diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2008-07-07 12:24:28 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2008-07-07 12:24:28 -0400 |
| commit | b2798bf0ec2cb5a17bfc1430c5ba6d971c436a03 (patch) | |
| tree | ef2b01160811d8d6312518a177968d58d5fe9e44 | |
| parent | 3bc5ab9b7f2760d2892fd0a0589e1077e869d4f5 (diff) | |
| parent | 7f2d38eb7a42bea1c1df51bbdaa2ca0f0bdda07f (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
can: add sanity checks
fs_enet: restore promiscuous and multicast settings in restart()
ibm_newemac: Fixes entry of short packets
ibm_newemac: Fixes kernel crashes when speed of cable connected changes
pasemi_mac: Access iph->tot_len with correct endianness
ehea: Access iph->tot_len with correct endianness
ehea: fix race condition
ehea: add MODULE_DEVICE_TABLE
ehea: fix might sleep problem
forcedeth: fix lockdep warning on ethtool -s
Add missing skb->dev assignment in Frame Relay RX code
bridge: fix use-after-free in br_cleanup_bridges()
tcp: fix a size_t < 0 comparison in tcp_read_sock
tcp: net/ipv4/tcp.c needs linux/scatterlist.h
libertas: support USB persistence on suspend/resume (resend)
iwlwifi: drop skb silently for Tx request in monitor mode
iwlwifi: fix incorrect 5GHz rates reported in monitor mode
| -rw-r--r-- | drivers/net/ehea/ehea.h | 8 | ||||
| -rw-r--r-- | drivers/net/ehea/ehea_main.c | 42 | ||||
| -rw-r--r-- | drivers/net/forcedeth.c | 15 | ||||
| -rw-r--r-- | drivers/net/fs_enet/mac-fcc.c | 3 | ||||
| -rw-r--r-- | drivers/net/ibm_newemac/core.c | 8 | ||||
| -rw-r--r-- | drivers/net/pasemi_mac.c | 2 | ||||
| -rw-r--r-- | drivers/net/wan/hdlc_fr.c | 1 | ||||
| -rw-r--r-- | drivers/net/wireless/iwlwifi/iwl-3945.c | 6 | ||||
| -rw-r--r-- | drivers/net/wireless/iwlwifi/iwl-4965.c | 6 | ||||
| -rw-r--r-- | drivers/net/wireless/iwlwifi/iwl3945-base.c | 3 | ||||
| -rw-r--r-- | drivers/net/wireless/iwlwifi/iwl4965-base.c | 3 | ||||
| -rw-r--r-- | drivers/net/wireless/libertas/if_usb.c | 1 | ||||
| -rw-r--r-- | net/bridge/br_if.c | 10 | ||||
| -rw-r--r-- | net/can/af_can.c | 10 | ||||
| -rw-r--r-- | net/can/bcm.c | 23 | ||||
| -rw-r--r-- | net/can/raw.c | 3 | ||||
| -rw-r--r-- | net/ipv4/tcp.c | 4 |
17 files changed, 113 insertions, 35 deletions
diff --git a/drivers/net/ehea/ehea.h b/drivers/net/ehea/ehea.h index fe872fbd671e..e01926b7b5b7 100644 --- a/drivers/net/ehea/ehea.h +++ b/drivers/net/ehea/ehea.h | |||
| @@ -40,7 +40,7 @@ | |||
| 40 | #include <asm/io.h> | 40 | #include <asm/io.h> |
| 41 | 41 | ||
| 42 | #define DRV_NAME "ehea" | 42 | #define DRV_NAME "ehea" |
| 43 | #define DRV_VERSION "EHEA_0091" | 43 | #define DRV_VERSION "EHEA_0092" |
| 44 | 44 | ||
| 45 | /* eHEA capability flags */ | 45 | /* eHEA capability flags */ |
| 46 | #define DLPAR_PORT_ADD_REM 1 | 46 | #define DLPAR_PORT_ADD_REM 1 |
| @@ -452,7 +452,7 @@ struct ehea_bcmc_reg_entry { | |||
| 452 | struct ehea_bcmc_reg_array { | 452 | struct ehea_bcmc_reg_array { |
| 453 | struct ehea_bcmc_reg_entry *arr; | 453 | struct ehea_bcmc_reg_entry *arr; |
| 454 | int num_entries; | 454 | int num_entries; |
| 455 | struct mutex lock; | 455 | spinlock_t lock; |
| 456 | }; | 456 | }; |
| 457 | 457 | ||
| 458 | #define EHEA_PORT_UP 1 | 458 | #define EHEA_PORT_UP 1 |
| @@ -478,6 +478,7 @@ struct ehea_port { | |||
| 478 | int num_add_tx_qps; | 478 | int num_add_tx_qps; |
| 479 | int num_mcs; | 479 | int num_mcs; |
| 480 | int resets; | 480 | int resets; |
| 481 | u64 flags; | ||
| 481 | u64 mac_addr; | 482 | u64 mac_addr; |
| 482 | u32 logical_port_id; | 483 | u32 logical_port_id; |
| 483 | u32 port_speed; | 484 | u32 port_speed; |
| @@ -501,7 +502,8 @@ struct port_res_cfg { | |||
| 501 | }; | 502 | }; |
| 502 | 503 | ||
| 503 | enum ehea_flag_bits { | 504 | enum ehea_flag_bits { |
| 504 | __EHEA_STOP_XFER | 505 | __EHEA_STOP_XFER, |
| 506 | __EHEA_DISABLE_PORT_RESET | ||
| 505 | }; | 507 | }; |
| 506 | 508 | ||
| 507 | void ehea_set_ethtool_ops(struct net_device *netdev); | 509 | void ehea_set_ethtool_ops(struct net_device *netdev); |
