Commit Graph

65300 Commits

Author SHA1 Message Date
Benjamin Herrenschmidt
71e4eda8ce Fix non-terminated PCI match table in PowerMac IDE
The PCI device table in the powermac IDE driver isn't properly
terminated.  Depending on how your kernel is linked and other random
factors, you can end up with this driver matched against any other PCI
device in your system, possibly crashing at boot.

Thanks to Heikki for tracking this down with me, the bug have been there
for some time, though it rarely hurts due to luck.  In this case, the
switch from .22 to .23-rc9 is causing it to show up due to differences
in the resulting layout of .data I suppose.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <pmac@au1.ibm.com>
Cc: Bartlomiej Zolnierkiewicz <B.Zolnierkiewicz@elka.pw.edu.pl>
Cc: Heikki Lindholm <holindho@cs.helsinki.fi>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-10-06 09:32:56 -07:00
Jeremy Fitzhardinge
67dd5a25f4 xen: disable split pte locks for now
When pinning and unpinning pagetables, we must protect them against
being used by other CPUs, lest they see the pagetable in an
intermediate read-only-but-not-pinned state.

When using split pte locks, doing this properly would require taking
all the pte locks for the pagetable while pinning, but this may overflow
the PREEMPT_BITS part of the preempt counter if the process has mapped
more than about 512M of memory.

However, failing to take the pte locks causes write-protect faults when
the pageout code is trying to clear the Access bit on a pte which is part
of a freshy created and still being pinned process after fork.

This is a short-term fix until the problem is solved properly.

Signed-off-by: Jeremy Fitzhardinge <jeremy@xensource.com>
Acked-by: Rik van Riel <riel@redhat.com>
Acked-by: Hugh Dickins <hugh@veritas.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andi Kleen <ak@suse.de>
Cc: Keir Fraser <keir@xensource.com>
Cc: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-10-06 09:31:30 -07:00
Linus Torvalds
9f34073b4e Merge master.kernel.org:/home/rmk/linux-2.6-arm
* master.kernel.org:/home/rmk/linux-2.6-arm:
  [ARM] 4598/2: OSIRIS: Ensure we do not get nRSTOUT during suspend
  [ARM] 4597/2: OSIRIS: ensure CPLD0 is preserved after suspend
2007-10-05 14:09:10 -07:00
Ben Dooks
4afcddae4c [ARM] 4598/2: OSIRIS: Ensure we do not get nRSTOUT during suspend
Ensure nRSTOUT is not asserted during or on resume.

Signed-off-by: Ben Dooks <ben-linux@fluff.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2007-10-05 21:21:43 +01:00
Ben Dooks
28047eced8 [ARM] 4597/2: OSIRIS: ensure CPLD0 is preserved after suspend
Ensure that CPLD is restored to the original state
on resume, and that before going into suspend we
select the NAND bank we booted from for restarting.

Signed-off-by: Ben Dooks <ben-linux@fluff.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2007-10-05 21:21:40 +01:00
Francois Romieu
c946b30472 r8169: revert part of 6dccd16b7c
The 8169/8110SC currently announces itself as:
[...]
eth0: RTL8169sc/8110sc at 0x........, ..:..:..:..:..:.., XID 18000000 IRQ ..
                                                             ^^^^^^^^
It uses RTL_GIGA_MAC_VER_05 and this part of the changeset can cut
its performance by a factor of 2~2.5 as reported by Timo.

(the driver includes code just before the hunk to write the ChipCmd
register when mac_version == RTL_GIGA_MAC_VER_0[1-4])

Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Cc: Timo Jantunen <jeti@welho.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-10-05 14:05:48 -04:00
Linus Torvalds
af299901ef Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6
* 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6:
  [SPARC64]: Fix 'niu' complex IRQ probing.
  [SPARC64]: check fork_idle() error
  [SPARC64]: Temporary workaround for PCI-E slot on T1000.
  [SPARC64]: VIO device addition log message level is too high.
  [SPARC64]: Fix domain-services port probing.
  [SPARC64]: Don't use in/local regs for ldx/stx data in N1 memcpy.
2007-10-05 08:08:08 -07:00
Serge Belyshev
4ecbca8554 Remove unnecessary cast in prefetch()
It is ok to call prefetch() function with NULL argument, as specifically
commented in include/linux/prefetch.h.  But in standard C, it is invalid
to dereference NULL pointer (see C99 standard 6.5.3.2 paragraph 4 and
note #84).

prefetch() has a memory reference for its argument.

