firefly-linux-kernel-4.4.55.git
14 years agoepic100: hamachi: yellowfin: Fix skb allocation size
Jarek Poplawski [Sat, 25 Dec 2010 07:39:59 +0000 (07:39 +0000)]
epic100: hamachi: yellowfin: Fix skb allocation size

Joel Soete reported oopses during pppoe over sundance NIC, caused by
a bug in skb allocation and dma mapping code, where skb_reserve()
bytes weren't taken into account. As a followup to the patch:
"sundance: Fix oopses with corrupted skb_shared_info" very similar
code is fixed here for three other drivers.

Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Cc: Joel Soete <soete.joel@scarlet.be>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agosundance: Fix oopses with corrupted skb_shared_info
Jarek Poplawski [Sat, 25 Dec 2010 05:12:17 +0000 (05:12 +0000)]
sundance: Fix oopses with corrupted skb_shared_info

Joel Soete reported oopses at the beginning of pppoe connections since
v2.6.35. After debugging the bug was found in sundance skb allocation
and dma mapping code, where skb_reserve() bytes aren't taken into
account. This is an old bug, only uncovered by some change in 2.6.35.

Initial debugging patch by: Eric Dumazet <eric.dumazet@gmail.com>

Reported-by: Joel Soete <soete.joel@scarlet.be>
Tested-by: Joel Soete <soete.joel@scarlet.be>
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoRevert "ipv4: Allow configuring subnets as local addresses"
David S. Miller [Thu, 23 Dec 2010 20:03:57 +0000 (12:03 -0800)]
Revert "ipv4: Allow configuring subnets as local addresses"

This reverts commit 4465b469008bc03b98a1b8df4e9ae501b6c69d4b.

Conflicts:

net/ipv4/fib_frontend.c

As reported by Ben Greear, this causes regressions:

> Change 4465b469008bc03b98a1b8df4e9ae501b6c69d4b caused rules
> to stop matching the input device properly because the
> FLOWI_FLAG_MATCH_ANY_IIF is always defined in ip_dev_find().
>
> This breaks rules such as:
>
> ip rule add pref 512 lookup local
> ip rule del pref 0 lookup local
> ip link set eth2 up
> ip -4 addr add 172.16.0.102/24 broadcast 172.16.0.255 dev eth2
> ip rule add to 172.16.0.102 iif eth2 lookup local pref 10
> ip rule add iif eth2 lookup 10001 pref 20
> ip route add 172.16.0.0/24 dev eth2 table 10001
> ip route add unreachable 0/0 table 10001
>
> If you had a second interface 'eth0' that was on a different
> subnet, pinging a system on that interface would fail:
>
>   [root@ct503-60 ~]# ping 192.168.100.1
>   connect: Invalid argument

Reported-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoUSB: mcs7830: return negative if auto negotiate fails
Dan Carpenter [Fri, 17 Dec 2010 03:25:43 +0000 (03:25 +0000)]
USB: mcs7830: return negative if auto negotiate fails

The original code returns 0 on success and 1 on failure.  In fact, at
this point, "ret" is already either zero or a negative error code so
we can just return it directly.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoirda: prevent integer underflow in IRLMP_ENUMDEVICES
Dan Rosenberg [Wed, 22 Dec 2010 13:58:27 +0000 (13:58 +0000)]
irda: prevent integer underflow in IRLMP_ENUMDEVICES

If the user-provided len is less than the expected offset, the
IRLMP_ENUMDEVICES getsockopt will do a copy_to_user() with a very large
size value.  While this isn't be a security issue on x86 because it will
get caught by the access_ok() check, it may leak large amounts of kernel
heap on other architectures.  In any event, this patch fixes it.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agotcp: fix listening_get_next()
Eric Dumazet [Thu, 23 Dec 2010 17:32:46 +0000 (09:32 -0800)]
tcp: fix listening_get_next()

Alexey Vlasov found /proc/net/tcp could sometime loop and display
millions of sockets in LISTEN state.

In 2.6.29, when we converted TCP hash tables to RCU, we left two
sk_next() calls in listening_get_next().

We must instead use sk_nulls_next() to properly detect an end of chain.

Reported-by: Alexey Vlasov <renton@renton.name>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoMerge branch 'master' of ssh://master.kernel.org/pub/scm/linux/kernel/git/linville...
David S. Miller [Thu, 23 Dec 2010 01:34:40 +0000 (17:34 -0800)]
Merge branch 'master' of ssh:///linux/kernel/git/linville/wireless-2.6

14 years agoatl1c: Do not use legacy PCI power management
Rafael J. Wysocki [Wed, 22 Dec 2010 03:07:52 +0000 (03:07 +0000)]
atl1c: Do not use legacy PCI power management

The atl1c driver uses the legacy PCI power management, so it has to
do some PCI-specific things in its ->suspend() and ->resume()
callbacks and they are not done correctly.

Convert atl1c to the new PCI power management framework and make it
let the PCI subsystem handle all of the PCI-specific aspects of
device handling during system power transitions.

Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agomac80211: fix mesh forwarding
Johannes Berg [Wed, 22 Dec 2010 09:15:07 +0000 (10:15 +0100)]
mac80211: fix mesh forwarding

Under memory pressure, the mac80211 mesh code
may helpfully print a message that it failed
to clone a mesh frame and then will proceed
to crash trying to use it anyway. Fix that.

Cc: stable@kernel.org [2.6.27+]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Acked-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoMAINTAINERS: email address change
Don Fry [Wed, 22 Dec 2010 03:58:15 +0000 (19:58 -0800)]
MAINTAINERS: email address change

My ISP has changed and therefore my email address.

Signed-off-by: Don Fry <pcnet32@frontier.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet: Fix range checks in tcf_valid_offset().
David S. Miller [Tue, 21 Dec 2010 20:43:16 +0000 (12:43 -0800)]
net: Fix range checks in tcf_valid_offset().

This function has three bugs:

1) The offset should be valid most of the time, this is just
   a sanity check, therefore we should use "likely" not "unlikely"

2) This is the only place where we can check for arithmetic overflow
   of the pointer plus the length.

3) The existing range checks are off by one, the valid range is
   skb->head to skb_tail_pointer(), inclusive.

Based almost entirely upon a patch by Ralph Loader.

Reported-by: Ralph Loader <suckfish@ihug.co.nz>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet_sched: sch_sfq: fix allot handling
Eric Dumazet [Mon, 20 Dec 2010 21:18:16 +0000 (13:18 -0800)]
net_sched: sch_sfq: fix allot handling

When deploying SFQ/IFB here at work, I found the allot management was
pretty wrong in sfq, even changing allot from short to int...

We should init allot for each new flow, not using a previous value found
in slot.

Before patch, I saw bursts of several packets per flow, apparently
denying the default "quantum 1514" limit I had on my SFQ class.

class sfq 11:1 parent 11:
 (dropped 0, overlimits 0 requeues 0)
 backlog 0b 7p requeues 0
 allot 11546

class sfq 11:46 parent 11:
 (dropped 0, overlimits 0 requeues 0)
 backlog 0b 1p requeues 0
 allot -23873

class sfq 11:78 parent 11:
 (dropped 0, overlimits 0 requeues 0)
 backlog 0b 5p requeues 0
 allot 11393

After patch, better fairness among each flow, allot limit being
respected, allot is positive :

class sfq 11:e parent 11:
 (dropped 0, overlimits 0 requeues 86)
 backlog 0b 3p requeues 86
 allot 596

class sfq 11:94 parent 11:
 (dropped 0, overlimits 0 requeues 0)
 backlog 0b 3p requeues 0
 allot 1468

class sfq 11:a4 parent 11:
 (dropped 0, overlimits 0 requeues 0)
 backlog 0b 4p requeues 0
 allot 650

class sfq 11:bb parent 11:
 (dropped 0, overlimits 0 requeues 0)
 backlog 0b 3p requeues 0
 allot 596

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agohostap: remove netif_stop_queue from init
Meelis Roos [Fri, 17 Dec 2010 21:27:50 +0000 (23:27 +0200)]
hostap: remove netif_stop_queue from init

Fix runtime warning with backtrace from hostap by removing
netif_stop_queue() call before register_netdev. Tested to work fine on
hostap_pci Prism 2.5.

