1. 24 Nov, 2010 3 commits
    • Steven Rostedt's avatar
      isdn: icn: Fix stack corruption bug. · 4448008e
      Steven Rostedt authored
      Running randconfig with ktest.pl I hit this bug:
      
      [   16.101158] ICN-ISDN-driver Rev 1.65.6.8 mem=0x000d0000
      [   16.106376] icn: (line0) ICN-2B, port 0x320 added
      [   16.111064] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: c1642880
      [   16.111066] 
      [   16.121214] Pid: 1, comm: swapper Not tainted 2.6.37-rc2-test-00124-g6656b3fc #8
      [   16.128499] Call Trace:
      [   16.130942]  [<c0f51662>] ? printk+0x1d/0x23
      [   16.135200]  [<c0f5153f>] panic+0x5c/0x162
      [   16.139286]  [<c0d62a9a>] ? icn_addcard+0x6d/0xbe
      [   16.143975]  [<c0445783>] print_tainted+0x0/0x8c
      [   16.148582]  [<c1642880>] ? icn_init+0xd8/0xdf
      [   16.153012]  [<c1642880>] icn_init+0xd8/0xdf
      [   16.157271]  [<c04012e5>] do_one_initcall+0x8c/0x143
      [   16.162222]  [<c16427a8>] ? icn_init+0x0/0xdf
      [   16.166566]  [<c15f1a05>] kernel_init+0x13f/0x1da
      [   16.171256]  [<c15f18c6>] ? kernel_init+0x0/0x1da
      [   16.175945]  [<c0403bfe>] kernel_thread_helper+0x6/0x10
      [   16.181181] panic occurred, switching back to text console
      
      Looking into it I found that the stack was corrupted by the assignment
      of the Rev #. The variable rev is given 10 bytes, and in this output the
      characters that were copied was: " 1.65.6.8 $". Which was 11 characters
      plus the null ending character for a total of 12 bytes, thus corrupting
      the stack.
      
      This patch ups the variable size to 20 bytes as well as changes the
      strcpy to strncpy. I also added a check to make sure '$' is found.
      Signed-off-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4448008e
    • David S. Miller's avatar
    • Eric Dumazet's avatar
      af_unix: limit unix_tot_inflight · 9915672d
      Eric Dumazet authored
      Vegard Nossum found a unix socket OOM was possible, posting an exploit
      program.
      
      My analysis is we can eat all LOWMEM memory before unix_gc() being
      called from unix_release_sock(). Moreover, the thread blocked in
      unix_gc() can consume huge amount of time to perform cleanup because of
      huge working set.
      
      One way to handle this is to have a sensible limit on unix_tot_inflight,
      tested from wait_for_unix_gc() and to force a call to unix_gc() if this
      limit is hit.
      
      This solves the OOM and also reduce overall latencies, and should not
      slowdown normal workloads.
      Reported-by: default avatarVegard Nossum <vegard.nossum@gmail.com>
      Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9915672d
  2. 23 Nov, 2010 1 commit
  3. 22 Nov, 2010 8 commits
    • Christian Lamparter's avatar
      carl9170: fix virtual interface setup crash · b397492a
      Christian Lamparter authored
      This patch fixes a faulty bound check which caused a
      crash when too many virtual interface were brought up.
      
