20 Mar, 2010
11 commits
-
mfc_parent of cache entries is used to index into the vif_table and is
initialised from mfcctl->mfcc_parent. This can take values of to 2^16-1,
while the vif_table has only MAXVIFS (32) entries. The same problem
affects ip6mr.Refuse invalid values to fix a potential out-of-bounds access. Unlike
the other validity checks, this is checked in ipmr_mfc_add() instead of
the setsockopt handler since its unused in the delete path and might be
uninitialized.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
There is no need to adjust the next rx descriptor after each packet,
so do it only once at the end of the routine.Signed-off-by: Eric Dumazet
Signed-off-by: Yegor Yefremov -
Signed-off-by: Carolyn Wyborny
Signed-off-by: Jeff Kirsher
Signed-off-by: David S. Miller -
Clean up some text output formatting.
Signed-off-by: Greg Rose
Signed-off-by: Jeff Kirsher
Signed-off-by: David S. Miller -
The recovery from PF reset works better when you shorten up the delay
until the watchdog task executes.Signed-off-by: Greg Rose
Signed-off-by: Jeff Kirsher
Signed-off-by: David S. Miller -
The counters in the 82599 Virtual Function are not clear on read. They
accumulate to the maximum value and then roll over. They are also not
cleared when the VF executes a soft reset, so it is possible they are
non-zero when the driver loads and starts. This has all been accounted
for in the code that keeps the stats up to date but there is one case
that is not. When the PF driver is reset the counters in the VF are
all reset to zero. This adds an additional accounting overhead into
the VF driver when the PF is reset under its feet. This patch adds
additional counters that are used by the VF driver to accumulate and
save stats after a PF reset has been detected. Prior to this patch
displaying the stats in the VF after the PF has reset would show
bogus data.Signed-off-by: Greg Rose
Signed-off-by: Jeff Kirsher
Signed-off-by: David S. Miller -
As per Simon Horman's feedback set IXGBE_RSC_CB(skb)->dma to zero
after unmapping HWRSC DMA address to avoid double freeing.Signed-off-by: Mallikarjuna R Chilakala
Acked-by: Peter P Waskiewicz Jr
Signed-off-by: Jeff Kirsher
Signed-off-by: David S. Miller -
Currently netdev_features_change is called before fcoe tx queues
setup is done, so this patch moves calling of netdev_features_change
after tx queues setup is done in ixgbe_init_interrupt_scheme, so
that real_num_tx_queues is updated correctly on each fcoe enable
or disable.This allows additional fcoe queues updated correctly in vlan driver
for their correct queue selection.Signed-off-by: Vasu Dev
Signed-off-by: Jeff Kirsher
Signed-off-by: David S. Miller -
This adds RFC5082 checks for TTL on received ICMP packets.
It adds some security against spoofed ICMP packets
disrupting GTSM protected sessions.Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller -
As the only path leading to ip6_dst_check makes an indirect call
through dst->ops, dst cannot be NULL in ip6_dst_check.This patch removes this check in case it misleads people who
come across this code.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller -
Xfrm_dst keeps a reference to ipv4 rtable entries on each
cached bundle. The only way to renew xfrm_dst when the underlying
route has changed, is to implement dst_check for this. This is
what ipv6 side does too.The problems started after 87c1e12b5eeb7b30b4b41291bef8e0b41fc3dde9
("ipsec: Fix bogus bundle flowi") which fixed a bug causing xfrm_dst
to not get reused, until that all lookups always generated new
xfrm_dst with new route reference and path mtu worked. But after the
fix, the old routes started to get reused even after they were expired
causing pmtu to break (well it would occationally work if the rtable
gc had run recently and marked the route obsolete causing dst_check to
get called).Signed-off-by: Timo Teras
Acked-by: Herbert Xu
Signed-off-by: David S. Miller
19 Mar, 2010
10 commits
-
TX checksum offload does not work properly when transmitting
UDP packets with 0, 1 or 2 bytes of data. This patch works
around the problem by calculating checksums for these packets
in the driver.Signed-off-by: Steve Glendinning
Signed-off-by: David S. Miller -
Advanced Power Management is disabled for 82599 KX4 connections by
clearing GRC.APME bit, causing it to not wake the system from an
improper system shutdown. By default GRC.APME is enabled and software
is not supposed to clear these settings during adapter probe.Signed-off-by: Mallikarjuna R Chilakala
Signed-off-by: Jeff Kirsher
Signed-off-by: David S. Miller -
Fix 82599 link issues during driver load and unload test using multi-speed
10G & 1G fiber modules. When connected back to back sometime 82599 multispeed
fiber modules would link at 1G speed instead of 10G highest speed, due to a
race condition in autotry process involving Tx laser flapping. Move autotry
autoneg-37 tx laser flapping process from multispeed module init setup
to driver unload. This will alert the link partner to restart its
autotry process when it tries to establish the link with the link partnerSigned-off-by: Mallikarjuna R Chilakala
Signed-off-by: Jeff Kirsher
Signed-off-by: David S. Miller -
When doing "ifenslave -d bond0 eth0", there is chance to get NULL
dereference in netif_receive_skb(), because dev->master suddenly becomes
NULL after we tested it.We should use ACCESS_ONCE() to avoid this (or rcu_dereference())
Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller -
Advance driver version number after some bug fix.
