Joakim Tjernlund [Fri, 12 Nov 2010 03:55:08 +0000 (03:55 +0000)]
ucc_geth: Do not bring the whole IF down when TX failure.
ucc_geth_close lacks a cancel_work_sync(&ugeth->timeout_work)
to stop any outstanding processing of TX fail. However, one
can not call cancel_work_sync without fixing the timeout function
otherwise it will deadlock. This patch brings ucc_geth in line with
gianfar:
Don't bring the interface down and up, just reinit controller HW
and PHY.
Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se>
Reviewed-by: Anton Vorontsov <cbouatmailru@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mariusz Kozlowski [Mon, 8 Nov 2010 11:58:45 +0000 (11:58 +0000)]
net: Fix header size check for GSO case in recvmsg (af_packet)
Parameter 'len' is size_t type so it will never get negative.
Signed-off-by: Mariusz Kozlowski <mk@lab.zgora.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Fri, 12 Nov 2010 19:04:26 +0000 (11:04 -0800)]
Merge git://git./linux/kernel/git/kaber/nf-2.6
Thomas Graf [Thu, 11 Nov 2010 15:47:59 +0000 (15:47 +0000)]
rtnetlink: Fix message size calculation for link messages
nlmsg_total_size() calculates the length of a netlink message
including header and alignment. nla_total_size() calculates the
space an individual attribute consumes which was meant to be used
in this context.
Also, ensure to account for the attribute header for the
IFLA_INFO_XSTATS attribute as implementations of get_xstats_size()
seem to assume that we do so.
The addition of two message headers minus the missing attribute
header resulted in a calculated message size that was larger than
required. Therefore we never risked running out of skb tailroom.
Signed-off-by: Thomas Graf <tgraf@infradead.org>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Shan Wei [Fri, 12 Nov 2010 07:51:55 +0000 (08:51 +0100)]
netfilter: ipv6: fix overlap check for fragments
The type of FRAG6_CB(prev)->offset is int, skb->len is *unsigned* int,
and offset is int.
Without this patch, type conversion occurred to this expression, when
(FRAG6_CB(prev)->offset + prev->len) is less than offset.
Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Eric Paris [Fri, 12 Nov 2010 07:26:06 +0000 (08:26 +0100)]
netfilter: NF_HOOK_COND has wrong conditional
The NF_HOOK_COND returns 0 when it shouldn't due to what I believe to be an
error in the code as the order of operations is not what was intended. C will
evalutate == before =. Which means ret is getting set to the bool result,
rather than the return value of the function call. The code says
if (ret = function() == 1)
when it meant to say:
if ((ret = function()) == 1)
Normally the compiler would warn, but it doesn't notice it because its
a actually complex conditional and so the wrong code is wrapped in an explict
set of () [exactly what the compiler wants you to do if this was intentional].
Fixing this means that errors when netfilter denies a packet get propagated
back up the stack rather than lost.
Problem introduced by commit
2249065f (netfilter: get rid of the grossness
in netfilter.h).
Signed-off-by: Eric Paris <eparis@redhat.com>
Cc: stable@kernel.org
Signed-off-by: Patrick McHardy <kaber@trash.net>
David S. Miller [Thu, 11 Nov 2010 06:15:31 +0000 (22:15 -0800)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6
David S. Miller [Thu, 11 Nov 2010 05:35:37 +0000 (21:35 -0800)]
tcp: Increase TCP_MAXSEG socket option minimum.
As noted by Steve Chen, since commit
f5fff5dc8a7a3f395b0525c02ba92c95d42b7390 ("tcp: advertise MSS
requested by user") we can end up with a situation where
tcp_select_initial_window() does a divide by a zero (or
even negative) mss value.
The problem is that sometimes we effectively subtract
TCPOLEN_TSTAMP_ALIGNED and/or TCPOLEN_MD5SIG_ALIGNED from the mss.
Fix this by increasing the minimum from 8 to 64.
Reported-by: Steve Chen <schen@mvista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Tue, 9 Nov 2010 23:24:26 +0000 (23:24 +0000)]
net: avoid limits overflow
Robin Holt tried to boot a 16TB machine and found some limits were
reached : sysctl_tcp_mem[2], sysctl_udp_mem[2]
We can switch infrastructure to use long "instead" of "int", now
atomic_long_t primitives are available for free.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Reported-by: Robin Holt <holt@sgi.com>
Reviewed-by: Robin Holt <holt@sgi.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vasiliy Kulikov [Wed, 10 Nov 2010 20:09:10 +0000 (12:09 -0800)]
net: packet: fix information leak to userland
packet_getname_spkt() doesn't initialize all members of sa_data field of
sockaddr struct if strlen(dev->name) < 13. This structure is then copied
to userland. It leads to leaking of contents of kernel stack memory.
We have to fully fill sa_data with strncpy() instead of strlcpy().
The same with packet_getname(): it doesn't initialize sll_pkttype field of
sockaddr_ll. Set it to zero.
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 10 Nov 2010 18:38:24 +0000 (10:38 -0800)]
filter: make sure filters dont read uninitialized memory
There is a possibility malicious users can get limited information about
uninitialized stack mem array. Even if sk_run_filter() result is bound
to packet length (0 .. 65535), we could imagine this can be used by
hostile user.
Initializing mem[] array, like Dan Rosenberg suggested in his patch is
expensive since most filters dont even use this array.
Its hard to make the filter validation in sk_chk_filter(), because of
the jumps. This might be done later.
In this patch, I use a bitmap (a single long var) so that only filters
using mem[] loads/stores pay the price of added security checks.
For other filters, additional cost is a single instruction.
[ Since we access fentry->k a lot now, cache it in a local variable
and mark filter entry pointer as const. -DaveM ]
Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vasiliy Kulikov [Wed, 10 Nov 2010 18:14:33 +0000 (10:14 -0800)]
net: ax25: fix information leak to userland
Sometimes ax25_getname() doesn't initialize all members of fsa_digipeater
field of fsa struct, also the struct has padding bytes between
sax25_call and sax25_ndigis fields. This structure is then copied to
userland. It leads to leaking of contents of kernel stack memory.
