linux-2.6
15 years agolibertas: Read buffer overflow
Roel Kluin [Sun, 2 Aug 2009 07:44:12 +0000 (09:44 +0200)] 
libertas: Read buffer overflow

Check whether index is within bounds before testing the element.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agodrivers/net/wireless: introduce missing kfree
Julia Lawall [Sat, 1 Aug 2009 08:55:53 +0000 (10:55 +0200)] 
drivers/net/wireless: introduce missing kfree

Error handling code following a kzalloc should free the allocated data.

The semantic match that finds the problem is as follows:
(http://www.emn.fr/x-info/coccinelle/)

// <smpl>
@r exists@
local idexpression x;
statement S;
expression E;
identifier f,f1,l;
position p1,p2;
expression *ptr != NULL;
@@

x@p1 = \(kmalloc\|kzalloc\|kcalloc\)(...);
...
if (x == NULL) S
<... when != x
     when != if (...) { <+...x...+> }
(
x->f1 = E
|
 (x->f1 == NULL || ...)
|
 f(...,x->f1,...)
)
...>
(
 return \(0\|<+...x...+>\|ptr\);
|
 return@p2 ...;
)

@script:python@
p1 << r.p1;
p2 << r.p2;
@@

print "* file: %s kmalloc %s return %s" % (p1[0].file,p1[0].line,p2[0].line)
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agodrivers/net/wireless/iwlwifi: introduce missing kfree
Julia Lawall [Mon, 3 Aug 2009 09:11:45 +0000 (11:11 +0200)] 
drivers/net/wireless/iwlwifi: introduce missing kfree

Move orthogonal error handling code up before a kzalloc, so that it
doesn't have to free the allocated data.

The semantic match that finds the problem is as follows:
(http://www.emn.fr/x-info/coccinelle/)

// <smpl>
@r exists@
local idexpression x;
statement S;
expression E;
identifier f,f1,l;
position p1,p2;
expression *ptr != NULL;
@@

x@p1 = \(kmalloc\|kzalloc\|kcalloc\)(...);
...
if (x == NULL) S
<... when != x
     when != if (...) { <+...x...+> }
(
x->f1 = E
|
 (x->f1 == NULL || ...)
|
 f(...,x->f1,...)
)
...>
(
 return \(0\|<+...x...+>\|ptr\);
|
 return@p2 ...;
)

@script:python@
p1 << r.p1;
p2 << r.p2;
@@

print "* file: %s kmalloc %s return %s" % (p1[0].file,p1[0].line,p2[0].line)
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Acked-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agozd1211rw: fix unaligned access in zd_mac_rx
Patrick Simmons [Sun, 2 Aug 2009 08:46:28 +0000 (02:46 -0600)] 
zd1211rw: fix unaligned access in zd_mac_rx

Fix an unaligned memory access in the zd_mac_rx function of zd1211rw
that causes problems on SPARC64.

Signed-off-by: Patrick Simmons <linuxrocks123@netscape.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agocfg80211: fix regression on beacon world roaming feature
Luis R. Rodriguez [Fri, 31 Jul 2009 00:43:48 +0000 (17:43 -0700)] 
cfg80211: fix regression on beacon world roaming feature

A regression was added through patch a4ed90d6:

"cfg80211: respect API on orig_flags on channel for beacon hint"

We did indeed respect _orig flags but the intention was not clearly
stated in the commit log. This patch fixes firmware issues picked
up by iwlwifi when we lift passive scan of beaconing restrictions
on channels its EEPROM has been configured to always enable.

By doing so though we also disallowed beacon hints on devices
registering their wiphy with custom world regulatory domains
enabled, this happens to be currently ath5k, ath9k and ar9170.
The passive scan and beacon restrictions on those devices would
never be lifted even if we did find a beacon and the hardware did
support such enhancements when world roaming.

Since Johannes indicates iwlwifi firmware cannot be changed to
allow beacon hinting we set up a flag now to specifically allow
drivers to disable beacon hints for devices which cannot use them.

We enable the flag on iwlwifi to disable beacon hints and by default
enable it for all other drivers. It should be noted beacon hints lift
passive scan flags and beacon restrictions when we receive a beacon from
an AP on any 5 GHz non-DFS channels, and channels 12-14 on the 2.4 GHz
band. We don't bother with channels 1-11 as those channels are allowed
world wide.

This should fix world roaming for ath5k, ath9k and ar9170, thereby
improving scan time when we receive the first beacon from any AP,
and also enabling beaconing operation (AP/IBSS/Mesh) on cards which
would otherwise not be allowed to do so. Drivers not using custom
regulatory stuff (wiphy_apply_custom_regulatory()) were not affected
by this as the orig_flags for the channels would have been cleared
upon wiphy registration.

I tested this with a world roaming ath5k card.

Cc: Jouni Malinen <jouni.malinen@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agocfg80211: add two missing NULL pointer checks
Johannes Berg [Wed, 29 Jul 2009 20:07:44 +0000 (22:07 +0200)] 
cfg80211: add two missing NULL pointer checks

These pointers can be NULL, the is_mesh() case isn't
ever hit in the current kernel, but cmp_ies() can be
hit under certain conditions.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Cc: stable@kernel.org [2.6.29, 2.6.30]
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agomlx4_en: Fix double pci unmapping.
Yevgeny Petrilin [Mon, 3 Aug 2009 03:22:18 +0000 (20:22 -0700)] 
mlx4_en: Fix double pci unmapping.

In cases of fragmented skb, with the data pointers being wrapped around
the TX buffer, the completion handling code would not forward the data
pointer and the firs fragment was unmapped several times, while others
were not unmapped at all.

Signed-off-by: Yevgeny Petrilin <yevgenyp@mellanox.co.il>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agomISDN: Fix handling of receive buffer size in L1oIP
Andreas Eversberg [Mon, 27 Jul 2009 07:24:04 +0000 (07:24 +0000)] 
mISDN: Fix handling of receive buffer size in L1oIP

The size of receive buffer pointer was used to get size of
receive buffer instead of recvbuf_size itself, so only 4/8
bytes could be transfered.

This is a regression to 2.6.30 introduced by commit 8c90e11e3543d7de612194a042a148caeaab5f1d
mISDN: Use kernel_{send,recv}msg instead of open coding

Signed-off-by: Andreas Eversberg <andreas@eversberg.eu>
Signed-off-by: Karsten Keil <keil@b1-systems.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agopcnet32: VLB support fixes
Don Fry [Fri, 31 Jul 2009 08:45:29 +0000 (08:45 +0000)] 
pcnet32: VLB support fixes

VLB support has been broken since at least 2004-2005 period as some
changes introduced back then assumed that ->pci_dev is always valid,
lets try to fix it:

- remove duplicated SET_NETDEV_DEV() call

- call SET_NETDEV_DEV() only for PCI devices

- check for ->pci_dev validity in pcnet32_open()

[ Alternatively we may consider removing VLB support but there would not
  be much gain in it since an extra driver code needed for VLB support is
  minimal and quite simple. ]

This takes care of the following entry from Dan's list:

drivers/net/pcnet32.c +1889 pcnet32_probe1(298) warning: variable derefenced before check 'pdev'

Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Acked-by: Don Fry <pcnet32@verizon.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agopcnet32: remove superfluous NULL pointer check in pcnet32_probe1()
Don Fry [Fri, 31 Jul 2009 08:40:06 +0000 (08:40 +0000)] 
pcnet32: remove superfluous NULL pointer check in pcnet32_probe1()

Move the debug printk() into the proper place and remove superfluous
NULL pointer check in pcnet32_probe1().

