David S. Miller [Thu, 14 Jan 2010 01:27:37 +0000 (17:27 -0800)]
ipv6: skb_dst() can be NULL in ipv6_hop_jumbo().
This fixes CERT-FI FICORA #341748
Discovered by Olli Jarva and Tuomo Untinen from the CROSS
project at Codenomicon Ltd.
Just like in CVE-2007-4567, we can't rely upon skb_dst() being
non-NULL at this point. We fixed that in commit
e76b2b2567b83448c2ee85a896433b96150c92e6 ("[IPV6]: Do no rely on
skb->dst before it is assigned.")
However commit
483a47d2fe794328d29950fe00ce26dd405d9437 ("ipv6: added
net argument to IP6_INC_STATS_BH") put a new version of the same bug
into this function.
Complicating analysis further, this bug can only trigger when network
namespaces are enabled in the build. When namespaces are turned off,
the dev_net() does not evaluate it's argument, so the dereference
would not occur.
So, for a long time, namespaces couldn't be turned on unless SYSFS was
disabled. Therefore, this code has largely been disabled except by
people turning it on explicitly for namespace development.
With help from Eugene Teo <eugene@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Matt Carlson [Tue, 12 Jan 2010 10:11:40 +0000 (10:11 +0000)]
tg3: Update copyright and driver version
This patch updates the copyright notice for 2010 and updates the version
number to 3.106.
Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Reviewed-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Matt Carlson [Tue, 12 Jan 2010 10:11:39 +0000 (10:11 +0000)]
tg3: Disable 5717 serdes and B0 support
The B0 revision of the 5717 will not get enough testing by the time
2.6.33 ships. Since the kernel is already at RC3, serdes support
will require too many patches to fix. For these reasons, this patch
disables 5717 serdes support and will refuse to attach to all 5717
devices that are later than an A0 revision.
Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Reviewed-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Matt Carlson [Tue, 12 Jan 2010 10:11:38 +0000 (10:11 +0000)]
tg3: Add reliable serdes detection for 5717 A0
The serdes status bit does not work as intended for the 5717 A0.
This patch implements an alternative detection scheme that will only be
valid for A0 revisions.
Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Reviewed-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Matt Carlson [Tue, 12 Jan 2010 10:11:37 +0000 (10:11 +0000)]
tg3: Fix std rx prod ring handling
There are some tg3 devices that require the driver to post new rx
buffers in smaller increments. Commit
4361935afe3abc3e5a93006b99197fac1fabbd50, "tg3: Consider
rx_std_prod_idx a hw mailbox" changed how the driver tracks the rx
producer ring updates, but it does not make any special considerations
for the above-mentioned devices. For those devices, it is possible for
the driver to hit the special case path, which updates the hardware
mailbox register but skips updating the shadow software mailbox member.
If the special case path represents the final mailbox update for this
ISR iteration, the hardware and software mailbox values will be out of
sync. Ultimately, this will cause the driver to use a stale mailbox
value on the next iteration, which will appear to the hardware as a
large rx buffer update. Bad things ensue.
The fix is to update the software shadow mailbox member when the special
case path is taken.
Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Reviewed-by: Michael Chan <mchan@broadcom.com>
Reported-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Matt Carlson [Tue, 12 Jan 2010 10:11:36 +0000 (10:11 +0000)]
tg3: Fix std prod ring nicaddr for 5787 and 57765
Commit
87668d352aa8d135bd695a050f18bbfc7b50b506, titled "tg3: Don't
touch RCB nic addresses", tried to avoid assigning the nic address of
the standard producer ring. Unfortunately, the default nic address is
not correct for the 5787, the 5755M, or the 57765. This patch
reenables the old behavior and opts out of the assignment only
for the 5717.
Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Reviewed-by: Michael Chan <mchan@broadcom.com>
Tested-by: Chow Loong Jin <hyperair@ubuntu.com>
Tested-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ben Hutchings [Wed, 13 Jan 2010 10:59:13 +0000 (10:59 +0000)]
sfc: Fix conditions for MDIO self-test
The MDIO self-test should not be run on boards without an MDIO PHY,
such as SFN5122F-R3 and later revisions. It should also not try to
address a specific MMD in an MDIO clause 22 PHY. Check the
mode_support field to decide which mode to use, if any.
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ben Hutchings [Wed, 13 Jan 2010 04:34:25 +0000 (04:34 +0000)]
sfc: Fix polling for slow MCDI operations
When the interface is down and we are using polled mode for MCDI
operations, we busy-wait for completion for approximately 1 jiffy
using udelay() and then back off to schedule(). But the completion
will not wake the task, since we are using polled mode! We must use
schedule_timeout_uninterruptible() instead.
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bruce Allan [Wed, 13 Jan 2010 01:53:08 +0000 (01:53 +0000)]
e1000e: workaround link issues on busy hub in half duplex on 82577/82578
This patch removes a delay in hardware after every received packet allowing
more time for transmitted packets to go out in between received packets in
half duplex.
Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bruce Allan [Wed, 13 Jan 2010 01:52:49 +0000 (01:52 +0000)]
e1000e: MDIO slow mode should always be done for 82577
A previous 82577 workaround that set the MDIO access speed to slow mode for
every PHY register read/write when the cable is unplugged should instead
set the access mode to always be slow before any PHY register access.
Since the mode bit gets cleared when the PHY is reset, set the mode after
every PHY reset.
Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Shannon Nelson [Wed, 13 Jan 2010 01:49:34 +0000 (01:49 +0000)]
ixgbe: update copyright dates
Signed-off-by: Shannon Nelson <shannon.nelson@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Alexander Duyck [Wed, 13 Jan 2010 01:49:13 +0000 (01:49 +0000)]
ixgbe: Do not attempt to perform interrupts in netpoll when down
This patch resolves issues seen when running netconsole and rebooting via
reboot -f. The issue was due to the fact that we were attempting to
perform interrupt actions when the q_vectors and rings had already been
freed via the ixgbe_shutdown routines.
Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
Acked-by: Mallikarjuna R Chilakala <mallikarjuna.chilakala@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 13 Jan 2010 05:33:49 +0000 (21:33 -0800)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6
Jarek Poplawski [Mon, 4 Jan 2010 08:48:41 +0000 (08:48 +0000)]
sky2: Fix oops in sky2_xmit_frame() after TX timeout
During TX timeout procedure dev could be awoken too early, e.g. by
sky2_complete_tx() called from sky2_down(). Then sky2_xmit_frame()
can run while buffers are freed causing an oops. This patch fixes it
by adding netif_device_present() test in sky2_tx_complete().
Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=14925
With debugging by: Mike McCormack <mikem@ring3k.org>
Reported-by: Berck E. Nash <flyboy@gmail.com>
Tested-by: Berck E. Nash <flyboy@gmail.com>
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Johannes Berg [Mon, 11 Jan 2010 15:14:57 +0000 (16:14 +0100)]
cfg80211: fix refcount imbalance when wext is disabled
When CONFIG_CFG80211_WEXT is not set, there is
a refcount imbalance with rdev->opencount, fix
that by moving it out of the ifdef.
Reported-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Felix Fietkau [Mon, 11 Jan 2010 05:47:00 +0000 (06:47 +0100)]
mac80211: fix queue selection for data frames on monitor interfaces
When ieee80211_monitor_select_queue encounters data frames, it selects
the WMM AC based on skb->priority and assumes that skb->priority
contains a valid 802.1d tag. However this assumption is incorrect, since
ieee80211_select_queue has not been called at this point.
