summaryrefslogtreecommitdiff
path: root/net
AgeCommit message (Collapse)Author
2009-08-13mac80211: fix panic when splicing unprepared TIDsLuis R. Rodriguez
We splice skbs from the pending queue for a TID onto the local pending queue when tearing down a block ack request. This is not necessary unless we actually have received a request to start a block ack request (rate control, for example). If we never received that request we should not be splicing the tid pending queue as it would be null, causing a panic. Not sure yet how exactly we allowed through a call when the tid state does not have at least HT_ADDBA_REQUESTED_MSK set, that will require some further review as it is not quite obvious. For more information see the bug report: http://bugzilla.kernel.org/show_bug.cgi?id=13922 This fixes this oops: BUG: unable to handle kernel NULL pointer dereference at 00000030 IP: [<f8806c70>] ieee80211_agg_splice_packets+0x40/0xc0 [mac80211] *pdpt = 0000000002d1e001 *pde = 0000000000000000 Thread overran stack, or stack corrupted Oops: 0000 [#1] SMP last sysfs file: /sys/module/aes_generic/initstate Modules linked in: <bleh> Pid: 0, comm: swapper Not tainted (2.6.31-rc5-wl #2) Dell DV051 EIP: 0060:[<f8806c70>] EFLAGS: 00010292 CPU: 0 EIP is at ieee80211_agg_splice_packets+0x40/0xc0 [mac80211] EAX: 00000030 EBX: 0000004c ECX: 00000003 EDX: 00000000 ESI: c1c98000 EDI: f745a1c0 EBP: c076be58 ESP: c076be38 DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 Process swapper (pid: 0, ti=c076a000 task=c0709160 task.ti=c076a000) Stack: <bleh2> Call Trace: [<f8806edb>] ? ieee80211_stop_tx_ba_cb+0xab/0x150 [mac80211] [<f8802f1e>] ? ieee80211_tasklet_handler+0xce/0x110 [mac80211] [<c04862ff>] ? net_rx_action+0xef/0x1d0 [<c0149378>] ? tasklet_action+0x58/0xc0 [<c014a0f2>] ? __do_softirq+0xc2/0x190 [<c018eb48>] ? handle_IRQ_event+0x58/0x140 [<c01205fe>] ? ack_apic_level+0x7e/0x270 [<c014a1fd>] ? do_softirq+0x3d/0x40 [<c014a345>] ? irq_exit+0x65/0x90 [<c010a6af>] ? do_IRQ+0x4f/0xc0 [<c014a35d>] ? irq_exit+0x7d/0x90 [<c011d547>] ? smp_apic_timer_interrupt+0x57/0x90 [<c01094a9>] ? common_interrupt+0x29/0x30 [<c010fd9e>] ? mwait_idle+0xbe/0x100 [<c0107e42>] ? cpu_idle+0x52/0x90 [<c054b1a5>] ? rest_init+0x55/0x60 [<c077492d>] ? start_kernel+0x315/0x37d [<c07743ce>] ? unknown_bootoption+0x0/0x1f9 [<c0774099>] ? i386_start_kernel+0x79/0x81 Code: <bleh3> EIP: [<f8806c70>] ieee80211_agg_splice_packets+0x40/0xc0 [mac80211] SS:ESP 0068:c076be38 CR2: 0000000000000030 Cc: stable@kernel.org Testedy-by: Jack Lau <jackelectronics@hotmail.com> Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-08-09sctp: fix missing destroy of percpu counter variable in sctp_proc_exit()Rafael Laufer
Commit 1748376b6626acf59c24e9592ac67b3fe2a0e026, net: Use a percpu_counter for sockets_allocated added percpu_counter function calls to sctp_proc_init code path, but forgot to add them to sctp_proc_exit(). This resulted in a following Ooops when performing this test # modprobe sctp # rmmod -f sctp # modprobe sctp [ 573.862512] BUG: unable to handle kernel paging request at f8214a24 [ 573.862518] IP: [<c0308b8f>] __percpu_counter_init+0x3f/0x70 [ 573.862530] *pde = 37010067 *pte = 00000000 [ 573.862534] Oops: 0002 [#1] SMP [ 573.862537] last sysfs file: /sys/module/libcrc32c/initstate [ 573.862540] Modules linked in: sctp(+) crc32c libcrc32c binfmt_misc bridge stp bnep lp snd_hda_codec_analog snd_hda_intel snd_hda_codec snd_hwdep snd_pcm_oss snd_mixer_oss arc4 joydev snd_pcm ecb pcmcia snd_seq_dummy snd_seq_oss iwlagn iwlcore snd_seq_midi snd_rawmidi snd_seq_midi_event yenta_socket rsrc_nonstatic thinkpad_acpi snd_seq snd_timer snd_seq_device mac80211 psmouse sdhci_pci sdhci nvidia(P) ppdev video snd soundcore serio_raw pcspkr iTCO_wdt iTCO_vendor_support led_class ricoh_mmc pcmcia_core intel_agp nvram agpgart usbhid parport_pc parport output snd_page_alloc cfg80211 btusb ohci1394 ieee1394 e1000e [last unloaded: sctp] [ 573.862589] [ 573.862593] Pid: 5373, comm: modprobe Tainted: P R (2.6.31-rc3 #6) 7663B15 [ 573.862596] EIP: 0060:[<c0308b8f>] EFLAGS: 00010286 CPU: 1 [ 573.862599] EIP is at __percpu_counter_init+0x3f/0x70 [ 573.862602] EAX: f8214a20 EBX: f80faa14 ECX: c48c0000 EDX: f80faa20 [ 573.862604] ESI: f80a7000 EDI: 00000000 EBP: f69d5ef0 ESP: f69d5eec [ 573.862606] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 [ 573.862610] Process modprobe (pid: 5373, ti=f69d4000 task=c2130c70 task.ti=f69d4000) [ 573.862612] Stack: [ 573.862613] 00000000 f69d5f18 f80a70a8 f80fa9fc 00000000 fffffffc f69d5f30 c018e2d4 [ 573.862619] <0> 00000000 f80a7000 00000000 f69d5f88 c010112b 00000000 c07029c0 fffffffb [ 573.862626] <0> 00000000 f69d5f38 c018f83f f69d5f54 c0557cad f80fa860 00000001 c07010c0 [ 573.862634] Call Trace: [ 573.862644] [<f80a70a8>] ? sctp_init+0xa8/0x7d4 [sctp] [ 573.862650] [<c018e2d4>] ? marker_update_probe_range+0x184/0x260 [ 573.862659] [<f80a7000>] ? sctp_init+0x0/0x7d4 [sctp] [ 573.862662] [<c010112b>] ? do_one_initcall+0x2b/0x160 [ 573.862666] [<c018f83f>] ? tracepoint_module_notify+0x2f/0x40 [ 573.862671] [<c0557cad>] ? notifier_call_chain+0x2d/0x70 [ 573.862678] [<c01588fd>] ? __blocking_notifier_call_chain+0x4d/0x60 [ 573.862682] [<c016b2f1>] ? sys_init_module+0xb1/0x1f0 [ 573.862686] [<c0102ffc>] ? sysenter_do_call+0x12/0x28 [ 573.862688] Code: 89 48 08 b8 04 00 00 00 e8 df aa ec ff ba f4 ff ff ff 85 c0 89 43 14 74 31 b8 b0 18 71 c0 e8 19 b9 24 00 a1 c4 18 71 c0 8d 53 0c <89> 50 04 89 43 0c b8 b0 18 71 c0 c7 43 10 c4 18 71 c0 89 15 c4 [ 573.862725] EIP: [<c0308b8f>] __percpu_counter_init+0x3f/0x70 SS:ESP 0068:f69d5eec [ 573.862730] CR2: 00000000f8214a24 [ 573.862734] ---[ end trace 39c4e0b55e7cf54d ]--- Signed-off-by: Rafael Laufer <rlaufer@cisco.com> Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-09can: Fix raw_getname() leakEric Dumazet
raw_getname() can leak 10 bytes of kernel memory to user (two bytes hole between can_family and can_ifindex, 8 bytes at the end of sockaddr_can structure) Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Acked-by: Oliver Hartkopp <oliver@hartkopp.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-09Fix xfrm hash collisions by changing __xfrm4_daddr_saddr_hash to hash ↵Jussi Mäki
addresses with addition This patch fixes hash collisions in cases where number of entries have incrementing IP source and destination addresses from single respective subnets (i.e. 192.168.0.1-172.16.0.1, 192.168.0.2-172.16.0.2, and so on.). Signed-off-by: Jussi Maki <joamaki@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-09Merge branch 'master' of /home/davem/src/GIT/linux-2.6/David S. Miller
2009-08-07Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6Linus Torvalds
