- 03 Aug, 2009 6 commits
-
-
Julia Lawall authored
Error handling code following a kzalloc should free the allocated data. The semantic match that finds the problem is as follows: (http://www.emn.fr/x-info/coccinelle/) // <smpl> @r exists@ local idexpression x; statement S; expression E; identifier f,f1,l; position p1,p2; expression *ptr != NULL; @@ x@p1 = \(kmalloc\|kzalloc\|kcalloc\)(...); ... if (x == NULL) S <... when != x when != if (...) { <+...x...+> } ( x->f1 = E | (x->f1 == NULL || ...) | f(...,x->f1,...) ) ...> ( return \(0\|<+...x...+>\|ptr\); | return@p2 ...; ) @script:python@ p1 << r.p1; p2 << r.p2; @@ print "* file: %s kmalloc %s return %s" % (p1[0].file,p1[0].line,p2[0].line) // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Julia Lawall authored
Move orthogonal error handling code up before a kzalloc, so that it doesn't have to free the allocated data. The semantic match that finds the problem is as follows: (http://www.emn.fr/x-info/coccinelle/) // <smpl> @r exists@ local idexpression x; statement S; expression E; identifier f,f1,l; position p1,p2; expression *ptr != NULL; @@ x@p1 = \(kmalloc\|kzalloc\|kcalloc\)(...); ... if (x == NULL) S <... when != x when != if (...) { <+...x...+> } ( x->f1 = E | (x->f1 == NULL || ...) | f(...,x->f1,...) ) ...> ( return \(0\|<+...x...+>\|ptr\); | return@p2 ...; ) @script:python@ p1 << r.p1; p2 << r.p2; @@ print "* file: %s kmalloc %s return %s" % (p1[0].file,p1[0].line,p2[0].line) // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Acked-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Patrick Simmons authored
Fix an unaligned memory access in the zd_mac_rx function of zd1211rw that causes problems on SPARC64. Signed-off-by: Patrick Simmons <linuxrocks123@netscape.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Luis R. Rodriguez authored
A regression was added through patch a4ed90d6: "cfg80211: respect API on orig_flags on channel for beacon hint" We did indeed respect _orig flags but the intention was not clearly stated in the commit log. This patch fixes firmware issues picked up by iwlwifi when we lift passive scan of beaconing restrictions on channels its EEPROM has been configured to always enable. By doing so though we also disallowed beacon hints on devices registering their wiphy with custom world regulatory domains enabled, this happens to be currently ath5k, ath9k and ar9170. The passive scan and beacon restrictions on those devices would never be lifted even if we did find a beacon and the hardware did support such enhancements when world roaming. Since Johannes indicates iwlwifi firmware cannot be changed to allow beacon hinting we set up a flag now to specifically allow drivers to disable beacon hints for devices which cannot use them. We enable the flag on iwlwifi to disable beacon hints and by default enable it for all other drivers. It should be noted beacon hints lift passive scan flags and beacon restrictions when we receive a beacon from an AP on any 5 GHz non-DFS channels, and channels 12-14 on the 2.4 GHz band. We don't bother with channels 1-11 as those channels are allowed world wide. This should fix world roaming for ath5k, ath9k and ar9170, thereby improving scan time when we receive the first beacon from any AP, and also enabling beaconing operation (AP/IBSS/Mesh) on cards which would otherwise not be allowed to do so. Drivers not using custom regulatory stuff (wiphy_apply_custom_regulatory()) were not affected by this as the orig_flags for the channels would have been cleared upon wiphy registration. I tested this with a world roaming ath5k card. Cc: Jouni Malinen <jouni.malinen@atheros.com> Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com> Reviewed-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Johannes Berg authored
These pointers can be NULL, the is_mesh() case isn't ever hit in the current kernel, but cmp_ies() can be hit under certain conditions. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Cc: stable@kernel.org [2.6.29, 2.6.30] Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Yevgeny Petrilin authored
In cases of fragmented skb, with the data pointers being wrapped around the TX buffer, the completion handling code would not forward the data pointer and the firs fragment was unmapped several times, while others were not unmapped at all. Signed-off-by: Yevgeny Petrilin <yevgenyp@mellanox.co.il> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 02 Aug, 2009 11 commits
-
-
Andreas Eversberg authored