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Tue, 9 Nov 2010 19:46:33 +0000 (11:46 -0800)]
net/dst: dst_dev_event() called after other notifiers
Followup of commit
ef885afbf8a37689 (net: use rcu_barrier() in
rollback_registered_many)
dst_dev_event() scans a garbage dst list that might be feeded by various
network notifiers at device dismantle time.
Its important to call dst_dev_event() after other notifiers, or we might
enter the infamous msleep(250) in netdev_wait_allrefs(), and wait one
second before calling again call_netdevice_notifiers(NETDEV_UNREGISTER,
dev) to properly remove last device references.
Use priority -10 to let dst_dev_notifier be called after other network
notifiers (they have the default 0 priority)
Reported-by: Ben Greear <greearb@candelatech.com>
Reported-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Reported-by: Octavian Purdila <opurdila@ixiacom.com>
Reported-by: Benjamin LaHaise <bcrl@kvack.org>
Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Wey-Yi Guy [Tue, 9 Nov 2010 02:45:21 +0000 (18:45 -0800)]
iwlwifi: dont use pci_dev before it being assign
In order to use build-in debugging macro, pci_dev in priv need to be
assigned first.
This fix iwl3945 driver oopsed at boot with 2.6.37-rc1
Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Kulikov Vasiliy [Sun, 31 Oct 2010 07:10:32 +0000 (07:10 +0000)]
net: tipc: fix information leak to userland
Structure sockaddr_tipc is copied to userland with padding bytes after
"id" field in union field "name" unitialized. It leads to leaking of
contents of kernel stack memory. We have to initialize them to zero.
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
françois romieu [Mon, 8 Nov 2010 13:23:58 +0000 (13:23 +0000)]
r8169: fix sleeping while holding spinlock.
As device_set_wakeup_enable can now sleep, move the call to outside
the critical section.
Signed-off-by: Daniel J Blueman <daniel.blueman@gmail.com>
Acked-by: Rafael J. Wysocki <rjw@sisk.pl>
Acked-by: Andrew Hendry <andrew.hendry@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
françois romieu [Mon, 8 Nov 2010 13:23:05 +0000 (13:23 +0000)]
r8169: revert "Handle rxfifo errors on 8168 chips"
The original patch helps under obscure conditions (no pun) but
some 8168 do not like it. The change needs to be tightened with
a specific 8168 version.
This reverts commit
801e147cde02f04b5c2f42764cd43a89fc7400a2
("r8169: Handle rxfifo errors on 8168 chips").
Regression at https://bugzilla.kernel.org/show_bug.cgi?id=20882
Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Tested-by: Andreas Radke <a.radke@arcor.de>
Cc: Matthew Garrett <mjg@redhat.com>
Cc: Daniel J Blueman <daniel.blueman@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Mon, 8 Nov 2010 11:15:54 +0000 (11:15 +0000)]
inet: fix ip_mc_drop_socket()
commit
8723e1b4ad9be4444 (inet: RCU changes in inetdev_by_index())
forgot one call site in ip_mc_drop_socket()
We should not decrease idev refcount after inetdev_by_index() call,
since refcount is not increased anymore.
Reported-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Reported-by: Miles Lane <miles.lane@gmail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Edgar (gimli) Hucek [Thu, 4 Nov 2010 07:04:33 +0000 (08:04 +0100)]
Bluetooth: Add MacBookAir3,1(2) support
Adding the new MacBookAir3,1(2) to btusb.
Output without the patch and btusb loaded :
T: Bus=03 Lev=02 Prnt=03 Port=02 Cnt=01 Dev#= 6 Spd=12 MxCh= 0
D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=05ac ProdID=821b Rev= 0.34
S: Manufacturer=Apple Inc.
S: Product=Bluetooth USB Host Controller
C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr= 0mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=(none)
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none)
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none)
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none)
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none)
E: Ad=83(I) Atr=01(Isoc) MxPS= 32 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 32 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none)
E: Ad=83(I) Atr=01(Isoc) MxPS= 64 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 64 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none)
E: Ad=83(I) Atr=01(Isoc) MxPS= 64 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 64 Ivl=1ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=84(I) Atr=02(Bulk) MxPS= 32 Ivl=0ms
E: Ad=04(O) Atr=02(Bulk) MxPS= 32 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)
Output with the patch and btusb loaded :
T: Bus=03 Lev=02 Prnt=03 Port=02 Cnt=01 Dev#= 6 Spd=12 MxCh= 0
D: Ver= 2.00 Cls=ff(vend.) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=05ac ProdID=821b Rev= 0.34
S: Manufacturer=Apple Inc.
S: Product=Bluetooth USB Host Controller
C:* #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr= 0mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=01 Prot=01 Driver=btusb
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 32 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 32 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 64 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 64 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=83(I) Atr=01(Isoc) MxPS= 64 Ivl=1ms
E: Ad=03(O) Atr=01(Isoc) MxPS= 64 Ivl=1ms
I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E: Ad=84(I) Atr=02(Bulk) MxPS= 32 Ivl=0ms
E: Ad=04(O) Atr=02(Bulk) MxPS= 32 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 0 Cls=fe(app. ) Sub=01 Prot=01 Driver=(none)
Signed-off-by: Edgar (gimli) Hucek <gimli@dark-green.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Luiz Augusto von Dentz [Thu, 19 Aug 2010 11:06:10 +0000 (14:06 +0300)]
Bluetooth: fix not setting security level when creating a rfcomm session
This cause 'No Bonding' to be used if userspace has not yet been paired
with remote device since the l2cap socket used to create the rfcomm
session does not have any security level set.
Signed-off-by: Luiz Augusto von Dentz <luiz.dentz-von@nokia.com>
Acked-by: Ville Tervo <ville.tervo@nokia.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Gustavo F. Padovan [Mon, 18 Oct 2010 16:25:53 +0000 (14:25 -0200)]
Bluetooth: fix endianness conversion in L2CAP
Last commit added a wrong endianness conversion. Fixing that.
