aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* bridge: Replace mp->mglist hlist with a boolHerbert Xu2011-02-123-12/+9
| | | | | | | | | | | | | | As it turns out we never need to walk through the list of multicast groups subscribed by the bridge interface itself (the only time we'd want to do that is when we shut down the bridge, in which case we simply walk through all multicast groups), we don't really need to keep an hlist for mp->mglist. This means that we can replace it with just a single bit to indicate whether the bridge interface is subscribed to a group. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* bridge: Fix timer typo that may render snooping less effectiveHerbert Xu2011-02-111-2/+2
| | | | | | | | | | | | | In a couple of spots where we are supposed to modify the port group timer (p->timer) we instead modify the bridge interface group timer (mp->timer). The effect of this is mostly harmless. However, it can cause port subscriptions to be longer than they should be, thus making snooping less effective. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* bridge: Fix mglist corruption that leads to memory corruptionHerbert Xu2011-02-111-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The list mp->mglist is used to indicate whether a multicast group is active on the bridge interface itself as opposed to one of the constituent interfaces in the bridge. Unfortunately the operation that adds the mp->mglist node to the list neglected to check whether it has already been added. This leads to list corruption in the form of nodes pointing to itself. Normally this would be quite obvious as it would cause an infinite loop when walking the list. However, as this list is never actually walked (which means that we don't really need it, I'll get rid of it in a subsequent patch), this instead is hidden until we perform a delete operation on the affected nodes. As the same node may now be pointed to by more than one node, the delete operations can then cause modification of freed memory. This was observed in practice to cause corruption in 512-byte slabs, most commonly leading to crashes in jbd2. Thanks to Josef Bacik for pointing me in the right direction. Reported-by: Ian Page Hands <ihands@redhat.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* ip_gre: Add IPPROTO_GRE to flowi in ipgre_tunnel_xmitSteffen Klassert2011-02-111-0/+1
| | | | | | | | | | | Commit 5811662b15db018c740c57d037523683fd3e6123 ("net: use the macros defined for the members of flowi") accidentally removed the setting of IPPROTO_GRE from the struct flowi in ipgre_tunnel_xmit. This patch restores it. Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> Acked-by: Changli Gao <xiaosuo@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* xfrm: avoid possible oopse in xfrm_alloc_dstHiroaki SHIMODA2011-02-101-2/+5
| | | | | | | | Commit 80c802f3073e84 (xfrm: cache bundles instead of policies for outgoing flows) introduced possible oopse when dst_alloc returns NULL. Signed-off-by: Hiroaki SHIMODA <shimoda.hiroaki@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: fix ifenslave build flagsRandy Dunlap2011-02-101-0/+2
| | | | | | | | | | -I (include path) should be specified for host builds. This one was overlooked somehow. Fixes https://bugzilla.kernel.org/show_bug.cgi?id=25902 Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> Reported-by: Alexey Salmin <alexey.salmin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* virtio_net: Add schedule check to napi_enable callBruce Rogers2011-02-101-11/+16
| | | | | | | | | | | | | | | Under harsh testing conditions, including low memory, the guest would stop receiving packets. With this patch applied we no longer see any problems in the driver while performing these tests for extended periods of time. Make sure napi is scheduled subsequent to each napi_enable. Signed-off-by: Bruce Rogers <brogers@novell.com> Signed-off-by: Olaf Kirch <okir@suse.de> Cc: stable@kernel.org Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* x25: Do not reference freed memory.David S. Miller2011-02-091-1/+4
| | | | | | | | | | In x25_link_free(), we destroy 'nb' before dereferencing 'nb->dev'. Don't do this, because 'nb' might be freed by then. Reported-by: Randy Dunlap <randy.dunlap@oracle.com> Tested-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* pch_can: fix tseg1/tseg2 setting issueTomoya MORINAGA2011-02-091-2/+2
