- 21 Jan, 2010 3 commits
-
-
Jesse Brandeburg authored
Originally patched by Neil Horman <nhorman@tuxdriver.com> e1000e could with a jumbo frame enabled interface, and packet split disabled, receive a packet that would overflow a single rx buffer. While in practice very hard to craft a packet that could abuse this, it is possible. this is related to CVE-2009-4538 Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com> CC: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jesse Brandeburg authored
Originally From: Neil Horman <nhorman@tuxdriver.com> Modified by: Jesse Brandeburg <jesse.brandeburg@intel.com> Hey all- A security discussion was recently given: http://events.ccc.de/congress/2009/Fahrplan//events/3596.en.html And a patch that I submitted awhile back was brought up. Apparently some of their testing revealed that they were able to force a buffer fragment in e1000 in which the trailing fragment was greater than 4 bytes. As a result the fragment check I introduced failed to detect the fragement and a partial invalid frame was passed up into the network stack. I've written this patch to correct it. I'm in the process of testing it now, but it makes good logical sense to me. Effectively it maintains a per-adapter state variable which detects a non-EOP frame, and discards it and subsequent non-EOP frames leading up to _and_ _including_ the next positive-EOP frame (as it is by definition the last fragment). This should prevent any and all partial frames from entering the network stack from e1000. Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Roel Kluin authored
The variable count and i are unsigned so the (<|>=)0 tests do not work. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 19 Jan, 2010 8 commits
-
-
Roel Kluin authored
The s-port should be compared. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Ram Vepa authored
Fix check to verify if a register bit is set. We have not hit this bug because wait_for_cmd_complete() is always called with S2IO_BIT_RESET. Reported by Roel Kluin <roel.kluin@gmail.com>. Signed-off-by: Ram Vepa <ram.vepa@neterion.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Mike Frysinger authored
This driver tweaks VR_CTL, so pull in the header for the bit defines. Also switch to the new define name as the old one has gone away. Signed-off-by: Mike Frysinger <vapier@gentoo.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Matthew Slattery authored
Checking the PHY XS MMD here is unnecessary and can give false negatives. Signed-off-by: Ben Hutchings <bhutchings@solarflare.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jiajun Wu authored
commit 7583605b ("ucc_geth: Fix empty TX queue processing") fixed empty TX queue mishandling, but didn't account another corner case: when TX queue becomes full. Without this patch the driver will stop transmiting when TX queue becomes full since 'bd == ugeth->txBd[txQ]' actually checks for two things: queue empty or full. Let's better check for NULL skb, which unambiguously signals an empty queue. Signed-off-by: Jiajun Wu <b06378@freescale.com> Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com> Cc: Stable <stable@vger.kernel.org> [2.6.32] Signed-off-by: David S. Miller <davem@davemloft.net>
-
Anton Vorontsov authored
commit 541cd3ee ("phylib: Fix deadlock on resume") caused TI DaVinci EMAC ethernet driver to oops upon resume: PM: resume of devices complete after 237.098 msecs Restarting tasks ... done. kernel BUG at kernel/workqueue.c:354! Unable to handle kernel NULL pointer dereference at virtual address 00000000 [...] Backtrace: [<c002c598>] (__bug+0x0/0x2c) from [<c0052a54>] (queue_delayed_work_on+0x74/0xf8) [<c00529e0>] (queue_delayed_work_on+0x0/0xf8) from [<c0052b30>] (queue_delayed_work+0x2c/0x30) The oops pops up because TI DaVinci EMAC driver detaches PHY on suspend and attaches it back on resume. Attaching makes phylib call phy_start_machine() that initializes a workqueue. On the other hand, PHY's resume routine will call phy_start_machine() again, and that will cause the oops since we just destroyed the already scheduled workqueue. This patch fixes the issue by moving workqueue initialization to phy_device_create(). p.s. We don't see this oops with ucc_geth and gianfar drivers because they perform a fine-grained suspend, i.e. they just stop the PHYs without detaching. Reported-by: Sekhar Nori <nsekhar@ti.com> Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com> Tested-by: Sekhar Nori <nsekhar@ti.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Neil Horman authored
