GIT a07921bcd5830c5a1130309977a8ade8a4f7d69b git+ssh://master.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6.git commit f7f847b01571e86044dc77e03d92f43699652f8d Author: Linus Torvalds Date: Wed Sep 26 15:21:33 2007 -0700 Revert "x86-64: Disable local APIC timer use on AMD systems with C1E" This reverts commit e66485d747505e9d960b864fc6c37f8b2afafaf0, since Rafael Wysocki noticed that the change only works for his in -mm, not in mainline (and that both "noapictimer" _and_ "apicmaintimer" are broken on his hardware, but that's apparently not a regression, just a symptom of the same issue that causes the automatic apic timer disable to not work). It turns out that it really doesn't work correctly on x86-64, since x86-64 doesn't use the generic clock events for timers yet. Thanks to Rafal for testing, and here's the ugly details on x86-64 as per Thomas: "I just looked into the code and the logic vs. noapictimer on SMP is completely broken. On i386 the noapictimer option not only disables the local APIC timer, it also registers the CPUs for broadcasting via IPI on SMP systems. The x86-64 code uses the broadcast only when the local apic timer is active, i.e. "noapictimer" is not on the command line. This defeats the whole purpose of "noapictimer". It should be there to make boxen work, where the local APIC timer actually has a hardware problem, e.g. the nx6325. The current implementation of x86_64 only fixes the ACPI c-states related problem where the APIC timer stops in C3(2), nothing else. On nx6325 and other AMD X2 equipped systems which have the C1E enabled we run into the following: PIT keeps jiffies (and the system) running, but the local APIC timer interrupts can get out of sync due to this C1E effect. I don't think this is a critical problem, but it is wrong nevertheless. I think it's safe to revert the C1E patch and postpone the fix to the clock events conversion." On further reflection, Thomas noted: "It's even worse than I thought on the first check: "noapictimer" on the command line of an SMP box prevents _ONLY_ the boot CPU apic timer from being used. But the secondary CPU is still unconditionally setting up the APIC timer and uses the non calibrated variable calibration_result, which is of course 0, to setup the APIC timer. Wreckage guaranteed." so we'll just have to wait for the x86 merge to hopefully fix this up for x86-64. Tested-and-requested-by: Rafael J. Wysocki Acked-by: Thomas Gleixner Signed-off-by: Linus Torvalds commit 2efa33f81ef56e7700c09a3d8a881c96692149e5 Author: H. Peter Anvin Date: Wed Sep 26 14:11:43 2007 -0700 [x86 setup] Handle case of improperly terminated E820 chain At least one system (a Geode system with a Digital Logic BIOS) has been found which suddenly stops reporting the SMAP signature when reading the E820 memory chain. We can't know what, exactly, broke in the BIOS, so if we detect this situation, declare the E820 data unusable and fall back to E801. Also, revert to original behavior of always probing all memory methods; that way all the memory information is available to the kernel. Signed-off-by: H. Peter Anvin Cc: Jordan Crouse Cc: Joerg Pommnitz commit df912ea4ae7233d1504fbd861ee127bd7ee5781d Author: Jeremy Fitzhardinge Date: Tue Sep 25 11:50:00 2007 -0700 xen: execve's error paths don't pin the mm before unpinning execve's error paths don't activate (and therefore pin) the mm before calling exit_mmap to free it up, so don't try to unpin unless it is actually pinned. This prevents a BUG_ON from triggering. Signed-off-by: Jeremy Fitzhardinge Cc: Christian Ostheimer Signed-off-by: Linus Torvalds commit e66485d747505e9d960b864fc6c37f8b2afafaf0 Author: Thomas Gleixner Date: Tue Sep 25 21:37:01 2007 +0200 x86-64: Disable local APIC timer use on AMD systems with C1E commit 3556ddfa9284a86a59a9b78fe5894430f6ab4eef titled [PATCH] x86-64: Disable local APIC timer use on AMD systems with C1E solves a problem with AMD dual core laptops e.g. HP nx6325 (Turion 64 X2) with C1E enabled: When both cores go into idle at the same time, then the system switches into C1E state, which is basically the same as C3. This stops the local apic timer. This was debugged right after the dyntick merge on i386 and despite the patch title it fixes only the 32 bit path. x86_64 is still missing this fix. It seems that mainline is not really affected by this issue, as the PIT is running and keeps jiffies incrementing, but that's just waiting for trouble. -mm suffers from this problem due to the x86_64 high resolution timer patches. This is a quick and dirty port of the i386 code to x86_64. I spent quite a time with Rafael to debug the -mm / hrt wreckage until someone pointed us to this. I really had forgotten that we debugged this half a year ago already. Sigh, is it just me or is there something yelling arch/x86 into my ear? Signed-off-by: Thomas Gleixner Tested-by: Rafael J. Wysocki Signed-off-by: Linus Torvalds commit 3dffec45c2742961dd27f55aba426cb9cf3f0dcd Author: S.Çağlar Onur Date: Wed Sep 26 12:15:33 2007 +0300 Silent drivers/char/hpet.c build warnings on i386 Following patch silents; ... drivers/char/hpet.c:72: warning: 'clocksource_hpet' defined but not used drivers/char/hpet.c:81: warning: 'hpet_clocksource' defined but not used ... build warnings on i386, they appeared after commit 3b2b64fd311c92f2137eb7cee7025794cd854057 Signed-off-by: S.Çağlar Onur Signed-off-by: Linus Torvalds -- drivers/char/hpet.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) commit 255129d1e9ca0ed3d69d5517fae3e03d7ab4b806 Author: Trond Myklebust Date: Tue Sep 25 15:55:03 2007 -0400 NLM: Fix a circular lock dependency in lockd The problem is that the garbage collector for the 'host' structures nlm_gc_hosts(), holds nlm_host_mutex while calling down to nlmsvc_mark_resources, which, eventually takes the file->f_mutex. We cannot therefore call nlmsvc_lookup_host() from within nlmsvc_create_block, since the caller will already hold file->f_mutex, so the attempt to grab nlm_host_mutex may deadlock. Fix the problem by calling nlmsvc_lookup_host() outside the file->f_mutex. Signed-off-by: Trond Myklebust Signed-off-by: Linus Torvalds commit f6a592e8abd2f2394623ce5427cbb4c265495974 Author: Chris Malley Date: Wed Sep 26 14:19:18 2007 +1000 lguest example launcher truncates block device file to 0 length on problems The function should also use ftruncate64() rather than ftruncate() to prevent files over 4GB (not uncommon for a root filesystem) being zeroed. Signed-off-by: Chris Malley Signed-off-by: Rusty Russell Signed-off-by: Linus Torvalds commit 78bd8fbbcd66fc977baa40e7fd838a4461b0f727 Author: Al Viro Date: Wed Sep 26 01:54:32 2007 +0100 fix sctp_del_bind_addr() last argument type It gets pointer to fastcall function, expects a pointer to normal one and calls the sucker. Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit 459685c75b82a0431da102365d507fdb72858b84 Author: Al Viro Date: Wed Sep 26 01:54:12 2007 +0100 hibernation doesn't even build on frv - tons of helpers are missing Signed-off-by: Al Viro Acked-By: David Howells Signed-off-by: Linus Torvalds commit d8c4a2f9d9e7827362fd7ab0b5d9637c6af5ac5b Author: Al Viro Date: Wed Sep 26 01:53:52 2007 +0100 mv643xx_eth: duplicate methods in initializer Signed-off-by: Al Viro Signed-off-by: Linus Torvalds commit ed4d6375a1498009a9e68d93661207351d36874f Author: Al Viro Date: Wed Sep 26 01:53:42 2007 +0100 usbvision-video: buggered method tables duplicated .mmap in one, .vidioc_s_audio misspelled as .vidioc_g_audio in other Signed-off-by: Al Viro Acked-by: Mauro Carvalho Chehab Signed-off-by: Linus Torvalds commit 5309809129ca3ab14f8bd5e5ef66c1b7686eb639 Author: Linus Torvalds Date: Wed Sep 26 09:16:21 2007 -0700 Add explicit zeroing to "envp" array in device 'show' method As Stephen Hemminger says, this is a "belt and suspenders" patch that zeroes the envp array at allocation time, even though all the users should NULL-terminate it anyway (and we've hopefully fixed everybody that doesn't do that). And we'll apparently clean the whole envp thing up for 2.6.24 anyway. But let's just be robust, and do both this *and* make sure that all users are doing the right thing. Acked-by: Stephen Hemminger Acked-by: Greg Kroah-Hartman Signed-off-by: Linus Torvalds commit 603c461250b223ac42c10b8d1df653af1a361d44 Author: Jeremy Kerr Date: Wed Sep 26 10:53:45 2007 +1000 [POWERPC] spufs: fix mismerge, making context signal{1,2} files readable again The commit 8b6f50ef1d5cc86b278eb42bc91630fad455fb10 seems to have been affected by a mismerge of a duplicate patch (d054b36ffd302ec65aabec16a0c60ddd9e6b5a62) - both the spufs_dir_contents and spufs_dir_nosched_contents have been given write-only signal notification files. This change reverts the spufs_dir_contents array to use the readable signal notification file implementation. Signed-off-by: Jeremy Kerr Acked-by: Arnd Bergmann Signed-off-by: Paul Mackerras commit ae3ba4fd966e38d8d766d19f7a58b551df8ecc97 Author: Al Viro Date: Wed Sep 26 08:20:44 2007 +0200 cdrom_open() forgets to unlock on -EROFS failure exits Signed-off-by: Al Viro Signed-off-by: Jens Axboe commit 45dfd5b5dd20f17fe23dafc5cfe921474d27f849 Author: Michal Schmidt Date: Tue Sep 25 23:05:39 2007 -0700 [PPP_MPPE]: Don't put InterimKey on the stack Signed-off-by: Michal Schmidt Signed-off-by: David S. Miller commit 6f4c618ddb0e6b7e6d49cfc8134e694be1c0bc9b Author: Wei Yongjun Date: Wed Sep 19 17:19:52 2007 +0800 SCTP : Add paramters validity check for ASCONF chunk If ADDIP is enabled, when an ASCONF chunk is received with ASCONF paramter length set to zero, this will cause infinite loop. By the way, if an malformed ASCONF chunk is received, will cause processing to access memory without verifying. This is because of not check the validity of parameters in ASCONF chunk. This patch fixed this. Signed-off-by: Wei Yongjun Signed-off-by: Vlad Yasevich commit 3c77f961b55b6060858c68a213d7f4470d7f3eb2 Author: Vlad Yasevich Date: Mon Sep 17 15:14:28 2007 -0400 SCTP: Discard OOTB packetes with bundled INIT early. RFC 4460 and future RFC 4960 (2960-bis) specify that packets with bundled INIT chunks need to be dropped. We currenlty do that only after processing any leading chunks. For OOTB chunks, since we already walk the entire packet, we should discard packets with bundled INITs. There are other chunks chunks that MUST NOT be bundled, but the spec is silent on theire treatment. Thus, we'll leave their teatment alone for the moment. Signed-off-by: Vlad Yasevich Acked-by: Wei Yongjun commit ece25dfa0991f65c4e1d26beb1c3c45bda4239b8 Author: Vlad Yasevich Date: Fri Sep 7 16:30:54 2007 -0400 SCTP: Clean up OOTB handling and fix infinite loop processing While processing OOTB chunks as well as chunks with an invalid length of 0, it was possible to SCTP to get wedged inside an infinite loop because we didn't catch the condition correctly, or didn't mark the packet for discard correctly. This work is based on original findings and work by Wei Yongjun Signed-off-by: Vlad Yasevich commit d3f259687fd248aa4de477149481478c122ba48b Author: Vlad Yasevich Date: Fri Sep 7 11:47:45 2007 -0400 SCTP: Explicitely discard OOTB chunks Explicitely discard OOTB chunks, whether the result is a SHUTDOWN COMPLETE or an ABORT. We need to discard the OOTB SHUTDOWN ACK to prevent bombing attackes since responsed MUST NOT be bundled. We also explicietely discard in the ABORT case since that function is widely used internally. Signed-off-by: Vlad Yasevich Acked-by: Neil Horman commit 02c4e12c6400b6dccdc6b5c2c18325551e4b2dc9 Author: Wei Yongjun Date: Fri Aug 31 10:03:58 2007 +0800 SCTP: Send ABORT chunk with correct tag in response to INIT ACK When SCTP client received an INIT ACK chunk with missing mandatory parameter such as "cookie parameter", it will send back a ABORT with T-bit not set and verification tag is set to 0. This is because before we accept this INIT ACK chunk, we do not know the peer's tag. This patch change to reflect vtag when responding to INIT ACK with missing mandatory parameter. Signed-off-by: Wei Yongjun Signed-off-by: Vlad Yasevich commit a09c83847b664dcd67a72613374061c900afb799 Author: Vlad Yasevich Date: Wed Sep 5 15:53:58 2007 -0400 SCTP: Validate buffer room when processing sequential chunks When we process bundled chunks, we need to make sure that the skb has the buffer for each header since we assume it's always there. Some malicious node can send us something like DATA + 2 bytes and we'll try to walk off the end refrencing potentially uninitialized memory. Signed-off-by: Vlad Yasevich commit ca9938fea576ebbb8d8c4fbe8a5bcc937e49e1ca Author: Johannes Berg Date: Tue Sep 11 12:50:32 2007 +0200 [PATCH] mac80211: fix initialisation when built-in When mac80211 is built into the kernel it needs to init earlier so that device registrations are run after it has initialised. The same applies to rate control algorithms. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville commit 136e83d6b8999f4ef680ff9cf2a67e1e1ccbd94e Author: Johannes Berg Date: Mon Sep 10 13:55:08 2007 +0200 [PATCH] net/mac80211/wme.c: fix sparse warning wme.c triggers a sparse warning; it wasn't noticed before because until recently ARRAY_SIZE triggered a sparse error. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville commit 3a4624652e68ee897145ac698a85bfd2603367c3 Author: Johannes Berg Date: Mon Sep 10 13:44:45 2007 +0200 [PATCH] cfg80211: fix initialisation if built-in When cfg80211 is built into the kernel it needs to init earlier so that device registrations are run after it has initialised. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville commit 7b5ee3a038c869e773092834abaa8174e0d77514 Author: Satyam Sharma Date: Mon Sep 3 01:41:34 2007 +0530 [PATCH] net/wireless/sysfs.c: Shut up build warning net/wireless/sysfs.c:108: warning: ‘wiphy_uevent’ defined but not used when CONFIG_HOTPLUG=n is because the only usage site of this function is #ifdef'ed as such, so let's #ifdef the definition also. Signed-off-by: Satyam Sharma Acked-by: Johannes Berg Signed-off-by: John W. Linville commit 744551cceb73acd62189cb4afe0a336b2c9684d8 Author: Thomas Bogendoerfer Date: Tue Sep 25 22:49:37 2007 -0700 [SUNSAB]: Fix broken SYSRQ. Include SYSRQ support for SUNSAB if SUNSAB_CONSOLE is selected Signed-off-by: Thomas Bogendoerfer Signed-off-by: David S. Miller commit ff4abd6cfacf0bb23a077f615d3a5cd17359db1b Author: David Miller Date: Fri Aug 24 22:25:58 2007 -0700 [SCSI] esp: fix instance numbering. Because the ->unique_id is set too late, the ESP scsi host instance numbers in the kernel log during probing are wrong. Bug reported by Meelis Roos. Signed-off-by: David S. Miller Signed-off-by: James Bottomley commit edeb614c1c8388b354d93ff7790317cc5d6a38ec Author: Tejun Heo Date: Fri Sep 21 16:29:05 2007 +0900 pata_sis: add missing UDMA5 timing value in sis_66_set_dmamode() sis_66_set_dmamode() also handles early UDMA100 (SIS630 ET) but is missing udma timing value for UDMA100. According to sis5513, this should be 0x8000. This caused UDMA100 device to fail on pata_sis till it downgrades to UDMA66 while it works fine on sis5513 at UDMA100. Reported by Adam Blech. Signed-off-by: Tejun Heo Cc: Adam Blech Signed-off-by: Jeff Garzik commit 228f47b959a0cf2e24c9696757c7e6510334e499 Author: Tejun Heo Date: Sun Sep 23 12:37:05 2007 +0900 sata_sil24: fix IRQ clearing race when PCIX_IRQ_WOC is used When PCIX_IRQ_WOC is used, sil24 has an inherent race condition between clearing IRQ pending and reading IRQ status. If IRQ pending is cleared after reading IRQ status, there's possibility of lost IRQ. If IRQ pending is cleared before reading IRQ status, spurious IRQs will occur. sata_sil24 till now cleared IRQ pending after reading IRQ status thus losing IRQs on machines where PCIX_IRQ_WOC was used. Reverse the order and ignore spurious IRQs if PCIX_IRQ_WOC. Signed-off-by: Tejun Heo Signed-off-by: Jeff Garzik commit 78e1ca49c7ead5cd00882ed0c776260857613122 Author: Zhao Yakui Date: Thu Sep 20 21:23:13 2007 -0400 ACPI: hpet: ACPI Error (utglobal-0126): Unknown exception code: 0xFFFFFFF0 If hpet has been initialized before registering hpet driver, the callback function of hpet_resources will return the status code of -EBUSY, which is not defined in the ACPI exception table. So when ACPI checks the status code of callback function, it will report the unknown exception code. So the status code in ACPI is used instead of the generic error code in the ACPI callback function of hpet_resources. For example: -EBUSY is replaced by AE_ALREADY_EXISTS -EINVAL is replaced by AE_NO_MEMORY http://bugzilla.kernel.org/show_bug.cgi?id=8630 Signed-off-by: Zhao Yakui Signed-off-by: Len Brown commit 853298bc03ef65e3eb392f5d61265605214ee8fb Author: Alexey Starikovskiy Date: Tue Sep 25 18:45:15 2007 +0400 ACPI: CONFIG_ACPI_SLEEP=n power off regression in 2.6.23-rc8 (NOT in rc7) Signed-off-by: Alexey Starikovskiy Acked-by: Rafael J. Wysocki Signed-off-by: Len Brown commit 2f3f22269bdf702311342c5d106dfdd7347d1c3e Author: Alexey Starikovskiy Date: Mon Sep 24 14:33:21 2007 +0200 ACPI: suspend: build-fix for CONFIG_SUSPEND=n and CONFIG_HIBERNATION=y This fixes compilation with CONFIG_SUSPEND unset and CONFIG_HIBERNATION set (raf. http://marc.info/?l=linux-acpi&m=119055289723895&w=4). Signed-off-by: Alexey Starikovskiy Signed-off-by: Rafael J. Wysocki Signed-off-by: Len Brown commit bbbd2bf00bab467cff7b1f418b2cb24c71291f59 Author: Rusty Russell Date: Mon Sep 24 21:24:44 2007 -0700 fix modules oopsing in lguest guests The assembly templates for lguest guest patching are in the .init.text section. This means that modules get patched with "cc cc cc cc" or similar junk. Signed-off-by: Rusty Russell Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit fdfb870f8e34e77567043b388051df14f7d33482 Author: Danny ter Haar Date: Mon Sep 24 21:24:43 2007 -0700 typo fix Kernel config option Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit d1cf16c91605d051d36360f70858b06b103b4aed Author: Stephen Hemminger Date: Mon Sep 24 21:24:42 2007 -0700 missing null termination in one wire uevent Need to null terminate environment. Found by inspection while looking for similar problems to platform uevent bug Signed-off-by: Stephen Hemminger Cc: Greg Kroah-Hartman Acked-by: Evgeniy Polyakov Cc: Andrew Morton Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit afa684f6fda6086b229348f0ea21df7c8ad17964 Author: Cliff Wickman Date: Mon Sep 24 21:24:41 2007 -0700 fix "mspec: handle shrinking virtual memory areas" The vma_data structure may be shared by vma's from multiple tasks, with no way of knowing which areas are shared or not shared, so release/clear pages only when the refcount (of vma's) goes to zero. Signed-off-by: Cliff Wickman Cc: Jes Sorensen Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f9b7cba1b8a74c10b0771ca28d4c554aeb9803fc Author: Evgeniy Dushistov Date: Mon Sep 24 21:24:39 2007 -0700 ufs: fix sun state Different types of ufs hold state in different places, to hide complexity of this, there is ufs_get_fs_state, it returns state according to "UFS_SB(sb)->s_flags", but during mount ufs_get_fs_state is called, before setting s_flags, this cause message for ufs types like sun ufs: "fs need fsck", and remount in readonly state. Signed-off-by: Evgeniy Dushistov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 474f81967217f3bec2389ae913da72641f2c40e3 Author: Roland McGrath Date: Mon Sep 24 16:52:44 2007 -0700 [POWERPC] Ensure FULL_REGS on exec When PTRACE_O_TRACEEXEC is used, a ptrace call to fetch the registers at the PTRACE_EVENT_EXEC stop (PTRACE_PEEKUSR) will oops in CHECK_FULL_REGS. With recent versions, "gdb --args /bin/sh -c 'exec /bin/true'" and "run" at the (gdb) prompt is sufficient to produce this. I also have written an isolated test case, see https://bugzilla.redhat.com/show_bug.cgi?id=301791#c15. This change fixes the problem by clearing the low bit of pt_regs.trap in start_thread so that FULL_REGS is true again. This is correct since all of the GPRs that "full" refers to are cleared in start_thread. Signed-off-by: Roland McGrath Signed-off-by: Paul Mackerras commit 21c0f275085e5b884a409d75a7deb73ece6477fb Author: Jeff Garzik Date: Tue Sep 25 00:11:34 2007 -0400 Revert "drivers/net/pcmcia/3c589_cs: fix port configuration switcheroo" This reverts commit fadacb1b80e35e0b36a90d43e21ef91eec4b889b. The change being reverted made the driver consistent with include/linux/netdevice.h, but then inconsistent with the other PCMCIA ethernet drivers. Signed-off-by: Jeff Garzik commit cb560737676260ac15b68d426305ad5e755417ea Author: Thomas Rohwer Date: Tue Sep 25 00:06:25 2007 -0400 Input: appletouch - fix idle reset logic Idle count should only be incremented when touchpad button is not pressed, otherwise reset may happen at a wrong time and touchpad will never report button release event. Signed-off-by: Thomas Rohwer Acked-by: Matthew Garrett Signed-off-by: Dmitry Torokhov commit e0c281163d634e2982a81b55fc974a6663afde65 Author: Stephen Hemminger Date: Thu Sep 20 13:03:49 2007 -0700 sky2: be more selective about FIFO watchdog Be more selective about when to enable the ram buffer watchdog code. It is unnecessary on XL A3 or later revs, and with Yukon FE the buffer is so small (4K) that the watchdog detects false positives. Signed-off-by: Stephen Hemminger Signed-off-by: Jeff Garzik commit 6d3105d5388c359882068b161b431ab3db4b3721 Author: Stephen Hemminger Date: Mon Sep 24 19:34:51 2007 -0700 sky2: FE+ Phy initialization One more snippet of PHY initialization required for FE+ chips. Discovered in latest sk98lin 10.21.1.3 driver. Please apply to 2.6.23. Signed-off-by: Stephen Hemminger Signed-off-by: Jeff Garzik