GitHub/LineageOS/android_kernel_samsung_universal7580.git
14 years agohso: IP checksuming doesn't work on GE0301 option cards
Thomas Bogendoerfer [Tue, 7 Dec 2010 22:21:52 +0000 (22:21 +0000)]
hso: IP checksuming doesn't work on GE0301 option cards

There is definitly a problem, that some option cards send up broken
IP pakets leading to corrupted IP packets. These corruptions aren't
detected, because the driver claims that the packets are already
checksummed. This change removes the CHECKSUM_UNNECESSARY option
and let IP detect broken data.

Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoxfrm: Fix xfrm_state_migrate leak
Thomas Egerer [Mon, 6 Dec 2010 23:28:56 +0000 (23:28 +0000)]
xfrm: Fix xfrm_state_migrate leak

xfrm_state_migrate calls kfree instead of xfrm_state_put to free
a failed state. According to git commit 553f9118 this can cause
memory leaks.

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet: Convert netpoll blocking api in bonding driver to be a counter
Neil Horman [Mon, 6 Dec 2010 09:05:50 +0000 (09:05 +0000)]
net: Convert netpoll blocking api in bonding driver to be a counter

A while back I made some changes to enable netpoll in the bonding driver.  Among
them was a per-cpu flag that indicated we were in a path that held locks which
could cause the netpoll path to block in during tx, and as such the tx path
should queue the frame for later use.  This appears to have given rise to a
regression.  If one of those paths on which we hold the per-cpu flag yields the
cpu, its possible for us to come back on a different cpu, leading to us clearing
a different flag than we set.  This results in odd netpoll drops, and BUG
backtraces appearing in the log, as we check to make sure that we only clear set
bits, and only set clear bits.  I had though briefly about changing the
offending paths so that they wouldn't sleep, but looking at my origional work
more closely, it doesn't appear that a per-cpu flag is warranted.  We alrady
gate the checking of this flag on IFF_IN_NETPOLL, so we don't hit this in the
normal tx case anyway.  And practically speaking, the normal use case for
netpoll is to only have one client anyway, so we're not going to erroneously
queue netpoll frames when its actually safe to do so.  As such, lets just
convert that per-cpu flag to an atomic counter.  It fixes the rescheduling bugs,
is equivalent from a performance perspective and actually eliminates some code
in the process.

Tested by the reporter and myself, successfully

Reported-by: Liang Zheng <lzheng@redhat.com>
CC: Jay Vosburgh <fubar@us.ibm.com>
CC: Andy Gospodarek <andy@greyhouse.net>
CC: David S. Miller <davem@davemloft.net>
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoeconet: Fix crash in aun_incoming().
David S. Miller [Thu, 9 Dec 2010 02:42:23 +0000 (18:42 -0800)]
econet: Fix crash in aun_incoming().

Unconditional use of skb->dev won't work here,
try to fetch the econet device via skb_dst()->dev
instead.

Suggested by Eric Dumazet.

Reported-by: Nelson Elhage <nelhage@ksplice.com>
Tested-by: Nelson Elhage <nelhage@ksplice.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agotcp: protect sysctl_tcp_cookie_size reads
Eric Dumazet [Tue, 7 Dec 2010 12:20:47 +0000 (12:20 +0000)]
tcp: protect sysctl_tcp_cookie_size reads

Make sure sysctl_tcp_cookie_size is read once in
tcp_cookie_size_check(), or we might return an illegal value to caller
if sysctl_tcp_cookie_size is changed by another cpu.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Ben Hutchings <bhutchings@solarflare.com>
Cc: William Allen Simpson <william.allen.simpson@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agotcp: avoid a possible divide by zero
Eric Dumazet [Tue, 7 Dec 2010 12:03:55 +0000 (12:03 +0000)]
tcp: avoid a possible divide by zero

sysctl_tcp_tso_win_divisor might be set to zero while one cpu runs in
tcp_tso_should_defer(). Make sure we dont allow a divide by zero by
reading sysctl_tcp_tso_win_divisor exactly once.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoehea: Fixing LRO configuration
Breno Leitao [Wed, 8 Dec 2010 20:19:14 +0000 (12:19 -0800)]
ehea: Fixing LRO configuration

In order to set LRO on ehea, the user must set a module parameter, which
is not the standard way to do so. This patch adds a way to set LRO using
the ethtool tool.

Signed-off-by: Breno Leitao <leitao@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agotcp: Replace time wait bucket msg by counter
Tom Herbert [Wed, 8 Dec 2010 20:16:33 +0000 (12:16 -0800)]
tcp: Replace time wait bucket msg by counter

Rather than printing the message to the log, use a mib counter to keep
track of the count of occurences of time wait bucket overflow.  Reduces
spam in logs.

Signed-off-by: Tom Herbert <therbert@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agox25: decrement netdev reference counts on unload
Apollon Oikonomopoulos [Tue, 7 Dec 2010 09:43:30 +0000 (09:43 +0000)]
x25: decrement netdev reference counts on unload

x25 does not decrement the network device reference counts on module unload.
Thus unregistering any pre-existing interface after unloading the x25 module
hangs and results in

 unregister_netdevice: waiting for tap0 to become free. Usage count = 1

This patch decrements the reference counts of all interfaces in x25_link_free,
the way it is already done in x25_link_device_down for NETDEV_DOWN events.

Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agodriver/net/benet: fix be_cmd_multicast_set() memcpy bug
Joe Jin [Mon, 6 Dec 2010 03:00:59 +0000 (03:00 +0000)]
driver/net/benet: fix be_cmd_multicast_set() memcpy bug

Regarding  benet be_cmd_multicast_set() function, now using
netdev_for_each_mc_addr() helper for mac address copy, but
when copying to req->mac[] did not increase of the index.

Cc: Sathya Perla <sathyap@serverengines.com>
Cc: Subbu Seetharaman <subbus@serverengines.com>
Cc: Sarveshwar Bandi <sarveshwarb@serverengines.com>
Cc: Ajit Khaparde <ajitk@serverengines.com>
Signed-off-by: Joe Jin <joe.jin@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agol2tp: Fix modalias of l2tp_ip
Michal Marek [Mon, 6 Dec 2010 02:39:12 +0000 (02:39 +0000)]
l2tp: Fix modalias of l2tp_ip

Using the SOCK_DGRAM enum results in
"net-pf-2-proto-SOCK_DGRAM-type-115", so use the numeric value like it
is done in net/dccp.

Signed-off-by: Michal Marek <mmarek@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoeconet: Do the correct cleanup after an unprivileged SIOCSIFADDR.
Nelson Elhage [Wed, 8 Dec 2010 18:13:55 +0000 (10:13 -0800)]
econet: Do the correct cleanup after an unprivileged SIOCSIFADDR.

We need to drop the mutex and do a dev_put, so set an error code and break like
the other paths, instead of returning directly.

Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoMerge branch 'sfc-2.6.37' of git://git.kernel.org/pub/scm/linux/kernel/git/bwh/sfc-2.6
David S. Miller [Wed, 8 Dec 2010 20:13:23 +0000 (12:13 -0800)]
Merge branch 'sfc-2.6.37' of git://git./linux/kernel/git/bwh/sfc-2.6

14 years agollc: fix a device refcount imbalance
Eric Dumazet [Sun, 5 Dec 2010 02:03:26 +0000 (02:03 +0000)]
llc: fix a device refcount imbalance

Le dimanche 05 décembre 2010 à 12:23 +0100, Eric Dumazet a écrit :
> Le dimanche 05 décembre 2010 à 09:19 +0100, Eric Dumazet a écrit :
>
> > Hmm..
> >
> > If somebody can explain why RTNL is held in arp_ioctl() (and therefore
> > in arp_req_delete()), we might first remove RTNL use in arp_ioctl() so
> > that your patch can be applied.
> >
> > Right now it is not good, because RTNL wont be necessarly held when you
> > are going to call arp_invalidate() ?
>
> While doing this analysis, I found a refcount bug in llc, I'll send a
> patch for net-2.6

Oh well, of course I must first fix the bug in net-2.6, and wait David
pull the fix in net-next-2.6 before sending this rcu conversion.

