Ben Hutchings [Mon, 28 Jun 2010 08:45:58 +0000 (08:45 +0000)]
ethtool: Fix potential user buffer overflow for ETHTOOL_{G, S}RXFH
struct ethtool_rxnfc was originally defined in 2.6.27 for the
ETHTOOL_{G,S}RXFH command with only the cmd, flow_type and data
fields. It was then extended in 2.6.30 to support various additional
commands. These commands should have been defined to use a new
structure, but it is too late to change that now.
Since user-space may still be using the old structure definition
for the ETHTOOL_{G,S}RXFH commands, and since they do not need the
additional fields, only copy the originally defined fields to and
from user-space.
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Cc: stable@kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Ben Hutchings [Mon, 28 Jun 2010 08:44:07 +0000 (08:44 +0000)]
ethtool: Fix potential kernel buffer overflow in ETHTOOL_GRXCLSRLALL
On a 32-bit machine, info.rule_cnt >= 0x40000000 leads to integer
overflow and the buffer may be smaller than needed. Since
ETHTOOL_GRXCLSRLALL is unprivileged, this can presumably be used for at
least denial of service.
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Cc: stable@kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Andy Gospodarek [Fri, 25 Jun 2010 09:50:44 +0000 (09:50 +0000)]
bonding: prevent netpoll over bonded interfaces
Support for netpoll over bonded interfaces was added here:
commit
f6dc31a85cd46a959bdd987adad14c3b645e03c1
Author: WANG Cong <amwang@redhat.com>
Date: Thu May 6 00:48:51 2010 -0700
bonding: make bonding support netpoll
but it is bad enough that we should probably just disable netpoll over
bonding until some of the locking logic in the bonding driver is changed
or converted completely to RCU. Simple actions like changing the active
slave in active-backup mode will hang the box if a high enough printk
debugging level is enabled.
Keeping the old code around will be good for anyone that wants to work
on it (and for after the RCU conversion), so I propose this small patch
rather than ripping it all out.
Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David Woodhouse [Tue, 22 Jun 2010 02:38:13 +0000 (02:38 +0000)]
phylib: Add autoload support for the LXT973 phy.
Commit
e13647c1 (phylib: Add support for the LXT973 phy.) added a new ID
but neglected to also add it to the MODULE_DEVICE_TABLE.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jiri Slaby [Tue, 22 Jun 2010 01:41:36 +0000 (01:41 +0000)]
ISDN: hysdn, fix potential NULL dereference
Stanse found that lp is dereferenced earlier than checked for being
NULL in hysdn_rx_netpkt. Move the initialization below the test.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Karsten Keil <isdn@linux-pingi.de>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Stephen Hemminger <shemminger@vyatta.com>
Cc: Patrick McHardy <kaber@trash.net>
Cc: netdev@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Michal Schmidt [Thu, 24 Jun 2010 04:13:44 +0000 (04:13 +0000)]
vxge: fix memory leak in vxge_alloc_msix() error path
When pci_enable_msix() returned ret<0, entries and vxge_entries were leaked.
While at it, use the centralized exit idiom in the function.
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Acked-by: Ram Vepa <ram.vepa@exar.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tilman Schmidt [Mon, 21 Jun 2010 13:55:20 +0000 (13:55 +0000)]
isdn/gigaset: correct CAPI connection state storage
CAPI applications can handle several connections in parallel,
so one connection state per application isn't sufficient.
Store the connection state in the channel structure instead.
Impact: bugfix
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tilman Schmidt [Mon, 21 Jun 2010 13:55:05 +0000 (13:55 +0000)]
isdn/gigaset: encode HLC and BC together
Adapt to buggy device firmware which accepts setting HLC only in the
same command line as BC, by encoding HLC and BC in a single command
if both are specified, and rejecting HLC without BC.
Impact: bugfix
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tilman Schmidt [Mon, 21 Jun 2010 13:54:50 +0000 (13:54 +0000)]
isdn/gigaset: correct CAPI DATA_B3 Delivery Confirmation
The Gigaset CAPI driver handled all DATA_B3_REQ messages as if the
Delivery Confirmation flag bit was set, delaying the emission of the
DATA_B3_CONF reply until the data was actually transmitted. Some
CAPI applications (notably Asterisk) aren't happy with that
behaviour. Change it to actually evaluate the Delivery Confirmation
flag as described the CAPI specification.
Impact: bugfix
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tilman Schmidt [Mon, 21 Jun 2010 13:54:35 +0000 (13:54 +0000)]
isdn/gigaset: correct CAPI voice connection encoding
Make the Gigaset CAPI driver select L2_VOICE (AT^SBPR=2) as the
layer 2 encoding for transparent connections, like the ISDN4Linux
variant. L2_BITSYNC (AT^SBPR=0) mutes internal connections and
distorts external ones.
Impact: bugfix
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tilman Schmidt [Mon, 21 Jun 2010 13:54:19 +0000 (13:54 +0000)]
isdn/gigaset: honor CAPI application's buffer size request
Fix the Gigaset CAPI driver to limit the length of a connection's
payload data receive buffers to the corresponding CAPI application's
data buffer size, as some real-life CAPI applications tend to be
rather unhappy if they receive bigger data blocks than requested.
Impact: bugfix
Signed-off-by: Tilman Schmidt <tilman@imap.cc>
Signed-off-by: David S. Miller <davem@davemloft.net>
Florian Fainelli [Sun, 20 Jun 2010 22:07:48 +0000 (22:07 +0000)]
cpmac: do not leak struct net_device on phy_connect errors
If the call to phy_connect fails, we will return directly instead of freeing
the previously allocated struct net_device.
Signed-off-by: Florian Fainelli <florian@openwrt.org>
CC: stable@kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
Ken Kawasaki [Sat, 19 Jun 2010 15:24:27 +0000 (15:24 +0000)]
smc91c92_cs: fix the problem that lan & modem does not work simultaneously
smc91c92_cs:
Fix the problem that lan & modem does not work simultaneously
in the Megahertz multi-function card.
We need to write MEGAHERTZ_ISR to retrigger interrupt.
Signed-off-by: Ken Kawasaki <ken_kawasaki@spring.nifty.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
stephen hemminger [Mon, 21 Jun 2010 11:00:13 +0000 (11:00 +0000)]
ipv6: fix NULL reference in proxy neighbor discovery
The addition of TLLAO option created a kernel OOPS regression
for the case where neighbor advertisement is being sent via
proxy path. When using proxy, ipv6_get_ifaddr() returns NULL
causing the NULL dereference.
Change causing the bug was:
commit
f7734fdf61ec6bb848e0bafc1fb8bad2c124bb50
Author: Octavian Purdila <opurdila@ixiacom.com>
Date: Fri Oct 2 11:39:15 2009 +0000
make TLLAO option for NA packets configurable
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Gustavo F. Padovan [Fri, 18 Jun 2010 14:24:00 +0000 (14:24 +0000)]
Bluetooth: Bring back var 'i' increment
commit
ff6e2163f28a1094fb5ca5950fe2b43c3cf6bc7a accidentally added a
regression on the bnep code. Fixing it.
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Timo Teräs [Thu, 24 Jun 2010 21:35:00 +0000 (14:35 -0700)]
xfrm: check bundle policy existance before dereferencing it
Fix the bundle validation code to not assume having a valid policy.
When we have multiple transformations for a xfrm policy, the bundle
instance will be a chain of bundles with only the first one having
the policy reference. When policy_genid is bumped it will expire the
first bundle in the chain which is equivalent of expiring the whole
chain.
Reported-bisected-and-tested-by: Justin P. Mattock <justinmattock@gmail.com>
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Brandon Philips [Wed, 16 Jun 2010 16:21:58 +0000 (16:21 +0000)]
sky2: enable rx/tx in sky2_phy_reinit()
sky2_phy_reinit is called by the ethtool helpers sky2_set_settings,
sky2_nway_reset and sky2_set_pauseparam when netif_running.