(This removes a warning about calling netif_stop_queue before
register_netdev is called. -- JWL)

Signed-off-by: Meelis Roos <mroos@linux.ee>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agomac80211/rt2x00: add ieee80211_tx_status_ni()
Johannes Stezenbach [Tue, 30 Nov 2010 15:49:23 +0000 (16:49 +0100)]
mac80211/rt2x00: add ieee80211_tx_status_ni()

All rt2x00 drivers except rt2800pci call ieee80211_tx_status() from
a workqueue, which causes "NOHZ: local_softirq_pending 08" messages.

To fix it, add ieee80211_tx_status_ni() similar to ieee80211_rx_ni()
which can be called from process context, and call it from
rt2x00lib_txdone().  For the rt2800pci special case a driver
flag is introduced.

https://bugzilla.kernel.org/show_bug.cgi?id=24892

Signed-off-by: Johannes Stezenbach <js@sig21.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agotyphoon: memory corruption in typhoon_get_drvinfo()
Dan Carpenter [Mon, 20 Dec 2010 18:43:02 +0000 (10:43 -0800)]
typhoon: memory corruption in typhoon_get_drvinfo()

info->version only has space for 32 characters but my UTS_RELEASE is
"2.6.37-rc6-next-20101217-05817-ge935fc8-dirty" so it doesn't fit.
This is supposed to be the version of the driver, not the kernel
version.  This driver doesn't have a version so lets just leave it
blank.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet: Add USB PID for new MOSCHIP USB ethernet controller MCS7832 variant
Andreas Mohr [Mon, 20 Dec 2010 18:38:47 +0000 (10:38 -0800)]
net: Add USB PID for new MOSCHIP USB ethernet controller MCS7832 variant

Due to active notification of the new MCS7832 version by the manufacturer
(Mr. Milton; thanks!) -- quote: "functionality same as MCS7830",
I'm now submitting this patch (on -rc6), intended for networking.git and -stable.

- add MCS7832 USB PID to be able to support this new device variant, too
- add related descriptions

Signed-off-by: Andreas Mohr <andi@lisas.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet_sched: always clone skbs
Changli Gao [Mon, 20 Dec 2010 04:35:30 +0000 (04:35 +0000)]
net_sched: always clone skbs

Pawel reported a panic related to handling shared skbs in ixgbe
incorrectly. So we need to revert my previous patch to work around
this bug. Instead of reverting the patch completely, I just revert
the essential lines, so we can add the previous optimization
back more easily in future.

    commit 3511c9132f8b1e1b5634e41a3331c44b0c13be70
    Author: Changli Gao <xiaosuo@gmail.com>
    Date:   Sat Oct 16 13:04:08 2010 +0000

        net_sched: remove the unused parameter of qdisc_create_dflt()

Reported-by: Pawel Staszewski <pstaszewski@itcare.pl>
Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoipv6: Fragment locally generated tunnel-mode IPSec6 packets as needed.
David Stevens [Fri, 17 Dec 2010 11:42:42 +0000 (11:42 +0000)]
ipv6: Fragment locally generated tunnel-mode IPSec6 packets as needed.

This patch modifies IPsec6 to fragment IPv6 packets that are
locally generated as needed.

This version of the patch only fragments in tunnel mode, so that fragment
headers will not be obscured by ESP in transport mode.

Signed-off-by: David L Stevens <dlstevens@us.ibm.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonetlink: fix gcc -Wconversion compilation warning
Dmitry V. Levin [Fri, 17 Dec 2010 20:03:14 +0000 (12:03 -0800)]
netlink: fix gcc -Wconversion compilation warning

$ cat << EOF | gcc -Wconversion -xc -S -o/dev/null -
unsigned f(void) {return NLMSG_HDRLEN;}
EOF
<stdin>: In function 'f':
<stdin>:3:26: warning: negative integer implicitly converted to unsigned type

Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Signed-off-by: Kirill A. Shutemov <kirill@shutemov.name>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoasix: add USB ID for Logitec LAN-GTJ U2A
Arnaud Ebalard [Wed, 15 Dec 2010 12:16:30 +0000 (12:16 +0000)]
asix: add USB ID for Logitec LAN-GTJ U2A

Logitec LAN-GTJ U2A (http://www.pro.logitec.co.jp/pro/g/gLAN-GTJU2A/)
USB 2.0 10/10/1000 Ethernet adapter is based on ASIX AX88178 chipset.

This patch adds missing USB ID for the device.

Signed-off-by: Arnaud Ebalard <arno@natisbad.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agotehuti: Firmware filename is tehuti/bdx.bin
Ben Hutchings [Fri, 17 Dec 2010 18:16:23 +0000 (10:16 -0800)]
tehuti: Firmware filename is tehuti/bdx.bin

My conversion of tehuti to use request_firmware() was confused about
the filename of the firmware blob.  Change the driver to match the
blob.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoipv6: don't flush routes when setting loopback down
stephen hemminger [Thu, 16 Dec 2010 11:28:12 +0000 (11:28 +0000)]
ipv6: don't flush routes when setting loopback down

When loopback device is being brought down, then keep the route table
entries because they are special. The entries in the local table for
linklocal routes and ::1 address should not be purged.

This is a sub optimal solution to the problem and should be replaced
by a better fix in future.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agosctp: fix the return value of getting the sctp partial delivery point
Wei Yongjun [Tue, 14 Dec 2010 16:10:41 +0000 (16:10 +0000)]
sctp: fix the return value of getting the sctp partial delivery point

Get the sctp partial delivery point using SCTP_PARTIAL_DELIVERY_POINT
socket option should return 0 if success, not -ENOTSUPP.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet/veth: Fix packet checksumming
Michał Mirosław [Tue, 14 Dec 2010 12:35:13 +0000 (12:35 +0000)]
net/veth: Fix packet checksumming

We can't change ip_summed from CHECKSUM_PARTIAL to CHECKSUM_NONE
or CHECKSUM_UNNECESSARY because checksum in packet's headers is
not valid and will cause invalid checksum when frame is forwarded.

Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobridge: fix IPv6 queries for bridge multicast snooping
David Stevens [Tue, 14 Dec 2010 08:42:16 +0000 (08:42 +0000)]
bridge: fix IPv6 queries for bridge multicast snooping

This patch fixes a missing ntohs() for bridge IPv6 multicast snooping.

Signed-off-by: David L Stevens <dlstevens@us.ibm.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet: fix nulls list corruptions in sk_prot_alloc
Octavian Purdila [Thu, 16 Dec 2010 22:26:56 +0000 (14:26 -0800)]
net: fix nulls list corruptions in sk_prot_alloc

Special care is taken inside sk_port_alloc to avoid overwriting
skc_node/skc_nulls_node. We should also avoid overwriting
skc_bind_node/skc_portaddr_node.