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: net: Fix spinlock use in alloc_netdev_mq()
2009-08-06Merge branch 'for-linus' of ↵David S. Miller
git://git.kernel.org/pub/scm/linux/kernel/git/lowpan/lowpan
2009-08-06irda: Fix irda_getname() leakEric Dumazet
irda_getname() can leak kernel memory to user. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-06appletalk: fix atalk_getname() leakEric Dumazet
atalk_getname() can leak 8 bytes of kernel memory to user Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-06netrom: Fix nr_getname() leakEric Dumazet
nr_getname() can leak kernel memory to user. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-06econet: Fix econet_getname() leakEric Dumazet
econet_getname() can leak kernel memory to user. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-06rose: Fix rose_getname() leakEric Dumazet
rose_getname() can leak kernel memory to user. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-06af_ieee802154: provide dummy get/setsockoptDmitry Eremin-Solenikov
Provide dummt get/setsockopt implementations to stop these syscalls from oopsing on our sockets. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
2009-08-06af_ieee802154: fix ioctl processingDmitry Eremin-Solenikov
fix two errors in ioctl processing: 1) if the ioctl isn't supported one should return -ENOIOCTLCMD 2) don't call ndo_do_ioctl if the device doesn't provide it Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
2009-08-05phonet: phonet_device_get() fixEric Dumazet
net/phonet/pn_dev.c: In function `phonet_device_get': net/phonet/pn_dev.c:99: warning: 'dev' might be used uninitialized in this function Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Acked-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-05dccp: missing destroy of percpu counter variable while unload moduleWei Yongjun
percpu counter dccp_orphan_count is init in dccp_init() by percpu_counter_init() while dccp module is loaded, but the destroy of it is missing while dccp module is unloaded. We can get the kernel WARNING about this. Reproduct by the following commands: $ modprobe dccp $ rmmod dccp $ modprobe dccp WARNING: at lib/list_debug.c:26 __list_add+0x27/0x5c() Hardware name: VMware Virtual Platform list_add corruption. next->prev should be prev (c080c0c4), but was (null). (next =ca7188cc). Modules linked in: dccp(+) nfsd lockd nfs_acl auth_rpcgss exportfs sunrpc Pid: 1956, comm: modprobe Not tainted 2.6.31-rc5 #55 Call Trace: [<c042f8fa>] warn_slowpath_common+0x6a/0x81 [<c053a6cb>] ? __list_add+0x27/0x5c [<c042f94f>] warn_slowpath_fmt+0x29/0x2c [<c053a6cb>] __list_add+0x27/0x5c [<c053c9b3>] __percpu_counter_init+0x4d/0x5d [<ca9c90c7>] dccp_init+0x19/0x2ed [dccp] [<c0401141>] do_one_initcall+0x4f/0x111 [<ca9c90ae>] ? dccp_init+0x0/0x2ed [dccp] [<c06971b5>] ? notifier_call_chain+0x26/0x48 [<c0444943>] ? __blocking_notifier_call_chain+0x45/0x51 [<c04516f7>] sys_init_module+0xac/0x1bd [<c04028e4>] sysenter_do_call+0x12/0x22 Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-05net: Fix spinlock use in alloc_netdev_mq()Ingo Molnar
