Commit graph

95761 commits

Author SHA1 Message Date
Johannes Berg
dbabad0c9c zd1211rw: fix potential use-after-free bug
zd_mac_tx_to_dev() could potentially free the skb, or hand it off
to mac80211 which might free it. Hence, this code needs to get the
usb pointer out of skb->cb before handing it off to that function.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2008-05-12 21:22:19 -04:00
Pavel Emelyanov
6d6936e2ea Fix potential scheduling while atomic in mesh_path_add.
Calling synchronize_rcu() under write-lock-ed pathtbl_resize_lock may
result in this warning (and other side effects).

It looks safe just dropping this lock before calling synchronize_rcu.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2008-05-12 21:22:19 -04:00
Pavel Emelyanov
0eb03d5a14 Fix not checked kmalloc() result.
The new_node kmallocation is not checked for success, so add
this check.

BTW, it also happens under the read_lock.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2008-05-12 21:22:19 -04:00
Pavel Emelyanov
f84e71a94c Fix GFP_KERNEL allocation under read lock.
The mesh_path_add() read-locks the pathtbl_resize_lock and calls
kmalloc with GFP_KERNEL mask.

Fix it and move the endadd2 label lower. It should be _before_ the
if() beyond, but it makes no sense for it being there, so I move it
right after this if().

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2008-05-12 21:22:18 -04:00
Patrick McHardy
812714d741 mac80211: mesh hwmp: fix kfree(skb)
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2008-05-12 21:22:18 -04:00
Luis Carlos Cobo
69687a0b99 mac80211: fix access to null skb
Without this patch, if xmit_skb is null but net_ratelimit() returns 0 we would
go to the else branch and access the null xmit_skb. Pointed out by Johannes
Berg.

Signed-off-by: Luis Carlos Cobo <luisca@cozybit.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2008-05-12 21:22:18 -04:00
Luis Carlos Cobo
ef26925477 mac80211: fix incorrect mesh header length
This should have been updated at the same time we were transitioning from 3 byte
to 4 byte mesh sequence number. Pointed out by Johannes Berg.

Signed-off-by: Luis Carlos Cobo <luisca@cozybit.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2008-05-12 21:22:18 -04:00
Ivo van Doorn
df44205455 mac80211: Don't encrypt beacons
mac80211 should set the IEEE80211_TX_CTL_DO_NOT_ENCRYPT flag in tx_control
structure to inform drivers not to encrypt the beacon. Drivers that only check
for that flag before accessing the hw_key field, will otherwise cause a NULL
pointer dereference since that field is not configured for beacons.

Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2008-05-12 21:22:18 -04:00
Ivo van Doorn
b30cdfc517 rt2x00: Clean up error handling of PCI queue DMA allocation.
When, for some reason, the rt2x00pci module fails to allocate DMA memory for
the queues, it tries to undo the complete initialization of the PCI device,
including freeing of the irq. This results in the following error in dmesg, as
the irq hadn't been requested yet:

[  78.123456] Trying to free already-free IRQ 17

Fix this by implementing proper error handling code, instead of just using the
full uninitialization function.

Signed-off-by: Gertjan van Wingerde <gwingerde@kpnplanet.nl>
Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2008-05-12 21:22:18 -04:00
Ivo van Doorn
ed499983b8 rt2x00: Fix broken recover-on-error path
During initialization the initialize() callback function
in rt2x00pci and rt2x00usb will cleanup the mess they made.

rt2x00lib shouldn't call uninitialize because the callback function already
cleaned up _and_ the DEVICE_INITIALIZED isn't set which causes the
rt2x00lib_uninitialize() to halt directly anyway. All that is required
to be cleaned up by rt2x00lib is the queue, and that can be done by
calling rt2x00queue_uninitialize() directly.

Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2008-05-12 21:22:17 -04:00
Ivo van Doorn
7872089745 rt2x00: Don't use pskb_expand_head()
rt2x00pci allocates DMA for descriptor and data,
rt61pci doesn't use this for the beacon, but it can
use the descriptor part as temporary buffer instead
of using pskb_expand_head().
Using this temporary buffer is obviously much better
then reallocating the skb buffer...

At the same time we can set the data length for the
beacon queue at 0, to make sure no DMA is allocated for
data (but just for the descriptor).

Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2008-05-12 21:22:17 -04:00
Zhu Yi
6243065d30 iwlwifi: fix compile error when CONFIG_MAC80211_DEBUGFS is not selected
Make iwl4965_lq_sta->drv available even without CONFIG_MAC80211_DEBUGFS.

Signed-off-by: Yi Zhu <yi.zhu@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2008-05-12 21:19:43 -04:00
Johannes Berg
78520cad4b mac80211: fix debugfs default key oops
Under certain circumstances (in AP mode) the debugfs function
that is supposed to add the default key symlink can encounter
a NULL default_key pointer. This patch makes it handle that
situtation gracefully.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2008-05-12 21:18:05 -04:00
John W. Linville
d5251aea15 wavelan: avoid index past end of array if DEBUG_SHOW_UNUSED is defined
Reported by Daniel Marjamäki <danielm77@spray.se> here:

	http://bugzilla.kernel.org/show_bug.cgi?id=10588

Signed-off-by: John W. Linville <linville@tuxdriver.com>
2008-05-12 21:18:05 -04:00
Steven Rostedt
bb55bdd512 fix irq flags in mac80211 code
A file in the net/mac80211 directory uses "int" for flags.  This can cause
hard to find bugs on some architectures.  This patch converts the flags to use
"long" instead.

This bug was discovered by doing an allyesconfig make on the -rt kernel where
checks are done to ensure all flags are of size sizeof(long).

Signed-off-by: Steven Rostedt <srostedt@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2008-05-12 21:18:04 -04:00
Luis R. Rodriguez
85b442e378 prism54: fix regression with missing carrier in AP-mode
This fixes a regression introduced by commit 7b463ced6 (prism54: set
carrier flags correctly) which causes the device to come up without
a carrier in AP-mode.

Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
2008-05-12 21:18:04 -04:00
Wei Yongjun
c4492586a6 sctp: Add address type check while process paramaters of ASCONF chunk
If socket is create by AF_INET type, add IPv6 address to asoc will cause
kernel panic while packet is transmitted on that transport.

This patch add address type check before process paramaters of ASCONF
chunk. If peer is not support this address type, return with error
invald parameter.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-05-12 03:11:48 -07:00
Wei Yongjun
6e40a915de sctp: Do not enable peer IPv6 address support on PF_INET socket
If socket is create by PF_INET type, it can not used IPv6 address to
send/recv DATA, So we can not used IPv6 address even if peer tell us it
support IPv6 address.
This patch fix to only enabled peer IPv6 address support on PF_INET6 socket.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-05-12 03:11:43 -07:00
Matheos Worku
f9af857489 niu: Determine the # of ports from the card's VPD data
Determine the number of physical ports from the card's VPD data.
Previous fix failed on Maramba platform which doesn't have the
"board-model" property. This fix uses the "model" property which
exists on all cards and Neptune based motherboards.

cstyle cleanup included.

Signed-off-by: Matheos Worku <matheos.worku@sun.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-05-12 03:10:59 -07:00
David S. Miller
36ca34cc3b sit: Add missing kfree_skb() on pskb_may_pull() failure.
Noticed by Paul Marks <paul@pmarks.net>.

Signed-off-by: David S. Miller <davem@davemloft.net>
2008-05-08 23:40:26 -07:00
Allan Stephens
f08269d3ec tipc: Increase buffer header to support worst-case device
This patch increases the headroom TIPC reserves in each sk_buff
to accommodate the largest possible link level device header.

Signed-off-by: Allan Stephens <allan.stephens@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-05-08 21:38:24 -07:00
Ben Hutchings
e46b66bc42 net: Added ASSERT_RTNL() to dev_open() and dev_close().
dev_open() and dev_close() must be called holding the RTNL, since they
call device functions and netdevice notifiers that are promised the RTNL.

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-05-08 02:53:17 -07:00
Oliver Hartkopp
c2ab7ac225 can: Fix can_send() handling on dev_queue_xmit() failures
The tx packet counting and the local loopback of CAN frames should
only happen in the case that the CAN frame has been enqueued to the
netdevice tx queue successfully.

Thanks to Andre Naujoks <nautsch@gmail.com> for reporting this issue.

