aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2009-07-21libertas: Fix problem with broken V4 firmware on CF8381Marek Vasut
Firmware V4 on CF8381 reports region code shifted by 1 byte to left. The following patch checks for this and handles it properly. Signed-off-by: Marek Vasut <marek.vasut@gmail.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21ath: add support for special 0x8000 regulatory domainLuis R. Rodriguez
Two users of ar9170 devices have now reported their cards have been programmed with a regulatory domain of 0x8000. This is not a valid regulatory domain as such these users were unable to use these devices. Since this doesn't seem to be a device EEPROM corruption we must treat it specially. It may have been possible the manufacturer intended to use 0x0 as the regulatory domain and that would ultimately yield to US but since we cannot get confirmationf or this we default this special case to one of our world regulatory domains, specifically 0x64. Reported-by: DavidFreeman on #linux-wireless Reported-by: Joerg Albert <jal2@gmx.de> Cc: Christian Lamparter <chunkeey@web.de>, Cc: Stephen Chen <stephen.chen@atheros.com> Cc: David Quan <david.quan@atheros.com> Cc: Tony Yang <tony.yang@atheros.com> Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21p54spi: fix potential null deref in p54spi.cDan Carpenter
Fix a potential NULL dereference bug during error handling in p54spi_probe. This bug was discovered by smatch: (http://repo.or.cz/w/smatch.git). Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Christian Lamparter <chunkeey@web.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21acer-wmi: fix rfkill conversionAlan Jenkins
Fix another polarity error introduced by the rfkill rewrite, this time in acer_rfkill_set(). Signed-off-by: Alan Jenkins <alan-jenkins@tuffmail.co.uk> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21cfg80211: double free in __cfg80211_scan_doneChristian Lamparter
This patch fixes a double free corruption in __cfg80211_scan_done: ================================================ BUG kmalloc-512: Object already free ------------------------------------------------ INFO: Allocated in load_elf_binary+0x18b/0x19af age=6 INFO: Freed in load_elf_binary+0x104e/0x19af age=5 INFO: Slab 0xffffea0001bae4c0 objects=14 used=7 INFO: Object 0xffff88007e8a9918 @offset=6424 fp=0xffff88007e8a9488 Bytes b4 0xffff88007e8a9908: 00 00 00 00 00 00 00 00 5a 5a [...] Pid: 28705, comm: rmmod Tainted: P C 2.6.31-rc2-wl #1 Call Trace: [<ffffffff810da9f4>] print_trailer+0x14e/0x16e [<ffffffff810daa56>] object_err+0x42/0x61 [<ffffffff810dbcd9>] __slab_free+0x2af/0x396 [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211] [<ffffffff810dd5e3>] kfree+0x13c/0x17a [<ffffffffa0ec9694>] ? wiphy_unregister+0x92/0x142 [cfg80211] [<ffffffffa0ec9694>] wiphy_unregister+0x92/0x142 [cfg80211] [<ffffffffa0eed163>] ieee80211_unregister_hw+0xc8/0xff [mac80211] [<ffffffffa0f3fbc8>] p54_unregister_common+0x31/0x66 [p54common] [...] FIX kmalloc-512: Object at 0xffff88007e8a9918 not freed The code path which leads to the *funny* double free: request = rdev->scan_req; dev = dev_get_by_index(&init_net, request->ifidx); /* * the driver was unloaded recently and * therefore dev_get_by_index will return NULL! */ if (!dev) goto out; [...] rdev->scan_req = NULL; /* not executed... */ [...] out: kfree(request); Signed-off-by: Christian Lamparter <chunkeey@web.de> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21rfkill: remove too-strict __must_checkAlan Jenkins
Some drivers don't need the return value of rfkill_set_hw_state(), so it should not be marked as __must_check. Signed-off-by: Alan Jenkins <alan-jenkins@tuffmail.co.uk> Acked-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21ath9k: Tune ANI function processing on AP mode during ANI resetLuis R. Rodriguez
For AP mode we must tune ANI specially for 2 GHz and for 5 GHz. We mask in only the flags we want to toggle on ath9k_hw_ani_control() through the ah->ani_function bitmask, this will take care of ignoring changes during ANI reset which we were disabling before. Testedy-by: Steven Luo <steven@steven676.net> Cc: Bennyam Malavazi <bennyam.malavazi@atheros.com> Cc: Jouni Malinen <jouni.malinen@Atheros.com> Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21rt2x00: Fix chipset detection for rt2500usbAndy Whitcroft
