GitHub/exynos8895/android_kernel_samsung_universal8895.git
14 years agonet: avoid limits overflow
Eric Dumazet [Tue, 9 Nov 2010 23:24:26 +0000 (23:24 +0000)]
net: avoid limits overflow

Robin Holt tried to boot a 16TB machine and found some limits were
reached : sysctl_tcp_mem[2], sysctl_udp_mem[2]

We can switch infrastructure to use long "instead" of "int", now
atomic_long_t primitives are available for free.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Reported-by: Robin Holt <holt@sgi.com>
Reviewed-by: Robin Holt <holt@sgi.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet: packet: fix information leak to userland
Vasiliy Kulikov [Wed, 10 Nov 2010 20:09:10 +0000 (12:09 -0800)]
net: packet: fix information leak to userland

packet_getname_spkt() doesn't initialize all members of sa_data field of
sockaddr struct if strlen(dev->name) < 13.  This structure is then copied
to userland.  It leads to leaking of contents of kernel stack memory.
We have to fully fill sa_data with strncpy() instead of strlcpy().

The same with packet_getname(): it doesn't initialize sll_pkttype field of
sockaddr_ll.  Set it to zero.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agofilter: make sure filters dont read uninitialized memory
David S. Miller [Wed, 10 Nov 2010 18:38:24 +0000 (10:38 -0800)]
filter: make sure filters dont read uninitialized memory

There is a possibility malicious users can get limited information about
uninitialized stack mem array. Even if sk_run_filter() result is bound
to packet length (0 .. 65535), we could imagine this can be used by
hostile user.

Initializing mem[] array, like Dan Rosenberg suggested in his patch is
expensive since most filters dont even use this array.

Its hard to make the filter validation in sk_chk_filter(), because of
the jumps. This might be done later.

In this patch, I use a bitmap (a single long var) so that only filters
using mem[] loads/stores pay the price of added security checks.

For other filters, additional cost is a single instruction.

[ Since we access fentry->k a lot now, cache it in a local variable
  and mark filter entry pointer as const. -DaveM ]

Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet: ax25: fix information leak to userland
Vasiliy Kulikov [Wed, 10 Nov 2010 18:14:33 +0000 (10:14 -0800)]
net: ax25: fix information leak to userland

Sometimes ax25_getname() doesn't initialize all members of fsa_digipeater
field of fsa struct, also the struct has padding bytes between
sax25_call and sax25_ndigis fields.  This structure is then copied to
userland.  It leads to leaking of contents of kernel stack memory.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet/dst: dst_dev_event() called after other notifiers
Eric Dumazet [Tue, 9 Nov 2010 19:46:33 +0000 (11:46 -0800)]
net/dst: dst_dev_event() called after other notifiers

Followup of commit ef885afbf8a37689 (net: use rcu_barrier() in
rollback_registered_many)

dst_dev_event() scans a garbage dst list that might be feeded by various
network notifiers at device dismantle time.

Its important to call dst_dev_event() after other notifiers, or we might
enter the infamous msleep(250) in netdev_wait_allrefs(), and wait one
second before calling again call_netdevice_notifiers(NETDEV_UNREGISTER,
dev) to properly remove last device references.

Use priority -10 to let dst_dev_notifier be called after other network
notifiers (they have the default 0 priority)

Reported-by: Ben Greear <greearb@candelatech.com>
Reported-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Reported-by: Octavian Purdila <opurdila@ixiacom.com>
Reported-by: Benjamin LaHaise <bcrl@kvack.org>
Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet: tipc: fix information leak to userland
Kulikov Vasiliy [Sun, 31 Oct 2010 07:10:32 +0000 (07:10 +0000)]
net: tipc: fix information leak to userland

Structure sockaddr_tipc is copied to userland with padding bytes after
"id" field in union field "name" unitialized.  It leads to leaking of
contents of kernel stack memory.  We have to initialize them to zero.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agor8169: fix sleeping while holding spinlock.
françois romieu [Mon, 8 Nov 2010 13:23:58 +0000 (13:23 +0000)]
r8169: fix sleeping while holding spinlock.

As device_set_wakeup_enable can now sleep, move the call to outside
the critical section.

Signed-off-by: Daniel J Blueman <daniel.blueman@gmail.com>
Acked-by: Rafael J. Wysocki <rjw@sisk.pl>
Acked-by: Andrew Hendry <andrew.hendry@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agor8169: revert "Handle rxfifo errors on 8168 chips"
françois romieu [Mon, 8 Nov 2010 13:23:05 +0000 (13:23 +0000)]
r8169: revert "Handle rxfifo errors on 8168 chips"

The original patch helps under obscure conditions (no pun) but
some 8168 do not like it. The change needs to be tightened with
a specific 8168 version.

This reverts commit 801e147cde02f04b5c2f42764cd43a89fc7400a2
("r8169: Handle rxfifo errors on 8168 chips").

Regression at https://bugzilla.kernel.org/show_bug.cgi?id=20882

Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Tested-by: Andreas Radke <a.radke@arcor.de>
Cc: Matthew Garrett <mjg@redhat.com>
Cc: Daniel J Blueman <daniel.blueman@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoinet: fix ip_mc_drop_socket()
Eric Dumazet [Mon, 8 Nov 2010 11:15:54 +0000 (11:15 +0000)]
inet: fix ip_mc_drop_socket()

commit 8723e1b4ad9be4444 (inet: RCU changes in inetdev_by_index())
forgot one call site in ip_mc_drop_socket()

We should not decrease idev refcount after inetdev_by_index() call,
since refcount is not increased anymore.

Reported-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Reported-by: Miles Lane <miles.lane@gmail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agords: Fix rds message leak in rds_message_map_pages
Pavel Emelyanov [Mon, 8 Nov 2010 06:20:50 +0000 (06:20 +0000)]
rds: Fix rds message leak in rds_message_map_pages

The sgs allocation error path leaks the allocated message.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Acked-by: Andy Grover <andy.grover@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoqeth: fix race condition during device startup
Frank Blaschka [Mon, 8 Nov 2010 03:03:49 +0000 (03:03 +0000)]
qeth: fix race condition during device startup

QDIO is running independent from netdevice state. We are not
allowed to schedule NAPI in case the netdevice is not open.

Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoqeth: remove dev_queue_xmit invocation
Ursula Braun [Mon, 8 Nov 2010 03:03:48 +0000 (03:03 +0000)]
qeth: remove dev_queue_xmit invocation

For a certain Hipersockets specific error code in the xmit path, the
qeth driver tries to invoke dev_queue_xmit again.
Commit 79640a4ca6955e3ebdb7038508fa7a0cd7fa5527 introduces a busylock
causing locking problems in case of re-invoked dev_queue_xmit by qeth.
This patch removes the attempts to retry packet sending with
dev_queue_xmit from the qeth driver.

Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agopktgen: correct uninitialized queue_map
Junchang Wang [Sun, 7 Nov 2010 23:19:43 +0000 (23:19 +0000)]
pktgen: correct uninitialized queue_map

This fix a bug reported by backyes.
Right the first time pktgen's using queue_map that's not been initialized
by set_cur_queue_map(pkt_dev);

Signed-off-by: Junchang Wang <junchangwang@gmail.com>
Signed-off-by: Backyes <backyes@mail.ustc.edu.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet: Detect and ignore netif_stop_queue() calls before register_netdev()
Guillaume Chazarain [Sat, 6 Nov 2010 06:39:32 +0000 (06:39 +0000)]
net: Detect and ignore netif_stop_queue() calls before register_netdev()

After e6484930d7c73d324bccda7d43d131088da697b9: net: allocate tx queues in register_netdevice
These calls make net drivers oops at load time, so let's avoid people
git-bisect'ing known problems.

Signed-off-by: Guillaume Chazarain <guichaz@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoskge: Remove tx queue stopping in skge_devinit()
Guillaume Chazarain [Sat, 6 Nov 2010 06:39:31 +0000 (06:39 +0000)]
skge: Remove tx queue stopping in skge_devinit()

After e6484930d7c73d324bccda7d43d131088da697b9: net: allocate tx queues in register_netdevice
It causes an Oops at skge_probe() time.