Hey all- I was tinkering with dccp recently and noticed that I BUG halted the kernel when I rmmod-ed the dccp module. The bug halt occured because the page that I passed to kfree failed the PageCompound and PageSlab test in the slub implementation of kfree. I tracked the problem down to the following set of events: 1) dccp, unlike all other uses of kmem_cache_create, allocates a string dynamically when registering a slab cache. This allocated string is freed when the cache is destroyed. 2) Normally, (1) is not an issue, but when Slub is in use, it is possible that caches are 'merged'. This process causes multiple caches of simmilar configuration to use the same cache data structure. When this happens, the new name of the cache is effectively dropped. 3) (2) results in kmem_cache_name returning an ambigous value (i.e. ccid_kmem_cache_destroy, which uses this fuction to retrieve the name pointer for freeing), is no longer guaranteed that the string it assigned is what is returned. 4) If such merge event occurs, ccid_kmem_cache_destroy frees the wrong pointer, which trips over the BUG in the slub implementation of kfree (since its likely not a slab allocation, but rather a pointer into the static string table section. So, what to do about this. At first blush this is pretty clearly a leak in the information that slub owns, and as such a slub bug. Unfortunately, theres no really good way to fix it, without exposing slub specific implementation details to the generic slab interface. Also, even if we could fix this in slub cleanly, I think the RCU free option would force us to do lots of string duplication, not only in slub, but in every slab allocator. As such, I'd like to propose this solution. Basically, I just move the storage for the kmem cache name to the ccid_operations structure. In so doing, we don't have to do the kstrdup or kfree when we allocate/free the various caches for dccp, and so we avoid the problem, by storing names with static memory, rather than heap, the way all other calls to kmem_cache_create do. I've tested this out myself here, and it solves the problem quite well. Signed-off-by: Neil Horman <nhorman@tuxdriver.com> Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 18 Jan, 2010 6 commits
-
-
Hin-Tak Leung authored
Yasuhiro ABE <yadiary@gmail.com> reported success in sourceforge zd1211-dev list. The device is a NEC Aterm WL54GU usb wireless stick. The brand and retail product name NEC, Aterm PA-WL54GU The USB ID's (duh) ID 0409:0248 The chip ID string zd1211rw 1-1:1.0: zd1211b chip 0409:0248 v4810 high 00-1b-8b AL2230S_RF pa0 g--N- The FCC ID unknown Signed-off-by: Hin-Tak Leung <htl10@users.sourceforge.net> Signed-off-by: Yasuhiro ABE <yadiary@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Christian Lamparter authored
A long time ago, a user reported several crashes due to data corruptions which are likely the result of a not-100%-supported, or faulty? PCI bridge. ( http://patchwork.kernel.org/patch/53004/ ) This patch fixes entry #1. "1. p54p_check_rx_ring - skb_over_panic: Under a ping flood or just left running for a bit would panic with a skb_over_panic." As described in the mail: The invalid frame length causes skb_put to bailout and trigger a crash. Note: Simply dropping the frame is problematic, because if its content contains a tx feedback we would lose some portion of the device memory space.... And the driver/mac80211 should handle all other invalid data. Reported-by: Quintin Pitts <geek4linux@gmail.com> Signed-off-by: Christian Lamparter <chunkeey@googlemail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Bob Copeland authored
While testing the pid rate controller in mac80211_hwsim, I noticed that once the controller reached 54 Mbit rates, it would fail to lower the rate when necessary. The debug log shows: 1945 186786 pf_sample 50 3534 3577 50 My interpretation is that the fixed point scaling of the target error value (pf) is incorrect: the error value of 50 compared to a target of 14 case should result in a scaling value of (14-50) = -36 * 256 or -9216, but instead it is (14 * 256)-50, or 3534. Correct this by doing fixed point scaling after subtraction. Signed-off-by: Bob Copeland <me@bobcopeland.com> Acked-by: Stefano Brivio <stefano.brivio@polimi.it> Acked-by: Mattias Nissler <mattias.nissler@gmx.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Reinette Chatre authored
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Wey-Yi Guy authored
Similar to 6000 and 1000 series, RTS/CTS is the recommended protection mechanism for 5000 series in HT mode based on the HW design. Using RTS/CTS will better protect the inner exchange from interference, especially in highly-congested environment, it also prevent uCode encounter TX FIFO underrun and other HT mode related performance issues. Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com> Signed-off-by: Reinette Chatre <reinette.chatre@intel.com> CC: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Alexey Dobriyan authored
/proc/net/rt_acct is not created if NET_CLS_ROUTE=n. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 16 Jan, 2010 1 commit
-
-
Jarek Poplawski authored