Newer gcc versions (4.3 and above) will use that to conclude that "x"
argument is non-null and thus wreaking havok everywhere prefetch() was
inlined.

Fixed by removing cast and changing asm constraint.

[ It seems in theory gcc 4.2 could miscompile this too; although no
  cases known.  In 2.6.24 we should probably switch to
  __builtin_prefetch() instead, but this is a simpler fix for now.
				-- AK ]

Signed-off-by: Serge Belyshev <belyshev@depni.sinp.msu.ru>
Signed-off-by: Andi Kleen <ak@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-10-05 08:04:35 -07:00
David S. Miller
b2b27757b6 [SPARC64]: Fix 'niu' complex IRQ probing.
They should be computed the same as how we compute
them under 'virtual-devices'.

Signed-off-by: David S. Miller <davem@davemloft.net>
2007-10-04 15:03:35 -07:00
Akinobu Mita
1177bf9704 [SPARC64]: check fork_idle() error
Check the return value of fork_idle() to catch error.

Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-10-04 14:55:59 -07:00
Linus Torvalds
9cdcaa2c93 Merge master.kernel.org:/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6
* master.kernel.org:/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6:
  [SCSI] megaraid_old: fix READ_CAPACITY
2007-10-04 10:29:19 -07:00
Hugh Dickins
16abfa0860 Fix sys_remap_file_pages BUG at highmem.c:15!
Gurudas Pai reports kernel BUG at arch/i386/mm/highmem.c:15! below
sys_remap_file_pages, while running Oracle database test on x86 in 6GB
RAM: kunmap thinks we're in_interrupt because the preempt count has
wrapped.

That's because __do_fault expected to unmap page_table, but one of its
two callers do_nonlinear_fault already unmapped it: let do_linear_fault
unmap it first too, and then there's no need to pass the page_table arg
down.

Why have we been so slow to notice this? Probably through forgetting
that the mapping_cap_account_dirty test means that sys_remap_file_pages
nowadays only goes the full nonlinear vma route on a few memory-backed
filesystems like ramfs, tmpfs and hugetlbfs.

[ It also depends on CONFIG_HIGHPTE, so it becomes even harder to
  trigger in practice. Many who have need of large memory have probably
  migrated to x86-64..

  Problem introduced by commit d0217ac04c
  ("mm: fault feedback #1")                -- Linus ]

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: gurudas pai <gurudas.pai@oracle.com>
Cc: Nick Piggin <nickpiggin@yahoo.com.au>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-10-04 10:13:09 -07:00
FUJITA Tomonori
d5e89385e9 [SCSI] megaraid_old: fix READ_CAPACITY
The bulk transfer mode got eleminated by
3f6270ef76.  Unfortunately, this mode is
required for READ_CAPACITY commands on certain cards, so put it back
again.  This fixes a boot failure regression reported by Burton
Windle.

Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
2007-10-04 12:08:49 -04:00
David S. Miller
27097ef9ff [SPARC64]: Temporary workaround for PCI-E slot on T1000.
The PCI-E slot on T1000 connects directly to the Fire PCI chip with no
intervening bridges visible in the OBP tree.

Unfortunately the bus numbering of the device in that slot is
different (2) from the PCI host controller (0), and thus the
pci_bus_{read,write}_config_*() calls don't work out.

Complicating things further the Fire PCI controller has no config
space it responds to either.

For now treat this case specially so that devices in the slot work.

Longer term we need to perhaps cons up a dummy bridge between the Fire
and the PCI-E slot so that the bus hierarchy is complete inside of the
kernel and thus the bus numbering all works out right.

Signed-off-by: David S. Miller <davem@davemloft.net>
2007-10-03 21:37:57 -07:00
David S. Miller
e2fd58d06f [SPARC64]: VIO device addition log message level is too high.
There is no reason this should be KERN_ERR, KERN_INFO is
just fine.