Signed-off-by: Guillaume Chazarain <guichaz@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoipv6: fix overlap check for fragments
Shan Wei [Fri, 5 Nov 2010 01:56:34 +0000 (01:56 +0000)]
ipv6: fix overlap check for fragments

The type of FRAG6_CB(prev)->offset is int, skb->len is *unsigned* int,
and offset is int.

Without this patch, type conversion occurred to this expression, when
(FRAG6_CB(prev)->offset + prev->len) is less than offset.

Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoclassifier: report statistics for basic classifier
stephen hemminger [Thu, 4 Nov 2010 11:47:04 +0000 (11:47 +0000)]
classifier: report statistics for basic classifier

The basic classifier keeps statistics but does not report it to user space.
This showed up when using basic classifier (with police) as a default catch
all on ingress; no statistics were reported.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agosolos: Refuse to upgrade firmware with older FPGA. It doesn't work.
David Woodhouse [Mon, 1 Nov 2010 10:35:28 +0000 (10:35 +0000)]
solos: Refuse to upgrade firmware with older FPGA. It doesn't work.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agosolos: Add 'Firmware' attribute for Traverse overall firmware version
David Woodhouse [Mon, 1 Nov 2010 10:34:29 +0000 (10:34 +0000)]
solos: Add 'Firmware' attribute for Traverse overall firmware version

The existing 'FirmwareVersion' attribute only covers the DSP firmware as
provided by Conexant; not the overall version of the device firmware. We
do want to be able to see the full version number too.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet dst: need linux/cache.h for ____cacheline_aligned_in_smp.
Paul Mundt [Mon, 8 Nov 2010 03:58:05 +0000 (19:58 -0800)]
net dst: need linux/cache.h for ____cacheline_aligned_in_smp.

Presently the b43legacy build fails on an sh randconfig:

In file included from include/net/dst.h:12,
                 from drivers/net/wireless/b43legacy/xmit.c:32:
include/net/dst_ops.h:28: error: expected ':', ',', ';', '}' or '__attribute__' before '____cacheline_aligned_in_smp'
include/net/dst_ops.h: In function 'dst_entries_get_fast':
include/net/dst_ops.h:33: error: 'struct dst_ops' has no member named 'pcpuc_entries'
include/net/dst_ops.h: In function 'dst_entries_get_slow':
include/net/dst_ops.h:41: error: 'struct dst_ops' has no member named 'pcpuc_entries'
include/net/dst_ops.h: In function 'dst_entries_add':
include/net/dst_ops.h:49: error: 'struct dst_ops' has no member named 'pcpuc_entries'
include/net/dst_ops.h: In function 'dst_entries_init':
include/net/dst_ops.h:55: error: 'struct dst_ops' has no member named 'pcpuc_entries'
include/net/dst_ops.h: In function 'dst_entries_destroy':
include/net/dst_ops.h:60: error: 'struct dst_ops' has no member named 'pcpuc_entries'
make[5]: *** [drivers/net/wireless/b43legacy/xmit.o] Error 1
make[5]: *** Waiting for unfinished jobs....

Signed-off-by: Paul Mundt <lethal@linux-sh.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoNET: pktgen - fix compile warning
Dmitry Torokhov [Sat, 6 Nov 2010 20:11:38 +0000 (20:11 +0000)]
NET: pktgen - fix compile warning

This should fix the following warning:

net/core/pktgen.c: In function ‘pktgen_if_write’:
net/core/pktgen.c:890: warning: comparison of distinct pointer types lacks a cast

Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Reviewed-by: Nelson Elhage <nelhage@ksplice.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoinet_diag: Make sure we actually run the same bytecode we audited.
Nelson Elhage [Wed, 3 Nov 2010 16:35:41 +0000 (16:35 +0000)]
inet_diag: Make sure we actually run the same bytecode we audited.

We were using nlmsg_find_attr() to look up the bytecode by attribute when
auditing, but then just using the first attribute when actually running
bytecode. So, if we received a message with two attribute elements, where only
the second had type INET_DIAG_REQ_BYTECODE, we would validate and run different
bytecode strings.

Fix this by consistently using nlmsg_find_attr everywhere.

Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
Signed-off-by: Thomas Graf <tgraf@infradead.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonetlink: Make nlmsg_find_attr take a const nlmsghdr*.
Nelson Elhage [Wed, 3 Nov 2010 16:35:40 +0000 (16:35 +0000)]
netlink: Make nlmsg_find_attr take a const nlmsghdr*.

This will let us use it on a nlmsghdr stored inside a netlink_callback.

Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agofib: fib_result_assign() should not change fib refcounts
Eric Dumazet [Thu, 4 Nov 2010 01:21:39 +0000 (01:21 +0000)]
fib: fib_result_assign() should not change fib refcounts

After commit ebc0ffae5 (RCU conversion of fib_lookup()),
fib_result_assign()  should not change fib refcounts anymore.

Thanks to Michael who did the bisection and bug report.

Reported-by: Michael Ellerman <michael@ellerman.id.au>
Tested-by: Michael Ellerman <michael@ellerman.id.au>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonetfilter: ip6_tables: fix information leak to userspace
Jan Engelhardt [Thu, 4 Nov 2010 01:55:39 +0000 (18:55 -0700)]
netfilter: ip6_tables: fix information leak to userspace

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6
David S. Miller [Thu, 4 Nov 2010 01:52:32 +0000 (18:52 -0700)]
Merge branch 'master' of git://git./linux/kernel/git/kaber/nf-2.6

14 years agocls_cgroup: Fix crash on module unload
Herbert Xu [Wed, 3 Nov 2010 13:31:05 +0000 (13:31 +0000)]
cls_cgroup: Fix crash on module unload

Somewhere along the lines net_cls_subsys_id became a macro when
cls_cgroup is built as a module.  Not only did it make cls_cgroup
completely useless, it also causes it to crash on module unload.

This patch fixes this by removing that macro.

Thanks to Eric Dumazet for diagnosing this problem.

Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Li Zefan <lizf@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agomemory corruption in X.25 facilities parsing
andrew hendry [Wed, 3 Nov 2010 12:54:53 +0000 (12:54 +0000)]
memory corruption in X.25 facilities parsing

Signed-of-by: Andrew Hendry <andrew.hendry@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet dst: fix percpu_counter list corruption and poison overwritten
Xiaotian Feng [Tue, 2 Nov 2010 16:11:05 +0000 (16:11 +0000)]
net dst: fix percpu_counter list corruption and poison overwritten

There're some percpu_counter list corruption and poison overwritten warnings
in recent kernel, which is resulted by fc66f95c.

commit fc66f95c switches to use percpu_counter, in ip6_route_net_init, kernel
init the percpu_counter for dst entries, but, the percpu_counter is never destroyed
in ip6_route_net_exit. So if the related data is freed by kernel, the freed percpu_counter
is still on the list, then if we insert/remove other percpu_counter, list corruption
resulted. Also, if the insert/remove option modifies the ->prev,->next pointer of
the freed value, the poison overwritten is resulted then.

With the following patch, the percpu_counter list corruption and poison overwritten
warnings disappeared.

Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Cc: "Pekka Savola (ipv6)" <pekkas@netcore.fi>
Cc: James Morris <jmorris@namei.org>
Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Cc: Patrick McHardy <kaber@trash.net>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agords: Remove kfreed tcp conn from list
Pavel Emelyanov [Tue, 2 Nov 2010 01:54:01 +0000 (01:54 +0000)]
rds: Remove kfreed tcp conn from list

All the rds_tcp_connection objects are stored list, but when
being freed it should be removed from there.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agords: Lost locking in loop connection freeing
Pavel Emelyanov [Tue, 2 Nov 2010 01:52:05 +0000 (01:52 +0000)]
rds: Lost locking in loop connection freeing

The conn is removed from list in there and this requires
proper lock protection.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agode2104x: fix panic on load
Eric Dumazet [Wed, 3 Nov 2010 12:25:32 +0000 (12:25 +0000)]
de2104x: fix panic on load

Its now illegal to call netif_stop_queue() before register_netdev()

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoatl1 : fix panic on load
Eric Dumazet [Wed, 3 Nov 2010 12:11:21 +0000 (12:11 +0000)]
atl1 : fix panic on load

Its now illegal to call netif_stop_queue() before register_netdev()

Reported-by: Tom Gundersen <teg@jklm.no>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonetxen: remove unused firmware exports
Amerigo Wang [Tue, 2 Nov 2010 18:25:31 +0000 (18:25 +0000)]
netxen: remove unused firmware exports

Quote from Amit Salecha:

"Actually I was not updated, NX_UNIFIED_ROMIMAGE_NAME (phanfw.bin) is already
submitted and its present in linux-firmware.git.

