Several arrays were read before checking whether the index was within
bounds. ARRAY_SIZE() should be used to determine the size of arrays.
rates->rates has an arraysize of 1, so calling get_common_rates()
with a rates_size of MAX_RATES (14) was causing reads out of bounds.
tmp_size can increment at most to (ARRAY_SIZE(lbs_bg_rates) - 1) *
(*rates_size - 1), so that should be the number of elements of tmp[].
A goto can be eliminated: ret was already set upon its declaration.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
reads bss->rates[j] before checking bounds of index, and should use
ARRAY_SIZE to determine the size of the array.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Acked-by: Holger Schurig <hs4233@mail.mn-solutions.de>
Acked-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
tid is bounded (above) by the size of default_tid_to_tx_fifo (17 elements), but
the size of priv->stations[].tid[] is MAX_TID_COUNT (9) elements.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Incorrect limits leads to reads outside array bounds.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Acked-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
SSID_rid has space for only 3 ssids.
txPowerLevels[i] is read before the bounds check for i
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Acked-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
iwm_wdev_alloc() returns an ERR_PTR on failure and not null. It also
prints its own dev_err() message so I removed that as well.
Compile tested only. Sorry.
Found by smatch (http://repo.or.cz/w/smatch.git).
Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
We need to provide a reasonable minimum that will result in a
working setup if used. Set minimum to be 10 to provide for
4 standard TX queues + 1 command queue + 2 (unused) HCCA queues +
4 HT queues (one per AC).
We allow the user to change the number of queues used via a module
parameter and use this minimum value to check if it is valid. Without
this patch a user can select a value for the number of queues that
will result in a failing setup.
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Reviewed-by: Tomas Winkler <tomas.winkler@intel.com>
Acked-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
I had a problem on 4965 hardware (well, probably other hardware too,
but others don't survive my stress testing right now, unfortunately)
where the driver was sending invalid commands to the device, but no
such thing could be seen from the driver's point of view. I could
reproduce this fairly easily by sending multiple TCP streams with
iperf on different TIDs, though sometimes a single iperf stream was
sufficient. It even happened with a single core, but I have forced
preemption turned on.
The culprit was a queue overrun, where we advanced the queue's write
pointer over the read pointer. After careful analysis I've come to
the conclusion that the cause is a race condition between iwlwifi
and mac80211.
mac80211, of course, checks whether the queue is stopped, before
transmitting a frame. This effectively looks like this:
lock(queues)
if (stopped(queue)) {
unlock(queues)
return busy;
}
unlock(queues)
... <-- this place will be important
there is some more code here
drv_tx(frame)
The driver, on the other hand, can stop and start queues, which does
lock(queues)
mark_running/stopped(queue)
unlock(queues)
[if marked running: wake up tasklet to send pending frames]
Now, however, once the driver starts the queue, mac80211 can see that
and end up at the marked place above, at which point for some reason the
driver seems to stop the queue again (I don't understand that) and then
we end up transmitting while the queue is actually full.
Now, this shouldn't actually matter much, but for some reason I've seen
it happen multiple times in a row and the queue actually overflows, at
which point the queue bites itself in the tail and things go completely
wrong.
This patch fixes this by just dropping the packet should this have
happened, and making the lock in iwlwifi cover everything so iwlwifi
can't race against itself (dropping the lock there might make it more
likely, but it did seem to happen without that too).
Since we can't hold the lock across drv_tx() above, I see no way to fix
this in mac80211, but I also don't understand why I haven't seen this
before -- maybe I just never stress tested it this badly.
With this patch, the device has survived many minutes of simultanously
sending two iperf streams on different TIDs with combined throughput
of about 60 Mbps.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
There is an 82599 errata that UDP frames with a zero checksum are
incorrectly marked as checksum invalid by the hardware. This was
leading to misleading hw_csum_rx_error counts. This patch adds a
test around this counter increase for this condition.
Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
More stuff for http://bugzilla.kernel.org/show_bug.cgi?id=9512
Some 8168 are unable to WoL when receiving is not enabled (plain
old 8169 do not seem to care).
It is not exactly pretty to leave the receiver enabled but we
should now enable DMA late enough for it to be safe. Some late
stage boot failure due to pxe and friends may benefit from the
delayed enabling of bus-mastering as well.
Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Tested-by: Jaromír Cápík <tavvva@volny.cz>
Cc: Edward Hsu <edward_hsu@realtek.com.tw>
Reset consumer of status rings to 0 when cleaning
up sw resources. Status rings are not deleted
during suspend since they have napi objects.
This ensures correct rx processing across suspen-resume.
Signed-off-by: Dhananjay Phadke <dhananjay@netxen.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
kobject_init_and_add will alloc memory for kobj->name, so in br_add_if
error path, simply use kobject_del will not free memory for kobj->name.
Fix by using kobject_put instead, kobject_put will internally calls
kobject_del and frees memory for kobj->name.
Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
Acked-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Alessandro Rubini <rubini@unipv.it>
Acked-by: Andrea Gallo <andrea.gallo@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The use of a static buffer in rose2asc() to return its result is not
threadproof and can result in corruption if multiple threads are trying
to use one of the procfs files based on rose2asc().
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
io[i] is read before the bounds check on i, order should be reversed
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
io[i] is read before the bounds check on i, order should be reversed
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
loop bound looks to be wrong, for an array of length 8
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
phy_idx is checked to be < 4, but np->phys[] is 2 elements long
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Calls to device_init_wakeup should not be necessary in drivers that use
device_set_wakeup_enable since pci_pm_init will set the can_wakeup flag
for the device when initialized.
Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
Acked-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Certain types of control packets (LLDP, LACP, etc.) are not supposed to have a
priority tag or vlan tag inserted. Ixgbe driver is currently priority
tagging everything (if packet is not on a VLAN interface).
This patch modifies DCB mode, so that packets marked with skb priority
TC_PRIO_CONTROL are not priority tagged. It also transmits these packets on
the highest priority traffic class.
Programs (like dcbd) can set the skb priority using a socket option. Or, a tc
filter can be configured to set the priority value. Using the value
TC_PRIO_CONTROL (7) has the benefit that it is already defined in the kernel,
and the bonding LACP code already sets the skb->priority field to this value.
Signed-off-by: Lucy Liu <lucy.liu@intel.com>
Acked-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Currently, FCoE offload feature is turned on when the kernel config has
CONFIG_FCOE or CONFIG_FCOE_MODULE set. However, we really want to turn
FCoE offload on when there is FCoE traffic passing and turn it off when
it's just LAN traffic. Since FCoE depends on a lossless network provided
by DCB, this allows us to have FCoE turned on/off when user turns on DCB
using dcbtool.
Signed-off-by: Yi Zou <yi.zou@intel.com>
Acked-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Changes to the fs_enet driver aa73832c5a
("net: Rework fs_enet driver to use of_mdio infrastructure")
cause kernel crashes when using the mdio-ofgpio driver.
This patch replicates similar changes made to the fs_enet mii-bitbang
drivers. It has been tested on a custom mpc8280 based board using an
NFS mounted root.
Signed-off-by: Mark Ware <mware@elphinstone.net>
Acked-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
at91ether_probe lives in .init.text, so using platform_driver_register
to register it is wrong because binding a device after the init memory
is discarded (e.g. via sysfs) results in an oops.
As requested by David Brownell platform_driver_probe is used instead of
moving the probe function to .devinit.text as proposed initially.
This saves some memory, but devices registered after the driver is
probed are not bound (probably there are none) and binding via sysfs
isn't possible.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Acked-by: David Brownell <dbrownell@users.sourceforge.net>
Acked-by: Andrew Victor <linux@maxim.org.za>
Signed-off-by: David S. Miller <davem@davemloft.net>
If skge hardware is capable of waking up the system from sleep,
enable magic packet WoL during driver initialisation.
This makes WoL work without calling 'ethtool -s ethX wol g'
for each adapter.
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Tested-by: Michael Guntsche <mike@it-loops.com>
Acked-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
fix this build error when CONFIG_MII is not set
drivers/net/ks8851.c:999: undefined reference to `generic_mii_ioctl'
drivers/net/ks8851.c:1050: undefined reference to `mii_link_ok'
drivers/net/ks8851.c:1056: undefined reference to `mii_nway_restart'
drivers/net/ks8851.c:1044: undefined reference to `mii_ethtool_sset'
drivers/net/ks8851.c:1038: undefined reference to `mii_ethtool_gset'
Signed-off-by: Alexander Beregalov <a.beregalov@gmail.com>
Acked-by: Ben Dooks <ben@simtec.co.uk>
This patch fixes a bug in the non-lro path. Wrong size of received
packet was being passed for updating receive statistics. This patch
is against the net-2.6 git.
