Commit graph

13532 commits

Author SHA1 Message Date
Eric Dumazet
fdd7b4c330 r8169: fix crash when large packets are received
Michael Tokarev reported receiving a large packet could crash
a machine with RTL8169 NIC.
( original thread at http://lkml.org/lkml/2009/6/8/192 )

Problem is this driver tells that NIC frames up to 16383 bytes
can be received but provides skb to rx ring allocated with
smaller sizes (1536 bytes in case standard 1500 bytes MTU is used)

When a frame larger than what was allocated by driver is received,
dma transfert can occurs past the end of buffer and corrupt
kernel memory.

Fix is to tell to NIC what is the maximum size a frame can be.

This bug is very old, (before git introduction, linux-2.6.10), and 
should be backported to stable versions.

Reported-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Tested-by: Michael Tokarev <mjt@tls.msk.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-06-09 04:01:02 -07:00
Neil Horman
ea30e11970 e1000: add missing length check to e1000 receive routine
Patch to fix bad length checking in e1000.  E1000 by default does two
things:

1) Spans rx descriptors for packets that don't fit into 1 skb on recieve
2) Strips the crc from a frame by subtracting 4 bytes from the length prior to
doing an skb_put

Since the e1000 driver isn't written to support receiving packets that span
multiple rx buffers, it checks the End of Packet bit of every frame, and
discards it if its not set.  This places us in a situation where, if we have a
spanning packet, the first part is discarded, but the second part is not (since
it is the end of packet, and it passes the EOP bit test).  If the second part of
the frame is small (4 bytes or less), we subtract 4 from it to remove its crc,
underflow the length, and wind up in skb_over_panic, when we try to skb_put a
huge number of bytes into the skb.  This amounts to a remote DOS attack through
careful selection of frame size in relation to interface MTU.  The fix for this
is already in the e1000e driver, as well as the e1000 sourceforge driver, but no
one ever pushed it to e1000.  This is lifted straight from e1000e, and prevents
small frames from causing the underflow described above

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Tested-by: Andy Gospodarek <andy@greyhouse.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-06-02 01:29:58 -07:00
Ed Swierk
5a9a8e32eb forcedeth: add phy_power_down parameter, leave phy powered up by default (v2)
Add a phy_power_down parameter to forcedeth: set to 1 to power down the
phy and disable the link when an interface goes down; set to 0 to always
leave the phy powered up.

The phy power state persists across reboots; Windows, some BIOSes, and
older versions of Linux don't bother to power up the phy again, forcing
users to remove all power to get the interface working (see
http://bugzilla.kernel.org/show_bug.cgi?id=13072).  Leaving the phy
powered on is the safest default behavior.  Users accustomed to seeing
the link state reflect the interface state and/or wanting to minimize
power consumption can set phy_power_down=1 if compatibility with other
OSes is not an issue.

Signed-off-by: Ed Swierk <eswierk@aristanetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-06-02 00:19:52 -07:00
Maciej W. Rozycki
cf9f6e21c1 3c509: Add missing EISA IDs
Several EISA device IDs for 3c509 family network cards are missing from 
the driver, making the cards unusable in their EISA mode.  Here's a fix to 
add them based on the EISA configuration files distributed by 3Com and our 
eisa.ids database.

Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-06-01 03:12:04 -07:00
Greg Kroah-Hartman
bdb0e010bf ath1e: add new device id for asus hardware
Gary Lin reports that a new device id needs to be added to the atl1e in
order to get some new Asus hardware to work properly.

Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-05-29 22:04:54 -07:00
Yevgeny Petrilin
465440d272 mlx4_en: Fix a kernel panic when waking tx queue
When the transmit queue gets full we enable interrupts for TX completions
There was a race that we handled the TX queue both from the interrupt context
and from the transmit function. Using "spin_trylock_irq()" ensures this
doesn't happen.

Signed-off-by: Yevgeny Petrilin <yevgenyp@mellanox.co.il>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-05-29 22:04:42 -07:00
David S. Miller
e8573758d5 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2009-05-29 21:56:19 -07:00
John W. Linville
aeeab4ff06 rtl8187: add USB ID for Linksys WUSB54GC-EU v2 USB wifi dongle
http://bugzilla.kernel.org/show_bug.cgi?id=13383

Reported-by: Przemyslaw Kulczycki <azrael@autocom.pl>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-29 12:41:01 +02:00
John W. Linville
21a4cc00e8 at76c50x-usb: avoid mutex deadlock in at76_dwork_hw_scan
http://bugzilla.kernel.org/show_bug.cgi?id=13312

at76_dwork_hw_scan holds a mutex while calling ieee80211_scan_completed,
which then calls at76_config which needs the same mutex.  This reworks
the ordering to not hold the lock while calling ieee80211_scan_completed.

Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-29 12:41:01 +02:00
Finn Thain
4e0168fa48 mac8390: fix build with NET_POLL_CONTROLLER
Fix the build for CONFIG_NET_POLL_CONTROLLER that I broke with
217cbfa856 ("mac8390: fix regression
caused during net_device_ops conversion").

Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-05-29 01:56:35 -07:00
Divy Le Ray
c22c814931 cxgb3: link fault fixes
Do not call t3_link_fault() under spinlock, as it calls msleep().
Besides, only the access to pi->link_fault needs to be serialized.

Also initialize local variables before checking the link status,
link state fields might otherwise end up containing garbage.

Signed-off-by: Divy Le Ray <divy@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-05-29 01:54:41 -07:00
Divy Le Ray
10b6d95612 cxgb3: fix dma mapping regression
Commit 5e68b772e6
  cxgb3: map entire Rx page, feed map+offset to Rx ring.

introduced a regression on platforms defining DECLARE_PCI_UNMAP_ADDR()
and related macros as no-ops.

Rx descriptors are fed with the a page buffer bus address + page chunk offset.
The page buffer bus address is set and retrieved through
pci_unamp_addr_set(), pci_unmap_addr().
These functions being meaningless on x86 (if CONFIG_DMA_API_DEBUG is not set).
The HW ends up with a bogus bus address.

This patch saves the page buffer bus address for all plaftorms.

Signed-off-by: Divy Le Ray <divy@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-05-29 01:54:37 -07:00
Mike Frysinger
b63dc8fef7 bfin_mac: fix build error due to net_device_ops convert
The previous commit "convert to net_device_ops" broke the Blackfin MAC
driver as it declared the new structure before the function it used:
  CC      drivers/net/bfin_mac.o
drivers/net/bfin_mac.c:984: error: ‘bfin_mac_close’ undeclared here (not in a function)
make[1]: *** [drivers/net/bfin_mac.o] Error 1

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-05-26 20:55:33 -07:00
Alex Chiang
5ad1890035 atlx: move modinfo data from atlx.h to atl1.c
Both atl1.c and atl2.c include atlx.h, which defines some modinfo
stuff. But atl2.c seems like it doesn't want the modinfo data
from atlx.h, as it defines its own.

Running modinfo on atl2.ko, we get conflicting information:

$ /sbin/modinfo drivers/net/atlx/atl2.ko | egrep "version|description|author"
version:        2.2.3
description:    Atheros Fast Ethernet Network Driver
author:         Atheros Corporation <xiong.huang@atheros.com>, Chris Snook <csnook@redhat.com>
version:        2.1.3
author:         Xiong Huang <xiong.huang@atheros.com>, 	Chris Snook <csnook@redhat.com>, Jay Cliburn <jcliburn@gmail.com>

Move the modinfo data out of atlx.h and into atl1.c to eliminate
the confusion:

$ /sbin/modinfo drivers/net/atlx/atl1.ko | egrep "version|description|author"
version:        2.1.3
author:         Xiong Huang <xiong.huang@atheros.com>, 	Chris Snook <csnook@redhat.com>, Jay Cliburn <jcliburn@gmail.com>
description:    Atheros L1 Gigabit Ethernet Driver

$ /sbin/modinfo drivers/net/atlx/atl2.ko | egrep "version|description|author"
version:        2.2.3
description:    Atheros Fast Ethernet Network Driver
author:         Atheros Corporation <xiong.huang@atheros.com>, Chris Snook <csnook@redhat.com>

Reported-by: Scott Scriven <scott.scriven@hp.com>
Signed-off-by: Alex Chiang <achiang@hp.com>
Acked-by: Jay Cliburn <jcliburn@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-05-26 20:50:12 -07:00
Xiaotian Feng
18a36c1a39 gianfar: fix babbling rx error event bug
Gianfar interrupt handler uses IEVENT_ERR_MASK to check and handle errors.
Babbling RX error (IEVENT_BABR) should be included in IEVENT_ERROR_MASK.
Otherwise if BABR is raised, it never gets handled nor cleared, and an
interrupt storm results. This has been observed to happen on sending a
burst of ethernet frames to a gianfar based board.

Signed-off-by: Xiaotian Feng <xiaotian.feng@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-05-26 20:48:04 -07:00
David S. Miller
7682455ec3 Merge branch 'linux-2.6.30.y' of git://git.kernel.org/pub/scm/linux/kernel/git/inaky/wimax 2009-05-25 22:56:11 -07:00
David Dillow
f11a377b3f r8169: avoid losing MSI interrupts
The 8169 chip only generates MSI interrupts when all enabled event
sources are quiescent and one or more sources transition to active. If
not all of the active events are acknowledged, or a new event becomes
active while the existing ones are cleared in the handler, we will not
see a new interrupt.

The current interrupt handler masks off the Rx and Tx events once the
NAPI handler has been scheduled, which opens a race window in which we
can get another Rx or Tx event and never ACK'ing it, stopping all
activity until the link is reset (ifconfig down/up). Fix this by always
ACK'ing all event sources, and loop in the handler until we have all
sources quiescent.

Signed-off-by: David Dillow <dave@thedillows.org>
Tested-by: Michael Buesch <mb@bu3sch.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-05-25 22:55:26 -07:00
Finn Thain
217cbfa856 mac8390: fix regression caused during net_device_ops conversion
Changeset ca17584bf2 ("mac8390: update
to net_device_ops") broke mac8390 by adding 8390.o to the link. That
meant that lib8390.c was included twice, once in mac8390.c and once in
8390.c, subject to different macros. This patch reverts that by
avoiding the wrappers in 8390.c. They seem to be of no value since
COMPAT_NET_DEV_OPS is going away soon.