Wrong ax25_cb refcounting in ax25_send_frame() and by its callers can cause timer oopses (first reported with 2.6.29.6 kernel). Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=14905Reported-by: Bernard Pidoux <bpidoux@free.fr> Tested-by: Bernard Pidoux <bpidoux@free.fr> Signed-off-by: Jarek Poplawski <jarkao2@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 15 Jan, 2010 4 commits
-
-
Benoit Papillault authored
ieee80211_set_power_mgmt is meant for STA interfaces only. Moreover, since sdata->u.mgd.mtx is only initialized for STA interfaces, using this code for any other type of interface (like creating a monitor interface) will result in a oops. Cc: stable@kernel.org Signed-off-by: Benoit Papillault <benoit.papillault@free.fr> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Roel Kluin authored
da.s_net was not copied but assigned to itself. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Dan Williams authored
Dan Williams takes over I/OAT from Maciej Sosnowski Signed-off-by: Dan Williams <dan.j.williams@intel.com> Signed-off-by: Maciej Sosnowski <maciej.sosnowski@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Neil Horman authored
This was just recently reported to me. When built as modules, the dccp_probe module has a silent dependency on the dccp module. This stems from the fact that the module_init routine of dccp_probe registers a jprobe on the dccp_sendmsg symbol. Since the symbol is only referenced as a text string (the .symbol_name field in the jprobe struct) rather than the address of the symbol itself, depmod never picks this dependency up, and so if you load the dccp_probe module without the dccp module loaded, the register_jprobe call fails with an -EINVAL, and the whole module load fails. The fix is pretty easy, we can just wrap the register_jprobe call in a try_then_request_module call, which forces the dependency to get satisfied prior to the probe registration. Signed-off-by: Neil Horman <nhorman@tuxdriver.com> Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 14 Jan, 2010 15 commits
-
-
Abhijeet Kolekar authored
Patch fixes the bug at http://bugzilla.intellinuxwireless.org/show_bug.cgi?id=2139 Currently we cannot set the channel using wext extension if we have already associated and disconnected. As cfg80211_mgd_wext_siwfreq will not switch the channel if ssid is set. This fixes it by clearing the ssid. Following is the sequence which it tries to fix. modprobe iwlagn iwconfig wlan0 essid "" ifconfig wlan0 down iwconfig wlan0 chan X wext is marked as deprecate.If we use nl80211 we can easily play with setting the channel. Signed-off-by: Abhijeet Kolekar <abhijeet.kolekar@intel.com> Acked-by: Samuel Ortiz <sameo@linux.intel.com> cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Samuel Ortiz authored
Without this header, we can trigger a UMAC crash with debug enabled UMACs. Signed-off-by: Samuel Ortiz <sameo@linux.intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Octavian Purdila authored
Fixed build errors introduced by commit 7ad6848c (ip: fix mc_loop checks for tunnels with multicast outer addresses) Signed-off-by: Octavian Purdila <opurdila@ixiacom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
This fixes CERT-FI FICORA #341748 Discovered by Olli Jarva and Tuomo Untinen from the CROSS project at Codenomicon Ltd. Just like in CVE-2007-4567, we can't rely upon skb_dst() being non-NULL at this point. We fixed that in commit e76b2b25 ("[IPV6]: Do no rely on skb->dst before it is assigned.") However commit 483a47d2 ("ipv6: added net argument to IP6_INC_STATS_BH") put a new version of the same bug into this function. Complicating analysis further, this bug can only trigger when network namespaces are enabled in the build. When namespaces are turned off, the dev_net() does not evaluate it's argument, so the dereference would not occur. So, for a long time, namespaces couldn't be turned on unless SYSFS was disabled. Therefore, this code has largely been disabled except by people turning it on explicitly for namespace development. With help from Eugene Teo <eugene@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Matt Carlson authored
This patch updates the copyright notice for 2010 and updates the version number to 3.106. Signed-off-by: Matt Carlson <mcarlson@broadcom.com> Reviewed-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Matt Carlson authored
The B0 revision of the 5717 will not get enough testing by the time 2.6.33 ships. Since the kernel is already at RC3, serdes support will require too many patches to fix. For these reasons, this patch disables 5717 serdes support and will refuse to attach to all 5717 devices that are later than an A0 revision. Signed-off-by: Matt Carlson <mcarlson@broadcom.com> Reviewed-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Matt Carlson authored
