29 Jun, 2012
1 commit
-
Pull networking update from David Miller:
1) Pairing and deadlock fixes in bluetooth from Johan Hedberg.
2) Add device IDs for AR3011 and AR3012 bluetooth chips. From
Giancarlo Formicuccia and Marek Vasut.3) Fix wireless regulatory deadlock, from Eliad Peller.
4) Fix full TX ring panic in bnx2x driver, from Eric Dumazet.
5) Revert the two commits that added skb_orphan_try(), it causes
erratic bonding behavior with UDP clients and the gains it used to
give are mostly no longer happening due to how BQL works. From Eric
Dumazet.6) It took two tries, but Thomas Graf fixed a problem wherein we
registered ipv6 routing procfs files before their backend data were
initialized properly.7) Fix max GSO size setting in be2net, from Sarveshwar Bandi.
8) PHY device id mask is wrong for KSZ9021 and KS8001 chips, fix from
Jason Wang.9) Fix use of stale SKB data pointer after skb_linearize() call in
batman-adv, from Antonio Quartulli.10) Fix memory leak in IXGBE due to missing __GFP_COMP, from Alexander
Duyck.11) Fix probing of Gobi devices in qmi_wwan usbnet driver, from Bjørn
Mork.12) Fix suspend/resume and open failure handling in usbnet from Ming
Lei.13) Attempt to fix device r8169 hangs for certain chips, from Francois
Romieu.14) Fix advancement of RX dirty pointer in some situations in sh_eth
driver, from Yoshihiro Shimoda.15) Attempt to fix restart of IPV6 routing table dumps when there is an
intervening table update. From Eric Dumazet.16) Respect security_inet_conn_request() return value in ipv6 TCP. From
Neal Cardwell.17) Add another iPAD device ID to ipheth driver, from Davide Gerhard.
18) Fix access to freed SKB in l2tp_eth_dev_xmit(), and fix l2tp lockdep
splats, from Eric Dumazet.19) Make sure all bridge devices, regardless of whether they were
created via netlink or ioctls, have their rtnetlink ops hooked up.
From Thomas Graf and Stephen Hemminger.* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (81 commits)
9p: fix min_t() casting in p9pdu_vwritef()
can: flexcan: use be32_to_cpup to handle the value of dt entry
xen/netfront: teardown the device before unregistering it.
bridge: Assign rtnl_link_ops to bridge devices created via ioctl (v2)
vhost: use USER_DS in vhost_worker thread
ixgbe: Do not pad FCoE frames as this can cause issues with FCoE DDP
net: l2tp_eth: use LLTX to avoid LOCKDEP splats
mac802154: add missed braces
net: l2tp_eth: fix l2tp_eth_dev_xmit race
net/mlx4_en: Release QP range in free_resources
net/mlx4: Use single completion vector after NOP failure
net/mlx4_en: Set correct port parameters during device initialization
ipheth: add support for iPad
caif-hsi: Add missing return in error path
caif-hsi: Bugfix - Piggyback'ed embedded CAIF frame lost
caif: Clear shutdown mask to zero at reconnect.
tcp: heed result of security_inet_conn_request() in tcp_v6_conn_request()
ipv6: fib: fix fib dump restart
batman-adv: fix race condition in TT full-table replacement
batman-adv: only drop packets of known wifi clients
...
28 Jun, 2012
1 commit
-
I don't think we're actually likely to hit this limit but if we do
then the comparison should be done as size_t. The original code
is equivalent to:
len = strlen(sptr) % USHRT_MAX;Signed-off-by: Dan Carpenter
Signed-off-by: David S. Miller
27 Jun, 2012
3 commits
-
This ensures that bridges created with brctl(8) or ioctl(2) directly
also carry IFLA_LINKINFO when dumped over netlink. This also allows
to create a bridge with ioctl(2) and delete it with RTM_DELLINK.Signed-off-by: Thomas Graf
Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller -
Denys Fedoryshchenko reported a LOCKDEP issue with l2tp code.
[ 8683.927442] ======================================================
[ 8683.927555] [ INFO: possible circular locking dependency detected ]
[ 8683.927672] 3.4.1-build-0061 #14 Not tainted
[ 8683.927782] -------------------------------------------------------
[ 8683.927895] swapper/0/0 is trying to acquire lock:
[ 8683.928007] (slock-AF_INET){+.-...}, at: []
l2tp_xmit_skb+0x173/0x47e [l2tp_core]
[ 8683.928121]
[ 8683.928121] but task is already holding lock:
[ 8683.928121] (_xmit_ETHER#2){+.-...}, at: []
sch_direct_xmit+0x36/0x119
[ 8683.928121]
[ 8683.928121] which lock already depends on the new lock.
