From 092cab7e2cd868cb0b30209a0337689c3ffd6133 Mon Sep 17 00:00:00 2001 From: Pablo Neira Ayuso Date: Tue, 16 Dec 2008 01:19:41 -0800 Subject: [PATCH 1/9] netfilter: ctnetlink: fix missing CTA_NAT_SEQ_UNSPEC This patch fixes an inconsistency in nfnetlink_conntrack.h that I introduced myself. The problem is that CTA_NAT_SEQ_UNSPEC is missing from enum ctattr_natseq. This inconsistency may lead to problems in the message parsing in userspace (if the message contains the CTA_NAT_SEQ_* attributes, of course). This patch breaks backward compatibility, however, the only known client of this code is libnetfilter_conntrack which indeed crashes because it assumes the existence of CTA_NAT_SEQ_UNSPEC to do the parsing. The CTA_NAT_SEQ_* attributes were introduced in 2.6.25. Signed-off-by: Pablo Neira Ayuso Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- include/linux/netfilter/nfnetlink_conntrack.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h index c19595c89304..29fe9ea1d346 100644 --- a/include/linux/netfilter/nfnetlink_conntrack.h +++ b/include/linux/netfilter/nfnetlink_conntrack.h @@ -141,6 +141,7 @@ enum ctattr_protonat { #define CTA_PROTONAT_MAX (__CTA_PROTONAT_MAX - 1) enum ctattr_natseq { + CTA_NAT_SEQ_UNSPEC, CTA_NAT_SEQ_CORRECTION_POS, CTA_NAT_SEQ_OFFSET_BEFORE, CTA_NAT_SEQ_OFFSET_AFTER, From 8953f1282793882a5444924f7a273dc72a43d0a3 Mon Sep 17 00:00:00 2001 From: Sakari Ailus Date: Tue, 16 Dec 2008 01:44:05 -0800 Subject: [PATCH 2/9] tlan: Fix small (< 64 bytes) datagram transmissions The TLAN chip does not support tranmissions smaller than 64 bytes. Smaller transfers need to be padded up to that size. This was broken by commit id 41873e9aff0632d80c74380d58a89e8d420151bd ("tlan: get rid of padding buffer"). Signed-off-by: Sakari Ailus Signed-off-by: David S. Miller --- drivers/net/tlan.c | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/drivers/net/tlan.c b/drivers/net/tlan.c index c41d68761364..cf8cdafda5af 100644 --- a/drivers/net/tlan.c +++ b/drivers/net/tlan.c @@ -1098,6 +1098,7 @@ static int TLan_StartTx( struct sk_buff *skb, struct net_device *dev ) dma_addr_t tail_list_phys; u8 *tail_buffer; unsigned long flags; + unsigned int txlen; if ( ! priv->phyOnline ) { TLAN_DBG( TLAN_DEBUG_TX, "TRANSMIT: %s PHY is not ready\n", @@ -1108,6 +1109,7 @@ static int TLan_StartTx( struct sk_buff *skb, struct net_device *dev ) if (skb_padto(skb, TLAN_MIN_FRAME_SIZE)) return 0; + txlen = max(skb->len, (unsigned int)TLAN_MIN_FRAME_SIZE); tail_list = priv->txList + priv->txTail; tail_list_phys = priv->txListDMA + sizeof(TLanList) * priv->txTail; @@ -1125,16 +1127,16 @@ static int TLan_StartTx( struct sk_buff *skb, struct net_device *dev ) if ( bbuf ) { tail_buffer = priv->txBuffer + ( priv->txTail * TLAN_MAX_FRAME_SIZE ); - skb_copy_from_linear_data(skb, tail_buffer, skb->len); + skb_copy_from_linear_data(skb, tail_buffer, txlen); } else { tail_list->buffer[0].address = pci_map_single(priv->pciDev, - skb->data, skb->len, + skb->data, txlen, PCI_DMA_TODEVICE); TLan_StoreSKB(tail_list, skb); } - tail_list->frameSize = (u16) skb->len; - tail_list->buffer[0].count = TLAN_LAST_BUFFER | (u32) skb->len; + tail_list->frameSize = (u16) txlen; + tail_list->buffer[0].count = TLAN_LAST_BUFFER | (u32) txlen; tail_list->buffer[1].count = 0; tail_list->buffer[1].address = 0; From 2c413a6434dca02387a263dc4ca8009692421998 Mon Sep 17 00:00:00 2001 From: Baruch Siach Date: Mon, 15 Dec 2008 20:18:52 +0000 Subject: [PATCH 3/9] enc28j60: use netif_rx_ni() to deliver RX packets The enc28j60 driver reads incoming packets in the process (workqueue) context, not in a tasklet or the interrupt context. Thus, we should use netif_rx_ni() to deliver those packets to the networking layer, instead of netif_rx(). This way incoming packets don't wait in the incoming queue for the next IRQ to be serviced. Signed-off-by: Baruch Siach Signed-off-by: David S. Miller --- drivers/net/enc28j60.