I will get back to you on NX_P2_MN_ROMIMAGE_NAME, NX_P3_CT_ROMIMAGE_NAME and
NX_P3_MN_ROMIMAGE_NAME. Whether this will be submitted ?"

We have to remove these, otherwise we will get wrong info from modinfo.

Signed-off-by: WANG Cong <amwang@redhat.com>
Cc: Amit Kumar Salecha <amit.salecha@qlogic.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Dhananjay Phadke <dhananjay.phadke@qlogic.com>
Cc: Narender Kumar <narender.kumar@qlogic.com>
Acked-by: Amit Kumar Salecha <amit.salecha@qlogic.com>--
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocaif: Remove noisy printout when disconnecting caif socket
sjur.brandeland@stericsson.com [Wed, 3 Nov 2010 10:19:25 +0000 (10:19 +0000)]
caif: Remove noisy printout when disconnecting caif socket

Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocaif: SPI-driver bugfix - incorrect padding.
Sjur Brændeland [Mon, 1 Nov 2010 11:52:48 +0000 (11:52 +0000)]
caif: SPI-driver bugfix - incorrect padding.

Signed-off-by: Sjur Braendeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocaif: Bugfix for socket priority, bindtodev and dbg channel.
André Carvalho de Matos [Mon, 1 Nov 2010 11:52:47 +0000 (11:52 +0000)]
caif: Bugfix for socket priority, bindtodev and dbg channel.

Changes:
o Bugfix: SO_PRIORITY for SOL_SOCKET could not be handled
  in caif's setsockopt,  using the struct sock attribute priority instead.

o Bugfix: SO_BINDTODEVICE for SOL_SOCKET could not be handled
  in caif's setsockopt,  using the struct sock attribute ifindex instead.

o Wrong assert statement for RFM layer segmentation.

o CAIF Debug channels was not working over SPI, caif_payload_info
  containing padding info must be initialized.

o Check on pointer before dereferencing when unregister dev in caif_dev.c

Signed-off-by: Sjur Braendeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agosmsc911x: Set Ethernet EEPROM size to supported device's size
John Faith [Mon, 1 Nov 2010 11:30:08 +0000 (11:30 +0000)]
smsc911x: Set Ethernet EEPROM size to supported device's size

The SMSC911x supports 128 x 8-bit EEPROMs.  Increase the EEPROM size
so more than just the MAC address can be stored.

Signed-off-by: John Faith <jfaith7@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoipv4: netfilter: ip_tables: fix information leak to userland
Vasiliy Kulikov [Wed, 3 Nov 2010 07:45:06 +0000 (08:45 +0100)]
ipv4: netfilter: ip_tables: fix information leak to userland

Structure ipt_getinfo is copied to userland with the field "name"
that has the last elements unitialized.  It leads to leaking of
contents of kernel stack memory.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
14 years agoipv4: netfilter: arp_tables: fix information leak to userland
Vasiliy Kulikov [Wed, 3 Nov 2010 07:44:12 +0000 (08:44 +0100)]
ipv4: netfilter: arp_tables: fix information leak to userland

Structure arpt_getinfo is copied to userland with the field "name"
that has the last elements unitialized.  It leads to leaking of
contents of kernel stack memory.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
14 years agocxgb4vf: remove call to stop TX queues at load time.
Divy Le Ray [Mon, 1 Nov 2010 10:59:51 +0000 (10:59 +0000)]
cxgb4vf: remove call to stop TX queues at load time.

Stopping TX queues at driver load time is not necessary.

Signed-off-by: Casey Leedom <leedom@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocxgb4: remove call to stop TX queues at load time.
Divy Le Ray [Mon, 1 Nov 2010 10:59:46 +0000 (10:59 +0000)]
cxgb4: remove call to stop TX queues at load time.

Remove racy queue stopping after device registration.

Signed-off-by: Dimitris Michailidis <dm@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocxgb3: remove call to stop TX queues at load time.
Divy Le Ray [Mon, 1 Nov 2010 10:59:41 +0000 (10:59 +0000)]
cxgb3: remove call to stop TX queues at load time.

Remove racy queue stopping after device registration.

Signed-off-by: Divy Le Ray <divy@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet: check queue_index from sock is valid for device
Tom Herbert [Mon, 1 Nov 2010 19:55:52 +0000 (12:55 -0700)]
net: check queue_index from sock is valid for device

In dev_pick_tx recompute the queue index if the value stored in the
socket is greater than or equal to the number of real queues for the
device.  The saved index in the sock structure is not guaranteed to
be appropriate for the egress device (this could happen on a route
change or in presence of tunnelling).  The result of the queue index
being bad would be to return a bogus queue (crash could prersumably
follow).

Signed-off-by: Tom Herbert <therbert@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoUSB: gadget: fix ethernet gadget crash in gether_setup
Dmitry Artamonow [Mon, 1 Nov 2010 16:33:53 +0000 (09:33 -0700)]
USB: gadget: fix ethernet gadget crash in gether_setup

Crash is triggered by commit e6484930d7 ("net: allocate tx queues in
register_netdevice"), which moved tx netqueue creation into register_netdev.
So now calling netif_stop_queue() before register_netdev causes an oops.
Move netif_stop_queue() after net device registration to fix crash.

Signed-off-by: Dmitry Artamonow <mad_soft@inbox.ru>
Signed-off-by: Denis Kirjanov <dkirjanov@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoibm_newemac: Remove netif_stop_queue() in emac_probe().
David S. Miller [Mon, 1 Nov 2010 15:49:51 +0000 (08:49 -0700)]
ibm_newemac: Remove netif_stop_queue() in emac_probe().

Touching the queue state before register_netdev is not
allowed, and besides the queue state before ->open()
is "don't care"

Reported-by: Josh Boyer <jwboyer@gmail.com>
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agousbnet: fix usb_autopm_get_interface failure(v1)
Ming Lei [Mon, 1 Nov 2010 14:11:54 +0000 (07:11 -0700)]
usbnet: fix usb_autopm_get_interface failure(v1)

Since usbnet already took usb runtime pm, we have to
enable runtime pm for usb interface of usbnet, otherwise
usb_autopm_get_interface may return failure and cause
'ifconfig usb0 up' failed if USB_SUSPEND(RUNTIME_PM) is
enabled.

Cc: David Brownell <dbrownell@users.sourceforge.net>
Cc: Greg Kroah-Hartman <gregkh@suse.de>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Ben Hutchings <ben@decadent.org.uk>
Cc: Joe Perches <joe@perches.com>
Cc: Oliver Neukum <oliver@neukum.org>
Cc: Andy Shevchenko <andy.shevchenko@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Ming Lei <tom.leiming@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agol2tp: kzalloc with swapped params in l2tp_dfs_seq_open
Dr. David Alan Gilbert [Sun, 31 Oct 2010 07:26:03 +0000 (07:26 +0000)]
l2tp: kzalloc with swapped params in l2tp_dfs_seq_open

  'sparse' spotted that the parameters to kzalloc in l2tp_dfs_seq_open
were swapped.

Tested on current git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6.git
at 1792f17b7210280a3d7ff29da9614ba779cfcedb  build, boots and I can see that directory,
but there again I could see /sys/kernel/debug/l2tp with it swapped; I don't have
any l2tp in use.

Signed-off-by: Dr. David Alan Gilbert <linux@treblig.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agotrivial: fix typos concerning "function"
Uwe Kleine-König [Tue, 26 Oct 2010 09:57:07 +0000 (09:57 +0000)]
trivial: fix typos concerning "function"

I'm a bit unsure about this patch.  I'm unable to parse both statements.

