1. 04 Oct, 2010 1 commit
    • Nagendra Tomar's avatar
      net: Fix the condition passed to sk_wait_event() · 482964e5
      Nagendra Tomar authored
      This patch fixes the condition (3rd arg) passed to sk_wait_event() in
      sk_stream_wait_memory(). The incorrect check in sk_stream_wait_memory()
      causes the following soft lockup in tcp_sendmsg() when the global tcp
      memory pool has exhausted.
      
      >>> snip <<<
      
      localhost kernel: BUG: soft lockup - CPU#3 stuck for 11s! [sshd:6429]
      localhost kernel: CPU 3:
      localhost kernel: RIP: 0010:[sk_stream_wait_memory+0xcd/0x200]  [sk_stream_wait_memory+0xcd/0x200] sk_stream_wait_memory+0xcd/0x200
      localhost kernel:
      localhost kernel: Call Trace:
      localhost kernel:  [sk_stream_wait_memory+0x1b1/0x200] sk_stream_wait_memory+0x1b1/0x200
      localhost kernel:  [<ffffffff802557c0>] autoremove_wake_function+0x0/0x40
      localhost kernel:  [ipv6:tcp_sendmsg+0x6e6/0xe90] tcp_sendmsg+0x6e6/0xce0
      localhost kernel:  [sock_aio_write+0x126/0x140] sock_aio_write+0x126/0x140
      localhost kernel:  [xfs:do_sync_write+0xf1/0x130] do_sync_write+0xf1/0x130
      localhost kernel:  [<ffffffff802557c0>] autoremove_wake_function+0x0/0x40
      localhost kernel:  [hrtimer_start+0xe3/0x170] hrtimer_start+0xe3/0x170
      localhost kernel:  [vfs_write+0x185/0x190] vfs_write+0x185/0x190
      localhost kernel:  [sys_write+0x50/0x90] sys_write+0x50/0x90
      localhost kernel:  [system_call+0x7e/0x83] system_call+0x7e/0x83
      
      >>> snip <<<
      
      What is happening is, that the sk_wait_event() condition passed from
      sk_stream_wait_memory() evaluates to true for the case of tcp global memory
      exhaustion. This is because both sk_stream_memory_free() and vm_wait are true
      which causes sk_wait_event() to *not* call schedule_timeout().
      Hence sk_stream_wait_memory() returns immediately to the caller w/o sleeping.
      This causes the caller to again try allocation, which again fails and again
      calls sk_stream_wait_memory(), and so on.
      
      [ Bug introduced by commit c1cbe4b7
        ("[NET]: Avoid atomic xchg() for non-error case") -DaveM ]
      Signed-off-by: default avatarNagendra Singh Tomar <tomer_iisc@yahoo.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      482964e5
  2. 03 Oct, 2010 1 commit
  3. 01 Oct, 2010 1 commit
  4. 30 Sep, 2010 3 commits
  5. 29 Sep, 2010 1 commit
  6. 28 Sep, 2010 3 commits
  7. 27 Sep, 2010 15 commits
  8. 26 Sep, 2010 2 commits
    • Ondrej Zary's avatar
      de2104x: fix TP link detection · ca9a7835
      Ondrej Zary authored
      Compex FreedomLine 32 PnP-PCI2 cards have only TP and BNC connectors but the
      SROM contains AUI port too. When TP loses link, the driver switches to
      non-existing AUI port (which reports that carrier is always present).
      
      Connecting TP back generates LinkPass interrupt but de_media_interrupt() is
      broken - it only updates the link state of currently connected media, ignoring
      the fact that LinkPass and LinkFail bits of MacStatus register belong to the
      TP port only (the chip documentation says that).
      
      This patch changes de_media_interrupt() to switch media to TP when link goes
      up (and media type is not locked) and also to update the link state only when
      the TP port is used.
      
      Also the NonselPortActive (and also SelPortActive) bits of SIAStatus register
      need to be cleared (by writing 1) after reading or they're useless.
      Signed-off-by: default avatarOndrej Zary <linux@rainbow-software.org>
      Acked-by: default avatarJeff Garzik <jgarzik@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ca9a7835
    • Ondrej Zary's avatar
      de2104x: fix power management · b0255a02
      Ondrej Zary authored
      At least my 21041 cards come out of suspend with bus mastering disabled so
      they did not work after resume(no data transferred).
      After adding pci_set_master(), the driver oopsed immediately on resume -
      because de_clean_rings() is called on suspend but de_init_rings() call
      was missing in resume.
      
