The list mp->mglist is used to indicate whether a multicast group
is active on the bridge interface itself as opposed to one of the
constituent interfaces in the bridge.

Unfortunately the operation that adds the mp->mglist node to the
list neglected to check whether it has already been added.  This
leads to list corruption in the form of nodes pointing to itself.

Normally this would be quite obvious as it would cause an infinite
loop when walking the list.  However, as this list is never actually
walked (which means that we don't really need it, I'll get rid of
it in a subsequent patch), this instead is hidden until we perform
a delete operation on the affected nodes.

As the same node may now be pointed to by more than one node, the
delete operations can then cause modification of freed memory.

This was observed in practice to cause corruption in 512-byte slabs,
most commonly leading to crashes in jbd2.

Thanks to Josef Bacik for pointing me in the right direction.
Reported-by: Ian Page Hands <ihands@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

Commit 5811662b ("net: use the macros
defined for the members of flowi") accidentally removed the setting of
IPPROTO_GRE from the struct flowi in ipgre_tunnel_xmit. This patch
restores it.
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Commit 80c802f3 (xfrm: cache bundles instead of policies for
outgoing flows) introduced possible oopse when dst_alloc returns NULL.
Signed-off-by: Hiroaki SHIMODA <shimoda.hiroaki@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

-I (include path) should be specified for host builds.
This one was overlooked somehow.  Fixes
https://bugzilla.kernel.org/show_bug.cgi?id=25902Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Reported-by: Alexey Salmin <alexey.salmin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Under harsh testing conditions, including low memory, the guest would
stop receiving packets. With this patch applied we no longer see any
problems in the driver while performing these tests for extended periods
of time.

Make sure napi is scheduled subsequent to each napi_enable.
Signed-off-by: Bruce Rogers <brogers@novell.com>
Signed-off-by: Olaf Kirch <okir@suse.de>
Cc: stable@kernel.org
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

In x25_link_free(), we destroy 'nb' before dereferencing
'nb->dev'.  Don't do this, because 'nb' might be freed
by then.
Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Tested-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Previous patch "[PATCH 1/3] pch_can: fix 800k comms issue" is wrong.
I should have modified tseg1_min not tseg2_min.
This patch reverts tseg2_min to 1 and set tseg1_min to 2.
Signed-off-by: Tomoya MORINAGA <tomoya-linux@dsn.okisemi.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Some cases try to modify const strings, and in any event the
CVS revision strings have not changed in over ten years making
these printouts completely worthless.

Just kill all of this stuff off.
Reported-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

From: Randy Dunlap <randy.dunlap@oracle.com>

softing_cs.c uses kzalloc & kfree, so it needs to include linux/slab.h.

drivers/net/can/softing/softing_cs.c:234: error: implicit declaration of function 'kfree'
drivers/net/can/softing/softing_cs.c:271: error: implicit declaration of function 'kzalloc'
Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

This driver will be in a deadlock, When the rx offload is set by ethtool.
The pch_gbe_reinit_locked function was modified.
Signed-off-by: Toshiharu Okada <toshiharu-linux@dsn.okisemi.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

The TCP tracking code has a special case that allows to return
NF_REPEAT if we receive a new SYN packet while in TIME_WAIT state.

In this situation, the TCP tracking code destroys the existing
conntrack to start a new clean session.

[DESTROY] tcp      6 src=192.168.0.2 dst=192.168.1.2 sport=38925 dport=8000 src=192.168.1.2 dst=192.168.1.100 sport=8000 dport=38925 [ASSURED]
    [NEW] tcp      6 120 SYN_SENT src=192.168.0.2 dst=192.168.1.2 sport=38925 dport=8000 [UNREPLIED] src=192.168.1.2 dst=192.168.1.100 sport=8000 dport=38925

However, this is a problem for the iptables' CT target event filtering
which will not work in this case since the conntrack template will not
be there for the new session. To fix this, we reassign the conntrack
template to the packet if we return NF_REPEAT.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>

Currently, in case reload pch_can,
pch_can not to be able to catch interrupt.