The patch fixes the following crash:

 BUG: unable to handle kernel paging request at fffffffffffffff0
 IP: [<ffffffff812ec6dd>] udp4_lib_lookup2+0xad/0x370
 [<ffffffff812ecc22>] __udp4_lib_lookup+0x282/0x360
 [<ffffffff812ed63e>] __udp4_lib_rcv+0x31e/0x700
 [<ffffffff812bba45>] ? ip_local_deliver_finish+0x65/0x190
 [<ffffffff812bbbf8>] ? ip_local_deliver+0x88/0xa0
 [<ffffffff812eda35>] udp_rcv+0x15/0x20
 [<ffffffff812bba45>] ip_local_deliver_finish+0x65/0x190
 [<ffffffff812bbbf8>] ip_local_deliver+0x88/0xa0
 [<ffffffff812bb2cd>] ip_rcv_finish+0x32d/0x6f0
 [<ffffffff8128c14c>] ? netif_receive_skb+0x99c/0x11c0
 [<ffffffff812bb94b>] ip_rcv+0x2bb/0x350
 [<ffffffff8128c14c>] netif_receive_skb+0x99c/0x11c0

Signed-off-by: Leonard Crestez <lcrestez@ixiacom.com>
Signed-off-by: Octavian Purdila <opurdila@ixiacom.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobe2net: use mutex instead of spin lock for mbox_lock
Ivan Vecera [Tue, 14 Dec 2010 05:43:19 +0000 (05:43 +0000)]
be2net: use mutex instead of spin lock for mbox_lock

Since the mbox polling uses the schedule_timeout, the mbox_lock should be
a mutex and not a spin lock.
The commit f25b03a replaced udelay() with schedule_timeout() but didn't
change mbox_lock to semaphore or mutex.

Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobonding/vlan: Fix mangled NAs on slaves without VLAN tag insertion
Ben Hutchings [Mon, 13 Dec 2010 08:20:24 +0000 (08:20 +0000)]
bonding/vlan: Fix mangled NAs on slaves without VLAN tag insertion

bond_na_send() attempts to insert a VLAN tag in between building and
sending packets of the respective formats.  If the slave does not
implement hardware VLAN tag insertion then vlan_put_tag() will mangle
the network-layer header because the Ethernet header is not present at
this point (unlike in bond_arp_send()).

Fix this by adding the tag out-of-line and relying on
dev_hard_start_xmit() to insert it inline if necessary.

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Reviewed-by: Jesse Gross <jesse@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobonding: Change active slave quietly when bond is down
Ben Hutchings [Mon, 13 Dec 2010 08:19:56 +0000 (08:19 +0000)]
bonding: Change active slave quietly when bond is down

bond_change_active_slave() may be called when a slave is added, even
if the bond has not been brought up yet.  It may then attempt to send
packets, and further it may use mcast_work which is uninitialised
before the bond is brought up.  Add the necessary checks for
netif_running(bond->dev).

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobonding/vlan: Remove redundant VLAN tag insertion logic
Ben Hutchings [Mon, 13 Dec 2010 08:19:28 +0000 (08:19 +0000)]
bonding/vlan: Remove redundant VLAN tag insertion logic

A bond may have a mixture of slave devices with and without hardware
VLAN tag insertion capability.  Therefore it always claims this
capability and performs software VLAN tag insertion if the slave does
not.

Since commit 7b9c60903714bf0a19d746b228864bad3497284e, this has
also been done by dev_hard_start_xmit().  The result is that VLAN-
tagged skbs are now double-tagged when transmitted through slave
devices without hardware VLAN tag insertion!

Remove the now-redundant logic from bond_dev_queue_xmit().

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Reviewed-by: Jesse Gross <jesse@nicira.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoaxnet_cs: move id (0x1bf, 0x2328) to axnet_cs
Ken Kawasaki [Mon, 13 Dec 2010 02:27:24 +0000 (02:27 +0000)]
axnet_cs: move id (0x1bf, 0x2328) to axnet_cs

axnet_cs:
    Accton EN2328 or compatible (id: 0x01bf, 0x2328) uses Asix chip.
    So it works better with axnet_cs instead of pcnet_cs.

Signed-off-by: Ken Kawasaki <ken_kawasaki@spring.nifty.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoipv6: delete expired route in ip6_pmtu_deliver
Andrey Vagin [Sat, 11 Dec 2010 15:20:11 +0000 (15:20 +0000)]
ipv6: delete expired route in ip6_pmtu_deliver

The first big packets sent to a "low-MTU" client correctly
triggers the creation of a temporary route containing the reduced MTU.

But after the temporary route has expired, new ICMP6 "packet too big"
will be sent, rt6_pmtu_discovery will find the previous EXPIRED route
check that its mtu isn't bigger then in icmp packet and do nothing
before the temporary route will not deleted by gc.

I make the simple experiment:
while :; do
    time ( dd if=/dev/zero bs=10K count=1 | ssh hostname dd of=/dev/null ) || break;
done

The "time" reports real 0m0.197s if a temporary route isn't expired, but
it reports real 0m52.837s (!!!!) immediately after a temporare route has
expired.

Signed-off-by: Andrey Vagin <avagin@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobonding: Fix slave selection bug.
Hillf Danton [Fri, 10 Dec 2010 18:54:11 +0000 (18:54 +0000)]
bonding: Fix slave selection bug.

The returned slave is incorrect, if the net device under check is not
charged yet by the master.

Signed-off-by: Hillf Danton <dhillf@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirel...
David S. Miller [Wed, 15 Dec 2010 17:43:13 +0000 (09:43 -0800)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6

14 years agop54usb: New USB ID for Gemtek WUBI-100GW
Eduardo Costa [Tue, 14 Dec 2010 20:37:59 +0000 (14:37 -0600)]
p54usb: New USB ID for Gemtek WUBI-100GW

This USB ID is for the WUBI-100GW 802.11g Wireless LAN USB Device that
uses p54usb.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Eduardo Costa <ecosta.tmp@gmail.com>
Cc: Stable <stable@kernel.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agomac80211: avoid calling ieee80211_work_work unconditionally
Herton Ronaldo Krzesinski [Mon, 13 Dec 2010 13:43:51 +0000 (11:43 -0200)]
mac80211: avoid calling ieee80211_work_work unconditionally

On suspend, there might be usb wireless drivers which wrongly trigger
the warning in ieee80211_work_work. If an usb driver doesn't have a
suspend hook, the usb stack will disconnect the device. On disconnect,
a mac80211 driver calls ieee80211_unregister_hw, which calls dev_close,
which calls ieee80211_stop, and in the end calls ieee80211_work_purge->
ieee80211_work_work.

The problem is that this call to ieee80211_work_purge comes after
mac80211 is suspended, triggering the warning even when we don't have
work queued in work_list (the expected case when already suspended),
because it always calls ieee80211_work_work.

So, just call ieee80211_work_work in ieee80211_work_purge if we really
have to abort work. This addresses the warning reported at
https://bugzilla.kernel.org/show_bug.cgi?id=24402

Signed-off-by: Herton Ronaldo Krzesinski <herton@mandriva.com.br>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agop54usb: add 5 more USBIDs
Christian Lamparter [Sat, 11 Dec 2010 11:19:48 +0000 (12:19 +0100)]
p54usb: add 5 more USBIDs

This patch adds five more USBIDs to the table.

Source:
http://www.linuxant.com/pipermail/driverloader/2005q3/002307.html
http://wireless.kernel.org/en/users/Drivers/p54/devices (by M. Davis)

Cc: <stable@kernel.org>
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agomac80211: Fix NULL-pointer deference on ibss merge when not ready
Tim Harvey [Thu, 9 Dec 2010 18:43:13 +0000 (10:43 -0800)]
mac80211: Fix NULL-pointer deference on ibss merge when not ready

dev_open will eventually call ieee80211_ibss_join which sets up the
skb used for beacons/probe-responses however it is possible to
receive beacons that attempt to merge before this occurs causing
a null pointer dereference.  Check ssid_len as that is the last
thing set in ieee80211_ibss_join.