-tip testing found this lockdep warning: [ 2.272010] calling net_dev_init+0x0/0x164 @ 1 [ 2.276033] device class 'net': registering [ 2.280191] INFO: trying to register non-static key. [ 2.284005] the code is fine but needs lockdep annotation. [ 2.284005] turning off the locking correctness validator. [ 2.284005] Pid: 1, comm: swapper Not tainted 2.6.31-rc5-tip #1145 [ 2.284005] Call Trace: [ 2.284005] [<7958eb4e>] ? printk+0xf/0x11 [ 2.284005] [<7904f83c>] __lock_acquire+0x11b/0x622 [ 2.284005] [<7908c9b7>] ? alloc_debug_processing+0xf9/0x144 [ 2.284005] [<7904e2be>] ? mark_held_locks+0x3a/0x52 [ 2.284005] [<7908dbc4>] ? kmem_cache_alloc+0xa8/0x13f [ 2.284005] [<7904e475>] ? trace_hardirqs_on_caller+0xa2/0xc3 [ 2.284005] [<7904fdf6>] lock_acquire+0xb3/0xd0 [ 2.284005] [<79489678>] ? alloc_netdev_mq+0xf5/0x1ad [ 2.284005] [<79591514>] _spin_lock_bh+0x2d/0x5d [ 2.284005] [<79489678>] ? alloc_netdev_mq+0xf5/0x1ad [ 2.284005] [<79489678>] alloc_netdev_mq+0xf5/0x1ad [ 2.284005] [<793a38f2>] ? loopback_setup+0x0/0x74 [ 2.284005] [<798eecd0>] loopback_net_init+0x20/0x5d [ 2.284005] [<79483efb>] register_pernet_device+0x23/0x4b [ 2.284005] [<798f5c9f>] net_dev_init+0x115/0x164 [ 2.284005] [<7900104f>] do_one_initcall+0x4a/0x11a [ 2.284005] [<798f5b8a>] ? net_dev_init+0x0/0x164 [ 2.284005] [<79066f6d>] ? register_irq_proc+0x8c/0xa8 [ 2.284005] [<798cc29a>] do_basic_setup+0x42/0x52 [ 2.284005] [<798cc30a>] kernel_init+0x60/0xa1 [ 2.284005] [<798cc2aa>] ? kernel_init+0x0/0xa1 [ 2.284005] [<79003e03>] kernel_thread_helper+0x7/0x10 [ 2.284078] device: 'lo': device_add [ 2.288248] initcall net_dev_init+0x0/0x164 returned 0 after 11718 usecs [ 2.292010] calling neigh_init+0x0/0x66 @ 1 [ 2.296010] initcall neigh_init+0x0/0x66 returned 0 after 0 usecs it's using an zero-initialized spinlock. This is a side-effect of: dev_unicast_init(dev); in alloc_netdev_mq() making use of dev->addr_list_lock. The device has just been allocated freshly, it's not accessible anywhere yet so no locking is needed at all - in fact it's wrong to lock it here (the lock isnt initialized yet). This bug was introduced via: | commit a6ac65db2329e7685299666f5f7b6093c7b0f3a0 | Date: Thu Jul 30 01:06:12 2009 +0000 | | net: restore the original spinlock to protect unicast list Signed-off-by: Ingo Molnar <mingo@elte.hu> Acked-by: Jiri Pirko <jpirko@redhat.com> Tested-by: Mark Brown <broonie@opensource.wolfsonmicro.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-04Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6Linus Torvalds
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (47 commits) ehea: Fix napi list corruption on ifconfig down igbvf: Allow VF driver to correctly recognize failure to set mac 3c59x: Fix build failure with gcc 3.2 sky2: Avoid transmits during sky2_down() iwlagn: do not send key clear commands when rfkill enabled libertas: Read buffer overflow drivers/net/wireless: introduce missing kfree drivers/net/wireless/iwlwifi: introduce missing kfree zd1211rw: fix unaligned access in zd_mac_rx cfg80211: fix regression on beacon world roaming feature cfg80211: add two missing NULL pointer checks ixgbe: Patch to modify 82598 PCIe completion timeout values bluetooth: rfcomm_init bug fix mlx4_en: Fix double pci unmapping. mISDN: Fix handling of receive buffer size in L1oIP pcnet32: VLB support fixes pcnet32: remove superfluous NULL pointer check in pcnet32_probe1() net: restore the original spinlock to protect unicast list netxen: fix coherent dma mask setting mISDN: Read buffer overflow ...