| | | | | | | | | Previous patch "[PATCH 1/3] pch_can: fix 800k comms issue" is wrong. I should have modified tseg1_min not tseg2_min. This patch reverts tseg2_min to 1 and set tseg1_min to 2. Signed-off-by: Tomoya MORINAGA <tomoya-linux@dsn.okisemi.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* isdn: hysdn: Kill (partially buggy) CVS regision log reporting.David S. Miller2011-02-094-32/+2
| | | | | | | | | | | Some cases try to modify const strings, and in any event the CVS revision strings have not changed in over ten years making these printouts completely worthless. Just kill all of this stuff off. Reported-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* can: softing_cs needs slab.hRandy Dunlap2011-02-091-0/+1
| | | | | | | | | | | | From: Randy Dunlap <randy.dunlap@oracle.com> softing_cs.c uses kzalloc & kfree, so it needs to include linux/slab.h. drivers/net/can/softing/softing_cs.c:234: error: implicit declaration of function 'kfree' drivers/net/can/softing/softing_cs.c:271: error: implicit declaration of function 'kzalloc' Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* Merge branch 'master' of ↵David S. Miller2011-02-091-2/+9
|\ | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6
| * netfilter: nf_conntrack: set conntrack templates again if we return NF_REPEATPablo Neira Ayuso2011-02-091-2/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The TCP tracking code has a special case that allows to return NF_REPEAT if we receive a new SYN packet while in TIME_WAIT state. In this situation, the TCP tracking code destroys the existing conntrack to start a new clean session. [DESTROY] tcp 6 src=192.168.0.2 dst=192.168.1.2 sport=38925 dport=8000 src=192.168.1.2 dst=192.168.1.100 sport=8000 dport=38925 [ASSURED] [NEW] tcp 6 120 SYN_SENT src=192.168.0.2 dst=192.168.1.2 sport=38925 dport=8000 [UNREPLIED] src=192.168.1.2 dst=192.168.1.100 sport=8000 dport=38925 However, this is a problem for the iptables' CT target event filtering which will not work in this case since the conntrack template will not be there for the new session. To fix this, we reassign the conntrack template to the packet if we return NF_REPEAT. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
* | pch_gbe: Fix the issue which a driver locks when rx offload is set by ethtoolToshiharu Okada2011-02-091-8/+4
| | | | | | | | | | | | | | | | This driver will be in a deadlock, When the rx offload is set by ethtool. The pch_gbe_reinit_locked function was modified. Signed-off-by: Toshiharu Okada <toshiharu-linux@dsn.okisemi.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | pch_can: fix module reload issue with MSITomoya2011-02-081-0/+1
| | | | | | | | | | | | | | | | | | | | | | Currently, in case reload pch_can, pch_can not to be able to catch interrupt. The cause is bus-master is not set in pch_can. Thus, add enabling bus-master processing. Signed-off-by: Tomoya MORINAGA <tomoya-linux@dsn.okisemi.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | pch_can: fix rmmod issueTomoya2011-02-081-1/+1
| | | | | | | | | | | | | | | | | | Currently, when rmmod pch_can, kernel failure occurs. The cause is pci_iounmap executed before pch_can_reset. Thus pci_iounmap moves after pch_can_reset. Signed-off-by: Tomoya MORINAGA <tomoya-linux@dsn.okisemi.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | pch_can: fix 800k comms issueTomoya2011-02-081-1/+1
| | | | | | | | | | | | | | | | | | Currently, 800k comms fails since prop_seg set zero. (EG20T PCH CAN register of prop_seg must be set more than 1) To prevent prop_seg set to zero, change tseg2_min 1 to 2. Signed-off-by: Tomoya MORINAGA <tomoya-linux@dsn.okisemi.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | net: Fix lockdep regression caused by initializing netdev queues too early.David S. Miller2011-02-081-11/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In commit aa9421041128abb4d269ee1dc502ff65fb3b7d69 ("net: init ingress queue") we moved the allocation and lock initialization of the queues into alloc_netdev_mq() since register_netdevice() is way too late. The problem is that dev->type is not setup until the setup() callback is invoked by alloc_netdev_mq(), and the dev->type is what determines the lockdep class to use for the locks in the queues. Fix this by doing the queue allocation after the setup() callback runs. This is safe because the setup() callback is not allowed to make any state changes that need to be undone on error (memory allocations, etc.). It may, however, make state changes that are undone by free_netdev() (such as netif_napi_add(), which is done by the ipoib driver's setup routine). The previous code also leaked a reference to the &init_net namespace object on RX/TX queue allocation failures. Signed-off-by: David S. Miller <davem@davemloft.net>