This occurs quite easily in the presence of adhoc nodes with hidden SSID's

revised previous patch to check further up based on irc feedback

Signed-off-by: Tim Harvey <harvey.tim@gmail.com>
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agolibertas: fix potential NULL-pointer dereference
Sven Neumann [Thu, 9 Dec 2010 08:38:36 +0000 (09:38 +0100)]
libertas: fix potential NULL-pointer dereference

The code wants to check if there's a channel and it is not disabled,
but it used to check if channel is not NULL and accessed the channel
struct if this check failed.

Signed-off-by: Sven Neumann <s.neumann@raumfeld.com>
Acked-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/padovan/blueto...
John W. Linville [Mon, 13 Dec 2010 19:41:23 +0000 (14:41 -0500)]
Merge branch 'master' of git://git./linux/kernel/git/padovan/bluetooth-2.6

14 years agopppoe.c: Fix kernel panic caused by __pppoe_xmit
Andrej Ota [Sun, 12 Dec 2010 23:06:16 +0000 (15:06 -0800)]
pppoe.c: Fix kernel panic caused by __pppoe_xmit

__pppoe_xmit function return value was invalid resulting in
additional call to kfree_skb on already freed skb. This resulted in
memory corruption and consequent kernel panic after PPPoE peer
terminated the link.

This fixes commit 55c95e738da85373965cb03b4f975d0fd559865b.

Reported-by: Gorik Van Steenberge <gvs@zemos.net>
Reported-by: Daniel Kenzelmann <kernel.bugzilla@kenzelmann.dyndns.info>
Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
Reported-by: Pawel Staszewski <pstaszewski@artcom.pl>
Diagnosed-by: Andrej Ota <andrej@ota.si>
Diagnosed-by: Eric Dumazet <eric.dumazet@gmail.com>
Tested-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com>
Tested-by: Pawel Staszewski <pstaszewski@artcom.pl>
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Signed-off-by: Andrej Ota <andrej@ota.si>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoWAN: Fix a TX IRQ causing BUG() in PC300 and PCI200SYN drivers.
Krzysztof Halasa [Sun, 12 Dec 2010 12:06:47 +0000 (12:06 +0000)]
WAN: Fix a TX IRQ causing BUG() in PC300 and PCI200SYN drivers.

We must not wake the TX queue without free TX descriptors.
sca_xmit() expects at least one free descriptor and BUGs otherwise.

Problem reported and fix tested by Bernie Innocenti and Ward Vandewege.

Signed-off-by: Krzysztof Hałasa <khc@pm.waw.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobnx2x: Advance a version number to 1.60.01-0
Vladislav Zolotarov [Sun, 12 Dec 2010 04:12:29 +0000 (04:12 +0000)]
bnx2x: Advance a version number to 1.60.01-0

Signed-off-by: Vladislav Zolotarov <vladz@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobnx2x: Fixed a compilation warning
Vladislav Zolotarov [Sun, 12 Dec 2010 04:12:12 +0000 (04:12 +0000)]
bnx2x: Fixed a compilation warning

bnx2x_src_init_t2() is used only when BCM_CNIC is defined.
So, to avoid a compilation warning, we won't define it unless
BCM_CNIC is defined.

Signed-off-by: Vladislav Zolotarov <vladz@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agobnx2x: LSO code was broken on BE platforms
Vladislav Zolotarov [Sun, 12 Dec 2010 04:11:45 +0000 (04:11 +0000)]
bnx2x: LSO code was broken on BE platforms

Make the LSO code work on BE platforms: parsing_data field of
a parsing BD (PBD) for 57712 was improperly composed which made FW read wrong
values for TCP header's length and offset and, as a result, the corresponding
PCI device was performing bad DMA reads triggering EEH.

Signed-off-by: Vladislav Zolotarov <vladz@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoqlge: Fix deadlock when cancelling worker.
Ron Mercer [Sat, 11 Dec 2010 11:06:50 +0000 (11:06 +0000)]
qlge: Fix deadlock when cancelling worker.

Removing usage of rtnl_lock() to protect firmware interface registers.
These registers are accessed in some worker threads and can create a
deadlock if rtnl_lock is taken by upper layers while the worker is still
pending.
We remove rtnl_lock and use a driver mutex just while mailboxes are
accessed.

Signed-off-by: Ron Mercer <ron.mercer@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoMerge branch 'vhost-net' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
David S. Miller [Sun, 12 Dec 2010 22:16:51 +0000 (14:16 -0800)]
Merge branch 'vhost-net' of git://git./linux/kernel/git/mst/vhost

14 years agonet: fix skb_defer_rx_timestamp()
Eric Dumazet [Sun, 5 Dec 2010 18:50:32 +0000 (18:50 +0000)]
net: fix skb_defer_rx_timestamp()

After commit c1f19b51d1d8 (net: support time stamping in phy devices.),
kernel might crash if CONFIG_NETWORK_PHY_TIMESTAMPING=y and
skb_defer_rx_timestamp() handles a packet without an ethernet header.

Fixes kernel bugzilla #24102

Reference: https://bugzilla.kernel.org/show_bug.cgi?id=24102
Reported-and-tested-by: Andrew Watts <akwatts@ymail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocxgb4vf: Ingress Queue Entry Size needs to be 64 bytes
Casey Leedom [Thu, 9 Dec 2010 09:38:24 +0000 (09:38 +0000)]
cxgb4vf: Ingress Queue Entry Size needs to be 64 bytes

Was using L1_CACHE_BYTES for the Ingress Queue Entry Size but it really
needs to be 64 bytes in order to support the largest message sizes.

Signed-off-by: Casey Leedom <leedom@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agophy: add the IC+ IP1001 driver
Giuseppe CAVALLARO [Wed, 8 Dec 2010 23:05:13 +0000 (23:05 +0000)]
phy: add the IC+ IP1001 driver

This patch adds the IC+ IP1001 (Gigabit Ethernet Transceiver) driver.
I've had to add an additional delay (2ns) to adjust RX clock phase at
GMII/ RGMII interface (according to the PHY data-sheet). This helps to
have the RGMII working on some ST platforms.

Signed-off-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoatm: correct sysfs 'device' link creation and parent relationships
Dan Williams [Wed, 8 Dec 2010 19:40:47 +0000 (19:40 +0000)]
atm: correct sysfs 'device' link creation and parent relationships

The ATM subsystem was incorrectly creating the 'device' link for ATM
nodes in sysfs.  This led to incorrect device/parent relationships
exposed by sysfs and udev.  Instead of rolling the 'device' link by hand
in the generic ATM code, pass each ATM driver's bus device down to the
sysfs code and let sysfs do this stuff correctly.

Signed-off-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoMAINTAINERS: remove me from tulip
Kyle McMartin [Thu, 9 Dec 2010 09:50:08 +0000 (09:50 +0000)]
MAINTAINERS: remove me from tulip

It was a nice idea, but -ENOTIME and -ENOHW. I never got around to doing
a lot of the clean up that I intended to.

