Dmitry Popov [Thu, 29 Jul 2010 01:59:36 +0000 (01:59 +0000)]
tcp: cookie transactions setsockopt memory leak
There is a bug in do_tcp_setsockopt(net/ipv4/tcp.c),
TCP_COOKIE_TRANSACTIONS case.
In some cases (when tp->cookie_values == NULL) new tcp_cookie_values
structure can be allocated (at cvp), but not bound to
tp->cookie_values. So a memory leak occurs.
Signed-off-by: Dmitry Popov <dp@highloadlab.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
stephen hemminger [Tue, 27 Jul 2010 08:26:30 +0000 (08:26 +0000)]
bridge: add rcu_read_lock on transmit
Long ago, when bridge was converted to RCU, rcu lock was equivalent
to having preempt disabled. RCU has changed a lot since then and
bridge code was still assuming the since transmit was called with
bottom half disabled, it was RCU safe.
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Tested-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bruce Allan [Tue, 27 Jul 2010 12:28:46 +0000 (12:28 +0000)]
e1000e: 82577/82578 PHY register access issues
The MAC-PHY interconnect on 82577/82578 uses a power management feature
(called K1) which must be disabled when in 1Gbps due to a hardware issue on
these parts. The #define bit setting used to enable/disable K1 is
incorrect and can cause PHY register accesses to stop working altogether
until the next device reset. This patch sets the register correctly.
This issue is present in kernels since 2.6.32.
CC: stable@kernel.org
Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Tested-by: Jeff Pieper <jeffrey.e.pieper@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Breno Leitao [Mon, 26 Jul 2010 22:37:30 +0000 (15:37 -0700)]
s2io: fixing DBG_PRINT() macro
Patch
9e39f7c5b311a306977c5471f9e2ce4c456aa038 changed the
DBG_PRINT() macro and the if clause was wrongly changed. It means
that currently all the DBG_PRINT are being printed, flooding the
kernel log buffer with things like:
s2io: eth6: Next block at:
c0000000b9c90000
s2io: eth6: In Neterion Tx routine
Signed-off-by: Breno Leitao <leitao@linux.vnet.ibm.com>
Acked-by: Sreenivasa Honnur <Sreenivasa.Honnur@neterion.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Mon, 26 Jul 2010 20:26:09 +0000 (13:26 -0700)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6
Ming Lei [Fri, 14 May 2010 13:15:38 +0000 (21:15 +0800)]
ath9k: fix dma direction for map/unmap in ath_rx_tasklet
For edma, we should use DMA_BIDIRECTIONAL, or else use
DMA_FROM_DEVICE.
This is found to address "BUG at arch/x86/mm/physaddr.c:5"
as described here:
http://lkml.org/lkml/2010/7/14/21
Signed-off-by: Ming Lei <tom.leiming@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Ben Greear [Thu, 22 Jul 2010 09:54:47 +0000 (09:54 +0000)]
net: dev_forward_skb should call nf_reset
With conn-track zones and probably with different network
namespaces, the netfilter logic needs to be re-calculated
on packet receive. If the netfilter logic is not reset,
it will not be recalculated properly. This patch adds
the nf_reset logic to dev_forward_skb.
Signed-off-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
stephen hemminger [Thu, 22 Jul 2010 18:45:04 +0000 (18:45 +0000)]
net sched: fix race in mirred device removal
This fixes hang when target device of mirred packet classifier
action is removed.
If a mirror or redirection action is configured to cause packets
to go to another device, the classifier holds a ref count, but was assuming
the adminstrator cleaned up all redirections before removing. The fix
is to add a notifier and cleanup during unregister.
The new list is implicitly protected by RTNL mutex because
it is held during filter add/delete as well as notifier.
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Acked-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Sun, 25 Jul 2010 03:51:45 +0000 (20:51 -0700)]
Merge branch 'wimax-2.6.35.y' of git://git./linux/kernel/git/inaky/wimax
Michael S. Tsirkin [Wed, 21 Jul 2010 04:32:45 +0000 (04:32 +0000)]
tun: avoid BUG, dump packet on GSO errors
There are still some LRO cards that cause GSO errors in tun,
and BUG on this is an unfriendly way to tell the admin
to disable LRO.
Further, experience shows we might have more GSO bugs lurking.
See https://bugzilla.kernel.org/show_bug.cgi?id=16413
as a recent example.
dumping a packet will make it easier to figure it out.
Replace BUG with warning+dump+drop the packet to make
GSO errors in tun less critical and easier to debug.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Tested-by: Alex Unigovsky <unik@compot.ru>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Greg Edwards [Fri, 23 Jul 2010 10:02:04 +0000 (10:02 +0000)]
bonding: set device in RLB ARP packet handler
After:
commit
6146b1a4da98377e4abddc91ba5856bef8f23f1e
Author: Jay Vosburgh <fubar@us.ibm.com>
Date: Tue Nov 4 17:51:15 2008 -0800
bonding: Fix ALB mode to balance traffic on VLANs
the dev field in the RLB ARP packet handler was set to NULL to wildcard
and accommodate balancing VLANs on top of bonds.
This has the side-effect of the packet handler being called against
other, non RLB-enabled bonds, and a kernel oops results when it tries to
dereference rx_hashtbl in rlb_update_entry_from_arp(), which won't be
set for those bonds, e.g. active-backup.
With the __netif_receive_skb() changes from:
commit
1f3c8804acba841b5573b953f5560d2683d2db0d
Author: Andy Gospodarek <andy@greyhouse.net>
Date: Mon Dec 14 10:48:58 2009 +0000
bonding: allow arp_ip_targets on separate vlans to use arp validation
frames received on VLANs correctly make their way to the bond's handler,
so we no longer need to wildcard the device.
The oops can be reproduced by:
modprobe bonding
echo active-backup > /sys/class/net/bond0/bonding/mode
echo 100 > /sys/class/net/bond0/bonding/miimon
ifconfig bond0 xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx
echo +eth0 > /sys/class/net/bond0/bonding/slaves
echo +eth1 > /sys/class/net/bond0/bonding/slaves
echo +bond1 > /sys/class/net/bonding_masters
echo balance-alb > /sys/class/net/bond1/bonding/mode
echo 100 > /sys/class/net/bond1/bonding/miimon
ifconfig bond1 xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx
echo +eth2 > /sys/class/net/bond1/bonding/slaves
echo +eth3 > /sys/class/net/bond1/bonding/slaves
Pass some traffic on bond0. Boom.
[ Tested, behaves as advertised. I do not believe a test of the bonding
mode is necessary, as there is no race between the packet handler and
the bonding mode changing (the mode can only change when the device is
closed). Also updated the log message to include the reproduction and
full commit ids. -J ]
Signed-off-by: Greg Edwards <greg.edwards@hp.com>
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Acked-by: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Alexey Shvetsov [Thu, 22 Jul 2010 20:35:16 +0000 (00:35 +0400)]
wimax/i2400m: Add PID & VID for Intel WiMAX 6250
This version of intel wimax device was found in my IBM ThinkPad x201
Signed-off-by: Alexey Shvetsov <alexxy@gentoo.org>
Brian Haley [Tue, 20 Jul 2010 10:34:30 +0000 (10:34 +0000)]
ipv6: Don't add routes to ipv6 disabled interfaces.
If the interface has IPv6 disabled, don't add a multicast or
link-local route since we won't be adding a link-local address.
