- 06 Oct, 2010 2 commits
-
-
Eric Dumazet authored
caif_connect() might dereference a netdevice after dev_put() it. It also doesnt check dev_get_by_index() return value and could dereference a NULL pointer. Fix it, using RCU to avoid taking a reference. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> CC: Sjur Braendeland <sjur.brandeland@stericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Neil Horman authored
Fix a WARN_ON failure in bond_masters sysfs file Got a report of this warning recently bonding: bond0 is being created... ------------[ cut here ]------------ WARNING: at fs/proc/generic.c:590 proc_register+0x14d/0x185() Hardware name: ProLiant BL465c G1 proc_dir_entry 'bonding/bond0' already registered Modules linked in: bonding ipv6 tg3 bnx2 shpchp amd64_edac_mod edac_core ipmi_si ipmi_msghandler serio_raw i2c_piix4 k8temp edac_mce_amd hpwdt microcode hpsa cc iss radeon ttm drm_kms_helper drm i2c_algo_bit i2c_core [last unloaded: scsi_wai t_scan] Pid: 935, comm: ifup-eth Not tainted 2.6.33.5-124.fc13.x86_64 #1 Call Trace: [<ffffffff8104b54c>] warn_slowpath_common+0x77/0x8f [<ffffffff8104b5b1>] warn_slowpath_fmt+0x3c/0x3e [<ffffffff8114bf0b>] proc_register+0x14d/0x185 [<ffffffff8114c20c>] proc_create_data+0x87/0xa1 [<ffffffffa0211e9b>] bond_create_proc_entry+0x55/0x95 [bonding] [<ffffffffa0215e5d>] bond_init+0x95/0xd0 [bonding] [<ffffffff8138cd97>] register_netdevice+0xdd/0x29e [<ffffffffa021240b>] bond_create+0x8e/0xb8 [bonding] [<ffffffffa021c4be>] bonding_store_bonds+0xb3/0x1c1 [bonding] [<ffffffff812aec85>] class_attr_store+0x27/0x29 [<ffffffff8115423d>] sysfs_write_file+0x10f/0x14b [<ffffffff81101acf>] vfs_write+0xa9/0x106 [<ffffffff81101be2>] sys_write+0x45/0x69 [<ffffffff81009b02>] system_call_fastpath+0x16/0x1b ---[ end trace a677c3f7f8b16b1e ]--- bonding: Bond creation failed. It happens because a user space writer to bond_master can try to register an already existing bond interface name. Fix it by teaching bond_create to check for the existance of devices with that name first in cases where a non-NULL name parameter has been passed in Signed-off-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 05 Oct, 2010 6 commits
-
-
Stanislaw Gruszka authored
Skge devices installed on some Gigabyte motherboards are not able to perform 64 dma correctly due to board PCI implementation, so limit DMA to 32bit if such boards are detected. Bug was reported here: https://bugzilla.redhat.com/show_bug.cgi?id=447489Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> Tested-by: Luya Tshimbalanga <luya@fedoraproject.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jeff Kirsher authored
- Add ixgbevf and docs files to the maintainers file Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jeff Kirsher authored
Adds documentation for the e1000e networking driver. Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jeff Kirsher authored
Updated the e1000 networking driver documentation. Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jeff Kirsher authored
Update the documentation for the ixgbevf (ixgbe virtual function driver). Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Dan Carpenter authored
skb_headroom() is unsigned so "skb_headroom(skb) + toff" is also unsigned and can't be less than zero. This test was added in 66d50d25: "u32: negative offset fix" It was supposed to fix a regression. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 04 Oct, 2010 6 commits
-
-
Dan Rosenberg authored
The sctp_asoc_get_hmac() function iterates through a peer's hmac_ids array and attempts to ensure that only a supported hmac entry is returned. The current code fails to do this properly - if the last id in the array is out of range (greater than SCTP_AUTH_HMAC_ID_MAX), the id integer remains set after exiting the loop, and the address of an out-of-bounds entry will be returned and subsequently used in the parent function, causing potentially ugly memory corruption. This patch resets the id integer to 0 on encountering an invalid id so that NULL will be returned after finishing the loop if no valid ids are found. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Dan Rosenberg authored