The size of receive buffer pointer was used to get size of receive buffer instead of recvbuf_size itself, so only 4/8 bytes could be transfered. This is a regression to 2.6.30 introduced by commit 8c90e11e mISDN: Use kernel_{send,recv}msg instead of open coding Signed-off-by: Andreas Eversberg <andreas@eversberg.eu> Signed-off-by: Karsten Keil <keil@b1-systems.de> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Don Fry authored
VLB support has been broken since at least 2004-2005 period as some changes introduced back then assumed that ->pci_dev is always valid, lets try to fix it: - remove duplicated SET_NETDEV_DEV() call - call SET_NETDEV_DEV() only for PCI devices - check for ->pci_dev validity in pcnet32_open() [ Alternatively we may consider removing VLB support but there would not be much gain in it since an extra driver code needed for VLB support is minimal and quite simple. ] This takes care of the following entry from Dan's list: drivers/net/pcnet32.c +1889 pcnet32_probe1(298) warning: variable derefenced before check 'pdev' Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com> Acked-by: Don Fry <pcnet32@verizon.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Don Fry authored
Move the debug printk() into the proper place and remove superfluous NULL pointer check in pcnet32_probe1(). This takes care of the following entry from Dan's list: drivers/net/pcnet32.c +1889 pcnet32_probe1(298) warning: variable derefenced before check 'pdev' Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com> Acked-by: Don Fry <pcnet32@verizon.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jiri Pirko authored
There is a path when an assetion in dev_unicast_sync() appears. igmp6_group_added -> dev_mc_add -> __dev_set_rx_mode -> -> vlan_dev_set_rx_mode -> dev_unicast_sync Therefore we cannot protect this list with rtnl. This patch restores the original protecting this list with spinlock. Signed-off-by: Jiri Pirko <jpirko@redhat.com> Tested-by: Meelis Roos <mroos@linux.ee> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Dhananjay Phadke authored
Change default dma mask for NX3031 to 39 bit with ability to update it to 64-bit (if firmware indicates support). Old code was restricting it under 4GB (32-bit), sometimes causing failure to allocate descriptor rings on heavily populated system. NX2031 based NICs will still get 32-bit coherent mask. Signed-off-by: Dhananjay Phadke <dhananjay@netxen.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
roel kluin authored
Check whether index is within bounds before testing the element. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Acked-by: Karsten Keil <keil@b1-systems.de> Signed-off-by: David S. Miller <davem@davemloft.net>
-
roel kluin authored
Check whether index is within bounds before testing the element. In the last iteration i is PHY_MAX_ADDR. the condition `!(p = pd->mii.bus->phy_map[PHY_MAX_ADDR])' is undefined and may evaluate to false, which leads to a dereference of this invalid phy_map in the phy_connect() below. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
roel kluin authored
Check whether index is within bounds before testing the element. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
memcpy() should take into account size of pointers, not only number of pointers to copy. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Acked-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
Failure to call unregister_pernet_gen_device() can exhaust memory if module is loaded/unloaded many times. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Acked-by: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Ben McKeegan authored
This patch fixes the corner cases where the sum of MTU of the free channels (adjusted for fragmentation overheads) is less than the MTU of PPP link. There are at least 3 situations where this case might arise: - some of the channels are busy - the multilink session is running in a degraded state (i.e. with less than its full complement of active channels) - by design, where multilink protocol is being used to artificially increase the effective link MTU of a single link. Without this patch, at most 1 fragment is ever sent per free channel for a given PPP frame and any remaining part of the PPP frame that does not fit into those fragments is silently discarded. This patch restores the original behaviour which was broken by commit 9c705260 'ppp:ppp_mp_explode() redesign'. Once all 'free' channels have been given a fragment, an additional fragment is queued to each available channel in turn, as many times as necessary, until the entire PPP frame has been consumed. Signed-off-by: Ben McKeegan <ben@netservers.co.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 31 Jul, 2009 3 commits