* | net/caif: Fix dangling list pointer in freed object on error.David S. Miller2011-02-081-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | rtnl_link_ops->setup(), and the "setup" callback passed to alloc_netdev*(), cannot make state changes which need to be undone on failure. There is no cleanup mechanism available at this point. So we have to add the caif private instance to the global list once we are sure that register_netdev() has succedded in ->newlink(). Otherwise, if register_netdev() fails, the caller will invoke free_netdev() and we will have a reference to freed up memory on the chnl_net_list. Signed-off-by: David S. Miller <davem@davemloft.net>
* | USB CDC NCM errata updates for cdc_ncm host driverAlexey Orishko2011-02-081-80/+147
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Specification links: - CDC NCM errata link: http://www.usb.org/developers/devclass_docs/NCM10_012011.zip - CDC and WMC errata link: http://www.usb.org/developers/devclass_docs/CDC1.2_WMC1.1_012011.zip Changes: - driver updated to match cdc.h header with errata changes - added support for USB_CDC_SET_NTB_INPUT_SIZE control request with 8 byte length - fixes to comply with specification: send only control requests supported by device, set number of datagrams for IN direction, connection speed structure update, etc. - packet loss fixed for tx direction; misleading flag renamed. - adjusted hard_mtu value. Signed-off-by: Alexey Orishko <alexey.orishko@stericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | CDC NCM errata updates for cdc.hAlexey Orishko2011-02-081-5/+18
| | | | | | | | | | | | | | | | | | | | | | | | Changes are based on the following documents: - CDC NCM errata: http://www.usb.org/developers/devclass_docs/NCM10_012011.zip - CDC and WMC errata link: http://www.usb.org/developers/devclass_docs/CDC1.2_WMC1.1_012011.zip Signed-off-by: Alexey Orishko <alexey.orishko@stericsson.com> Acked-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: David S. Miller <davem@davemloft.net>
* | Merge branch 'master' of ↵David S. Miller2011-02-088-14/+21
|\ \ | | | | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/jkirsher/net-2.6
| * | ixgbe: update version stringDon Skidmore2011-02-081-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | This will synchronize the version string with that of the latest source forge driver which shares its functionality. Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
| * | ixgbe: cleanup variable initializationDon Skidmore2011-02-081-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | The ixgbe_fcoe_ddp_get function wasn't initializing one of its variables and this was producing compiler warnings. This patch cleans that up. Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com> Tested-by: Stephen Ko <stephen.s.ko@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
| * | ixgbe: limit VF access to network trafficAlexander Duyck2011-02-082-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | This change fixes VM pool allocation issues based on MAC address filtering, as well as limits the scope of VF access to promiscuous mode. Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com> Acked-by: Greg Rose <gregory.v.rose@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
| * | ixgbe: fix for 82599 erratum on Header SplittingDon Skidmore2011-02-081-2/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We have found a hardware erratum on 82599 hardware that can lead to unpredictable behavior when Header Splitting mode is enabled. So we are no longer enabling this feature on affected hardware. Please see the 82599 Specification Update for more information. CC: stable@kernel.org Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com> Tested-by: Stephen Ko <stephen.s.ko@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
| * | ixgbe: fix variable set but not used warnings by gcc 4.6Emil Tantilov2011-02-082-6/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Caught with gcc 4.6 -Wunused-but-set-variable Remove unused napi_vectors variable. Fix the use of reset_bit in ixgbe_reset_hw_X540() Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com> Tested-by: Stephen Ko <stephen.s.ko@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
