summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* cifs: Read buffer overflowRoel Kluin2009-08-031-1/+1
| | | | | | | | Check whether index is within bounds before testing the element. Acked-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
* cifs: show noforceuid/noforcegid mount options (try #2)Jeff Layton2009-08-031-0/+4
| | | | | | | Since forceuid is the default, we now need to show when it's disabled. Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
* cifs: reinstate original behavior when uid=/gid= options are specifiedJeff Layton2009-08-021-12/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes the regression reported here: http://bugzilla.kernel.org/show_bug.cgi?id=13861 commit 4ae1507f6d266d0cc3dd36e474d83aad70fec9e4 changed the default behavior when the uid= or gid= option was specified for a mount. The existing behavior was to always clobber the ownership information provided by the server when these options were specified. The above commit changed this behavior so that these options simply provided defaults when the server did not provide this information (unless "forceuid" or "forcegid" were specified) This patch reverts this change so that the default behavior is restored. It also adds "noforceuid" and "noforcegid" options to make it so that ownership information from the server is preserved, even when the mount has uid= or gid= options specified. It also adds a couple of printk notices that pop up when forceuid or forcegid options are specified without a uid= or gid= option. Reported-by: Tom Chiverton <bugzilla.kernel.org@falkensweb.com> Reviewed-by: Shirish Pargaonkar <shirishp@us.ibm.com> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
* [CIFS] Updates fs/cifs/CHANGESSteve French2009-07-301-0/+6
| | | | Signed-off-by: Steve French <sfrench@us.ibm.com>
* cifs: fix error handling in mount-time DFS referral chasing codeJeff Layton2009-07-282-6/+19
| | | | | | | | | | | | If the referral is malformed or the hostname can't be resolved, then the current code generates an oops. Fix it to handle these errors gracefully. Reported-by: Sandro Mathys <sm@sandro-mathys.ch> Acked-by: Igor Mammedov <niallain@gmail.com> CC: Stable <stable@kernel.org> Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com>
* Merge branch 'for-linus' of git://git.infradead.org/users/eparis/notifyLinus Torvalds2009-07-287-59/+91
|\ | | | | | | | | | | | | | | | | | | | | * 'for-linus' of git://git.infradead.org/users/eparis/notify: inotify: use GFP_NOFS under potential memory pressure fsnotify: fix inotify tail drop check with path entries inotify: check filename before dropping repeat events fsnotify: use def_bool in kconfig instead of letting the user choose inotify: fix error paths in inotify_update_watch inotify: do not leak inode marks in inotify_add_watch inotify: drop user watch count when a watch is removed
| * inotify: use GFP_NOFS under potential memory pressureEric Paris2009-07-214-12/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | inotify can have a watchs removed under filesystem reclaim. ================================= [ INFO: inconsistent lock state ] 2.6.31-rc2 #16 --------------------------------- inconsistent {IN-RECLAIM_FS-W} -> {RECLAIM_FS-ON-W} usage. khubd/217 [HC0[0]:SC0[0]:HE1:SE1] takes: (iprune_mutex){+.+.?.}, at: [<c10ba899>] invalidate_inodes+0x20/0xe3 {IN-RECLAIM_FS-W} state was registered at: [<c10536ab>] __lock_acquire+0x2c9/0xac4 [<c1053f45>] lock_acquire+0x9f/0xc2 [<c1308872>] __mutex_lock_common+0x2d/0x323 [<c1308c00>] mutex_lock_nested+0x2e/0x36 [<c10ba6ff>] shrink_icache_memory+0x38/0x1b2 [<c108bfb6>] shrink_slab+0xe2/0x13c [<c108c3e1>] kswapd+0x3d1/0x55d [<c10449b5>] kthread+0x66/0x6b [<c1003fdf>] kernel_thread_helper+0x7/0x10 [<ffffffff>] 0xffffffff Two things are needed to fix this. First we need a method to tell fsnotify_create_event() to use GFP_NOFS and second we need to stop using one global IN_IGNORED event and allocate them one at a time. This solves current issues with multiple IN_IGNORED on a queue having tail drop problems and simplifies the allocations since we don't have to worry about two tasks opperating on the IGNORED event concurrently. Signed-off-by: Eric Paris <eparis@redhat.com>
| * fsnotify: fix inotify tail drop check with path entriesEric Paris2009-07-211-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | fsnotify drops new events when they are the same as the tail event on the queue to be sent to userspace. The problem is that if the event comes with a path we forget to break out of the switch statement and fall into the code path which matches on events that do not have any type of file backed information (things like IN_UNMOUNT and IN_Q_OVERFLOW). The problem is that this code thinks all such events should be dropped. Fix is to add a break. Signed-off-by: Eric Paris <eparis@redhat.com>
