11 Feb, 2010
3 commits
-
This patch fixes two potential races in the velocity driver:
* Move the ACK and error handler to the interrupt handler. This fixes a
potential race with shared interrupts when the other device interrupts
before the NAPI poll handler has finished. As the velocity driver hasn't
acked it's own interrupt, it will then steal the interrupt from the
other device.* Use spin_lock_irqsave in velocity_poll. In the current code, the
interrupt handler will deadlock if e.g., the NAPI poll handler is
executing when an interrupt (for another device) comes in since it
tries to take the already held lock.Also unlock the spinlock only after enabling the interrupt in
velocity_poll.The error path is moved to the interrupt handler since this is where the
ISR is checked now.Signed-off-by: Simon Kagstrom
Signed-off-by: Anders Grafstrom
Signed-off-by: David S. Miller -
velocity_set_coalesce touches ISR and some other sensitive registers not
covered by the rtnl lock, so take the velocity spinlock.Signed-off-by: Simon Kagstrom
Signed-off-by: David S. Miller -
Signed-off-by: Simon Kagstrom
Signed-off-by: David S. Miller
09 Feb, 2010
11 commits
-
Test the value that was just allocated rather than the previously tested one.
A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)//
@r@
expression *x;
expression e;
identifier l;
@@if (x == NULL || ...) {
... when forall
return ...; }
... when != goto l;
when != x = e
when != &x
*x == NULL
//Signed-off-by: Julia Lawall
Signed-off-by: David S. Miller -
During the rc period, patches that are not bugfixes
should be done using the net-next tree.Signed-off-by: Joe Perches
Signed-off-by: David S. Miller -
The action modules have been prefixed with 'act_', but the Kconfig
description was not changed.Signed-off-by: Jan Luebbe
Acked-by: Jamal Hadi Salim
Signed-off-by: David S. Miller -
Verify the HW checksum state for frames handed to GRO processing.
Signed-off-by: Divy Le Ray
Signed-off-by: David S. Miller -
Kernel bugzilla #15239
On some workloads, it is quite possible to get a huge dst list to
process in dst_gc_task(), and trigger soft lockup detection.Fix is to call cond_resched(), as we run in process context.
Reported-by: Pawel Staszewski
Tested-by: Pawel Staszewski
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller -
As noticed by Jon Masters , the conntrack hash
size is global and not per namespace, but modifiable at runtime through
/sys/module/nf_conntrack/hashsize. Changing the hash size will only
resize the hash in the current namespace however, so other namespaces
will use an invalid hash size. This can cause crashes when enlarging
the hashsize, or false negative lookups when shrinking it.Move the hash size into the per-namespace data and only use the global
hash size to initialize the per-namespace value when instanciating a
new namespace. Additionally restrict hash resizing to init_net for
now as other namespaces are not handled currently.Cc: stable@kernel.org
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
As per C99 6.2.4(2) when temporary table data goes out of scope,
the behaviour is undefined:if (compat) {
struct foo tmp;
...
private = &tmp;
}
[dereference private]Signed-off-by: Alexey Dobriyan
Cc: stable@kernel.org
Signed-off-by: Patrick McHardy -
Expectation hashtable size was simply glued to a variable with no code
to rehash expectations, so it was a bug to allow writing to it.