This takes care of the following entry from Dan's list:

drivers/net/pcnet32.c +1889 pcnet32_probe1(298) warning: variable derefenced before check 'pdev'

Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Acked-by: Don Fry <pcnet32@verizon.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agonet: restore the original spinlock to protect unicast list
Jiri Pirko [Thu, 30 Jul 2009 01:06:12 +0000 (01:06 +0000)] 
net: restore the original spinlock to protect unicast list

There is a path when an assetion in dev_unicast_sync() appears.

igmp6_group_added -> dev_mc_add -> __dev_set_rx_mode ->
-> vlan_dev_set_rx_mode -> dev_unicast_sync

Therefore we cannot protect this list with rtnl. This patch restores the
original protecting this list with spinlock.

Signed-off-by: Jiri Pirko <jpirko@redhat.com>
Tested-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agonetxen: fix coherent dma mask setting
Dhananjay Phadke [Sat, 1 Aug 2009 21:36:16 +0000 (21:36 +0000)] 
netxen: fix coherent dma mask setting

Change default dma mask for NX3031 to 39 bit with ability
to update it to 64-bit (if firmware indicates support). Old
code was restricting it under 4GB (32-bit), sometimes causing
failure to allocate descriptor rings on heavily populated
system. NX2031 based NICs will still get 32-bit coherent mask.

Signed-off-by: Dhananjay Phadke <dhananjay@netxen.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agomISDN: Read buffer overflow
roel kluin [Fri, 31 Jul 2009 03:43:59 +0000 (03:43 +0000)] 
mISDN: Read buffer overflow

Check whether index is within bounds before testing the element.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Acked-by: Karsten Keil <keil@b1-systems.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agos6gmac: Read buffer overflow
roel kluin [Sat, 1 Aug 2009 20:20:13 +0000 (20:20 +0000)] 
s6gmac: Read buffer overflow

Check whether index is within bounds before testing the element.
In the last iteration i is PHY_MAX_ADDR. the condition
`!(p = pd->mii.bus->phy_map[PHY_MAX_ADDR])' is undefined and may
evaluate to false, which leads to a dereference of this invalid
phy_map in the phy_connect() below.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agotulip: Read buffer overflow
roel kluin [Sat, 1 Aug 2009 20:26:52 +0000 (20:26 +0000)] 
tulip: Read buffer overflow

Check whether index is within bounds before testing the element.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agonet: net_assign_generic() fix
Eric Dumazet [Tue, 28 Jul 2009 02:36:15 +0000 (02:36 +0000)] 
net: net_assign_generic() fix

memcpy() should take into account size of pointers,
not only number of pointers to copy.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agopppol2tp: calls unregister_pernet_gen_device() at unload time
Eric Dumazet [Tue, 28 Jul 2009 03:47:39 +0000 (03:47 +0000)] 
pppol2tp: calls unregister_pernet_gen_device() at unload time

Failure to call unregister_pernet_gen_device() can exhaust memory
if module is loaded/unloaded many times.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Cyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agoppp: fix lost fragments in ppp_mp_explode() (resubmit)
Ben McKeegan [Tue, 28 Jul 2009 07:43:57 +0000 (07:43 +0000)] 
ppp: fix lost fragments in ppp_mp_explode() (resubmit)

This patch fixes the corner cases where the sum of MTU of the free
channels (adjusted for fragmentation overheads) is less than the MTU
of PPP link.  There are at least 3 situations where this case might
arise:

- some of the channels are busy

- the multilink session is running in a degraded state (i.e. with less
than its full complement of active channels)

- by design, where multilink protocol is being used to artificially
increase the effective link MTU of a single link.

Without this patch, at most 1 fragment is ever sent per free channel
for a given PPP frame and any remaining part of the PPP frame that
does not fit into those fragments is silently discarded.

This patch restores the original behaviour which was broken by commit
9c705260feea6ae329bc6b6d5f6d2ef0227eda0a 'ppp:ppp_mp_explode()
redesign'.  Once all 'free' channels have been given a fragment, an
additional fragment is queued to each available channel in turn, as many
times as necessary, until the entire PPP frame has been consumed.

Signed-off-by: Ben McKeegan <ben@netservers.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agoixgbe: Fix RSC completion delay causing Rx interrupts to stop
Peter P Waskiewicz Jr [Thu, 30 Jul 2009 12:26:00 +0000 (12:26 +0000)] 
ixgbe: Fix RSC completion delay causing Rx interrupts to stop

When a user disables interrupt throttling with ethtool on 82599 devices,
the interrupt timer may not be re-enabled if hardware RSC is running.  The
RSC completions in hardware don't complete before the next ITR event tries
to fire, so the ITR timer never gets re-armed.  This patch increases the
amount of time between interrupts when throttling is disabled (rx-usecs =
0) when the hardware RSC deature is enabled.

Signed-off-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agoixgbe: Fix usage of second flags bitmap when using LRO/RSC
Peter P Waskiewicz Jr [Thu, 30 Jul 2009 12:25:28 +0000 (12:25 +0000)] 
ixgbe: Fix usage of second flags bitmap when using LRO/RSC

A second set of feature flag bits was added, and the hardware RSC engine
flags were moved there.  However, the code itself didn't make the move
completely to use the new bitmap.

Signed-off-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Acked-by: Mallikarjuna R Chilakala <mallikarjuna.chilakala@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agoixgbe: Fix netpoll to be properly multiqueue aware
Peter P Waskiewicz Jr [Thu, 30 Jul 2009 12:25:09 +0000 (12:25 +0000)] 
ixgbe: Fix netpoll to be properly multiqueue aware

Our ndo_poll_controller callback is broken for anything but non-multiqueue
setups.  This fixes that issue.

Signed-off-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agogianfar: fix coalescing setup in ethtool support
Jiajun Wu [Thu, 30 Jul 2009 21:20:42 +0000 (14:20 -0700)] 
gianfar: fix coalescing setup in ethtool support

Parameter order for using mk_ic_value(count, time) was reversed,
the patch fixes this.