Signed-off-by: David S. Miller <davem@davemloft.net>
2007-10-03 21:23:40 -07:00
David S. Miller
07607c5492 [SPARC64]: Fix domain-services port probing.
We should only use ports underneath "domain-services", other DS ports
in the MDESC aren't for us to use.

Signed-off-by: David S. Miller <davem@davemloft.net>
2007-10-03 21:08:11 -07:00
Linus Torvalds
804b3f9a16 Merge branch 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev
* 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev:
  drivers/ata/pata_ixp4xx_cf.c: ioremap return code check
  Ata: pata_marvell, use ioread* for iomap-ped memory
  libata: fix for sata_mv >64KB DMA segments
2007-10-03 15:44:10 -07:00
Linus Torvalds
3e0ca2f148 Merge branch 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/netdev-2.6
* 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/netdev-2.6:
  sky2: jumbo frame regression fix
  [PATCH] softmac: Fix compiler-warning
  [PATCH] bcm43xx: Correct printk with PFX before KERN_
2007-10-03 15:43:36 -07:00
Linus Torvalds
c7659e2c13 Merge branch 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus
* 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus:
  [MIPS] Terminally fix local_{dec,sub}_if_positive
  [MIPS] Type proof reimplementation of cmpxchg.
  [MIPS] pg-r4k.c: Fix a typo in an R4600 v2 erratum workaround
2007-10-03 15:43:17 -07:00
Linus Torvalds
66b1f1a982 Merge branch 'for-linus' of master.kernel.org:/pub/scm/linux/kernel/git/cooloney/blackfin-2.6
* 'for-linus' of master.kernel.org:/pub/scm/linux/kernel/git/cooloney/blackfin-2.6:
  Blackfin arch: fix PORT_J BUG for BF537/6 EMAC driver reported by Kalle Pokki <kalle.pokki@iki.fi>
  Blackfin arch: gpio pinmux and resource allocation API required by BF537 on chip ethernet mac driver
  Blackfin arch: add some missing syscall
  binfmt_flat: checkpatch fixing minimum support for the blackfin relocations
  Binfmt_flat: Add minimum support for the Blackfin relocations
2007-10-03 15:34:07 -07:00
Scott Thompson
991bf528f6 drivers/ata/pata_ixp4xx_cf.c: ioremap return code check
Add missing ioremap return checks.

Signed-off-by: Scott Thompson <postfail <at> hushmail.com>
Acked-by: Tejun Heo <htejun@gmail.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-10-03 14:43:28 -04:00
Jiri Slaby
90925d3050 Ata: pata_marvell, use ioread* for iomap-ped memory
pata_marvell, use ioread* for iomap-ped memory

read* on pci_iomapped memory is incorrect, fix it

Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-10-03 14:43:27 -04:00
Olof Johansson
4007b493ee libata: fix for sata_mv >64KB DMA segments
Fix bug in sata_mv for cases where the IOMMU layer has merged SG entries
to larger than 64KB. They need to be split up before being sent to
the driver.

Just for simplicity's sake, split up at 64K boundary instead of 64K size,
since that's what the common code does anyway.

Signed-off-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-10-03 14:41:20 -04:00
Sunil Mushran
bda0233b89 ocfs2: Unlock mutex in local alloc failure case
The fs was not unlocking the local alloc inode mutex in the code path in
which it failed to find a window of free bits in the global bitmap.

Signed-off-by: Sunil Mushran <sunil.mushran@oracle.com>
Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com>
2007-10-03 11:14:45 -07:00
Stephen Hemminger
529d303e07 sky2: jumbo frame regression fix
Remove unneeded check that caused problems with jumbo frame sizes.
The check was recently added and is wrong.
When using jumbo frames the sky2 driver does fragmentation, so
rx_data_size is less than mtu.

Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-10-03 13:39:42 -04:00
Jeff Garzik
5c55c43491 Merge branch 'fixes-jgarzik' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 into upstream-fixes 2007-10-03 13:39:16 -04:00
Michael Hennerich
cda6a20b68 Blackfin arch: fix PORT_J BUG for BF537/6 EMAC driver reported by Kalle Pokki <kalle.pokki@iki.fi>
Cc: Kalle Pokki <kalle.pokki@iki.fi>
Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
Signed-off-by: Bryan Wu <bryan.wu@analog.com>
2007-10-04 00:36:18 +08:00
Michael Hennerich
c58c2140f0 Blackfin arch: gpio pinmux and resource allocation API required by BF537 on chip ethernet mac driver
Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
Signed-off-by: Bryan Wu <bryan.wu@analog.com>
2007-10-04 00:35:05 +08:00
Ralf Baechle
9ea0f043fe [MIPS] Terminally fix local_{dec,sub}_if_positive
They contain 64-bit instructions so wouldn't work on 32-bit kernels or
32-bit hardware.  Since there are no users, blow them away.  They
probably were only ever created because there are atomic_sub_if_positive
and atomic_dec_if_positive which exist only for sake of semaphores.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2007-10-03 14:30:52 +01:00
Ralf Baechle
fef74705ea [MIPS] Type proof reimplementation of cmpxchg.
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2007-10-03 14:30:52 +01:00
Maciej W. Rozycki
f6a9e6dec5 [MIPS] pg-r4k.c: Fix a typo in an R4600 v2 erratum workaround
Restore a load from KSEG1 done as a workaround for an R4600 v2
erratum, dropped with 211be16de99a7424e66c0b6c0d00e2c970508ac2.

Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2007-10-03 14:30:51 +01:00
Richard Knutsson
ee0a8169b6 [PATCH] softmac: Fix compiler-warning
CC      net/ieee80211/softmac/ieee80211softmac_wx.o
/home/kernel/src/net/ieee80211/softmac/ieee80211softmac_wx.c: In function ‘ieee80211softmac_wx_set_essid’:
/home/kernel/src/net/ieee80211/softmac/ieee80211softmac_wx.c:117: warning: label ‘out’ defined but not used

due to commit: efe870f9f4. Removing the label.

Signed-off-by: Richard Knutsson <ricknu-0@student.ltu.se>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2007-10-02 19:41:33 -04:00
David S. Miller
a4aa2e867c [SPARC64]: Don't use in/local regs for ldx/stx data in N1 memcpy.
It doesn't matter for use in 64-bit objects, but when used in
32-bit environments the top 32-bits of the local and in
registers will get chopped off on the next register window
spill/restore which leads to difficult to track down and
subtle bugs.

Signed-off-by: David S. Miller <davem@davemloft.net>
2007-10-02 16:17:17 -07:00
Joe Perches
4365e99f95 [PATCH] bcm43xx: Correct printk with PFX before KERN_
Correct printk with PFX before KERN_ in bcm43xx_wx.c

Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2007-10-02 17:04:22 -04:00
Linus Torvalds
f778089cb2 Merge branch 'sas-fixes' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/misc-2.6
* 'sas-fixes' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/misc-2.6:
  aic94xx: fix DMA data direction for SMP requests
2007-10-02 10:41:06 -07:00
Linus Torvalds
db7a89db5e Merge branch 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/netdev-2.6
* 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/netdev-2.6:
  dm9601: Fix receive MTU
  mv643xx_eth: Do not modify struct netdev tx_queue_len
  qla3xxx: bugfix: Fix VLAN rx completion handling.
  qla3xxx: bugfix: Add memory barrier before accessing rx completion.
2007-10-02 10:40:40 -07:00
Linus Torvalds
2910ca6f8a Merge branch 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev
* 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev:
  ata_piix: add another TECRA M3 entry to broken suspend list
2007-10-02 10:40:20 -07:00
Linus Torvalds
d237098c03 Merge git://git.kernel.org/pub/scm/linux/kernel/git/mingo/linux-2.6-sched
* git://git.kernel.org/pub/scm/linux/kernel/git/mingo/linux-2.6-sched:
  sched: fix profile=sleep
2007-10-02 10:38:13 -07:00
Linus Torvalds
114d5b1ca2 Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6
* 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6:
  [SPARC64]: Fix missing load-twin usage in Niagara-1 memcpy.
  [SPARC64]: Fix put_user() calls in binfmt_aout32.c
  [SPARC]: Fix EBUS use of uninitialized variable.
2007-10-02 10:35:28 -07:00
Linus Torvalds
2b3b29080d Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
* 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6:
  [IEEE80211]: avoid integer underflow for runt rx frames
  [TCP]: secure_tcp_sequence_number() should not use a too fast clock
  [SFQ]: Remove artificial limitation for queue limit.
2007-10-02 10:34:49 -07:00
Linus Torvalds
e80eaf9904 Merge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc
* 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc:
  [POWERPC] Fix xics set_affinity code
2007-10-02 10:33:49 -07:00
Jeff Garzik
d136552e8b aic94xx: fix DMA data direction for SMP requests
DMA-mapped SMP (scsi management protocol) requests going /to/ the device
need the PCI DMA data direction to indicate such.

Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
2007-10-02 13:16:10 -04:00
Peter Korsgaard
f662fe5a0b dm9601: Fix receive MTU
dm9601 didn't take the ethernet header into account when calculating
RX MTU, causing packets bigger than 1486 to fail.

Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-10-02 12:59:10 -04:00
Dale Farnsworth
593ff56ef2 mv643xx_eth: Do not modify struct netdev tx_queue_len
This driver erroneously zeros dev->tx_queue_len, since
mp->tx_ring_size has not yet been initialized.  Actually,
the driver shouldn't modify tx_queue_len at all and should
leave the value set by alloc_etherdev(), currently 1000.

Signed-off-by: Dale Farnsworth <dale@farnsworth.org>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-10-02 12:55:10 -04:00
Ron Mercer
50626297b1 qla3xxx: bugfix: Fix VLAN rx completion handling.
Fix 4032 chip undocumented "feature" where bit-8 is set
if the inbound completion is for a VLAN.

Signed-off-by: Ron Mercer <ron.mercer@qlogic.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-10-02 12:55:10 -04:00
Ron Mercer
b323e0e49f qla3xxx: bugfix: Add memory barrier before accessing rx completion.
Signed-off-by: Ron Mercer <ron.mercer@qlogic.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-10-02 12:55:10 -04:00
Tejun Heo
4c74d4ec35 ata_piix: add another TECRA M3 entry to broken suspend list
There's a different version of DMI table for TECRA M3 where it has
proper vendor and product name entry.  Add the entry to the broken
suspend list.

Angus Turnbull reported and provided initial patch.

Signed-off-by: Tejun Heo <htejun@gmail.com>
Cc: Angus Turnbull <angus@twinhelix.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
2007-10-02 10:54:02 -04:00
Ingo Molnar
30084fbd1c sched: fix profile=sleep
fix sleep profiling - we lost this chunk in the CFS merge.

Found-by: Mel Gorman <mel@csn.ul.ie>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
2007-10-02 14:13:08 +02:00
David S. Miller
25e5566ed3 [SPARC64]: Fix missing load-twin usage in Niagara-1 memcpy.
For the case where the source is not aligned modulo 8
we don't use load-twins to suck the data in and this
kills performance since normal loads allocate in the
L1 cache (unlike load-twin) and thus big memcpys swipe
the entire L1 D-cache.

We need to allocate a register window to implement this
properly, but that actually simplifies a lot of things
as a nice side-effect.

Signed-off-by: David S. Miller <davem@davemloft.net>
2007-10-02 01:03:09 -07:00
John W. Linville
04045f98e0 [IEEE80211]: avoid integer underflow for runt rx frames
Reported by Chris Evans <scarybeasts@gmail.com>:

> The summary is that an evil 80211 frame can crash out a victim's
> machine. It only applies to drivers using the 80211 wireless code, and
> only then to certain drivers (and even then depends on a card's
> firmware not dropping a dubious packet). I must confess I'm not
> keeping track of Linux wireless support, and the different protocol
> stacks etc.
>
> Details are as follows:
>
> ieee80211_rx() does not explicitly check that "skb->len >= hdrlen".
> There are other skb->len checks, but not enough to prevent a subtle
> off-by-two error if the frame has the IEEE80211_STYPE_QOS_DATA flag
> set.
>
> This leads to integer underflow and crash here:
>
> if (frag != 0)
>    flen -= hdrlen;
>
> (flen is subsequently used as a memcpy length parameter).

How about this?

Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2007-10-01 21:03:54 -07:00