commit 2302827c95fe0f441025acd5133e532d2eef322b Author: James Bottomley Date: Sat Sep 22 08:40:09 2007 -0500 [SCSI] scsi_transport_spi: fix domain validation failure from incorrect width setting Domain Validation in the SPI transport class is failing on boxes with damaged cables (and failing to the extent that the box hangs). The problem is that the first test it does is a cable integrity test for wide transfers and if this fails, it turns the wide bit off. The problem is that the next set of tests it does turns wide back on again, with the result that it runs through the entirety of DV with a known bad setting and then hangs the system. The attached patch fixes the problem by physically nailing the wide setting to what it deduces it should be for the whole of Domain Validation. Signed-off-by: James Bottomley commit d59952d532ed8fc93ccb98186f73d9ce5cfcb93d Author: Jean Tourrilhes Date: Thu Sep 20 11:08:18 2007 -0700 [PATCH] WE : Add missing auth compat-ioctl Johannes just found that we are missing a compat-ioctl declaration. The fix is trivial. As previous patches for compat-ioctl, this should also go to stable. More info : http://marc.info/?l=linux-wireless&m=119029667902588&w=2 Signed-off-by: Jean Tourrilhes Signed-off-by: John W. Linville commit efe870f9f4ad74410a18ecbf0d9ba7c14b50a0fb Author: Larry Finger Date: Tue Sep 18 22:00:52 2007 -0500 [PATCH] softmac: Fix inability to associate with WEP networks Commit 4cf92a3c was submitted as a fix for bug #8686 at bugzilla.kernel.org (http://bugzilla.kernel.org/show_bug.cgi?id=8686). Unfortunately, the fix led to a new bug, reported by Yoshifuji Hideaki, that prevented association for WEP encrypted networks that use ifconfig to control the device. This patch effectively reverts the earlier commit and does a proper fix for bug #8686. Signed-off-by: Larry Finger Signed-off-by: John W. Linville commit d78ae2dcc2acebb9a1048278f47f762c069db75c Author: Francois Romieu Date: Sun Aug 26 20:08:19 2007 +0200 r8169: workaround against ignored TxPoll writes (8168) The 8168 ignores the requests to fetch the Tx descriptors when the relevant TxPoll bit is already set. It easily kills the performances of the 8168. David Gundersen has noticed that it is enough to wait for the completion of the DMA transfer (NPQ bit is cleared) before writing the TxPoll register again. The extra IO traffic added by the proposed workaround could be minimalized but it is not a high-priority task. Fix for: http://bugzilla.kernel.org/show_bug.cgi?id=7924 http://bugzilla.kernel.org/show_bug.cgi?id=8688 (http://bugzilla.kernel.org/show_bug.cgi?id=7555 ?) Signed-off-by: Francois Romieu Cc: David Gundersen Cc: Edward Hsu commit 65d916d95314566f426cc40ff0f17b754a773b0b Author: Edward Hsu Date: Fri Aug 17 10:14:36 2007 +0200 r8169: correct phy parameters for the 8110SC The phys of the 8110SC (RTL_GIGA_MAC_VER_{05/06}) act abnormally in gigabit mode if they are applied the parameters in rtl8169_hw_phy_config which actually aim the 8110S/SB. It is ok to return early from rtl8169_hw_phy_config as it does not apply to the 8101 and 8168 families. Signed-off-by: Edward Hsu Signed-off-by: Francois Romieu Documentation/lguest/lguest.c | 2 arch/i386/boot/memory.c | 30 ++- arch/i386/xen/mmu.c | 5 arch/powerpc/kernel/process.c | 7 + arch/powerpc/platforms/cell/spufs/file.c | 4 drivers/acpi/sleep/Makefile | 2 drivers/acpi/sleep/main.c | 46 ++-- drivers/ata/pata_sis.c | 3 drivers/ata/sata_sil24.c | 16 +- drivers/base/core.c | 1 drivers/cdrom/cdrom.c | 4 drivers/char/hpet.c | 9 + drivers/char/mspec.c | 26 +- drivers/input/mouse/appletouch.c | 6 - drivers/lguest/lguest_asm.S | 6 - drivers/media/video/usbvision/usbvision-video.c | 5 drivers/net/mv643xx_eth.c | 2 drivers/net/pcmcia/3c589_cs.c | 2 drivers/net/ppp_mppe.c | 14 + drivers/net/r8169.c | 14 + drivers/net/sky2.c | 37 ++-- drivers/net/sky2.h | 2 drivers/scsi/esp_scsi.c | 3 drivers/scsi/scsi_transport_spi.c | 28 ++- drivers/serial/sunsab.c | 2 drivers/w1/w1.c | 1 fs/compat_ioctl.c | 2 fs/lockd/svclock.c | 29 ++- fs/ufs/super.c | 4 include/acpi/acpi_drivers.h | 4 include/net/sctp/sm.h | 4 include/net/sctp/structs.h | 3 kernel/power/Kconfig | 2 lib/Kconfig.debug | 2 net/ieee80211/softmac/ieee80211softmac_assoc.c | 2 net/ieee80211/softmac/ieee80211softmac_wx.c | 54 ++--- net/mac80211/ieee80211.c | 2 net/mac80211/rc80211_simple.c | 2 net/mac80211/wme.c | 2 net/sctp/bind_addr.c | 2 net/sctp/input.c | 8 + net/sctp/inqueue.c | 8 + net/sctp/sm_make_chunk.c | 46 ++++ net/sctp/sm_statefuns.c | 243 +++++++++++++++++++---- net/sctp/sm_statetable.c | 16 +- net/wireless/core.c | 2 net/wireless/sysfs.c | 2 47 files changed, 505 insertions(+), 211 deletions(-) diff --git a/Documentation/lguest/lguest.c b/Documentation/lguest/lguest.c index f791840..73c5f1f 100644 --- a/Documentation/lguest/lguest.c +++ b/Documentation/lguest/lguest.c @@ -882,7 +882,7 @@ static u32 handle_block_output(int fd, c * of the block file (possibly extending it). */ if (off + len > device_len) { /* Trim it back to the correct length */ - ftruncate(dev->fd, device_len); + ftruncate64(dev->fd, device_len); /* Die, bad Guest, die. */ errx(1, "Write past end %llu+%u", off, len); } diff --git a/arch/i386/boot/memory.c b/arch/i386/boot/memory.c index 1a2e62d..bccaa1c 100644 --- a/arch/i386/boot/memory.c +++ b/arch/i386/boot/memory.c @@ -20,6 +20,7 @@ #define SMAP 0x534d4150 /* ASCII "SMAP" static int detect_memory_e820(void) { + int count = 0; u32 next = 0; u32 size, id; u8 err; @@ -33,14 +34,24 @@ static int detect_memory_e820(void) "=m" (*desc) : "D" (desc), "a" (0xe820)); - if (err || id != SMAP) + /* Some BIOSes stop returning SMAP in the middle of + the search loop. We don't know exactly how the BIOS + screwed up the map at that point, we might have a + partial map, the full map, or complete garbage, so + just return failure. */ + if (id != SMAP) { + count = 0; break; + } - boot_params.e820_entries++; + if (err) + break; + + count++; desc++; - } while (next && boot_params.e820_entries < E820MAX); + } while (next && count < E820MAX); - return boot_params.e820_entries; + return boot_params.e820_entries = count; } static int detect_memory_e801(void) @@ -89,11 +100,16 @@ static int detect_memory_88(void) int detect_memory(void) { + int err = -1; + if (detect_memory_e820() > 0) - return 0; + err = 0; if (!detect_memory_e801()) - return 0; + err = 0; + + if (!detect_memory_88()) + err = 0; - return detect_memory_88(); + return err; } diff --git a/arch/i386/xen/mmu.c b/arch/i386/xen/mmu.c index 4ae038a..874db0c 100644 --- a/arch/i386/xen/mmu.c +++ b/arch/i386/xen/mmu.c @@ -559,6 +559,9 @@ void xen_exit_mmap(struct mm_struct *mm) put_cpu(); spin_lock(&mm->page_table_lock); - xen_pgd_unpin(mm->pgd); + + /* pgd may not be pinned in the error exit path of execve */ + if (PagePinned(virt_to_page(mm->pgd))) + xen_pgd_unpin(mm->pgd); spin_unlock(&mm->page_table_lock); } diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c index e477c9d..8a1b001 100644 --- a/arch/powerpc/kernel/process.c +++ b/arch/powerpc/kernel/process.c @@ -605,6 +605,13 @@ #endif regs->ccr = 0; regs->gpr[1] = sp; + /* + * We have just cleared all the nonvolatile GPRs, so make + * FULL_REGS(regs) return true. This is necessary