Commit Graph

154573 Commits

Author SHA1 Message Date
David S. Miller
eca4c3d2dd Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2009-08-03 19:05:50 -07:00
Mike McCormack
f6caa14aa0 sky2: Avoid transmits during sky2_down()
This patch supersedes my previous patch "sky2: Avoid transmitting
during sky2_restart".

I have reworked the patch to avoid crashes during both sky2_restart()
and sky2_set_ringparam().

Without this patch, the sky2 driver can be crashed by doing:

# pktgen eth1 &    (transmit many packets on eth1)
# ethtool -G eth1 tx 510

I am aware you object to storing extra state, but I can't see a way
around this. Without remembering that we're restarting,
netif_wake_queue() is called in the ISR from sky2_tx_complete(), and
netif_tx_lock() is used in sky2_tx_done().  If anybody can see a way
around this, please let me know.

Signed-off-by: Mike McCormack <mikem@ring3k.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-03 19:02:36 -07:00
Reinette Chatre
99f1b01562 iwlagn: do not send key clear commands when rfkill enabled
Do all key clearing except sending sommands to device when rfkill
enabled. When rfkill enabled the interface is brought down and will
be brought back up correctly after rfkill is enabled again.

Same change is not needed for iwl3945 as it ignores return code when
sending key clearing command to device.

This fixes http://bugzilla.kernel.org/show_bug.cgi?id=13742

Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Tested-by: Frans Pop <elendil@planet.nl>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-08-03 16:31:23 -04:00
Roel Kluin
b929c633b4 libertas: Read buffer overflow
Check whether index is within bounds before testing the element.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-08-03 16:31:23 -04:00
Julia Lawall
9f9857bb5e drivers/net/wireless: introduce missing kfree
Error handling code following a kzalloc should free the allocated data.

The semantic match that finds the problem is as follows:
(http://www.emn.fr/x-info/coccinelle/)

// <smpl>
@r exists@
local idexpression x;
statement S;
expression E;
identifier f,f1,l;
position p1,p2;
expression *ptr != NULL;
@@

x@p1 = \(kmalloc\|kzalloc\|kcalloc\)(...);
...
if (x == NULL) S
<... when != x
     when != if (...) { <+...x...+> }
(
x->f1 = E
|
 (x->f1 == NULL || ...)
|
 f(...,x->f1,...)
)
...>
(
 return \(0\|<+...x...+>\|ptr\);
|
 return@p2 ...;
)

@script:python@
p1 << r.p1;
p2 << r.p2;
@@

print "* file: %s kmalloc %s return %s" % (p1[0].file,p1[0].line,p2[0].line)
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-08-03 16:31:23 -04:00
Julia Lawall
c37457e69f drivers/net/wireless/iwlwifi: introduce missing kfree
Move orthogonal error handling code up before a kzalloc, so that it
doesn't have to free the allocated data.

The semantic match that finds the problem is as follows:
(http://www.emn.fr/x-info/coccinelle/)

// <smpl>
@r exists@
local idexpression x;
statement S;
expression E;
identifier f,f1,l;
position p1,p2;
expression *ptr != NULL;
@@

x@p1 = \(kmalloc\|kzalloc\|kcalloc\)(...);
...
if (x == NULL) S
<... when != x
     when != if (...) { <+...x...+> }
(
x->f1 = E
|
 (x->f1 == NULL || ...)
|
 f(...,x->f1,...)
)
...>
(
 return \(0\|<+...x...+>\|ptr\);
|
 return@p2 ...;
)

@script:python@
p1 << r.p1;
p2 << r.p2;
@@

print "* file: %s kmalloc %s return %s" % (p1[0].file,p1[0].line,p2[0].line)
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Acked-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-08-03 16:31:22 -04:00
Patrick Simmons
dbc1eec485 zd1211rw: fix unaligned access in zd_mac_rx
Fix an unaligned memory access in the zd_mac_rx function of zd1211rw
that causes problems on SPARC64.

