There is a race between sctp_rcv() and sctp_accept() where we
have moved the association from the listening socket to the
accepted socket, but sctp_rcv() processing cached the old
socket and continues to use it.
The easy solution is to check for the socket mismatch once we've
grabed the socket lock. If we hit a mis-match, that means
that were are currently holding the lock on the listening socket,
but the association is refrencing a newly accepted socket. We need
to drop the lock on the old socket and grab the lock on the new one.
A more proper solution might be to create accepted sockets when
the new association is established, similar to TCP. That would
eliminate the race for 1-to-1 style sockets, but it would still
existing for 1-to-many sockets where a user wished to peeloff an
association. For now, we'll live with this easy solution as
it addresses the problem.
Reported-by: Michal Hocko <mhocko@suse.cz>
Reported-by: Karsten Keil <kkeil@suse.de>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Recent changes to the retransmit code exposed a long standing
bug where it was possible for a chunk to be time stamped
after the retransmit timer was reset. This caused a rare
situation where the retrnamist timer has expired, but
nothing was marked for retrnasmission because all of
timesamps on data were less then 1 rto ago. As result,
the timer was never restarted since nothing was retransmitted,
and this resulted in a hung association that did couldn't
complete the data transfer. The solution is to timestamp
the chunk when it's added to the packet for transmission
purposes. After the packet is trsnmitted the rtx timer
is restarted. This guarantees that when the timer expires,
there will be data to retransmit.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Commit 62aeaff5cc
(sctp: Start T3-RTX timer when fast retransmitting lowest TSN)
introduced a regression where it was possible to forcibly
restart the sctp retransmit timer at the transmission of any
new chunk. This resulted in much longer timeout times and
sometimes hung sctp connections.
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
crc32c algorithm provides a byteswaped result. On little-endian
arches, the result ends up in big-endian/network byte order.
On big-endinan arches, the result ends up in little-endian
order and needs to be byte swapped again. Thus calling cpu_to_le32
gives the right output.
Tested-by: Jukka Taimisto <jukka.taimisto@mail.suomi.net>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
All supported SMSC PHYs implement the standard "power down" bit 11 of
BMCR, so this patch adds support using the generic genphy_{suspend,resume}
functions.
Signed-off-by: Steve Glendinning <steve.glendinning@smsc.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Suspend/resume routines check for phydrv != NULL, but that is
wrong because "phydrv" comes from container_of(drv). If drv is NULL,
then container_of(drv) will return non-NULL result, and the checks
won't work.
The Freescale TBI PHYs are driver-less, so "drv" is NULL, and that
leads to the following oops:
Unable to handle kernel paging request for data at address 0xffffffe4
Faulting instruction address: 0xc0215554
Oops: Kernel access of bad area, sig: 11 [#1]
[...]
NIP [c0215554] mdio_bus_suspend+0x34/0x70
LR [c01cc508] suspend_device+0x258/0x2bc
Call Trace:
[cfad3da0] [cfad3db8] 0xcfad3db8 (unreliable)
[cfad3db0] [c01cc508] suspend_device+0x258/0x2bc
[cfad3dd0] [c01cc62c] dpm_suspend+0xc0/0x140
[cfad3e20] [c01cc6f4] device_suspend+0x48/0x5c
[cfad3e40] [c0068dd8] suspend_devices_and_enter+0x8c/0x148
[cfad3e60] [c00690f8] enter_state+0x100/0x118
[cfad3e80] [c00691c0] state_store+0xb0/0xe4
[cfad3ea0] [c018c938] kobj_attr_store+0x24/0x3c
[cfad3eb0] [c00ea9a8] flush_write_buffer+0x58/0x7c
[cfad3ed0] [c00eadf0] sysfs_write_file+0x58/0xa0
[cfad3ef0] [c009e810] vfs_write+0xb4/0x16c
[cfad3f10] [c009ed40] sys_write+0x4c/0x90
[cfad3f40] [c0014954] ret_from_syscall+0x0/0x38
[...]
This patch fixes the issue, plus removes unneeded parentheses
and fixes indentation level in mdio_bus_suspend().
Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
A link change interrupt might be queued and activated after the loopback was set
and it will cause the loopback to fail. The PHY lock should be kept until the
loopback test is over.