Two user-controlled allocations in SCTP are subsequently dereferenced as sockaddr structs, without checking if the dereferenced struct members fall beyond the end of the allocated chunk. There doesn't appear to be any information leakage here based on how these members are used and additional checking, but it's still worth fixing. [akpm@linux-foundation.org: remove unfashionable newlines, fix gmail tab->space conversion] Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com> Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com> Cc: David Miller <davem@davemloft.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David Stevens authored
A recent patch to allow IGMPv2 responses to IGMPv3 queries bypasses length checks for valid query lengths, incorrectly resets the v2_seen timer, and does not support IGMPv1. The following patch responds with a v2 report as required by IGMPv2 while correcting the other problems introduced by the patch. Signed-Off-By: David L Stevens <dlstevens@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Ben Hutchings authored
Since 'select' ignores dependencies, drivers that select INET_LRO must depend on INET. This fixes the broken configuration reported in <http://article.gmane.org/gmane.linux.kernel/825646>. Reported-by: Subrata Modak <subrata@linux.vnet.ibm.com> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Ben Hutchings authored
This reverts commit e81963b1. LRO is now deprecated in favour of GRO, and only a few drivers use it, so it is desirable to build it as a module in distribution kernels. The original change to prevent building it as a module was made in an attempt to avoid the case where some dependents are set to y and some to m, and INET_LRO can be set to m rather than y. However, the Kconfig system will reliably set INET_LRO=y in this case. Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Nagendra Tomar authored
This patch fixes the condition (3rd arg) passed to sk_wait_event() in sk_stream_wait_memory(). The incorrect check in sk_stream_wait_memory() causes the following soft lockup in tcp_sendmsg() when the global tcp memory pool has exhausted. >>> snip <<< localhost kernel: BUG: soft lockup - CPU#3 stuck for 11s! [sshd:6429] localhost kernel: CPU 3: localhost kernel: RIP: 0010:[sk_stream_wait_memory+0xcd/0x200] [sk_stream_wait_memory+0xcd/0x200] sk_stream_wait_memory+0xcd/0x200 localhost kernel: localhost kernel: Call Trace: localhost kernel: [sk_stream_wait_memory+0x1b1/0x200] sk_stream_wait_memory+0x1b1/0x200 localhost kernel: [<ffffffff802557c0>] autoremove_wake_function+0x0/0x40 localhost kernel: [ipv6:tcp_sendmsg+0x6e6/0xe90] tcp_sendmsg+0x6e6/0xce0 localhost kernel: [sock_aio_write+0x126/0x140] sock_aio_write+0x126/0x140 localhost kernel: [xfs:do_sync_write+0xf1/0x130] do_sync_write+0xf1/0x130 localhost kernel: [<ffffffff802557c0>] autoremove_wake_function+0x0/0x40 localhost kernel: [hrtimer_start+0xe3/0x170] hrtimer_start+0xe3/0x170 localhost kernel: [vfs_write+0x185/0x190] vfs_write+0x185/0x190 localhost kernel: [sys_write+0x50/0x90] sys_write+0x50/0x90 localhost kernel: [system_call+0x7e/0x83] system_call+0x7e/0x83 >>> snip <<< What is happening is, that the sk_wait_event() condition passed from sk_stream_wait_memory() evaluates to true for the case of tcp global memory exhaustion. This is because both sk_stream_memory_free() and vm_wait are true which causes sk_wait_event() to *not* call schedule_timeout(). Hence sk_stream_wait_memory() returns immediately to the caller w/o sleeping. This causes the caller to again try allocation, which again fails and again calls sk_stream_wait_memory(), and so on. [ Bug introduced by commit c1cbe4b7 ("[NET]: Avoid atomic xchg() for non-error case") -DaveM ] Signed-off-by: Nagendra Singh Tomar <tomer_iisc@yahoo.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 03 Oct, 2010 1 commit
-
-
Maciej Żenczykowski authored
