Phil Blundell [Wed, 24 Nov 2010 19:51:47 +0000 (11:51 -0800)]
econet: fix CVE-2010-3848
Don't declare variable sized array of iovecs on the stack since this
could cause stack overflow if msg->msgiovlen is large. Instead, coalesce
the user-supplied data into a new buffer and use a single iovec for it.
Signed-off-by: Phil Blundell <philb@gnu.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Looking into it I found that the stack was corrupted by the assignment
of the Rev #. The variable rev is given 10 bytes, and in this output the
characters that were copied was: " 1.65.6.8 $". Which was 11 characters
plus the null ending character for a total of 12 bytes, thus corrupting
the stack.
This patch ups the variable size to 20 bytes as well as changes the
strcpy to strncpy. I also added a check to make sure '$' is found.
Signed-off-by: Steven Rostedt <rostedt@goodmis.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Wed, 24 Nov 2010 17:15:27 +0000 (09:15 -0800)]
af_unix: limit unix_tot_inflight
Vegard Nossum found a unix socket OOM was possible, posting an exploit
program.
My analysis is we can eat all LOWMEM memory before unix_gc() being
called from unix_release_sock(). Moreover, the thread blocked in
unix_gc() can consume huge amount of time to perform cleanup because of
huge working set.
One way to handle this is to have a sensible limit on unix_tot_inflight,
tested from wait_for_unix_gc() and to force a call to unix_gc() if this
limit is hit.
This solves the OOM and also reduce overall latencies, and should not
slowdown normal workloads.
Reported-by: Vegard Nossum <vegard.nossum@gmail.com> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Fix unbalanced call to sdio_release_host() on the error path.
Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de> Acked-by: Larry Finger <Larry.Finger@lwfinger.net> Cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Daniel Klaffenbach <danielklaffenbach@gmail.com> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Cc: Stable <stable@kernel.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Felix Fietkau [Sat, 20 Nov 2010 02:08:47 +0000 (03:08 +0100)]
ath9k: fix timeout on stopping rx dma
It seems that using ath9k_hw_stoppcurecv to stop rx dma is not enough.
When it's time to stop DMA, the PCU is still busy, so the rx enable
bit never clears.
Using ath9k_hw_abortpcurecv helps with getting rx stopped much faster,
with this change, I cannot reproduce the rx stop related WARN_ON anymore.
Signed-off-by: Felix Fietkau <nbd@openwrt.org> Cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
David Daney [Fri, 19 Nov 2010 12:13:18 +0000 (12:13 +0000)]
of/phylib: Use device tree properties to initialize Marvell PHYs.
Some aspects of PHY initialization are board dependent, things like
indicator LED connections and some clocking modes cannot be determined
by probing. The dev_flags element of struct phy_device can be used to
control these things if an appropriate value can be passed from the
Ethernet driver. We run into problems however if the PHY connections
are specified by the device tree. There is no way for the Ethernet
driver to know what flags it should pass.
If we are using the device tree, the struct phy_device will be
populated with the device tree node corresponding to the PHY, and we
can extract extra configuration information from there.
The next question is what should the format of that information be?
It is highly device specific, and the device tree representation
should not be tied to any arbitrary kernel defined constants. A
straight forward representation is just to specify the exact bits that
should be set using the "marvell,reg-init" property:
The Marvell PHYs have a page select register at register 22 (0x16), we
can specify any register by its page and register number. These are
the first and second word. The third word contains a mask to be ANDed
with the existing register value, and the fourth word is ORed with the
result to yield the new register value. The new marvell_of_reg_init
function leaves the page select register unchanged, so a call to it
can be dropped into the .config_init functions without unduly
affecting the state of the PHY.
If CONFIG_OF_MDIO is not set, there is no of_node, or no
"marvell,reg-init" property, the PHY initialization is unchanged.
Signed-off-by: David Daney <ddaney@caviumnetworks.com> Cc: Grant Likely <grant.likely@secretlab.ca> Cc: Cyril Chemparathy <cyril@ti.com> Cc: David Daney <ddaney@caviumnetworks.com> Cc: Arnaud Patard <arnaud.patard@rtp-net.org> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Reviewed-by: Grant Likely <grant.likely@secretlab.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
David Daney [Fri, 19 Nov 2010 11:58:53 +0000 (11:58 +0000)]
phylib: Add support for Marvell 88E1149R devices.
The 88E1149R is 10/100/1000 quad-gigabit Ethernet PHY. The
.config_aneg function can be shared with 88E1118, but it needs its own
.config_init.
Signed-off-by: David Daney <ddaney@caviumnetworks.com> Cc: Cyril Chemparathy <cyril@ti.com> Cc: Arnaud Patard <arnaud.patard@rtp-net.org> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Wolfram Sang <w.sang@pengutronix.de> Signed-off-by: David S. Miller <davem@davemloft.net>
David Daney [Fri, 19 Nov 2010 11:58:52 +0000 (11:58 +0000)]
phylib: Use common page register definition for Marvell PHYs.