Make "expect_hashsize" readonly.Signed-off-by: Alexey Dobriyan
Cc: stable@kernel.org
Signed-off-by: Patrick McHardy -
nf_conntrack_cachep is currently shared by all netns instances, but
because of SLAB_DESTROY_BY_RCU special semantics, this is wrong.If we use a shared slab cache, one object can instantly flight between
one hash table (netns ONE) to another one (netns TWO), and concurrent
reader (doing a lookup in netns ONE, 'finding' an object of netns TWO)
can be fooled without notice, because no RCU grace period has to be
observed between object freeing and its reuse.We dont have this problem with UDP/TCP slab caches because TCP/UDP
hashtables are global to the machine (and each object has a pointer to
its netns).If we use per netns conntrack hash tables, we also *must* use per netns
conntrack slab caches, to guarantee an object can not escape from one
namespace to another one.Signed-off-by: Eric Dumazet
[Patrick: added unique slab name allocation]
Cc: stable@kernel.org
Signed-off-by: Patrick McHardy -
As discovered by Jon Masters , the "untracked"
conntrack, which is located in the data section, might be accidentally
freed when a new namespace is instantiated while the untracked conntrack
is attached to a skb because the reference count it re-initialized.The best fix would be to use a seperate untracked conntrack per
namespace since it includes a namespace pointer. Unfortunately this is
not possible without larger changes since the namespace is not easily
available everywhere we need it. For now move the untracked conntrack
initialization to the init_net setup function to make sure the reference
count is not re-initialized and handle cleanup in the init_net cleanup
function to make sure namespaces can exit properly while the untracked
conntrack is in use in other namespaces.Cc: stable@kernel.org
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
06 Feb, 2010
1 commit
-
The report descriptor is read by user space (via the Service
Discovery Protocol), so it is only available during the ioctl
to connect. However, the HID probe function that needs the
descriptor might not be called until a specific module is
loaded. Keep a copy of the descriptor so it is available for
later use.Signed-off-by: Michael Poole
Signed-off-by: Marcel Holtmann
05 Feb, 2010
2 commits
-
Add missing try_to_freeze() to one of the pktgen_thread_worker() code
paths so that it doesn't block suspend/hibernation.Fixes http://bugzilla.kernel.org/show_bug.cgi?id=15006
Signed-off-by: Rafael J. Wysocki
Reported-and-tested-by: Ciprian Dorin Craciun
Signed-off-by: David S. Miller -
This change corrects an issue that will cause false hangs when using either
82575 or 82580 in legacy interrupt mode. The issue is caused when there is
a slow traffic flow and an "ethtool -r" is executed while using legacy or
MSI interrupts. MSI-X is not affected by this issue due to the fact that
we were already reconfiguring the vectors after reset.If possible it would be best to push this for net-2.6 since it is resolving
a bug but if that is not possible then net-next-2.6 will be fine.Signed-off-by: Alexander Duyck
Signed-off-by: Jeff Kirsher
Signed-off-by: David S. Miller
04 Feb, 2010
16 commits
-
One ioctl has been forgotten when the BKL was push down into irnet_ppp
ioctl function.Signed-off-by: Thadeu Lima de Souza Cascardo
Signed-off-by: David S. Miller -
Add the missing unlock_kernel in one ioctl operation.
Signed-off-by: Thadeu Lima de Souza Cascardo
Signed-off-by: David S. Miller -
a developer had complained of getting lots of warnings:
"eth16 selects TX queue 98, but real number of TX queues is 64"
http://www.mail-archive.com/e1000-devel@lists.sourceforge.net/msg02200.html
As there was no follow up on that bug, I am submitting this
patch assuming that the other return points will not return
invalid txq's, and also that this fixes the bug (not tested).Signed-off-by: Krishna Kumar
Signed-off-by: Jesse Brandeburg
Acked-by: Peter P Waskiewicz Jr
Signed-off-by: Jeff Kirsher
Signed-off-by: David S. Miller -
Commit e5a43549f7a58509a91b299a51337d386697b92c (ixgbe: remove
skb_dma_map/unmap calls from driver) looks to have introduced a bug in
ixgbe_tx_map. If we get an error from a PCI DMA call, we loop backwards
through count until it becomes -1 and return that.The caller of ixgbe_tx_map expects 0 on error, so return that instead.
Signed-off-by: Anton Blanchard
Signed-off-by: Jeff Kirsher
Signed-off-by: David S. Miller -
o context resources can be in used, while resource cleanup is in progress,
during fw recover.
o Null pointer execption can occur in send_cmd_desc, if fw recovery
module frees tx ring without rtnl lock.