Note: this patch should be sent to stable teams (2.6.34 and up)

[PATCH net-2.6] llc: fix a device refcount imbalance

commit abf9d537fea225 (llc: add support for SO_BINDTODEVICE) added one
refcount imbalance in llc_ui_bind(), because dev_getbyhwaddr() doesnt
take a reference on device, while dev_get_by_index() does.

Fix this using RCU locking. And since an RCU conversion will be done for
2.6.38 for dev_getbyhwaddr(), put the rcu_read_lock/unlock exactly at
their final place.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: stable@kernel.org
Cc: Octavian Purdila <opurdila@ixiacom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoifb: goto resched directly if error happens and dp->tq isn't empty
Changli Gao [Sat, 4 Dec 2010 14:09:08 +0000 (14:09 +0000)]
ifb: goto resched directly if error happens and dp->tq isn't empty

If we break the loop when there are still skbs in tq and no skb in
rq, the skbs will be left in txq until new skbs are enqueued into rq.
In rare cases, no new skb is queued, then these skbs will stay in rq
forever.

After this patch, if tq isn't empty when we break the loop, we goto
resched directly.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agotcp: Bug fix in initialization of receive window.
Nandita Dukkipati [Fri, 3 Dec 2010 13:33:44 +0000 (13:33 +0000)]
tcp: Bug fix in initialization of receive window.

The bug has to do with boundary checks on the initial receive window.
If the initial receive window falls between init_cwnd and the
receive window specified by the user, the initial window is incorrectly
brought down to init_cwnd. The correct behavior is to allow it to
remain unchanged.

Signed-off-by: Nandita Dukkipati <nanditad@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocxgb4: fix MAC address hash filter
Dimitris Michailidis [Fri, 3 Dec 2010 10:39:04 +0000 (10:39 +0000)]
cxgb4: fix MAC address hash filter

Fix the calculation of the inexact hash-based MAC address filter.
It's 64 bits but current code is missing a ULL.  Results in filtering out
some legitimate packets.

Signed-off-by: Dimitris Michailidis <dm@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoCAIF: Fix U5500 compile error for shared memory driver
Kim Lilliestierna XX [Tue, 30 Nov 2010 09:11:22 +0000 (09:11 +0000)]
CAIF: Fix U5500 compile error for shared memory driver

Rearrange pr_fmt so it compiles.

Signed-off-by: Sjur Braendeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirel...
David S. Miller [Wed, 8 Dec 2010 16:13:01 +0000 (08:13 -0800)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6

14 years agosfc: Fix NAPI list corruption during ring reallocation
Ben Hutchings [Tue, 7 Dec 2010 19:47:34 +0000 (19:47 +0000)]
sfc: Fix NAPI list corruption during ring reallocation

Call netif_napi_{add,del}() on the NAPI contexts in the new and
old channels, respectively.

Since efx_init_napi() cannot fail, make its return type void.

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
14 years agosfc: Fix crash in legacy onterrupt handler during ring reallocation
Ben Hutchings [Tue, 7 Dec 2010 19:24:45 +0000 (19:24 +0000)]
sfc: Fix crash in legacy onterrupt handler during ring reallocation

If we are using a legacy interrupt, our IRQ may be shared and our
interrupt handler may be called even though interrupts are disabled on
the NIC. When we change ring sizes, we reallocate the event queue and
the interrupt handler may use an invalid pointer when called for
another device's interrupt.

Maintain a legacy_irq_enabled flag and test that at the top of the
interrupt handler.  Note that this problem results from the need to
work around broken INT_ISR0 reads, and does not affect the legacy
interrupt handler for Falcon A1.

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
14 years agoixgbe: fix possible NULL pointer deference in shutdown path
Don Skidmore [Wed, 1 Dec 2010 20:54:53 +0000 (20:54 +0000)]
ixgbe: fix possible NULL pointer deference in shutdown path

After freeing the rings we were not zeroing out the ring count values.
This patch now clears these counts correctly.

Reported-by: Yinghai Lu <yinghai@kernel.org>
Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
Tested-by: Stephen Ko <stephen.s.ko@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agofilter: fix sk_filter rcu handling
Eric Dumazet [Mon, 6 Dec 2010 17:29:43 +0000 (09:29 -0800)]
filter: fix sk_filter rcu handling

Pavel Emelyanov tried to fix a race between sk_filter_(de|at)tach and
sk_clone() in commit 47e958eac280c263397

Problem is we can have several clones sharing a common sk_filter, and
these clones might want to sk_filter_attach() their own filters at the
same time, and can overwrite old_filter->rcu, corrupting RCU queues.

We can not use filter->rcu without being sure no other thread could do
the same thing.

Switch code to a more conventional ref-counting technique : Do the
atomic decrement immediately and queue one rcu call back when last
reference is released.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agotulip: fix hang in dmfe driver on sending of big packet
Alexander V. Lukyanov [Tue, 30 Nov 2010 03:57:39 +0000 (03:57 +0000)]
tulip: fix hang in dmfe driver on sending of big packet

This patch fixes hang in dmfe driver on attempt of sending a big packet.
Without this patch the code stops the queue and never wakes it again.

Signed-off-by: Alexander V. Lukyanov <lav@netis.ru>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agostmmac: priv->lock can be used uninitialized
Vlad Lungu [Mon, 29 Nov 2010 22:52:52 +0000 (22:52 +0000)]
stmmac: priv->lock can be used uninitialized

To reproduce: if connman (http://connman.net/) is started,
inserting the stmmac module triggers a "BUG: spinlock bad magic on CPU#0".

Registering the device in stmmac_probe() sends a notification to connman
which brings the interface up before the lock is initialized.

Signed-off-by: Vlad Lungu <vlad.lungu@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoRevert "ath9k: Fix STA disconnect issue due to received MIC failed bcast frames"
John W. Linville [Thu, 2 Dec 2010 19:10:58 +0000 (14:10 -0500)]
Revert "ath9k: Fix STA disconnect issue due to received MIC failed bcast frames"

This reverts commit 916448e77f6bcaaa7f13c3de0c3851783ae2bfd0.

"As far as I can tell, either of these patches breaks multiple VIF
scenarios.  I'm not sure exactly why, but I had to revert this to
get any of my interfaces to associate."
  -- Ben Greear <greearb@candelatech.com>

http://marc.info/?l=linux-wireless&m=129123368719339&w=2

Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoath9k_hw: fix more bitfield related endian issues
Felix Fietkau [Wed, 1 Dec 2010 18:07:47 +0000 (19:07 +0100)]
ath9k_hw: fix more bitfield related endian issues

A few LNA control related flags were also specified as a bitfields, however
for some strange reason they were written in big-endian order this time.
Fix this by using flags instead.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoath9k_hw: fix endian issues with CTLs on AR9003
Felix Fietkau [Wed, 1 Dec 2010 18:07:46 +0000 (19:07 +0100)]
ath9k_hw: fix endian issues with CTLs on AR9003

Parsing data using bitfields is messy, because it makes endian handling
much harder. AR9002 and earlier got it right, AR9003 got it wrong.
This might lead to either using too high or too low tx power values,
depending on frequency and eeprom settings.
Fix it by getting rid of the CTL related bitfields entirely and use
masks instead.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoath9k: Fix bug in reading input gpio state for ar9003
Vasanthakumar Thiagarajan [Wed, 1 Dec 2010 07:24:09 +0000 (23:24 -0800)]
ath9k: Fix bug in reading input gpio state for ar9003

The register which gives input gpio state is 0x404c for ar9003,
currently 0x4048 is wrongly used. This will disable RF and make
it unusable on some of AR9003.