Signed-off-by: Patrick Simmons <linuxrocks123@netscape.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-08-03 16:31:22 -04:00
Luis R. Rodriguez
371842448c cfg80211: fix regression on beacon world roaming feature
A regression was added through patch a4ed90d6:

"cfg80211: respect API on orig_flags on channel for beacon hint"

We did indeed respect _orig flags but the intention was not clearly
stated in the commit log. This patch fixes firmware issues picked
up by iwlwifi when we lift passive scan of beaconing restrictions
on channels its EEPROM has been configured to always enable.

By doing so though we also disallowed beacon hints on devices
registering their wiphy with custom world regulatory domains
enabled, this happens to be currently ath5k, ath9k and ar9170.
The passive scan and beacon restrictions on those devices would
never be lifted even if we did find a beacon and the hardware did
support such enhancements when world roaming.

Since Johannes indicates iwlwifi firmware cannot be changed to
allow beacon hinting we set up a flag now to specifically allow
drivers to disable beacon hints for devices which cannot use them.

We enable the flag on iwlwifi to disable beacon hints and by default
enable it for all other drivers. It should be noted beacon hints lift
passive scan flags and beacon restrictions when we receive a beacon from
an AP on any 5 GHz non-DFS channels, and channels 12-14 on the 2.4 GHz
band. We don't bother with channels 1-11 as those channels are allowed
world wide.

This should fix world roaming for ath5k, ath9k and ar9170, thereby
improving scan time when we receive the first beacon from any AP,
and also enabling beaconing operation (AP/IBSS/Mesh) on cards which
would otherwise not be allowed to do so. Drivers not using custom
regulatory stuff (wiphy_apply_custom_regulatory()) were not affected
by this as the orig_flags for the channels would have been cleared
upon wiphy registration.

I tested this with a world roaming ath5k card.

Cc: Jouni Malinen <jouni.malinen@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-08-03 16:31:21 -04:00
Johannes Berg
cd3468bad9 cfg80211: add two missing NULL pointer checks
These pointers can be NULL, the is_mesh() case isn't
ever hit in the current kernel, but cmp_ies() can be
hit under certain conditions.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Cc: stable@kernel.org [2.6.29, 2.6.30]
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-08-03 16:31:21 -04:00
Mallikarjuna R Chilakala
202ff1ec8e ixgbe: Patch to modify 82598 PCIe completion timeout values
The default completion timeout values for 82598 should be in the
range of 50us to 50ms, however the hardware default for these
parts is 500us to 1ms which is less than the 10ms recommended by
the pcie spec. To address this we need to increase the value to
either 10ms to 250ms for capability version 1 configuration, or
16ms to 55ms for version 2.

Signed-off-by: Mallikarjuna R Chilakala <mallikarjuna.chilakala@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-03 13:24:58 -07:00
Dave Young
af0d3b103b bluetooth: rfcomm_init bug fix
rfcomm tty may be used before rfcomm_tty_driver initilized,
The problem is that now socket layer init before tty layer, if userspace
program do socket callback right here then oops will happen.

reporting in:
http://marc.info/?l=linux-bluetooth&m=124404919324542&w=2

make 3 changes:
1. remove #ifdef in rfcomm/core.c,
make it blank function when rfcomm tty not selected in rfcomm.h

2. tune the rfcomm_init error patch to ensure
tty driver initilized before rfcomm socket usage.

3. remove __exit for rfcomm_cleanup_sockets
because above change need call it in a __init function.

Reported-by: Oliver Hartkopp <oliver@hartkopp.net>
Tested-by: Oliver Hartkopp <oliver@hartkopp.net>
Signed-off-by: Dave Young <hidave.darkstar@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-03 13:24:39 -07:00
Yevgeny Petrilin
eb4ad82641 mlx4_en: Fix double pci unmapping.
In cases of fragmented skb, with the data pointers being wrapped around
the TX buffer, the completion handling code would not forward the data
pointer and the firs fragment was unmapped several times, while others
were not unmapped at all.

Signed-off-by: Yevgeny Petrilin <yevgenyp@mellanox.co.il>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-02 20:22:18 -07:00
Andreas Eversberg
b564afcfb8 mISDN: Fix handling of receive buffer size in L1oIP
The size of receive buffer pointer was used to get size of
receive buffer instead of recvbuf_size itself, so only 4/8
bytes could be transfered.