However, at the end of sky2_phy_init GM_GP_CTRL has GM_GPCR_RX_ENA and
GM_GPCR_TX_ENA cleared. So, doing these commands causes the device to
stop working:
$ ethtool -r eth0
$ ethtool -A eth0 autoneg off
Fix this issue by enabling Rx/Tx after running sky2_phy_init in
sky2_phy_reinit.
Signed-off-by: Brandon Philips <bphilips@suse.de>
Tested-by: Brandon Philips <bphilips@suse.de>
Cc: stable@kernel.org
Tested-by: Mike McCormack <mikem@ring3k.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dmitry Kravkov [Wed, 23 Jun 2010 18:57:09 +0000 (11:57 -0700)]
cnic: Disable statistics initialization for eth clients that do not support statistics
Disable statistics initialization for eth clients that do not support
statistics. This prevents memory corruption on bnx2x hw.
Signed-off-by: Dmitry Kravkov <dmitry@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Anirban Chakraborty [Wed, 23 Jun 2010 18:49:42 +0000 (11:49 -0700)]
net: add dependency on fw class module to qlcnic and netxen_nic
netxen_nic and qlcnic driver depends on firmware_class module.
Signed-off-by: Anirban Chakraborty <anirban.chakraborty@qlogic.com>
Signed-off-by: Amit Kumar Salecha <amit.salecha@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Wed, 23 Jun 2010 00:32:03 +0000 (00:32 +0000)]
snmp: fix SNMP_ADD_STATS()
commit
aa2ea0586d9d (tcp: fix outsegs stat for TSO segments) incorrectly
assumed SNMP_ADD_STATS() was used from BH context.
Fix this using mib[!in_softirq()] instead of mib[0]
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: Tom Herbert <therbert@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Tue, 22 Jun 2010 17:54:12 +0000 (10:54 -0700)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6
Filip Aben [Tue, 22 Jun 2010 17:10:35 +0000 (10:10 -0700)]
hso: remove setting of low_latency flag
This patch removes the setting of the low_latency flag.
tty_flip_buffer_push() is occasionally being called in irq context, which
causes a hang if the low_latency flag is set.
Removing the low_latency flag only seems to impact the flush to ldisc,
which will now be put on a workqueue.
Signed-off-by: Filip Aben <f.aben@option.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Herbert Xu [Tue, 15 Jun 2010 01:52:25 +0000 (01:52 +0000)]
udp: Fix bogus UFO packet generation
It has been reported that the new UFO software fallback path
fails under certain conditions with NFS. I tracked the problem
down to the generation of UFO packets that are smaller than the
MTU. The software fallback path simply discards these packets.
This patch fixes the problem by not generating such packets on
the UFO path.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Helge Deller [Mon, 21 Jun 2010 20:50:18 +0000 (13:50 -0700)]
lasi82596: fix netdev_mc_count conversion
Fix commit
4cd24eaf0 (net: use netdev_mc_count and netdev_mc_empty when
appropriate)
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ralf Baechle [Mon, 21 Jun 2010 03:44:50 +0000 (03:44 +0000)]
NET: MIPSsim: Fix modpost warning.
$ make CONFIG_DEBUG_SECTION_MISMATCH=y
[...]
WARNING: drivers/net/built-in.o(.data+0x0): Section mismatch in reference from the variable mipsnet_driver to the function .init.text:mipsnet_probe()
The variable mipsnet_driver references
the function __init mipsnet_probe()
If the reference is valid then annotate the
variable with __init* or __refdata (see linux/init.h) or name the variable:
*_template, *_timer, *_sht, *_ops, *_probe, *_probe_one, *_console,
[...]
Fixed by making mipsnet_probe __devinit.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
drivers/net/mipsnet.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
Signed-off-by: David S. Miller <davem@davemloft.net>
Bob Copeland [Fri, 18 Jun 2010 17:15:23 +0000 (13:15 -0400)]
ath5k: initialize ah->ah_current_channel
ath5k assumes ah_current_channel is always a valid pointer in
several places, but a newly created interface may not have a
channel. To avoid null pointer dereferences, set it up to point
to the first available channel until later reconfigured.
This fixes the following oops:
$ rmmod ath5k
$ insmod ath5k
$ iw phy0 set distance 11000
BUG: unable to handle kernel NULL pointer dereference at
00000006
IP: [<
d0a1ff24>] ath5k_hw_set_coverage_class+0x74/0x1b0 [ath5k]
*pde =
00000000
Oops: 0000 [#1]
last sysfs file: /sys/devices/pci0000:00/0000:00:0e.0/ieee80211/phy0/index
Modules linked in: usbhid option usb_storage usbserial usblp evdev lm90
scx200_acb i2c_algo_bit i2c_dev i2c_core via_rhine ohci_hcd ne2k_pci
8390 leds_alix2 xt_IMQ imq nf_nat_tftp nf_conntrack_tftp nf_nat_irc nf_cc
Pid: 1597, comm: iw Not tainted (2.6.32.14 #8)
EIP: 0060:[<
d0a1ff24>] EFLAGS:
00010296 CPU: 0
EIP is at ath5k_hw_set_coverage_class+0x74/0x1b0 [ath5k]
EAX:
000000c2 EBX:
00000000 ECX:
ffffffff EDX:
c12d2080
ESI:
00000019 EDI:
cf8c0000 EBP:
d0a30edc ESP:
cfa09bf4
DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068
Process iw (pid: 1597, ti=
cfa09000 task=
cf88a000 task.ti=
cfa09000)
Stack:
d0a34f35 d0a353f8 d0a30edc 000000fe cf8c0000 00000000 1900063d cfa8c9e0
<0>
cfa8c9e8 cfa8c0c0 cfa8c000 d0a27f0c 199d84b4 cfa8c200 00000010 d09bfdc7
<0>
00000000 00000000 ffffffff d08e0d28 cf9263c0 00000001 cfa09cc4 00000000
Call Trace:
[<
d0a27f0c>] ? ath5k_hw_attach+0xc8c/0x3c10 [ath5k]
[<
d09bfdc7>] ? __ieee80211_request_smps+0x1347/0x1580 [mac80211]
[<
d08e0d28>] ? nl80211_send_scan_start+0x7b8/0x4520 [cfg80211]
[<
c10f5db9>] ? nla_parse+0x59/0xc0
[<
c11ca8d9>] ? genl_rcv_msg+0x169/0x1a0
[<
c11ca770>] ? genl_rcv_msg+0x0/0x1a0
[<
c11c7e68>] ? netlink_rcv_skb+0x38/0x90
[<
c11c9649>] ? genl_rcv+0x19/0x30
[<
c11c7c03>] ? netlink_unicast+0x1b3/0x220
[<
c11c893e>] ? netlink_sendmsg+0x26e/0x290
[<
c11a409e>] ? sock_sendmsg+0xbe/0xf0
[<
c1032780>] ? autoremove_wake_function+0x0/0x50
[<
c104d846>] ? __alloc_pages_nodemask+0x106/0x530
[<
c1074933>] ? do_lookup+0x53/0x1b0
[<
c10766f9>] ? __link_path_walk+0x9b9/0x9e0
[<
c11acab0>] ? verify_iovec+0x50/0x90
[<
c11a42b1>] ? sys_sendmsg+0x1e1/0x270
[<
c1048e50>] ? find_get_page+0x10/0x50
[<
c104a96f>] ? filemap_fault+0x5f/0x370
[<
c1059159>] ? __do_fault+0x319/0x370
[<
c11a55b4>] ? sys_socketcall+0x244/0x290
[<
c101962c>] ? do_page_fault+0x1ec/0x270
[<
c1019440>] ? do_page_fault+0x0/0x270
[<
c1002ae5>] ? syscall_call+0x7/0xb
Code: 00 b8 fe 00 00 00 b9 f8 53 a3 d0 89 5c 24 14 89 7c 24 10 89 44 24
0c 89 6c 24 08 89 4c 24 04 c7 04 24 35 4f a3 d0 e8 7c 30 60 f0 <0f> b7
43 06 ba 06 00 00 00 a8 10 75 0e 83 e0 20 83 f8 01 19 d2
EIP: [<
d0a1ff24>] ath5k_hw_set_coverage_class+0x74/0x1b0 [ath5k] SS:ESP
0068:
cfa09bf4
CR2:
0000000000000006
---[ end trace
54f73d6b10ceb87b ]---
Cc: stable@kernel.org
Reported-by: Steve Brown <sbrown@cortland.com>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
stephen hemminger [Tue, 15 Jun 2010 06:14:12 +0000 (06:14 +0000)]
bridge: fdb cleanup runs too often
It is common in end-node, non STP bridges to set forwarding
delay to zero; which causes the forwarding database cleanup
to run every clock tick. Change to run only as soon as needed
or at next ageing timer interval which ever is sooner.
