- 29 May, 2010 6 commits
-
-
Julia Lawall authored
Add a mutex_unlock missing on the error path. In each case, whenever the label out is reached from elsewhere in the function, mutex is not locked. The semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ expression E1; @@ * mutex_lock(E1); <+... when != E1 if (...) { ... when != E1 * return ...; } ...+> * mutex_unlock(E1); // </smpl> Signed-off-by:
Julia Lawall <julia@diku.dk> Reviewed-by:
Zach Brown <zach.brown@oracle.com> Acked-by:
Andy Grover <andy.grover@oracle.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Julia Lawall authored
Add a spin_unlock missing on the error path. The return value of write_reg seems to be completely ignored, so it seems that the lock should be released in every case. The semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ expression E1; @@ * spin_lock(E1,...); <+... when != E1 if (...) { ... when != E1 * return ...; } ...+> * spin_unlock(E1,...); // </smpl> Signed-off-by:
-
Mark Ware authored
This patch fixes an occasional transmit lockup in the mac-fcc which occurs after a tx error. The test scenario had the local port set to autoneg and the other end fixed at 100FD, resulting in a large number of late collisions. According to the MPC8280RM 30.10.1.3 (also 8272RM 29.10.1.3), after a tx error occurs, TBPTR may sometimes point beyond BDs still marked as ready. This patch walks back through the BDs and points TBPTR to the earliest one marked as ready. Tested on a custom board with a MPC8280. Signed-off-by:
Mark Ware <mware@elphinstone.net> Signed-off-by:
-
Changli Gao authored
Signed-off-by:
Changli Gao <xiaosuo@gmail.com> Signed-off-by:
-
Brian Haley authored
Commit f4f914b5 (net: ipv6 bind to device issue) caused a regression with Mobile IPv6 when it changed the meaning of fl->oif to become a strict requirement of the route lookup. Instead, only force strict mode when sk->sk_bound_dev_if is set on the calling socket, getting the intended behavior and fixing the regression. Tested-by:
Arnaud Ebalard <arno@natisbad.org> Signed-off-by:
Brian Haley <brian.haley@hp.com> Signed-off-by:
-
-
- 28 May, 2010 15 commits
-
-
Christoph Fritz authored
Ethernet driver b44 does register ssb by it's pcihost_wrapper and doesn't set ssb_chipcommon. A check on this value introduced with commit d53cdbb9 and ea2db495 triggers: BUG: unable to handle kernel NULL pointer dereference at 00000010 IP: [<c1266c36>] ssb_is_sprom_available+0x16/0x30 Signed-off-by:
Christoph Fritz <chf.fritz@googlemail.com> Signed-off-by:
John W. Linville <linville@tuxdriver.com>
-
Johannes Berg authored
sparse correctly complains that __ieee80211_get_channel_mode is not static. Signed-off-by:
Johannes Berg <johannes@sipsolutions.net> Signed-off-by:
-
Prarit Bhargava authored
Fixes: drivers/net/wireless/libertas/rx.c: In function process_rxed_802_11_packet: drivers/net/wireless/libertas/rx.c:354: error: radiotap_hdr.flags may be used uninitialized in this function Signed-off-by:
Prarit Bhargava <prarit@redhat.com> Signed-off-by:
-
Vasanthakumar Thiagarajan authored
This bug was introduced by the following commit Author: Vasanthakumar Thiagarajan <vasanth@atheros.com> Date: Thu Apr 15 17:38:46 2010 -0400 ath9k: Remove ATH9K_TX_SW_ABORTED and introduce a bool for this purpose Wrong buffer is checked for bf_tx_aborted field in ath_tx_num_badfrms(), this may result in a rate scaling with wrong feedback (number of unacked frames in this case). It is the last one in the chain of buffers for an aggregate frame that should be checked. Also it misses the initialization of this field in the buffer, this may lead to a situation where we stop the sw retransmission of failed subframes associated to this buffer. Signed-off-by:
Vasanthakumar Thiagarajan <vasanth@atheros.com> Signed-off-by:
-
Justin P. Mattock authored
ath_print in xmit.c should say "Reseting hardware" instead of Resetting HAL!(since HAL is being fazed out). dmesg shows: [ 8660.899624] ath: Failed to stop TX DMA in 100 msec after killing last frame [ 8660.899676] ath: Unable to stop TxDMA. Reset HAL! Signed-off-by:
Justin P. Mattock <justinmattock@gmail.com> Signed-off-by:
-
Scott Feldman authored
The wrong size was being calculated for vfinfo. In one case, it was over- calculating using nlmsg_total_size on attrs, in another case, it was under-calculating by assuming ifla_vf_* structs are packed together, but each struct is it's own attr w/ hdr (and padding). Signed-off-by:
Scott Feldman <scofeldm@cisco.com> Signed-off-by:
-
Scott Feldman authored
Noticed by Patrick McHardy: was continuing to fill skb after a nla_put_failure, ignoring the size calculated by upper layer. Now, return -EMSGSIZE on any overruns, but also allow netdev to fail ndo_get_vf_port with error other than -EMSGSIZE, thus unwinding nest. Signed-off-by:
-
Eric Dumazet authored
After commit 7fee226a (net: add a noref bit on skb dst), its wrong to use : dst_release(skb_dst(skb)), since we could decrement a refcount while skb dst was not refcounted. We should use skb_dst_drop(skb) instead. Signed-off-by:
Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by:
-
Bryan Wu authored
BugLink: http://bugs.launchpad.net/bugs/559065 In fec open/close function, we need to use phy_connect and phy_disconnect operation before we start/stop phy. Otherwise it will cause system hang. Only call fec_enet_mii_probe() in open function, because the first open action will cause NULL pointer error. Signed-off-by:
Bryan Wu <bryan.wu@canonical.com> Signed-off-by:
-
Michael Chan authored
We need to zero context memory on 5709 in the function cnic_init_context(). Without this, iscsid restart on 5709 will not work because of stale data. TX context blocks should not be initialized by cnic_init_context() because of the special remapping on 5709. Update version to 2.1.2. Signed-off-by:
Michael Chan <mchan@broadcom.com> Signed-off-by:
-
Julia Lawall authored
At the point of the print, dev is NULL. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @r exists@ expression E,E1; identifier f; statement S1,S2,S3; @@ if ((E == NULL && ...) || ...) { ... when != if (...) S1 else S2 when != E = E1 * E->f ... when any return ...; } else S3 // </smpl> Signed-off-by:
-
Julia Lawall authored
At the point of the print, dev is NULL. A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @r exists@ expression E,E1; identifier f; statement S1,S2,S3; @@ if ((E == NULL && ...) || ...) { ... when != if (...) S1 else S2 when != E = E1 * E->f ... when any return ...; } else S3 // </smpl> Signed-off-by:
-
Sarveshwar Bandi authored
Signed-off-by:
Sarveshwar Bandi <sarveshwarb@serverengines.com> Signed-off-by:
-
Herbert Xu authored
Currently we disallow GSO packets on the IPv6 forward path. This patch fixes this. Note that I discovered that our existing GSO MTU checks (e.g., IPv4 forwarding) are buggy in that they skip the check altogether, when they really should be checking gso_size + header instead. I have also been lazy here in that I haven't bothered to segment the GSO packet by hand before generating an ICMP message. Someone should add that to be 100% correct. Reported-by:
Ralf Baechle <ralf@linux-mips.org> Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by:
-
Eric Dumazet authored
commit 7fee226a (net: add a noref bit on skb dst) missed one spot where an skb is enqueued, with a possibly not refcounted dst entry. __neigh_event_send() inserts skb into arp_queue, so we must make sure dst entry is refcounted, or dst entry can be freed by garbage collector after caller exits from rcu protected section. Reported-by:
Ingo Molnar <mingo@elte.hu> Tested-by:
-
- 27 May, 2010 8 commits
-
-
Takuya Yoshikawa authored
We need to free newmem when vhost_set_memory() fails to complete. Signed-off-by:
Takuya Yoshikawa <yoshikawa.takuya@oss.ntt.co.jp> Signed-off-by:
Michael S. Tsirkin <mst@redhat.com>
-
Takuya Yoshikawa authored
copy_to/from_user() returns the number of bytes that could not be copied. So we need to check if it is not zero, and in that case, we should return the error number -EFAULT rather than directly return the return value from copy_to/from_user(). Signed-off-by:
-
Takuya Yoshikawa authored
copy_to/from_user() returns the number of bytes that could not be copied. So we need to check if it is not zero, and in that case, we should return the error number -EFAULT rather than directly return the return value from copy_to/from_user(). Signed-off-by:
-
Krishna Kumar authored
Missed a boundary value check in vhost_set_vring. The host panics if idx == nvqs is used in ioctl commands in vhost_virtqueue_init. Signed-off-by:
Krishna Kumar <krkumar2@in.ibm.com> Signed-off-by:
-
Eric Dumazet authored
This new sock lock primitive was introduced to speedup some user context socket manipulation. But it is unsafe to protect two threads, one using regular lock_sock/release_sock, one using lock_sock_bh/unlock_sock_bh This patch changes lock_sock_bh to be careful against 'owned' state. If owned is found to be set, we must take the slow path. lock_sock_bh() now returns a boolean to say if the slow path was taken, and this boolean is used at unlock_sock_bh time to call the appropriate unlock function. After this change, BH are either disabled or enabled during the lock_sock_bh/unlock_sock_bh protected section. This might be misleading, so we rename these functions to lock_sock_fast()/unlock_sock_fast(). Reported-by:
Anton Blanchard <anton@samba.org> Signed-off-by:
-
Julia Lawall authored
Add a spin_unlock missing on the error path. There seems like no reason why the lock should continue to be held if the kzalloc fail. The semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ expression E1; @@ * spin_lock(E1,...); <+... when != E1 if (...) { ... when != E1 * return ...; } ...+> * spin_unlock(E1,...); // </smpl> Signed-off-by:
-
Brian Hill authored
The current checksum offload code does not work and this corrects that functionality. It also updates the interrupt coallescing initialization so than there are fewer interrupts and performance is increased. Signed-off-by:
Brian Hill <brian.hill@xilinx.com> Signed-off-by:
John Linn <john.linn@xilinx.com> Signed-off-by:
-
Brian Hill authored
The code is not checking the interrupt for DMA correctly so that an interrupt number of 0 will cause a false error. Signed-off-by:
-
- 26 May, 2010 6 commits
-
-
Christian Lamparter authored
Commit "ar9170: wait for asynchronous firmware loading" introduced a bug, which is triggered by fatal errors while the driver is initializing the device. BUG: unable to handle kernel paging request at 6b6b6bf7 IP: [<c117b567>] kobject_put+0x7/0x70 *pde = 00000000 Oops: 0000 [#1] PREEMPT last sysfs file: /sys/devices/platform/hdaps/position Modules linked in: ar9170usb [...] Pid: 6246, comm: firmware/ar9170 Not tainted 2.6.34-wl #54 EIP: 0060:[<c117b567>] EFLAGS: 00010206 CPU: 0 EIP is at kobject_put+0x7/0x70 EAX: 6b6b6bd7 EBX: f4d3d0e0 ECX: f5ba9124 EDX: f6af2a7c ESI: 00000000 EDI: f4d3d0e0 EBP: 00000000 ESP: f5e98f9c DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068 Process firmware/ar9170 (pid: 6246) Stack: c12532ed 00000246 f5bfaa70 f8487353 f4d3d0e0 Call Trace: [<c12532ed>] ? device_release_driver+0x1d/0x30 [<f8487353>] ? ar9170_usb_firmware_failed+0x43/0x70 [ar9170usb] [<c125983c>] ? request_firmware_work_func+0x2c/0x70 [<c1259810>] ? request_firmware_work_func+0x0/0x70 [<c10413f4>] ? kthread+0x74/0x80 [<c1041380>] ? kthread+0x0/0x80 [<c1003136>] ? kernel_thread_helper+0x6/0x10 Code: 40 d3 f2 ff 85 c0 89 c3 74 0a ba 44 86 4c c1 e8 [...] EIP: [<c117b567>] kobject_put+0x7/0x70 SS:ESP 0068:f5e98f9c CR2: 000000006b6b6bf7 ---[ end trace e81abb992434b410 ]--- Signed-off-by:
Christian Lamparter <chunkeey@googlemail.com> Signed-off-by:
-
John W. Linville authored
This reverts commit 663cb47c. This patch was merged out of the proper order, so instead of fixing a problem with a prior (unmerged) patch, it creates one. Ooops! Signed-off-by:
-
Dan Carpenter authored
Sparse complains because these one-bit bitfields are signed. include/net/sctp/structs.h:879:24: error: dubious one-bit signed bitfield include/net/sctp/structs.h:889:31: error: dubious one-bit signed bitfield include/net/sctp/structs.h:895:26: error: dubious one-bit signed bitfield include/net/sctp/structs.h:898:31: error: dubious one-bit signed bitfield include/net/sctp/structs.h:901:27: error: dubious one-bit signed bitfield It doesn't cause a problem in the current code, but it would be better to clean it up. This was introduced by c0058a35: "sctp: Save some room in the sctp_transport by using bitfields". Signed-off-by:
Dan Carpenter <error27@gmail.com> Signed-off-by:
-
Dan Carpenter authored
This fixes a smatch warning: net/ipv4/ipmr.c +1917 __ipmr_fill_mroute(12) error: buffer overflow '(mrt)->vif_table' 32 <= 32 The ipv6 version had the same issue. Signed-off-by:
-
Sathya Perla authored
Sometimes BE requires longer time for POST completion after an EEH reset. Increasing the timeout value accordingly. Signed-off-by:
Sathya Perla <sathyap@serverengines.com> Signed-off-by:
-
Herbert Xu authored
When the cls_cgroup module is not loaded, task_cls_classid will return an uninitialised classid instead of zero. Reported-by:
Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by:
-
- 25 May, 2010 5 commits
-
-
David S. Miller authored
Stephen Rothwell reports the following new warning: drivers/net/usb/asix.c: In function 'asix_rx_fixup': drivers/net/usb/asix.c:325: warning: cast from pointer to integer of different size drivers/net/usb/asix.c:354: warning: cast from pointer to integer of different size The code just cares about the low alignment bits, so use an "unsigned long" cast instead of one to "u32". Signed-off-by: -
Sarveshwar Bandi authored
Certain firmware commands/operations to upgrade firmware could take several seconds to complete. The code presently disables bottom half during these operations which could lead to unpredictable behaviour in certain cases. This patch now does all firmware upgrade operations asynchronously using a completion variable. Signed-off-by:
-
J. R. Okajima authored
The commit 00b7c339 "sysctl: refactor integer handling proc code" modified the behaviour of writing to /proc. Before the commit, write("1\n") to /proc/sys/kernel/printk succeeded. But now it returns EINVAL. This commit supports writing a single value to a multi-valued entry. Signed-off-by:
J. R. Okajima <hooanon05@yahoo.co.jp> Reviewed-and-tested-by:
WANG Cong <amwang@redhat.com> Signed-off-by:
-
Filip Aben authored
This patch adds a few new product id's for the hso driver. Signed-off-by:
Filip Aben <f.aben@option.com> Signed-off-by:
-
Rémi Denis-Courmont authored
sk_common_release() might destroy our last reference to the socket. So an extra temporary reference is needed during cleanup. Signed-off-by:
Rémi Denis-Courmont <remi.denis-courmont@nokia.com> Signed-off-by:
-