If skb->priority > 7, an array overrun occurs, which could lead to
invalid values, resulting in crashes in the tx path.
Fix this by setting skb->priority based on the 802.11 header for QoS
frames and using the default AC for all non-QoS frames.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Ben Hutchings [Mon, 11 Jan 2010 23:53:45 +0000 (15:53 -0800)]
Documentation/3c509: document ethtool support
3c509 was changed to support ethtool in 2002, making the 'xcvr' module
parameter obsolete in most cases. More recently 3c509 was converted
to the modern driver model and this parameter was removed. Fix the
documentation to refer to ethtool rather than the module parameter.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jarek Poplawski [Sun, 10 Jan 2010 22:04:19 +0000 (22:04 +0000)]
af_packet: Don't use skb after dev_queue_xmit()
tpacket_snd() can change and kfree an skb after dev_queue_xmit(),
which is illegal.
With debugging by: Stephen Hemminger <shemminger@vyatta.com>
Reported-by: Michael Breuer <mbreuer@majjas.com>
With help from: David S. Miller <davem@davemloft.net>
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Tested-by: Michael Breuer<mbreuer@majjas.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dan Carpenter [Sat, 9 Jan 2010 08:41:48 +0000 (11:41 +0300)]
iwlwifi: silence buffer overflow warning
Smatch (and presumably other static checkers) complain that MAX_TID_COUNT is
past the end of the array. In the resulting discussion, Zhu Yi pointed out
that this value is not used in real life and the assignment was only there to
silence a gcc warning.
If there were a bug in the surrounding code and the value were used, the
WARN_ON(!qc) would print a warning before the crash.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Denis Kirjanov [Sun, 10 Jan 2010 21:40:10 +0000 (13:40 -0800)]
vxge: use pci_dma_mapping_error to test return value
pci_dma_mapping_error should be used to test return value of
pci_map_single or pci_map_page.
Signed-off-by: Denis Kirjanov <kirjanov@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Fri, 8 Jan 2010 21:15:47 +0000 (13:15 -0800)]
Merge branch 'master' of git://git./linux/kernel/git/kaber/nf-2.6
Abhijeet Kolekar [Fri, 8 Jan 2010 18:04:31 +0000 (10:04 -0800)]
iwlwifi: disable tx on beacon update notification
On beacon change update notification from mac we are not disabling
the tx in adhoc mode. Mac sends BSS_CHANGED_BEACON_ENABLED when
station leaves IBSS. Driver should indicate uCode to not to send
anything on receiving this notification.
Functionality to indicate uCode is duplicated across
two notifications so created a common function called iwl_set_no_assoc.
Fix the issue at
http://bugzilla.intellinuxwireless.org/show_bug.cgi?id=2133.
Signed-off-by: Abhijeet Kolekar <abhijeet.kolekar@intel.com>
Tested-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Zhu Yi [Fri, 8 Jan 2010 18:04:30 +0000 (10:04 -0800)]
iwlwifi: fix iwl_queue_used bug when read_ptr == write_ptr
When txq read_ptr equals to write_ptr, iwl_queue_used should
always return false. Because there is no used TFD in this case.
This is a complementary fix to the fix already included in commit "iwl3945:
fix panic in iwl3945 driver". Both fixes are needed to address the panic
below.
This problem was discussed on linux-wireless in
http://thread.gmane.org/gmane.linux.kernel.wireless.general/43568
<1>[ 7290.414172] IP: [<
ffffffffa0dd53a1>] iwl3945_rx_reply_tx+0xc1/0x450 [iwl3945]
<4>[ 7290.414205] PGD 0
<1>[ 7290.414214] Thread overran stack, or stack corrupted
<0>[ 7290.414229] Oops: 0002 [#1] PREEMPT SMP
<0>[ 7290.414246] last sysfs file: /sys/devices/platform/coretemp.1/temp1_input
<4>[ 7290.414265] CPU 0
<4>[ 7290.414274] Modules linked in: af_packet nfsd usb_storage usb_libusual cpufreq_powersave exportfs cpufreq_conservative iwl3945 nfs cpufreq_userspace snd_hda_codec_realtek acpi_cpufreq uvcvideo lockd iwlcore snd_hda_intel joydev coretemp nfs_acl videodev snd_hda_codec mac80211 v4l1_compat snd_hwdep sbp2 v4l2_compat_ioctl32 uhci_hcd psmouse auth_rpcgss ohci1394 cfg80211 ehci_hcd video ieee1394 snd_pcm serio_raw battery ac nvidia(P) usbcore output sunrpc evdev lirc_ene0100 snd_page_alloc rfkill tg3 libphy fuse lzo lzo_decompress lzo_compress
<6>[ 7290.414486] Pid: 0, comm: swapper Tainted: P 2.6.32-rc8-wl #213 Aspire 5720
<6>[ 7290.414507] RIP: 0010:[<
ffffffffa0dd53a1>] [<
ffffffffa0dd53a1>] iwl3945_rx_reply_tx+0xc1/0x450 [iwl3945]
<6>[ 7290.414541] RSP: 0018:
ffff880002203d60 EFLAGS:
00010246
<6>[ 7290.414557] RAX:
000000000000004f RBX:
ffff880064c11600 RCX:
0000000000000013
<6>[ 7290.414576] RDX:
ffffffffa0ddcf20 RSI:
ffff8800512b7008 RDI:
0000000000000038
<6>[ 7290.414596] RBP:
ffff880002203dd0 R08:
0000000000000000 R09:
0000000000000100
<6>[ 7290.414616] R10:
0000000000000001 R11:
0000000000000000 R12:
00000000000000a0
<6>[ 7290.414635] R13:
0000000000000002 R14:
0000000000000013 R15:
0000000000020201
<6>[ 7290.414655] FS:
0000000000000000(0000) GS:
ffff880002200000(0000) knlGS:
0000000000000000
<6>[ 7290.414677] CS: 0010 DS: 0018 ES: 0018 CR0:
000000008005003b
<6>[ 7290.414693] CR2:
0000000000000041 CR3:
0000000001001000 CR4:
00000000000006f0
<6>[ 7290.414712] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
<6>[ 7290.414732] DR3:
0000000000000000 DR6:
00000000ffff0ff0 DR7:
0000000000000400
<4>[ 7290.414752] Process swapper (pid: 0, threadinfo
ffffffff81524000, task
ffffffff81528b60)
<0>[ 7290.414772] Stack:
<4>[ 7290.414780]
ffff880002203da0 0000000000000046 0000000000000000 0000000000000046
<4>[ 7290.414804] <0>