-
-
Peter P Waskiewicz Jr authored
When a user disables interrupt throttling with ethtool on 82599 devices, the interrupt timer may not be re-enabled if hardware RSC is running. The RSC completions in hardware don't complete before the next ITR event tries to fire, so the ITR timer never gets re-armed. This patch increases the amount of time between interrupts when throttling is disabled (rx-usecs = 0) when the hardware RSC deature is enabled. Signed-off-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Peter P Waskiewicz Jr authored
A second set of feature flag bits was added, and the hardware RSC engine flags were moved there. However, the code itself didn't make the move completely to use the new bitmap. Signed-off-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com> Acked-by: Mallikarjuna R Chilakala <mallikarjuna.chilakala@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Peter P Waskiewicz Jr authored
Our ndo_poll_controller callback is broken for anything but non-multiqueue setups. This fixes that issue. Signed-off-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 30 Jul, 2009 9 commits
-
-
Jiajun Wu authored
Parameter order for using mk_ic_value(count, time) was reversed, the patch fixes this. Signed-off-by: Jiajun Wu <b06378@freescale.com> Signed-off-by: Li Yang <leoli@freescale.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
If a socket is hashed in last slot of pppoe hash table (PPPOE_HASH_SIZE-1) we report it many times (up to filling seq buffer) (Only the last socket of last slot) Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
roel kluin authored
start_code is 69 words, but the code always writes a multiple of 16 words, so the last 11 words written are outside the array. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
roel kluin authored
If arp_format_neigh_entry() can be called with n->dev->addr_len == 0, then a write to hbuffer[-1] occurs. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
roel kluin authored
if dev_alloc_skb() fails on the first iteration, a write to cp->rx_ring[-1] occurs. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Tobias Klauser authored
Use the %pI4 format string instead of %d.%d.%d.%d and NIPQUAD. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Michael Chan authored
Changing to GFP_ATOMIC because the only caller in cnic/bnx2i may be calling this function while holding spin_lock. This problem was discovered by Mike Christie. Signed-off-by: Michael Chan <mchan@broadcom.com> Acked-by: Mike Christie <michaelc@cs.wisc.edu> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Julia Lawall authored
The test on map4 should be a test on map6. The semantic match that finds this problem is as follows: (http://www.emn.fr/x-info/coccinelle/) // <smpl> @@ expression *x; identifier f; constant char *C; @@ x = \(kmalloc\|kcalloc\|kzalloc\)(...); ... when != x == NULL when != x != NULL when != (x || ...) ( kfree(x) | f(...,C,...,x,...) | *f(...,x,...) | *x->f ) // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 29 Jul, 2009 3 commits
-
-
Johannes Berg authored
Jan reported that his b43-based laptop hangs during suspend. The problem turned out to be mac80211 asking the driver to stop the hardware before removing interfaces, and interface removal caused b43 to touch the hardware (while down, which causes the hang). This patch fixes mac80211 to do reorder these operations to have them in the correct order -- first remove interfaces and then stop the hardware. Some more code is necessary to be able to do so in a race-free manner, in particular it is necessary to not process frames received during quiescing. Fixes http://bugzilla.kernel.org/show_bug.cgi?id=13337. Reported-by: Jan Scholz <scholz@fias.uni-frankfurt.de> Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Roel Kluin authored
Several arrays were read before checking whether the index was within bounds. ARRAY_SIZE() should be used to determine the size of arrays. rates->rates has an arraysize of 1, so calling get_common_rates() with a rates_size of MAX_RATES (14) was causing reads out of bounds. tmp_size can increment at most to (ARRAY_SIZE(lbs_bg_rates) - 1) * (*rates_size - 1), so that should be the number of elements of tmp[]. A goto can be eliminated: ret was already set upon its declaration. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Roel Kluin authored
reads bss->rates[j] before checking bounds of index, and should use ARRAY_SIZE to determine the size of the array. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Acked-by: Holger Schurig <hs4233@mail.mn-solutions.de> Acked-by: Dan Williams <dcbw@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