Cc: netdev@vger.kernel.org
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobnx2x: Update version number
Yaniv Rosner [Mon, 1 Nov 2010 05:32:43 +0000 (05:32 +0000)]
bnx2x: Update version number

Update bnx2x version number.

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobnx2x: Reset 8073 phy during common init
Yaniv Rosner [Mon, 1 Nov 2010 05:32:41 +0000 (05:32 +0000)]
bnx2x: Reset 8073 phy during common init

Resetting 8073 during common init is required on boards in which the
8073 reset pin is not asserted by default.

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobnx2x: Do not enable CL37 BAM unless it is explicitly enabled
Yaniv Rosner [Mon, 1 Nov 2010 05:32:38 +0000 (05:32 +0000)]
bnx2x: Do not enable CL37 BAM unless it is explicitly enabled

Enabling CL37 BAM on BCM8073 by default may lead to link issues since
not all switches support it. So enable CL37 BAM only if explicitly
selected.

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobnx2x: Fix resetting BCM8726 PHY during common init
Yaniv Rosner [Mon, 1 Nov 2010 05:32:36 +0000 (05:32 +0000)]
bnx2x: Fix resetting BCM8726 PHY during common init

On BCM8726 based designs, the ports are swapped, hence the reset needs
to be asserted through port0 and not port1.

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobnx2x: Clear latch indication on link reset
Yaniv Rosner [Mon, 1 Nov 2010 05:32:34 +0000 (05:32 +0000)]
bnx2x: Clear latch indication on link reset

When using latch indication for link change notification, need to
clear it when port is unloaded, otherwise it might generate false
indication on next load.

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobnx2x: Fix port selection in case of E2
Yaniv Rosner [Mon, 1 Nov 2010 05:32:31 +0000 (05:32 +0000)]
bnx2x: Fix port selection in case of E2

On E2 flavor, dual-port mode, the port argument used for some
functions is needed as the global port number rather than the port per
path.

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobnx2x: Fix waiting for reset complete on BCM848x3 PHYs
Yaniv Rosner [Mon, 1 Nov 2010 05:32:27 +0000 (05:32 +0000)]
bnx2x: Fix waiting for reset complete on BCM848x3 PHYs

BCM848x3 requires additional of 50ms after reset done indication,
instead of fixed time of 200ms

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobnx2x: Restore appropriate delay during BMAC reset
Yaniv Rosner [Mon, 1 Nov 2010 05:32:25 +0000 (05:32 +0000)]
bnx2x: Restore appropriate delay during BMAC reset

Fix delay during BMAC reset from 10usec to 1ms.

Signed-off-by: Yaniv Rosner <yanivr@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agotext ematch: check for NULL pointer before destroying textsearch config
Thomas Graf [Sun, 31 Oct 2010 16:37:38 +0000 (09:37 -0700)]
text ematch: check for NULL pointer before destroying textsearch config

While validating the configuration em_ops is already set, thus the
individual destroy functions are called, but the ematch data has
not been allocated and associated with the ematch yet.

Signed-off-by: Thomas Graf <tgraf@infradead.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoqlcnic: fix panic on load
Eric Dumazet [Sun, 31 Oct 2010 05:50:38 +0000 (05:50 +0000)]
qlcnic: fix panic on load

Its now illegal to call netif_stop_queue() before register_netdev()

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Amit Kumar Salecha <amit.salecha@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agojme: fix panic on load
Eric Dumazet [Sun, 31 Oct 2010 05:46:18 +0000 (05:46 +0000)]
jme: fix panic on load

Its now illegal to call netif_stop_queue() before register_netdev()

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Guo-Fu Tseng <cooldavid@cooldavid.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoisdn: mISDN: socket: fix information leak to userland
Kulikov Vasiliy [Fri, 29 Oct 2010 23:04:33 +0000 (23:04 +0000)]
isdn: mISDN: socket: fix information leak to userland

Structure mISDN_devinfo is copied to userland with the field "name"
that has the last elements unitialized.  It leads to leaking of
contents of kernel stack memory.

Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonetdev: can: Change mail address of Hans J. Koch
Hans J. Koch [Fri, 29 Oct 2010 12:33:57 +0000 (12:33 +0000)]
netdev: can: Change mail address of Hans J. Koch

My old mail address doesn't exist anymore. This changes all occurrences
to my new address.

Signed-off-by: Hans J. Koch <hjk@hansjkoch.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agopcnet_cs: add new_id
Ken Kawasaki [Fri, 29 Oct 2010 12:17:51 +0000 (12:17 +0000)]
pcnet_cs: add new_id

pcnet_cs:
    add new_id: "corega Ether CF-TD" 10Base-T PCMCIA card.

Signed-off-by: Ken Kawasaki <ken_kawasaki@spring.nifty.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet: Truncate recvfrom and sendto length to INT_MAX.
Linus Torvalds [Sat, 30 Oct 2010 23:43:10 +0000 (16:43 -0700)]
net: Truncate recvfrom and sendto length to INT_MAX.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoRDS: Let rds_message_alloc_sgs() return NULL
Andy Grover [Thu, 28 Oct 2010 15:40:59 +0000 (15:40 +0000)]
RDS: Let rds_message_alloc_sgs() return NULL

Even with the previous fix, we still are reading the iovecs once
to determine SGs needed, and then again later on. Preallocating
space for sg lists as part of rds_message seemed like a good idea
but it might be better to not do this. While working to redo that
code, this patch attempts to protect against userspace rewriting
the rds_iovec array between the first and second accesses.

The consequences of this would be either a too-small or too-large
sg list array. Too large is not an issue. This patch changes all
callers of message_alloc_sgs to handle running out of preallocated
sgs, and fail gracefully.

Signed-off-by: Andy Grover <andy.grover@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoRDS: Copy rds_iovecs into kernel memory instead of rereading from userspace
Andy Grover [Thu, 28 Oct 2010 15:40:58 +0000 (15:40 +0000)]
RDS: Copy rds_iovecs into kernel memory instead of rereading from userspace

Change rds_rdma_pages to take a passed-in rds_iovec array instead
of doing copy_from_user itself.

Change rds_cmsg_rdma_args to copy rds_iovec array once only. This
eliminates the possibility of userspace changing it after our
sanity checks.

Implement stack-based storage for small numbers of iovecs, based
on net/socket.c, to save an alloc in the extremely common case.

Although this patch reduces iovec copies in cmsg_rdma_args to 1,
we still do another one in rds_rdma_extra_size. Getting rid of
that one will be trickier, so it'll be a separate patch.

Signed-off-by: Andy Grover <andy.grover@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoRDS: Clean up error handling in rds_cmsg_rdma_args
Andy Grover [Thu, 28 Oct 2010 15:40:57 +0000 (15:40 +0000)]
RDS: Clean up error handling in rds_cmsg_rdma_args

We don't need to set ret = 0 at the end -- it's initialized to 0.

Also, don't increment s_send_rdma stat if we're exiting with an
error.

Signed-off-by: Andy Grover <andy.grover@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoRDS: Return -EINVAL if rds_rdma_pages returns an error
Andy Grover [Thu, 28 Oct 2010 15:40:56 +0000 (15:40 +0000)]
RDS: Return -EINVAL if rds_rdma_pages returns an error

rds_cmsg_rdma_args would still return success even if rds_rdma_pages
returned an error (or overflowed).

Signed-off-by: Andy Grover <andy.grover@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet: fix rds_iovec page count overflow
Linus Torvalds [Thu, 28 Oct 2010 15:40:55 +0000 (15:40 +0000)]
net: fix rds_iovec page count overflow

As reported by Thomas Pollet, the rdma page counting can overflow.  We
get the rdma sizes in 64-bit unsigned entities, but then limit it to
UINT_MAX bytes and shift them down to pages (so with a possible "+1" for
an unaligned address).

So each individual page count fits comfortably in an 'unsigned int' (not
even close to overflowing into signed), but as they are added up, they
might end up resulting in a signed return value. Which would be wrong.

Catch the case of tot_pages turning negative, and return the appropriate
error code.