0000000000000282 0000000000000282 0000000000000282 ffff880064c12010
<4>[ 7290.414830] <0>
ffff880002203db0 ffff880064c11600 ffff880064c12e50 ffff8800512b7000
<0>[ 7290.414858] Call Trace:
<0>[ 7290.414867] <IRQ>
<4>[ 7290.414884] [<
ffffffffa0dc8c47>] iwl3945_irq_tasklet+0x657/0x1740 [iwl3945]
<4>[ 7290.414910] [<
ffffffff8138fc60>] ? _spin_unlock+0x30/0x60
<4>[ 7290.414931] [<
ffffffff81049a21>] tasklet_action+0x101/0x110
<4>[ 7290.414950] [<
ffffffff8104a3d0>] __do_softirq+0xc0/0x160
<4>[ 7290.414968] [<
ffffffff8100d01c>] call_softirq+0x1c/0x30
<4>[ 7290.414986] [<
ffffffff8100eff5>] do_softirq+0x75/0xb0
<4>[ 7290.415003] [<
ffffffff81049ee5>] irq_exit+0x95/0xa0
<4>[ 7290.415020] [<
ffffffff8100e547>] do_IRQ+0x77/0xf0
<4>[ 7290.415038] [<
ffffffff8100c7d3>] ret_from_intr+0x0/0xf
<0>[ 7290.415052] <EOI>
<4>[ 7290.415067] [<
ffffffff81234efa>] ? acpi_idle_enter_bm+0x270/0x2a5
<4>[ 7290.415087] [<
ffffffff81234f04>] ? acpi_idle_enter_bm+0x27a/0x2a5
<4>[ 7290.415107] [<
ffffffff81234efa>] ? acpi_idle_enter_bm+0x270/0x2a5
<4>[ 7290.415130] [<
ffffffff812c11f3>] ? cpuidle_idle_call+0x93/0xf0
<4>[ 7290.415149] [<
ffffffff8100b0d7>] ? cpu_idle+0xa7/0x110
<4>[ 7290.415168] [<
ffffffff8137b3d5>] ? rest_init+0x75/0x80
<4>[ 7290.415187] [<
ffffffff8158cd0a>] ? start_kernel+0x3a7/0x3b3
<4>[ 7290.415206] [<
ffffffff8158c315>] ? x86_64_start_reservations+0x125/0x129
<4>[ 7290.415227] [<
ffffffff8158c3fd>] ? x86_64_start_kernel+0xe4/0xeb
<0>[ 7290.415243] Code: 00 41 39 ce 0f 8d e8 01 00 00 48 8b 47 40 48 63 d2 48 69 d2 98 00 00 00 4c 8b 04 02 48 c7 c2 20 cf dd a0 49 8d 78 38 49 8d 40 4f <c6> 47 09 00 c6 47 0c 00 c6 47 0f 00 c6 47 12 00 c6 47 15 00 49
<1>[ 7290.415382] RIP [<
ffffffffa0dd53a1>] iwl3945_rx_reply_tx+0xc1/0x450 [iwl3945]
<4>[ 7290.415410] RSP <
ffff880002203d60>
<0>[ 7290.415421] CR2:
0000000000000041
<4>[ 7290.415436] ---[ end trace
ec46807277caa515 ]---
<0>[ 7290.415450] Kernel panic - not syncing: Fatal exception in interrupt
<4>[ 7290.415468] Pid: 0, comm: swapper Tainted: P D 2.6.32-rc8-wl #213
<4>[ 7290.415486] Call Trace:
<4>[ 7290.415495] <IRQ> [<
ffffffff8138c040>] panic+0x7d/0x13a
<4>[ 7290.415519] [<
ffffffff8101071a>] oops_end+0xda/0xe0
<4>[ 7290.415538] [<
ffffffff8102e1ea>] no_context+0xea/0x250
<4>[ 7290.415557] [<
ffffffff81038991>] ? select_task_rq_fair+0x511/0x780
<4>[ 7290.415578] [<
ffffffff8102e475>] __bad_area_nosemaphore+0x125/0x1e0
<4>[ 7290.415597] [<
ffffffff81038d0c>] ? __enqueue_entity+0x7c/0x80
<4>[ 7290.415616] [<
ffffffff81039201>] ? enqueue_task_fair+0x111/0x150
<4>[ 7290.415636] [<
ffffffff8102e53e>] bad_area_nosemaphore+0xe/0x10
<4>[ 7290.415656] [<
ffffffff8102e8fa>] do_page_fault+0x26a/0x320
<4>[ 7290.415674] [<
ffffffff813905df>] page_fault+0x1f/0x30
<4>[ 7290.415697] [<
ffffffffa0dd53a1>] ? iwl3945_rx_reply_tx+0xc1/0x450 [iwl3945]
<4>[ 7290.415723] [<
ffffffffa0dc8c47>] iwl3945_irq_tasklet+0x657/0x1740 [iwl3945]
<4>[ 7290.415746] [<
ffffffff8138fc60>] ? _spin_unlock+0x30/0x60
<4>[ 7290.415764] [<
ffffffff81049a21>] tasklet_action+0x101/0x110
<4>[ 7290.415783] [<
ffffffff8104a3d0>] __do_softirq+0xc0/0x160
<4>[ 7290.415801] [<
ffffffff8100d01c>] call_softirq+0x1c/0x30
<4>[ 7290.415818] [<
ffffffff8100eff5>] do_softirq+0x75/0xb0
<4>[ 7290.415835] [<
ffffffff81049ee5>] irq_exit+0x95/0xa0
<4>[ 7290.415852] [<
ffffffff8100e547>] do_IRQ+0x77/0xf0
<4>[ 7290.415869] [<
ffffffff8100c7d3>] ret_from_intr+0x0/0xf
<4>[ 7290.415883] <EOI> [<
ffffffff81234efa>] ? acpi_idle_enter_bm+0x270/0x2a5
<4>[ 7290.415911] [<
ffffffff81234f04>] ? acpi_idle_enter_bm+0x27a/0x2a5
<4>[ 7290.415931] [<
ffffffff81234efa>] ? acpi_idle_enter_bm+0x270/0x2a5
<4>[ 7290.415952] [<
ffffffff812c11f3>] ? cpuidle_idle_call+0x93/0xf0
<4>[ 7290.415971] [<
ffffffff8100b0d7>] ? cpu_idle+0xa7/0x110
<4>[ 7290.415989] [<
ffffffff8137b3d5>] ? rest_init+0x75/0x80
<4>[ 7290.416007] [<
ffffffff8158cd0a>] ? start_kernel+0x3a7/0x3b3
<4>[ 7290.416026] [<
ffffffff8158c315>] ? x86_64_start_reservations+0x125/0x129
<4>[ 7290.416047] [<
ffffffff8158c3fd>] ? x86_64_start_kernel+0xe4/0xeb
Reported-by: Maxim Levitsky <maximlevitsky@gmail.com>
Tested-by: Maxim Levitsky <maximlevitsky@gmail.com>
Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
CC: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Johannes Berg [Fri, 8 Jan 2010 18:00:00 +0000 (19:00 +0100)]
mac80211: fix endian error
I forgot to convert the radiotap length to
CPU endian, which sparse found thankfully.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Felix Fietkau [Thu, 7 Jan 2010 19:23:53 +0000 (20:23 +0100)]
mac80211: add missing sanity checks for action frames
Various missing sanity checks caused rejected action frames to be
interpreted as channel switch announcements, which can cause a client
mode interface to switch away from its operating channel, thereby losing
connectivity. This patch ensures that only spectrum management action
frames are processed by the CSA handling function and prevents rejected
action frames from getting processed by the MLME code.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Lennert Buytenhek [Thu, 7 Jan 2010 14:01:42 +0000 (15:01 +0100)]
mac80211: fix queue selection for packets injected via monitor interface
Commit 'mac80211: fix skb buffering issue' added an ->ndo_select_queue()
for monitor interfaces which can end up dereferencing ieee802_1d_to_ac[]
beyond the end of the array for injected data packets (as skb->priority
isn't guaranteed to be zero or within [0:7]), which then triggers the
WARN_ON in net/core/dev.c:dev_cap_txqueue(). Fix this by always setting
the priority to zero on injected data frames.