Cc:stable@kernel.org
Signed-off-by: Vasanthakumar Thiagarajan <vasanth@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/padovan/blueto...
John W. Linville [Thu, 2 Dec 2010 19:00:51 +0000 (14:00 -0500)]
Merge branch 'master' of git://git./linux/kernel/git/padovan/bluetooth-2.6

14 years agonet/ipv6/sit.c: return unhandled skb to tunnel4_rcv
David McCullough [Mon, 29 Nov 2010 19:32:34 +0000 (19:32 +0000)]
net/ipv6/sit.c: return unhandled skb to tunnel4_rcv

I found a problem using an IPv6 over IPv4 tunnel.  When CONFIG_IPV6_SIT
was enabled, the packets would be rejected as net/ipv6/sit.c was catching
all IPPROTO_IPV6 packets and returning an ICMP port unreachable error.

I think this patch fixes the problem cleanly.  I believe the code in
net/ipv4/tunnel4.c:tunnel4_rcv takes care of it properly if none of the
handlers claim the skb.

Signed-off-by: David McCullough <david_mccullough@mcafee.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobonding: check for assigned mac before adopting the slaves mac address
David Strand [Wed, 1 Dec 2010 19:43:08 +0000 (11:43 -0800)]
bonding: check for assigned mac before adopting the slaves mac address

Restore the check for an unassigned mac address before adopting the
first slaves as it's own. The change in behavior was introduced by:

commit c20811a79e671a6a1fe86a8c1afe04aca8a7f085
Author: Jiri Pirko <jpirko@redhat.com>

    bonding: move dev_addr cpy to bond_enslave

Signed-off-by: David Strand <dpstrand@gmail.com>
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agob44: fix workarround for wap54g10
Hauke Mehrtens [Sat, 27 Nov 2010 06:47:43 +0000 (06:47 +0000)]
b44: fix workarround for wap54g10

The code for the b44_wap54g10_workaround was never included, because
the config option was wrong. The nvram_get function was never in
mainline kernel, only in external OpenWrt patches.

The code should be compiled in when CONFIG_BCM47XX is selected and not
when CONFIG_SSB_DRIVER_MIPS is selected, because nvram_getenv is only
available on bcm47xx platforms and now in the mainline kernel code.
Using an include is better than a second function declaration, to fix
this when the function signature changes.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoMake the ip6_tunnel reflect the true mtu.
Anders Franzen [Wed, 24 Nov 2010 05:47:18 +0000 (05:47 +0000)]
Make the ip6_tunnel reflect the true mtu.

The ip6_tunnel always assumes it consumes 40 bytes (ip6 hdr) of the mtu of the
underlaying device. So for a normal ethernet bearer, the mtu of the ip6_tunnel is
1460.
However, when creating a tunnel the encap limit option is enabled by default, and it
consumes 8 bytes more, so the true mtu shall be 1452.

I dont really know if this breaks some statement in some RFC, so this is a request for
comments.

Signed-off-by: Anders Franzen <anders.franzen@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoBluetooth: Add new PID for Atheros 3011
Bala Shanmugam [Fri, 26 Nov 2010 12:05:46 +0000 (17:35 +0530)]
Bluetooth: Add new PID for Atheros 3011

Atheros 3011 has small sflash firmware and needs to be
blacklisted in transport driver to load actual firmware
in DFU driver.

Signed-off-by: Bala Shanmugam <sbalashanmugam@atheros.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
14 years agoBluetooth: Fix log spamming in btusb due to autosuspend
Stefan Seyfried [Tue, 30 Nov 2010 20:49:08 +0000 (21:49 +0100)]
Bluetooth: Fix log spamming in btusb due to autosuspend

If a device is autosuspended an inability to resubmit URBs is
to be expected. Check the error code and only log real errors.
(Now that autosuspend is default enabled for btusb, those log
messages were happening all the time e.g. with a BT mouse)

Signed-off-by: Stefan Seyfried <seife+kernel@b1-systems.com>
Signed-off-by: Oliver Neukum <oneukum@suse.de>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
14 years agoath9k: Fix STA disconnect issue due to received MIC failed bcast frames
Senthil Balasubramanian [Tue, 30 Nov 2010 14:45:39 +0000 (20:15 +0530)]
ath9k: Fix STA disconnect issue due to received MIC failed bcast frames

AR_RxKeyIdxValid will not be set for bcast/mcast frames and so relying
this status for MIC failed frames is buggy.

Due to this, MIC failure events for broadcast frames are not sent to
supplicant resulted in AP disconnecting the STA.

Able to pass Wifi Test case 5.2.18 with this fix.

Cc: Stable <stable@kernel.org> (2.6.36+)
Signed-off-by: Senthil Balasubramanian <senthilkumar@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agomac80211: Fix STA disconnect due to MIC failure
Senthil Balasubramanian [Tue, 30 Nov 2010 14:45:38 +0000 (20:15 +0530)]
mac80211: Fix STA disconnect due to MIC failure

Th commit titled "mac80211: clean up rx handling wrt. found_sta"
removed found_sta variable which caused a MIC failure event
to be reported twice for a single failure to supplicant resulted
in STA disconnect.

This should fix WPA specific countermeasures WiFi test case (5.2.17)
issues with mac80211 based drivers which report MIC failure events in
rx status.

Cc: Stable <stable@kernel.org> (2.6.37)
Signed-off-by: Senthil Balasubramanian <senthilkumar@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agomac80211: ignore non-bcast mcast deauth/disassoc franes
Christian Lamparter [Mon, 29 Nov 2010 19:53:23 +0000 (20:53 +0100)]
mac80211: ignore non-bcast mcast deauth/disassoc franes

This patch fixes an curious issue due to insufficient
rx frame filtering.

Saqeb Akhter reported frequent disconnects while streaming
videos over samba: <http://marc.info/?m=128600031109136>
> [ 1166.512087] wlan1: deauthenticated from 30:46:9a:10:49:f7 (Reason: 7)
> [ 1526.059997] wlan1: deauthenticated from 30:46:9a:10:49:f7 (Reason: 7)
> [ 2125.324356] wlan1: deauthenticated from 30:46:9a:10:49:f7 (Reason: 7)
> [...]

The reason is that the device generates frames with slightly
bogus SA/TA addresses.

e.g.:
 [ 2314.402316] Ignore 9f:1f:31:f8:64:ff
 [ 2314.402321] Ignore 9f:1f:31:f8:64:ff
 [ 2352.453804] Ignore 0d:1f:31:f8:64:ff
 [ 2352.453808] Ignore 0d:1f:31:f8:64:ff
     ^^ the group-address flag is set!
 (the correct SA/TA would be: 00:1f:31:f8:64:ff)

Since the AP does not know from where the frames come, it
generates a DEAUTH response for the (invalid) mcast address.
This mcast deauth frame then passes through all filters and
tricks the stack into thinking that the AP brutally kicked
us!

This patch fixes the problem by simply ignoring
non-broadcast, group-addressed deauth/disassoc frames.