This is a regression to 2.6.30 introduced by commit 8c90e11e35
mISDN: Use kernel_{send,recv}msg instead of open coding

Signed-off-by: Andreas Eversberg <andreas@eversberg.eu>
Signed-off-by: Karsten Keil <keil@b1-systems.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-02 12:59:32 -07:00
Don Fry
63097b3ad8 pcnet32: VLB support fixes
VLB support has been broken since at least 2004-2005 period as some
changes introduced back then assumed that ->pci_dev is always valid,
lets try to fix it:

- remove duplicated SET_NETDEV_DEV() call

- call SET_NETDEV_DEV() only for PCI devices

- check for ->pci_dev validity in pcnet32_open()

[ Alternatively we may consider removing VLB support but there would not
  be much gain in it since an extra driver code needed for VLB support is
  minimal and quite simple. ]

This takes care of the following entry from Dan's list:

drivers/net/pcnet32.c +1889 pcnet32_probe1(298) warning: variable derefenced before check 'pdev'

Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Acked-by:  Don Fry <pcnet32@verizon.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-02 12:23:06 -07:00
Don Fry
df4e7f72f5 pcnet32: remove superfluous NULL pointer check in pcnet32_probe1()
Move the debug printk() into the proper place and remove superfluous
NULL pointer check in pcnet32_probe1().

This takes care of the following entry from Dan's list:

drivers/net/pcnet32.c +1889 pcnet32_probe1(298) warning: variable derefenced before check 'pdev'

Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Acked-by:  Don Fry <pcnet32@verizon.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-02 12:23:05 -07:00
Jiri Pirko
a6ac65db23 net: restore the original spinlock to protect unicast list
There is a path when an assetion in dev_unicast_sync() appears.

igmp6_group_added -> dev_mc_add -> __dev_set_rx_mode ->
-> vlan_dev_set_rx_mode -> dev_unicast_sync

Therefore we cannot protect this list with rtnl. This patch restores the
original protecting this list with spinlock.

Signed-off-by: Jiri Pirko <jpirko@redhat.com>
Tested-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-02 12:20:46 -07:00
Dhananjay Phadke
50c643e765 netxen: fix coherent dma mask setting
Change default dma mask for NX3031 to 39 bit with ability
to update it to 64-bit (if firmware indicates support). Old
code was restricting it under 4GB (32-bit), sometimes causing
failure to allocate descriptor rings on heavily populated
system. NX2031 based NICs will still get 32-bit coherent mask.

Signed-off-by: Dhananjay Phadke <dhananjay@netxen.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-02 12:20:44 -07:00
roel kluin
9bfdac94c7 mISDN: Read buffer overflow
Check whether index is within bounds before testing the element.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Acked-by: Karsten Keil <keil@b1-systems.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-02 12:20:42 -07:00
roel kluin
54706d9905 s6gmac: Read buffer overflow
Check whether index is within bounds before testing the element.
In the last iteration i is PHY_MAX_ADDR. the condition
`!(p = pd->mii.bus->phy_map[PHY_MAX_ADDR])' is undefined and may
evaluate to false, which leads to a dereference of this invalid
phy_map in the phy_connect() below.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-02 12:20:40 -07:00
roel kluin
1b994b5a1b tulip: Read buffer overflow
Check whether index is within bounds before testing the element.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-02 12:20:38 -07:00
Eric Dumazet
144586301f net: net_assign_generic() fix
memcpy() should take into account size of pointers,
not only number of pointers to copy.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-02 12:20:36 -07:00
Eric Dumazet
446e72f30e pppol2tp: calls unregister_pernet_gen_device() at unload time
Failure to call unregister_pernet_gen_device() can exhaust memory
if module is loaded/unloaded many times.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-02 12:20:34 -07:00
Ben McKeegan
a53a8b5682 ppp: fix lost fragments in ppp_mp_explode() (resubmit)
This patch fixes the corner cases where the sum of MTU of the free
channels (adjusted for fragmentation overheads) is less than the MTU
of PPP link.  There are at least 3 situations where this case might
arise:

- some of the channels are busy

- the multilink session is running in a degraded state (i.e. with less
than its full complement of active channels)

- by design, where multilink protocol is being used to artificially
increase the effective link MTU of a single link.