Signed-off-by: Guo-Fu Tseng
Signed-off-by: David S. Miller -
Temporary stop the RX IRQ, and disable (sync) tasklet or napi.
And restore it after finished the vlgrp pointer assignment.Signed-off-by: Guo-Fu Tseng
Cc: stable@kernel.org
Signed-off-by: David S. Miller -
Fix memory leak while receiving 8021q tagged packet which is not
registered by user.Signed-off-by: Guo-Fu Tseng
Cc: stable@kernel.org
Signed-off-by: David S. Miller -
Kernel NULL pointer dereference when setting mode for IFF_MULTICAST.
Tested on SDP OMAP4430 board.ks8851 spi1.0: message enable is 0
ks8851 spi1.0: revision 0, MAC f2:f4:2f:56:37:de, IRQ 194
Unable to handle kernel NULL pointer dereference at virtual address 00000000
pgd = c0004000
[00000000] *pgd=00000000
Internal error: Oops: 5 [#1] PREEMPT SMP
last sysfs file:
Modules linked in:
CPU: 0 Not tainted (2.6.34-rc1-01039-g38d7ed1-dirty #3)
PC is at ks8851_set_rx_mode+0x88/0x124
LR is at bitrev32+0x24/0x2cBacktrace:
[] ? (ks8851_set_rx_mode+0x0/0x124)
[] (__dev_set_rx_mode+0x0/0x90)
[] (dev_mc_add+0x0/0x78)
[] (igmp_group_added+0x0/0x64)
[] (ip_mc_inc_group+0x0/0x150)
[] (ip_mc_up+0x0/0x64)
[] (inetdev_event+0x0/0x3d4)
[] (notifier_call_chain+0x0/0x78)
[] (__raw_notifier_call_chain+0x0/0x24)
[] (raw_notifier_call_chain+0x0/0x28)
[] (call_netdevice_notifiers+0x0/0x24)
[] (__dev_notify_flags+0x0/0x68)
[] (dev_change_flags+0x0/0x4c)
[] (ip_auto_config+0x0/0xf1c)
[] (do_one_initcall+0x0/0x1bc)
[] (kernel_init+0x0/0x234)
Code: e15130bc e1833012 e14130bc e5943000 (e5934000)
---[ end trace ed0fb00a94142792 ]---
Kernel panic - not syncing: Fatal exception in interruptSigned-off-by: Abraham Arce
Signed-off-by: David S. Miller -
From: Alexandra.Kossovsky@oktetlabs.ru
Fixes kernel bugzilla #15541
Signed-off-by: David S. Miller
18 Mar, 2010
1 commit
-
Update the dummy LL interface to the LL interface change
introduced by commit daab433c03c15fd642c71c94eb51bdd3f32602c8.
This fixes the build failure occurring after that commit when
enabling ISDN_DRV_GIGASET but neither ISDN_I4L nor ISDN_CAPI.Impact: bugfix
Signed-off-by: Tilman Schmidt
Signed-off-by: David S. Miller
17 Mar, 2010
17 commits
-
Otherwise we get a warning from the call in br_forward().
