GitHub/exynos8895/android_kernel_samsung_universal8895.git
14 years agoPhonet: listening socket lock protects the connected socket list
Rémi Denis-Courmont [Wed, 26 May 2010 00:44:44 +0000 (00:44 +0000)]
Phonet: listening socket lock protects the connected socket list

The accept()'d socket need to be unhashed while the (listen()'ing)
socket lock is held. This fixes a race condition that could lead to an
OOPS.

Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocaif: unlock on error path in cfserl_receive()
Dan Carpenter [Wed, 26 May 2010 05:16:48 +0000 (05:16 +0000)]
caif: unlock on error path in cfserl_receive()

There was an spin_unlock missing on the error path.  The spin_lock was
tucked in with the declarations so it was hard to spot.  I added a new
line.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Sjur Brændeland <sjurbren@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobe2net: remove superfluous externs
Dan Carpenter [Wed, 26 May 2010 04:47:39 +0000 (04:47 +0000)]
be2net: remove superfluous externs

This fixes some sparse warnings:
drivers/net/benet/be_cmds.c:1503:12: warning: function
'be_cmd_enable_magic_wol' with external linkage has definition
drivers/net/benet/be_cmds.c:1668:12: warning: function
'be_cmd_get_seeprom_data' with external linkage has definition

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Sarveshwar Bandi <sarveshwarb@serverengines.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobe2net: add unlock on error path
Dan Carpenter [Wed, 26 May 2010 04:46:35 +0000 (04:46 +0000)]
be2net: add unlock on error path

The unlock accidentally got removed from the error path in dd131e76e5:
"be2net: Bug fix to avoid disabling bottom half during firmware upgrade."

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Sarveshwar Bandi <sarveshwarb@serverengines.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet/rds: Add missing mutex_unlock
Julia Lawall [Wed, 26 May 2010 05:54:21 +0000 (05:54 +0000)]
net/rds: Add missing mutex_unlock

Add a mutex_unlock missing on the error path.  In each case, whenever the
label out is reached from elsewhere in the function, mutex is not locked.

The semantic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@@
expression E1;
@@

* mutex_lock(E1);
  <+... when != E1
  if (...) {
    ... when != E1
*   return ...;
  }
  ...+>
* mutex_unlock(E1);
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Reviewed-by: Zach Brown <zach.brown@oracle.com>
Acked-by: Andy Grover <andy.grover@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agodrivers/isdn/hardware/mISDN: Add missing spin_unlock
Julia Lawall [Wed, 26 May 2010 05:55:10 +0000 (05:55 +0000)]
drivers/isdn/hardware/mISDN: Add missing spin_unlock

Add a spin_unlock missing on the error path.  The return value of write_reg
seems to be completely ignored, so it seems that the lock should be
released in every case.

The semantic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@@
expression E1;
@@

* spin_lock(E1,...);
  <+... when != E1
  if (...) {
    ... when != E1
*   return ...;
  }
  ...+>
* spin_unlock(E1,...);
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agofs_enet: Adjust BDs after tx error
Mark Ware [Sat, 29 May 2010 07:16:28 +0000 (00:16 -0700)]
fs_enet: Adjust BDs after tx error

This patch fixes an occasional transmit lockup in the mac-fcc which
occurs after a tx error.  The test scenario had the local port set
to autoneg and the other end fixed at 100FD, resulting in a large
number of late collisions.

According to the MPC8280RM 30.10.1.3 (also 8272RM 29.10.1.3), after
a tx error occurs, TBPTR may sometimes point beyond BDs still marked
as ready.  This patch walks back through the BDs and points TBPTR to
the earliest one marked as ready.

Tested on a custom board with a MPC8280.

Signed-off-by: Mark Ware <mware@elphinstone.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoskb: make skb_recycle_check() return a bool value
Changli Gao [Sat, 29 May 2010 07:12:13 +0000 (00:12 -0700)]
skb: make skb_recycle_check() return a bool value

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoIPv6: fix Mobile IPv6 regression
Brian Haley [Sat, 29 May 2010 06:02:35 +0000 (23:02 -0700)]
IPv6: fix Mobile IPv6 regression

Commit f4f914b5 (net: ipv6 bind to device issue) caused
a regression with Mobile IPv6 when it changed the meaning
of fl->oif to become a strict requirement of the route
lookup.  Instead, only force strict mode when
sk->sk_bound_dev_if is set on the calling socket, getting
the intended behavior and fixing the regression.

Tested-by: Arnaud Ebalard <arno@natisbad.org>
Signed-off-by: Brian Haley <brian.haley@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirel...
David S. Miller [Sat, 29 May 2010 05:36:41 +0000 (22:36 -0700)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6

14 years agossb: fix NULL ptr deref when pcihost_wrapper is used
Christoph Fritz [Fri, 28 May 2010 08:45:59 +0000 (10:45 +0200)]
ssb: fix NULL ptr deref when pcihost_wrapper is used

Ethernet driver b44 does register ssb by it's pcihost_wrapper
and doesn't set ssb_chipcommon. A check on this value
introduced with commit d53cdbb94a52a920d5420ed64d986c3523a56743
and ea2db495f92ad2cf3301623e60cb95b4062bc484 triggers:

BUG: unable to handle kernel NULL pointer dereference at 00000010
IP: [<c1266c36>] ssb_is_sprom_available+0x16/0x30

Signed-off-by: Christoph Fritz <chf.fritz@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agomac80211: make a function static
Johannes Berg [Fri, 28 May 2010 12:26:23 +0000 (14:26 +0200)]
mac80211: make a function static

sparse correctly complains that
__ieee80211_get_channel_mode is not static.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agolibertas: fix uninitialized variable warning
Prarit Bhargava [Thu, 27 May 2010 18:41:20 +0000 (14:41 -0400)]
libertas: fix uninitialized variable warning

Fixes:

drivers/net/wireless/libertas/rx.c: In function process_rxed_802_11_packet:
drivers/net/wireless/libertas/rx.c:354: error: radiotap_hdr.flags may be used uninitialized in this function

Signed-off-by: Prarit Bhargava <prarit@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoath9k: Fix bug in the way "bf_tx_aborted" of struct ath_buf is used
Vasanthakumar Thiagarajan [Thu, 27 May 2010 02:06:53 +0000 (19:06 -0700)]
ath9k: Fix bug in the way "bf_tx_aborted" of struct ath_buf is used

This bug was introduced by the following commit

Author: Vasanthakumar Thiagarajan <vasanth@atheros.com>
Date:   Thu Apr 15 17:38:46 2010 -0400

ath9k: Remove ATH9K_TX_SW_ABORTED and introduce a bool for this purpose

Wrong buffer is checked for bf_tx_aborted field in ath_tx_num_badfrms(),
this may result in a rate scaling with wrong feedback (number
of unacked frames in this case). It is the last one in the chain
of buffers for an aggregate frame that should be checked.