[ 8683.928121]
[ 8683.928121]
[ 8683.928121] the existing dependency chain (in reverse order) is:
[ 8683.928121]
[ 8683.928121] -> #1 (_xmit_ETHER#2){+.-...}:
[ 8683.928121] [] lock_acquire+0x71/0x85
[ 8683.928121] [] _raw_spin_lock+0x33/0x40
[ 8683.928121] [] ip_send_reply+0xf2/0x1ce
[ 8683.928121] [] tcp_v4_send_reset+0x153/0x16f
[ 8683.928121] [] tcp_v4_do_rcv+0x172/0x194
[ 8683.928121] [] tcp_v4_rcv+0x387/0x5a0
[ 8683.928121] [] ip_local_deliver_finish+0x13a/0x1e9
[ 8683.928121] [] NF_HOOK.clone.11+0x46/0x4d
[ 8683.928121] [] ip_local_deliver+0x41/0x45
[ 8683.928121] [] ip_rcv_finish+0x31a/0x33c
[ 8683.928121] [] NF_HOOK.clone.11+0x46/0x4d
[ 8683.928121] [] ip_rcv+0x201/0x23d
[ 8683.928121] [] __netif_receive_skb+0x329/0x378
[ 8683.928121] [] netif_receive_skb+0x4e/0x7d
[ 8683.928121] [] rtl8139_poll+0x243/0x33d [8139too]
[ 8683.928121] [] net_rx_action+0x90/0x15d
[ 8683.928121] [] __do_softirq+0x7b/0x118
[ 8683.928121]
[ 8683.928121] -> #0 (slock-AF_INET){+.-...}:
[ 8683.928121] [] __lock_acquire+0x9a3/0xc27
[ 8683.928121] [] lock_acquire+0x71/0x85
[ 8683.928121] [] _raw_spin_lock+0x33/0x40
[ 8683.928121] [] l2tp_xmit_skb+0x173/0x47e
[l2tp_core]
[ 8683.928121] [] l2tp_eth_dev_xmit+0x1a/0x2f
[l2tp_eth]
[ 8683.928121] [] dev_hard_start_xmit+0x333/0x3f2
[ 8683.928121] [] sch_direct_xmit+0x55/0x119
[ 8683.928121] [] dev_queue_xmit+0x282/0x418
[ 8683.928121] [] NF_HOOK.clone.19+0x45/0x4c
[ 8683.928121] [] arp_xmit+0x22/0x24
[ 8683.928121] [] arp_send+0x41/0x48
[ 8683.928121] [] arp_process+0x289/0x491
[ 8683.928121] [] NF_HOOK.clone.19+0x45/0x4c
[ 8683.928121] [] arp_rcv+0xb1/0xc3
[ 8683.928121] [] __netif_receive_skb+0x329/0x378
[ 8683.928121] [] process_backlog+0x69/0x130
[ 8683.928121] [] net_rx_action+0x90/0x15d
[ 8683.928121] [] __do_softirq+0x7b/0x118
[ 8683.928121]
[ 8683.928121] other info that might help us debug this:
[ 8683.928121]
[ 8683.928121] Possible unsafe locking scenario:
[ 8683.928121]
[ 8683.928121] CPU0 CPU1
[ 8683.928121] ---- ----
[ 8683.928121] lock(_xmit_ETHER#2);
[ 8683.928121] lock(slock-AF_INET);
[ 8683.928121] lock(_xmit_ETHER#2);
[ 8683.928121] lock(slock-AF_INET);
[ 8683.928121]
[ 8683.928121] *** DEADLOCK ***
[ 8683.928121]
[ 8683.928121] 3 locks held by swapper/0/0:
[ 8683.928121] #0: (rcu_read_lock){.+.+..}, at: []
rcu_lock_acquire+0x0/0x30
[ 8683.928121] #1: (rcu_read_lock_bh){.+....}, at: []
rcu_lock_acquire+0x0/0x30
[ 8683.928121] #2: (_xmit_ETHER#2){+.-...}, at: []
sch_direct_xmit+0x36/0x119
[ 8683.928121]
[ 8683.928121] stack backtrace:
[ 8683.928121] Pid: 0, comm: swapper/0 Not tainted 3.4.1-build-0061 #14
[ 8683.928121] Call Trace:
[ 8683.928121] [] ? printk+0x18/0x1a
[ 8683.928121] [] print_circular_bug+0x1ac/0x1b6
