Re: Cisco Aironet mini-PCI wireless card (MPI-350) [Was: Re: Intel

Jeremy Fitzhardinge (jeremy@goop.org)
12 Jun 2003 10:46:38 -0700


This is a MIME-formatted message. If you see this text it means that your
E-mail software does not support MIME-formatted messages.

--=_courier-19559-1055440240-0001-2
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 7bit

On Thu, 2003-06-12 at 10:20, Jan Mynarik wrote:
> Cisco's linux support is great until you have IBM's ThinkPad R40. With
> this notebook, their newest Linux driver (version 2.0, older ones do not
> support my card) module (mpi350.o) can't be inserted to kernel (oops and
> module remains 'initializing' forever). Module is compiled successfully
> against both 2.4.20 and 2.4.21-rc7 kernels.
>
> I'm just fighting their bureaucracy (in support) and trying to reach
> someone who actually wrote the driver (module says Roland Wilcher). I
> want to help him with testing and provide him with all possible
> information.

Downgrade your firmware. On the Cisco site, there's a Linux driver
paired with a particular firmware version. Use it: there's a bug in the
kernel driver in which it reads stuff out of the card's RIDs into a
local structure, but using the card's RID size. The newer firmware has
increased the structure sizes for some RIDs, which overruns the stack
and crashes.

I have attached a patch for the driver to fix the crash, but I'm not
confident the card works well without the correct firmware.

J

--=_courier-19559-1055440240-0001-2
Content-Type: text/plain; name="rid-size-fix.diff"; charset=iso-8859-15
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename=rid-size-fix.diff

--- mpi350.c.orig 2003-05-22 17:20:42.000000000 -0700
+++ mpi350.c 2003-05-23 15:37:26.000000000 -0700
@@ -135,7 +135,7 @@
struct net_device *init_venus_card(struct pci_dev *);
void venus_remove(void);
static int venus_probe(struct pci_dev *);
-static int vreadrid(struct venus_info *,unsigned short,unsigned char *);
+static int vreadrid(struct venus_info *,unsigned short,unsigned char *,unsigned int);
static int vwriterid(struct venus_info *,unsigned short,unsigned char *);
static void venus_interrupt( int irq, void* dev_id, struct pt_regs *regs);
static int venus_ioctl(struct net_device *dev, struct ifreq *rq, int cmd);
@@ -442,7 +442,7 @@
printk(KERN_INFO "MIC interrupt\n");
#endif
venusout(v_info,V_EVACK,EV_MIC);
- vreadrid((struct venus_info *)dev->priv,RID_MIC,(char *)&mic);
+ vreadrid((struct venus_info *)dev->priv,RID_MIC,(char *)&mic,sizeof(mic));
micinit(v_info,&mic);
enable_interrupts(v_info);
spin_unlock(&v_info->mpi_lock);
@@ -845,7 +845,7 @@
memset( data->wbuffer, 0, 33*3 );
data->on_close = proc_ssid_on_close;

- vreadrid(vi,RID_SSLIST,(unsigned char *)SSID_rid);
+ vreadrid(vi,RID_SSLIST,(unsigned char *)SSID_rid,sizeof(blargbuf));

ptr = data->rbuffer;

@@ -881,8 +881,8 @@
data = (struct proc_data *)file->private_data;
data->rbuffer = kmalloc( 2048, GFP_KERNEL );

- vreadrid(vi,RID_STATUS,(unsigned char *)&status_rid);
- vreadrid(vi,RID_CAPABILITIES,(unsigned char *)&cap_rid);
+ vreadrid(vi,RID_STATUS,(unsigned char *)&status_rid,sizeof(status_rid));
+ vreadrid(vi,RID_CAPABILITIES,(unsigned char *)&cap_rid,sizeof(cap_rid));

sprintf( data->rbuffer, "Mode: %x\n"
"Signal Strength: %d\n"
@@ -935,7 +935,7 @@
* Return 0 on sucess or other on failure . Uses the len value of all rids
* in the first 2 bytes .
*/
-static int vreadrid(struct venus_info *v_info,unsigned short rid,unsigned char *ridp){
+static int vreadrid(struct venus_info *v_info,unsigned short rid,unsigned char *ridp,unsigned ridsz){
Cmd cmd;
Resp rsp;
int status;
@@ -962,8 +962,14 @@
return rsp.rsp0; /* return error qualifier */

if(!status){
+ unsigned len = ridsz;
ridlen = VADDR(unsigned short,v_info->ConfigDesc);
- memcpy((char *)ridp,(char *)v_info->ConfigDesc.VirtualHostAddress,*ridlen);
+ if (*ridlen <= len)
+ len = *ridlen;
+ else
+ printk(KERN_INFO "vreadrid: rid=%04x ridlen=%d ridsz=%d\n",
+ rid, *ridlen, ridsz);
+ memcpy((char *)ridp,(char *)v_info->ConfigDesc.VirtualHostAddress,len);
}
return status;
}
@@ -1509,8 +1515,8 @@
pci_set_master (v_info->pcip); /* Gets called twice no harm */

cfg = (ConfigRid *)iobuf;
- vreadrid((struct venus_info *)dev->priv,RID_CAPABILITIES,(char *)&xcaps);
- vreadrid((struct venus_info *)dev->priv,RID_CONFIG,iobuf);
+ vreadrid((struct venus_info *)dev->priv,RID_CAPABILITIES,(char *)&xcaps,sizeof(xcaps));
+ vreadrid((struct venus_info *)dev->priv,RID_CONFIG,iobuf,sizeof(iobuf));

/*
* Find out if an extended capability rid was returned
@@ -1536,7 +1542,7 @@
for(i=0;i!=6;i++){
dev->dev_addr[i] = cfg->macAddr[i];
}
- printk( KERN_INFO "MPI350 start: MAC %x:%x:%x:%x:%x:%x\n",
+ printk( KERN_INFO "MPI350 start: MAC %02x:%02x:%02x:%02x:%02x:%02x\n",
dev->dev_addr[0],dev->dev_addr[1],dev->dev_addr[2],
dev->dev_addr[3],dev->dev_addr[4],dev->dev_addr[5]);

@@ -1735,7 +1741,7 @@
break;
}

- vreadrid((struct venus_info *)dev->priv,ridcode,iobuf);
+ vreadrid((struct venus_info *)dev->priv,ridcode,iobuf,sizeof(iobuf));

if (copy_to_user(comp->data, iobuf, MIN (comp->len, sizeof(iobuf))))
return -EFAULT;
@@ -1799,7 +1805,7 @@
case AIROPSTCLR:
ridcode = RID_STATSDELTACLEAR;
memset((char *)&v_info->micstats,0,sizeof(v_info->micstats)); /*Clear micstats */
- vreadrid((struct venus_info *)dev->priv,ridcode,iobuf);
+ vreadrid((struct venus_info *)dev->priv,ridcode,iobuf,sizeof(iobuf));

if (copy_to_user(comp->data,blargo,MIN(comp->len,sizeof(blargo))))
return -EFAULT;

--=_courier-19559-1055440240-0001-2--