The cause is bus-master is not set in pch_can.
Thus, add enabling bus-master processing.
Signed-off-by: Tomoya MORINAGA <tomoya-linux@dsn.okisemi.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Currently, when rmmod pch_can, kernel failure occurs.
The cause is pci_iounmap executed before pch_can_reset.
Thus pci_iounmap moves after pch_can_reset.
Signed-off-by: Tomoya MORINAGA <tomoya-linux@dsn.okisemi.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Currently, 800k comms fails since prop_seg set zero.
(EG20T PCH CAN register of prop_seg must be set more than 1)
To prevent prop_seg set to zero, change tseg2_min 1 to 2.
Signed-off-by: Tomoya MORINAGA <tomoya-linux@dsn.okisemi.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

In commit aa942104 ("net: init ingress
queue") we moved the allocation and lock initialization of the queues
into alloc_netdev_mq() since register_netdevice() is way too late.

The problem is that dev->type is not setup until the setup()
callback is invoked by alloc_netdev_mq(), and the dev->type is
what determines the lockdep class to use for the locks in the
queues.

Fix this by doing the queue allocation after the setup() callback
runs.

This is safe because the setup() callback is not allowed to make any
state changes that need to be undone on error (memory allocations,
etc.).  It may, however, make state changes that are undone by
free_netdev() (such as netif_napi_add(), which is done by the
ipoib driver's setup routine).

The previous code also leaked a reference to the &init_net namespace
object on RX/TX queue allocation failures.
Signed-off-by: David S. Miller <davem@davemloft.net>

rtnl_link_ops->setup(), and the "setup" callback passed to alloc_netdev*(),
cannot make state changes which need to be undone on failure.  There is
no cleanup mechanism available at this point.

So we have to add the caif private instance to the global list once we
are sure that register_netdev() has succedded in ->newlink().

Otherwise, if register_netdev() fails, the caller will invoke free_netdev()
and we will have a reference to freed up memory on the chnl_net_list.
Signed-off-by: David S. Miller <davem@davemloft.net>

Specification links:
- CDC NCM errata link:
  http://www.usb.org/developers/devclass_docs/NCM10_012011.zip
- CDC and WMC errata link:
  http://www.usb.org/developers/devclass_docs/CDC1.2_WMC1.1_012011.zip

Changes:
- driver updated to match cdc.h header with errata changes
- added support for USB_CDC_SET_NTB_INPUT_SIZE control request with
  8 byte length
- fixes to comply with specification: send only control requests supported by
  device, set number of datagrams for IN direction, connection speed structure
  update, etc.
- packet loss fixed for tx direction; misleading flag renamed.
- adjusted hard_mtu value.
Signed-off-by: Alexey Orishko <alexey.orishko@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Changes are based on the following documents:
- CDC NCM errata:
http://www.usb.org/developers/devclass_docs/NCM10_012011.zip
- CDC and WMC errata link:
http://www.usb.org/developers/devclass_docs/CDC1.2_WMC1.1_012011.zipSigned-off-by: Alexey Orishko <alexey.orishko@stericsson.com>
Acked-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>

This will synchronize the version string with that of the latest source
forge driver which shares its functionality.
Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>

The ixgbe_fcoe_ddp_get function wasn't initializing one of its variables
and this was producing compiler warnings.  This patch cleans that up.
Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
Tested-by: Stephen Ko <stephen.s.ko@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>

This change fixes VM pool allocation issues based on MAC address filtering,
as well as limits the scope of VF access to promiscuous mode.
Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
Acked-by: Greg Rose <gregory.v.rose@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>

We have found a hardware erratum on 82599 hardware that can lead to
unpredictable behavior when Header Splitting mode is enabled.  So
we are no longer enabling this feature on affected hardware.

Please see the 82599 Specification Update for more information.

CC: stable@kernel.org
Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
Tested-by: Stephen Ko <stephen.s.ko@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>

Caught with gcc 4.6 -Wunused-but-set-variable

Remove unused napi_vectors variable.

Fix the use of reset_bit in ixgbe_reset_hw_X540()
Signed-off-by: Emil Tantilov <emil.s.tantilov@intel.com>
Tested-by: Stephen Ko <stephen.s.ko@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>

This patch adds support for Marvell Alask M88E188R PHY chips. Support for
other M88* PHYs is already there, so there is nothing more to add than its
PHY id.