Signed-off-by: David S. Miller
-
Without CONFIG_BRIDGE_IGMP_SNOOPING,
BR_INPUT_SKB_CB(skb)->mrouters_only is not appropriately
initialized, so we can see garbage.A clear option to fix this is to set it even without that
config, but we cannot optimize out the branch.Let's introduce a macro that returns value of mrouters_only
and let it return 0 without CONFIG_BRIDGE_IGMP_SNOOPING.Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller -
route: Fix caught BUG_ON during rt_secret_rebuild_oneshot()
Call rt_secret_rebuild can cause BUG_ON(timer_pending(&net->ipv4.rt_secret_timer)) in
add_timer as there is not any synchronization for call rt_secret_rebuild_oneshot()
for the same net namespace.Also this issue affects to rt_secret_reschedule().
Thus use mod_timer enstead.
Signed-off-by: Vitaliy Gusev
Acked-by: Neil Horman
Signed-off-by: David S. Miller -
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller -
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: David S. Miller -
Stanse found that one error path in netpoll_setup dereferences npinfo
even though it is NULL. Avoid that by adding new label and go to that
instead.Signed-off-by: Jiri Slaby
Cc: Daniel Borkmann
Cc: David S. Miller
Acked-by: chavey@google.com
Acked-by: Matt Mackall
Signed-off-by: David S. Miller -
So in the forward porting of various tipc packages, I was constantly
getting this lockdep warning everytime I used tipc-config to set a network
address for the protocol:[ INFO: possible circular locking dependency detected ]
2.6.33 #1
tipc-config/1326 is trying to acquire lock:
(ref_table_lock){+.-...}, at: [] tipc_ref_discard+0x53/0xd4 [tipc]but task is already holding lock:
(&(&entry->lock)->rlock#2){+.-...}, at: [] tipc_ref_lock+0x43/0x63 [tipc]which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (&(&entry->lock)->rlock#2){+.-...}:
[] __lock_acquire+0xb67/0xd0f
[] lock_acquire+0xdc/0x102
[] _raw_spin_lock_bh+0x3b/0x6e
[] tipc_ref_acquire+0xe8/0x11b [tipc]
[] tipc_createport_raw+0x78/0x1b9 [tipc]
[] tipc_createport+0x8b/0x125 [tipc]
[] tipc_subscr_start+0xce/0x126 [tipc]
[] process_signal_queue+0x47/0x7d [tipc]
[] tasklet_action+0x8c/0xf4
[] __do_softirq+0xf8/0x1cd
[] call_softirq+0x1c/0x30
[] _local_bh_enable_ip+0xb8/0xd7
[] local_bh_enable_ip+0xe/0x10
[] _raw_spin_unlock_bh+0x34/0x39
[] spin_unlock_bh.clone.0+0x15/0x17 [tipc]
[] tipc_k_signal+0x8d/0xb1 [tipc]
[] tipc_core_start+0x8a/0xad [tipc]
[] 0xffffffffa01b1087
[] do_one_initcall+0x72/0x18a
[] sys_init_module+0xd8/0x23a
[] system_call_fastpath+0x16/0x1b-> #0 (ref_table_lock){+.-...}:
[] __lock_acquire+0xa11/0xd0f
[] lock_acquire+0xdc/0x102
[] _raw_write_lock_bh+0x3b/0x6e
[] tipc_ref_discard+0x53/0xd4 [tipc]
[] tipc_deleteport+0x40/0x119 [tipc]
[] release+0xeb/0x137 [tipc]
[] sock_release+0x1f/0x6f
[] sock_close+0x27/0x2b
[] __fput+0x12a/0x1df
[] fput+0x1a/0x1c
[] filp_close+0x68/0x72
[] sys_close+0xad/0xe7
[] system_call_fastpath+0x16/0x1bFinally decided I should fix this. Its a straightforward inversion,
tipc_ref_acquire takes two locks in this order:
ref_table_lock
entry->lockwhile tipc_deleteport takes them in this order:
entry->lock (via tipc_port_lock())
ref_table_lock (via tipc_ref_discard())when the same entry is referenced, we get the above warning. The fix is equally
straightforward. Theres no real relation between the entry->lock and the
ref_table_lock (they just are needed at the same time), so move the entry->lock
aquisition in tipc_ref_acquire down, after we unlock ref_table_lock (this is
safe since the ref_table_lock guards changes to the reference table, and we've
already claimed a slot there. I've tested the below fix and confirmed that it
clears up the lockdep issueSigned-off-by: Neil Horman
CC: Allan Stephens
Signed-off-by: David S. Miller -
This patch fixes UDP socket refcnt bugs in the pppol2tp driver.