Signed-off-by: Ajit Khaparde <ajitk@serverengines.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Since commit 0b9da337dc ("Rework
ucc_geth driver to use of_mdio infrastructure") the fixed-link
support is broken.
This patch fixes the support by removing !ug_info->phy_node check,
and adds a call to of_phy_connect_fixed_link() if a phy is not attached
to the MAC.
Also, remove an old fixed-link code that we don't use any longer.
Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
Since commit fe192a4911 ("Rework gianfar
driver to use of_mdio infrastructure") the fixed-link support is
broken, the driver oopses at init_phy():
Unable to handle kernel paging request for data at address 0x000000e4
Faulting instruction address: 0xc01cf298
Oops: Kernel access of bad area, sig: 11 [#1]
[...]
NIP [c01cf298] init_phy+0x80/0xdc
LR [c01cf250] init_phy+0x38/0xdc
Call Trace:
[cf81fe80] [c01d1cf8] gfar_enet_open+0x6c/0x19c
[cf81fea0] [c024494c] dev_open+0xfc/0x134
[cf81fec0] [c0242edc] dev_change_flags+0x84/0x1ac
[cf81fee0] [c0399ee0] ic_open_devs+0x168/0x2d8
[cf81ff20] [c039b2e8] ip_auto_config+0x90/0x2a4
[cf81ff60] [c0003884] do_one_initcall+0x34/0x1a8
This patch fixes the oops, and removes phy_node checks, and adds a call
to of_phy_connect_fixed_link() if a phy isn't attached..
Also, remove an old fixed-link code that we don't use any longer.
Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
Since commit aa73832c5a ("Rework
fs_enet driver to use of_mdio infrastructure") the fixed-link support
is broken in the fs_enet driver.
This patch fixes the support by removing a check for phy_node, and adding
a call to of_phy_connect_fixed_link().
Also set netdev parent device via SET_NETDEV_DEV() call, this is needed
so that OF MDIO core could find a node pointer for a device.
Plus, fix "if (IS_ERR(phydev))" check, in case of errors,
of_phy_connect() returns NULL, not ERR_PTR as phy_connect().
Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fixed-link support is broken for the ucc_eth, gianfar, and fs_enet
device drivers. The "OF MDIO rework" patches removed most of the
support. Instead of re-adding fixed-link stuff to the drivers, this
patch adds a support function for parsing the fixed-link property
and obtaining a dummy phy to match.
Note: the dummy phy handling in arch/powerpc is a bit of a hack and
needs to be reworked. This function is being added now to solve the
regression in the Ethernet drivers, but it should be considered a
temporary measure until the fixed link handling can be reworked.
Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
Reset rx chain before trying to drain it.
Shut interrupts off last, incase there's something to report.
Signed-off-by: Mike McCormack <mikem@ring3k.org>
Acked-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The values in the advertising field are typically ADVERTISED_xxx, not
SUPPORTED_xxx. Both SUPPORTED_10000baseT_Full and
ADVERTISED_1000baseT_Full have the same value.
The semantic match that finds this problem is as follows:
(http://www.emn.fr/x-info/coccinelle/)
// <smpl>
@@
struct ethtool_cmd E;
@@
*E.advertising = SUPPORTED_10000baseT_Full
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
If the NULL test is necessary, then the dereference should be moved below
the NULL test.
The semantic patch that makes this change is as follows:
(http://www.emn.fr/x-info/coccinelle/)
// <smpl>
@@
type T;
expression E,E1;
identifier i,fld;
statement S;
@@
- T i = E->fld;
+ T i;
... when != E=E1
when != i
if (E == NULL||...) S
+ i = E->fld;
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
If the NULL test is necessary, then the dereferences should be moved below
the NULL test.
The semantic patch that makes this change is as follows:
(http://www.emn.fr/x-info/coccinelle/)
// <smpl>
@@
type T;
expression E,E1;
identifier i,fld;
statement S;
@@
- T i = E->fld;
+ T i;
... when != E=E1
when != i
BUG_ON (E == NULL||...);
+ i = E->fld;
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Firmware V4 on CF8381 reports region code shifted by 1 byte to left.