Tested with a Kinetics EtherPort card.

Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-05-25 22:43:49 -07:00
Lennert Buytenhek
4e2fd55519 gianfar: fix BUG under load after introduction of skb recycling
Since commit 0fd56bb5be ("gianfar:
Add support for skb recycling"), gianfar puts skbuffs that are in
the rx ring back onto the recycle list as-is in case there was a
receive error, but this breaks the following invariant: that all
skbuffs on the recycle list have skb->data = skb->head + NET_SKB_PAD.

The RXBUF_ALIGNMENT realignment done in gfar_new_skb() will be done
twice on skbuffs recycled in this way, causing there not to be enough
room in the skb anymore to receive a full packet, eventually leading
to an skb_over_panic from gfar_clean_rx_ring() -> skb_put().

Resetting the skb->data pointer to skb->head + NET_SKB_PAD before
putting the skb back onto the recycle list restores the mentioned
invariant, and should fix this issue.

Reported-by: Michael Guntsche <mike@it-loops.com>
Tested-by: Michael Guntsche <mike@it-loops.com>
Signed-off-by: Lennert Buytenhek <buytenh@wantstofly.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-05-25 00:42:34 -07:00
Inaky Perez-Gonzalez
e069c0cf7c wimax/i2400m: usb: fix device reset on autosuspend while not yet idle
When the i2400m is connected to a network, the host interface (USB)
cannot be suspended. For that to happen, the device has to have
negotiated with the basestation to put the link on IDLE state.

If the host tries to put the device in standby while it is connected
but not idle, the device resets, as the driver should not do that.

To avoid triggering that, when the USB susbsytem requires the driver
to autosuspend the device, the driver checks if the device is not yet
idle. If it is not, the request is rejected (will be retried again
later on after the autosuspend timeout). At some point the device will
enter idle and the request will succeed (unless of course, there is
network traffic, but at that point, there is no idle neither in the
link or the host interface).

Signed-off-by: Inaky Perez-Gonzalez <inaky@linux.intel.com>
2009-05-22 00:13:18 -07:00
Roel Kluin
a6c6733978 wireless: beyond ARRAY_SIZE of intf->crypto_stats
Do not go beyond ARRAY_SIZE of intf->crypto_stats

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-20 14:29:55 -04:00
Jay Sternberg
c9d2fbf36d iwlwifi: update 5000 ucode support to version 2 of API
enable iwl driver to support 5000 ucode having version 2 of API

Signed-off-by: Jay Sternberg <jay.e.sternberg@linux.intel.com>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-20 14:29:55 -04:00
John W. Linville
267d493b32 airo: fix airo_get_encode{,ext} buffer overflow like I mean it...
"airo: airo_get_encode{,ext} potential buffer overflow" was actually a
no-op, due to an unrecognized type overflow in an assignment.  Oddly,
gcc only seems to tell me about it when using -Wextra...grrr...

Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-20 14:29:54 -04:00
Fabio Rossi
875690c378 ath5k: fix interpolation with equal power levels
When the EEPROM contains weird values for the power levels we have to
fix the interpolation process.

Signed-off-by: Fabio Rossi <rossi.f@inwind.it>
Acked-by: Nick Kossifidis <mickflemm@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-20 14:29:53 -04:00
Reinette Chatre
fbc9f97bbf iwlwifi: do not cancel delayed work inside spin_lock_irqsave
Calling cancel_delayed_work() from inside
spin_lock_irqsave, introduces a potential deadlock.

As explained by Johannes Berg <johannes@sipsolutions.net>

A - lock
T - timer

phase                   CPU 1           CPU 2
---------------------------------------------

some place that calls
cancel_timer_sync()
(which is the | code)
                                        lock-irq(A)
|                                       "lock-irq"(T)
|                                       "unlock"(T)
|                                       wait(T)
                                        unlock(A)

timer softirq
                        "lock"(T)
                        run(T)
                        "unlock"(T)

irq handler
          lock(A)
          unlock(A)

Now all that again, interleaved, leading to deadlock:

                                        lock-irq(A)
                        "lock"(T)
                         run(T)
IRQ during or maybe
before run(T) -->        lock(A)
                                        "lock-irq"(T)
                                        wait(T)

We fix this by moving the call to cancel_delayed_work() into workqueue.
There are cases where the work may not actually be queued or running
at the time we are trying to cancel it, but cancel_delayed_work() is
able to deal with this.

Also cleanup iwl_set_mode related to this call. This function
(iwl_set_mode) is only called when bringing interface up and there will
thus not be any scanning done. No need to try to cancel scanning.

Fixes http://bugzilla.kernel.org/show_bug.cgi?id=13224, which was also
reported at http://marc.info/?l=linux-wireless&m=124081921903223&w=2 .