      Also disable link (reset SIA) before sleep (de4x5 does this too).
      Signed-off-by: default avatarOndrej Zary <linux@rainbow-software.org>
      Acked-by: default avatarJeff Garzik <jgarzik@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b0255a02
  9. 25 Sep, 2010 2 commits
    • Ondrej Zary's avatar
      de2104x: disable autonegotiation on broken hardware · e0f9c4f3
      Ondrej Zary authored
      At least on older 21041-AA chips (mine is rev. 11), TP duplex autonegotiation
      causes the card not to work at all (link is up but no packets are transmitted).
      
      de4x5 disables autonegotiation completely. But it seems to work on newer
      (21041-PA rev. 21) so disable it only on rev<20 chips.
      Signed-off-by: default avatarOndrej Zary <linux@rainbow-software.org>
      Acked-by: default avatarJeff Garzik <jgarzik@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e0f9c4f3
    • Eric Dumazet's avatar
      net: fix a lockdep splat · f064af1e
      Eric Dumazet authored
      We have for each socket :
      
      One spinlock (sk_slock.slock)
      One rwlock (sk_callback_lock)
      
      Possible scenarios are :
      
      (A) (this is used in net/sunrpc/xprtsock.c)
      read_lock(&sk->sk_callback_lock) (without blocking BH)
      <BH>
      spin_lock(&sk->sk_slock.slock);
      ...
      read_lock(&sk->sk_callback_lock);
      ...
      
      (B)
      write_lock_bh(&sk->sk_callback_lock)
      stuff
      write_unlock_bh(&sk->sk_callback_lock)
      
      (C)
      spin_lock_bh(&sk->sk_slock)
      ...
      write_lock_bh(&sk->sk_callback_lock)
      stuff
      write_unlock_bh(&sk->sk_callback_lock)
      spin_unlock_bh(&sk->sk_slock)
      
      This (C) case conflicts with (A) :
      
      CPU1 [A]                         CPU2 [C]
      read_lock(callback_lock)
      <BH>                             spin_lock_bh(slock)
      <wait to spin_lock(slock)>
                                       <wait to write_lock_bh(callback_lock)>
      
      We have one problematic (C) use case in inet_csk_listen_stop() :
      
      local_bh_disable();
      bh_lock_sock(child); // spin_lock_bh(&sk->sk_slock)
      WARN_ON(sock_owned_by_user(child));
      ...
      sock_orphan(child); // write_lock_bh(&sk->sk_callback_lock)
      
      lockdep is not happy with this, as reported by Tetsuo Handa
      
      It seems only way to deal with this is to use read_lock_bh(callbacklock)
      everywhere.
      
      Thanks to Jarek for pointing a bug in my first attempt and suggesting
      this solution.
      Reported-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Tested-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      CC: Jarek Poplawski <jarkao2@gmail.com>
      Tested-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f064af1e
  10. 24 Sep, 2010 1 commit
    • Johannes Berg's avatar
      mac80211: fix use-after-free · cd87a2d3
      Johannes Berg authored
      commit 8c0c709e
      Author: Johannes Berg <johannes@sipsolutions.net>
      Date:   Wed Nov 25 17:46:15 2009 +0100
      
          mac80211: move cmntr flag out of rx flags
      
      moved the CMTR flag into the skb's status, and
      in doing so introduced a use-after-free -- when
      the skb has been handed to cooked monitors the
      status setting will touch now invalid memory.
      
      Additionally, moving it there has effectively
      discarded the optimisation -- since the bit is
      only ever set on freed SKBs, and those were a
      copy, it could never be checked.
      
      For the current release, fixing this properly
      is a bit too involved, so let's just remove the
      problematic code and leave userspace with one
      copy of each frame for each virtual interface.
      
      Cc: stable@kernel.org [2.6.33+]
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
      cd87a2d3
  11. 23 Sep, 2010 7 commits
  12. 22 Sep, 2010 3 commits