Reported-by: Mahesh Kelkar <maheshkelkar@gmail.com>
Signed-off-by: Brian Haley <brian.haley@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Thu, 22 Jul 2010 20:27:09 +0000 (13:27 -0700)]
net: Fix skb_copy_expand() handling of ->csum_start
It should only be adjusted if ip_summed == CHECKSUM_PARTIAL.
Signed-off-by: David S. Miller <davem@davemloft.net>
Andrea Shepard [Thu, 22 Jul 2010 09:12:35 +0000 (09:12 +0000)]
net: Fix corruption of skb csum field in pskb_expand_head() of net/core/skbuff.c
Make pskb_expand_head() check ip_summed to make sure csum_start is really
csum_start and not csum before adjusting it.
This fixes a bug I encountered using a Sun Quad-Fast Ethernet card and VLANs.
On my configuration, the sunhme driver produces skbs with differing amounts
of headroom on receive depending on the packet size. See line 2030 of
drivers/net/sunhme.c; packets smaller than RX_COPY_THRESHOLD have 52 bytes
of headroom but packets larger than that cutoff have only 20 bytes.
When these packets reach the VLAN driver, vlan_check_reorder_header()
calls skb_cow(), which, if the packet has less than NET_SKB_PAD (== 32) bytes
of headroom, uses pskb_expand_head() to make more.
Then, pskb_expand_head() needs to adjust a lot of offsets into the skb,
including csum_start. Since csum_start is a union with csum, if the packet
has a valid csum value this will corrupt it, which was the effect I observed.
The sunhme hardware computes receive checksums, so the skbs would be created
by the driver with ip_summed == CHECKSUM_COMPLETE and a valid csum field, and
then pskb_expand_head() would corrupt the csum field, leading to an "hw csum
error" message later on, for example in icmp_rcv() for pings larger than the
sunhme RX_COPY_THRESHOLD.
On the basis of the comment at the beginning of include/linux/skbuff.h,
I believe that the csum_start skb field is only meaningful if ip_csummed is
CSUM_PARTIAL, so this patch makes pskb_expand_head() adjust it only in that
case to avoid corrupting a valid csum value.
Please see my more in-depth disucssion of tracking down this bug for
more details if you like:
http://puellavulnerata.livejournal.com/112186.html
http://puellavulnerata.livejournal.com/112567.html
http://puellavulnerata.livejournal.com/112891.html
http://puellavulnerata.livejournal.com/113096.html
http://puellavulnerata.livejournal.com/113591.html
I am not subscribed to this list, so please CC me on replies.
Signed-off-by: Andrea Shepard <andrea@persephoneslair.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Herbert Xu [Wed, 21 Jul 2010 21:44:31 +0000 (21:44 +0000)]
macvtap: Limit packet queue length
Mark Wagner reported OOM symptoms when sending UDP traffic over
a macvtap link to a kvm receiver.
This appears to be caused by the fact that macvtap packet queues
are unlimited in length. This means that if the receiver can't
keep up with the rate of flow, then we will hit OOM. Of course
it gets worse if the OOM killer then decides to kill the receiver.
This patch imposes a cap on the packet queue length, in the same
way as the tuntap driver, using the device TX queue length.
Please note that macvtap currently has no way of giving congestion
notification, that means the software device TX queue cannot be
used and packets will always be dropped once the macvtap driver
queue fills up.
This shouldn't be a great problem for the scenario where macvtap
is used to feed a kvm receiver, as the traffic is most likely
external in origin so congestion notification can't be applied
anyway.
Of course, if anybody decides to complain about guest-to-guest
UDP packet loss down the track, then we may have to revisit this.
Incidentally, this patch also fixes a real memory leak when
macvtap_get_queue fails.
Chris Wright noticed that for this patch to work, we need a
non-zero TX queue length. This patch includes his work to change
the default macvtap TX queue length to 500.
Reported-by: Mark Wagner <mwagner@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Chris Wright <chrisw@sous-sol.org>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andy Gospodarek [Wed, 21 Jul 2010 06:40:31 +0000 (06:40 +0000)]
ixgbe/igb: catch invalid VF settings
Some ixgbe cards put an invalid VF device ID in the PCIe SR-IOV
capability. The ixgbe driver is only valid for PFs or non SR-IOV
hardware. It seems that the same problem could occur on igb hardware as
well, so if we discover we are trying to initialize a VF in ixbge_probe
or igb_probe, print an error and exit.
Based on a patch for ixgbe from Chris Wright <chrisw@sous-sol.org>.
Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
Cc: Chris Wright <chrisw@sous-sol.org>
Acked-by: Chris Wright <chrisw@sous-sol.org>
Acked-by: Greg Rose <gregory.v.rose@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vladislav Zolotarov [Wed, 21 Jul 2010 05:59:17 +0000 (05:59 +0000)]
bnx2x: Advance a module version
Advance a module version to 1.52.53-2.
Signed-off-by: Vladislav Zolotarov <vladz@broadcom.com>
Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vladislav Zolotarov [Wed, 21 Jul 2010 05:59:14 +0000 (05:59 +0000)]
bnx2x: Protect statistics ramrod and sequence number
Bug fix: Protect statistics ramrod sending code and a statistics counter update
with a spinlock. Otherwise there was a race condition that would allow sending
a statistics ramrods with the same sequence number or with sequence numbers not
in a natural order, which would cause a FW assert.
Signed-off-by: Vladislav Zolotarov <vladz@broadcom.com>
Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vladislav Zolotarov [Wed, 21 Jul 2010 05:59:01 +0000 (05:59 +0000)]
bnx2x: Protect a SM state change
Bug fix: Protect the statistics state machine state update with a
spinlock. Otherwise there was a race condition that would cause the
statistics to stay enabled despite the fact that they were disabled in
the LINK_DOWN event handler.
Signed-off-by: Vladislav Zolotarov <vladz@broadcom.com>
Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
John W. Linville [Mon, 19 Jul 2010 15:52:59 +0000 (11:52 -0400)]
wireless: use netif_rx_ni in ieee80211_send_layer2_update
These synthetic frames are all triggered from userland requests in
process context.
https://bugzilla.kernel.org/show_bug.cgi?id=16412
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Herbert Xu [Mon, 19 Jul 2010 19:26:45 +0000 (19:26 +0000)]
bridge: Partially disable netpoll support
The new netpoll code in bridging contains use-after-free bugs
that are non-trivial to fix.
This patch fixes this by removing the code that uses skbs after
they're freed.
As a consequence, this means that we can no longer call bridge
from the netpoll path, so this patch also removes the controller
function in order to disable netpoll.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Thanks,
Signed-off-by: David S. Miller <davem@davemloft.net>
Ilpo Järvinen [Mon, 19 Jul 2010 01:16:18 +0000 (01:16 +0000)]
tcp: fix crash in tcp_xmit_retransmit_queue
It can happen that there are no packets in queue while calling
tcp_xmit_retransmit_queue(). tcp_write_queue_head() then returns
NULL and that gets deref'ed to get sacked into a local var.
There is no work to do if no packets are outstanding so we just
exit early.
This oops was introduced by
08ebd1721ab8fd (tcp: remove tp->lost_out
guard to make joining diff nicer).
