Florian Westphal [Thu, 17 Feb 2011 10:32:38 +0000 (11:32 +0100)]
netfilter: tproxy: do not assign timewait sockets to skb->sk
Assigning a socket in timewait state to skb->sk can trigger
kernel oops, e.g. in nfnetlink_log, which does:
if (skb->sk) {
read_lock_bh(&skb->sk->sk_callback_lock);
if (skb->sk->sk_socket && skb->sk->sk_socket->file) ...
in the timewait case, accessing sk->sk_callback_lock and sk->sk_socket
is invalid.
Either all of these spots will need to add a test for sk->sk_state != TCP_TIME_WAIT,
or xt_TPROXY must not assign a timewait socket to skb->sk.
This does the latter.
If a TW socket is found, assign the tproxy nfmark, but skip the skb->sk assignment,
thus mimicking behaviour of a '-m socket .. -j MARK/ACCEPT' re-routing rule.
The 'SYN to TW socket' case is left unchanged -- we try to redirect to the
listener socket.
Patrick McHardy [Mon, 14 Feb 2011 16:35:07 +0000 (17:35 +0100)]
netfilter: nf_iterate: fix incorrect RCU usage
As noticed by Eric, nf_iterate doesn't use RCU correctly by
accessing the prev pointer of a RCU protected list element when
a verdict of NF_REPEAT is issued.
Fix by jumping backwards to the hook invocation directly instead
of loading the previous list element before continuing the list
iteration.
Reported-by: Eric Dumazet <eric.dumazet@gmail.com> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
However, this is a problem for the iptables' CT target event filtering
which will not work in this case since the conntrack template will not
be there for the new session. To fix this, we reassign the conntrack
template to the packet if we return NF_REPEAT.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
Note that the TCP protocol state is not included. For that reason
the CT event filtering is not very useful for conntrackd.
To resolve this issue, instead of conditionally setting the CT events
bits based on the ctmask, we always set them and perform the filtering
in the late stage, just before the delivery.
Thus, the event delivered looks like the following:
netfilter: arpt_mangle: fix return values of checkentry
In 135367b "netfilter: xtables: change xt_target.checkentry return type",
the type returned by checkentry was changed from boolean to int, but the
return values where not adjusted.
arptables: Input/output error
This broke arptables with the mangle target since it returns true
under success, which is interpreted by xtables as >0, thus
returning EIO.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
Thomas Jacob [Mon, 24 Jan 2011 20:35:36 +0000 (21:35 +0100)]
netfilter: xt_iprange: Incorrect xt_iprange boundary check for IPv6
iprange_ipv6_sub was substracting 2 unsigned ints and then casting
the result to int to find out whether they are lt, eq or gt each
other, this doesn't work if the full 32 bits of each part
can be used in IPv6 addresses. Patch should remedy that without
significant performance penalties. Also number of ntohl
calls can be reduced this way (Jozsef Kadlecsik).
Signed-off-by: Thomas Jacob <jacob@internet24.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: ctnetlink: fix missing refcount increment during dumps
In 13ee6ac netfilter: fix race in conntrack between dump_table and
destroy, we recovered spinlocks to protect the dump of the conntrack
table according to reports from Stephen and acknowledgments on the
issue from Eric.
In that patch, the refcount bump that allows to keep a reference
to the current ct object was removed. However, we still decrement
the refcount for that object in the output path of
ctnetlink_dump_table():
if (last)
nf_ct_put(last)
Cc: Stephen Hemminger <stephen.hemminger@vyatta.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
Resulted from bonding driver registering packet handlers via dev_add_pack and
then trying to call pskb_may_pull. If another packet handler (like for AF_PACKET
sockets) gets called first, the delivered skb will have a user count > 1, which
causes pskb_may_pull to BUG halt when it does its skb_shared check. Fix this by
calling skb_share_check prior to the may_pull call sites in the bonding driver
to clone the skb when needed. Tested by myself and the reported successfully.