Signed-off-by: Maciej Żenczykowski <maze@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 01 Oct, 2010 1 commit
-
-
Eric Dumazet authored
Roger Luethi noticed packets for unknown VLANs getting silently dropped even in promiscuous mode. Check for promiscuous mode in __vlan_hwaccel_rx() and vlan_gro_common() before drops. As suggested by Patrick, mark such packets to have skb->pkt_type set to PACKET_OTHERHOST to make sure they are dropped by IP stack. Reported-by: Roger Luethi <rl@hellgate.ch> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> CC: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 30 Sep, 2010 3 commits
-
-
Kumar Sanghvi authored
Retrieve the header after doing pskb_may_pull since, pskb_may_pull could change the buffer structure. This is based on the comment given by Eric Dumazet on Phonet Pipe controller patch for a similar problem. Signed-off-by: Kumar Sanghvi <kumar.sanghvi@stericsson.com> Acked-by: Linus Walleij <linus.walleij@stericsson.com> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Acked-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Boaz Harrosh authored
uml_net_set_mac() was broken and luckily it was never used, before. What it was trying to do is spin_lock before memcopy the mac address. Linus attempted to fix it in assumption that someone decided the lock was needed. But since it was never ever used at all, and was just dead code, I think we can assume that it is not needed, after all. On the other hand patch [f25c80a4] was trying to use eth_mac_addr() in eth_configure(), *which was the real fallout*. Because of state checks done inside eth_mac_addr() the address was never set. I have not reintroduced the memcpy wrapper, but I've put a comment for future cats. The code now is back to exactly as it was before [f25c80a4]. With the cleanup applied. If the spin_lock is indeed needed then a contender should supply a test case that fails, then fix it with the proper locking, as a separate unrelated patch. CC: Julia Lawall <julia@diku.dk> CC: David S. Miller <davem@davemloft.net> CC: Andrew Morton <akpm@linux-foundation.org> CC: Al Viro <viro@ZenIV.linux.org.uk> Tested-by: Boaz Harrosh <bharrosh@panasas.com> Signed-off-by: Boaz Harrosh <bharrosh@panasas.com> Signed-off-by: David S. Miller <davem@davemloft.net>
- 29 Sep, 2010 1 commit
-
-
David S. Miller authored
The GRE tunnel driver needs to invoke icmpv6 helpers in the ipv6 stack when ipv6 support is enabled. Therefore if IPV6 is enabled, we have to enforce that GRE's enabling (modular or static) matches that of ipv6. Reported-by: Patrick McHardy <kaber@trash.net> Reported-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 28 Sep, 2010 3 commits
-
-
Damian Lukowski authored
Fixes kernel Bugzilla Bug 18952 This patch adds a syn_set parameter to the retransmits_timed_out() routine and updates its callers. If not set, TCP_RTO_MIN is taken as the calculation basis as before. If set, TCP_TIMEOUT_INIT is used instead, so that sysctl_syn_retries represents the actual amount of SYN retransmissions in case no SYNACKs are received when establishing a new connection. Signed-off-by: Damian Lukowski <damian@tvk.rwth-aachen.de> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Florian Mickler authored
iwl3945's scan_completed calls into the mac80211 stack which triggers a warn on if there is no scan outstanding. This can be avoided by not calling scan_completed but abort_scan in iwl3945_request_scan in the done: branch of the function which is used as an error out. The done: branch seems to be an error-out branch, as, for example, if iwl_is_ready(priv) returns false the done: branch is executed. NOTE: I'm not familiar with the driver at all. I just quickly scanned as a reaction to https://bugzilla.kernel.org/show_bug.cgi?id=17722 the users of scan_completed in the iwl3945 driver and noted the odd discrepancy between the comment above this instance and the comment in mac80211 scan_completed function. Signed-off-by: Florian Mickler <florian@mickler.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