Reported-by: Thomas Pollet <thomas.pollet@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andy Grover <andy.grover@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocan: pch_can: fix section mismatch warning by using a whitelisted name
Marc Kleine-Budde [Sat, 30 Oct 2010 23:28:16 +0000 (16:28 -0700)]
can: pch_can: fix section mismatch warning by using a whitelisted name

This patch fixes the following section mismatch warning:

WARNING: drivers/net/can/pch_can.o(.data+0x18):
Section mismatch in reference from the variable pch_can_pcidev
to the variable .devinit.rodata:pch_pci_tbl
The variable pch_can_pcidev references
the variable __devinitconst pch_pci_tbl

This is actually a false positive which is fixed by giving the offending
variable a whitelisted name, it's renamed to "pch_can_pci_driver".
This makes sense because the variable is of the type "struct pci_driver".

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocan: pch_can: fix sparse warning
Marc Kleine-Budde [Sat, 30 Oct 2010 23:27:48 +0000 (16:27 -0700)]
can: pch_can: fix sparse warning

This patch fixes the following sparse warning:

drivers/net/can/pch_can.c:231:26: warning: incorrect type in argument 1 (different address spaces)
drivers/net/can/pch_can.c:231:26:    expected unsigned int [usertype] *addr
drivers/net/can/pch_can.c:231:26:    got unsigned int [noderef] <asn:2>*<noident>

Let pch_can_bit_{set,clear} first parameter be a void __iomem pointer.

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonetxen_nic: Fix the tx queue manipulation bug in netxen_nic_probe
Denis Kirjanov [Sat, 30 Oct 2010 23:24:25 +0000 (16:24 -0700)]
netxen_nic: Fix the tx queue manipulation bug in netxen_nic_probe

We should not stop the egress queue during probe because it is wrong.

Signed-off-by: Denis Kirjanov <dkirjanov@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoip_gre: fix fallback tunnel setup
Eric Dumazet [Sat, 30 Oct 2010 23:21:28 +0000 (16:21 -0700)]
ip_gre: fix fallback tunnel setup

Before making the fallback tunnel visible to lookups, we should make
sure it is completely setup, once ipgre_tunnel_init() had been called
and tstats per_cpu pointer allocated.

move rcu_assign_pointer(ign->tunnels_wc[0], tunnel); from
ipgre_fb_tunnel_init() to ipgre_init_net()

Based on a patch from Pavel Emelyanov

Reported-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agovmxnet: trivial annotation of protocol constant
Harvey Harrison [Sat, 30 Oct 2010 23:19:45 +0000 (16:19 -0700)]
vmxnet: trivial annotation of protocol constant

Noticed by sparse:
drivers/net/vmxnet3/vmxnet3_drv.c:876:38: warning: cast from restricted __be16
drivers/net/vmxnet3/vmxnet3_drv.c:876:38: warning: cast from restricted __be16
drivers/net/vmxnet3/vmxnet3_drv.c:876:24: warning: restricted __be16 degrades to integer

Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agovmxnet3: remove unnecessary byteswapping in BAR writing macros
Harvey Harrison [Sat, 30 Oct 2010 23:19:18 +0000 (16:19 -0700)]
vmxnet3: remove unnecessary byteswapping in BAR writing macros

readl/writel swap to little-endian internally.

Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoipv6/udp: report SndbufErrors and RcvbufErrors
Eric Dumazet [Sat, 30 Oct 2010 23:17:23 +0000 (16:17 -0700)]
ipv6/udp: report SndbufErrors and RcvbufErrors

commit a18135eb9389 (Add UDP_MIB_{SND,RCV}BUFERRORS handling.)
forgot to make the necessary changes in net/ipv6/proc.c to report
additional counters in /proc/net/snmp6

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agophy/marvell: rename 88ec048 to 88e1318s and fix mscr1 addr
Cyril Chemparathy [Fri, 29 Oct 2010 20:50:25 +0000 (13:50 -0700)]
phy/marvell: rename 88ec048 to 88e1318s and fix mscr1 addr

The marvell 88ec048's official part number is 88e1318s.  This patch renames
definitions in the driver to reflect this.

In addition, a minor bug fix has been added to write back the MSCR1 register
value properly.

Signed-off-by: Cyril Chemparathy <cyril@ti.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirel...
David S. Miller [Fri, 29 Oct 2010 19:23:15 +0000 (12:23 -0700)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6

14 years agob43: Fix warning at drivers/mmc/core/core.c:237 in mmc_wait_for_cmd
Larry Finger [Thu, 28 Oct 2010 15:43:26 +0000 (10:43 -0500)]
b43: Fix warning at drivers/mmc/core/core.c:237 in mmc_wait_for_cmd

On module removal, the sdio version of b43 generates the following warning:

[  851.560519] ------------[ cut here ]------------
[  851.560531] WARNING: at drivers/mmc/core/core.c:237 mmc_wait_for_cmd+0x88/0x90()
[  851.560534] Hardware name: 20552PG
[  851.560536] Modules linked in: b43(-) ssb mmc_block binfmt_misc rfcomm sco bnep ppdev l2cap ipt_MASQUERADE iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_state nf_conntrack ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp kvm_intel kvm arc4 iwlagn snd_hda_codec_conexant snd_hda_intel snd_hda_codec iwlcore snd_hwdep snd_pcm thinkpad_acpi mac80211 snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq r852 joydev snd_timer sm_common pcmcia nand snd_seq_device cfg80211 sdhci_pci btusb psmouse tpm_tis yenta_socket nand_ids lp snd pcmcia_rsrc nand_ecc bluetooth sdhci tpm pcmcia_core parport mtd snd_page_alloc serio_raw tpm_bios soundcore nvram led_class sha256_generic aes_i586 aes_generic dm_crypt i915 drm_kms_helper drm ahci intel_agp i2c_algo_bit intel_gtt e1000e libahci video agpgart output
[  851.560620] Pid: 2504, comm: rmmod Not tainted 2.6.36-titan0+ #1
[  851.560622] Call Trace:
[  851.560631]  [<c014a102>] warn_slowpath_common+0x72/0xa0
[  851.560636]  [<c04d94c8>] ? mmc_wait_for_cmd+0x88/0x90
[  851.560641]  [<c04d94c8>] ? mmc_wait_for_cmd+0x88/0x90
[  851.560645]  [<c014a152>] warn_slowpath_null+0x22/0x30
[  851.560649]  [<c04d94c8>] mmc_wait_for_cmd+0x88/0x90
[  851.560655]  [<c0401585>] ? device_release+0x25/0x80
[  851.560660]  [<c04df210>] mmc_io_rw_direct_host+0xa0/0x150
[  851.560665]  [<c04df370>] mmc_io_rw_direct+0x30/0x40
[  851.560669]  [<c04e06e7>] sdio_disable_func+0x37/0xa0
[  851.560683]  [<f8dfcb80>] b43_sdio_remove+0x30/0x50 [b43]
[  851.560687]  [<c04df8cc>] sdio_bus_remove+0x1c/0x60
[  851.560692]  [<c016d39f>] ? blocking_notifier_call_chain+0x1f/0x30
[  851.560697]  [<c0404991>] __device_release_driver+0x51/0xb0
[  851.560701]  [<c0404a7f>] driver_detach+0x8f/0xa0
[  851.560705]  [<c0403c83>] bus_remove_driver+0x63/0xa0
[  851.560709]  [<c0405039>] driver_unregister+0x49/0x80
[  851.560713]  [<c0405039>] ? driver_unregister+0x49/0x80
[  851.560718]  [<c04dfad7>] sdio_unregister_driver+0x17/0x20
[  851.560727]  [<f8dfcb42>] b43_sdio_exit+0x12/0x20 [b43]
[  851.560734]  [<f8dfe76f>] b43_exit+0x17/0x3c [b43]
[  851.560740]  [<c017fb8d>] sys_delete_module+0x13d/0x200
[  851.560747]  [<c01fd7d2>] ? do_munmap+0x212/0x300
[  851.560752]  [<c010311f>] sysenter_do_call+0x12/0x28
[  851.560757] ---[ end trace 31e14488072d2f7d ]---
[  851.560759] ------------[ cut here ]------------

The warning is caused by b43 not claiming the device before calling
sdio_disable_func().