A bug can cause a kernel stack trace when a tunnel socket is closed.
A way to reproduce the issue is to prepare the UDP socket for L2TP (by
opening a tunnel pppol2tp socket) and then close it before any L2TP
sessions are added to it. The sequence isCreate UDP socket
Create tunnel pppol2tp socket to prepare UDP socket for L2TP
pppol2tp_connect: session_id=0, peer_session_id=0
L2TP SCCRP control frame received (tunnel_id==0)
pppol2tp_recv_core: sock_hold()
pppol2tp_recv_core: sock_put
L2TP ZLB control frame received (tunnel_id=nnn)
pppol2tp_recv_core: sock_hold()
pppol2tp_recv_core: sock_put
Close tunnel management socket
pppol2tp_release: session_id=0, peer_session_id=0
Close UDP socket
udp_lib_close: BUGThe addition of sock_hold() in pppol2tp_connect() solves the problem.
For data frames, two sock_put() calls were added to plug a refcnt leak
per received data frame. The ref that is grabbed at the top of
pppol2tp_recv_core() must always be released, but this wasn't done for
accepted data frames or data frames discarded because of bad UDP
checksums. This leak meant that any UDP socket that had passed L2TP
data traffic (i.e. L2TP data frames, not just L2TP control frames)
using pppol2tp would not be released by the kernel.WARNING: at include/net/sock.h:435 udp_lib_unhash+0x117/0x120()
Pid: 1086, comm: openl2tpd Not tainted 2.6.33-rc1 #8
Call Trace:
[] ? udp_lib_unhash+0x117/0x120
[] ? warn_slowpath_common+0x71/0xd0
[] ? udp_lib_unhash+0x117/0x120
[] ? warn_slowpath_null+0x13/0x20
[] ? udp_lib_unhash+0x117/0x120
[] ? sk_common_release+0x17/0x90
[] ? inet_release+0x33/0x60
[] ? sock_release+0x10/0x60
[] ? sock_close+0xf/0x30
[] ? __fput+0x52/0x150
[] ? filp_close+0x3e/0x70
[] ? put_files_struct+0x62/0xb0
[] ? do_exit+0x5e7/0x650
[] ? mntput_no_expire+0x13/0x70
[] ? filp_close+0x3e/0x70
[] ? do_group_exit+0x2a/0x70
[] ? sys_exit_group+0x11/0x20
[] ? sysenter_do_call+0x12/0x26Signed-off-by: James Chapman
Signed-off-by: David S. Miller -
This patch ensures the PHY correctly completes its reset before
setting register values.Signed-off-by: Steve Glendinning
Signed-off-by: David S. Miller -
When transmitting L2TP frames, we derive the outgoing interface's UDP
checksum hardware assist capabilities from the tunnel dst dev. This
can sometimes be NULL, especially when routing protocols are used and
routing changes occur. This patch just checks for NULL dst or dev
pointers when checking for netdev hardware assist features.BUG: unable to handle kernel NULL pointer dereference at 0000000c
IP: [] pppol2tp_xmit+0x341/0x4da [pppol2tp]
*pde = 00000000
Oops: 0000 [#1] SMP
last sysfs file: /sys/class/net/lo/operstate