Cc: Jouni Malinen <j@w1.fi>
Cc: Johannes Berg <johannes@sipsolutions.net>
Reported-by: Saqeb Akhter <saqeb.akhter@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoorinoco: abort scan on interface down
David Kilroy [Wed, 24 Nov 2010 20:33:02 +0000 (20:33 +0000)]
orinoco: abort scan on interface down

This fixes the problem causing the following trace:

------------[ cut here ]------------
WARNING: at linux-2.6.34/net/wireless/core.c:633 wdev_cleanup_work+0xb7/0xe0 [cfg80211]()
Hardware name: Latitude C840
Pid: 707, comm: cfg80211 Not tainted 2.6.34.7-0.5-desktop #1
Call Trace:
 [<c02065c3>] try_stack_unwind+0x173/0x190
 [<c02051cf>] dump_trace+0x3f/0xe0
 [<c020662b>] show_trace_log_lvl+0x4b/0x60
 [<c0206658>] show_trace+0x18/0x20
 [<c064e0b3>] dump_stack+0x6d/0x72
 [<c02443ae>] warn_slowpath_common+0x6e/0xb0
 [<c0244403>] warn_slowpath_null+0x13/0x20
 [<e2db5497>] wdev_cleanup_work+0xb7/0xe0 [cfg80211]
 [<c025cfa9>] run_workqueue+0x79/0x170
 [<c025d123>] worker_thread+0x83/0xe0
 [<c025fef4>] kthread+0x74/0x80
 [<c0203826>] kernel_thread_helper+0x6/0x10
---[ end trace 3f0348b3b0c6f4ff ]---

Reported by: Giacomo Comes <comes@naic.edu>
Signed-off-by: David Kilroy <kilroyd@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agocarl9170: fix carl9170_tx_prepare typo
Christian Lamparter [Fri, 26 Nov 2010 22:29:23 +0000 (23:29 +0100)]
carl9170: fix carl9170_tx_prepare typo

commit: "carl9170: revamp carl9170_tx_prepare"
introduced a peculiar bug that would only show
up if the the module parameter noht is set to 1.

Then all outbound voice, video and background
frames would each invoke a (bogus) RTS/CTS
handshake.

Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agomac80211: Fix frame injection using non-AP vif
Jouni Malinen [Fri, 26 Nov 2010 18:41:55 +0000 (20:41 +0200)]
mac80211: Fix frame injection using non-AP vif

In order for frame injection to work properly for some use cases
(e.g., finding the station entry and keys for encryption), mac80211
needs to find the correct sdata entry. This works when the main vif
is in AP mode, but commit a2c1e3dad516618cb0fbfb1a62c36d0b0744573a
broke this particular use case for station main vif. While this type of
injection is quite unusual operation, it has some uses and we should fix
it. Do this by changing the monitor vif sdata selection to allow station
vif to be selected instead of limiting it to just AP vifs. We still need
to skip some iftypes to avoid selecting unsuitable vif for injection.

Signed-off-by: Jouni Malinen <jouni.malinen@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoath9k: Disable SWBA interrupt on remove_interface
Rajkumar Manoharan [Fri, 26 Nov 2010 17:54:31 +0000 (23:24 +0530)]
ath9k: Disable SWBA interrupt on remove_interface

while removing beaconing mode interface, SWBA interrupt
was never disabled when there are no other beaconing interfaces.

Cc: stable@kernel.org
Signed-off-by: Rajkumar Manoharan <rmanoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoath9k/carl9170: advertise P2P
Johannes Berg [Fri, 26 Nov 2010 10:38:04 +0000 (11:38 +0100)]
ath9k/carl9170: advertise P2P

With some upcoming changes we'd like to use
the interface types for P2P capability tests.
Enable them now so that when we add those
tests in wpa_supplicant, nothing will break.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoath9k: use per-device struct for pm_qos_* operations
Gabor Juhos [Thu, 25 Nov 2010 17:26:07 +0000 (18:26 +0100)]
ath9k: use per-device struct for pm_qos_* operations

The ath9k driver uses a shared pm_qos_request_list structure for all
devices. This causes the following warning if more than one device is
present in the system:

WARNING: at kernel/pm_qos_params.c:234 ath9k_init_device+0x5e8/0x6b0()
pm_qos_add_request() called for already added request
Modules linked in:
Call Trace:
[<802b1cdc>] dump_stack+0x8/0x34
[<8007dd90>] warn_slowpath_common+0x78/0xa4
[<8007de44>] warn_slowpath_fmt+0x2c/0x38
[<801b0828>] ath9k_init_device+0x5e8/0x6b0
[<801bc508>] ath_pci_probe+0x2dc/0x39c
[<80176254>] pci_device_probe+0x64/0xa4
[<8019471c>] driver_probe_device+0xbc/0x188
[<80194854>] __driver_attach+0x6c/0xa4
[<80193e20>] bus_for_each_dev+0x60/0xb0
[<80193580>] bus_add_driver+0xcc/0x268
[<80194c08>] driver_register+0xe0/0x198
[<801764e0>] __pci_register_driver+0x50/0xe0
[<80365f48>] ath9k_init+0x3c/0x6c
[<8006050c>] do_one_initcall+0xfc/0x1d8
[<80355340>] kernel_init+0xd4/0x174
[<800639a4>] kernel_thread_helper+0x10/0x18

---[ end trace 5345fc6f870564a6 ]---

This patch fixes that warning by using a separate pm_qos_request_list
sructure for each device.

Signed-off-by: Gabor Juhos <juhosg@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agolibertas: fix invalid access
Sven Neumann [Wed, 24 Nov 2010 16:02:00 +0000 (16:02 +0000)]
libertas: fix invalid access

card->priv must not be accessed after lbs_remove_card() was called
as lbs_remove_card() frees card->priv via free_netdev().

For libertas_sdio this is a regression introduced by 23b149c1890f9.
The correct fix to the issue described there is simply to remove the
assignment. This flag is set at the appropriate time inside
lbs_remove_card anyway.

Reported-by: Daniel Drake <dsd@laptop.org>
Signed-off-by: Sven Neumann <s.neumann@raumfeld.com>
Signed-off-by: Daniel Drake <dsd@laptop.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agolibertas: fix memory corruption in lbs_remove_card()
Daniel Drake [Wed, 24 Nov 2010 16:00:49 +0000 (16:00 +0000)]
libertas: fix memory corruption in lbs_remove_card()

"priv" is stored at the end of the wiphy structure, which is freed
during the call to lbs_cfg_free(). It must not be touched afterwards.

Remove the unnecessary NULL assignment causing this memory corruption.

Signed-off-by: Daniel Drake <dsd@laptop.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoaf_unix: limit recursion level
Eric Dumazet [Thu, 25 Nov 2010 04:11:39 +0000 (04:11 +0000)]
af_unix: limit recursion level

Its easy to eat all kernel memory and trigger NMI watchdog, using an
exploit program that queues unix sockets on top of others.

lkml ref : http://lkml.org/lkml/2010/11/25/8

This mechanism is used in applications, one choice we have is to have a
recursion limit.

Other limits might be needed as well (if we queue other types of files),
since the passfd mechanism is currently limited by socket receive queue
sizes only.

Add a recursion_level to unix socket, allowing up to 4 levels.

Each time we send an unix socket through sendfd mechanism, we copy its
recursion level (plus one) to receiver. This recursion level is cleared
when socket receive queue is emptied.

Reported-by: Марк Коренберг <socketpair@gmail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agopch_gbe driver: The wrong of initializer entry
Toshiharu Okada [Mon, 29 Nov 2010 06:18:07 +0000 (06:18 +0000)]
pch_gbe driver: The wrong of initializer entry

The wrong of initializer entry was modified.

Signed-off-by: Toshiharu Okada <toshiharu-linux@dsn.okisemi.com>
Reported-by: Dr. David Alan Gilbert <linux@treblig.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agopch_gbe dreiver: chang author
Toshiharu Okada [Sun, 21 Nov 2010 19:58:37 +0000 (19:58 +0000)]
pch_gbe dreiver: chang author

This driver's AUTHOR was changed to "Toshiharu Okada" from "Masayuki Ohtake".
I update the Kconfig, renamed "Topcliff" to "EG20T".

