| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
In cfg80211_inform_bss_frame() wiphy is first dereferenced on privsz
initialisation and then it is checked for NULL. This patch fixes that.
Signed-off-by: Mariusz Kozlowski <mk@lab.zgora.pl>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
This patch moves 'key' dereference after BUG_ON(!key) so that when key is NULL
we will see proper trace instead of oops.
Signed-off-by: Mariusz Kozlowski <mk@lab.zgora.pl>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
The ieee80211_key struct can be kfree()d several times in the function, for
example if some of the key setup functions fails beforehand, but there's no
check if the struct is still valid before we call memcpy() and INIT_LIST_HEAD()
on it. In some cases (like it was in my case), if there's missing aes-generic
module it could lead to the following kernel OOPS:
Unable to handle kernel NULL pointer dereference at virtual address 0000018c
....
PC is at memcpy+0x80/0x29c
...
Backtrace:
[<bf11c5e4>] (ieee80211_key_alloc+0x0/0x234 [mac80211]) from [<bf1148b4>] (ieee80211_add_key+0x70/0x12c [mac80211])
[<bf114844>] (ieee80211_add_key+0x0/0x12c [mac80211]) from [<bf070cc0>] (__cfg80211_set_encryption+0x2a8/0x464 [cfg80211])
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
When the chip is still asleep when ath9k_start is called,
ath9k_hw_configpcipowersave can trigger a data bus error.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
When a client connects in HT mode but does not provide any valid MCS
rates, the function that finds the next sample rate gets stuck in an
infinite loop.
Fix this by falling back to legacy rates if no usable MCS rates are found.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
After we made debugobjects working again, we got the following:
WARNING: at lib/debugobjects.c:262 debug_print_object+0x8e/0xb0()
Hardware name: System Product Name
ODEBUG: free active (active state 0) object type: timer_list hint: hci_cmd_timer+0x0/0x60
Pid: 2125, comm: dmsetup Tainted: G W 2.6.38-06707-gc62b389 #110375
Call Trace:
[<ffffffff8104700a>] warn_slowpath_common+0x7a/0xb0
[<ffffffff810470b6>] warn_slowpath_fmt+0x46/0x50
[<ffffffff812d3a5e>] debug_print_object+0x8e/0xb0
[<ffffffff81bd8810>] ? hci_cmd_timer+0x0/0x60
[<ffffffff812d4685>] debug_check_no_obj_freed+0x125/0x230
[<ffffffff810f1063>] ? check_object+0xb3/0x2b0
[<ffffffff810f3630>] kfree+0x150/0x190
[<ffffffff81be4d06>] ? bt_host_release+0x16/0x20
[<ffffffff81be4d06>] bt_host_release+0x16/0x20
[<ffffffff813a1907>] device_release+0x27/0xa0
[<ffffffff812c519c>] kobject_release+0x4c/0xa0
[<ffffffff812c5150>] ? kobject_release+0x0/0xa0
[<ffffffff812c61f6>] kref_put+0x36/0x70
[<ffffffff812c4d37>] kobject_put+0x27/0x60
[<ffffffff813a21f7>] put_device+0x17/0x20
[<ffffffff81bda4f9>] hci_free_dev+0x29/0x30
[<ffffffff81928be6>] vhci_release+0x36/0x70
[<ffffffff810fb366>] fput+0xd6/0x1f0
[<ffffffff810f8fe6>] filp_close+0x66/0x90
[<ffffffff810f90a9>] sys_close+0x99/0xf0
[<ffffffff81d4c96b>] system_call_fastpath+0x16/0x1b
That timer was introduced with commit 6bd32326cda(Bluetooth: Use
proper timer for hci command timout)
Timer seems to be running when the thing is closed. Removing the timer
unconditionally fixes the problem. And yes, it needs to be fixed
before the HCI_UP check.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
|
|
Sometimes L2CAP connection remains hanging. Make sure that
L2CAP channel is deleted.
Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@nokia.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
|
|
The code was correctly calling _unlock at the end of the function but
there was no actual _lock call anywhere.
Signed-off-by: Johan Hedberg <johan.hedberg@nokia.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
|
|
Now that we have support for LE connections, before discarding a
frame we must check if there's a LE connection over that transport.
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@openbossa.org>
Acked-by: Ville Tervo <ville.tervo@nokia.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
|
|
We can't send new commands before a cmd_complete for the HCI_RESET command
shows up.
