1. 19 Jan, 2010 1 commit
    • Neil Horman's avatar
      dccp: fix dccp rmmod when kernel configured to use slub · de4ef86c
      Neil Horman authored
      Hey all-
      	I was tinkering with dccp recently and noticed that I BUG halted the
      kernel when I rmmod-ed the dccp module.  The bug halt occured because the page
      that I passed to kfree failed the PageCompound and PageSlab test in the slub
      implementation of kfree.  I tracked the problem down to the following set of
      events:
      
      1) dccp, unlike all other uses of kmem_cache_create, allocates a string
      dynamically when registering a slab cache.  This allocated string is freed when
      the cache is destroyed.
      
      2) Normally, (1) is not an issue, but when Slub is in use, it is possible that
      caches are 'merged'.  This process causes multiple caches of simmilar
      configuration to use the same cache data structure.  When this happens, the new
      name of the cache is effectively dropped.
      
      3) (2) results in kmem_cache_name returning an ambigous value (i.e.
      ccid_kmem_cache_destroy, which uses this fuction to retrieve the name pointer
      for freeing), is no longer guaranteed that the string it assigned is what is
      returned.
      
      4) If such merge event occurs, ccid_kmem_cache_destroy frees the wrong pointer,
      which trips over the BUG in the slub implementation of kfree (since its likely
      not a slab allocation, but rather a pointer into the static string table
      section.
      
      So, what to do about this.  At first blush this is pretty clearly a leak in the
      information that slub owns, and as such a slub bug.  Unfortunately, theres no
      really good way to fix it, without exposing slub specific implementation details
      to the generic slab interface.  Also, even if we could fix this in slub cleanly,
      I think the RCU free option would force us to do lots of string duplication, not
      only in slub, but in every slab allocator.  As such, I'd like to propose this
      solution.  Basically, I just move the storage for the kmem cache name to the
      ccid_operations structure.  In so doing, we don't have to do the kstrdup or
      kfree when we allocate/free the various caches for dccp, and so we avoid the
      problem, by storing names with static memory, rather than heap, the way all
      other calls to kmem_cache_create do.
      
      I've tested this out myself here, and it solves the problem quite well.
      Signed-off-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Acked-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      de4ef86c
  2. 18 Jan, 2010 1 commit
  3. 16 Jan, 2010 1 commit
  4. 15 Jan, 2010 3 commits
  5. 14 Jan, 2010 13 commits
  6. 13 Jan, 2010 1 commit
  7. 12 Jan, 2010 3 commits
  8. 11 Jan, 2010 3 commits
  9. 10 Jan, 2010 1 commit
  10. 08 Jan, 2010 13 commits
    • David S. Miller's avatar
    • Abhijeet Kolekar's avatar
      iwlwifi: disable tx on beacon update notification · c91c3efc
      Abhijeet Kolekar authored
      On beacon change update notification from mac we are not disabling
      the tx in adhoc mode. Mac sends BSS_CHANGED_BEACON_ENABLED when
      station leaves IBSS. Driver should indicate uCode to not to send
      anything on receiving this notification.
      
      Functionality to indicate uCode is duplicated across
      two notifications so created a common function called iwl_set_no_assoc.
      
      Fix the issue at
      http://bugzilla.intellinuxwireless.org/show_bug.cgi?id=2133.
      Signed-off-by: default avatarAbhijeet Kolekar <abhijeet.kolekar@intel.com>
      Tested-by: default avatarJohannes Berg <johannes@sipsolutions.net>
      Signed-off-by: default avatarReinette Chatre <reinette.chatre@intel.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      c91c3efc
    • Zhu Yi's avatar
      iwlwifi: fix iwl_queue_used bug when read_ptr == write_ptr · c8106d76
      Zhu Yi authored
      When txq read_ptr equals to write_ptr, iwl_queue_used should
      always return false. Because there is no used TFD in this case.
      
      This is a complementary fix to the fix already included in commit "iwl3945:
      fix panic in iwl3945 driver". Both fixes are needed to address the panic
      below.
      
      This problem was discussed on linux-wireless in
      http://thread.gmane.org/gmane.linux.kernel.wireless.general/43568
      