Signed-off-by: Neil Horman CC: Andy Gospodarek <andy@greyhouse.net> CC: Jay Vosburgh <fubar@us.ibm.com> CC: "David S. Miller" <davem@davemloft.net> Signed-off-by: Jay Vosburgh <fubar@us.ibm.com> Signed-off-by: Andy Gospodarek <andy@greyhouse.net> Signed-off-by: David S. Miller <davem@davemloft.net>
cxgb4: fix reported state of interfaces without link
Currently tools like ip and ifconfig report incorrect state for cxgb4
interfaces that are up but do not have link and do so until first link
establishment. This is because the initial netif_carrier_off call is
before register_netdev and it needs to be after to be fully effective.
Fix this by moving netif_carrier_off into .ndo_open.
Signed-off-by: Dimitris Michailidis <dm@chelsio.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Wed, 19 Jan 2011 00:51:36 +0000 (00:51 +0000)]
net: fix can_checksum_protocol() arguments swap
commit 0363466866d901fbc (net offloading: Convert checksums to use
centrally computed features.) mistakenly swapped can_checksum_protocol()
arguments.
This broke IPv6 on bnx2 for instance, on NIC without TCPv6 checksum
offloads.
Reported-by: Hans de Bruin <jmdebruin@xmsnet.nl> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Acked-by: Jesse Gross <jesse@nicira.com> Signed-off-by: David S. Miller <davem@davemloft.net>
sh_irda can not use RX/TX in same time,
but this driver didn't return to RX mode when TX error occurred.
This patch care xmit error case to solve this issue.
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Jesse Gross [Mon, 17 Jan 2011 20:46:00 +0000 (20:46 +0000)]
net offloading: Do not mask out NETIF_F_HW_VLAN_TX for vlan.
In netif_skb_features() we return only the features that are valid for vlans
if we have a vlan packet. However, we should not mask out NETIF_F_HW_VLAN_TX
since it enables transmission of vlan tags and is obviously valid.
Reported-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Jesse Gross <jesse@nicira.com> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Alexey Orishko [Mon, 17 Jan 2011 07:07:25 +0000 (07:07 +0000)]
USB CDC NCM: tx_fixup() race condition fix
- tx_fixup() can be called from either timer callback or from xmit()
in usbnet, so spinlock is added to avoid concurrency-related problem.
- minor correction due to checkpatch warning for some line over 80
chars after previous patch was applied.
Signed-off-by: Alexey Orishko <alexey.orishko@stericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Jesper Juhl [Mon, 17 Jan 2011 10:24:57 +0000 (10:24 +0000)]
ns83820: Avoid bad pointer deref in ns83820_init_one().
In drivers/net/ns83820.c::ns83820_init_one() we dynamically allocate
memory via alloc_etherdev(). We then call PRIV() on the returned storage
which is 'return netdev_priv()'. netdev_priv() takes the pointer it is
passed and adds 'ALIGN(sizeof(struct net_device), NETDEV_ALIGN)' to it and
returns it. Then we test the resulting pointer for NULL, which it is
unlikely to be at this point, and later dereference it. This will go bad
if alloc_etherdev() actually returned NULL.
This patch reworks the code slightly so that we test for a NULL pointer
(and return -ENOMEM) directly after calling alloc_etherdev().
Signed-off-by: Jesper Juhl <jj@chaosbits.net> Signed-off-by: Benjamin LaHaise <bcrl@kvack.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Romain Francoise [Mon, 17 Jan 2011 07:59:18 +0000 (07:59 +0000)]
ipv6: Silence privacy extensions initialization
When a network namespace is created (via CLONE_NEWNET), the loopback
interface is automatically added to the new namespace, triggering a
printk in ipv6_add_dev() if CONFIG_IPV6_PRIVACY is set.
This is problematic for applications which use CLONE_NEWNET as
part of a sandbox, like Chromium's suid sandbox or recent versions of
vsftpd. On a busy machine, it can lead to thousands of useless
"lo: Disabled Privacy Extensions" messages appearing in dmesg.
It's easy enough to check the status of privacy extensions via the
use_tempaddr sysctl, so just removing the printk seems like the most
sensible solution.
