aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAge
* sctp: fix the return value of getting the sctp partial delivery pointWei Yongjun2010-12-16
| | | | | | | | | Get the sctp partial delivery point using SCTP_PARTIAL_DELIVERY_POINT socket option should return 0 if success, not -ENOTSUPP. Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com> Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* net/veth: Fix packet checksummingMichał Mirosław2010-12-16
| | | | | | | | | We can't change ip_summed from CHECKSUM_PARTIAL to CHECKSUM_NONE or CHECKSUM_UNNECESSARY because checksum in packet's headers is not valid and will cause invalid checksum when frame is forwarded. Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl> Signed-off-by: David S. Miller <davem@davemloft.net>
* bridge: fix IPv6 queries for bridge multicast snoopingDavid Stevens2010-12-16
| | | | | | | | This patch fixes a missing ntohs() for bridge IPv6 multicast snooping. Signed-off-by: David L Stevens <dlstevens@us.ibm.com> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: fix nulls list corruptions in sk_prot_allocOctavian Purdila2010-12-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | Special care is taken inside sk_port_alloc to avoid overwriting skc_node/skc_nulls_node. We should also avoid overwriting skc_bind_node/skc_portaddr_node. The patch fixes the following crash: BUG: unable to handle kernel paging request at fffffffffffffff0 IP: [<ffffffff812ec6dd>] udp4_lib_lookup2+0xad/0x370 [<ffffffff812ecc22>] __udp4_lib_lookup+0x282/0x360 [<ffffffff812ed63e>] __udp4_lib_rcv+0x31e/0x700 [<ffffffff812bba45>] ? ip_local_deliver_finish+0x65/0x190 [<ffffffff812bbbf8>] ? ip_local_deliver+0x88/0xa0 [<ffffffff812eda35>] udp_rcv+0x15/0x20 [<ffffffff812bba45>] ip_local_deliver_finish+0x65/0x190 [<ffffffff812bbbf8>] ip_local_deliver+0x88/0xa0 [<ffffffff812bb2cd>] ip_rcv_finish+0x32d/0x6f0 [<ffffffff8128c14c>] ? netif_receive_skb+0x99c/0x11c0 [<ffffffff812bb94b>] ip_rcv+0x2bb/0x350 [<ffffffff8128c14c>] netif_receive_skb+0x99c/0x11c0 Signed-off-by: Leonard Crestez <lcrestez@ixiacom.com> Signed-off-by: Octavian Purdila <opurdila@ixiacom.com> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* be2net: use mutex instead of spin lock for mbox_lockIvan Vecera2010-12-16
| | | | | | | | | | Since the mbox polling uses the schedule_timeout, the mbox_lock should be a mutex and not a spin lock. The commit f25b03a replaced udelay() with schedule_timeout() but didn't change mbox_lock to semaphore or mutex. Signed-off-by: Ivan Vecera <ivecera@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* bonding/vlan: Fix mangled NAs on slaves without VLAN tag insertionBen Hutchings2010-12-16
| | | | | | | | | | | | | | | | bond_na_send() attempts to insert a VLAN tag in between building and sending packets of the respective formats. If the slave does not implement hardware VLAN tag insertion then vlan_put_tag() will mangle the network-layer header because the Ethernet header is not present at this point (unlike in bond_arp_send()). Fix this by adding the tag out-of-line and relying on dev_hard_start_xmit() to insert it inline if necessary. Signed-off-by: Ben Hutchings <bhutchings@solarflare.com> Signed-off-by: Jay Vosburgh <fubar@us.ibm.com> Reviewed-by: Jesse Gross <jesse@nicira.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* bonding: Change active slave quietly when bond is downBen Hutchings2010-12-16
| | | | | | | | | | | | bond_change_active_slave() may be called when a slave is added, even if the bond has not been brought up yet. It may then attempt to send packets, and further it may use mcast_work which is uninitialised before the bond is brought up. Add the necessary checks for netif_running(bond->dev). Signed-off-by: Ben Hutchings <bhutchings@solarflare.com> Signed-off-by: Jay Vosburgh <fubar@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* bonding/vlan: Remove redundant VLAN tag insertion logicBen Hutchings2010-12-16