diff --git a/drivers/net/ehea/ehea_main.c b/drivers/net/ehea/ehea_main.c index 075fd547421e..0920b796bd78 100644 --- a/drivers/net/ehea/ehea_main.c +++ b/drivers/net/ehea/ehea_main.c | |||
| @@ -118,6 +118,7 @@ static struct of_device_id ehea_device_table[] = { | |||
| 118 | }, | 118 | }, |
| 119 | {}, | 119 | {}, |
| 120 | }; | 120 | }; |
| 121 | MODULE_DEVICE_TABLE(of, ehea_device_table); | ||
| 121 | 122 | ||
| 122 | static struct of_platform_driver ehea_driver = { | 123 | static struct of_platform_driver ehea_driver = { |
| 123 | .name = "ehea", | 124 | .name = "ehea", |
| @@ -137,6 +138,12 @@ void ehea_dump(void *adr, int len, char *msg) | |||
| 137 | } | 138 | } |
| 138 | } | 139 | } |
| 139 | 140 | ||
| 141 | void ehea_schedule_port_reset(struct ehea_port *port) | ||
| 142 | { | ||
| 143 | if (!test_bit(__EHEA_DISABLE_PORT_RESET, &port->flags)) | ||
| 144 | schedule_work(&port->reset_task); | ||
| 145 | } | ||
| 146 | |||
| 140 | static void ehea_update_firmware_handles(void) | 147 | static void ehea_update_firmware_handles(void) |
| 141 | { | 148 | { |
| 142 | struct ehea_fw_handle_entry *arr = NULL; | 149 | struct ehea_fw_handle_entry *arr = NULL; |
| @@ -241,7 +248,7 @@ static void ehea_update_bcmc_registrations(void) | |||
| 241 | } | 248 | } |
| 242 | 249 | ||
| 243 | if (num_registrations) { | 250 | if (num_registrations) { |
| 244 | arr = kzalloc(num_registrations * sizeof(*arr), GFP_KERNEL); | 251 | arr = kzalloc(num_registrations * sizeof(*arr), GFP_ATOMIC); |
| 245 | if (!arr) | 252 | if (!arr) |
| 246 | return; /* Keep the existing array */ | 253 | return; /* Keep the existing array */ |
| 247 | } else | 254 | } else |
| @@ -301,7 +308,7 @@ static struct net_device_stats *ehea_get_stats(struct net_device *dev) | |||
| 301 | 308 | ||
| 302 | memset(stats, 0, sizeof(*stats)); | 309 | memset(stats, 0, sizeof(*stats)); |
| 303 | 310 | ||
| 304 | cb2 = kzalloc(PAGE_SIZE, GFP_KERNEL); | 311 | cb2 = kzalloc(PAGE_SIZE, GFP_ATOMIC); |
| 305 | if (!cb2) { | 312 | if (!cb2) { |
| 306 | ehea_error("no mem for cb2"); | 313 | ehea_error("no mem for cb2"); |
| 307 | goto out; | 314 | goto out; |
| @@ -587,7 +594,7 @@ static int ehea_treat_poll_error(struct ehea_port_res *pr, int rq, | |||
| 587 | "Resetting port.", pr->qp->init_attr.qp_nr); | 594 | "Resetting port.", pr->qp->init_attr.qp_nr); |
| 588 | ehea_dump(cqe, sizeof(*cqe), "CQE"); | 595 | ehea_dump(cqe, sizeof(*cqe), "CQE"); |
| 589 | } | 596 | } |
| 590 | schedule_work(&pr->port->reset_task); | 597 | ehea_schedule_port_reset(pr->port); |
| 591 | return 1; | 598 | return 1; |
| 592 | } | 599 | } |
| 593 | 600 | ||
| @@ -616,7 +623,7 @@ static int get_skb_hdr(struct sk_buff *skb, void **iphdr, | |||
| 616 | *tcph = tcp_hdr(skb); | 623 | *tcph = tcp_hdr(skb); |
| 617 | 624 | ||
| 618 | /* check if ip header and tcp header are complete */ | 625 | /* check if ip header and tcp header are complete */ |
| 619 | if (iph->tot_len < ip_len + tcp_hdrlen(skb)) | 626 | if (ntohs(iph->tot_len) < ip_len + tcp_hdrlen(skb)) |
| 620 | return -1; | 627 | return -1; |
| 621 | 628 | ||
| 622 | *hdr_flags = LRO_IPV4 | LRO_TCP; | 629 | *hdr_flags = LRO_IPV4 | LRO_TCP; |
| @@ -765,7 +772,7 @@ static struct ehea_cqe *ehea_proc_cqes(struct ehea_port_res *pr, int my_quota) | |||
| 765 | ehea_error("Send Completion Error: Resetting port"); | 772 | ehea_error("Send Completion Error: Resetting port"); |
| 766 | if (netif_msg_tx_err(pr->port)) | 773 | if (netif_msg_tx_err(pr->port)) |
| 767 | ehea_dump(cqe, sizeof(*cqe), "Send CQE"); | 774 | ehea_dump(cqe, sizeof(*cqe), "Send CQE"); |
| 768 | schedule_work(&pr->port->reset_task); | 775 | ehea_schedule_port_reset(pr->port); |
| 769 | break; | 776 | break; |
| 770 | } | 777 | } |
| 771 | 778 | ||
| @@ -885,7 +892,7 @@ static irqreturn_t ehea_qp_aff_irq_handler(int irq, void *param) | |||
| 885 | eqe = ehea_poll_eq(port->qp_eq); | 892 | eqe = ehea_poll_eq(port->qp_eq); |
| 886 | } | 893 | } |
| 887 | 894 | ||
| 888 | schedule_work(&port->reset_task); | 895 | ehea_schedule_port_reset(port); |
| 889 | 896 | ||