Signed-off-by: Romain Francoise <romain@orebokech.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Yaniv Rosner [Tue, 18 Jan 2011 04:33:55 +0000 (04:33 +0000)]
bnx2x: Update bnx2x version to 1.62.00-4
Update bnx2x version to 1.62.00-4
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com> Signed-off-by: Eilon Greenstein <eilong@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Yaniv Rosner [Tue, 18 Jan 2011 04:33:52 +0000 (04:33 +0000)]
bnx2x: Fix AER setting for BCM57712
Fix AER settings for BCM57712 to allow accessing all device addresses range in CL45 MDC/MDIO
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com> Signed-off-by: Eilon Greenstein <eilong@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Yaniv Rosner [Tue, 18 Jan 2011 04:33:47 +0000 (04:33 +0000)]
bnx2x: Fix BCM84823 LED behavior
Fix BCM84823 LED behavior which may show on some systems
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com> Signed-off-by: Eilon Greenstein <eilong@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Yaniv Rosner [Tue, 18 Jan 2011 04:33:42 +0000 (04:33 +0000)]
bnx2x: Mark full duplex on some external PHYs
Device may show incorrect duplex mode for devices with external PHY
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com> Signed-off-by: Eilon Greenstein <eilong@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Yaniv Rosner [Tue, 18 Jan 2011 04:33:36 +0000 (04:33 +0000)]
bnx2x: Fix BCM8073/BCM8727 microcode loading
Improve microcode loading verification before proceeding to next stage
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com> Signed-off-by: Eilon Greenstein <eilong@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Yaniv Rosner [Tue, 18 Jan 2011 04:33:31 +0000 (04:33 +0000)]
bnx2x: LED fix for BCM8727 over BCM57712
LED on BCM57712+BCM8727 systems requires different settings
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com> Signed-off-by: Eilon Greenstein <eilong@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Yaniv Rosner [Tue, 18 Jan 2011 04:33:24 +0000 (04:33 +0000)]
bnx2x: Common init will be executed only once after POR
Common init used to be called by the driver when the first port comes up, mainly to reset and reload external PHY microcode.
However, in case management driver is active on the other port, traffic would halted. So limit the common init to be done only once after POR.
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com> Signed-off-by: Eilon Greenstein <eilong@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Yaniv Rosner [Tue, 18 Jan 2011 04:33:18 +0000 (04:33 +0000)]
bnx2x: Swap BCM8073 PHY polarity if required
Enable controlling BCM8073 PN polarity swap through nvm configuration, which is required in certain systems
Signed-off-by: Yaniv Rosner <yanivr@broadcom.com> Signed-off-by: Eilon Greenstein <eilong@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Wey-Yi Guy [Tue, 18 Jan 2011 15:59:13 +0000 (07:59 -0800)]
iwlwifi: fix valid chain reading from EEPROM
When read valid tx/rx chains from EEPROM, there is a bug to use the
tx chain value for both tx and rx, the result of this cause low
receive throughput on 1x2 devices becuase rx will only utilize single
chain instead of two chains
Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Bob Copeland [Tue, 18 Jan 2011 13:06:43 +0000 (08:06 -0500)]
ath5k: fix locking in tx_complete_poll_work
ath5k_reset must be called with sc->lock. Since the tx queue
watchdog runs in a workqueue and accesses sc, it's appropriate
to just take the lock over the whole function.
Signed-off-by: Bob Copeland <me@bobcopeland.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
ath9k_hw: do PA offset calibration only on longcal interval
The power detector adc offset calibration has to be done
on 4 minutes interval (longcal * pa_skip_count). But the commit
"ath9k_hw: fix a noise floor calibration related race condition"
makes the PA calibration executed more frequently beased on
nfcal_pending value. Running PAOffset calibration lesser than
longcal interval doesn't help anything and the worse part is that
it causes NF load timeouts and RX deaf conditions.
In a very noisy environment, where the distance b/w AP & station
is ~10 meter and running a downlink udp traffic with frequent
background scan causes "Timeout while waiting for nf to load:
AR_PHY_AGC_CONTROL=0x40d1a" and moves the chip into deaf state.