Also it misses the initialization of this field in the buffer,
this may lead to a situation where we stop the sw retransmission
of failed subframes associated to this buffer.

Signed-off-by: Vasanthakumar Thiagarajan <vasanth@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoath9k: Fix ath_print in xmit for hardware reset.
Justin P. Mattock [Wed, 26 May 2010 18:00:04 +0000 (11:00 -0700)]
ath9k: Fix ath_print in xmit for hardware reset.

ath_print in xmit.c should say "Reseting hardware"
instead of Resetting HAL!(since HAL is being fazed out).
dmesg shows:
[ 8660.899624] ath: Failed to stop TX DMA in 100 msec after killing last frame
[ 8660.899676] ath: Unable to stop TxDMA. Reset HAL!

Signed-off-by: Justin P. Mattock <justinmattock@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agonetlink: bug fix: wrong size was calculated for vfinfo list blob
Scott Feldman [Fri, 28 May 2010 10:42:43 +0000 (03:42 -0700)]
netlink: bug fix: wrong size was calculated for vfinfo list blob

The wrong size was being calculated for vfinfo.  In one case, it was over-
calculating using nlmsg_total_size on attrs, in another case, it was
under-calculating by assuming ifla_vf_* structs are packed together, but
each struct is it's own attr w/ hdr (and padding).

Signed-off-by: Scott Feldman <scofeldm@cisco.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonetlink: bug fix: don't overrun skbs on vf_port dump
Scott Feldman [Fri, 28 May 2010 10:42:18 +0000 (03:42 -0700)]
netlink: bug fix: don't overrun skbs on vf_port dump

Noticed by Patrick McHardy: was continuing to fill skb after a
nla_put_failure, ignoring the size calculated by upper layer.  Now,
return -EMSGSIZE on any overruns, but also allow netdev to
fail ndo_get_vf_port with error other than -EMSGSIZE, thus unwinding
nest.

Signed-off-by: Scott Feldman <scofeldm@cisco.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoxt_tee: use skb_dst_drop()
Eric Dumazet [Fri, 28 May 2010 10:41:17 +0000 (03:41 -0700)]
xt_tee: use skb_dst_drop()

After commit 7fee226a (net: add a noref bit on skb dst), its wrong to
use : dst_release(skb_dst(skb)), since we could decrement a refcount
while skb dst was not refcounted.

We should use skb_dst_drop(skb) instead.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonetdev/fec: fix ifconfig eth0 down hang issue
Bryan Wu [Fri, 28 May 2010 10:40:39 +0000 (03:40 -0700)]
netdev/fec: fix ifconfig eth0 down hang issue

BugLink: http://bugs.launchpad.net/bugs/559065
In fec open/close function, we need to use phy_connect and phy_disconnect
operation before we start/stop phy. Otherwise it will cause system hang.

Only call fec_enet_mii_probe() in open function, because the first open
action will cause NULL pointer error.

Signed-off-by: Bryan Wu <bryan.wu@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocnic: Fix context memory init. on 5709.
Michael Chan [Thu, 27 May 2010 23:31:41 +0000 (16:31 -0700)]
cnic: Fix context memory init. on 5709.

We need to zero context memory on 5709 in the function cnic_init_context().
Without this, iscsid restart on 5709 will not work because of stale data.
TX context blocks should not be initialized by cnic_init_context() because
of the special remapping on 5709.

Update version to 2.1.2.

Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agodrivers/net: Eliminate a NULL pointer dereference
Julia Lawall [Thu, 27 May 2010 23:30:03 +0000 (16:30 -0700)]
drivers/net: Eliminate a NULL pointer dereference

At the point of the print, dev is NULL.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@r exists@
expression E,E1;
identifier f;
statement S1,S2,S3;
@@

if ((E == NULL && ...) || ...)
{
  ... when != if (...) S1 else S2
      when != E = E1
* E->f
  ... when any
  return ...;
}
else S3
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agodrivers/net/hamradio: Eliminate a NULL pointer dereference
Julia Lawall [Thu, 27 May 2010 23:29:05 +0000 (16:29 -0700)]
drivers/net/hamradio: Eliminate a NULL pointer dereference

At the point of the print, dev is NULL.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@r exists@
expression E,E1;
identifier f;
statement S1,S2,S3;
@@

if ((E == NULL && ...) || ...)
{
  ... when != if (...) S1 else S2
      when != E = E1
* E->f
  ... when any
  return ...;
}
else S3
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobe2net: Patch removes redundant while statement in loop.
Sarveshwar Bandi [Thu, 27 May 2010 23:28:15 +0000 (16:28 -0700)]
be2net: Patch removes redundant while statement in loop.

Signed-off-by: Sarveshwar Bandi <sarveshwarb@serverengines.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoipv6: Add GSO support on forwarding path
Herbert Xu [Thu, 27 May 2010 23:14:30 +0000 (16:14 -0700)]
ipv6: Add GSO support on forwarding path

Currently we disallow GSO packets on the IPv6 forward path.
This patch fixes this.

Note that I discovered that our existing GSO MTU checks (e.g.,
IPv4 forwarding) are buggy in that they skip the check altogether,
when they really should be checking gso_size + header instead.

I have also been lazy here in that I haven't bothered to segment
the GSO packet by hand before generating an ICMP message.  Someone
should add that to be 100% correct.

Reported-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet: fix __neigh_event_send()
Eric Dumazet [Thu, 27 May 2010 23:09:39 +0000 (16:09 -0700)]
net: fix __neigh_event_send()

commit 7fee226ad23 (net: add a noref bit on skb dst) missed one spot
where an skb is enqueued, with a possibly not refcounted dst entry.

__neigh_event_send() inserts skb into arp_queue, so we must make sure
dst entry is refcounted, or dst entry can be freed by garbage collector
after caller exits from rcu protected section.

Reported-by: Ingo Molnar <mingo@elte.hu>
Tested-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agovhost: fix the memory leak which will happen when memory_access_ok fails
Takuya Yoshikawa [Thu, 27 May 2010 10:03:56 +0000 (19:03 +0900)]
vhost: fix the memory leak which will happen when memory_access_ok fails

We need to free newmem when vhost_set_memory() fails to complete.