-
David S. Miller authored
Fixes kernel bugzilla #16603 tcp_sendmsg() truncates iov_len to an 'int' which a 4GB write to write zero bytes, for example. There is also the problem higher up of how verify_iovec() works. It wants to prevent the total length from looking like an error return value. However it does this using 'int', but syscalls return 'long' (and thus signed 64-bit on 64-bit machines). So it could trigger false-positives on 64-bit as written. So fix it to use 'long'. Reported-by: Olaf Bonorden <bono@onlinehome.de> Reported-by: Daniel Büse <dbuese@gmx.de> Reported-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 27 Sep, 2010 15 commits
-
-
Sven Eckelmann authored
p9_virtio_create will only compare the the channel's tag characters against the device name till the end of the channel's tag but not till the end of the device name. This means that if a user defines channels with the tags foo and foobar then he would mount foo when he requested foonot and may mount foo when he requested foobar. Thus it is necessary to check both string lengths against each other in case of a successful partial string match. Signed-off-by: Sven Eckelmann <sven.eckelmann@gmx.de> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Ondrej Zary authored
When the interface is up, using ethtool breaks it because: a) link is put down but media_timer interval is not shortened to NO_LINK b) rxtx is stopped but not restarted Also manual 10baseT-HD (and probably FD too - untested) mode does not work - the link is forced up, packets are transmitted but nothing is received. Changing CSR14 value to match documentation (not disabling link check) fixes this. Signed-off-by: Ondrej Zary <linux@rainbow-software.org> Acked-by: Jeff Garzik <jgarzik@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
-
Ulrich Weber authored
as done in ip_route_connect() Signed-off-by: Ulrich Weber <uweber@astaro.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Ulrich Weber authored
IPv4 and IPv6 have separate neighbour tables, so the warning messages should be distinguishable. [ Add a suitable message prefix on the ipv4 side as well -DaveM ] Signed-off-by: Ulrich Weber <uweber@astaro.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Yuchung Cheng authored
When TCP uses FACK algorithm to mark lost packets in tcp_mark_head_lost(), if the number of packets in the (TSO) skb is greater than the number of packets that should be marked lost, TCP incorrectly exits the loop and marks no packets lost in the skb. This underestimates tp->lost_out and affects the recovery/retransmission. This patch fargments the skb and marks the correct amount of packets lost. Signed-off-by: Yuchung Cheng <ycheng@google.com> Acked-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jan Beulich authored
This patch (commit 690a1f20) added a new call site for acpi_set_WOL() without checking that the function is actually suitable to be called via vortex_set_wol+0xcd/0xe0 [3c59x] dev_ethtool+0xa5a/0xb70 dev_ioctl+0x2e0/0x4b0 T.961+0x49/0x50 sock_ioctl+0x47/0x290 do_vfs_ioctl+0x7f/0x340 sys_ioctl+0x80/0xa0 system_call_fastpath+0x16/0x1b i.e. outside of code paths run when the device is not yet enabled or already disabled. In particular, putting the device into D3hot is a pretty bad idea when it was already brought up. Furthermore, all prior callers of the function made sure they're actually dealing with a PCI device, while the newly added one didn't. In the same spirit, the .get_wol handler shouldn't indicate support for WOL for non-PCI devices. Signed-off-by: Jan Beulich <jbeulich@novell.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Neil Horman authored