This issue was originaly reported in Android platform where
the network-manager application does bgscan more frequently
on AR9271 chips. (AR9285 family usb device).
Cc: stable@kernel.org Signed-off-by: Vasanthakumar Thiagarajan <vasanth@atheros.com> Signed-off-by: Rajkumar Manoharan <rmanoharan@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
ath9k_hw: ASPM interoperability fix for AR9380/AR9382
There is an interoperability with AR9382/AR9380 in L1 state with a
few root complexes which can cause a hang. This is fixed by
setting some work around bits on the PCIE PHY. We fix by using
a new ini array to modify these bits when the radio is idle.
Cc: stable@kernel.org Cc: Jack Lee <jack.lee@atheros.com> Cc: Carl Huang <carl.huang@atheros.com> Cc: David Quan <david.quan@atheros.com> Cc: Nael Atallah <nael.atallah@atheros.com> Cc: Sarvesh Shrivastava <sarvesh.shrivastava@atheros.com> Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
vmxnet3: Add locking for access to command register
Access to cmd register is racey, especially in smp environments. Protect
it using a spinlock.
Signed-off-by: Matthieu Bucchianeri <matthieu@vmware.com> Signed-off-by: Shreyas N Bhatewara <sbhatewara@vmware.com> Signed-off-by: David S. Miller <davem@davemloft.net>
vmxnet3: Disable napi in suspend, reenable in resume.
There is a small possibility of a race where the suspend routine gets
called, while a napi callback is still pending and when that comes up,
it enables interrupts which just got disabled in the suspend routine.
This change adds napi disable call in suspend and enable in resume to
avoid race.
Signed-off-by: Shreyas N Bhatewara <sbhatewara@vmware.com> Acked-by: Dmitry Torokhov <dtor@vmware.com> Signed-off-by: David S. Miller <davem@davemloft.net>
vmxnet3: Provide required number of bytes in first SG buffer
This is a performance enhancement fix. vmxnet3 device performs better when
provided with at least 54 bytes (ethernet 14 + IP 20+ TCP 20) in the first SG
buffer. For UDP packets driver provides lesser than that in first sg. This
change fixes the same. Also avoid the redundant pskb_may_pull() call.
Signed-off-by: Shreyas N Bhatewara <sbhatewara@vmware.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Make hw vlan tag stripping as enabled by default. Thereby remove
the code to conditionally enable it later.
Signed-off-by: Guolin Yang <gyang@vmware.com> Signed-off-by: Shreyas N Bhatewara <sbhatewara@vmware.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Fix a bug while changing ring size when MTU is changed.
Signed-off-by: Shreyas N Bhatewara <sbhatewara@vmware.com> Acked-by: Dmitry Torokhov <dtor@vmware.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Dan Carpenter [Sat, 15 Jan 2011 03:06:39 +0000 (03:06 +0000)]
caif: checking the wrong variable
In the original code we check if (servl == NULL) twice. The first time
should print the message that cfmuxl_remove_uplayer() failed and set
"ret" correctly, but instead it just returns success. The second check
should be checking the value of "ret" instead of "servl".
Signed-off-by: Dan Carpenter <error27@gmail.com> Acked-by: Sjur Braendeland <sjur.brandeland@stericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Kurt Van Dijck [Sun, 16 Jan 2011 04:56:42 +0000 (20:56 -0800)]
can: test size of struct sockaddr in sendmsg
This patch makes the CAN socket code conform to the manpage of sendmsg.
Signed-off-by: Kurt Van Dijck <kurt.van.dijck@eia.be> Acked-by: Oliver Hartkopp <socketcan@hartkopp.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Ursula Braun [Wed, 12 Jan 2011 20:42:24 +0000 (20:42 +0000)]
qeth: postpone open till recovery is finished
The open function of qeth is not executed if the qeth device is in
state DOWN or HARDSETUP. A recovery switches from state SOFTSETUP to
HARDSETUP to DOWN to HARDSETUP and back to SOFTSETUP. If open and
recover are running concurrently, open fails if it hits the states
HARDSETUP or DOWN. This patch inserts waiting for recovery finish
in the qeth open functions to enable successful qeth device opening
in spite of a running recovery.
Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com> Signed-off-by: Frank Blaschka <frank.blaschka@de.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Sven Eckelmann [Sat, 15 Jan 2011 14:39:43 +0000 (14:39 +0000)]
batman-adv: Use "__attribute__" shortcut macros
Linux 2.6.21 defines different macros for __attribute__ which are also
used inside batman-adv. The next version of checkpatch.pl warns about
the usage of __attribute__((packed))).
Linux 2.6.33 defines an extra macro __always_unused which is used to
assist source code analyzers and can be used to removed the last
existing __attribute__ inside the source code.
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Daniel Hellstrom [Fri, 14 Jan 2011 03:02:43 +0000 (03:02 +0000)]
GRETH: resolve SMP issues and other problems
Fixes the following:
1. POLL should not enable IRQ when work is not completed
2. No locking between TX descriptor cleaning and XMIT descriptor handling
3. No locking between RX POLL and XMIT modifying control register
4. Since TX cleaning (called from POLL) is running in parallel with XMIT
unnecessary locking is needed.
5. IRQ handler looks at RX frame status solely, this is wrong when IRQ is
temporarily disabled (in POLL), and when IRQ is shared.
6. IRQ handler clears IRQ status, which is unnecessary
7. TX queue was stopped in preventing cause when not MAX_SKB_FRAGS+1
descriptors were available after a SKB been scheduled by XMIT. Instead
the TX queue is stopped first when not enough descriptors are available
upon entering XMIT.
It was hard to split up this patch in smaller pieces since all are tied
together somehow.
Note the RX flag used in the interrupt handler does not signal that
interrupt was asserted, but that a frame was received. Same goes for TX.
Also, IRQ is not asserted when the RX flag is set before enabling IRQ
enable until a new frame is received. So extra care must be taken to
avoid enabling IRQ and all descriptors are already used, hence dead lock
will upon us. See new POLL implementation that enableds IRQ then look at
the RX flag to determine if one or more IRQs may have been missed. TX/RX
flags are cleared before handling previously enabled descriptors, this
ensures that the RX/TX flags are valid when determining if IRQ should be
turned on again.
By moving TX cleaning from POLL to XMIT in the standard case, removes some
locking trouble. Enabling TX cleaning from poll only when not enough TX
descriptors are available is safe because the TX queue is at the same time
stopped, thus XMIT will not be called. The TX queue is woken up again when
enough descriptrs are available.
TX Frames are always enabled with IRQ, however the TX IRQ Enable flag will
not be enabled until XMIT must wait for free descriptors.
Locking RX and XMIT parts of the driver from each other is needed because
the RX/TX enable bits share the same register.
Signed-off-by: Daniel Hellstrom <daniel@gaisler.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Daniel Hellstrom [Fri, 14 Jan 2011 03:02:42 +0000 (03:02 +0000)]
GRETH: handle frame error interrupts
Frame error interrupts must also be handled since the RX flag only indicates
successful reception, it is unlikely but the old code may lead to dead lock
if 128 error frames are recieved in a row.
Signed-off-by: Daniel Hellstrom <daniel@gaisler.com> Signed-off-by: David S. Miller <davem@davemloft.net>
It is safe to enable all fragments before enabling the first descriptor,
this way all descriptors don't have to be processed twice, added extra
memory barrier.
Signed-off-by: Daniel Hellstrom <daniel@gaisler.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Bruce Allan [Fri, 31 Dec 2010 06:10:01 +0000 (06:10 +0000)]
e1000e: consistent use of Rx/Tx vs. RX/TX/rx/tx in comments/logs
Some minor comment errors and whitespace issues discovered while looking
into this are also addressed.