Signed-off-by: Takuya Yoshikawa <yoshikawa.takuya@oss.ntt.co.jp>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
14 years agovhost-net: fix to check the return value of copy_to/from_user() correctly
Takuya Yoshikawa [Thu, 27 May 2010 10:01:58 +0000 (19:01 +0900)]
vhost-net: fix to check the return value of copy_to/from_user() correctly

copy_to/from_user() returns the number of bytes that could not be copied.

So we need to check if it is not zero, and in that case, we should return
the error number -EFAULT rather than directly return the return value from
copy_to/from_user().

Signed-off-by: Takuya Yoshikawa <yoshikawa.takuya@oss.ntt.co.jp>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
14 years agovhost: fix to check the return value of copy_to/from_user() correctly
Takuya Yoshikawa [Thu, 27 May 2010 09:58:03 +0000 (18:58 +0900)]
vhost: fix to check the return value of copy_to/from_user() correctly

copy_to/from_user() returns the number of bytes that could not be copied.

So we need to check if it is not zero, and in that case, we should return
the error number -EFAULT rather than directly return the return value from
copy_to/from_user().

Signed-off-by: Takuya Yoshikawa <yoshikawa.takuya@oss.ntt.co.jp>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
14 years agovhost: Fix host panic if ioctl called with wrong index
Krishna Kumar [Tue, 25 May 2010 05:40:36 +0000 (11:10 +0530)]
vhost: Fix host panic if ioctl called with wrong index

Missed a boundary value check in vhost_set_vring. The host panics if
idx == nvqs is used in ioctl commands in vhost_virtqueue_init.

Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
14 years agonet: fix lock_sock_bh/unlock_sock_bh
Eric Dumazet [Wed, 26 May 2010 19:20:18 +0000 (19:20 +0000)]
net: fix lock_sock_bh/unlock_sock_bh

This new sock lock primitive was introduced to speedup some user context
socket manipulation. But it is unsafe to protect two threads, one using
regular lock_sock/release_sock, one using lock_sock_bh/unlock_sock_bh

This patch changes lock_sock_bh to be careful against 'owned' state.
If owned is found to be set, we must take the slow path.
lock_sock_bh() now returns a boolean to say if the slow path was taken,
and this boolean is used at unlock_sock_bh time to call the appropriate
unlock function.

After this change, BH are either disabled or enabled during the
lock_sock_bh/unlock_sock_bh protected section. This might be misleading,
so we rename these functions to lock_sock_fast()/unlock_sock_fast().

Reported-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Tested-by: Anton Blanchard <anton@samba.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet/iucv: Add missing spin_unlock
Julia Lawall [Wed, 26 May 2010 05:56:48 +0000 (05:56 +0000)]
net/iucv: Add missing spin_unlock

Add a spin_unlock missing on the error path.  There seems like no reason
why the lock should continue to be held if the kzalloc fail.

The semantic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@@
expression E1;
@@

* spin_lock(E1,...);
  <+... when != E1
  if (...) {
    ... when != E1
*   return ...;
  }
  ...+>
* spin_unlock(E1,...);
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet: ll_temac: fix checksum offload logic
Brian Hill [Thu, 27 May 2010 03:44:30 +0000 (20:44 -0700)]
net: ll_temac: fix checksum offload logic

The current checksum offload code does not work and this corrects
that functionality. It also updates the interrupt coallescing
initialization so than there are fewer interrupts and performance
is increased.

Signed-off-by: Brian Hill <brian.hill@xilinx.com>
Signed-off-by: John Linn <john.linn@xilinx.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet: ll_temac: fix interrupt bug when interrupt 0 is used
Brian Hill [Thu, 27 May 2010 03:42:18 +0000 (20:42 -0700)]
net: ll_temac: fix interrupt bug when interrupt 0 is used

The code is not checking the interrupt for DMA correctly so that an
interrupt number of 0 will cause a false error.

Signed-off-by: Brian Hill <brian.hill@xilinx.com>
Signed-off-by: John Linn <john.linn@xilinx.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoar9170usb: fix read from freed driver context
Christian Lamparter [Tue, 25 May 2010 21:58:47 +0000 (23:58 +0200)]
ar9170usb: fix read from freed driver context

Commit "ar9170: wait for asynchronous firmware loading"
introduced a bug, which is triggered by fatal errors
while the driver is initializing the device.

BUG: unable to handle kernel paging request at 6b6b6bf7
IP: [<c117b567>] kobject_put+0x7/0x70
*pde = 00000000
Oops: 0000 [#1] PREEMPT
last sysfs file: /sys/devices/platform/hdaps/position
Modules linked in: ar9170usb [...]

Pid: 6246, comm: firmware/ar9170 Not tainted 2.6.34-wl #54
EIP: 0060:[<c117b567>] EFLAGS: 00010206 CPU: 0
EIP is at kobject_put+0x7/0x70
EAX: 6b6b6bd7 EBX: f4d3d0e0 ECX: f5ba9124 EDX: f6af2a7c
ESI: 00000000 EDI: f4d3d0e0 EBP: 00000000 ESP: f5e98f9c
 DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068
Process firmware/ar9170 (pid: 6246)
Stack:
 c12532ed 00000246 f5bfaa70 f8487353 f4d3d0e0
Call Trace:
 [<c12532ed>] ? device_release_driver+0x1d/0x30
 [<f8487353>] ? ar9170_usb_firmware_failed+0x43/0x70 [ar9170usb]
 [<c125983c>] ? request_firmware_work_func+0x2c/0x70
 [<c1259810>] ? request_firmware_work_func+0x0/0x70
 [<c10413f4>] ? kthread+0x74/0x80
 [<c1041380>] ? kthread+0x0/0x80
 [<c1003136>] ? kernel_thread_helper+0x6/0x10
Code: 40 d3 f2 ff 85 c0 89 c3 74 0a ba 44 86 4c c1 e8 [...]
EIP: [<c117b567>] kobject_put+0x7/0x70 SS:ESP 0068:f5e98f9c
CR2: 000000006b6b6bf7
---[ end trace e81abb992434b410 ]---

Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoRevert "rt2x00: Fix rt2800usb TX descriptor writing."
John W. Linville [Wed, 26 May 2010 18:40:32 +0000 (14:40 -0400)]
Revert "rt2x00: Fix rt2800usb TX descriptor writing."

This reverts commit 663cb47cc2c5acd32850f67d051e47d62ed199c9.

This patch was merged out of the proper order, so instead of fixing a
problem with a prior (unmerged) patch, it creates one.  Ooops!

Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agosctp: dubious bitfields in sctp_transport
Dan Carpenter [Wed, 26 May 2010 07:40:11 +0000 (00:40 -0700)]
sctp: dubious bitfields in sctp_transport

Sparse complains because these one-bit bitfields are signed.
  include/net/sctp/structs.h:879:24: error: dubious one-bit signed bitfield
  include/net/sctp/structs.h:889:31: error: dubious one-bit signed bitfield
  include/net/sctp/structs.h:895:26: error: dubious one-bit signed bitfield
  include/net/sctp/structs.h:898:31: error: dubious one-bit signed bitfield
  include/net/sctp/structs.h:901:27: error: dubious one-bit signed bitfield

It doesn't cause a problem in the current code, but it would be better
to clean it up.  This was introduced by c0058a35aacc7: "sctp: Save some
room in the sctp_transport by using bitfields".

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoipmr: off by one in __ipmr_fill_mroute()
Dan Carpenter [Wed, 26 May 2010 07:38:56 +0000 (00:38 -0700)]
ipmr: off by one in __ipmr_fill_mroute()

This fixes a smatch warning:
net/ipv4/ipmr.c +1917 __ipmr_fill_mroute(12) error: buffer overflow
'(mrt)->vif_table' 32 <= 32

The ipv6 version had the same issue.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobe2net: increase POST timeout for EEH recovery
Sathya Perla [Wed, 26 May 2010 07:33:43 +0000 (00:33 -0700)]
be2net: increase POST timeout for EEH recovery

Sometimes BE requires longer time for POST completion after an EEH
reset.  Increasing the timeout value accordingly.

Signed-off-by: Sathya Perla <sathyap@serverengines.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocls_cgroup: Initialise classid when module is absent
Herbert Xu [Wed, 26 May 2010 01:53:57 +0000 (18:53 -0700)]
cls_cgroup: Initialise classid when module is absent

When the cls_cgroup module is not loaded, task_cls_classid will
return an uninitialised classid instead of zero.

Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agodrivers/net/usb/asix.c: Fix pointer cast.
David S. Miller [Tue, 25 May 2010 23:24:03 +0000 (16:24 -0700)]
drivers/net/usb/asix.c: Fix pointer cast.

Stephen Rothwell reports the following new warning:

drivers/net/usb/asix.c: In function 'asix_rx_fixup':
drivers/net/usb/asix.c:325: warning: cast from pointer to integer of different size
drivers/net/usb/asix.c:354: warning: cast from pointer to integer of different size

The code just cares about the low alignment bits, so use
an "unsigned long" cast instead of one to "u32".

Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobe2net: Bug fix to avoid disabling bottom half during firmware upgrade.
Sarveshwar Bandi [Tue, 25 May 2010 23:16:32 +0000 (16:16 -0700)]
be2net: Bug fix to avoid disabling bottom half during firmware upgrade.

Certain firmware commands/operations to upgrade firmware could take several
seconds to complete. The code presently disables bottom half during these
operations which could lead to unpredictable behaviour in certain cases. This
patch now does all firmware upgrade operations asynchronously using a
completion variable.

Signed-off-by: Sarveshwar Bandi <sarveshwarb@serverengines.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoproc_dointvec: write a single value
J. R. Okajima [Tue, 25 May 2010 23:10:14 +0000 (16:10 -0700)]
proc_dointvec: write a single value

The commit 00b7c3395aec3df43de5bd02a3c5a099ca51169f
"sysctl: refactor integer handling proc code"
modified the behaviour of writing to /proc.
Before the commit, write("1\n") to /proc/sys/kernel/printk succeeded. But
now it returns EINVAL.

This commit supports writing a single value to a multi-valued entry.

Signed-off-by: J. R. Okajima <hooanon05@yahoo.co.jp>
Reviewed-and-tested-by: WANG Cong <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agohso: add support for new products
Filip Aben [Tue, 25 May 2010 23:09:23 +0000 (16:09 -0700)]
hso: add support for new products

This patch adds a few new product id's for the hso driver.

Signed-off-by: Filip Aben <f.aben@option.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoPhonet: fix potential use-after-free in pep_sock_close()
Rémi Denis-Courmont [Tue, 25 May 2010 23:08:39 +0000 (16:08 -0700)]
Phonet: fix potential use-after-free in pep_sock_close()

sk_common_release() might destroy our last reference to the socket.
So an extra temporary reference is needed during cleanup.

Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoMerge branch 'wimax-2.6.35.y' of git://git.kernel.org/pub/scm/linux/kernel/git/inaky...
David S. Miller [Tue, 25 May 2010 21:05:24 +0000 (14:05 -0700)]
Merge branch 'wimax-2.6.35.y' of git://git./linux/kernel/git/inaky/wimax

14 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirel...
David S. Miller [Tue, 25 May 2010 20:15:11 +0000 (13:15 -0700)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6

14 years agoath9k: remove VEOL support for ad-hoc
Felix Fietkau [Thu, 13 May 2010 18:37:25 +0000 (20:37 +0200)]
ath9k: remove VEOL support for ad-hoc

With VEOL, Beacon transmission in ad-hoc does not currently work.
I believe for larger ad-hoc networks, VEOL is too unreliable, as
it can get beacon transmissions stuck during synchronization.
Use SWBA based beacon trasmission similar to AP mode instead.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Acked-by: Benoit Papillault <benoit.papillault@free.fr>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoath9k: change beacon allocation to prefer the first beacon slot
Felix Fietkau [Thu, 13 May 2010 18:37:24 +0000 (20:37 +0200)]
ath9k: change beacon allocation to prefer the first beacon slot

This fixes IBSS beacon transmissions without VEOL enabled

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agosock.h: fix kernel-doc warning
Randy Dunlap [Tue, 25 May 2010 06:54:18 +0000 (23:54 -0700)]
sock.h: fix kernel-doc warning

Fix sock.h kernel-doc warning:
Warning(include/net/sock.h:1438): No description found for parameter 'wq'

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocls_cgroup: Fix build error when built-in
Herbert Xu [Tue, 25 May 2010 06:53:37 +0000 (23:53 -0700)]
cls_cgroup: Fix build error when built-in

There is a typo in cgroup_cls_state when cls_cgroup is built-in.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agomacvlan: do proper cleanup in macvlan_common_newlink() V2
Jiri Pirko [Mon, 24 May 2010 07:02:25 +0000 (07:02 +0000)]
macvlan: do proper cleanup in macvlan_common_newlink() V2

Fixes possible memory leak.