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Reported-by: Lennart Schulte <lennart.schulte@nets.rwth-aachen.de>
Tested-by: Lennart Schulte <lennart.schulte@nets.rwth-aachen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Mon, 19 Jul 2010 19:38:51 +0000 (12:38 -0700)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6
Arnaud Ebalard [Fri, 16 Jul 2010 00:38:44 +0000 (00:38 +0000)]
IPv6: fix CoA check in RH2 input handler (mip6_rthdr_input())
The input handler for Type 2 Routing Header (mip6_rthdr_input())
checks if the CoA in the packet matches the CoA in the XFRM state.
Current check is buggy: it compares the adddress in the Type 2
Routing Header, i.e. the HoA, against the expected CoA in the state.
The comparison should be made against the address in the destination
field of the IPv6 header.
The bug remained unnoticed because the main (and possibly only current)
user of the code (UMIP MIPv6 Daemon) initializes the XFRM state with the
unspecified address, i.e. explicitly allows everything.
Yoshifuji-san, can you ack that one?
Signed-off-by: Arnaud Ebalard <arno@natisbad.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Robert Jennings [Fri, 16 Jul 2010 04:57:25 +0000 (04:57 +0000)]
ibmveth: lost IRQ while closing/opening device leads to service loss
The order of freeing the IRQ and freeing the device in firmware
in ibmveth_close can cause the adapter to become unusable after a
subsequent ibmveth_open. Only a reboot of the OS will make the
network device usable again. This is seen when cycling the adapter
up and down while there is network activity.
There is a window where an IRQ will be left unserviced (H_EOI will not
be called). The solution is to make a VIO_IRQ_DISABLE h_call, free the
device with firmware, and then call free_irq.
Signed-off-by: Robert Jennings <rcj@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Fri, 16 Jul 2010 19:41:44 +0000 (12:41 -0700)]
Merge branch 'vhost-net' of git://git./linux/kernel/git/mst/vhost
Stephen Boyd [Fri, 16 Jul 2010 16:50:10 +0000 (09:50 -0700)]
rt2x00: Fix lockdep warning in rt2x00lib_probe_dev()
The rt2x00dev->intf_work workqueue is never initialized when a driver is
probed for a non-existent device (in this case rt2500usb). On such a
path we call rt2x00lib_remove_dev() to free any resources initialized
during the probe before we use INIT_WORK to initialize the workqueue.
This causes lockdep to get confused since the lock used in the workqueue
hasn't been initialized yet but is now being acquired during
cancel_work_sync() called by rt2x00lib_remove_dev().
Fix this by initializing the workqueue first before we attempt to probe
the device. This should make lockdep happy and avoid breaking any
assumptions about how the library cleans up after a probe fails.
phy0 -> rt2x00lib_probe_dev: Error - Failed to allocate device.
INFO: trying to register non-static key.
the code is fine but needs lockdep annotation.
turning off the locking correctness validator.
Pid: 2027, comm: modprobe Not tainted 2.6.35-rc5+ #60
Call Trace:
[<
ffffffff8105fe59>] register_lock_class+0x152/0x31f
[<
ffffffff81344a00>] ? usb_control_msg+0xd5/0x111
[<
ffffffff81061bde>] __lock_acquire+0xce/0xcf4
[<
ffffffff8105f6fd>] ? trace_hardirqs_off+0xd/0xf
[<
ffffffff81492aef>] ? _raw_spin_unlock_irqrestore+0x33/0x41
[<
ffffffff810628d5>] lock_acquire+0xd1/0xf7
[<
ffffffff8104f037>] ? __cancel_work_timer+0x99/0x17e
[<
ffffffff8104f06e>] __cancel_work_timer+0xd0/0x17e
[<
ffffffff8104f037>] ? __cancel_work_timer+0x99/0x17e
[<
ffffffff8104f136>] cancel_work_sync+0xb/0xd
[<
ffffffffa0096675>] rt2x00lib_remove_dev+0x25/0xb0 [rt2x00lib]
[<
ffffffffa0096bf7>] rt2x00lib_probe_dev+0x380/0x3ed [rt2x00lib]
[<
ffffffff811d78a7>] ? __raw_spin_lock_init+0x31/0x52
[<
ffffffffa00bbd2c>] ? T.676+0xe/0x10 [rt2x00usb]
[<
ffffffffa00bbe4f>] rt2x00usb_probe+0x121/0x15e [rt2x00usb]
[<
ffffffff813468bd>] usb_probe_interface+0x151/0x19e
[<
ffffffff812ea08e>] driver_probe_device+0xa7/0x136
[<
ffffffff812ea167>] __driver_attach+0x4a/0x66
[<
ffffffff812ea11d>] ? __driver_attach+0x0/0x66
[<
ffffffff812e96ca>] bus_for_each_dev+0x54/0x89
[<
ffffffff812e9efd>] driver_attach+0x19/0x1b
[<
ffffffff812e9b64>] bus_add_driver+0xb4/0x204
[<
ffffffff812ea41b>] driver_register+0x98/0x109
[<
ffffffff813465dd>] usb_register_driver+0xb2/0x173
[<
ffffffffa00ca000>] ? rt2500usb_init+0x0/0x20 [rt2500usb]
[<
ffffffffa00ca01e>] rt2500usb_init+0x1e/0x20 [rt2500usb]
[<
ffffffff81000203>] do_one_initcall+0x6d/0x17a
[<
ffffffff8106cae8>] sys_init_module+0x9c/0x1e0
[<
ffffffff8100296b>] system_call_fastpath+0x16/0x1b
Signed-off-by: Stephen Boyd <bebarino@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Michael S. Tsirkin [Thu, 24 Jun 2010 14:10:25 +0000 (17:10 +0300)]
vhost: avoid pr_err on condition guest can trigger
Guest can trigger packet truncation by posting
a very short buffer and disabling buffer merging.
Convert pr_err to pr_debug to avoid log from filling
up when this happens.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Ben Greear [Thu, 15 Jul 2010 13:22:33 +0000 (13:22 +0000)]
ipmr: Don't leak memory if fib lookup fails.
This was detected using two mcast router tables. The
pimreg for the second interface did not have a specific
mrule, so packets received by it were handled by the
default table, which had nothing configured.
This caused the ipmr_fib_lookup to fail, causing
the memory leak.
Signed-off-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Michael S. Tsirkin [Thu, 15 Jul 2010 12:19:12 +0000 (15:19 +0300)]
vhost-net: avoid flush under lock
We flush under vq mutex when changing backends.
This creates a deadlock as workqueue being flushed
needs this lock as well.
https://bugzilla.redhat.com/show_bug.cgi?id=612421
Drop the vq mutex before flush: we have the device mutex
which is sufficient to prevent another ioctl from touching
the vq.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Tom Herbert [Thu, 15 Jul 2010 03:50:29 +0000 (20:50 -0700)]
net: fix problem in reading sock TX queue
Fix problem in reading the tx_queue recorded in a socket. In
dev_pick_tx, the TX queue is read by doing a check with
sk_tx_queue_recorded on the socket, followed by a sk_tx_queue_get.
The problem is that there is not mutual exclusion across these
calls in the socket so it it is possible that the queue in the
sock can be invalidated after sk_tx_queue_recorded is called so
that sk_tx_queue get returns -1, which sets 65535 in queue_index
and thus dev_pick_tx returns 65536 which is a bogus queue and
can cause crash in dev_queue_xmit.