to allow + * ptrace to examine the thread immediately after exec. + */ + regs->trap &= ~1UL; + #ifdef CONFIG_PPC32 regs->mq = 0; regs->nip = start; diff --git a/arch/powerpc/platforms/cell/spufs/file.c b/arch/powerpc/platforms/cell/spufs/file.c index 4100ddc..7de4e91 100644 --- a/arch/powerpc/platforms/cell/spufs/file.c +++ b/arch/powerpc/platforms/cell/spufs/file.c @@ -2177,8 +2177,8 @@ struct tree_descr spufs_dir_contents[] = { "mbox_stat", &spufs_mbox_stat_fops, 0444, }, { "ibox_stat", &spufs_ibox_stat_fops, 0444, }, { "wbox_stat", &spufs_wbox_stat_fops, 0444, }, - { "signal1", &spufs_signal1_nosched_fops, 0222, }, - { "signal2", &spufs_signal2_nosched_fops, 0222, }, + { "signal1", &spufs_signal1_fops, 0666, }, + { "signal2", &spufs_signal2_fops, 0666, }, { "signal1_type", &spufs_signal1_type, 0666, }, { "signal2_type", &spufs_signal2_type, 0666, }, { "cntl", &spufs_cntl_fops, 0666, }, diff --git a/drivers/acpi/sleep/Makefile b/drivers/acpi/sleep/Makefile index ba9bd40..f1fb888 100644 --- a/drivers/acpi/sleep/Makefile +++ b/drivers/acpi/sleep/Makefile @@ -1,5 +1,5 @@ obj-y := wakeup.o -obj-$(CONFIG_ACPI_SLEEP) += main.o +obj-y += main.o obj-$(CONFIG_ACPI_SLEEP) += proc.o EXTRA_CFLAGS += $(ACPI_CFLAGS) diff --git a/drivers/acpi/sleep/main.c b/drivers/acpi/sleep/main.c index 85633c5..2cbb9aa 100644 --- a/drivers/acpi/sleep/main.c +++ b/drivers/acpi/sleep/main.c @@ -24,7 +24,30 @@ #include "sleep.h" u8 sleep_states[ACPI_S_STATE_COUNT]; +#ifdef CONFIG_PM_SLEEP static u32 acpi_target_sleep_state = ACPI_STATE_S0; +#endif + +int acpi_sleep_prepare(u32 acpi_state) +{ +#ifdef CONFIG_ACPI_SLEEP + /* do we have a wakeup address for S2 and S3? */ + if (acpi_state == ACPI_STATE_S3) { + if (!acpi_wakeup_address) { + return -EFAULT; + } + acpi_set_firmware_waking_vector((acpi_physical_address) + virt_to_phys((void *) + acpi_wakeup_address)); + + } + ACPI_FLUSH_CPU_CACHE(); + acpi_enable_wakeup_device_prep(acpi_state); +#endif + acpi_gpe_sleep_prepare(acpi_state); + acpi_enter_sleep_state_prep(acpi_state); + return 0; +} #ifdef CONFIG_SUSPEND static struct pm_ops acpi_pm_ops; @@ -60,27 +83,6 @@ static int acpi_pm_set_target(suspend_st return error; } -int acpi_sleep_prepare(u32 acpi_state) -{ -#ifdef CONFIG_ACPI_SLEEP - /* do we have a wakeup address for S2 and S3? */ - if (acpi_state == ACPI_STATE_S3) { - if (!acpi_wakeup_address) { - return -EFAULT; - } - acpi_set_firmware_waking_vector((acpi_physical_address) - virt_to_phys((void *) - acpi_wakeup_address)); - - } - ACPI_FLUSH_CPU_CACHE(); - acpi_enable_wakeup_device_prep(acpi_state); -#endif - acpi_gpe_sleep_prepare(acpi_state); - acpi_enter_sleep_state_prep(acpi_state); - return 0; -} - /** * acpi_pm_prepare - Do preliminary suspend work. * @pm_state: ignored @@ -299,6 +301,7 @@ int acpi_suspend(u32 acpi_state) return -EINVAL; } +#ifdef CONFIG_PM_SLEEP /** * acpi_pm_device_sleep_state - return preferred power state of ACPI device * in the system sleep state given by %acpi_target_sleep_state @@ -373,6 +376,7 @@ int acpi_pm_device_sleep_state(struct de *d_min_p = d_min; return d_max; } +#endif static void acpi_power_off_prepare(void) { diff --git a/drivers/ata/pata_sis.c b/drivers/ata/pata_sis.c index 2bd7645..cce2834 100644 --- a/drivers/ata/pata_sis.c +++ b/drivers/ata/pata_sis.c @@ -375,8 +375,9 @@ static void sis_66_set_dmamode (struct a int drive_pci = sis_old_port_base(adev); u16 timing; + /* MWDMA 0-2 and UDMA 0-5 */ const u16 mwdma_bits[] = { 0x008, 0x302, 0x301 }; - const u16 udma_bits[] = { 0xF000, 0xD000, 0xB000, 0xA000, 0x9000}; + const u16 udma_bits[] = { 0xF000, 0xD000, 0xB000, 0xA000, 0x9000, 0x8000 }; pci_read_config_word(pdev, drive_pci, &timing); diff --git a/drivers/ata/sata_sil24.c b/drivers/ata/sata_sil24.c index ef83e6b..233e886 100644 --- a/drivers/ata/sata_sil24.c +++ b/drivers/ata/sata_sil24.c @@ -888,6 +888,16 @@ static inline void sil24_host_intr(struc u32 slot_stat, qc_active; int rc; + /* If PCIX_IRQ_WOC, there's an inherent race window between + * clearing IRQ pending status and reading PORT_SLOT_STAT + * which may cause spurious interrupts afterwards. This is + * unavoidable and much better than losing interrupts which + * happens if IRQ pending is cleared after reading + * PORT_SLOT_STAT. + */ + if (ap->flags & SIL24_FLAG_PCIX_IRQ_WOC) + writel(PORT_IRQ_COMPLETE, port + PORT_IRQ_STAT); + slot_stat = readl(port + PORT_SLOT_STAT); if (unlikely(slot_stat & HOST_SSTAT_ATTN)) { @@ -895,9 +905,6 @@ static inline void sil24_host_intr(struc return; } - if (ap->flags & SIL24_FLAG_PCIX_IRQ_WOC) - writel(PORT_IRQ_COMPLETE, port + PORT_IRQ_STAT); - qc_active = slot_stat & ~HOST_SSTAT_ATTN; rc = ata_qc_complete_multiple(ap, qc_active, sil24_finish_qc); if (rc > 0) @@ -910,7 +917,8 @@ static inline void sil24_host_intr(struc return; } - if (ata_ratelimit()) + /* spurious interrupts are expected if PCIX_IRQ_WOC */ + if (!(ap->flags & SIL24_FLAG_PCIX_IRQ_WOC) && ata_ratelimit()) ata_port_printk(ap, KERN_INFO, "spurious interrupt " "(slot_stat 0x%x active_tag %d sactive 0x%x)\n", slot_stat, ap->active_tag, ap->sactive); diff --git a/drivers/base/core.c b/drivers/base/core.c index 6de33d7..67c9258 100644 --- a/drivers/base/core.c +++ b/drivers/base/core.c @@ -284,6 +284,7 @@ static ssize_t show_uevent(struct device /* let the kset specific function add its keys */ pos = data; + memset(envp, 0, sizeof(envp)); retval = kset->uevent_ops->uevent(kset, &dev->kobj, envp, ARRAY_SIZE(envp), pos, PAGE_SIZE); diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c index 67ee3d4..7924571 100644 --- a/drivers/cdrom/cdrom.c +++ b/drivers/cdrom/cdrom.c @@ -1032,6 +1032,10 @@ int cdrom_open(struct cdrom_device_info check_disk_change(ip->i_bdev); return 0; err_release: + if (CDROM_CAN(CDC_LOCK) && cdi->options & CDO_LOCK) { + cdi->ops->lock_door(cdi, 0); + cdinfo(CD_OPEN, "door unlocked.\n"); + } cdi->ops->release(cdi); err: cdi->use_count--; diff --git a/drivers/char/hpet.c b/drivers/char/hpet.c index 7ecffc9..4c16778 100644 --- a/drivers/char/hpet.c +++ b/drivers/char/hpet.c @@ -62,6 +62,8 @@ #endif static u32 hpet_nhpet, hpet_max_freq = HPET_USER_FREQ; +/* This clocksource driver currently only works on ia64 */ +#ifdef CONFIG_IA64 static void __iomem *hpet_mctr; static cycle_t read_hpet(void) @@ -79,6 +81,7 @@ static struct clocksource clocksource_hp .flags = CLOCK_SOURCE_IS_CONTINUOUS, }; static struct clocksource *hpet_clocksource; +#endif /* A lock for concurrent access by app and isr hpet activity. */ static DEFINE_SPINLOCK(hpet_lock); @@ -943,14 +946,14 @@ static acpi_status hpet_resources(struct printk(KERN_DEBUG "%s: 0x%lx is busy\n", __FUNCTION__, hdp->hd_phys_address); iounmap(hdp->hd_address); - return -EBUSY; + return AE_ALREADY_EXISTS; } } else if (res->type == ACPI_RESOURCE_TYPE_FIXED_MEMORY32) { struct acpi_resource_fixed_memory32 *fixmem32; fixmem32 = &res->data.fixed_memory32; if (!fixmem32) - return -EINVAL; + return AE_NO_MEMORY; hdp->hd_phys_address = fixmem32->address; hdp->hd_address = ioremap(fixmem32->address, @@ -960,7 +963,7 @@ static acpi_status hpet_resources(struct printk(KERN_DEBUG "%s: 0x%lx is busy\n", __FUNCTION__, hdp->hd_phys_address); iounmap(hdp->hd_address); - return -EBUSY; + return AE_ALREADY_EXISTS; } } else