Without this patch, at most 1 fragment is ever sent per free channel
for a given PPP frame and any remaining part of the PPP frame that
does not fit into those fragments is silently discarded.

This patch restores the original behaviour which was broken by commit
9c705260fe 'ppp:ppp_mp_explode()
redesign'.  Once all 'free' channels have been given a fragment, an
additional fragment is queued to each available channel in turn, as many
times as necessary, until the entire PPP frame has been consumed.

Signed-off-by: Ben McKeegan <ben@netservers.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-08-02 12:20:31 -07:00
Peter P Waskiewicz Jr
0a924578bc ixgbe: Fix RSC completion delay causing Rx interrupts to stop
When a user disables interrupt throttling with ethtool on 82599 devices,
the interrupt timer may not be re-enabled if hardware RSC is running.  The
RSC completions in hardware don't complete before the next ITR event tries
to fire, so the ITR timer never gets re-armed.  This patch increases the
amount of time between interrupts when throttling is disabled (rx-usecs =
0) when the hardware RSC deature is enabled.

Signed-off-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-30 19:00:30 -07:00
Peter P Waskiewicz Jr
0c19d6af92 ixgbe: Fix usage of second flags bitmap when using LRO/RSC
A second set of feature flag bits was added, and the hardware RSC engine
flags were moved there.  However, the code itself didn't make the move
completely to use the new bitmap.

Signed-off-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Acked-by: Mallikarjuna R Chilakala <mallikarjuna.chilakala@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-30 19:00:29 -07:00
Peter P Waskiewicz Jr
8f9a71673d ixgbe: Fix netpoll to be properly multiqueue aware
Our ndo_poll_controller callback is broken for anything but non-multiqueue
setups.  This fixes that issue.

Signed-off-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-30 19:00:24 -07:00
Jiajun Wu
accff95c25 gianfar: fix coalescing setup in ethtool support
Parameter order for using mk_ic_value(count, time) was reversed,
the patch fixes this.

Signed-off-by: Jiajun Wu <b06378@freescale.com>
Signed-off-by: Li Yang <leoli@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-30 14:20:42 -07:00
Eric Dumazet
72fc939789 pppoe: fix /proc/net/pppoe
If a socket is hashed in last slot of pppoe hash table (PPPOE_HASH_SIZE-1)
we report it many times (up to filling seq buffer)
(Only the last socket of last slot)

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-30 14:19:19 -07:00
roel kluin
f0c5b35c6c eexpress: Read buffer overflow
start_code is 69 words, but the code always writes a multiple of 16 words,
so the last 11 words written are outside the array.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-30 13:27:34 -07:00
roel kluin
a3e8ee6820 ipv4: ARP neigh procfs buffer overflow
If arp_format_neigh_entry() can be called with n->dev->addr_len == 0, then a
write to hbuffer[-1] occurs.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-30 13:27:29 -07:00
roel kluin
3d54015b75 3c515: Write outside array bounds
if dev_alloc_skb() fails on the first iteration, a write to
cp->rx_ring[-1] occurs.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-30 13:27:28 -07:00
Tobias Klauser
2a8aaacda5 docbook: fix printk of ip address
Use the %pI4 format string instead of %d.%d.%d.%d and NIPQUAD.

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-30 13:10:50 -07:00
Michael Chan
a541f8401d iscsi: Use GFP_ATOMIC in iscsi_offload_mesg().
Changing to GFP_ATOMIC because the only caller in cnic/bnx2i may
be calling this function while holding spin_lock.

This problem was discovered by Mike Christie.

Signed-off-by: Michael Chan <mchan@broadcom.com>
Acked-by: Mike Christie <michaelc@cs.wisc.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-30 11:05:03 -07:00
Julia Lawall
ca7daea612 net/netlabel: Add kmalloc NULL tests
The test on map4 should be a test on map6.