Signed-off-by: Kyle McMartin <kyle@mcmartin.ca>
Acked-by: Grant Grundler <grundler@parisc-linux.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoSCTP: Fix SCTP_SET_PEER_PRIMARY_ADDR to accpet v4mapped address
Wei Yongjun [Tue, 7 Dec 2010 17:11:09 +0000 (17:11 +0000)]
SCTP: Fix SCTP_SET_PEER_PRIMARY_ADDR to accpet v4mapped address

SCTP_SET_PEER_PRIMARY_ADDR does not accpet v4mapped address, using
v4mapped address in SCTP_SET_PEER_PRIMARY_ADDR socket option will
get -EADDRNOTAVAIL error if v4map is enabled. This patch try to
fix it by mapping v4mapped address to v4 address if allowed.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoenic: Bug Fix: Pass napi reference to the isr that services receive queue
Vasanthy Kolluri [Wed, 8 Dec 2010 13:05:45 +0000 (13:05 +0000)]
enic: Bug Fix: Pass napi reference to the isr that services receive queue

Pass reference to napi instead of enic device to the isr that services receive queue.

Signed-off-by: Vasanthy Kolluri <vkolluri@cisco.com>
Signed-off-by: Roopa Prabhu <roprabhu@cisco.com>
Signed-off-by: David Wang <dwang2@cisco.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirel...
David S. Miller [Fri, 10 Dec 2010 20:51:02 +0000 (12:51 -0800)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6

14 years agoipv6: fix nl group when advertising a new link
Nicolas Dichtel [Tue, 7 Dec 2010 23:38:31 +0000 (23:38 +0000)]
ipv6: fix nl group when advertising a new link

New idev are advertised with NL group RTNLGRP_IPV6_IFADDR, but
should use RTNLGRP_IPV6_IFINFO.
Bug was introduced by commit 8d7a76c9.

Signed-off-by: Wang Xuefu <xuefu.wang@6wind.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Acked-by: Thomas Graf <tgraf@infradead.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoconnector: add module alias
Stephen Hemminger [Fri, 10 Dec 2010 20:27:49 +0000 (12:27 -0800)]
connector: add module alias

Since connector can be built as a module and uses netlink socket
to communicate. The module should have an alias to autoload when socket
of NETLINK_CONNECTOR type is requested.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet: Document the kernel_recvmsg() function
Martin Lucina [Fri, 10 Dec 2010 00:04:05 +0000 (00:04 +0000)]
net: Document the kernel_recvmsg() function

Signed-off-by: Martin Lucina <mato@kotelna.sk>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agor8169: Fix runtime power management
Rafael J. Wysocki [Wed, 8 Dec 2010 15:32:14 +0000 (15:32 +0000)]
r8169: Fix runtime power management

I noticed that one of the post-2.6.36 patches broke runtime PM of the
r8169 on my MSI Wind test machine in such a way that the link was not
brought up after reconnecting the network cable.

In the process of debugging the issue I realized that we only should
invoke the runtime PM functions in rtl8169_check_link_status() when
link change is reported and if we do so, the problem goes away.
Moreover, this allows rtl8169_runtime_idle() to be simplified quite
a bit.

Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Acked-by: Francois Romieu <romieu@fr.zoreil.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agohso: IP checksuming doesn't work on GE0301 option cards
Thomas Bogendoerfer [Tue, 7 Dec 2010 22:21:52 +0000 (22:21 +0000)]
hso: IP checksuming doesn't work on GE0301 option cards

There is definitly a problem, that some option cards send up broken
IP pakets leading to corrupted IP packets. These corruptions aren't
detected, because the driver claims that the packets are already
checksummed. This change removes the CHECKSUM_UNNECESSARY option
and let IP detect broken data.

Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoxfrm: Fix xfrm_state_migrate leak
Thomas Egerer [Mon, 6 Dec 2010 23:28:56 +0000 (23:28 +0000)]
xfrm: Fix xfrm_state_migrate leak

xfrm_state_migrate calls kfree instead of xfrm_state_put to free
a failed state. According to git commit 553f9118 this can cause
memory leaks.

Signed-off-by: Thomas Egerer <thomas.egerer@secunet.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agonet: Convert netpoll blocking api in bonding driver to be a counter
Neil Horman [Mon, 6 Dec 2010 09:05:50 +0000 (09:05 +0000)]
net: Convert netpoll blocking api in bonding driver to be a counter

A while back I made some changes to enable netpoll in the bonding driver.  Among
them was a per-cpu flag that indicated we were in a path that held locks which
could cause the netpoll path to block in during tx, and as such the tx path
should queue the frame for later use.  This appears to have given rise to a
regression.  If one of those paths on which we hold the per-cpu flag yields the
cpu, its possible for us to come back on a different cpu, leading to us clearing
a different flag than we set.  This results in odd netpoll drops, and BUG
backtraces appearing in the log, as we check to make sure that we only clear set
bits, and only set clear bits.  I had though briefly about changing the
offending paths so that they wouldn't sleep, but looking at my origional work
more closely, it doesn't appear that a per-cpu flag is warranted.  We alrady
gate the checking of this flag on IFF_IN_NETPOLL, so we don't hit this in the
normal tx case anyway.  And practically speaking, the normal use case for
netpoll is to only have one client anyway, so we're not going to erroneously
queue netpoll frames when its actually safe to do so.  As such, lets just
convert that per-cpu flag to an atomic counter.  It fixes the rescheduling bugs,
is equivalent from a performance perspective and actually eliminates some code
in the process.

Tested by the reporter and myself, successfully

Reported-by: Liang Zheng <lzheng@redhat.com>
CC: Jay Vosburgh <fubar@us.ibm.com>
CC: Andy Gospodarek <andy@greyhouse.net>
CC: David S. Miller <davem@davemloft.net>
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoiwlagn: implement layout-agnostic EEPROM reading
Wey-Yi Guy [Thu, 9 Dec 2010 18:09:14 +0000 (10:09 -0800)]
iwlagn: implement layout-agnostic EEPROM reading

From: Johannes Berg <johannes.berg@intel.com>

The current EEPROM reading code has some layout
assumptions that now turned out to be false with
some newer versions of the EEPROM. Luckily, we
can avoid all such assumptions by using data in
the EEPROM itself, so implement using that.

However, for risk mitigation purposes, keep the
old reading code for current hardware for now.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
14 years agoiwlagn: rename enhanced txpower fields
Johannes Berg [Tue, 30 Nov 2010 19:03:44 +0000 (11:03 -0800)]
iwlagn: rename enhanced txpower fields

Some fields we didn't previously use from the
enhanced TX power structure will be needed in
the next patch, so rename them to their correct
names to be able to use them and change code
reading them accordingly.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
14 years agoeconet: Fix crash in aun_incoming().
David S. Miller [Thu, 9 Dec 2010 02:42:23 +0000 (18:42 -0800)]
econet: Fix crash in aun_incoming().

Unconditional use of skb->dev won't work here,
try to fetch the econet device via skb_dst()->dev
instead.

Suggested by Eric Dumazet.

Reported-by: Nelson Elhage <nelhage@ksplice.com>
Tested-by: Nelson Elhage <nelhage@ksplice.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agotcp: protect sysctl_tcp_cookie_size reads
Eric Dumazet [Tue, 7 Dec 2010 12:20:47 +0000 (12:20 +0000)]
tcp: protect sysctl_tcp_cookie_size reads

Make sure sysctl_tcp_cookie_size is read once in
tcp_cookie_size_check(), or we might return an illegal value to caller
if sysctl_tcp_cookie_size is changed by another cpu.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Ben Hutchings <bhutchings@solarflare.com>
Cc: William Allen Simpson <william.allen.simpson@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agotcp: avoid a possible divide by zero
Eric Dumazet [Tue, 7 Dec 2010 12:03:55 +0000 (12:03 +0000)]
tcp: avoid a possible divide by zero

sysctl_tcp_tso_win_divisor might be set to zero while one cpu runs in
tcp_tso_should_defer(). Make sure we dont allow a divide by zero by
reading sysctl_tcp_tso_win_divisor exactly once.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoorinoco: fix TKIP countermeasure behaviour
David Kilroy [Sun, 5 Dec 2010 15:43:55 +0000 (15:43 +0000)]
orinoco: fix TKIP countermeasure behaviour

Enable the port when disabling countermeasures, and disable it on
enabling countermeasures.