Use round_jiffies_up macro rather than attempting round up
by changing value.
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
FUJITA Tomonori [Thu, 17 Jun 2010 15:56:05 +0000 (08:56 -0700)]
bnx2: fix dma_get_ops compilation breakage
This removes dma_get_ops() prefetch optimization in bnx2.
bnx2 uses dma_get_ops() to see if dma_sync_single_for_cpu() is
noop. bnx2 does prefetch if it's noop.
But dma_get_ops() isn't available on all the architectures (only the
architectures that uses dma_map_ops struct have it). Using
dma_get_ops() in drivers leads to compilation breakage on many
architectures.
This patch removes dma_get_ops() and changes bnx2 to do prefetch on
all the architectures. This adds useless prefetch on non-coherent
architectures but this is harmless. It is also unlikely to cause the
performance drop.
[ Remove now unused local variable 'pdev' -DaveM ]
Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Acked-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Sergey Matyukevich [Mon, 14 Jun 2010 06:35:20 +0000 (06:35 +0000)]
ucc_geth: fix for RX skb buffers recycling
This patch implements a proper modification of RX skb buffers before
recycling. Adjusting only skb->data is not enough because after that
skb->tail and skb->len become incorrect.
Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ken Kawasaki [Sat, 12 Jun 2010 00:17:28 +0000 (00:17 +0000)]
pcnet_cs: add new id (TOSHIBA Modem/LAN Card)
pcnet_cs:
serial_cs:
add new id (TOSHIBA Modem/LAN Card)
Signed-off-by: Ken Kawasaki <ken_kawasaki@spring.nifty.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
Anton Vorontsov [Fri, 11 Jun 2010 10:51:03 +0000 (10:51 +0000)]
gianfar: Fix oversized packets handling
Issuing the following command on host:
$ ifconfig eth2 mtu 1600 ; ping 10.0.0.27 -s 1485 -c 1
Makes some boards (tested with MPC8315 rev 1.1 and MPC8313 rev 1.0)
oops like this:
skb_over_panic: text:
c0195914 len:1537 put:1537 head:
c79e4800 data:
c79e4880 tail:0xc79e4e81 end:0xc79e4e80 dev:eth1
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:127!
Oops: Exception in kernel mode, sig: 5 [#1]
MPC831x RDB
last sysfs file: /sys/kernel/uevent_seqnum
Modules linked in:
NIP:
c01c1840 LR:
c01c1840 CTR:
c016d918
[...]
NIP [
c01c1840] skb_over_panic+0x48/0x5c
LR [
c01c1840] skb_over_panic+0x48/0x5c
Call Trace:
[
c0339d50] [
c01c1840] skb_over_panic+0x48/0x5c (unreliable)
[
c0339d60] [
c01c3020] skb_put+0x5c/0x60
[
c0339d70] [
c0195914] gfar_clean_rx_ring+0x25c/0x3d0
[
c0339dc0] [
c01976e8] gfar_poll+0x170/0x1bc
Dumped buffer descriptors showed that eTSEC's length/truncation
logic sometimes passes oversized packets, i.e. for the above ICMP
packet the following two buffer descriptors may become ready:
status=1400 length=1536
status=1800 length=1541
So, it seems that gianfar actually receives the whole big frame,
and it tries to place the packet into two BDs. This situation
confuses the driver, and so the skb_put() sanity check fails.
This patch fixes the issue by adding an appropriate check, i.e.
the driver should not try to process frames with buffer
descriptor's length over rx_buffer_size (i.e. maxfrm and mrblr).
Note that sometimes eTSEC works correctly, i.e. in the second
(last) buffer descriptor bits 'truncated' and 'crcerr' are set,
and so there's no oops. Though I couldn't find any logic when
it works correctly and when not.
Signed-off-by: Anton Vorontsov <avorontsov@mvista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jan-Bernd Themann [Tue, 15 Jun 2010 05:35:42 +0000 (05:35 +0000)]
ehea: Fix kernel deadlock in DLPAR-mem processing
Port reset operations and memory add/remove operations need to
be serialized to avoid a kernel deadlock. The deadlock is caused
by calling the napi_disable() function twice.
Therefore we have to employ the dlpar_mem_lock in the ehea_reset_port
function as well
Signed-off-by: Jan-Bernd Themann <themann@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jan-Bernd Themann [Tue, 15 Jun 2010 05:35:16 +0000 (05:35 +0000)]
ehea: fix delayed packet processing
In the eHEA poll function an rmb() is required. Without that some packets
on the receive queue are not seen and thus delayed until the next interrupt
is handled for the same receive queue.
Signed-off-by: Jan-Bernd Themann <themann@de.ibm.com>
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Don Skidmore [Tue, 15 Jun 2010 09:23:17 +0000 (09:23 +0000)]
ixgbe: add comment on SFP+ ID for Active DA
These comments were forgotten in the initial patch to add this
functionality. This patch corrects that.
Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tom Hughes [Tue, 15 Jun 2010 22:24:28 +0000 (22:24 +0000)]
Clear IFF_XMIT_DST_RELEASE for teql interfaces
https://bugzilla.kernel.org/show_bug.cgi?id=16183
The sch_teql module, which can be used to load balance over a set of
underlying interfaces, stopped working after 2.6.30 and has been
broken in all kernels since then for any underlying interface which
requires the addition of link level headers.
The problem is that the transmit routine relies on being able to
access the destination address in the skb in order to do address
resolution once it has decided which underlying interface it is going
to transmit through.
In 2.6.31 the IFF_XMIT_DST_RELEASE flag was introduced, and set by
default for all interfaces, which causes the destination address to be
released before the transmit routine for the interface is called.
The solution is to clear that flag for teql interfaces.
Signed-off-by: Tom Hughes <tom@compton.nu>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Manfred Rudigier [Fri, 11 Jun 2010 01:49:05 +0000 (01:49 +0000)]
gianfar: Fix setup of RX time stamping
Previously the RCTRL_TS_ENABLE bit was set unconditionally. However, if
the RCTRL_TS_ENABLE is set without TMR_CTRL[TE], the driver does not work
properly on some boards (Anton had problems with the MPC8313ERDB and
MPC8568EMDS).
With this patch the bit will only be set if requested from user space
with the SIOCSHWTSTAMP ioctl command, meaning that time stamping is
disabled during normal operation. Users who are not interested in time
stamps will not experience problems with buggy CPU revisions or
performance drops any more.
The setting of TMR_CTRL[TE] is still up to the user. This is considered
safe because users wanting HW timestamps must initialize the eTSEC clock
first anyway, e.g. with the recently submitted PTP clock driver.