CC: Dirk Brandewie <dirk.j.brandewie@intel.com>
Signed-off-by: Florian Fainelli <ffainelli@freebox.fr>
Acked-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>

Currently the driver increments the tx_timeout counter (an error counter)
when simply resetting the part with outstanding transmit work pending.
This is an unnecessary count of an error, when all we should be doing is
just resetting the part and discarding the transmits.  With this change the
only increment of tx_timeout is when the stack calls the watchdog reset
function due to a true Tx timeout.
Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Reviewed-by: Bruce Allan <bruce.w.allan@intel.com>
Tested-by: Jeff Pieper <jeffrey.e.pieper@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>

We access the data inside the skbs of two fragments directly using memmove
during the merge. The data of the skb could span over multiple skb pages. An
direct access without knowledge about the pages would lead to an invalid memory
access.
Signed-off-by: Sven Eckelmann <sven@narfation.org>
[lindner_marek@yahoo.de: Move return from function to the end]
Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>

Originally x25_parse_facilities returned
-1 for an error
 0 meaning 0 length facilities
>0 the length of the facilities parsed.

5ef41308 ("x25: Prevent crashing when parsing bad X.25 facilities") introduced more
error checking in x25_parse_facilities however used 0 to indicate bad parsing
a6331d6f ("memory corruption in X.25 facilities parsing") followed this further for
DTE facilities, again using 0 for bad parsing.

The meaning of 0 got confused in the callers.
If the facilities are messed up we can't determine where the data starts.
So patch makes all parsing errors return -1 and ensures callers close and don't use the skb further.
Reported-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Andrew Hendry <andrew.hendry@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Using skb_header_cloned to check if it's safe to write to the skb is not
enough - mac80211 also touches the tailroom of the skb.
Initially this check was only used to increase a counter, however this
commit changed the code to also skip skb data reallocation if no extra
head/tailroom was needed:

commit 4cd06a34
mac80211: skip unnecessary pskb_expand_head calls

It added a regression at least with iwl3945, which is fixed by this patch.
Reported-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Tested-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

With commit 554d1d02 only one RF_KILL
interrupt will be seen by the driver when the interface is down.

Re-enable the interrupt when it occurs to see all transitions.
Signed-off-by: Don Fry <donald.h.fry@intel.com>
Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>

This fixes parsing of the device invariants (MAC address)
for PCMCIA SSB devices.

ssb_pcmcia_do_get_invariants expects an iv pointer as data
argument.
Tested-by: dylan cristiani <d.cristiani@idem-tech.it>
Signed-off-by: Michael Buesch <mb@bu3sch.de>
Cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>

Prevent packets duplication for frames targeting FCoE L2 ring:
packets were arriving to stack from both L2 RSS and from FCoE
L2 in a promiscuous mode.

Configure FCoE L2 ring to DROP_ALL rx mode, when interface is
configured to PROMISC, and to accept only unicast frames, when
interface is configured to ALL_MULTI.
Signed-off-by: Vladislav Zolotarov <vladz@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Fix memory leak in error path of sis900_rx(). If we don't do this we'll
leak the skb we dev_alloc_skb()'ed just a few lines above when the
variable goes out of scope.
Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

Found by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: Ajit Khaparde <ajit.khaparde@emulex.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

This patch reverts the following commit
ath9k: remove bfs_paprd_timestamp from struct ath_buf_state

Under high interference/noisy environment conditions where PAPRD frames
fails heavily introduces a possibility of double freeing skb's and causes
kernel panic after some time.This patch reverts back to the original approach
of using paprd_timestamp before freeing the PAPRD frame skb's