Reported-by: Mikko Vinni <mmvinni@yahoo.com>
Reported-by: Justin P. Mattock <justinmattock@gmail.com>
Reported-by: Ed Tomlinson <edt@aei.ca>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Tested-by: Justin P. Mattock <justinmattock@gmail.com>
Tested-by: Mikko Vinni <mmvinni@yahoo.com>
Tested-by: Ed Tomlinson <edt@aei.ca>
|
|
This patch lets 'l2cap_pinfo.unacked_frames' be incremented only
the first time a frame is transmitted.
Previously it was being incremented for retransmitted packets
too resulting the value to cross the transmit window size.
Signed-off-by: Suraj Sumangala <suraj@atheros.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
|
|
Just adding the vendor details makes it work fine.
Signed-off-by: Marc-Antoine Perennou <Marc-Antoine@Perennou.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
|
|
commit 86271e460a66003dc1f4cbfd845adafb790b7587 introduced a
regression that caused mac80211 queues in stopped state.
ath_drain_all_txq is called in driver flush which would reset
the stopped flag and the mac80211 queues were never started
after that. iperf traffic is completely stalled due to this issue.
Restart the mac80211 queues in driver flush only if the txqs were
drained.
Signed-off-by: Senthil Balasubramanian <senthilkumar@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
With the recent tx status optimization in mac80211, we bail out as
and and when invalid rate index is found. So the behavior of resetting
rate idx to -1 and count to 0 has changed for the rate indexes that
were not part of the driver's retry series.
This has resulted in ath9k using incorrect rate table index which
caused the system to panic. Ideally ath9k need to loop only for the
indexes that were part of the retry series and so simply use hw->max_rates
as the loop counter.
Pasted the stack trace of the panic issue for reference.
[ 754.093192] BUG: unable to handle kernel paging request at ffff88046a9025b0
[ 754.093256] IP: [<ffffffffa02eac49>] ath_tx_status+0x209/0x2f0 [ath9k]
[ 754.094888] Call Trace:
[ 754.094903] <IRQ>
[ 754.094928] [<ffffffffa051f883>] ieee80211_tx_status+0x203/0x9e0 [mac80211]
[ 754.094975] [<ffffffffa053e305>] ? __ieee80211_wake_queue+0x125/0x140 [mac80211]
[ 754.095017] [<ffffffffa02e66c9>] ath_tx_complete_buf+0x1b9/0x370 [ath9k]
[ 754.095054] [<ffffffffa02e6fcf>] ath_tx_complete_aggr+0x51f/0xb50 [ath9k]
[ 754.095098] [<ffffffffa05382a3>] ? ieee80211_prepare_and_rx_handle+0x173/0xab0 [mac80211]
[ 754.095148] [<ffffffff81350e62>] ? _raw_spin_unlock_irqrestore+0x32/0x40
[ 754.095186] [<ffffffffa02e9735>] ath_tx_tasklet+0x365/0x4b0 [ath9k]
[ 754.095224] [<ffffffff8107a2a2>] ? clockevents_program_event+0x62/0xa0
[ 754.095261] [<ffffffffa02e2628>] ath9k_tasklet+0x168/0x1c0 [ath9k]
[ 754.095298] [<ffffffff8105599b>] tasklet_action+0x6b/0xe0
[ 754.095331] [<ffffffff81056278>] __do_softirq+0x98/0x120
[ 754.095361] [<ffffffff8100cd5c>] call_softirq+0x1c/0x30
[ 754.095393] [<ffffffff8100efb5>] do_softirq+0x65/0xa0
[ 754.095423] [<ffffffff810563fd>] irq_exit+0x8d/0x90
[ 754.095453] [<ffffffff8100ebc1>] do_IRQ+0x61/0xe0
[ 754.095482] [<ffffffff81351413>] ret_from_intr+0x0/0x15
[ 754.095513] <EOI>
[ 754.095531] [<ffffffff81014375>] ? native_sched_clock+0x15/0x70
[ 754.096475] [<ffffffffa02bcfa6>] ? acpi_idle_enter_bm+0x24d/0x285 [processor]
[ 754.096475] [<ffffffffa02bcf9f>] ? acpi_idle_enter_bm+0x246/0x285 [processor]
[ 754.096475] [<ffffffff8127fab2>] cpuidle_idle_call+0x82/0x100
[ 754.096475] [<ffffffff8100a236>] cpu_idle+0xa6/0xf0
[ 754.096475] [<ffffffff81339bc1>] rest_init+0x91/0xa0
[ 754.096475] [<ffffffff814efccd>] start_kernel+0x3fd/0x408
[ 754.096475] [<ffffffff814ef347>] x86_64_start_reservations+0x132/0x136
[ 754.096475] [<ffffffff814ef451>] x86_64_start_kernel+0x106/0x115
[ 754.096475] RIP [<ffffffffa02eac49>] ath_tx_status+0x209/0x2f0 [ath9k]
Signed-off-by: Senthil Balasubramanian <senthilkumar@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
On hardware busy the scan request pointer should be cleared, as higher
levels will release. This avoids a crash when that pointer is
erroneously used later.