Tested-by: Miles Lane <miles.lane@gmail.com>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Acked-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-20 14:29:53 -04:00
Forrest Zhang
a54be5d43a ath5k: fix exp off-by-one when computing OFDM delta slope
Commit e8f055f0c3 ("ath5k: Update reset code") subtly changed the
code that computes floating point values for the PHY3_TIMING register
such that the exponent is off by a decimal point, which can cause
problems with OFDM channel operation.

get_bitmask_order() actually returns the highest bit set plus one,
whereas the previous code wanted the highest bit set.  Instead, use
ilog2 which is what this code is really calculating.  Also check
coef_scaled to handle the (invalid) case where we need log2(0).

Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-20 14:07:51 -04:00
Pavel Roskin
2b611cb6ee ath5k: fix scanning in AR2424
AR5K_PHY_PLL_40MHZ_5413 should not be ORed with AR5K_PHY_MODE_RAD_RF5112
for 5 GHz channels.

The incorrect PLL value breaks scanning in the countries where 5 GHz
channels are allowed.

Signed-off-by: Pavel Roskin <proski@gnu.org>
Acked-by: Nick Kossifidis <mickflemm@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-20 14:07:50 -04:00
Ajit Khaparde
c4ca237431 be2net: add two new pci device ids to pci device table
Signed-off-by: Ajit Khaparde <ajitk@serverengines.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-05-18 15:38:55 -07:00
roel kluin
d77dd8d27e Neterion: *FIFO1_DMA_ERR set twice, should 2nd be *FIFO2_DMA_ERR?
FIFO1_DMA_ERR is set twice, the second should be FIFO2_DMA_ERR.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Acked-by: Ram Vepa <ram.vepa@neterion.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-05-17 21:18:05 -07:00
Gabriel Paubert
eb0519b5a1 mv643xx_eth: fix PPC DMA breakage
After 2.6.29, PPC no more admits passing NULL to the dev parameter of
the DMA API. The result is a BUG followed by solid lock-up when the 
mv643xx_eth driver brings an interface up. The following patch makes 
the driver work on my Pegasos again; it is mostly a search and replace 
of NULL by mp->dev->dev.parent in dma allocation/freeing/mapping/unmapping
functions.

Signed-off-by: Gabriel Paubert <paubert@iram.es>
Acked-by: Lennert Buytenhek <buytenh@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-05-17 21:16:47 -07:00
Stephen Hemminger
4cd6fe1c64 bonding: fix link down handling in 802.3ad mode
One of the purposes of bonding is to allow for redundant links, and failover
correctly if the cable is pulled. If all the members of a bonded device have
no carrier present, the bonded device itself needs to report no carrier present
to user space so management tools (like routing daemons) can respond.

Bonding in 802.3ad mode does not work correctly for this because it incorrectly
chooses a link that is down as a possible aggregator.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-05-17 21:15:54 -07:00
David S. Miller
ffc7a86494 Merge branch 'linux-2.6.30.y' of git://git.kernel.org/pub/scm/linux/kernel/git/inaky/wimax 2009-05-17 21:14:33 -07:00
Ralf Baechle
a8f492c6ac NET: Meth: Fix unsafe mix of irq and non-irq spinlocks.
Mixing of normal and irq spinlocks results in the following lockdep messages
on bootup on IP32:

[...]
Sending DHCP requests .
======================================================
[ INFO: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected ]
2.6.30-rc5-00164-g41baeef #30
------------------------------------------------------
swapper/1 [HC0[0]:SC0[1]:HE0:SE0] is trying to acquire:
 (&priv->meth_lock){+.+...}, at: [<ffffffff8026388c>] meth_tx+0x48/0x43c

and this task is already holding:
 (_xmit_ETHER#2){+.-...}, at: [<ffffffff802d3a00>] __qdisc_run+0x118/0x30c
which would create a new lock dependency:
 (_xmit_ETHER#2){+.-...} -> (&priv->meth_lock){+.+...}

but this new dependency connects a SOFTIRQ-irq-safe lock:
 (_xmit_ETHER#2){+.-...}
... which became SOFTIRQ-irq-safe at:
  [<ffffffff80061458>] __lock_acquire+0x784/0x1a14
  [<ffffffff800627e0>] lock_acquire+0xf8/0x150
  [<ffffffff800128d0>] _spin_lock+0x30/0x44
  [<ffffffff802d2b88>] dev_watchdog+0x70/0x398
  [<ffffffff800433b8>] run_timer_softirq+0x1a8/0x248
  [<ffffffff8003da5c>] __do_softirq+0xec/0x208
  [<ffffffff8003dbd8>] do_softirq+0x60/0xe4
  [<ffffffff8003dda0>] irq_exit+0x54/0x9c
  [<ffffffff80004420>] ret_from_irq+0x0/0x4
  [<ffffffff80004720>] r4k_wait+0x20/0x40
  [<ffffffff80015418>] cpu_idle+0x30/0x60
  [<ffffffff804cd934>] start_kernel+0x3ec/0x404

to a SOFTIRQ-irq-unsafe lock:
 (&priv->meth_lock){+.+...}
... which became SOFTIRQ-irq-unsafe at:
...  [<ffffffff800614f8>] __lock_acquire+0x824/0x1a14
  [<ffffffff800627e0>] lock_acquire+0xf8/0x150
  [<ffffffff800128d0>] _spin_lock+0x30/0x44
  [<ffffffff80263f20>] meth_reset+0x118/0x2d8
  [<ffffffff8026424c>] meth_open+0x28/0x140
  [<ffffffff802c1ae8>] dev_open+0xe0/0x18c
  [<ffffffff802c1268>] dev_change_flags+0xd8/0x1d4
  [<ffffffff804e7770>] ip_auto_config+0x1d4/0xf28
  [<ffffffff80012e68>] do_one_initcall+0x58/0x170
  [<ffffffff804cd190>] kernel_init+0x98/0x104
  [<ffffffff8001520c>] kernel_thread_helper+0x10/0x18

other info that might help us debug this:

2 locks held by swapper/1:
 #0:  (rcu_read_lock){.+.+..}, at: [<ffffffff802c0954>] dev_queue_xmit+0x1e0/0x4b0
 #1:  (_xmit_ETHER#2){+.-...}, at: [<ffffffff802d3a00>] __qdisc_run+0x118/0x30c

the SOFTIRQ-irq-safe lock's dependencies:
-> (_xmit_ETHER#2){+.-...} ops: 0 {
   HARDIRQ-ON-W at:
                        [<ffffffff800614d0>] __lock_acquire+0x7fc/0x1a14
                        [<ffffffff800627e0>] lock_acquire+0xf8/0x150
                        [<ffffffff800128d0>] _spin_lock+0x30/0x44
                        [<ffffffff802d2b88>] dev_watchdog+0x70/0x398
                        [<ffffffff800433b8>] run_timer_softirq+0x1a8/0x248
                        [<ffffffff8003da5c>] __do_softirq+0xec/0x208
                        [<ffffffff8003dbd8>] do_softirq+0x60/0xe4
                        [<ffffffff8003dda0>] irq_exit+0x54/0x9c
                        [<ffffffff80004420>] ret_from_irq+0x0/0x4
                        [<ffffffff80004720>] r4k_wait+0x20/0x40
                        [<ffffffff80015418>] cpu_idle+0x30/0x60
                        [<ffffffff804cd934>] start_kernel+0x3ec/0x404
   IN-SOFTIRQ-W at:
                        [<ffffffff80061458>] __lock_acquire+0x784/0x1a14
                        [<ffffffff800627e0>] lock_acquire+0xf8/0x150
                        [<ffffffff800128d0>] _spin_lock+0x30/0x44
                        [<ffffffff802d2b88>] dev_watchdog+0x70/0x398
                        [<ffffffff800433b8>] run_timer_softirq+0x1a8/0x248
                        [<ffffffff8003da5c>] __do_softirq+0xec/0x208
                        [<ffffffff8003dbd8>] do_softirq+0x60/0xe4
                        [<ffffffff8003dda0>] irq_exit+0x54/0x9c
                        [<ffffffff80004420>] ret_from_irq+0x0/0x4
                        [<ffffffff80004720>] r4k_wait+0x20/0x40
                        [<ffffffff80015418>] cpu_idle+0x30/0x60
                        [<ffffffff804cd934>] start_kernel+0x3ec/0x404
   INITIAL USE at:
                       [<ffffffff80061570>] __lock_acquire+0x89c/0x1a14
                       [<ffffffff800627e0>] lock_acquire+0xf8/0x150
                       [<ffffffff800128d0>] _spin_lock+0x30/0x44
                       [<ffffffff802d2b88>] dev_watchdog+0x70/0x398
                       [<ffffffff800433b8>] run_timer_softirq+0x1a8/0x248
                       [<ffffffff8003da5c>] __do_softirq+0xec/0x208
                       [<ffffffff8003dbd8>] do_softirq+0x60/0xe4
                       [<ffffffff8003dda0>] irq_exit+0x54/0x9c
                       [<ffffffff80004420>] ret_from_irq+0x0/0x4
                       [<ffffffff80004720>] r4k_wait+0x20/0x40
                       [<ffffffff80015418>] cpu_idle+0x30/0x60
                       [<ffffffff804cd934>] start_kernel+0x3ec/0x404
 }
 ... key      at: [<ffffffff80cf93f0>] netdev_xmit_lock_key+0x8/0x1c8