| 890 | return IRQ_HANDLED; | 897 | return IRQ_HANDLED; |
| 891 | } | 898 | } |
| @@ -1763,7 +1770,7 @@ static int ehea_set_mac_addr(struct net_device *dev, void *sa) | |||
| 1763 | 1770 | ||
| 1764 | memcpy(dev->dev_addr, mac_addr->sa_data, dev->addr_len); | 1771 | memcpy(dev->dev_addr, mac_addr->sa_data, dev->addr_len); |
| 1765 | 1772 | ||
| 1766 | mutex_lock(&ehea_bcmc_regs.lock); | 1773 | spin_lock(&ehea_bcmc_regs.lock); |
| 1767 | 1774 | ||
| 1768 | /* Deregister old MAC in pHYP */ | 1775 | /* Deregister old MAC in pHYP */ |
| 1769 | if (port->state == EHEA_PORT_UP) { | 1776 | if (port->state == EHEA_PORT_UP) { |
| @@ -1785,7 +1792,7 @@ static int ehea_set_mac_addr(struct net_device *dev, void *sa) | |||
| 1785 | 1792 | ||
| 1786 | out_upregs: | 1793 | out_upregs: |
| 1787 | ehea_update_bcmc_registrations(); | 1794 | ehea_update_bcmc_registrations(); |
| 1788 | mutex_unlock(&ehea_bcmc_regs.lock); | 1795 | spin_unlock(&ehea_bcmc_regs.lock); |
| 1789 | out_free: | 1796 | out_free: |
| 1790 | kfree(cb0); | 1797 | kfree(cb0); |
| 1791 | out: | 1798 | out: |
| @@ -1947,7 +1954,7 @@ static void ehea_set_multicast_list(struct net_device *dev) | |||
| 1947 | } | 1954 | } |
| 1948 | ehea_promiscuous(dev, 0); | 1955 | ehea_promiscuous(dev, 0); |
| 1949 | 1956 | ||
| 1950 | mutex_lock(&ehea_bcmc_regs.lock); | 1957 | spin_lock(&ehea_bcmc_regs.lock); |
| 1951 | 1958 | ||
| 1952 | if (dev->flags & IFF_ALLMULTI) { | 1959 | if (dev->flags & IFF_ALLMULTI) { |
| 1953 | ehea_allmulti(dev, 1); | 1960 | ehea_allmulti(dev, 1); |
| @@ -1978,7 +1985,7 @@ static void ehea_set_multicast_list(struct net_device *dev) | |||
| 1978 | } | 1985 | } |
| 1979 | out: | 1986 | out: |
| 1980 | ehea_update_bcmc_registrations(); | 1987 | ehea_update_bcmc_registrations(); |
| 1981 | mutex_unlock(&ehea_bcmc_regs.lock); | 1988 | spin_unlock(&ehea_bcmc_regs.lock); |
| 1982 | return; | 1989 | return; |
| 1983 | } | 1990 | } |
| 1984 | 1991 | ||
| @@ -2497,7 +2504,7 @@ static int ehea_up(struct net_device *dev) | |||
| 2497 | } | 2504 | } |
| 2498 | } | 2505 | } |
| 2499 | 2506 | ||
| 2500 | mutex_lock(&ehea_bcmc_regs.lock); | 2507 | spin_lock(&ehea_bcmc_regs.lock); |
| 2501 | 2508 | ||
| 2502 | ret = ehea_broadcast_reg_helper(port, H_REG_BCMC); | 2509 | ret = ehea_broadcast_reg_helper(port, H_REG_BCMC); |
| 2503 | if (ret) { | 2510 | if (ret) { |
| @@ -2520,7 +2527,7 @@ out: | |||
| 2520 | ehea_info("Failed starting %s. ret=%i", dev->name, ret); | 2527 | ehea_info("Failed starting %s. ret=%i", dev->name, ret); |
| 2521 | 2528 | ||
| 2522 | ehea_update_bcmc_registrations(); | 2529 | ehea_update_bcmc_registrations(); |
| 2523 | mutex_unlock(&ehea_bcmc_regs.lock); | 2530 | spin_unlock(&ehea_bcmc_regs.lock); |
| 2524 | 2531 | ||
| 2525 | ehea_update_firmware_handles(); | 2532 | ehea_update_firmware_handles(); |
| 2526 | mutex_unlock(&ehea_fw_handles.lock); | 2533 | mutex_unlock(&ehea_fw_handles.lock); |
| @@ -2575,7 +2582,7 @@ static int ehea_down(struct net_device *dev) | |||
| 2575 | 2582 | ||
| 2576 | mutex_lock(&ehea_fw_handles.lock); | 2583 | mutex_lock(&ehea_fw_handles.lock); |
| 2577 | 2584 | ||
| 2578 | mutex_lock(&ehea_bcmc_regs.lock); | 2585 | spin_lock(&ehea_bcmc_regs.lock); |
| 2579 | ehea_drop_multicast_list(dev); | 2586 | ehea_drop_multicast_list(dev); |
| 2580 | ehea_broadcast_reg_helper(port, H_DEREG_BCMC); | 2587 | ehea_broadcast_reg_helper(port, H_DEREG_BCMC); |
| 2581 | 2588 | ||
| @@ -2584,7 +2591,7 @@ static int ehea_down(struct net_device *dev) | |||
| 2584 | port->state = EHEA_PORT_DOWN; | 2591 | port->state = EHEA_PORT_DOWN; |
| 2585 | 2592 | ||
| 2586 | ehea_update_bcmc_registrations(); | 2593 | ehea_update_bcmc_registrations(); |
| 2587 | mutex_unlock(&ehea_bcmc_regs.lock); | 2594 | spin_unlock(&ehea_bcmc_regs.lock); |
| 2588 | 2595 | ||
| 2589 | ret = ehea_clean_all_portres(port); | 2596 | ret = ehea_clean_all_portres(port); |
| 2590 | if (ret) | 2597 | if (ret) |
| @@ -2605,13 +2612,14 @@ static int ehea_stop(struct net_device *dev) | |||