      <1>[ 7290.414172] IP: [<ffffffffa0dd53a1>] iwl3945_rx_reply_tx+0xc1/0x450 [iwl3945]
      <4>[ 7290.414205] PGD 0
      <1>[ 7290.414214] Thread overran stack, or stack corrupted
      <0>[ 7290.414229] Oops: 0002 [#1] PREEMPT SMP
      <0>[ 7290.414246] last sysfs file: /sys/devices/platform/coretemp.1/temp1_input
      <4>[ 7290.414265] CPU 0
      <4>[ 7290.414274] Modules linked in: af_packet nfsd usb_storage usb_libusual cpufreq_powersave exportfs cpufreq_conservative iwl3945 nfs cpufreq_userspace snd_hda_codec_realtek acpi_cpufreq uvcvideo lockd iwlcore snd_hda_intel joydev coretemp nfs_acl videodev snd_hda_codec mac80211 v4l1_compat snd_hwdep sbp2 v4l2_compat_ioctl32 uhci_hcd psmouse auth_rpcgss ohci1394 cfg80211 ehci_hcd video ieee1394 snd_pcm serio_raw battery ac nvidia(P) usbcore output sunrpc evdev lirc_ene0100 snd_page_alloc rfkill tg3 libphy fuse lzo lzo_decompress lzo_compress
      <6>[ 7290.414486] Pid: 0, comm: swapper Tainted: P           2.6.32-rc8-wl #213 Aspire 5720
      <6>[ 7290.414507] RIP: 0010:[<ffffffffa0dd53a1>]  [<ffffffffa0dd53a1>] iwl3945_rx_reply_tx+0xc1/0x450 [iwl3945]
      <6>[ 7290.414541] RSP: 0018:ffff880002203d60  EFLAGS: 00010246
      <6>[ 7290.414557] RAX: 000000000000004f RBX: ffff880064c11600 RCX: 0000000000000013
      <6>[ 7290.414576] RDX: ffffffffa0ddcf20 RSI: ffff8800512b7008 RDI: 0000000000000038
      <6>[ 7290.414596] RBP: ffff880002203dd0 R08: 0000000000000000 R09: 0000000000000100
      <6>[ 7290.414616] R10: 0000000000000001 R11: 0000000000000000 R12: 00000000000000a0
      <6>[ 7290.414635] R13: 0000000000000002 R14: 0000000000000013 R15: 0000000000020201
      <6>[ 7290.414655] FS:  0000000000000000(0000) GS:ffff880002200000(0000) knlGS:0000000000000000
      <6>[ 7290.414677] CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
      <6>[ 7290.414693] CR2: 0000000000000041 CR3: 0000000001001000 CR4: 00000000000006f0
      <6>[ 7290.414712] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      <6>[ 7290.414732] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      <4>[ 7290.414752] Process swapper (pid: 0, threadinfo ffffffff81524000, task ffffffff81528b60)
      <0>[ 7290.414772] Stack:
      <4>[ 7290.414780]  ffff880002203da0 0000000000000046 0000000000000000 0000000000000046
      <4>[ 7290.414804] <0> 0000000000000282 0000000000000282 0000000000000282 ffff880064c12010
      <4>[ 7290.414830] <0> ffff880002203db0 ffff880064c11600 ffff880064c12e50 ffff8800512b7000
      <0>[ 7290.414858] Call Trace:
      <0>[ 7290.414867]  <IRQ>
      <4>[ 7290.414884]  [<ffffffffa0dc8c47>] iwl3945_irq_tasklet+0x657/0x1740 [iwl3945]
      <4>[ 7290.414910]  [<ffffffff8138fc60>] ? _spin_unlock+0x30/0x60
      <4>[ 7290.414931]  [<ffffffff81049a21>] tasklet_action+0x101/0x110
      <4>[ 7290.414950]  [<ffffffff8104a3d0>] __do_softirq+0xc0/0x160
      <4>[ 7290.414968]  [<ffffffff8100d01c>] call_softirq+0x1c/0x30
      <4>[ 7290.414986]  [<ffffffff8100eff5>] do_softirq+0x75/0xb0
      <4>[ 7290.415003]  [<ffffffff81049ee5>] irq_exit+0x95/0xa0
      <4>[ 7290.415020]  [<ffffffff8100e547>] do_IRQ+0x77/0xf0
      <4>[ 7290.415038]  [<ffffffff8100c7d3>] ret_from_intr+0x0/0xf
      <0>[ 7290.415052]  <EOI>
      <4>[ 7290.415067]  [<ffffffff81234efa>] ? acpi_idle_enter_bm+0x270/0x2a5
      <4>[ 7290.415087]  [<ffffffff81234f04>] ? acpi_idle_enter_bm+0x27a/0x2a5
      <4>[ 7290.415107]  [<ffffffff81234efa>] ? acpi_idle_enter_bm+0x270/0x2a5
      <4>[ 7290.415130]  [<ffffffff812c11f3>] ? cpuidle_idle_call+0x93/0xf0
      <4>[ 7290.415149]  [<ffffffff8100b0d7>] ? cpu_idle+0xa7/0x110
      <4>[ 7290.415168]  [<ffffffff8137b3d5>] ? rest_init+0x75/0x80
      <4>[ 7290.415187]  [<ffffffff8158cd0a>] ? start_kernel+0x3a7/0x3b3
      <4>[ 7290.415206]  [<ffffffff8158c315>] ? x86_64_start_reservations+0x125/0x129
      <4>[ 7290.415227]  [<ffffffff8158c3fd>] ? x86_64_start_kernel+0xe4/0xeb
      <0>[ 7290.415243] Code: 00 41 39 ce 0f 8d e8 01 00 00 48 8b 47 40 48 63 d2 48 69 d2 98 00 00 00 4c 8b 04 02 48 c7 c2 20 cf dd a0 49 8d 78 38 49 8d 40 4f <c6> 47 09 00 c6 47 0c 00 c6 47 0f 00 c6 47 12 00 c6 47 15 00 49
      <1>[ 7290.415382] RIP  [<ffffffffa0dd53a1>] iwl3945_rx_reply_tx+0xc1/0x450 [iwl3945]
      <4>[ 7290.415410]  RSP <ffff880002203d60>
      <0>[ 7290.415421] CR2: 0000000000000041
      <4>[ 7290.415436] ---[ end trace ec46807277caa515 ]---
      <0>[ 7290.415450] Kernel panic - not syncing: Fatal exception in interrupt
      <4>[ 7290.415468] Pid: 0, comm: swapper Tainted: P      D    2.6.32-rc8-wl #213
      <4>[ 7290.415486] Call Trace:
      <4>[ 7290.415495]  <IRQ>  [<ffffffff8138c040>] panic+0x7d/0x13a