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Reported-by: Arnd Hannemann <arnd@arndnet.de>
Tested-by: Arnd Hannemann <arnd@arndnet.de>
Cc: Stable <stable@kernel.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agomac80211: fix failure to check kmalloc return value in key_key_read
Jesper Juhl [Fri, 29 Oct 2010 14:10:26 +0000 (16:10 +0200)]
mac80211: fix failure to check kmalloc return value in key_key_read

I noticed two small issues in mac80211/debugfs_key.c::key_key_read while
reading through the code. Patch below.

The key_key_read() function returns ssize_t and the value that's actually
returned is the return value of simple_read_from_buffer() which also
returns ssize_t, so let's hold the return value in a ssize_t local
variable rather than a int one.

Also, memory is allocated dynamically with kmalloc() which can fail, but
the return value of kmalloc() is not checked, so we may end up operating
on a null pointer further on. So check for a NULL return and bail out with
-ENOMEM in that case.

Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agolibertas: Fix sd8686 firmware reload
Paul Fox [Fri, 29 Oct 2010 13:57:28 +0000 (14:57 +0100)]
libertas: Fix sd8686 firmware reload

For the SD8686, we cannot rely on the scratch register to read the firmware
load status, because the same register is used for storing RX packet length.
Broaden the check to account for this.

The module can now be unloaded/reloaded successfully.

Based on the implementation from libertas_tf.

Signed-off-by: Daniel Drake <dsd@laptop.org>
Acked-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: Steve deRosier <steve@cozybit.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoath9k: Fix incorrect access of rate flags in RC
Mohammed Shafi Shajakhan [Thu, 28 Oct 2010 14:21:47 +0000 (19:51 +0530)]
ath9k: Fix incorrect access of rate flags in RC

The index variable to access the rate flags should be obtained from the
inner loop counter which corresponds to the rate table structure.This
fixes the invalid rate selection i.e when the supported basic rate is
invalid on a particular band and also the following warning message.
Thanks to Raj for finding this out.

Call Trace:

 [<ffffffff8104ee4a>] warn_slowpath_common+0x7a/0xb0

 [<ffffffff8104ee95>] warn_slowpath_null+0x15/0x20

 [<ffffffffa0583c45>] ath_get_rate+0x595/0x5b0 [ath9k]

 [<ffffffff811a0636>] ? cpumask_next_and+0x36/0x50

 [<ffffffffa0405186>] rate_control_get_rate+0x86/0x160 [mac80211]

 [<ffffffffa040dfac>] invoke_tx_handlers+0x81c/0x12d0 [mac80211]

 [<ffffffffa040eae9>] ieee80211_tx+0x89/0x2b0 [mac80211]

 [<ffffffff812891bc>] ? pskb_expand_head+0x1cc/0x1f0

 [<ffffffffa040edc5>] ieee80211_xmit+0xb5/0x1c0 [mac80211]

 [<ffffffffa041026f>] ieee80211_tx_skb+0x4f/0x60 [mac80211]

 [<ffffffffa03fe016>] ieee80211_send_nullfunc+0x46/0x60 [mac80211]

 [<ffffffffa03f91d7>] ieee80211_offchannel_stop_station+0x107/0x150
[mac80211]

 [<ffffffff812891bc>] ? pskb_expand_head+0x1cc/0x1f0

 [<ffffffffa040edc5>] ieee80211_xmit+0xb5/0x1c0 [mac80211]

 [<ffffffffa041026f>] ieee80211_tx_skb+0x4f/0x60 [mac80211]

 [<ffffffffa03fe016>] ieee80211_send_nullfunc+0x46/0x60 [mac80211]

 [<ffffffffa03f91d7>] ieee80211_offchannel_stop_station+0x107/0x150
[mac80211]

 [<ffffffffa03f8896>] ieee80211_scan_work+0x146/0x600 [mac80211]

 [<ffffffff8133a375>] ? schedule+0x2f5/0x8e0

 [<ffffffffa03f8750>] ? ieee80211_scan_work+0x0/0x600 [mac80211]

 [<ffffffff81064fcf>] process_one_work+0x10f/0x380

 [<ffffffff81066bc2>] worker_thread+0x162/0x340

 [<ffffffff81066a60>] ? worker_thread+0x0/0x340

Cc: stable@kernel.org
Signed-off-by: Mohammed Shafi Shajakhan <mshajakhan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agonetfilter: fix nf_conntrack_l4proto_register()
Eric Dumazet [Fri, 29 Oct 2010 17:59:40 +0000 (19:59 +0200)]
netfilter: fix nf_conntrack_l4proto_register()

While doing __rcu annotations work on net/netfilter I found following
bug. On some arches, it is possible we publish a table while its content
is not yet committed to memory, and lockless reader can dereference wild
pointer.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
14 years agonetfilter: nf_nat: fix compiler warning with CONFIG_NF_CT_NETLINK=n
Patrick McHardy [Fri, 29 Oct 2010 14:28:07 +0000 (16:28 +0200)]
netfilter: nf_nat: fix compiler warning with CONFIG_NF_CT_NETLINK=n

net/ipv4/netfilter/nf_nat_core.c:52: warning: 'nf_nat_proto_find_get' defined but not used
net/ipv4/netfilter/nf_nat_core.c:66: warning: 'nf_nat_proto_put' defined but not used

Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
14 years agonetfilter: xt_socket: Make tproto signed in socket_mt6_v1().
David S. Miller [Thu, 28 Oct 2010 19:59:53 +0000 (12:59 -0700)]
netfilter: xt_socket: Make tproto signed in socket_mt6_v1().

Otherwise error indications from ipv6_find_hdr() won't be noticed.

This required making the protocol argument to extract_icmp6_fields()
signed too.

Reported-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agostmmac: enable/disable rx/tx in the core with a single write.
avisconti [Mon, 25 Oct 2010 18:58:14 +0000 (18:58 +0000)]
stmmac: enable/disable rx/tx in the core with a single write.

This patch enables and disables the rx and tx bits in the MAC control reg
by using a single write operation.
This also solves a possible problem (spotted on SPEAr platforms) at 10Mbps
where two consecutive writes to a MAC control register can take more than
4 phy_clk cycles.

Signed-off-by: Armando Visconti <armando.visconti@st.com>
Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet: atarilance - flags should be unsigned long
Geert Uytterhoeven [Thu, 28 Oct 2010 18:34:58 +0000 (11:34 -0700)]
net: atarilance - flags should be unsigned long

drivers/net/atarilance.c: In function ‘addr_accessible’:
drivers/net/atarilance.c:413: warning: comparison of distinct pointer types lacks a cast
drivers/net/atarilance.c:450: warning: comparison of distinct pointer types lacks a cast

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonetxen: fix kdump
Rajesh Borundia [Tue, 26 Oct 2010 22:51:50 +0000 (22:51 +0000)]
netxen: fix kdump

Reset the whole hw instead of freeing hw resources
consumed by each pci function.

Signed-off-by: Rajesh Borundia <rajesh.borundia@qlogic.com>
Signed-off-by: Amit Kumar Salecha <amit.salecha@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agopktgen: Limit how much data we copy onto the stack.
Nelson Elhage [Thu, 28 Oct 2010 18:31:07 +0000 (11:31 -0700)]
pktgen: Limit how much data we copy onto the stack.

A program that accidentally writes too much data to the pktgen file can overflow
the kernel stack and oops the machine. This is only triggerable by root, so
there's no security issue, but it's still an unfortunate bug.

printk() won't print more than 1024 bytes in a single call, anyways, so let's
just never copy more than that much data. We're on a fairly shallow stack, so
that should be safe even with CONFIG_4KSTACKS.

Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet: Limit socket I/O iovec total length to INT_MAX.
David S. Miller [Thu, 28 Oct 2010 18:41:55 +0000 (11:41 -0700)]
net: Limit socket I/O iovec total length to INT_MAX.

This helps protect us from overflow issues down in the
individual protocol sendmsg/recvmsg handlers.  Once
we hit INT_MAX we truncate out the rest of the iovec
by setting the iov_len members to zero.