Signed-off-by: Oliver Hartkopp <oliver@hartkopp.net>
Signed-off-by: Urs Thuermann <urs@isnogud.escape.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-05-08 02:49:55 -07:00
David S. Miller
33f9936b2b Merge branch 'upstream-davem' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/netdev-2.6 2008-05-08 02:35:54 -07:00
Pavel Emelyanov
aca51397d0 netns: Fix arbitrary net_device-s corruptions on net_ns stop.
When a net namespace is destroyed, some devices (those, not killed
on ns stop explicitly) are moved back to init_net.

The problem, is that this net_ns change has one point of failure -
the __dev_alloc_name() may be called if a name collision occurs (and
this is easy to trigger). This allocator performs a likely-to-fail
GFP_ATOMIC allocation to find a suitable number. Other possible 
conditions that may cause error (for device being ns local or not
registered) are always false in this case.

So, when this call fails, the device is unregistered. But this is
*not* the right thing to do, since after this the device may be
released (and kfree-ed) improperly. E. g. bridges require more
actions (sysfs update, timer disarming, etc.), some other devices 
want to remove their private areas from lists, etc.

I. e. arbitrary use-after-free cases may occur.

The proposed fix is the following: since the only reason for the
dev_change_net_namespace to fail is the name generation, we may
give it a unique fall-back name w/o %d-s in it - the dev<ifindex>
one, since ifindexes are still unique.

So make this change, raise the failure-case printk loglevel to 
EMERG and replace the unregister_netdevice call with BUG().

[ Use snprintf() -DaveM ]

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-05-08 01:24:25 -07:00
Patrick McHardy
f3261aff35 netfilter: Kconfig: default DCCP/SCTP conntrack support to the protocol config values
When conntrack and DCCP/SCTP protocols are enabled, chances are good
that people also want DCCP/SCTP conntrack and NAT support.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-05-08 01:16:04 -07:00
Patrick McHardy
ef75d49f11 netfilter: nf_conntrack_sip: restrict RTP expect flushing on error to last request
Some Inovaphone PBXs exhibit very stange behaviour: when dialing for
example "123", the device sends INVITE requests for "1", "12" and
"123" back to back.  The first requests will elicit error responses
from the receiver, causing the SIP helper to flush the RTP
expectations even though we might still see a positive response.

Note the sequence number of the last INVITE request that contained a
media description and only flush the expectations when receiving a
negative response for that sequence number.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-05-08 01:15:21 -07:00
Patrick McHardy
7312096454 macvlan: Fix memleak on device removal/crash on module removal
As noticed by Ben Greear, macvlan crashes the kernel when unloading the
module. The reason is that it tries to clean up the macvlan_port pointer
on the macvlan device itself instead of the underlying device. A non-NULL
pointer is taken as indication that the macvlan_handle_frame_hook is
valid, when receiving the next packet on the underlying device it tries
to call the NULL hook and crashes.

Clean up the macvlan_port on the correct device to fix this.

Signed-off-by; Patrick McHardy <kaber@trash.net>
Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-05-08 01:13:31 -07:00
J.H.M. Dassen (Ray)
c67fa02799 net/ipv4: correct RFC 1122 section reference in comment
RFC 1122 does not have a section 3.1.2.2. The requirement to silently
discard datagrams with a bad checksum is in section 3.2.1.2 instead.

Addresses http://bugzilla.kernel.org/show_bug.cgi?id=10611

Signed-off-by: J.H.M. Dassen (Ray) <jdassen@debian.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-05-08 01:11:04 -07:00
Ilpo Järvinen
62ab222783 tcp FRTO: SACK variant is errorneously used with NewReno
Note: there's actually another bug in FRTO's SACK variant, which
is the causing failure in NewReno case because of the error
that's fixed here. I'll fix the SACK case separately (it's
a separate bug really, though related, but in order to fix that
I need to audit tp->snd_nxt usage a bit).

There were two places where SACK variant of FRTO is getting
incorrectly used even if SACK wasn't negotiated by the TCP flow.
This leads to incorrect setting of frto_highmark with NewReno
if a previous recovery was interrupted by another RTO.