The definition of the Marvell PHY page register is not specific to 88E1121, so rename the macro to MII_MARVELL_PHY_PAGE, and use it
throughout.
Suggested-by: Cyril Chemparathy <cyril@ti.com> Signed-off-by: David Daney <ddaney@caviumnetworks.com> Cc: Cyril Chemparathy <cyril@ti.com> Cc: Arnaud Patard <arnaud.patard@rtp-net.org> Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Sonny Rao [Thu, 18 Nov 2010 11:50:02 +0000 (11:50 +0000)]
qlge: Fix incorrect usage of module parameters and netdev msg level
Driver appears to be mistaking the permission field with default value
in the case of debug and qlge_irq_type.
Driver is also passing debug as a bitmask into netif_msg_init()
which wants a number of bits. Ron Mercer suggests we should
change this to pass in -1 so the defaults get used instead,
which makes the default much less verbose.
Signed-off-by: Milton Miller <miltonm@bga.com> Signed-off-by: Sonny Rao <sonnyrao@linux.vnet.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
ipv6: addrconf: don't remove address state on ifdown if the address
is being kept
Fix logic so that addrconf_ifdown() decrements the inet6_ifaddr
refcnt correctly with in6_ifa_put().
Reported-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: John Fastabend <john.r.fastabend@intel.com> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Nicolas Kaiser [Thu, 18 Nov 2010 14:24:02 +0000 (14:24 +0000)]
SuperH IrDA: correct Baud rate error correction
It looks to me as if the second value of rate_err_array is intended
to be a decimal 625. However, with a leading 0 it becomes an octal
constant, and as such evaluates to a decimal 405.
Signed-off-by: Nicolas Kaiser <nikai@nikai.net> Signed-off-by: David S. Miller <davem@davemloft.net>
if (hw->nic_type == athr_l1c || hw->nic_type == athr_l2c_b)
for enabling OTP CLK, and the condition:
if (hw->nic_type == athr_l1c || hw->nic_type == athr_l2c)
for disabling OTP CLK. Since the two previously defined hardware
types are athr_l1c and athr_l2c, the latter condition appears to be
the correct one. Change the former to match.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
Anupam Chanda [Sun, 21 Nov 2010 17:54:21 +0000 (09:54 -0800)]
e1000: fix screaming IRQ
VMWare reports that the e1000 driver has a bug when bringing down the
interface, such that interrupts are not disabled in the hardware but the
driver stops reporting that it consumed the interrupt.
The fix is to set the driver's "down" flag later in the routine,
after all the timers and such have exited, preventing the interrupt
handler from being called and exiting early without handling the
interrupt.
CC: Anupam Chanda <anupamc@vmware.com> CC: stable kernel <stable@kernel.org> Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Randy Dunlap [Thu, 18 Nov 2010 13:02:37 +0000 (13:02 +0000)]
net: fix kernel-doc for sk_filter_rcu_release
Fix kernel-doc warning for sk_filter_rcu_release():
Warning(net/core/filter.c:586): missing initial short description on line:
* sk_filter_rcu_release: Release a socket filter by rcu_head
Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: netdev@vger.kernel.org Signed-off-by: David S. Miller <davem@davemloft.net>
Sarveshwar Bandi [Thu, 18 Nov 2010 23:44:45 +0000 (23:44 +0000)]
be2net: Fix to avoid firmware update when interface is not open.
Since interrupts are enabled only when open is called on the interface,
Attempting a firmware update operation when interface is down could lead to
partial success or failure of operation. This fix fails the request if
netif_running is false.
Signed-off-by: Sarveshwar Bandi <Sarveshwar.Bandi@emulex.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Thu, 18 Nov 2010 08:20:57 +0000 (08:20 +0000)]
netfilter: fix IP_VS dependencies
When NF_CONNTRACK is enabled, IP_VS uses conntrack symbols.
Therefore IP_VS can't be linked statically when conntrack
is built modular.
Reported-by: Justin P. Mattock <justinmattock@gmail.com> Tested-by: Justin P. Mattock <justinmattock@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Wolfram Sang [Tue, 16 Nov 2010 09:40:02 +0000 (09:40 +0000)]
net: irda: irttp: sync error paths of data- and udata-requests
irttp_data_request() returns meaningful errorcodes, while irttp_udata_request()
just returns -1 in similar situations. Sync the two and the loglevels of the
accompanying output.
Signed-off-by: Wolfram Sang <w.sang@pengutronix.de> Cc: Samuel Ortiz <sameo@linux.intel.com> Cc: David Miller <davem@davemloft.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Thomas Graf [Wed, 17 Nov 2010 04:12:02 +0000 (04:12 +0000)]
ipv6: Expose reachable and retrans timer values as msecs
Expose reachable and retrans timer values in msecs instead of jiffies.
Both timer values are already exposed as msecs in the neighbour table
netlink interface.
The creation timestamp format with increased precision is kept but
cleaned up.