| | | | | | | | | | | | | | | | | | | A bond may have a mixture of slave devices with and without hardware VLAN tag insertion capability. Therefore it always claims this capability and performs software VLAN tag insertion if the slave does not. Since commit 7b9c60903714bf0a19d746b228864bad3497284e, this has also been done by dev_hard_start_xmit(). The result is that VLAN- tagged skbs are now double-tagged when transmitted through slave devices without hardware VLAN tag insertion! Remove the now-redundant logic from bond_dev_queue_xmit(). Signed-off-by: Ben Hutchings <bhutchings@solarflare.com> Signed-off-by: Jay Vosburgh <fubar@us.ibm.com> Reviewed-by: Jesse Gross <jesse@nicira.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* axnet_cs: move id (0x1bf, 0x2328) to axnet_csKen Kawasaki2010-12-16
| | | | | | | | | axnet_cs: Accton EN2328 or compatible (id: 0x01bf, 0x2328) uses Asix chip. So it works better with axnet_cs instead of pcnet_cs. Signed-off-by: Ken Kawasaki <ken_kawasaki@spring.nifty.jp> Signed-off-by: David S. Miller <davem@davemloft.net>
* ipv6: delete expired route in ip6_pmtu_deliverAndrey Vagin2010-12-16
| | | | | | | | | | | | | | | | | | | | | | The first big packets sent to a "low-MTU" client correctly triggers the creation of a temporary route containing the reduced MTU. But after the temporary route has expired, new ICMP6 "packet too big" will be sent, rt6_pmtu_discovery will find the previous EXPIRED route check that its mtu isn't bigger then in icmp packet and do nothing before the temporary route will not deleted by gc. I make the simple experiment: while :; do time ( dd if=/dev/zero bs=10K count=1 | ssh hostname dd of=/dev/null ) || break; done The "time" reports real 0m0.197s if a temporary route isn't expired, but it reports real 0m52.837s (!!!!) immediately after a temporare route has expired. Signed-off-by: Andrey Vagin <avagin@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* bonding: Fix slave selection bug.Hillf Danton2010-12-16
| | | | | | | | The returned slave is incorrect, if the net device under check is not charged yet by the master. Signed-off-by: Hillf Danton <dhillf@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* Merge branch 'master' of ↵David S. Miller2010-12-15
|\ | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6
| * p54usb: New USB ID for Gemtek WUBI-100GWEduardo Costa2010-12-14
| | | | | | | | | | | | | | | | | | | | This USB ID is for the WUBI-100GW 802.11g Wireless LAN USB Device that uses p54usb. Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by: Eduardo Costa <ecosta.tmp@gmail.com> Cc: Stable <stable@kernel.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * mac80211: avoid calling ieee80211_work_work unconditionallyHerton Ronaldo Krzesinski2010-12-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | On suspend, there might be usb wireless drivers which wrongly trigger the warning in ieee80211_work_work. If an usb driver doesn't have a suspend hook, the usb stack will disconnect the device. On disconnect, a mac80211 driver calls ieee80211_unregister_hw, which calls dev_close, which calls ieee80211_stop, and in the end calls ieee80211_work_purge-> ieee80211_work_work. The problem is that this call to ieee80211_work_purge comes after mac80211 is suspended, triggering the warning even when we don't have work queued in work_list (the expected case when already suspended), because it always calls ieee80211_work_work. So, just call ieee80211_work_work in ieee80211_work_purge if we really have to abort work. This addresses the warning reported at https://bugzilla.kernel.org/show_bug.cgi?id=24402 Signed-off-by: Herton Ronaldo Krzesinski <herton@mandriva.com.br> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * p54usb: add 5 more USBIDsChristian Lamparter2010-12-13