The serdes status bit does not work as intended for the 5717 A0. This patch implements an alternative detection scheme that will only be valid for A0 revisions. Signed-off-by: Matt Carlson <mcarlson@broadcom.com> Reviewed-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Matt Carlson authored
There are some tg3 devices that require the driver to post new rx buffers in smaller increments. Commit 4361935a, "tg3: Consider rx_std_prod_idx a hw mailbox" changed how the driver tracks the rx producer ring updates, but it does not make any special considerations for the above-mentioned devices. For those devices, it is possible for the driver to hit the special case path, which updates the hardware mailbox register but skips updating the shadow software mailbox member. If the special case path represents the final mailbox update for this ISR iteration, the hardware and software mailbox values will be out of sync. Ultimately, this will cause the driver to use a stale mailbox value on the next iteration, which will appear to the hardware as a large rx buffer update. Bad things ensue. The fix is to update the software shadow mailbox member when the special case path is taken. Signed-off-by: Matt Carlson <mcarlson@broadcom.com> Reviewed-by: Michael Chan <mchan@broadcom.com> Reported-by: Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Matt Carlson authored
Commit 87668d35, titled "tg3: Don't touch RCB nic addresses", tried to avoid assigning the nic address of the standard producer ring. Unfortunately, the default nic address is not correct for the 5787, the 5755M, or the 57765. This patch reenables the old behavior and opts out of the assignment only for the 5717. Signed-off-by: Matt Carlson <mcarlson@broadcom.com> Reviewed-by: Michael Chan <mchan@broadcom.com> Tested-by: Chow Loong Jin <hyperair@ubuntu.com> Tested-by: Dmitry Torokhov <dtor@mail.ru> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Ben Hutchings authored
The MDIO self-test should not be run on boards without an MDIO PHY, such as SFN5122F-R3 and later revisions. It should also not try to address a specific MMD in an MDIO clause 22 PHY. Check the mode_support field to decide which mode to use, if any. Signed-off-by: Ben Hutchings <bhutchings@solarflare.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Ben Hutchings authored
When the interface is down and we are using polled mode for MCDI operations, we busy-wait for completion for approximately 1 jiffy using udelay() and then back off to schedule(). But the completion will not wake the task, since we are using polled mode! We must use schedule_timeout_uninterruptible() instead. Signed-off-by: Ben Hutchings <bhutchings@solarflare.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Bruce Allan authored
This patch removes a delay in hardware after every received packet allowing more time for transmitted packets to go out in between received packets in half duplex. Signed-off-by: Bruce Allan <bruce.w.allan@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Bruce Allan authored
A previous 82577 workaround that set the MDIO access speed to slow mode for every PHY register read/write when the cable is unplugged should instead set the access mode to always be slow before any PHY register access. Since the mode bit gets cleared when the PHY is reset, set the mode after every PHY reset. Signed-off-by: Bruce Allan <bruce.w.allan@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Shannon Nelson authored
Signed-off-by: Shannon Nelson <shannon.nelson@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Alexander Duyck authored
This patch resolves issues seen when running netconsole and rebooting via reboot -f. The issue was due to the fact that we were attempting to perform interrupt actions when the q_vectors and rings had already been freed via the ixgbe_shutdown routines. Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com> Acked-by: Mallikarjuna R Chilakala <mallikarjuna.chilakala@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 13 Jan, 2010 1 commit
-
- 12 Jan, 2010 2 commits
-
-
Jarek Poplawski authored
During TX timeout procedure dev could be awoken too early, e.g. by sky2_complete_tx() called from sky2_down(). Then sky2_xmit_frame() can run while buffers are freed causing an oops. This patch fixes it by adding netif_device_present() test in sky2_tx_complete(). Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=14925 With debugging by: Mike McCormack <mikem@ring3k.org> Reported-by: Berck E. Nash <flyboy@gmail.com> Tested-by: Berck E. Nash <flyboy@gmail.com> Signed-off-by: Jarek Poplawski <jarkao2@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Johannes Berg authored
When CONFIG_CFG80211_WEXT is not set, there is a refcount imbalance with rdev->opencount, fix that by moving it out of the ifdef. Reported-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-