This works because:

1) For SOCK_STREAM and SOCK_SEQPACKET sockets, partial
   writes are allowed and the application will just continue
   with another write to send the rest of the data.

2) For datagram oriented sockets, where there must be a
   one-to-one correspondance between write() calls and
   packets on the wire, INT_MAX is going to be far larger
   than the packet size limit the protocol is going to
   check for and signal with -EMSGSIZE.

Based upon a patch by Linus Torvalds.

Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoUSB: gadget: fix ethernet gadget crash in gether_setup
Dmitry Artamonow [Thu, 28 Oct 2010 17:31:58 +0000 (10:31 -0700)]
USB: gadget: fix ethernet gadget crash in gether_setup

Crash is triggered by commit e6484930d7 ("net: allocate tx queues in
register_netdevice"), which moved tx netqueue creation into register_netdev.
So now calling netif_stop_queue() before register_netdev causes an oops.
Move netif_stop_queue() after net device registration to fix crash.

Signed-off-by: Dmitry Artamonow <mad_soft@inbox.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agofib: Fix fib zone and its hash leak on namespace stop
Pavel Emelyanov [Thu, 28 Oct 2010 02:00:43 +0000 (02:00 +0000)]
fib: Fix fib zone and its hash leak on namespace stop

When we stop a namespace we flush the table and free one, but the
added fn_zone-s (and their hashes if grown) are leaked. Need to free.
Tries releases all its stuff in the flushing code.

Shame on us - this bug exists since the very first make-fib-per-net
patches in 2.6.27 :(

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocxgb3: Fix panic in free_tx_desc()
Krishna Kumar [Wed, 27 Oct 2010 19:10:31 +0000 (19:10 +0000)]
cxgb3: Fix panic in free_tx_desc()

I got a few of these panics (on 2.6.36-rc7) when running high
number of netperf sessions:

BUG: unable to handle kernel paging request at 0000100000000000
IP: [<ffffffff813125f0>] skb_release_data+0xa0/0xd0
Oops: 0000 [#1] SMP
Pid: 2155, comm: vhost-2115 Not tainted 2.6.36-rc7-ORG #1 49Y6512     /System x3650 M2 -[7947AC1]-
RIP: 0010:[<ffffffff813125f0>]  [<ffffffff813125f0>] skb_release_data+0xa0/0xd0
RSP: 0018:ffff880001803738  EFLAGS: 00010206
RAX: ffff880179b0fc00 RBX: ffff880178b441c0 RCX: 0000000000000000
RSP: 0018:ffff880001803738  EFLAGS: 00010206
RAX: ffff880179b0fc00 RBX: ffff880178b441c0 RCX: 0000000000000000
RDX: ffff880179b0fd40 RSI: 0000000000000000 RDI: 0000100000000000
RBP: ffff880001803748 R08: 0000000000000001 R09: ffff88017f117000
R10: ffff88017b990608 R11: ffff88017f117090 R12: ffff880178b441c0
R13: ffff88017f117090 R14: 0000000000000000 R15: ffff880178b441c0
FS:  0000000000000000(0000) GS:ffff880001800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000100000000000 CR3: 000000017ea64000 CR4: 00000000000026e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process vhost-2115 (pid: 2155, threadinfo ffff88017d872000, task ffff88017e954680)
Stack:
ffff880178b441c0 0000000000000007 ffff880001803768 ffffffff81312119
<0> 0000000000000000 0000000000000002 ffff880001803778 ffffffff813121f9
<0> ffff880001803818 ffffffffa012d14c ffffffffa02de076 ffff880001803700
Call Trace:
<IRQ>
[<ffffffff81312119>] __kfree_skb+0x19/0xa0
[<ffffffff813121f9>] kfree_skb+0x19/0x40
[<ffffffffa012d14c>] free_tx_desc+0x2fc/0x350 [cxgb3]
[<ffffffffa02de076>] ? vhost_poll_wakeup+0x16/0x20 [vhost_net]
[<ffffffffa01323db>] t3_eth_xmit+0x28b/0x380 [cxgb3]
[<ffffffff8131ce47>] dev_hard_start_xmit+0x377/0x5a0
[<ffffffff81335a4a>] sch_direct_xmit+0xfa/0x1d0
[<ffffffff8131d1a9>] dev_queue_xmit+0x139/0x450
[<ffffffff81326225>] neigh_resolve_output+0x125/0x340
[<ffffffff8135a77c>] ip_finish_output+0x14c/0x320
[<ffffffff8135a9fe>] ip_output+0xae/0xc0
[<ffffffff8135620f>] ip_forward_finish+0x3f/0x50
[<ffffffff8135641f>] ip_forward+0x1ff/0x400
[<ffffffff81354789>] ip_rcv_finish+0x119/0x3e0
[<ffffffff81354c7d>] ip_rcv+0x22d/0x300
[<ffffffff8131a95b>] __netif_receive_skb+0x29b/0x570
[<ffffffff8131ba70>] ? netif_receive_skb+0x0/0x80
[<ffffffff8131bae8>] netif_receive_skb+0x78/0x80
[<ffffffffa02a96d8>] br_handle_frame_finish+0x198/0x260 [bridge]
[<ffffffffa02aebc8>] br_nf_pre_routing_finish+0x238/0x380 [bridge]
[<ffffffff813424bc>] ? nf_hook_slow+0x6c/0x100
[<ffffffffa02ae990>] ? br_nf_pre_routing_finish+0x0/0x380 [bridge]
[<ffffffffa02afb08>] br_nf_pre_routing+0x698/0x7a0 [bridge]
[<ffffffff81342414>] nf_iterate+0x64/0xa0
[<ffffffffa02a9540>] ? br_handle_frame_finish+0x0/0x260 [bridge]
[<ffffffff813424bc>] nf_hook_slow+0x6c/0x100
[<ffffffffa02a9540>] ? br_handle_frame_finish+0x0/0x260 [bridge]
[<ffffffffa02a9931>] br_handle_frame+0x191/0x240 [bridge]
[<ffffffffa02a97a0>] ? br_handle_frame+0x0/0x240 [bridge]
[<ffffffff8131a863>] __netif_receive_skb+0x1a3/0x570
[<ffffffff812ef3f6>] ? dma_issue_pending_all+0x76/0xa0
[<ffffffff8131ad32>] process_backlog+0x102/0x200
[<ffffffff8131c2d0>] net_rx_action+0x100/0x220
[<ffffffff810548ef>] __do_softirq+0xaf/0x140
[<ffffffff8100bcdc>] call_softirq+0x1c/0x30
[<ffffffff8100dfc5>] ? do_softirq+0x65/0xa0
[<ffffffff8131c6b8>] netif_rx_ni+0x28/0x30
[<ffffffffa02c305d>] tun_sendmsg+0x2cd/0x4b0 [tun]
[<ffffffffa02e01af>] handle_tx+0x1df/0x340 [vhost_net]
[<ffffffffa02e0340>] handle_tx_kick+0x10/0x20 [vhost_net]
[<ffffffffa02de29b>] vhost_worker+0xbb/0x130 [vhost_net]
[<ffffffffa02de1e0>] ? vhost_worker+0x0/0x130 [vhost_net]
[<ffffffffa02de1e0>] ? vhost_worker+0x0/0x130 [vhost_net]
[<ffffffff81069686>] kthread+0x96/0xa0
[<ffffffff8100bbe4>] kernel_thread_helper+0x4/0x10
[<ffffffff810695f0>] ? kthread+0x0/0xa0
[<ffffffff8100bbe0>] ? kernel_thread_helper+0x0/0x10
Code: 8b 94 24 d0 00 00 00 49 8b 84 24 d8 00 00 00 48 8d 14 10 0f b7 0a 39 d9 7f d1 48 8b 7a 10 48 85 ff 74 20 48 c7 42 10 00 00 00 00 <48> 8b 1f e8 e8 fb ff ff 48 85 db 48 89 df 75 f0 49 8b 84 24 d8

Patch below fixes the panic. cxgb4 and cxgb4vf already have this fix.