Signed-off-by: Joseph J. Gunn <armadefuego@yahoo.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
Clearly a mistake, since pointers won't suddenly
change their value...
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
This field is used to determine the inactivity time. When in AP mode,
hostapd uses it for kicking out inactive clients after a while. Without this
patch, hostapd immediately deauthenticates a new client if it checks the
inactivity time before the client sends its first data frame.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Cc: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
Kernel panic occurs just after AR2427 establishes connection with AP.
Unless aggregation is enabled we don't initialize the TID structure.
Thus accesing the elements of the TID structure when aggregation is
disabled, leads to NULL pointer dereferencing.
[ 191.320358] Call Trace:
[ 191.320364] [<fd250ea7>] ? ath9k_tx+0xa7/0x200 [ath9k]
[ 191.320376] [<fd1ec7fc>] ? __ieee80211_tx+0x5c/0x1e0 [mac80211]
[ 191.320386] [<fd1edd2b>] ? ieee80211_tx+0x7b/0x90 [mac80211]
[ 191.320395] [<fd1edddd>] ? ieee80211_xmit+0x9d/0x1d0 [mac80211]
[ 191.320401] [<c014218f>] ? wake_up_state+0xf/0x20
[ 191.320405] [<c015dbc8>] ? signal_wake_up+0x28/0x40
[ 191.320410] [<c012a578>] ? default_spin_lock_flags+0x8/0x10
[ 191.320420] [<fd1ee308>] ? ieee80211_subif_start_xmit+0x2e8/0x7c0
[mac80211]
[ 191.320425] [<c058f905>] ? do_page_fault+0x295/0x3a0
[ 191.320431] [<c04c4a3d>] ? dev_hard_start_xmit+0x1ad/0x210
[ 191.320436] [<c04d96b5>] ? sch_direct_xmit+0x105/0x170
[ 191.320445] [<fd1f161a>] ? get_sta_flags+0x2a/0x40 [mac80211]
[ 191.320449] [<c04c780f>] ? dev_queue_xmit+0x37f/0x4b0
[ 191.320452] [<c04d75b0>] ? eth_header+0x0/0xb0
[ 191.320456] [<c04cc479>] ? neigh_resolve_output+0xe9/0x310
[ 191.320461] [<c053d295>] ? ip6_output_finish+0xa5/0x110
[ 191.320464] [<c053e354>] ? ip6_output2+0x134/0x250
[ 191.320468] [<c053f7dd>] ? ip6_output+0x6d/0x100
[ 191.320471] [<c0559665>] ? mld_sendpack+0x395/0x3e0
[ 191.320475] [<c0557f81>] ? add_grhead+0x31/0xa0
[ 191.320478] [<c055a83c>] ? mld_send_cr+0x1bc/0x2b0
[ 191.320482] [<c01535d9>] ? irq_exit+0x39/0x70
[ 191.320485] [<c055a940>] ? mld_ifc_timer_expire+0x10/0x40
[ 191.320489] [<c015b92e>] ? run_timer_softirq+0x13e/0x2c0
[ 191.320493] [<c0103a30>] ? common_interrupt+0x30/0x40
[ 191.320498] [<c055a930>] ? mld_ifc_timer_expire+0x0/0x40
[ 191.320502] [<c0153358>] ? __do_softirq+0x98/0x1b0
[ 191.320506] [<c01534b5>] ? do_softirq+0x45/0x50
[ 191.320509] [<c0153605>] ? irq_exit+0x65/0x70
[ 191.320513] [<c05917dc>] ? smp_apic_timer_interrupt+0x5c/0x8b
[ 191.320516] [<c0103df1>] ? apic_timer_interrupt+0x31/0x40
[ 191.320521] [<c016007b>] ? k_getrusage+0x12b/0x2f0
[ 191.320525] [<c039e384>] ? acpi_idle_enter_simple+0x117/0x148
[ 191.320529] [<c04a20da>] ? cpuidle_idle_call+0x7a/0x100
[ 191.320532] [<c01021d4>] ? cpu_idle+0x94/0xd0
[ 191.320536] [<c057ab88>] ? rest_init+0x58/0x60
[ 191.320541] [<c07a58ec>] ? start_kernel+0x351/0x357
[ 191.320544] [<c07a53c7>] ? unknown_bootoption+0x0/0x19e
[ 191.320548] [<c07a50aa>] ? i386_start_kernel+0xaa/0xb1
[ 191.320550] Code: 03 66 3d 00 03 0f 84 7c 02 00 00 83 c3 18 0f b6 03
8b 4d e0 89 c3 83 e3 0f 6b c3 48 89 5d d8 8d 04 06 8d 50 0c 89 55 d0 8b
40 20 <8b> 00 3b 01 0f 85 8e 02 00 00 f6 47 20 40 0f 84 29 ff ff ff 8b
[ 191.320634] EIP: [<fd2586d4>] ath_tx_start+0x474/0x770 [ath9k] SS:ESP
0068:c0761a90
[ 191.320642] CR2: 0000000000000000
[ 191.320647] ---[ end trace 9296ef23b9076ece ]---
[ 191.320650] Kernel panic - not syncing: Fatal exception in interrupt