| 2605 | if (netif_msg_ifdown(port)) | 2612 | if (netif_msg_ifdown(port)) |
| 2606 | ehea_info("disabling port %s", dev->name); | 2613 | ehea_info("disabling port %s", dev->name); |
| 2607 | 2614 | ||
| 2615 | set_bit(__EHEA_DISABLE_PORT_RESET, &port->flags); | ||
| 2608 | cancel_work_sync(&port->reset_task); | 2616 | cancel_work_sync(&port->reset_task); |
| 2609 | |||
| 2610 | mutex_lock(&port->port_lock); | 2617 | mutex_lock(&port->port_lock); |
| 2611 | netif_stop_queue(dev); | 2618 | netif_stop_queue(dev); |
| 2612 | port_napi_disable(port); | 2619 | port_napi_disable(port); |
| 2613 | ret = ehea_down(dev); | 2620 | ret = ehea_down(dev); |
| 2614 | mutex_unlock(&port->port_lock); | 2621 | mutex_unlock(&port->port_lock); |
| 2622 | clear_bit(__EHEA_DISABLE_PORT_RESET, &port->flags); | ||
| 2615 | return ret; | 2623 | return ret; |
| 2616 | } | 2624 | } |
| 2617 | 2625 | ||
| @@ -2941,7 +2949,7 @@ static void ehea_tx_watchdog(struct net_device *dev) | |||
| 2941 | 2949 | ||
| 2942 | if (netif_carrier_ok(dev) && | 2950 | if (netif_carrier_ok(dev) && |
| 2943 | !test_bit(__EHEA_STOP_XFER, &ehea_driver_flags)) | 2951 | !test_bit(__EHEA_STOP_XFER, &ehea_driver_flags)) |
| 2944 | schedule_work(&port->reset_task); | 2952 | ehea_schedule_port_reset(port); |
| 2945 | } | 2953 | } |
| 2946 | 2954 | ||
| 2947 | int ehea_sense_adapter_attr(struct ehea_adapter *adapter) | 2955 | int ehea_sense_adapter_attr(struct ehea_adapter *adapter) |
| @@ -3590,7 +3598,7 @@ int __init ehea_module_init(void) | |||
| 3590 | memset(&ehea_bcmc_regs, 0, sizeof(ehea_bcmc_regs)); | 3598 | memset(&ehea_bcmc_regs, 0, sizeof(ehea_bcmc_regs)); |
| 3591 | 3599 | ||
| 3592 | mutex_init(&ehea_fw_handles.lock); | 3600 | mutex_init(&ehea_fw_handles.lock); |
| 3593 | mutex_init(&ehea_bcmc_regs.lock); | 3601 | spin_lock_init(&ehea_bcmc_regs.lock); |
| 3594 | 3602 | ||
| 3595 | ret = check_module_parm(); | 3603 | ret = check_module_parm(); |
| 3596 | if (ret) | 3604 | if (ret) |
diff --git a/drivers/net/forcedeth.c b/drivers/net/forcedeth.c index 2cb244763292..20d4fe96a81c 100644 --- a/drivers/net/forcedeth.c +++ b/drivers/net/forcedeth.c | |||
| @@ -4194,12 +4194,23 @@ static int nv_set_settings(struct net_device *dev, struct ethtool_cmd *ecmd) | |||
| 4194 | 4194 | ||
| 4195 | netif_carrier_off(dev); | 4195 | netif_carrier_off(dev); |
| 4196 | if (netif_running(dev)) { | 4196 | if (netif_running(dev)) { |
| 4197 | unsigned long flags; | ||
| 4198 | |||
| 4197 | nv_disable_irq(dev); | 4199 | nv_disable_irq(dev); |
| 4198 | netif_tx_lock_bh(dev); | 4200 | netif_tx_lock_bh(dev); |
| 4199 | spin_lock(&np->lock); | 4201 | /* with plain spinlock lockdep complains */ |
| 4202 | spin_lock_irqsave(&np->lock, flags); | ||
| 4200 | /* stop engines */ | 4203 | /* stop engines */ |
| 4204 | /* FIXME: | ||
| 4205 | * this can take some time, and interrupts are disabled | ||
| 4206 | * due to spin_lock_irqsave, but let's hope no daemon | ||
| 4207 | * is going to change the settings very often... | ||
| 4208 | * Worst case: | ||
| 4209 | * NV_RXSTOP_DELAY1MAX + NV_TXSTOP_DELAY1MAX | ||
| 4210 | * + some minor delays, which is up to a second approximately | ||
| 4211 | */ | ||
| 4201 | nv_stop_rxtx(dev); | 4212 | nv_stop_rxtx(dev); |
| 4202 | spin_unlock(&np->lock); | 4213 | spin_unlock_irqrestore(&np->lock, flags); |
| 4203 | netif_tx_unlock_bh(dev); | 4214 | netif_tx_unlock_bh(dev); |
| 4204 | } | 4215 | } |
| 4205 | 4216 | ||
diff --git a/drivers/net/fs_enet/mac-fcc.c b/drivers/net/fs_enet/mac-fcc.c index e36321152d50..8268b3535b30 100644 --- a/drivers/net/fs_enet/mac-fcc.c +++ b/drivers/net/fs_enet/mac-fcc.c | |||
| @@ -463,6 +463,9 @@ static void restart(struct net_device *dev) | |||
| 463 | else | 463 | else |
| 464 | C32(fccp, fcc_fpsmr, FCC_PSMR_FDE | FCC_PSMR_LPB); | 464 | C32(fccp, fcc_fpsmr, FCC_PSMR_FDE | FCC_PSMR_LPB); |
| 465 | 465 | ||
| 466 | /* Restore multicast and promiscuous settings */ | ||
| 467 | set_multicast_list(dev); | ||
| 468 | |||
| 466 | S32(fccp, fcc_gfmr, FCC_GFMR_ENR | FCC_GFMR_ENT); | 469 | S32(fccp, fcc_gfmr, FCC_GFMR_ENR | FCC_GFMR_ENT); |