The following patch checks for this and handles it properly.
Signed-off-by: Marek Vasut <marek.vasut@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Two users of ar9170 devices have now reported their cards
have been programmed with a regulatory domain of 0x8000.
This is not a valid regulatory domain as such these users were
unable to use these devices. Since this doesn't seem to be
a device EEPROM corruption we must treat it specially. It
may have been possible the manufacturer intended to use 0x0
as the regulatory domain and that would ultimately yield
to US but since we cannot get confirmationf or this we
default this special case to one of our world regulatory
domains, specifically 0x64.
Reported-by: DavidFreeman on #linux-wireless
Reported-by: Joerg Albert <jal2@gmx.de>
Cc: Christian Lamparter <chunkeey@web.de>,
Cc: Stephen Chen <stephen.chen@atheros.com>
Cc: David Quan <david.quan@atheros.com>
Cc: Tony Yang <tony.yang@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Fix a potential NULL dereference bug during
error handling in p54spi_probe.
This bug was discovered by smatch:
(http://repo.or.cz/w/smatch.git).
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Fix another polarity error introduced by the rfkill rewrite,
this time in acer_rfkill_set().
Signed-off-by: Alan Jenkins <alan-jenkins@tuffmail.co.uk>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Many Nokia handsets support a Phonet interface to the cellular modem
via a vendor-specific USB interface. CDC Phonet follows the
Communications Device Class model, with one control interface, and
and a pair of inactive and active data alternative interface. The later
has two bulk endpoint, one per direction.
This was tested against Nokia E61, Nokia N95, and the existing Phonet
gadget function for the Linux composite USB gadget framework.
Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Set the driver data before using it. Fixes an oops when doing rmmod.
Signed-off-by: Finn Thain <fthain@telegraphics.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
A pointer to mac_sonic_probe is passed to the core via
platform_driver_register and so the function must not disappear when the
.init sections are discarded. Otherwise (if also having HOTPLUG=y)
unbinding and binding a device to the driver via sysfs will result in an
oops as does a device being registered late.
Various other functions that are called by mac_sonic_probe need to move
to .devinit.text, too.
An alternative to this patch is using platform_driver_probe instead of
platform_driver_register plus removing the pointer to the probe function
from the struct platform_driver.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Tested-by: Finn Thain <fthain@telegraphics.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Some drivers don't need the return value of rfkill_set_hw_state(),
so it should not be marked as __must_check.
Signed-off-by: Alan Jenkins <alan-jenkins@tuffmail.co.uk>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
For AP mode we must tune ANI specially for 2 GHz and
for 5 GHz. We mask in only the flags we want to toggle
on ath9k_hw_ani_control() through the ah->ani_function
bitmask, this will take care of ignoring changes during
ANI reset which we were disabling before.
Testedy-by: Steven Luo <steven@steven676.net>
Cc: Bennyam Malavazi <bennyam.malavazi@atheros.com>
Cc: Jouni Malinen <jouni.malinen@Atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
The commit below changed the semantics of rt2x00_check_rev so that it no
longer checked the bottom 4 bits of the rev were non-zero. During that
conversion this part of the check was not propogated to the rt2500usb
initialisation.
commit 358623c22c
Author: Ivo van Doorn <ivdoorn@gmail.com>
Date: Tue May 5 19:46:08 2009 +0200
rt2x00: Simplify rt2x00_check_rev
Without this check rt73 devices are miss recognised as rt2500 devices and
two drivers are loaded. Preventing the device being used. Reinstate this
check.
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Potential memory leak via msg pointer in nl80211_get_key() function.
Signed-off-by: Niko Jokinen <ext-niko.k.jokinen@nokia.com>
Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
When rtl8187 is unloaded and CONFIG_RTL8187_LEDS is set, the kernel
may oops when the module is unloaded as the workqueue for led_on was
not being cancelled.
This patch fixes the problem reported in
http://marc.info/?l=linux-wireless&m=124742957615781&w=2.
Reported-by: Gábor Stefanik <netrolller.3d@gmail.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger>
Signed-off-by: John W. Linville <linville@tuxdriver.com>