Signed-off-by: Lennert Buytenhek <buytenh@marvell.com>
Cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Florian Westphal [Fri, 8 Jan 2010 16:31:24 +0000 (17:31 +0100)]
netfilter: ebtables: enforce CAP_NET_ADMIN
normal users are currently allowed to set/modify ebtables rules.
Restrict it to processes with CAP_NET_ADMIN.
Note that this cannot be reproduced with unmodified ebtables binary
because it uses SOCK_RAW.
Signed-off-by: Florian Westphal <fwestphal@astaro.com>
Cc: stable@kernel.org
Signed-off-by: Patrick McHardy <kaber@trash.net>
Bruce Allan [Thu, 7 Jan 2010 16:32:13 +0000 (16:32 +0000)]
e1000e: fix and commonize code for setting the receive address registers
Fix e1000e_rar_set() to flush consecutive register writes to avoid write
combining which some parts cannot handle. Update e1000e_init_rx_addrs()
to call the fixed e1000e_rar_set() instead of duplicating code.
Also change e1000e_rar_set() to _not_ set the Address Valid bit if the MAC
address is all zeros.
Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bruce Allan [Thu, 7 Jan 2010 16:31:54 +0000 (16:31 +0000)]
e1000e: e1000e_enable_tx_pkt_filtering() returns wrong value
e1000e_enable_tx_pkt_filtering() will return a non-zero value if the
driver fails to enable the manageability interface on the host for
any reason; instead it should retun zero to indicate filtering has been
disabled. Also provide a single exit point for the function.
Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bruce Allan [Thu, 7 Jan 2010 16:31:35 +0000 (16:31 +0000)]
e1000e: perform 10/100 adaptive IFS only on parts that support it
Adaptive IFS which involves writing to the Adaptive IFS Throttle register
was being done for all devices supported by the driver even though it is
not supported (i.e. the register doesn't even exist) on some devices. The
feature is supported on 8257x/82583 and ICH/PCH based devices, but not
on ESB2.
Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bruce Allan [Thu, 7 Jan 2010 16:31:16 +0000 (16:31 +0000)]
e1000e: don't accumulate PHY statistics on PHY read failure
Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bruce Allan [Thu, 7 Jan 2010 16:30:56 +0000 (16:30 +0000)]
e1000e: call pci_save_state() after pci_restore_state()
Due to a change in pci_restore_state()[1] which clears the saved_state
flag, the driver should call pci_save_state() to set the flag once again
to avoid issues with EEH (same fix that recently was submitted for ixgbe).
[1] commmit
4b77b0a2ba27d64f58f16d8d4d48d8319dda36ff
Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Amit Kumar Salecha [Thu, 7 Jan 2010 22:10:17 +0000 (22:10 +0000)]
netxen: update version to 4.0.72
Signed-off-by: Amit Kumar Salecha <amit.salecha@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Amit Kumar Salecha [Thu, 7 Jan 2010 22:10:16 +0000 (22:10 +0000)]
netxen: fix set mac addr
o If tx and rx resources are not available, during set mac request.
Then this request wont be passed to firmware and it will be added to
driver mac list and will never make it to firmware.
So if resources are not available, don't add it to driver mac list.
Signed-off-by: Amit Kumar Salecha <amit.salecha@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Amit Kumar Salecha [Thu, 7 Jan 2010 22:10:15 +0000 (22:10 +0000)]
netxen: fix smatch warning
o Fix pointless assignments
Signed-off-by: Amit Kumar Salecha <amit.salecha@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Amit Kumar Salecha [Thu, 7 Jan 2010 22:10:14 +0000 (22:10 +0000)]
netxen: fix tx ring memory leak
o While unloading driver or resetting the context, tx ring was not
getting free.
Signed-off-by: Amit Kumar Salecha <amit.salecha@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Octavian Purdila [Fri, 8 Jan 2010 08:00:09 +0000 (00:00 -0800)]
tcp: update the netstamp_needed counter when cloning sockets
This fixes a netstamp_needed accounting issue when the listen socket
has SO_TIMESTAMP set:
s = socket(AF_INET, SOCK_STREAM, 0);
setsockopt(s, SOL_SOCKET, SO_TIMESTAMP, 1); -> netstamp_needed = 1
bind(s, ...);
listen(s, ...);
s2 = accept(s, ...); -> netstamp_needed = 1
close(s2); -> netstamp_needed = 0
close(s); -> netstamp_needed = -1
Signed-off-by: Octavian Purdila <opurdila@ixiacom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Sriram [Thu, 7 Jan 2010 00:22:37 +0000 (00:22 +0000)]
TI DaVinci EMAC: Handle emac module clock correctly.
In the driver probe function the emac module clock needs to
be enabled before calling register_netdev(). As soon as the
device is registered the driver get_stats function can be invoked
by the core - the module clock must be switched on to be able to
read from stats registers. Also explicitly call matching clk_disable
for failure conditions in probe function.
Signed-off-by: Sriramakrishnan <srk@ti.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ben Hutchings [Thu, 7 Jan 2010 02:41:51 +0000 (02:41 +0000)]
dmfe/tulip: Let dmfe handle DM910x except for SPARC on-board chips
The Davicom DM9100 and DM9102 chips are used on the motherboards of
some SPARC systems (supported by the tulip driver) and also in PCI
expansion cards (supported by the dmfe driver). There is no
difference in the PCI device ids for the two different configurations,
so these drivers both claim the device ids. However, it is possible
to distinguish the two configurations by the presence of Open Firmware
properties for them, so we do that.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Grant Grundler <grundler@parisc-linux.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
PJ Waskiewicz [Wed, 6 Jan 2010 17:50:29 +0000 (17:50 +0000)]
ixgbe: Fix compiler warning about variable being used uninitialized
tc is still throwing a warning that is could be used
uninitialized. This fixes it, and properly formats the device ID
checks for the use of this variable.
Signed-off-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Thu, 7 Jan 2010 17:33:18 +0000 (18:33 +0100)]
netfilter: nf_ct_ftp: fix out of bounds read in update_nl_seq()
As noticed by Dan Carpenter <error27@gmail.com>, update_nl_seq()
currently contains an out of bounds read of the seq_aft_nl array
when looking for the oldest sequence number position.
Fix it to only compare valid positions.
Cc: stable@kernel.org
Signed-off-by: Patrick McHardy <kaber@trash.net>
Saeed Bishara [Tue, 5 Jan 2010 09:15:32 +0000 (09:15 +0000)]
mv643xx_eth: don't include cache padding in rx desc buffer size
If NET_SKB_PAD is not a multiple of the cache line size, mv643xx_eth
allocates a couple of extra bytes at the start of each receive buffer
to make the data payload end up on a cache line boundary.
These extra bytes are skb_reserve()'d before DMA mapping, so they
should not be included in the DMA map byte count (as the mapping is
done starting at skb->data), nor should they be included in the
receive descriptor buffer size field, or the hardware can end up
DMAing beyond the end of the buffer, which can happen if someone
sends us a larger-than-MTU sized packet.
This problem was introduced in commit
7fd96ce47ff ("mv643xx_eth:
rework receive skb cache alignment", May 6 2009), but hasn't appeared
to be problematic so far, probably as the main users of mv643xx_eth
all have NET_SKB_PAD == L1_CACHE_BYTES.