- 28 Jul, 2009 1 commit
-
-
Stephen Hemminger authored
Even though reverse path filter was changed from simple boolean to trinary control, the loose mode only works if both all and device are configured because of this logic error. Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 27 Jul, 2009 7 commits
-
-
Luis R. Rodriguez authored
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Roel Kluin authored
tid is bounded (above) by the size of default_tid_to_tx_fifo (17 elements), but the size of priv->stations[].tid[] is MAX_TID_COUNT (9) elements. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Roel Kluin authored
Incorrect limits leads to reads outside array bounds. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Acked-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Roel Kluin authored
SSID_rid has space for only 3 ssids. txPowerLevels[i] is read before the bounds check for i Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Acked-by: Dan Williams <dcbw@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Dan Carpenter authored
iwm_wdev_alloc() returns an ERR_PTR on failure and not null. It also prints its own dev_err() message so I removed that as well. Compile tested only. Sorry. Found by smatch (http://repo.or.cz/w/smatch.git). Signed-off-by: Dan Carpenter <error27@gmail.com> Acked-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
reinette chatre authored
We need to provide a reasonable minimum that will result in a working setup if used. Set minimum to be 10 to provide for 4 standard TX queues + 1 command queue + 2 (unused) HCCA queues + 4 HT queues (one per AC). We allow the user to change the number of queues used via a module parameter and use this minimum value to check if it is valid. Without this patch a user can select a value for the number of queues that will result in a failing setup. Signed-off-by: Reinette Chatre <reinette.chatre@intel.com> Reviewed-by: Tomas Winkler <tomas.winkler@intel.com> Acked-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Johannes Berg authored
I had a problem on 4965 hardware (well, probably other hardware too, but others don't survive my stress testing right now, unfortunately) where the driver was sending invalid commands to the device, but no such thing could be seen from the driver's point of view. I could reproduce this fairly easily by sending multiple TCP streams with iperf on different TIDs, though sometimes a single iperf stream was sufficient. It even happened with a single core, but I have forced preemption turned on. The culprit was a queue overrun, where we advanced the queue's write pointer over the read pointer. After careful analysis I've come to the conclusion that the cause is a race condition between iwlwifi and mac80211. mac80211, of course, checks whether the queue is stopped, before transmitting a frame. This effectively looks like this: lock(queues) if (stopped(queue)) { unlock(queues) return busy; } unlock(queues) ... <-- this place will be important there is some more code here drv_tx(frame) The driver, on the other hand, can stop and start queues, which does lock(queues) mark_running/stopped(queue) unlock(queues) [if marked running: wake up tasklet to send pending frames] Now, however, once the driver starts the queue, mac80211 can see that and end up at the marked place above, at which point for some reason the driver seems to stop the queue again (I don't understand that) and then we end up transmitting while the queue is actually full. Now, this shouldn't actually matter much, but for some reason I've seen it happen multiple times in a row and the queue actually overflows, at which point the queue bites itself in the tail and things go completely wrong. This patch fixes this by just dropping the packet should this have happened, and making the lock in iwlwifi cover everything so iwlwifi can't race against itself (dropping the lock there might make it more likely, but it did seem to happen without that too). Since we can't hold the lock across drv_tx() above, I see no way to fix this in mac80211, but I also don't understand why I haven't seen this before -- maybe I just never stress tested it this badly. With this patch, the device has survived many minutes of simultanously sending two iperf streams on different TIDs with combined throughput of about 60 Mbps. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: Reinette Chatre <reinette.chatre@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-