- 06 Aug, 2009 9 commits
-
-
-
Eric Dumazet authored
irda_getname() can leak kernel memory to user. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
atalk_getname() can leak 8 bytes of kernel memory to user Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
nr_getname() can leak kernel memory to user. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
econet_getname() can leak kernel memory to user. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
rose_getname() can leak kernel memory to user. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Dmitry Eremin-Solenikov authored
Provide dummt get/setsockopt implementations to stop these syscalls from oopsing on our sockets. Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
-
Dmitry Eremin-Solenikov authored
fix two errors in ioctl processing: 1) if the ioctl isn't supported one should return -ENOIOCTLCMD 2) don't call ndo_do_ioctl if the device doesn't provide it Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
-
Pascal Terjan authored
We found this old card which was not supported, and physically looks similar to the other 3C905B we have (9055). After adding the IDs it seems to work fine (MII report, dhcp, scp, ...) Acked-by: Steffen Klassert <klassert@mathematik.tu-chemnitz.de> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 05 Aug, 2009 4 commits
-
-
Eric Dumazet authored
net/phonet/pn_dev.c: In function `phonet_device_get': net/phonet/pn_dev.c:99: warning: 'dev' might be used uninitialized in this function Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Acked-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Wei Yongjun authored
percpu counter dccp_orphan_count is init in dccp_init() by percpu_counter_init() while dccp module is loaded, but the destroy of it is missing while dccp module is unloaded. We can get the kernel WARNING about this. Reproduct by the following commands: $ modprobe dccp $ rmmod dccp $ modprobe dccp WARNING: at lib/list_debug.c:26 __list_add+0x27/0x5c() Hardware name: VMware Virtual Platform list_add corruption. next->prev should be prev (c080c0c4), but was (null). (next =ca7188cc). Modules linked in: dccp(+) nfsd lockd nfs_acl auth_rpcgss exportfs sunrpc Pid: 1956, comm: modprobe Not tainted 2.6.31-rc5 #55 Call Trace: [<c042f8fa>] warn_slowpath_common+0x6a/0x81 [<c053a6cb>] ? __list_add+0x27/0x5c [<c042f94f>] warn_slowpath_fmt+0x29/0x2c [<c053a6cb>] __list_add+0x27/0x5c [<c053c9b3>] __percpu_counter_init+0x4d/0x5d [<ca9c90c7>] dccp_init+0x19/0x2ed [dccp] [<c0401141>] do_one_initcall+0x4f/0x111 [<ca9c90ae>] ? dccp_init+0x0/0x2ed [dccp] [<c06971b5>] ? notifier_call_chain+0x26/0x48 [<c0444943>] ? __blocking_notifier_call_chain+0x45/0x51 [<c04516f7>] sys_init_module+0xac/0x1bd [<c04028e4>] sysenter_do_call+0x12/0x22 Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Dhananjay Phadke authored
Fix dma mask calculation that caps at 63-bit addressing even when firmware advertises full 64-bit support. Signed-off-by: Dhananjay Phadke <dhananjay@netxen.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Ingo Molnar authored
-tip testing found this lockdep warning: [ 2.272010] calling net_dev_init+0x0/0x164 @ 1 [ 2.276033] device class 'net': registering [ 2.280191] INFO: trying to register non-static key. [ 2.284005] the code is fine but needs lockdep annotation. [ 2.284005] turning off the locking correctness validator. [ 2.284005] Pid: 1, comm: swapper Not tainted 2.6.31-rc5-tip #1145 [ 2.284005] Call Trace: [ 2.284005] [<7958eb4e>] ? printk+0xf/0x11 [ 2.284005] [<7904f83c>] __lock_acquire+0x11b/0x622 [ 2.284005] [<7908c9b7>] ? alloc_debug_processing+0xf9/0x144 [ 2.284005] [<7904e2be>] ? mark_held_locks+0x3a/0x52 [ 2.284005] [<7908dbc4>] ? kmem_cache_alloc+0xa8/0x13f [ 2.284005] [<7904e475>] ? trace_hardirqs_on_caller+0xa2/0xc3 [ 2.284005] [<7904fdf6>] lock_acquire+0xb3/0xd0 [ 2.284005] [<79489678>] ? alloc_netdev_mq+0xf5/0x1ad [ 2.284005] [<79591514>] _spin_lock_bh+0x2d/0x5d [ 2.284005] [<79489678>] ? alloc_netdev_mq+0xf5/0x1ad [ 2.284005] [<79489678>] alloc_netdev_mq+0xf5/0x1ad [ 2.284005] [<793a38f2>] ? loopback_setup+0x0/0x74 [ 2.284005] [<798eecd0>] loopback_net_init+0x20/0x5d [ 2.284005] [<79483efb>] register_pernet_device+0x23/0x4b [ 2.284005] [<798f5c9f>] net_dev_init+0x115/0x164 [ 2.284005] [<7900104f>] do_one_initcall+0x4a/0x11a [ 2.284005] [<798f5b8a>] ? net_dev_init+0x0/0x164 [ 2.284005] [<79066f6d>] ? register_irq_proc+0x8c/0xa8 [ 2.284005] [<798cc29a>] do_basic_setup+0x42/0x52 [ 2.284005] [<798cc30a>] kernel_init+0x60/0xa1 [ 2.284005] [<798cc2aa>] ? kernel_init+0x0/0xa1 [ 2.284005] [<79003e03>] kernel_thread_helper+0x7/0x10 [ 2.284078] device: 'lo': device_add [ 2.288248] initcall net_dev_init+0x0/0x164 returned 0 after 11718 usecs [ 2.292010] calling neigh_init+0x0/0x66 @ 1 [ 2.296010] initcall neigh_init+0x0/0x66 returned 0 after 0 usecs it's using an zero-initialized spinlock. This is a side-effect of: dev_unicast_init(dev); in alloc_netdev_mq() making use of dev->addr_list_lock. The device has just been allocated freshly, it's not accessible anywhere yet so no locking is needed at all - in fact it's wrong to lock it here (the lock isnt initialized yet). This bug was introduced via: | commit a6ac65db | Date: Thu Jul 30 01:06:12 2009 +0000 | | net: restore the original spinlock to protect unicast list Signed-off-by: Ingo Molnar <mingo@elte.hu> Acked-by: Jiri Pirko <jpirko@redhat.com> Tested-by: Mark Brown <broonie@opensource.wolfsonmicro.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 04 Aug, 2009 5 commits