| | | | | | | | | | | | | | | | | | | | | | | | This patch adds five more USBIDs to the table. Source: http://www.linuxant.com/pipermail/driverloader/2005q3/002307.html http://wireless.kernel.org/en/users/Drivers/p54/devices (by M. Davis) Cc: <stable@kernel.org> Signed-off-by: Christian Lamparter <chunkeey@googlemail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * mac80211: Fix NULL-pointer deference on ibss merge when not readyTim Harvey2010-12-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | dev_open will eventually call ieee80211_ibss_join which sets up the skb used for beacons/probe-responses however it is possible to receive beacons that attempt to merge before this occurs causing a null pointer dereference. Check ssid_len as that is the last thing set in ieee80211_ibss_join. This occurs quite easily in the presence of adhoc nodes with hidden SSID's revised previous patch to check further up based on irc feedback Signed-off-by: Tim Harvey <harvey.tim@gmail.com> Reviewed-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * libertas: fix potential NULL-pointer dereferenceSven Neumann2010-12-13
| | | | | | | | | | | | | | | | | | | | The code wants to check if there's a channel and it is not disabled, but it used to check if channel is not NULL and accessed the channel struct if this check failed. Signed-off-by: Sven Neumann <s.neumann@raumfeld.com> Acked-by: Dan Williams <dcbw@redhat.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * Merge branch 'master' of ↵John W. Linville2010-12-13
| |\ | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/padovan/bluetooth-2.6
| | * Bluetooth: add NULL pointer check in HCIJun Nie2010-12-08
| | | | | | | | | | | | | | | | | | | | | | | | If we fail to find a hci device pointer in hci_uart, don't try to deref the NULL one we do have. Signed-off-by: Jun Nie <njun@marvell.com> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
| | * Bluetooth: Fix initial RFCOMM DLC security levelJohan Hedberg2010-12-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Due to commit 63ce0900 connections initiated through TTYs created with "rfcomm bind ..." would have security level BT_SECURITY_SDP instead of BT_SECURITY_LOW. This would cause instant connection failure between any two SSP capable devices due to the L2CAP connect request to RFCOMM being sent before authentication has been performed. This patch fixes the regression by always initializing the DLC security level to BT_SECURITY_LOW. Signed-off-by: Johan Hedberg <johan.hedberg@nokia.com> Acked-by: Luiz Augusto von Dentz <luiz.dentz-von@nokia.com> Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
| * | iwlagn: implement layout-agnostic EEPROM readingWey-Yi Guy2010-12-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | From: Johannes Berg <johannes.berg@intel.com> The current EEPROM reading code has some layout assumptions that now turned out to be false with some newer versions of the EEPROM. Luckily, we can avoid all such assumptions by using data in the EEPROM itself, so implement using that. However, for risk mitigation purposes, keep the old reading code for current hardware for now. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
| * | iwlagn: rename enhanced txpower fieldsJohannes Berg2010-12-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Some fields we didn't previously use from the enhanced TX power structure will be needed in the next patch, so rename them to their correct names to be able to use them and change code reading them accordingly. Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
* | | pppoe.c: Fix kernel panic caused by __pppoe_xmitAndrej Ota2010-12-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | __pppoe_xmit function return value was invalid resulting in additional call to kfree_skb on already freed skb. This resulted in memory corruption and consequent kernel panic after PPPoE peer terminated the link. This fixes commit 55c95e738da85373965cb03b4f975d0fd559865b. Reported-by: Gorik Van Steenberge <gvs@zemos.net> Reported-by: Daniel Kenzelmann <kernel.bugzilla@kenzelmann.dyndns.info> Reported-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com> Reported-by: Pawel Staszewski <pstaszewski@artcom.pl> Diagnosed-by: Andrej Ota <andrej@ota.si> Diagnosed-by: Eric Dumazet <eric.dumazet@gmail.com> Tested-by: Denys Fedoryshchenko <nuclearcat@nuclearcat.com> Tested-by: Pawel Staszewski <pstaszewski@artcom.pl> Signed-off-by: Jarek Poplawski <jarkao2@gmail.com> Signed-off-by: Andrej Ota <andrej@ota.si> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | WAN: Fix a TX IRQ causing BUG() in PC300 and PCI200SYN drivers.Krzysztof Halasa2010-12-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We must not wake the TX queue without free TX descriptors. sca_xmit() expects at least one free descriptor and BUGs otherwise. Problem reported and fix tested by Bernie Innocenti and Ward Vandewege. Signed-off-by: Krzysztof Hałasa <khc@pm.waw.pl> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | bnx2x: Advance a version number to 1.60.01-0Vladislav Zolotarov2010-12-12
| | | | | | | | | | | | | | | | | | Signed-off-by: Vladislav Zolotarov <vladz@broadcom.com> Signed-off-by: Eilon Greenstein <eilong@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | bnx2x: Fixed a compilation warningVladislav Zolotarov2010-12-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | bnx2x_src_init_t2() is used only when BCM_CNIC is defined. So, to avoid a compilation warning, we won't define it unless BCM_CNIC is defined. Signed-off-by: Vladislav Zolotarov <vladz@broadcom.com> Signed-off-by: Eilon Greenstein <eilong@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | bnx2x: LSO code was broken on BE platformsVladislav Zolotarov2010-12-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Make the LSO code work on BE platforms: parsing_data field of a parsing BD (PBD) for 57712 was improperly composed which made FW read wrong values for TCP header's length and offset and, as a result, the corresponding PCI device was performing bad DMA reads triggering EEH. Signed-off-by: Vladislav Zolotarov <vladz@broadcom.com> Signed-off-by: Eilon Greenstein <eilong@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | qlge: Fix deadlock when cancelling worker.Ron Mercer2010-12-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Removing usage of rtnl_lock() to protect firmware interface registers. These registers are accessed in some worker threads and can create a deadlock if rtnl_lock is taken by upper layers while the worker is still pending. We remove rtnl_lock and use a driver mutex just while mailboxes are accessed. Signed-off-by: Ron Mercer <ron.mercer@qlogic.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | Merge branch 'vhost-net' of ↵David S. Miller2010-12-12
|\ \ \ | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
| * | | vhost: correctly set bits of dirty pagesMichael S. Tsirkin2010-11-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix two bugs in dirty page logging: When counting pages we should increase address by 1 instead of VHOST_PAGE_SIZE. Make log_write() correctly process requests that cross pages with write_address not starting at page boundary. Reported-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
* | | | net: fix skb_defer_rx_timestamp()Eric Dumazet2010-12-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | After commit c1f19b51d1d8 (net: support time stamping in phy devices.), kernel might crash if CONFIG_NETWORK_PHY_TIMESTAMPING=y and skb_defer_rx_timestamp() handles a packet without an ethernet header. Fixes kernel bugzilla #24102 Reference: https://bugzilla.kernel.org/show_bug.cgi?id=24102 Reported-and-tested-by: Andrew Watts <akwatts@ymail.com> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | | cxgb4vf: Ingress Queue Entry Size needs to be 64 bytesCasey Leedom2010-12-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Was using L1_CACHE_BYTES for the Ingress Queue Entry Size but it really needs to be 64 bytes in order to support the largest message sizes. Signed-off-by: Casey Leedom <leedom@chelsio.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | | phy: add the IC+ IP1001 driverGiuseppe CAVALLARO2010-12-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch adds the IC+ IP1001 (Gigabit Ethernet Transceiver) driver. I've had to add an additional delay (2ns) to adjust RX clock phase at GMII/ RGMII interface (according to the PHY data-sheet). This helps to have the RGMII working on some ST platforms. Signed-off-by: Giuseppe Cavallaro <peppe.cavallaro@st.