06 Sep, 2008

1 commit

  • This reverts commit 087d833e5a9f67ba933cb32eaf5a2279c1a5b47c, which was
    reported to break wireless at least in some combinations with 32bit user
    space and a 64bit kernel. Alex Williamson bisected it to this commit.

    Reported-and-bisected-by: Alex Williamson
    Acked-by: John W. Linville
    Cc: David Miller
    Cc: Jouni Malinen
    Signed-off-by: Linus Torvalds

    Linus Torvalds
     

04 Sep, 2008

1 commit

  • * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
    bnx2x: Accessing un-mapped page
    ath9k: Fix TX control flag use for no ACK and RTS/CTS
    ath9k: Fix TX status reporting
    iwlwifi: fix STATUS_EXIT_PENDING is not set on pci_remove
    iwlwifi: call apm stop on exit
    iwlwifi: fix Tx cmd memory allocation failure handling
    iwlwifi: fix rx_chain computation
    iwlwifi: fix station mimo power save values
    iwlwifi: remove false rxon if rx chain changes
    iwlwifi: fix hidden ssid discovery in passive channels
    iwlwifi: W/A for the TSF correction in IBSS
    netxen: Remove workaround for chipset quirk
    pcnet-cs, axnet_cs: add new IDs, remove dup ID with less info
    ixgbe: initialize interrupt throttle rate
    net/usb/pegasus: avoid hundreds of diagnostics
    tipc: Don't use structure names which easily globally conflict.

    Linus Torvalds
     

03 Sep, 2008

8 commits

  • Andrew Morton reported a build failure on sparc32, because TIPC
    uses names like "struct node" and there is a like named data
    structure defined in linux/node.h

    This just regexp replaces "struct node*" to "struct tipc_node*"
    to avoid this and any future similar problems.

    Signed-off-by: David S. Miller

    David S. Miller
     
  • * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
    ipsec: Fix deadlock in xfrm_state management.
    ipv: Re-enable IP when MTU > 68
    net/xfrm: Use an IS_ERR test rather than a NULL test
    ath9: Fix ath_rx_flush_tid() for IRQs disabled kernel warning message.
    ath9k: Incorrect key used when group and pairwise ciphers are different.
    rt2x00: Compiler warning unmasked by fix of BUILD_BUG_ON
    mac80211: Fix debugfs union misuse and pointer corruption
    wireless/libertas/if_cs.c: fix memory leaks
    orinoco: Multicast to the specified addresses
    iwlwifi: fix 64bit platform firmware loading
    iwlwifi: fix apm_stop (wrong bit polarity for FLAG_INIT_DONE)
    iwlwifi: workaround interrupt handling no some platforms
    iwlwifi: do not use GFP_DMA in iwl_tx_queue_init
    net/wireless/Kconfig: clarify the description for CONFIG_WIRELESS_EXT_SYSFS
    net: Unbreak userspace usage of linux/mroute.h
    pkt_sched: Fix locking of qdisc_root with qdisc_root_sleeping_lock()
    ipv6: When we droped a packet, we should return NET_RX_DROP instead of 0

    Linus Torvalds
     
  • Ever since commit 4c563f7669c10a12354b72b518c2287ffc6ebfb3
    ("[XFRM]: Speed up xfrm_policy and xfrm_state walking") it is
    illegal to call __xfrm_state_destroy (and thus xfrm_state_put())
    with xfrm_state_lock held. If we do, we'll deadlock since we
    have the lock already and __xfrm_state_destroy() tries to take
    it again.

    Fix this by pushing the xfrm_state_put() calls after the lock
    is dropped.

    Signed-off-by: David S. Miller

    David S. Miller
     
  • Re-enable IP when the MTU gets back to a valid size.

    This patch just checks if the in_dev is NULL on a NETDEV_CHANGEMTU event
    and if MTU is valid (bigger than 68), then re-enable in_dev.

    Also a function that checks valid MTU size was created.

    Signed-off-by: Breno Leitao
    Signed-off-by: David S. Miller

    Breno Leitao
     
  • In case of error, the function xfrm_bundle_create returns an ERR
    pointer, but never returns a NULL pointer. So a NULL test that comes
    after an IS_ERR test should be deleted.

    The semantic match that finds this problem is as follows:
    (http://www.emn.fr/x-info/coccinelle/)

    //
    @match_bad_null_test@
    expression x, E;
    statement S1,S2;
    @@
    x = xfrm_bundle_create(...)
    ... when != x = E
    * if (x != NULL)
    S1 else S2
    //

    Signed-off-by: Julien Brunel
    Signed-off-by: Julia Lawall
    Signed-off-by: David S. Miller

    Julien Brunel
     
  • debugfs union in struct ieee80211_sub_if_data is misused by including a
    common default_key dentry as a union member. This ends up occupying the same
    memory area with the first dentry in other union members (structures;
    usually drop_unencrypted). Consequently, debugfs operations on
    default_key symlinks and drop_unencrypted entry are using the same
    dentry pointer even though they are supposed to be separate ones. This
    can lead to removing entries incorrectly or potentially leaving
    something behind since one of the dentry pointers gets lost.

    Fix this by moving the default_key dentry to a new struct
    (common_debugfs) that contains dentries (more to be added in future)
    that are shared by all vif types. The debugfs union must only be used
    for vif type-specific entries to avoid this type of pointer corruption.

    Signed-off-by: Jouni Malinen
    Acked-by: Johannes Berg
    Signed-off-by: John W. Linville

    Jouni Malinen
     
  • Current setup with hal and NetworkManager will fail to work
    without newest hal version with this config option disabled.

    Although this will solve itself by time, at the moment it is
    dishonest to say that we don't know any software that uses it,
    if there are many many people relying on old hal versions.

    Signed-off-by: Florian Mickler
    Signed-off-by: John W. Linville

    Florian Mickler
     
  • * 'for-2.6.27' of git://linux-nfs.org/~bfields/linux:
    nfsd: fix buffer overrun decoding NFSv4 acl
    sunrpc: fix possible overrun on read of /proc/sys/sunrpc/transports
    nfsd: fix compound state allocation error handling
    svcrdma: Fix race between svc_rdma_recvfrom thread and the dto_tasklet

    Linus Torvalds
     

02 Sep, 2008

1 commit

  • Vegard Nossum reported
    ----------------------
    > I noticed that something weird is going on with /proc/sys/sunrpc/transports.
    > This file is generated in net/sunrpc/sysctl.c, function proc_do_xprt(). When
    > I "cat" this file, I get the expected output:
    > $ cat /proc/sys/sunrpc/transports
    > tcp 1048576
    > udp 32768

    > But I think that it does not check the length of the buffer supplied by
    > userspace to read(). With my original program, I found that the stack was
    > being overwritten by the characters above, even when the length given to
    > read() was just 1.

    David Wagner added (among other things) that copy_to_user could
    probably be used here.

    Ingo Oeser suggested to use simple_read_from_buffer() here.

    The conclusion is that proc_do_xprt doesn't check for userside buffer
    size indeed so fix this by using Ingo's suggestion.

    Reported-by: Vegard Nossum
    Signed-off-by: Cyrill Gorcunov
    CC: Ingo Oeser
    Cc: Neil Brown
    Cc: Chuck Lever
    Cc: Greg Banks
    Cc: Tom Tucker
    Signed-off-by: J. Bruce Fields

    Cyrill Gorcunov
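
Added example, not part of the commit or of the kernel source: a user-space C model of the missing length check described in the commit message above, next to the clamping that a helper such as simple_read_from_buffer() performs. The names unchecked_read, bounded_read and touched are hypothetical, and the sample text is the two lines quoted in the report.

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>

/* Constructed sample: the two lines the report shows for the proc file. */
static const char transports[] = "tcp 1048576\nudp 32768\n";
#define AVAILABLE (sizeof(transports) - 1)

/* Model of the reported bug: the reader's count never reaches the copy. */
static ssize_t unchecked_read(char *to)
{
    memcpy(to, transports, AVAILABLE);
    return (ssize_t)AVAILABLE;
}

/* Model of the clamp a helper like simple_read_from_buffer() applies:
 * honour the file position and never write more than count bytes. */
static ssize_t bounded_read(char *to, size_t count, off_t *ppos)
{
    off_t pos = *ppos;

    if (pos < 0)
        return -EINVAL;
    if ((size_t)pos >= AVAILABLE || count == 0)
        return 0;                       /* nothing left, or nothing asked for */
    if (count > AVAILABLE - (size_t)pos)
        count = AVAILABLE - (size_t)pos;
    memcpy(to, transports + pos, count);
    *ppos = pos + (off_t)count;
    return (ssize_t)count;
}

/* Bytes changed in a 64-byte sentinel-filled buffer by one read(count). */
static size_t touched(int bounded, size_t count)
{
    char buf[64];
    size_t i, n = 0;
    off_t pos = 0;

    memset(buf, 'Z', sizeof(buf));
    if (bounded)
        bounded_read(buf, count, &pos);
    else
        unchecked_read(buf);            /* count is ignored, as in the report */
    for (i = 0; i < sizeof(buf); i++)
        n += (buf[i] != 'Z');
    return n;
}

int main(void)
{
    /* Exit status 0 when a 1-byte bounded read changes exactly 1 byte. */
    return touched(1, 1) == 1 ? 0 : 1;
}
```

With a requested length of 1, the unchecked model changes all 22 bytes of the destination while the bounded model changes one.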
     

30 Aug, 2008

2 commits


28 Aug, 2008

2 commits


27 Aug, 2008

12 commits

  • David S. Miller
     
  • vpnc on today's kernel says Cannot open "/proc/sys/net/ipv4/route/flush":
    d--------- 0 root root 0 2008-08-26 11:32 /proc/sys/net/ipv4/route
    d--------- 0 root root 0 2008-08-26 19:16 /proc/sys/net/ipv4/neigh

    Signed-off-by: Hugh Dickins
    Acked-by: Al Viro
    Signed-off-by: David S. Miller

    Hugh Dickins
     
  • The size of the TCP header is miscalculated when the window scale ends
    up being 0. Additionally, this can be induced by sending a SYN to a
    passive open port with a window scale option with value 0.

    Signed-off-by: Philip Love
    Signed-off-by: Adam Langley
    Signed-off-by: David S. Miller

    Philip Love
     
  • While passing a qdisc root lock to gen_new_estimator() and
    gen_replace_estimator() dev could be deactivated or even before
    grafting proper root qdisc as qdisc_sleeping (e.g. qdisc_create), so
    using qdisc_root_lock() is not enough. This patch adds
    qdisc_root_sleeping_lock() for this, plus additional checks, where
    necessary.

    Signed-off-by: Jarek Poplawski
    Signed-off-by: David S. Miller

    Jarek Poplawski
     
  • These pointers are RCU protected, so proper primitives should be used.

    Signed-off-by: Jarek Poplawski
    Signed-off-by: David S. Miller

    Jarek Poplawski
     
  • During dev_graft_qdisc() dev is deactivated, so qdisc_root_lock()
    returns wrong lock of noop_qdisc instead of qdisc_sleeping.

    Signed-off-by: Jarek Poplawski
    Acked-by: Herbert Xu
    Signed-off-by: David S. Miller

    Jarek Poplawski
     
  • It seems obvious that this #ifndef should be the opposite polarity...

    Signed-off-by: John W. Linville

    John W. Linville
     
  • The association request includes a list of supported data rates.

    802.11b: 4 supported rates.
    802.11g: 12 (8 + 4) supported rates.
    802.11a: 8 supported rates.

    The rates tag of the assoc request has room for only 8 rates. In case of
    802.11g an extended rate tag is appended. However in net/wireless/mlme.c
    an extended (empty) rate tag is also appended if the number of rates is
    exactly 8. This empty (length=0) extended rates tag causes some APs to
    deny association with code 18 (unsupported rates). These APs include my
    ZyXEL G-570U, and according to Tomas Winkler some Cisco APs.

    'If count == 8' has been used to check for the need for an extended rates
    tag. But count would also be equal to 8 if the for loop exited because of
    no more supported rates. Therefore a check for count being less than
    rates_len would seem more correct.

    Thanks to:
    * Dan Williams for newbie guidance
    * Tomas Winkler for confirming the problem

    Signed-off-by: Jan-Espen Pettersen
    Signed-off-by: John W. Linville

    Jan-Espen Pettersen
     
  • Previous version was using incorrect union structures for non-AP
    interfaces when adding and removing max_ratectrl_rateidx and
    force_unicast_rateidx entries. Depending on the vif type, this ended
    up in corrupting debugfs entries since the dentries inside different
    union structures ended up being on top of each other. As the
    end result, debugfs files were being left behind with references to
    freed data (instant kernel oops on access) and directories were not
    removed properly when unloading mac80211 drivers. This patch fixes
    those issues by using only a single union structure based on the vif
    type.

    Signed-off-by: Jouni Malinen
    Signed-off-by: John W. Linville

    Jouni Malinen
     
  • In the function mesh_table_grow, it is the new table not the argument table
    that should be freed if the function fails (cf commit
    bd9b448f4c0a514559bdae4ca18ca3e8cd999c6d)

    The semantic match that detects this problem is as follows:
    (http://www.emn.fr/x-info/coccinelle/)

    //
    @r exists@
    local idexpression x;
    expression E,f;
    position p1,p2,p3;
    identifier l;
    statement S;
    @@

    x = mesh_table_alloc@p1(...)
    ...
    if (x == NULL) S
    ... when != E = x
    when != mesh_table_free(x)
    goto@p2 l;
    ... when != E = x
    when != f(...,x,...)
    when any
    (
    return \(0\|x\);
    |
    return@p3 ...;
    )

    @script:python@
    p1 << r.p1;
    p2 << r.p2;
    p3 << r.p3;
    @@

    print "%s: call on line %s not freed or saved before return on line %s via line %s" % (p1[0].file,p1[0].line,p3[0].line,p2[0].line)
    //

    Signed-off-by: Julia Lawall
    Signed-off-by: John W. Linville

    Julia Lawall
     
  • The previous code was using IWEVCUSTOM to report IEs from AssocReq and
    AssocResp frames into user space. This can easily hit the 256 byte
    limit (IW_CUSTOM_MAX) with APs that include a number of vendor IEs in
    AssocResp. This results in the event message not being sent and dmesg
    showing "wlan0 (WE) : Wireless Event too big (366)" type of errors.

    Convert mac80211 to use IWEVASSOCREQIE/IWEVASSOCRESPIE to avoid the
    issue of being unable to send association IEs as wireless events. These
    newer event types use binary encoding and larger maximum size
    (IW_GENERIC_IE_MAX = 1024), so the likelihood of not being able to send
    the IEs is much smaller than with IWEVCUSTOM. As an extra benefit, the
    code is also quite a bit simpler since there is no need to allocate an
    extra buffer for hex encoding.

    Signed-off-by: Jouni Malinen
    Signed-off-by: John W. Linville

    Jouni Malinen
     
  • Trivial patch adding a missing line break on
    rfkill_claim_show().

    Signed-off-by: Felipe Balbi
    Acked-by: Ivo van Doorn
    Signed-off-by: John W. Linville

    Felipe Balbi
     

26 Aug, 2008

3 commits


23 Aug, 2008

2 commits

  • This fixes a problem spotted with zebra, but not sure if it is
    necessarily a kernel problem. With IPV6 when an address is added to an
    interface, Zebra creates a duplicate RIB entry, one as a connected
    route, and other as a kernel route.

    When an address is added to an interface the RTN_NEWADDR message
    causes Zebra to create a connected route. In IPV4 when an address is
    added to an interface a RTN_NEWROUTE message is sent to user space with
    the protocol RTPROT_KERNEL. Zebra ignores these messages, because it
    already has the connected route.

    The problem is that route created in IPV6 has route protocol ==
    RTPROT_BOOT. Was this a design decision or a bug? This fixes it. Same
    patch applies to both net-2.6 and stable.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: David S. Miller

    Stephen Hemminger
     
  • Pass namespace into icmp_xmit_lock, obtain socket inside and return
    it as a result for caller.

    Thanks Alexey Dobriyan for this report:

    Steps to reproduce:

    CONFIG_PREEMPT=y
    CONFIG_DEBUG_PREEMPT=y
    tracepath

    BUG: using smp_processor_id() in preemptible [00000000] code: tracepath/3205
    caller is icmp_sk+0x15/0x30
    Pid: 3205, comm: tracepath Not tainted 2.6.27-rc4 #1

    Call Trace:
    [] debug_smp_processor_id+0xe4/0xf0
    [] icmp_sk+0x15/0x30
    [] icmp_send+0x4b/0x3f0
    [] ? trace_hardirqs_on_caller+0xd5/0x160
    [] ? trace_hardirqs_on+0xd/0x10
    [] ? local_bh_enable_ip+0x95/0x110
    [] ? _spin_unlock_bh+0x39/0x40
    [] ? mark_held_locks+0x4c/0x90
    [] ? trace_hardirqs_on+0xd/0x10
    [] ? trace_hardirqs_on_caller+0xd5/0x160
    [] ip_fragment+0x8d4/0x900
    [] ? ip_finish_output2+0x0/0x290
    [] ? ip_finish_output+0x0/0x60
    [] ? dst_output+0x0/0x10
    [] ip_finish_output+0x4c/0x60
    [] ip_output+0xa3/0xf0
    [] ip_local_out+0x20/0x30
    [] ip_push_pending_frames+0x27f/0x400
    [] udp_push_pending_frames+0x233/0x3d0
    [] udp_sendmsg+0x321/0x6f0
    [] inet_sendmsg+0x45/0x80
    [] sock_sendmsg+0xdf/0x110
    [] ? autoremove_wake_function+0x0/0x40
    [] ? validate_chain+0x415/0x1010
    [] ? __do_fault+0x140/0x450
    [] ? __lock_acquire+0x260/0x590
    [] ? sockfd_lookup_light+0x45/0x80
    [] sys_sendto+0xea/0x120
    [] ? _spin_unlock_irqrestore+0x42/0x80
    [] ? __up_read+0x4c/0xb0
    [] ? up_read+0x26/0x30
    [] system_call_fastpath+0x16/0x1b

    icmp6_sk() is similar.

    Signed-off-by: Denis V. Lunev
    Signed-off-by: David S. Miller

    Denis V. Lunev
     

22 Aug, 2008

1 commit

  • Since some qdiscs call qdisc_tree_decrease_qlen() (so qdisc_lookup())
    without rtnl_lock(), adding and deleting from a qdisc list needs
    additional locking. This patch adds global spinlock qdisc_list_lock
    and wrapper functions for modifying the list. It is considered as a
    temporary solution until hfsc_dequeue(), netem_dequeue() and
    tbf_dequeue() (or qdisc_tree_decrease_qlen()) are redone.

    With feedback from Herbert Xu and David S. Miller.

    Signed-off-by: Jarek Poplawski
    Acked-by: Herbert Xu
    Signed-off-by: David S. Miller

    Jarek Poplawski
     

21 Aug, 2008

2 commits

  • dev_deactivate() can skip rescheduling of a qdisc by qdisc_watchdog()
    or other timer calling netif_schedule() after dev_queue_deactivate().
    We prevent this checking aliveness before scheduling the timer. Since
    during deactivation the root qdisc is available only as qdisc_sleeping
    additional accessor qdisc_root_sleeping() is created.

    With feedback from Herbert Xu

    Signed-off-by: Jarek Poplawski
    Signed-off-by: David S. Miller

    Jarek Poplawski
     
  • All of the SCTP-AUTH socket options could cause a panic
    if the extension is disabled and the API is invoked.

    Additionally, there were some additional assumptions that
    certain pointers would always be valid which may not
    always be the case.

    This patch hardens the API and addresses all of the crash
    scenarios.

    Signed-off-by: Vlad Yasevich
    Signed-off-by: David S. Miller

    Vlad Yasevich
     

19 Aug, 2008

5 commits