Clean up a missing exit path in the ipv6 module init routines. In addrconf_init we call ipv6_addr_label_init which calls register_pernet_subsys for the ipv6_addr_label_ops structure. But if module loading fails, or if the ipv6 module is removed, there is no corresponding unregister_pernet_subsys call, which leaves a now-bogus address on the pernet_list, leading to oopses in subsequent registrations. This patch cleans up both the failed load path and the unload path. Tested by myself with good results. Signed-off-by: Neil Horman <nhorman@tuxdriver.com> include/net/addrconf.h | 1 + net/ipv6/addrconf.c | 11 ++++++++--- net/ipv6/addrlabel.c | 5 +++++ 3 files changed, 14 insertions(+), 3 deletions(-) Signed-off-by: David S. Miller <davem@davemloft.net>
-
Vasiliy Kulikov authored
Freeing netdev without free_netdev() leads to net, tx leaks. I might lead to dereferencing freed pointer. The semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) @@ struct net_device* dev; @@ -kfree(dev) +free_netdev(dev) Signed-off-by: David S. Miller <davem@davemloft.net>
-
Kulikov Vasiliy authored
Freeing netdev without free_netdev() leads to net, tx leaks. I might lead to dereferencing freed pointer. The semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) @@ struct net_device* dev; @@ -kfree(dev) +free_netdev(dev) Signed-off-by: David S. Miller <davem@davemloft.net>
-
Kulikov Vasiliy authored
Freeing netdev without free_netdev() leads to net, tx leaks. I might lead to dereferencing freed pointer. The semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) @@ struct net_device* dev; @@ -kfree(dev) +free_netdev(dev) Signed-off-by: David S. Miller <davem@davemloft.net>
-
Kulikov Vasiliy authored
Freeing netdev without free_netdev() leads to net, tx leaks. I might lead to dereferencing freed pointer. The semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) @@ struct net_device* dev; @@ -kfree(dev) +free_netdev(dev) Signed-off-by: David S. Miller <davem@davemloft.net>
-
Vincent Stehlé authored
This enables auto loading for the smsc911x ethernet driver. Signed-off-by: Vincent Stehlé <vincent.stehle@laposte.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Tom Herbert authored
Reset queue mapping when an skb is reentering the stack via a tunnel. On second pass, the queue mapping from the original device is no longer valid. Signed-off-by: Tom Herbert <therbert@google.com> Acked-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Karl Hiramoto authored
You can't call atomic_notifier_chain_unregister() while in atomic context. Fix, call un/register_atmdevice_notifier in module __init and __exit. Bug report: http://comments.gmane.org/gmane.linux.network/172603Reported-by: Mikko Vinni <mmvinni@yahoo.com> Tested-by: Mikko Vinni <mmvinni@yahoo.com> Signed-off-by: Karl Hiramoto <karl@hiramoto.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
- 26 Sep, 2010 2 commits
-
-
Ondrej Zary authored
Compex FreedomLine 32 PnP-PCI2 cards have only TP and BNC connectors but the SROM contains AUI port too. When TP loses link, the driver switches to non-existing AUI port (which reports that carrier is always present). Connecting TP back generates LinkPass interrupt but de_media_interrupt() is broken - it only updates the link state of currently connected media, ignoring the fact that LinkPass and LinkFail bits of MacStatus register belong to the TP port only (the chip documentation says that). This patch changes de_media_interrupt() to switch media to TP when link goes up (and media type is not locked) and also to update the link state only when the TP port is used. Also the NonselPortActive (and also SelPortActive) bits of SIAStatus register need to be cleared (by writing 1) after reading or they're useless. Signed-off-by: Ondrej Zary <linux@rainbow-software.org> Acked-by: Jeff Garzik <jgarzik@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Ondrej Zary authored
At least my 21041 cards come out of suspend with bus mastering disabled so they did not work after resume(no data transferred). After adding pci_set_master(), the driver oopsed immediately on resume - because de_clean_rings() is called on suspend but de_init_rings() call was missing in resume. Also disable link (reset SIA) before sleep (de4x5 does this too). Signed-off-by: Ondrej Zary <linux@rainbow-software.org> Acked-by: Jeff Garzik <jgarzik@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-