10 years agoxfrm: MIGRATE enhancements (draft-ebalard-mext-pfkey-enhanced-migrate)
Arnaud Ebalard [Sun, 5 Oct 2008 20:33:42 +0000]
xfrm: MIGRATE enhancements (draft-ebalard-mext-pfkey-enhanced-migrate)

Provides implementation of the enhancements of XFRM/PF_KEY MIGRATE mechanism
specified in draft-ebalard-mext-pfkey-enhanced-migrate-00. Defines associated
PF_KEY SADB_X_EXT_KMADDRESS extension and XFRM/netlink XFRMA_KMADDRESS
attribute.

Signed-off-by: Arnaud Ebalard <arno@natisbad.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoPhonet: pipe end-point protocol documentation
Rémi Denis-Courmont [Sun, 5 Oct 2008 18:16:36 +0000]
Phonet: pipe end-point protocol documentation

Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoPhonet: implement GPRS virtual interface over PEP socket
Rémi Denis-Courmont [Sun, 5 Oct 2008 18:16:16 +0000]
Phonet: implement GPRS virtual interface over PEP socket

Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoPhonet: receive pipe control requests as out-of-band data
Rémi Denis-Courmont [Sun, 5 Oct 2008 18:15:43 +0000]
Phonet: receive pipe control requests as out-of-band data

Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoPhonet: Pipe End Point for Phonet Pipes protocol
Rémi Denis-Courmont [Sun, 5 Oct 2008 18:15:13 +0000]
Phonet: Pipe End Point for Phonet Pipes protocol

This protocol provides some connection handling and negotiated
congestion control. Nokia cellular modems use it for bulk transfers.
It provides packet boundaries (hence SOCK_SEQPACKET). Congestion
control is per packet rather per byte, so we do not re-use the
generic socket memory accounting.

Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoPhonet: connected sockets glue
Rémi Denis-Courmont [Sun, 5 Oct 2008 18:14:48 +0000]
Phonet: connected sockets glue

Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoPhonet: modules auto-loading support
Rémi Denis-Courmont [Sun, 5 Oct 2008 18:14:27 +0000]
Phonet: modules auto-loading support

Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agonetdrv: Fix unregister_netdev typos
Herbert Xu [Sun, 5 Oct 2008 16:20:28 +0000]
netdrv: Fix unregister_netdev typos

Found during the (partial) unregister_netdevice audit that we didn't
have to have :)

It looks like a couple of Sun NIC drivers had unregister_netdevice
when they really meant unregister_netdev.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agosctp: correctly save sctp_adaptation from parameter.
Vlad Yasevich [Mon, 15 Sep 2008 20:29:49 +0000]
sctp: correctly save sctp_adaptation from parameter.

The INIT perameter carries the adapatation value in network-byte
order.  We need to store it in host byte order as expected
by data types and the user API.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>

10 years agosctp: enable cookie-echo retransmission transport switch
Vlad Yasevich [Mon, 8 Sep 2008 18:00:26 +0000]
sctp: enable cookie-echo retransmission transport switch

This patch enables cookie-echo retransmission transport switch
feature. If COOKIE-ECHO retransmission happens, it will be sent
to the address other than the one last sent to.

Signed-off-by: Gui Jianfeng <guijianfeng@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>

10 years agosctp: Fix the SNMP counter of SCTP_MIB_OUTOFBLUES
Wei Yongjun [Mon, 8 Sep 2008 04:13:55 +0000]
sctp: Fix the SNMP counter of SCTP_MIB_OUTOFBLUES

RFC3873 defined SCTP_MIB_OUTOFBLUES:

 sctpOutOfBlues OBJECT-TYPE
   SYNTAX         Counter32
   MAX-ACCESS     read-only
   STATUS         current
   DESCRIPTION
        "The number of out of the blue packets received by the host.
        An out of the blue packet is an SCTP packet correctly formed,
        including the proper checksum, but for which the receiver was
        unable to identify an appropriate association."
   REFERENCE
        "Section 8.4 in RFC2960 deals with the Out-Of-The-Blue
         (OOTB) packet definition and procedures."

But OOTB packet INIT, INIT-ACK and SHUTDOWN-ACK(COOKIE-WAIT or
COOKIE-ECHOED state) are not counted by SCTP_MIB_OUTOFBLUES.

Case 1(INIT):

Endpoint A               Endpoint B
(CLOSED)                 (CLOSED)

 INIT     ---------->
          <----------    ABORT

Case 2(INIT-ACK):

Endpoint A               Endpoint B
(CLOSED)                 (CLOSED)

 INIT-ACK  ---------->
           <----------   ABORT

Case 3(SHUTDOWN-ACK):

Endpoint A               Endpoint B
(CLOSED)                 (CLOSED)

          <----------    INIT
 SHUTDOWN-ACK  ---------->
           <----------   SHUTDOWN-COMPLETE

Case 4(SHUTDOWN-ACK):

Endpoint A               Endpoint B
(CLOSED)                 (COOKIE-ECHOED)

 SHUTDOWN-ACK  ---------->
           <----------   SHUTDOWN-COMPLETE

This patch fixed the problem.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>

10 years agosctp: Fix to start T5-shutdown-guard timer while enter SHUTDOWN-SENT state
Wei Yongjun [Fri, 5 Sep 2008 00:55:26 +0000]
sctp: Fix to start T5-shutdown-guard timer while enter SHUTDOWN-SENT state

RFC 4960: Section 9.2
The sender of the SHUTDOWN MAY also start an overall guard timer
'T5-shutdown-guard' to bound the overall time for the shutdown
sequence.  At the expiration of this timer, the sender SHOULD abort
the association by sending an ABORT chunk.  If the 'T5-shutdown-
guard' timer is used, it SHOULD be set to the recommended value of 5
times 'RTO.Max'.

The timer 'T5-shutdown-guard' is used to counter the overall time
for shutdown sequence, and it's start by the sender of the SHUTDOWN.
So timer 'T5-shutdown-guard' should be start when we send the first
SHUTDOWN chunk and enter the SHUTDOWN-SENT state, not start when we
receipt of the SHUTDOWN primitive and enter SHUTDOWN-PENDING state.

If 'T5-shutdown-guard' timer is start at SHUTDOWN-PENDING state, the
association may be ABORT while data is still transmitting.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>

10 years agosctp: try harder to figure out address family when checking wildcards
Vlad Yasevich [Mon, 18 Aug 2008 14:34:34 +0000]
sctp: try harder to figure out address family when checking wildcards

sctp_is_any() function that is used to check for wildcard addresses
only looks at the address itself to determine the address family.
This function is used in the API to check the address passed in from
the user.  If the user simply zerroes out the sockaddr_storage and
pass that in, we'll end up failing.  So, let's try harder to determine
the address family by also checking the socket if it's possible.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>

10 years agosctp: reduce memory footprint of sctp_chunk structure
Neil Horman [Fri, 25 Jul 2008 16:44:09 +0000]
sctp: reduce memory footprint of sctp_chunk structure

sctp_chunks should be put on a diet.  This is some of the low hanging
fruit that we can strip out.  Changes all the __s8/__u8 flags to
bitfields.  Saves 12 bytes per chunk.