Signed-off-by: Manfred Rudigier <manfred.rudigier@omicron.at>
Reviewed-by: Anton Vorontsov <cbouatmailru@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 16 Jun 2010 20:41:55 +0000 (13:41 -0700)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6
Christoph Fritz [Wed, 16 Jun 2010 14:37:34 +0000 (16:37 +0200)]
mac80211: fix warn, enum may be used uninitialized
regression introduced by
b8d92c9c141ee3dc9b3537b1f0ffb4a54ea8d9b2
In function ‘ieee80211_work_rx_queued_mgmt’:
warning: ‘rma’ may be used uninitialized in this function
this re-adds default value WORK_ACT_NONE back to rma
Signed-off-by: Christoph Fritz <chf.fritz@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Herbert Xu [Wed, 16 Jun 2010 04:43:07 +0000 (21:43 -0700)]
bridge: Fix OOM crash in deliver_clone
The bridge multicast patches introduced an OOM crash in the forward
path, when deliver_clone fails to clone the skb.
Reported-by: Mark Wagner <mwagner@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Amit Kumar Salecha [Sun, 13 Jun 2010 23:39:05 +0000 (23:39 +0000)]
netxen: fix caching window register
CRB window register is not per pci-func for NX3031,
so caching can result in incorrect values.
Signed-off-by: Amit Kumar Salecha <amit.salecha@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Amit Kumar Salecha [Sun, 13 Jun 2010 23:39:04 +0000 (23:39 +0000)]
netxen: fix rcv buffer leak
Rcv producer should be read in spin-lock.
Signed-off-by: Amit Kumar Salecha <amit.salecha@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Amit Kumar Salecha [Sun, 13 Jun 2010 23:39:03 +0000 (23:39 +0000)]
netxen: fix memory leaks in error path
Fixes memory leak in error path when memory allocation
for adapter data structures fails.
Signed-off-by: Amit Kumar Salecha <amit.salecha@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dominik Brodowski [Fri, 11 Jun 2010 04:44:55 +0000 (04:44 +0000)]
pcmcia: dev_node removal bugfix
Patch
c7c2fa07 removed one line too much from smc91c92_cs.c.
Reported-by: Komuro <komurojun-mbn@nifty.com>
CC: netdev@vger.kernel.org
CC: linux-wireless@vger.kernel.org
Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tim Gardner [Tue, 8 Jun 2010 17:33:02 +0000 (11:33 -0600)]
hostap: Protect against initialization interrupt
Use an irq spinlock to hold off the IRQ handler until
enough early card init is complete such that the handler
can run without faulting.
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
David S. Miller [Tue, 15 Jun 2010 18:58:02 +0000 (11:58 -0700)]
Merge branch 'master' of git://git./linux/kernel/git/kaber/nf-2.6
John W. Linville [Mon, 14 Jun 2010 18:30:25 +0000 (14:30 -0400)]
iwlwifi: cancel scan watchdog in iwl_bg_abort_scan
Avoids this:
WARNING: at net/mac80211/scan.c:312 ieee80211_scan_completed+0x5f/0x1f1
[mac80211]()
Hardware name: Latitude E5400
Modules linked in: aes_x86_64 aes_generic fuse ipt_MASQUERADE iptable_nat
nf_nat rfcomm sco bridge stp llc bnep l2cap sunrpc cpufreq_ondemand
acpi_cpufreq freq_table xt_physdev ip6t_REJECT nf_conntrack_ipv6
ip6table_filter ip6_tables ipv6 kvm_intel kvm uinput arc4 ecb
snd_hda_codec_intelhdmi snd_hda_codec_idt snd_hda_intel iwlagn snd_hda_codec
snd_hwdep snd_seq snd_seq_device iwlcore snd_pcm dell_wmi sdhci_pci sdhci
iTCO_wdt tg3 dell_laptop mmc_core i2c_i801 wmi mac80211 snd_timer
iTCO_vendor_support btusb joydev dcdbas cfg80211 bluetooth snd soundcore
microcode rfkill snd_page_alloc firewire_ohci firewire_core crc_itu_t
yenta_socket rsrc_nonstatic i915 drm_kms_helper drm i2c_algo_bit i2c_core video
output [last unloaded: scsi_wait_scan]
Pid: 979, comm: iwlagn Tainted: G W 2.6.33.3-85.fc13.x86_64 #1
Call Trace:
[<
ffffffff8104b558>] warn_slowpath_common+0x77/0x8f
[<
ffffffff8104b57f>] warn_slowpath_null+0xf/0x11
[<
ffffffffa01bb7d9>] ieee80211_scan_completed+0x5f/0x1f1 [mac80211]
[<
ffffffffa02a23f0>] iwl_bg_scan_completed+0xbb/0x17a [iwlcore]
[<
ffffffff81060d3d>] worker_thread+0x1a4/0x232
[<
ffffffffa02a2335>] ? iwl_bg_scan_completed+0x0/0x17a [iwlcore]
[<
ffffffff81064817>] ? autoremove_wake_function+0x0/0x34
[<
ffffffff81060b99>] ? worker_thread+0x0/0x232
[<
ffffffff810643c7>] kthread+0x7a/0x82
[<
ffffffff8100a924>] kernel_thread_helper+0x4/0x10
[<
ffffffff8106434d>] ? kthread+0x0/0x82
[<
ffffffff8100a920>] ? kernel_thread_helper+0x0/0x10
Reported here:
https://bugzilla.redhat.com/show_bug.cgi?id=590436
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Reported-by: Mihai Harpau <mishu@piatafinanciara.ro>
Cc: stable@kernel.org
Acked-by: Reinette Chatre <reinette.chatre@intel.com>
Zhu Yi [Thu, 10 Jun 2010 01:44:29 +0000 (09:44 +0800)]
wireless: orphan ipw2x00 drivers
Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Joerg Albert [Sun, 13 Jun 2010 12:22:23 +0000 (14:22 +0200)]
p54pci: add Symbol AP-300 minipci adapters pciid
Cc: stable@kernel.org
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Prarit Bhargava [Thu, 10 Jun 2010 12:08:42 +0000 (08:08 -0400)]
libertas_tf: Fix warning in lbtf_rx for stats struct
Fixes linux-2.6 warning:
drivers/net/wireless/libertas_tf/main.c: In function 'lbtf_rx':
drivers/net/wireless/libertas_tf/main.c:578: warning: 'stats.antenna' is used uninitialized in this function
drivers/net/wireless/libertas_tf/main.c:578: warning: 'stats.mactime' is used uninitialized in this function
stats struct needs to be set to 0 before use.
Signed-off-by: Prarit Bhargava <prarit@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Shanyu Zhao [Wed, 2 Jun 2010 00:13:58 +0000 (17:13 -0700)]
iwlagn: verify flow id in compressed BA packet
The flow id (scd_flow) in a compressed BA packet should match the txq_id
of the queue from which the aggregated packets were sent. However, in
some hardware like the 1000 series, sometimes the flow id is 0 for the
txq_id (10 to 19). This can cause the annoying message:
[ 2213.306191] iwlagn 0000:01:00.0: Received BA when not expected
[ 2213.310178] iwlagn 0000:01:00.0: Read index for DMA queue txq id (0),
index 5, is out of range [0-256] 7 7.
And even worse, if agg->wait_for_ba is true when the bad BA is arriving,
this can cause system hang due to NULL pointer dereference because the
code is operating in a wrong tx queue!
Signed-off-by: Shanyu Zhao <shanyu.zhao@intel.com>
Signed-off-by: Pradeep Kulkarni <pradeepx.kulkarni@intel.com>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Reinette Chatre [Fri, 28 May 2010 16:28:39 +0000 (09:28 -0700)]
iwlwifi: serialize station management actions
We are seeing some race conditions between incoming station management
requests (station add/remove) and the internal unassoc RXON command that
modifies station table. Modify these flows to require the mutex to be held
and thus serializing them.