2009-08-03Merge branch 'master' of ↵David S. Miller
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6
2009-08-03cfg80211: fix regression on beacon world roaming featureLuis R. Rodriguez
A regression was added through patch a4ed90d6: "cfg80211: respect API on orig_flags on channel for beacon hint" We did indeed respect _orig flags but the intention was not clearly stated in the commit log. This patch fixes firmware issues picked up by iwlwifi when we lift passive scan of beaconing restrictions on channels its EEPROM has been configured to always enable. By doing so though we also disallowed beacon hints on devices registering their wiphy with custom world regulatory domains enabled, this happens to be currently ath5k, ath9k and ar9170. The passive scan and beacon restrictions on those devices would never be lifted even if we did find a beacon and the hardware did support such enhancements when world roaming. Since Johannes indicates iwlwifi firmware cannot be changed to allow beacon hinting we set up a flag now to specifically allow drivers to disable beacon hints for devices which cannot use them. We enable the flag on iwlwifi to disable beacon hints and by default enable it for all other drivers. It should be noted beacon hints lift passive scan flags and beacon restrictions when we receive a beacon from an AP on any 5 GHz non-DFS channels, and channels 12-14 on the 2.4 GHz band. We don't bother with channels 1-11 as those channels are allowed world wide. This should fix world roaming for ath5k, ath9k and ar9170, thereby improving scan time when we receive the first beacon from any AP, and also enabling beaconing operation (AP/IBSS/Mesh) on cards which would otherwise not be allowed to do so. Drivers not using custom regulatory stuff (wiphy_apply_custom_regulatory()) were not affected by this as the orig_flags for the channels would have been cleared upon wiphy registration. I tested this with a world roaming ath5k card. Cc: Jouni Malinen <jouni.malinen@atheros.com> Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com> Reviewed-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-08-03cfg80211: add two missing NULL pointer checksJohannes Berg
These pointers can be NULL, the is_mesh() case isn't ever hit in the current kernel, but cmp_ies() can be hit under certain conditions. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Cc: stable@kernel.org [2.6.29, 2.6.30] Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-08-03bluetooth: rfcomm_init bug fixDave Young
rfcomm tty may be used before rfcomm_tty_driver initilized, The problem is that now socket layer init before tty layer, if userspace program do socket callback right here then oops will happen. reporting in: http://marc.info/?l=linux-bluetooth&m=124404919324542&w=2 make 3 changes: 1. remove #ifdef in rfcomm/core.c, make it blank function when rfcomm tty not selected in rfcomm.h 2. tune the rfcomm_init error patch to ensure tty driver initilized before rfcomm socket usage. 3. remove __exit for rfcomm_cleanup_sockets because above change need call it in a __init function. Reported-by: Oliver Hartkopp <oliver@hartkopp.net> Tested-by: Oliver Hartkopp <oliver@hartkopp.net> Signed-off-by: Dave Young <hidave.darkstar@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-02net: restore the original spinlock to protect unicast listJiri Pirko
There is a path when an assetion in dev_unicast_sync() appears. igmp6_group_added -> dev_mc_add -> __dev_set_rx_mode -> -> vlan_dev_set_rx_mode -> dev_unicast_sync Therefore we cannot protect this list with rtnl. This patch restores the original protecting this list with spinlock. Signed-off-by: Jiri Pirko <jpirko@redhat.com> Tested-by: Meelis Roos <mroos@linux.ee> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-02net: net_assign_generic() fixEric Dumazet
memcpy() should take into account size of pointers, not only number of pointers to copy. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Acked-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-30ipv4: ARP neigh procfs buffer overflowroel kluin
If arp_format_neigh_entry() can be called with n->dev->addr_len == 0, then a write to hbuffer[-1] occurs. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-30net/netlabel: Add kmalloc NULL testsJulia Lawall
The test on map4 should be a test on map6. The semantic match that finds this problem is as follows: (http://www.emn.fr/x-info/coccinelle/) // <smpl> @@ expression *x; identifier f; constant char *C; @@ x = \(kmalloc\|kcalloc\|kzalloc\)(...); ... when != x == NULL when != x != NULL when != (x || ...) ( kfree(x) | f(...,C,...,x,...) | *f(...,x,...) | *x->f ) // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Acked-by: Paul Moore <paul.moore@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-30Merge branch 'master' of ↵David S. Miller