| 467 | } | 470 | } |
| 468 | 471 | ||
diff --git a/drivers/net/ibm_newemac/core.c b/drivers/net/ibm_newemac/core.c index 5d2108c5ac7c..babc79ad490b 100644 --- a/drivers/net/ibm_newemac/core.c +++ b/drivers/net/ibm_newemac/core.c | |||
| @@ -1636,6 +1636,12 @@ static int emac_poll_rx(void *param, int budget) | |||
| 1636 | goto next; | 1636 | goto next; |
| 1637 | } | 1637 | } |
| 1638 | 1638 | ||
| 1639 | if (len < ETH_HLEN) { | ||
| 1640 | ++dev->estats.rx_dropped_stack; | ||
| 1641 | emac_recycle_rx_skb(dev, slot, len); | ||
| 1642 | goto next; | ||
| 1643 | } | ||
| 1644 | |||
| 1639 | if (len && len < EMAC_RX_COPY_THRESH) { | 1645 | if (len && len < EMAC_RX_COPY_THRESH) { |
| 1640 | struct sk_buff *copy_skb = | 1646 | struct sk_buff *copy_skb = |
| 1641 | alloc_skb(len + EMAC_RX_SKB_HEADROOM + 2, GFP_ATOMIC); | 1647 | alloc_skb(len + EMAC_RX_SKB_HEADROOM + 2, GFP_ATOMIC); |
| @@ -2719,6 +2725,8 @@ static int __devinit emac_probe(struct of_device *ofdev, | |||
| 2719 | /* Clean rings */ | 2725 | /* Clean rings */ |
| 2720 | memset(dev->tx_desc, 0, NUM_TX_BUFF * sizeof(struct mal_descriptor)); | 2726 | memset(dev->tx_desc, 0, NUM_TX_BUFF * sizeof(struct mal_descriptor)); |
| 2721 | memset(dev->rx_desc, 0, NUM_RX_BUFF * sizeof(struct mal_descriptor)); | 2727 | memset(dev->rx_desc, 0, NUM_RX_BUFF * sizeof(struct mal_descriptor)); |
| 2728 | memset(dev->tx_skb, 0, NUM_TX_BUFF * sizeof(struct sk_buff *)); | ||
| 2729 | memset(dev->rx_skb, 0, NUM_RX_BUFF * sizeof(struct sk_buff *)); | ||
| 2722 | 2730 | ||
| 2723 | /* Attach to ZMII, if needed */ | 2731 | /* Attach to ZMII, if needed */ |
| 2724 | if (emac_has_feature(dev, EMAC_FTR_HAS_ZMII) && | 2732 | if (emac_has_feature(dev, EMAC_FTR_HAS_ZMII) && |
diff --git a/drivers/net/pasemi_mac.c b/drivers/net/pasemi_mac.c index 3b2a6c598088..993d87c9296f 100644 --- a/drivers/net/pasemi_mac.c +++ b/drivers/net/pasemi_mac.c | |||
| @@ -277,7 +277,7 @@ static int get_skb_hdr(struct sk_buff *skb, void **iphdr, | |||
| 277 | *tcph = tcp_hdr(skb); | 277 | *tcph = tcp_hdr(skb); |
| 278 | 278 | ||
| 279 | /* check if ip header and tcp header are complete */ | 279 | /* check if ip header and tcp header are complete */ |
| 280 | if (iph->tot_len < ip_len + tcp_hdrlen(skb)) | 280 | if (ntohs(iph->tot_len) < ip_len + tcp_hdrlen(skb)) |
| 281 | return -1; | 281 | return -1; |
| 282 | 282 | ||
| 283 | *hdr_flags = LRO_IPV4 | LRO_TCP; | 283 | *hdr_flags = LRO_IPV4 | LRO_TCP; |
diff --git a/drivers/net/wan/hdlc_fr.c b/drivers/net/wan/hdlc_fr.c index 520bb0b1a9a2..6d35155c7145 100644 --- a/drivers/net/wan/hdlc_fr.c +++ b/drivers/net/wan/hdlc_fr.c | |||
| @@ -1008,6 +1008,7 @@ static int fr_rx(struct sk_buff *skb) | |||
| 1008 | stats->rx_bytes += skb->len; | 1008 | stats->rx_bytes += skb->len; |
| 1009 | if (pvc->state.becn) | 1009 | if (pvc->state.becn) |
| 1010 | stats->rx_compressed++; | 1010 | stats->rx_compressed++; |
| 1011 | skb->dev = dev; | ||
| 1011 | netif_rx(skb); | 1012 | netif_rx(skb); |
| 1012 | return NET_RX_SUCCESS; | 1013 | return NET_RX_SUCCESS; |
| 1013 | } else { | 1014 | } else { |
diff --git a/drivers/net/wireless/iwlwifi/iwl-3945.c b/drivers/net/wireless/iwlwifi/iwl-3945.c index 62a3d8f8563e..f5387a7a76c0 100644 --- a/drivers/net/wireless/iwlwifi/iwl-3945.c +++ b/drivers/net/wireless/iwlwifi/iwl-3945.c | |||
| @@ -588,8 +588,12 @@ static void iwl3945_add_radiotap(struct iwl3945_priv *priv, | |||
| 588 | 588 | ||
| 589 | if (rate == -1) | 589 | if (rate == -1) |
| 590 | iwl3945_rt->rt_rate = 0; | 590 | iwl3945_rt->rt_rate = 0; |
| 591 | else | 591 | else { |
| 592 | if (stats->band == IEEE80211_BAND_5GHZ) | ||
| 593 | rate += IWL_FIRST_OFDM_RATE; | ||
| 594 | |||
| 592 | iwl3945_rt->rt_rate = iwl3945_rates[rate].ieee; | 595 | iwl3945_rt->rt_rate = iwl3945_rates[rate].ieee; |
| 596 | } | ||
| 593 | 597 | ||
| 594 | /* antenna number */ | 598 | /* antenna number */ |
| 595 | antenna = phy_flags_hw & RX_RES_PHY_FLAGS_ANTENNA_MSK; | 599 | antenna = phy_flags_hw & RX_RES_PHY_FLAGS_ANTENNA_MSK; |