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | | atm: correct sysfs 'device' link creation and parent relationshipsDan Williams2010-12-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The ATM subsystem was incorrectly creating the 'device' link for ATM nodes in sysfs. This led to incorrect device/parent relationships exposed by sysfs and udev. Instead of rolling the 'device' link by hand in the generic ATM code, pass each ATM driver's bus device down to the sysfs code and let sysfs do this stuff correctly. Signed-off-by: Dan Williams <dcbw@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | | MAINTAINERS: remove me from tulipKyle McMartin2010-12-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It was a nice idea, but -ENOTIME and -ENOHW. I never got around to doing a lot of the clean up that I intended to. Signed-off-by: Kyle McMartin <kyle@mcmartin.ca> Acked-by: Grant Grundler <grundler@parisc-linux.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | | SCTP: Fix SCTP_SET_PEER_PRIMARY_ADDR to accpet v4mapped addressWei Yongjun2010-12-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | SCTP_SET_PEER_PRIMARY_ADDR does not accpet v4mapped address, using v4mapped address in SCTP_SET_PEER_PRIMARY_ADDR socket option will get -EADDRNOTAVAIL error if v4map is enabled. This patch try to fix it by mapping v4mapped address to v4 address if allowed. Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com> Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | | enic: Bug Fix: Pass napi reference to the isr that services receive queueVasanthy Kolluri2010-12-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Pass reference to napi instead of enic device to the isr that services receive queue. Signed-off-by: Vasanthy Kolluri <vkolluri@cisco.com> Signed-off-by: Roopa Prabhu <roprabhu@cisco.com> Signed-off-by: David Wang <dwang2@cisco.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | | Merge branch 'master' of ↵David S. Miller2010-12-10
|\ \ \ \ | | |/ / | |/| | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6
| * | | orinoco: fix TKIP countermeasure behaviourDavid Kilroy2010-12-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Enable the port when disabling countermeasures, and disable it on enabling countermeasures. This bug causes the response of the system to certain attacks to be ineffective. It also prevents wpa_supplicant from getting scan results, as wpa_supplicant disables countermeasures on startup - preventing the hardware from scanning. wpa_supplicant works with ap_mode=2 despite this bug because the commit handler re-enables the port. The log tends to look like: State: DISCONNECTED -> SCANNING Starting AP scan for wildcard SSID Scan requested (ret=0) - scan timeout 5 seconds EAPOL: disable timer tick EAPOL: Supplicant port status: Unauthorized Scan timeout - try to get results Failed to get scan results Failed to get scan results - try scanning again Setting scan request: 1 sec 0 usec Starting AP scan for wildcard SSID Scan requested (ret=-1) - scan timeout 5 seconds Failed to initiate AP scan. Reported by: Giacomo Comes <comes@naic.edu> Signed-off by: David Kilroy <kilroyd@googlemail.com> Cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | | orinoco: clear countermeasure setting on commitDavid Kilroy2010-12-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ... and interface up. In these situations, you are usually trying to connect to a new AP, so keeping TKIP countermeasures active is confusing. This is already how the driver behaves (inadvertently). However, querying SIOCGIWAUTH may tell userspace that countermeasures are active when they aren't. Clear the setting so that the reporting matches what the driver has done.. Signed-off by: David Kilroy <kilroyd@googlemail.com> Cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | | mac80211: Fix BUG in pskb_expand_head when transmitting shared skbsHelmut Schaa2010-12-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | mac80211 doesn't handle shared skbs correctly at the moment. As a result a possible resize can trigger a BUG in pskb_expand_head. [ 676.030000] Kernel bug detected[#1]: [ 676.030000] Cpu 0 [ 676.030000] $ 0 : 00000000 00000000 819662ff 00000002 [ 676.030000] $ 4 : 81966200 00000020 00000000 00000020 [ 676.030000] $ 8 : 819662e0 800043c0 00000002 00020000 [ 676.030000] $12 : 3b9aca00 00000000 00000000 00470000 [ 676.030000] $16 : 80ea2000 00000000 00000000 00000000 [ 676.030000] $20 : 818aa200 80ea2018 80ea2000 00000008 [ 676.030000] $24 : 00000002 800ace5c [ 676.030000] $28 : 8199a000 8199bd20 81938f88 80f180d4 [ 676.030000] Hi : 0000026e [ 676.030000] Lo : 0000757e [ 676.030000] epc : 801245e4 pskb_expand_head+0x44/0x1d8 [ 676.030000] Not tainted [ 676.030000] ra : 80f180d4 ieee80211_skb_resize+0xb0/0x114 [mac80211] [ 676.030000] Status: 1000a403 KERNEL EXL IE [ 676.030000] Cause : 10800024 [ 676.030000] PrId : 0001964c (MIPS 24Kc) [ 676.030000] Modules linked in: mac80211_hwsim rt2800lib rt2x00soc rt2x00pci rt2x00lib mac80211 crc_itu_t crc_ccitt cfg80211 compat arc4 aes_generic deflate ecb cbc [last unloaded: rt2800pci] [ 676.030000] Process kpktgend_0 (pid: 97, threadinfo=8199a000, task=81879f48, tls=00000000) [ 676.030000] Stack : ffffffff 00000000 00000000 00000014 00000004 80ea2000 00000000 00000000 [ 676.030000] 818aa200 80f180d4 ffffffff 0000000a 81879f78 81879f48 81879f48 00000018 [ 676.030000] 81966246 80ea2000 818432e0 80f1a420 80203050 81814d98 00000001 81879f48 [ 676.030000] 81879f48 00000018 81966246 818432e0 0000001a 8199bdd4 0000001c 80f1b72c [ 676.030000] 80203020 8001292c 80ef4aa2 7f10b55d 801ab5b8 81879f48 00000188 80005c90 [ 676.030000] ... [ 676.030000] Call Trace: [ 676.030000] [<801245e4>] pskb_expand_head+0x44/0x1d8 [ 676.030000] [<80f180d4>] ieee80211_skb_resize+0xb0/0x114 [mac80211] [ 676.030000] [<80f1a420>] ieee80211_xmit+0x150/0x22c [mac80211] [ 676.030000] [<80f1b72c>] ieee80211_subif_start_xmit+0x6f4/0x73c [mac80211] [ 676.030000] [<8014361c>] pktgen_thread_worker+0xfac/0x16f8 [ 676.030000] [<8002ebe8>] kthread+0x7c/0x88 [ 676.030000] [<80008e0c>] kernel_thread_helper+0x10/0x18 [ 676.030000] [ 676.030000] [ 676.030000] Code: 24020001 10620005 2502001f <0200000d> 0804917a 00000000 2502001f 00441023 00531021 Fix this by making a local copy of shared skbs prior to mangeling them. To avoid copying the skb unnecessarily move the skb_copy call below the checks that don't need write access to the skb. Also, move the assignment of nh_pos and h_pos below the skb_copy to point to the correct skb. It would be possible to avoid another resize of the copied skb by using skb_copy_expand instead of skb_copy but that would make the patch more complex. Also, shared skbs are a corner case right now, so the resize shouldn't matter much. Cc: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com> Cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | | ath9k_htc: Fix suspend/resumeSujith Manoharan2010-12-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The HW has to be set to FULLSLEEP mode during suspend, when no interface has been brought up. Not doing this would break resume, as the chip won't be powered up at all. Signed-off-by: Sujith Manoharan <Sujith.Manoharan@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | | ath5k: Put the right tsf value in mesh beaconsJavier Cardona2010-12-08