the SOFTIRQ-irq-unsafe lock's dependencies:
-> (&priv->meth_lock){+.+...} ops: 0 {
   HARDIRQ-ON-W at:
                        [<ffffffff800614d0>] __lock_acquire+0x7fc/0x1a14
                        [<ffffffff800627e0>] lock_acquire+0xf8/0x150
                        [<ffffffff800128d0>] _spin_lock+0x30/0x44
                        [<ffffffff80263f20>] meth_reset+0x118/0x2d8
                        [<ffffffff8026424c>] meth_open+0x28/0x140
                        [<ffffffff802c1ae8>] dev_open+0xe0/0x18c
                        [<ffffffff802c1268>] dev_change_flags+0xd8/0x1d4
                        [<ffffffff804e7770>] ip_auto_config+0x1d4/0xf28
                        [<ffffffff80012e68>] do_one_initcall+0x58/0x170
                        [<ffffffff804cd190>] kernel_init+0x98/0x104
                        [<ffffffff8001520c>] kernel_thread_helper+0x10/0x18
   SOFTIRQ-ON-W at:
                        [<ffffffff800614f8>] __lock_acquire+0x824/0x1a14
                        [<ffffffff800627e0>] lock_acquire+0xf8/0x150
                        [<ffffffff800128d0>] _spin_lock+0x30/0x44
                        [<ffffffff80263f20>] meth_reset+0x118/0x2d8
                        [<ffffffff8026424c>] meth_open+0x28/0x140
                        [<ffffffff802c1ae8>] dev_open+0xe0/0x18c
                        [<ffffffff802c1268>] dev_change_flags+0xd8/0x1d4
                        [<ffffffff804e7770>] ip_auto_config+0x1d4/0xf28
                        [<ffffffff80012e68>] do_one_initcall+0x58/0x170
                        [<ffffffff804cd190>] kernel_init+0x98/0x104
                        [<ffffffff8001520c>] kernel_thread_helper+0x10/0x18
   INITIAL USE at:
                       [<ffffffff80061570>] __lock_acquire+0x89c/0x1a14
                       [<ffffffff800627e0>] lock_acquire+0xf8/0x150
                       [<ffffffff800128d0>] _spin_lock+0x30/0x44
                       [<ffffffff80263f20>] meth_reset+0x118/0x2d8
                       [<ffffffff8026424c>] meth_open+0x28/0x140
                       [<ffffffff802c1ae8>] dev_open+0xe0/0x18c
                       [<ffffffff802c1268>] dev_change_flags+0xd8/0x1d4
                       [<ffffffff804e7770>] ip_auto_config+0x1d4/0xf28
                       [<ffffffff80012e68>] do_one_initcall+0x58/0x170
                       [<ffffffff804cd190>] kernel_init+0x98/0x104
                       [<ffffffff8001520c>] kernel_thread_helper+0x10/0x18
 }
 ... key      at: [<ffffffff80cf6ce8>] __key.32424+0x0/0x8

stack backtrace:
Call Trace:
[<ffffffff8000ed0c>] dump_stack+0x8/0x34
[<ffffffff80060b74>] check_usage+0x470/0x4a0
[<ffffffff80060c34>] check_irq_usage+0x90/0x130
[<ffffffff80061f78>] __lock_acquire+0x12a4/0x1a14
[<ffffffff800627e0>] lock_acquire+0xf8/0x150
[<ffffffff80012a0c>] _spin_lock_irqsave+0x60/0x84
[<ffffffff8026388c>] meth_tx+0x48/0x43c
[<ffffffff802d3a38>] __qdisc_run+0x150/0x30c
[<ffffffff802c0aa8>] dev_queue_xmit+0x334/0x4b0
[<ffffffff804e7e6c>] ip_auto_config+0x8d0/0xf28
[<ffffffff80012e68>] do_one_initcall+0x58/0x170
[<ffffffff804cd190>] kernel_init+0x98/0x104
[<ffffffff8001520c>] kernel_thread_helper+0x10/0x18

..... timed out!
IP-Config: Retrying forever (NFS root)...
Sending DHCP requests ., OK
[...]

Fixed by converting all locks to irq locks.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Tested-by: Andrew Randrianasulu <randrik_a@yahoo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-05-17 21:11:36 -07:00
Yevgeny Petrilin
72876a6034 mlx4_en: Fix not deleted napi structures
Napi structures are being created each time we open a port, but when
the port is closed the napi structure is only disabled but not removed.
This bug caused hang while removing the driver.

Signed-off-by: Yevgeny Petrilin <yevgenyp@mellanox.co.il>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-05-17 20:48:59 -07:00
Linus Torvalds
3346857f6f Merge git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6:
  iwlwifi: fix device id registration for 6000 series 2x2 devices
  ath5k: update channel in sw state after stopping RX and TX
  rtl8187: use DMA-aware buffers with usb_control_msg
  mac80211: avoid NULL ptr deref when finding max_rates in PID and minstrel
  airo: airo_get_encode{,ext} potential buffer overflow

Pulled directly by Linus because Davem is off playing shuffle-board at
some Alaskan cruise, and the NULL ptr deref issue hits people and should
get merged sooner rather than later.

David - make us proud on the shuffle-board tournament!
2009-05-15 12:02:06 -07:00
Inaky Perez-Gonzalez
4e5b6d006b wimax/i2400m: fix device crash: fix optimization in _roq_queue_update_ws
When the i2400m receives data and the device indicates there has to be
reordering, we keep an sliding window implementation to sort the
packets before sending them to the network stack.

One of the "operations" that the device indicates is "queue a packet
and update the window start". When the queue is empty, this is
equivalent to "deliver the packet and update the window start".

That case was optimized in i2400m_roq_queue_update_ws() so that we
would not pointlessly queue and dequeue a packet. However, when the
optimization was active, it wasn't updating the window start. That
caused the reorder management code to get confused later on with what
seemed to be wrong reorder requests from the device.

Thus the fix implemented is to do the right thing and update the
window start in both cases, when the queue is empty (and the
optimization is done) and when not.

Signed-off-by: Inaky Perez-Gonzalez <inaky@linux.intel.com>
2009-05-14 18:00:32 -07:00
Dan Carpenter
34fd5dad46 Remove unreached code in drivers/net/mlx4/en_rx.c
Remove the return after the goto.  We want the goto because it frees
memory as well as returning err.