Cc: stable@kernel.org
Signed-off-by: Mohammed Shafi Shajakhan <mshajakhan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
Fix many of each of these warnings:
Warning(include/net/cfg80211.h:519): No description found for parameter 'rxrate'
Warning(include/net/mac80211.h:1163): bad line:
Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Cc: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
These were found using the following semantic match:
// <smpl>
@@expression E1; type T;@@
* memset(E1, ... * sizeof(T) * ..., ...);
// </smpl>
Also take this opportunity to remove the unnecessary void* casts.
Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
Tested-by: Larry Finger <Larry.Finger@lwfinger.net>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
Add unknown Toshiba device, mentioned in rt3572sta sources, under
CONFIG_RT2800USB_UNKNOWN
Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
Add 2L Central Europe BV 8070 under CONFIG_RT2800USB_UNKNOWN
Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
Add Planex Communications, Inc. RT8070 under CONFIG_RT2800USB_UNKNOWN
Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
Add ID for Asus USB-N11 Wi-FI adapter. Tested by me.
Signed-off-by: Peter Lemenkov <lemenkov@gmail.com>
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
Removing an entry from the scan_list should be performed while holding
the lock.
Signed-off-by: Joseph J. Gunn <armadefuego@yahoo.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
We should unlock here instead of returning -EINVAL directly.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
Signed-off-by: Tõnu Samuel <tonu@jes.ee>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6
|
|
'buffer' string is copied from userspace. It is not checked whether it is
zero terminated. This may lead to overflow inside of simple_strtoul().
Changli Gao suggested to copy not more than user supplied 'size' bytes.
It was introduced before the git epoch. Files "ipt_CLUSTERIP/*" are
root writable only by default, however, on some setups permissions might be
relaxed to e.g. network admin user.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Acked-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
commit f3c5c1bfd4308 (make ip_tables reentrant) introduced a race in
handling the stackptr restore, at the end of ipt_do_table()
We should do it before the call to xt_info_rdunlock_bh(), or we allow
cpu preemption and another cpu overwrites stackptr of original one.
A second fix is to change the underflow test to check the origptr value
instead of 0 to detect underflow, or else we allow a jump from different
hooks.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
The revision of the set type was not checked at the create command: if the
userspace sent a valid set type but with not supported revision number,
it'd create a loop.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
The hash:*port* types with IPv4 silently ignored when address ranges
with non TCP/UDP were added/deleted from the set and used the first
address from the range only.
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
|
|
When the OF device driver bits were converted over to the platform
device infrastructure in commit 74888760d40b3ac9054f9c5fa07b566c0676ba2d
("dt/net: Eliminate users of of_platform_{,un}register_driver") we
inadvertantly created probing problems in the OF case.
The NIU driver creates a dummy platform device to represent the
board that contains one or more child NIU devices. Unfortunately
we use the same name, "niu", as the OF device driver itself uses.