| | | | | | | | | | | | | | | | | | | | Signed-off-by: Javier Cardona <javier@cozybit.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | | ath5k: Prevent mesh interfaces from being counted as ad-hocJavier Cardona2010-12-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This results in an erroneus num_adhoc_vifs count, as the this counter was incremented but not decremented for mesh interfaces. Signed-off-by: Javier Cardona <javier@cozybit.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | | ath5k: Fix beaconing in mesh modeJavier Cardona2010-12-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes the oops below when attempting to bring up a mesh interface on ath5k hardware. [ 128.933099] kernel BUG at drivers/net/wireless/ath/ath5k/base.c:197! [ 128.933099] invalid opcode: 0000 [#1] (...) [ 128.933099] Call Trace: [ 128.933099] [<c83b77fa>] ? ath5k_beacon_update+0x57/0x1f8 [ath5k] [ 128.933099] [<c02d9a40>] ? __sysfs_add_one+0x28/0x76 [ 128.933099] [<c83b830e>] ? ath5k_bss_info_changed+0x13f/0x173 [ath5k] [ 128.933099] [<c82ff629>] ? ieee80211_config_beacon+0xc0/0x17e [mac80211] [ 128.933099] [<c82f073e>] ? ieee80211_bss_info_change_notify+0x182/0x18b [mac80211] [ 128.933099] [<c83b81cf>] ? ath5k_bss_info_changed+0x0/0x173 [ath5k] [ 128.933099] [<c82ff6d6>] ? ieee80211_config_beacon+0x16d/0x17e [mac80211] [ 128.933099] [<c82ff753>] ? ieee80211_add_beacon+0x34/0x39 [mac80211] [ 128.933099] [<c830a4ed>] ? ieee80211s_init+0xf8/0x10f [mac80211] [ 128.933099] [<c830a5df>] ? ieee80211_mesh_init_sdata+0xdb/0x154 [mac80211] Signed-off-by: Javier Cardona <javier@cozybit.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | | orinoco: initialise priv->hw before assigning the interruptDavid Kilroy2010-12-08
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The interrupt handler takes a lock - but since commit bcad6e80f3f this lock goes through an indirection specified in the hermes_t structure. We must therefore initialise the structure before setting up the interrupt handler. Fix orinoco_cs and spectrum_cs <https://bugzilla.kernel.org/show_bug.cgi?id=23932> Bisected by: Matt Domsch <Matt_Domsch@dell.com> Signed-off by: David Kilroy <kilroyd@googlemail.com> Cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | | ath9k: fix beacon resource related race conditionRajkumar Manoharan2010-12-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The beacon tasklet is accesssing the bslot info for beacon generation. Meanwhile the same slot can be freed on interface deletion. Current the remove_interface disables the beacon alert after freeing the slot. This may leads to null pointer access. This patch disables SWBA and kills the beacon tasklet to prevent access to the slot to be freed. After releasing the slot, swba will be enabled again upon the availablity of beaconing interfaces. Signed-off-by: Rajkumar Manoharan <rmanoharan@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | | ath9k: Fix STA disconnect issue due to received MIC failed bcast framesSenthil Balasubramanian2010-12-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | AR_RxKeyIdxValid will not be set for bcast/mcast frames and so relying this status for MIC failed frames is buggy. Due to this, MIC failure events for broadcast frames are not sent to supplicant resulted in AP disconnecting the STA. Able to pass Wifi Test case 5.2.18 with this fix. Cc: Stable <stable@kernel.org> (2.6.36+) Signed-off-by: Senthil Balasubramanian <senthilkumar@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | | ath9k: fix a DMA related race condition on resetFelix Fietkau2010-12-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When ath_drain_all_txq fails to stop DMA, it issues a hw reset. This reset happens at a very problematic point in time, when the hardware rx path has not been stopped yet. This could lead to memory corruption, hardware hangs or other issues. To fix these issues, simply remove the reset entirely and check the tx DMA stop status to prevent problems with fast channel changes. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| * | | ath9k: fix bug in tx powerMatteo Croce2010-12-07
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | The ath9k driver subtracts 3 dBm to the txpower as with two radios the signal power is doubled. The resulting value is assigned in an u16 which overflows and makes the card work at full power. Cc: stable@kernel.org Signed-off-by: Matteo Croce <matteo@openwrt.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>