Signed-off-by: Toshiharu Okada <toshiharu-linux@dsn.okisemi.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoucc_geth: fix ucc halt problem in half duplex mode
Yang Li [Thu, 25 Nov 2010 23:29:58 +0000 (23:29 +0000)]
ucc_geth: fix ucc halt problem in half duplex mode

In commit 58933c64(ucc_geth: Fix the wrong the Rx/Tx FIFO size),
the UCC_GETH_UTFTT_INIT is set to 512 based on the recommendation
of the QE Reference Manual.  But that will sometimes cause tx halt
while working in half duplex mode.

According to errata draft QE_GENERAL-A003(High Tx Virtual FIFO
threshold size can cause UCC to halt), setting UTFTT less than
[(UTFS x (M - 8)/M) - 128] will prevent this from happening
(M is the minimum buffer size).

The patch changes UTFTT back to 256.

Signed-off-by: Li Yang <leoli@freescale.com>
Cc: Jean-Denis Boyer <jdboyer@media5corp.com>
Cc: Andreas Schmitz <Andreas.Schmitz@riedel.net>
Cc: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoinet: Fix __inet_inherit_port() to correctly increment bsockets and num_owners
Nagendra Tomar [Fri, 26 Nov 2010 14:26:27 +0000 (14:26 +0000)]
inet: Fix __inet_inherit_port() to correctly increment bsockets and num_owners

inet sockets corresponding to passive connections are added to the bind hash
using ___inet_inherit_port(). These sockets are later removed from the bind
hash using __inet_put_port(). These two functions are not exactly symmetrical.
__inet_put_port() decrements hashinfo->bsockets and tb->num_owners, whereas
___inet_inherit_port() does not increment them. This results in both of these
going to -ve values.

This patch fixes this by calling inet_bind_hash() from ___inet_inherit_port(),
which does the right thing.

'bsockets' and 'num_owners' were introduced by commit a9d8f9110d7e953c
(inet: Allowing more than 64k connections and heavily optimize bind(0))

Signed-off-by: Nagendra Singh Tomar <tomer_iisc@yahoo.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoehea: Add some info messages and fix an issue
Breno Leitao [Fri, 26 Nov 2010 07:26:27 +0000 (07:26 +0000)]
ehea: Add some info messages and fix an issue

This patch adds some debug information about ehea not being able to
allocate enough spaces. Also it correctly updates the amount of available
skb.

Signed-off-by: Breno Leitao <leitao@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agohso: fix disable_net
Filip Aben [Thu, 25 Nov 2010 03:40:50 +0000 (03:40 +0000)]
hso: fix disable_net

The HSO driver incorrectly creates a serial device instead of a net
device when disable_net is set. It shouldn't create anything for the
network interface.

Signed-off-by: Filip Aben <f.aben@option.com>
Reported-by: Piotr Isajew <pki@ex.com.pl>
Reported-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoNET: wan/x25_asy, move lapb_unregister to x25_asy_close_tty
Jiri Slaby [Wed, 24 Nov 2010 13:54:54 +0000 (13:54 +0000)]
NET: wan/x25_asy, move lapb_unregister to x25_asy_close_tty

We register lapb when tty is created, but unregister it only when the
device is UP. So move the lapb_unregister to x25_asy_close_tty after
the device is down.

The old behaviour causes ldisc switching to fail each second attempt,
because we noted for us that the device is unused, so we use it the
second time, but labp layer still have it registered, so it fails
obviously.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Reported-by: Sergey Lapin <slapin@ossfans.org>
Cc: Andrew Hendry <andrew.hendry@gmail.com>
Tested-by: Sergey Lapin <slapin@ossfans.org>
Tested-by: Mikhail Ulyanov <ulyanov.mikhail@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocxgb4vf: fix setting unicast/multicast addresses ...
Casey Leedom [Wed, 24 Nov 2010 12:23:57 +0000 (12:23 +0000)]
cxgb4vf: fix setting unicast/multicast addresses ...

We were truncating the number of unicast and multicast MAC addresses
supported.  Additionally, we were incorrectly computing the MAC Address
hash (a "1 << N" where we needed a "1ULL << N").

Signed-off-by: Casey Leedom <leedom@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet, ppp: Report correct error code if unit allocation failed
Cyrill Gorcunov [Tue, 23 Nov 2010 11:43:44 +0000 (11:43 +0000)]
net, ppp: Report correct error code if unit allocation failed

Allocating unit from ird might return several error codes
not only -EAGAIN, so it should not be changed and returned
precisely. Same time unit release procedure should be invoked
only if device is unregistering.

Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
CC: Paul Mackerras <paulus@samba.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoDECnet: don't leak uninitialized stack byte
Dan Rosenberg [Tue, 23 Nov 2010 11:02:13 +0000 (11:02 +0000)]
DECnet: don't leak uninitialized stack byte

A single uninitialized padding byte is leaked to userspace.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
CC: stable <stable@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoau1000_eth: fix invalid address accessing the MAC enable register
Wolfgang Grandegger [Tue, 23 Nov 2010 06:40:25 +0000 (06:40 +0000)]
au1000_eth: fix invalid address accessing the MAC enable register

"aup->enable" holds already the address pointing to the MAC enable
register. The bug was introduced by commit d0e7cb:

"au1000-eth: remove volatiles, switch to I/O accessors".

CC: Florian Fainelli <florian@openwrt.org>
Signed-off-by: Wolfgang Grandegger <wg@denx.de>
Acked-by: Florian Fainelli <florian@openwrt.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agodccp: fix error in updating the GAR
Gerrit Renker [Tue, 23 Nov 2010 02:36:56 +0000 (02:36 +0000)]
dccp: fix error in updating the GAR

This fixes a bug in updating the Greatest Acknowledgment number Received (GAR):
the current implementation does not track the greatest received value -
lower values in the range AWL..AWH (RFC 4340, 7.5.1) erase higher ones.

Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoMerge branch 'vhost-net' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
David S. Miller [Sun, 28 Nov 2010 19:27:44 +0000 (11:27 -0800)]
Merge branch 'vhost-net' of git://git./linux/kernel/git/mst/vhost

14 years agotcp: restrict net.ipv4.tcp_adv_win_scale (#20312)
Alexey Dobriyan [Mon, 22 Nov 2010 12:54:21 +0000 (12:54 +0000)]
tcp: restrict net.ipv4.tcp_adv_win_scale (#20312)

tcp_win_from_space() does the following:

      if (sysctl_tcp_adv_win_scale <= 0)
              return space >> (-sysctl_tcp_adv_win_scale);
      else
              return space - (space >> sysctl_tcp_adv_win_scale);

"space" is int.

As per C99 6.5.7 (3) shifting int for 32 or more bits is
undefined behaviour.

Indeed, if sysctl_tcp_adv_win_scale is exactly 32,
space >> 32 equals space and function returns 0.

Which means we busyloop in tcp_fixup_rcvbuf().

Restrict net.ipv4.tcp_adv_win_scale to [-31, 31].

Fix https://bugzilla.kernel.org/show_bug.cgi?id=20312

Steps to reproduce:

      echo 32 >/proc/sys/net/ipv4/tcp_adv_win_scale
      wget www.kernel.org
      [softlockup]

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonetns: Don't leak others' openreq-s in proc
Pavel Emelyanov [Mon, 22 Nov 2010 03:26:12 +0000 (03:26 +0000)]
netns: Don't leak others' openreq-s in proc

The /proc/net/tcp leaks openreq sockets from other namespaces.

Signed-off-by: Pavel Emelyanov <xemul@parallels.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoNet: ceph: Makefile: Remove unnessary code
Tracey Dent [Sun, 21 Nov 2010 15:23:50 +0000 (15:23 +0000)]
Net: ceph: Makefile: Remove unnessary code

Remove the if and else conditional because the code is in mainline and there
is no need in it being there.