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>

10 years agosctp: Retransmit list is ineligable for missing indications
Vlad Yasevich [Mon, 23 Jun 2008 19:26:20 +0000]
sctp: Retransmit list is ineligable for missing indications

Chunks placed on the retransmit list are marked as inelegible
for fast retrasnmission.   Since missing indications determine
when fast reransmission is done, there is not point in calling
sctp_mark_missing() on the retransmit list since those chunks
will not be marked.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>

10 years agosctp: Optimize SFR-CACC transport list walking during SACK processing
Vlad Yasevich [Thu, 19 Jun 2008 22:17:24 +0000]
sctp: Optimize SFR-CACC transport list walking during SACK processing

There is a possibility of walking the transport list twice during
SACK processing when doing SFR-CACC algorithm.  We can restructure
the code to only do this once.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>

10 years agosctp: Only mark chunks as missing when there are gaps
Vlad Yasevich [Thu, 19 Jun 2008 21:59:13 +0000]
sctp: Only mark chunks as missing when there are gaps

Frist small step in optimizing SACK processing.   Do not call
sctp_mark_missing() when there are no gaps reported and thus
not missing chunks.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>

10 years agoudp: Export UDP socket lookup function
KOVACS Krisztian [Wed, 1 Oct 2008 14:48:10 +0000]
udp: Export UDP socket lookup function

The iptables tproxy code has to be able to do UDP socket hash lookups,
so we have to provide an exported lookup function for this purpose.

Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agotcp: Port redirection support for TCP
KOVACS Krisztian [Wed, 1 Oct 2008 14:46:49 +0000]
tcp: Port redirection support for TCP

Current TCP code relies on the local port of the listening socket
being the same as the destination address of the incoming
connection. Port redirection used by many transparent proxying
techniques obviously breaks this, so we have to store the original
destination port address.

This patch extends struct inet_request_sock and stores the incoming
destination port value there. It also modifies the handshake code to
use that value as the source port when sending reply packets.

Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoipv4: Make Netfilter's ip_route_me_harder() non-local address compatible
KOVACS Krisztian [Wed, 1 Oct 2008 14:44:42 +0000]
ipv4: Make Netfilter's ip_route_me_harder() non-local address compatible

Netfilter's ip_route_me_harder() tries to re-route packets either
generated or re-routed by Netfilter. This patch changes
ip_route_me_harder() to handle packets from non-locally-bound sockets
with IP_TRANSPARENT set as local and to set the appropriate flowi
flags when re-doing the routing lookup.

Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agotcp: Handle TCP SYN+ACK/ACK/RST transparency
KOVACS Krisztian [Wed, 1 Oct 2008 14:41:00 +0000]
tcp: Handle TCP SYN+ACK/ACK/RST transparency

The TCP stack sends out SYN+ACK/ACK/RST reply packets in response to
incoming packets. The non-local source address check on output bites
us again, as replies for transparently redirected traffic won't have a
chance to leave the node.

This patch selectively sets the FLOWI_FLAG_ANYSRC flag when doing the
route lookup for those replies. Transparent replies are enabled if the
listening socket has the transparent socket flag set.

Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoipv4: Conditionally enable transparent flow flag when connecting
KOVACS Krisztian [Wed, 1 Oct 2008 14:35:39 +0000]
ipv4: Conditionally enable transparent flow flag when connecting

Set FLOWI_FLAG_ANYSRC in flowi->flags if the socket has the
transparent socket option set. This way we selectively enable certain
connections with non-local source addresses to be routed.

Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoipv4: Make inet_sock.h independent of route.h
KOVACS Krisztian [Wed, 1 Oct 2008 14:33:10 +0000]
ipv4: Make inet_sock.h independent of route.h

inet_iif() in inet_sock.h requires route.h. Since users of inet_iif()
usually require other route.h functionality anyway this patch moves
inet_iif() to route.h.

Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoipv4: Allow binding to non-local addresses if IP_TRANSPARENT is set
Tóth László Attila [Wed, 1 Oct 2008 14:31:24 +0000]
ipv4: Allow binding to non-local addresses if IP_TRANSPARENT is set

Setting IP_TRANSPARENT is not really useful without allowing non-local
binds for the socket. To make user-space code simpler we allow these
binds even if IP_TRANSPARENT is set but IP_FREEBIND is not.

Signed-off-by: Tóth László Attila <panther@balabit.hu>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoipv4: Implement IP_TRANSPARENT socket option
KOVACS Krisztian [Wed, 1 Oct 2008 14:30:02 +0000]
ipv4: Implement IP_TRANSPARENT socket option

This patch introduces the IP_TRANSPARENT socket option: enabling that
will make the IPv4 routing omit the non-local source address check on
output. Setting IP_TRANSPARENT requires NET_ADMIN capability.

Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoipv4: Loosen source address check on IPv4 output
Julian Anastasov [Wed, 1 Oct 2008 14:28:28 +0000]
ipv4: Loosen source address check on IPv4 output

ip_route_output() contains a check to make sure that no flows with
non-local source IP addresses are routed. This obviously makes using
such addresses impossible.

This patch introduces a flowi flag which makes omitting this check
possible. The new flag provides a way of handling transparent and
non-transparent connections differently.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agonet: BUG instead of corrupting memory in pskb_expand_head
Herbert Xu [Wed, 1 Oct 2008 14:09:38 +0000]
net: BUG instead of corrupting memory in pskb_expand_head

If the caller of pskb_expand_head specifies a negative nhead
we'll silently overwrite other people's memory.  This patch
makes it BUG instead.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoipsec: Put dumpers on the dump list
Herbert Xu [Wed, 1 Oct 2008 14:03:24 +0000]
ipsec: Put dumpers on the dump list

Herbert Xu came up with the idea and the original patch to make
xfrm_state dump list contain also dumpers:

As it is we go to extraordinary lengths to ensure that states
don't go away while dumpers go to sleep.  It's much easier if
we just put the dumpers themselves on the list since they can't
go away while they're going.

I've also changed the order of addition on new states to prevent
a never-ending dump.

Timo Teräs improved the patch to apply cleanly to latest tree,
modified iteration code to be more readable by using a common
struct for entries in the list, implemented the same idea for
xfrm_policy dumping and moved the af_key specific "last" entry
caching to af_key.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Timo Teras <timo.teras@iki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoMerge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
David S. Miller [Wed, 1 Oct 2008 13:12:56 +0000]
Merge branch 'master' of /linux/kernel/git/davem/net-2.6

Conflicts:

drivers/net/wireless/ath9k/core.c
drivers/net/wireless/ath9k/main.c
net/core/dev.c

10 years agoaf_key: Free dumping state on socket close
Timo Teras [Wed, 1 Oct 2008 12:17:54 +0000]
af_key: Free dumping state on socket close

Fix a xfrm_{state,policy}_walk leak if pfkey socket is closed while
dumping is on-going.