Found by smatch (http://repo.or.cz/w/smatch.git).

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-05-12 07:38:09 -07:00
Jay Sternberg
542cc7937e iwlwifi: fix device id registration for 6000 series 2x2 devices
Add device ids for 2x2 devices. Also fix antenna usage because these devices use
antennas A and B, not B and C.

Signed-off-by: Jay Sternberg <jay.e.sternberg@linux.intel.com>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-11 15:07:02 -04:00
Bob Copeland
209d889bab ath5k: update channel in sw state after stopping RX and TX
This fixes a non-theoretical race condition when transmitting and
receiving frames during a scan.  If the channel or operating band
changes while processing status descriptors in the tasklets, ath5k
will incorrectly use the new channel and band when reporting the
rates, even if the frame was actually sent on a previous channel.

Typically this will manifest as a beacon found on an incorrect
frequency and/or a warning in the driver while scanning:

[ 4773.891944] cfg80211: Found new beacon on frequency: 5805 MHz (Ch 161) on phy0
[ 4785.461125] ------------[ cut here ]------------
[ 4785.461135] WARNING: at drivers/net/wireless/ath/ath5k/base.c:1141 ath5k_tasklet_rx+0x2ff/0x577 [ath5k]()
[ 4785.461143] Hardware name: MacBook1,1
[ 4785.461148] invalid hw_rix: 1b
[ 4785.461152] Modules linked in: fuse i915 drm af_packet acpi_cpufreq binfmt_misc dm_mirror dm_region_hash dm_log dm_multipath dm_mod arc4 ecb snd_hda_codec_idt snd_hda_intel snd_hda_codec snd_seq_dummy snd_seq_oss snd_seq_midi_event ath5k snd_seq hid_apple usbhid snd_seq_device mac80211 appletouch snd_pcm_oss sky2 ohci1394 snd_mixer_oss ath ieee1394 snd_pcm bitrev snd_timer cfg80211 crc32 snd snd_page_alloc button processor ac ehci_hcd joydev uhci_hcd sg battery thermal sr_mod cdrom applesmc evdev input_polldev unix [last unloaded: microcode]
[ 4785.461296] Pid: 0, comm: swapper Tainted: G        W  2.6.30-rc3-wl #112
[ 4785.461302] Call Trace:
[ 4785.461316]  [<c012590f>] warn_slowpath+0x76/0xa5
[ 4785.461331]  [<c0219839>] ? debug_dma_unmap_page+0x5a/0x62
[ 4785.461357]  [<f9982f88>] ath5k_tasklet_rx+0x2ff/0x577 [ath5k]
[ 4785.461371]  [<c01446f7>] ? trace_hardirqs_off+0xb/0xd
[ 4785.461381]  [<c0129928>] ? __tasklet_schedule+0x6e/0x7c
[ 4785.461392]  [<c0129b02>] tasklet_action+0x92/0xe5
[ 4785.461402]  [<c0129f91>] __do_softirq+0xb1/0x182
[ 4785.461411]  [<c012a092>] do_softirq+0x30/0x48
[ 4785.461428]  [<c012a20a>] irq_exit+0x3d/0x74
[ 4785.461435]  [<c035a0de>] do_IRQ+0x76/0x8c
[ 4785.461440]  [<c010312e>] common_interrupt+0x2e/0x34
[ 4785.461445]  [<c014007b>] ? timer_list_show+0x1ab/0x939
[ 4785.461457]  [<f85fd25c>] ? acpi_idle_enter_bm+0x27c/0x2b9 [processor]
[ 4785.461463]  [<c02d1ed6>] cpuidle_idle_call+0x6a/0x9c
[ 4785.461468]  [<c0101cc8>] cpu_idle+0x53/0x87
[ 4785.461473]  [<c0346584>] rest_init+0x6c/0x6e
[ 4785.461479]  [<c04df74d>] start_kernel+0x286/0x28b
[ 4785.461484]  [<c04df037>] __init_begin+0x37/0x3c
[ 4785.461487] ---[ end trace aaf8496ba3679dfb ]---

Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-11 15:07:01 -04:00
John W. Linville
9be6f0d40d rtl8187: use DMA-aware buffers with usb_control_msg
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-11 15:07:01 -04:00
John W. Linville
aedec92268 airo: airo_get_encode{,ext} potential buffer overflow
Feeding the return code of get_wep_key directly to the length parameter
of memcpy is a bad idea since it could be -1...