diff --git a/drivers/net/wireless/iwlwifi/iwl-4965.c b/drivers/net/wireless/iwlwifi/iwl-4965.c index bf19eb8aafd0..de330ae0ca95 100644 --- a/drivers/net/wireless/iwlwifi/iwl-4965.c +++ b/drivers/net/wireless/iwlwifi/iwl-4965.c | |||
| @@ -3528,8 +3528,12 @@ static void iwl4965_add_radiotap(struct iwl_priv *priv, | |||
| 3528 | 3528 | ||
| 3529 | if (rate == -1) | 3529 | if (rate == -1) |
| 3530 | iwl4965_rt->rt_rate = 0; | 3530 | iwl4965_rt->rt_rate = 0; |
| 3531 | else | 3531 | else { |
| 3532 | if (stats->band == IEEE80211_BAND_5GHZ) | ||
| 3533 | rate += IWL_FIRST_OFDM_RATE; | ||
| 3534 | |||
| 3532 | iwl4965_rt->rt_rate = iwl4965_rates[rate].ieee; | 3535 | iwl4965_rt->rt_rate = iwl4965_rates[rate].ieee; |
| 3536 | } | ||
| 3533 | 3537 | ||
| 3534 | /* | 3538 | /* |
| 3535 | * "antenna number" | 3539 | * "antenna number" |
diff --git a/drivers/net/wireless/iwlwifi/iwl3945-base.c b/drivers/net/wireless/iwlwifi/iwl3945-base.c index b1b3c523185d..6027e1119c3f 100644 --- a/drivers/net/wireless/iwlwifi/iwl3945-base.c +++ b/drivers/net/wireless/iwlwifi/iwl3945-base.c | |||
| @@ -6687,7 +6687,8 @@ static int iwl3945_mac_tx(struct ieee80211_hw *hw, struct sk_buff *skb, | |||
| 6687 | 6687 | ||
| 6688 | if (priv->iw_mode == IEEE80211_IF_TYPE_MNTR) { | 6688 | if (priv->iw_mode == IEEE80211_IF_TYPE_MNTR) { |
| 6689 | IWL_DEBUG_MAC80211("leave - monitor\n"); | 6689 | IWL_DEBUG_MAC80211("leave - monitor\n"); |
| 6690 | return -1; | 6690 | dev_kfree_skb_any(skb); |
| 6691 | return 0; | ||
| 6691 | } | 6692 | } |
| 6692 | 6693 | ||
| 6693 | IWL_DEBUG_TX("dev->xmit(%d bytes) at rate 0x%02x\n", skb->len, | 6694 | IWL_DEBUG_TX("dev->xmit(%d bytes) at rate 0x%02x\n", skb->len, |
diff --git a/drivers/net/wireless/iwlwifi/iwl4965-base.c b/drivers/net/wireless/iwlwifi/iwl4965-base.c index 5ed16ce78468..0bd55bb19739 100644 --- a/drivers/net/wireless/iwlwifi/iwl4965-base.c +++ b/drivers/net/wireless/iwlwifi/iwl4965-base.c | |||
| @@ -6237,7 +6237,8 @@ static int iwl4965_mac_tx(struct ieee80211_hw *hw, struct sk_buff *skb, | |||
| 6237 | 6237 | ||
| 6238 | if (priv->iw_mode == IEEE80211_IF_TYPE_MNTR) { | 6238 | if (priv->iw_mode == IEEE80211_IF_TYPE_MNTR) { |
| 6239 | IWL_DEBUG_MAC80211("leave - monitor\n"); | 6239 | IWL_DEBUG_MAC80211("leave - monitor\n"); |
| 6240 | return -1; | 6240 | dev_kfree_skb_any(skb); |
| 6241 | return 0; | ||
| 6241 | } | 6242 | } |
| 6242 | 6243 | ||
| 6243 | IWL_DEBUG_TX("dev->xmit(%d bytes) at rate 0x%02x\n", skb->len, | 6244 | IWL_DEBUG_TX("dev->xmit(%d bytes) at rate 0x%02x\n", skb->len, |
diff --git a/drivers/net/wireless/libertas/if_usb.c b/drivers/net/wireless/libertas/if_usb.c index 8032df72aaab..36288b29abf7 100644 --- a/drivers/net/wireless/libertas/if_usb.c +++ b/drivers/net/wireless/libertas/if_usb.c | |||
| @@ -925,6 +925,7 @@ static struct usb_driver if_usb_driver = { | |||
| 925 | .id_table = if_usb_table, | 925 | .id_table = if_usb_table, |
| 926 | .suspend = if_usb_suspend, | 926 | .suspend = if_usb_suspend, |
| 927 | .resume = if_usb_resume, | 927 | .resume = if_usb_resume, |
| 928 | .reset_resume = if_usb_resume, | ||
| 928 | }; | 929 | }; |
| 929 | 930 | ||
| 930 | static int __init if_usb_init_module(void) | 931 | static int __init if_usb_init_module(void) |
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c index c2397f503b0f..f38cc5317b88 100644 --- a/net/bridge/br_if.c +++ b/net/bridge/br_if.c | |||
| @@ -442,12 +442,16 @@ int br_del_if(struct net_bridge *br, struct net_device *dev) | |||
| 442 | 442 | ||
| 443 | void __exit br_cleanup_bridges(void) | 443 | void __exit br_cleanup_bridges(void) |
| 444 | { | 444 | { |
| 445 | struct net_device *dev, *nxt; | 445 | struct net_device *dev; |
| 446 | 446 | ||
| 447 | rtnl_lock(); | 447 | rtnl_lock(); |
| 448 | for_each_netdev_safe(&init_net, dev, nxt) | 448 | restart: |
| 449 | if (dev->priv_flags & IFF_EBRIDGE) | 449 | for_each_netdev(&init_net, dev) { |
| 450 | if (dev->priv_flags & IFF_EBRIDGE) { | ||
| 450 | del_br(dev->priv); | 451 | del_br(dev->priv); |
| 452 | goto restart; | ||