      <4>[ 7290.415519]  [<ffffffff8101071a>] oops_end+0xda/0xe0
      <4>[ 7290.415538]  [<ffffffff8102e1ea>] no_context+0xea/0x250
      <4>[ 7290.415557]  [<ffffffff81038991>] ? select_task_rq_fair+0x511/0x780
      <4>[ 7290.415578]  [<ffffffff8102e475>] __bad_area_nosemaphore+0x125/0x1e0
      <4>[ 7290.415597]  [<ffffffff81038d0c>] ? __enqueue_entity+0x7c/0x80
      <4>[ 7290.415616]  [<ffffffff81039201>] ? enqueue_task_fair+0x111/0x150
      <4>[ 7290.415636]  [<ffffffff8102e53e>] bad_area_nosemaphore+0xe/0x10
      <4>[ 7290.415656]  [<ffffffff8102e8fa>] do_page_fault+0x26a/0x320
      <4>[ 7290.415674]  [<ffffffff813905df>] page_fault+0x1f/0x30
      <4>[ 7290.415697]  [<ffffffffa0dd53a1>] ? iwl3945_rx_reply_tx+0xc1/0x450 [iwl3945]
      <4>[ 7290.415723]  [<ffffffffa0dc8c47>] iwl3945_irq_tasklet+0x657/0x1740 [iwl3945]
      <4>[ 7290.415746]  [<ffffffff8138fc60>] ? _spin_unlock+0x30/0x60
      <4>[ 7290.415764]  [<ffffffff81049a21>] tasklet_action+0x101/0x110
      <4>[ 7290.415783]  [<ffffffff8104a3d0>] __do_softirq+0xc0/0x160
      <4>[ 7290.415801]  [<ffffffff8100d01c>] call_softirq+0x1c/0x30
      <4>[ 7290.415818]  [<ffffffff8100eff5>] do_softirq+0x75/0xb0
      <4>[ 7290.415835]  [<ffffffff81049ee5>] irq_exit+0x95/0xa0
      <4>[ 7290.415852]  [<ffffffff8100e547>] do_IRQ+0x77/0xf0
      <4>[ 7290.415869]  [<ffffffff8100c7d3>] ret_from_intr+0x0/0xf
      <4>[ 7290.415883]  <EOI>  [<ffffffff81234efa>] ? acpi_idle_enter_bm+0x270/0x2a5
      <4>[ 7290.415911]  [<ffffffff81234f04>] ? acpi_idle_enter_bm+0x27a/0x2a5
      <4>[ 7290.415931]  [<ffffffff81234efa>] ? acpi_idle_enter_bm+0x270/0x2a5
      <4>[ 7290.415952]  [<ffffffff812c11f3>] ? cpuidle_idle_call+0x93/0xf0
      <4>[ 7290.415971]  [<ffffffff8100b0d7>] ? cpu_idle+0xa7/0x110
      <4>[ 7290.415989]  [<ffffffff8137b3d5>] ? rest_init+0x75/0x80
      <4>[ 7290.416007]  [<ffffffff8158cd0a>] ? start_kernel+0x3a7/0x3b3
      <4>[ 7290.416026]  [<ffffffff8158c315>] ? x86_64_start_reservations+0x125/0x129
      <4>[ 7290.416047]  [<ffffffff8158c3fd>] ? x86_64_start_kernel+0xe4/0xeb
      Reported-by: default avatarMaxim Levitsky <maximlevitsky@gmail.com>
      Tested-by: default avatarMaxim Levitsky <maximlevitsky@gmail.com>
      Signed-off-by: default avatarZhu Yi <yi.zhu@intel.com>
      Signed-off-by: default avatarReinette Chatre <reinette.chatre@intel.com>
      CC: stable@kernel.org
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      c8106d76
    • Johannes Berg's avatar
      mac80211: fix endian error · b49bb574
      Johannes Berg authored
      I forgot to convert the radiotap length to
      CPU endian, which sparse found thankfully.
      Signed-off-by: default avatarJohannes Berg <johannes@sipsolutions.net>
      Cc: stable@kernel.org
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      b49bb574
    • Felix Fietkau's avatar
      mac80211: add missing sanity checks for action frames · d7907448
      Felix Fietkau authored
      Various missing sanity checks caused rejected action frames to be
      interpreted as channel switch announcements, which can cause a client
      mode interface to switch away from its operating channel, thereby losing
      connectivity. This patch ensures that only spectrum management action
      frames are processed by the CSA handling function and prevents rejected
      action frames from getting processed by the MLME code.
      Signed-off-by: default avatarFelix Fietkau <nbd@openwrt.org>
      Cc: stable@kernel.org
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      d7907448
    • Lennert Buytenhek's avatar
      mac80211: fix queue selection for packets injected via monitor interface · 045cfb71
      Lennert Buytenhek authored
      Commit 'mac80211: fix skb buffering issue' added an ->ndo_select_queue()
      for monitor interfaces which can end up dereferencing ieee802_1d_to_ac[]
      beyond the end of the array for injected data packets (as skb->priority
      isn't guaranteed to be zero or within [0:7]), which then triggers the
      WARN_ON in net/core/dev.c:dev_cap_txqueue().  Fix this by always setting
      the priority to zero on injected data frames.
      Signed-off-by: default avatarLennert Buytenhek <buytenh@marvell.com>
      Cc: stable@kernel.org
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      045cfb71
    • Florian Westphal's avatar
      netfilter: ebtables: enforce CAP_NET_ADMIN · dce766af
      Florian Westphal authored
      normal users are currently allowed to set/modify ebtables rules.
      Restrict it to processes with CAP_NET_ADMIN.
      