Signed-off-by: Thomas Graf <tgraf@infradead.org> Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Thomas Graf [Wed, 17 Nov 2010 01:44:24 +0000 (01:44 +0000)]
ipv6: Expose IFLA_PROTINFO timer values in msecs instead of jiffies
IFLA_PROTINFO exposes timer related per device settings in jiffies.
Change it to expose these values in msecs like the sysctl interface
does.
I did not find any users of IFLA_PROTINFO which rely on any of these
values and even if there are, they are likely already broken because
there is no way for them to reliably convert such a value to another
time format.
Signed-off-by: Thomas Graf <tgraf@infradead.org> Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Namhyung Kim [Tue, 16 Nov 2010 05:27:51 +0000 (05:27 +0000)]
3c59x: fix build failure on !CONFIG_PCI
VORTEX_PCI() could return NULL so it needs to be casted before
accessing any member of struct pci_dev. This fixes following
build failure. Likewise VORTEX_EISA() was changed also.
CC [M] drivers/net/3c59x.o
drivers/net/3c59x.c: In function 'acpi_set_WOL':
drivers/net/3c59x.c:3211:39: warning: dereferencing 'void *' pointer
drivers/net/3c59x.c:3211:39: error: request for member 'current_state' in something not a structure or union
make[3]: *** [drivers/net/3c59x.o] Error 1
make[2]: *** [drivers/net/3c59x.o] Error 2
make[1]: *** [sub-make] Error 2
make: *** [all] Error 2
Signed-off-by: Namhyung Kim <namhyung@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
John Fastabend [Tue, 16 Nov 2010 19:42:53 +0000 (19:42 +0000)]
net: zero kobject in rx_queue_release
netif_set_real_num_rx_queues() can decrement and increment
the number of rx queues. For example ixgbe does this as
features and offloads are toggled. Presumably this could
also happen across down/up on most devices if the available
resources changed (cpu offlined).
The kobject needs to be zero'd in this case so that the
state is not preserved across kobject_put()/kobject_init_and_add().
This resolves the following error report.
ixgbe 0000:03:00.0: eth2: NIC Link is Up 10 Gbps, Flow Control: RX/TX
kobject (ffff880324b83210): tried to init an initialized object, something is seriously wrong.
Pid: 1972, comm: lldpad Not tainted 2.6.37-rc18021qaz+ #169
Call Trace:
[<ffffffff8121c940>] kobject_init+0x3a/0x83
[<ffffffff8121cf77>] kobject_init_and_add+0x23/0x57
[<ffffffff8107b800>] ? mark_lock+0x21/0x267
[<ffffffff813c6d11>] net_rx_queue_update_kobjects+0x63/0xc6
[<ffffffff813b5e0e>] netif_set_real_num_rx_queues+0x5f/0x78
[<ffffffffa0261d49>] ixgbe_set_num_queues+0x1c6/0x1ca [ixgbe]
[<ffffffffa0262509>] ixgbe_init_interrupt_scheme+0x1e/0x79c [ixgbe]
[<ffffffffa0274596>] ixgbe_dcbnl_set_state+0x167/0x189 [ixgbe]
Signed-off-by: John Fastabend <john.r.fastabend@intel.com> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Mark Mentovai [Wed, 17 Nov 2010 21:34:37 +0000 (16:34 -0500)]
cfg80211: fix can_beacon_sec_chan, reenable HT40
This follows wireless-testing 9236d838c920e90708570d9bbd7bb82d30a38130
("cfg80211: fix extension channel checks to initiate communication") and
fixes accidental case fall-through. Without this fix, HT40 is entirely
blocked.
Signed-off-by: Mark Mentovai <mark@moxienet.com> Cc: stable@kernel.org Acked-by: Luis R. Rodriguez <lrodriguez@atheros.com Signed-off-by: John W. Linville <linville@tuxdriver.com>
Vasiliy Kulikov [Sun, 14 Nov 2010 10:08:34 +0000 (10:08 +0000)]
net: bnx2x: fix error value sign
bnx2x_init_one() should return negative value on error.
By mistake it returns ENODEV instead of -ENODEV.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> Acked-by: Eilon Greenstein <eilong@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Shan Wei [Wed, 17 Nov 2010 19:55:08 +0000 (11:55 -0800)]
8139cp: fix checksum broken
I am not family with RealTek RTL-8139C+ series 10/100 PCI Ethernet driver.
I try to guess the meaning of RxProtoIP and IPFail.
RxProtoIP stands for received IPv4 packet that upper protocol is not tcp and udp.
!(status & IPFail) is true means that driver correctly to check checksum in IPv4 header.
If these are right, driver will set ip_summed with CHECKSUM_UNNECESSARY for other
upper protocol, e.g. sctp, igmp protocol. This will cause protocol stack ignores
checksum check for packets with invalid checksum.
This patch is only compile-test.
Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Shan Wei [Fri, 12 Nov 2010 00:15:25 +0000 (00:15 +0000)]
r8169: fix checksum broken
If r8196 received packets with invalid sctp/igmp(not tcp, udp) checksum, r8196 set skb->ip_summed
wit CHECKSUM_UNNECESSARY. This cause that upper protocol don't check checksum field.