This fixes http://bugzilla.intellinuxwireless.org/show_bug.cgi?id=2207
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Andy Gospodarek [Fri, 11 Jun 2010 12:47:03 +0000 (12:47 +0000)]
ixgbe: fix automatic LRO/RSC settings for low latency
This patch added to 2.6.34:
commit
f8d1dcaf88bddc7f282722ec1fdddbcb06a72f18
Author: Jesse Brandeburg <jesse.brandeburg@intel.com>
Date: Tue Apr 27 01:37:20 2010 +0000
ixgbe: enable extremely low latency
introduced a feature where LRO (called RSC on the hardware) was disabled
automatically when setting rx-usecs to 0 via ethtool. Some might not
like the fact that LRO was disabled automatically, but I'm fine with
that. What I don't like is that LRO/RSC is automatically enabled when
rx-usecs is set >0 via ethtool.
This would certainly be a problem if the device was used for forwarding
and it was determined that the low latency wasn't needed after the
device was already forwarding. I played around with saving the state of
LRO in the driver, but it just didn't seem worthwhile and would require
a small change to dev_disable_lro() that I did not like.
This patch simply leaves LRO disabled when setting rx-usecs >0 and
requires that the user enable it again. An extra informational message
will also now appear in the log so users can understand why LRO isn't
being enabled as they expect.
Inconsistency of LRO setting first noticed by Stanislaw Gruszka.
Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
CC: Stanislaw Gruszka <sgruszka@redhat.com>
CC: stable@kernel.org
Tested-by: Stephen Ko <stephen.s.ko@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Joe Perches [Fri, 11 Jun 2010 12:51:49 +0000 (12:51 +0000)]
e1000: Fix message logging defect
commit
675ad47375c76a7c3be4ace9554d92cd55518ced
removed the capability to use ethtool.set_msglevel to
control the types of messages emitted by the driver.
That commit should probably be reverted.
If not, then this patch fixes a message logging defect
introduced by converting a printk without KERN_<level>
to e_info.
This also reduces text by about 200 bytes.
Signed-off-by: Joe Perches <joe@perches.com>
Tested-by: Emil Tantilov <emil.s.tantilov@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Don Skidmore [Fri, 11 Jun 2010 13:20:29 +0000 (13:20 +0000)]
ixgbe: fix for race with 8259(8|9) during shutdown
There is a small window where the watchdog could be running as the
interface is brought down on a NIC with two ports wired back to back.
If ixgbe_update_status is then called can lead to a panic. This patch
allows the update to bail if we are in that condition.
This issue was orignally reported and fix proposed by Akihiko Saitou.
CC: Akihiko Saitou <asaitou@users.sourceforge.net>
Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Sun, 13 Jun 2010 10:50:46 +0000 (10:50 +0000)]
net: rxhash already set in __copy_skb_header
No need to copy rxhash again in __skb_clone()
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
John Fastabend [Sun, 13 Jun 2010 10:36:30 +0000 (10:36 +0000)]
net: fix deliver_no_wcard regression on loopback device
deliver_no_wcard is not being set in skb_copy_header.
In the skb_cloned case it is not being cleared and
may cause the skb to be dropped when the loopback device
pushes it back up the stack.
Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Tested-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Randy Dunlap [Tue, 8 Jun 2010 07:00:20 +0000 (07:00 +0000)]
enic: fix pci_alloc_consistent argument
Fix build warning on i386 (32-bit) with 32-bit dma_addr_t:
drivers/net/enic/vnic_dev.c: In function 'vnic_dev_init_prov':
drivers/net/enic/vnic_dev.c:716: warning: passing argument 3 of 'pci_alloc_consistent' from incompatible pointer type
include/asm-generic/pci-dma-compat.h:16: note: expected 'dma_addr_t *' but argument is of type 'u64 *'
Now builds without warnings on i386 and on x86_64.
Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Cc: Scott Feldman <scofeldm@cisco.com>
Cc: Vasanthy Kolluri <vkolluri@cisco.com>
Cc: Roopa Prabhu <roprabhu@cisco.com>
Acked-by: Scott Feldman <scofeldm@cisco.com>
David S. Miller [Fri, 11 Jun 2010 19:38:23 +0000 (12:38 -0700)]
Merge branch 'wimax-2.6.35.y' of git://git./linux/kernel/git/inaky/wimax
Inaky Perez-Gonzalez [Fri, 11 Jun 2010 18:51:20 +0000 (11:51 -0700)]
wimax/i2400m: fix missing endian correction read in fw loader
i2400m_fw_hdr_check() was accessing hardware field
bcf_hdr->module_type (little endian 32) without converting to host
byte sex.
Reported-by: Данилин Михаил <mdanilin@nsg.net.ru>
Signed-off-by: Inaky Perez-Gonzalez <inaky@linux.intel.com>
Figo.zhang [Mon, 7 Jun 2010 21:13:22 +0000 (21:13 +0000)]
net8139: fix a race at the end of NAPI
fix a race at the end of NAPI complete processing, it had
better do __napi_complete() first before re-enable interrupt.
Signed-off-by:Figo.zhang <figo1802@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Daniel Turull [Fri, 11 Jun 2010 06:08:11 +0000 (23:08 -0700)]
pktgen: Fix accuracy of inter-packet delay.
This patch correct a bug in the delay of pktgen.
It makes sure the inter-packet interval is accurate.
Signed-off-by: Daniel Turull <daniel.turull@gmail.com>
Signed-off-by: Robert Olsson <robert.olsson@its.uu.se>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Tue, 8 Jun 2010 23:39:10 +0000 (23:39 +0000)]
pkt_sched: gen_estimator: add a new lock
gen_kill_estimator() / gen_new_estimator() is not always called with
RTNL held.
net/netfilter/xt_RATEEST.c is one user of these API that do not hold
RTNL, so random corruptions can occur between "tc" and "iptables".
Add a new fine grained lock instead of trying to use RTNL in netfilter.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
John Fastabend [Thu, 3 Jun 2010 09:30:11 +0000 (09:30 +0000)]
net: deliver skbs on inactive slaves to exact matches
Currently, the accelerated receive path for VLAN's will
drop packets if the real device is an inactive slave and
is not one of the special pkts tested for in
skb_bond_should_drop(). This behavior is different then
the non-accelerated path and for pkts over a bonded vlan.
For example,
vlanx -> bond0 -> ethx
will be dropped in the vlan path and not delivered to any
packet handlers at all. However,
bond0 -> vlanx -> ethx
and
bond0 -> ethx
will be delivered to handlers that match the exact dev,
because the VLAN path checks the real_dev which is not a
slave and netif_recv_skb() doesn't drop frames but only
delivers them to exact matches.
This patch adds a sk_buff flag which is used for tagging
skbs that would previously been dropped and allows the
skb to continue to skb_netif_recv(). Here we add
logic to check for the deliver_no_wcard flag and if it
is set only deliver to handlers that match exactly. This
makes both paths above consistent and gives pkt handlers
a way to identify skbs that come from inactive slaves.
Without this patch in some configurations skbs will be
delivered to handlers with exact matches and in others
be dropped out right in the vlan path.
I have tested the following 4 configurations in failover modes
and load balancing modes.
# bond0 -> ethx
# vlanx -> bond0 -> ethx
# bond0 -> vlanx -> ethx
# bond0 -> ethx
|
vlanx -> --
Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Mon, 7 Jun 2010 22:24:44 +0000 (22:24 +0000)]
ipv6: fix ICMP6_MIB_OUTERRORS
In commit
1f8438a85366 (icmp: Account for ICMP out errors), I did a typo
on IPV6 side, using ICMP6_MIB_OUTMSGS instead of ICMP6_MIB_OUTERRORS
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Timo Teräs [Thu, 10 Jun 2010 00:31:48 +0000 (17:31 -0700)]
r8169: fix mdio_read and update mdio_write according to hw specs
Realtek confirmed that a 20us delay is needed after mdio_read and
mdio_write operations. Reduce the delay in mdio_write, and add it
to mdio_read too. Also add a comment that the 20us is from hw specs.
