- 08 May, 2008 7 commits
-
-
David S. Miller authored
-
Pavel Emelyanov authored
When a net namespace is destroyed, some devices (those, not killed on ns stop explicitly) are moved back to init_net. The problem, is that this net_ns change has one point of failure - the __dev_alloc_name() may be called if a name collision occurs (and this is easy to trigger). This allocator performs a likely-to-fail GFP_ATOMIC allocation to find a suitable number. Other possible conditions that may cause error (for device being ns local or not registered) are always false in this case. So, when this call fails, the device is unregistered. But this is *not* the right thing to do, since after this the device may be released (and kfree-ed) improperly. E. g. bridges require more actions (sysfs update, timer disarming, etc.), some other devices want to remove their private areas from lists, etc. I. e. arbitrary use-after-free cases may occur. The proposed fix is the following: since the only reason for the dev_change_net_namespace to fail is the name generation, we may give it a unique fall-back name w/o %d-s in it - the dev<ifindex> one, since ifindexes are still unique. So make this change, raise the failure-case printk loglevel to EMERG and replace the unregister_netdevice call with BUG(). [ Use snprintf() -DaveM ] Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Patrick McHardy authored
When conntrack and DCCP/SCTP protocols are enabled, chances are good that people also want DCCP/SCTP conntrack and NAT support. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Patrick McHardy authored
Some Inovaphone PBXs exhibit very strange behaviour: when dialing for example "123", the device sends INVITE requests for "1", "12" and "123" back to back. The first requests will elicit error responses from the receiver, causing the SIP helper to flush the RTP expectations even though we might still see a positive response. Note the sequence number of the last INVITE request that contained a media description and only flush the expectations when receiving a negative response for that sequence number. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Patrick McHardy authored
As noticed by Ben Greear, macvlan crashes the kernel when unloading the module. The reason is that it tries to clean up the macvlan_port pointer on the macvlan device itself instead of the underlying device. A non-NULL pointer is taken as indication that the macvlan_handle_frame_hook is valid, when receiving the next packet on the underlying device it tries to call the NULL hook and crashes. Clean up the macvlan_port on the correct device to fix this. Signed-off-by: Patrick McHardy <kaber@trash.net> Tested-by: Ben Greear <greearb@candelatech.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
J.H.M. Dassen (Ray) authored
RFC 1122 does not have a section 3.1.2.2. The requirement to silently discard datagrams with a bad checksum is in section 3.2.1.2 instead. Addresses http://bugzilla.kernel.org/show_bug.cgi?id=10611 Signed-off-by: J.H.M. Dassen (Ray) <jdassen@debian.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Ilpo Järvinen authored
Note: there's actually another bug in FRTO's SACK variant, which is the causing failure in NewReno case because of the error that's fixed here. I'll fix the SACK case separately (it's a separate bug really, though related, but in order to fix that I need to audit tp->snd_nxt usage a bit). There were two places where SACK variant of FRTO is getting incorrectly used even if SACK wasn't negotiated by the TCP flow. This leads to incorrect setting of frto_highmark with NewReno if a previous recovery was interrupted by another RTO. An eventual fallback to conventional recovery then incorrectly considers one or couple of segments as forward transmissions though they weren't, which then are not LOST marked during fallback making them "non-retransmittable" until the next RTO. In a bad case, those segments are really lost and are the only one left in the window. Thus TCP needs another RTO to continue. The next FRTO, however, could again repeat the same events making the progress of the TCP flow extremely slow. In order for these events to occur at all, FRTO must occur again in FRTOs step 3 while the key segments must be lost as well, which is not too likely in practice. It seems to occur most frequently with some small devices such as network printers that *seem* to accept TCP segments only in-order. In cases where key segments weren't lost, things get automatically resolved because those wrongly marked segments don't need to be retransmitted in order to continue. I found a reproducer after digging up relevant reports (few reports in total, none at netdev or lkml I know of), some cases seemed to indicate middlebox issues which seems now to be a false assumption some people had made. Bugzilla #10063 _might_ be related. Damon L. Chesser <damon@damtek.com> had a reproducible case and was kind enough to tcpdump it for me. With the tcpdump log it was quite trivial to figure out. Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 06 May, 2008 23 commits
-
-
Kok, Auke authored
On a read error, e1000e might have returned uninitialized block of eeprom data back to userspace. The convention is that 0xff is "empty", so mark the entire eeprom as empty in case of an error. Signed-off-by: Auke Kok <auke-jan.h.kok@intel.com> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
-
Joakim Tjernlund authored
Commit 9fb1e350, ucc_geth: use rx-clock-name and tx-clock-name device tree properties Introduced a typo that made the driver use the RX clock as TX clock, causing massive TX errors. Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
-
Alan Cox authored
Otherwise theoretically at least

    CAP_NET_ADMIN
    Reload new firmware
    Wait..