Reported-by: Eugene Teo <eugeneteo@kernel.sg>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-05-11 15:07:01 -04:00
Linus Torvalds
2ad20802b7 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (26 commits)
  bonding: fix panic if initialization fails
  IXP4xx: complete Ethernet netdev setup before calling register_netdev().
  IXP4xx: use "ENODEV" instead of "ENOSYS" in module initialization.
  ipvs: Fix IPv4 FWMARK virtual services
  ipv4: Make INET_LRO a bool instead of tristate.
  net: remove stale reference to fastroute from Kconfig help text
  net: update skb_recycle_check() for hardware timestamping changes
  bnx2: Fix panic in bnx2_poll_work().
  net-sched: fix bfifo default limit
  igb: resolve panic on shutdown when SR-IOV is enabled
  wimax: oops: wimax_dev_add() is the only one that can initialize the state
  wimax: fix oops if netlink fails to add attribute
  Bluetooth: Move dev_set_name() to a context that can sleep
  netfilter: ctnetlink: fix wrong message type in user updates
  netfilter: xt_cluster: fix use of cluster match with 32 nodes
  netfilter: ip6t_ipv6header: fix match on packets ending with NEXTHDR_NONE
  netfilter: add missing linux/types.h include to xt_LED.h
  mac80211: pid, fix memory corruption
  mac80211: minstrel, fix memory corruption
  cfg80211: fix comment on regulatory hint processing
  ...
2009-05-10 10:46:45 -07:00
David S. Miller
e1cc1c5780 Merge branch 'net-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/chris/linux-2.6 2009-05-09 13:20:46 -07:00
Florian Westphal
9d34d1a20e bonding: fix panic if initialization fails
If module initialisation failed (e.g. because the bonding sysfs entry
cannot be created), kernel panics:
 IP: [<ffffffff8024910a>] destroy_workqueue+0x2d/0x146
Call Trace:
 [<ffffffff808268c4>] bond_destructor+0x28/0x78
 [<ffffffff80b64471>] netdev_run_todo+0x231/0x25a
 [<ffffffff80b6dbcd>] rtnl_unlock+0x9/0xb
 [<ffffffff81567907>] bonding_init+0x83e/0x84a

Remove the calls to bond_work_cancel_all() and destroy_workqueue();
both are also called/scheduled via bond_free_all().

bond_destroy_sysfs is unecessary because the sysfs entry has
not been created in the error case.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: Jiri Pirko <jpirko@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-05-09 13:19:47 -07:00
Krzysztof Hałasa
7aa6a4786e IXP4xx: complete Ethernet netdev setup before calling register_netdev().
Signed-off-by: Krzysztof Hałasa <khc@pm.waw.pl>
2009-05-09 14:57:57 +02:00
Krzysztof Hałasa
3ba8c79205 IXP4xx: use "ENODEV" instead of "ENOSYS" in module initialization.
ENOSYS makes modutils complain about missing kernel module support.

Signed-off-by: Krzysztof Hałasa <khc@pm.waw.pl>
2009-05-09 14:55:52 +02:00
Michael Chan
581daf7e00 bnx2: Fix panic in bnx2_poll_work().
Add barrier() to bnx2_get_hw_{tx|rx}_cons() to fix this issue:

http://bugzilla.kernel.org/show_bug.cgi?id=12698

This issue was reported by multiple i386 users.  Without barrier(),
the compiled code looks like the following where %eax contains the
address of the tx_cons or rx_cons in the DMA status block.  The
status block contents can change between the cmpb and the movzwl
instruction.  The driver would crash if the value was not 0xff during
the cmpb instruction, but changed to 0xff during the movzwl
instruction.

6828:	80 38 ff             	cmpb   $0xff,(%eax)
682b:	0f b7 10             	movzwl (%eax),%edx

With the added barrier(), the compiled code now looks correct:

683d:	0f b7 10             	movzwl (%eax),%edx
6840:	0f b6 c2             	movzbl %dl,%eax
6843:	3d ff 00 00 00       	cmp    $0xff,%eax

Thanks to Pascal de Bruijn <pmjdebruijn@pcode.nl> for reporting the
problem and Holger Noefer <hnoefer@pironet-ndh.com> for patiently
testing test patches for us.

Also updated version to 2.0.1.

Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-05-06 16:46:47 -07:00
Alexander Duyck
77a22941f9 igb: resolve panic on shutdown when SR-IOV is enabled
The setup_rctl call was making a call into the ring structure after it had
been freed.  This was causing a panic on shutdown.  This call wasn't
necessary since it is possible to get the needed index from
adapter->vfs_allocated_count.

Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-05-06 16:43:48 -07:00
David S. Miller
86b698b8cb Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2009-05-05 11:56:07 -07:00
Linus Torvalds
80445de577 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (30 commits)
  e1000: fix virtualization bug
  bonding: fix alb mode locking regression
  Bluetooth: Fix issue with sysfs handling for connections
  usbnet: CDC EEM support (v5)
  tcp: Fix tcp_prequeue() to get correct rto_min value
  ehea: fix invalid pointer access
  ne2k-pci: Do not register device until initialized.
  Subject: [PATCH] br2684: restore net_dev initialization
  net: Only store high 16 bits of kernel generated filter priorities
  virtio_net: Fix function name typo
  virtio_net: Cleanup command queue scatterlist usage
  bonding: correct the cleanup in bond_create()
  virtio: add missing include to virtio_net.h
  smsc95xx: add support for LAN9512 and LAN9514
  smsc95xx: configure LED outputs
  netconsole: take care of NETDEV_UNREGISTER event
  xt_socket: checks for the state of nf_conntrack
  bonding: bond_slave_info_query() fix
  cxgb3: fixing gcc 4.4 compiler warning: suggest parentheses around operand of ‘!’
  netfilter: use likely() in xt_info_rdlock_bh()
  ...
2009-05-05 08:26:10 -07:00