Signed-off-by: Tracey Dent <tdent48227@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agovhost/net: fix rcu check usage
Michael S. Tsirkin [Sun, 14 Nov 2010 15:31:52 +0000 (17:31 +0200)]
vhost/net: fix rcu check usage

Incorrect rcu check was used as rcu isn't done
under mutex here. Force check to 1 for now,
to stop it from complaining.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
14 years agoeconet: fix CVE-2010-3848
Phil Blundell [Wed, 24 Nov 2010 19:51:47 +0000 (11:51 -0800)]
econet: fix CVE-2010-3848

Don't declare variable sized array of iovecs on the stack since this
could cause stack overflow if msg->msgiovlen is large.  Instead, coalesce
the user-supplied data into a new buffer and use a single iovec for it.

Signed-off-by: Phil Blundell <philb@gnu.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoeconet: fix CVE-2010-3850
Phil Blundell [Wed, 24 Nov 2010 19:49:53 +0000 (11:49 -0800)]
econet: fix CVE-2010-3850

Add missing check for capable(CAP_NET_ADMIN) in SIOCSIFADDR operation.

Signed-off-by: Phil Blundell <philb@gnu.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoeconet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849
Phil Blundell [Wed, 24 Nov 2010 19:49:19 +0000 (11:49 -0800)]
econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849

Later parts of econet_sendmsg() rely on saddr != NULL, so return early
with EINVAL if NULL was passed otherwise an oops may occur.

Signed-off-by: Phil Blundell <philb@gnu.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agotcp: Make TCP_MAXSEG minimum more correct.
David S. Miller [Wed, 24 Nov 2010 19:47:22 +0000 (11:47 -0800)]
tcp: Make TCP_MAXSEG minimum more correct.

Use TCP_MIN_MSS instead of constant 64.

Reported-by: Min Zhang <mzhang@mvista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoisdn: icn: Fix stack corruption bug.
Steven Rostedt [Wed, 24 Nov 2010 19:19:05 +0000 (11:19 -0800)]
isdn: icn: Fix stack corruption bug.

Running randconfig with ktest.pl I hit this bug:

[   16.101158] ICN-ISDN-driver Rev 1.65.6.8 mem=0x000d0000
[   16.106376] icn: (line0) ICN-2B, port 0x320 added
[   16.111064] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: c1642880
[   16.111066]
[   16.121214] Pid: 1, comm: swapper Not tainted 2.6.37-rc2-test-00124-g6656b3f #8
[   16.128499] Call Trace:
[   16.130942]  [<c0f51662>] ? printk+0x1d/0x23
[   16.135200]  [<c0f5153f>] panic+0x5c/0x162
[   16.139286]  [<c0d62a9a>] ? icn_addcard+0x6d/0xbe
[   16.143975]  [<c0445783>] print_tainted+0x0/0x8c
[   16.148582]  [<c1642880>] ? icn_init+0xd8/0xdf
[   16.153012]  [<c1642880>] icn_init+0xd8/0xdf
[   16.157271]  [<c04012e5>] do_one_initcall+0x8c/0x143
[   16.162222]  [<c16427a8>] ? icn_init+0x0/0xdf
[   16.166566]  [<c15f1a05>] kernel_init+0x13f/0x1da
[   16.171256]  [<c15f18c6>] ? kernel_init+0x0/0x1da
[   16.175945]  [<c0403bfe>] kernel_thread_helper+0x6/0x10
[   16.181181] panic occurred, switching back to text console

Looking into it I found that the stack was corrupted by the assignment
of the Rev #. The variable rev is given 10 bytes, and in this output the
characters that were copied was: " 1.65.6.8 $". Which was 11 characters
plus the null ending character for a total of 12 bytes, thus corrupting
the stack.

This patch ups the variable size to 20 bytes as well as changes the
strcpy to strncpy. I also added a check to make sure '$' is found.

Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirel...
David S. Miller [Wed, 24 Nov 2010 17:16:14 +0000 (09:16 -0800)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6

14 years agoaf_unix: limit unix_tot_inflight
Eric Dumazet [Wed, 24 Nov 2010 17:15:27 +0000 (09:15 -0800)]
af_unix: limit unix_tot_inflight

Vegard Nossum found a unix socket OOM was possible, posting an exploit
program.

My analysis is we can eat all LOWMEM memory before unix_gc() being
called from unix_release_sock(). Moreover, the thread blocked in
unix_gc() can consume huge amount of time to perform cleanup because of
huge working set.

One way to handle this is to have a sensible limit on unix_tot_inflight,
tested from wait_for_unix_gc() and to force a call to unix_gc() if this
limit is hit.

This solves the OOM and also reduce overall latencies, and should not
slowdown normal workloads.

Reported-by: Vegard Nossum <vegard.nossum@gmail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agowireless: b43: fix error path in SDIO
Guennadi Liakhovetski [Tue, 23 Nov 2010 16:10:24 +0000 (17:10 +0100)]
wireless: b43: fix error path in SDIO

Fix unbalanced call to sdio_release_host() on the error path.

Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoBluetooth: Fix not returning proper error in SCO
Gustavo F. Padovan [Mon, 1 Nov 2010 19:08:50 +0000 (19:08 +0000)]
Bluetooth: Fix not returning proper error in SCO

Return 0 in that situation could lead to errors in the caller.

Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
14 years agocarl9170: fix virtual interface setup crash
Christian Lamparter [Sat, 20 Nov 2010 12:15:27 +0000 (13:15 +0100)]
carl9170: fix virtual interface setup crash

This patch fixes a faulty bound check which caused a
crash when too many virtual interface were brought up.

BUG: unable to handle kernel NULL pointer dereference at 00000004
IP: [<f8125f67>] carl9170_op_add_interface+0x1d7/0x2c0 [carl9170]
*pde = 00000000
Oops: 0002 [#1] PREEMPT
Modules linked in: carl9170 [...]
Pid: 4720, comm: wpa_supplicant Not tainted 2.6.37-rc2-wl+
EIP: 0060:[<f8125f67>] EFLAGS: 00210206 CPU: 0
EIP is at carl9170_op_add_interface+0x1d7/0x2c0 [carl9170]
EAX: 00000000 ...
Process wpa_supplicant
Stack:
 f4f88f34 fffffff4 ..
Call Trace:
 [<f8f4e666>] ? ieee80211_do_open+0x406/0x5c0 [mac80211]
 [...]
Code: <89> 42 04 ...
EIP: [<f8125f67>] carl9170_op_add_interface+0x1d7/0x2c0 [carl9170]
CR2: 0000000000000004

Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agossb: b43-pci-bridge: Add new vendor for BCM4318
Daniel Klaffenbach [Sat, 20 Nov 2010 03:25:21 +0000 (21:25 -0600)]
ssb: b43-pci-bridge: Add new vendor for BCM4318

Add new vendor for Broadcom 4318.

Signed-off-by: Daniel Klaffenbach <danielklaffenbach@gmail.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Cc: Stable <stable@kernel.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoath9k: fix timeout on stopping rx dma
Felix Fietkau [Sat, 20 Nov 2010 02:08:47 +0000 (03:08 +0100)]
ath9k: fix timeout on stopping rx dma

It seems that using ath9k_hw_stoppcurecv to stop rx dma is not enough.
When it's time to stop DMA, the PCU is still busy, so the rx enable
bit never clears.
Using ath9k_hw_abortpcurecv helps with getting rx stopped much faster,
with this change, I cannot reproduce the rx stop related WARN_ON anymore.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoof/phylib: Use device tree properties to initialize Marvell PHYs.
David Daney [Fri, 19 Nov 2010 12:13:18 +0000 (12:13 +0000)]
of/phylib: Use device tree properties to initialize Marvell PHYs.

Some aspects of PHY initialization are board dependent, things like
indicator LED connections and some clocking modes cannot be determined
by probing.  The dev_flags element of struct phy_device can be used to
control these things if an appropriate value can be passed from the
Ethernet driver.  We run into problems however if the PHY connections
are specified by the device tree.  There is no way for the Ethernet
driver to know what flags it should pass.