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/enc28j60.c b/drivers/net/enc28j60.c index c414554ac321..36cb6e95b465 100644 --- a/drivers/net/enc28j60.c +++ b/drivers/net/enc28j60.c @@ -959,7 +959,7 @@ static void enc28j60_hw_rx(struct net_device *ndev) ndev->stats.rx_packets++; ndev->stats.rx_bytes += len; ndev->last_rx = jiffies; - netif_rx(skb); + netif_rx_ni(skb); } } /* From bb5f133dbc4f04b6388715d364ae5865455166c2 Mon Sep 17 00:00:00 2001 From: Sakari Ailus Date: Tue, 16 Dec 2008 15:22:41 -0800 Subject: [PATCH 4/9] tlan: Fix pci memory unmapping Fix pci unmapping problem introduced by commit id 8953f1282793882a5444924f7a273dc72a43d0a3 "tlan: Fix small (< 64 bytes) datagram transmissions". Signed-off-by: Sakari Ailus Signed-off-by: David S. Miller --- drivers/net/tlan.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/net/tlan.c b/drivers/net/tlan.c index cf8cdafda5af..e60498232b94 100644 --- a/drivers/net/tlan.c +++ b/drivers/net/tlan.c @@ -1433,7 +1433,9 @@ static u32 TLan_HandleTxEOF( struct net_device *dev, u16 host_int ) if ( ! bbuf ) { struct sk_buff *skb = TLan_GetSKB(head_list); pci_unmap_single(priv->pciDev, head_list->buffer[0].address, - skb->len, PCI_DMA_TODEVICE); + max(skb->len, + (unsigned int)TLAN_MIN_FRAME_SIZE), + PCI_DMA_TODEVICE); dev_kfree_skb_any(skb); head_list->buffer[8].address = 0; head_list->buffer[9].address = 0; @@ -2057,9 +2059,12 @@ static void TLan_FreeLists( struct net_device *dev ) list = priv->txList + i; skb = TLan_GetSKB(list); if ( skb ) { - pci_unmap_single(priv->pciDev, - list->buffer[0].address, skb->len, - PCI_DMA_TODEVICE); + pci_unmap_single( + priv->pciDev, + list->buffer[0].address, + max(skb->len, + (unsigned int)TLAN_MIN_FRAME_SIZE), + PCI_DMA_TODEVICE); dev_kfree_skb_any( skb ); list->buffer[8].address = 0; list->buffer[9].address = 0; From 9a3de25544dadab1971847f28f33b1cd0d1770a6 Mon Sep 17 00:00:00 2001 From: Jarek Poplawski Date: Tue, 16 Dec 2008 15:42:20 -0800 Subject: [PATCH 5/9] drivers/net: starfire: Fix napi ->poll() weight handling starfire napi ->poll() handler can return work == weight after calling netif_rx_complete() (if there is no more work). It is illegal and this patch fixes it. Reported-by: Alexander Huemer Tested-by: Alexander Huemer Signed-off-by: Jarek Poplawski Signed-off-by: David S. Miller --- drivers/net/starfire.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/starfire.c b/drivers/net/starfire.c index 1d2ef8f47780..5a40f2d78beb 100644 --- a/drivers/net/starfire.c +++ b/drivers/net/starfire.c @@ -1509,6 +1509,11 @@ static int __netdev_rx(struct net_device *dev, int *quota) desc->status = 0; np->rx_done = (np->rx_done + 1) % DONE_Q_SIZE; } + + if (*quota == 0) { /* out of rx quota */ + retcode = 1; + goto out; + } writew(np->rx_done, np->base + CompletionQConsumerIdx); out: From e8e5752dc0a56a01527055b0c37510b1d6b6b861 Mon Sep 17 00:00:00 2001 From: Krzysztof Halasa Date: Wed, 17 Dec 2008 00:24:13 -0800 Subject: [PATCH 6/9] net: kernel BUG at drivers/net/phy/mdio_bus.c:165! kernel BUG at drivers/net/phy/mdio_bus.c:165! Unable to handle kernel NULL pointer dereference at virtual address 00000000 How? mdiobus_alloc() sets bus->state = MDIOBUS_ALLOCATED. mdiobus_register() sets bus->state = MDIOBUS_REGISTERED but then can fail (mdiobus_scan()) returning an error to the caller. The caller aborts correctly with mdiobus_free() which does: if (bus->state == MDIOBUS_ALLOCATED) { kfree(bus); return; } BUG_ON(bus->state != MDIOBUS_UNREGISTERED); Signed-off-by: Krzysztof Halasa Signed-off-by: David S. Miller --- drivers/net/phy/mdio_bus.