- 08 Feb, 2011 2 commits
-
-
- 07 Feb, 2011 5 commits
-
-
Sven Eckelmann authored
We access the data inside the skbs of two fragments directly using memmove during the merge. The data of the skb could span over multiple skb pages. An direct access without knowledge about the pages would lead to an invalid memory access. Signed-off-by:
Sven Eckelmann <sven@narfation.org> [lindner_marek@yahoo.de: Move return from function to the end] Signed-off-by:
Marek Lindner <lindner_marek@yahoo.de>
-
andrew hendry authored
Originally x25_parse_facilities returned -1 for an error 0 meaning 0 length facilities >0 the length of the facilities parsed. 5ef41308 ("x25: Prevent crashing when parsing bad X.25 facilities") introduced more error checking in x25_parse_facilities however used 0 to indicate bad parsing a6331d6f ("memory corruption in X.25 facilities parsing") followed this further for DTE facilities, again using 0 for bad parsing. The meaning of 0 got confused in the callers. If the facilities are messed up we can't determine where the data starts. So patch makes all parsing errors return -1 and ensures callers close and don't use the skb further. Reported-by:
Andy Whitcroft <apw@canonical.com> Signed-off-by:
Andrew Hendry <andrew.hendry@gmail.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Felix Fietkau authored
Using skb_header_cloned to check if it's safe to write to the skb is not enough - mac80211 also touches the tailroom of the skb. Initially this check was only used to increase a counter, however this commit changed the code to also skip skb data reallocation if no extra head/tailroom was needed: commit 4cd06a34 mac80211: skip unnecessary pskb_expand_head calls It added a regression at least with iwl3945, which is fixed by this patch. Reported-by:
Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by:
Felix Fietkau <nbd@openwrt.org> Tested-by:
John W. Linville <linville@tuxdriver.com>
-
Don Fry authored
With commit 554d1d02 only one RF_KILL interrupt will be seen by the driver when the interface is down. Re-enable the interrupt when it occurs to see all transitions. Signed-off-by:
Don Fry <donald.h.fry@intel.com> Signed-off-by:
Wey-Yi Guy <wey-yi.w.guy@intel.com> Cc: stable@kernel.org Signed-off-by:
-
Michael Büsch authored
This fixes parsing of the device invariants (MAC address) for PCMCIA SSB devices. ssb_pcmcia_do_get_invariants expects an iv pointer as data argument. Tested-by:
dylan cristiani <d.cristiani@idem-tech.it> Signed-off-by:
Michael Buesch <mb@bu3sch.de> Cc: stable@kernel.org Signed-off-by:
-
- 06 Feb, 2011 3 commits
-
-
Vladislav Zolotarov authored
Prevent packets duplication for frames targeting FCoE L2 ring: packets were arriving to stack from both L2 RSS and from FCoE L2 in a promiscuous mode. Configure FCoE L2 ring to DROP_ALL rx mode, when interface is configured to PROMISC, and to accept only unicast frames, when interface is configured to ALL_MULTI. Signed-off-by:
Vladislav Zolotarov <vladz@broadcom.com> Signed-off-by:
Eilon Greenstein <eilong@broadcom.com> Signed-off-by:
-
Jesper Juhl authored
Fix memory leak in error path of sis900_rx(). If we don't do this we'll leak the skb we dev_alloc_skb()'ed just a few lines above when the variable goes out of scope. Signed-off-by:
Jesper Juhl <jj@chaosbits.net> Signed-off-by:
-
Ajit Khaparde authored
Found by: Jesper Juhl <jj@chaosbits.net> Signed-off-by:
Ajit Khaparde <ajit.khaparde@emulex.com> Signed-off-by:
-
- 04 Feb, 2011 14 commits
-
-
Mohammed Shafi Shajakhan authored