We fix this by only calling sk_tx_queue_get which does the proper
checks. The interface is that sk_tx_queue_get returns the TX queue
if the sock argument is non-NULL and TX queue is recorded, else it
returns -1. sk_tx_queue_recorded is no longer used so it can be
completely removed.
Signed-off-by: Tom Herbert <therbert@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Doug Kehn [Thu, 15 Jul 2010 01:02:16 +0000 (18:02 -0700)]
net/core: neighbour update Oops
When configuring DMVPN (GRE + openNHRP) and a GRE remote
address is configured a kernel Oops is observed. The
obserseved Oops is caused by a NULL header_ops pointer
(neigh->dev->header_ops) in neigh_update_hhs() when
void (*update)(struct hh_cache*, const struct net_device*, const unsigned char *)
= neigh->dev->header_ops->cache_update;
is executed. The dev associated with the NULL header_ops is
the GRE interface. This patch guards against the
possibility that header_ops is NULL.
This Oops was first observed in kernel version 2.6.26.8.
Signed-off-by: Doug Kehn <rdkehn@yahoo.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Tue, 13 Jul 2010 05:24:20 +0000 (05:24 +0000)]
net: skb_tx_hash() fix relative to skb_orphan_try()
commit
fc6055a5ba31e2 (net: Introduce skb_orphan_try()) added early
orphaning of skbs.
This unfortunately added a performance regression in skb_tx_hash() in
case of stacked devices (bonding, vlans, ...)
Since skb->sk is now NULL, we cannot access sk->sk_hash anymore to
spread tx packets to multiple NIC queues on multiqueue devices.
skb_tx_hash() in this case only uses skb->protocol, same value for all
flows.
skb_orphan_try() can copy sk->sk_hash into skb->rxhash and skb_tx_hash()
can use this saved sk_hash value to compute its internal hash value.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Changli Gao [Mon, 12 Jul 2010 21:00:12 +0000 (21:00 +0000)]
rfs: call sock_rps_record_flow() in tcp_splice_read()
rfs: call sock_rps_record_flow() in tcp_splice_read()
call sock_rps_record_flow() in tcp_splice_read(), so the applications using
splice(2) or sendfile(2) can utilize RFS.
Signed-off-by: Changli Gao <xiaosuo@gmail.com>
----
net/ipv4/tcp.c | 1 +
1 file changed, 1 insertion(+)
Signed-off-by: David S. Miller <davem@davemloft.net>
Timo Teräs [Mon, 12 Jul 2010 21:29:42 +0000 (21:29 +0000)]
xfrm: do not assume that template resolving always returns xfrms
xfrm_resolve_and_create_bundle() assumed that, if policies indicated
presence of xfrms, bundle template resolution would always return
some xfrms. This is not true for 'use' level policies which can
result in no xfrm's being applied if there is no suitable xfrm states.
This fixes a crash by this incorrect assumption.
Reported-by: George Spelvin <linux@horizon.com>
Bisected-by: George Spelvin <linux@horizon.com>
Tested-by: George Spelvin <linux@horizon.com>
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
John W. Linville [Tue, 13 Jul 2010 18:06:32 +0000 (14:06 -0400)]
hostap_pci: set dev->base_addr during probe
"hostap: Protect against initialization interrupt" (which reinstated
"wireless: hostap, fix oops due to early probing interrupt")
reintroduced Bug 16111. This is because hostap_pci wasn't setting
dev->base_addr, which is now checked in prism2_interrupt. As a result,
initialization was failing for PCI-based hostap devices. This corrects
that oversight.
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Ken Kawasaki [Sat, 10 Jul 2010 01:18:13 +0000 (01:18 +0000)]
axnet_cs: use spin_lock_irqsave in ax_interrupt
Use spin_lock_irqsave instead of spin_lock in ax_interrupt because
the interrupt handler can also be invoked from ei_watchdog.
Signed-off-by: Ken Kawasaki <ken_kawasaki@spring.nifty.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 13 Jul 2010 03:03:42 +0000 (20:03 -0700)]
dsa: Fix Kconfig dependencies.
Based upon a report by Randy Dunlap.
DSA needs PHYLIB, but PHYLIB needs NET_ETHERNET. So, in order
to select PHYLIB we have to make DSA depend upon NET_ETHERNET.
Signed-off-by: David S. Miller <davem@davemloft.net>
Changli Gao [Fri, 9 Jul 2010 15:33:25 +0000 (15:33 +0000)]
act_nat: not all of the ICMP packets need an IP header payload
not all of the ICMP packets need an IP header payload, so we check the length
of the skbs only when the packets should have an IP header payload.
Based upon analysis and initial patch by Rodrigo Partearroyo González.
Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
----
net/sched/act_nat.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Mon, 12 Jul 2010 22:17:29 +0000 (15:17 -0700)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6
Francois Romieu [Mon, 12 Jul 2010 00:10:09 +0000 (17:10 -0700)]
r8169: incorrect identifier for a 8168dp
Merge error.
See CFG_METHOD_8 (0x3c800000 + 0x00300000) since version 8.002.00
of Realtek's driver.
Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Cc: Hayes <hayeswang@realtek.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Rémi Denis-Courmont [Wed, 7 Jul 2010 20:56:53 +0000 (20:56 +0000)]
Phonet: fix skb leak in pipe endpoint accept()
Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ville Tervo [Tue, 15 Jun 2010 12:56:05 +0000 (15:56 +0300)]
Bluetooth: Update sec_level/auth_type for already existing connections
Update auth level for already existing connections if it is lower
than required by new connection.
Signed-off-by: Ville Tervo <ville.tervo@nokia.com>
Reviewed-by: Emeltchenko Andrei <andrei.emeltchenko@nokia.com>
Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com>
Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@nokia.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Johan Hedberg [Fri, 18 Jun 2010 08:08:56 +0000 (11:08 +0300)]
Bluetooth: Reset the security level after an authentication failure
When authentication fails for a connection the assumed security level
should be set back to BT_SECURITY_LOW so that subsequent connect
attempts over the same link don't falsely assume that security is
adequate enough.
Signed-off-by: Johan Hedberg <johan.hedberg@nokia.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Andrei Emeltchenko [Thu, 8 Jul 2010 09:14:41 +0000 (12:14 +0300)]
Bluetooth: Check L2CAP pending status before sending connect request
Due to race condition in L2CAP state machine L2CAP Connection Request
may be sent twice for SDP with the same source channel id. Problems
reported connecting to Apple products, some carkit, Blackberry phones.
...
2010-06-07 21:18:03.651031 < ACL data: handle 1 flags 0x02 dlen 12
L2CAP(s): Connect req: psm 1 scid 0x0040
2010-06-07 21:18:03.653473 > HCI Event: Number of Completed Packets (0x13) plen 5
handle 1 packets 1
2010-06-07 21:18:03.653808 > HCI Event: Auth Complete (0x06) plen 3
status 0x00 handle 1
2010-06-07 21:18:03.653869 < ACL data: handle 1 flags 0x02 dlen 12
L2CAP(s): Connect req: psm 1 scid 0x0040
...
Patch uses L2CAP_CONF_CONNECT_PEND flag to mark that L2CAP Connection
Request has been sent already.
Modified version of patch from Ville Tervo.
Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@nokia.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Ralf Baechle [Tue, 6 Jul 2010 05:18:11 +0000 (05:18 +0000)]
NET: SB1250: Initialize .owner
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
drivers/net/sb1250-mac.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
Signed-off-by: David S. Miller <davem@davemloft.net>
Wu Fengguang [Tue, 6 Jul 2010 03:02:03 +0000 (03:02 +0000)]
vxge: show startup message with KERN_INFO
The original KERN_CRIT will mess up terminals.
CC: Sreenivasa Honnur <Sreenivasa.Honnur@neterion.com>
Signed-off-by: Wu Fengguang <fengguang.wu@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Denis Kirjanov [Mon, 5 Jul 2010 21:44:20 +0000 (21:44 +0000)]
ll_temac: Fix missing iounmaps
Fix missing iounmaps.
Signed-off-by: Denis Kirjanov <dkirjanov@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Herbert Xu [Mon, 5 Jul 2010 21:29:28 +0000 (21:29 +0000)]
bridge: Clear IPCB before possible entry into IP stack
The bridge protocol lives dangerously by having incestuous relations
with the IP stack. In this instance an abomination has been created
where a bogus IPCB area from a bridged packet leads to a crash in
the IP stack because it's interpreted as IP options.
This patch papers over the problem by clearing the IPCB area in that
particular spot. To fix this properly we'd also need to parse any
IP options if present but I'm way too lazy for that.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Cheers,
Signed-off-by: David S. Miller <davem@davemloft.net>
Rajkumar Manoharan [Wed, 7 Jul 2010 09:49:18 +0000 (15:19 +0530)]
ath9k_htc: fix memory leak in ath9k_hif_usb_alloc_urbs
Failure cases within ath9k_hif_usb_alloc_urbs are failed
to release allocated memory.
Signed-off-by: Rajkumar Manoharan <rmanoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Herbert Xu [Mon, 5 Jul 2010 14:50:08 +0000 (14:50 +0000)]
bridge br_multicast: BUG: unable to handle kernel NULL pointer dereference
On Tue, Jul 06, 2010 at 08:48:35AM +0800, Herbert Xu wrote:
>
> bridge: Restore NULL check in br_mdb_ip_get
Resend with proper attribution.
bridge: Restore NULL check in br_mdb_ip_get
Somewhere along the line the NULL check in br_mdb_ip_get went
AWOL, causing crashes when we receive an IGMP packet with no
multicast table allocated.
This patch restores it and ensures all br_mdb_*_get functions
use it.
Reported-by: Frank Arnold <frank.arnold@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Thanks,
Signed-off-by: David S. Miller <davem@davemloft.net>
Ben Hutchings [Fri, 2 Jul 2010 07:08:44 +0000 (07:08 +0000)]
net: Fix definition of netif_vdbg() when VERBOSE_DEBUG is defined
netif_vdbg() was originally defined as entirely equivalent to
netdev_vdbg(), but I assume that it was intended to take the same
parameters as netif_dbg() etc. (Currently it is only used by the
sfc driver, in which I worked on that assumption.)
In commit
a4ed89c I changed the definition used when VERBOSE_DEBUG is
not defined, but I failed to notice that the definition used when
VERBOSE_DEBUG is defined was also not as I expected. Change that to
match netif_dbg() as well.
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Kulikov Vasiliy [Sat, 3 Jul 2010 05:20:42 +0000 (05:20 +0000)]
net/ne: fix memory leak in ne_drv_probe()
net_device allocated with alloc_eip_netdev() must be freed.
Signed-off-by: Kulikov Vasiliy <segooon@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Peter Kosyh [Fri, 2 Jul 2010 07:47:55 +0000 (07:47 +0000)]
xfrm: fix xfrm by MARK logic
While using xfrm by MARK feature in
2.6.34 - 2.6.35 kernels, the mark
is always cleared in flowi structure via memset in
_decode_session4 (net/ipv4/xfrm4_policy.c), so
the policy lookup fails.
IPv6 code is affected by this bug too.
Signed-off-by: Peter Kosyh <p.kosyh@gmail.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Sat, 3 Jul 2010 05:29:22 +0000 (22:29 -0700)]
Merge branch 'vhost-net' of git://git./linux/kernel/git/mst/vhost
Rusty Russell [Fri, 2 Jul 2010 16:34:01 +0000 (16:34 +0000)]
virtio_net: fix oom handling on tx
virtio net will never try to overflow the TX ring, so the only reason
add_buf may fail is out of memory. Thus, we can not stop the
device until some request completes - there's no guarantee anything
at all is outstanding.
Make the error message clearer as well: error here does not
indicate queue full.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> (...and avoid TX_BUSY)
Cc: stable@kernel.org # .34.x (s/virtqueue_/vi->svq->vq_ops->/)
Signed-off-by: David S. Miller <davem@davemloft.net>
Michael S. Tsirkin [Fri, 2 Jul 2010 16:32:55 +0000 (16:32 +0000)]
virtio_net: do not reschedule rx refill forever
We currently fill all of RX ring, then add_buf
returns ENOSPC, which gets mis-detected as an out of
memory condition and causes us to reschedule the work,
and so on forever. Fix this by oom = err == -ENOMEM;
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Cc: stable@kernel.org # .34.x
Signed-off-by: David S. Miller <davem@davemloft.net>
Jon Mason [Fri, 2 Jul 2010 09:13:49 +0000 (09:13 +0000)]
s2io: resolve statistics issues
This patch resolves a number of issues in the statistics gathering of
the s2io driver.
On Xframe adapters, the received multicast statistics counter includes
pause frames which are not indicated to the driver. This can cause
issues where the multicast packet count is higher than what has actually
been received, possibly higher than the number of packets received.
The driver software counters are replaced with the adapter hardware
statistics for rx_packets, rx_bytes, and tx_bytes. It also uses the
overflow registers to determine if the statistics wrapped the 32bit
register (removing the window of having a statistic value less than the
previous call). rx_length_errors statistic now includes undersized
packets in addition to oversized packets in its counting. Finally,
rx_crc_errors are now being counted.
Signed-off-by: Jon Mason <jon.mason@exar.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Sat, 3 Jul 2010 05:04:49 +0000 (22:04 -0700)]
Merge branch 'master' of git://git./linux/kernel/git/kaber/nf-2.6
Randy Dunlap [Thu, 1 Jul 2010 13:18:58 +0000 (13:18 +0000)]
linux/net.h: fix kernel-doc warnings
Fix kernel-doc warnings in linux/net.h:
Warning(include/linux/net.h:151): No description found for parameter 'wq'
Warning(include/linux/net.h:151): Excess struct/union/enum/typedef member 'fasync_list' description in 'socket'
Warning(include/linux/net.h:151): Excess struct/union/enum/typedef member 'wait' description in 'socket'
Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
John Fastabend [Thu, 1 Jul 2010 13:21:57 +0000 (13:21 +0000)]
net: decreasing real_num_tx_queues needs to flush qdisc
Reducing real_num_queues needs to flush the qdisc otherwise
skbs with queue_mappings greater then real_num_tx_queues can
be sent to the underlying driver.
The flow for this is,
dev_queue_xmit()
dev_pick_tx()
skb_tx_hash() => hash using real_num_tx_queues
skb_set_queue_mapping()
...
qdisc_enqueue_root() => enqueue skb on txq from hash
...
dev->real_num_tx_queues -= n
...
sch_direct_xmit()
dev_hard_start_xmit()
ndo_start_xmit(skb,dev) => skb queue set with old hash
skbs are enqueued on the qdisc with skb->queue_mapping set
0 < queue_mappings < real_num_tx_queues. When the driver
decreases real_num_tx_queues skb's may be dequeued from the
qdisc with a queue_mapping greater then real_num_tx_queues.