Signed-off-by: Jiajun Wu <b06378@freescale.com>
Signed-off-by: Li Yang <leoli@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agopppoe: fix /proc/net/pppoe
Eric Dumazet [Tue, 28 Jul 2009 23:43:08 +0000 (23:43 +0000)] 
pppoe: fix /proc/net/pppoe

If a socket is hashed in last slot of pppoe hash table (PPPOE_HASH_SIZE-1)
we report it many times (up to filling seq buffer)
(Only the last socket of last slot)

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agoeexpress: Read buffer overflow
roel kluin [Wed, 29 Jul 2009 03:18:56 +0000 (03:18 +0000)] 
eexpress: Read buffer overflow

start_code is 69 words, but the code always writes a multiple of 16 words,
so the last 11 words written are outside the array.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agoipv4: ARP neigh procfs buffer overflow
roel kluin [Wed, 29 Jul 2009 23:46:59 +0000 (23:46 +0000)] 
ipv4: ARP neigh procfs buffer overflow

If arp_format_neigh_entry() can be called with n->dev->addr_len == 0, then a
write to hbuffer[-1] occurs.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years ago3c515: Write outside array bounds
roel kluin [Thu, 30 Jul 2009 00:26:32 +0000 (00:26 +0000)] 
3c515: Write outside array bounds

if dev_alloc_skb() fails on the first iteration, a write to
cp->rx_ring[-1] occurs.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agodocbook: fix printk of ip address
Tobias Klauser [Thu, 30 Jul 2009 20:10:50 +0000 (13:10 -0700)] 
docbook: fix printk of ip address

Use the %pI4 format string instead of %d.%d.%d.%d and NIPQUAD.

Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agoiscsi: Use GFP_ATOMIC in iscsi_offload_mesg().
Michael Chan [Wed, 29 Jul 2009 08:49:52 +0000 (08:49 +0000)] 
iscsi: Use GFP_ATOMIC in iscsi_offload_mesg().

Changing to GFP_ATOMIC because the only caller in cnic/bnx2i may
be calling this function while holding spin_lock.

This problem was discovered by Mike Christie.

Signed-off-by: Michael Chan <mchan@broadcom.com>
Acked-by: Mike Christie <michaelc@cs.wisc.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agonet/netlabel: Add kmalloc NULL tests
Julia Lawall [Thu, 30 Jul 2009 04:38:19 +0000 (04:38 +0000)] 
net/netlabel: Add kmalloc NULL tests

The test on map4 should be a test on map6.

The semantic match that finds this problem is as follows:
(http://www.emn.fr/x-info/coccinelle/)

// <smpl>
@@
expression *x;
identifier f;
constant char *C;
@@

x = \(kmalloc\|kcalloc\|kzalloc\)(...);
... when != x == NULL
    when != x != NULL
    when != (x || ...)
(
kfree(x)
|
f(...,C,...,x,...)
|
*f(...,x,...)
|
*x->f
)
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Acked-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirel...
David S. Miller [Thu, 30 Jul 2009 17:35:45 +0000 (10:35 -0700)] 
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6

15 years agomac80211: fix suspend
Johannes Berg [Tue, 28 Jul 2009 16:10:17 +0000 (18:10 +0200)] 
mac80211: fix suspend

Jan reported that his b43-based laptop hangs during suspend.
The problem turned out to be mac80211 asking the driver to
stop the hardware before removing interfaces, and interface
removal caused b43 to touch the hardware (while down, which
causes the hang).

This patch fixes mac80211 to do reorder these operations to
have them in the correct order -- first remove interfaces
and then stop the hardware. Some more code is necessary to
be able to do so in a race-free manner, in particular it is
necessary to not process frames received during quiescing.

Fixes http://bugzilla.kernel.org/show_bug.cgi?id=13337.

Reported-by: Jan Scholz <scholz@fias.uni-frankfurt.de>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agolibertas: Read buffer overflow
Roel Kluin [Tue, 28 Jul 2009 10:05:00 +0000 (12:05 +0200)] 
libertas: Read buffer overflow

Several arrays were read before checking whether the index was within
bounds. ARRAY_SIZE() should be used to determine the size of arrays.

rates->rates has an arraysize of 1, so calling get_common_rates()
with a rates_size of MAX_RATES (14) was causing reads out of bounds.

tmp_size can increment at most to (ARRAY_SIZE(lbs_bg_rates) - 1) *
(*rates_size - 1), so that should be the number of elements of tmp[].

A goto can be eliminated: ret was already set upon its declaration.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agolibertas: Read outside array bounds
Roel Kluin [Tue, 28 Jul 2009 07:59:47 +0000 (09:59 +0200)] 
libertas: Read outside array bounds

reads bss->rates[j] before checking bounds of index, and should use
ARRAY_SIZE to determine the size of the array.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Acked-by: Holger Schurig <hs4233@mail.mn-solutions.de>
Acked-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agoip: fix logic of reverse path filter sysctl
Stephen Hemminger [Tue, 28 Jul 2009 01:39:45 +0000 (18:39 -0700)] 
ip: fix logic of reverse path filter sysctl

Even though reverse path filter was changed from simple boolean to
trinary control, the loose mode only works if both all and device are
configured because of this logic error.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agomac80211: do not queue work after suspend in the dynamic ps timer
Luis R. Rodriguez [Mon, 27 Jul 2009 15:38:25 +0000 (08:38 -0700)] 
mac80211: do not queue work after suspend in the dynamic ps timer

Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agoiwlwifi: Read outside array bounds
Roel Kluin [Sat, 25 Jul 2009 21:34:31 +0000 (23:34 +0200)] 
iwlwifi: Read outside array bounds

tid is bounded (above) by the size of default_tid_to_tx_fifo (17 elements), but
the size of priv->stations[].tid[] is MAX_TID_COUNT (9) elements.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agoath9k: Read outside array bounds
Roel Kluin [Sat, 25 Jul 2009 21:21:22 +0000 (23:21 +0200)] 
ath9k: Read outside array bounds

Incorrect limits leads to reads outside array bounds.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Acked-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agoairo: Buffer overflow
Roel Kluin [Sat, 25 Jul 2009 21:02:32 +0000 (23:02 +0200)] 
airo: Buffer overflow

SSID_rid has space for only 3 ssids.
txPowerLevels[i] is read before the bounds check for i

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Acked-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agowireless: ERR_PTR vs null
Dan Carpenter [Sat, 25 Jul 2009 12:22:59 +0000 (15:22 +0300)] 
wireless: ERR_PTR vs null

iwm_wdev_alloc() returns an ERR_PTR on failure and not null.  It also
prints its own dev_err() message so I removed that as well.

Compile tested only.  Sorry.
Found by smatch (http://repo.or.cz/w/smatch.git).

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agoiwlagn: fix minimum number of queues setting
reinette chatre [Tue, 21 Jul 2009 16:29:07 +0000 (09:29 -0700)] 
iwlagn: fix minimum number of queues setting

We need to provide a reasonable minimum that will result in a
working setup if used. Set minimum to be 10 to provide for
4 standard TX queues + 1 command queue + 2 (unused) HCCA queues +
4 HT queues (one per AC).

We allow the user to change the number of queues used via a module
parameter and use this minimum value to check if it is valid. Without
this patch a user can select a value for the number of queues that
will result in a failing setup.

Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Reviewed-by: Tomas Winkler <tomas.winkler@intel.com>
Acked-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agoiwlwifi: fix TX queue race
Johannes Berg [Fri, 24 Jul 2009 18:13:14 +0000 (11:13 -0700)] 
iwlwifi: fix TX queue race

I had a problem on 4965 hardware (well, probably other hardware too,
but others don't survive my stress testing right now, unfortunately)
where the driver was sending invalid commands to the device, but no
such thing could be seen from the driver's point of view. I could
reproduce this fairly easily by sending multiple TCP streams with
iperf on different TIDs, though sometimes a single iperf stream was
sufficient. It even happened with a single core, but I have forced
preemption turned on.