This patch reverts the following commit ath9k: remove bfs_paprd_timestamp from struct ath_buf_state Under high interference/noisy environment conditions where PAPRD frames fails heavily introduces a possibility of double freeing skb's and causes kernel panic after some time.This patch reverts back to the original approach of using paprd_timestamp before freeing the PAPRD frame skb's [ 194.193705] Pid: 0, comm: swapper Tainted: G D WC 2.6.35-22-generic #33-Ubuntu [ 194.193712] Call Trace: [ 194.193722] [<c05c6468>] ? printk+0x2d/0x35 [ 194.193732] [<c05c63c3>] panic+0x5a/0xd2 [ 194.193741] [<c05ca3ed>] oops_end+0xcd/0xd0 [ 194.193750] [<c0105f74>] die+0x54/0x80 [ 194.193758] [<c05c9a16>] do_trap+0x96/0xc0 [ 194.193837] [<c0103fb0>] ? do_invalid_op+0x0/0xa0 [ 194.193846] [<c010403b>] do_invalid_op+0x8b/0xa0 [ 194.193856] [<c020bd4c>] ? kfree+0xec/0xf0 [ 194.193866] [<c012ce18>] ? default_spin_lock_flags+0x8/0x10 [ 194.193877] [<c01de47a>] ? free_one_page+0x12a/0x2d0 [ 194.193888] [<c01e04dc>] ? __free_pages+0x1c/0x40 [ 194.193897] [<c05c97a7>] error_code+0x73/0x78 [ 194.193906] [<c020bd4c>] ? kfree+0xec/0xf0 [ 194.193915] [<c04ecdd0>] ? skb_release_data+0x70/0xa0 [ 194.193924] [<c04ecdd0>] skb_release_data+0x70/0xa0 [ 194.193933] [<c04ec997>] __kfree_skb+0x17/0x90 [ 194.193941] [<c04eca31>] consume_skb+0x21/0x40 [ 194.193964] [<f85e0b70>] ieee80211_tx_status+0x760/0x860 [mac80211] [ 194.193979] [<f85caddf>] ath_tx_complete_buf+0x1bf/0x2c0 [ath9k] [ 194.193988] [<c05c8b9f>] ? _raw_spin_lock_irqsave+0x2f/0x50 [ 194.193997] [<c04ec40e>] ? skb_queue_tail+0x3e/0x50 [ 194.194010] [<f85cc803>] ath_tx_complete_aggr+0x823/0x940 [ath9k] [ 194.194021] [<c0108a28>] ? sched_clock+0x8/0x10 [ 194.194030] [<c016bf14>] ? sched_clock_local+0xa4/0x180 [ 194.194040] [<c0139f57>] ? enqueue_sleeper+0x1e7/0x2b0 [ 194.194051] [<c013a194>] ? enqueue_entity+0x174/0x200 [ 194.194064] [<f85ce83d>] ath_tx_edma_tasklet+0x2bd/0x3b0 [ath9k] [ 194.194074] [<c05c8b9f>] ? _raw_spin_lock_irqsave+0x2f/0x50 [ 194.194088] [<f85c7b9f>] ath9k_tasklet+0x9f/0x190 [ath9k] [ 194.194097] [<c01505d7>] tasklet_action+0xa7/0xb0 [ 194.194107] [<c015127c>] __do_softirq+0x9c/0x1b0 [ 194.194117] [<c01a7f64>] ? irq_to_desc+0x14/0x20 [ 194.194126] [<c0124fc4>] ? ack_apic_level+0x64/0x1f0 [ 194.194136] [<c01513d5>] do_softirq+0x45/0x50 [ 194.194145] [<c0151545>] irq_exit+0x65/0x70 [ 194.194153] [<c05cf665>] do_IRQ+0x55/0xc0 [ 194.194162] [<c016a6c7>] ? hrtimer_start+0x27/0x30 [ 194.194171] [<c0103630>] common_interrupt+0x30/0x38 [ 194.194181] [<c012c21a>] ? native_safe_halt+0xa/0x10 [ 194.194268] [<c010a2f9>] default_idle+0x49/0xb0 [ 194.194277] [<c0101fcc>] cpu_idle+0x8c/0xd0 [ 194.194286] [<c05b2431>] rest_init+0x71/0x80 [ 194.194295] [<c081981a>] start_kernel+0x36e/0x374 [ 194.194305] [<c08199dd>] ? pass_all_bootoptions+0x0/0xa [ 194.194314] [<c08190d7>] i386_start_kernel+0xd7/0xdf [ 194.194364] panic occurred, switching back to text console Signed-off-by:
Mohammed Shafi Shajakhan <mshajakhan@atheros.com> Signed-off-by:
-
Christian Lamparter authored
This patch fixes a off-by-one bug which bugged the driver's PS-POLL capability. Cc: <stable@kernel.org> Signed-off-by:
Christian Lamparter <chunkeey@googlemail.com> Signed-off-by:
-
Vasiliy Kulikov authored
Don't allow everybody to set terminator via sysfs. Signed-off-by:
Vasiliy Kulikov <segoon@openwall.com> Signed-off-by:
-
Vasiliy Kulikov authored
Don't allow everybody to write to mb0_id file. Signed-off-by:
Kurt Van Dijck <kurt.van.dijck@eia.be> Signed-off-by:
-
Ajit Khaparde authored
Signed-off-by:
-
Pavel Emelyanov authored
The fdb_create() puts a new fdb into hash with only addr set. This is not good, since there are callers, that search the hash w/o the lock and access all the other its fields. Applies to current netdev tree. Signed-off-by:
Pavel Emelyanov <xemul@openvz.org> Signed-off-by:
-
Francois Romieu authored
While the RxFIFO interruption is masked for most 8168, nothing prevents it to appear in the irq status word. This is no excuse to crash. Signed-off-by:Francois Romieu <romieu@fr.zoreil.com> Cc: Ivan Vecera <ivecera@redhat.com> Cc: Hayes <hayeswang@realtek.com>
-
Francois Romieu authored
Some experiment-based action to prevent my 8168 chipsets locking-up hard in the irq handler under load (pktgen ~1Mpps). Apparently a reset is not always mandatory (is it at all ?). - RTL_GIGA_MAC_VER_12 - RTL_GIGA_MAC_VER_25 Missed ~55% packets. Note: - this is an old SiS 965L motherboard - the 8168 chipset emits (lots of) control frames towards the sender - RTL_GIGA_MAC_VER_26 The chipset does not go into a frenzy of mac control pause when it crashes yet but it can still be crashed. It needs more work. Signed-off-by: -