| * inotify: check filename before dropping repeat eventsEric Paris2009-07-211-2/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | inotify drops events if the last event on the queue is the same as the current event. But it does 2 things wrong. First it is comparing old->inode with new->inode. But after an event if put on the queue the ->inode is no longer allowed to be used. It's possible between the last event and this new event the inode could be reused and we would falsely match the inode's memory address between two differing events. The second problem is that when a file is removed fsnotify is passed the negative dentry for the removed object rather than the postive dentry from immediately before the removal. This mean the (broken) inotify tail drop code was matching the NULL ->inode of differing events. The fix is to check the file name which is stored with events when doing the tail drop instead of wrongly checking the address of the stored ->inode. Reported-by: Scott James Remnant <scott@ubuntu.com> Signed-off-by: Eric Paris <eparis@redhat.com>
| * fsnotify: use def_bool in kconfig instead of letting the user chooseEric Paris2009-07-213-13/+3
| | | | | | | | | | | | | | | | | | | | | | fsnotify doens't give the user anything. If someone chooses inotify or dnotify it should build fsnotify, if they don't select one it shouldn't be built. This patch changes fsnotify to be a def_bool=n and makes everything else select it. Also fixes the issue people complained about on lwn where gdm hung because they didn't have inotify and they didn't get the inotify build option..... Signed-off-by: Eric Paris <eparis@redhat.com>
| * inotify: fix error paths in inotify_update_watchEric Paris2009-07-211-30/+49
| | | | | | | | | | | | | | | | | | | | | | inotify_update_watch could leave things in a horrid state on a number of error paths. We could try to remove idr entries that didn't exist, we could send an IN_IGNORED to userspace for watches that don't exist, and a bit of other stupidity. Clean these up by doing the idr addition before we put the mark on the inode since we can clean that up on error and getting off the inode's mark list is hard. Signed-off-by: Eric Paris <eparis@redhat.com>
| * inotify: do not leak inode marks in inotify_add_watchEric Paris2009-07-211-4/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | inotify_add_watch had a couple of problems. The biggest being that if inotify_add_watch was called on the same inode twice (to update or change the event mask) a refence was taken on the original inode mark by fsnotify_find_mark_entry but was not being dropped at the end of the inotify_add_watch call. Thus if inotify_rm_watch was called although the mark was removed from the inode, the refcnt wouldn't hit zero and we would leak memory. Reported-by: Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: Eric Paris <eparis@redhat.com>
| * inotify: drop user watch count when a watch is removedEric Paris2009-07-211-0/+2
| | | | | | | | | | | | | | | | | | The inotify rewrite forgot to drop the inotify watch use cound when a watch was removed. This means that a single inotify fd can only ever register a maximum of /proc/sys/fs/max_user_watches even if some of those had been freed. Signed-off-by: Eric Paris <eparis@redhat.com>
* | pty: quickfix for the pty ENXIO timing problemsAlan Cox2009-07-281-0/+2
| | | | | | | | | | | | | | | | This also makes close stall in the normal case which is apparently needed to fix emacs Signed-off-by: Alan Cox <alan@linux.intel.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* | Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6Linus Torvalds2009-07-2747-174/+336
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (45 commits) cnic: Fix ISCSI_KEVENT_IF_DOWN message handling. net: irda: init spinlock after memcpy ixgbe: fix for 82599 errata marking UDP checksum errors r8169: WakeOnLan fix for the 8168 netxen: reset ring consumer during cleanup net/bridge: use kobject_put to release kobject in br_add_if error path smc91x.h: add config for Nomadik evaluation kit NET: ROSE: Don't use static buffer. eepro: Read buffer overflow tokenring: Read buffer overflow at1700: Read buffer overflow fealnx: Write outside array bounds ixgbe: remove unnecessary call to device_init_wakeup ixgbe: Don't priority tag control frames in DCB mode ixgbe: Enable FCoE offload when DCB is enabled for 82599 net: Rework mdio-ofgpio driver to use of_mdio infrastructure register at91_ether using platform_driver_probe skge: Enable WoL by default if supported net: KS8851 needs to depend on MII be2net: Bug fix in the non-lro path. Size of received packet was not updated in statistics properly. ...