| 453 | } | ||
| 454 | } | ||
| 451 | rtnl_unlock(); | 455 | rtnl_unlock(); |
| 452 | 456 | ||
| 453 | } | 457 | } |
diff --git a/net/can/af_can.c b/net/can/af_can.c index 7e8ca2836452..484bbf6dd032 100644 --- a/net/can/af_can.c +++ b/net/can/af_can.c | |||
| @@ -205,12 +205,19 @@ static int can_create(struct net *net, struct socket *sock, int protocol) | |||
| 205 | * -ENOBUFS on full driver queue (see net_xmit_errno()) | 205 | * -ENOBUFS on full driver queue (see net_xmit_errno()) |
| 206 | * -ENOMEM when local loopback failed at calling skb_clone() | 206 | * -ENOMEM when local loopback failed at calling skb_clone() |
| 207 | * -EPERM when trying to send on a non-CAN interface | 207 | * -EPERM when trying to send on a non-CAN interface |
| 208 | * -EINVAL when the skb->data does not contain a valid CAN frame | ||
| 208 | */ | 209 | */ |
| 209 | int can_send(struct sk_buff *skb, int loop) | 210 | int can_send(struct sk_buff *skb, int loop) |
| 210 | { | 211 | { |
| 211 | struct sk_buff *newskb = NULL; | 212 | struct sk_buff *newskb = NULL; |
| 213 | struct can_frame *cf = (struct can_frame *)skb->data; | ||
| 212 | int err; | 214 | int err; |
| 213 | 215 | ||
| 216 | if (skb->len != sizeof(struct can_frame) || cf->can_dlc > 8) { | ||
| 217 | kfree_skb(skb); | ||
| 218 | return -EINVAL; | ||
| 219 | } | ||
| 220 | |||
| 214 | if (skb->dev->type != ARPHRD_CAN) { | 221 | if (skb->dev->type != ARPHRD_CAN) { |
| 215 | kfree_skb(skb); | 222 | kfree_skb(skb); |
| 216 | return -EPERM; | 223 | return -EPERM; |
| @@ -605,6 +612,7 @@ static int can_rcv(struct sk_buff *skb, struct net_device *dev, | |||
| 605 | struct packet_type *pt, struct net_device *orig_dev) | 612 | struct packet_type *pt, struct net_device *orig_dev) |
| 606 | { | 613 | { |
| 607 | struct dev_rcv_lists *d; | 614 | struct dev_rcv_lists *d; |
| 615 | struct can_frame *cf = (struct can_frame *)skb->data; | ||
| 608 | int matches; | 616 | int matches; |
| 609 | 617 | ||
| 610 | if (dev->type != ARPHRD_CAN || dev_net(dev) != &init_net) { | 618 | if (dev->type != ARPHRD_CAN || dev_net(dev) != &init_net) { |
| @@ -612,6 +620,8 @@ static int can_rcv(struct sk_buff *skb, struct net_device *dev, | |||
| 612 | return 0; | 620 | return 0; |
| 613 | } | 621 | } |
| 614 | 622 | ||
| 623 | BUG_ON(skb->len != sizeof(struct can_frame) || cf->can_dlc > 8); | ||
| 624 | |||
| 615 | /* update statistics */ | 625 | /* update statistics */ |
| 616 | can_stats.rx_frames++; | 626 | can_stats.rx_frames++; |
| 617 | can_stats.rx_frames_delta++; | 627 | can_stats.rx_frames_delta++; |
diff --git a/net/can/bcm.c b/net/can/bcm.c index d9a3a9d13bed..72c2ce904f83 100644 --- a/net/can/bcm.c +++ b/net/can/bcm.c | |||
| @@ -298,7 +298,7 @@ static void bcm_send_to_user(struct bcm_op *op, struct bcm_msg_head *head, | |||
| 298 | 298 | ||
| 299 | if (head->nframes) { | 299 | if (head->nframes) { |
| 300 | /* can_frames starting here */ | 300 | /* can_frames starting here */ |
| 301 | firstframe = (struct can_frame *) skb_tail_pointer(skb); | 301 | firstframe = (struct can_frame *)skb_tail_pointer(skb); |
| 302 | 302 | ||
| 303 | memcpy(skb_put(skb, datalen), frames, datalen); | 303 | memcpy(skb_put(skb, datalen), frames, datalen); |
| 304 | 304 | ||
| @@ -826,6 +826,10 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg, | |||
| 826 | for (i = 0; i < msg_head->nframes; i++) { | 826 | for (i = 0; i < msg_head->nframes; i++) { |
| 827 | err = memcpy_fromiovec((u8 *)&op->frames[i], | 827 | err = memcpy_fromiovec((u8 *)&op->frames[i], |
| 828 | msg->msg_iov, CFSIZ); | 828 | msg->msg_iov, CFSIZ); |
| 829 | |||
| 830 | if (op->frames[i].can_dlc > 8) | ||
| 831 | err = -EINVAL; | ||
| 832 | |||
| 829 | if (err < 0) | 833 | if (err < 0) |
| 830 | return err; | 834 | return err; |
| 831 | 835 | ||
| @@ -858,6 +862,10 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg, | |||
| 858 | for (i = 0; i < msg_head->nframes; i++) { | 862 | for (i = 0; i < msg_head->nframes; i++) { |
| 859 | err = memcpy_fromiovec((u8 *)&op->frames[i], | 863 | err = memcpy_fromiovec((u8 *)&op->frames[i], |
