+ if (ntries == 100) {
 device_printf(sc->sc_dev, "timeout waiting for BBP/RF to wakeup\n");
 goto fail;
@@ -2011,6 +2023,7 @@ rum_init_task(struct usb2_proc_msg *pm)
 ifp->if_drv_flags &= ~IFF_DRV_OACTIVE;
 ifp->if_drv_flags |= IFF_DRV_RUNNING;
+ usb2_transfer_set_stall(sc->sc_xfer[RUM_BULK_WR]);
 usb2_transfer_start(sc->sc_xfer[RUM_BULK_RD]);
 return;
@@ -2279,10 +2292,9 @@ rum_set_channel(struct ieee80211com *ic)
 RUM_LOCK(sc);
 /* do it in a process context */
 sc->sc_scan_action = RUM_SET_CHANNEL;
+ sc->sc_rates = ieee80211_get_ratetable(ic->ic_curchan);
 rum_queue_command(sc, rum_scantask, &sc->sc_scantask[0].hdr, &sc->sc_scantask[1].hdr);
-
- sc->sc_rates = ieee80211_get_ratetable(ic->ic_curchan);
 RUM_UNLOCK(sc);
 }
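Review bot: The added `usb2_transfer_set_stall(sc->sc_xfer[RUM_BULK_WR]);` in rum_init_task has no comment and is not covered by the commit message, which lists only the int return, the detach fix and the pause timings. A one-line comment stating the intent would help the next reader, for example `/* have any stall on the TX pipe cleared before the first transfer */` if that is what the call is for. No matching line is added to if_ural2.c in this patch; that driver may already do this, but the asymmetry is worth confirming. rum_init_task starts and ends outside this hunk.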
@@ -2363,6 +2375,16 @@ rum_get_rssi(struct rum_softc *sc, uint8_t raw)
 return rssi;
 }
+static int
+rum_pause(struct rum_softc *sc, int timeout)
+{
+ if (usb2_proc_is_gone(&sc->sc_tq))
+ return (1);
+
+ usb2_pause_mtx(&sc->sc_mtx, timeout);
+ return (0);
+}
+
 static void
 rum_queue_command(struct rum_softc *sc, usb2_proc_callback_t *fn, struct usb2_proc_msg *t0, struct usb2_proc_msg *t1)
diff --git a/sys/dev/usb2/wlan/if_ural2.c b/sys/dev/usb2/wlan/if_ural2.c
index 34bb1b37ac33..46cd4df0f7f9 100644
--- a/sys/dev/usb2/wlan/if_ural2.c
+++ b/sys/dev/usb2/wlan/if_ural2.c
@@ -165,6 +165,7 @@ static int ural_raw_xmit(struct ieee80211_node *, struct mbuf *,
 static void ural_amrr_start(struct ural_softc *, struct ieee80211_node *);
 static void ural_amrr_timeout(void *);
+static int ural_pause(struct ural_softc *sc, int timeout);
 static void ural_queue_command(struct ural_softc *, usb2_proc_callback_t *, struct usb2_proc_msg *, struct usb2_proc_msg *);
@@ -533,7 +534,7 @@ ural_detach(device_t self)
 {
 struct ural_softc *sc = device_get_softc(self);
 struct ifnet *ifp = sc->sc_ifp;
- struct ieee80211com *ic = ifp->if_l2com;
+ struct ieee80211com *ic;
 /* wait for any post attach or other command to complete */
 usb2_proc_drain(&sc->sc_tq);
@@ -548,6 +549,7 @@ ural_detach(device_t self)
 RAL_UNLOCK(sc);
 if (ifp) {
+ ic = ifp->if_l2com;
 bpfdetach(ifp);
 ieee80211_ifdetach(ic);
 if_free(ifp);
@@ -1566,11 +1568,13 @@ ural_bbp_write(struct ural_softc *sc, uint8_t reg, uint8_t val)
 uint16_t tmp;
 int ntries;
- for (ntries = 0; ntries < 5; ntries++) {
+ for (ntries = 0; ntries < 100; ntries++) {
 if (!(ural_read(sc, RAL_PHY_CSR8) & RAL_BBP_BUSY))
 break;
+ if (ural_pause(sc, hz / 100))
+ break;
 }
- if (ntries == 5) {
+ if (ntries == 100) {
 device_printf(sc->sc_dev, "could not write to BBP\n");
 return;
 }
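Review bot: rum_pause() is added without a comment describing its contract, although the meaning of its return value is what every caller's `break` depends on. Suggested header: `/* Sleep for 'timeout' ticks via usb2_pause_mtx(); returns 1 without sleeping when usb2_proc_is_gone() reports the command process gone, 0 otherwise. */`. ural_pause() in if_ural2.c is a line-for-line copy and would take the same comment.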
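Review bot: The new prototype `static int ural_pause(struct ural_softc *sc, int timeout);` names its parameters, while the neighbouring prototypes in this block and the matching `rum_pause` prototype in if_rum2.c leave them unnamed. For consistency with the surrounding declarations it could read `static int ural_pause(struct ural_softc *, int);`.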
@@ -1588,11 +1592,13 @@ ural_bbp_read(struct ural_softc *sc, uint8_t reg)
 val = RAL_BBP_WRITE | reg << 8;
 ural_write(sc, RAL_PHY_CSR7, val);
- for (ntries = 0; ntries < 5; ntries++) {
+ for (ntries = 0; ntries < 100; ntries++) {
 if (!(ural_read(sc, RAL_PHY_CSR8) & RAL_BBP_BUSY))
 break;
+ if (ural_pause(sc, hz / 100))
+ break;
 }
- if (ntries == 5) {
+ if (ntries == 100) {
 device_printf(sc->sc_dev, "could not read BBP\n");
 return 0;
 }
@@ -1606,11 +1612,13 @@ ural_rf_write(struct ural_softc *sc, uint8_t reg, uint32_t val)
 uint32_t tmp;
 int ntries;
- for (ntries = 0; ntries < 5; ntries++) {
+ for (ntries = 0; ntries < 100; ntries++) {
 if (!(ural_read(sc, RAL_PHY_CSR10) & RAL_RF_LOBUSY))
 break;
+ if (ural_pause(sc, hz / 100))
+ break;
 }
- if (ntries == 5) {
+ if (ntries == 100) {
 device_printf(sc->sc_dev, "could not write to RF\n");
 return;
 }
@@ -1693,7 +1701,7 @@ ural_set_chan(struct ural_softc *sc, struct ieee80211_channel *c)
 struct ifnet *ifp = sc->sc_ifp;
 struct ieee80211com *ic = ifp->if_l2com;
 uint8_t power, tmp;
- u_int i, chan;
+ int i, chan;
 chan = ieee80211_chan2ieee(ic, c);
 if (chan == 0 || chan == IEEE80211_CHAN_ANY)
@@ -1784,7 +1792,7 @@ ural_set_chan(struct ural_softc *sc, struct ieee80211_channel *c)
 /* clear CRC errors */
 ural_read(sc, RAL_STA_CSR0);
- DELAY(10000);
+ ural_pause(sc, hz / 100);
 ural_disable_rf_tune(sc);
 }
@@ -2009,7 +2017,8 @@ ural_bbp_init(struct ural_softc *sc)
 for (ntries = 0; ntries < 100; ntries++) {
 if (ural_bbp_read(sc, RAL_BBP_VERSION) != 0)
 break;
- DELAY(1000);
+ if (ural_pause(sc, hz / 100))
+ break;
 }
 if (ntries == 100) {
 device_printf(sc->sc_dev, "timeout waiting for BBP\n");
@@ -2110,7 +2119,8 @@ ural_init_task(struct usb2_proc_msg *pm)
 if ((tmp & (RAL_BBP_AWAKE | RAL_RF_AWAKE)) == (RAL_BBP_AWAKE | RAL_RF_AWAKE))
 break;
- DELAY(1000);
+ if (ural_pause(sc, hz / 100))
+ break;
 }
 if (ntries == 100) {
 device_printf(sc->sc_dev,
@@ -2205,6 +2215,8 @@ ural_stop_task(struct usb2_proc_msg *pm)
 ural_write(sc, RAL_TXRX_CSR2, RAL_DISABLE_RX);
 /* reset ASIC and BBP (but won't reset MAC registers!) */
 ural_write(sc, RAL_MAC_CSR1, RAL_RESET_ASIC | RAL_RESET_BBP);
+ /* wait a little */
+ ural_pause(sc, hz / 10);
 ural_write(sc, RAL_MAC_CSR1, 0);
 }
@@ -2310,6 +2322,16 @@ ural_amrr_task(struct usb2_proc_msg *pm)
 usb2_callout_reset(&uvp->amrr_ch, hz, ural_amrr_timeout, uvp);
 }
+static int
+ural_pause(struct ural_softc *sc, int timeout)
+{
+ if (usb2_proc_is_gone(&sc->sc_tq))
+ return (1);
+
+ usb2_pause_mtx(&sc->sc_mtx, timeout);
+ return (0);
+}
+
 static void
 ural_queue_command(struct ural_softc *sc, usb2_proc_callback_t *fn, struct usb2_proc_msg *t0, struct usb2_proc_msg *t1)
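Review bot: In ural_stop_task the return value of `ural_pause(sc, hz / 10)` is ignored, so when the command process is already gone the call returns at once and `RAL_MAC_CSR1` is cleared with no delay after the reset write. The comment `/* wait a little */` does not say whether the hardware needs that delay; if it does, stating it would make the intent checkable, e.g. `/* let the ASIC/BBP reset settle (~100 ms) before releasing it; skipped when the process is gone */`. Whether skipping the delay on the unplug path is harmless is not visible from this hunk. ural_stop_task begins outside the hunk.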