| * | cnic: Fix ISCSI_KEVENT_IF_DOWN message handling.Michael Chan2009-07-271-2/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When a net device goes down or when the bnx2i driver is unloaded, the code was not generating the ISCSI_KEVENT_IF_DOWN message properly and this could cause the userspace driver to crash. This is fixed by sending the message properly in the shutdown path. cnic_uio_stop() is also added to send the message when bnx2i is unregistering. Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | net: irda: init spinlock after memcpyDeepak Saxena2009-07-271-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | irttp_dup() copies a tsap_cb struct, but does not initialize the spinlock in the new structure, which confuses lockdep. Signed-off-by: Deepak Saxena <dsaxena@mvista.com> Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | ixgbe: fix for 82599 errata marking UDP checksum errorsDon Skidmore2009-07-271-2/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There is an 82599 errata that UDP frames with a zero checksum are incorrectly marked as checksum invalid by the hardware. This was leading to misleading hw_csum_rx_error counts. This patch adds a test around this counter increase for this condition. Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | r8169: WakeOnLan fix for the 8168françois romieu2009-07-271-2/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | More stuff for http://bugzilla.kernel.org/show_bug.cgi?id=9512 Some 8168 are unable to WoL when receiving is not enabled (plain old 8169 do not seem to care). It is not exactly pretty to leave the receiver enabled but we should now enable DMA late enough for it to be safe. Some late stage boot failure due to pxe and friends may benefit from the delayed enabling of bus-mastering as well. Signed-off-by: Francois Romieu <romieu@fr.zoreil.com> Tested-by: Jaromír Cápík <tavvva@volny.cz> Cc: Edward Hsu <edward_hsu@realtek.com.tw>
| * | netxen: reset ring consumer during cleanupDhananjay Phadke2009-07-271-0/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Reset consumer of status rings to 0 when cleaning up sw resources. Status rings are not deleted during suspend since they have napi objects. This ensures correct rx processing across suspen-resume. Signed-off-by: Dhananjay Phadke <dhananjay@netxen.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | net/bridge: use kobject_put to release kobject in br_add_if error pathXiaotian Feng2009-07-271-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | kobject_init_and_add will alloc memory for kobj->name, so in br_add_if error path, simply use kobject_del will not free memory for kobj->name. Fix by using kobject_put instead, kobject_put will internally calls kobject_del and frees memory for kobj->name. Signed-off-by: Xiaotian Feng <dfeng@redhat.com> Acked-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | smc91x.h: add config for Nomadik evaluation kitAlessandro Rubini2009-07-271-1/+2
| | | | | | | | | | | | | | | | | | Signed-off-by: Alessandro Rubini <rubini@unipv.it> Acked-by: Andrea Gallo <andrea.gallo@stericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | NET: ROSE: Don't use static buffer.Ralf Baechle2009-07-273-22/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | The use of a static buffer in rose2asc() to return its result is not threadproof and can result in corruption if multiple threads are trying to use one of the procfs files based on rose2asc(). Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | eepro: Read buffer overflowRoel Kluin2009-07-271-1/+1
| | | | | | | | | | | | | | | | | | | | | io[i] is read before the bounds check on i, order should be reversed Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | tokenring: Read buffer overflowroel kluin2009-07-271-1/+1
| | | | | | | | | | | | | | | | | | | | | io[i] is read before the bounds check on i, order should be reversed Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | at1700: Read buffer overflowroel kluin2009-07-271-1/+1
| | | | | | | | | | | | | | | | | | | | | loop bound looks to be wrong, for an array of length 8 Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | fealnx: Write outside array boundsroel kluin2009-07-271-1/+2