-
-
Hannes Hering authored
This patch fixes the napi list handling when an ehea interface is shut down to avoid corruption of the napi list. Signed-off-by: Hannes Hering <hering2@de.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Alexander Duyck authored
The VF driver was not correctly recognizing that it did not correctly set it's mac address. As a result the VF driver was unable to receive network traffic until being unloaded and reloaded. The issue was root caused to the fact that the CTS bit was not taken into account when checking for the request being NAKed. Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jean Delvare authored
Fix the following build failure with gcc 3.2: CC [M] drivers/net/3c59x.o drivers/net/3c59x.c:2726:1: directives may not be used inside a macro argument drivers/net/3c59x.c:2725:59: unterminated argument list invoking macro "pr_err" drivers/net/3c59x.c: In function `dump_tx_ring': drivers/net/3c59x.c:2727: implicit declaration of function `pr_err' drivers/net/3c59x.c:2731: syntax error before ')' token Apparently gcc 3.2 doesn't like #if interleaved with a macro call. Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Mike McCormack authored
This patch supersedes my previous patch "sky2: Avoid transmitting during sky2_restart". I have reworked the patch to avoid crashes during both sky2_restart() and sky2_set_ringparam(). Without this patch, the sky2 driver can be crashed by doing: # pktgen eth1 & (transmit many packets on eth1) # ethtool -G eth1 tx 510 I am aware you object to storing extra state, but I can't see a way around this. Without remembering that we're restarting, netif_wake_queue() is called in the ISR from sky2_tx_complete(), and netif_tx_lock() is used in sky2_tx_done(). If anybody can see a way around this, please let me know. Signed-off-by: Mike McCormack <mikem@ring3k.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 03 Aug, 2009 10 commits
-
-
Reinette Chatre authored
Do all key clearing except sending sommands to device when rfkill enabled. When rfkill enabled the interface is brought down and will be brought back up correctly after rfkill is enabled again. Same change is not needed for iwl3945 as it ignores return code when sending key clearing command to device. This fixes http://bugzilla.kernel.org/show_bug.cgi?id=13742Signed-off-by: Reinette Chatre <reinette.chatre@intel.com> Tested-by: Frans Pop <elendil@planet.nl> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Roel Kluin authored
Check whether index is within bounds before testing the element. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Julia Lawall authored
Error handling code following a kzalloc should free the allocated data. The semantic match that finds the problem is as follows: (http://www.emn.fr/x-info/coccinelle/) // <smpl> @r exists@ local idexpression x; statement S; expression E; identifier f,f1,l; position p1,p2; expression *ptr != NULL; @@ x@p1 = \(kmalloc\|kzalloc\|kcalloc\)(...); ... if (x == NULL) S <... when != x when != if (...) { <+...x...+> } ( x->f1 = E | (x->f1 == NULL || ...) | f(...,x->f1,...) ) ...> ( return \(0\|<+...x...+>\|ptr\); | return@p2 ...; ) @script:python@ p1 << r.p1; p2 << r.p2; @@ print "* file: %s kmalloc %s return %s" % (p1[0].file,p1[0].line,p2[0].line) // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Julia Lawall authored
Move orthogonal error handling code up before a kzalloc, so that it doesn't have to free the allocated data. The semantic match that finds the problem is as follows: (http://www.emn.fr/x-info/coccinelle/) // <smpl> @r exists@ local idexpression x; statement S; expression E; identifier f,f1,l; position p1,p2; expression *ptr != NULL; @@ x@p1 = \(kmalloc\|kzalloc\|kcalloc\)(...); ... if (x == NULL) S <... when != x when != if (...) { <+...x...+> } ( x->f1 = E | (x->f1 == NULL || ...) | f(...,x->f1,...) ) ...> ( return \(0\|<+...x...+>\|ptr\); | return@p2 ...; ) @script:python@ p1 << r.p1; p2 << r.p2; @@ print "* file: %s kmalloc %s return %s" % (p1[0].file,p1[0].line,p2[0].line) // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Acked-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Patrick Simmons authored