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
Acked-by: Francois Romieu <romieu@fr.zoreil.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Wed, 9 Jun 2010 23:28:25 +0000 (16:28 -0700)]
Merge branch 'num_rx_queues' of git://kernel.ubuntu.com/rtg/net-2.6
Anton Vorontsov [Wed, 9 Jun 2010 23:27:08 +0000 (16:27 -0700)]
gianfar: Revive the driver for eTSEC devices (disable timestamping)
Since commit
cc772ab7cdcaa24d1fae332d92a1602788644f7a ("gianfar: Add
hardware RX timestamping support"), the driver no longer works on
at least MPC8313ERDB and MPC8568EMDS boards (and possibly much more
boards as well).
That's how MPC8313 Reference Manual describes RCTRL_TS_ENABLE bit:
Timestamp incoming packets as padding bytes. PAL field is set
to 8 if the PAL field is programmed to less than 8. Must be set
to zero if TMR_CTRL[TE]=0.
I see that the commit above sets this bit, but it doesn't handle
TMR_CTRL. Manfred probably had this bit set by the firmware for
his boards. But obviously this isn't true for all boards in the
wild.
Also, I recall that Freescale BSPs were explicitly disabling the
timestamping because of a performance drop.
For now, the best way to deal with this is just disable the
timestamping, and later we can discuss proper device tree bindings
and implement enabling this feature via some property.
Signed-off-by: Anton Vorontsov <avorontsov@mvista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Dan Carpenter [Mon, 7 Jun 2010 04:51:58 +0000 (04:51 +0000)]
caif: fix a couple range checks
The extra ! character means that these conditions are always false.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Sjur Braendeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Richard Cochran [Mon, 7 Jun 2010 05:39:32 +0000 (05:39 +0000)]
phylib: Add support for the LXT973 phy.
This patch implements a work around for Erratum 5, "3.3 V Fiber Speed
Selection." If the hardware wiring does not respect this erratum, then
fiber optic mode will not work properly.
Signed-off-by: Richard Cochran <richard.cochran@omicron.at>
Signed-off-by: David S. Miller <davem@davemloft.net>
Tim Gardner [Tue, 8 Jun 2010 23:51:27 +0000 (17:51 -0600)]
net: Print num_rx_queues imbalance warning only when there are allocated queues
BugLink: http://bugs.launchpad.net/bugs/591416
There are a number of network drivers (bridge, bonding, etc) that are not yet
receive multi-queue enabled and use alloc_netdev(), so don't print a
num_rx_queues imbalance warning in that case.
Also, only print the warning once for those drivers that _are_ multi-queue
enabled.
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
David S. Miller [Wed, 9 Jun 2010 18:13:23 +0000 (11:13 -0700)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6
Sven Wegener [Wed, 9 Jun 2010 14:10:57 +0000 (16:10 +0200)]
ipvs: Add missing locking during connection table hashing and unhashing
The code that hashes and unhashes connections from the connection table
is missing locking of the connection being modified, which opens up a
race condition and results in memory corruption when this race condition
is hit.
Here is what happens in pretty verbose form:
CPU 0 CPU 1
------------ ------------
An active connection is terminated and
we schedule ip_vs_conn_expire() on this
CPU to expire this connection.
IRQ assignment is changed to this CPU,
but the expire timer stays scheduled on
the other CPU.
New connection from same ip:port comes
in right before the timer expires, we
find the inactive connection in our
connection table and get a reference to
it. We proper lock the connection in
tcp_state_transition() and read the
connection flags in set_tcp_state().
ip_vs_conn_expire() gets called, we
unhash the connection from our
connection table and remove the hashed
flag in ip_vs_conn_unhash(), without
proper locking!
While still holding proper locks we
write the connection flags in
set_tcp_state() and this sets the hashed
flag again.
ip_vs_conn_expire() fails to expire the
connection, because the other CPU has
incremented the reference count. We try
to re-insert the connection into our
connection table, but this fails in
ip_vs_conn_hash(), because the hashed
flag has been set by the other CPU. We
re-schedule execution of
ip_vs_conn_expire(). Now this connection
has the hashed flag set, but isn't
actually hashed in our connection table
and has a dangling list_head.
We drop the reference we held on the
connection and schedule the expire timer
for timeouting the connection on this
CPU. Further packets won't be able to
find this connection in our connection
table.
ip_vs_conn_expire() gets called again,
we think it's already hashed, but the
list_head is dangling and while removing
the connection from our connection table
we write to the memory location where
this list_head points to.
The result will probably be a kernel oops at some other point in time.
This race condition is pretty subtle, but it can be triggered remotely.
It needs the IRQ assignment change or another circumstance where packets
coming from the same ip:port for the same service are being processed on
different CPUs. And it involves hitting the exact time at which
ip_vs_conn_expire() gets called. It can be avoided by making sure that
all packets from one connection are always processed on the same CPU and
can be made harder to exploit by changing the connection timeouts to
some custom values.
Signed-off-by: Sven Wegener <sven.wegener@stealer.net>
Cc: stable@kernel.org
Acked-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Johannes Berg [Mon, 7 Jun 2010 19:50:07 +0000 (21:50 +0200)]
mac80211: fix deauth before assoc
When we receive a deauthentication frame before
having successfully associated, we neither print
a message nor abort assocation. The former makes
it hard to debug, while the latter later causes
a warning in cfg80211 when, as will typically be
the case, association timed out.
This warning was reported by many, e.g. in
https://bugzilla.kernel.org/show_bug.cgi?id=15981,
but I couldn't initially pinpoint it. I verified
the fix by hacking hostapd to send a deauth frame
instead of an association response.
Cc: stable@kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Tested-by: Miles Lane <miles.lane@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Johannes Berg [Mon, 7 Jun 2010 19:20:38 +0000 (21:20 +0200)]
iwlwifi: add missing rcu_read_lock
Using ieee80211_find_sta() needs to be under
RCU read lock, which iwlwifi currently misses,
so fix it.
Cc: stable@kernel.org
Reported-by: Miles Lane <miles.lane@gmail.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Acked-by: Reinette Chatre <reinette.chatre@intel.com>
Tested-by: Miles Lane <miles.lane@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Holger Schurig [Mon, 7 Jun 2010 14:33:49 +0000 (16:33 +0200)]
mac80211: fix function pointer check
This makes "iw wlan0 dump survey" work again with
mac80211-based drivers that support it, e.g. ath5k.
Signed-off-by: Holger Schurig <holgerschurig@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Zhu Yi [Mon, 7 Jun 2010 06:15:43 +0000 (14:15 +0800)]
wireless: remove my name from the maintainer list
Remove my name from the MAINTAINERS file.
Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Bruno Randolf [Mon, 7 Jun 2010 04:11:19 +0000 (13:11 +0900)]
ath5k: fix NULL pointer in antenna configuration
If the channel is not set yet and we configure the antennas just store the
setting. It will be activated during the next reset, when the channel is set.
Signed-off-by: Bruno Randolf <br1@einfach.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Jason Dravet [Sat, 5 Jun 2010 20:08:29 +0000 (15:08 -0500)]
p54usb: Add device ID for Dell WLA3310 USB
Add Dell WLA3310 USB wireless card, which has a Z-Com XG-705A chipset, to the
USB Ids in p54usb.
Signed-off-by: Jason Dravet <dravet@hotmail.com>
Tested-by: Richard Gregory Tillmore <rtillmore@gmail.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Acked-by: Christian Lamparter <chunkeey@googlemail.com>
Cc: <stable@kernel.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Grazvydas Ignotas [Fri, 4 Jun 2010 23:25:47 +0000 (02:25 +0300)]
wl1251: fix a memory leak in probe
wl1251_sdio_probe() error path is missing wl1251_free_hw, add it.
Signed-off-by: Grazvydas Ignotas <notasas@gmail.com>
Acked-by: Kalle Valo <kvalo@adurom.com>
Cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Eric Dumazet [Sun, 6 Jun 2010 23:48:40 +0000 (23:48 +0000)]
ipmr: dont corrupt lists
ipmr_rules_exit() and ip6mr_rules_exit() free a list of items, but
forget to properly remove these items from list. List head is not
changed and still points to freed memory.
