Commit Graph

212699 Commits

Author SHA1 Message Date
Gerrit Renker
0b53d4604a dccp: fix the adjustments to AWL and SWL
This fixes a problem and a potential loophole with regard to seqno/ackno
validity: currently the initial adjustments to AWL/SWL are only performed
once at the begin of the connection, during the handshake.

Since the Sequence Window feature is always greater than Wmin=32 (7.5.2),
it is however necessary to perform these adjustments at least for the first
W/W' (variables as per 7.5.1) packets in the lifetime of a connection.

This requirement is complicated by the fact that W/W' can change at any time
during the lifetime of a connection.

Therefore it is better to perform that safety check each time SWL/AWL are
updated, as implemented by the patch.

A second problem solved by this patch is that the remote/local Sequence Window
feature values (which set the bounds for AWL/SWL/SWH) are undefined until the
feature negotiation has completed.

During the initial handshake we have more stringent sequence number protection;
the changes added by this patch effect that {A,S}W{L,H} are within the correct
bounds at the instant that feature negotiation completes (since the SeqWin
feature activation handlers call dccp_update_gsr/gss()).

Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk>
2010-10-12 06:57:40 +02:00
Eric Dumazet
0ed8ddf404 neigh: Protect neigh->ha[] with a seqlock
Add a seqlock in struct neighbour to protect neigh->ha[], and avoid
dirtying neighbour in stress situation (many different flows / dsts)

Dirtying takes place because of read_lock(&n->lock) and n->used writes.

Switching to a seqlock, and writing n->used only on jiffies changes
permits less dirtying.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-11 12:54:04 -07:00
David S. Miller
d122179a3c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
Conflicts:
	net/core/ethtool.c
2010-10-11 12:30:34 -07:00
Kees Cook
b00916b189 net: clear heap allocations for privileged ethtool actions
Several other ethtool functions leave heap uncleared (potentially) by
drivers. Some interfaces appear safe (eeprom, etc), in that the sizes
are well controlled. In some situations (e.g. unchecked error conditions),
the heap will remain unchanged in areas before copying back to userspace.
Note that these are less of an issue since these all require CAP_NET_ADMIN.

Cc: stable@kernel.org
Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-11 12:23:25 -07:00
Jiri Slaby
419c20465d NET: pch, fix use after free
Stanse found that pch_gbe_xmit_frame uses skb after it is freed. Fix
that.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Masayuki Ohtake <masa-korg@dsn.okisemi.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-11 11:13:59 -07:00
Jiri Slaby
0aa7deadff NET: wimax, fix use after free
Stanse found that i2400m_rx frees skb, but still uses skb->len even
though it has skb_len defined. So use skb_len properly in the code.

And also define it unsinged int rather than size_t to solve
compilation warnings.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
Cc: linux-wimax@intel.com
Acked-by: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-11 11:05:43 -07:00
Jiri Slaby
ec622ab072 ATM: iphase, remove sleep-inside-atomic
Stanse found that ia_init_one locks a spinlock and inside of that it
calls ia_start which calls:
* request_irq
* tx_init which does kmalloc(GFP_KERNEL)

Both of them can thus sleep and result in a deadlock. I don't see a
reason to have a per-device spinlock there which is used only there
and inited right before the lock location. So remove it completely.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Chas Williams <chas@cmf.nrl.navy.mil>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-11 11:05:42 -07:00
Jiri Slaby
5518b29f22 ATM: mpc, fix use after free
Stanse found that mpc_push frees skb and then it dereferences it. It
is a typo, new_skb should be dereferenced there.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-11 11:05:42 -07:00
Jiri Slaby
f1ee89d5b0 ATM: solos-pci, remove use after free
Stanse found we do in console_show:
  kfree_skb(skb);
  return skb->len;
which is not good. Fix that by remembering the len and use it in the
function instead.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Chas Williams <chas@cmf.nrl.navy.mil>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-11 11:05:41 -07:00
Eric Dumazet
34d101dd62 neigh: speedup neigh_hh_init()
When a new dst is used to send a frame, neigh_resolve_output() tries to
associate an struct hh_cache to this dst, calling neigh_hh_init() with
the neigh rwlock write locked.

Most of the time, hh_cache is already known and linked into neighbour,
so we find it and increment its refcount.

This patch changes the logic so that we call neigh_hh_init() with
neighbour lock read locked only, so that fast path can be run in
parallel by concurrent cpus.