The commit below changed the semantics of rt2x00_check_rev so that it no longer checked the bottom 4 bits of the rev were non-zero. During that conversion this part of the check was not propogated to the rt2500usb initialisation. commit 358623c22c9fd837b3b1b444377037f72553dc9f Author: Ivo van Doorn <ivdoorn@gmail.com> Date: Tue May 5 19:46:08 2009 +0200 rt2x00: Simplify rt2x00_check_rev Without this check rt73 devices are miss recognised as rt2500 devices and two drivers are loaded. Preventing the device being used. Reinstate this check. Signed-off-by: Andy Whitcroft <apw@canonical.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21nl80211: Memory leak fixedNiko Jokinen
Potential memory leak via msg pointer in nl80211_get_key() function. Signed-off-by: Niko Jokinen <ext-niko.k.jokinen@nokia.com> Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21rtl8187: Fix for kernel oops when unloading with LEDs enabledLarry Finger
When rtl8187 is unloaded and CONFIG_RTL8187_LEDS is set, the kernel may oops when the module is unloaded as the workqueue for led_on was not being cancelled. This patch fixes the problem reported in http://marc.info/?l=linux-wireless&m=124742957615781&w=2. Reported-by: Gábor Stefanik <netrolller.3d@gmail.com> Signed-off-by: Larry Finger <Larry.Finger@lwfinger> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21ath5k: temporarily disable crypto for AP modeBob Copeland
Pavel Roskin reported some issues with using AP mode without nohwcrypt=1. Most likely this is similar to the problem fixed some time ago in ath9k by 3f53dd64f192450cb331c0fecfc26ca952fb242f, "ath9k: Fix hw crypto configuration for TKIP in AP mode." That only affects TKIP but it's easiest to just disable that and WEP too until we get a proper fix in. Signed-off-by: Bob Copeland <me@bobcopeland.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21mac80211: use correct address for mesh Path ErrorJavier Cardona
For forwarded frames, we save the precursor address in addr1 in case it needs to be used to send a Path Error. mesh_path_discard_frame, however, was using addr2 instead of addr1 to send Path Error frames, so correct that and also make the comment regarding this more clear. Signed-off-by: Andrey Yurovsky <andrey@cozybit.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21mac80211_hwsim: fix use after freeJohannes Berg
Once the "data" pointer is freed, we can't be iterating to the next item in the list any more so we need to use list_for_each_entry_safe with a temporary variable. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21mac80211_hwsim: fix unregistrationJohannes Berg
If you rmmod the module while associated, frames might be transmitted during unregistration -- which will crash if the hwsim%d interface is unregistered first, so only do that after all the virtual wiphys are gone. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21rfkill: fix rfkill_set_states() to set the hw stateAlan Jenkins
The point of this function is to set the software and hardware state at the same time. When I tried to use it, I found it was only setting the software state. Signed-off-by: Alan Jenkins <alan-jenkins@tuffmail.co.uk> Reviewed-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21mac80211: fix injection in monitor modePavel Roskin
The location of the 802.11 header is calculated incorrectly due to a wrong placement of parentheses. Found by kmemcheck. Signed-off-by: Pavel Roskin <proski@gnu.org> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21rfkill: allow toggling soft state in sysfs againJohannes Berg
Apparently there actually _are_ tools that try to set this in sysfs even though it wasn't supposed to be used this way without claiming first. Guess what: now that I've cleaned it all up it doesn't matter and we can simply allow setting the soft-block state in sysfs. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Tested-By: Darren Salt <linux@youmustbejoking.demon.co.uk> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21mac80211: disable meshJohannes Berg
My kvm instance was complaining a lot about sleeping in atomic contexts in the mesh code, and it turns out that both mesh_path_add() and mpp_path_add() need to be able to sleep (they even use synchronize_rcu()!). I put in a might_sleep() to annotate that, but I see no way, at least right now, of actually making sure those functions are only called from process context since they are both called during TX and RX and the mesh code itself even calls them with rcu_read_lock() "held". Therefore, let's disable it completely for now. It's possible that I'm only seeing this because the hwsim's beaconing is broken and thus the peers aren't discovered right away, but it is possible that this happens even if beaconing is working, for a peer that doesn't exist or so. It should be possible to solve this by deferring the freeing of the tables to call_rcu() instead of using synchronize_rcu(), and also using atomic allocations, but maybe it makes more sense to rework the code to not call these from atomic contexts and defer more of the work to the workqueue. Right now, I can't work on either of those solutions though. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21iwlwifi: only update byte count table during aggregationReinette Chatre