I am not family with r8196 driver. I try to guess the meaning of RxProtoIP and IPFail.
RxProtoIP stands for received IPv4 packet that upper protocol is not tcp and udp.
!(opts1 & IPFail) is true means that driver correctly to check checksum in IPv4 header.
If it's right, I think we should not set ip_summed wit CHECKSUM_UNNECESSARY for my sctp packets
with invalid checksum.
If it's not right, please tell me.
Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com> Acked-by: Francois Romieu <romieu@fr.zoreil.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Dan Rosenberg [Wed, 17 Nov 2010 06:37:16 +0000 (06:37 +0000)]
rds: Integer overflow in RDS cmsg handling
In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
restricted to less than UINT_MAX. This seems to need a tighter upper
bound, since the calculation of total iov_size can overflow, resulting
in a small sock_kmalloc() allocation. This would probably just result
in walking off the heap and crashing when calling rds_rdma_pages() with
a high count value. If it somehow doesn't crash here, then memory
corruption could occur soon after.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Signed-off-by: David S. Miller <davem@davemloft.net>
cfg80211: fix extension channel checks to initiate communication
When operating in a mode that initiates communication and using
HT40 we should fail if we cannot use both primary and secondary
channels to initiate communication. Our current ht40 allowmap
only covers STA mode of operation, for beaconing modes we need
a check on the fly as the mode of operation is dynamic and
there other flags other than disable which we should read
to check if we can initiate communication.
Do not allow for initiating communication if our secondary HT40
channel has is either disabled, has a passive scan flag, a
no-ibss flag or is a radar channel. Userspace now has similar
checks but this is also needed in-kernel.
Reported-by: Jouni Malinen <jouni.malinen@atheros.com> Cc: stable@kernel.org Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Wolfram Sang [Tue, 16 Nov 2010 17:50:47 +0000 (09:50 -0800)]
irda: irttp: allow zero byte packets
Sending zero byte packets is not neccessarily an error (AF_INET accepts it,
too), so just apply a shortcut. This was discovered because of a non-working
software with WINE. See
for very detailed debugging information and a testcase. Kudos to Wolfgang for
those!
Reported-by: Wolfgang Schwotzer <wolfgang.schwotzer@gmx.net> Signed-off-by: Wolfram Sang <w.sang@pengutronix.de> Tested-by: Mike Evans <mike.evans@cardolan.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Jussi Kivilinna [Fri, 12 Nov 2010 06:53:56 +0000 (08:53 +0200)]
cfg80211: fix WIPHY_FLAG_IBSS_RSN bit
WIPHY_FLAG_IBSS_RSN is BIT(7) as is WIPHY_FLAG_CONTROL_PORT_PROTOCOL. Change
to BIT(8).
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@mbnet.fi> Acked-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Arnd Hannemann [Thu, 11 Nov 2010 17:44:32 +0000 (11:44 -0600)]
b43legacy: Fix compile on ARM architecture
When b43legacy is compiled on the arm platform, the following errors are seen:
CC [M] drivers/net/wireless/b43legacy/xmit.o
In file included from include/net/dst.h:11,
from drivers/net/wireless/b43legacy/xmit.c:31:
include/net/dst_ops.h:28: error: expected ':', ',', ';', '}' or '__attribute__'
before '____cacheline_aligned_in_smp'
include/net/dst_ops.h: In function 'dst_entries_get_fast':
include/net/dst_ops.h:33: error: 'struct dst_ops' has no member named
'pcpuc_entries'
include/net/dst_ops.h: In function 'dst_entries_get_slow':
include/net/dst_ops.h:41: error: 'struct dst_ops' has no member named
'pcpuc_entries'
include/net/dst_ops.h: In function 'dst_entries_add':
include/net/dst_ops.h:49: error: 'struct dst_ops' has no member named
'pcpuc_entries'
include/net/dst_ops.h: In function 'dst_entries_init':
include/net/dst_ops.h:55: error: 'struct dst_ops' has no member named
'pcpuc_entries'
include/net/dst_ops.h: In function 'dst_entries_destroy':
include/net/dst_ops.h:60: error: 'struct dst_ops' has no member named
'pcpuc_entries'
make[4]: *** [drivers/net/wireless/b43legacy/xmit.o] Error 1
make[3]: *** [drivers/net/wireless/b43legacy] Error 2
make[2]: *** [drivers/net/wireless] Error 2
make[1]: *** [drivers/net] Error 2
make: *** [drivers] Error 2
The cause is a missing include of <linux/cache.h>, which is present for
i386 and x86_64 architectures, but not for arm.