| * | e1000: add support for Marvell Alaska M88E1118R PHYFlorian Fainelli2011-02-082-1/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds support for Marvell Alask M88E188R PHY chips. Support for other M88* PHYs is already there, so there is nothing more to add than its PHY id. CC: Dirk Brandewie <dirk.j.brandewie@intel.com> Signed-off-by: Florian Fainelli <ffainelli@freebox.fr> Acked-by: Jesse Brandeburg <jesse.brandeburg@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
| * | e1000e: tx_timeout should not increment for non-hang eventsJesse Brandeburg2011-02-081-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently the driver increments the tx_timeout counter (an error counter) when simply resetting the part with outstanding transmit work pending. This is an unnecessary count of an error, when all we should be doing is just resetting the part and discarding the transmits. With this change the only increment of tx_timeout is when the stack calls the watchdog reset function due to a true Tx timeout. Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com> Reviewed-by: Bruce Allan <bruce.w.allan@intel.com> Tested-by: Jeff Pieper <jeffrey.e.pieper@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
* | | Merge branch 'master' of ↵David S. Miller2011-02-0812-9/+30
|\ \ \ | |/ / |/| | | | | git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6
| * | mac80211: fix the skb cloned check in the tx pathFelix Fietkau2011-02-071-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Using skb_header_cloned to check if it's safe to write to the skb is not enough - mac80211 also touches the tailroom of the skb. Initially this check was only used to increase a counter, however this commit changed the code to also skip skb data reallocation if no extra head/tailroom was needed: commit 4cd06a344db752f513437138953af191cbe9a691 mac80211: skip unnecessary pskb_expand_head calls It added a regression at least with iwl3945, which is fixed by this patch. Reported-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: Felix Fietkau <nbd@openwrt.org> Tested-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | iwlagn: Re-enable RF_KILL interrupt when downDon Fry2011-02-071-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | With commit 554d1d027b19265c4aa3f718b3126d2b86e09a08 only one RF_KILL interrupt will be seen by the driver when the interface is down. Re-enable the interrupt when it occurs to see all transitions. Signed-off-by: Don Fry <donald.h.fry@intel.com> Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com> Cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | ssb-pcmcia: Fix parsing of invariants tuplesMichael Büsch2011-02-071-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes parsing of the device invariants (MAC address) for PCMCIA SSB devices. ssb_pcmcia_do_get_invariants expects an iv pointer as data argument. Tested-by: dylan cristiani <d.cristiani@idem-tech.it> Signed-off-by: Michael Buesch <mb@bu3sch.de> Cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | ath9k: Fix possible double free of PAPRD skb'sMohammed Shafi Shajakhan2011-02-043-4/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch reverts the following commit ath9k: remove bfs_paprd_timestamp from struct ath_buf_state Under high interference/noisy environment conditions where PAPRD frames fails heavily introduces a possibility of double freeing skb's and causes kernel panic after some time.This patch reverts back to the original approach of using paprd_timestamp before freeing the PAPRD frame skb's [ 194.193705] Pid: 0, comm: swapper Tainted: G D WC 2.6.35-22-generic #33-Ubuntu [ 194.193712] Call Trace: [ 194.193722] [<c05c6468>] ? printk+0x2d/0x35 [ 194.193732] [<c05c63c3>] panic+0x5a/0xd2 [ 194.193741] [<c05ca3ed>] oops_end+0xcd/0xd0 [ 194.193750] [<c0105f74>] die+0x54/0x80 [ 194.193758] [<c05c9a16>] do_trap+0x96/0xc0 [ 194.193837] [<c0103fb0>] ? do_invalid_op+0x0/0xa0 [ 194.193846] [<c010403b>] do_invalid_op+0x8b/0xa0 [ 194.193856] [<c020bd4c>] ? kfree+0xec/0xf0 [ 194.193866] [<c012ce18>] ? default_spin_lock_flags+0x8/0x10 [ 194.193877] [<c01de47a>] ? free_one_page+0x12a/0x2d0 [ 194.193888] [<c01e04dc>] ? __free_pages+0x1c/0x40 [ 194.193897] [<c05c97a7>] error_code+0x73/0x78 [ 194.193906] [<c020bd4c>] ? kfree+0xec/0xf0 [ 194.193915] [<c04ecdd0>] ? skb_release_data+0x70/0xa0 [ 194.193924] [<c04ecdd0>] skb_release_data+0x70/0xa0 [ 194.193933] [<c04ec997>] __kfree_skb+0x17/0x90 [ 194.193941] [<c04eca31>] consume_skb+0x21/0x40 [ 