The byte count table is only used for aggregation. Updating it in other cases caused fragmented frames to be dropped. This fixes http://www.intellinuxwireless.org/bugzilla/show_bug.cgi?id=2004 Signed-off-by: Reinette Chatre <reinette.chatre@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21iwlwifi: only show active power level via sysfsReinette Chatre
This changes the power_level file to adhere to the "one value per file" sysfs rule. The user will know which power level was requested as it will be the number just written to this file. It is thus not necessary to create a new sysfs file for this value. In addition it fixes a problem where powertop's parsing expects this value to be the first value in this file without any descriptions. Signed-off-by: Reinette Chatre <reinette.chatre@intel.com> cc: stable@kernel.org Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-21iwmc3200wifi: fix NULL pointer dereference in iwm_if_freeZhu Yi
The driver private data is now based on wiphy. So we should not touch the private data after wiphy_free() is called. The patch fixes the potential NULL pointer dereference by making the iwm_wdev_free() the last one on the interface removal path. Signed-off-by: Zhu Yi <yi.zhu@intel.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
2009-07-20can: switch carrier on if device was stopped while in bus-off stateWolfgang Grandegger
This patch fixes a problem when a device is stopped while in the bus-off state. Then the carrier remains off forever. Signed-off-by: Kurt Van Dijck <kurt.van.dijck@skynet.be> Signed-off-by: Wolfgang Grandegger <wg@grandegger.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-20can: restart device even if dev_alloc_skb() failsWolfgang Grandegger
If dev_alloc_skb() failed in can_restart(), the device was left behind in the bus-off state. This patch restarts the device nevertheless. Signed-off-by: Kurt Van Dijck <kurt.van.dijck@eia.be> Signed-off-by: Wolfgang Grandegger <wg@grandegger.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-20can: sja1000: remove duplicated includesWolfgang Grandegger
Remove duplicated #include('s) in drivers/net/can/sja1000/sja1000.c Signed-off-by: Huang Weiyi <weiyi.huang@gmail.com> Signed-off-by: Wolfgang Grandegger <wg@grandegger.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-20New device ID for sc92031 [1088:2031]Cesar Eduardo Barros
rain_maker@root-forum.org wrote: > Hello cesar, > > In a recent thread in a german linux forum, a user reported his PIC > NIC not being recognized by the kernel. > > Fortunately he provided enough information and I was able to help him > and get the device working with the sc92031 driver. > > The device ID is [1088:2031] (Vendor is called "Microcomputer Systems > (M) Son"), here is the respective thread in "ubuntuusers.de" > > http://forum.ubuntuusers.de/topic/lankarte-unter-xubuntu-wird-nicht-erkannt/ > > (Although you might not speak german, the code provided will show > you, that the device is actually working with your driver). > > It would be nice, if you include this new device ID to the > sc92031-driver. > > Regards, > > Axel Köllhofer (aka Rain_Maker) Cc: rain_maker@root-forum.org Signed-off-by: Cesar Eduardo Barros <cesarb@cesarb.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-203c589_cs: re-initialize the multicast in the tc589_resetKen Kawasaki
3c589_cs: re-initialize the multicast in the tc589_reset, and spin_lock the set_multicast_list function. Signed-off-by: Ken Kawasaki <ken_kawasaki@spring.nifty.jp> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-20Fix error return for setsockopt(SO_TIMESTAMPING)Rémi Denis-Courmont
I guess it should be -EINVAL rather than EINVAL. I have not checked when the bug came in. Perhaps a candidate for -stable? Signed-off-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-20netxen: fix thermal check and shutdownDhananjay Phadke
Check temperature for all PCI functions, that can allow graceful shutdown of all interfaces on the overheated card. Old code was only monitoring temperature for function 0 only. Signed-off-by: Dhananjay Phadke <dhananjay@netxen.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-20netxen: fix deadlock on dev closeDhananjay Phadke