Signed-off-by: Jiri Pirko <jpirko@redhat.com>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobe2net: Bug fix in init code in probe
Sarveshwar Bandi [Tue, 25 May 2010 01:38:25 +0000 (18:38 -0700)]
be2net: Bug fix in init code in probe

PCI function reset needs to invoked after fw init ioctl is issued.

Signed-off-by: Sarveshwar Bandi <sarveshwarb@serverengines.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet/dccp: expansion of error code size
Yoichi Yuasa [Tue, 25 May 2010 01:37:02 +0000 (18:37 -0700)]
net/dccp: expansion of error code size

Because MIPS's EDQUOT value is 1133(0x46d).
It's larger than u8.

Signed-off-by: Yoichi Yuasa <yuasa@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoath9k: Fix rx of mcast/bcast frames in PS mode with auto sleep
Vasanthakumar Thiagarajan [Sun, 23 May 2010 06:58:13 +0000 (23:58 -0700)]
ath9k: Fix rx of mcast/bcast frames in PS mode with auto sleep

The functionality to keep the device awake until it is done with
the rx of any mcast/bcast frames which are pending on AP should
also be added to the hardwares which support auto sleep feature.
This patch fixes frequent failures in ARP resolution when it is
initiated by the other end. Currently auto sleep is enabled only
for ar9003 in ath9k.

Signed-off-by: Vasanthakumar Thiagarajan <vasanth@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agowireless: fix sta_info.h kernel-doc warnings
Randy Dunlap [Fri, 21 May 2010 18:28:41 +0000 (11:28 -0700)]
wireless: fix sta_info.h kernel-doc warnings

Fix sta_info.h kernel-doc warnings:

Warning(net/mac80211/sta_info.h:164): No description found for parameter 'tid_active_rx[STA_TID_NUM]'
Warning(net/mac80211/sta_info.h:164): Excess struct/union/enum/typedef member 'tid_state_rx' description in 'sta_ampdu_mlme'

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agowireless: fix mac80211.h kernel-doc warnings
Randy Dunlap [Fri, 21 May 2010 18:28:33 +0000 (11:28 -0700)]
wireless: fix mac80211.h kernel-doc warnings

Fix kernel-doc warnings in mac80211.h:

Warning(include/net/mac80211.h:838): No description found for parameter 'ap_addr'
Warning(include/net/mac80211.h:1726): No description found for parameter 'get_survey'

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoiwlwifi: testing the wrong variable in iwl_add_bssid_station()
Dan Carpenter [Fri, 14 May 2010 14:53:46 +0000 (16:53 +0200)]
iwlwifi: testing the wrong variable in iwl_add_bssid_station()

The intent here is to test that "sta_id_r" is a valid pointer.  We do
this same test later on in the function.

Btw iwl_add_bssid_station() is called from two places and "sta_id_r" is
a valid pointer from both callers.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoath9k_htc: rare leak in ath9k_hif_usb_alloc_tx_urbs()
Dan Carpenter [Fri, 14 May 2010 14:52:37 +0000 (16:52 +0200)]
ath9k_htc: rare leak in ath9k_hif_usb_alloc_tx_urbs()

This is obviously a small picky thing.  The original error handling code
doesn't free the most recent allocations which haven't been added to the
hif_dev->tx.tx_buf list yet.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Sujith <Sujith.Manoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoath9k_htc: dereferencing before check in hif_usb_tx_cb()
Dan Carpenter [Fri, 14 May 2010 14:50:56 +0000 (16:50 +0200)]
ath9k_htc: dereferencing before check in hif_usb_tx_cb()

After c11d8f89d3b7: "ath9k_htc: Simplify TX URB management" we no longer
assume that tx_buf is a non-null pointer.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Sujith <Sujith.Manoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agort2x00: Fix rt2800usb TX descriptor writing.
Gertjan van Wingerde [Thu, 13 May 2010 19:16:04 +0000 (21:16 +0200)]
rt2x00: Fix rt2800usb TX descriptor writing.

The recent changes to skb handling introduced a bug in the rt2800usb
TX descriptor writing whereby the length of the USB packet wasn't
calculated correctly.
Found via code inspection, as the devices themselves didn't seem to mind.

Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agort2x00: Fix failed SLEEP->AWAKE and AWAKE->SLEEP transitions.
Gertjan van Wingerde [Thu, 13 May 2010 19:16:03 +0000 (21:16 +0200)]
rt2x00: Fix failed SLEEP->AWAKE and AWAKE->SLEEP transitions.

(Based on a patch created by Ondrej Zary)

In some circumstances the Ralink devices do not properly go to sleep
or wake up, with timeouts occurring.
Fix this by retrying telling the device that it has to wake up or
sleep.

Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoRevert "ath9k: Group Key fix for VAPs"
John W. Linville [Mon, 24 May 2010 17:36:37 +0000 (13:36 -0400)]
Revert "ath9k: Group Key fix for VAPs"

This reverts commit 03ceedea972a82d343fa5c2528b3952fa9e615d5.

This patch was reported to cause a regression in which connectivity is
lost and cannot be reestablished after a suspend/resume cycle.

Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agowireless: update gfp/slab.h includes
Tejun Heo [Mon, 29 Mar 2010 17:52:38 +0000 (02:52 +0900)]
wireless: update gfp/slab.h includes

Implicit slab.h inclusion via percpu.h is about to go away.  Make sure
gfp.h or slab.h is included as necessary.

Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agort2x00: don't use to_pci_dev in rt2x00pci_uninitialize
Helmut Schaa [Wed, 19 May 2010 06:47:59 +0000 (08:47 +0200)]
rt2x00: don't use to_pci_dev in rt2x00pci_uninitialize

Don't use to_pci_dev in rt2x00pci_uninitialize to get the allocated irq
as it won't work for platform devices (SoC). Instead, use the irq field
that's already used everywhere else.

Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoath5k: consistently use rx_bufsize for RX DMA
Bruno Randolf [Wed, 19 May 2010 01:18:16 +0000 (10:18 +0900)]
ath5k: consistently use rx_bufsize for RX DMA

We should use the same buffer size we set up for DMA also in the hardware
descriptor. Previously we used common->rx_bufsize for setting up the DMA
mapping, but used skb_tailroom(skb) for the size we tell to the hardware in the
descriptor itself. The problem is that skb_tailroom(skb) can give us a larger
value than the size we set up for DMA before. This allows the hardware to write
into memory locations not set up for DMA. In practice this should rarely happen
because all packets should be smaller than the maximum 802.11 packet size.

On the tested platform rx_bufsize is 2528, and we allocated an skb of 2559
bytes length (including padding for cache alignment) but sbk_tailroom() was
2592. Just consistently use rx_bufsize for all RX DMA memory sizes.