Signed-off-by: Arnd Hannemann <arnd@arndnet.de> Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Cc: Stable <stable@kernel.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
However this include triggers issues for applications in userspace
which use the rtnetlink interfaces. Commonly this requires they include
'net/if.h' and 'linux/rtnetlink.h' leading to a compiler error as below:
In file included from /usr/include/linux/netdevice.h:28:0,
from /usr/include/linux/rtnetlink.h:9,
from t.c:2:
/usr/include/linux/if.h:135:8: error: redefinition of ‘struct ifmap’
/usr/include/net/if.h:112:8: note: originally defined here
/usr/include/linux/if.h:169:8: error: redefinition of ‘struct ifreq’
/usr/include/net/if.h:127:8: note: originally defined here
/usr/include/linux/if.h:218:8: error: redefinition of ‘struct ifconf’
/usr/include/net/if.h:177:8: note: originally defined here
The new helper is only defined for the kernel and protected by __KERNEL__
therefore we can simply pull the include down into the same protected
section.
Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (66 commits)
can-bcm: fix minor heap overflow
gianfar: Do not call device_set_wakeup_enable() under a spinlock
ipv6: Warn users if maximum number of routes is reached.
docs: Add neigh/gc_thresh3 and route/max_size documentation.
axnet_cs: fix resume problem for some Ax88790 chip
ipv6: addrconf: don't remove address state on ifdown if the address is being kept
tcp: Don't change unlocked socket state in tcp_v4_err().
x25: Prevent crashing when parsing bad X.25 facilities
cxgb4vf: add call to Firmware to reset VF State.
cxgb4vf: Fail open if link_start() fails.
cxgb4vf: flesh out PCI Device ID Table ...
cxgb4vf: fix some errors in Gather List to skb conversion
cxgb4vf: fix bug in Generic Receive Offload
cxgb4vf: don't implement trivial (and incorrect) ndo_select_queue()
ixgbe: Look inside vlan when determining offload protocol.
bnx2x: Look inside vlan when determining checksum proto.
vlan: Add function to retrieve EtherType from vlan packets.
virtio-net: init link state correctly
ucc_geth: Fix deadlock
ucc_geth: Do not bring the whole IF down when TX failure.
...
Linus Torvalds [Sat, 13 Nov 2010 01:13:28 +0000 (17:13 -0800)]
Merge branch 'usb-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6
* 'usb-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6: (28 commits)
Revert "USB: xhci: Use GFP_ATOMIC under spin_lock"
USB: ohci-jz4740: Fix spelling in MODULE_ALIAS
UWB: Return UWB_RSV_ALLOC_NOT_FOUND rather than crashing on NULL dereference if kzalloc fails
usb: core: fix information leak to userland
usb: misc: iowarrior: fix information leak to userland
usb: misc: sisusbvga: fix information leak to userland
usb: subtle increased memory usage in u_serial
USB: option: fix when the driver is loaded incorrectly for some Huawei devices.
USB: xhci: Use GFP_ATOMIC under spin_lock
usb: gadget: goku_udc: add registered flag bit, fixing build
USB: ehci/mxc: compile fix
USB: Fix FSL USB driver on non Open Firmware systems
USB: the development of the usb tree is now in git
usb: musb: fail unaligned DMA transfers on v1.8 and above
USB: ftdi_sio: add device IDs for Milkymist One JTAG/serial
usb.h: fix ioctl kernel-doc info
usb: musb: gadget: kill duplicate code in musb_gadget_queue()
usb: musb: Fix handling of spurious SESSREQ
usb: musb: fix kernel oops when loading musb_hdrc module for the 2nd time
USB: musb: blackfin: push clkin value to platform resources
...
Linus Torvalds [Sat, 13 Nov 2010 00:02:30 +0000 (16:02 -0800)]
Merge branch 'tty-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty-2.6
* 'tty-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty-2.6:
n_gsm: Fix length handling
n_gsm: Copy n2 over when configuring via ioctl interface
serial: bfin_5xx: grab port lock before making port termios changes
serial: bfin_5xx: disable CON_PRINTBUFFER for consoles
serial: bfin_5xx: remove redundant SSYNC to improve TX speed
serial: bfin_5xx: always include DMA headers
vcs: make proper usage of the poll flags
amiserial: Remove unused variable icount
8250: Fix tcsetattr to avoid ioctl(TIOCMIWAIT) hang
tty_ldisc: Fix BUG() on hangup
TTY: restore tty_ldisc_wait_idle
SERIAL: blacklist si3052 chip
drivers/serial/bfin_5xx.c: Fix line continuation defects
tty: prevent DOS in the flush_to_ldisc
8250: add support for Kouwell KW-L221N-2
nozomi: Fix warning from the previous TIOCGCOUNT changes
tty: fix warning in synclink driver
tty: Fix formatting in tty.h
tty: the development tree is now done in git
Linus Torvalds [Sat, 13 Nov 2010 00:01:55 +0000 (16:01 -0800)]
Merge branch 'upstream/core' of git://git.kernel.org/pub/scm/linux/kernel/git/jeremy/xen
* 'upstream/core' of git://git.kernel.org/pub/scm/linux/kernel/git/jeremy/xen:
xen: do not release any memory under 1M in domain 0
xen: events: do not unmask event channels on resume
xen: correct size of level2_kernel_pgt
Linus Torvalds [Fri, 12 Nov 2010 23:54:39 +0000 (15:54 -0800)]
Merge branch 'stable/xen-pcifront-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen
* 'stable/xen-pcifront-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/konrad/xen:
MAINTAINERS: Mark XEN lists as moderated
xen-pcifront: fix PCI reference leak
xen-pcifront: Remove duplicate inclusion of headers.
xen: fix memory leak in Xen PCI MSI/MSI-X allocator.