| 860 | msg->msg_iov, CFSIZ); | 864 | msg->msg_iov, CFSIZ); |
| 865 | |||
| 866 | if (op->frames[i].can_dlc > 8) | ||
| 867 | err = -EINVAL; | ||
| 868 | |||
| 861 | if (err < 0) { | 869 | if (err < 0) { |
| 862 | if (op->frames != &op->sframe) | 870 | if (op->frames != &op->sframe) |
| 863 | kfree(op->frames); | 871 | kfree(op->frames); |
| @@ -1164,9 +1172,12 @@ static int bcm_tx_send(struct msghdr *msg, int ifindex, struct sock *sk) | |||
| 1164 | 1172 | ||
| 1165 | skb->dev = dev; | 1173 | skb->dev = dev; |
| 1166 | skb->sk = sk; | 1174 | skb->sk = sk; |
| 1167 | can_send(skb, 1); /* send with loopback */ | 1175 | err = can_send(skb, 1); /* send with loopback */ |
| 1168 | dev_put(dev); | 1176 | dev_put(dev); |
| 1169 | 1177 | ||
| 1178 | if (err) | ||
| 1179 | return err; | ||
| 1180 | |||
| 1170 | return CFSIZ + MHSIZ; | 1181 | return CFSIZ + MHSIZ; |
| 1171 | } | 1182 | } |
| 1172 | 1183 | ||
| @@ -1185,6 +1196,10 @@ static int bcm_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
| 1185 | if (!bo->bound) | 1196 | if (!bo->bound) |
| 1186 | return -ENOTCONN; | 1197 | return -ENOTCONN; |
| 1187 | 1198 | ||
| 1199 | /* check for valid message length from userspace */ | ||
| 1200 | if (size < MHSIZ || (size - MHSIZ) % CFSIZ) | ||
| 1201 | return -EINVAL; | ||
| 1202 | |||
| 1188 | /* check for alternative ifindex for this bcm_op */ | 1203 | /* check for alternative ifindex for this bcm_op */ |
| 1189 | 1204 | ||
| 1190 | if (!ifindex && msg->msg_name) { | 1205 | if (!ifindex && msg->msg_name) { |
| @@ -1259,8 +1274,8 @@ static int bcm_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
| 1259 | break; | 1274 | break; |
| 1260 | 1275 | ||
| 1261 | case TX_SEND: | 1276 | case TX_SEND: |
| 1262 | /* we need at least one can_frame */ | 1277 | /* we need exactly one can_frame behind the msg head */ |
| 1263 | if (msg_head.nframes < 1) | 1278 | if ((msg_head.nframes != 1) || (size != CFSIZ + MHSIZ)) |
| 1264 | ret = -EINVAL; | 1279 | ret = -EINVAL; |
| 1265 | else | 1280 | else |
| 1266 | ret = bcm_tx_send(msg, ifindex, sk); | 1281 | ret = bcm_tx_send(msg, ifindex, sk); |
diff --git a/net/can/raw.c b/net/can/raw.c index 69877b8e7e9c..3e46ee36a1aa 100644 --- a/net/can/raw.c +++ b/net/can/raw.c | |||
| @@ -632,6 +632,9 @@ static int raw_sendmsg(struct kiocb *iocb, struct socket *sock, | |||
| 632 | } else | 632 | } else |
| 633 | ifindex = ro->ifindex; | 633 | ifindex = ro->ifindex; |
| 634 | 634 | ||
| 635 | if (size != sizeof(struct can_frame)) | ||
| 636 | return -EINVAL; | ||
| 637 | |||
| 635 | dev = dev_get_by_index(&init_net, ifindex); | 638 | dev = dev_get_by_index(&init_net, ifindex); |
| 636 | if (!dev) | 639 | if (!dev) |
| 637 | return -ENXIO; | 640 | return -ENXIO; |
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index 850825dc86e6..1d723de18686 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c | |||
| @@ -255,6 +255,7 @@ | |||
| 255 | #include <linux/init.h> | 255 | #include <linux/init.h> |
| 256 | #include <linux/fs.h> | 256 | #include <linux/fs.h> |
| 257 | #include <linux/skbuff.h> | 257 | #include <linux/skbuff.h> |
| 258 | #include <linux/scatterlist.h> | ||
| 258 | #include <linux/splice.h> | 259 | #include <linux/splice.h> |
| 259 | #include <linux/net.h> | 260 | #include <linux/net.h> |
| 260 | #include <linux/socket.h> | 261 | #include <linux/socket.h> |
| @@ -1208,7 +1209,8 @@ int tcp_read_sock(struct sock *sk, read_descriptor_t *desc, | |||
| 1208 | return -ENOTCONN; | 1209 | return -ENOTCONN; |
| 1209 | while ((skb = tcp_recv_skb(sk, seq, &offset)) != NULL) { | 1210 | while ((skb = tcp_recv_skb(sk, seq, &offset)) != NULL) { |
| 1210 | if (offset < skb->len) { | 1211 | if (offset < skb->len) { |
| 1211 | size_t used, len; | 1212 | int used; |
| 1213 | size_t len; | ||
| 1212 | 1214 | ||
| 1213 | len = skb->len - offset; | 1215 | len = skb->len - offset; |
| 1214 | /* Stop reading if we hit a patch of urgent data */ | 1216 | /* Stop reading if we hit a patch of urgent data */ |