The result is that we try to probe the dummy "niu" parent device we
create, and since it has a NULL ofdevice pointer etc. everything
explodes:
[783019.128243] niu: niu.c:v1.1 (Apr 22, 2010)
[783019.128810] Unable to handle kernel NULL pointer dereference
[783019.128949] tsk->{mm,active_mm}->context = 000000000000039e
[783019.129078] tsk->{mm,active_mm}->pgd = fffff803afc5a000
[783019.129206] \|/ ____ \|/
[783019.129213] "@'/ .. \`@"
[783019.129220] /_| \__/ |_\
[783019.129226] \__U_/
[783019.129378] modprobe(2004): Oops [#1]
[783019.129423] TSTATE: 0000000011001602 TPC: 0000000010052ff8 TNPC: 000000000061bbb4 Y: 00000000 Not tainted
[783019.129542] TPC: <niu_of_probe+0x3c/0x2dc [niu]>
[783019.129624] g0: 8080000000000000 g1: 0000000000000000 g2: 0000000010056000 g3: 0000000000000002
[783019.129733] g4: fffff803fc1da0c0 g5: fffff800441e2000 g6: fffff803fba84000 g7: 0000000000000000
[783019.129842] o0: fffff803fe7df010 o1: 0000000010055700 o2: 0000000000000000 o3: fffff803fbacaca0
[783019.129951] o4: 0000000000000080 o5: 0000000000777908 sp: fffff803fba866e1 ret_pc: 0000000010052ff4
[783019.130083] RPC: <niu_of_probe+0x38/0x2dc [niu]>
[783019.130165] l0: fffff803fe7df010 l1: fffff803fbacafc0 l2: fffff803fbacaca0 l3: ffffffffffffffed
[783019.130273] l4: 0000000000000000 l5: 000000007fffffff l6: fffff803fba86f40 l7: 0000000000000001
[783019.130382] i0: fffff803fe7df000 i1: fffff803fc20aba0 i2: 0000000000000000 i3: 0000000000000001
[783019.130490] i4: 0000000000000000 i5: 0000000000000000 i6: fffff803fba867a1 i7: 000000000062038c
[783019.130614] I7: <platform_drv_probe+0xc/0x20>
Fix by simply renaming the parent device to "niu-board".
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
commit 54405cde7624 (r8169: support control of advertising.)
introduced a bug in rtl8169_init_phy()
Reported-by: Piotr Hosowicz <piotr@hosowicz.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Oliver Neukum <oliver@neukum.org>
Cc: Francois Romieu <romieu@fr.zoreil.com>
Tested-by: Anca Emanuel <anca.emanuel@gmail.com>
Tested-by: Piotr Hosowicz <piotr@hosowicz.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Signed-off-by: Nicolas de Pesloüan <nicolas.2p.debian@free.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
The calculation is off-by-one. It should be "end - start + 1". This
patch fixes it to use resource_size() instead. Oddly, the code already
uses resource size correctly a couple lines earlier when it calls
request_mem_region() for this memory.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Now that we finally have __aligned_xx exported to userspace, convert
the headers that get exported over to the proper type.
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Whenever we enter the IP stack proper from bridge netfilter we
need to ensure that the skb is in a form the IP stack expects
it to be in.
The entry point on NF_FORWARD did not meet the requirements of
the IP stack, therefore leading to potential crashes/panics.
This patch fixes the problem.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
Commit c95b819ad7 (gre: Use needed_headroom)
made gre use needed_headroom instead of hard_header_len
This uncover a bug in vlan code.
We should make sure vlan devices take into account their
real_dev->needed_headroom or we risk a crash in ipgre_header(), because
we dont have enough room to push IP header in skb.
Reported-by: Diddi Oscarsson <diddi@diddi.se>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
This structure was accidentally defined such that its layout can
differ between 32-bit and 64-bit processes. Add compat structure
definitions and an ioctl wrapper function.
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Acked-by: Alexander Duyck <alexander.h.duyck@intel.com>
Cc: stable@kernel.org [2.6.30+]
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
__ethtool_set_sg does not check if dev->ethtool_ops->set_sg is defined
which can result in a NULL pointer dereference when ethtool is used to
change SG settings for drivers without SG support.
Signed-off-by: Roger Luethi <rl@hellgate.ch>
Reviewed-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on
x86_64. These bytes are not initialized in the variable 'ah' before
sending 'ah' to the network. This leads to 4 bytes kernel stack
infoleak.
This bug was introduced before the git epoch.
Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Acked-by: Phil Blundell <philb@gnu.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
As specified by errata eTSEC49 of MPC8548 and errata eTSEC12 of MPC83xx,
older revisions of gianfar controllers will be unable to calculate a TCP/UDP
packet checksum for some alignments of the appropriate FCB. This patch checks
for FCB alignment on such controllers and falls back to software checksumming
if the alignment is known to be bad.