This fixes a case in ixgbe where this was occurring with DCB
and FCoE. Because the driver is using queue_mapping to map
skbs to tx descriptor rings we can potentially map skbs to
rings that no longer exist.
Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
Tested-by: Ross Brattain <ross.b.brattain@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
John Fastabend [Thu, 1 Jul 2010 13:21:35 +0000 (13:21 +0000)]
sched: qdisc_reset_all_tx is calling qdisc_reset without qdisc_lock
When calling qdisc_reset() the qdisc lock needs to be held. In
this case there is at least one driver i4l which is using this
without holding the lock. Add the locking here.
Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Breno Leitao [Thu, 1 Jul 2010 03:00:18 +0000 (03:00 +0000)]
qlge: fix a eeh handler to not add a pending timer
On some ocasions the function qlge_io_resume() tries to add a
pending timer, which causes the system to hit the BUG() on
add_timer() function.
This patch removes the timer during the EEH recovery.
Signed-off-by: Breno Leitao <leitao@linux.vnet.ibm.com>
Signed-off-by: Ron Mercer <ron.mercer@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Breno Leitao [Thu, 1 Jul 2010 03:00:17 +0000 (03:00 +0000)]
qlge: Replacing add_timer() to mod_timer()
Currently qlge driver calls add_timer() instead of mod_timer().
This patch changes add_timer() to mod_timer(), which seems a better
solution.
Signed-off-by: Breno Leitao <leitao@linux.vnet.ibm.com>
Signed-off-by: Ron Mercer <ron.mercer@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ben Hutchings [Sat, 3 Jul 2010 04:49:02 +0000 (21:49 -0700)]
usbnet: Set parent device early for netdev_printk()
netdev_printk() follows the net_device's parent device pointer, so
we must set that earlier than we previously did.
Reported-by: Luís Picciochi Oliveira <pitxyoki@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ben Hutchings [Sat, 3 Jul 2010 04:47:54 +0000 (21:47 -0700)]
net: Revert "rndis_host: Poll status channel before control channel"
This reverts commit
c17b274dc2aa538b68c1f02b01a3c4e124b435ba.
That change was reported to break rndis_wlan support for the WUSB54GS.
Reported-by: Luís Picciochi Oliveira <pitxyoki@gmail.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Reinette Chatre [Mon, 21 Jun 2010 21:23:47 +0000 (14:23 -0700)]
iwlwifi: remove key information during device restart
When there is a firmware error or the firmware is reloaded for some other
reason we currently clear all station information, including keys
associated with them. A problem is that we do not clear some other
information regarding keys that are not stored in the station structs.
The consequence of this is that when the device is reconfigured after the
firmware reload we can, among other things, run out of key indices.
This fixes:
https://bugzilla.kernel.org/show_bug.cgi?id=16232
http://bugzilla.intellinuxwireless.org/show_bug.cgi?id=2221
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Eric Dumazet [Fri, 2 Jul 2010 08:05:01 +0000 (10:05 +0200)]
netfilter: ip6t_REJECT: fix a dst leak in ipv6 REJECT
We should release dst if dst->error is set.
Bug introduced in 2.6.14 by commit
e104411b82f5c
([XFRM]: Always release dst_entry on error in xfrm_lookup)
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Patrick McHardy <kaber@trash.net>
Cody Rester [Fri, 2 Jul 2010 04:27:44 +0000 (21:27 -0700)]
drivers: bluetooth: bluecard_cs.c: Fixed include error, changed to linux/io.h
Fixed include error, changed to linux/io.h
Signed-off-by: Cody Rester <codyrester@gmail.com>
Acked-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Michael S. Tsirkin [Thu, 1 Jul 2010 15:40:12 +0000 (18:40 +0300)]
vhost: add unlikely annotations to error path
patch 'break out of polling loop on error' caused
a minor performance regression on my machine: recover
that performance by adding a bunch of unlikely annotations
in the error handling.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Flavio Leitner [Tue, 29 Jun 2010 08:24:39 +0000 (08:24 +0000)]
bonding: check if clients MAC addr has changed
When two systems using bonding devices in adaptive load
balancing (ALB) communicates with each other, an endless
ping-pong of ARP replies starts between these two systems.
What happens? In the ALB mode, bonding driver keeps track
of each client connected in a hash table, so it can do the
receive load balancing (RLB). This hash table is updated
when an ARP reply is received, then it scans for the client
entry, updates its MAC address and flag it to be announced
later. Therefore, two seconds later, the alb monitor runs
and send for each updated client entry two ARP replies
updating this specific client. The same process happens on
the receiving system, causing the endless ping-pong of arp
replies.
See more information including the relevant functions below:
System 1 System 2
bond0 bond0
ping <system2>
ARP request --------->
<--------- ARP reply
+->rlb_arp_recv <---------------------+ <--- loop begins
| rlb_update_entry_from_arp |
| client_info->ntt = 1; |
| bond_info->rx_ntt = 1; |
| |
| <communication succeed> |
| |
| bond_alb_monitor |
| rlb_update_rx_clients |
| rlb_update_client |
| arp_create(ARPOP_REPLY) |
| send ARP reply --------------> V
| send ARP reply -------------->
| rlb_arp_recv
| rlb_update_entry_from_arp
| client_info->ntt = 1;
| bond_info->rx_ntt = 1;
| < snipped, same as in system 1>
+------- <-------------- send ARP reply
<-------------- send ARP reply
Besides the unneeded networking traffic, this loop breaks
a cluster because a backup system can't take over the IP
address. There is always one system sending an ARP reply
poisoning the network.
This patch fixes the problem adding a check for the MAC
address before updating it. Thus, if the MAC address didn't
change, there is no need to update neither to announce it later.
Signed-off-by: Flavio Leitner <fleitner@redhat.com>
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David Howells [Wed, 30 Jun 2010 20:10:09 +0000 (13:10 -0700)]
Bluetooth: Fix abuse of the preincrement operator
Fix abuse of the preincrement operator as detected when building with gcc
4.6.0:
CC [M] drivers/bluetooth/hci_bcsp.o
drivers/bluetooth/hci_bcsp.c: In function 'bcsp_prepare_pkt':
drivers/bluetooth/hci_bcsp.c:247:20: warning: operation on 'bcsp->msgq_txseq' may be undefined
Reported-by: Justin P. Mattock <justinmattock@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Saeed Bishara [Sun, 27 Jun 2010 00:26:43 +0000 (00:26 +0000)]
mv643xx_eth: use sw csum for big packets
Some controllers (KW, Dove) limits the TX IP/layer4 checksum offloading to a max size.
Signed-off-by: Saeed Bishara <saeed@marvell.com>
Acked-by: Lennert Buytenhek <buytenh@wantstofly.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 30 Jun 2010 19:04:58 +0000 (12:04 -0700)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6
Andreas Steffen [Wed, 30 Jun 2010 17:41:15 +0000 (10:41 -0700)]
xfrm: fix XFRMA_MARK extraction in xfrm_mark_get
Determine the size of the xfrm_mark struct, not of its pointer.