Also use the return value of the descriptor setup function.

Cc: stable@kernel.org
Signed-off-by: Bruno Randolf <br1@einfach.org>
Reviewed-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agofec: add support for PHY interface platform data
Baruch Siach [Mon, 24 May 2010 07:36:13 +0000 (00:36 -0700)]
fec: add support for PHY interface platform data

The i.MX25 PDK uses RMII to communicate with its PHY. This patch adds
the ability to configure RMII, based on platform data.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Acked-by: Greg Ungerer <gerg@uclinux.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agotun: Update classid on packet injection
Herbert Xu [Mon, 24 May 2010 07:14:10 +0000 (00:14 -0700)]
tun: Update classid on packet injection

This patch makes tun update its socket classid every time we
inject a packet into the network stack.  This is so that any
updates made by the admin to the process writing packets to
tun is effected.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocls_cgroup: Store classid in struct sock
Herbert Xu [Mon, 24 May 2010 07:12:34 +0000 (00:12 -0700)]
cls_cgroup: Store classid in struct sock

Up until now cls_cgroup has relied on fetching the classid out of
the current executing thread.  This runs into trouble when a packet
processing is delayed in which case it may execute out of another
thread's context.

Furthermore, even when a packet is not delayed we may fail to
classify it if soft IRQs have been disabled, because this scenario
is indistinguishable from one where a packet unrelated to the
current thread is processed by a real soft IRQ.

In fact, the current semantics is inherently broken, as a single
skb may be constructed out of the writes of two different tasks.
A different manifestation of this problem is when the TCP stack
transmits in response of an incoming ACK.  This is currently
unclassified.

As we already have a concept of packet ownership for accounting
purposes in the skb->sk pointer, this is a natural place to store
the classid in a persistent manner.

This patch adds the cls_cgroup classid in struct sock, filling up
an existing hole on 64-bit :)

The value is set at socket creation time.  So all sockets created
via socket(2) automatically gains the ID of the thread creating it.
Whenever another process touches the socket by either reading or
writing to it, we will change the socket classid to that of the
process if it has a valid (non-zero) classid.

For sockets created on inbound connections through accept(2), we
inherit the classid of the original listening socket through
sk_clone, possibly preceding the actual accept(2) call.

In order to minimise risks, I have not made this the authoritative
classid.  For now it is only used as a backup when we execute
with soft IRQs disabled.  Once we're completely happy with its
semantics we can use it as the sole classid.

Footnote: I have rearranged the error path on cls_group module
creation.  If we didn't do this, then there is a window where
someone could create a tc rule using cls_group before the cgroup
subsystem has been registered.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet/irda: bfin_sir: IRDA is not affected by anomaly 05000230
Graf Yang [Sat, 22 May 2010 22:00:10 +0000 (22:00 +0000)]
net/irda: bfin_sir: IRDA is not affected by anomaly 05000230

Anomaly 05000230 (over sampling of the UART STOP bit) applies only when
the peripheral is operating in UART mode.  So drop the anomaly handling
in the IRDA code.

Signed-off-by: Graf Yang <graf.yang@analog.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoisdn/gigaset: remove dummy CAPI method implementations
Tilman Schmidt [Sun, 23 May 2010 01:02:38 +0000 (01:02 +0000)]
isdn/gigaset: remove dummy CAPI method implementations

Dummy implementations for the optional CAPI controller operations
load_firmware and reset_ctr can cause userspace callers to hang
indefinitely. It's better not to implement them at all.

Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Acked-by: Karsten Keil <isdn@linux-pingi.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoisdn/capi: make reset_ctr op truly optional
Tilman Schmidt [Sun, 23 May 2010 01:02:08 +0000 (01:02 +0000)]
isdn/capi: make reset_ctr op truly optional

The CAPI controller operation reset_ctr is marked as optional, and
not all drivers do implement it. Add a check to the kernel CAPI
whether it exists before trying to call it.

Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Acked-by: Karsten Keil <isdn@linux-pingi.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agopppoe: uninitialized variable in pppoe_flush_dev()
Dan Carpenter [Sat, 22 May 2010 10:27:48 +0000 (10:27 +0000)]
pppoe: uninitialized variable in pppoe_flush_dev()

This assignment got deleted along with the checks by mistake.  This
comes from:  8753d29fd "pppoe: remove unnecessary checks in
pppoe_flush_dev"

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocaif: Bugfix - use MSG_TRUNC in receive
Sjur Braendeland [Fri, 21 May 2010 02:16:12 +0000 (02:16 +0000)]
caif: Bugfix - use MSG_TRUNC in receive

Fixed handling when skb don't fit in user buffer,
instead of returning -EMSGSIZE, the buffer is truncated (just
as unix seqpakcet does).

Signed-off-by: Sjur Braendeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocaif: Bugfix - missing spin_unlock
Sjur Braendeland [Fri, 21 May 2010 02:16:11 +0000 (02:16 +0000)]
caif: Bugfix - missing spin_unlock

Splint found missing spin_unlock.
Corrected this an some other trivial split warnings.

Signed-off-by: Sjur Braendeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocaif: Bugfix - Poll can't return POLLHUP while connecting.
Sjur Braendeland [Fri, 21 May 2010 02:16:10 +0000 (02:16 +0000)]
caif: Bugfix - Poll can't return POLLHUP while connecting.

Discovered bug when testing async connect.
While connecting poll should not return POLLHUP,
but POLLOUT when connected.
Also fixed the sysfs flow-control-counters.

Signed-off-by: Sjur Braendeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocaif: Bugfix - handle mem-allocation failures
Sjur Braendeland [Fri, 21 May 2010 02:16:09 +0000 (02:16 +0000)]
caif: Bugfix - handle mem-allocation failures

Discovered bugs when injecting slab allocation failures.
Add checks on all memory allocation.

Signed-off-by: Sjur Braendeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocaif: Bugfix - use standard Linux lists
Sjur Braendeland [Fri, 21 May 2010 02:16:08 +0000 (02:16 +0000)]
caif: Bugfix - use standard Linux lists

Discovered bug when running high number of parallel connect requests.
Replace buggy home brewed list with linux/list.h.

Signed-off-by: Sjur Braendeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocaif: Bugfix - wait_ev*_timeout returns long.
Sjur Braendeland [Fri, 21 May 2010 02:16:07 +0000 (02:16 +0000)]
caif: Bugfix - wait_ev*_timeout returns long.