Fix an unaligned memory access in the zd_mac_rx function of zd1211rw that causes problems on SPARC64. Signed-off-by: Patrick Simmons <linuxrocks123@netscape.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Luis R. Rodriguez authored
A regression was added through patch a4ed90d6: "cfg80211: respect API on orig_flags on channel for beacon hint" We did indeed respect _orig flags but the intention was not clearly stated in the commit log. This patch fixes firmware issues picked up by iwlwifi when we lift passive scan of beaconing restrictions on channels its EEPROM has been configured to always enable. By doing so though we also disallowed beacon hints on devices registering their wiphy with custom world regulatory domains enabled, this happens to be currently ath5k, ath9k and ar9170. The passive scan and beacon restrictions on those devices would never be lifted even if we did find a beacon and the hardware did support such enhancements when world roaming. Since Johannes indicates iwlwifi firmware cannot be changed to allow beacon hinting we set up a flag now to specifically allow drivers to disable beacon hints for devices which cannot use them. We enable the flag on iwlwifi to disable beacon hints and by default enable it for all other drivers. It should be noted beacon hints lift passive scan flags and beacon restrictions when we receive a beacon from an AP on any 5 GHz non-DFS channels, and channels 12-14 on the 2.4 GHz band. We don't bother with channels 1-11 as those channels are allowed world wide. This should fix world roaming for ath5k, ath9k and ar9170, thereby improving scan time when we receive the first beacon from any AP, and also enabling beaconing operation (AP/IBSS/Mesh) on cards which would otherwise not be allowed to do so. Drivers not using custom regulatory stuff (wiphy_apply_custom_regulatory()) were not affected by this as the orig_flags for the channels would have been cleared upon wiphy registration. I tested this with a world roaming ath5k card. Cc: Jouni Malinen <jouni.malinen@atheros.com> Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com> Reviewed-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Johannes Berg authored
These pointers can be NULL, the is_mesh() case isn't ever hit in the current kernel, but cmp_ies() can be hit under certain conditions. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Cc: stable@kernel.org [2.6.29, 2.6.30] Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
Mallikarjuna R Chilakala authored
The default completion timeout values for 82598 should be in the range of 50us to 50ms, however the hardware default for these parts is 500us to 1ms which is less than the 10ms recommended by the pcie spec. To address this we need to increase the value to either 10ms to 250ms for capability version 1 configuration, or 16ms to 55ms for version 2. Signed-off-by: Mallikarjuna R Chilakala <mallikarjuna.chilakala@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Dave Young authored
rfcomm tty may be used before rfcomm_tty_driver initilized, The problem is that now socket layer init before tty layer, if userspace program do socket callback right here then oops will happen. reporting in: http://marc.info/?l=linux-bluetooth&m=124404919324542&w=2 make 3 changes: 1. remove #ifdef in rfcomm/core.c, make it blank function when rfcomm tty not selected in rfcomm.h 2. tune the rfcomm_init error patch to ensure tty driver initilized before rfcomm socket usage. 3. remove __exit for rfcomm_cleanup_sockets because above change need call it in a __init function. Reported-by: Oliver Hartkopp <oliver@hartkopp.net> Tested-by: Oliver Hartkopp <oliver@hartkopp.net> Signed-off-by: Dave Young <hidave.darkstar@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Yevgeny Petrilin authored
In cases of fragmented skb, with the data pointers being wrapped around the TX buffer, the completion handling code would not forward the data pointer and the firs fragment was unmapped several times, while others were not unmapped at all. Signed-off-by: Yevgeny Petrilin <yevgenyp@mellanox.co.il> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 02 Aug, 2009 11 commits
-
-
Andreas Eversberg authored
The size of receive buffer pointer was used to get size of receive buffer instead of recvbuf_size itself, so only 4/8 bytes could be transfered. This is a regression to 2.6.30 introduced by commit 8c90e11e mISDN: Use kernel_{send,recv}msg instead of open coding Signed-off-by: Andreas Eversberg <andreas@eversberg.eu> Signed-off-by: Karsten Keil <keil@b1-systems.de> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Don Fry authored