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c index 536bda1f428b..289fc267edf3 100644 --- a/drivers/net/phy/mdio_bus.c +++ b/drivers/net/phy/mdio_bus.c @@ -105,8 +105,6 @@ int mdiobus_register(struct mii_bus *bus) return -EINVAL; } - bus->state = MDIOBUS_REGISTERED; - mutex_init(&bus->mdio_lock); if (bus->reset) @@ -123,6 +121,9 @@ int mdiobus_register(struct mii_bus *bus) } } + if (!err) + bus->state = MDIOBUS_REGISTERED; + pr_info("%s: probed\n", bus->name); return err; From 2fccd2814f8ebc8f1bd325dc46e11c333fc76ab3 Mon Sep 17 00:00:00 2001 From: cwm97m Date: Tue, 16 Dec 2008 20:28:44 +0000 Subject: [PATCH 7/9] jme: Fixed a typo Found a typo. Signed-off-by: Wei-Min Chen Signed-off-by: David S. Miller --- drivers/net/jme.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/jme.h b/drivers/net/jme.h index f863aee6648b..3f5d91543246 100644 --- a/drivers/net/jme.h +++ b/drivers/net/jme.h @@ -22,7 +22,7 @@ */ #ifndef __JME_H_INCLUDED__ -#define __JME_H_INCLUDEE__ +#define __JME_H_INCLUDED__ #define DRV_NAME "jme" #define DRV_VERSION "1.0.3" From 69c30e1e7492192f882a3fc11888b320fde5206a Mon Sep 17 00:00:00 2001 From: Samuel Ortiz Date: Wed, 17 Dec 2008 15:44:58 -0800 Subject: [PATCH 8/9] irda: Add irda_skb_cb qdisc related padding We need to pad irda_skb_cb in order to keep it safe accross dev_queue_xmit() calls. This is some ugly and temporary hack triggered by recent qisc code changes. Even though it fixes bugzilla.kernel.org bug #11795, it will be replaced by a proper fix before 2.6.29 is released. Signed-off-by: Samuel Ortiz Signed-off-by: David S. Miller --- include/net/irda/irda_device.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/include/net/irda/irda_device.h b/include/net/irda/irda_device.h index 3025ae17ddbe..94c852d47d0f 100644 --- a/include/net/irda/irda_device.h +++ b/include/net/irda/irda_device.h @@ -135,9 +135,11 @@ struct dongle_reg { /* * Per-packet information we need to hide inside sk_buff - * (must not exceed 48 bytes, check with struct sk_buff) + * (must not exceed 48 bytes, check with struct sk_buff) + * The default_qdisc_pad field is a temporary hack. */ struct irda_skb_cb { + unsigned int default_qdisc_pad; magic_t magic; /* Be sure that we can trust the information */ __u32 next_speed; /* The Speed to be set *after* this frame */ __u16 mtt; /* Minimum turn around time */ From 3298a7388c00227e736d1037328788073c80c7b4 Mon Sep 17 00:00:00 2001 From: Michael Chan Date: Wed, 17 Dec 2008 19:06:08 -0800 Subject: [PATCH 9/9] bnx2: Fix bug in bnx2_free_rx_mem(). DMA memory for the jumbo rx page rings was freed incorrectly using the wrong local variable as the array index. Signed-off-by: Michael Chan Signed-off-by: David S. Miller --- drivers/net/bnx2.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/bnx2.c b/drivers/net/bnx2.c index a1a3d0e5d2b4..9e8222f9e90e 100644 --- a/drivers/net/bnx2.c +++ b/drivers/net/bnx2.c @@ -543,9 +543,9 @@ bnx2_free_rx_mem(struct bnx2 *bp) for (j = 0; j < bp->rx_max_pg_ring; j++) { if (rxr->rx_pg_desc_ring[j]) pci_free_consistent(bp->pdev, RXBD_RING_SIZE, - rxr->rx_pg_desc_ring[i], - rxr->rx_pg_desc_mapping[i]); - rxr->rx_pg_desc_ring[i] = NULL; + rxr->rx_pg_desc_ring[j], + rxr->rx_pg_desc_mapping[j]); + rxr->rx_pg_desc_ring[j] = NULL; } if (rxr->rx_pg_ring) vfree(rxr->rx_pg_ring);