netxen: fix deadlock on dev close The tx ring accounting fix in commit cb2107be43d2fc5eadec58b92b ("netxen: fix tx ring accounting") introduced intermittent deadlock when inteface is going down. This was possibly combined effect of speculative tx pause, calling netif_tx_lock instead of queue lock and unclean synchronization with napi which could end up unmasking interrupt. Signed-off-by: Dhananjay Phadke <dhananjay@netxen.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-20netxen: fix context deletion sequenceDhananjay Phadke
o Use D3 reset context deletion for NX2031, it cleans up more resources in the firmware. o Release rx buffers after hardware context has been reset. o Delete tx context after rx context, some firmware control commands are sent on tx context, so it should be the last to go. Signed-off-by: Dhananjay Phadke <dhananjay@netxen.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-20net: Micrel KS8851 SPI network driverBen Dooks
Network driver for the SPI version of the Micrel KS8851 network chip. Signed-off-by: Ben Dooks <ben@simtec.co.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-20tcp: Use correct peer adr when copying MD5 keysJohn Dykstra
When the TCP connection handshake completes on the passive side, a variety of state must be set up in the "child" sock, including the key if MD5 authentication is being used. Fix TCP for both address families to label the key with the peer's destination address, rather than the address from the listening sock, which is usually the wildcard. Reported-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: John Dykstra <john.dykstra1@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-20tcp: Fix MD5 signature checking on IPv4 mapped socketsJohn Dykstra
Fix MD5 signature checking so that an IPv4 active open to an IPv6 socket can succeed. In particular, use the correct address family's signature generation function for the SYN/ACK. Reported-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: John Dykstra <john.dykstra1@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-20Add mac driver for w90p910Wan ZongShun
Add mac driver support for evaluation board based on w90p910. Signed-off-by: Wan ZongShun <mcuos.com@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-17Update Andreas Koensgen's email addressRalf Baechle
The kernel has used a stale email address of Andreas for a few years. Signed-off-by: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-17MAINTAINERS entry for STRIP driverRalf Baechle
The web server does no longer exist, it's not on archive.org nor does there seem to be any mirror. MAINTAINERS | 1 - 1 files changed, 0 insertions(+), 1 deletions(-) Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-16cdc-eem: bad crc checkingVincent CUISSARD
When the driver received an EEM packet with CRC option enabled, driver must compute and check the CRC of the Ethernet data. Previous version computes CRC on Ethernet data plus the original CRC value. Skbuff is correctly trimed but the old length is used when CRC is computed. Signed-off-by: Vincent CUISSARD <vincent.cuissard@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-16ixgbe: Remove DPRINTK messages in DCB modeLucy Liu
Remove debug DPRINTK in DCB mode netlink interface. Signed-off-by: Lucy Liu <lucy.liu@intel.com> Acked-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-16ixgbe: clear mac address data block in DCB modeLucy Liu
This change clears the address data block memory space, which is needed for the 82598 which does not have a SAN MAC. Signed-off-by: Lucy Liu <lucy.liu@intel.com> Acked-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-16sky2: revert shutdown changesStephen Hemminger
The commit changes to shutdown path broke startup on some systems. revert commit c0bad0f2e4366d5bbfe0c4a7a80bca8f4b05272b Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-16net: sock_copy() fixesEric Dumazet
Commit e912b1142be8f1e2c71c71001dc992c6e5eb2ec1 (net: sk_prot_alloc() should not blindly overwrite memory) took care of not zeroing whole new socket at allocation time. sock_copy() is another spot where we should be very careful. We should not set refcnt to a non null value, until we are sure other fields are correctly setup, or a lockless reader could catch this socket by mistake, while not fully (re)initialized. This patch puts sk_node & sk_refcnt to the very beginning of struct sock to ease sock_copy() & sk_prot_alloc() job. We add appropriate smp_wmb() before sk_refcnt initializations to match our RCU requirements (changes to sock keys should be committed to memory before sk_refcnt setting) Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-16E100: work around the driver using streaming DMA mapping for RX descriptors.Krzysztof Halasa