An eventual fallback to conventional recovery then incorrectly
considers one or couple of segments as forward transmissions
though they weren't, which then are not LOST marked during
fallback making them "non-retransmittable" until the next RTO.
In a bad case, those segments are really lost and are the only
one left in the window. Thus TCP needs another RTO to continue.
The next FRTO, however, could again repeat the same events
making the progress of the TCP flow extremely slow.

In order for these events to occur at all, FRTO must occur
again in FRTOs step 3 while the key segments must be lost as
well, which is not too likely in practice. It seems to most
frequently with some small devices such as network printers
that *seem* to accept TCP segments only in-order. In cases
were key segments weren't lost, things get automatically
resolved because those wrongly marked segments don't need to be
retransmitted in order to continue.

I found a reproducer after digging up relevant reports (few
reports in total, none at netdev or lkml I know of), some
cases seemed to indicate middlebox issues which seems now
to be a false assumption some people had made. Bugzilla
#10063 _might_ be related. Damon L. Chesser <damon@damtek.com>
had a reproducable case and was kind enough to tcpdump it
for me. With the tcpdump log it was quite trivial to figure
out.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-05-08 01:09:11 -07:00
Kok, Auke
f227ec3ca2 e1000e: don't return half-read eeprom on error
On a read error, e1000e might have returned uninitialized block of
eeprom data back to userspace. The convention is that 0xff is "empty",
so mark the entire eeprom as empty in case of an error.

Signed-off-by: Auke Kok <auke-jan.h.kok@intel.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
2008-05-06 12:38:02 -04:00
Joakim Tjernlund
e410553fd3 ucc_geth: Don't use RX clock as TX clock.
Commit 9fb1e350e1,
ucc_geth: use rx-clock-name and tx-clock-name device tree properties
Introduced a typo that made the driver use the RX clock
as TX clock, causing massive TX errors.

Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
2008-05-06 12:27:58 -04:00
Alan Cox
1b3aa7afb6 cxgb3: Use CAP_SYS_RAWIO for firmware
Otherwise theoretically at least

	CAP_NET_ADMIN
	Reload new firmware
	Wait..
	Firmware patches kernel

So it should be CAY_SYS_RAWIO - not that I suspect this is in fact a
credible attack vector!

Signed-off-by: Alan Cox <alan@redhat.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
2008-05-06 12:27:53 -04:00
Don Fry
01935d7d2c pcnet32: delete non NAPI code from driver.
Delete the non-napi code from the driver and Kconfig.
Tested x86_64.  Apply at next open opportunity.

Signed-off-by: Don Fry <pcnet32@verizon.net>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
2008-05-06 12:22:39 -04:00
Scott Wood
a86e2cbe26 fs_enet: Fix a memory leak in fs_enet_mdio_probe
There are more memory leaks in the !PPC_CPM_NEW_BINDING case, but that code
will disappear soon along with arch/ppc.

Reported by Daniel Marjamki <danielm77@spray.se> at
http://bugzilla.kernel.org/show_bug.cgi?id=10591

Signed-off-by: Scott Wood <scottwood@freescale.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
2008-05-06 12:22:37 -04:00
Bruce Robson
46fa06170d [netdrvr] eexpress: IPv6 fails - multicast problems
Taken from http://bugzilla.kernel.org/show_bug.cgi?id=10577

I was unable to access a computer containing an Intel EtherExpress 16 network
card using IPv6.

I traced this to failure of neighbour discovery.  When I used an "ip -6 neigh
add" command, on the computer attempting access, to insert a binding between
the IPv6 address of the computer with the Intel EtherExpress 16 network card
and the card's ethernet address, I was able to access that computer using
IPv6.

Neighbour discovery requires working multicast.  The driver sources file
eexpress.c contains an approximately 30 line function eexp_setup_filter used
when loading multicast addresses.

I found 3 problems in this function

1) It wrote the number of multicast addresses to the card instead of the
    number of bytes in the multicast addresses.

2) When loading multiple multicast addresses it loaded the first one
    provided multiple times instead of loading each one once.

3) The setting of pointer 'data' from 'dmi->dmi_addr' occured before the
    test for the error situation of 'dmi' being NULL.