Signed-off-by: Timo Teras <timo.teras@iki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoipv6: almost identical frag hashing funcs combined
Ilpo Järvinen [Wed, 1 Oct 2008 09:48:31 +0000]
ipv6: almost identical frag hashing funcs combined

$ diff-funcs ip6qhashfn reassembly.c netfilter/nf_conntrack_reasm.c
 --- reassembly.c:ip6qhashfn()
 +++ netfilter/nf_conntrack_reasm.c:ip6qhashfn()
@@ -1,5 +1,5 @@
-static unsigned int ip6qhashfn(__be32 id, struct in6_addr *saddr,
-        struct in6_addr *daddr)
+static unsigned int ip6qhashfn(__be32 id, const struct in6_addr *saddr,
+        const struct in6_addr *daddr)
 {
  u32 a, b, c;

@@ -9,7 +9,7 @@

  a += JHASH_GOLDEN_RATIO;
  b += JHASH_GOLDEN_RATIO;
- c += ip6_frags.rnd;
+ c += nf_frags.rnd;
  __jhash_mix(a, b, c);

  a += (__force u32)saddr->s6_addr32[3];

And codiff xx.o.old xx.o.new:

net/ipv6/netfilter/nf_conntrack_reasm.c:
  ip6qhashfn         | -512
  nf_hashfn          |   +6
  nf_ct_frag6_gather |  +36
 3 functions changed, 42 bytes added, 512 bytes removed, diff: -470
net/ipv6/reassembly.c:
  ip6qhashfn    | -512
  ip6_hashfn    |   +7
  ipv6_frag_rcv |  +89
 3 functions changed, 96 bytes added, 512 bytes removed, diff: -416

net/ipv6/reassembly.c:
  inet6_hash_frag | +510
 1 function changed, 510 bytes added, diff: +510

Total: -376

Compile tested.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoXFRM,IPv6: initialize ip6_dst_blackhole_ops.kmem_cachep
Arnaud Ebalard [Wed, 1 Oct 2008 09:37:56 +0000]
XFRM,IPv6: initialize ip6_dst_blackhole_ops.kmem_cachep

ip6_dst_blackhole_ops.kmem_cachep is not expected to be NULL (i.e. to
be initialized) when dst_alloc() is called from ip6_dst_blackhole().
Otherwise, it results in the following (xfrm_larval_drop is now set to
1 by default):

[   78.697642] Unable to handle kernel paging request for data at address 0x0000004c
[   78.703449] Faulting instruction address: 0xc0097f54
[   78.786896] Oops: Kernel access of bad area, sig: 11 [#1]
[   78.792791] PowerMac
[   78.798383] Modules linked in: btusb usbhid bluetooth b43 mac80211 cfg80211 ehci_hcd ohci_hcd sungem sungem_phy usbcore ssb
[   78.804263] NIP: c0097f54 LR: c0334a28 CTR: c002d430
[   78.809997] REGS: eef19ad0 TRAP: 0300   Not tainted  (2.6.27-rc5)
[   78.815743] MSR: 00001032 <ME,IR,DR>  CR: 22242482  XER: 20000000
[   78.821550] DAR: 0000004c, DSISR: 40000000
[   78.827278] TASK = eef0df40[3035] 'mip6d' THREAD: eef18000
[   78.827408] GPR00: 00001032 eef19b80 eef0df40 00000000 00008020 eef19c30 00000001 00000000
[   78.833249] GPR08: eee5101c c05a5c10 ef9ad500 00000000 24242422 1005787c 00000000 1004f960
[   78.839151] GPR16: 00000000 10024e90 10050040 48030018 0fe44150 00000000 00000000 eef19c30
[   78.845046] GPR24: eef19e44 00000000 eef19bf8 efb37c14 eef19bf8 00008020 00009032 c0596064
[   78.856671] NIP [c0097f54] kmem_cache_alloc+0x20/0x94
[   78.862581] LR [c0334a28] dst_alloc+0x40/0xc4
[   78.868451] Call Trace:
[   78.874252] [eef19b80] [c03c1810] ip6_dst_lookup_tail+0x1c8/0x1dc (unreliable)
[   78.880222] [eef19ba0] [c0334a28] dst_alloc+0x40/0xc4
[   78.886164] [eef19bb0] [c03cd698] ip6_dst_blackhole+0x28/0x1cc
[   78.892090] [eef19be0] [c03d9be8] rawv6_sendmsg+0x75c/0xc88
[   78.897999] [eef19cb0] [c038bca4] inet_sendmsg+0x4c/0x78
[   78.903907] [eef19cd0] [c03207c8] sock_sendmsg+0xac/0xe4
[   78.909734] [eef19db0] [c03209e4] sys_sendmsg+0x1e4/0x2a0
[   78.915540] [eef19f00] [c03220a8] sys_socketcall+0xfc/0x210
[   78.921406] [eef19f40] [c0014b3c] ret_from_syscall+0x0/0x38
[   78.927295] --- Exception: c01 at 0xfe2d730
[   78.927297]     LR = 0xfe2d71c
[   78.939019] Instruction dump:
[   78.944835] 91640018 9144001c 900a0000 4bffff44 9421ffe0 7c0802a6 bf810010 7c9d2378
[   78.950694] 90010024 7fc000a6 57c0045e 7c000124 <83e3004c> 8383005c 2f9f0000 419e0050
[   78.956464] ---[ end trace 05fa1ed7972487a1 ]---

As commented by Benjamin Thery, the bug was introduced by
f2fc6a54585a1be6669613a31fbaba2ecbadcd36, while adding network
namespaces support to ipv6 routes.

Signed-off-by: Arnaud Ebalard <arno@natisbad.org>
Acked-by: Benjamin Thery <benjamin.thery@bull.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agomv643xx_eth: hook up skb recycling
Lennert Buytenhek [Wed, 1 Oct 2008 09:33:57 +0000]
mv643xx_eth: hook up skb recycling

This gives a nice increase in the maximum loss-free packet forwarding
rate in routing workloads.

Signed-off-by: Lennert Buytenhek <buytenh@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agonet: add skb_recycle_check() to enable netdriver skb recycling
Lennert Buytenhek [Wed, 1 Oct 2008 09:33:12 +0000]
net: add skb_recycle_check() to enable netdriver skb recycling

This patch adds skb_recycle_check(), which can be used by a network
driver after transmitting an skb to check whether this skb can be
recycled as a receive buffer.

skb_recycle_check() checks that the skb is not shared or cloned, and
that it is linear and its head portion large enough (as determined by
the driver) to be recycled as a receive buffer.  If these conditions
are met, it does any necessary reference count dropping and cleans
up the skbuff as if it just came from __alloc_skb().

Signed-off-by: Lennert Buytenhek <buytenh@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoipv6: NULL pointer dereferrence in tcp_v6_send_ack
Denis V. Lunev [Wed, 1 Oct 2008 09:13:16 +0000]
ipv6: NULL pointer dereferrence in tcp_v6_send_ack

The following actions are possible:
tcp_v6_rcv
  skb->dev = NULL;
  tcp_v6_do_rcv
    tcp_v6_hnd_req
      tcp_check_req
        req->rsk_ops->send_ack == tcp_v6_send_ack

So, skb->dev can be NULL in tcp_v6_send_ack. We must obtain namespace
from dst entry.

Thanks to Vitaliy Gusev <vgusev@openvz.org> for initial problem finding
in IPv4 code.

Signed-off-by: Denis V. Lunev <den@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirel...
David S. Miller [Wed, 1 Oct 2008 08:55:41 +0000]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-next-2.6

10 years agotcp: Fix NULL dereference in tcp_4_send_ack()
Vitaliy Gusev [Wed, 1 Oct 2008 08:51:39 +0000]
tcp: Fix NULL dereference in tcp_4_send_ack()

Fix NULL dereference in tcp_4_send_ack().