      BUG: unable to handle kernel NULL pointer dereference at 00000004
      IP: [<f8125f67>] carl9170_op_add_interface+0x1d7/0x2c0 [carl9170]
      *pde = 00000000
      Oops: 0002 [#1] PREEMPT
      Modules linked in: carl9170 [...]
      Pid: 4720, comm: wpa_supplicant Not tainted 2.6.37-rc2-wl+
      EIP: 0060:[<f8125f67>] EFLAGS: 00210206 CPU: 0
      EIP is at carl9170_op_add_interface+0x1d7/0x2c0 [carl9170]
      EAX: 00000000 ...
      Process wpa_supplicant
      Stack:
       f4f88f34 fffffff4 ..
      Call Trace:
       [<f8f4e666>] ? ieee80211_do_open+0x406/0x5c0 [mac80211]
       [...]
      Code: <89> 42 04 ...
      EIP: [<f8125f67>] carl9170_op_add_interface+0x1d7/0x2c0 [carl9170]
      CR2: 0000000000000004
      Signed-off-by: default avatarChristian Lamparter <chunkeey@googlemail.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      b397492a
    • Daniel Klaffenbach's avatar
      ssb: b43-pci-bridge: Add new vendor for BCM4318 · 1d8638d4
      Daniel Klaffenbach authored
      Add new vendor for Broadcom 4318.
      Signed-off-by: default avatarDaniel Klaffenbach <danielklaffenbach@gmail.com>
      Signed-off-by: default avatarLarry Finger <Larry.Finger@lwfinger.net>
      Cc: Stable <stable@kernel.org>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      1d8638d4
    • Felix Fietkau's avatar
      ath9k: fix timeout on stopping rx dma · d47844a0
      Felix Fietkau authored
      It seems that using ath9k_hw_stoppcurecv to stop rx dma is not enough.
      When it's time to stop DMA, the PCU is still busy, so the rx enable
      bit never clears.
      Using ath9k_hw_abortpcurecv helps with getting rx stopped much faster,
      with this change, I cannot reproduce the rx stop related WARN_ON anymore.
      Signed-off-by: default avatarFelix Fietkau <nbd@openwrt.org>
      Cc: stable@kernel.org
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      d47844a0
    • David Daney's avatar
      of/phylib: Use device tree properties to initialize Marvell PHYs. · cf41a51d
      David Daney authored
      Some aspects of PHY initialization are board dependent, things like
      indicator LED connections and some clocking modes cannot be determined
      by probing.  The dev_flags element of struct phy_device can be used to
      control these things if an appropriate value can be passed from the
      Ethernet driver.  We run into problems however if the PHY connections
      are specified by the device tree.  There is no way for the Ethernet
      driver to know what flags it should pass.
      
      If we are using the device tree, the struct phy_device will be
      populated with the device tree node corresponding to the PHY, and we
      can extract extra configuration information from there.
      
      The next question is what should the format of that information be?
      It is highly device specific, and the device tree representation
      should not be tied to any arbitrary kernel defined constants.  A
      straight forward representation is just to specify the exact bits that
      should be set using the "marvell,reg-init" property:
      
            phy5: ethernet-phy@5 {
              reg = <5>;
              compatible = "marvell,88e1149r";
              marvell,reg-init =
                      /* led[0]:1000, led[1]:100, led[2]:10, led[3]:tx */
                      <3 0x10 0 0x5777>, /* Reg 3,16 <- 0x5777 */
                      /* mix %:0, led[0123]:drive low off hiZ */
                      <3 0x11 0 0x00aa>, /* Reg 3,17 <- 0x00aa */
                      /* default blink periods. */
                      <3 0x12 0 0x4105>, /* Reg 3,18 <- 0x4105 */
                      /* led[4]:rx, led[5]:dplx, led[45]:drive low off hiZ */
                      <3 0x13 0 0x0a60>; /* Reg 3,19 <- 0x0a60 */
            };
      
            phy6: ethernet-phy@6 {
              reg = <6>;
              compatible = "marvell,88e1118";
              marvell,reg-init =
                      /* Fix rx and tx clock transition timing */
                      <2 0x15 0xffcf 0>, /* Reg 2,21 Clear bits 4, 5 */
                      /* Adjust LED drive. */
                      <3 0x11 0 0x442a>, /* Reg 3,17 <- 0442a */
                      /* irq, blink-activity, blink-link */
                      <3 0x10 0 0x0242>; /* Reg 3,16 <- 0x0242 */
            };
      
      The Marvell PHYs have a page select register at register 22 (0x16), we
      can specify any register by its page and register number.  These are
      the first and second word.  The third word contains a mask to be ANDed
      with the existing register value, and the fourth word is ORed with the
      result to yield the new register value.  The new marvell_of_reg_init
      function leaves the page select register unchanged, so a call to it
      can be dropped into the .config_init functions without unduly
      affecting the state of the PHY.
      