o Same applies to ethtool register dump.Signed-off-by: Amit Kumar Salecha
Signed-off-by: David S. Miller -
For NX2031, first try to scrub interrupt before requesting firmware
reset. Return statement was missing after scrubbbing interrupt.Signed-off-by: Vernon Mauery
Signed-off-by: Amit Kumar Salecha
Signed-off-by: David S. Miller -
When in sniff mode with a long interval time (1.28s) it can take 4+ seconds
to establish a SCO link. Fix by requesting active mode before requesting
SCO connection. This improves SCO setup time to ~500ms.Bluetooth headsets that use a long interval time, and exhibit the long
SCO connection time include Motorola H790, HX1 and H17. They have a
CSR 2.1 chipset.Verified this behavior and fix with host Bluetooth chipsets: BCM4329 and
TI1271.2009-10-13 14:17:46.183722 > HCI Event: Mode Change (0x14) plen 6
status 0x00 handle 1 mode 0x02 interval 2048
Mode: Sniff
2009-10-13 14:17:53.436285 < HCI Command: Setup Synchronous Connection (0x01|0x0028) plen 17
handle 1 voice setting 0x0060
2009-10-13 14:17:53.445593 > HCI Event: Command Status (0x0f) plen 4
Setup Synchronous Connection (0x01|0x0028) status 0x00 ncmd 1
2009-10-13 14:17:57.788855 > HCI Event: Synchronous Connect Complete 0x2c) plen 17
status 0x00 handle 257 bdaddr 00:1A:0E:F1:A4:7F type eSCO
Air mode: CVSDSigned-off-by: Nick Pelly
Signed-off-by: Marcel Holtmann -
Signed-off-by: Yoichi Yuasa
Signed-off-by: Marcel Holtmann -
This fixes commit (38ff3e6bb987ec583268da8eb22628293095d43b) ("dccp_probe:
Fix module load dependencies between dccp and dccp_probe", from 15 Jan).It fixes the construction of the first argument of try_then_request_module(),
where only valid return codes from the first argument should be returned.What we do now is assign the result of register_jprobe() to ret, without
the side effect of the comparison.Acked-by: Gerrit Renker
Signed-off-by: Neil Horman
Signed-off-by: David S. Miller -
This fixes a bug introduced in commit de4ef86cfce60d2250111f34f8a084e769f23b16
("dccp: fix dccp rmmod when kernel configured to use slub", 17 Jan): the
vsnprintf used sizeof(slab_name_fmt), which became truncated to 4 bytes, since
slab_name_fmt is now a 4-byte pointer and no longer a 32-character array.This lead to error messages such as
FATAL: Error inserting dccp: No buffer space available>> kernel: [ 1456.341501] kmem_cache_create: duplicate cache cci
generated due to the truncation after the 3rd character.Fixed for the moment by introducing a symbolic constant. Tested to fix the bug.
Signed-off-by: Gerrit Renker
Acked-by: Neil Horman
Signed-off-by: David S. Miller -
The book keeping structure for transmit always had the flags value
cleared so transmit DMA maps were never released correctly.
Based on patch by Jarek Poplawski, problem observed by Michael Breuer.Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller -
Netlink code does module autoload if protocol userspace is asking for is
not ready. However, module can dissapear right after it was autoloaded.
Example: modprobe/rmmod stress-testing and xfrm_user.ko providing NETLINK_XFRM.netlink_create() in such situation _will_ create userspace socket and
_will_not_ pin module. Now if module was removed and we're going to call
->netlink_rcv into nothing:BUG: unable to handle kernel paging request at ffffffffa02f842a
^^^^^^^^^^^^^^^^
modules are loaded near these addresses hereIP: [] 0xffffffffa02f842a
PGD 161f067 PUD 1623063 PMD baa12067 PTE 0
Oops: 0010 [#1] PREEMPT SMP DEBUG_PAGEALLOC
last sysfs file: /sys/devices/pci0000:00/0000:00:1f.2/host0/target0:0:0/0:0:0:0/block/sda/uevent
CPU 1
Pid: 11515, comm: ip Not tainted 2.6.33-rc5-netns-00594-gaaa5728-dirty #6 P5E/P5E
RIP: 0010:[] [] 0xffffffffa02f842a
RSP: 0018:ffff8800baa3db48 EFLAGS: 00010292
RAX: ffff8800baa3dfd8 RBX: ffff8800be353640 RCX: 0000000000000000
RDX: ffffffff81959380 RSI: ffff8800bab7f130 RDI: 0000000000000001
RBP: ffff8800baa3db58 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000011
R13: ffff8800be353640 R14: ffff8800bcdec240 R15: ffff8800bd488010
FS: 00007f93749656f0(0000) GS:ffff880002300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: ffffffffa02f842a CR3: 00000000ba82b000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process ip (pid: 11515, threadinfo ffff8800baa3c000, task ffff8800bab7eb30)
Stack:
ffffffff813637c0 ffff8800bd488000 ffff8800baa3dba8 ffffffff8136397d
0000000000000000 ffffffff81344adc 7fffffffffffffff 0000000000000000
ffff8800baa3ded8 ffff8800be353640 ffff8800bcdec240 0000000000000000
Call Trace:
[] ? netlink_unicast+0x100/0x2d0
[] netlink_unicast+0x2bd/0x2d0netlink_unicast_kernel:
nlk->netlink_rcv(skb);[] ? memcpy_fromiovec+0x6c/0x90
[] netlink_sendmsg+0x1d3/0x2d0
[] sock_sendmsg+0xbb/0xf0
[] ? __lock_acquire+0x27b/0xa60
[] ? might_fault+0x73/0xd0
[] ? might_fault+0x73/0xd0
[] ? __lock_release+0x82/0x170
[] ? might_fault+0xbe/0xd0
[] ? might_fault+0x73/0xd0
[] ? verify_iovec+0x47/0xd0
[] sys_sendmsg+0x1a9/0x360
[] ? _raw_spin_unlock_irqrestore+0x65/0x70
[] ? trace_hardirqs_on+0xd/0x10
[] ? _raw_spin_unlock_irqrestore+0x42/0x70
[] ? __up_read+0x84/0xb0
[] ? trace_hardirqs_on_caller+0x145/0x190
[] ? trace_hardirqs_on_thunk+0x3a/0x3f
[] system_call_fastpath+0x16/0x1b
Code: Bad RIP value.