This can trigger a fault later when icmpv6_sk_exit() is called.
Fix is to either reinit list, or use list_del() to properly remove items
from list before freeing them.
bugzilla report : https://bugzilla.kernel.org/show_bug.cgi?id=16120
Introduced by commit
d1db275dd3f6e4 (ipv6: ip6mr: support multiple
tables) and commit
f0ad0860d01e (ipv4: ipmr: support multiple tables)
Reported-by: Alex Zhavnerchik <alex.vizor@gmail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Denis Kirjanov [Mon, 7 Jun 2010 08:13:57 +0000 (01:13 -0700)]
8139too: fix buffer overrun in rtl8139_init_board
Fix rtl_chip_info buffer overrun when we can't identify the chip.
(i = ARRAY_SIZE (rtl_chip_info) in this case)
Signed-off-by: Denis Kirjanov <dkirjanov@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Jussi Kivilinna [Mon, 7 Jun 2010 07:56:27 +0000 (00:56 -0700)]
asix: check packet size against mtu+ETH_HLEN instead of ETH_FRAME_LEN
Driver checks received packet is too large in asix_rx_fixup() and fails if it is. Problem is
that MTU might be set larger than 1500 and asix fails to work correctly with VLAN tagged
packets. The check should be 'dev->net->mtu + ETH_HLEN' instead.
Tested with AX88772.
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Timo Teräs [Sun, 6 Jun 2010 22:38:47 +0000 (15:38 -0700)]
r8169: fix random mdio_write failures
Some configurations need delay between the "write completed" indication
and new write to work reliably.
Realtek driver seems to use longer delay when polling the "write complete"
bit, so it waits long enough between writes with high probability (but
could probably break too). This patch adds a new udelay to make sure we
wait unconditionally some time after the write complete indication.
This caused a regression with XID
18000000 boards when the board specific
phy configuration writing many mdio registers was added in commit
2e955856ff (r8169: phy init for the 8169scd). Some of the configration
mdio writes would almost always fail, and depending on failure might leave
the PHY in non-working state.
Signed-off-by: Timo Teräs <timo.teras@iki.fi>
Acked-off-by: Francois Romieu <romieu@fr.zoreil.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Sun, 6 Jun 2010 22:34:40 +0000 (15:34 -0700)]
ip6mr: fix a typo in ip6mr_for_each_table()
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Emmanuel Grumbach [Sun, 23 May 2010 07:14:08 +0000 (00:14 -0700)]
iwlwifi: move sysfs_create_group to post request firmware
Move the sysfs_create_group to iwl_ucode_callback after we
have safely got the firmware.
The motivation to do this comes from a warning from lockdep which detected
that we request priv->mutex while holding s_active during a sysfs request
(show_statistics in the example copy pasted). The reverse order exists upon
request_firmware: request_firmware which is a sysfs operation
that requires s_active is run under priv->mutex.
This ensures that we don't get sysfs request before we finish to request
the firmware, avoiding this deadlock.
=======================================================
[ INFO: possible circular locking dependency detected ]
-------------------------------------------------------
cat/2595 is trying to acquire lock:
(&priv->mutex){+.+.+.}, at: [<
facfa598>] show_statistics+0x48/0x100 [iwlagn]
but task is already holding lock:
(s_active){++++.+}, at: [<
c0580ebd>] sysfs_get_active_two+0x1d/0x50
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (s_active){++++.+}:
[<
c0489b74>] __lock_acquire+0xc44/0x1230
[<
c048a1ed>] lock_acquire+0x8d/0x110
[<
c0581499>] sysfs_addrm_finish+0xe9/0x180
[<
c057f64a>] sysfs_hash_and_remove+0x4a/0x80
[<
c05829d4>] sysfs_remove_group+0x44/0xd0
[<
c0714b75>] dpm_sysfs_remove+0x15/0x20
[<
c070dac8>] device_del+0x38/0x170
[<
c070dc1e>] device_unregister+0x1e/0x60
[<
c071838d>] _request_firmware+0x29d/0x550
[<
c07186c7>] request_firmware+0x17/0x20
[<
fad01bf1>] iwl_mac_start+0xb1/0x1230 [iwlagn]
[<
fa46ba06>] ieee80211_open+0x436/0x6f0 [mac80211]
[<
c0808cd2>] dev_open+0x92/0xf0
[<
c0808b2b>] dev_change_flags+0x7b/0x190
[<
c08148e8>] do_setlink+0x178/0x3b0
[<
c0815169>] rtnl_setlink+0xf9/0x130
[<
c081453b>] rtnetlink_rcv_msg+0x1bb/0x1f0
[<
c0827ce6>] netlink_rcv_skb+0x86/0xa0
[<
c081436c>] rtnetlink_rcv+0x1c/0x30
[<
c08279c3>] netlink_unicast+0x263/0x290
[<
c0828768>] netlink_sendmsg+0x1c8/0x2a0
[<
c07f85fd>] sock_sendmsg+0xcd/0x100
[<
c07f964d>] sys_sendmsg+0x15d/0x290
[<
c07f9e6b>] sys_socketcall+0xeb/0x2a0
[<
c040ad9f>] sysenter_do_call+0x12/0x38
-> #0 (&priv->mutex){+.+.+.}:
[<
c0489f84>] __lock_acquire+0x1054/0x1230
[<
c048a1ed>] lock_acquire+0x8d/0x110
[<
c08bb358>] __mutex_lock_common+0x58/0x470
[<
c08bb84a>] mutex_lock_nested+0x3a/0x50
[<
facfa598>] show_statistics+0x48/0x100 [iwlagn]
[<
c070d219>] dev_attr_show+0x29/0x50
[<
c057fecd>] sysfs_read_file+0xdd/0x190
[<
c052880f>] vfs_read+0x9f/0x190
[<
c0528d22>] sys_read+0x42/0x70
[<
c040ad9f>] sysenter_do_call+0x12/0x38
other info that might help us debug this:
3 locks held by cat/2595:
#0: (&buffer->mutex){+.+.+.}, at: [<
c057fe25>] sysfs_read_file+0x35/0x190
#1: (s_active){++++.+}, at: [<
c0580ecd>] sysfs_get_active_two+0x2d/0x50
#2: (s_active){++++.+}, at: [<
c0580ebd>] sysfs_get_active_two+0x1d/0x50
stack backtrace:
Pid: 2595, comm: cat Not tainted 2.6.33-tp-rc4 #2
Call Trace:
[<
c08b99ab>] ? printk+0x1d/0x22
[<
c0487752>] print_circular_bug+0xc2/0xd0
[<
c0489f84>] __lock_acquire+0x1054/0x1230
[<
c0478d81>] ? sched_clock_cpu+0x121/0x180
[<
c048a1ed>] lock_acquire+0x8d/0x110
[<
facfa598>] ? show_statistics+0x48/0x100 [iwlagn]
[<
c08bb358>] __mutex_lock_common+0x58/0x470
[<
facfa598>] ? show_statistics+0x48/0x100 [iwlagn]
[<
c08bb84a>] mutex_lock_nested+0x3a/0x50
[<
facfa598>] ? show_statistics+0x48/0x100 [iwlagn]
[<
facfa598>] show_statistics+0x48/0x100 [iwlagn]
[<
c0580cf9>] ? sysfs_get_active+0x69/0xb0
[<
facfa550>] ? show_statistics+0x0/0x100 [iwlagn]
[<
c070d219>] dev_attr_show+0x29/0x50
[<
c057fecd>] sysfs_read_file+0xdd/0x190
[<
c05ff314>] ? security_file_permission+0x14/0x20
[<
c0528242>] ? rw_verify_area+0x62/0xd0
[<
c052880f>] vfs_read+0x9f/0x190
[<
c047745b>] ? up_read+0x1b/0x30
[<
c057fdf0>] ? sysfs_read_file+0x0/0x190
[<
c04af3b4>] ? audit_syscall_entry+0x1f4/0x220
[<
c0528d22>] sys_read+0x42/0x70
[<
c040ad9f>] sysenter_do_call+0x12/0x38
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Wey-Yi Guy [Wed, 2 Jun 2010 22:17:49 +0000 (15:17 -0700)]
iwlwifi: add name to Maintainers list
Add "Wey-Yi Guy" to maintainers list for iwlwifi.
Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Abhijeet Kolekar [Thu, 3 Jun 2010 04:15:10 +0000 (21:15 -0700)]
iwl3945: fix internal scan
Port of internal scan to iwl3945 missed introduction
of iwl3945_get_single_channel_for_scan.
Fix the following bug by introducing the iwl3945_get_single_channel_for_scan
http://bugzilla.intellinuxwireless.org/show_bug.cgi?id=2208
Signed-off-by: Abhijeet Kolekar <abhijeet.kolekar@intel.com>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Reinette Chatre [Thu, 20 May 2010 17:54:40 +0000 (10:54 -0700)]
iwl3945: enable stuck queue detection on 3945
We learn from
http://bugzilla.intellinuxwireless.org/show_bug.cgi?id=1834 and
https://bugzilla.redhat.com/show_bug.cgi?id=589777
that 3945 can also suffer from a stuck command queue. Enable stuck queue
detection for iwl3945 to enable recovery in this case.
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Eric Dumazet [Sat, 5 Jun 2010 10:03:30 +0000 (03:03 -0700)]
ipv6: avoid high order allocations
With mtu=9000, mld_newpack() use order-2 GFP_ATOMIC allocations, that
are very unreliable, on machines where PAGE_SIZE=4K
Limit allocated skbs to be at most one page. (order-0 allocations)
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Huang Weiyi [Fri, 4 Jun 2010 23:14:15 +0000 (16:14 -0700)]
X25: remove duplicated #include
Remove duplicated #include('s) in drivers/net/wan/x25_asy.c
Signed-off-by: Huang Weiyi <weiyi.huang@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Thu, 3 Jun 2010 05:45:47 +0000 (05:45 +0000)]
tcp: use correct net ns in cookie_v4_check()
Its better to make a route lookup in appropriate namespace.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Thu, 3 Jun 2010 09:03:58 +0000 (09:03 +0000)]
rps: tcp: fix rps_sock_flow_table table updates
I believe a moderate SYN flood attack can corrupt RFS flow table
(rps_sock_flow_table), making RPS/RFS much less effective.
Even in a normal situation, server handling short lived sessions suffer
from bad steering for the first data packet of a session, if another SYN
packet is received for another session.
We do following action in tcp_v4_rcv() :
sock_rps_save_rxhash(sk, skb->rxhash);
We should _not_ do this if sk is a LISTEN socket, as about each
packet received on a LISTEN socket has a different rxhash than
previous one.
-> RPS_NO_CPU markers are spread all over rps_sock_flow_table.
Also, it makes sense to protect sk->rxhash field changes with socket
lock (We currently can change it even if user thread owns the lock
and might use rxhash)
This patch moves sock_rps_save_rxhash() to a sock locked section,
and only for non LISTEN sockets.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ben McKeegan [Wed, 2 Jun 2010 23:14:33 +0000 (23:14 +0000)]
ppp_generic: fix multilink fragment sizes
Fix bug in multilink fragment size calculation introduced by
commit
9c705260feea6ae329bc6b6d5f6d2ef0227eda0a
"ppp: ppp_mp_explode() redesign"
Signed-off-by: Ben McKeegan <ben@netservers.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Florian Westphal [Thu, 3 Jun 2010 00:42:30 +0000 (00:42 +0000)]
syncookies: remove Kconfig text line about disabled-by-default
syncookies default to on since
e994b7c901ded7200b525a707c6da71f2cf6d4bb
(tcp: Don't make syn cookies initial setting depend on CONFIG_SYSCTL).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
John Fastabend [Thu, 3 Jun 2010 17:03:45 +0000 (17:03 +0000)]
ixgbe: only check pfc bits in hang logic if pfc is enabled
Only check pfc bits in hang logic if PFC is enabled. Previously,
if DCB was enabled but PFC was disabled the incorrect pause
bits would be checked.
Signed-off-by: John Fastabend <john.r.fastabend@intel.com>
Acked-by: Don Skidmore <donald.c.skidmore@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Steffen Klassert [Fri, 4 Jun 2010 01:57:38 +0000 (01:57 +0000)]
net: check for refcount if pop a stacked dst_entry
xfrm triggers a warning if dst_pop() drops a refcount
on a noref dst. This patch changes dst_pop() to
skb_dst_pop(). skb_dst_pop() drops the refcnt only
on a refcounted dst. Also we don't clone the child
dst_entry, so it is not refcounted and we can use
skb_dst_set_noref() in xfrm_output_one().
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bob Copeland [Fri, 4 Jun 2010 12:14:14 +0000 (08:14 -0400)]
ath5k: retain promiscuous setting
Commit
56d1de0a21db28e41741cfa0a66e18bc8d920554, "ath5k: clean up
filter flags setting" introduced a regression in monitor mode such
that the promisc filter flag would get lost.
Although we set the promisc flag when it changed, we did not
preserve it across subsequent calls to configure_filter. This patch
restores the original functionality.
Cc: stable@kernel.org
Bisected-by: weedy2887@gmail.com
Tested-by: weedy2887@gmail.com
Tested-by: Rick Farina <sidhayn@gmail.com>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Tobias Doerffel [Sat, 29 May 2010 22:02:18 +0000 (00:02 +0200)]
ath5k: depend on CONFIG_PM_SLEEP for suspend/resume functions
When building a kernel with CONFIG_PM=y but neither suspend nor
hibernate support, the compiler complains about the static functions
ath5k_pci_suspend() and ath5k_pci_resume() not being used:
drivers/net/wireless/ath/ath5k/base.c:713:12: warning: ‘ath5k_pci_suspend’ defined but not used
drivers/net/wireless/ath/ath5k/base.c:722:12: warning: ‘ath5k_pci_resume’ defined but not used
Depending on CONFIG_PM_SLEEP rather than CONFIG_PM fixes the issue.
Signed-off-by: Tobias Doerffel <tobias.doerffel@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Johannes Berg [Fri, 28 May 2010 13:22:58 +0000 (15:22 +0200)]
mac80211: process station blockack action frames from work
Processing an association response could take a bit
of time while we set up the hardware etc. During that
time, the AP might already send a blockack request.
If this happens very quickly on a fairly slow machine,
we can end up processing the blockack request before
the association processing has finished. Since the
blockack processing cannot sleep right now, we also
cannot make it wait in the driver.
As a result, sometimes on slow machines the iwlagn
driver gets totally confused, and no traffic can pass
when the aggregation setup was done before the assoc
setup completed.
I'm working on a proper fix for this, which involves
queuing all blockack category action frames from a
work struct, and also allowing the ampdu_action driver
callback to sleep, which will generally clean up the
code and make things easier.
However, this is a very involved and complex change.
To fix the problem at hand in a way that can also be
backported to stable, I've come up with this patch.
Here, I simply process all aggregation action frames
from the managed interface skb queue, which means
their processing will be serialized with processing
the association response, thereby fixing the problem.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
John W. Linville [Fri, 4 Jun 2010 18:47:35 +0000 (14:47 -0400)]
Revert "wireless: hostap, fix oops due to early probing interrupt"
This reverts commit
15920d8afc87861672e16fa95ae2764b065d6dd3.
This patch was discovered to cause some hostap devices to fail to
initialized.
https://bugzilla.kernel.org/show_bug.cgi?id=16111
Signed-off-by: John W. Linville <linville@tuxdriver.com>