[ 8683.928121] [] __lock_acquire+0x9a3/0xc27
[ 8683.928121] [] lock_acquire+0x71/0x85
[ 8683.928121] [] ? l2tp_xmit_skb+0x173/0x47e [l2tp_core]
[ 8683.928121] [] _raw_spin_lock+0x33/0x40
[ 8683.928121] [] ? l2tp_xmit_skb+0x173/0x47e [l2tp_core]
[ 8683.928121] [] l2tp_xmit_skb+0x173/0x47e [l2tp_core]
[ 8683.928121] [] l2tp_eth_dev_xmit+0x1a/0x2f [l2tp_eth]
[ 8683.928121] [] dev_hard_start_xmit+0x333/0x3f2
[ 8683.928121] [] sch_direct_xmit+0x55/0x119
[ 8683.928121] [] dev_queue_xmit+0x282/0x418
[ 8683.928121] [] ? dev_hard_start_xmit+0x3f2/0x3f2
[ 8683.928121] [] NF_HOOK.clone.19+0x45/0x4c
[ 8683.928121] [] arp_xmit+0x22/0x24
[ 8683.928121] [] ? dev_hard_start_xmit+0x3f2/0x3f2
[ 8683.928121] [] arp_send+0x41/0x48
[ 8683.928121] [] arp_process+0x289/0x491
[ 8683.928121] [] ? __neigh_lookup.clone.20+0x42/0x42
[ 8683.928121] [] NF_HOOK.clone.19+0x45/0x4c
[ 8683.928121] [] arp_rcv+0xb1/0xc3
[ 8683.928121] [] ? __neigh_lookup.clone.20+0x42/0x42
[ 8683.928121] [] __netif_receive_skb+0x329/0x378
[ 8683.928121] [] process_backlog+0x69/0x130
[ 8683.928121] [] net_rx_action+0x90/0x15d
[ 8683.928121] [] __do_softirq+0x7b/0x118
[ 8683.928121] [] ? local_bh_enable+0xd/0xd
[ 8683.928121] [] ? irq_exit+0x41/0x91
[ 8683.928121] [] ? do_IRQ+0x79/0x8d
[ 8683.928121] [] ? trace_hardirqs_off_caller+0x2e/0x86
[ 8683.928121] [] ? common_interrupt+0x2e/0x34
[ 8683.928121] [] ? default_idle+0x23/0x38
[ 8683.928121] [] ? cpu_idle+0x55/0x6f
[ 8683.928121] [] ? rest_init+0xa1/0xa7
[ 8683.928121] [] ? __read_lock_failed+0x14/0x14
[ 8683.928121] [] ? start_kernel+0x303/0x30a
[ 8683.928121] [] ? repair_env_string+0x51/0x51
[ 8683.928121] [] ? i386_start_kernel+0xa8/0xafIt appears that like most virtual devices, l2tp should be converted to
LLTX mode.This patch takes care of statistics using atomic_long in both RX and TX
paths, and fix a bug in l2tp_eth_dev_recv(), which was caching skb->data
before a pskb_may_pull() call.Signed-off-by: Eric Dumazet
Reported-by: Denys Fedoryshchenko
Cc: James Chapman
Cc: Hong zhi guo
Cc: Francois Romieu
Signed-off-by: David S. Miller -
Pull HID fixes from Jiri Kosina:
"The most important one is a purification of Kconfig for CONFIG_HID;
the inclusion of HID groups and autoloading didn't leave the Kconfig
in a really consistent state. Henrik's patch fixes that. In addition
to that, there are two small fixes for logitech and magicmouse
drivers."* 'upstream-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
HID: Fix the generic Kconfig options
HID: magicmouse: Correct report range of major / minor axes
HID: logitech: don't use stack based dj_report structures
26 Jun, 2012
5 commits
-
Add missed braces after 'if' operator.