As skb->dev is reset to NULL in tcp_v4_rcv() thus OOPS occurs:

BUG: unable to handle kernel NULL pointer dereference at 00000000000004d0
IP: [<ffffffff80498503>] tcp_v4_send_ack+0x203/0x250

Stack:  ffff810005dbb000 ffff810015c8acc0 e77b2c6e5f861600 a01610802e90cb6d
 0a08010100000000 88afffff88afffff 0000000080762be8 0000000115c872e8
 0004122000000000 0000000000000001 ffffffff80762b88 0000000000000020
Call Trace:
 <IRQ>  [<ffffffff80499c33>] tcp_v4_reqsk_send_ack+0x20/0x22
 [<ffffffff8049bce5>] tcp_check_req+0x108/0x14c
 [<ffffffff8047aaf7>] ? rt_intern_hash+0x322/0x33c
 [<ffffffff80499846>] tcp_v4_do_rcv+0x399/0x4ec
 [<ffffffff8045ce4b>] ? skb_checksum+0x4f/0x272
 [<ffffffff80485b74>] ? __inet_lookup_listener+0x14a/0x15c
 [<ffffffff8049babc>] tcp_v4_rcv+0x6a1/0x701
 [<ffffffff8047e739>] ip_local_deliver_finish+0x157/0x24a
 [<ffffffff8047ec9a>] ip_local_deliver+0x72/0x7c
 [<ffffffff8047e5bd>] ip_rcv_finish+0x38d/0x3b2
 [<ffffffff803d3548>] ? scsi_io_completion+0x19d/0x39e
 [<ffffffff8047ebe5>] ip_rcv+0x2a2/0x2e5
 [<ffffffff80462faa>] netif_receive_skb+0x293/0x303
 [<ffffffff80465a9b>] process_backlog+0x80/0xd0
 [<ffffffff802630b4>] ? __rcu_process_callbacks+0x125/0x1b4
 [<ffffffff8046560e>] net_rx_action+0xb9/0x17f
 [<ffffffff80234cc5>] __do_softirq+0xa3/0x164
 [<ffffffff8020c52c>] call_softirq+0x1c/0x28
 <EOI>  [<ffffffff8020de1c>] do_softirq+0x34/0x72
 [<ffffffff80234b8e>] local_bh_enable_ip+0x3f/0x50
 [<ffffffff804d43ca>] _spin_unlock_bh+0x12/0x14
 [<ffffffff804599cd>] release_sock+0xb8/0xc1
 [<ffffffff804a6f9a>] inet_stream_connect+0x146/0x25c
 [<ffffffff80243078>] ? autoremove_wake_function+0x0/0x38
 [<ffffffff8045751f>] sys_connect+0x68/0x8e
 [<ffffffff80291818>] ? fd_install+0x5f/0x68
 [<ffffffff80457784>] ? sock_map_fd+0x55/0x62
 [<ffffffff8020b39b>] system_call_after_swapgs+0x7b/0x80

Code: 41 10 11 d0 83 d0 00 4d 85 ed 89 45 c0 c7 45 c4 08 00 00 00 74 07 41 8b 45 04 89 45 c8 48 8b 43 20 8b 4d b8 48 8d 55 b0 48 89 de <48> 8b 80 d0 04 00 00 48 8b b8 60 01 00 00 e8 20 ae fe ff 65 48
RIP  [<ffffffff80498503>] tcp_v4_send_ack+0x203/0x250
 RSP <ffffffff80762b78>
CR2: 00000000000004d0

Signed-off-by: Vitaliy Gusev <vgusev@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agophonet: Protect if_phonet.h against multiple inclusions.
Remi Denis-Courmont [Wed, 1 Oct 2008 08:30:19 +0000]
phonet: Protect if_phonet.h against multiple inclusions.

From: Remi Denis-Courmont <remi.denis-courmont@nokia.com>

Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoath5k: Add support for AR2417 v2
Nick Kossifidis [Sun, 28 Sep 2008 22:27:27 +0000]
ath5k: Add support for AR2417 v2

 * Add support for AR2417 (include pci id) since my previous patch doesn't sit on top of base.c/ath5k.h anymore.
 * Update module version to 0.6.0

Changes-Licensed-under: ISC
Signed-Off-by: Nick Kossifidis <mickflemm@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

10 years agoath5k: Fix SREV reporting after SREV updates
Nick Kossifidis [Sun, 28 Sep 2008 22:24:44 +0000]
ath5k: Fix SREV reporting after SREV updates

 * Fix srev reporting during attach

Changes-Licensed-under: ISC
Signed-Off-by: Nick Kossifidis <mickflemm@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

10 years agoath5k: Use QUIET mechanism on tx dma stop
Nick Kossifidis [Sun, 28 Sep 2008 22:23:07 +0000]
ath5k: Use QUIET mechanism on tx dma stop

 * Use QUIET mechanism to drain tx buffer on PCU for newer chips
 * Make sure that INTPEND is really 1 and not 0xffffffff while checking for pending interrupts

Changes-Licensed-under: ISC
Signed-Off-by: Nick Kossifidis <mickflemm@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

10 years agoath5k: Use new srevs to properly attach radio chips
Nick Kossifidis [Sun, 28 Sep 2008 22:18:16 +0000]
ath5k: Use new srevs to properly attach radio chips

 * Use new SREV values and PHY srevs to identify radio type durring attach

Changes-Licensed-under: ISC
Signed-Off-by: Nick Kossifidis <mickflemm@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

10 years agob43: Increase loop tries in do_dummy_tx
Larry Finger [Mon, 29 Sep 2008 19:19:29 +0000]
b43: Increase loop tries in do_dummy_tx

One of the spin-on-condition loops in routine do_dummy_tx always exits before
the condition is satisfied. The hardware might be left in an inconsistent
state that might be the cause of the PHY transmission errors seen by some
users.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Michael Buesch <mb@bu3sch.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

10 years agoath5k: Update registers and SREV ids v2
Nick Kossifidis [Sun, 28 Sep 2008 23:09:09 +0000]
ath5k: Update registers and SREV ids v2

 * Update registers
 * Update SREV values and add some PHY srevs
 * Prepare ath5k.h for newer radios etc

 Thanks to Atheros 's HAL source we now know for sure how many parts we have
 and what their SREV values are. We also have some updates on registers. Prepare
 ath5k for some major updates ;-)

 My previous mail had 2 more patches following (git log misusage), sorry for double
 posting ;-(

Changes-Licensed-under: ISC
Signed-Off-by: Nick Kossifidis <mickflemm@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

10 years agoath5k: write beacon control register twice when resetting tsf
Bob Copeland [Sun, 28 Sep 2008 16:09:43 +0000]
ath5k: write beacon control register twice when resetting tsf

According to the newly-released Atheros HAL code, asserting the
TSF reset bit will toggle a hardware internal state, resulting in a
spurious reset on the next chip reset.  Whenever we force a TSF bit,
write the bit twice to clear the internal signal.

Signed-off-by: Bob Copeland <me@bobcopeland.com>
Acked-by: Nick Kossifidis <mickflemm@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

10 years agoFix modpost failure when rx handlers are not inlined.
Davide Pesavento [Sat, 27 Sep 2008 15:29:12 +0000]
Fix modpost failure when rx handlers are not inlined.

When CONFIG_MAC80211_MESH=n and CONFIG_MAC80211_NOINLINE=y,
gcc doesn't optimize out a call to ieee80211_rx_h_mesh_fwding,
even if the previous comparison is always false in this case.
This leads to the following errors during modpost:

ERROR: "mpp_path_lookup" [net/mac80211/mac80211.ko] undefined!
ERROR: "mpp_path_add" [net/mac80211/mac80211.ko] undefined!

Fix by removing the possibility of uninlining
ieee80211_rx_h_mesh_fwding rx handler.

Signed-off-by: Davide Pesavento <davidepesa@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

10 years agort2x00: Fix build errors due to modularized rfkill or leds and built-in rt2x00.
Gertjan van Wingerde [Sun, 28 Sep 2008 13:11:38 +0000]
rt2x00: Fix build errors due to modularized rfkill or leds and built-in rt2x00.