Reported-by: Harvey Harrison <harvey.harrison@gmail.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
steven miao [Sat, 16 Oct 2010 22:29:47 +0000 (18:29 -0400)]
Bluetooth: fix unaligned access to l2cap conf data
In function l2cap_get_conf_opt() and l2cap_add_conf_opt() the address of
opt->val sometimes is not at the edge of 2-bytes/4-bytes, so 2-bytes/4 bytes
access will cause data misalignment exeception. Use get_unaligned_le16/32
and put_unaligned_le16/32 function to avoid data misalignment execption.
Signed-off-by: steven miao <realmz6@gmail.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Matthew Garrett [Thu, 16 Sep 2010 17:58:15 +0000 (13:58 -0400)]
Bluetooth: Enable USB autosuspend by default on btusb
We've done this for a while in Fedora without any obvious problems other
than some interaction with input devices. Those should be fixed now, so
let's try this in mainline.
Signed-off-by: Matthew Garrett <mjg@redhat.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Johan Hedberg [Fri, 15 Oct 2010 07:46:09 +0000 (10:46 +0300)]
Bluetooth: Fix non-SSP auth request for HIGH security level sockets
When initiating dedicated bonding a L2CAP raw socket with HIGH security
level is used. The kernel is supposed to trigger the authentication
request in this case but this doesn't happen currently for non-SSP
(pre-2.1) devices. The reason is that the authentication request happens
in the remote extended features callback which never gets called for
non-SSP devices. This patch fixes the issue by requesting also
authentiation in the (normal) remote features callback in the case of
non-SSP devices.
This rule is applied only for HIGH security level which might at first
seem unintuitive since on the server socket side MEDIUM is already
enough for authentication. However, for the clients we really want to
prefer the server side to decide the authentication requrement in most
cases, and since most client sockets use MEDIUM it's better to be
avoided on the kernel side for these sockets. The important socket to
request it for is the dedicated bonding one and that socket uses HIGH
security level.
The patch is based on the initial investigation and patch proposal from
Andrei Emeltchenko <endrei.emeltchenko@nokia.com>.
Signed-off-by: Johan Hedberg <johan.hedberg@nokia.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Randy Dunlap [Thu, 14 Oct 2010 01:16:52 +0000 (18:16 -0700)]
Bluetooth: fix hidp kconfig dependency warning
Fix kconfig dependency warning to satisfy dependencies:
warning: (BT_HIDP && NET && BT && BT_L2CAP && INPUT || USB_HID && HID_SUPPORT && USB && INPUT) selects HID which has unmet direct dependencies (HID_SUPPORT && INPUT)
Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Rajkumar Manoharan [Mon, 8 Nov 2010 15:10:53 +0000 (20:40 +0530)]
ath9k_hw: Fix memory leak on ath9k_hw_rf_alloc_ext_banks failure
The allocated externel radio banks have to be freed in
case of ath9k_hw_rf_alloc_ext_banks failure.
Cc: stable@kernel.org
Signed-off-by: Rajkumar Manoharan <rmanoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Rajkumar Manoharan [Mon, 8 Nov 2010 07:19:12 +0000 (12:49 +0530)]
ath9k_htc: Fix probe failure if CONFIG_USB_DEBUG enabled
Since the endpoint descriptors (EP3 & EP4) were changed from Interrupt
to Bulk type by firmware, the urb submission done on Bulk pipes.
And the recent commit "check the endpoint type against the pipe type"
added aditional error checking against pipe types under CONFIG_USB_DEBUG.
So bmAttribute has to be updated for both EP3 & EP4 before submitting
urbs on that pipe. This patch resolves the following failure.
[ 2215.710936] usb 1-1: usb_probe_device
[ 2215.710945] usb 1-1: configuration #1 chosen from 1 choice
[ 2215.711152] usb 1-1: adding 1-1:1.0 (config #1, interface 0)
[ 2215.711252] ath9k_hif_usb 1-1:1.0: usb_probe_interface
[ 2215.711255] ath9k_hif_usb 1-1:1.0: usb_probe_interface - got id
[ 2215.712780] usb 1-1: BOGUS urb xfer, pipe 3 != type 1
[ 2215.713782] usb 1-1: ath9k_htc: Unable to allocate URBs
[ 2215.713801] ath9k_hif_usb: probe of 1-1:1.0 failed with error -22
Reported-by: Ming Lei <tom.leiming@gmail.com>
Signed-off-by: Rajkumar Manoharan <rmanoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Haitao Zhang [Sun, 7 Nov 2010 04:50:24 +0000 (12:50 +0800)]
ath9k_htc: Add support for device ID 3346
This patch adds support for USB dongle with device ID 3346 from IMC Networks.
Signed-off-by: Haitao Zhang <minipanda@linuxrobot.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Vasanthakumar Thiagarajan [Fri, 5 Nov 2010 00:41:25 +0000 (17:41 -0700)]
ath9k_hw: Fix AR9280 surprise removal during frequent idle on/off
Bit 22 of AR_WA should be set to fix the situation where chip reset
is asynchronous to clock of analog shift registers, such that when
reset is released, it could mess up the values of analog shift registers
and cause some hw issue on AR9280.
This bit is write only, but the driver does a read-modify-write
on AR_WA without setting bit 22 in ar9002_hw_configpcipowersave()
during radio disable. This causes surprise removal of hw. It can
never recover from this state and the hw will become usable only
after a power on/off cycle, and sometimes only during a cold reboot.
This issue can be triggered by doing frequent roaming with the
simple/test-roam script available from the wifi-test project [1]
when roaming between APs quickly. When roaming there is a is a high
possibility that the device being put into idle (radio disable) state
by mac80211 during AUTH->ASSOC. A device hardware reset would fail
and the kernel would output:
[40251.363799] ath: AWAKE -> FULL-SLEEP
[40251.363815] ieee80211 phy17: device no longer idle - working
[40251.363817] ath: Marking phy17 as not-idle
[40251.363819] ath: FULL-SLEEP -> AWAKE
[40251.415978] pciehp 0000:00:1c.3:pcie04: Card not present on Slot(3)
[40251.419896] ath: ah->misc_mode 0x4
[40251.428138] pciehp 0000:00:1c.3:pcie04: Card present on Slot(3)
[40251.532247] ath: timeout (100000 us) on reg 0x9860: 0xffffffff & 0x00000001 != 0x00000000
[40251.532250] ath: Unable to reset channel (2462 MHz), reset status -5
[40251.532422] ath: Set channel: 5745 MHz
[40251.540639] ath: Failed to stop TX DMA in 100 msec after killing last frame
[40251.548826] ath: Failed to stop TX DMA in 100 msec after killing last frame
[40251.557023] ath: Failed to stop TX DMA in 100 msec after killing last frame
[40251.565211] ath: Failed to stop TX DMA in 100 msec after killing last frame
[40251.573415] ath: Failed to stop TX DMA in 100 msec after killing last frame
[40251.581603] ath: Failed to stop TX DMA in 100 msec after killing last frame
[40251.581606] ath: Failed to stop TX DMA. Resetting hardware!