MAINTAINERS: Update mailing list name for Xen pieces.
Tejun Heo [Mon, 1 Nov 2010 10:39:19 +0000 (11:39 +0100)]
libata: fix NULL sdev dereference race in atapi_qc_complete()
SCSI commands may be issued between __scsi_add_device() and dev->sdev
assignment, so it's unsafe for ata_qc_complete() to dereference
dev->sdev->locked without checking whether it's NULL or not. Fix it.
Signed-off-by: Tejun Heo <tj@kernel.org> Cc: stable@kernel.org Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Reported-by: Dan Rosenberg <drosenberg@vsecurity.com> Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net> CC: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: David S. Miller <davem@davemloft.net>
gianfar: Do not call device_set_wakeup_enable() under a spinlock
The gianfar driver calls device_set_wakeup_enable() under a spinlock,
which causes a problem to happen after the recent core power
management changes, because this function can sleep now. Fix this
by moving the device_set_wakeup_enable() call out of the
spinlock-protected area.
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl> Signed-off-by: David S. Miller <davem@davemloft.net>
Lorenzo Colitti [Wed, 27 Oct 2010 18:16:49 +0000 (18:16 +0000)]
ipv6: addrconf: don't remove address state on ifdown if the address is being kept
Currently, addrconf_ifdown does not delete statically configured IPv6
addresses when the interface is brought down. The intent is that when
the interface comes back up the address will be usable again. However,
this doesn't actually work, because the system stops listening on the
corresponding solicited-node multicast address, so the address cannot
respond to neighbor solicitations and thus receive traffic. Also, the
code notifies the rest of the system that the address is being deleted
(e.g, RTM_DELADDR), even though it is not. Fix it so that none of this
state is updated if the address is being kept on the interface.
Tested: Added a statically configured IPv6 address to an interface,
started ping, brought link down, brought link up again. When link came
up ping kept on going and "ip -6 maddr" showed that the host was still
subscribed to there
Signed-off-by: Lorenzo Colitti <lorenzo@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Fri, 12 Nov 2010 21:35:00 +0000 (13:35 -0800)]
tcp: Don't change unlocked socket state in tcp_v4_err().
Alexey Kuznetsov noticed a regression introduced by
commit f1ecd5d9e7366609d640ff4040304ea197fbc618
("Revert Backoff [v3]: Revert RTO on ICMP destination unreachable")
The RTO and timer modification code added to tcp_v4_err()
doesn't check sock_owned_by_user(), which if true means we
don't have exclusive access to the socket and therefore cannot
modify it's critical state.
Just skip this new code block if sock_owned_by_user() is true
and eliminate the now superfluous sock_owned_by_user() code
block contained within.
Reported-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Signed-off-by: David S. Miller <davem@davemloft.net> CC: Damian Lukowski <damian@tvk.rwth-aachen.de> Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Dan Rosenberg [Fri, 12 Nov 2010 20:44:42 +0000 (12:44 -0800)]
x25: Prevent crashing when parsing bad X.25 facilities
Now with improved comma support.
On parsing malformed X.25 facilities, decrementing the remaining length
may cause it to underflow. Since the length is an unsigned integer,
this will result in the loop continuing until the kernel crashes.
This patch adds checks to ensure decrementing the remaining length does
not cause it to wrap around.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Casey Leedom [Thu, 11 Nov 2010 09:06:50 +0000 (09:06 +0000)]
cxgb4vf: fix some errors in Gather List to skb conversion
There were some errors in the way that internal Gather Lists were being
translated into skb's. This also makes the VF Driver look more like the PF
Driver to facilitate easier comarison.
Signed-off-by: Casey Leedom <leedom@chelsio.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Don't implement (struct net_device_ops *)->ndo_select_queue() with simple
call to skb_tx_hash(). This leads to non-persistent TX queue selection in
the Linux dev_pick_tx() routine for TCP connections.
Signed-off-by: Casey Leedom <leedom@chelsio.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Hao Zheng [Thu, 11 Nov 2010 13:47:59 +0000 (13:47 +0000)]
ixgbe: Look inside vlan when determining offload protocol.
Currently the skb->protocol field is used to setup various
offloading parameters on transmit for the correct protocol.
However, if vlan offloading is disabled or otherwise not used,
the protocol field will be ETH_P_8021Q, not the actual protocol.
This will cause the offloading to be not performed correctly,
even though the hardware is capable of looking inside vlan tags.
Instead, look inside the header if necessary to determine the
correct protocol type.
To some extent this fixes a regression from 2.6.36 because it
was previously not possible to disable vlan offloading and this
error case was not exposed.