If we are using the device tree, the struct phy_device will be
populated with the device tree node corresponding to the PHY, and we
can extract extra configuration information from there.

The next question is what should the format of that information be?
It is highly device specific, and the device tree representation
should not be tied to any arbitrary kernel defined constants.  A
straight forward representation is just to specify the exact bits that
should be set using the "marvell,reg-init" property:

      phy5: ethernet-phy@5 {
        reg = <5>;
        compatible = "marvell,88e1149r";
        marvell,reg-init =
                /* led[0]:1000, led[1]:100, led[2]:10, led[3]:tx */
                <3 0x10 0 0x5777>, /* Reg 3,16 <- 0x5777 */
                /* mix %:0, led[0123]:drive low off hiZ */
                <3 0x11 0 0x00aa>, /* Reg 3,17 <- 0x00aa */
                /* default blink periods. */
                <3 0x12 0 0x4105>, /* Reg 3,18 <- 0x4105 */
                /* led[4]:rx, led[5]:dplx, led[45]:drive low off hiZ */
                <3 0x13 0 0x0a60>; /* Reg 3,19 <- 0x0a60 */
      };

      phy6: ethernet-phy@6 {
        reg = <6>;
        compatible = "marvell,88e1118";
        marvell,reg-init =
                /* Fix rx and tx clock transition timing */
                <2 0x15 0xffcf 0>, /* Reg 2,21 Clear bits 4, 5 */
                /* Adjust LED drive. */
                <3 0x11 0 0x442a>, /* Reg 3,17 <- 0442a */
                /* irq, blink-activity, blink-link */
                <3 0x10 0 0x0242>; /* Reg 3,16 <- 0x0242 */
      };

The Marvell PHYs have a page select register at register 22 (0x16), we
can specify any register by its page and register number.  These are
the first and second word.  The third word contains a mask to be ANDed
with the existing register value, and the fourth word is ORed with the
result to yield the new register value.  The new marvell_of_reg_init
function leaves the page select register unchanged, so a call to it
can be dropped into the .config_init functions without unduly
affecting the state of the PHY.

If CONFIG_OF_MDIO is not set, there is no of_node, or no
"marvell,reg-init" property, the PHY initialization is unchanged.

Signed-off-by: David Daney <ddaney@caviumnetworks.com>
Cc: Grant Likely <grant.likely@secretlab.ca>
Cc: Cyril Chemparathy <cyril@ti.com>
Cc: David Daney <ddaney@caviumnetworks.com>
Cc: Arnaud Patard <arnaud.patard@rtp-net.org>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Reviewed-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agophylib: Add support for Marvell 88E1149R devices.
David Daney [Fri, 19 Nov 2010 11:58:53 +0000 (11:58 +0000)]
phylib: Add support for Marvell 88E1149R devices.

The 88E1149R is 10/100/1000 quad-gigabit Ethernet PHY.  The
.config_aneg function can be shared with 88E1118, but it needs its own
.config_init.

Signed-off-by: David Daney <ddaney@caviumnetworks.com>
Cc: Cyril Chemparathy <cyril@ti.com>
Cc: Arnaud Patard <arnaud.patard@rtp-net.org>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Wolfram Sang <w.sang@pengutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agophylib: Use common page register definition for Marvell PHYs.
David Daney [Fri, 19 Nov 2010 11:58:52 +0000 (11:58 +0000)]
phylib: Use common page register definition for Marvell PHYs.

The definition of the Marvell PHY page register is not specific to
88E1121, so rename the macro to MII_MARVELL_PHY_PAGE, and use it
throughout.

Suggested-by: Cyril Chemparathy <cyril@ti.com>
Signed-off-by: David Daney <ddaney@caviumnetworks.com>
Cc: Cyril Chemparathy <cyril@ti.com>
Cc: Arnaud Patard <arnaud.patard@rtp-net.org>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoqlge: Fix incorrect usage of module parameters and netdev msg level
Sonny Rao [Thu, 18 Nov 2010 11:50:02 +0000 (11:50 +0000)]
qlge: Fix incorrect usage of module parameters and netdev msg level

Driver appears to be mistaking the permission field with default value
in the case of debug and qlge_irq_type.

Driver is also passing debug as a bitmask into netif_msg_init()
which wants a number of bits.  Ron Mercer suggests we should
change this to pass in -1 so the defaults get used instead,
which makes the default much less verbose.

Signed-off-by: Milton Miller <miltonm@bga.com>
Signed-off-by: Sonny Rao <sonnyrao@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoipv6: fix missing in6_ifa_put in addrconf
John Fastabend [Mon, 15 Nov 2010 20:29:21 +0000 (20:29 +0000)]
ipv6: fix missing in6_ifa_put in addrconf

Fix ref count bug introduced by

commit 2de795707294972f6c34bae9de713e502c431296
Author: Lorenzo Colitti <lorenzo@google.com>
Date:   Wed Oct 27 18:16:49 2010 +0000

ipv6: addrconf: don't remove address state on ifdown if the address
is being kept

Fix logic so that addrconf_ifdown() decrements the inet6_ifaddr
refcnt correctly with in6_ifa_put().

Reported-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoSuperH IrDA: correct Baud rate error correction
Nicolas Kaiser [Thu, 18 Nov 2010 14:24:02 +0000 (14:24 +0000)]
SuperH IrDA: correct Baud rate error correction

It looks to me as if the second value of rate_err_array is intended
to be a decimal 625. However, with a leading 0 it becomes an octal
constant, and as such evaluates to a decimal 405.

Signed-off-by: Nicolas Kaiser <nikai@nikai.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoatl1c: Fix hardware type check for enabling OTP CLK
Ben Hutchings [Sun, 21 Nov 2010 18:06:48 +0000 (10:06 -0800)]
atl1c: Fix hardware type check for enabling OTP CLK

Commit 496c185c9495629ef1c65387cb2594578393cfe0 "atl1c: Add support
for Atheros AR8152 and AR8152" added the condition:

             if (hw->nic_type == athr_l1c || hw->nic_type == athr_l2c_b)

for enabling OTP CLK, and the condition:

             if (hw->nic_type == athr_l1c || hw->nic_type == athr_l2c)

for disabling OTP CLK.  Since the two previously defined hardware
types are athr_l1c and athr_l2c, the latter condition appears to be
the correct one.  Change the former to match.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet: allow GFP_HIGHMEM in __vmalloc()
Eric Dumazet [Sat, 20 Nov 2010 07:46:35 +0000 (07:46 +0000)]
net: allow GFP_HIGHMEM in __vmalloc()

We forgot to use __GFP_HIGHMEM in several __vmalloc() calls.

In ceph, add the missing flag.

In fib_trie.c, xfrm_hash.c and request_sock.c, using vzalloc() is
cleaner and allows using HIGHMEM pages as well.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobonding: change list contact to netdev@vger.kernel.org
Simon Horman [Sun, 21 Nov 2010 17:58:04 +0000 (09:58 -0800)]
bonding: change list contact to netdev@vger.

bonding-devel@lists.sourceforge.net seems only receive spam
and discussion seems to already occur on netdev@vger.kernel.org.

Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoe1000: fix screaming IRQ
Anupam Chanda [Sun, 21 Nov 2010 17:54:21 +0000 (09:54 -0800)]
e1000: fix screaming IRQ

VMWare reports that the e1000 driver has a bug when bringing down the
interface, such that interrupts are not disabled in the hardware but the
driver stops reporting that it consumed the interrupt.

The fix is to set the driver's "down" flag later in the routine,
after all the timers and such have exited, preventing the interrupt
handler from being called and exiting early without handling the
interrupt.