Signed-off-by: Alexander Smirnov
Signed-off-by: David S. Miller -
Its illegal to dereference skb after giving it to l2tp_xmit_skb()
as it might be already freed/reused.Signed-off-by: Eric Dumazet
Cc: James Chapman
Signed-off-by: David S. Miller -
Clear caif sockets's shutdown mask at (re)connect.
Signed-off-by: Sjur Brændeland
Signed-off-by: David S. Miller -
If security_inet_conn_request() returns non-zero then TCP/IPv6 should
drop the request, just as in TCP/IPv4 and DCCP in both IPv4 and IPv6.Signed-off-by: Neal Cardwell
Acked-by: Eric Dumazet
Signed-off-by: David S. Miller -
Commit 2bec5a369ee79576a3 (ipv6: fib: fix crash when changing large fib
while dumping it) introduced ability to restart the dump at tree root,
but failed to skip correctly a count of already dumped entries. Code
didn't match Patrick intent.We must skip exactly the number of already dumped entries.
Note that like other /proc/net files or netlink producers, we could
still dump some duplicates entries.Reported-by: Debabrata Banerjee
Reported-by: Josh Hunt
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
25 Jun, 2012
1 commit
-
The generic HID driver is obviously not a special driver, so move it
outside of the special drivers menu. Explain the usage and make the
default follow the HID setting. This should simplify migration from
older kernels. While at it, remove the redundant HID_SUPPORT option
and modify the HID and USB_HID entries to better explain the bus
structure.Reported-by: Jan Beulich
Signed-off-by: Henrik Rydberg
Signed-off-by: Jiri Kosina
23 Jun, 2012
3 commits
-
bug introduced with cea194d90b11aff7fc289149e4c7f305fad3535a
In the current TT code, when a TT_Response containing a full table is received
from an originator, first the node purges all the clients for that originator in
the global translation-table and then merges the newly received table.
During the purging phase each client deletion is done by means of a call_rcu()
invocation and at the end of this phase the global entry counter for that
originator is set to 0. However the invoked rcu function decreases the global
entry counter for that originator by one too and since the rcu invocation is
likely to be postponed, the node will end up in first setting the counter to 0
and then decreasing it one by one for each deleted client.This bug leads to having a wrong global entry counter for the related node, say
X. Then when the node with the broken counter will answer to a TT_REQUEST on
behalf of node X, it will create faulty TT_RESPONSE that will generate an
unrecoverable situation on the node that asked for the full table recover.The non-recoverability is given by the fact that the node with the broken
counter will keep answering on behalf of X because its knowledge about X's state
(ttvn + tt_crc) is correct.To solve this problem the counter is not explicitly set to 0 anymore and the
counter decrement is performed right before the invocation of call_rcu().Signed-off-by: Antonio Quartulli
-
bug introduced with 59b699cdee039d75915c354da06937102d1f9a84
If the source or destination mac address of an ethernet packet
could not be found in the translation table the packet was
dropped if AP isolation was turned on. This behavior would
make it impossible to send broadcast packets over the mesh as
the broadcast address will never enter the translation table.Signed-off-by: Marek Lindner
Acked-by: Antonio Quartulli -
…wireless into for-davem
20 Jun, 2012
6 commits
-
We need to flush the msgr workqueue during mon_client shutdown to
ensure that any work affecting our embedded ceph_connection is
finished so that we can be safely destroyed.Previously, we were flushing the work queue after osd_client
shutdown and before mon_client shutdown to ensure that any osd
connection refs to authorizers are flushed. Remove the redundant
flush, and document in the comment that the mon_client flush is
needed to cover that case as well.Signed-off-by: Sage Weil
Reviewed-by: Alex Elder
(cherry picked from commit f3dea7edd3d449fe7a6d402c1ce56a294b985261) -
The bug can cause NULL pointer dereference in write_partial_msg_pages