[40251.592679] ath: DMA failed to stop in 10 ms AR_CR=0xffffffff AR_DIAG_SW=0xffffffff
[40251.703330] ath: timeout (100000 us) on reg 0x7000: 0xffffffff & 0x00000003 != 0x00000000
[40251.703333] ath: RTC stuck in MAC reset
[40251.703334] ath: Chip reset failed
[40251.703335] ath: Unable to reset hardware; reset status -22
This is currently only reproducible with some HB92 (Half Mini-PCIE)
cards but the fix applies to all AR9280 cards. This patch fixes this
issue by setting bit 22 during radio disable.
This patch has fixes for all kernels that has ath9k.
[1] http://wireless.kernel.org/en/developers/Testing/wifi-test
Cc: kyungwan.nam@atheros.com
Cc: amod.bodas@atheros.com
Cc: david.quan@atheros.com
Cc: stable@kernel.org
Signed-off-by: Vasanthakumar Thiagarajan <vasanth@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Daniel Drake [Thu, 4 Nov 2010 21:21:52 +0000 (21:21 +0000)]
libertas: terminate scan when stopping interface
There are currently no provisions in place to ensure that the scanning
task has been stopped when the interface is stopped or removed.
This can result in a WARNING at net/wireless/core.c:643 and other badness
when you remove the module while a scan is happening.
Terminate the scanning task during interface stop.
Signed-off-by: Daniel Drake <dsd@laptop.org>
Acked-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Brian Cavagnolo [Thu, 4 Nov 2010 23:59:28 +0000 (16:59 -0700)]
mac80211: unset SDATA_STATE_OFFCHANNEL when cancelling a scan
For client STA interfaces, ieee80211_do_stop unsets the relevant
interface's SDATA_STATE_RUNNING state bit prior to cancelling an
interrupted scan. When ieee80211_offchannel_return is invoked as
part of cancelling the scan, it doesn't bother unsetting the
SDATA_STATE_OFFCHANNEL bit because it sees that the interface is
down. Normally this doesn't matter because when the client STA
interface is brought back up, it will probably issue a scan. But
in some cases (e.g., the user changes the interface type while it
is down), the SDATA_STATE_OFFCHANNEL bit will remain set. This
prevents the interface queues from being started. So we
cancel the scan before unsetting the SDATA_STATE_RUNNING bit.
Signed-off-by: Brian Cavagnolo <brian@cozybit.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Felix Fietkau [Wed, 3 Nov 2010 00:36:51 +0000 (01:36 +0100)]
ath9k: check old power mode before clearing cycle counters
ath9k_ps_wakeup() clears the cycle counters after waking up the
hardware using ath9k_hw_setpower, however if power save is disabled,
then the counters will contain useful data, which then gets discarded.
Fix this by checking the old power mode before discarding any data.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Felix Fietkau [Sun, 31 Oct 2010 14:31:54 +0000 (15:31 +0100)]
cfg80211: fix a crash in dev lookup on dump commands
IS_ERR and PTR_ERR were called with the wrong pointer, leading to a
crash when cfg80211_get_dev_from_ifindex fails.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Christian Lamparter [Sat, 30 Oct 2010 17:46:37 +0000 (19:46 +0200)]
carl9170: usbid table updates
This patch includes the following updates:
* add D-Link DWA-130 Rev D
* Netgear has three WNDA3100 versions.
the original WNDA3100 is now called WNDA3100v1.
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Vivek Natarajan [Sat, 30 Oct 2010 16:35:13 +0000 (22:05 +0530)]
ath9k: Fix a DMA latency issue for Intel Pinetrail platforms.
Throughput was severely affected in Intel Pinetrail platforms
because of a DMA problem in C3 state. This patch fixes this
issue.
Signed-off-by: Vivek Natarajan <vnatarajan@atheros.com>
CC: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Rajkumar Manoharan [Wed, 27 Oct 2010 13:01:15 +0000 (18:31 +0530)]
ath9k: Avoid HW opmode overridden on monitor mode changes
The HW opmode is blindly set to monitor type on monitor mode
change notification. This overrides the opmode when one of the
interfaces is still running as non-monitor iftype. So the monitoring
information needs to be maintained seperately.
Signed-off-by: Rajkumar Manoharan <rmanoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Linus Torvalds [Mon, 8 Nov 2010 21:27:12 +0000 (16:27 -0500)]
libipw: fix proc entry removal
This bug seems to be due to commit
27ae60f8f7aac ("ipw2x00: replace
"ieee80211" with "libipw" where appropriate"), where Pavel did this:
- libipw_proc = proc_mkdir(DRV_NAME, init_net.proc_net);
+ libipw_proc = proc_mkdir("ieee80211", init_net.proc_net);
but then the cleanup was kept as
remove_proc_entry(DRV_NAME, init_net.proc_net);
in both places (both in the failure case and in the unload case). The
error string is also total crap, and says
"Unable to create " DRV_NAME " proc directory\n");
Even though it doesn't actually create a proc directory named DRV_NAME at all.
So that patch looks like total and utter crap to me. The commit message says
"Keep /proc/net/ieee80211 under the original name to avoid breaking user
interface."
but the thing is, it really didn't fix anything but that one create
thing. It needs to fix all the other cases too.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Tested-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Pavel Emelyanov [Mon, 8 Nov 2010 06:20:50 +0000 (06:20 +0000)]
rds: Fix rds message leak in rds_message_map_pages
The sgs allocation error path leaks the allocated message.
Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Acked-by: Andy Grover <andy.grover@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Frank Blaschka [Mon, 8 Nov 2010 03:03:49 +0000 (03:03 +0000)]
qeth: fix race condition during device startup
QDIO is running independent from netdevice state. We are not
allowed to schedule NAPI in case the netdevice is not open.
Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ursula Braun [Mon, 8 Nov 2010 03:03:48 +0000 (03:03 +0000)]
qeth: remove dev_queue_xmit invocation
For a certain Hipersockets specific error code in the xmit path, the
qeth driver tries to invoke dev_queue_xmit again.
Commit
79640a4ca6955e3ebdb7038508fa7a0cd7fa5527 introduces a busylock
causing locking problems in case of re-invoked dev_queue_xmit by qeth.
This patch removes the attempts to retry packet sending with
dev_queue_xmit from the qeth driver.
Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Junchang Wang [Sun, 7 Nov 2010 23:19:43 +0000 (23:19 +0000)]
pktgen: correct uninitialized queue_map
This fix a bug reported by backyes.
Right the first time pktgen's using queue_map that's not been initialized
by set_cur_queue_map(pkt_dev);
Signed-off-by: Junchang Wang <junchangwang@gmail.com>
Signed-off-by: Backyes <backyes@mail.ustc.edu.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
Guillaume Chazarain [Sat, 6 Nov 2010 06:39:32 +0000 (06:39 +0000)]
net: Detect and ignore netif_stop_queue() calls before register_netdev()
After
e6484930d7c73d324bccda7d43d131088da697b9: net: allocate tx queues in register_netdevice
These calls make net drivers oops at load time, so let's avoid people
git-bisect'ing known problems.
Signed-off-by: Guillaume Chazarain <guichaz@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Guillaume Chazarain [Sat, 6 Nov 2010 06:39:31 +0000 (06:39 +0000)]
skge: Remove tx queue stopping in skge_devinit()
After
e6484930d7c73d324bccda7d43d131088da697b9: net: allocate tx queues in register_netdevice
It causes an Oops at skge_probe() time.
Signed-off-by: Guillaume Chazarain <guichaz@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Shan Wei [Fri, 5 Nov 2010 01:56:34 +0000 (01:56 +0000)]
ipv6: fix overlap check for fragments
The type of FRAG6_CB(prev)->offset is int, skb->len is *unsigned* int,
and offset is int.
Without this patch, type conversion occurred to this expression, when
(FRAG6_CB(prev)->offset + prev->len) is less than offset.
Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
stephen hemminger [Thu, 4 Nov 2010 11:47:04 +0000 (11:47 +0000)]
classifier: report statistics for basic classifier
The basic classifier keeps statistics but does not report it to user space.
This showed up when using basic classifier (with police) as a default catch
all on ingress; no statistics were reported.
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David Woodhouse [Mon, 1 Nov 2010 10:35:28 +0000 (10:35 +0000)]
solos: Refuse to upgrade firmware with older FPGA. It doesn't work.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David Woodhouse [Mon, 1 Nov 2010 10:34:29 +0000 (10:34 +0000)]
solos: Add 'Firmware' attribute for Traverse overall firmware version
The existing 'FirmwareVersion' attribute only covers the DSP firmware as
provided by Conexant; not the overall version of the device firmware. We
do want to be able to see the full version number too.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Paul Mundt [Mon, 8 Nov 2010 03:58:05 +0000 (19:58 -0800)]
net dst: need linux/cache.h for ____cacheline_aligned_in_smp.
Presently the b43legacy build fails on an sh randconfig:
In file included from include/net/dst.h:12,
from drivers/net/wireless/b43legacy/xmit.c:32:
include/net/dst_ops.h:28: error: expected ':', ',', ';', '}' or '__attribute__' before '____cacheline_aligned_in_smp'
include/net/dst_ops.h: In function 'dst_entries_get_fast':
include/net/dst_ops.h:33: error: 'struct dst_ops' has no member named 'pcpuc_entries'
include/net/dst_ops.h: In function 'dst_entries_get_slow':
include/net/dst_ops.h:41: error: 'struct dst_ops' has no member named 'pcpuc_entries'
include/net/dst_ops.h: In function 'dst_entries_add':
include/net/dst_ops.h:49: error: 'struct dst_ops' has no member named 'pcpuc_entries'
include/net/dst_ops.h: In function 'dst_entries_init':
include/net/dst_ops.h:55: error: 'struct dst_ops' has no member named 'pcpuc_entries'
include/net/dst_ops.h: In function 'dst_entries_destroy':
include/net/dst_ops.h:60: error: 'struct dst_ops' has no member named 'pcpuc_entries'
make[5]: *** [drivers/net/wireless/b43legacy/xmit.o] Error 1
make[5]: *** Waiting for unfinished jobs....
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dmitry Torokhov [Sat, 6 Nov 2010 20:11:38 +0000 (20:11 +0000)]
NET: pktgen - fix compile warning
This should fix the following warning:
net/core/pktgen.c: In function ‘pktgen_if_write’:
net/core/pktgen.c:890: warning: comparison of distinct pointer types lacks a cast
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Reviewed-by: Nelson Elhage <nelhage@ksplice.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Nelson Elhage [Wed, 3 Nov 2010 16:35:41 +0000 (16:35 +0000)]
inet_diag: Make sure we actually run the same bytecode we audited.
We were using nlmsg_find_attr() to look up the bytecode by attribute when
auditing, but then just using the first attribute when actually running
bytecode. So, if we received a message with two attribute elements, where only
the second had type INET_DIAG_REQ_BYTECODE, we would validate and run different
bytecode strings.
Fix this by consistently using nlmsg_find_attr everywhere.
Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
Signed-off-by: Thomas Graf <tgraf@infradead.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Nelson Elhage [Wed, 3 Nov 2010 16:35:40 +0000 (16:35 +0000)]
netlink: Make nlmsg_find_attr take a const nlmsghdr*.
This will let us use it on a nlmsghdr stored inside a netlink_callback.
Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Thu, 4 Nov 2010 01:21:39 +0000 (01:21 +0000)]
fib: fib_result_assign() should not change fib refcounts
After commit
ebc0ffae5 (RCU conversion of fib_lookup()),
fib_result_assign() should not change fib refcounts anymore.