Fix by disabling rt2x00 rfkill support when rt2x00 is built-in and rfkill has been modularized, and
a similar scheme for the relationship between leds_class and rt2x00..
Also, give a warning to the end-user when rfkill-/leds-support is disabled this way, so that the
end-user has at least some clues on what is going on.

Proper fixing required some general updates of the Kconfig-structure for the rt2x00 driver, whereby
internal configuration symbols had to be moved to after the user-visible configuration symbols.

Signed-off-by: Gertjan van Wingerde <gwingerde@kpnplanet.nl>
Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

10 years agoieee80211.h: remove superfluous ETH_P_PAE definition
John W. Linville [Mon, 29 Sep 2008 20:28:21 +0000]
ieee80211.h: remove superfluous ETH_P_PAE definition

Signed-off-by: John W. Linville <linville@tuxdriver.com>

10 years agolibertas: Improvements on automatic tx power control via SIOCSIWTXPOW (fixups)
Anna Neal [Fri, 26 Sep 2008 15:34:35 +0000]
libertas: Improvements on automatic tx power control via SIOCSIWTXPOW (fixups)

This patch addresses comments from Dan Williams about the patch
committed as "libertas: Improvements on automatic tx power control via
SIOCSIWTXPOW."

Signed-off-by: Anna Neal <anna@cozybit.com>
Signed-off-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

10 years agomac80211: remove wme_tx_queue and wme_rx_queue from net/mac80211/sta_info.h
Rami Rosen [Thu, 25 Sep 2008 17:45:01 +0000]
mac80211: remove wme_tx_queue and wme_rx_queue from net/mac80211/sta_info.h

This patch removes wme_tx_queue and wme_rx_queue from struct sta_info
and from the debugfs sub-structure of struct sta_info
in net/mac80211/sta_info.h, as they are useless and not used.

Signed-off-by: Rami Rosen <ramirose@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

10 years agob43: Fix Bluetooth Coexistence SPROM programming error for HP 12f8 version of BCM4306
Larry Finger [Fri, 26 Sep 2008 13:23:00 +0000]
b43: Fix Bluetooth Coexistence SPROM programming error for HP 12f8 version of BCM4306

Yet another BCM4306 card with the Bluetooth Coexistence SPROM programming
error has been found.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

10 years agomac80211: fixups for "make master iface not wireless"
Johannes Berg [Fri, 26 Sep 2008 11:34:54 +0000]
mac80211: fixups for "make master iface not wireless"

In "mac80211: make master iface not wireless" I accidentally
forgot to include these changes ... leading to the expected
BUG_ON errors.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

10 years agoiwlwifi: use correct DMA_MASK
Winkler, Tomas [Fri, 26 Sep 2008 07:09:34 +0000]
iwlwifi: use correct DMA_MASK

Use correct DMA_MASK: 4964 and 5000 support 36 bit addresses for
pci express memory access.

Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

10 years agoiwlwifi: enable power save setting upon config
Ester Kummer [Fri, 26 Sep 2008 07:09:33 +0000]
iwlwifi: enable power save setting upon config

This patch enables power save setting from config (iwconfig power)
The sysfs power_level interface is still preserved as it has
mac80211 power implementation is not yet rich enough.

Signed-off-by: Ester Kummer <ester.kummer@intel.com>
Reviewed-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

10 years agoiwlwifi: refactor rx register initialization
Winkler, Tomas [Fri, 26 Sep 2008 07:09:32 +0000]
iwlwifi: refactor rx register initialization

The patch adds HW bug W/A FH_RCSR_CHNL0_RX_IGNORE_RXF_EMPTY so that we
can enable again interrupt coalescing. It also uses named constants for
open code.

Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

10 years agop54: Fix sparse warnings
Larry Finger [Thu, 25 Sep 2008 19:54:28 +0000]
p54: Fix sparse warnings

The command

make C=2 CF="-D__CHECK_ENDIAN__" drivers/net/wireless/p54/

generates the following warnings:

.../p54common.c:152:38: warning: incorrect type in argument 1 (different base types)
.../p54common.c:152:38:    expected restricted __be32 const [usertype] *p
.../p54common.c:152:38:    got unsigned int *<noident>
.../p54common.c:184:15: warning: restricted __le32 degrades to integer
.../p54common.c:185:29: warning: cast to restricted __le16
.../p54common.c:309:11: warning: symbol 'p54_rf_chips' was not declared.
        Should it be static?
.../p54common.c:313:5: warning: symbol 'p54_parse_eeprom' was not declared.
       Should it be static?
.../p54common.c:620:43: warning: incorrect type in argument 3 (different base types)
.../p54common.c:620:43:    expected unsigned long [unsigned] [usertype] len
.../p54common.c:620:43:    got restricted __le16 [usertype] len
.../p54common.c:780:41: warning: restricted __le16 degrades to integer
.../p54common.c:781:32: warning: restricted __le16 degrades to integer
.../p54common.c:1250:28: warning: incorrect type in argument 2 (different base types)
.../p54common.c:1250:28:    expected unsigned short [unsigned] [usertype] filter_type
.../p54common.c:1250:28:    got restricted __le16 [usertype] filter_type
.../p54common.c:1252:28: warning: incorrect type in argument 2 (different base types)
.../p54common.c:1252:28:    expected unsigned short [unsigned] [usertype] filter_type
.../p54common.c:1252:28:    got restricted __le16 [usertype] filter_type
.../p54common.c:1257:42: warning: incorrect type in argument 2 (different base types)
.../p54common.c:1257:42:    expected unsigned short [unsigned] [usertype] filter_type
.../p54common.c:1257:42:    got restricted __le16
.../p54common.c:1260:42: warning: incorrect type in argument 2 (different base types)
.../p54common.c:1260:42:    expected unsigned short [unsigned] [usertype] filter_type
.../p54common.c:1260:42:    got restricted __le16
.../p54usb.c:228:10: warning: restricted __le32 degrades to integer
.../p54usb.c:228:23: warning: restricted __le32 degrades to integer
.../p54usb.c:228:7: warning: incorrect type in assignment (different base types)
.../p54usb.c:228:7:    expected restricted __le32 [assigned] [usertype] chk
.../p54usb.c:228:7:    got unsigned int
.../p54usb.c:221:8: warning: symbol 'p54u_lm87_chksum' was not declared.
    Should it be static?

All of the above have been fixed. One question, however, remains: In struct
bootrec, the array "data" is treated in many places as native CPU order, but
it may be little-endian everywhere. As far as I can tell, this driver has only
been used with little-endian hardware.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

10 years agob43: Fix Bluetooth coexistence SPROM coding error for Motorola 7010 variant of BCM4306
Larry Finger [Fri, 19 Sep 2008 19:47:38 +0000]
b43: Fix Bluetooth coexistence SPROM coding error for Motorola 7010 variant of BCM4306

An additional BCM4306 has been found with the Bluetooth coexistence
SPROM coding error.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

10 years agosctp: Fix kernel panic while process protocol violation parameter
Wei Yongjun [Tue, 30 Sep 2008 12:32:24 +0000]
sctp: Fix kernel panic while process protocol violation parameter

Since call to function sctp_sf_abort_violation() need paramter 'arg' with
'struct sctp_chunk' type, it will read the chunk type and chunk length from
the chunk_hdr member of chunk. But call to sctp_sf_violation_paramlen()
always with 'struct sctp_paramhdr' type's parameter, it will be passed to
sctp_sf_abort_violation(). This may cause kernel panic.

   sctp_sf_violation_paramlen()
     |-- sctp_sf_abort_violation()
        |-- sctp_make_abort_violation()

This patch fixed this problem. This patch also fix two place which called
sctp_sf_violation_paramlen() with wrong paramter type.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoiucv: Fix mismerge again.
Heiko Carstens [Tue, 30 Sep 2008 10:03:35 +0000]
iucv: Fix mismerge again.

fb65a7c091529bfffb1262515252c0d0f6241c5c ("iucv: Fix bad merging.") fixed
a merge error, but in a wrong way. We now end up with the bug below.
This patch corrects the mismerge like it was intended.