git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6
2009-07-29net-dccp: suppress warning about large allocations from DCCPMel Gorman
The DCCP protocol tries to allocate some large hash tables during initialisation using the largest size possible. This can be larger than what the page allocator can provide so it prints a warning. However, the caller is able to handle the situation so this patch suppresses the warning. Signed-off-by: Mel Gorman <mel@csn.ul.ie> Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: "Rafael J. Wysocki" <rjw@sisk.pl> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-07-29mac80211: fix suspendJohannes Berg
Jan reported that his b43-based laptop hangs during suspend. The problem turned out to be mac80211 asking the driver to stop the hardware before removing interfaces, and interface removal caused b43 to touch the hardware (while down, which causes the hang). This patch fixes mac80211 to do reorder these operations to have them in the correct order -- first remove interfaces and then stop the hardware. Some more code is necessary to be able to do so in a race-free manner, in particular it is necessary to not process frames received during quiescing. Fixes http://bugzilla.kernel.org/show_bug.cgi?id=13337. Reported-by: Jan Scholz <scholz@fias.uni-frankfurt.de> Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-27Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6Linus Torvalds
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (45 commits) cnic: Fix ISCSI_KEVENT_IF_DOWN message handling. net: irda: init spinlock after memcpy ixgbe: fix for 82599 errata marking UDP checksum errors r8169: WakeOnLan fix for the 8168 netxen: reset ring consumer during cleanup net/bridge: use kobject_put to release kobject in br_add_if error path smc91x.h: add config for Nomadik evaluation kit NET: ROSE: Don't use static buffer. eepro: Read buffer overflow tokenring: Read buffer overflow at1700: Read buffer overflow fealnx: Write outside array bounds ixgbe: remove unnecessary call to device_init_wakeup ixgbe: Don't priority tag control frames in DCB mode ixgbe: Enable FCoE offload when DCB is enabled for 82599 net: Rework mdio-ofgpio driver to use of_mdio infrastructure register at91_ether using platform_driver_probe skge: Enable WoL by default if supported net: KS8851 needs to depend on MII be2net: Bug fix in the non-lro path. Size of received packet was not updated in statistics properly. ...
2009-07-27mac80211: do not queue work after suspend in the dynamic ps timerLuis R. Rodriguez
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-27net: irda: init spinlock after memcpyDeepak Saxena
irttp_dup() copies a tsap_cb struct, but does not initialize the spinlock in the new structure, which confuses lockdep. Signed-off-by: Deepak Saxena <dsaxena@mvista.com> Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-26net/bridge: use kobject_put to release kobject in br_add_if error pathXiaotian Feng
kobject_init_and_add will alloc memory for kobj->name, so in br_add_if error path, simply use kobject_del will not free memory for kobj->name. Fix by using kobject_put instead, kobject_put will internally calls kobject_del and frees memory for kobj->name. Signed-off-by: Xiaotian Feng <dfeng@redhat.com> Acked-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-26NET: ROSE: Don't use static buffer.Ralf Baechle
The use of a static buffer in rose2asc() to return its result is not threadproof and can result in corruption if multiple threads are trying to use one of the procfs files based on rose2asc(). Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-22Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6Linus Torvalds
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (37 commits) sky2: Avoid races in sky2_down drivers/net/mlx4: Adjust constant drivers/net: Move a dereference below a NULL test drivers/net: Move a dereference below a NULL test connector: maintainer/mail update. USB host CDC Phonet network interface driver macsonic, jazzsonic: fix oops on module unload macsonic: move probe function to .devinit.text can: switch carrier on if device was stopped while in bus-off state can: restart device even if dev_alloc_skb() fails can: sja1000: remove duplicated includes New device ID for sc92031 [1088:2031] 3c589_cs: re-initialize the multicast in the tc589_reset Fix error return for setsockopt(SO_TIMESTAMPING) netxen: fix thermal check and shutdown netxen: fix deadlock on dev close netxen: fix context deletion sequence net: Micrel KS8851 SPI network driver tcp: Use correct peer adr when copying MD5 keys tcp: Fix MD5 signature checking on IPv4 mapped sockets ...