VLB support has been broken since at least 2004-2005 period as some changes introduced back then assumed that ->pci_dev is always valid, lets try to fix it: - remove duplicated SET_NETDEV_DEV() call - call SET_NETDEV_DEV() only for PCI devices - check for ->pci_dev validity in pcnet32_open() [ Alternatively we may consider removing VLB support but there would not be much gain in it since an extra driver code needed for VLB support is minimal and quite simple. ] This takes care of the following entry from Dan's list: drivers/net/pcnet32.c +1889 pcnet32_probe1(298) warning: variable derefenced before check 'pdev' Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com> Acked-by: Don Fry <pcnet32@verizon.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Don Fry authored
Move the debug printk() into the proper place and remove superfluous NULL pointer check in pcnet32_probe1(). This takes care of the following entry from Dan's list: drivers/net/pcnet32.c +1889 pcnet32_probe1(298) warning: variable derefenced before check 'pdev' Reported-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com> Acked-by: Don Fry <pcnet32@verizon.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jiri Pirko authored
There is a path when an assetion in dev_unicast_sync() appears. igmp6_group_added -> dev_mc_add -> __dev_set_rx_mode -> -> vlan_dev_set_rx_mode -> dev_unicast_sync Therefore we cannot protect this list with rtnl. This patch restores the original protecting this list with spinlock. Signed-off-by: Jiri Pirko <jpirko@redhat.com> Tested-by: Meelis Roos <mroos@linux.ee> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Dhananjay Phadke authored
Change default dma mask for NX3031 to 39 bit with ability to update it to 64-bit (if firmware indicates support). Old code was restricting it under 4GB (32-bit), sometimes causing failure to allocate descriptor rings on heavily populated system. NX2031 based NICs will still get 32-bit coherent mask. Signed-off-by: Dhananjay Phadke <dhananjay@netxen.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
roel kluin authored
Check whether index is within bounds before testing the element. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Acked-by: Karsten Keil <keil@b1-systems.de> Signed-off-by: David S. Miller <davem@davemloft.net>
-
roel kluin authored
Check whether index is within bounds before testing the element. In the last iteration i is PHY_MAX_ADDR. the condition `!(p = pd->mii.bus->phy_map[PHY_MAX_ADDR])' is undefined and may evaluate to false, which leads to a dereference of this invalid phy_map in the phy_connect() below. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
roel kluin authored
Check whether index is within bounds before testing the element. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
memcpy() should take into account size of pointers, not only number of pointers to copy. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Acked-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Eric Dumazet authored
Failure to call unregister_pernet_gen_device() can exhaust memory if module is loaded/unloaded many times. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Acked-by: Cyrill Gorcunov <gorcunov@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Ben McKeegan authored
This patch fixes the corner cases where the sum of MTU of the free channels (adjusted for fragmentation overheads) is less than the MTU of PPP link. There are at least 3 situations where this case might arise: - some of the channels are busy - the multilink session is running in a degraded state (i.e. with less than its full complement of active channels) - by design, where multilink protocol is being used to artificially increase the effective link MTU of a single link. Without this patch, at most 1 fragment is ever sent per free channel for a given PPP frame and any remaining part of the PPP frame that does not fit into those fragments is silently discarded. This patch restores the original behaviour which was broken by commit 9c705260 'ppp:ppp_mp_explode() redesign'. Once all 'free' channels have been given a fragment, an additional fragment is queued to each available channel in turn, as many times as necessary, until the entire PPP frame has been consumed. Signed-off-by: Ben McKeegan <ben@netservers.co.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 31 Jul, 2009 1 commit
-
-
Peter P Waskiewicz Jr authored
When a user disables interrupt throttling with ethtool on 82599 devices, the interrupt timer may not be re-enabled if hardware RSC is running. The RSC completions in hardware don't complete before the next ITR event tries to fire, so the ITR timer never gets re-armed. This patch increases the amount of time between interrupts when throttling is disabled (rx-usecs = 0) when the hardware RSC deature is enabled. Signed-off-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-