Discovered bug when testing on 64bit architecture.
Fixed by using long to store result from wait_event_interruptible_timeout.

Signed-off-by: Sjur Braendeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet-2.6 : V2 - fix dev_get_valid_name
Daniel Lezcano [Wed, 19 May 2010 10:12:19 +0000 (10:12 +0000)]
net-2.6 : V2 - fix dev_get_valid_name

the commit:

commit d90310243fd750240755e217c5faa13e24f41536
Author: Octavian Purdila <opurdila@ixiacom.com>
Date:   Wed Nov 18 02:36:59 2009 +0000

    net: device name allocation cleanups

introduced a bug when there is a hash collision making impossible
to rename a device with eth%d. This bug is very hard to reproduce
and appears rarely.

The problem is coming from we don't pass a temporary buffer to
__dev_alloc_name but 'dev->name' which is modified by the function.

A detailed explanation is here:

http://marc.info/?l=linux-netdev&m=127417784011987&w=2

Changelog:
 V2 : replaced strings comparison by pointers comparison

Signed-off-by: Daniel Lezcano <daniel.lezcano@free.fr>
Reviewed-by: Octavian Purdila <opurdila@ixiacom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet: Fix definition of netif_vdbg() when VERBOSE_DEBUG is not defined
Ben Hutchings [Tue, 18 May 2010 06:56:32 +0000 (06:56 +0000)]
net: Fix definition of netif_vdbg() when VERBOSE_DEBUG is not defined

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobfin_mac: fix memleak in mii_bus{probe|remove}
Denis Kirjanov [Tue, 18 May 2010 01:34:46 +0000 (01:34 +0000)]
bfin_mac: fix memleak in mii_bus{probe|remove}

Fix memory leak with miibus->irq

Signed-off-by: Denis Kirjanov <dkirjanov@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoethoc: fix null dereference in ethoc_probe
Thomas Chou [Sun, 23 May 2010 16:44:02 +0000 (16:44 +0000)]
ethoc: fix null dereference in ethoc_probe

Dan reported the patch 0baa080c75c: "ethoc: use system memory
as buffer" introduced a potential null dereference.

  1060  free:
  1061          if (priv->dma_alloc)
                    ^^^^^^^^^^^^^^^
priv can be null here.

He also suggested that the error handling is not complete.

This patch fixes the null priv issue and improves resources
releasing in ethoc_probe() and ethoc_remove().

Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Thomas Chou <thomas@wytron.com.tw>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agortnetlink: Fix error handling in do_setlink()
David Howells [Fri, 21 May 2010 02:25:27 +0000 (02:25 +0000)]
rtnetlink: Fix error handling in do_setlink()

Commit c02db8c6290bb992442fec1407643c94cc414375:

Author:  Chris Wright <chrisw@sous-sol.org>
Date:    Sun May 16 01:05:45 2010 -0700
Subject: rtnetlink: make SR-IOV VF interface symmetric

adds broken error handling to do_setlink() in net/core/rtnetlink.c.  The
problem is the following chunk of code:

if (tb[IFLA_VFINFO_LIST]) {
struct nlattr *attr;
int rem;
nla_for_each_nested(attr, tb[IFLA_VFINFO_LIST], rem) {
if (nla_type(attr) != IFLA_VF_INFO)
  ----> goto errout;
err = do_setvfinfo(dev, attr);
if (err < 0)
goto errout;
modified = 1;
}
}

which can get to errout without setting err, resulting in the following error:

net/core/rtnetlink.c: In function 'do_setlink':
net/core/rtnetlink.c:904: warning: 'err' may be used uninitialized in this function

Change the code to return -EINVAL in this case.  Note that this might not be
the appropriate error though.

Signed-off-by: David Howells <dhowells@redhat.com>
cc: Chris Wright <chrisw@sous-sol.org>
cc: David S. Miller <davem@davemloft.net>
Acked-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet-caif: drop redundant Kconfig entries
Mike Frysinger [Fri, 21 May 2010 10:45:20 +0000 (10:45 +0000)]
net-caif: drop redundant Kconfig entries

There is already a submenu entry that is always displayed, so there is
no need to also show a dedicated CAIF comment.

Drop dead commented code while we're here, and change the submenu text
to better match the style everyone else is using.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet_sched: Fix qdisc_notify()
Eric Dumazet [Sat, 22 May 2010 20:37:44 +0000 (20:37 +0000)]
net_sched: Fix qdisc_notify()

Ben Pfaff reported a kernel oops and provided a test program to
reproduce it.

https://kerneltrap.org/mailarchive/linux-netdev/2010/5/21/6277805

tc_fill_qdisc() should not be called for builtin qdisc, or it
dereference a NULL pointer to get device ifindex.

Fix is to always use tc_qdisc_dump_ignore() before calling
tc_fill_qdisc().

Reported-by: Ben Pfaff <blp@nicira.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoieee802154: Fix possible NULL pointer dereference in wpan_phy_alloc
Denis Kirjanov [Sun, 23 May 2010 05:45:45 +0000 (05:45 +0000)]
ieee802154: Fix possible NULL pointer dereference in wpan_phy_alloc

Check for NULL pointer after kzalloc

Signed-off-by: Denis Kirjanov <dkirjanov@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoenic: Use random mac addr when associating port-profile
Scott Feldman [Sat, 22 May 2010 17:29:58 +0000 (17:29 +0000)]
enic: Use random mac addr when associating port-profile

Use random mac addr for interface when associating port-profile to
dynamic enic device, in the case no mac addr was previous assigned.

Signed-off-by: Scott Feldman <scofeldm@cisco.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoenic: bug fix: sprintf UUID to string as u8[] rather than u16[] array
Scott Feldman [Sat, 22 May 2010 17:29:52 +0000 (17:29 +0000)]
enic: bug fix: sprintf UUID to string as u8[] rather than u16[] array

Signed-off-by: Scott Feldman <scofeldm@cisco.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocfg80211: add missing braces
Johannes Berg [Tue, 18 May 2010 12:36:34 +0000 (14:36 +0200)]
cfg80211: add missing braces

Specifying a valid channel type will get
goto out rather than continuing, due to
missing braces. This affects both remain
on channel and action frame TX commands.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agorndis_wlan: replace wireless_send_event with cfg80211_disconnected
Jussi Kivilinna [Tue, 18 May 2010 08:20:51 +0000 (11:20 +0300)]
rndis_wlan: replace wireless_send_event with cfg80211_disconnected

Remove (hopefully) last use of WEXT in rndis_wlan. Replace wireless_send_event
with missing cfg80211_disconnected in rndis_wlan_do_link_down_work.