Signed-off-by: Bruce Allan <bruce.w.allan@intel.com> Tested-by: Jeff Pieper <jeffrey.e.pieper@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Bruce Allan [Tue, 4 Jan 2011 01:16:44 +0000 (01:16 +0000)]
e1000e: update Copyright for 2011
Signed-off-by: Bruce Allan <bruce.w.allan@intel.com> Tested-by: Jeff Pieper <jeffrey.e.pieper@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Jesse Brandeburg [Thu, 13 Jan 2011 07:48:13 +0000 (07:48 +0000)]
e1000: Avoid unhandled IRQ
If hardware asserted an interrupt and driver is down,
then there is nothing to do so return IRQ_HANDLED
instead of IRQ_NONE. Returning IRQ_NONE in above
situation causes screaming IRQ on virtual machines.
CC: Andy Gospodarek <gospo@redhat.com> Signed-off-by: Tushar Dave <tushar.n.dave@intel.com> Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com> Tested-by: <jeffrey.e.pieper@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
close() is run during resume through rtl8169_reset_task(), whence the
mildly natural release of firmware in the driver removal method instead.
It will help with http://bugs.debian.org/609538. It will not avoid
the 60 seconds delay when:
- there is no firmware
- the driver is loaded and the device is not up before a suspend/resume
Signed-off-by: Francois Romieu <romieu@fr.zoreil.com> Tested-by: Jarek Kamiński <jarek@vilo.eu.org> Cc: Hayes <hayeswang@realtek.com> Cc: Ben Hutchings <benh@debian.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Tobias Klauser [Wed, 12 Jan 2011 22:14:56 +0000 (22:14 +0000)]
etherdevice.h: Add is_unicast_ether_addr function
From a check for !is_multicast_ether_addr it is not always obvious that
we're checking for a unicast address. So add this helper function to
make those code paths easier to read.
Signed-off-by: Tobias Klauser <tklauser@distanz.ch> Acked-by: Chris Metcalf <cmetcalf@tilera.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Ben Hutchings [Thu, 13 Jan 2011 07:50:14 +0000 (07:50 +0000)]
ks8695net: Disable non-working ethtool operations
Some ethtool operations can only be implemented for the WAN port, and
not all such operations are allowed to return an error code such as
-EOPNOTSUPP. Therefore, define two separate ethtool_ops structures
for WAN and non-WAN ports; simplify and rename the WAN-only functions.
This is completely untested as I don't have an ARM build environment.
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Jesper Juhl [Thu, 13 Jan 2011 11:40:11 +0000 (11:40 +0000)]
USB CDC NCM: Don't deref NULL in cdc_ncm_rx_fixup() and don't use uninitialized variable.
skb_clone() dynamically allocates memory and may fail. If it does it
returns NULL. This means we'll dereference a NULL pointer in
drivers/net/usb/cdc_ncm.c::cdc_ncm_rx_fixup().
As far as I can tell, the proper way to deal with this is simply to goto
the error label.
Furthermore gcc complains that 'skb' may be used uninitialized:
drivers/net/usb/cdc_ncm.c: In function ‘cdc_ncm_rx_fixup’:
drivers/net/usb/cdc_ncm.c:922:18: warning: ‘skb’ may be used uninitialized in this function
and I believe it is right. On the line where we
pr_debug("invalid frame detected (ignored)" ...
we are using the local variable 'skb' but nothing has ever been assigned
to that variable yet. I believe the correct fix for that is to use
'skb_in' instead.
Signed-off-by: Jesper Juhl <jj@chaosbits.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Jesper Juhl [Thu, 13 Jan 2011 10:25:20 +0000 (10:25 +0000)]
vxge: Remember to release firmware after upgrading firmware
Regardless of whether the firmware update being performed by
vxge_fw_upgrade() is a success or not we must still remember to always
release_firmware() before returning.
Signed-off-by: Jesper Juhl <jj@chaosbits.net> Acked-by: Ram Vepa <ram.vepa@exar.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Eric Dumazet [Wed, 12 Jan 2011 12:13:14 +0000 (12:13 +0000)]
net: remove dev_txq_stats_fold()
After recent changes, (percpu stats on vlan/tunnels...), we dont need
anymore per struct netdev_queue tx_bytes/tx_packets/tx_dropped counters.