Signed-off-by: Krishna Kumar <krkumar2@in.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocxgb3: fix crash due to manipulating queues before registration
Nishanth Aravamudan [Wed, 27 Oct 2010 19:06:30 +0000 (19:06 +0000)]
cxgb3: fix crash due to manipulating queues before registration

Along the same lines as "cxgb4: fix crash due to manipulating queues
before registration" (8f6d9f40476895571df039b6f1f5230ec7faebad), before
commit "net: allocate tx queues in register_netdevice"
netif_tx_stop_all_queues and related functions could be used between
device allocation and registration but now only after registration.
cxgb4 has such a call before registration and crashes now.  Move it
after register_netdev.

Signed-off-by: Nishanth Aravamudan <nacc@us.ibm.com>
Cc: eric.dumazet@gmail.com
Cc: sonnyrao@us.ibm.com
Cc: Divy Le Ray <divy@chelsio.com>
Cc: Dimitris Michailidis <dm@chelsio.com>
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Tested-by: Nishanth Aravamudan <nacc@us.ibm.com>
Acked-by: Divy Le Ray <divy@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years ago8390: Don't oops on starting dev queue
Pavel Emelyanov [Wed, 27 Oct 2010 23:01:02 +0000 (23:01 +0000)]
8390: Don't oops on starting dev queue

The __NS8390_init tries to start the device queue before the
device is registered. This results in an oops (snipped):

[    2.865493] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[    2.866106] IP: [<ffffffffa000602a>] netif_start_queue+0xb/0x12 [8390]
[    2.881267] Call Trace:
[    2.881437]  [<ffffffffa000624d>] __NS8390_init+0x102/0x15a [8390]
[    2.881999]  [<ffffffffa00062ae>] NS8390_init+0x9/0xb [8390]
[    2.882237]  [<ffffffffa000d820>] ne2k_pci_init_one+0x297/0x354 [ne2k_pci]
[    2.882955]  [<ffffffff811c7a0e>] local_pci_probe+0x12/0x16
[    2.883308]  [<ffffffff811c85ad>] pci_device_probe+0xc3/0xef
[    2.884049]  [<ffffffff8129218d>] driver_probe_device+0xbe/0x14b
[    2.884937]  [<ffffffff81292260>] __driver_attach+0x46/0x62
[    2.885170]  [<ffffffff81291788>] bus_for_each_dev+0x49/0x78
[    2.885781]  [<ffffffff81291fbb>] driver_attach+0x1c/0x1e
[    2.886089]  [<ffffffff812912ab>] bus_add_driver+0xba/0x227
[    2.886330]  [<ffffffff8129259a>] driver_register+0x9e/0x115
[    2.886933]  [<ffffffff811c8815>] __pci_register_driver+0x50/0xac
[    2.887785]  [<ffffffffa001102c>] ne2k_pci_init+0x2c/0x2e [ne2k_pci]
[    2.888093]  [<ffffffff81000212>] do_one_initcall+0x7c/0x130
[    2.888693]  [<ffffffff8106d74f>] sys_init_module+0x99/0x1da
[    2.888946]  [<ffffffff81002a2b>] system_call_fastpath+0x16/0x1b

This happens because the netif_start_queue sets respective bit on the dev->_tx
array which is not yet allocated.

As far as I understand the code removing the netif_start_queue from __NS8390_init
is OK, since queue will be started later on device open. Plz, correct me if I'm wrong.

Found in the Dave's current tree, so he's in Cc.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agodccp ccid-2: Stop polling
Gerrit Renker [Wed, 27 Oct 2010 19:16:28 +0000 (19:16 +0000)]
dccp ccid-2: Stop polling

This updates CCID-2 to use the CCID dequeuing mechanism, converting from
previous continuous-polling to a now event-driven mechanism.

Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agodccp: Refine the wait-for-ccid mechanism
Gerrit Renker [Wed, 27 Oct 2010 19:16:27 +0000 (19:16 +0000)]
dccp: Refine the wait-for-ccid mechanism

This extends the existing wait-for-ccid routine so that it may be used with
different types of CCID, addressing the following problems:

 1) The queue-drain mechanism only works with rate-based CCIDs. If CCID-2 for
    example has a full TX queue and becomes network-limited just as the
    application wants to close, then waiting for CCID-2 to become unblocked
    could lead to an indefinite  delay (i.e., application "hangs").
 2) Since each TX CCID in turn uses a feedback mechanism, there may be changes
    in its sending policy while the queue is being drained. This can lead to
    further delays during which the application will not be able to terminate.
 3) The minimum wait time for CCID-3/4 can be expected to be the queue length
    times the current inter-packet delay. For example if tx_qlen=100 and a delay
    of 15 ms is used for each packet, then the application would have to wait
    for a minimum of 1.5 seconds before being allowed to exit.
 4) There is no way for the user/application to control this behaviour. It would
    be good to use the timeout argument of dccp_close() as an upper bound. Then
    the maximum time that an application is willing to wait for its CCIDs to can
    be set via the SO_LINGER option.

These problems are addressed by giving the CCID a grace period of up to the
`timeout' value.

The wait-for-ccid function is, as before, used when the application
 (a) has read all the data in its receive buffer and
 (b) if SO_LINGER was set with a non-zero linger time, or
 (c) the socket is either in the OPEN (active close) or in the PASSIVE_CLOSEREQ
     state (client application closes after receiving CloseReq).

In addition, there is a catch-all case of __skb_queue_purge() after waiting for
the CCID. This is necessary since the write queue may still have data when
 (a) the host has been passively-closed,
 (b) abnormal termination (unread data, zero linger time),
 (c) wait-for-ccid could not finish within the given time limit.

Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agodccp: Extend CCID packet dequeueing interface
Gerrit Renker [Wed, 27 Oct 2010 19:16:26 +0000 (19:16 +0000)]
dccp: Extend CCID packet dequeueing interface

This extends the packet dequeuing interface of dccp_write_xmit() to allow
 1. CCIDs to take care of timing when the next packet may be sent;
 2. delayed sending (as before, with an inter-packet gap up to 65.535 seconds).

The main purpose is to take CCID-2 out of its polling mode (when it is network-
limited, it tries every millisecond to send, without interruption).

The mode of operation for (2) is as follows:
 * new packet is enqueued via dccp_sendmsg() => dccp_write_xmit(),
 * ccid_hc_tx_send_packet() detects that it may not send (e.g. window full),
 * it signals this condition via `CCID_PACKET_WILL_DEQUEUE_LATER',
 * dccp_write_xmit() returns without further action;
 * after some time the wait-condition for CCID becomes true,
 * that CCID schedules the tasklet,
 * tasklet function calls ccid_hc_tx_send_packet() via dccp_write_xmit(),
 * since the wait-condition is now true, ccid_hc_tx_packet() returns "send now",
 * packet is sent, and possibly more (since dccp_write_xmit() loops).

Code reuse: the taskled function calls dccp_write_xmit(), the timer function
            reduces to a wrapper around the same code.

Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agodccp: Return-value convention of hc_tx_send_packet()
Gerrit Renker [Wed, 27 Oct 2010 19:16:25 +0000 (19:16 +0000)]
dccp: Return-value convention of hc_tx_send_packet()

This patch reorganises the return value convention of the CCID TX sending
function, to permit more flexible schemes, as required by subsequent patches.

Currently the convention is
 * values < 0     mean error,
 * a value == 0   means "send now", and
 * a value x > 0  means "send in x milliseconds".

The patch provides symbolic constants and a function to interpret return values.

In addition, it caps the maximum positive return value to 0xFFFF milliseconds,
corresponding to 65.535 seconds.  This is possible since in CCID-3/4 the
maximum possible inter-packet gap is fixed at t_mbi = 64 sec.

Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoigbvf: fix panic on load
Emil Tantilov [Thu, 28 Oct 2010 00:59:51 +0000 (00:59 +0000)]
igbvf: fix panic on load

Introduced by commit:e6484930d7c73d324bccda7d43d131088da697b9
net: allocate tx queues in register_netdevice

Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
Acked-by: Greg Rose <greg.v.rose@intel.com>
Tested-by: Jeff Pieper <jeffrey.e.pieper@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>