Modules linked in: pppol2tp pppox ppp_generic slhc ipv6 dummy loop snd_hda_codec_atihdmi snd_hda_intel snd_hda_codec snd_pcm snd_timer snd soundcore snd_page_alloc evdev psmouse serio_raw processor button i2c_piix4 i2c_core ati_agp agpgart pcspkr ext3 jbd mbcache sd_mod ide_pci_generic atiixp ide_core ahci ata_generic floppy ehci_hcd ohci_hcd libata e1000e scsi_mod usbcore nls_base thermal fan thermal_sys [last unloaded: scsi_wait_scan]Pid: 0, comm: swapper Not tainted (2.6.32.8 #1)
EIP: 0060:[] EFLAGS: 00010297 CPU: 3
EIP is at pppol2tp_xmit+0x341/0x4da [pppol2tp]
EAX: 00000000 EBX: f64d1680 ECX: 000005b9 EDX: 00000000
ESI: f6b91850 EDI: f64d16ac EBP: f6a0c4c0 ESP: f70a9cac
DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
Process swapper (pid: 0, ti=f70a8000 task=f70a31c0 task.ti=f70a8000)
Stack:
000005a9 000005b9 f734c400 f66652c0 f7352e00 f67dc800 00000000 f6b91800
000005a3 f70ef6c4 f67dcda9 000005a3 f89b192e 00000246 000005a3 f64d1680
f63633e0 f6363320 f64d1680 f65a7320 f65a7364 f65856c0 f64d1680 f679f02f
Call Trace:
[] ? ppp_push+0x459/0x50e [ppp_generic]
[] ? ppp_xmit_process+0x3b6/0x430 [ppp_generic]
[] ? ppp_start_xmit+0x10d/0x120 [ppp_generic]
[] ? dev_hard_start_xmit+0x21f/0x2b2
[] ? sch_direct_xmit+0x48/0x10e
[] ? dev_queue_xmit+0x263/0x3a6
[] ? ip_finish_output+0x1f7/0x221
[] ? ip_forward_finish+0x2e/0x30
[] ? ip_rcv_finish+0x295/0x2a9
[] ? netif_receive_skb+0x3e9/0x404
[] ? e1000_clean_rx_irq+0x253/0x2fc [e1000e]
[] ? e1000_clean+0x63/0x1fc [e1000e]
[] ? sched_clock_local+0x15/0x11b
[] ? net_rx_action+0x96/0x195
[] ? __do_softirq+0xaa/0x151
[] ? do_softirq+0x31/0x3c
[] ? irq_exit+0x26/0x58
[] ? do_IRQ+0x78/0x89
[] ? common_interrupt+0x29/0x30
[] ? native_safe_halt+0x2/0x3
[] ? default_idle+0x55/0x75
[] ? c1e_idle+0xd2/0xd5
[] ? cpu_idle+0x46/0x62
Code: 8d 45 08 f0 ff 45 08 89 6b 08 c7 43 68 7e fb 9c f8 8a 45 24 83 e0 0c 3c 04 75 09 80 63 64 f3 e9 b4 00 00 00 8b 43 18 8b 4c 24 04 40 0c 8d 79 11 f6 40 44 0e 8a 43 64 75 51 6a 00 8b 4c 24 08
EIP: [] pppol2tp_xmit+0x341/0x4da [pppol2tp] SS:ESP 0068:f70a9cac
CR2: 000000000000000cSigned-off-by: James Chapman
Signed-off-by: David S. Miller -
This patch adds a driver for SMSC's LAN7500 family of USB 2.0
to gigabit ethernet adapters. It's loosely based on the smsc95xx
driver but the device registers for LAN7500 are completely different.Signed-off-by: Steve Glendinning
Signed-off-by: David S. Miller -
This patch fixes following warning introduced by commit
12bac0d9f4dbf3445a0319beee848d15fa32775e ("proc: warn on non-existing
proc entries"):WARNING: at /work/mips-linux/make/linux/fs/proc/generic.c:316 __xlate_proc_name+0xe0/0xe8()
name 'RBHMA4X00/RTL8019'Signed-off-by: Atsushi Nemoto
Signed-off-by: David S. Miller -
Stanse found that one error path (when alloc_skb fails) in netdev_tx
omits to unlock hw_priv->hwlock. Fix that.Signed-off-by: Jiri Slaby
Cc: Tristram Ha
Cc: David S. Miller
Signed-off-by: David S. Miller -
Correct a potential array overrun due to an off by one error in the
range check on the CAPI CONNECT_REQ CIPValue parameter.