    Firmware patches kernel

So it should be CAP_SYS_RAWIO - not that I suspect this is in fact a credible attack vector! Signed-off-by: Alan Cox <alan@redhat.com> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
-
Don Fry authored
Delete the non-napi code from the driver and Kconfig. Tested x86_64. Apply at next open opportunity. Signed-off-by: Don Fry <pcnet32@verizon.net> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
-
Scott Wood authored
There are more memory leaks in the !PPC_CPM_NEW_BINDING case, but that code will disappear soon along with arch/ppc. Reported by Daniel Marjamäki <danielm77@spray.se> at http://bugzilla.kernel.org/show_bug.cgi?id=10591 Signed-off-by: Scott Wood <scottwood@freescale.com> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
-
Bruce Robson authored
Taken from http://bugzilla.kernel.org/show_bug.cgi?id=10577 I was unable to access a computer containing an Intel EtherExpress 16 network card using IPv6. I traced this to failure of neighbour discovery. When I used an "ip -6 neigh add" command, on the computer attempting access, to insert a binding between the IPv6 address of the computer with the Intel EtherExpress 16 network card and the card's ethernet address, I was able to access that computer using IPv6. Neighbour discovery requires working multicast. The driver sources file eexpress.c contains an approximately 30 line function eexp_setup_filter used when loading multicast addresses. I found 3 problems in this function: 1) It wrote the number of multicast addresses to the card instead of the number of bytes in the multicast addresses. 2) When loading multiple multicast addresses it loaded the first one provided multiple times instead of loading each one once. 3) The setting of pointer 'data' from 'dmi->dmi_addr' occurred before the test for the error situation of 'dmi' being NULL. Correcting these problems allows the computer with the Intel EtherExpress 16 network card to be found by IPv6 neighbour discovery. p.s. There is some information on the Intel EtherExpress 16 at http://www.intel.com/support/etherexpress/vintage/sb/cs-013500.htm Datasheet for the Intel 82586 ethernet controller used by the card http://www.datasheetcatalog.com/datasheets_pdf/8/2/5/8/82586.shtml Signed-off-by: Bruce Robson <bns_robson@hotmail.com> Cc: Jeff Garzik <jeff@garzik.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
-
Paulius Zaleckas authored
Use net_device_stats from net_device structure instead of local. Signed-off-by: Paulius Zaleckas <paulius.zaleckas@teltonika.lt> Acked-by: Steffen Klassert <klassert@mathematik.tu-chemnitz.de> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
-
Gunnar Larisch authored
The ethernet card 3c980-TX needs a mdio_sync() to initialize the ethernet properly. This is forced by adding an EXTRA_PREAMBLE to its drv_flags. Without this, the driver did not reconnect after a link loss. Signed-off-by: Gunnar Larisch <Gunnar.Larisch@gmx.de> Acked-by: Steffen Klassert <klassert@mathematik.tu-chemnitz.de> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
-
-
Jeff Garzik authored
drivers/net/appletalk/cops.c: In function ‘cops_reset’: drivers/net/appletalk/cops.c:507: warning: comparison of distinct pointer types lacks a cast by replacing hand-woven msleep() with call to msleep() Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
-
Bruce Allan authored
This patch adds support for the BM PHY, a new PHY model being used on ICH9-based implementations. This new PHY exposes issues in the ICH9 silicon when receiving jumbo frames large enough to use more than a certain part of the Rx FIFO, and this unfortunately breaks packet split jumbo receives. For this reason we re-introduce (for affected adapters only) the jumbo single-skb receive routine back so that people who do wish to use jumbo frames on these ich9 platforms can do so. Part of this problem has to do with CPU sleep states and to make sure that all the wake up timings are correct we force them with the recently merged pm_qos infrastructure written by Mark Gross. (See http://lkml.org/lkml/2007/10/4/400). To make code read a bit easier we introduce a _IS_ICH flag so that we don't need to do mac type checks over the code. Signed-off-by: Bruce Allan <bruce.w.allan@intel.com> Signed-off-by: Auke Kok <auke-jan.h.kok@intel.com> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
-
Anton Vorontsov authored
This patch fixes uli526x driver's issues on PowerPC boards: uli chip is unable to receive the packets. It appears that send_frame_filter prepares the setup frame in an endianness-unsafe manner. On big endian machines we should shift the address nibble by two bytes. Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
-
Anton Vorontsov authored
The firmware on MPC8610HPCD boards enables ULI ethernet and leaves it in some funky state before booting Linux. For drivers, it's always a good idea to (re)initialize the hardware prior to requesting interrupts. This patch fixes the following oops:

    Oops: Kernel access of bad area, sig: 11 [#1]
    MPC86xx HPCD
    NIP: c0172820 LR: c017287c CTR: 00000000
    [...]