Ivan Vecera authored
I found that one of the 8168c chipsets (concretely XID 1c4000c0) starts generating RxFIFO overflow errors. The result is an infinite loop in interrupt handler as the RxFIFOOver is handled only for ...MAC_VER_11. With the workaround everything goes fine. Signed-off-by:
Ivan Vecera <ivecera@redhat.com> Acked-by:
-
Julia Lawall authored
nlmsg_cancel can accept NULL as its second argument, so for similarity, this patch extends genlmsg_cancel to be able to accept a NULL second argument as well. Signed-off-by:
Julia Lawall <julia@diku.dk> Signed-off-by:
-
David S. Miller authored
Signed-off-by: -
David S. Miller authored
Signed-off-by: -
David S. Miller authored
Commit 709b46e8 ("net: Add compat ioctl support for the ipv4 multicast ioctl SIOCGETSGCNT") added the correct plumbing to handle SIOCGETSGCNT properly. However, whilst definiting a proper "struct compat_sioc_sg_req" it isn't actually used in ipmr_compat_ioctl(). Correct this oversight. Signed-off-by:
-
David S. Miller authored
As reported by Flavio Leitner, there is no synchronization to protect NIU's get_stats method from seeing a NULL pointer in either np->rx_rings or np->tx_rings. In fact, as far as ->ndo_get_stats is concerned, these values are set completely asynchronously. Flavio attempted to fix this using a RW semaphore, which in fact works most of the time. However, dev_get_stats() can be invoked from non-sleepable contexts in some cases, so this fix doesn't work in all cases. So instead, control the visibility of the np->{rx,tx}_ring pointers when the device is being brough up, and use properties of the device down sequence to our advantage. In niu_get_stats(), return immediately if netif_running() is false. The device shutdown sequence first marks the device as not running (by clearing the __LINK_STATE_START bit), then it performans a synchronize_rcu() (in dev_deactive_many()), and then finally it invokes the driver ->ndo_stop() method. This guarentees that all invocations of niu_get_stats() either see netif_running() as false, or they see the channel pointers before ->ndo_stop() clears them out. If netif_running() is true, protect against startup races by loading the np->{rx,tx}_rings pointer into a local variable, and punting if it is NULL. Use ACCESS_ONCE to prevent the compiler from reloading the pointer on us. Also, during open, control the order in which the pointers and the ring counts become visible globally using SMP write memory barriers. We make sure the np->num_{rx,tx}_rings value is stable and visible before np->{rx,tx}_rings is. Such visibility control is not necessary on the niu_free_channels() side because of the RCU sequencing that happens during device down as described above. We are always guarenteed that all niu_get_stats calls are finished, or will see netif_running() false, by the time ->ndo_stop is invoked. Reported-by:Flavio Leitner <fleitner@redhat.com> Signed-off-by:
-
- 03 Feb, 2011 1 commit
-
-
Jesper Juhl authored
In drivers/net/wireless/wl1251/main.c:wl1251_op_bss_info_changed() we make a call to ieee80211_beacon_get() which may return NULL, but we do not check the return value before dereferencing the pointer. Signed-off-by:
-
- 02 Feb, 2011 12 commits
-
-
-
Peter Chubb authored
There was some confusion at LCA as to why the sysctl tcp_ecn took one of three values when it was documented as a Boolean. This patch fixes the documentation. Signed-off-by:
Peter Chubb <peter.chubb@nicta.com.au> Signed-off-by:
-
Chuck Ebbert authored
Commit 8f574b35 ("atl1c: Add AR8151 v2 support and change L0s/L1 routine") added support for a new adapter but failed to add it to the PCI device table. Signed-Off-By:
Chuck Ebbert <cebbert@redhat.com> Signed-off-by:
-
Stefan Weil authored
This error was reported by cppcheck: drivers/s390/net/smsgiucv.c:63: error: Using sizeof for array given as function argument returns the size of pointer. Although there is no runtime problem as long as sizeof(u8 *) == 8, this misleading code should get fixed. Signed-off-by:
Stefan Weil <weil@mail.berlios.de> Signed-off-by:
Frank Blaschka <frank.blaschka@de.ibm.com> Signed-off-by:
-
Stefan Weil authored
This error was reported by cppcheck: drivers/s390/net/netiucv.c:568: error: Using sizeof for array given as function argument returns the size of pointer. sizeof(ipuser) did not result in 16 (as many programmers would have expected) but sizeof(u8 *), so it is 4 or 8, too small here. Signed-off-by:
-
Ursula Braun authored
For OSA the CHPARM-definition determines the number of available outbound queues. A CHPARM-change may occur while a Linux system with probed OSA device is in suspend state. This patch enables proper resuming of an OSA device in this case. Signed-off-by:
Ursula braun <ursula.braun@de.ibm.com> Signed-off-by:
-
Ursula Braun authored
For HiperSockets the framesize-definition determines the selected mtu-size and the size of the allocated qdio buffers. A framesize-change may occur while a Linux system with probed HiperSockets device is in suspend state. This patch enables proper resuming of a HiperSockets device in this case. Signed-off-by:
-
Frank Blaschka authored
HiperSockets and OSA hardware report a maximum MTU size. Add checking to reject larger MTUs than allowed by hardware. Signed-off-by:
-
Ursula Braun authored
Setting of a MAC-address may fail because an already used MAC-address is to bet set or because of authorization problems. In those cases qeth issues a message, but the mentioned MAC-address is not the new MAC-address to be set, but the actual MAC-address. This patch chooses now the new MAC-address to be set for the error messages. Signed-off-by:
-
Andy Gospodarek authored
Like Herbert's change from a few days ago: 66c46d74 gro: Reset dev pointer on reuse this may not be necessary at this point, but we should still clean up the skb->skb_iif. If not we may end up with an invalid valid for skb->skb_iif when the skb is reused and the check is done in __netif_receive_skb. Signed-off-by:
Andy Gospodarek <andy@greyhouse.net> Signed-off-by:
-
Johannes Berg authored
When the off-channel TX is done with remain-on-channel offloaded to hardware, the reported cookie is wrong as in that case we shouldn't use the SKB as the cookie but need to instead use the corresponding r-o-c cookie (XOR'ed with 2 to prevent API mismatches). Fix this by keeping track of the hw_roc_skb pointer just for the status processing and use the correct cookie to report in this case. We can't use the hw_roc_skb pointer itself because it is NULL'ed when the frame is transmitted to prevent it being used twice. This fixes a bug where the P2P state machine in the supplicant gets stuck because it never gets a correct result for its transmitted frame. Signed-off-by:
Johannes Berg <johannes.berg@intel.com> Signed-off-by:
-
Wey-Yi Guy authored
6250 2x2 devices have 2 tx chain and 2 rx chain. For some reason, the EEPROM contain incorrect information and indicate it only has single tx chain. overwrite it with .cfg parameter to make sure both chain 'A' and chain 'B' can be used for transmit and receive Signed-off-by:
-
- 01 Feb, 2011 3 commits
-
-
Ajit Khaparde authored
It is illegal to call netif_stop_queue before register_netdev. Signed-off-by:
-
Ajit Khaparde authored
While running insmod/rmood in a loop, an unnecessary netif_stop_queue causes the system to crash. Remove the netif_stop_queue call and netif_start_queue in the link status update path. Signed-off-by:
-
Stefan Weil authored
This warning was reported by cppcheck: drivers/isdn/icn/icn.c:1641: error: Dangerous usage of 'rev' (strncpy doesn't always 0-terminate it) If strncpy copied 20 bytes, the destination string rev was not terminated. The patch adds one more byte to rev and makes sure that this byte is always 0. Cc: Karsten Keil <isdn@linux-pingi.de> Cc: "David S. Miller" <davem@davemloft.net> Cc: Tejun Heo <tj@kernel.org> Cc: Steven Rostedt <rostedt@goodmis.org> Cc: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by:
-
