wl1271: Fix overflow in wl1271_boot_upload_nvs

[pandora-kernel.git] / drivers / net / wireless / wl12xx / wl1271_boot.c

diff --git a/drivers/net/wireless/wl12xx/wl1271_boot.c b/drivers/net/wireless/wl12xx/wl1271_boot.c
index 1a36d8a..e5a7f04 100644 (file)
--- a/drivers/net/wireless/wl12xx/wl1271_boot.c
+++ b/drivers/net/wireless/wl12xx/wl1271_boot.c
@@ -274,11 +274,11 @@ static int wl1271_boot_upload_nvs(struct wl1271 *wl)
 
        /*
         * We've reached the first zero length, the first NVS table
-        * is 7 bytes further.
+        * is located at an aligned offset which is at least 7 bytes further.
         */
-       nvs_ptr += 7;
+       nvs_ptr = (u8 *)wl->nvs->nvs +
+                       ALIGN(nvs_ptr - (u8 *)wl->nvs->nvs + 7, 4);
        nvs_len -= nvs_ptr - (u8 *)wl->nvs->nvs;
-       nvs_len = ALIGN(nvs_len, 4);
 
        /* FIXME: The driver sets the partition here, but this is not needed,
           since it sets to the same one as currently in use */
@@ -286,14 +286,9 @@ static int wl1271_boot_upload_nvs(struct wl1271 *wl)
        wl1271_set_partition(wl, &part_table[PART_WORK]);
 
        /* Copy the NVS tables to a new block to ensure alignment */
-       /* FIXME: We jump 3 more bytes before uploading the NVS.  It seems
-       that our NVS files have three extra zeros here.  I'm not sure whether
-       the problem is in our NVS generation or we should really jumpt these
-       3 bytes here */
-       nvs_ptr += 3;
-
-       nvs_aligned = kmemdup(nvs_ptr, nvs_len, GFP_KERNEL); if
-       (!nvs_aligned) return -ENOMEM;
+       nvs_aligned = kmemdup(nvs_ptr, nvs_len, GFP_KERNEL);
+       if (!nvs_aligned)
+               return -ENOMEM;
 
        /* And finally we upload the NVS tables */
        /* FIXME: In wl1271, we upload everything at once.
@@ -414,7 +409,9 @@ static int wl1271_boot_run_firmware(struct wl1271 *wl)
                PS_REPORT_EVENT_ID |
                JOIN_EVENT_COMPLETE_ID |
                DISCONNECT_EVENT_COMPLETE_ID |
-               RSSI_SNR_TRIGGER_0_EVENT_ID;
+               RSSI_SNR_TRIGGER_0_EVENT_ID |
+               PSPOLL_DELIVERY_FAILURE_EVENT_ID |
+               SOFT_GEMINI_SENSE_EVENT_ID;
 
        ret = wl1271_event_unmask(wl);
        if (ret < 0) {
@@ -455,17 +452,20 @@ int wl1271_boot(struct wl1271 *wl)
 {
        int ret = 0;
        u32 tmp, clk, pause;
+       int ref_clock = wl->ref_clock;
 
        wl1271_boot_hw_version(wl);
 
-       if (REF_CLOCK == 0 || REF_CLOCK == 2 || REF_CLOCK == 4)
+       if (ref_clock == 0 || ref_clock == 2 || ref_clock == 4)
                /* ref clk: 19.2/38.4/38.4-XTAL */
                clk = 0x3;
-       else if (REF_CLOCK == 1 || REF_CLOCK == 3)
+       else if (ref_clock == 1 || ref_clock == 3)
                /* ref clk: 26/52 */
                clk = 0x5;
+       else
+               return -EINVAL;
 
-       if (REF_CLOCK != 0) {
+       if (ref_clock != 0) {
                u16 val;
                /* Set clock type (open drain) */
                val = wl1271_top_reg_read(wl, OCP_REG_CLK_TYPE);
@@ -514,7 +514,7 @@ int wl1271_boot(struct wl1271 *wl)
        wl1271_debug(DEBUG_BOOT, "clk2 0x%x", clk);
 
        /* 2 */
-       clk |= (REF_CLOCK << 1) << 4;
+       clk |= (ref_clock << 1) << 4;
        wl1271_write32(wl, DRPW_SCRATCH_START, clk);
 
        wl1271_set_partition(wl, &part_table[PART_WORK]);