    NIP [c0172820] allocate_rx_buffer+0x2c/0xb0
    LR [c017287c] allocate_rx_buffer+0x88/0xb0
    Call Trace:
    [df82bdc0] [c017287c] allocate_rx_buffer+0x88/0xb0 (unreliable)
    [df82bde0] [c0173000] uli526x_interrupt+0xe4/0x49c
    [df82be20] [c0045418] request_irq+0xf0/0x114
    [df82be50] [c01737b0] uli526x_open+0x48/0x160
    [df82be70] [c0201184] dev_open+0xb0/0xe8
    [df82be80] [c0200104] dev_change_flags+0x90/0x1bc
    [df82bea0] [c035fab0] ip_auto_config+0x214/0xef4
    [df82bf60] [c03421c8] kernel_init+0xc4/0x2ac
    [df82bff0] [c0010834] kernel_thread+0x44/0x60
    Instruction dump:
    4e800020 9421ffe0 7c0802a6 bfa10014 7c7e1b78 90010024 80030060 83e30054
    2b80002f 419d0078 3fa0c039 48000058 <907f0010> 80630088 2f830000 419e0014

Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
-
Andy Fleming authored
ucc_geth didn't have anything marked as __iomem. It was also inconsistent with its use of in/out accessors (using them sometimes, not using them other times). Cleaning this up cuts the warnings down from hundreds to just over a dozen. Signed-off-by: Andy Fleming <afleming@freescale.com> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
-
Andy Fleming authored
Declared some things static, declared some things in the header. Signed-off-by: Andy Fleming <afleming@freescale.com> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
-
Andy Fleming authored
During sparse cleanup, found a locking bug. Some of the sysfs functions were acquiring a lock, and then returning in the event of an error. We rearrange the code so that the lock is released in error conditions, too. Signed-off-by: Andy Fleming <afleming@freescale.com> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
-
Jay Vosburgh authored
As part of: commit c2edacf8 Author: Jay Vosburgh <fubar@us.ibm.com> Date: Mon Jul 9 10:42:47 2007 -0700 bonding / ipv6: no addrconf for slaves separately from master two steps were rearranged in the enslavement process: netdev_set_master is now before the call to dev_open to open the slave. This patch updates the error cases and unwind process at the end of bond_enslave to match the new order. Without this patch, it is possible for the enslavement to fail, but leave the slave with IFF_SLAVE set in its flags. Signed-off-by: Jay Vosburgh <fubar@us.ibm.com> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
-
Pavel Emelyanov authored
The sysfs layer has an internal protection, that ensures, that all the process sitting inside ->store/->show callback exits before the appropriate entry is unregistered (the calltraces are rather big, but I can provide them if required). On the other hand, bonding takes rtnl_lock in a) the bonding_store_bonds, i.e. in ->store callback, b) module exit before calling the sysfs unregister routines. Thus, the classical AB-BA deadlock may occur. To reproduce run # while :; do modprobe bonding; rmmod bonding; done and # while :; do echo '+bond%d' > /sys/class/net/bonding_masters ; done in parallel. The fix is to move the bond_destroy_sysfs out of the rtnl_lock, but _before_ bond_free_all to make sure no bonding devices exist after module unload. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Acked-by: Jay Vosburgh <fubar@us.ibm.com> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
-
Jay Vosburgh authored
Fixed an error unwind in bonding_store_bonds that didn't release the locks it held, and consolidated unwinds into a common block at the end of the function. Bug reported by Pavel Emelyanov <xemul@openvz.org>, who provided a different fix. Signed-off-by: Jay Vosburgh <fubar@us.ibm.com> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
-
Pavel Emelyanov authored
If the call to bond_create_sysfs_entry in bond_create fails, the proper rollback is to call unregister_netdevice, not free_netdev. Otherwise - kernel BUG at net/core/dev.c:4057! Checked with artificial failures injected into bond_create_sysfs_entry. Pavel's original patch modified by Jay Vosburgh to move code around for clarity (remove goto-hopping within the unwind block). Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: Jay Vosburgh <fubar@us.ibm.com> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
-
Jamal Hadi Salim authored
reallocation of the policy data was being ignored. It could fail. Simplify so that there is no need for reallocating. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Adrian Bunk authored