194.193964] [<f85e0b70>] ieee80211_tx_status+0x760/0x860 [mac80211] [ 194.193979] [<f85caddf>] ath_tx_complete_buf+0x1bf/0x2c0 [ath9k] [ 194.193988] [<c05c8b9f>] ? _raw_spin_lock_irqsave+0x2f/0x50 [ 194.193997] [<c04ec40e>] ? skb_queue_tail+0x3e/0x50 [ 194.194010] [<f85cc803>] ath_tx_complete_aggr+0x823/0x940 [ath9k] [ 194.194021] [<c0108a28>] ? sched_clock+0x8/0x10 [ 194.194030] [<c016bf14>] ? sched_clock_local+0xa4/0x180 [ 194.194040] [<c0139f57>] ? enqueue_sleeper+0x1e7/0x2b0 [ 194.194051] [<c013a194>] ? enqueue_entity+0x174/0x200 [ 194.194064] [<f85ce83d>] ath_tx_edma_tasklet+0x2bd/0x3b0 [ath9k] [ 194.194074] [<c05c8b9f>] ? _raw_spin_lock_irqsave+0x2f/0x50 [ 194.194088] [<f85c7b9f>] ath9k_tasklet+0x9f/0x190 [ath9k] [ 194.194097] [<c01505d7>] tasklet_action+0xa7/0xb0 [ 194.194107] [<c015127c>] __do_softirq+0x9c/0x1b0 [ 194.194117] [<c01a7f64>] ? irq_to_desc+0x14/0x20 [ 194.194126] [<c0124fc4>] ? ack_apic_level+0x64/0x1f0 [ 194.194136] [<c01513d5>] do_softirq+0x45/0x50 [ 194.194145] [<c0151545>] irq_exit+0x65/0x70 [ 194.194153] [<c05cf665>] do_IRQ+0x55/0xc0 [ 194.194162] [<c016a6c7>] ? hrtimer_start+0x27/0x30 [ 194.194171] [<c0103630>] common_interrupt+0x30/0x38 [ 194.194181] [<c012c21a>] ? native_safe_halt+0xa/0x10 [ 194.194268] [<c010a2f9>] default_idle+0x49/0xb0 [ 194.194277] [<c0101fcc>] cpu_idle+0x8c/0xd0 [ 194.194286] [<c05b2431>] rest_init+0x71/0x80 [ 194.194295] [<c081981a>] start_kernel+0x36e/0x374 [ 194.194305] [<c08199dd>] ? pass_all_bootoptions+0x0/0xa [ 194.194314] [<c08190d7>] i386_start_kernel+0xd7/0xdf [ 194.194364] panic occurred, switching back to text console Signed-off-by: Mohammed Shafi Shajakhan <mshajakhan@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | carl9170: fix typo in PS codeChristian Lamparter2011-02-041-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes a off-by-one bug which bugged the driver's PS-POLL capability. Cc: <stable@kernel.org> Signed-off-by: Christian Lamparter <chunkeey@googlemail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | wireless, wl1251: Fix potential NULL pointer dereference in ↵Jesper Juhl2011-02-031-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | wl1251_op_bss_info_changed() In drivers/net/wireless/wl1251/main.c:wl1251_op_bss_info_changed() we make a call to ieee80211_beacon_get() which may return NULL, but we do not check the return value before dereferencing the pointer. Signed-off-by: Jesper Juhl <jj@chaosbits.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | mac80211: fix TX status cookie in HW offload caseJohannes Berg2011-02-023-2/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the off-channel TX is done with remain-on-channel offloaded to hardware, the reported cookie is wrong as in that case we shouldn't use the SKB as the cookie but need to instead use the corresponding r-o-c cookie (XOR'ed with 2 to prevent API mismatches). Fix this by keeping track of the hw_roc_skb pointer just for the status processing and use the correct cookie to report in this case. We can't use the hw_roc_skb pointer itself because it is NULL'ed when the frame is transmitted to prevent it being used twice. This fixes a bug where the P2P state machine in the supplicant gets stuck because it never gets a correct result for its transmitted frame. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | iwlagn: overwrite EEPROM chain setting for 6250 devicesWey-Yi Guy2011-02-021-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 6250 2x2 devices have 2 tx chain and 2 rx chain. For some reason, the EEPROM contain incorrect information and indicate it only has single tx chain. overwrite it with .cfg parameter to make sure both chain 'A' and chain 'B' can be used for transmit and receive Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
* | | Merge branch 'batman-adv/merge' of git://git.open-mesh.org/ecsv/linux-mergeDavid S. Miller2011-02-071-5/+10
|\ \ \
| * | | batman-adv: Linearize fragment packets before mergeSven Eckelmann2011-02-081-5/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We access the data inside the skbs of two fragments directly using memmove during the merge. The data of the skb could span over multiple skb pages. An direct access without knowledge about the pages would lead to an invalid memory access. Signed-off-by: Sven Eckelmann <sven@narfation.org> [lindner_marek@yahoo.de: Move return from function to the end] Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