That implies that the bnx2x_test_link should used within the loopback function
and not bnx2x_wait_for_link since that function also takes the PHY link
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Waiting for the FW to response requires a memory barrier
Signed-off-by: Michal Kalderon <michals@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
rmmod might hang without this patch since the reference counter is not going
down
Signed-off-by: Yitchak Gertner <gertner@broadcom.com>
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Call carrier off should not be called after register_netdev since after
register netdev open can be called at any time followed by an interrupt that
will set it to carrier_on and the probe will resume control and set it to off
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Failures on load were not handled correctly - separate the flow to handle
different failures
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Calling napi disabled unconditionally at netif stop
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
To avoid complications, make sure that the HW is in reset (as it should be)
before trying to take it out of reset. In normal flows, the HW is indeed in rest
so this should have no effect
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
be consistent with mac80211 drivers and return correct return code.
NETDEV_TX_OK is 0, but we need to be consistent wrt formatting amongst
implementations
re: http://marc.info/?l=linux-wireless&m=123119327419865&w=2
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Reviewed-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Giuseppe Cala <jiveaxe@gmail.com> (The second "a" in "Cala" should be
a grave, U+00E0) reported success on zd1211-devs@lists.sourceforge.net.
The chip info is:
zd1211b chip 0df6:0036 v4810 high 00-0c-f6 AL2230_RF pa0 g--N-
The Sitecom WL-603 is detected as a zd1211b with a AL2230 RF transceiver chip.
Signed-off-by: Giuseppe Cala <jiveaxe@gmail.com>
Signed-off-by: Hin-Tak Leung <htl10@users.sourceforge.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
In theory, the firmware acks the received a data frame, before signaling the driver to free it again.
However Artur Skawina <art.08.09@gmail.com> has shown that it can happen in reverse order as well.
This is very bad and could lead to memory corruptions, oopses and panics.
Thanks to Artur Skawina <art.08.09@gmail.com> for reporting and debugging this issue.
Signed-off-by: Christian Lamparter <chunkeey@web.de>
Tested-by: Artur Skawina <art.08.09@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
If we let the firmware do the data encryption, we have to remove the ICV and
(M)MIC at the end of the frame before we can give it back to mac80211.
Or, these data frames have a few trailing bytes on cooked monitor interfaces.
Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
This patch fixes a obvious memory leak in the eeprom parser.
Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
KERN_INFO is too "loud" for messages that are generated by the ordinary
events, such as accociation. Use of KERN_DEBUG is consistent with
mac80211.
Suggested by Michael Gilbert <michael.s.gilbert@gmail.com>
Signed-off-by: Pavel Roskin <proski@gnu.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Mac80211 provides 2 structures to handle bitrates, namely
ieee80211_rate and ieee80211_tx_rate. To determine the short preamble
mode for an outgoing frame, the flag IEEE80211_TX_RC_USE_SHORT_PREAMBLE
must be checked on ieee80211_tx_rate and not ieee80211_rate (which rt2x00 did).
This fixes a regression which was triggered in 2.6.29-rcX as reported by Chris Clayton.
Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>
Tested-By: Chris Clayton <chris2553@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
wlan0: switched to short barker preamble (BSSID=00:01:aa:bb:cc:dd)
wlan0: switched to short slot (BSSID=) <something is missing here>
should be:
wlan0: switched to short barker preamble (BSSID=00:01:aa:bb:cc:dd)
wlan0: switched to short slot (BSSID=00:01:aa:bb:cc:dd)
Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
After launching mesh discovery in tx path, reference count was not being
decremented. This was preventing module unload.
Signed-off-by: Brian Cavagnolo <brian@cozybit.com>
Signed-off-by: Andrey Yurovsky <andrey@cozybit.com>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
mcs7830_set_reg() and mcs7830_get_reg() are called with buffers
from stack which must not be used directly for USB transfers.
This causes corruption of the stack particulary on non x86
architectures because DMA may be used for these transfers.
Signed-off-by: Christian Eggers <christian.eggers@kathrein.de>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Improve usbnet's devdbg to always type-check diagnostic arguments,
like dev_dbg (device.h). This makes no change to the resulting size of
usbnet modules.
This patch also removes an #ifdef DEBUG directive from rndis_wlan so
it's devdbg statements are always type-checked at compile time.
Signed-off-by: Steve Glendinning <steve.glendinning@smsc.com>
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Caused by call to request_module() while holding nf_conntrack_lock.