This brings part of the speedup we got with commit c7d4426a98
(introduce DST_NOCACHE flag) for non cached dsts, even for cached ones,
removing one of the contention point that routers hit on multiqueue
enabled machines.

Further improvements would need to use a seqlock instead of an rwlock to
protect neigh->ha[], to not dirty neigh too often and remove two atomic
ops.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-11 09:16:57 -07:00
Oskar Schirmer
03c698c93f net/fec: carrier off initially to avoid root mount failure
with hardware slow in negotiation, the system did freeze
while trying to mount root on nfs at boot time.

the link state has not been initialised so network stack
tried to start transmission right away. this caused instant
retries, as the driver solely stated business upon link down,
rendering the system unusable.

notify carrier off initially to prevent transmission until
phylib will report link up.

Signed-off-by: Oskar Schirmer <oskar@linutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-10 21:12:27 -07:00
Samuel Ortiz
37f9fc452d irda: Fix heap memory corruption in iriap.c
While parsing the GetValuebyClass command frame, we could potentially write
passed the skb->data pointer.

Cc: stable@kernel.org
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
2010-10-11 02:12:26 +02:00
Samuel Ortiz
efc463eb50 irda: Fix parameter extraction stack overflow
Cc: stable@kernel.org
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
2010-10-11 02:12:17 +02:00
Roel Kluin
3b06dbbead irda: Test index before read in stir421x_patch_device()
Test whether index exceeds fw->size before reading the element

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
2010-10-11 02:11:58 +02:00
Samuel Ortiz
f8cba16cad irda: Remove BKL instances from irnet
The code intends to lock the irnet_socket, so adding a mutex to it allows
for a complet BKL removal.

Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
2010-10-11 02:11:34 +02:00
Samuel Ortiz
5b40964ead irda: Remove BKL instances from af_irda.c
Most of the times, lock_kernel() was pointless or could simply be replaced
by lock_sock().

Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
2010-10-11 02:11:23 +02:00
Eric Dumazet
7b738b55b2 sundance: get_stats proper locking
sundance get_stats() should not be run concurrently, add a lock to avoid
potential losses.

Note: Remove unused rx_lock field

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-09 09:22:54 -07:00
Nicolas Kaiser
2259dca36a net/tg3: simplify conditional
Simplify: ((a && !b) || (!a && b)) => (a != b)

Signed-off-by: Nicolas Kaiser <nikai@nikai.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-09 09:22:54 -07:00
Nicolas Kaiser
aa3bc6c68e ehea: simplify conditional
Simplify: ((a && b) || (!a && !b)) => (a == b)

Signed-off-by: Nicolas Kaiser <nikai@nikai.net>
Acked-by: Breno Leitao <leitao@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-09 09:22:53 -07:00
Changli Gao
e18434c457 net_sched: use __TCA_HTB_MAX and TCA_HTB_MAX
Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-09 09:22:53 -07:00
Stanislaw Gruszka
82553bb621 r8169: use device model DMA API
Use DMA API as PCI equivalents will be deprecated. This change also
allow to allocate with GFP_KERNEL where possible.

Tested-by: Neal Becker <ndbecker2@gmail.com>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-09 09:16:13 -07:00
Stanislaw Gruszka
aeb19f6052 r8169: allocate with GFP_KERNEL flag when able to sleep
We have fedora bug report where driver fail to initialize after
suspend/resume because of memory allocation errors:
https://bugzilla.redhat.com/show_bug.cgi?id=629158

To fix use GFP_KERNEL allocation where possible.

Tested-by: Neal Becker <ndbecker2@gmail.com>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-09 09:15:34 -07:00
Tom Herbert
4315d834c1 net: Fix rxq ref counting
The rx->count reference is used to track reference counts to the
number of rx-queue kobjects created for the device.  This patch
eliminates initialization of the counter in netif_alloc_rx_queues
and instead increments the counter each time a kobject is created.
This is now symmetric with the decrement that is done when an object is
released.

Signed-off-by: Tom Herbert <therbert@google.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-08 14:34:32 -07:00
Rémi Denis-Courmont
a131d82266 Phonet: mark the pipe controller as EXPERIMENTAL
There are a bunch of issues that need to be fixed, including:
 - GFP_KERNEL allocations from atomic context
   (and GFP_ATOMIC in process context),
 - abuse of the setsockopt() call convention,
 - unprotected/unlocked static variables...

IMHO, we will need to alter the userspace ABI when we fix it. So mark
the configuration option as EXPERIMENTAL for the time being (or should
it be BROKEN instead?).

Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-08 14:09:10 -07:00
Rémi Denis-Courmont
03789f2672 Phonet: cleanup pipe enable socket option
The current code works like this:

  int garbage, status;
  socklen_t len = sizeof(status);

  /* enable pipe */
  setsockopt(fd, SOL_PNPIPE, PNPIPE_ENABLE, &garbage, sizeof(garbage));
  /* disable pipe */
  setsockopt(fd, SOL_PNPIPE, PNPIPE_DISABLE, &garbage, sizeof(garbage));
  /* get status */
  getsockopt(fd, SOL_PNPIPE, PNPIPE_INQ, &status, &len);

...which does not follow the usual socket option pattern. This patch
merges all three "options" into a single gettable&settable option,
before Linux 2.6.37 gets out:

  int status;
  socklen_t len = sizeof(status);

  /* enable pipe */
  status = 1;
  setsockopt(fd, SOL_PNPIPE, PNPIPE_ENABLE, &status, sizeof(status));
  /* disable pipe */
  status = 0;
  setsockopt(fd, SOL_PNPIPE, PNPIPE_ENABLE, &status, sizeof(status));
  /* get status */
  getsockopt(fd, SOL_PNPIPE, PNPIPE_ENABLE, &status, &len);

This also fixes the error code from EFAULT to ENOTCONN.

Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Cc: Kumar Sanghvi <kumar.sanghvi@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-08 14:09:10 -07:00
Rémi Denis-Courmont
6d8e74ed37 Phonet: advise against enabling the pipe controller
As it currently is, the new code path is not compatible with existing
Nokia modems. This would break existing userspace for Nokia modem, such
as the existing oFono ISI driver.

Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-08 14:09:09 -07:00
Rémi Denis-Courmont
838e7a03a3 Phonet: add to MAINTAINERS and add myself
Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-08 14:09:09 -07:00
Amit Kumar Salecha
b1091fea29 qlcnic: update driver version 5.0.11
Signed-off-by: Amit Kumar Salecha <amit.salecha@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-08 13:59:11 -07:00
Sritej Velaga
ff1b1bf867 qlcnic: change all P3 references to P3P
This patch just rename all P3 #define to P3P.

Signed-off-by: Sritej Velaga <sritej.velaga@qlogic.com>
Signed-off-by: Amit Kumar Salecha <amit.salecha@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-08 13:59:11 -07:00
Rajesh Borundia
ee07c1a701 qlcnic: fix promiscous mode for VF
o Allow promiscous mode setting for VF's depending upon the configuration.

Signed-off-by: Rajesh Borundia <rajesh.borundia@qlogic.com>
Signed-off-by: Amit Kumar Salecha <amit.salecha@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-08 13:59:10 -07:00
Sritej Velaga
6336acd552 qlcnic: fix board description
Remove "Flex-10" from board description.

Signed-off-by: Sritej Velaga <sritej.velaga@qlogic.com>
Signed-off-by: Amit Kumar Salecha <amit.salecha@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-08 13:59:09 -07:00
Amit Kumar Salecha
a2152d096e qlcnic: remove private LRO flag
LRO was not getting enable after interface down/up.

Signed-off-by: Amit Kumar Salecha <amit.salecha@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-08 13:59:09 -07:00
Amit Kumar Salecha
b8c1762045 qlcnic: support quiescent mode
Put device in quiescent mode during internal loopback test.
Before running test, set state to NEED_QUISCENT. After getting
ack from all function, change state to QUISCENT and perform test.

Signed-off-by: Amit Kumar Salecha <amit.salecha@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-08 13:59:08 -07:00
Amit Kumar Salecha
f7ec804a3e qlcnic: driver private workqueue
Currently fw recovery usage global workqueue.
As same workqueue used by kernel for ethtool and etc., supporting
quiescent mode is not possible, without driver private workqueue.

Signed-off-by: Amit Kumar Salecha <amit.salecha@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-08 13:59:08 -07:00
David S. Miller
9cf8d1a3b8 Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6 2010-10-08 13:51:11 -07:00
John W. Linville
e9a68707d7 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6 into for-davem
Conflicts:
	Documentation/feature-removal-schedule.txt
	drivers/net/wireless/ipw2x00/ipw2200.c
2010-10-08 15:39:28 -04:00
Dimitris Michailidis
8391d07b80 ipv4: Remove leftover rcu_read_unlock calls from __mkroute_output()
Commit "fib: RCU conversion of fib_lookup()" removed rcu_read_lock() from
__mkroute_output but left a couple of calls to rcu_read_unlock() in there.
This causes lockdep to complain that the rcu_read_unlock() call in
__ip_route_output_key causes a lock inbalance and quickly crashes the
kernel. The below fixes this for me.