Thanks to Michael who did the bisection and bug report.
Reported-by: Michael Ellerman <michael@ellerman.id.au>
Tested-by: Michael Ellerman <michael@ellerman.id.au>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jan Engelhardt [Thu, 4 Nov 2010 01:55:39 +0000 (18:55 -0700)]
netfilter: ip6_tables: fix information leak to userspace
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Thu, 4 Nov 2010 01:52:32 +0000 (18:52 -0700)]
Merge branch 'master' of git://git./linux/kernel/git/kaber/nf-2.6
Herbert Xu [Wed, 3 Nov 2010 13:31:05 +0000 (13:31 +0000)]
cls_cgroup: Fix crash on module unload
Somewhere along the lines net_cls_subsys_id became a macro when
cls_cgroup is built as a module. Not only did it make cls_cgroup
completely useless, it also causes it to crash on module unload.
This patch fixes this by removing that macro.
Thanks to Eric Dumazet for diagnosing this problem.
Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Li Zefan <lizf@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
andrew hendry [Wed, 3 Nov 2010 12:54:53 +0000 (12:54 +0000)]
memory corruption in X.25 facilities parsing
Signed-of-by: Andrew Hendry <andrew.hendry@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Xiaotian Feng [Tue, 2 Nov 2010 16:11:05 +0000 (16:11 +0000)]
net dst: fix percpu_counter list corruption and poison overwritten
There're some percpu_counter list corruption and poison overwritten warnings
in recent kernel, which is resulted by
fc66f95c.
commit
fc66f95c switches to use percpu_counter, in ip6_route_net_init, kernel
init the percpu_counter for dst entries, but, the percpu_counter is never destroyed
in ip6_route_net_exit. So if the related data is freed by kernel, the freed percpu_counter
is still on the list, then if we insert/remove other percpu_counter, list corruption
resulted. Also, if the insert/remove option modifies the ->prev,->next pointer of
the freed value, the poison overwritten is resulted then.
With the following patch, the percpu_counter list corruption and poison overwritten
warnings disappeared.
Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Cc: "Pekka Savola (ipv6)" <pekkas@netcore.fi>
Cc: James Morris <jmorris@namei.org>
Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Cc: Patrick McHardy <kaber@trash.net>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pavel Emelyanov [Tue, 2 Nov 2010 01:54:01 +0000 (01:54 +0000)]
rds: Remove kfreed tcp conn from list
All the rds_tcp_connection objects are stored list, but when
being freed it should be removed from there.
Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pavel Emelyanov [Tue, 2 Nov 2010 01:52:05 +0000 (01:52 +0000)]
rds: Lost locking in loop connection freeing
The conn is removed from list in there and this requires
proper lock protection.
Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Wed, 3 Nov 2010 12:25:32 +0000 (12:25 +0000)]
de2104x: fix panic on load
Its now illegal to call netif_stop_queue() before register_netdev()
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Wed, 3 Nov 2010 12:11:21 +0000 (12:11 +0000)]
atl1 : fix panic on load
Its now illegal to call netif_stop_queue() before register_netdev()
Reported-by: Tom Gundersen <teg@jklm.no>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Amerigo Wang [Tue, 2 Nov 2010 18:25:31 +0000 (18:25 +0000)]
netxen: remove unused firmware exports
Quote from Amit Salecha:
"Actually I was not updated, NX_UNIFIED_ROMIMAGE_NAME (phanfw.bin) is already
submitted and its present in linux-firmware.git.
I will get back to you on NX_P2_MN_ROMIMAGE_NAME, NX_P3_CT_ROMIMAGE_NAME and
NX_P3_MN_ROMIMAGE_NAME. Whether this will be submitted ?"
We have to remove these, otherwise we will get wrong info from modinfo.
Signed-off-by: WANG Cong <amwang@redhat.com>
Cc: Amit Kumar Salecha <amit.salecha@qlogic.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Dhananjay Phadke <dhananjay.phadke@qlogic.com>
Cc: Narender Kumar <narender.kumar@qlogic.com>
Acked-by: Amit Kumar Salecha <amit.salecha@qlogic.com>--
Signed-off-by: David S. Miller <davem@davemloft.net>
sjur.brandeland@stericsson.com [Wed, 3 Nov 2010 10:19:25 +0000 (10:19 +0000)]
caif: Remove noisy printout when disconnecting caif socket
Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Sjur Brændeland [Mon, 1 Nov 2010 11:52:48 +0000 (11:52 +0000)]
caif: SPI-driver bugfix - incorrect padding.
Signed-off-by: Sjur Braendeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
André Carvalho de Matos [Mon, 1 Nov 2010 11:52:47 +0000 (11:52 +0000)]
caif: Bugfix for socket priority, bindtodev and dbg channel.
Changes:
o Bugfix: SO_PRIORITY for SOL_SOCKET could not be handled
in caif's setsockopt, using the struct sock attribute priority instead.
o Bugfix: SO_BINDTODEVICE for SOL_SOCKET could not be handled
in caif's setsockopt, using the struct sock attribute ifindex instead.
o Wrong assert statement for RFM layer segmentation.
o CAIF Debug channels was not working over SPI, caif_payload_info
containing padding info must be initialized.
o Check on pointer before dereferencing when unregister dev in caif_dev.c
Signed-off-by: Sjur Braendeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
John Faith [Mon, 1 Nov 2010 11:30:08 +0000 (11:30 +0000)]
smsc911x: Set Ethernet EEPROM size to supported device's size
The SMSC911x supports 128 x 8-bit EEPROMs. Increase the EEPROM size
so more than just the MAC address can be stored.
Signed-off-by: John Faith <jfaith7@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vasiliy Kulikov [Wed, 3 Nov 2010 07:45:06 +0000 (08:45 +0100)]
ipv4: netfilter: ip_tables: fix information leak to userland
Structure ipt_getinfo is copied to userland with the field "name"
that has the last elements unitialized. It leads to leaking of
contents of kernel stack memory.
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Vasiliy Kulikov [Wed, 3 Nov 2010 07:44:12 +0000 (08:44 +0100)]
ipv4: netfilter: arp_tables: fix information leak to userland
Structure arpt_getinfo is copied to userland with the field "name"
that has the last elements unitialized. It leads to leaking of
contents of kernel stack memory.