Only remaining users are ixgbe, sch_teql, gianfar & macvlan :
1) ixgbe can be converted to use existing tx_ring counters.
2) macvlan incremented txq->tx_dropped, it can use the
dev->stats.tx_dropped counter.
3) sch_teql : almost revert ab35cd4b8f42 (Use net_device internal stats)
Now we have ndo_get_stats64(), use it, even for "unsigned long"
fields (No need to bring back a struct net_device_stats)
4) gianfar adds a stats structure per tx queue to hold
tx_bytes/tx_packets
This removes a lockdep warning (and possible lockup) in rndis gadget,
calling dev_get_stats() from hard IRQ context.
Reported-by: Neil Jones <neiljay@gmail.com> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> CC: Jarek Poplawski <jarkao2@gmail.com> CC: Alexander Duyck <alexander.h.duyck@intel.com> CC: Jeff Kirsher <jeffrey.t.kirsher@intel.com> CC: Sandeep Gopalpet <sandeep.kumar@freescale.com> CC: Michal Nazarewicz <mina86@mina86.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Jesper Juhl [Thu, 13 Jan 2011 20:53:38 +0000 (21:53 +0100)]
batman-adv: Even Batman should not dereference NULL pointers
There's a problem in net/batman-adv/unicast.c::frag_send_skb().
dev_alloc_skb() allocates memory and may fail, thus returning NULL. If
this happens we'll pass a NULL pointer on to skb_split() which in turn
hands it to skb_split_inside_header() from where it gets passed to
skb_put() that lets skb_tail_pointer() play with it and that function
dereferences it. And thus the bat dies.
While I was at it I also moved the call to dev_alloc_skb() above the
assignment to 'unicast_packet' since there's no reason to do that
assignment if the memory allocation fails.
Signed-off-by: Jesper Juhl <jj@chaosbits.net> Signed-off-by: Sven Eckelmann <sven@narfation.org>
Luciano Coelho [Wed, 12 Jan 2011 13:18:11 +0000 (15:18 +0200)]
mac80211: use maximum number of AMPDU frames as default in BA RX
When the buffer size is set to zero in the block ack parameter set
field, we should use the maximum supported number of subframes. The
existing code was bogus and was doing some unnecessary calculations
that lead to wrong values.
Thanks Johannes for helping me figure this one out.
Cc: stable@kernel.org Cc: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: Luciano Coelho <coelho@ti.com> Reviewed-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Johannes Berg [Wed, 12 Jan 2011 12:40:33 +0000 (13:40 +0100)]
mac80211: fix lockdep warning
Since the introduction of the fixes for the
reorder timer, mac80211 will cause lockdep
warnings because lockdep confuses
local->skb_queue and local->rx_skb_queue
and treats their lock as the same.
However, their locks are different, and are
valid in different contexts (the former is
used in IRQ context, the latter in BH only)
and the only thing to be done is mark the
former as a different lock class so that
lockdep can tell the difference.
Reported-by: Larry Finger <Larry.Finger@lwfinger.net> Reported-by: Sujith <m.sujith@gmail.com> Reported-by: Miles Lane <miles.lane@gmail.com> Tested-by: Sujith <m.sujith@gmail.com> Tested-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
It is defined in include/linux/ieee80211.h. As per IEEE spec.
bit6 to bit15 in block ack parameter represents buffer size.
So the bitmask should be 0xFFC0.
Signed-off-by: Amitkumar Karwar <akarwar@marvell.com> Signed-off-by: Bing Zhao <bzhao@marvell.com> Cc: stable@kernel.org Reviewed-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Jesper Juhl [Mon, 10 Jan 2011 23:47:44 +0000 (00:47 +0100)]
rt2x00: Don't leak mem in error path of rt2x00lib_request_firmware()
We need to release_firmware() in order not to leak memory.
Signed-off-by: Jesper Juhl <jj@chaosbits.net> Acked-by: Ivo van Doorn <IvDoorn@gmail.com> Acked-by: Pekka Enberg <penberg@kernel.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Axel Lin [Mon, 10 Jan 2011 02:26:00 +0000 (10:26 +0800)]
iwmc3200wifi: Return proper error for iwm_if_alloc
In the case of alloc_netdev_mq failure and kmalloc failure,
current implementation returns ERR_PTR(0).