Signed-off-by: Zheng Yan
Reviewed-by: Alex Elder
(cherry picked from commit 43643528cce60ca184fe8197efa8e8da7c89a037) -
There were a few direct calls to ceph_con_{get,put}() instead of the con
ops from osd_client.c. This is a bug since those ops aren't defined to
be ceph_con_get/put.This breaks refcounting on the ceph_osd structs that contain the
ceph_connections, and could lead to all manner of strangeness.The purpose of the ->get and ->put methods in a ceph connection are
to allow the connection to indicate it has a reference to something
external to the messaging system, *not* to indicate something
external has a reference to the connection.[elder@inktank.com: added that last sentence]
Signed-off-by: Sage Weil
Reviewed-by: Alex Elder
(cherry picked from commit 0d47766f14211a73eaf54cab234db134ece79f49) -
In ceph_osdc_release_request(), a reference to the r_reply message
is dropped. But just after that, that same message is revoked if it
was in use to receive an incoming reply. Reorder these so we are
sure we hold a reference until we're actually done with the message.Signed-off-by: Alex Elder
Reviewed-by: Sage Weil
(cherry picked from commit ab8cb34a4b2f60281a4b18b1f1ad23bc2313d91b) -
skb_linearize(skb) possibly rearranges the skb internal data and then changes
the skb->data pointer value. For this reason any other pointer in the code that
was assigned skb->data before invoking skb_linearise(skb) must be re-assigned.In the current tt_query message handling code this is not done and therefore, in
case of skb linearization, the pointer used to handle the packet header ends up
in pointing to free'd memory.This bug was introduced by a73105b8d4c765d9ebfb664d0a66802127d8e4c7
(batman-adv: improved client announcement mechanism)Signed-off-by: Antonio Quartulli
Cc:
Signed-off-by: David S. Miller
19 Jun, 2012
4 commits
-
net/sctp/protocol.c: In function ‘sctp_addr_wq_timeout_handler’:
net/sctp/protocol.c:676: warning: label ‘free_next’ defined but not usedSigned-off-by: Daniel Halperin
Signed-off-by: David S. Miller -
/proc/net/ipv6_route reflects the contents of fib_table_hash. The proc
handler is installed in ip6_route_net_init() whereas fib_table_hash is
allocated in fib6_net_init() _after_ the proc handler has been installed.This opens up a short time frame to access fib_table_hash with its pants
down.Move the registration of the proc files to a later point in the init
order to avoid the race.Tested :-)
Signed-off-by: Thomas Graf
Signed-off-by: David S. Miller -
Pull a 9p bugfix from Eric Van Hensbergen.
* 'v9fs-devel' of git://git.kernel.org/pub/scm/linux/kernel/git/ericvh/v9fs:
9p: BUG before corrupting memory -
…wireless into for-davem
18 Jun, 2012
1 commit
-
Signed-off-by: Rémi Denis-Courmont
Cc: Sakari Ailus
Signed-off-by: David S. Miller
16 Jun, 2012
4 commits
-
This reverts commit 2a0c451ade8e1783c5d453948289e4a978d417c9.
It causes crashes, because now ip6_null_entry is used before
it is initialized.Signed-off-by: David S. Miller
-
Pull NFS client bugfixes from Trond Myklebust:
"Highlights include:- Fix a couple of mount regressions due to the recent cleanups.
- Fix an Oops in the open recovery code
- Fix an rpc_pipefs upcall hang that results from some of the net
namespace work from 3.4.x (stable kernel candidate).
- Fix a couple of write and o_direct regressions that were found at
last weeks Bakeathon testing event in Ann Arbor."* tag 'nfs-for-3.5-2' of git://git.linux-nfs.org/projects/trondmy/linux-nfs:
NFS: add an endian notation for sparse
NFSv4.1: integer overflow in decode_cb_sequence_args()
rpc_pipefs: allow rpc_purge_list to take a NULL waitq pointer
NFSv4 do not send an empty SETATTR compound
NFSv2: EOF incorrectly set on short read
NFS: Use the NFS_DEFAULT_VERSION for v2 and v3 mounts
NFS: fix directio refcount bug on commit
NFSv4: Fix unnecessary delegation returns in nfs4_do_open
NFSv4.1: Convert another trivial printk into a dprintk
NFS4: Fix open bug when pnfs module blacklisted
NFS: Remove incorrect BUG_ON in nfs_found_client
NFS: Map minor mismatch error to protocol not support error.