Reported-and-tested-by: Kövesdi György <kgy@teledigit.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
The previous fix to paged packets broke the merging because it
reset the skb->len before we added it to the merged packet. This
wasn't detected because it simply resulted in the truncation of
the packet while the missing bit is subsequently retransmitted.
The fix is to store skb->len before we clobber it.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
When a frag is shorter than an Ethernet header, we'd return a
zeroed packet instead of aborting. This patch fixes that.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
We need to perform skb_postpull_rcsum after pulling the IPv6
header in order to maintain the correctness of the complete
checksum.
This patch also adds a missing iph reload after pulling.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
while(--j >= 0) keeps spinning when j is unsigned:
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Don't forget to call pci_disable_device() in myri10ge_remove()
and when myri10ge_probe() fails.
By the way, update the copyright years.
Signed-off-by: Brice Goglin <brice@myri.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
register_pernet_gen_subsys omits mutex_unlock in one fail path.
Fix it.
Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This reverts commit fc8c7dc1b2.
As indicated by Jiri Klimes, this won't work. These numbers are
not only used the size validation, they are also used to locate
attributes sitting after the message.
Signed-off-by: David S. Miller <davem@davemloft.net>
Roel Kluin reported a bug in two error paths where skbs were wrongly
being freed using kfree(). He provided a fix where it was replaced to
kfree_skb(), as it should be.
However, in i2400mu_rx(), the error path was missing returning an
indication of the failure. Changed to reset rx_skb to NULL and return
it to the caller, i2400mu_rxd(). It will be treated as a transient
error and just ignore the packet.
Depending on the buffering conditions inside the device, the data
packet might be dropped or the device will signal the host again for
data-ready-to-read and the host will retry.
Signed-off-by: Inaky Perez-Gonzalez <inaky@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Contrary to what the docs say, the 'extended interrupt cause' bit in
the interrupt cause register (bit 1) appears to not be maskable on at
least some of the mv643xx_eth platforms, making writing zeroes to the
interrupt mask register but not the extended interrupt mask register
insufficient to stop interrupts from occuring. Therefore, also write
zeroes to the extended interrupt mask register when shutting down the
port.
This fixes the interrupt storm seen on the Pegasos board when shutting
down the interface.
Signed-off-by: Lennert Buytenhek <buytenh@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Commit 66e63ffbc0 ("mv643xx_eth:
implement ->set_rx_mode()") cleaned up mv643xx_eth's multicast filter
programming, but broke it as well.
The non-special multicast filter table (for multicast addresses that
are not of the form 01:00:5e:00:00:xx) consists of 256 hash table
buckets organised as 64 32-bit words, where the 'accept' bits are
in the LSB of each byte, so in bits 24 16 8 0 of each 32-bit word.
The old code got this right, but the referenced commit broke this by
using bits 3 2 1 0 instead. This commit fixes this up.
Signed-off-by: Lennert Buytenhek <buytenh@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This reverts commit cd4ccf76bf.
On the Pegasos board, we can't do DMA burst that are longer than
one cache line. For now, go back to using 32 byte DMA bursts for
all mv643xx_eth platforms -- we can switch the ARM-based platforms
back to doing long 128 byte bursts in the next development cycle.
Signed-off-by: Lennert Buytenhek <buytenh@marvell.com>
Reported-by: Alan Curry <pacman@kosh.dhis.org>
Reported-by: Gabriel Paubert <paubert@iram.es>
Signed-off-by: David S. Miller <davem@davemloft.net>
The trick in socket splicing where we try to convert the skb->data
into a page based reference using virt_to_page() does not work so
well.
The idea is to pass the virt_to_page() reference via the pipe
buffer, and refcount the buffer using a SKB reference.
But if we are splicing from a socket to a socket (via sendpage)
this doesn't work.
The from side processing will grab the page (and SKB) references.
The sendpage() calls will grab page references only, return, and
then the from side processing completes and drops the SKB ref.
The page based reference to skb->data is not enough to keep the
kmalloc() buffer backing it from being reused. Yet, that is
all that the socket send side has at this point.
This leads to data corruption if the skb->data buffer is reused
by SLAB before the send side socket actually gets the TX packet
out to the device.
The fix employed here is to simply allocate a page and copy the
skb->data bytes into that page.
This will hurt performance, but there is no clear way to fix this
properly without a copy at the present time, and it is important
to get rid of the data corruption.