Reported-by: "Rogério Brito" <rbrito@ime.usp.br>
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoath9k: remove AR9003 from PCI IDs for now
Luis R. Rodriguez [Mon, 17 May 2010 17:15:30 +0000 (13:15 -0400)]
ath9k: remove AR9003 from PCI IDs for now

We tried to squeeze as much AR9003 support into this kernel
release cycle but there are a few features which are still
being tested and developed. Some of these features are critical
to the stable operation of AR9003 so for now disable AR9003 support
all together. This will get re-enabled once all necessary features
are in place but very likely will not happen for 2.6.35.

Reviewed-by: Don Breslin <don.breslin@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agocfg80211: fix crash in cfg80211_set_freq()
Felix Fietkau [Sat, 15 May 2010 13:46:17 +0000 (15:46 +0200)]
cfg80211: fix crash in cfg80211_set_freq()

Since wdev can be NULL, check it before dereferencing it

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agowl1271: Fix RX data path frame lengths
Juuso Oikarinen [Fri, 14 May 2010 07:46:24 +0000 (10:46 +0300)]
wl1271: Fix RX data path frame lengths

The current frame length used by the driver for RX frames is the SPI bus
transfer length. This length has padding bytes, which do not belong to the
WLAN frame.

As there is no other length information in the WLAN frame except the skb
length this problem caused for instance extra ESSID's to be listed at the
end of scan results (IE id 0) with zero length.

Fix the frame length by removing padding.

Signed-off-by: Juuso Oikarinen <juuso.oikarinen@nokia.com>
Reviewed-by: Luciano Coelho <luciano.coelho@nokia.com>
Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoiwlwifi: fix internal scan race
Reinette Chatre [Thu, 13 May 2010 21:49:44 +0000 (14:49 -0700)]
iwlwifi: fix internal scan race

It is possible for internal scan to race against itself if the device is
not returning the scan results from first requests. What happens in this
case is the cleanup done during the abort of the first internal scan also
cleans up part of the new scan, causing it to access memory it shouldn't.

Here are details:
* First internal scan is triggered and scan command sent to device.
* After seven seconds there is no scan results so the watchdog timer
  triggers a scan abort.
* The scan abort succeeds and a SCAN_COMPLETE_NOTIFICATION is received for
 failed scan.
* During processing of SCAN_COMPLETE_NOTIFICATION we clear STATUS_SCANNING
  and queue the "scan_completed" work.
** At this time, since the problem that caused the internal scan in first
   place is still present, a new internal scan is triggered.
The behavior at this point is a bit different between 2.6.34 and 2.6.35
since 2.6.35 has a lot of this synchronized. The rest of the race
description will thus be generalized.
** As part of preparing for the scan "is_internal_short_scan" is set to
true.
* At this point the completion work for fist scan is run. As part of this
  there is some locking missing around the "is_internal_short_scan"
  variable and it is set to "false".
** Now the second scan runs and it considers itself a real (not internal0
   scan and thus causes problems with wrong memory being accessed.

The fix is twofold.
* Since "is_internal_short_scan" should be protected by mutex, fix this in
  scan completion work so that changes to it can be serialized.
* Do not queue a new internal scan if one is in progress.

This fixes https://bugzilla.kernel.org/show_bug.cgi?id=15824

Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agocfg80211: Fix signal_type comparison
Sujith [Thu, 13 May 2010 05:04:08 +0000 (10:34 +0530)]
cfg80211: Fix signal_type comparison

signal_type is enum cfg80211_signal_type.

This fixes the gcc warning:

scan.c: In function `cfg80211_inform_bss':
scan.c:518:6: warning: comparison between `enum cfg80211_signal_type' and `enum nl80211_bss'
scan.c: In function `cfg80211_inform_bss_frame':
scan.c:574:6: warning: comparison between `enum cfg80211_signal_type' and `enum nl80211_bss'

Signed-off-by: Sujith <Sujith.Manoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agonet: fix problem in dequeuing from input_pkt_queue
Tom Herbert [Thu, 20 May 2010 18:37:59 +0000 (18:37 +0000)]
net: fix problem in dequeuing from input_pkt_queue

Fix some issues introduced in batch skb dequeuing for input_pkt_queue.
The primary issue it that the queue head must be incremented only
after a packet has been processed, that is only after
__netif_receive_skb has been called.  This is needed for the mechanism
to prevent OOO packet in RFS.  Also when flushing the input_pkt_queue
and process_queue, the process queue should be done first to prevent
OOO packets.

Because the input_pkt_queue has been effectively split into two queues,
the calculation of the tail ptr is no longer correct.  The correct value
would be head+input_pkt_queue->len+process_queue->len.  To avoid
this calculation we added an explict input_queue_tail in softnet_data.
The tail value is simply incremented when queuing to input_pkt_queue.

Signed-off-by: Tom Herbert <therbert@google.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocan: SJA1000 add missing spin_lock_init()
Oliver Hartkopp [Wed, 19 May 2010 06:46:38 +0000 (06:46 +0000)]
can: SJA1000 add missing spin_lock_init()

As remarked by Sam Ravnborg the spin_lock variable, that has been introduced
in commit 57c8a456640fa3ca777652f11f2db4179a3e66b6 ("can: Fix SJA1000 command
register writes on SMP systems") has not been initialized properly.

This patch adds the initialization to allow spinlock debugging.

Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
CC: Sam Ravnborg <sam@ravnborg.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agosh_eth: Fix memleak in sh_mdio_release
Denis Kirjanov [Thu, 20 May 2010 04:00:59 +0000 (04:00 +0000)]
sh_eth: Fix memleak in sh_mdio_release

Allocated memory for IRQs should be freed when releasing the mii_bus

Signed-off-by: Denis Kirjanov <dkirjanov@kernel.org>
Acked-by: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
David S. Miller [Fri, 21 May 2010 06:12:18 +0000 (23:12 -0700)]
Merge branch 'master' of git://git./linux/kernel/git/kaber/nf-next-2.6

14 years agogro: Fix bogus gso_size on the first fraglist entry
Herbert Xu [Fri, 21 May 2010 06:07:56 +0000 (23:07 -0700)]
gro: Fix bogus gso_size on the first fraglist entry

When GRO produces fraglist entries, and the resulting skb hits
an interface that is incapable of TSO but capable of FRAGLIST,
we end up producing a bogus packet with gso_size non-zero.

This was reported in the field with older versions of KVM that
did not set the TSO bits on tuntap.

This patch fixes that.

Reported-by: Igor Zhang <yugzhang@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>