* | | | x25: possible skb leak on bad facilitiesandrew hendry2011-02-072-12/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Originally x25_parse_facilities returned -1 for an error 0 meaning 0 length facilities >0 the length of the facilities parsed. 5ef41308f94dc ("x25: Prevent crashing when parsing bad X.25 facilities") introduced more error checking in x25_parse_facilities however used 0 to indicate bad parsing a6331d6f9a429 ("memory corruption in X.25 facilities parsing") followed this further for DTE facilities, again using 0 for bad parsing. The meaning of 0 got confused in the callers. If the facilities are messed up we can't determine where the data starts. So patch makes all parsing errors return -1 and ensures callers close and don't use the skb further. Reported-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: Andrew Hendry <andrew.hendry@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | | bnx2x: Duplication in promisc modeVladislav Zolotarov2011-02-061-9/+23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Prevent packets duplication for frames targeting FCoE L2 ring: packets were arriving to stack from both L2 RSS and from FCoE L2 in a promiscuous mode. Configure FCoE L2 ring to DROP_ALL rx mode, when interface is configured to PROMISC, and to accept only unicast frames, when interface is configured to ALL_MULTI. Signed-off-by: Vladislav Zolotarov <vladz@broadcom.com> Signed-off-by: Eilon Greenstein <eilong@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | | sis900: Fix mem leak in sis900_rx error pathJesper Juhl2011-02-051-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix memory leak in error path of sis900_rx(). If we don't do this we'll leak the skb we dev_alloc_skb()'ed just a few lines above when the variable goes out of scope. Signed-off-by: Jesper Juhl <jj@chaosbits.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | | benet: Avoid potential null deref in be_cmd_get_seeprom_data()Ajit Khaparde2011-02-051-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Found by: Jesper Juhl <jj@chaosbits.net> Signed-off-by: Ajit Khaparde <ajit.khaparde@emulex.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | | net: can: janz-ican3: world-writable sysfs termination fileVasiliy Kulikov2011-02-041-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Don't allow everybody to set terminator via sysfs. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | | net: can: at91_can: world-writable sysfs filesVasiliy Kulikov2011-02-041-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Don't allow everybody to write to mb0_id file. Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Acked-by: Kurt Van Dijck <kurt.van.dijck@eia.be> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | | MAINTAINERS: update email ids of the be2net driver maintainers.Ajit Khaparde2011-02-041-5/+4
| | | | | | | | | | | | | | | | | | | | Signed-off-by: Ajit Khaparde <ajit.khaparde@emulex.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | | bridge: Don't put partly initialized fdb into hashPavel Emelyanov2011-02-041-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The fdb_create() puts a new fdb into hash with only addr set. This is not good, since there are callers, that search the hash w/o the lock and access all the other its fields. Applies to current netdev tree. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | | r8169: prevent RxFIFO induced loops in the irq handler.Francois Romieu2011-02-041-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | While the RxFIFO interruption is masked for most 8168, nothing prevents it to appear in the irq status word. This is no excuse to crash. Signed-off-by: Francois Romieu <romieu@fr.zoreil.com> Cc: Ivan Vecera <ivecera@redhat.com> Cc: Hayes <hayeswang@realtek.com>
* | | | r8169: RxFIFO overflow oddities with 8168 chipsets.Francois Romieu2011-02-041-9/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Some experiment-based action to prevent my 8168 chipsets locking-up hard in the irq handler under load (pktgen ~1Mpps). Apparently a reset is not always mandatory (is it at all ?). - RTL_GIGA_MAC_VER_12 - RTL_GIGA_MAC_VER_25 Missed ~55% packets. Note: - this is an old SiS 965L motherboard - the 8168 chipset emits (lots of) control frames towards the sender - RTL_GIGA_MAC_VER_26 The chipset does not go into a frenzy of mac control pause when it crashes yet but it can still be crashed. It needs more work. Signed-off-by: Francois Romieu <romieu@fr.zoreil.com> Cc: Ivan Vecera <ivecera@redhat.com> Cc: Hayes <hayeswang@realtek.com>