RIP [] 0xffffffffa02f842a
RSP
CR2: ffffffffa02f842aIf module was quickly removed after autoloading, return -E.
Return -EPROTONOSUPPORT if module was quickly removed after autoloading.
Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller -
1. After sock_register() returns, it's possible to create sockets,
even if module still not initialized fully (blame generic module code
for that!)
2. Consequently, pfkey_create() can be called with pfkey_net_id still not
initialized which will BUG_ON in net_generic():
kernel BUG at include/net/netns/generic.h:43!
3. During netns shutdown, netns ops should be unregistered after
key manager unregistered because key manager calls can be triggered
from xfrm_user module:general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
pfkey_broadcast+0x111/0x210 [af_key]
pfkey_send_notify+0x16a/0x300 [af_key]
km_state_notify+0x41/0x70
xfrm_flush_sa+0x75/0x90 [xfrm_user]
4. Unregister netns ops after socket ops just in case and for symmetry.Reported by Luca Tettamanti.
Signed-off-by: Alexey Dobriyan
Tested-by: Luca Tettamanti
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller -
When processing a RFCOMM UA frame when the socket is closed and we were
not the RFCOMM initiator would cause rfcomm_session_put() to be called
twice during rfcomm_process_rx(). This would cause a kernel panic in
rfcomm_session_close() then.This could be easily reproduced during disconnect with devices such as
Motorola H270 that send RFCOMM UA followed quickly by L2CAP disconnect
request. This trace for this looks like:2009-09-21 17:22:37.788895 < ACL data: handle 1 flags 0x02 dlen 8
L2CAP(d): cid 0x0041 len 4 [psm 3]
RFCOMM(s): DISC: cr 0 dlci 20 pf 1 ilen 0 fcs 0x7d
2009-09-21 17:22:37.906204 > HCI Event: Number of Completed Packets (0x13) plen 5
handle 1 packets 1
2009-09-21 17:22:37.933090 > ACL data: handle 1 flags 0x02 dlen 8
L2CAP(d): cid 0x0040 len 4 [psm 3]
RFCOMM(s): UA: cr 0 dlci 20 pf 1 ilen 0 fcs 0x57
2009-09-21 17:22:38.636764 < ACL data: handle 1 flags 0x02 dlen 8
L2CAP(d): cid 0x0041 len 4 [psm 3]
RFCOMM(s): DISC: cr 0 dlci 0 pf 1 ilen 0 fcs 0x9c
2009-09-21 17:22:38.744125 > HCI Event: Number of Completed Packets (0x13) plen 5
handle 1 packets 1
2009-09-21 17:22:38.763687 > ACL data: handle 1 flags 0x02 dlen 8
L2CAP(d): cid 0x0040 len 4 [psm 3]
RFCOMM(s): UA: cr 0 dlci 0 pf 1 ilen 0 fcs 0xb6
2009-09-21 17:22:38.783554 > ACL data: handle 1 flags 0x02 dlen 12
L2CAP(s): Disconn req: dcid 0x0040 scid 0x0041Avoid calling rfcomm_session_put() twice by skipping this call
in rfcomm_recv_ua() if the socket is closed.Signed-off-by: Nick Pelly
Signed-off-by: Marcel Holtmann -
With the commit 9e726b17422bade75fba94e625cd35fd1353e682 the
rfcomm_session_put() gets accidentially called from a timeout
callback and results in this:BUG: sleeping function called from invalid context at net/core/sock.c:1897
in_atomic(): 1, irqs_disabled(): 0, pid: 0, name: swapper
Pid: 0, comm: swapper Tainted: P 2.6.32 #31
Call Trace:
[] __might_sleep+0xf8/0xfa
[] lock_sock_nested+0x29/0xc4
[] lock_sock+0xb/0xd [l2cap]
[] l2cap_sock_shutdown+0x1c/0x76 [l2cap]
[] ? clockevents_program_event+0x75/0x7e
[] ? tick_dev_program_event+0x37/0xa5
[] l2cap_sock_release+0x27/0x67 [l2cap]
[] sock_release+0x1a/0x67
[] rfcomm_session_del+0x34/0x53 [rfcomm]
[] rfcomm_session_put+0x14/0x16 [rfcomm]
[] rfcomm_session_timeout+0xe/0x1a [rfcomm]
[] run_timer_softirq+0x1e2/0x29a
[] ? rfcomm_session_timeout+0x0/0x1a [rfcomm]
[] __do_softirq+0xfe/0x1c5
[] ? timer_interrupt+0x1a/0x21
[] call_softirq+0x1c/0x28
[] do_softirq+0x33/0x6b
[] irq_exit+0x36/0x85