Signed-off-by: Dimitris Michailidis <dm@chelsio.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-08 10:51:08 -07:00
Kees Cook
ae6df5f96a net: clear heap allocation for ETHTOOL_GRXCLSRLALL
Calling ETHTOOL_GRXCLSRLALL with a large rule_cnt will allocate kernel
heap without clearing it. For the one driver (niu) that implements it,
it will leave the unused portion of heap unchanged and copy the full
contents back to userspace.

Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-08 10:48:28 -07:00
David S. Miller
94b105723a Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2010-10-08 10:36:51 -07:00
Ben Hutchings
993284dfff sfc: Don't try to set filters with search depths we know won't work
The filter engine will time-out and ignore filters beyond
200-something hops.  We also need to avoid infinite loops in
efx_filter_search() when the table is full.

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-08 10:36:10 -07:00
Ben Hutchings
4e7f79511e net: Update kernel-doc for netif_set_real_num_rx_queues()
Synchronise the comment with the preceding implementation change.

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-08 10:33:39 -07:00
Dan Carpenter
b530fb69cf isdn: strcpy() => strlcpy()
setup.phone and setup.eazmsn are 32 character buffers.
rcvmsg.msg_data.byte_array is a 48 character buffer.
sc_adapter[card]->channel[rcvmsg.phy_link_no - 1].dn is 50 chars.

The rcvmsg struct comes from the memcpy_fromio() in receivemessage().
I guess that means it's data off the wire.  I'm not very familiar with
this code but I don't see any reason to assume these strings are NULL
terminated.

Also it's weird that "dn" in a 50 character buffer but we only seem to
use 32 characters.  In drivers/isdn/sc/scioc.h, "dn" is only a 49
character buffer.  So potentially there is still an issue there.

The important thing for now is to prevent the memory corruption.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-10-08 10:21:22 -07:00
Rajkumar Manoharan
15a6321d1c ath9k_hw: Fix hw reset failure with HTC driver
The following commit removed DISABLE_REGWRITE_BUFFER ops. The unnecessary
REGWRITE_BUFFER_FLUSH was not removed properly which is causing failure on
hw reset.

Author: Felix Fietkau <nbd@openwrt.org>
Date:   Tue Oct 5 12:03:42 2010 +0200

    ath9k_hw: clean up register write buffering

Signed-off-by: Rajkumar Manoharan <rmanoharan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-10-07 14:41:28 -04:00
Johannes Berg
388ac775be cfg80211: constify WDS address
There's no need for the WDS peer address
to not be const, so make it const.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-10-07 14:41:28 -04:00
Johannes Berg
43b19952de nl80211: use new genl helpers for WDS
Bill Jordan's patch to allow setting the WDS
peer crossed with my patch removing all the
boilerplate code in nl80211, and consequently
he didn't make use of it yet. Fix that.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-10-07 14:41:27 -04:00
Johannes Berg
7b99a7c2da mac80211: fix sw scan locking
The recent scan overhaul broke locking
because now we can jump to code that
attempts to unlock, while we don't have
the mutex held. Fix this by holding the
mutex around all the relevant code.

Reported-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-10-07 14:41:27 -04:00
Juuso Oikarinen
4b34d432b0 wl1271: Support FEM autodetection
In the NVS/INI-parameters for the driver/firmware there is the FEM
(front end module) selection option, which may configure the hardware FEM
via autodetection or manual selection. So far, there has been support for
manual selection only.

Add support for FEM autodetection.

Signed-off-by: Juuso Oikarinen <juuso.oikarinen@nokia.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-10-07 14:41:27 -04:00
John W. Linville
edbe4073a8 Merge branch 'wireless-next-2.6' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-2.6 2010-10-07 14:40:26 -04:00
John W. Linville
7573eac762 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2010-10-07 14:39:03 -04:00
John W. Linville
4efe7f51be Revert "mac80211: use netif_receive_skb in ieee80211_tx_status callpath"
This reverts commit 5ed3bc7288.

It turns-out that not all drivers are calling ieee80211_tx_status from a
compatible context.  Revert this for now and try again later...

Signed-off-by: John W. Linville <linville@tuxdriver.com>
2010-10-07 11:35:40 -04:00