NFS: Fix a commit bug
NFS4: Set parsed mount data version to 4
NFSv4.1: Ensure we clear session state flags after a session creation
NFSv4.1: Convert a trivial printk into a dprintk
NFSv4: Fix up decode_attr_mdsthreshold
NFSv4: Fix an Oops in the open recovery code
NFSv4.1: Fix a request leak on the back channel -
/proc/net/ipv6_route reflects the contents of fib_table_hash. The proc
handler is installed in ip6_route_net_init() whereas fib_table_hash is
allocated in fib6_net_init() _after_ the proc handler has been installed.This opens up a short time frame to access fib_table_hash with its pants
down.fib6_init() as a whole can't be moved to an earlier position as it also
registers the rtnetlink message handlers which should be registered at
the end. Therefore split it into fib6_init() which is run early and
fib6_init_late() to register the rtnetlink message handlers.Signed-off-by: Thomas Graf
Reviewed-by: Neil Horman
Signed-off-by: David S. Miller -
Orphaning skb in dev_hard_start_xmit() makes bonding behavior
unfriendly for applications sending big UDP bursts : Once packets
pass the bonding device and come to real device, they might hit a full
qdisc and be dropped. Without orphaning, the sender is automatically
throttled because sk->sk_wmemalloc reaches sk->sk_sndbuf (assuming
sk_sndbuf is not too big)We could try to defer the orphaning adding another test in
dev_hard_start_xmit(), but all this seems of little gain,
now that BQL tends to make packets more likely to be parked
in Qdisc queues instead of NIC TX ring, in cases where performance
matters.Reverts commits :
fc6055a5ba31 net: Introduce skb_orphan_try()
87fd308cfc6b net: skb_tx_hash() fix relative to skb_orphan_try()
and removes SKBTX_DRV_NEEDS_SK_REF flagReported-and-bisected-by: Jean-Michel Hautbois
Signed-off-by: Eric Dumazet
Tested-by: Oliver Hartkopp
Acked-by: Oliver Hartkopp
Signed-off-by: David S. Miller
14 Jun, 2012
3 commits
-
HCI_Disconnect should only be sent after connection is established.
If connection is not yet established and HCI_Disconnect is called
then disconnection complete will be received with a handle which
does not exist and hence this event will be ignored.
But as mgmt.c will not receive this event, its variable for pending
command is not cleared.This will result in future Disconnect commands
for that BD Address to be blocked with error busy.Signed-off-by: Vishal Agarwal
Acked-by: Johan Hedberg
Signed-off-by: Gustavo Padovan -
Bogdan Hamciuc diagnosed and fixed following bug in netpoll_send_udp() :
"skb->len += len;" instead of "skb_put(skb, len);"
Meaning that _if_ a network driver needs to call skb_realloc_headroom(),
only packet headers would be copied, leaving garbage in the payload.However the skb_realloc_headroom() must be avoided as much as possible
since it requires memory and netpoll tries hard to work even if memory
is exhausted (using a pool of preallocated skbs)It appears netpoll_send_udp() reserved 16 bytes for the ethernet header,
which happens to work for typicall drivers but not all.Right thing is to use LL_RESERVED_SPACE(dev)
(And also add dev->needed_tailroom of tailroom)This patch combines both fixes.
Many thanks to Bogdan for raising this issue.
Reported-by: Bogdan Hamciuc
Signed-off-by: Eric Dumazet
Tested-by: Bogdan Hamciuc
Cc: Herbert Xu
Cc: Neil Horman
Reviewed-by: Neil Horman
Reviewed-by: Cong Wang
Signed-off-by: David S. Miller
13 Jun, 2012
4 commits
-
Stop connection monitor poll during disassociation.