Signed-off-by: Saeed Bishara <saeed@marvell.com>
Signed-off-by: Lennert Buytenhek <buytenh@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jiri Slaby [Wed, 6 Jan 2010 06:54:16 +0000 (06:54 +0000)]
NET: atlx, fix memory leak
Stanse found a memory leak in atl2_get_eeprom. eeprom_buff is not
freed/assigned on all paths. Fix that.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Jay Cliburn <jcliburn@gmail.com>
Cc: Chris Snook <chris.snook@gmail.com>
Cc: Jie Yang <jie.yang@atheros.com>
Cc: atl1-devel@lists.sourceforge.net
Cc: "David S. Miller" <davem@davemloft.net>
Cc: netdev@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Alexander Beregalov [Wed, 6 Jan 2010 13:05:46 +0000 (13:05 +0000)]
pcmcia: ncmlan_cs: remove odd bracket
Signed-off-by: Alexander Beregalov <a.beregalov@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Mark Brown [Thu, 7 Jan 2010 08:53:05 +0000 (00:53 -0800)]
cs89x0: Always report failure to request interrupt
A failure on request_irq() is always fatal but unlike other fatal
errors it's only reported to the user if net_debug is set. Make the
diagnostic unconditional and raise the priority so that errors are
more obvious to the user.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jan Dumon [Tue, 5 Jan 2010 04:53:00 +0000 (04:53 +0000)]
hso: fixed missing newlines
Fixed missing newlines in calls to dev_warn & dev_err.
Signed-off-by: Jan Dumon <j.dumon@option.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jan Dumon [Tue, 5 Jan 2010 04:52:42 +0000 (04:52 +0000)]
hso: Fix for 5 sec timeouts with v2.x firmware
Don't send flow control settings to any port other than the modem port.
Older firmware ignored this request but did sent a reply. Newer firmware just
ignores it without reply and causes a 5 second timeout every time a port
(except for the modem port) is opened or if tiocm settings are changed.
Signed-off-by: Jan Dumon <j.dumon@option.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jan Dumon [Tue, 5 Jan 2010 04:52:13 +0000 (04:52 +0000)]
hso: Attempt to recover from usb bus errors
Attempt to reset the usb device when we receive usb bus errors.
Signed-off-by: Jan Dumon <j.dumon@option.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jan Dumon [Tue, 5 Jan 2010 04:51:28 +0000 (04:51 +0000)]
hso: don't change the state of a closed port
Don't change the state of a port if it's not open. This fixes an issue where a
port sometimes has to be opened twice before data can be received.
Signed-off-by: Jan Dumon <j.dumon@option.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jan Dumon [Tue, 5 Jan 2010 04:51:02 +0000 (04:51 +0000)]
hso: Fix for endian issues on big endian machines
Some fields are always little endian and have to be converted on big endian
machines.
Signed-off-by: Jan Dumon <j.dumon@option.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jan Dumon [Tue, 5 Jan 2010 04:50:31 +0000 (04:50 +0000)]
hso: Add Vendor/Product ID's for new devices
Add product ID's for new devices.
Signed-off-by: Jan Dumon <j.dumon@option.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ursula Braun [Mon, 4 Jan 2010 03:14:45 +0000 (03:14 +0000)]
claw: use "claw" as root device name
Claw module cannot be loaded together with qeth, because "qeth" has
been errorneously used as root device name. It is changed into "claw".
Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ken Kawasaki [Thu, 7 Jan 2010 04:37:58 +0000 (20:37 -0800)]
pcnet_cs: add cis of KTI PE520 pcmcia network card
pcnet_cs,serial_cs:
add cis of KTI PE520 pcmcia network card,
and serial card(Sierra Wireless AC860).
Signed-off-by: Ken Kawasaki <ken_kawasaki@spring.nifty.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
Octavian Purdila [Thu, 7 Jan 2010 04:37:01 +0000 (20:37 -0800)]
ip: fix mc_loop checks for tunnels with multicast outer addresses
When we have L3 tunnels with different inner/outer families
(i.e. IPV4/IPV6) which use a multicast address as the outer tunnel
destination address, multicast packets will be loopbacked back to the
sending socket even if IP*_MULTICAST_LOOP is set to disabled.
The mc_loop flag is present in the family specific part of the socket
(e.g. the IPv4 or IPv4 specific part). setsockopt sets the inner
family mc_loop flag. When the packet is pushed through the L3 tunnel
it will eventually be processed by the outer family which if different
will check the flag in a different part of the socket then it was set.
Signed-off-by: Octavian Purdila <opurdila@ixiacom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dave Liu [Thu, 7 Jan 2010 04:32:38 +0000 (20:32 -0800)]
ucc_geth: Fix the wrong the Rx/Tx FIFO size
current the Rx/Tx FIFO size settings cause problem
when four UEC ethernets work simultaneously.
eg: GETH1, UEM-J15, GETH2, UEC-J5 on 8569MDS board
$ ifconfig eth0 10.193.20.166
$ ifconfig eth1 10.193.20.167
$ ifconfig eth2 10.193.20.168
then
$ ifconfig eth3 10.193.20.169
The fourth ethernet will cause all of interface broken,
you cann't ping successfully any more.
The patch fix this issue for MPC8569 Rev1.0 and Rev2.0
Signed-off-by: Dave Liu <daveliu@freescale.com>
Acked-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
John W. Linville [Wed, 6 Jan 2010 20:39:39 +0000 (15:39 -0500)]
Revert "mac80211: replace netif_tx_{start,stop,wake}_all_queues"
This reverts commit
53623f1a09c7a7d23b74f0f7d93dba0ebde1006b.
This was inadvertantly missed in "mac80211: fix skb buffering issue",
and is required with that patch to restore proper queue operation.
Signed-off-by: John W. Linville <linville@tuxdriver.com>
John W. Linville [Wed, 6 Jan 2010 20:35:49 +0000 (15:35 -0500)]
mac80211: fix-up build breakage in 2.6.33
"mac80211: fix skb buffering issue" is based on what will become 2.6.34,
so it includes an incompatible usage of sta_info_get. This patch will
need to be effectively reverted when merging for 2.6.34.
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Gertjan van Wingerde [Wed, 30 Dec 2009 10:36:30 +0000 (11:36 +0100)]
rt2x00: Properly request tx headroom for alignment operations.
Current rt2x00 drivers may result in a "ieee80211_tx_status: headroom too
small" error message when a frame needs to be properly aligned before
transmitting it.
This is because the space needed to ensure proper alignment isn't
requested from mac80211.
Fix this by adding sufficient amount of alignment space to the amount
of headroom requested for TX frames.
Reported-by: David Ellingsworth <david@identd.dyndns.org>
Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
Acked-by: Ivo van Doorn <ivdoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Johannes Berg [Tue, 5 Jan 2010 17:00:58 +0000 (18:00 +0100)]
mac80211: fix skb buffering issue
Since I removed the master netdev, we've been
keeping internal queues only, and even before
that we never told the networking stack above
the virtual interfaces about congestion. This
means that packets are queued in mac80211 and
the upper layers never know, possibly leading
to memory exhaustion and other problems.
This patch makes all interfaces multiqueue and
uses ndo_select_queue to put the packets into
queues per AC. Additionally, when the driver
stops a queue, we now stop all corresponding
queues for the virtual interfaces as well.
The injection case will use VO by default for
non-data frames, and BE for data frames, but
downgrade any data frames according to ACM. It
needs to be fleshed out in the future to allow
chosing the queue/AC in radiotap.