Found and reported by Dan Carpenter using smatch.Impact: bugfix
Signed-off-by: Tilman Schmidt
Signed-off-by: David S. Miller -
Commit a239a8b47cc0e5e6d7416a89f340beac06d5edaa introduced a
noisy message, that fills up the log very fast.The error seems not to be fatal (the connection is stable and
performance is ok), so make it IWL_DEBUG_TX rather than IWL_ERR.Signed-off-by: Adel Gadllah
Cc: stable@kernel.org
Acked-by: Reinette Chatre
Signed-off-by: John W. Linville -
When I initially stumbled upon sequence number problems with PAE frames
in ath9k, I submitted a patch to remove all special cases for PAE
frames and let them go through the normal transmit path.
Out of concern about crypto incompatibility issues, this change was
merged instead:commit 6c8afef551fef87a3bf24f8a74c69a7f2f72fc82
Author: Sujith
Date: Tue Feb 9 10:07:00 2010 +0530ath9k: Fix sequence numbers for PAE frames
After a lot of testing, I'm able to reliably trigger a driver crash on
rekeying with current versions with this change in place.
It seems that the driver does not support sending out regular MPDUs with
the same TID while an A-MPDU session is active.
This leads to duplicate entries in the TID Tx buffer, which hits the
following BUG_ON in ath_tx_addto_baw():index = ATH_BA_INDEX(tid->seq_start, bf->bf_seqno);
cindex = (tid->baw_head + index) & (ATH_TID_MAX_BUFS - 1);BUG_ON(tid->tx_buf[cindex] != NULL);
I believe until we actually have a reproducible case of an
incompatibility with another AP using no PAE special cases, we should
simply get rid of this mess.This patch completely fixes my crash issues in STA mode and makes it
stay connected without throughput drops or connectivity issues even
when the AP is configured to a very short group rekey interval.Signed-off-by: Felix Fietkau
Cc: stable@kernel.org
Signed-off-by: John W. Linville -
In case debugfs does not init for some reason (or is disabled
on older kernels) driver does not allocate stats.fw_stats
structure, but tries to clear it later and trips on a NULL
pointer:Unable to handle kernel NULL pointer dereference at virtual address
00000000
PC is at __memzero+0x24/0x80
Backtrace:
[] (wl1251_debugfs_reset+0x0/0x30 [wl1251])
[] (wl1251_op_stop+0x0/0x12c [wl1251])
[] (ieee80211_stop_device+0x0/0x74 [mac80211])
[] (ieee80211_stop+0x0/0x4ac [mac80211])
[] (dev_close+0x0/0xb4)
[] (dev_change_flags+0x0/0x184)
[] (devinet_ioctl+0x0/0x704)
[] (inet_ioctl+0x0/0x100)Add a NULL pointer check to fix this.
Signed-off-by: Grazvydas Ignotas
Acked-by: Kalle Valo
Cc: stable@kernel.org
Signed-off-by: John W. Linville
16 Mar, 2010
1 commit
-
From: Michael Braun
bridge: Fix br_forward crash in promiscuous mode
It's a linux-next kernel from 2010-03-12 on an x86 system and it
OOPs in the bridge module in br_pass_frame_up (called by
br_handle_frame_finish) because brdev cannot be dereferenced (its set to
a non-null value).Adding some BUG_ON statements revealed that
BR_INPUT_SKB_CB(skb)->brdev == br-dev
(as set in br_handle_frame_finish first)
only holds until br_forward is called.
The next call to br_pass_frame_up then fails.Digging deeper it seems that br_forward either frees the skb or passes
it to NF_HOOK which will in turn take care of freeing the skb. The
same is holds for br_pass_frame_ip. So it seems as if two independent
skb allocations are required. As far as I can see, commit
b33084be192ee1e347d98bb5c9e38a53d98d35e2 ("bridge: Avoid unnecessary
clone on forward path") removed skb duplication and so likely causes
this crash. This crash does not happen on 2.6.33.I've therefore modified br_forward the same way br_flood has been
modified so that the skb is not freed if skb0 is going to be used
and I can confirm that the attached patch resolves the issue for me.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