The semantic match that finds this problem is as follows:
(http://www.emn.fr/x-info/coccinelle/)

// <smpl>
@@
expression *x;
identifier f;
constant char *C;
@@

x = \(kmalloc\|kcalloc\|kzalloc\)(...);
... when != x == NULL
    when != x != NULL
    when != (x || ...)
(
kfree(x)
|
f(...,C,...,x,...)
|
*f(...,x,...)
|
*x->f
)
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Acked-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-30 10:58:28 -07:00
David S. Miller
a1b97440ee Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2009-07-30 10:35:45 -07:00
Johannes Berg
89c3a8aca2 mac80211: fix suspend
Jan reported that his b43-based laptop hangs during suspend.
The problem turned out to be mac80211 asking the driver to
stop the hardware before removing interfaces, and interface
removal caused b43 to touch the hardware (while down, which
causes the hang).

This patch fixes mac80211 to do reorder these operations to
have them in the correct order -- first remove interfaces
and then stop the hardware. Some more code is necessary to
be able to do so in a race-free manner, in particular it is
necessary to not process frames received during quiescing.

Fixes http://bugzilla.kernel.org/show_bug.cgi?id=13337.

Reported-by: Jan Scholz <scholz@fias.uni-frankfurt.de>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-29 14:52:01 -04:00
Roel Kluin
57921c312e libertas: Read buffer overflow
Several arrays were read before checking whether the index was within
bounds. ARRAY_SIZE() should be used to determine the size of arrays.

rates->rates has an arraysize of 1, so calling get_common_rates()
with a rates_size of MAX_RATES (14) was causing reads out of bounds.

tmp_size can increment at most to (ARRAY_SIZE(lbs_bg_rates) - 1) *
(*rates_size - 1), so that should be the number of elements of tmp[].

A goto can be eliminated: ret was already set upon its declaration.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-29 14:52:01 -04:00
Roel Kluin
430453fc2a libertas: Read outside array bounds
reads bss->rates[j] before checking bounds of index, and should use
ARRAY_SIZE to determine the size of the array.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Acked-by: Holger Schurig <hs4233@mail.mn-solutions.de>
Acked-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-29 14:52:01 -04:00
Stephen Hemminger
27fed4175a ip: fix logic of reverse path filter sysctl
Even though reverse path filter was changed from simple boolean to
trinary control, the loose mode only works if both all and device are
configured because of this logic error.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-27 18:39:45 -07:00
Luis R. Rodriguez
78f1a8b758 mac80211: do not queue work after suspend in the dynamic ps timer
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-27 15:19:38 -04:00
Roel Kluin
082e708acc iwlwifi: Read outside array bounds
tid is bounded (above) by the size of default_tid_to_tx_fifo (17 elements), but
the size of priv->stations[].tid[] is MAX_TID_COUNT (9) elements.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-27 15:19:37 -04:00
Roel Kluin
008749fc99 ath9k: Read outside array bounds
Incorrect limits leads to reads outside array bounds.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Acked-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-27 15:19:36 -04:00
Roel Kluin
3d0ccd021b airo: Buffer overflow
SSID_rid has space for only 3 ssids.
txPowerLevels[i] is read before the bounds check for i

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Acked-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-27 15:19:36 -04:00
Dan Carpenter
2a21f86917 wireless: ERR_PTR vs null
iwm_wdev_alloc() returns an ERR_PTR on failure and not null.  It also
prints its own dev_err() message so I removed that as well.

Compile tested only.  Sorry.
Found by smatch (http://repo.or.cz/w/smatch.git).

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-27 15:19:35 -04:00
reinette chatre
45f5fa32b1 iwlagn: fix minimum number of queues setting
We need to provide a reasonable minimum that will result in a
working setup if used. Set minimum to be 10 to provide for
4 standard TX queues + 1 command queue + 2 (unused) HCCA queues +
4 HT queues (one per AC).

We allow the user to change the number of queues used via a module
parameter and use this minimum value to check if it is valid. Without
this patch a user can select a value for the number of queues that
will result in a failing setup.

Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Reviewed-by: Tomas Winkler <tomas.winkler@intel.com>
Acked-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-27 15:19:35 -04:00
Johannes Berg
3995bd9332 iwlwifi: fix TX queue race
I had a problem on 4965 hardware (well, probably other hardware too,
but others don't survive my stress testing right now, unfortunately)
where the driver was sending invalid commands to the device, but no
such thing could be seen from the driver's point of view. I could
reproduce this fairly easily by sending multiple TCP streams with
iperf on different TIDs, though sometimes a single iperf stream was
sufficient. It even happened with a single core, but I have forced
preemption turned on.

The culprit was a queue overrun, where we advanced the queue's write
pointer over the read pointer. After careful analysis I've come to
the conclusion that the cause is a race condition between iwlwifi
and mac80211.

mac80211, of course, checks whether the queue is stopped, before
transmitting a frame. This effectively looks like this:

        lock(queues)
        if (stopped(queue)) {
                unlock(queues)
                return busy;
	}
        unlock(queues)
        ...             <-- this place will be important
			    there is some more code here
        drv_tx(frame)

The driver, on the other hand, can stop and start queues, which does

        lock(queues)
        mark_running/stopped(queue)
        unlock(queues)

	[if marked running: wake up tasklet to send pending frames]

Now, however, once the driver starts the queue, mac80211 can see that
and end up at the marked place above, at which point for some reason the
driver seems to stop the queue again (I don't understand that) and then
we end up transmitting while the queue is actually full.

Now, this shouldn't actually matter much, but for some reason I've seen
it happen multiple times in a row and the queue actually overflows, at
which point the queue bites itself in the tail and things go completely
wrong.

This patch fixes this by just dropping the packet should this have
happened, and making the lock in iwlwifi cover everything so iwlwifi
can't race against itself (dropping the lock there might make it more
likely, but it did seem to happen without that too).

Since we can't hold the lock across drv_tx() above, I see no way to fix
this in mac80211, but I also don't understand why I haven't seen this
before -- maybe I just never stress tested it this badly.

With this patch, the device has survived many minutes of simultanously
sending two iperf streams on different TIDs with combined throughput
of about 60 Mbps.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-27 15:19:34 -04:00
Michael Chan
6d7760a88c cnic: Fix ISCSI_KEVENT_IF_DOWN message handling.
When a net device goes down or when the bnx2i driver is unloaded,
the code was not generating the ISCSI_KEVENT_IF_DOWN message
properly and this could cause the userspace driver to crash.

This is fixed by sending the message properly in the shutdown path.
cnic_uio_stop() is also added to send the message when bnx2i is
unregistering.

Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-27 11:25:58 -07:00
Deepak Saxena
0cbb0a781a net: irda: init spinlock after memcpy
irttp_dup() copies a tsap_cb struct, but does not initialize the
spinlock in the new structure, which confuses lockdep.

Signed-off-by: Deepak Saxena <dsaxena@mvista.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-27 10:49:44 -07:00
Don Skidmore
8bae1b2b13 ixgbe: fix for 82599 errata marking UDP checksum errors
There is an 82599 errata that UDP frames with a zero checksum are
incorrectly marked as checksum invalid by the hardware.  This was
leading to misleading hw_csum_rx_error counts. This patch adds a
test around this counter increase for this condition.

Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-26 20:20:47 -07:00
françois romieu
ca52efd549 r8169: WakeOnLan fix for the 8168
More stuff for http://bugzilla.kernel.org/show_bug.cgi?id=9512

Some 8168 are unable to WoL when receiving is not enabled (plain
old 8169 do not seem to care).

It is not exactly pretty to leave the receiver enabled but we
should now enable DMA late enough for it to be safe. Some late
stage boot failure due to pxe and friends may benefit from the
delayed enabling of bus-mastering as well.

Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Tested-by: Jaromír Cápík <tavvva@volny.cz>
Cc: Edward Hsu <edward_hsu@realtek.com.tw>
2009-07-26 20:18:52 -07:00