[  194.193705] Pid: 0, comm: swapper Tainted: G      D WC
2.6.35-22-generic #33-Ubuntu
[  194.193712] Call Trace:
[  194.193722]  [<c05c6468>] ? printk+0x2d/0x35
[  194.193732]  [<c05c63c3>] panic+0x5a/0xd2
[  194.193741]  [<c05ca3ed>] oops_end+0xcd/0xd0
[  194.193750]  [<c0105f74>] die+0x54/0x80
[  194.193758]  [<c05c9a16>] do_trap+0x96/0xc0
[  194.193837]  [<c0103fb0>] ? do_invalid_op+0x0/0xa0
[  194.193846]  [<c010403b>] do_invalid_op+0x8b/0xa0
[  194.193856]  [<c020bd4c>] ? kfree+0xec/0xf0
[  194.193866]  [<c012ce18>] ? default_spin_lock_flags+0x8/0x10
[  194.193877]  [<c01de47a>] ? free_one_page+0x12a/0x2d0
[  194.193888]  [<c01e04dc>] ? __free_pages+0x1c/0x40
[  194.193897]  [<c05c97a7>] error_code+0x73/0x78
[  194.193906]  [<c020bd4c>] ? kfree+0xec/0xf0
[  194.193915]  [<c04ecdd0>] ? skb_release_data+0x70/0xa0
[  194.193924]  [<c04ecdd0>] skb_release_data+0x70/0xa0
[  194.193933]  [<c04ec997>] __kfree_skb+0x17/0x90
[  194.193941]  [<c04eca31>] consume_skb+0x21/0x40
[  194.193964]  [<f85e0b70>] ieee80211_tx_status+0x760/0x860 [mac80211]
[  194.193979]  [<f85caddf>] ath_tx_complete_buf+0x1bf/0x2c0 [ath9k]
[  194.193988]  [<c05c8b9f>] ? _raw_spin_lock_irqsave+0x2f/0x50
[  194.193997]  [<c04ec40e>] ? skb_queue_tail+0x3e/0x50
[  194.194010]  [<f85cc803>] ath_tx_complete_aggr+0x823/0x940 [ath9k]
[  194.194021]  [<c0108a28>] ? sched_clock+0x8/0x10
[  194.194030]  [<c016bf14>] ? sched_clock_local+0xa4/0x180
[  194.194040]  [<c0139f57>] ? enqueue_sleeper+0x1e7/0x2b0
[  194.194051]  [<c013a194>] ? enqueue_entity+0x174/0x200
[  194.194064]  [<f85ce83d>] ath_tx_edma_tasklet+0x2bd/0x3b0 [ath9k]
[  194.194074]  [<c05c8b9f>] ? _raw_spin_lock_irqsave+0x2f/0x50
[  194.194088]  [<f85c7b9f>] ath9k_tasklet+0x9f/0x190 [ath9k]
[  194.194097]  [<c01505d7>] tasklet_action+0xa7/0xb0
[  194.194107]  [<c015127c>] __do_softirq+0x9c/0x1b0
[  194.194117]  [<c01a7f64>] ? irq_to_desc+0x14/0x20
[  194.194126]  [<c0124fc4>] ? ack_apic_level+0x64/0x1f0
[  194.194136]  [<c01513d5>] do_softirq+0x45/0x50
[  194.194145]  [<c0151545>] irq_exit+0x65/0x70
[  194.194153]  [<c05cf665>] do_IRQ+0x55/0xc0
[  194.194162]  [<c016a6c7>] ? hrtimer_start+0x27/0x30
[  194.194171]  [<c0103630>] common_interrupt+0x30/0x38
[  194.194181]  [<c012c21a>] ? native_safe_halt+0xa/0x10
[  194.194268]  [<c010a2f9>] default_idle+0x49/0xb0
[  194.194277]  [<c0101fcc>] cpu_idle+0x8c/0xd0
[  194.194286]  [<c05b2431>] rest_init+0x71/0x80
[  194.194295]  [<c081981a>] start_kernel+0x36e/0x374
[  194.194305]  [<c08199dd>] ? pass_all_bootoptions+0x0/0xa
[  194.194314]  [<c08190d7>] i386_start_kernel+0xd7/0xdf
[  194.194364] panic occurred, switching back to text console
Signed-off-by: Mohammed Shafi Shajakhan <mshajakhan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

This patch fixes a off-by-one bug which bugged
the driver's PS-POLL capability.

Cc: <stable@kernel.org>
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

Don't allow everybody to set terminator via sysfs.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: David S. Miller <davem@davemloft.net>