CC: Anupam Chanda <anupamc@vmware.com>
CC: stable kernel <stable@kernel.org>
Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet: fix kernel-doc for sk_filter_rcu_release
Randy Dunlap [Thu, 18 Nov 2010 13:02:37 +0000 (13:02 +0000)]
net: fix kernel-doc for sk_filter_rcu_release

Fix kernel-doc warning for sk_filter_rcu_release():

Warning(net/core/filter.c:586): missing initial short description on line:
 *  sk_filter_rcu_release: Release a socket filter by rcu_head

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: netdev@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobe2net: Fix to avoid firmware update when interface is not open.
Sarveshwar Bandi [Thu, 18 Nov 2010 23:44:45 +0000 (23:44 +0000)]
be2net: Fix to avoid firmware update when interface is not open.

Since interrupts are enabled only when open is called on the interface,
Attempting a firmware update operation when interface is down could lead to
partial success or failure of operation. This fix fails the request if
netif_running is false.

Signed-off-by: Sarveshwar Bandi <Sarveshwar.Bandi@emulex.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonetfilter: fix IP_VS dependencies
Patrick McHardy [Thu, 18 Nov 2010 08:20:57 +0000 (08:20 +0000)]
netfilter: fix IP_VS dependencies

When NF_CONNTRACK is enabled, IP_VS uses conntrack symbols.
Therefore IP_VS can't be linked statically when conntrack
is built modular.

Reported-by: Justin P. Mattock <justinmattock@gmail.com>
Tested-by: Justin P. Mattock <justinmattock@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet: irda: irttp: sync error paths of data- and udata-requests
Wolfram Sang [Tue, 16 Nov 2010 09:40:02 +0000 (09:40 +0000)]
net: irda: irttp: sync error paths of data- and udata-requests

irttp_data_request() returns meaningful errorcodes, while irttp_udata_request()
just returns -1 in similar situations. Sync the two and the loglevels of the
accompanying output.

Signed-off-by: Wolfram Sang <w.sang@pengutronix.de>
Cc: Samuel Ortiz <sameo@linux.intel.com>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoipv6: Expose reachable and retrans timer values as msecs
Thomas Graf [Wed, 17 Nov 2010 04:12:02 +0000 (04:12 +0000)]
ipv6: Expose reachable and retrans timer values as msecs

Expose reachable and retrans timer values in msecs instead of jiffies.
Both timer values are already exposed as msecs in the neighbour table
netlink interface.

The creation timestamp format with increased precision is kept but
cleaned up.

Signed-off-by: Thomas Graf <tgraf@infradead.org>
Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirel...
David S. Miller [Thu, 18 Nov 2010 19:56:09 +0000 (11:56 -0800)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6

14 years agoipv6: Expose IFLA_PROTINFO timer values in msecs instead of jiffies
Thomas Graf [Wed, 17 Nov 2010 01:44:24 +0000 (01:44 +0000)]
ipv6: Expose IFLA_PROTINFO timer values in msecs instead of jiffies

IFLA_PROTINFO exposes timer related per device settings in jiffies.
Change it to expose these values in msecs like the sysctl interface
does.

I did not find any users of IFLA_PROTINFO which rely on any of these
values and even if there are, they are likely already broken because
there is no way for them to reliably convert such a value to another
time format.

Signed-off-by: Thomas Graf <tgraf@infradead.org>
Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years ago3c59x: fix build failure on !CONFIG_PCI
Namhyung Kim [Tue, 16 Nov 2010 05:27:51 +0000 (05:27 +0000)]
3c59x: fix build failure on !CONFIG_PCI

VORTEX_PCI() could return NULL so it needs to be casted before
accessing any member of struct pci_dev. This fixes following
build failure. Likewise VORTEX_EISA() was changed also.

  CC [M]  drivers/net/3c59x.o
drivers/net/3c59x.c: In function 'acpi_set_WOL':
drivers/net/3c59x.c:3211:39: warning: dereferencing 'void *' pointer
drivers/net/3c59x.c:3211:39: error: request for member 'current_state' in something not a structure or union
make[3]: *** [drivers/net/3c59x.o] Error 1
make[2]: *** [drivers/net/3c59x.o] Error 2
make[1]: *** [sub-make] Error 2
make: *** [all] Error 2

Signed-off-by: Namhyung Kim <namhyung@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoipg.c: remove id [SUNDANCE, 0x1021]
Ken Kawasaki [Sat, 13 Nov 2010 13:42:08 +0000 (13:42 +0000)]
ipg.c: remove id [SUNDANCE, 0x1021]

ipg.c:
  The id [SUNDANCE, 0x1021] (=[0x13f0, 0x1021]) is defined
  at dl2k.h and ipg.c.
  But this device works better with dl2k driver.

  This problem is similar with the commit
  [25cca5352712561fba97bd37c495593d641c1d39
  ipg: Remove device claimed by dl2k from pci id table]
  at 11 Feb 2010.

Signed-off-by: Ken Kawasaki <ken_kawasaki@spring.nifty.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet: caif: spi: fix potential NULL dereference
Vasiliy Kulikov [Thu, 18 Nov 2010 18:35:58 +0000 (10:35 -0800)]
net: caif: spi: fix potential NULL dereference

alloc_netdev() is not checked here for NULL return value.  dev is
check instead.  It might lead to NULL dereference of ndev.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoath9k_htc: Avoid setting QoS control for non-QoS frames
Rajkumar Manoharan [Thu, 18 Nov 2010 06:49:52 +0000 (12:19 +0530)]
ath9k_htc: Avoid setting QoS control for non-QoS frames

Setting tid information in the TX header is required only for QoS
frames. Not handling this case causes severe data loss with some APs.

Cc: stable@kernel.org
Signed-off-by: Rajkumar Manoharan <rmanoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agonet: zero kobject in rx_queue_release
John Fastabend [Tue, 16 Nov 2010 19:42:53 +0000 (19:42 +0000)]
net: zero kobject in rx_queue_release

netif_set_real_num_rx_queues() can decrement and increment
the number of rx queues. For example ixgbe does this as
features and offloads are toggled. Presumably this could
also happen across down/up on most devices if the available
resources changed (cpu offlined).

The kobject needs to be zero'd in this case so that the
state is not preserved across kobject_put()/kobject_init_and_add().

This resolves the following error report.

ixgbe 0000:03:00.0: eth2: NIC Link is Up 10 Gbps, Flow Control: RX/TX
kobject (ffff880324b83210): tried to init an initialized object, something is seriously wrong.
Pid: 1972, comm: lldpad Not tainted 2.6.37-rc18021qaz+ #169
Call Trace:
 [<ffffffff8121c940>] kobject_init+0x3a/0x83
 [<ffffffff8121cf77>] kobject_init_and_add+0x23/0x57
 [<ffffffff8107b800>] ? mark_lock+0x21/0x267
 [<ffffffff813c6d11>] net_rx_queue_update_kobjects+0x63/0xc6
 [<ffffffff813b5e0e>] netif_set_real_num_rx_queues+0x5f/0x78
 [<ffffffffa0261d49>] ixgbe_set_num_queues+0x1c6/0x1ca [ixgbe]
 [<ffffffffa0262509>] ixgbe_init_interrupt_scheme+0x1e/0x79c [ixgbe]
 [<ffffffffa0274596>] ixgbe_dcbnl_set_state+0x167/0x189 [ixgbe]

Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet: Fix duplicate volatile warning.
Tetsuo Handa [Thu, 18 Nov 2010 17:40:04 +0000 (09:40 -0800)]
net: Fix duplicate volatile warning.

jiffies is defined as "volatile".

  extern unsigned long volatile __jiffy_data jiffies;

ACCESS_ONCE() uses "volatile".
As a result, some compilers warn duplicate `volatile' for ACCESS_ONCE(jiffies).

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>