if (res->type == ACPI_RESOURCE_TYPE_EXTENDED_IRQ) { struct acpi_resource_extended_irq *irqp; diff --git a/drivers/char/mspec.c b/drivers/char/mspec.c index 049a46c..04ac155 100644 --- a/drivers/char/mspec.c +++ b/drivers/char/mspec.c @@ -155,23 +155,22 @@ mspec_open(struct vm_area_struct *vma) * mspec_close * * Called when unmapping a device mapping. Frees all mspec pages - * belonging to the vma. + * belonging to all the vma's sharing this vma_data structure. */ static void mspec_close(struct vm_area_struct *vma) { struct vma_data *vdata; - int index, last_index, result; + int index, last_index; unsigned long my_page; vdata = vma->vm_private_data; - BUG_ON(vma->vm_start < vdata->vm_start || vma->vm_end > vdata->vm_end); + if (!atomic_dec_and_test(&vdata->refcnt)) + return; - spin_lock(&vdata->lock); - index = (vma->vm_start - vdata->vm_start) >> PAGE_SHIFT; - last_index = (vma->vm_end - vdata->vm_start) >> PAGE_SHIFT; - for (; index < last_index; index++) { + last_index = (vdata->vm_end - vdata->vm_start) >> PAGE_SHIFT; + for (index = 0; index < last_index; index++) { if (vdata->maddr[index] == 0) continue; /* @@ -180,20 +179,12 @@ mspec_close(struct vm_area_struct *vma) */ my_page = vdata->maddr[index]; vdata->maddr[index] = 0; - spin_unlock(&vdata->lock); - result = mspec_zero_block(my_page, PAGE_SIZE); - if (!result) + if (!mspec_zero_block(my_page, PAGE_SIZE)) uncached_free_page(my_page); else printk(KERN_WARNING "mspec_close(): " - "failed to zero page %i\n", - result); - spin_lock(&vdata->lock); + "failed to zero page %ld\n", my_page); } - spin_unlock(&vdata->lock); - - if (!atomic_dec_and_test(&vdata->refcnt)) - return; if (vdata->flags & VMD_VMALLOCED) vfree(vdata); @@ -201,7 +192,6 @@ mspec_close(struct vm_area_struct *vma) kfree(vdata); } - /* * mspec_nopfn * diff --git a/drivers/input/mouse/appletouch.c b/drivers/input/mouse/appletouch.c index 2bea1b2..a1804bf 100644 --- a/drivers/input/mouse/appletouch.c +++ b/drivers/input/mouse/appletouch.c @@ -328,6 +328,7 @@ static void atp_complete(struct urb* urb { int x, y, x_z, y_z, x_f, y_f; int retval, i, j; + int key; struct atp *dev = urb->context; switch (urb->status) { @@ -468,6 +469,7 @@ static void atp_complete(struct urb* urb ATP_XFACT, &x_z, &x_f); y = atp_calculate_abs(dev->xy_acc + ATP_XSENSORS, ATP_YSENSORS, ATP_YFACT, &y_z, &y_f); + key = dev->data[dev->datalen - 1] & 1; if (x && y) { if (dev->x_old != -1) { @@ -505,7 +507,7 @@ static void atp_complete(struct urb* urb the first touch unless reinitialised. Do so if it's been idle for a while in order to avoid waking the kernel up several hundred times a second */ - if (atp_is_geyser_3(dev)) { + if (!key && atp_is_geyser_3(dev)) { dev->idlecount++; if (dev->idlecount == 10) { dev->valid = 0; @@ -514,7 +516,7 @@ static void atp_complete(struct urb* urb } } - input_report_key(dev->input, BTN_LEFT, dev->data[dev->datalen - 1] & 1); + input_report_key(dev->input, BTN_LEFT, key); input_sync(dev->input); exit: diff --git a/drivers/lguest/lguest_asm.S b/drivers/lguest/lguest_asm.S index f182c6a..1ddcd5c 100644 --- a/drivers/lguest/lguest_asm.S +++ b/drivers/lguest/lguest_asm.S @@ -22,8 +22,9 @@ #include jmp lguest_init /*G:055 We create a macro which puts the assembler code between lgstart_ and - * lgend_ markers. These templates end up in the .init.text section, so they - * are discarded after boot. */ + * lgend_ markers. These templates are put in the .text section: they can't be + * discarded after boot as we may need to patch modules, too. */ +.text #define LGUEST_PATCH(name, insns...) \ lgstart_##name: insns; lgend_##name:; \ .globl lgstart_##name; .globl lgend_##name @@ -34,7 +35,6 @@ LGUEST_PATCH(popf, movl %eax, lguest_dat LGUEST_PATCH(pushf, movl lguest_data+LGUEST_DATA_irq_enabled, %eax) /*:*/ -.text /* These demark the EIP range where host should never deliver interrupts. */ .global lguest_noirq_start .global lguest_noirq_end diff --git a/drivers/media/video/usbvision/usbvision-video.c b/drivers/media/video/usbvision/usbvision-video.c index e3371f9..0cb006f 100644 --- a/drivers/media/video/usbvision/usbvision-video.c +++ b/drivers/media/video/usbvision/usbvision-video.c @@ -1387,7 +1387,6 @@ static const struct file_operations usbv .ioctl = video_ioctl2, .llseek = no_llseek, /* .poll = video_poll, */ - .mmap = usbvision_v4l2_mmap, .compat_ioctl = v4l_compat_ioctl32, }; static struct video_device usbvision_video_template = { @@ -1413,7 +1412,7 @@ static struct video_device usbvision_vid .vidioc_s_input = vidioc_s_input, .vidioc_queryctrl = vidioc_queryctrl, .vidioc_g_audio = vidioc_g_audio, - .vidioc_g_audio = vidioc_s_audio, + .vidioc_s_audio = vidioc_s_audio, .vidioc_g_ctrl = vidioc_g_ctrl, .vidioc_s_ctrl = vidioc_s_ctrl, .vidioc_streamon = vidioc_streamon, @@ -1459,7 +1458,7 @@ static struct video_device usbvision_rad .vidioc_s_input = vidioc_s_input, .vidioc_queryctrl = vidioc_queryctrl, .vidioc_g_audio = vidioc_g_audio, - .vidioc_g_audio = vidioc_s_audio, + .vidioc_s_audio = vidioc_s_audio, .vidioc_g_ctrl = vidioc_g_ctrl, .vidioc_s_ctrl = vidioc_s_ctrl, .vidioc_g_tuner = vidioc_g_tuner, diff --git a/drivers/net/mv643xx_eth.c b/drivers/net/mv643xx_eth.c index 6a117e9..456d1e1 100644 --- a/drivers/net/mv643xx_eth.c +++ b/drivers/net/mv643xx_eth.c @@ -2768,8 +2768,6 @@ static const struct ethtool_ops mv643xx_ .get_stats_count = mv643xx_get_stats_count, .get_ethtool_stats = mv643xx_get_ethtool_stats, .get_strings = mv643xx_get_strings, - .get_stats_count = mv643xx_get_stats_count, - .get_ethtool_stats = mv643xx_get_ethtool_stats, .nway_reset = mv643xx_eth_nway_restart, }; diff --git a/drivers/net/pcmcia/3c589_cs.c b/drivers/net/pcmcia/3c589_cs.c index c06cae3..503f268 100644 --- a/drivers/net/pcmcia/3c589_cs.c +++ b/drivers/net/pcmcia/3c589_cs.c @@ -116,7 +116,7 @@ struct el3_private { spinlock_t lock; }; -static const char *if_names[] = { "auto", "10base2", "10baseT", "AUI" }; +static const char *if_names[] = { "auto", "10baseT", "10base2", "AUI" }; /*====================================================================*/ diff --git a/drivers/net/ppp_mppe.c b/drivers/net/ppp_mppe.c index f79cf87..c0b6d19 100644 --- a/drivers/net/ppp_mppe.c +++ b/drivers/net/ppp_mppe.c @@ -136,7 +136,7 @@ #define SANITY_MAX 1600 /* Max bogon fac * Key Derivation, from RFC 3078, RFC 3079. * Equivalent to Get_Key() for MS-CHAP as described in RFC 3079. */ -static void get_new_key_from_sha(struct ppp_mppe_state * state, unsigned char *InterimKey) +static void get_new_key_from_sha(struct ppp_mppe_state * state) { struct hash_desc desc; struct scatterlist sg[4]; @@ -153,8 +153,6 @@ static void get_new_key_from_sha(struct desc.flags = 0; crypto_hash_digest(&desc, sg, nbytes, state->sha1_digest); - - memcpy(InterimKey, state->sha1_digest, state->keylen); } /* @@ -163,21 +161,21 @@ static void get_new_key_from_sha(struct */ static void mppe_rekey(struct ppp_mppe_state * state, int initial_key) { - unsigned char InterimKey[MPPE_MAX_KEY_LEN]; struct scatterlist sg_in[1], sg_out[1]; struct blkcipher_desc desc = { .tfm = state->arc4 }; - get_new_key_from_sha(state, InterimKey); + get_new_key_from_sha(state); if (!initial_key) { - crypto_blkcipher_setkey(state->arc4, InterimKey, state->keylen); - setup_sg(sg_in, InterimKey, state->keylen); + crypto_blkcipher_setkey(state->arc4, state->sha1_digest, + state->keylen); + setup_sg(sg_in, state->sha1_digest, state->keylen); setup_sg(sg_out, state->session_key, state->keylen); if (crypto_blkcipher_encrypt(&desc, sg_out, sg_in, state->keylen) != 0) { printk(KERN_WARNING "mppe_rekey: cipher_encrypt failed\n"); } } else { - memcpy(state->session_key, InterimKey, state->keylen); + memcpy(state->session_key, state->sha1_digest, state->keylen); } if (state->keylen == 8) { /* See RFC 3078 */ diff --git a/drivers/net/r8169.c b/drivers/net/r8169.c index b85ab4a..c921ec3 100644 --- a/drivers/net/r8169.c +++ b/drivers/net/r8169.c @@ -1228,7 +1228,10 @@ static void rtl8169_hw_phy_config(struct return; } - /* phy config for RTL8169s mac_version C chip */ + if ((tp->mac_version != RTL_GIGA_MAC_VER_02) && + (tp->mac_version != RTL_GIGA_MAC_VER_03)) + return; + mdio_write(ioaddr, 31, 0x0001); //w 31 2 0 1 mdio_write(ioaddr, 21, 0x1000); //w 21 15 0 1000 mdio_write(ioaddr, 24, 0x65c7); //w 24 15 0 65c7 @@ -2567,6 +2570,15 @@ static void rtl8169_tx_interrupt(struct (TX_BUFFS_AVAIL(tp) >= MAX_SKB_FRAGS)) { netif_wake_queue(dev); } + /* + * 8168 hack: TxPoll requests are lost when the Tx packets are + * too close. Let's kick an extra TxPoll request when a burst + * of start_xmit activity is detected (if it is not detected, + * it is slow enough). -- FR + */ + smp_rmb(); + if (tp->cur_tx != dirty_tx) + RTL_W8(TxPoll, NPQ); } } diff --git a/drivers/net/sky2.c b/drivers/net/sky2.c index eaffe55..0792031 100644 --- a/drivers/net/sky2.c +++ b/drivers/net/sky2.c @@ -338,6 +338,16 @@ static void sky2_phy_init(struct sky2_hw if (!(hw->flags & SKY2_HW_GIGABIT)) { /* enable automatic crossover */ ctrl |= PHY_M_PC_MDI_XMODE(PHY_M_PC_ENA_AUTO) >> 1; + + if (hw->chip_id == CHIP_ID_YUKON_FE_P && + hw->chip_rev == CHIP_REV_YU_FE2_A0) { + u16 spec; + + /* Enable Class A driver for FE+ A0 */ + spec = gm_phy_read(hw, port, PHY_MARV_FE_SPEC_2); + spec |= PHY_M_FESC_SEL_CL_A; + gm_phy_write(hw, port, PHY_MARV_FE_SPEC_2, spec); + } } else { /* disable energy detect */ ctrl &= ~PHY_M_PC_EN_DET_MSK; @@ -816,7 +826,8 @@ static void sky2_mac_init(struct sky2_hw sky2_write8(hw, SK_REG(port, TX_GMF_CTRL_T), GMF_RST_CLR); sky2_write16(hw, SK_REG(port, TX_GMF_CTRL_T), GMF_OPER_ON); - if (!(hw->flags & SKY2_HW_RAMBUFFER)) { + /* On chips without ram buffer, pause is controled by MAC level */ + if (sky2_read8(hw, B2_E_0) == 0) { sky2_write8(hw, SK_REG(port, RX_GMF_LP_THR), 768/8); sky2_write8(hw, SK_REG(port, RX_GMF_UP_THR), 1024/8); @@ -1271,7 +1282,7 @@ static int sky2_up(struct net_device *de struct sky2_port *sky2 = netdev_priv(dev); struct sky2_hw *hw = sky2->hw; unsigned port = sky2->port; - u32 imask; + u32 imask, ramsize; int cap, err = -ENOMEM; struct net_device *otherdev = hw->dev[sky2->port^1]; @@ -1326,13 +1337,12 @@ static int sky2_up(struct net_device *de sky2_mac_init(hw, port); - if (hw->flags & SKY2_HW_RAMBUFFER) { - /* Register is number of 4K blocks on internal RAM buffer. */ - u32 ramsize = sky2_read8(hw, B2_E_0) * 4; + /* Register is number of 4K blocks on internal RAM buffer. */ + ramsize = sky2_read8(hw, B2_E_0) * 4; + if (ramsize > 0) { u32 rxspace; - printk(KERN_DEBUG PFX "%s: ram buffer %dK\n", dev->name, ramsize); - + pr_debug(PFX "%s: ram buffer %dK\n", dev->name, ramsize); if (ramsize < 16) rxspace = ramsize / 2; else @@ -1995,7 +2005,7 @@ static int sky2_change_mtu(struct net_de synchronize_irq(hw->pdev->irq); - if (!(hw->flags & SKY2_HW_RAMBUFFER)) + if (sky2_read8(hw, B2_E_0) == 0) sky2_set_tx_stfwd(hw, port); ctl = gma_read16(hw, port, GM_GP_CTRL); @@ -2526,7 +2536,7 @@ static void sky2_watchdog(unsigned long ++active; /* For chips with Rx FIFO, check if stuck */ - if ((hw->flags & SKY2_HW_RAMBUFFER) && + if ((hw->flags & SKY2_HW_FIFO_HANG_CHECK) && sky2_rx_hung(dev)) { pr_info(PFX "%s: receiver hang detected\n", dev->name); @@ -2684,8 +2694,10 @@ static int __devinit sky2_init(struct sk switch(hw->chip_id) { case CHIP_ID_YUKON_XL: hw->flags = SKY2_HW_GIGABIT - | SKY2_HW_NEWER_PHY - | SKY2_HW_RAMBUFFER; + | SKY2_HW_NEWER_PHY; + if (hw->chip_rev < 3) + hw->flags |= SKY2_HW_FIFO_HANG_CHECK; + break; case CHIP_ID_YUKON_EC_U: @@ -2711,11 +2723,10 @@ static int __devinit sky2_init(struct sk dev_err(&hw->pdev->dev, "unsupported revision Yukon-EC rev A1\n"); return -EOPNOTSUPP; } - hw->flags = SKY2_HW_GIGABIT | SKY2_HW_RAMBUFFER; + hw->flags = SKY2_HW_GIGABIT | SKY2_HW_FIFO_HANG_CHECK; break; case CHIP_ID_YUKON_FE: - hw->flags = SKY2_HW_RAMBUFFER; break; case CHIP_ID_YUKON_FE_P: diff --git a/drivers/net/sky2.h b/drivers/net/sky2.h index 69cd984..8bc5c54 100644 --- a/drivers/net/sky2.h +++ b/drivers/net/sky2.h @@ -2063,7 +2063,7 @@ #define SKY2_HW_USE_MSI 0x00000001 #define SKY2_HW_FIBRE_PHY 0x00000002 #define SKY2_HW_GIGABIT 0x00000004 #define SKY2_HW_NEWER_PHY 0x00000008 -#define SKY2_HW_RAMBUFFER 0x00000010 /* chip has RAM FIFO */ +#define SKY2_HW_FIFO_HANG_CHECK 0x00000010 #define SKY2_HW_NEW_LE 0x00000020 /* new LSOv2 format */ #define SKY2_HW_AUTO_TX_SUM 0x00000040 /* new IP decode for Tx */ #define SKY2_HW_ADV_POWER_CTL 0x00000080 /* additional PHY power regs */ diff --git a/drivers/scsi/esp_scsi.c b/drivers/scsi/esp_scsi.c index 77b06a9..95cf7b6 100644 --- a/drivers/scsi/esp_scsi.c +++ b/drivers/scsi/esp_scsi.c @@ -2314,6 +2314,7 @@ int __devinit scsi_esp_register(struct e esp->host->transportt = esp_transport_template; esp->host->max_lun = ESP_MAX_LUN; esp->host->cmd_per_lun = 2; + esp->host->unique_id = instance; esp_set_clock_params(esp); @@ -2337,7 +2338,7 @@ int __devinit scsi_esp_register(struct e if (err) return err; - esp->host->unique_id = instance++; + instance++; scsi_scan_host(esp->host); diff --git a/drivers/scsi/scsi_transport_spi.c b/drivers/scsi/scsi_transport_spi.c index 6f56f87..4df21c9 100644 --- a/drivers/scsi/scsi_transport_spi.c +++ b/drivers/scsi/scsi_transport_spi.c @@ -787,10 +787,12 @@ spi_dv_device_internal(struct scsi_devic struct scsi_target *starget = sdev->sdev_target; struct Scsi_Host *shost = sdev->host; int len = sdev->inquiry_len; + int min_period = spi_min_period(starget); + int max_width = spi_max_width(starget); /* first set us up for narrow async */ DV_SET(offset, 0); DV_SET(width, 0); - + if (spi_dv_device_compare_inquiry(sdev, buffer, buffer, DV_LOOPS) != SPI_COMPARE_SUCCESS) { starget_printk(KERN_ERR, starget, "Domain Validation Initial Inquiry Failed\n"); @@ -798,9 +800,13 @@ spi_dv_device_internal(struct scsi_devic return; } + if (!scsi_device_wide(sdev)) { + spi_max_width(starget) = 0; + max_width = 0; + } + /* test width */ - if (i->f->set_width && spi_max_width(starget) && - scsi_device_wide(sdev)) { + if (i->f->set_width && max_width) { i->f->set_width(starget, 1); if (spi_dv_device_compare_inquiry(sdev, buffer, @@ -809,6 +815,11 @@ spi_dv_device_internal(struct scsi_devic != SPI_COMPARE_SUCCESS) { starget_printk(KERN_ERR, starget, "Wide Transfers Fail\n"); i->f->set_width(starget, 0); + /* Make sure we don't force wide back on by asking + * for a transfer period that requires it */ + max_width = 0; + if (min_period < 10) + min_period = 10; } } @@ -828,7 +839,8 @@ spi_dv_device_internal(struct