Reported-by: Lennert Buytenhek <buytenh@marvell.com>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Cc: stable@kernel.org [2.6.32]
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Gertjan van Wingerde [Wed, 30 Dec 2009 10:36:33 +0000 (11:36 +0100)]
rt2x00: Fix LED configuration setting for rt2800.
rt2800_blink_set uses an illegal value to set the LED_CFG_G_LED_MODE
field of the LED_CFG register. This field is only 2 bits large, so
should be initialized with value that fits. Use default value from
the vendor driver.
Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Pavel Roskin [Wed, 30 Dec 2009 10:36:29 +0000 (11:36 +0100)]
rt2x00: use correct headroom for transmission
Use rt2x00dev->ops->extra_tx_headroom, not rt2x00dev->hw->extra_tx_headroom
in the tx code, as the later may include other headroom not to be used in
the chipset driver.
Signed-off-by: Pavel Roskin <proski@gnu.org>
Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
David S. Miller [Mon, 4 Jan 2010 22:36:40 +0000 (14:36 -0800)]
cxgb3i: Fix flags test.
As noticed by Stephen Rothwell.
Signed-off-by: David S. Miller <davem@davemloft.net>
Luis R. Rodriguez [Mon, 4 Jan 2010 16:37:39 +0000 (11:37 -0500)]
cfg80211: fix syntax error on user regulatory hints
This fixes a syntax error when setting up the user regulatory
hint. This change yields the same exact binary object though
so it ends up just being a syntax typo fix, fortunately.
Cc: stable@kernel.org
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Luis R. Rodriguez [Mon, 4 Jan 2010 15:40:39 +0000 (10:40 -0500)]
ath5k: Fix eeprom checksum check for custom sized eeproms
Commit
8bf3d79bc401ca417ccf9fc076d3295d1a71dbf5 enabled EEPROM
checksum checks to avoid bogus bug reports but failed to address
updating the code to consider devices with custom EEPROM sizes.
Devices with custom sized EEPROMs have the upper limit size stuffed
in the EEPROM. Use this as the upper limit instead of the static
default size. In case of a checksum error also provide back the
max size and whether or not this was the default size or a custom
one. If the EEPROM is busted we add a failsafe check to ensure
we don't loop forever or try to read bogus areas of hardware.
This closes bug 14874
http://bugzilla.kernel.org/show_bug.cgi?id=14874
Cc: stable@kernel.org
Cc: David Quan <david.quan@atheros.com>
Cc: Stephen Beahm <stephenbeahm@comcast.net>
Reported-by: Joshua Covington <joshuacov@googlemail.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Benoit Papillault [Sun, 3 Jan 2010 09:20:01 +0000 (10:20 +0100)]
zd1211rw: Fix multicast filtering.
If multicast parameter (as returned by zd_op_prepare_multicast) has
changed, no bit in changed_flags is set. To handle this situation, we do
not return if changed_flags is 0. If we do so, we will have some issue
with IPv6 which uses multicast for link layer address resolution.
Signed-off-by: Benoit Papillault <benoit.papillault@free.fr>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Dan Carpenter [Sun, 3 Jan 2010 09:19:35 +0000 (11:19 +0200)]
iwl: off by one bug
tid is used as an array offset.
agg = &priv->stations[sta_id].tid[tid].agg;
iwl4965_tx_status_reply_tx(priv, agg, tx_resp, txq_id, index);
It should be limitted to MAX_TID_COUNT - 1;
struct iwl_tid_data tid[MAX_TID_COUNT];
regards,
dan carpenter
Signed-off-by: Dan Carpenter <error27@gmail.com>
CC: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Lennert Buytenhek [Sat, 2 Jan 2010 09:31:42 +0000 (10:31 +0100)]
mwl8k: fix configure_filter() memory leak on error
If there was an error acquiring the firmware lock in
mwl8k_configure_filter(), we would end up leaking the multicast
command packet prepared by mwl8k_prepare_multicast().
Signed-off-by: Lennert Buytenhek <buytenh@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Ming Lei [Tue, 29 Dec 2009 14:57:28 +0000 (22:57 +0800)]
ath9k: fix ito64
The unit of sizeof() is byte instead of bit, so fix it.
The patch can fix debug output of some dma_addr_t variables.
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Dominik Geyer [Tue, 29 Dec 2009 07:27:57 +0000 (08:27 +0100)]
ath9k: Fix Kconfig depends for ATH9K_DEBUGFS
Add missing DEBUG_FS dependency for ATH9K_DEBUGFS in ath9k's Kconfig.
Signed-off-by: Dominik D. Geyer <dominik.geyer@gmx.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Arjan van de Ven [Mon, 4 Jan 2010 15:37:12 +0000 (16:37 +0100)]
ipvs: Add boundary check on ioctl arguments
The ipvs code has a nifty system for doing the size of ioctl command
copies; it defines an array with values into which it indexes the cmd
to find the right length.
Unfortunately, the ipvs code forgot to check if the cmd was in the
range that the array provides, allowing for an index outside of the
array, which then gives a "garbage" result into the length, which
then gets used for copying into a stack buffer.
Fix this by adding sanity checks on these as well as the copy size.
[ horms@verge.net.au: adjusted limit to IP_VS_SO_GET_MAX ]
Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Sucheta Chakraborty [Sat, 2 Jan 2010 03:25:19 +0000 (03:25 +0000)]
netxen: fix ethtool link test
o Fix ethtool link test for NX3031 chip.
o Remove unused code from phy interrupt callback
Signed-off-by: Sucheta Chakraborty <sucheta.chakraborty@qlogic.com>
Signed-off-by: Amit Kumar Salecha <amit.salecha@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Sucheta Chakraborty [Sat, 2 Jan 2010 03:25:18 +0000 (03:25 +0000)]
netxen: fix ethtool register dump
o Dump registers such as tx ring and rx ring counter, firmware state,
niu regs, etc. which can be useful for debugging purpose.
Signed-off-by: Sucheta Chakraborty <sucheta.chakraborty@qlogic.com>
Signed-off-by: Amit Kumar Salecha <amit.salecha@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dan Carpenter [Sat, 2 Jan 2010 04:08:46 +0000 (04:08 +0000)]
rrunner: fix buffer overflow
tx_skbuff is define as:
struct sk_buff *tx_skbuff[TX_RING_ENTRIES];
EVT_RING_ENTRIES is 64 and TX_RING_ENTRIES is 32.
This function is in a error path so that's why it wasn't noticed.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
roel kluin [Wed, 30 Dec 2009 06:43:06 +0000 (06:43 +0000)]
broadcom: Fix &&/|| confusion in bcm54xx_adjust_rxrefclk()
This always evaluates to true.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
roel kluin [Wed, 30 Dec 2009 01:43:45 +0000 (01:43 +0000)]
net: Test off by one in sh_eth_reset()
If no break occurred, cnt reaches 0 after the loop.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
roel kluin [Sun, 27 Dec 2009 04:10:59 +0000 (04:10 +0000)]
niu: timeout ignored in tcam_wait_bit()
With `while (--limit > 0)' i reaches 0 after the loop, so upon timeout the
error was not returned.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
roel kluin [Sun, 27 Dec 2009 03:26:12 +0000 (03:26 +0000)]
atarilance: timeout ignored in lance_open()
With `while (--i > 0)' i reaches 0 after the loop, so upon timeout the
error was not issued.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Julia Lawall [Tue, 29 Dec 2009 09:15:42 +0000 (09:15 +0000)]
drivers/net : Correct the size argument to kzalloc
lp->rx_skb has type struct sk_buff **, not struct sk_buff *, so the
elements of the array should have pointer type, not structure type.