      If CONFIG_OF_MDIO is not set, there is no of_node, or no
      "marvell,reg-init" property, the PHY initialization is unchanged.
      Signed-off-by: default avatarDavid Daney <ddaney@caviumnetworks.com>
      Cc: Grant Likely <grant.likely@secretlab.ca>
      Cc: Cyril Chemparathy <cyril@ti.com>
      Cc: David Daney <ddaney@caviumnetworks.com>
      Cc: Arnaud Patard <arnaud.patard@rtp-net.org>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Reviewed-by: default avatarGrant Likely <grant.likely@secretlab.ca>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cf41a51d
    • David Daney's avatar
      phylib: Add support for Marvell 88E1149R devices. · 90600732
      David Daney authored
      The 88E1149R is 10/100/1000 quad-gigabit Ethernet PHY.  The
      .config_aneg function can be shared with 88E1118, but it needs its own
      .config_init.
      Signed-off-by: default avatarDavid Daney <ddaney@caviumnetworks.com>
      Cc: Cyril Chemparathy <cyril@ti.com>
      Cc: Arnaud Patard <arnaud.patard@rtp-net.org>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Wolfram Sang <w.sang@pengutronix.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      90600732
    • David Daney's avatar
      phylib: Use common page register definition for Marvell PHYs. · 27d916d6
      David Daney authored
      The definition of the Marvell PHY page register is not specific to
      88E1121, so rename the macro to MII_MARVELL_PHY_PAGE, and use it
      throughout.
      Suggested-by: default avatarCyril Chemparathy <cyril@ti.com>
      Signed-off-by: default avatarDavid Daney <ddaney@caviumnetworks.com>
      Cc: Cyril Chemparathy <cyril@ti.com>
      Cc: Arnaud Patard <arnaud.patard@rtp-net.org>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      27d916d6
    • Sonny Rao's avatar
      qlge: Fix incorrect usage of module parameters and netdev msg level · 84cf7029
      Sonny Rao authored
      Driver appears to be mistaking the permission field with default value
      in the case of debug and qlge_irq_type.
      
      Driver is also passing debug as a bitmask into netif_msg_init()
      which wants a number of bits.  Ron Mercer suggests we should
      change this to pass in -1 so the defaults get used instead,
      which makes the default much less verbose.
      Signed-off-by: default avatarMilton Miller <miltonm@bga.com>
      Signed-off-by: default avatarSonny Rao <sonnyrao@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      84cf7029
    • John Fastabend's avatar
      ipv6: fix missing in6_ifa_put in addrconf · 88b2a9a3
      John Fastabend authored
      Fix ref count bug introduced by
      
      commit 2de79570
      Author: Lorenzo Colitti <lorenzo@google.com>
      Date:   Wed Oct 27 18:16:49 2010 +0000
      
      ipv6: addrconf: don't remove address state on ifdown if the address
      is being kept
      
      Fix logic so that addrconf_ifdown() decrements the inet6_ifaddr
      refcnt correctly with in6_ifa_put().
      Reported-by: default avatarStephen Hemminger <shemminger@vyatta.com>
      Signed-off-by: default avatarJohn Fastabend <john.r.fastabend@intel.com>
      Acked-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      88b2a9a3
  4. 21 Nov, 2010 5 commits
  5. 19 Nov, 2010 2 commits
  6. 18 Nov, 2010 14 commits
  7. 17 Nov, 2010 5 commits
  8. 16 Nov, 2010 2 commits