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Divy Le Ray [Mon, 1 Nov 2010 10:59:51 +0000 (10:59 +0000)]
cxgb4vf: remove call to stop TX queues at load time.
Stopping TX queues at driver load time is not necessary.
Signed-off-by: Casey Leedom <leedom@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Divy Le Ray [Mon, 1 Nov 2010 10:59:46 +0000 (10:59 +0000)]
cxgb4: remove call to stop TX queues at load time.
Remove racy queue stopping after device registration.
Signed-off-by: Dimitris Michailidis <dm@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Divy Le Ray [Mon, 1 Nov 2010 10:59:41 +0000 (10:59 +0000)]
cxgb3: remove call to stop TX queues at load time.
Remove racy queue stopping after device registration.
Signed-off-by: Divy Le Ray <divy@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tom Herbert [Mon, 1 Nov 2010 19:55:52 +0000 (12:55 -0700)]
net: check queue_index from sock is valid for device
In dev_pick_tx recompute the queue index if the value stored in the
socket is greater than or equal to the number of real queues for the
device. The saved index in the sock structure is not guaranteed to
be appropriate for the egress device (this could happen on a route
change or in presence of tunnelling). The result of the queue index
being bad would be to return a bogus queue (crash could prersumably
follow).
Signed-off-by: Tom Herbert <therbert@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dmitry Artamonow [Mon, 1 Nov 2010 16:33:53 +0000 (09:33 -0700)]
USB: gadget: fix ethernet gadget crash in gether_setup
Crash is triggered by commit
e6484930d7 ("net: allocate tx queues in
register_netdevice"), which moved tx netqueue creation into register_netdev.
So now calling netif_stop_queue() before register_netdev causes an oops.
Move netif_stop_queue() after net device registration to fix crash.
Signed-off-by: Dmitry Artamonow <mad_soft@inbox.ru>
Signed-off-by: Denis Kirjanov <dkirjanov@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Mon, 1 Nov 2010 15:49:51 +0000 (08:49 -0700)]
ibm_newemac: Remove netif_stop_queue() in emac_probe().
Touching the queue state before register_netdev is not
allowed, and besides the queue state before ->open()
is "don't care"
Reported-by: Josh Boyer <jwboyer@gmail.com>
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ming Lei [Mon, 1 Nov 2010 14:11:54 +0000 (07:11 -0700)]
usbnet: fix usb_autopm_get_interface failure(v1)
Since usbnet already took usb runtime pm, we have to
enable runtime pm for usb interface of usbnet, otherwise
usb_autopm_get_interface may return failure and cause
'ifconfig usb0 up' failed if USB_SUSPEND(RUNTIME_PM) is
enabled.
Cc: David Brownell <dbrownell@users.sourceforge.net>
Cc: Greg Kroah-Hartman <gregkh@suse.de>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Ben Hutchings <ben@decadent.org.uk>
Cc: Joe Perches <joe@perches.com>
Cc: Oliver Neukum <oliver@neukum.org>
Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Ming Lei <tom.leiming@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dr. David Alan Gilbert [Sun, 31 Oct 2010 07:26:03 +0000 (07:26 +0000)]
l2tp: kzalloc with swapped params in l2tp_dfs_seq_open
'sparse' spotted that the parameters to kzalloc in l2tp_dfs_seq_open
were swapped.
Tested on current git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6.git
at
1792f17b7210280a3d7ff29da9614ba779cfcedb build, boots and I can see that directory,
but there again I could see /sys/kernel/debug/l2tp with it swapped; I don't have
any l2tp in use.
Signed-off-by: Dr. David Alan Gilbert <linux@treblig.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Uwe Kleine-König [Tue, 26 Oct 2010 09:57:07 +0000 (09:57 +0000)]
trivial: fix typos concerning "function"
I'm a bit unsure about this patch. I'm unable to parse both statements.
Cc: netdev@vger.kernel.org
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yaniv Rosner [Mon, 1 Nov 2010 05:32:43 +0000 (05:32 +0000)]
bnx2x: Update version number
Update bnx2x version number.
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yaniv Rosner [Mon, 1 Nov 2010 05:32:41 +0000 (05:32 +0000)]
bnx2x: Reset 8073 phy during common init
Resetting 8073 during common init is required on boards in which the
8073 reset pin is not asserted by default.
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yaniv Rosner [Mon, 1 Nov 2010 05:32:38 +0000 (05:32 +0000)]
bnx2x: Do not enable CL37 BAM unless it is explicitly enabled
Enabling CL37 BAM on BCM8073 by default may lead to link issues since
not all switches support it. So enable CL37 BAM only if explicitly
selected.
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yaniv Rosner [Mon, 1 Nov 2010 05:32:36 +0000 (05:32 +0000)]
bnx2x: Fix resetting BCM8726 PHY during common init
On BCM8726 based designs, the ports are swapped, hence the reset needs
to be asserted through port0 and not port1.
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yaniv Rosner [Mon, 1 Nov 2010 05:32:34 +0000 (05:32 +0000)]
bnx2x: Clear latch indication on link reset
When using latch indication for link change notification, need to
clear it when port is unloaded, otherwise it might generate false
indication on next load.
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yaniv Rosner [Mon, 1 Nov 2010 05:32:31 +0000 (05:32 +0000)]
bnx2x: Fix port selection in case of E2
On E2 flavor, dual-port mode, the port argument used for some
functions is needed as the global port number rather than the port per
path.
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yaniv Rosner [Mon, 1 Nov 2010 05:32:27 +0000 (05:32 +0000)]
bnx2x: Fix waiting for reset complete on BCM848x3 PHYs
BCM848x3 requires additional of 50ms after reset done indication,
instead of fixed time of 200ms
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Yaniv Rosner [Mon, 1 Nov 2010 05:32:25 +0000 (05:32 +0000)]
bnx2x: Restore appropriate delay during BMAC reset
Fix delay during BMAC reset from 10usec to 1ms.
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Thomas Graf [Sun, 31 Oct 2010 16:37:38 +0000 (09:37 -0700)]
text ematch: check for NULL pointer before destroying textsearch config
While validating the configuration em_ops is already set, thus the
individual destroy functions are called, but the ematch data has
not been allocated and associated with the ematch yet.