2009-07-21cfg80211: double free in __cfg80211_scan_doneChristian Lamparter
This patch fixes a double free corruption in __cfg80211_scan_done: ================================================ BUG kmalloc-512: Object already free ------------------------------------------------ INFO: Allocated in load_elf_binary+0x18b/0x19af age=6 INFO: Freed in load_elf_binary+0x104e/0x19af age=5 INFO: Slab 0xffffea0001bae4c0 objects=14 used=7 INFO: Object 0xffff88007e8a9918 @offset=6424 fp=0xffff88007e8a9488 Bytes b4 0xffff88007e8a9908: 00 00 00 00 00 00 00 00 5a 5a [...] Pid: 28705, comm: rmmod Tainted: P C 2.6.31-rc2-wl #1 Call Trace: [<ffffffff810da9f4>] print_trailer+0x14e/0x16e [<ffffffff810daa56>] object_err+0x42/0x61 [<ffffffff810dbcd9>] __slab_free+0x2af/0x396 [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211] [<ffffffff810dd5e3>] kfree+0x13c/0x17a [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211] [<ffffffffa0ec9694>] wiphy_unregister+0x92/0x142 [cfg80211] [<ffffffffa0eed163>] ieee80211_unregister_hw+0xc8/0xff [mac80211] [<ffffffffa0f3fbc8>] p54_unregister_common+0x31/0x66 [p54common] [...] FIX kmalloc-512: Object at 0xffff88007e8a9918 not freed The code path which leads to the *funny* double free: request = rdev->scan_req; dev = dev_get_by_index(&init_net, request->ifidx); /* * the driver was unloaded recently and * therefore dev_get_by_index will return NULL! */ if (!dev) goto out; [...] rdev->scan_req = NULL; /* not executed... */ [...] out: kfree(request); Signed-off-by: Christian Lamparter <chunkeey@web.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21nl80211: Memory leak fixedNiko Jokinen
Potential memory leak via msg pointer in nl80211_get_key() function. Signed-off-by: Niko Jokinen <ext-niko.k.jokinen@nokia.com> Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21mac80211: use correct address for mesh Path ErrorJavier Cardona
For forwarded frames, we save the precursor address in addr1 in case it needs to be used to send a Path Error. mesh_path_discard_frame, however, was using addr2 instead of addr1 to send Path Error frames, so correct that and also make the comment regarding this more clear. Signed-off-by: Andrey Yurovsky <andrey@cozybit.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21rfkill: fix rfkill_set_states() to set the hw stateAlan Jenkins
The point of this function is to set the software and hardware state at the same time. When I tried to use it, I found it was only setting the software state. Signed-off-by: Alan Jenkins <alan-jenkins@tuffmail.co.uk> Reviewed-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21mac80211: fix injection in monitor modePavel Roskin
The location of the 802.11 header is calculated incorrectly due to a wrong placement of parentheses. Found by kmemcheck. Signed-off-by: Pavel Roskin <proski@gnu.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21rfkill: allow toggling soft state in sysfs againJohannes Berg
Apparently there actually _are_ tools that try to set this in sysfs even though it wasn't supposed to be used this way without claiming first. Guess what: now that I've cleaned it all up it doesn't matter and we can simply allow setting the soft-block state in sysfs. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Tested-By: Darren Salt <linux@youmustbejoking.demon.co.uk> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21mac80211: disable meshJohannes Berg
My kvm instance was complaining a lot about sleeping in atomic contexts in the mesh code, and it turns out that both mesh_path_add() and mpp_path_add() need to be able to sleep (they even use synchronize_rcu()!). I put in a might_sleep() to annotate that, but I see no way, at least right now, of actually making sure those functions are only called from process context since they are both called during TX and RX and the mesh code itself even calls them with rcu_read_lock() "held". Therefore, let's disable it completely for now. It's possible that I'm only seeing this because the hwsim's beaconing is broken and thus the peers aren't discovered right away, but it is possible that this happens even if beaconing is working, for a peer that doesn't exist or so. It should be possible to solve this by deferring the freeing of the tables to call_rcu() instead of using synchronize_rcu(), and also using atomic allocations, but maybe it makes more sense to rework the code to not call these from atomic contexts and defer more of the work to the workqueue. Right now, I can't work on either of those solutions though. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-20Fix error return for setsockopt(SO_TIMESTAMPING)Rémi Denis-Courmont
I guess it should be -EINVAL rather than EINVAL. I have not checked when the bug came in. Perhaps a candidate for -stable? Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-20tcp: Use correct peer adr when copying MD5 keysJohn Dykstra
When the TCP connection handshake completes on the passive side, a variety of state must be set up in the "child" sock, including the key if MD5 authentication is being used. Fix TCP for both address families to label the key with the peer's destination address, rather than the address from the listening sock, which is usually the wildcard. Reported-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: John Dykstra <john.dykstra1@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-20tcp: Fix MD5 signature checking on IPv4 mapped socketsJohn Dykstra
Fix MD5 signature checking so that an IPv4 active open to an IPv6 socket can succeed. In particular, use the correct address family's signature generation function for the SYN/ACK. Reported-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: John Dykstra <john.dykstra1@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-16net: sock_copy() fixesEric Dumazet
Commit e912b1142be8f1e2c71c71001dc992c6e5eb2ec1 (net: sk_prot_alloc() should not blindly overwrite memory) took care of not zeroing whole new socket at allocation time. sock_copy() is another spot where we should be very careful. We should not set refcnt to a non null value, until we are sure other fields are correctly setup, or a lockless reader could catch this socket by mistake, while not fully (re)initialized. This patch puts sk_node & sk_refcnt to the very beginning of struct sock to ease sock_copy() & sk_prot_alloc() job. We add appropriate smp_wmb() before sk_refcnt initializations to match our RCU requirements (changes to sock keys should be committed to memory before sk_refcnt setting) Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-16Merge branch 'master' of ↵David S. Miller
git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6
2009-07-16netfilter: nf_conntrack: nf_conntrack_alloc() fixesEric Dumazet
When a slab cache uses SLAB_DESTROY_BY_RCU, we must be careful when allocating objects, since slab allocator could give a freed object still used by lockless readers. In particular, nf_conntrack RCU lookups rely on ct->tuplehash[xxx].hnnode.next being always valid (ie containing a valid 'nulls' value, or a valid pointer to next object in hash chain.) kmem_cache_zalloc() setups object with NULL values, but a NULL value is not valid for ct->tuplehash[xxx].hnnode.next. Fix is to call kmem_cache_alloc() and do the zeroing ourself. As spotted by Patrick, we also need to make sure lookup keys are committed to memory before setting refcount to 1, or a lockless reader could get a reference on the old version of the object. Its key re-check could then pass the barrier. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
2009-07-16netfilter: xt_osf: fix nf_log_packet() argumentsPatrick McHardy
The first argument is the address family, the second one the hook number. Signed-off-by: Patrick McHardy <kaber@trash.net>
2009-07-15net/can: add module alias to can protocol driversLothar Waßmann
Add appropriate MODULE_ALIAS() to facilitate autoloading of can protocol drivers Signed-off-by: Lothar Wassmann <LW@KARO-electronics.de> Acked-by: Oliver Hartkopp <oliver@hartkopp.net> Signed-off-by: David S. Miller <davem@davemloft.net>