| | | | | | | | | | | | | | | | | | | | | phy_idx is checked to be < 4, but np->phys[] is 2 elements long Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | ixgbe: remove unnecessary call to device_init_wakeupAndy Gospodarek2009-07-231-1/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Calls to device_init_wakeup should not be necessary in drivers that use device_set_wakeup_enable since pci_pm_init will set the can_wakeup flag for the device when initialized. Signed-off-by: Andy Gospodarek <andy@greyhouse.net> Acked-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | ixgbe: Don't priority tag control frames in DCB modeLucy Liu2009-07-231-6/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Certain types of control packets (LLDP, LACP, etc.) are not supposed to have a priority tag or vlan tag inserted. Ixgbe driver is currently priority tagging everything (if packet is not on a VLAN interface). This patch modifies DCB mode, so that packets marked with skb priority TC_PRIO_CONTROL are not priority tagged. It also transmits these packets on the highest priority traffic class. Programs (like dcbd) can set the skb priority using a socket option. Or, a tc filter can be configured to set the priority value. Using the value TC_PRIO_CONTROL (7) has the benefit that it is already defined in the kernel, and the bonding LACP code already sets the skb->priority field to this value. Signed-off-by: Lucy Liu <lucy.liu@intel.com> Acked-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | ixgbe: Enable FCoE offload when DCB is enabled for 82599Yi Zou2009-07-233-10/+31
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently, FCoE offload feature is turned on when the kernel config has CONFIG_FCOE or CONFIG_FCOE_MODULE set. However, we really want to turn FCoE offload on when there is FCoE traffic passing and turn it off when it's just LAN traffic. Since FCoE depends on a lossless network provided by DCB, this allows us to have FCoE turned on/off when user turns on DCB using dcbtool. Signed-off-by: Yi Zou <yi.zou@intel.com> Acked-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | net: Rework mdio-ofgpio driver to use of_mdio infrastructureMark Ware2009-07-231-41/+36
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes to the fs_enet driver aa73832c5a80d6c52c69b18af858d88fa595dd3c ("net: Rework fs_enet driver to use of_mdio infrastructure") cause kernel crashes when using the mdio-ofgpio driver. This patch replicates similar changes made to the fs_enet mii-bitbang drivers. It has been tested on a custom mpc8280 based board using an NFS mounted root. Signed-off-by: Mark Ware <mware@elphinstone.net> Acked-by: Grant Likely <grant.likely@secretlab.ca> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | register at91_ether using platform_driver_probeUwe Kleine-König2009-07-221-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | at91ether_probe lives in .init.text, so using platform_driver_register to register it is wrong because binding a device after the init memory is discarded (e.g. via sysfs) results in an oops. As requested by David Brownell platform_driver_probe is used instead of moving the probe function to .devinit.text as proposed initially. This saves some memory, but devices registered after the driver is probed are not bound (probably there are none) and binding via sysfs isn't possible. Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de> Acked-by: David Brownell <dbrownell@users.sourceforge.net> Acked-by: Andrew Victor <linux@maxim.org.za> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | skge: Enable WoL by default if supportedRafael J. Wysocki2009-07-221-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If skge hardware is capable of waking up the system from sleep, enable magic packet WoL during driver initialisation. This makes WoL work without calling 'ethtool -s ethX wol g' for each adapter. Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl> Tested-by: Michael Guntsche <mike@it-loops.com> Acked-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | Merge branch 'master' of ↵David S. Miller2009-07-2221-33/+94
| |\ \ | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6