Signed-off-by: Thomas Graf <tgraf@infradead.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Sun, 31 Oct 2010 05:50:38 +0000 (05:50 +0000)]
qlcnic: fix panic on load
Its now illegal to call netif_stop_queue() before register_netdev()
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Amit Kumar Salecha <amit.salecha@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Sun, 31 Oct 2010 05:46:18 +0000 (05:46 +0000)]
jme: fix panic on load
Its now illegal to call netif_stop_queue() before register_netdev()
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Guo-Fu Tseng <cooldavid@cooldavid.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Kulikov Vasiliy [Fri, 29 Oct 2010 23:04:33 +0000 (23:04 +0000)]
isdn: mISDN: socket: fix information leak to userland
Structure mISDN_devinfo is copied to userland with the field "name"
that has the last elements unitialized. It leads to leaking of
contents of kernel stack memory.
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Hans J. Koch [Fri, 29 Oct 2010 12:33:57 +0000 (12:33 +0000)]
netdev: can: Change mail address of Hans J. Koch
My old mail address doesn't exist anymore. This changes all occurrences
to my new address.
Signed-off-by: Hans J. Koch <hjk@hansjkoch.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ken Kawasaki [Fri, 29 Oct 2010 12:17:51 +0000 (12:17 +0000)]
pcnet_cs: add new_id
pcnet_cs:
add new_id: "corega Ether CF-TD" 10Base-T PCMCIA card.
Signed-off-by: Ken Kawasaki <ken_kawasaki@spring.nifty.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Sat, 30 Oct 2010 23:43:10 +0000 (16:43 -0700)]
net: Truncate recvfrom and sendto length to INT_MAX.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andy Grover [Thu, 28 Oct 2010 15:40:59 +0000 (15:40 +0000)]
RDS: Let rds_message_alloc_sgs() return NULL
Even with the previous fix, we still are reading the iovecs once
to determine SGs needed, and then again later on. Preallocating
space for sg lists as part of rds_message seemed like a good idea
but it might be better to not do this. While working to redo that
code, this patch attempts to protect against userspace rewriting
the rds_iovec array between the first and second accesses.
The consequences of this would be either a too-small or too-large
sg list array. Too large is not an issue. This patch changes all
callers of message_alloc_sgs to handle running out of preallocated
sgs, and fail gracefully.
Signed-off-by: Andy Grover <andy.grover@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andy Grover [Thu, 28 Oct 2010 15:40:58 +0000 (15:40 +0000)]
RDS: Copy rds_iovecs into kernel memory instead of rereading from userspace
Change rds_rdma_pages to take a passed-in rds_iovec array instead
of doing copy_from_user itself.
Change rds_cmsg_rdma_args to copy rds_iovec array once only. This
eliminates the possibility of userspace changing it after our
sanity checks.
Implement stack-based storage for small numbers of iovecs, based
on net/socket.c, to save an alloc in the extremely common case.
Although this patch reduces iovec copies in cmsg_rdma_args to 1,
we still do another one in rds_rdma_extra_size. Getting rid of
that one will be trickier, so it'll be a separate patch.
Signed-off-by: Andy Grover <andy.grover@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andy Grover [Thu, 28 Oct 2010 15:40:57 +0000 (15:40 +0000)]
RDS: Clean up error handling in rds_cmsg_rdma_args
We don't need to set ret = 0 at the end -- it's initialized to 0.
Also, don't increment s_send_rdma stat if we're exiting with an
error.
Signed-off-by: Andy Grover <andy.grover@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andy Grover [Thu, 28 Oct 2010 15:40:56 +0000 (15:40 +0000)]
RDS: Return -EINVAL if rds_rdma_pages returns an error
rds_cmsg_rdma_args would still return success even if rds_rdma_pages
returned an error (or overflowed).
Signed-off-by: Andy Grover <andy.grover@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Thu, 28 Oct 2010 15:40:55 +0000 (15:40 +0000)]
net: fix rds_iovec page count overflow
As reported by Thomas Pollet, the rdma page counting can overflow. We
get the rdma sizes in 64-bit unsigned entities, but then limit it to
UINT_MAX bytes and shift them down to pages (so with a possible "+1" for
an unaligned address).
So each individual page count fits comfortably in an 'unsigned int' (not
even close to overflowing into signed), but as they are added up, they
might end up resulting in a signed return value. Which would be wrong.
Catch the case of tot_pages turning negative, and return the appropriate
error code.
Reported-by: Thomas Pollet <thomas.pollet@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andy Grover <andy.grover@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Marc Kleine-Budde [Sat, 30 Oct 2010 23:28:16 +0000 (16:28 -0700)]
can: pch_can: fix section mismatch warning by using a whitelisted name
This patch fixes the following section mismatch warning:
WARNING: drivers/net/can/pch_can.o(.data+0x18):
Section mismatch in reference from the variable pch_can_pcidev
to the variable .devinit.rodata:pch_pci_tbl
The variable pch_can_pcidev references
the variable __devinitconst pch_pci_tbl
This is actually a false positive which is fixed by giving the offending
variable a whitelisted name, it's renamed to "pch_can_pci_driver".
This makes sense because the variable is of the type "struct pci_driver".
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Marc Kleine-Budde [Sat, 30 Oct 2010 23:27:48 +0000 (16:27 -0700)]
can: pch_can: fix sparse warning
This patch fixes the following sparse warning:
drivers/net/can/pch_can.c:231:26: warning: incorrect type in argument 1 (different address spaces)
drivers/net/can/pch_can.c:231:26: expected unsigned int [usertype] *addr
drivers/net/can/pch_can.c:231:26: got unsigned int [noderef] <asn:2>*<noident>
Let pch_can_bit_{set,clear} first parameter be a void __iomem pointer.
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Denis Kirjanov [Sat, 30 Oct 2010 23:24:25 +0000 (16:24 -0700)]
netxen_nic: Fix the tx queue manipulation bug in netxen_nic_probe
We should not stop the egress queue during probe because it is wrong.
Signed-off-by: Denis Kirjanov <dkirjanov@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>