Signed-off-by: Hao Zheng <hzheng@nicira.com> CC: Jeff Kirsher <jeffrey.t.kirsher@intel.com> CC: Alex Duyck <alexander.h.duyck@intel.com> CC: Jesse Brandeburg <jesse.brandeburg@intel.com> Signed-off-by: Jesse Gross <jesse@nicira.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Hao Zheng [Thu, 11 Nov 2010 13:47:58 +0000 (13:47 +0000)]
bnx2x: Look inside vlan when determining checksum proto.
Currently the skb->protocol field is used to setup checksum
offloading on transmit for the correct protocol. However, if
vlan offloading is disabled or otherwise not used, the protocol
field will be ETH_P_8021Q, not the actual protocol. This will
cause the checksum to be not computed correctly, even though the
hardware is capable of looking inside vlan tags. Instead,
look inside the header if necessary to determine the correct
protocol type.
To some extent this fixes a regression from 2.6.36 because it
was previously not possible to disable vlan offloading and this
error case was not exposed.
Signed-off-by: Hao Zheng <hzheng@nicira.com> CC: Eilon Greenstein <eilong@broadcom.com> Signed-off-by: Jesse Gross <jesse@nicira.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Hao Zheng [Thu, 11 Nov 2010 13:47:57 +0000 (13:47 +0000)]
vlan: Add function to retrieve EtherType from vlan packets.
Depending on how a packet is vlan tagged (i.e. hardware accelerated or
not), the encapsulated protocol is stored in different locations. This
provides a consistent method of accessing that protocol, which is needed
by drivers, security checks, etc.
Signed-off-by: Hao Zheng <hzheng@nicira.com> Signed-off-by: Jesse Gross <jesse@nicira.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Jason Wang [Wed, 10 Nov 2010 14:45:41 +0000 (14:45 +0000)]
virtio-net: init link state correctly
For device that supports VIRTIO_NET_F_STATUS, there's no need to
assume the link is up and we need to call nerif_carrier_off() before
querying device status, otherwise we may get wrong operstate after
diver was loaded because the link watch event was not fired as
expected.
For device that does not support VIRITO_NET_F_STATUS, we could not get
its status through virtnet_update_status() and what we can only do is
always assuming the link is up.
Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: David S. Miller <davem@davemloft.net>
The reason appears to be ucc_geth_stop meets adjust_link as the
PHY reports PHY changes. I belive adjust_link hangs somewhere,
holding the PHY lock, because ucc_geth_stop disabled the
controller HW.
Fix is to stop the PHY before disabling the controller.
Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se> Reviewed-by: Anton Vorontsov <cbouatmailru@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Joakim Tjernlund [Fri, 12 Nov 2010 03:55:08 +0000 (03:55 +0000)]
ucc_geth: Do not bring the whole IF down when TX failure.
ucc_geth_close lacks a cancel_work_sync(&ugeth->timeout_work)
to stop any outstanding processing of TX fail. However, one
can not call cancel_work_sync without fixing the timeout function
otherwise it will deadlock. This patch brings ucc_geth in line with
gianfar:
Don't bring the interface down and up, just reinit controller HW
and PHY.
Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se> Reviewed-by: Anton Vorontsov <cbouatmailru@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Thomas Graf [Thu, 11 Nov 2010 15:47:59 +0000 (15:47 +0000)]
rtnetlink: Fix message size calculation for link messages
nlmsg_total_size() calculates the length of a netlink message
including header and alignment. nla_total_size() calculates the
space an individual attribute consumes which was meant to be used
in this context.
Also, ensure to account for the attribute header for the
IFLA_INFO_XSTATS attribute as implementations of get_xstats_size()
seem to assume that we do so.
The addition of two message headers minus the missing attribute
header resulted in a calculated message size that was larger than
required. Therefore we never risked running out of skb tailroom.
