From 401023710d73aaef1191ab4d6a79d39c51add828 Mon Sep 17 00:00:00 2001 From: "Kim B. Heino" Date: Fri, 29 Feb 2008 12:26:21 -0800 Subject: [TUN]: Fix RTNL-locking in tun/tap driver Current tun/tap driver sets also net device's hw address when asked to change character device's hw address. This is a good idea, but it misses RTLN-locking, resulting following error message in 2.6.25-rc3's inetdev_event() function: RTNL: assertion failed at net/ipv4/devinet.c (1050) Attached patch fixes this problem. Signed-off-by: Kim B. Heino Signed-off-by: David S. Miller --- drivers/net/tun.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'drivers/net') diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 038c1ef94d2..7b816a03295 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -663,7 +663,11 @@ static int tun_chr_ioctl(struct inode *inode, struct file *file, case SIOCSIFHWADDR: { /* try to set the actual net device's hw address */ - int ret = dev_set_mac_address(tun->dev, &ifr.ifr_hwaddr); + int ret; + + rtnl_lock(); + ret = dev_set_mac_address(tun->dev, &ifr.ifr_hwaddr); + rtnl_unlock(); if (ret == 0) { /** Set the character device's hardware address. This is used when -- cgit v1.2.3 From c8fff1cf4e4e5e420c929469a09427aa37342928 Mon Sep 17 00:00:00 2001 From: Jarek Poplawski Date: Mon, 3 Mar 2008 20:48:53 -0800 Subject: Subject: [PPPOL2TP] add missing sock_put() in pppol2tp_recv_dequeue() Every skb removed from session->reorder_q needs sock_put(). Signed-off-by: Jarek Poplawski Acked-by: James Chapman Signed-off-by: David S. Miller --- drivers/net/pppol2tp.c | 1 + 1 file changed, 1 insertion(+) (limited to 'drivers/net') diff --git a/drivers/net/pppol2tp.c b/drivers/net/pppol2tp.c index e0b072d9fdb..dcd499118b9 100644 --- a/drivers/net/pppol2tp.c +++ b/drivers/net/pppol2tp.c 
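Review bot: The new `rtnl_lock()`/`rtnl_unlock()` pair in the `SIOCSIFHWADDR` case has no comment saying why this one ioctl branch needs RTNL, and the call itself does not make the reason obvious. Per the commit message, the address change reaches `inetdev_event()`, which asserts RTNL, so I would add `/* dev_set_mac_address() runs the netdevice notifiers, which expect RTNL to be held */` above the lock. The rest of `tun_chr_ioctl()` is outside the hunk, so it cannot be told from here whether other branches that touch `tun->dev` need the same treatment.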
@@ -455,6 +455,7 @@ static void pppol2tp_recv_dequeue(struct pppol2tp_session *session) skb_queue_len(&session->reorder_q)); __skb_unlink(skb, &session->reorder_q); kfree_skb(skb); + sock_put(session->sock); continue; } -- cgit v1.2.3 From ec9b6add7d81f902f6094e71f595da4a362f3348 Mon Sep 17 00:00:00 2001 From: Jarek Poplawski Date: Mon, 3 Mar 2008 20:49:34 -0800 Subject: [PPPOL2TP]: Add missing sock_put() in pppol2tp_tunnel_closeall() Every skb removed from session->reorder_q needs sock_put(). Signed-off-by: Jarek Poplawski Acked-by: James Chapman Signed-off-by: David S. Miller --- drivers/net/pppol2tp.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'drivers/net') diff --git a/drivers/net/pppol2tp.c b/drivers/net/pppol2tp.c index dcd499118b9..86e5dba079f 100644 --- a/drivers/net/pppol2tp.c +++ b/drivers/net/pppol2tp.c @@ -1111,6 +1111,8 @@ static void pppol2tp_tunnel_closeall(struct pppol2tp_tunnel *tunnel) for (hash = 0; hash < PPPOL2TP_HASH_SIZE; hash++) { again: hlist_for_each_safe(walk, tmp, &tunnel->session_hlist[hash]) { + struct sk_buff *skb; + session = hlist_entry(walk, struct pppol2tp_session, hlist); sk = session->sock; @@ -1139,7 +1141,10 @@ again: /* Purge any queued data */ skb_queue_purge(&sk->sk_receive_queue); skb_queue_purge(&sk->sk_write_queue); - skb_queue_purge(&session->reorder_q); + while ((skb = skb_dequeue(&session->reorder_q))) { + kfree_skb(skb); + sock_put(sk); + } release_sock(sk); sock_put(sk); -- cgit v1.2.3 From 8c28293f5514f64ba064bac7946aebeda4a663c6 Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Fri, 29 Feb 2008 13:56:33 +0100 Subject: p54: fix EEPROM structure endianness Since the EEPROM structure is read from hardware, it is always little endian, annotate that in the struct and make sure to convert where applicable. Signed-off-by: Johannes Berg Cc: Michael Wu Tested-by: Florian Fainelli 
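Review bot: The added `sock_put(session->sock)` in the discard branch of `pppol2tp_recv_dequeue()` is balanced only if every skb placed on `session->reorder_q` took a `sock_hold()` when it was queued, and that pairing is not visible in the hunk. An unmatched put would let the socket refcount reach zero early and leave `session` referring to freed memory, so I would state the invariant at the call: `/* drop the ref taken when the skb was queued on reorder_q */`. The same comment applies to the `sock_put(sk)` inside the new dequeue loop in `pppol2tp_tunnel_closeall()` in the following commit. The function starts and ends outside the hunk.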
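Review bot: The open-coded `skb_dequeue()`/`kfree_skb()`/`sock_put()` loop that replaces `skb_queue_purge(&session->reorder_q)` repeats the rule the previous commit applied by hand in `pppol2tp_recv_dequeue()`, so the "one put per queued skb" invariant now lives in two places. A small static helper holding this loop, say `pppol2tp_reorder_q_purge(session)`, would keep the put next to the free and give any other purge of `reorder_q` in the file one thing to call; whether other such purges exist cannot be seen from these hunks. The per-skb puts presumably rely on a reference taken on `sk` in the part of the loop body elided between the two hunks, which is worth confirming so that the final `sock_put(sk)` after `release_sock(sk)` stays the only one that can drop the last reference.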
Signed-off-by: John W. Linville --- drivers/net/wireless/p54common.c | 2 +- drivers/net/wireless/p54common.h | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) (limited to 'drivers/net') diff --git a/drivers/net/wireless/p54common.c b/drivers/net/wireless/p54common.c index 5cda49aff3a..56aabec73c2 100644 --- a/drivers/net/wireless/p54common.c +++ b/drivers/net/wireless/p54common.c @@ -172,7 +172,7 @@ int p54_parse_eeprom(struct ieee80211_hw *dev, void *eeprom, int len) int err; wrap = (struct eeprom_pda_wrap *) eeprom; - entry = (void *)wrap->data + wrap->len; + entry = (void *)wrap->data + le16_to_cpu(wrap->len); i += 2; i += le16_to_cpu(entry->len)*2; while (i < len) { diff --git a/drivers/net/wireless/p54common.h b/drivers/net/wireless/p54common.h index a721334e20d..b67ff34e26f 100644 --- a/drivers/net/wireless/p54common.h +++ b/drivers/net/wireless/p54common.h @@ -53,10 +53,10 @@ struct pda_entry { } __attribute__ ((packed)); struct eeprom_pda_wrap { - u32 magic; - u16 pad; - u16 len; - u32 arm_opcode; + __le32 magic; + __le16 pad; + __le16 len; + __le32 arm_opcode; u8 data[0]; } __attribute__ ((packed)); -- cgit v1.2.3 From c2f2d3a06f8b628d444cf4f396d6c6ddd47e1d1f Mon Sep 17 00:00:00 2001 From: Johannes Berg Date: Fri, 29 Feb 2008 23:28:25 +0100 Subject: p54: fix eeprom parser length sanity checks When I called p54_parse_eeprom() on a hand-coded structure I managed to make a small mistake with wrap->len which caused a segfault a few lines down when trying to read entry->len. This patch changes the validation code to avoid such problems. Signed-off-by: Johannes Berg Tested-by: Florian Fainelli Signed-off-by: John W. Linville --- drivers/net/wireless/p54common.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) (limited to 'drivers/net') diff --git a/drivers/net/wireless/p54common.c b/drivers/net/wireless/p54common.c index 56aabec73c2..d191e055a78 100644 --- a/drivers/net/wireless/p54common.c 
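Review bot: `le16_to_cpu(wrap->len)` is read from the device and added to `wrap->data` without being compared against `len`, so the `entry->len` read two lines below can fall outside the `eeprom` buffer before the `while (i < len)` test is reached. A guard ahead of the `entry` assignment would close that, for example `if (len < 0 || (size_t)len < sizeof(*wrap) + le16_to_cpu(wrap->len) + sizeof(*entry))` followed by the function's error return. The body of `p54_parse_eeprom()` starts and ends outside the hunk, so an earlier check may exist that is not shown.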
+++ b/drivers/net/wireless/p54common.c @@ -166,18 +166,23 @@ int p54_parse_eeprom(struct ieee80211_hw *dev, void *eeprom, int len) struct p54_common *priv = dev->priv; struct eeprom_pda_wrap *wrap = NULL; struct pda_entry *entry; - int i = 0; unsigned int data_len, entry_len; void *tmp; int err; + u8 *end = (u8 *)eeprom + len; wrap = (struct eeprom_pda_wrap *) eeprom; entry = (void *)wrap->data + le16_to_cpu(wrap->len); - i += 2; - i += le16_to_cpu(entry->len)*2; - while (i < len) { + + /* verify that at least the entry length/code fits */ + while ((u8 *)entry <= end - sizeof(*entry)) { entry_len = le16_to_cpu(entry->len); data_len = ((entry_len - 1) << 1); + + /* abort if entry exceeds whole structure */ + if ((u8 *)entry + sizeof(*entry) + data_len > end) + break; + switch (le16_to_cpu(entry->code)) { case PDR_MAC_ADDRESS: SET_IEEE80211_PERM_ADDR(dev, entry->data); @@ -249,13 +254,12 @@ int p54_parse_eeprom(struct ieee80211_hw *dev, void *eeprom, int len) priv->version = *(u8 *)(entry->data + 1); break; case PDR_END: - i = len; + /* make it overrun */ + entry_len = len; break; } entry = (void *)entry + (entry_len + 1)*2; - i += 2; - i += entry_len*2; } if (!priv->iq_autocal || !priv->output_limit || !priv->curve_data) { -- cgit v1.2.3 From 6305f498604df6c66bdb4cc533ce6332fa5ab61f Mon Sep 17 00:00:00 2001 From: David Woodhouse Date: Mon, 3 Mar 2008 12:20:12 +0100 Subject: libertas: fix sanity check on sequence number in command response Slightly more useful if we compare it against the sequence number of the command we have outstanding, rather than comparing the reply with itself. Doh. Pointed out by Sebastian Siewior Signed-off-by: David Woodhouse Acked-by: Dan Williams Signed-off-by: John W. Linville --- drivers/net/wireless/libertas/cmdresp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'drivers/net') diff --git a/drivers/net/wireless/libertas/cmdresp.c b/drivers/net/wireless/libertas/cmdresp.c index 159216a9190..e2b0746c6cb 100644 
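Review bot: `data_len = ((entry_len - 1) << 1)` wraps to a very large unsigned value when the device reports `entry->len == 0`. The new `(u8 *)entry + sizeof(*entry) + data_len > end` test then depends on that pointer sum not wrapping, which is not guaranteed where pointers are 32 bits wide. Comparing lengths instead of pointers avoids this: `if (entry_len == 0 || data_len > (size_t)(end - (u8 *)entry) - sizeof(*entry)) break;`. Separately, `end` is derived from the signed `len`, and `wrap->len` is read before any check that `len` covers `sizeof(*wrap)`, so a short or negative `len` is still not rejected in the lines shown.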
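Review bot: In the `PDR_END` case, `entry_len = len` ends the loop only by pushing `entry` past `end` in the following `entry = (void *)entry + (entry_len + 1)*2` step, which forms a pointer well outside the buffer and hides the exit behind arithmetic. An explicit exit is easier to audit and does not depend on the form of the loop condition: replace the assignment with a `goto` to a label placed directly after the loop, ahead of the `!priv->iq_autocal` check, using a label name that is free in this function. The comment `/* make it overrun */` would then go away with it.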
--- a/drivers/net/wireless/libertas/cmdresp.c +++ b/drivers/net/wireless/libertas/cmdresp.c @@ -572,9 +572,9 @@ int lbs_process_rx_command(struct lbs_private *priv) respcmd, le16_to_cpu(resp->seqnum), priv->upld_len, jiffies); lbs_deb_hex(LBS_DEB_HOST, "CMD_RESP", (void *) resp, priv->upld_len); - if (resp->seqnum != resp->seqnum) { + if (resp->seqnum != priv->cur_cmd->cmdbuf->seqnum) { lbs_pr_info("Received CMD_RESP with invalid sequence %d (expected %d)\n", - le16_to_cpu(resp->seqnum), le16_to_cpu(resp->seqnum)); + le16_to_cpu(resp->seqnum), le16_to_cpu(priv->cur_cmd->cmdbuf->seqnum)); spin_unlock_irqrestore(&priv->driver_lock, flags); ret = -1; goto done; -- cgit v1.2.3 From 8a96df80b3ddb2410045a26ea19eeccb5f2d2d11 Mon Sep 17 00:00:00 2001 From: Sebastian Siewior Date: Tue, 4 Mar 2008 18:22:27 +0100 Subject: libertas: compare the current command with response instead of with itself. Signed-off-by: Sebastian Siewior Signed-off-by: John W. Linville --- drivers/net/wireless/libertas/cmdresp.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'drivers/net') diff --git a/drivers/net/wireless/libertas/cmdresp.c b/drivers/net/wireless/libertas/cmdresp.c index e2b0746c6cb..bdc6a1cc210 100644 --- a/drivers/net/wireless/libertas/cmdresp.c +++ b/drivers/net/wireless/libertas/cmdresp.c @@ -562,9 +562,7 @@ int lbs_process_rx_command(struct lbs_private *priv) } resp = (void *)priv->upld_buf; - - curcmd = le16_to_cpu(resp->command); - + curcmd = le16_to_cpu(priv->cur_cmd->cmdbuf->command); respcmd = le16_to_cpu(resp->command); result = le16_to_cpu(resp->result); -- cgit v1.2.3 From cdb2a9fe63575dd1eb82b724bbd0aa5e0dd89fa0 Mon Sep 17 00:00:00 2001 
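Review bot: The new comparison `resp->seqnum != priv->cur_cmd->cmdbuf->seqnum` dereferences `priv->cur_cmd` and its `cmdbuf`, and nothing in the hunk shows that `cur_cmd` is non-NULL at this point; the `curcmd = le16_to_cpu(priv->cur_cmd->cmdbuf->command)` line in the following commit has the same dependency. The error path's `spin_unlock_irqrestore(&priv->driver_lock, flags)` indicates the lock is held here, so presumably a NULL check under the same lock sits above the hunk; if so, a short comment such as `/* cur_cmd checked non-NULL above, driver_lock held */` would make that explicit. The hunk also uses `priv->upld_len` only for logging, so it is worth confirming that the response length is checked against the header size before `resp->seqnum` and `resp->command` are trusted. The function starts and ends outside the hunk.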
From: Jussi Kivilinna Date: Tue, 4 Mar 2008 20:05:27 +0200 Subject: rndis_wlan: fix broken data copy Replace broken code that attempted to copy 6 byte array to 64-bit integer. Due to missing cast to 64-bit integer, left shift operation were 32-bit and lead to bytes been copied over each other. New code uses simple memcpy, for greater readability and efficiency. Signed-off-by: Jussi Kivilinna Signed-off-by: John W. Linville --- drivers/net/wireless/rndis_wlan.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) (limited to 'drivers/net') diff --git a/drivers/net/wireless/rndis_wlan.c b/drivers/net/wireless/rndis_wlan.c index d9460aed1f2..10b776c1adc 100644 --- a/drivers/net/wireless/rndis_wlan.c +++ b/drivers/net/wireless/rndis_wlan.c @@ -260,7 +260,7 @@ struct NDIS_802_11_KEY { __le32 KeyLength; u8 Bssid[6]; u8 Padding[6]; - __le64 KeyRSC; + u8 KeyRSC[8]; u8 KeyMaterial[32]; } __attribute__((packed)); @@ -1508,7 +1508,7 @@ static int rndis_iw_set_encode_ext(struct net_device *dev, struct usbnet *usbdev = dev->priv; struct rndis_wext_private *priv = get_rndis_wext_priv(usbdev); struct NDIS_802_11_KEY ndis_key; - int i, keyidx, ret; + int keyidx, ret; u8 *addr; keyidx = wrqu->encoding.flags & IW_ENCODE_INDEX; @@ -1543,9 +1543,7 @@ static int rndis_iw_set_encode_ext(struct net_device *dev, ndis_key.KeyIndex = cpu_to_le32(keyidx); if (ext->ext_flags & IW_ENCODE_EXT_RX_SEQ_VALID) { - for (i = 0; i < 6; i++) - ndis_key.KeyRSC |= - cpu_to_le64(ext->rx_seq[i] << (i * 8)); + memcpy(ndis_key.KeyRSC, ext->rx_seq, 6); ndis_key.KeyIndex |= cpu_to_le32(1 << 29); } -- cgit v1.2.3 From c256e05b7b30fab484deacb4f8cff59ce649c75e Mon Sep 17 00:00:00 2001 From: Michael Buesch Date: Tue, 4 Mar 2008 20:31:13 +0100 Subject: b43legacy: Fix module init message This fixes the module init message to tell that the legacy driver loaded. This makes it less confusing, in case both drivers are loaded. Signed-off-by: Michael Buesch 
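Review bot: `memcpy(ndis_key.KeyRSC, ext->rx_seq, 6)` fills six of the eight `KeyRSC` bytes, so the top two bytes, and the whole field when `IW_ENCODE_EXT_RX_SEQ_VALID` is clear, keep whatever `ndis_key` held before. `ndis_key` is a stack variable, so this is safe only if it is zeroed earlier in `rndis_iw_set_encode_ext()`, which is outside the hunk; otherwise stale stack bytes would presumably be handed to the device along with the key. I would also replace the bare `6` with a named constant and note the layout next to it, e.g. `/* 48-bit receive sequence counter, low byte first; upper two bytes stay zero */`.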
Signed-off-by: John W. Linville --- drivers/net/wireless/b43legacy/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'drivers/net') diff --git a/drivers/net/wireless/b43legacy/main.c b/drivers/net/wireless/b43legacy/main.c index c39de422e22..5f3f34e1dbf 100644 --- a/drivers/net/wireless/b43legacy/main.c +++ b/drivers/net/wireless/b43legacy/main.c @@ -3829,7 +3829,7 @@ static void b43legacy_print_driverinfo(void) #ifdef CONFIG_B43LEGACY_DMA feat_dma = "D"; #endif - printk(KERN_INFO "Broadcom 43xx driver loaded " + printk(KERN_INFO "Broadcom 43xx-legacy driver loaded " "[ Features: %s%s%s%s%s, Firmware-ID: " B43legacy_SUPPORTED_FIRMWARE_ID " ]\n", feat_pci, feat_leds, feat_rfkill, feat_pio, feat_dma); -- cgit v1.2.3