This bug causes the response of the system to certain attacks to be
ineffective.

It also prevents wpa_supplicant from getting scan results, as
wpa_supplicant disables countermeasures on startup - preventing the
hardware from scanning.

wpa_supplicant works with ap_mode=2 despite this bug because the commit
handler re-enables the port.

The log tends to look like:

State: DISCONNECTED -> SCANNING
Starting AP scan for wildcard SSID
Scan requested (ret=0) - scan timeout 5 seconds
EAPOL: disable timer tick
EAPOL: Supplicant port status: Unauthorized
Scan timeout - try to get results
Failed to get scan results
Failed to get scan results - try scanning again
Setting scan request: 1 sec 0 usec
Starting AP scan for wildcard SSID
Scan requested (ret=-1) - scan timeout 5 seconds
Failed to initiate AP scan.

Reported by: Giacomo Comes <comes@naic.edu>
Signed-off by: David Kilroy <kilroyd@googlemail.com>
Cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoorinoco: clear countermeasure setting on commit
David Kilroy [Sun, 5 Dec 2010 15:45:58 +0000 (15:45 +0000)]
orinoco: clear countermeasure setting on commit

... and interface up.

In these situations, you are usually trying to connect to a new AP, so
keeping TKIP countermeasures active is confusing. This is already how
the driver behaves (inadvertently). However, querying SIOCGIWAUTH may
tell userspace that countermeasures are active when they aren't.

Clear the setting so that the reporting matches what the driver has
done..

Signed-off by: David Kilroy <kilroyd@googlemail.com>
Cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agomac80211: Fix BUG in pskb_expand_head when transmitting shared skbs
Helmut Schaa [Thu, 2 Dec 2010 17:44:09 +0000 (18:44 +0100)]
mac80211: Fix BUG in pskb_expand_head when transmitting shared skbs

mac80211 doesn't handle shared skbs correctly at the moment. As a result
a possible resize can trigger a BUG in pskb_expand_head.

[  676.030000] Kernel bug detected[#1]:
[  676.030000] Cpu 0
[  676.030000] $ 0   : 00000000 00000000 819662ff 00000002
[  676.030000] $ 4   : 81966200 00000020 00000000 00000020
[  676.030000] $ 8   : 819662e0 800043c0 00000002 00020000
[  676.030000] $12   : 3b9aca00 00000000 00000000 00470000
[  676.030000] $16   : 80ea2000 00000000 00000000 00000000
[  676.030000] $20   : 818aa200 80ea2018 80ea2000 00000008
[  676.030000] $24   : 00000002 800ace5c
[  676.030000] $28   : 8199a000 8199bd20 81938f88 80f180d4
[  676.030000] Hi    : 0000026e
[  676.030000] Lo    : 0000757e
[  676.030000] epc   : 801245e4 pskb_expand_head+0x44/0x1d8
[  676.030000]     Not tainted
[  676.030000] ra    : 80f180d4 ieee80211_skb_resize+0xb0/0x114 [mac80211]
[  676.030000] Status: 1000a403    KERNEL EXL IE
[  676.030000] Cause : 10800024
[  676.030000] PrId  : 0001964c (MIPS 24Kc)
[  676.030000] Modules linked in: mac80211_hwsim rt2800lib rt2x00soc rt2x00pci rt2x00lib mac80211 crc_itu_t crc_ccitt cfg80211 compat arc4 aes_generic deflate ecb cbc [last unloaded: rt2800pci]
[  676.030000] Process kpktgend_0 (pid: 97, threadinfo=8199a000, task=81879f48, tls=00000000)
[  676.030000] Stack : ffffffff 00000000 00000000 00000014 00000004 80ea2000 00000000 00000000
[  676.030000]         818aa200 80f180d4 ffffffff 0000000a 81879f78 81879f48 81879f48 00000018
[  676.030000]         81966246 80ea2000 818432e0 80f1a420 80203050 81814d98 00000001 81879f48
[  676.030000]         81879f48 00000018 81966246 818432e0 0000001a 8199bdd4 0000001c 80f1b72c
[  676.030000]         80203020 8001292c 80ef4aa2 7f10b55d 801ab5b8 81879f48 00000188 80005c90
[  676.030000]         ...
[  676.030000] Call Trace:
[  676.030000] [<801245e4>] pskb_expand_head+0x44/0x1d8
[  676.030000] [<80f180d4>] ieee80211_skb_resize+0xb0/0x114 [mac80211]
[  676.030000] [<80f1a420>] ieee80211_xmit+0x150/0x22c [mac80211]
[  676.030000] [<80f1b72c>] ieee80211_subif_start_xmit+0x6f4/0x73c [mac80211]
[  676.030000] [<8014361c>] pktgen_thread_worker+0xfac/0x16f8
[  676.030000] [<8002ebe8>] kthread+0x7c/0x88
[  676.030000] [<80008e0c>] kernel_thread_helper+0x10/0x18
[  676.030000]
[  676.030000]
[  676.030000] Code: 24020001  10620005  2502001f <0200000d0804917a  00000000  2502001f  00441023  00531021

Fix this by making a local copy of shared skbs prior to mangeling them.
To avoid copying the skb unnecessarily move the skb_copy call below the
checks that don't need write access to the skb.

Also, move the assignment of nh_pos and h_pos below the skb_copy to point
to the correct skb.

It would be possible to avoid another resize of the copied skb by using
skb_copy_expand instead of skb_copy but that would make the patch more
complex. Also, shared skbs are a corner case right now, so the resize
shouldn't matter much.

Cc: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
Cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoath9k_htc: Fix suspend/resume
Sujith Manoharan [Wed, 1 Dec 2010 07:00:27 +0000 (12:30 +0530)]
ath9k_htc: Fix suspend/resume

The HW has to be set to FULLSLEEP mode during suspend,
when no interface has been brought up. Not doing this would
break resume, as the chip won't be powered up at all.

Signed-off-by: Sujith Manoharan <Sujith.Manoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoath5k: Put the right tsf value in mesh beacons
Javier Cardona [Tue, 7 Dec 2010 21:37:56 +0000 (13:37 -0800)]
ath5k: Put the right tsf value in mesh beacons

Signed-off-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoath5k: Prevent mesh interfaces from being counted as ad-hoc
Javier Cardona [Tue, 7 Dec 2010 21:36:55 +0000 (13:36 -0800)]
ath5k: Prevent mesh interfaces from being counted as ad-hoc

This results in an erroneus num_adhoc_vifs count, as the this counter
was incremented but not decremented for mesh interfaces.

Signed-off-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoath5k: Fix beaconing in mesh mode
Javier Cardona [Tue, 7 Dec 2010 21:35:55 +0000 (13:35 -0800)]
ath5k: Fix beaconing in mesh mode

This patch fixes the oops below when attempting to bring up a mesh
interface on ath5k hardware.