The culprit was a queue overrun, where we advanced the queue's write
pointer over the read pointer. After careful analysis I've come to
the conclusion that the cause is a race condition between iwlwifi
and mac80211.

mac80211, of course, checks whether the queue is stopped, before
transmitting a frame. This effectively looks like this:

        lock(queues)
        if (stopped(queue)) {
                unlock(queues)
                return busy;
}
        unlock(queues)
        ...             <-- this place will be important
    there is some more code here
        drv_tx(frame)

The driver, on the other hand, can stop and start queues, which does

        lock(queues)
        mark_running/stopped(queue)
        unlock(queues)

[if marked running: wake up tasklet to send pending frames]

Now, however, once the driver starts the queue, mac80211 can see that
and end up at the marked place above, at which point for some reason the
driver seems to stop the queue again (I don't understand that) and then
we end up transmitting while the queue is actually full.

Now, this shouldn't actually matter much, but for some reason I've seen
it happen multiple times in a row and the queue actually overflows, at
which point the queue bites itself in the tail and things go completely
wrong.

This patch fixes this by just dropping the packet should this have
happened, and making the lock in iwlwifi cover everything so iwlwifi
can't race against itself (dropping the lock there might make it more
likely, but it did seem to happen without that too).

Since we can't hold the lock across drv_tx() above, I see no way to fix
this in mac80211, but I also don't understand why I haven't seen this
before -- maybe I just never stress tested it this badly.

With this patch, the device has survived many minutes of simultanously
sending two iperf streams on different TIDs with combined throughput
of about 60 Mbps.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agocnic: Fix ISCSI_KEVENT_IF_DOWN message handling.
Michael Chan [Mon, 27 Jul 2009 18:25:58 +0000 (11:25 -0700)] 
cnic: Fix ISCSI_KEVENT_IF_DOWN message handling.

When a net device goes down or when the bnx2i driver is unloaded,
the code was not generating the ISCSI_KEVENT_IF_DOWN message
properly and this could cause the userspace driver to crash.

This is fixed by sending the message properly in the shutdown path.
cnic_uio_stop() is also added to send the message when bnx2i is
unregistering.

Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agonet: irda: init spinlock after memcpy
Deepak Saxena [Mon, 27 Jul 2009 17:49:44 +0000 (10:49 -0700)] 
net: irda: init spinlock after memcpy

irttp_dup() copies a tsap_cb struct, but does not initialize the
spinlock in the new structure, which confuses lockdep.

Signed-off-by: Deepak Saxena <dsaxena@mvista.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agoixgbe: fix for 82599 errata marking UDP checksum errors
Don Skidmore [Thu, 23 Jul 2009 18:00:39 +0000 (18:00 +0000)] 
ixgbe: fix for 82599 errata marking UDP checksum errors

There is an 82599 errata that UDP frames with a zero checksum are
incorrectly marked as checksum invalid by the hardware.  This was
leading to misleading hw_csum_rx_error counts. This patch adds a
test around this counter increase for this condition.

Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agor8169: WakeOnLan fix for the 8168
françois romieu [Fri, 24 Jul 2009 12:34:19 +0000 (12:34 +0000)] 
r8169: WakeOnLan fix for the 8168

More stuff for http://bugzilla.kernel.org/show_bug.cgi?id=9512

Some 8168 are unable to WoL when receiving is not enabled (plain
old 8169 do not seem to care).

It is not exactly pretty to leave the receiver enabled but we
should now enable DMA late enough for it to be safe. Some late
stage boot failure due to pxe and friends may benefit from the
delayed enabling of bus-mastering as well.

Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Tested-by: Jaromír Cápík <tavvva@volny.cz>
Cc: Edward Hsu <edward_hsu@realtek.com.tw>
15 years agonetxen: reset ring consumer during cleanup
Dhananjay Phadke [Mon, 27 Jul 2009 03:17:21 +0000 (20:17 -0700)] 
netxen: reset ring consumer during cleanup

Reset consumer of status rings to 0 when cleaning
up sw resources. Status rings are not deleted
during suspend since they have napi objects.

This ensures correct rx processing across suspen-resume.

Signed-off-by: Dhananjay Phadke <dhananjay@netxen.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agonet/bridge: use kobject_put to release kobject in br_add_if error path
Xiaotian Feng [Thu, 23 Jul 2009 23:06:32 +0000 (23:06 +0000)] 
net/bridge: use kobject_put to release kobject in br_add_if error path

kobject_init_and_add will alloc memory for kobj->name, so in br_add_if
error path, simply use kobject_del will not free memory for kobj->name.
Fix by using kobject_put instead, kobject_put will internally calls
kobject_del and frees memory for kobj->name.

Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
Acked-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agosmc91x.h: add config for Nomadik evaluation kit
Alessandro Rubini [Wed, 22 Jul 2009 12:49:08 +0000 (12:49 +0000)] 
smc91x.h: add config for Nomadik evaluation kit

Signed-off-by: Alessandro Rubini <rubini@unipv.it>
Acked-by: Andrea Gallo <andrea.gallo@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agoNET: ROSE: Don't use static buffer.
Ralf Baechle [Mon, 27 Jul 2009 02:11:14 +0000 (19:11 -0700)] 
NET: ROSE: Don't use static buffer.

The use of a static buffer in rose2asc() to return its result is not
threadproof and can result in corruption if multiple threads are trying
to use one of the procfs files based on rose2asc().

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agoeepro: Read buffer overflow
Roel Kluin [Mon, 27 Jul 2009 01:53:17 +0000 (18:53 -0700)] 
eepro: Read buffer overflow

io[i] is read before the bounds check on i, order should be reversed

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agotokenring: Read buffer overflow
roel kluin [Sat, 25 Jul 2009 12:38:33 +0000 (12:38 +0000)] 
tokenring: Read buffer overflow

io[i] is read before the bounds check on i, order should be reversed

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agoat1700: Read buffer overflow
roel kluin [Sat, 25 Jul 2009 12:01:50 +0000 (12:01 +0000)] 
at1700: Read buffer overflow

loop bound looks to be wrong, for an array of length 8

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agofealnx: Write outside array bounds
roel kluin [Sat, 25 Jul 2009 07:41:12 +0000 (07:41 +0000)] 
fealnx: Write outside array bounds

phy_idx is checked to be < 4, but np->phys[] is 2 elements long

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agoixgbe: remove unnecessary call to device_init_wakeup
Andy Gospodarek [Wed, 22 Jul 2009 09:34:00 +0000 (09:34 +0000)] 
ixgbe: remove unnecessary call to device_init_wakeup

Calls to device_init_wakeup should not be necessary in drivers that use
device_set_wakeup_enable since pci_pm_init will set the can_wakeup flag
for the device when initialized.

Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
Acked-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agoixgbe: Don't priority tag control frames in DCB mode
Lucy Liu [Wed, 22 Jul 2009 14:07:33 +0000 (14:07 +0000)] 
ixgbe: Don't priority tag control frames in DCB mode

Certain types of control packets (LLDP, LACP, etc.) are not supposed to have a
priority tag or vlan tag inserted.  Ixgbe driver is currently priority
tagging everything (if packet is not on a VLAN interface).

This patch modifies DCB mode, so that packets marked with skb priority
TC_PRIO_CONTROL are not priority tagged.  It also transmits these packets on
the highest priority traffic class.
Programs (like dcbd) can set the skb priority using a socket option.  Or, a tc
filter can be configured to set the priority value. Using the value
TC_PRIO_CONTROL (7) has the benefit that it is already defined in the kernel,
and the bonding LACP code already sets the skb->priority field to this value.

Signed-off-by: Lucy Liu <lucy.liu@intel.com>
Acked-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agoixgbe: Enable FCoE offload when DCB is enabled for 82599
Yi Zou [Wed, 22 Jul 2009 14:07:12 +0000 (14:07 +0000)] 
ixgbe: Enable FCoE offload when DCB is enabled for 82599

Currently, FCoE offload feature is turned on when the kernel config has
CONFIG_FCOE or CONFIG_FCOE_MODULE set. However, we really want to turn
FCoE offload on when there is FCoE traffic passing and turn it off when
it's just LAN traffic. Since FCoE depends on a lossless network provided
by DCB, this allows us to have FCoE turned on/off when user turns on DCB
using dcbtool.

Signed-off-by: Yi Zou <yi.zou@intel.com>
Acked-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agonet: Rework mdio-ofgpio driver to use of_mdio infrastructure
Mark Ware [Thu, 23 Jul 2009 17:56:48 +0000 (10:56 -0700)] 
net: Rework mdio-ofgpio driver to use of_mdio infrastructure

Changes to the fs_enet driver aa73832c5a80d6c52c69b18af858d88fa595dd3c
("net: Rework fs_enet driver to use of_mdio infrastructure")
cause kernel crashes when using the mdio-ofgpio driver.

This patch replicates similar changes made to the fs_enet mii-bitbang
drivers.  It has been tested on a custom mpc8280 based board using an
NFS mounted root.

Signed-off-by: Mark Ware <mware@elphinstone.net>
Acked-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agoregister at91_ether using platform_driver_probe
Uwe Kleine-König [Tue, 21 Jul 2009 10:11:39 +0000 (10:11 +0000)] 
register at91_ether using platform_driver_probe

at91ether_probe lives in .init.text, so using platform_driver_register
to register it is wrong because binding a device after the init memory
is discarded (e.g. via sysfs) results in an oops.

As requested by David Brownell platform_driver_probe is used instead of
moving the probe function to .devinit.text as proposed initially.
This saves some memory, but devices registered after the driver is
probed are not bound (probably there are none) and binding via sysfs
isn't possible.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Acked-by: David Brownell <dbrownell@users.sourceforge.net>
Acked-by: Andrew Victor <linux@maxim.org.za>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agoskge: Enable WoL by default if supported
Rafael J. Wysocki [Wed, 22 Jul 2009 02:58:55 +0000 (02:58 +0000)] 
skge: Enable WoL by default if supported

If skge hardware is capable of waking up the system from sleep,
enable magic packet WoL during driver initialisation.

This makes WoL work without calling 'ethtool -s ethX wol g'
for each adapter.

Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Tested-by: Michael Guntsche <mike@it-loops.com>
Acked-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirel...
David S. Miller [Wed, 22 Jul 2009 18:18:40 +0000 (11:18 -0700)] 
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6

15 years agonet: KS8851 needs to depend on MII
Alexander Beregalov [Wed, 22 Jul 2009 01:16:51 +0000 (01:16 +0000)] 
net: KS8851 needs to depend on MII

fix this build error when CONFIG_MII is not set
drivers/net/ks8851.c:999: undefined reference to `generic_mii_ioctl'
drivers/net/ks8851.c:1050: undefined reference to `mii_link_ok'
drivers/net/ks8851.c:1056: undefined reference to `mii_nway_restart'
drivers/net/ks8851.c:1044: undefined reference to `mii_ethtool_sset'
drivers/net/ks8851.c:1038: undefined reference to `mii_ethtool_gset'

Signed-off-by: Alexander Beregalov <a.beregalov@gmail.com>
Acked-by: Ben Dooks <ben@simtec.co.uk>
15 years agobe2net: Bug fix in the non-lro path. Size of received packet was not updated in stati...
Ajit Khaparde [Wed, 22 Jul 2009 16:28:55 +0000 (09:28 -0700)] 
be2net: Bug fix in the non-lro path. Size of received packet was not updated in statistics properly.

This patch fixes a bug in the non-lro path.  Wrong size of received
packet was being passed for updating receive statistics.  This patch
is against the net-2.6 git.

Signed-off-by: Ajit Khaparde <ajitk@serverengines.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agoucc_geth: Revive fixed link support
Anton Vorontsov [Thu, 16 Jul 2009 21:31:47 +0000 (21:31 +0000)] 
ucc_geth: Revive fixed link support

Since commit 0b9da337dca972e7a4144e298ec3adb8f244d4a4 ("Rework
ucc_geth driver to use of_mdio infrastructure") the fixed-link
support is broken.

This patch fixes the support by removing !ug_info->phy_node check,
and adds a call to of_phy_connect_fixed_link() if a phy is not attached
to the MAC.

Also, remove an old fixed-link code that we don't use any longer.

Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agogianfar: Revive fixed link support
Anton Vorontsov [Thu, 16 Jul 2009 21:31:42 +0000 (21:31 +0000)] 
gianfar: Revive fixed link support

Since commit fe192a49118f5b1272317d60c7930ece4e13ae49 ("Rework gianfar
driver to use of_mdio infrastructure") the fixed-link support is
broken, the driver oopses at init_phy():

  Unable to handle kernel paging request for data at address 0x000000e4
  Faulting instruction address: 0xc01cf298
  Oops: Kernel access of bad area, sig: 11 [#1]
  [...]
  NIP [c01cf298] init_phy+0x80/0xdc
  LR [c01cf250] init_phy+0x38/0xdc
  Call Trace:
  [cf81fe80] [c01d1cf8] gfar_enet_open+0x6c/0x19c
  [cf81fea0] [c024494c] dev_open+0xfc/0x134
  [cf81fec0] [c0242edc] dev_change_flags+0x84/0x1ac
  [cf81fee0] [c0399ee0] ic_open_devs+0x168/0x2d8
  [cf81ff20] [c039b2e8] ip_auto_config+0x90/0x2a4
  [cf81ff60] [c0003884] do_one_initcall+0x34/0x1a8

This patch fixes the oops, and removes phy_node checks, and adds a call
to of_phy_connect_fixed_link() if a phy isn't attached..

Also, remove an old fixed-link code that we don't use any longer.

Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agofs_enet: Revive fixed link support
Anton Vorontsov [Thu, 16 Jul 2009 21:31:36 +0000 (21:31 +0000)] 
fs_enet: Revive fixed link support

Since commit aa73832c5a80d6c52c69b18af858d88fa595dd3c ("Rework
fs_enet driver to use of_mdio infrastructure") the fixed-link support
is broken in the fs_enet driver.

This patch fixes the support by removing a check for phy_node, and adding
a call to of_phy_connect_fixed_link().

Also set netdev parent device via SET_NETDEV_DEV() call, this is needed
so that OF MDIO core could find a node pointer for a device.

Plus, fix "if (IS_ERR(phydev))" check, in case of errors,
of_phy_connect() returns NULL, not ERR_PTR as phy_connect().

Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agoof/mdio: Add support function for Ethernet fixed-link property
Anton Vorontsov [Thu, 16 Jul 2009 21:31:31 +0000 (21:31 +0000)] 
of/mdio: Add support function for Ethernet fixed-link property

Fixed-link support is broken for the ucc_eth, gianfar, and fs_enet
device drivers.  The "OF MDIO rework" patches removed most of the
support. Instead of re-adding fixed-link stuff to the drivers, this
patch adds a support function for parsing the fixed-link property
and obtaining a dummy phy to match.

Note: the dummy phy handling in arch/powerpc is a bit of a hack and
needs to be reworked.  This function is being added now to solve the
regression in the Ethernet drivers, but it should be considered a
temporary measure until the fixed link handling can be reworked.

Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agosky2: Avoid races in sky2_down
Mike McCormack [Wed, 22 Jul 2009 03:57:56 +0000 (20:57 -0700)] 
sky2: Avoid races in sky2_down

Reset rx chain before trying to drain it.
Shut interrupts off last, incase there's something to report.

Signed-off-by: Mike McCormack <mikem@ring3k.org>
Acked-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agodrivers/net/mlx4: Adjust constant
Julia Lawall [Sun, 19 Jul 2009 06:09:25 +0000 (06:09 +0000)] 
drivers/net/mlx4: Adjust constant

The values in the advertising field are typically ADVERTISED_xxx, not
SUPPORTED_xxx.  Both SUPPORTED_10000baseT_Full and
ADVERTISED_1000baseT_Full have the same value.

The semantic match that finds this problem is as follows:
(http://www.emn.fr/x-info/coccinelle/)

// <smpl>
@@
struct ethtool_cmd E;
@@
*E.advertising = SUPPORTED_10000baseT_Full
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agodrivers/net: Move a dereference below a NULL test
Julia Lawall [Sun, 19 Jul 2009 05:26:35 +0000 (05:26 +0000)] 
drivers/net: Move a dereference below a NULL test

If the NULL test is necessary, then the dereference should be moved below
the NULL test.

The semantic patch that makes this change is as follows:
(http://www.emn.fr/x-info/coccinelle/)

// <smpl>
@@
type T;
expression E,E1;
identifier i,fld;
statement S;
@@

- T i = E->fld;
+ T i;
  ... when != E=E1
      when != i
  if (E == NULL||...) S
+ i = E->fld;
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agodrivers/net: Move a dereference below a NULL test
Julia Lawall [Sun, 19 Jul 2009 06:13:04 +0000 (06:13 +0000)] 
drivers/net: Move a dereference below a NULL test

If the NULL test is necessary, then the dereferences should be moved below
the NULL test.

The semantic patch that makes this change is as follows:
(http://www.emn.fr/x-info/coccinelle/)

// <smpl>
@@
type T;
expression E,E1;
identifier i,fld;
statement S;
@@

- T i = E->fld;
+ T i;
  ... when != E=E1
      when != i
  BUG_ON (E == NULL||...);
+ i = E->fld;
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agolibertas: Fix problem with broken V4 firmware on CF8381
Marek Vasut [Thu, 16 Jul 2009 17:19:53 +0000 (19:19 +0200)] 
libertas: Fix problem with broken V4 firmware on CF8381

Firmware V4 on CF8381 reports region code shifted by 1 byte to left.
The following patch checks for this and handles it properly.

Signed-off-by: Marek Vasut <marek.vasut@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agoath: add support for special 0x8000 regulatory domain
Luis R. Rodriguez [Mon, 20 Jul 2009 15:32:47 +0000 (08:32 -0700)] 
ath: add support for special 0x8000 regulatory domain

Two users of ar9170 devices have now reported their cards
have been programmed with a regulatory domain of 0x8000.
This is not a valid regulatory domain as such these users were
unable to use these devices. Since this doesn't seem to be
a device EEPROM corruption we must treat it specially. It
may have been possible the manufacturer intended to use 0x0
as the regulatory domain and that would ultimately yield
to US but since we cannot get confirmationf or this we
default this special case to one of our world regulatory
domains, specifically 0x64.

Reported-by: DavidFreeman on #linux-wireless
Reported-by: Joerg Albert <jal2@gmx.de>
Cc: Christian Lamparter <chunkeey@web.de>,
Cc: Stephen Chen <stephen.chen@atheros.com>
Cc: David Quan <david.quan@atheros.com>
Cc: Tony Yang <tony.yang@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agop54spi: fix potential null deref in p54spi.c
Dan Carpenter [Sun, 19 Jul 2009 19:26:13 +0000 (21:26 +0200)] 
p54spi: fix potential null deref in p54spi.c

Fix a potential NULL dereference bug during
error handling in p54spi_probe.

This bug was discovered by smatch:
(http://repo.or.cz/w/smatch.git).

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agoacer-wmi: fix rfkill conversion
Alan Jenkins [Sun, 19 Jul 2009 08:48:28 +0000 (09:48 +0100)] 
acer-wmi: fix rfkill conversion

Fix another polarity error introduced by the rfkill rewrite,
this time in acer_rfkill_set().

Signed-off-by: Alan Jenkins <alan-jenkins@tuffmail.co.uk>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agoconnector: maintainer/mail update.
Evgeniy Polyakov [Tue, 21 Jul 2009 19:43:51 +0000 (12:43 -0700)] 
connector: maintainer/mail update.

Signed-off-by: Evgeniy Polyakov <zbr@ioremap.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agoUSB host CDC Phonet network interface driver
Rémi Denis-Courmont [Tue, 21 Jul 2009 01:58:35 +0000 (01:58 +0000)] 
USB host CDC Phonet network interface driver

Many Nokia handsets support a Phonet interface to the cellular modem
via a vendor-specific USB interface. CDC Phonet follows the
Communications Device Class model, with one control interface, and
and a pair of inactive and active data alternative interface. The later
has two bulk endpoint, one per direction.

This was tested against Nokia E61, Nokia N95, and the existing Phonet
gadget function for the Linux composite USB gadget framework.

Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agomacsonic, jazzsonic: fix oops on module unload
Finn Thain [Tue, 21 Jul 2009 19:21:49 +0000 (12:21 -0700)] 
macsonic, jazzsonic: fix oops on module unload

Set the driver data before using it. Fixes an oops when doing rmmod.

Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agomacsonic: move probe function to .devinit.text
Uwe Kleine-König [Sat, 11 Jul 2009 20:52:48 +0000 (20:52 +0000)] 
macsonic: move probe function to .devinit.text

A pointer to mac_sonic_probe is passed to the core via
platform_driver_register and so the function must not disappear when the
.init sections are discarded.  Otherwise (if also having HOTPLUG=y)
unbinding and binding a device to the driver via sysfs will result in an
oops as does a device being registered late.

Various other functions that are called by mac_sonic_probe need to move
to .devinit.text, too.

An alternative to this patch is using platform_driver_probe instead of
platform_driver_register plus removing the pointer to the probe function
from the struct platform_driver.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Tested-by: Finn Thain <fthain@telegraphics.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agocfg80211: double free in __cfg80211_scan_done
Christian Lamparter [Sun, 19 Jul 2009 03:05:37 +0000 (05:05 +0200)] 
cfg80211: double free in __cfg80211_scan_done

This patch fixes a double free corruption in __cfg80211_scan_done:

 ================================================
 BUG kmalloc-512: Object already free
 ------------------------------------------------

 INFO: Allocated in load_elf_binary+0x18b/0x19af age=6
 INFO: Freed in load_elf_binary+0x104e/0x19af age=5
 INFO: Slab 0xffffea0001bae4c0 objects=14 used=7
 INFO: Object 0xffff88007e8a9918 @offset=6424 fp=0xffff88007e8a9488

 Bytes b4 0xffff88007e8a9908:  00 00 00 00 00 00 00 00 5a 5a
 [...]
 Pid: 28705, comm: rmmod Tainted: P         C 2.6.31-rc2-wl #1
 Call Trace:
  [<ffffffff810da9f4>] print_trailer+0x14e/0x16e
  [<ffffffff810daa56>] object_err+0x42/0x61
  [<ffffffff810dbcd9>] __slab_free+0x2af/0x396
  [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211]
  [<ffffffff810dd5e3>] kfree+0x13c/0x17a
  [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211]
  [<ffffffffa0ec9694>] wiphy_unregister+0x92/0x142 [cfg80211]
  [<ffffffffa0eed163>] ieee80211_unregister_hw+0xc8/0xff [mac80211]
  [<ffffffffa0f3fbc8>] p54_unregister_common+0x31/0x66 [p54common]
  [...]
 FIX kmalloc-512: Object at 0xffff88007e8a9918 not freed

The code path which leads to the *funny* double free:

       request = rdev->scan_req;
       dev = dev_get_by_index(&init_net, request->ifidx);
/*
 * the driver was unloaded recently and
 * therefore dev_get_by_index will return NULL!
 */
        if (!dev)
                goto out;
[...]
rdev->scan_req = NULL; /* not executed... */
[...]
 out:
        kfree(request);

Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agorfkill: remove too-strict __must_check
Alan Jenkins [Sat, 18 Jul 2009 18:20:20 +0000 (19:20 +0100)] 
rfkill: remove too-strict __must_check

Some drivers don't need the return value of rfkill_set_hw_state(),
so it should not be marked as __must_check.

Signed-off-by: Alan Jenkins <alan-jenkins@tuffmail.co.uk>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agoath9k: Tune ANI function processing on AP mode during ANI reset
Luis R. Rodriguez [Thu, 16 Jul 2009 17:17:35 +0000 (10:17 -0700)] 
ath9k: Tune ANI function processing on AP mode during ANI reset

For AP mode we must tune ANI specially for 2 GHz and
for 5 GHz. We mask in only the flags we want to toggle
on ath9k_hw_ani_control() through the ah->ani_function
bitmask, this will take care of ignoring changes during
ANI reset which we were disabling before.

Testedy-by: Steven Luo <steven@steven676.net>
Cc: Bennyam Malavazi <bennyam.malavazi@atheros.com>
Cc: Jouni Malinen <jouni.malinen@Atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agort2x00: Fix chipset detection for rt2500usb
Andy Whitcroft [Thu, 16 Jul 2009 15:28:11 +0000 (16:28 +0100)] 
rt2x00: Fix chipset detection for rt2500usb

The commit below changed the semantics of rt2x00_check_rev so that it no
longer checked the bottom 4 bits of the rev were non-zero.  During that
conversion this part of the check was not propogated to the rt2500usb
initialisation.

    commit 358623c22c9fd837b3b1b444377037f72553dc9f
    Author: Ivo van Doorn <ivdoorn@gmail.com>
    Date:   Tue May 5 19:46:08 2009 +0200

        rt2x00: Simplify rt2x00_check_rev

Without this check rt73 devices are miss recognised as rt2500 devices and
two drivers are loaded.  Preventing the device being used.  Reinstate this
check.

Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agonl80211: Memory leak fixed
Niko Jokinen [Wed, 15 Jul 2009 08:00:53 +0000 (11:00 +0300)] 
nl80211: Memory leak fixed

Potential memory leak via msg pointer in nl80211_get_key() function.

Signed-off-by: Niko Jokinen <ext-niko.k.jokinen@nokia.com>
Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agortl8187: Fix for kernel oops when unloading with LEDs enabled
Larry Finger [Tue, 14 Jul 2009 20:55:16 +0000 (15:55 -0500)] 
rtl8187: Fix for kernel oops when unloading with LEDs enabled

When rtl8187 is unloaded and CONFIG_RTL8187_LEDS is set, the kernel
may oops when the module is unloaded as the workqueue for led_on was
not being cancelled.

This patch fixes the problem reported in
http://marc.info/?l=linux-wireless&m=124742957615781&w=2.

Reported-by: Gábor Stefanik <netrolller.3d@gmail.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agoath5k: temporarily disable crypto for AP mode
Bob Copeland [Tue, 14 Jul 2009 01:57:39 +0000 (21:57 -0400)] 
ath5k: temporarily disable crypto for AP mode

Pavel Roskin reported some issues with using AP mode without
nohwcrypt=1.  Most likely this is similar to the problem fixed
some time ago in ath9k by 3f53dd64f192450cb331c0fecfc26ca952fb242f,
"ath9k: Fix hw crypto configuration for TKIP in AP mode."

That only affects TKIP but it's easiest to just disable that and
WEP too until we get a proper fix in.

Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agomac80211: use correct address for mesh Path Error
Javier Cardona [Tue, 14 Jul 2009 00:00:10 +0000 (17:00 -0700)] 
mac80211: use correct address for mesh Path Error

For forwarded frames, we save the precursor address in addr1 in case it
needs to be used to send a Path Error.  mesh_path_discard_frame,
however, was using addr2 instead of addr1 to send Path Error frames, so
correct that and also make the comment regarding this more clear.