BUG: scheduling while atomic: swapper/1/0x00000000
Modules linked in:
CPU: 1 Not tainted 2.6.27-rc7-00094-gc0f4d6d #9
Process swapper (pid: 1, task: 000000003fe7d988, ksp: 000000003fe838c0)
0000000000000000 000000003fe839b8 0000000000000002 0000000000000000
       000000003fe83a58 000000003fe839d0 000000003fe839d0 0000000000390de6
       000000000058acd8 00000000000000d0 000000003fe7dcd8 0000000000000000
       000000000000000c 000000000000000d 0000000000000000 000000003fe83a28
       000000000039c5b8 0000000000015e5e 000000003fe839b8 000000003fe83a00
Call Trace:
([<0000000000015d6a>] show_trace+0xe6/0x134)
 [<0000000000039656>] __schedule_bug+0xa2/0xa8
 [<0000000000391744>] schedule+0x49c/0x910
 [<0000000000391f64>] schedule_timeout+0xc4/0x114
 [<00000000003910d4>] wait_for_common+0xe8/0x1b4
 [<00000000000549ae>] call_usermodehelper_exec+0xa6/0xec
 [<00000000001af7b8>] kobject_uevent_env+0x418/0x438
 [<00000000001d08fc>] bus_add_driver+0x1e4/0x298
 [<00000000001d1ee4>] driver_register+0x90/0x18c
 [<0000000000566848>] netiucv_init+0x168/0x2c8
 [<00000000000120be>] do_one_initcall+0x3e/0x17c
 [<000000000054a31a>] kernel_init+0x1ce/0x248
 [<000000000001a97a>] kernel_thread_starter+0x6/0xc
 [<000000000001a974>] kernel_thread_starter+0x0/0xc
 iucv: NETIUCV driver initialized
initcall netiucv_init+0x0/0x2c8 returned with preemption imbalance

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoPhonet: declare headers
Rémi Denis-Courmont [Tue, 30 Sep 2008 09:53:18 +0000]
Phonet: declare headers

Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoPhonet: improve documentation
Rémi Denis-Courmont [Tue, 30 Sep 2008 09:52:01 +0000]
Phonet: improve documentation

Fix grammar errors spotted by Randy Dunlap,
and adds some more details.

Signed-off-by: Remi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoPhonet: Netlink factorization and cleanup
Rémi Denis-Courmont [Tue, 30 Sep 2008 09:51:18 +0000]
Phonet: Netlink factorization and cleanup

Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agonetdev: docbook comment update (revised)
Stephen Hemminger [Tue, 30 Sep 2008 09:23:58 +0000]
netdev: docbook comment update (revised)

Add more docbook comments to network device functions and cleanup
the comments.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agonetdev: use const for some name functions
Stephen Hemminger [Tue, 30 Sep 2008 09:22:14 +0000]
netdev: use const for some name functions

dev_change_name and netdev_drivername should use const char on
parameters that are read-only input values. The strcpy to newname is
not needed since newname is not used later in function.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoipsec: Fix pskb_expand_head corruption in xfrm_state_check_space
Herbert Xu [Tue, 30 Sep 2008 09:03:19 +0000]
ipsec: Fix pskb_expand_head corruption in xfrm_state_check_space

We're never supposed to shrink the headroom or tailroom.  In fact,
shrinking the headroom is a fatal action.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoLinux 2.6.27-rc8
Linus Torvalds [Mon, 29 Sep 2008 22:24:02 +0000]
Linux 2.6.27-rc8

10 years agomm owner: fix race between swapoff and exit
Balbir Singh [Sun, 28 Sep 2008 22:09:31 +0000]
mm owner: fix race between swapoff and exit

There's a race between mm->owner assignment and swapoff, more easily
seen when task slab poisoning is turned on.  The condition occurs when
try_to_unuse() runs in parallel with an exiting task.  A similar race
can occur with callers of get_task_mm(), such as /proc/<pid>/<mmstats>
or ptrace or page migration.

CPU0                                    CPU1
                                        try_to_unuse
                                        looks at mm = task0->mm
                                        increments mm->mm_users
task 0 exits
mm->owner needs to be updated, but no
new owner is found (mm_users > 1, but
no other task has task->mm = task0->mm)
mm_update_next_owner() leaves
                                        mmput(mm) decrements mm->mm_users
task0 freed
                                        dereferencing mm->owner fails

The fix is to notify the subsystem via mm_owner_changed callback(),
if no new owner is found, by specifying the new task as NULL.

Jiri Slaby:
mm->owner was set to NULL prior to calling cgroup_mm_owner_callbacks(), but
must be set after that, so as not to pass NULL as old owner causing oops.

Daisuke Nishimura:
mm_update_next_owner() may set mm->owner to NULL, but mem_cgroup_from_task()
and its callers need to take account of this situation to avoid oops.

Hugh Dickins:
Lockdep warning and hang below exec_mmap() when testing these patches.
exit_mm() up_reads mmap_sem before calling mm_update_next_owner(),
so exec_mmap() now needs to do the same.  And with that repositioning,
there's now no point in mm_need_new_owner() allowing for NULL mm.

Reported-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
Signed-off-by: Daisuke Nishimura <nishimura@mxp.nes.nec.co.jp>
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Paul Menage <menage@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

10 years agoMerge branch 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Mon, 29 Sep 2008 15:39:59 +0000]
Merge branch 'x86-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  x86: disable apm on the olpc

10 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/bart/ide-2.6
Linus Torvalds [Mon, 29 Sep 2008 15:37:29 +0000]
Merge git://git./linux/kernel/git/bart/ide-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/bart/ide-2.6:
  cdrom: update ioctl documentation
  ide: note that IDE generic may prevent other drivers from attaching
  ide-tape: fix vendor strings
  Swarm: Fix crash due to missing initialization

10 years agoMerge branch 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus
Linus Torvalds [Mon, 29 Sep 2008 15:31:52 +0000]
Merge branch 'upstream' of git://ftp.linux-mips.org/upstream-linus

* 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus:
  [SSB] Initialise dma_mask for SSB_BUSTYPE_SSB devices
  [MIPS] BCM47xx: Fix build error due to missing PCI functions
  [MIPS] IP27: Switch to dynamic interrupt routing avoding panic on error.
  [MIPS] au1000: Make sure GPIO value is zero or one

10 years agoMerge branch 'linux-m32r' of git://www.linux-m32r.org/git/takata/linux-2.6_dev
Linus Torvalds [Mon, 29 Sep 2008 15:30:47 +0000]
Merge branch 'linux-m32r' of git://linux-m32r.org/git/takata/linux-2.6_dev

* 'linux-m32r' of git://www.linux-m32r.org/git/takata/linux-2.6_dev:
  m32r/kernel/: cleanups
  m32r: export __ndelay
  m32r: export empty_zero_page
  m32r: don't offer CONFIG_ISA
  m32r: remove the unused NOHIGHMEM option