| | * | libertas: Fix problem with broken V4 firmware on CF8381Marek Vasut2009-07-212-1/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Firmware V4 on CF8381 reports region code shifted by 1 byte to left. The following patch checks for this and handles it properly. Signed-off-by: Marek Vasut <marek.vasut@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * | ath: add support for special 0x8000 regulatory domainLuis R. Rodriguez2009-07-211-0/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Two users of ar9170 devices have now reported their cards have been programmed with a regulatory domain of 0x8000. This is not a valid regulatory domain as such these users were unable to use these devices. Since this doesn't seem to be a device EEPROM corruption we must treat it specially. It may have been possible the manufacturer intended to use 0x0 as the regulatory domain and that would ultimately yield to US but since we cannot get confirmationf or this we default this special case to one of our world regulatory domains, specifically 0x64. Reported-by: DavidFreeman on #linux-wireless Reported-by: Joerg Albert <jal2@gmx.de> Cc: Christian Lamparter <chunkeey@web.de>, Cc: Stephen Chen <stephen.chen@atheros.com> Cc: David Quan <david.quan@atheros.com> Cc: Tony Yang <tony.yang@atheros.com> Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * | p54spi: fix potential null deref in p54spi.cDan Carpenter2009-07-211-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix a potential NULL dereference bug during error handling in p54spi_probe. This bug was discovered by smatch: (http://repo.or.cz/w/smatch.git). Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Christian Lamparter <chunkeey@web.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * | acer-wmi: fix rfkill conversionAlan Jenkins2009-07-211-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix another polarity error introduced by the rfkill rewrite, this time in acer_rfkill_set(). Signed-off-by: Alan Jenkins <alan-jenkins@tuffmail.co.uk> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * | cfg80211: double free in __cfg80211_scan_doneChristian Lamparter2009-07-211-2/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes a double free corruption in __cfg80211_scan_done: ================================================ BUG kmalloc-512: Object already free ------------------------------------------------ INFO: Allocated in load_elf_binary+0x18b/0x19af age=6 INFO: Freed in load_elf_binary+0x104e/0x19af age=5 INFO: Slab 0xffffea0001bae4c0 objects=14 used=7 INFO: Object 0xffff88007e8a9918 @offset=6424 fp=0xffff88007e8a9488 Bytes b4 0xffff88007e8a9908: 00 00 00 00 00 00 00 00 5a 5a [...] Pid: 28705, comm: rmmod Tainted: P C 2.6.31-rc2-wl #1 Call Trace: [<ffffffff810da9f4>] print_trailer+0x14e/0x16e [<ffffffff810daa56>] object_err+0x42/0x61 [<ffffffff810dbcd9>] __slab_free+0x2af/0x396 [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211] [<ffffffff810dd5e3>] kfree+0x13c/0x17a [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211] [<ffffffffa0ec9694>] wiphy_unregister+0x92/0x142 [cfg80211] [<ffffffffa0eed163>] ieee80211_unregister_hw+0xc8/0xff [mac80211] [<ffffffffa0f3fbc8>] p54_unregister_common+0x31/0x66 [p54common] [...] FIX kmalloc-512: Object at 0xffff88007e8a9918 not freed The code path which leads to the *funny* double free: request = rdev->scan_req; dev = dev_get_by_index(&init_net, request->ifidx); /* * the driver was unloaded recently and * therefore dev_get_by_index will return NULL! */ if (!dev) goto out; [...] rdev->scan_req = NULL; /* not executed... */ [...] out: kfree(request); Signed-off-by: Christian Lamparter <chunkeey@web.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * | rfkill: remove too-strict __must_checkAlan Jenkins2009-07-211-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Some drivers don't need the return value of rfkill_set_hw_state(), so it should not be marked as __must_check. Signed-off-by: Alan Jenkins <alan-jenkins@tuffmail.co.uk> Acked-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * | ath9k: Tune ANI function processing on AP mode during ANI resetLuis R. Rodriguez2009-07-211-0/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For AP mode we must tune ANI specially for 2 GHz and for 5 GHz. We mask in only the flags we want to toggle on ath9k_hw_ani_control() through the ah->ani_function bitmask, this will take care of ignoring changes during ANI reset which we were disabling before. Testedy-by: Steven Luo <steven@steven676.net> Cc: Bennyam Malavazi <bennyam.malavazi@atheros.com> Cc: Jouni Malinen <jouni.malinen@Atheros.com> Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * | rt2x00: Fix chipset detection for rt2500usbAndy Whitcroft2009-07-211-1/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The commit below changed the semantics of rt2x00_check_rev so that it no longer checked the bottom 4 bits of the rev were non-zero. During that conversion this part of the check was not propogated to the rt2500usb initialisation. commit 358623c22c9fd837b3b1b444377037f72553dc9f Author: Ivo van Doorn <ivdoorn@gmail.com> Date: Tue May 5 19:46:08 2009 +0200 rt2x00: Simplify rt2x00_check_rev Without this check rt73 devices are miss recognised as rt2500 devices and two drivers are loaded. Preventing the device being used. Reinstate this check. Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * | nl80211: Memory leak fixedNiko Jokinen2009-07-211-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Potential memory leak via msg pointer in nl80211_get_key() function. Signed-off-by: Niko Jokinen <ext-niko.k.jokinen@nokia.com> Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * | rtl8187: Fix for kernel oops when unloading with LEDs enabledLarry Finger2009-07-211-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When rtl8187 is unloaded and CONFIG_RTL8187_LEDS is set, the kernel may oops when the module is unloaded as the workqueue for led_on was not being cancelled. This patch fixes the problem reported in http://marc.info/?l=linux-wireless&m=124742957615781&w=2. Reported-by: Gábor Stefanik <netrolller.3d@gmail.com> Signed-off-by: Larry Finger <Larry.Finger@lwfinger> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * | ath5k: temporarily disable crypto for AP modeBob Copeland2009-07-211-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Pavel Roskin reported some issues with using AP mode without nohwcrypt=1. Most likely this is similar to the problem fixed some time ago in ath9k by 3f53dd64f192450cb331c0fecfc26ca952fb242f, "ath9k: Fix hw crypto configuration for TKIP in AP mode." That only affects TKIP but it's easiest to just disable that and WEP too until we get a proper fix in. Signed-off-by: Bob Copeland <me@bobcopeland.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * | mac80211: use correct address for mesh Path ErrorJavier Cardona2009-07-211-3/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For forwarded frames, we save the precursor address in addr1 in case it needs to be used to send a Path Error. mesh_path_discard_frame, however, was using addr2 instead of addr1 to send Path Error frames, so correct that and also make the comment regarding this more clear. Signed-off-by: Andrey Yurovsky <andrey@cozybit.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * | mac80211_hwsim: fix use after freeJohannes Berg2009-07-211-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Once the "data" pointer is freed, we can't be iterating to the next item in the list any more so we need to use list_for_each_entry_safe with a temporary variable. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * | mac80211_hwsim: fix unregistrationJohannes Berg2009-07-211-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If you rmmod the module while associated, frames might be transmitted during unregistration -- which will crash if the hwsim%d interface is unregistered first, so only do that after all the virtual wiphys are gone. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * | rfkill: fix rfkill_set_states() to set the hw stateAlan Jenkins2009-07-211-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The point of this function is to set the software and hardware state at the same time. When I tried to use it, I found it was only setting the software state. Signed-off-by: Alan Jenkins <alan-jenkins@tuffmail.co.uk> Reviewed-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
| | * | mac80211: fix injection in monitor modePavel Roskin2009-07-211-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The location of the 802.11 header is calculated incorrectly due to a wrong placement of parentheses. Found by kmemcheck. Signed-off-by: Pavel Roskin <proski@gnu.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>