[] do_IRQ+0xa6/0xbd
[] ret_from_intr+0x0/0xa
[] ? acpi_idle_enter_bm+0x269/0x294
[] ? acpi_idle_enter_bm+0x25f/0x294
[] ? cpuidle_idle_call+0x97/0x107
[] ? cpu_idle+0x53/0xaa
[] ? rest_init+0x7a/0x7c
[] ? start_kernel+0x389/0x394
[] ? x86_64_start_reservations+0xac/0xb0
[] ? x86_64_start_kernel+0xe4/0xebTo fix this, the rfcomm_session_put() needs to be moved out of
rfcomm_session_timeout() into rfcomm_process_sessions(). In that
context it is perfectly fine to sleep and disconnect the socket.Signed-off-by: Marcel Holtmann
Tested-by: David John -
General Motors carkits that use LGE BT chipsets return this error code
when an eSCO is attempted, despite advertising eSCO support.2009-08-13 14:41:39.755518 < HCI Command: Setup Synchronous Connection (0x01|0x0028) plen 17
handle 1 voice setting 0x0060
2009-08-13 14:41:39.757563 > HCI Event: Command Status (0x0f) plen 4
Setup Synchronous Connection (0x01|0x0028) status 0x00 ncmd 1
2009-08-13 14:41:39.789484 > HCI Event: Synchronous Connect Complete (0x2c) plen 17
status 0x1a handle 257 bdaddr 00:1E:B2:23:5E:B3 type eSCO
Error: Unsupported Remote Feature / Unsupported LMP FeatureSigned-off-by: Jaikumar Ganesh
Signed-off-by: Nick Pelly
Signed-off-by: Marcel Holtmann
03 Feb, 2010
2 commits
-
On Tue, Feb 02, 2010 at 02:57:14PM -0800, Greg KH (gregkh@suse.de) wrote:
> > There are at least two ways to fix it: using a big cannon and a small
> > one. The former way is to disable notification registration, since it is
> > not used by anyone at all. Second way is to check whether calling
> > process is root and its destination group is -1 (kind of priveledged
> > one) before command is dispatched to workqueue.
>
> Well if no one is using it, removing it makes the most sense, right?
>
> No objection from me, care to make up a patch either way for this?Getting it is not used, let's drop support for notifications about
(un)registered events from connector.
Another option was to check credentials on receiving, but we can always
restore it without bugs if needed, but genetlink has a wider code base
and none complained, that userspace can not get notification when some
other clients were (un)registered.Kudos for Sebastian Krahmer , who found a bug in the
code.Signed-off-by: Evgeniy Polyakov
Acked-by: Greg Kroah-Hartman
Signed-off-by: David S. Miller
02 Feb, 2010
1 commit
-
cev-isr reg offset for each function is better calculated using (any) eq-id
alloted to that function instead of using pci-func number(which
does not work in some configurations...)Signed-off-by: Sathya Perla
Signed-off-by: David S. Miller
01 Feb, 2010
1 commit
30 Jan, 2010
3 commits
-
In commit 2da31939a42f7a676a0bc5155d6a0a39ed8451f2, support
for Bluetooth hid_output_raw_report was added, but it pushes
the data to the interrupt channel instead of the contol one.This patch makes hid_output_raw_report use the control channel
instead. Using the interrupt channel was a mistake.Signed-off-by: Bastien Nocera
Signed-off-by: Marcel Holtmann -
Signed-off-by: Vikram Kandukuri
Signed-off-by: Alicke Xu
Reviewed-by: Luis R. Rodriguez
Signed-off-by: Marcel Holtmann -
Commit ac019360fe3 changed the irq handler logic to BUG_ON rather than
returning IRQ_NONE when the incoming argument is invalid. While this
works in most cases, it doesn't work when the IRQ is shared with other
devices (or when DEBUG_SHIRQ is enabled).So revert the previous change and replace the warning message with a
comment explaining that we want this behavior.Signed-off-by: Michael Hennerich
Signed-off-by: Mike Frysinger
Signed-off-by: Marcel Holtmann