The semantic patch that makes this change is as follows:
(http://coccinelle.lip6.fr/)
// <smpl>
@disable sizeof_type_expr@
type T;
T **x;
@@
x =
<+...sizeof(
- T
+ *x
)...+>
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Rakesh Ranjan [Sun, 27 Dec 2009 07:03:08 +0000 (12:33 +0530)]
cxgb3i: Fix a login over vlan issue
Fix a target login issue, when parent interface is vlan and we are using cxgb3i sepecific
private ip address in '/etc/iscsi/ifaces/' iface file.
Acked-by: Karen Xie <kxie@chelsio.com>
Signed-off-by: Rakesh Ranjan <rakesh@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dan Carpenter [Mon, 28 Dec 2009 06:54:55 +0000 (06:54 +0000)]
hamradio: avoid null deref v3
This should address the problems in version 1 (lazy) and version 2 (ugly).
Bump the stats on orig_dev not on the newly assigned NULL dev variable.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
roel kluin [Sun, 27 Dec 2009 11:22:08 +0000 (11:22 +0000)]
usbnet: test off by one
With `while (i++ < MII_TIMEOUT)' i reaches MII_TIMEOUT + 1 after the loop
This is probably unlikely a problem in practice.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Julia Lawall [Sun, 27 Dec 2009 11:27:44 +0000 (11:27 +0000)]
drivers/net/can: Correct NULL test
Test the just-allocated value for NULL rather than some other value.
The semantic patch that makes this change is as follows:
(http://coccinelle.lip6.fr/)
// <smpl>
@@
expression x,y;
statement S;
@@
x = \(kmalloc\|kcalloc\|kzalloc\)(...);
(
if ((x) == NULL) S
|
if (
- y
+ x
== NULL)
S
)
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Acked-by: Oliver Hartkopp <oliver@hartkopp.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Julia Lawall [Mon, 21 Dec 2009 14:25:32 +0000 (14:25 +0000)]
drivers/isdn: eliminate duplicated test
The code checked slot_rx twice. Check slot_tx by analogy with the bank
case.
The semantic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)
// <smpl>
@@
expression E;
@@
(
*E && E
|
*E || E
)
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Cc: Karsten Keil <isdn@linux-pingi.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andrew Morton [Mon, 21 Dec 2009 14:25:06 +0000 (14:25 +0000)]
net/sctp/socket.c: squish warning
net/sctp/socket.c: In function 'sctp_setsockopt_autoclose':
net/sctp/socket.c:2090: warning: comparison is always false due to limited range of data type
Cc: Andrei Pelinescu-Onciul <andrei@iptel.org>
Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bernard Pidoux F6BVP [Thu, 17 Dec 2009 05:25:18 +0000 (05:25 +0000)]
rose_loopback_timer sets VC number <= ROSE_DEFAULT_MAXVC
cat /proc/net/rose displayed a rose sockets abnormal lci value, i.e.
greater than maximum number of VCs per neighbour allowed.
This number prevents further test of lci value during rose operations.
Example (lines shortened) :
[bernard]# cat /proc/net/rose
dest_addr dest_call src_addr src_call dev lci neigh st vs vr va
* *
2080175520 F6BVP-1 rose0 000 00000 0 0 0 0
2080175520 FPAD-0
2080175520 WP-0 rose0 FFE 00001 3 0 0 0
Here are the default parameters :
linux/include/net/rose.h:#define ROSE_DEFAULT_MAXVC 50 /* Maximum number of VCs per neighbour */
linux/net/rose/af_rose.c:int sysctl_rose_maximum_vcs = ROSE_DEFAULT_MAXVC;
With the following patch, rose_loopback_timer() attributes a VC number
within limits.
Signed-off-by: Bernard Pidoux <f6bvp@amsat.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ben Hutchings [Mon, 14 Dec 2009 16:05:09 +0000 (16:05 +0000)]
via-velocity: Give RX descriptors to the NIC later on open or MTU change
velocity_open() calls velocity_give_many_rx_descs(), which gives RX
descriptors to the NIC, before installing an interrupt handler or
calling velocity_init_registers(). I think this is very unsafe and it
appears to explain the bug report <http://bugs.debian.org/508527>.
On MTU change, velocity_give_many_rx_descs() is again called before
velocity_init_registers(). I'm not sure whether this is unsafe but
it does look wrong.
Therefore, move the calls to velocity_give_many_rx_descs() after
request_irq() and velocity_init_registers().
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Tested-by: Jan Ceuleers <jan.ceuleers@computer.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Anton Vorontsov [Wed, 30 Dec 2009 08:23:34 +0000 (08:23 +0000)]
fsl_pq_mdio: Fix iomem unmapping for non-eTSEC2.0 controllers
We use a rather complicated logic to support eTSEC and eTSEC2.0
registers maps in a single driver. Currently, the code tries to
unmap 'regs', but for non-eTSEC2.0 controllers 'regs' doesn't
point to a mapping start, and this might cause badness on probe
failure or module removal:
Freescale PowerQUICC MII Bus: probed
Trying to vfree() nonexistent vm area (
e107f000)
------------[ cut here ]------------
Badness at
c00a7754 [verbose debug info unavailable]
NIP:
c00a7754 LR:
c00a7754 CTR:
c02231ec
[...]
NIP [
c00a7754] __vunmap+0xec/0xf4
LR [
c00a7754] __vunmap+0xec/0xf4
Call Trace:
[
df827e50] [
c00a7754] __vunmap+0xec/0xf4 (unreliable)
[
df827e70] [
c001519c] iounmap+0x44/0x54
[
df827e80] [
c028b924] fsl_pq_mdio_probe+0x1cc/0x2fc
[
df827eb0] [
c02fb9b4] of_platform_device_probe+0x5c/0x84
[
df827ed0] [
c0229928] really_probe+0x78/0x1a8
[
df827ef0] [
c0229b20] __driver_attach+0xa4/0xa8
Fix this by introducing a proper priv structure (finally!), which
now holds 'regs' and 'map' fields separately.
Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Anton Vorontsov [Wed, 30 Dec 2009 08:23:32 +0000 (08:23 +0000)]
ucc_geth: Fix netdev watchdog triggering on suspend
Sometimes ucc_geth fails to suspend with the following trace:
ucc_geth
e0103000.ucc: suspend
ucc_geth
e0102000.ucc: suspend
NETDEV WATCHDOG: eth0 (ucc_geth): transmit queue 0 timed out
------------[ cut here ]------------
Badness at net/sched/sch_generic.c:255
NIP:
c021cb5c LR:
c021cb5c CTR:
c01ab4b4
[...]
NIP [
c021cb5c] dev_watchdog+0x298/0x2a8
LR [
c021cb5c] dev_watchdog+0x298/0x2a8
Call Trace:
[
c0389da0] [
c021cb5c] dev_watchdog+0x298/0x2a8 (unreliable)
[
c0389e00] [
c0031ed8] run_timer_softirq+0x16c/0x1dc
[
c0389e50] [
c002c638] __do_softirq+0xa4/0x11c
[...]
This patch fixes the issue by properly detaching the device on
suspend, and attaching it back on resume.
Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Anton Vorontsov [Wed, 30 Dec 2009 08:23:30 +0000 (08:23 +0000)]
phylib: Properly reinitialize PHYs after hibernation
Since hibernation assumes power loss, we should fully reinitialize
PHYs (including platform fixups), as if PHYs were just attached.