Signed-off-by: Andreas Steffen <andreas.steffen@strongswan.org>
Acked-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
Guillaume Gaudonville [Tue, 29 Jun 2010 18:29:00 +0000 (18:29 +0000)]
ixgbe: skip non IPv4 packets in ATR filter
In driver ixgbe, ixgbe_atr may cause crashes for non-ipv4 packets. Just
add a test to check skb->protocol. It may crash on short packets due
to ip_hdr() access.
Signed-off-by: Guillaume Gaudonville <guillaume.gaudonville@6wind.com>
Acked-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
John Fastabend [Tue, 29 Jun 2010 18:28:36 +0000 (18:28 +0000)]
ixgbe: disable tx engine before disabling tx laser
Disabling the tx laser while receiving DMA requests
can hang the device. After this occurs the device
is in a bad state. The GPIO bit never clears when
PCI master access is disabled and a reboot is required
to get the device in a good state again.
Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
Acked-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Andy Gospodarek [Tue, 29 Jun 2010 18:28:12 +0000 (18:28 +0000)]
ixgbe: fix panic when shutting down system with WoL enabled
This patch added to 2.6.34:
commit
5f6c01819979afbfec7e0b15fe52371b8eed87e8
Author: Jesse Brandeburg <jesse.brandeburg@intel.com>
Date: Wed Apr 14 16:04:23 2010 -0700
ixgbe: fix bug with vlan strip in promsic mode
among other things added a function called ixgbe_vlan_filter_enable.
This new function wants to access and set some rx_ring parameters, but
adapter->rx_ring has already been freed. This simply moves the free
until after the access and makes __ixgbe_shutdown look more like
ixgbe_remove.
Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
Acked-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Tested-by: Emil Tantilov <emil.s.tantilov@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ben Hutchings [Mon, 28 Jun 2010 08:45:58 +0000 (08:45 +0000)]
ethtool: Fix potential user buffer overflow for ETHTOOL_{G, S}RXFH
struct ethtool_rxnfc was originally defined in 2.6.27 for the
ETHTOOL_{G,S}RXFH command with only the cmd, flow_type and data
fields. It was then extended in 2.6.30 to support various additional
commands. These commands should have been defined to use a new
structure, but it is too late to change that now.
Since user-space may still be using the old structure definition
for the ETHTOOL_{G,S}RXFH commands, and since they do not need the
additional fields, only copy the originally defined fields to and
from user-space.
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Cc: stable@kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Ben Hutchings [Mon, 28 Jun 2010 08:44:07 +0000 (08:44 +0000)]
ethtool: Fix potential kernel buffer overflow in ETHTOOL_GRXCLSRLALL
On a 32-bit machine, info.rule_cnt >= 0x40000000 leads to integer
overflow and the buffer may be smaller than needed. Since
ETHTOOL_GRXCLSRLALL is unprivileged, this can presumably be used for at
least denial of service.
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Cc: stable@kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Andy Gospodarek [Fri, 25 Jun 2010 09:50:44 +0000 (09:50 +0000)]
bonding: prevent netpoll over bonded interfaces
Support for netpoll over bonded interfaces was added here:
commit
f6dc31a85cd46a959bdd987adad14c3b645e03c1
Author: WANG Cong <amwang@redhat.com>
Date: Thu May 6 00:48:51 2010 -0700
bonding: make bonding support netpoll
but it is bad enough that we should probably just disable netpoll over
bonding until some of the locking logic in the bonding driver is changed
or converted completely to RCU. Simple actions like changing the active
slave in active-backup mode will hang the box if a high enough printk
debugging level is enabled.
Keeping the old code around will be good for anyone that wants to work
on it (and for after the RCU conversion), so I propose this small patch
rather than ripping it all out.
Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Michael S. Tsirkin [Thu, 24 Jun 2010 13:59:59 +0000 (16:59 +0300)]
vhost: break out of polling loop on error
When ring parsing fails, we currently handle this
as ring empty condition. This means that we enable
kicks and recheck ring empty: if this not empty,
we re-start polling which of course will fail again.
Instead, let's return a negative error code and stop polling.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
David Woodhouse [Tue, 22 Jun 2010 02:38:13 +0000 (02:38 +0000)]
phylib: Add autoload support for the LXT973 phy.
Commit
e13647c1 (phylib: Add support for the LXT973 phy.) added a new ID
but neglected to also add it to the MODULE_DEVICE_TABLE.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jiri Slaby [Tue, 22 Jun 2010 01:41:36 +0000 (01:41 +0000)]
ISDN: hysdn, fix potential NULL dereference
Stanse found that lp is dereferenced earlier than checked for being
NULL in hysdn_rx_netpkt. Move the initialization below the test.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Karsten Keil <isdn@linux-pingi.de>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Stephen Hemminger <shemminger@vyatta.com>
Cc: Patrick McHardy <kaber@trash.net>
Cc: netdev@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Michal Schmidt [Thu, 24 Jun 2010 04:13:44 +0000 (04:13 +0000)]
vxge: fix memory leak in vxge_alloc_msix() error path
When pci_enable_msix() returned ret<0, entries and vxge_entries were leaked.
While at it, use the centralized exit idiom in the function.
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Acked-by: Ram Vepa <ram.vepa@exar.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tilman Schmidt [Mon, 21 Jun 2010 13:55:20 +0000 (13:55 +0000)]
isdn/gigaset: correct CAPI connection state storage
CAPI applications can handle several connections in parallel,
so one connection state per application isn't sufficient.
Store the connection state in the channel structure instead.
Impact: bugfix
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tilman Schmidt [Mon, 21 Jun 2010 13:55:05 +0000 (13:55 +0000)]
isdn/gigaset: encode HLC and BC together
Adapt to buggy device firmware which accepts setting HLC only in the
same command line as BC, by encoding HLC and BC in a single command
if both are specified, and rejecting HLC without BC.
Impact: bugfix
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tilman Schmidt [Mon, 21 Jun 2010 13:54:50 +0000 (13:54 +0000)]
isdn/gigaset: correct CAPI DATA_B3 Delivery Confirmation
The Gigaset CAPI driver handled all DATA_B3_REQ messages as if the
Delivery Confirmation flag bit was set, delaying the emission of the
DATA_B3_CONF reply until the data was actually transmitted. Some
CAPI applications (notably Asterisk) aren't happy with that
behaviour. Change it to actually evaluate the Delivery Confirmation
flag as described the CAPI specification.
Impact: bugfix
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tilman Schmidt [Mon, 21 Jun 2010 13:54:35 +0000 (13:54 +0000)]
isdn/gigaset: correct CAPI voice connection encoding
Make the Gigaset CAPI driver select L2_VOICE (AT^SBPR=2) as the
layer 2 encoding for transparent connections, like the ISDN4Linux
variant. L2_BITSYNC (AT^SBPR=0) mutes internal connections and
distorts external ones.
Impact: bugfix
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tilman Schmidt [Mon, 21 Jun 2010 13:54:19 +0000 (13:54 +0000)]
isdn/gigaset: honor CAPI application's buffer size request
Fix the Gigaset CAPI driver to limit the length of a connection's
payload data receive buffers to the corresponding CAPI application's
data buffer size, as some real-life CAPI applications tend to be
rather unhappy if they receive bigger data blocks than requested.
Impact: bugfix
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Florian Fainelli [Sun, 20 Jun 2010 22:07:48 +0000 (22:07 +0000)]
cpmac: do not leak struct net_device on phy_connect errors
If the call to phy_connect fails, we will return directly instead of freeing
the previously allocated struct net_device.