As a result, the caller of iwm_if_alloc does not catch the error by IS_ERR
macro. Fix it by setting proper error code for ret variable in the failure
cases.
Signed-off-by: Axel Lin <axel.lin@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
netfilter: ctnetlink: fix loop in ctnetlink_get_conntrack()
This patch fixes a loop in ctnetlink_get_conntrack() that can be
triggered if you use the same socket to receive events and to
perform a GET operation. Under heavy load, netlink_unicast()
may return -EAGAIN, this error code is reserved in nfnetlink for
the module load-on-demand. Instead, we return -ENOBUFS which is
the appropriate error code that has to be propagated to
user-space.
Reported-by: Holger Eitzenberger <holger@eitzenberger.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Alexey Kuznetsov [Wed, 12 Jan 2011 08:34:08 +0000 (08:34 +0000)]
inet6: prevent network storms caused by linux IPv6 routers
Linux IPv6 forwards unicast packets, which are link layer multicasts...
The hole was present since day one. I was 100% this check is there, but it is not.
The problem shows itself, f.e. when Microsoft Network Load Balancer runs on a network.
This software resolves IPv6 unicast addresses to multicast MAC addresses.
Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Signed-off-by: David S. Miller <davem@davemloft.net>
KOVACS Krisztian [Wed, 12 Jan 2011 19:25:08 +0000 (20:25 +0100)]
netfilter: fix compilation when conntrack is disabled but tproxy is enabled
The IPv6 tproxy patches split IPv6 defragmentation off of conntrack, but
failed to update the #ifdef stanzas guarding the defragmentation related
fields and code in skbuff and conntrack related code in nf_defrag_ipv6.c.
This patch adds the required #ifdefs so that IPv6 tproxy can truly be used
without connection tracking.
Original report:
http://marc.info/?l=linux-netdev&m=129010118516341&w=2
Reported-by: Randy Dunlap <randy.dunlap@oracle.com> Acked-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: KOVACS Krisztian <hidden@balabit.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Reported-by: Brad Spengler <spender@grsecurity.net> Signed-off-by: Kees Cook <kees.cook@canonical.com> Cc: stable@kernel.org Signed-off-by: David S. Miller <davem@davemloft.net>
netfilter: fix race in conntrack between dump_table and destroy
The netlink interface to dump the connection tracking table has a race
when entries are deleted at the same time. A customer reported a crash
and the backtrace showed thatctnetlink_dump_table was running while a
conntrack entry was being destroyed.
(see https://bugzilla.vyatta.com/show_bug.cgi?id=6402).
According to RCU documentation, when using hlist_nulls the reader
must handle the case of seeing a deleted entry and not proceed
further down the linked list. The old code would continue
which caused the scan to walk into the free list.
This patch uses locking (rather than RCU) for this operation which
is guaranteed safe, and no longer requires getting reference while
doing dump operation.
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Dang Hongwu [Tue, 11 Jan 2011 07:13:33 +0000 (07:13 +0000)]
ah: reload pointers to skb data after calling skb_cow_data()
skb_cow_data() may allocate a new data buffer, so pointers on
skb should be set after this function.
Bug was introduced by commit dff3bb06 ("ah4: convert to ahash")
and 8631e9bd ("ah6: convert to ahash").
Signed-off-by: Wang Xuefu <xuefu.wang@6wind.com> Acked-by: Krzysztof Witek <krzysztof.witek@6wind.com> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Nicolas Dichtel [Tue, 11 Jan 2011 08:04:12 +0000 (08:04 +0000)]
xfrm: check trunc_len in XFRMA_ALG_AUTH_TRUNC
Maximum trunc length is defined by MAX_AH_AUTH_LEN (in bytes)
and need to be checked when this value is set (in bits) by
the user. In ah4.c and ah6.c a BUG_ON() checks this condiftion.
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: David S. Miller <davem@davemloft.net>