10 years agoMerge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jwessel...
Linus Torvalds [Mon, 29 Sep 2008 15:30:11 +0000]
Merge branch 'for_linus' of git://git./linux/kernel/git/jwessel/linux-2.6-kgdb

* 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jwessel/linux-2.6-kgdb:
  kgdboc,tty: Fix tty polling search to use name correctly
  kgdb, x86_64: fix PS CS SS registers in gdb serial
  kgdb, x86_64: gdb serial has BX and DX reversed
  kgdb, x86, arm, mips, powerpc: ignore user space single stepping
  kgdb: could not write to the last of valid memory with kgdb

10 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6
Linus Torvalds [Mon, 29 Sep 2008 15:08:16 +0000]
Merge branch 'for-linus' of git://git./linux/kernel/git/tiwai/sound-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
  ALSA: ASoC: Fix another cs4270 error path
  ALSA: make the CS4270 driver a new-style I2C driver

10 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6
Linus Torvalds [Mon, 29 Sep 2008 15:07:46 +0000]
Merge git://git./linux/kernel/git/jejb/scsi-rc-fixes-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6:
  [SCSI] qlogicpti: fix sg list traversal error in continuation entries
  [SCSI] Fix hang with split requests
  [SCSI] qla2xxx: Defer enablement of RISC interrupts until ISP initialization completes.

10 years agoMerge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block
Linus Torvalds [Mon, 29 Sep 2008 15:07:04 +0000]
Merge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block

* 'for-linus' of git://git.kernel.dk/linux-2.6-block:
  scsi: fix fall out of sg-chaining patch in qlogicpti

10 years agoMerge branch 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzi...
Linus Torvalds [Mon, 29 Sep 2008 15:05:55 +0000]
Merge branch 'upstream-linus' of git://git./linux/kernel/git/jgarzik/libata-dev

* 'upstream-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jgarzik/libata-dev:
  sata_nv: reinstate nv_hardreset() for non generic controllers

10 years agokconfig: readd lost change count
zippel@linux-m68k.org [Mon, 29 Sep 2008 03:27:11 +0000]
kconfig: readd lost change count

Commit f072181e6403b0fe2e2aa800a005497b748fd284 ("kconfig: drop the
""trying to assign nonexistent symbol" warning") simply dropped the
warnings, but it does a little more than that, it also marks the current
.config as needed saving, so add this back.

Signed-off-by: Roman Zippel <zippel@linux-m68k.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

10 years agokconfig: fix silentoldconfig
zippel@linux-m68k.org [Mon, 29 Sep 2008 03:27:10 +0000]
kconfig: fix silentoldconfig

Recent changes to oldconfig have mixed up the silentoldconfig handling,
so this fixes that by clearly separating that special mode, e.g.
KCONFIG_NOSILENTUPDATE is only relevant here, the .config is written as
needed.

This will also properly close Bug 11230.

Signed-off-by: Roman Zippel <zippel@linux-m68k.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

10 years agoFix NULL pointer dereference in proc_sys_compare
Linus Torvalds [Mon, 29 Sep 2008 14:42:57 +0000]
Fix NULL pointer dereference in proc_sys_compare

The VFS interface for the 'd_compare()' is a bit special (read: 'odd'),
because it really just essentially replaces a memcmp().  The filesystem
is supposed to just compare the two names with whatever case-independent
or other function.

And when I say 'is supposed to', I obviously mean that 'procfs does odd
things, and actually looks at the dentry that we don't even pass down,
rather than just the name'.  Which results in problems, because we
actually call d_compare before we have even verified that the dentry is
still hashed at all.

And that causes a problm since the inode that procfs looks at may have
been free'd and the d_inode pointer is NULL.  procfs just assumes that
all dentries are positive, since procfs itself never generates a
negative one.  But memory pressure will still result in the dentry
getting torn down, and as it is removed by RCU, it still remains visible
on some lists - and to d_compare.

If the filesystem just did a name comparison, we wouldn't care.  And we
could just fix procfs to know about negative dentries too.  But rather
than have the low-level filesystems know about internal VFS details,
just move the check for a unhashed dentry up a bit, so that we will only
call d_compare on dentries that are still active.

The actual oops this caused didn't look like a NULL pointer dereference
because procfs did a 'container_of(inode, struct proc_inode, vfs_inode)'
to get at its internal proc_inode information from the inode pointer,
and accessed a field below the inode. So the oops would look something
like

BUG: unable to handle kernel paging request at fffffffffffffff0
IP: [<ffffffff802bc6c6>] proc_sys_compare+0x36/0x50

and was seen on both x86-64 (Alexey Dobriyan and Hugh Dickins) and
ppc64 (Hugh Dickins).

Reported-by: Alexey Dobriyan <adobriyan@gmail.com>
Acked-by: Hugh Dickins <hugh@veritas.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-of-by: Linus Torvalds <torvalds@linux-foundation.org>

10 years agoALSA: ASoC: Fix another cs4270 error path
Jean Delvare [Sat, 27 Sep 2008 18:30:52 +0000]
ALSA: ASoC: Fix another cs4270 error path

Conversion to new-style i2c driver missed the error path of the
probe function. Fix it.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: Timur Tabi <timur@freescale.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

10 years agoALSA: make the CS4270 driver a new-style I2C driver
Timur Tabi [Tue, 29 Jul 2008 21:35:52 +0000]
ALSA: make the CS4270 driver a new-style I2C driver

Update the CS4270 ALSA device driver to use the new-style I2C interface.
Starting with the 2.6.27 PowerPC kernel, I2C devices that have entries in the
device trees can no longer be probed by old-style I2C drivers.  The device
tree for Freescale MPC8610 HPCD has included an entry for the CS4270 since
2.6.25, but that entry was previously ignored by the PowerPC I2C subsystem.
Since that's no longer the case, the best solution is to update the CS4270
driver to a new-style interface, rather than try to revert the behavior of
new PowerPC I2C subsystem.

Signed-off-by: Timur Tabi <timur@freescale.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>

10 years agoscsi: fix fall out of sg-chaining patch in qlogicpti
Boaz Harrosh [Mon, 29 Sep 2008 07:38:55 +0000]
scsi: fix fall out of sg-chaining patch in qlogicpti

Boaz writes:

"I've reviewed all patches since Matthew's, and I find one small
problem.

In the load_cmd() there is a compound loop where the first 4 sg's are
set then the rest are set into a memory structure in group of 7 sg's.

Well the second 7-group and on is a bug because sg pointer does not advance.
This is a fall out from Jens's patch."

The reporter, Meelis Roos <mroos@ut.ee>, verified that this patch
does indeed fix his problem with qlogicpti.

Signed-off-by: Jens Axboe <jens.axboe@oracle.com>

10 years agosata_nv: reinstate nv_hardreset() for non generic controllers
Tejun Heo [Sat, 27 Sep 2008 22:39:01 +0000]
sata_nv: reinstate nv_hardreset() for non generic controllers

Commit 2fd673ecf0378ddeeeb87b3605e50212e0c0ddc6 which tried to remove
hardreset for generic accidentally removed it for all flavors as all
others were inheriting from nv_generic_ops.  This patch reinstates
nv_hardreset() and puts it into nv_common_ops which all flavors
inherit from.  nv_generic_ops now inherits from nv_common_ops and
overrides .hardreset to ATA_OP_NULL.

While at it, explain why nv_hardreset and ATA_OP_NULL override are
necessary.

Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>

10 years ago[SCSI] qlogicpti: fix sg list traversal error in continuation entries
Boaz Harrosh [Wed, 24 Sep 2008 09:00:22 +0000]
[SCSI] qlogicpti: fix sg list traversal error in continuation entries

The current sg list traversal logic for the continuation entries
doesn't advance the list pointer once all seven slots are used, so the
next continuation entry (if there is one) wrongly begins again at the
start of the sg list.

Fix by advancing the sg pointer after the for_each_sg().

Reported-by: Meelis Roos <mroos@ut.ee>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>

10 years agocdrom: update ioctl documentation
Márton Németh [Sat, 27 Sep 2008 17:32:17 +0000]
cdrom: update ioctl documentation

Correct copy-paste problem: CDROMCLOSETRAY is about closing the tray,
not opening it.

Signed-off-by: Márton Németh <nm127@freemail.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Jens Axboe <jens.axboe@oracle.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>

10 years agoide: note that IDE generic may prevent other drivers from attaching
Tejun Heo [Sat, 27 Sep 2008 17:32:17 +0000]
ide: note that IDE generic may prevent other drivers from attaching

Enabling IDE generic may prevent ATA controllers located on legacy
ports from being attached to more proper driver or can prevent other
controllers which share the IRQ from working.  Note it in the help
message.

Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: xerces8 <xerces8@butn.net>
Cc: Jeff Garzik <jgarzik@pobox.com>
Cc: stein@hermes.si
[bart: s/will grab/may grab/ since Borislav has fixed PCI-case for .28]
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>

10 years agoide-tape: fix vendor strings
Borislav Petkov [Sat, 27 Sep 2008 17:32:17 +0000]
ide-tape: fix vendor strings

Remove superfluous two bytes from each string buffer and add proper length
format specifiers.

Signed-off-by: Borislav Petkov <petkovbb@gmail.com>
Tested-by: Mark de Wever <koraq@xs4all.nl>
Acked-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>

10 years agoSwarm: Fix crash due to missing initialization
Ralf Baechle [Sat, 27 Sep 2008 17:32:16 +0000]
Swarm: Fix crash due to missing initialization

If things are just right this will result in the hws[0]->parent being
passed to ide_host_add() being non-zero and an ooops a little later.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>

10 years ago[SSB] Initialise dma_mask for SSB_BUSTYPE_SSB devices
Aurelien Jarno [Fri, 26 Sep 2008 20:27:11 +0000]
[SSB] Initialise dma_mask for SSB_BUSTYPE_SSB devices

For SSB_BUSTYPE_SSB type devices, we need to initialize dma_mask using
coherent_dma_mask so that calls to dma_set_mask() succeed.

It fixes the regression on the b44 driver introduced by commit
f225763a7d6c92c4932dbd528437997078496fcc

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

10 years ago[MIPS] BCM47xx: Fix build error due to missing PCI functions
Aurelien Jarno [Sat, 27 Sep 2008 14:06:16 +0000]
[MIPS] BCM47xx: Fix build error due to missing PCI functions

This patch defines pcibios_map_irq() and pcibios_plat_dev_init() for
the BCM47xx platform.

It fixes the regression introduced by commit
aab547ce0d1493d400b6468c521a0137cd8c1edf.

Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

10 years ago[MIPS] IP27: Switch to dynamic interrupt routing avoding panic on error.
Ralf Baechle [Sat, 27 Sep 2008 14:05:06 +0000]
[MIPS] IP27: Switch to dynamic interrupt routing avoding panic on error.

pcibios_map_irq is no way of returning an error but on IP27 an interrupt
is possibly not routable when running out of resources.  So do the
interrupt routing at pcibios_enable_device time.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

10 years ago[MIPS] au1000: Make sure GPIO value is zero or one
Bruno Randolf [Thu, 25 Sep 2008 14:45:10 +0000]
[MIPS] au1000: Make sure GPIO value is zero or one

David Brownell <david-b@pacbell.net> wrote:
>       The problem is that "value" is zero-or-nonzero.
>       This code wrongly assumes it's zero-or-one.
>       Possible fix:  "((!!value) << gpio)".

Signed-off-by: Bruno Randolf <br1@einfach.org>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

10 years agom32r/kernel/: cleanups
Adrian Bunk [Wed, 24 Sep 2008 06:01:47 +0000]
m32r/kernel/: cleanups

This patch contains the following cleanups:
- make the following needlessly global code static:
  - entry.S: resume_userspace
  - process.c: pm_idle
  - process.c: default_idle()
  - smp.c: send_IPI_allbutself()
  - time.c: timer_interrupt()
  - time.c: struct irq0
  - traps.c: set_eit_vector_entries()
  - traps.c: kstack_depth_to_print
  - traps.c: show_trace()
  - traps.c: die_lock
- remove the following unused code:
  - head.S: startup_32
  - process.c: hlt_counter
  - process.c: disable_hlt()
  - process.c: enable_hlt()
  - process.c: dump_task_regs()
- remove the following variables and their usages since they were
  always 0:
  - irq.c: irq_err_count
  - irq.c: irq_mis_count

Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Hirokazu Takata <takata@linux-m32r.org>

10 years agom32r: export __ndelay
Adrian Bunk [Wed, 24 Sep 2008 06:01:15 +0000]
m32r: export __ndelay

ERROR: "__ndelay" [drivers/spi/spi_bitbang.ko] undefined!

Reported-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Hirokazu Takata <takata@linux-m32r.org>

10 years agom32r: export empty_zero_page
Adrian Bunk [Wed, 24 Sep 2008 05:59:57 +0000]
m32r: export empty_zero_page

ERROR: "empty_zero_page" [fs/ext4/ext4dev.ko] undefined!

Reported-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Hirokazu Takata <takata@linux-m32r.org>

10 years agom32r: don't offer CONFIG_ISA
Adrian Bunk [Wed, 24 Sep 2008 05:58:54 +0000]
m32r: don't offer CONFIG_ISA

As far as I know no M32R hardware actually has ISA slots.

And ISA drivers don't compile on M32R.

Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Hirokazu Takata <takata@linux-m32r.org>

10 years agom32r: remove the unused NOHIGHMEM option
Adrian Bunk [Wed, 24 Sep 2008 05:57:11 +0000]
m32r: remove the unused NOHIGHMEM option

Remove the unused NOHIGHMEM option.

Reviewed-by: Robert P. J. Day <rpjday@crashcourse.ca>
Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Hirokazu Takata <takata@linux-m32r.org>

10 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6
Linus Torvalds [Fri, 26 Sep 2008 16:16:32 +0000]
Merge branch 'for-linus' of git://git./linux/kernel/git/tiwai/sound-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
  ALSA: remove unneeded power_mutex lock in snd_pcm_drop
  ALSA: fix locking in snd_pcm_open*() and snd_rawmidi_open*()

10 years agoMerge git://oss.sgi.com:8090/xfs/linux-2.6
Linus Torvalds [Fri, 26 Sep 2008 15:49:34 +0000]
Merge git://oss.sgi.com:8090/xfs/linux-2.6

* git://oss.sgi.com:8090/xfs/linux-2.6:
  [XFS] Remove xfs_iext_irec_compact_full()
  [XFS] Fix extent list corruption in xfs_iext_irec_compact_full().

10 years agoARM: Delete ARM's own cnt32_to_63.h
David Howells [Fri, 26 Sep 2008 15:22:58 +0000]
ARM: Delete ARM's own cnt32_to_63.h

Delete ARM's own cnt32_to_63.h as the copy in include/linux/ should now be
used instead.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>