IWLWIFI should be a tristate so that if IWLCORE and/or IWL3945 are m and none of them is y kbuild doesn't create an empty drivers/net/wireless/built-in.o This patch also removes the pointless "default n". Signed-off-by: Adrian Bunk <bunk@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
This reverts commit 65e41136. Unlike the other cases Pavel fixed, this case did not setup a netdev->destructor of free_netdev, therefore this change was not correct. Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 05 May, 2008 10 commits
-
-
Chris Wright authored
dccp_feat_change() validates length and on error is returning 1. This happens to work since call chain is checking for 0 == success, but this is returned to userspace, so make it a real error value. Signed-off-by: Chris Wright <chrisw@sous-sol.org> Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Ingo Molnar authored
x86.git testing found this build bug on v2.6.26-rc1: ERROR: "pnp_get_resource" [drivers/net/irda/smsc-ircc2.ko] undefined! make[1]: *** [__modpost] Error 1 make: *** [modules] Error 2 the driver did not anticipate the case of !CONFIG_PNP which is rare but still possible. Instead of restricting the driver to PNP-only in the Kconfig space, add the (trivial) dummy struct pnp_driver - this is what other drivers use in the !PNP case too. The driver itself can in theory be initialized on !PNP too in certain cases, via smsc_ircc_legacy_probe(). Patch only minimally build tested, I don't have this hardware. Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Ingo Molnar authored
x86.git testing found the following build failure in latest -git: drivers/built-in.o: In function `nsc_ircc_pnp_probe': nsc-ircc.c:(.text+0xdf1b6): undefined reference to `pnp_get_resource' nsc-ircc.c:(.text+0xdf1d4): undefined reference to `pnp_get_resource' nsc-ircc.c:(.text+0xdf1ee): undefined reference to `pnp_get_resource' nsc-ircc.c:(.text+0xdf237): undefined reference to `pnp_get_resource' nsc-ircc.c:(.text+0xdf24c): undefined reference to `pnp_get_resource' drivers/built-in.o:nsc-ircc.c:(.text+0xdf266): more undefined references to `pnp_get_resource' follow make: *** [.tmp_vmlinux1] Error 1 triggered via this config: http://redhat.com/~mingo/misc/config-Sat_May__3_20_53_13_CEST_2008.bad while generally most users will have PNP enabled, drivers can support non-PNP build mode too - and most drivers implement it. That is typically done by providing a dummy pnp_driver structure that will not probe anything. The fallback routines in the driver will handle this dumber mode of operation too. This patch implements that. I have not tested whether this actually works on real hardware so take care. It does resolve the build bug. [ Another solution that is used by a few drivers is to exclude the driver in the Kconfig if PNP is disabled, via "depends on PNP", but this would limit the availability of the driver needlessly. ] Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jamal Hadi Salim authored
Convert to netlink helpers by using netlink policy validation. As a side effect fixes a leak. Signed-off-by: Jamal Hadi Salim <hadi@cyberus.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Satoru SATOH authored
There are functions to refer to the value of dst->metric[THE_METRIC-1] directly without use of an inline function "dst_metric" defined in net/dst.h. The following patch changes them to use the inline function consistently. Signed-off-by: Satoru SATOH <satoru.satoh@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Satoru SATOH authored
Signed-off-by: Satoru SATOH <satoru.satoh@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Pavel Emelyanov authored
The list_del happens under read-locked devs_lock. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Pavel Emelyanov authored
Both br2684_push and br2684_exit do so, but unregister_netdev() releases the device itself. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Pavel Emelyanov authored
The error path in ieee80211_register_hw() may call the unregister_netdev() and right after it - the free_netdev(), which is wrong, since the unregister releases the device itself. So the proposed fix is to NULL the local->mdev after unregister is done and check this before calling free_netdev(). I checked - no code uses the local->mdev after unregister in this error path (but even if some did this would be a BUG). Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Pavel Emelyanov authored
This actually had to be merged with the patch #1, but I decided not to mix two changes in one patch. There are already two calls to free_netdev() in there, so merge them into one. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-