E100 places it's RX packet descriptors inside skb->data and uses them with bidirectional streaming DMA mapping. Unfortunately it fails to transfer skb->data ownership to the device after it reads the descriptor's status, breaking on non-coherent (e.g., ARM) platforms. This have to be converted to use coherent memory for the descriptors. Signed-off-by: Krzysztof Halasa <khc@pm.waw.pl> Acked-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-16bonding: clean muticast addresses when device changes typeMoni Shoua
Bonding device forbids slave device of different types under the same master. However, it is possible for a bonding master to change type during its lifetime. This can be either from ARPHRD_ETHER to ARPHRD_INFINIBAND or the other way arround. The change of type requires device level multicast address cleanup because device level multicast addresses depend on the device type. The patch adds a call to dev_close() before the bonding master changes type and dev_open() just after that. In the example below I enslaved an IPoIB device (ib0) under bond0. Since each bonding master starts as device of type ARPHRD_ETHER by default, a change of type occurs when ib0 is enslaved. This is how /proc/net/dev_mcast looks like without the patch 5 bond0 1 0 00ffffffff12601bffff000000000001ff96ca05 5 bond0 1 0 01005e000116 5 bond0 1 0 01005e7ffffd 5 bond0 1 0 01005e000001 5 bond0 1 0 333300000001 6 ib0 1 0 00ffffffff12601bffff000000000001ff96ca05 6 ib0 1 0 333300000001 6 ib0 1 0 01005e000001 6 ib0 1 0 01005e7ffffd 6 ib0 1 0 01005e000116 6 ib0 1 0 00ffffffff12401bffff00000000000000000001 6 ib0 1 0 00ffffffff12601bffff00000000000000000001 and this is how it looks like after the patch. 5 bond0 1 0 00ffffffff12601bffff000000000001ff96ca05 5 bond0 1 0 00ffffffff12601bffff00000000000000000001 5 bond0 1 0 00ffffffff12401bffff0000000000000ffffffd 5 bond0 1 0 00ffffffff12401bffff00000000000000000116 5 bond0 1 0 00ffffffff12401bffff00000000000000000001 6 ib0 1 0 00ffffffff12601bffff000000000001ff96ca05 6 ib0 1 0 00ffffffff12401bffff00000000000000000116 6 ib0 1 0 00ffffffff12401bffff0000000000000ffffffd 6 ib0 2 0 00ffffffff12401bffff00000000000000000001 6 ib0 2 0 00ffffffff12601bffff00000000000000000001 Signed-off-by: Moni Shoua <monis@voltaire.com> Signed-off-by: Jay Vosburgh <fubar@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-16atl1c: misplaced parenthesisroel kluin
Fix misplaced parenthesis Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-16atl1c: add missing parenthesesroel kluin
Parentheses are required or the comparison occurs before the bitand. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-16Merge branch 'master' of ↵David S. Miller
git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6
2009-07-16netfilter: nf_conntrack: nf_conntrack_alloc() fixesEric Dumazet
When a slab cache uses SLAB_DESTROY_BY_RCU, we must be careful when allocating objects, since slab allocator could give a freed object still used by lockless readers. In particular, nf_conntrack RCU lookups rely on ct->tuplehash[xxx].hnnode.next being always valid (ie containing a valid 'nulls' value, or a valid pointer to next object in hash chain.) kmem_cache_zalloc() setups object with NULL values, but a NULL value is not valid for ct->tuplehash[xxx].hnnode.next. Fix is to call kmem_cache_alloc() and do the zeroing ourself. As spotted by Patrick, we also need to make sure lookup keys are committed to memory before setting refcount to 1, or a lockless reader could get a reference on the old version of the object. Its key re-check could then pass the barrier. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
2009-07-16netfilter: xt_osf: fix nf_log_packet() argumentsPatrick McHardy
The first argument is the address family, the second one the hook number. Signed-off-by: Patrick McHardy <kaber@trash.net>
2009-07-15net/can: add module alias to can protocol driversLothar Waßmann
Add appropriate MODULE_ALIAS() to facilitate autoloading of can protocol drivers Signed-off-by: Lothar Wassmann <LW@KARO-electronics.de> Acked-by: Oliver Hartkopp <oliver@hartkopp.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2009-07-15net/can bugfix: use after free bug in can protocol driversLothar Waßmann
Fix a use after free bug in can protocol drivers The release functions of the can protocol drivers lack a call to sock_orphan() which leads to referencing freed memory under certain circumstances. This patch fixes a bug reported here: https://lists.berlios.de/pipermail/socketcan-users/2009-July/000985.html Signed-off-by: Lothar Wassmann <LW@KARO-electronics.de> Acked-by: Oliver Hartkopp <oliver@hartkopp.net> Signed-off-by: David S. Miller <davem@davemloft.net>