With fixes from Herbert Xu.
Tested-by: Willy Tarreau <w@1wt.eu>
Foreseen-by: Changli Gao <xiaosuo@gmail.com>
Diagnosed-by: Willy Tarreau <w@1wt.eu>
Reported-by: Willy Tarreau <w@1wt.eu>
Fixed-by: Jens Axboe <jens.axboe@oracle.com>
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch modifies how the tg3 driver handles device firmware.
The patch starts by consolidating David Woodhouse's earlier patch under
the same name. Specifically, the patch moves the request_firmware call
into a separate tg3_request_firmware() function and calls that function
from tg3_open() rather than tg3_init_one().
The patch then goes on to limit the number of devices that will make
request_firmware calls. The original firmware patch unnecessarily
requested TSO firmware for devices that did not need it. This patch
reduces the set of devices making TSO firmware patches to approximately
the following device set : 5703, 5704, and 5705.
Finally, the patch reduces the effects of a request_firmware() failure.
For those devices that are requesting TSO firmware, the driver will turn
off the TSO capability. If TSO firmware becomes available at a later
time, the device can be closed and then opened again to reacquire the
TSO capability.
Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
netif_carrier_off() is sufficient to stop Tx into the driver. Stopping the Tx
queues is redundant and unnecessary. By the same token, netif_carrier_on()
will be sufficient to re-enable Tx, so waking the queues is unnecessary.
Signed-off-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Register VLAN ID 0 so that frames with VLAN ID 0 are received and get
their tag stripped when ixgbe is not in DCB mode. VLAN ID 0 means
that the frame is 'priority tagged' only - it is not a VLAN, but the
priority value is the tag in valid. The functions
ixgbe_vlan_rx_register() and ixgbe_vlan_rx_kill_vid() were moved up a
couple functions to correct compiling issues with this change.
Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
Signed-off-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: Eric W Multanen <eric.w.multanen@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The is an issue where setting Relaxed Ordering (RO) bit
(in a PCI-E write transaction) on 82598 causing the chipset
to drop DCA hints. This patch forces RO not to be set for
descriptors as well as payload. This will only be in effect
while DCA is enabled and no performance difference was
noticed in testing.
Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
Signed-off-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
I'm trying to track down why people're hitting the checksum warning
in skb_gso_segment. As the problem seems to be hitting lots of
people and I can't reproduce it or locate the bug, here is a patch
to print out more details which hopefully should help us to track
this down.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
As the assigned value is being overwritten shortly after, it can be
dropped and so the whole variable definition moved to the start of the
function.
Signed-off-by: Phil Sutter <n0-1@freewrt.org>
Acked-by: Florian Fainelli <florian@openwrt.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
This is copy and paste from the original driver. As skb_reserve() is
also called within korina_alloc_ring() when initially allocating the
receive descriptors, the same should be done when allocating new space
after passing an skb to upper layers.
Signed-off-by: Phil Sutter <n0-1@freewrt.org>
Acked-by: Florian Fainelli <florian@openwrt.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
After the last loop iteration, i has the value RC32434_NUM_RDS and
therefore leads to an index overflow when used afterwards to address the
last element. This is yet another another bug introduced when rewriting
parts of the driver for upstream preparation, as the original driver
used 'RC32434_NUM_RDS - 1' instead.
Signed-off-by: Phil Sutter <n0-1@freewrt.org>
Acked-by: Florian Fainelli <florian@openwrt.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
The lro manager's frag_align_pad setting was missing,
leading to misaligned access to the skb passed up
to the stack.
Tested-by: Rick Jones <rick.jones2@hp.com>
Signed-off-by: Divy Le Ray <divy@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
In rare cases when an underrun occur, all macb buffers where consumed
and the netif_queue was stopped infinitely. This happens then the TGO
(transfer ongoing) bit in the TSR is set (and UND). It seems like
clening up after the underrun makes the driver and the macb hardware
end up in an inconsistent state. The result of this is that in the
following calls to macb_tx no TX buffers are released -> the
netif_queue was stopped, and never woken up again.
The solution is to disable the transmitter, if TGO is set, before
clening up after the underrun, and re-enable the transmitter when the
cleaning up is done.
Signed-off-by: Richard Röjfors <richard.rojfors@endian.se>
Signed-off-by: David S. Miller <davem@davemloft.net>