      Note that this cannot be reproduced with unmodified ebtables binary
      because it uses SOCK_RAW.
      Signed-off-by: default avatarFlorian Westphal <fwestphal@astaro.com>
      Cc: stable@kernel.org
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      dce766af
    • Bruce Allan's avatar
      e1000e: fix and commonize code for setting the receive address registers · b7a9216c
      Bruce Allan authored
      Fix e1000e_rar_set() to flush consecutive register writes to avoid write
      combining which some parts cannot handle.  Update e1000e_init_rx_addrs()
      to call the fixed e1000e_rar_set() instead of duplicating code.
      
      Also change e1000e_rar_set() to _not_ set the Address Valid bit if the MAC
      address is all zeros.
      Signed-off-by: default avatarBruce Allan <bruce.w.allan@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b7a9216c
    • Bruce Allan's avatar
      e1000e: e1000e_enable_tx_pkt_filtering() returns wrong value · ca777f9c
      Bruce Allan authored
      e1000e_enable_tx_pkt_filtering() will return a non-zero value if the
      driver fails to enable the manageability interface on the host for
      any reason; instead it should retun zero to indicate filtering has been
      disabled.  Also provide a single exit point for the function.
      Signed-off-by: default avatarBruce Allan <bruce.w.allan@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ca777f9c
    • Bruce Allan's avatar
      e1000e: perform 10/100 adaptive IFS only on parts that support it · f464ba87
      Bruce Allan authored
      Adaptive IFS which involves writing to the Adaptive IFS Throttle register
      was being done for all devices supported by the driver even though it is
      not supported (i.e. the register doesn't even exist) on some devices.  The
      feature is supported on 8257x/82583 and ICH/PCH based devices, but not
      on ESB2.
      Signed-off-by: default avatarBruce Allan <bruce.w.allan@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f464ba87
    • Bruce Allan's avatar
    • Bruce Allan's avatar
      e1000e: call pci_save_state() after pci_restore_state() · 28b8f04a
      Bruce Allan authored
      Due to a change in pci_restore_state()[1] which clears the saved_state
      flag, the driver should call pci_save_state() to set the flag once again
      to avoid issues with EEH (same fix that recently was submitted for ixgbe).
      
      [1] commmit 4b77b0a2Signed-off-by: default avatarBruce Allan <bruce.w.allan@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      28b8f04a
    • Amit Kumar Salecha's avatar
      c651a8c1