Correcting these problems allows the computer with the Intel EtherExpress 16
network card to found by IPv6 neighbour discovery.

p.s. There is some information on the Intel EtherExpress 16 at
http://www.intel.com/support/etherexpress/vintage/sb/cs-013500.htm
Datasheet for the Intel 82586 ethernet controller used by the card
http://www.datasheetcatalog.com/datasheets_pdf/8/2/5/8/82586.shtml

Signed-off-by: Bruce Robson <bns_robson@hotmail.com>
Cc: Jeff Garzik <jeff@garzik.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
2008-05-06 12:22:34 -04:00
Paulius Zaleckas
1daad055bf 3c59x: use netstats in net_device structure
Use net_device_stats from net_device structure instead of local.

Signed-off-by: Paulius Zaleckas <paulius.zaleckas@teltonika.lt>
Acked-by: Steffen Klassert <klassert@mathematik.tu-chemnitz.de>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
2008-05-06 12:22:11 -04:00
Gunnar Larisch
aa807f79da 3c980-TX needs EXTRA_PREAMBLE
The ethernet card 3c980-TX needs a mdio_sync() to initialize the ethernet
properly. This is forced by adding an EXTRA_PREAMBLE to its drv_flags.

Without this, the driver did not reconnect after a link loss.

Signed-off-by: Gunnar Larisch <Gunnar.Larisch@gmx.de>
Acked-by: Steffen Klassert <klassert@mathematik.tu-chemnitz.de>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
2008-05-06 12:22:10 -04:00
Jeff Garzik
54c852a2d6 Merge branch 'for-2.6.26' of git://git.farnsworth.org/dale/linux-2.6-mv643xx_eth into upstream 2008-05-06 12:22:03 -04:00
Jeff Garzik
7ab267d4ec fix warning in drivers/net/appletalk/cops.c
drivers/net/appletalk/cops.c: In function ‘cops_reset’:
drivers/net/appletalk/cops.c:507: warning: comparison of distinct pointer
types lacks a cast

by replacing hand-woven msleep() with call to msleep()

Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
2008-05-06 12:16:24 -04:00
Bruce Allan
97ac8caee2 e1000e: Add support for BM PHYs on ICH9
This patch adds support for the BM PHY, a new PHY model being used
on ICH9-based implementations.

This new PHY exposes issues in the ICH9 silicon when receiving
jumbo frames large enough to use more than a certain part of the
Rx FIFO, and this unfortunately breaks packet split jumbo receives.
For this reason we re-introduce (for affected adapters only) the
jumbo single-skb receive routine back so that people who do
wish to use jumbo frames on these ich9 platforms can do so.
Part of this problem has to do with CPU sleep states and to make
sure that all the wake up timings are correctly we force them
with the recently merged pm_qos infrastructure written by Mark
Gross. (See http://lkml.org/lkml/2007/10/4/400).

To make code read a bit easier we introduce a _IS_ICH flag so
that we don't need to do mac type checks over the code.

Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Auke Kok <auke-jan.h.kok@intel.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
2008-05-06 12:04:14 -04:00
Anton Vorontsov
e284e5c660 uli526x: fix endianness issues in the setup frame
This patch fixes uli526x driver's issues on a PowerPC boards: uli chip
is unable to receive the packets.

It appears that send_frame_filter prepares the setup frame in the
endianness unsafe manner. On a big endian machines we should shift
the address nibble by two bytes.

Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
2008-05-06 12:02:26 -04:00
Anton Vorontsov
afd8e39919 uli526x: initialize the hardware prior to requesting interrupts
The firmware on MPC8610HPCD boards enables ULI ethernet and leaves it
in some funky state before booting Linux. For drivers, it's always good
idea to (re)initialize the hardware prior to requesting interrupts.

This patch fixes the following oops:

Oops: Kernel access of bad area, sig: 11 [#1]
MPC86xx HPCD
NIP: c0172820 LR: c017287c CTR: 00000000
[...]
NIP [c0172820] allocate_rx_buffer+0x2c/0xb0
LR [c017287c] allocate_rx_buffer+0x88/0xb0
Call Trace:
[df82bdc0] [c017287c] allocate_rx_buffer+0x88/0xb0 (unreliable)
[df82bde0] [c0173000] uli526x_interrupt+0xe4/0x49c
[df82be20] [c0045418] request_irq+0xf0/0x114
[df82be50] [c01737b0] uli526x_open+0x48/0x160
[df82be70] [c0201184] dev_open+0xb0/0xe8
[df82be80] [c0200104] dev_change_flags+0x90/0x1bc
[df82bea0] [c035fab0] ip_auto_config+0x214/0xef4
[df82bf60] [c03421c8] kernel_init+0xc4/0x2ac
[df82bff0] [c0010834] kernel_thread+0x44/0x60
Instruction dump:
4e800020 9421ffe0 7c0802a6 bfa10014 7c7e1b78 90010024 80030060 83e30054
2b80002f 419d0078 3fa0c039 48000058 <907f0010> 80630088 2f830000 419e0014

Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
2008-05-06 12:02:15 -04:00
Andy Fleming
6fee40e9b8 ucc_geth: Fix a bunch of sparse warnings
ucc_geth didn't have anything marked as __iomem.  It was also inconsistent
with its use of in/out accessors (using them sometimes, not using them other
times).  Cleaning this up cuts the warnings down from hundreds to just over a
dozen.

Signed-off-by: Andy Fleming <afleming@freescale.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
2008-05-06 12:02:08 -04:00
Andy Fleming
9b9a8bfc8d phylib: Fix some sparse warnings
Declared some things static, declared some things in the header.

Signed-off-by: Andy Fleming <afleming@freescale.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
2008-05-06 12:01:41 -04:00
Andy Fleming
f162b9d582 gianfar: Fix a locking bug in gianfar's sysfs code
During sparse cleanup, found a locking bug.  Some of the sysfs functions were
acquiring a lock, and then returning in the event of an error.  We rearrange
the code so that the lock is released in error conditions, too.

Signed-off-by: Andy Fleming <afleming@freescale.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
2008-05-06 12:01:34 -04:00
Jay Vosburgh
569f0c4d90 bonding: fix enslavement error unwinds
As part of:

commit c2edacf80e
Author: Jay Vosburgh <fubar@us.ibm.com>
Date:   Mon Jul 9 10:42:47 2007 -0700

    bonding / ipv6: no addrconf for slaves separately from master

two steps were rearranged in the enslavement process: netdev_set_master
is now before the call to dev_open to open the slave.

	This patch updates the error cases and unwind process at the
end of bond_enslave to match the new order.  Without this patch, it is
possible for the enslavement to fail, but leave the slave with IFF_SLAVE
set in its flags.

Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
2008-05-06 12:01:32 -04:00
Pavel Emelyanov
ae68c39819 bonding: Deadlock between bonding_store_bonds and bond_destroy_sysfs.
The sysfs layer has an internal protection, that ensures, that
all the process sitting inside ->sore/->show callback exits
before the appropriate entry is unregistered (the calltraces
are rather big, but I can provide them if required).

On the other hand, bonding takes rtnl_lock in
a) the bonding_store_bonds, i.e. in ->store callback,
b) module exit before calling the sysfs unregister routines.

Thus, the classical AB-BA deadlock may occur. To reproduce run
# while :; do modprobe bonding; rmmod bonding; done
and
# while :; do echo '+bond%d' > /sys/class/net/bonding_masters ; done
in parallel.

The fix is to move the bond_destroy_sysfs out of the rtnl_lock,
but _before_ bond_free_all to make sure no bonding devices exist
after module unload.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Acked-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
2008-05-06 12:01:30 -04:00
Jay Vosburgh
c4ebc66a1a bonding: fix error unwind in bonding_store_bonds
Fixed an error unwind in bonding_store_bonds that didn't release
the locks it held, and consolidated unwinds into a common block at the
end of the function.  Bug reported by Pavel Emelyanov <xemul@openvz.org>,
who provided a different fix.

Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
2008-05-06 12:01:29 -04:00
Pavel Emelyanov
822973ba79 bonding: Do not call free_netdev for already registered device.
If the call to bond_create_sysfs_entry in bond_create fails, the
proper rollback is to call unregister_netdevice, not free_netdev.
Otherwise - kernel BUG at net/core/dev.c:4057!

Checked with artificial failures injected into bond_create_sysfs_entry.

Pavel's original patch modified by Jay Vosburgh to move code around
for clarity (remove goto-hopping within the unwind block).

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
2008-05-06 12:01:27 -04:00