Signed-off-by: Alex Dubov <oakad@yahoo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/jbarnes/pci-2.6
* 'linux-next' of git://git.kernel.org/pub/scm/linux/kernel/git/jbarnes/pci-2.6:
PCI: label: remove #include of ACPI header to avoid warnings
PCI: label: Fix compilation error when CONFIG_ACPI is unset
PCI: pre-allocate additional resources to devices only after successful allocation of essential resources.
PCI: introduce reset_resource()
PCI: data structure agnostic free list function
PCI: refactor io size calculation code
PCI: do not create quirk I/O regions below PCIBIOS_MIN_IO for ICH
PCI hotplug: acpiphp: set current_state to D0 in register_slot
PCI: Export ACPI _DSM provided firmware instance number and string name to sysfs
PCI: add more checking to ICH region quirks
PCI: aer-inject: Override PCIe AER Mask Registers
PCI: fix tlan build when CONFIG_PCI is not enabled
PCI: remove quirk for pre-production systems
PCI: Avoid potential NULL pointer dereference in pci_scan_bridge
PCI/lpc: irq and pci_ids patch for Intel DH89xxCC DeviceIDs
PCI: sysfs: Fix failure path for addition of "vpd" attribute
|
|
* 'spi/next' of git://git.secretlab.ca/git/linux-2.6: (34 commits)
spi/dw_spi: move dw_spi.h into drivers/spi
spi/dw_spi: Fix missing header
gpio/langwell: Clear edge bit before handling
gpio/langwell: Simplify demux loop
gpio/langwell: Convert irq name space
gpio/langwell: Fix broken irq_eoi change.
gpio; Make Intel chipset gpio drivers depend on x86
gpio/cs5535-gpio: Fix section mismatch
spi/rtc-{ds1390,ds3234,m41t94}: Use spi_get_drvdata() for SPI devices
spi/davinci: Support DMA transfers larger than 65535 words
spi/davinci: Use correct length parameter to dma_map_single calls
gpio: Use __devexit at necessary places
gpio: add MODULE_DEVICE_TABLE to pch_gpio and ml_ioh_gpio
gpio/mcp23s08: support mcp23s17 variant
of_mmc_spi: add card detect irq support
spi/omap_mcspi: catch xfers of non-multiple SPI word size
spi/omap_mcspi: Off-by-one error in finding the right divisor
gpio/pca953x: Fix wrong pointer type
spi/pl022: rid dangling labels
spi: add support for SuperH SPI
...
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/teigland/dlm
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/teigland/dlm:
dlm: use alloc_workqueue function
dlm: increase default hash table sizes
dlm: record full callback state
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:
fs: call security_d_instantiate in d_obtain_alias V2
lose 'mounting_here' argument in ->d_manage()
don't pass 'mounting_here' flag to follow_down()
change the locking order for namespace_sem
fix deadlock in pivot_root()
vfs: split off vfsmount-related parts of vfs_kern_mount()
Some fixes for pstore
kill simple_set_mnt()
|
|
git://git.kernel.org/pub/scm/linux/kernel/git/bcopeland/omfs
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/bcopeland/omfs:
omfs: make readdir stop when filldir says so
omfs: merge unlink() and rmdir(), close leak in rename()
omfs: stop playing silly buggers with omfs_unlink() in ->rename()
omfs: rename() needs to mark old_inode dirty after ctime update
|
|
* 'linux-next' of git://git.infradead.org/ubifs-2.6: (25 commits)
UBIFS: clean-up commentaries
UBIFS: save 128KiB or more RAM
UBIFS: allocate orphans scan buffer on demand
UBIFS: allocate lpt dump buffer on demand
UBIFS: allocate ltab checking buffer on demand
UBIFS: allocate scanning buffer on demand
UBIFS: allocate dump buffer on demand
UBIFS: do not check data crc by default
UBIFS: simplify UBIFS Kconfig menu
UBIFS: print max. index node size
UBIFS: handle allocation failures in UBIFS write path
UBIFS: use max_write_size during recovery
UBIFS: use max_write_size for write-buffers
UBIFS: introduce write-buffer size field
UBI: incorporate LEB offset information
UBIFS: incorporate maximum write size
UBI: provide LEB offset information
UBI: incorporate maximum write size
UBIFS: fix LEB number in printk
UBIFS: restrict world-writable debugfs files
...
|