[  128.933099] kernel BUG at drivers/net/wireless/ath/ath5k/base.c:197!
[  128.933099] invalid opcode: 0000 [#1]
(...)
[  128.933099] Call Trace:
[  128.933099]  [<c83b77fa>] ? ath5k_beacon_update+0x57/0x1f8 [ath5k]
[  128.933099]  [<c02d9a40>] ? __sysfs_add_one+0x28/0x76
[  128.933099]  [<c83b830e>] ? ath5k_bss_info_changed+0x13f/0x173
[ath5k]
[  128.933099]  [<c82ff629>] ? ieee80211_config_beacon+0xc0/0x17e
[mac80211]
[  128.933099]  [<c82f073e>] ?
ieee80211_bss_info_change_notify+0x182/0x18b [mac80211]
[  128.933099]  [<c83b81cf>] ? ath5k_bss_info_changed+0x0/0x173 [ath5k]
[  128.933099]  [<c82ff6d6>] ? ieee80211_config_beacon+0x16d/0x17e
[mac80211]
[  128.933099]  [<c82ff753>] ? ieee80211_add_beacon+0x34/0x39 [mac80211]
[  128.933099]  [<c830a4ed>] ? ieee80211s_init+0xf8/0x10f [mac80211]
[  128.933099]  [<c830a5df>] ? ieee80211_mesh_init_sdata+0xdb/0x154 [mac80211]

Signed-off-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoorinoco: initialise priv->hw before assigning the interrupt
David Kilroy [Tue, 7 Dec 2010 18:50:42 +0000 (18:50 +0000)]
orinoco: initialise priv->hw before assigning the interrupt

The interrupt handler takes a lock - but since commit bcad6e80f3f this
lock goes through an indirection specified in the hermes_t structure.
We must therefore initialise the structure before setting up the
interrupt handler.

Fix orinoco_cs and spectrum_cs

<https://bugzilla.kernel.org/show_bug.cgi?id=23932>

Bisected by: Matt Domsch <Matt_Domsch@dell.com>
Signed-off by: David Kilroy <kilroyd@googlemail.com>
Cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoehea: Fixing LRO configuration
Breno Leitao [Wed, 8 Dec 2010 20:19:14 +0000 (12:19 -0800)]
ehea: Fixing LRO configuration

In order to set LRO on ehea, the user must set a module parameter, which
is not the standard way to do so. This patch adds a way to set LRO using
the ethtool tool.

Signed-off-by: Breno Leitao <leitao@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agotcp: Replace time wait bucket msg by counter
Tom Herbert [Wed, 8 Dec 2010 20:16:33 +0000 (12:16 -0800)]
tcp: Replace time wait bucket msg by counter

Rather than printing the message to the log, use a mib counter to keep
track of the count of occurences of time wait bucket overflow.  Reduces
spam in logs.

Signed-off-by: Tom Herbert <therbert@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agox25: decrement netdev reference counts on unload
Apollon Oikonomopoulos [Tue, 7 Dec 2010 09:43:30 +0000 (09:43 +0000)]
x25: decrement netdev reference counts on unload

x25 does not decrement the network device reference counts on module unload.
Thus unregistering any pre-existing interface after unloading the x25 module
hangs and results in

 unregister_netdevice: waiting for tap0 to become free. Usage count = 1

This patch decrements the reference counts of all interfaces in x25_link_free,
the way it is already done in x25_link_device_down for NETDEV_DOWN events.

Signed-off-by: Apollon Oikonomopoulos <apollon@noc.grnet.gr>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agodriver/net/benet: fix be_cmd_multicast_set() memcpy bug
Joe Jin [Mon, 6 Dec 2010 03:00:59 +0000 (03:00 +0000)]
driver/net/benet: fix be_cmd_multicast_set() memcpy bug

Regarding  benet be_cmd_multicast_set() function, now using
netdev_for_each_mc_addr() helper for mac address copy, but
when copying to req->mac[] did not increase of the index.

Cc: Sathya Perla <sathyap@serverengines.com>
Cc: Subbu Seetharaman <subbus@serverengines.com>
Cc: Sarveshwar Bandi <sarveshwarb@serverengines.com>
Cc: Ajit Khaparde <ajitk@serverengines.com>
Signed-off-by: Joe Jin <joe.jin@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agol2tp: Fix modalias of l2tp_ip
Michal Marek [Mon, 6 Dec 2010 02:39:12 +0000 (02:39 +0000)]
l2tp: Fix modalias of l2tp_ip

Using the SOCK_DGRAM enum results in
"net-pf-2-proto-SOCK_DGRAM-type-115", so use the numeric value like it
is done in net/dccp.

Signed-off-by: Michal Marek <mmarek@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoeconet: Do the correct cleanup after an unprivileged SIOCSIFADDR.
Nelson Elhage [Wed, 8 Dec 2010 18:13:55 +0000 (10:13 -0800)]
econet: Do the correct cleanup after an unprivileged SIOCSIFADDR.

We need to drop the mutex and do a dev_put, so set an error code and break like
the other paths, instead of returning directly.

Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoMerge branch 'sfc-2.6.37' of git://git.kernel.org/pub/scm/linux/kernel/git/bwh/sfc-2.6
David S. Miller [Wed, 8 Dec 2010 20:13:23 +0000 (12:13 -0800)]
Merge branch 'sfc-2.6.37' of git://git./linux/kernel/git/bwh/sfc-2.6

14 years agollc: fix a device refcount imbalance
Eric Dumazet [Sun, 5 Dec 2010 02:03:26 +0000 (02:03 +0000)]
llc: fix a device refcount imbalance

Le dimanche 05 décembre 2010 à 12:23 +0100, Eric Dumazet a écrit :
> Le dimanche 05 décembre 2010 à 09:19 +0100, Eric Dumazet a écrit :
>
> > Hmm..
> >
> > If somebody can explain why RTNL is held in arp_ioctl() (and therefore
> > in arp_req_delete()), we might first remove RTNL use in arp_ioctl() so
> > that your patch can be applied.
> >
> > Right now it is not good, because RTNL wont be necessarly held when you
> > are going to call arp_invalidate() ?
>
> While doing this analysis, I found a refcount bug in llc, I'll send a
> patch for net-2.6

Oh well, of course I must first fix the bug in net-2.6, and wait David
pull the fix in net-next-2.6 before sending this rcu conversion.

Note: this patch should be sent to stable teams (2.6.34 and up)

[PATCH net-2.6] llc: fix a device refcount imbalance

commit abf9d537fea225 (llc: add support for SO_BINDTODEVICE) added one
refcount imbalance in llc_ui_bind(), because dev_getbyhwaddr() doesnt
take a reference on device, while dev_get_by_index() does.

Fix this using RCU locking. And since an RCU conversion will be done for
2.6.38 for dev_getbyhwaddr(), put the rcu_read_lock/unlock exactly at
their final place.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: stable@kernel.org
Cc: Octavian Purdila <opurdila@ixiacom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoifb: goto resched directly if error happens and dp->tq isn't empty
Changli Gao [Sat, 4 Dec 2010 14:09:08 +0000 (14:09 +0000)]
ifb: goto resched directly if error happens and dp->tq isn't empty

If we break the loop when there are still skbs in tq and no skb in
rq, the skbs will be left in txq until new skbs are enqueued into rq.
In rare cases, no new skb is queued, then these skbs will stay in rq
forever.

After this patch, if tq isn't empty when we break the loop, we goto
resched directly.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agotcp: Bug fix in initialization of receive window.
Nandita Dukkipati [Fri, 3 Dec 2010 13:33:44 +0000 (13:33 +0000)]
tcp: Bug fix in initialization of receive window.

The bug has to do with boundary checks on the initial receive window.
If the initial receive window falls between init_cwnd and the
receive window specified by the user, the initial window is incorrectly
brought down to init_cwnd. The correct behavior is to allow it to
remain unchanged.