This clears the polling flags and if a scan was
deferred it will be run.Without this fix, if a scan was deferred due to
connection monitoring while disassociation happens,
this scan blocks further scan requests until interface
down/up which causes problems connecting to another AP.Signed-off-by: David Spinadel
Signed-off-by: Johannes Berg -
Otherwise, we might call the driver callback before
the interface was uploaded.Solves the following warning:
WARNING: at net/mac80211/driver-ops.h:12 ieee80211_set_bitrate_mask+0xbc/0x18c [mac80211]()
wlan0: Failed check-sdata-in-driver check, flags: 0x0
Modules linked in: wlcore_sdio wl12xx wl18xx wlcore mac80211 cfg80211 [last unloaded: cfg80211]
[] (unwind_backtrace+0x0/0x12c) from [] (dump_stack+0x20/0x24)
[] (dump_stack+0x20/0x24) from [] (warn_slowpath_common+0x5c/0x74)
[] (warn_slowpath_common+0x5c/0x74) from [] (warn_slowpath_fmt+0x40/0x48)
[] (warn_slowpath_fmt+0x40/0x48) from [] (ieee80211_set_bitrate_mask+0xbc/0x18c [mac80211])
[] (ieee80211_set_bitrate_mask+0xbc/0x18c [mac80211]) from [] (nl80211_set_tx_bitrate_mask+0x350/0x358 [cfg80211])
[] (nl80211_set_tx_bitrate_mask+0x350/0x358 [cfg80211]) from [] (genl_rcv_msg+0x1a8/0x1e8)
[] (genl_rcv_msg+0x1a8/0x1e8) from [] (netlink_rcv_skb+0x5c/0xc0)
[] (netlink_rcv_skb+0x5c/0xc0) from [] (genl_rcv+0x28/0x34)
[] (genl_rcv+0x28/0x34) from [] (netlink_unicast+0x158/0x234)
[] (netlink_unicast+0x158/0x234) from [] (netlink_sendmsg+0x218/0x298)
[] (netlink_sendmsg+0x218/0x298) from [] (sock_sendmsg+0xa4/0xc0)
[] (sock_sendmsg+0xa4/0xc0) from [] (__sys_sendmsg+0x1d8/0x254)
[] (__sys_sendmsg+0x1d8/0x254) from [] (sys_sendmsg+0x4c/0x70)
[] (sys_sendmsg+0x4c/0x70) from [] (ret_fast_syscall+0x0/0x3c)Note that calling the driver can also result
in undefined behaviour since it doesn't have
to deal with calls while down.Signed-off-by: Eliad Peller
[removed timestamps, added note - Johannes]
Signed-off-by: Johannes Berg -
reg_timeout_work() calls restore_regulatory_settings() which
takes cfg80211_mutex.reg_set_request_processed() already holds cfg80211_mutex
before calling cancel_delayed_work_sync(reg_timeout),
so it might deadlock.Call the async cancel_delayed_work instead, in order
to avoid the potential deadlock.This is the relevant lockdep warning:
cfg80211: Calling CRDA for country: XX
======================================================
[ INFO: possible circular locking dependency detected ]
3.4.0-rc5-wl+ #26 Not tainted
-------------------------------------------------------
kworker/0:2/1391 is trying to acquire lock:
(cfg80211_mutex){+.+.+.}, at: [] restore_regulatory_settings+0x34/0x418 [cfg80211]but task is already holding lock:
((reg_timeout).work){+.+...}, at: [] process_one_work+0x1f0/0x480which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 ((reg_timeout).work){+.+...}:
[] validate_chain+0xb94/0x10f0
[] __lock_acquire+0x8c8/0x9b0
[] lock_acquire+0xf0/0x114
[] wait_on_work+0x4c/0x154
[] __cancel_work_timer+0xd4/0x11c
[] cancel_delayed_work_sync+0x1c/0x20
[] reg_set_request_processed+0x50/0x78 [cfg80211]
[] set_regdom+0x550/0x600 [cfg80211]
[] nl80211_set_reg+0x218/0x258 [cfg80211]
[] genl_rcv_msg+0x1a8/0x1e8
[] netlink_rcv_skb+0x5c/0xc0
[] genl_rcv+0x28/0x34
[] netlink_unicast+0x15c/0x228
[] netlink_sendmsg+0x218/0x298
[] sock_sendmsg+0xa4/0xc0
[] __sys_sendmsg+0x1e4/0x268
[] sys_sendmsg+0x4c/0x70
[] ret_fast_syscall+0x0/0x3c-> #1 (reg_mutex){+.+.+.}:
[] validate_chain+0xb94/0x10f0
[] __lock_acquire+0x8c8/0x9b0
[] lock_acquire+0xf0/0x114
[] mutex_lock_nested+0x48/0x320
[] reg_todo+0x30/0x538 [cfg80211]
[] process_one_work+0x2a0/0x480
[] worker_thread+0x1bc/0x2bc
[] kthread+0x98/0xa4
[] kernel_thread_exit+0x0/0x8-> #0 (cfg80211_mutex){+.+.+.}:
[] print_circular_bug+0x68/0x2cc
[] validate_chain+0x978/0x10f0
[] __lock_acquire+0x8c8/0x9b0
[] lock_acquire+0xf0/0x114
[] mutex_lock_nested+0x48/0x320
[] restore_regulatory_settings+0x34/0x418 [cfg80211]
[] reg_timeout_work+0x1c/0x20 [cfg80211]
[] process_one_work+0x2a0/0x480
[] worker_thread+0x1bc/0x2bc
[] kthread+0x98/0xa4
[] kernel_thread_exit+0x0/0x8other info that might help us debug this:
Chain exists of:
cfg80211_mutex --> reg_mutex --> (reg_timeout).workPossible unsafe locking scenario:
CPU0 CPU1
---- ----
lock((reg_timeout).work);
lock(reg_mutex);
lock((reg_timeout).work);
lock(cfg80211_mutex);*** DEADLOCK ***
2 locks held by kworker/0:2/1391:
#0: (events){.+.+.+}, at: [] process_one_work+0x1f0/0x480
#1: ((reg_timeout).work){+.+...}, at: [] process_one_work+0x1f0/0x480stack backtrace:
[] (unwind_backtrace+0x0/0x12c) from [] (dump_stack+0x20/0x24)
[] (dump_stack+0x20/0x24) from [] (print_circular_bug+0x280/0x2cc)
[] (print_circular_bug+0x280/0x2cc) from [] (validate_chain+0x978/0x10f0)
[] (validate_chain+0x978/0x10f0) from [] (__lock_acquire+0x8c8/0x9b0)
[] (__lock_acquire+0x8c8/0x9b0) from [] (lock_acquire+0xf0/0x114)
[] (lock_acquire+0xf0/0x114) from [] (mutex_lock_nested+0x48/0x320)
[] (mutex_lock_nested+0x48/0x320) from [] (restore_regulatory_settings+0x34/0x418 [cfg80211])
[] (restore_regulatory_settings+0x34/0x418 [cfg80211]) from [] (reg_timeout_work+0x1c/0x20 [cfg80211])
[] (reg_timeout_work+0x1c/0x20 [cfg80211]) from [] (process_one_work+0x2a0/0x480)
[] (process_one_work+0x2a0/0x480) from [] (worker_thread+0x1bc/0x2bc)
[] (worker_thread+0x1bc/0x2bc) from [] (kthread+0x98/0xa4)
[] (kthread+0x98/0xa4) from [] (kernel_thread_exit+0x0/0x8)
cfg80211: Calling CRDA to update world regulatory domain
cfg80211: World regulatory domain updated:
cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
cfg80211: (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)Cc: stable@kernel.org
Signed-off-by: Eliad Peller
Signed-off-by: Johannes Berg
12 Jun, 2012
4 commits
-
Add a few kernel-doc descriptions that were missed
during mesh development.Reported-by: Randy Dunlap
Signed-off-by: Ashok Nagarajan
Acked-by: Randy Dunlap
Signed-off-by: Johannes Berg -
If remote device sends bogus RFC option with invalid length,
undefined options values are used. Fix this by using defaults when
remote misbehaves.This also fixes the following warning reported by gcc 4.7.0:
net/bluetooth/l2cap_core.c: In function 'l2cap_config_rsp':
net/bluetooth/l2cap_core.c:3302:13: warning: 'rfc.max_pdu_size' may be used uninitialized in this function [-Wmaybe-uninitialized]
net/bluetooth/l2cap_core.c:3266:24: note: 'rfc.max_pdu_size' was declared here
net/bluetooth/l2cap_core.c:3298:25: warning: 'rfc.monitor_timeout' may be used uninitialized in this function [-Wmaybe-uninitialized]
net/bluetooth/l2cap_core.c:3266:24: note: 'rfc.monitor_timeout' was declared here
net/bluetooth/l2cap_core.c:3297:25: warning: 'rfc.retrans_timeout' may be used uninitialized in this function [-Wmaybe-uninitialized]
net/bluetooth/l2cap_core.c:3266:24: note: 'rfc.retrans_timeout' was declared here
net/bluetooth/l2cap_core.c:3295:2: warning: 'rfc.mode' may be used uninitialized in this function [-Wmaybe-uninitialized]
net/bluetooth/l2cap_core.c:3266:24: note: 'rfc.mode' was declared hereSigned-off-by: Szymon Janc
Signed-off-by: Gustavo Padovan -
In the event that we don't have a dentry for a rpc_pipefs pipe, we still
need to allow the queue_timeout job to clean out the queue. There's just
no waitq to wake up in that event.Cc: stable@kernel.org
Reported-by: Hans de Bruin
Reported-by: Joerg Platte
Signed-off-by: Jeff Layton
Signed-off-by: Trond Myklebust -
…wireless into for-davem