Signed-off-by: Thomas Graf <tgraf@infradead.org> Acked-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Linus Torvalds [Fri, 12 Nov 2010 18:30:49 +0000 (10:30 -0800)]
Merge master.kernel.org:/home/rmk/linux-2.6-arm
* master.kernel.org:/home/rmk/linux-2.6-arm:
ARM: GIC: don't disable software generated interrupts
ARM: 6472/1: vexpress ct-ca9x4: only set twd_base if local timers are being used
ARM: arch/arm/kernel/traps.c: Convert sprintf_symbol to %pS
ARM: arch/arm/kernel/hw_breakpoint.c: Convert WARN_ON to WARN
ARM: 6462/1: EP93xx: Document DMA M2P API
ARM: 6470/1: atomic64: use generic implementation for OABI configurations
ARM: 6469/1: perf-events: squash compiler warning
ARM: 6468/1: backtrace: fix calculation of thread stack base
ARM: Fix DMA coherent allocator alignment
ARM: orion5x/kirkwood/mv78xx0: fix MPP configuration corner cases
[ARM] TS-78xxx NAND resource type should be IORESOURCE_MEM
ARM: pxa/saar: fix the building failure caused by typo
ARM: pxa/cm-x2xx: remove duplicate call to pxa27x_init_irq
ARM: pxa: fix the missing definition of IRQ_BOARD_END
ARM: mmp: fix cpuid detection on mmp2
[ARM] Kirkwood: restrict the scope of the PCIe reset workaround
[ARM] Kirkwood: fix timer initialization for LaCie boards
[ARM] Kirkwood: enhance TCLK detection
Linus Torvalds [Fri, 12 Nov 2010 17:52:31 +0000 (09:52 -0800)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
Input: do not pass injected events back to the originating handler
Input: pcf8574_keypad - fix error handling in pcf8574_kp_probe
Input: acecad - fix a memory leak in usb_acecad_probe error path
Input: atkbd - add 'terminal' parameter for IBM Terminal keyboards
Input: i8042 - add Sony VAIOs to MUX blacklist
kgdboc: reset input devices (keyboards) when exiting debugger
Input: export input_reset_device() for use in KGDB
Input: adp5588-keys - unify common header defines
Linus Torvalds [Fri, 12 Nov 2010 16:52:47 +0000 (08:52 -0800)]
Merge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block
* 'for-linus' of git://git.kernel.dk/linux-2.6-block: (27 commits)
block: remove unused copy_io_context()
Documentation: remove anticipatory scheduler info
block: remove REQ_HARDBARRIER
ioprio: rcu_read_lock/unlock protect find_task_by_vpid call (V2)
ioprio: fix RCU locking around task dereference
block: ioctl: fix information leak to userland
block: read i_size with i_size_read()
cciss: fix proc warning on attempt to remove non-existant directory
bio: take care not overflow page count when mapping/copying user data
block: limit vec count in bio_kmalloc() and bio_alloc_map_data()
block: take care not to overflow when calculating total iov length
block: check for proper length of iov entries in blk_rq_map_user_iov()
cciss: remove controllers supported by hpsa
cciss: use usleep_range not msleep for small sleeps
cciss: limit commands allocated on reset_devices
cciss: Use kernel provided PCI state save and restore functions
cciss: fix board status waiting code
drbd: Removed checks for REQ_HARDBARRIER on incomming BIOs
drbd: REQ_HARDBARRIER -> REQ_FUA transition for meta data accesses
drbd: Removed the BIO_RW_BARRIER support form the receiver/epoch code
...
Linus Torvalds [Fri, 12 Nov 2010 16:39:52 +0000 (08:39 -0800)]
Merge branch 'perf-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip
* 'perf-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
perf, amd: Use kmalloc_node(,__GFP_ZERO) for northbridge structure allocation
perf_events: Fix time tracking in samples
perf trace: update usage
perf trace: update Documentation with new perf trace variants
perf trace: live-mode command-line cleanup
perf trace record: handle commands correctly
perf record: make the record options available outside perf record
perf trace scripting: remove system-wide param from shell scripts
perf trace scripting: fix some small memory leaks and missing error checks
perf: Fix usages of profile_cpu in builtin-top.c to use cpu_list
perf, ui: Eliminate stack-smashing protection compiler complaint
Linus Torvalds [Fri, 12 Nov 2010 16:11:58 +0000 (08:11 -0800)]
Merge branch 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6
* 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6: (39 commits)
drm/ttm: Be consistent on ttm_bo_init() failures
drm/radeon/kms: Fix retrying ttm_bo_init() after it failed once.
drm/radeon/kms: fix thermal sensor reporting on rv6xx
drm/radeon/kms: fix bugs in ddc and cd path router code
drm/radeon/kms: add support for clock/data path routers
drm: vmwgfx: fix information leak to userland
drivers/gpu: Use vzalloc
drm/vmwgfx: Fix oops on failing bo pin
drm/ttm: Remove the CAP_SYS_ADMIN requirement for bo pinning
drm/ttm: Make sure a sync object doesn't disappear while we use it
drm/radeon/kms: don't disable shared encoders on pre-DCE3 display blocks
drivers/gpu/drm: Update WARN uses
drivers/gpu/drm/vmwgfx: Fix k.alloc switched arguments
DRM: ignore invalid EDID extensions
drm/radeon/kms: make the connector code less verbose
drm/ttm: remove failed ttm binding error printout
drm/ttm: Add a barrier when unreserving
drm/ttm: Remove mm init error printouts and checks
drm/ttm: Remove pointless list_empty check
drm/ttm: Use private locks for the default bo range manager
...
Linus Torvalds [Fri, 12 Nov 2010 16:11:03 +0000 (08:11 -0800)]
Merge branch 'for-linus' of git://oss.sgi.com/xfs/xfs
* 'for-linus' of git://oss.sgi.com/xfs/xfs:
xfs: remove incorrect assert in xfs_vm_writepage
xfs: use hlist_add_fake
xfs: fix a few compiler warnings with CONFIG_XFS_QUOTA=n
xfs: tell lockdep about parent iolock usage in filestreams
xfs: move delayed write buffer trace
xfs: fix per-ag reference counting in inode reclaim tree walking
xfs: xfs_ioctl: fix information leak to userland
xfs: remove experimental tag from the delaylog option