This patch factors phy_init_hw() out of phy_attach_direct(), then
converts mdio_bus to dev_pm_ops and adds an appropriate restore()
callback.
Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Anton Vorontsov [Wed, 30 Dec 2009 08:23:28 +0000 (08:23 +0000)]
phylib: Fix deadlock on resume
Sometimes kernel hangs on resume with the following trace:
ucc_geth
e0102000.ucc: resume
INFO: task bash:1764 blocked for more than 120 seconds.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
bash D
0fecf43c 0 1764 1763 0x00000000
Call Trace:
[
cf9a7c10] [
c0012868] ret_from_except+0x0/0x14 (unreliable)
--- Exception:
cf9a7ce0 at __switch_to+0x4c/0x6c
LR = 0xcf9a7cc0
[
cf9a7cd0] [
c0008c14] __switch_to+0x4c/0x6c (unreliable)
[
cf9a7ce0] [
c028bcfc] schedule+0x158/0x260
[
cf9a7d10] [
c028c720] __mutex_lock_slowpath+0x80/0xd8
[
cf9a7d40] [
c01cf388] phy_stop+0x20/0x70
[
cf9a7d50] [
c01d514c] ugeth_resume+0x6c/0x13c
[...]
Here is why.
On suspend:
- PM core starts suspending devices, ucc_geth_suspend gets called;
- ucc_geth calls phy_stop() on suspend. Note that phy_stop() is
mostly asynchronous so it doesn't block ucc_geth's suspend routine,
it just sets PHY_HALTED state and disables PHY's interrupts;
- Suddenly the state machine gets scheduled, it grabs the phydev->lock
mutex and tries to process the PHY_HALTED state, so it calls
phydev->adjust_link(phydev->attached_dev). In ucc_geth case
adjust_link() calls msleep(), which reschedules the code flow back to
PM core, which now finishes suspend and so we end up sleeping with
phydev->lock mutex held.
On resume:
- PM core starts resuming devices (notice that nobody rescheduled
the state machine yet, so the mutex is still held), the core calls
ucc_geth's resume routine;
- ucc_geth_resume restarts the PHY with phy_stop()/phy_start()
sequence, and the phy_*() calls are trying to grab the phydev->lock
mutex. Here comes the deadlock.
This patch fixes the issue by stopping the state machine on suspend
and starting it again on resume.
Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 30 Dec 2009 03:44:25 +0000 (19:44 -0800)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6
John W. Linville [Tue, 29 Dec 2009 19:07:42 +0000 (14:07 -0500)]
Revert "b43: Enforce DMA descriptor memory constraints"
This reverts commit
9bd568a50c446433038dec2a5186c5c57c3dbd23.
That commit is shown to cause allocation failures during initialization
on some machines.
http://bugzilla.kernel.org/show_bug.cgi?id=14844
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Zhu Yi [Mon, 28 Dec 2009 06:23:11 +0000 (14:23 +0800)]
iwmc3200wifi: fix array out-of-boundary access
Allocate priv->rx_packets[IWM_RX_ID_HASH + 1] because the max array
index is IWM_RX_ID_HASH according to IWM_RX_ID_GET_HASH().
Cc: stable@kernel.org
Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Roel Kluin [Sat, 26 Dec 2009 19:31:59 +0000 (20:31 +0100)]
wl1251: timeout one too soon in wl1251_boot_run_firmware()
`loop' reaches INIT_LOOP + 1 after the loop. so if ACX_INTR_INIT_COMPLETE
occurs in the last iteration the write occurs but also the error out as if a
timeout occurred. This is probably very unlikely to ever occur.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Acked-by: Kalle Valo <kalle.valo@nokia.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Luis R. Rodriguez [Thu, 24 Dec 2009 20:38:22 +0000 (15:38 -0500)]
mac80211: fix propagation of failed hardware reconfigurations
mac80211 does not propagate failed hardware reconfiguration
requests. For suspend and resume this is important due to all
the possible issues that can come out of the suspend <-> resume
cycle. Not propagating the error means cfg80211 will assume
the resume for the device went through fine and mac80211 will
continue on trying to poke at the hardware, enable timers,
queue work, and so on for a device which is completley
unfunctional.
The least we can do is to propagate device start issues and
warn when this occurs upon resume. A side effect of this patch
is we also now propagate the start errors upon harware
reconfigurations (non-suspend), but this should also be desirable
anyway, there is not point in continuing to reconfigure a
device if mac80211 was unable to start the device.
For further details refer to the thread:
http://marc.info/?t=
126151038700001&r=1&w=2
Cc: stable@kernel.org
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Luis R. Rodriguez [Thu, 24 Dec 2009 20:26:09 +0000 (15:26 -0500)]
mac80211: fix race with suspend and dynamic_ps_disable_work
When mac80211 suspends it calls a driver's suspend callback
as a last step and after that the driver assumes no calls will
be made to it until we resume and its start callback is kicked.
If such calls are made, however, suspend can end up throwing
hardware in an unexpected state and making the device unusable
upon resume.
Fix this by preventing mac80211 to schedule dynamic_ps_disable_work
by checking for when mac80211 starts to suspend and starts
quiescing. Frames should be allowed to go through though as
that is part of the quiescing steps and we do not flush the
mac80211 workqueue since it was already done towards the
beginning of suspend cycle.
The other mac80211 issue will be hanled in the next patch.
For further details see refer to the thread:
http://marc.info/?t=
126144866100001&r=1&w=2
Cc: stable@kernel.org
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Felix Fietkau [Thu, 24 Dec 2009 13:04:32 +0000 (14:04 +0100)]
ath9k: fix missed error codes in the tx status check
My previous change added in:
commit
815833e7ecf0b9a017315cae6aef4d7cd9517681
ath9k: fix tx status reporting
was not checking all possible tx error conditions. This could possibly
lead to throughput issues due to slow rate control adaption or missed
retransmissions of failed A-MPDU frames.
This patch adds a mask for all possible error conditions and uses it
in the xmit ok check.
Cc: stable@kernel.org
Reported-by: Björn Smedman <bjorn.smedman@venatech.se>
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Luis R. Rodriguez [Thu, 24 Dec 2009 01:03:29 +0000 (20:03 -0500)]
ath9k: wake hardware during AMPDU TX actions
AMDPDU actions poke hardware for TX operation, as such
we want to turn hardware on for these actions. AMDPU RX operations
do not require hardware on as nothing is done in hardware for
those actions. Without this we cannot guarantee hardware has
been programmed correctly for each AMPDU TX action.
Cc: stable@kernel.org
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Luis R. Rodriguez [Thu, 24 Dec 2009 01:03:28 +0000 (20:03 -0500)]
ath9k: wake hardware for interface IBSS/AP/Mesh removal
When we remove a IBSS/AP/Mesh interface we stop DMA
but to do this we should ensure hardware is on. Awaken
the device prior to these calls. This should ensure
DMA is stopped upon suspend and plain device removal.
Cc: stable@kernel.org
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Sujith [Thu, 24 Dec 2009 01:03:27 +0000 (20:03 -0500)]
ath9k: fix suspend by waking device prior to stop
Ensure the device is awake prior to trying to tell hardware
to stop it. Impact of not doing this is we can likely leave
the device in an undefined state likely causing issues with
suspend and resume. This patch ensures harware is where it
should be prior to suspend.
Cc: stable@kernel.org
Signed-off-by: Sujith <Sujith.Manoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>