Signed-off-by: Nandita Dukkipati <nanditad@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agocxgb4: fix MAC address hash filter
Dimitris Michailidis [Fri, 3 Dec 2010 10:39:04 +0000 (10:39 +0000)]
cxgb4: fix MAC address hash filter

Fix the calculation of the inexact hash-based MAC address filter.
It's 64 bits but current code is missing a ULL.  Results in filtering out
some legitimate packets.

Signed-off-by: Dimitris Michailidis <dm@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoCAIF: Fix U5500 compile error for shared memory driver
Kim Lilliestierna XX [Tue, 30 Nov 2010 09:11:22 +0000 (09:11 +0000)]
CAIF: Fix U5500 compile error for shared memory driver

Rearrange pr_fmt so it compiles.

Signed-off-by: Sjur Braendeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirel...
David S. Miller [Wed, 8 Dec 2010 16:13:01 +0000 (08:13 -0800)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6

14 years agoBluetooth: add NULL pointer check in HCI
Jun Nie [Tue, 7 Dec 2010 06:03:38 +0000 (14:03 +0800)]
Bluetooth: add NULL pointer check in HCI

If we fail to find a hci device pointer in hci_uart, don't try
to deref the NULL one we do have.

Signed-off-by: Jun Nie <njun@marvell.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
14 years agosfc: Fix NAPI list corruption during ring reallocation
Ben Hutchings [Tue, 7 Dec 2010 19:47:34 +0000 (19:47 +0000)]
sfc: Fix NAPI list corruption during ring reallocation

Call netif_napi_{add,del}() on the NAPI contexts in the new and
old channels, respectively.

Since efx_init_napi() cannot fail, make its return type void.

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
14 years agoath9k: fix beacon resource related race condition
Rajkumar Manoharan [Tue, 7 Dec 2010 12:12:18 +0000 (17:42 +0530)]
ath9k: fix beacon resource related race condition

The beacon tasklet is accesssing the bslot info for beacon generation.
Meanwhile the same slot can be freed on interface deletion.
Current the remove_interface disables the beacon alert after freeing the slot.
This may leads to null pointer access.

This patch disables SWBA and kills the beacon tasklet to prevent access
to the slot to be freed. After releasing the slot, swba will be enabled again
upon the availablity of beaconing interfaces.

Signed-off-by: Rajkumar Manoharan <rmanoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoath9k: Fix STA disconnect issue due to received MIC failed bcast frames
Senthil Balasubramanian [Mon, 6 Dec 2010 13:39:27 +0000 (19:09 +0530)]
ath9k: Fix STA disconnect issue due to received MIC failed bcast frames

AR_RxKeyIdxValid will not be set for bcast/mcast frames and so relying
this status for MIC failed frames is buggy.

Due to this, MIC failure events for broadcast frames are not sent to
supplicant resulted in AP disconnecting the STA.

Able to pass Wifi Test case 5.2.18 with this fix.

Cc: Stable <stable@kernel.org> (2.6.36+)
Signed-off-by: Senthil Balasubramanian <senthilkumar@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoath9k: fix a DMA related race condition on reset
Felix Fietkau [Sun, 5 Dec 2010 19:17:53 +0000 (20:17 +0100)]
ath9k: fix a DMA related race condition on reset

When ath_drain_all_txq fails to stop DMA, it issues a hw reset. This reset
happens at a very problematic point in time, when the hardware rx path has
not been stopped yet. This could lead to memory corruption, hardware hangs
or other issues.
To fix these issues, simply remove the reset entirely and check the tx DMA
stop status to prevent problems with fast channel changes.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agoath9k: fix bug in tx power
Matteo Croce [Fri, 3 Dec 2010 01:25:08 +0000 (02:25 +0100)]
ath9k: fix bug in tx power

The ath9k driver subtracts 3 dBm to the txpower as with two radios the
signal power is doubled.
The resulting value is assigned in an u16 which overflows and makes
the card work at full power.

Cc: stable@kernel.org
Signed-off-by: Matteo Croce <matteo@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agosfc: Fix crash in legacy onterrupt handler during ring reallocation
Ben Hutchings [Tue, 7 Dec 2010 19:24:45 +0000 (19:24 +0000)]
sfc: Fix crash in legacy onterrupt handler during ring reallocation

If we are using a legacy interrupt, our IRQ may be shared and our
interrupt handler may be called even though interrupts are disabled on
the NIC. When we change ring sizes, we reallocate the event queue and
the interrupt handler may use an invalid pointer when called for
another device's interrupt.

Maintain a legacy_irq_enabled flag and test that at the top of the
interrupt handler.  Note that this problem results from the need to
work around broken INT_ISR0 reads, and does not affect the legacy
interrupt handler for Falcon A1.

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
14 years agoixgbe: fix possible NULL pointer deference in shutdown path
Don Skidmore [Wed, 1 Dec 2010 20:54:53 +0000 (20:54 +0000)]
ixgbe: fix possible NULL pointer deference in shutdown path

After freeing the rings we were not zeroing out the ring count values.
This patch now clears these counts correctly.

Reported-by: Yinghai Lu <yinghai@kernel.org>
Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
Tested-by: Stephen Ko <stephen.s.ko@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agoBluetooth: Fix initial RFCOMM DLC security level
Johan Hedberg [Mon, 6 Dec 2010 13:56:17 +0000 (15:56 +0200)]
Bluetooth: Fix initial RFCOMM DLC security level

Due to commit 63ce0900 connections initiated through TTYs created with
"rfcomm bind ..." would have security level BT_SECURITY_SDP instead of
BT_SECURITY_LOW. This would cause instant connection failure between any
two SSP capable devices due to the L2CAP connect request to RFCOMM being
sent before authentication has been performed. This patch fixes the
regression by always initializing the DLC security level to
BT_SECURITY_LOW.

Signed-off-by: Johan Hedberg <johan.hedberg@nokia.com>
Acked-by: Luiz Augusto von Dentz <luiz.dentz-von@nokia.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
14 years agofilter: fix sk_filter rcu handling
Eric Dumazet [Mon, 6 Dec 2010 17:29:43 +0000 (09:29 -0800)]
filter: fix sk_filter rcu handling

Pavel Emelyanov tried to fix a race between sk_filter_(de|at)tach and
sk_clone() in commit 47e958eac280c263397

Problem is we can have several clones sharing a common sk_filter, and
these clones might want to sk_filter_attach() their own filters at the
same time, and can overwrite old_filter->rcu, corrupting RCU queues.

We can not use filter->rcu without being sure no other thread could do
the same thing.

Switch code to a more conventional ref-counting technique : Do the
atomic decrement immediately and queue one rcu call back when last
reference is released.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agotulip: fix hang in dmfe driver on sending of big packet
Alexander V. Lukyanov [Tue, 30 Nov 2010 03:57:39 +0000 (03:57 +0000)]
tulip: fix hang in dmfe driver on sending of big packet

This patch fixes hang in dmfe driver on attempt of sending a big packet.
Without this patch the code stops the queue and never wakes it again.

Signed-off-by: Alexander V. Lukyanov <lav@netis.ru>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
14 years agostmmac: priv->lock can be used uninitialized
Vlad Lungu [Mon, 29 Nov 2010 22:52:52 +0000 (22:52 +0000)]
stmmac: priv->lock can be used uninitialized

To reproduce: if connman (http://connman.net/) is started,
inserting the stmmac module triggers a "BUG: spinlock bad magic on CPU#0".

Registering the device in stmmac_probe() sends a notification to connman
which brings the interface up before the lock is initialized.

Signed-off-by: Vlad Lungu <vlad.lungu@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>