Signed-off-by: Andrey Yurovsky <andrey@cozybit.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agomac80211_hwsim: fix use after free
Johannes Berg [Mon, 13 Jul 2009 11:25:58 +0000 (13:25 +0200)] 
mac80211_hwsim: fix use after free

Once the "data" pointer is freed, we can't be iterating
to the next item in the list any more so we need to use
list_for_each_entry_safe with a temporary variable.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agomac80211_hwsim: fix unregistration
Johannes Berg [Mon, 13 Jul 2009 11:04:30 +0000 (13:04 +0200)] 
mac80211_hwsim: fix unregistration

If you rmmod the module while associated, frames might
be transmitted during unregistration -- which will crash
if the hwsim%d interface is unregistered first, so only
do that after all the virtual wiphys are gone.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agorfkill: fix rfkill_set_states() to set the hw state
Alan Jenkins [Sun, 12 Jul 2009 16:03:13 +0000 (17:03 +0100)] 
rfkill: fix rfkill_set_states() to set the hw state

The point of this function is to set the software and hardware state at
the same time.  When I tried to use it, I found it was only setting the
software state.

Signed-off-by: Alan Jenkins <alan-jenkins@tuffmail.co.uk>
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agomac80211: fix injection in monitor mode
Pavel Roskin [Fri, 10 Jul 2009 20:42:29 +0000 (16:42 -0400)] 
mac80211: fix injection in monitor mode

The location of the 802.11 header is calculated incorrectly due to a
wrong placement of parentheses.  Found by kmemcheck.

Signed-off-by: Pavel Roskin <proski@gnu.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agorfkill: allow toggling soft state in sysfs again
Johannes Berg [Fri, 10 Jul 2009 19:41:39 +0000 (21:41 +0200)] 
rfkill: allow toggling soft state in sysfs again

Apparently there actually _are_ tools that try to set
this in sysfs even though it wasn't supposed to be used
this way without claiming first. Guess what: now that
I've cleaned it all up it doesn't matter and we can
simply allow setting the soft-block state in sysfs.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Tested-By: Darren Salt <linux@youmustbejoking.demon.co.uk>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agomac80211: disable mesh
Johannes Berg [Fri, 10 Jul 2009 09:38:14 +0000 (11:38 +0200)] 
mac80211: disable mesh

My kvm instance was complaining a lot about sleeping
in atomic contexts in the mesh code, and it turns out
that both mesh_path_add() and mpp_path_add() need to
be able to sleep (they even use synchronize_rcu()!).
I put in a might_sleep() to annotate that, but I see
no way, at least right now, of actually making sure
those functions are only called from process context
since they are both called during TX and RX and the
mesh code itself even calls them with rcu_read_lock()
"held".

Therefore, let's disable it completely for now.

It's possible that I'm only seeing this because the
hwsim's beaconing is broken and thus the peers aren't
discovered right away, but it is possible that this
happens even if beaconing is working, for a peer that
doesn't exist or so.

It should be possible to solve this by deferring the
freeing of the tables to call_rcu() instead of using
synchronize_rcu(), and also using atomic allocations,
but maybe it makes more sense to rework the code to
not call these from atomic contexts and defer more of
the work to the workqueue. Right now, I can't work on
either of those solutions though.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agoiwlwifi: only update byte count table during aggregation
Reinette Chatre [Thu, 9 Jul 2009 17:33:39 +0000 (10:33 -0700)] 
iwlwifi: only update byte count table during aggregation

The byte count table is only used for aggregation. Updating it
in other cases caused fragmented frames to be dropped.

This fixes http://www.intellinuxwireless.org/bugzilla/show_bug.cgi?id=2004

Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agoiwlwifi: only show active power level via sysfs
Reinette Chatre [Thu, 9 Jul 2009 17:33:37 +0000 (10:33 -0700)] 
iwlwifi: only show active power level via sysfs

This changes the power_level file to adhere to the "one value
per file" sysfs rule. The user will know which power level was
requested as it will be the number just written to this file. It
is thus not necessary to create a new sysfs file for this value.

In addition it fixes a problem where powertop's parsing expects
this value to be the first value in this file without any descriptions.

Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agoiwmc3200wifi: fix NULL pointer dereference in iwm_if_free
Zhu Yi [Thu, 9 Jul 2009 09:24:15 +0000 (17:24 +0800)] 
iwmc3200wifi: fix NULL pointer dereference in iwm_if_free

The driver private data is now based on wiphy. So we should not
touch the private data after wiphy_free() is called. The patch
fixes the potential NULL pointer dereference by making the
iwm_wdev_free() the last one on the interface removal path.

Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
15 years agocan: switch carrier on if device was stopped while in bus-off state
Wolfgang Grandegger [Mon, 20 Jul 2009 04:06:41 +0000 (04:06 +0000)] 
can: switch carrier on if device was stopped while in bus-off state

This patch fixes a problem when a device is stopped while in the
bus-off state. Then the carrier remains off forever.

Signed-off-by: Kurt Van Dijck <kurt.van.dijck@skynet.be>
Signed-off-by: Wolfgang Grandegger <wg@grandegger.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agocan: restart device even if dev_alloc_skb() fails
Wolfgang Grandegger [Mon, 20 Jul 2009 04:06:40 +0000 (04:06 +0000)] 
can: restart device even if dev_alloc_skb() fails

If dev_alloc_skb() failed in can_restart(), the device was left behind
in the bus-off state. This patch restarts the device nevertheless.

Signed-off-by: Kurt Van Dijck <kurt.van.dijck@eia.be>
Signed-off-by: Wolfgang Grandegger <wg@grandegger.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agocan: sja1000: remove duplicated includes
Wolfgang Grandegger [Mon, 20 Jul 2009 04:06:39 +0000 (04:06 +0000)] 
can: sja1000: remove duplicated includes

Remove duplicated #include('s) in
  drivers/net/can/sja1000/sja1000.c

Signed-off-by: Huang Weiyi <weiyi.huang@gmail.com>
Signed-off-by: Wolfgang Grandegger <wg@grandegger.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agoNew device ID for sc92031 [1088:2031]
Cesar Eduardo Barros [Sun, 19 Jul 2009 08:03:32 +0000 (08:03 +0000)] 
New device ID for sc92031 [1088:2031]

rain_maker@root-forum.org wrote:
> Hello cesar,
>
> In a recent thread in a german linux forum, a user reported his PIC
> NIC not being recognized by the kernel.
>
> Fortunately he provided enough information and I was able to help him
> and get the device working with the sc92031 driver.
>
> The device ID is [1088:2031] (Vendor is called "Microcomputer Systems
> (M) Son"), here is the respective thread in "ubuntuusers.de"
>
> http://forum.ubuntuusers.de/topic/lankarte-unter-xubuntu-wird-nicht-erkannt/
>
> (Although you might not speak german, the code provided will show
> you, that the device is actually working with your driver).
>
> It would be nice, if you include this new device ID to the
> sc92031-driver.
>
> Regards,
>
> Axel Köllhofer (aka Rain_Maker)

Cc: rain_maker@root-forum.org
Signed-off-by: Cesar Eduardo Barros <cesarb@cesarb.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years ago3c589_cs: re-initialize the multicast in the tc589_reset
Ken Kawasaki [Sun, 19 Jul 2009 13:08:12 +0000 (13:08 +0000)] 
3c589_cs: re-initialize the multicast in the tc589_reset

3c589_cs:
re-initialize the multicast in the tc589_reset,
and spin_lock the set_multicast_list function.

Signed-off-by: Ken Kawasaki <ken_kawasaki@spring.nifty.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>