Signed-off-by: Florian Fainelli <florian@openwrt.org>
CC: stable@kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Ken Kawasaki [Sat, 19 Jun 2010 15:24:27 +0000 (15:24 +0000)]
smc91c92_cs: fix the problem that lan & modem does not work simultaneously
smc91c92_cs:
Fix the problem that lan & modem does not work simultaneously
in the Megahertz multi-function card.
We need to write MEGAHERTZ_ISR to retrigger interrupt.
Signed-off-by: Ken Kawasaki <ken_kawasaki@spring.nifty.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
stephen hemminger [Mon, 21 Jun 2010 11:00:13 +0000 (11:00 +0000)]
ipv6: fix NULL reference in proxy neighbor discovery
The addition of TLLAO option created a kernel OOPS regression
for the case where neighbor advertisement is being sent via
proxy path. When using proxy, ipv6_get_ifaddr() returns NULL
causing the NULL dereference.
Change causing the bug was:
commit
f7734fdf61ec6bb848e0bafc1fb8bad2c124bb50
Author: Octavian Purdila <opurdila@ixiacom.com>
Date: Fri Oct 2 11:39:15 2009 +0000
make TLLAO option for NA packets configurable
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Wey-Yi Guy [Fri, 18 Jun 2010 18:33:17 +0000 (11:33 -0700)]
iwlwifi: set TX_CMD_FLAG_PROT_REQUIRE_MSK in tx_flag
When building tx command, always set TX_CMD_FLAG_PROT_REQUIRE_MSK
for 5000 series and up.
Without setting this bit the firmware will not examine the RTS/CTS setting
and thus not send traffic with the appropriate protection. RTS/CTS is is
required for HT traffic in a noisy environment where, without this setting,
connections will stall on some hardware as documented in the patch that
initially attempted to address this:
commit
1152dcc28c66a74b5b3f1a3ede0aa6729bfd48e4
Author: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Date: Fri Jan 15 13:42:58 2010 -0800
iwlwifi: Fix throughput stall issue in HT mode for 5000
Similar to 6000 and 1000 series, RTS/CTS is the recommended
protection mechanism for 5000 series in HT mode based on the HW design.
Using RTS/CTS will better protect the inner exchange from interference,
especially in highly-congested environment, it also prevent uCode encounter
TX FIFO underrun and other HT mode related performance issues.
For 3945 and 4965, different flags are used for RTS/CTS or CTS-to-Self
protection.
Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Johannes Berg [Fri, 18 Jun 2010 10:41:25 +0000 (03:41 -0700)]
iwlwifi: fix multicast
commit
3474ad635db371b0d8d0ee40086f15d223d5b6a4
Author: Johannes Berg <johannes.berg@intel.com>
Date: Thu Apr 29 04:43:05 2010 -0700
iwlwifi: apply filter flags directly
broke multicast. The reason, it turns out, is that
the code previously checked if ALLMULTI _changed_,
which the new code no longer did, and normally it
_never_ changes. Had somebody changed it manually,
the code prior to my patch there would have been
broken already.
The reason is that we always, unconditionally, ask
the device to pass up all multicast frames, but the
new code made it depend on ALLMULTI which broke it
since now we'd pass up multicast frames depending
on the default filter in the device, which isn't
necessarily what we want (since we don't program it
right now).
Fix this by simply not checking allmulti as we have
allmulti behaviour enabled already anyway.
Reported-by: Maxim Levitsky <maximlevitsky@gmail.com>
Tested-by: Maxim Levitsky <maximlevitsky@gmail.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Gustavo F. Padovan [Fri, 18 Jun 2010 14:24:00 +0000 (14:24 +0000)]
Bluetooth: Bring back var 'i' increment
commit
ff6e2163f28a1094fb5ca5950fe2b43c3cf6bc7a accidentally added a
regression on the bnep code. Fixing it.
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Timo Teräs [Thu, 24 Jun 2010 21:35:00 +0000 (14:35 -0700)]
xfrm: check bundle policy existance before dereferencing it
Fix the bundle validation code to not assume having a valid policy.
When we have multiple transformations for a xfrm policy, the bundle
instance will be a chain of bundles with only the first one having
the policy reference. When policy_genid is bumped it will expire the
first bundle in the chain which is equivalent of expiring the whole
chain.
Reported-bisected-and-tested-by: Justin P. Mattock <justinmattock@gmail.com>
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Brandon Philips [Wed, 16 Jun 2010 16:21:58 +0000 (16:21 +0000)]
sky2: enable rx/tx in sky2_phy_reinit()
sky2_phy_reinit is called by the ethtool helpers sky2_set_settings,
sky2_nway_reset and sky2_set_pauseparam when netif_running.
However, at the end of sky2_phy_init GM_GP_CTRL has GM_GPCR_RX_ENA and
GM_GPCR_TX_ENA cleared. So, doing these commands causes the device to
stop working:
$ ethtool -r eth0
$ ethtool -A eth0 autoneg off
Fix this issue by enabling Rx/Tx after running sky2_phy_init in
sky2_phy_reinit.
Signed-off-by: Brandon Philips <bphilips@suse.de>
Tested-by: Brandon Philips <bphilips@suse.de>
Cc: stable@kernel.org
Tested-by: Mike McCormack <mikem@ring3k.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Vasanthakumar Thiagarajan [Wed, 23 Jun 2010 13:49:21 +0000 (06:49 -0700)]
ath9k: Fix bug in starting ani
There are few places where ANI is started without checking
if it is right to start. This might lead to a case where ani
timer would be left undeleted and cause improper memory acccess
during module unload. This bug is clearly exposed with
paprd support where the driver detects tx hang and does a
chip reset. During this reset ani is (re)started without checking
if it needs to be started. This would leave a timer scheduled
even after all the resources are freed and cause a panic.
This patch introduces a bit in sc_flags to indicate if ani
needs to be started in sw_scan_start() and ath_reset().
This would fix the following panic. This issue is easily seen
with ar9003 + paprd.
BUG: unable to handle kernel paging request at
0000000000003f38
[<
ffffffff81075391>] ? __queue_work+0x41/0x50
[<
ffffffff8106afaa>] run_timer_softirq+0x17a/0x370
[<
ffffffff81088be8>] ? tick_dev_program_event+0x48/0x110
[<
ffffffff81061f69>] __do_softirq+0xb9/0x1f0
[<
ffffffff810ba060>] ? handle_IRQ_event+0x50/0x160
[<
ffffffff8100af5c>] call_softirq+0x1c/0x30
[<
ffffffff8100c9f5>] do_softirq+0x65/0xa0
[<
ffffffff81061e25>] irq_exit+0x85/0x90
[<
ffffffff8155e095>] do_IRQ+0x75/0xf0
[<
ffffffff815570d3>] ret_from_intr+0x0/0x11
<EOI>
[<
ffffffff812fd67b>] ? acpi_idle_enter_simple+0xe4/0x119
[<
ffffffff812fd674>] ? acpi_idle_enter_simple+0xdd/0x119
[<
ffffffff81441c87>] cpuidle_idle_call+0xa7/0x140
[<
ffffffff81008da3>] cpu_idle+0xb3/0x110
[<
ffffffff81550722>] start_secondary+0x1ee/0x1f5
Signed-off-by: Vasanthakumar Thiagarajan <vasanth@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>