scsi_devic /* now set up to the maximum */ DV_SET(offset, spi_max_offset(starget)); - DV_SET(period, spi_min_period(starget)); + DV_SET(period, min_period); + /* try QAS requests; this should be harmless to set if the * target supports it */ if (scsi_device_qas(sdev)) { @@ -837,14 +849,14 @@ spi_dv_device_internal(struct scsi_devic DV_SET(qas, 0); } - if (scsi_device_ius(sdev) && spi_min_period(starget) < 9) { + if (scsi_device_ius(sdev) && min_period < 9) { /* This u320 (or u640). Set IU transfers */ DV_SET(iu, 1); /* Then set the optional parameters */ DV_SET(rd_strm, 1); DV_SET(wr_flow, 1); DV_SET(rti, 1); - if (spi_min_period(starget) == 8) + if (min_period == 8) DV_SET(pcomp_en, 1); } else { DV_SET(iu, 0); @@ -862,6 +874,10 @@ spi_dv_device_internal(struct scsi_devic } else { DV_SET(dt, 1); } + /* set width last because it will pull all the other + * parameters down to required values */ + DV_SET(width, max_width); + /* Do the read only INQUIRY tests */ spi_dv_retrain(sdev, buffer, buffer + sdev->inquiry_len, spi_dv_device_compare_inquiry); diff --git a/drivers/serial/sunsab.c b/drivers/serial/sunsab.c index e348ba6..ff610c2 100644 --- a/drivers/serial/sunsab.c +++ b/drivers/serial/sunsab.c @@ -38,7 +38,7 @@ #include #include #include -#if defined(CONFIG_SERIAL_SUNZILOG_CONSOLE) && defined(CONFIG_MAGIC_SYSRQ) +#if defined(CONFIG_SERIAL_SUNSAB_CONSOLE) && defined(CONFIG_MAGIC_SYSRQ) #define SUPPORT_SYSRQ #endif diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c index 8d7ab74..a593f90 100644 --- a/drivers/w1/w1.c +++ b/drivers/w1/w1.c @@ -431,6 +431,7 @@ static int w1_uevent(struct device *dev, err = add_uevent_var(envp, num_envp, &cur_index, buffer, buffer_size, &cur_len, "W1_SLAVE_ID=%024LX", (unsigned long long)sl->reg_num.id); + envp[cur_index] = NULL; if (err) return err; diff --git a/fs/compat_ioctl.c b/fs/compat_ioctl.c index 5a5b711..37310b0 100644 --- a/fs/compat_ioctl.c +++ b/fs/compat_ioctl.c @@ -3190,6 +3190,8 @@ COMPATIBLE_IOCTL(SIOCSIWRETRY) COMPATIBLE_IOCTL(SIOCGIWRETRY) COMPATIBLE_IOCTL(SIOCSIWPOWER) COMPATIBLE_IOCTL(SIOCGIWPOWER) +COMPATIBLE_IOCTL(SIOCSIWAUTH) +COMPATIBLE_IOCTL(SIOCGIWAUTH) /* hiddev */ COMPATIBLE_IOCTL(HIDIOCGVERSION) COMPATIBLE_IOCTL(HIDIOCAPPLICATION) diff --git a/fs/lockd/svclock.c b/fs/lockd/svclock.c index a21e4bc..d098c7a 100644 --- a/fs/lockd/svclock.c +++ b/fs/lockd/svclock.c @@ -171,19 +171,14 @@ found: * GRANTED_RES message by cookie, without having to rely on the client's IP * address. --okir */ -static inline struct nlm_block * -nlmsvc_create_block(struct svc_rqst *rqstp, struct nlm_file *file, - struct nlm_lock *lock, struct nlm_cookie *cookie) +static struct nlm_block * +nlmsvc_create_block(struct svc_rqst *rqstp, struct nlm_host *host, + struct nlm_file *file, struct nlm_lock *lock, + struct nlm_cookie *cookie) { struct nlm_block *block; - struct nlm_host *host; struct nlm_rqst *call = NULL; - /* Create host handle for callback */ - host = nlmsvc_lookup_host(rqstp, lock->caller, lock->len); - if (host == NULL) - return NULL; - call = nlm_alloc_call(host); if (call == NULL) return NULL; @@ -366,6 +361,7 @@ nlmsvc_lock(struct svc_rqst *rqstp, stru struct nlm_lock *lock, int wait, struct nlm_cookie *cookie) { struct nlm_block *block = NULL; + struct nlm_host *host; int error; __be32 ret; @@ -377,6 +373,10 @@ nlmsvc_lock(struct svc_rqst *rqstp, stru (long long)lock->fl.fl_end, wait); + /* Create host handle for callback */ + host = nlmsvc_lookup_host(rqstp, lock->caller, lock->len); + if (host == NULL) + return nlm_lck_denied_nolocks; /* Lock file against concurrent access */ mutex_lock(&file->f_mutex); @@ -385,7 +385,8 @@ nlmsvc_lock(struct svc_rqst *rqstp, stru */ block = nlmsvc_lookup_block(file, lock); if (block == NULL) { - block = nlmsvc_create_block(rqstp, file, lock, cookie); + block = nlmsvc_create_block(rqstp, nlm_get_host(host), file, + lock, cookie); ret = nlm_lck_denied_nolocks; if (block == NULL) goto out; @@ -449,6 +450,7 @@ nlmsvc_lock(struct svc_rqst *rqstp, stru out: mutex_unlock(&file->f_mutex); nlmsvc_release_block(block); + nlm_release_host(host); dprintk("lockd: nlmsvc_lock returned %u\n", ret); return ret; } @@ -477,10 +479,15 @@ nlmsvc_testlock(struct svc_rqst *rqstp, if (block == NULL) { struct file_lock *conf = kzalloc(sizeof(*conf), GFP_KERNEL); + struct nlm_host *host; if (conf == NULL) return nlm_granted; - block = nlmsvc_create_block(rqstp, file, lock, cookie); + /* Create host handle for callback */ + host = nlmsvc_lookup_host(rqstp, lock->caller, lock->len); + if (host == NULL) + return nlm_lck_denied_nolocks; + block = nlmsvc_create_block(rqstp, host, file, lock, cookie); if (block == NULL) { kfree(conf); return nlm_granted; diff --git a/fs/ufs/super.c b/fs/ufs/super.c index 73402c5..38eb0b7 100644 --- a/fs/ufs/super.c +++ b/fs/ufs/super.c @@ -894,7 +894,7 @@ magic_found: goto again; } - + sbi->s_flags = flags;/*after that line some functions use s_flags*/ ufs_print_super_stuff(sb, usb1, usb2, usb3); /* @@ -1025,8 +1025,6 @@ magic_found: UFS_MOUNT_UFSTYPE_44BSD) uspi->s_maxsymlinklen = fs32_to_cpu(sb, usb3->fs_un2.fs_44.fs_maxsymlinklen); - - sbi->s_flags = flags; inode = iget(sb, UFS_ROOTINO); if (!inode || is_bad_inode(inode)) diff --git a/include/acpi/acpi_drivers.h b/include/acpi/acpi_drivers.h index 202acb9..f85f77a 100644 --- a/include/acpi/acpi_drivers.h +++ b/include/acpi/acpi_drivers.h @@ -147,10 +147,6 @@ #endif /*-------------------------------------------------------------------------- Suspend/Resume -------------------------------------------------------------------------- */ -#ifdef CONFIG_ACPI_SLEEP extern int acpi_sleep_init(void); -#else -static inline int acpi_sleep_init(void) { return 0; } -#endif #endif /*__ACPI_DRIVERS_H__*/ diff --git a/include/net/sctp/sm.h b/include/net/sctp/sm.h index 991c85b..e8e3a64 100644 --- a/include/net/sctp/sm.h +++ b/include/net/sctp/sm.h @@ -114,7 +114,6 @@ sctp_state_fn_t sctp_sf_do_4_C; sctp_state_fn_t sctp_sf_eat_data_6_2; sctp_state_fn_t sctp_sf_eat_data_fast_4_4; sctp_state_fn_t sctp_sf_eat_sack_6_2; -sctp_state_fn_t sctp_sf_tabort_8_4_8; sctp_state_fn_t sctp_sf_operr_notify; sctp_state_fn_t sctp_sf_t1_init_timer_expire; sctp_state_fn_t sctp_sf_t1_cookie_timer_expire; @@ -247,6 +246,9 @@ struct sctp_chunk *sctp_make_asconf_upda int, __be16); struct sctp_chunk *sctp_make_asconf_set_prim(struct sctp_association *asoc, union sctp_addr *addr); +int sctp_verify_asconf(const struct sctp_association *asoc, + struct sctp_paramhdr *param_hdr, void *chunk_end, + struct sctp_paramhdr **errp); struct sctp_chunk *sctp_process_asconf(struct sctp_association *asoc, struct sctp_chunk *asconf); int sctp_process_asconf_ack(struct sctp_association *asoc, diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h index c2fe2dc..baff49d 100644 --- a/include/net/sctp/structs.h +++ b/include/net/sctp/structs.h @@ -421,6 +421,7 @@ struct sctp_signed_cookie { * internally. */ union sctp_addr_param { + struct sctp_paramhdr p; struct sctp_ipv4addr_param v4; struct sctp_ipv6addr_param v6; }; @@ -1156,7 +1157,7 @@ int sctp_bind_addr_copy(struct sctp_bind int sctp_add_bind_addr(struct sctp_bind_addr *, union sctp_addr *, __u8 use_as_src, gfp_t gfp); int sctp_del_bind_addr(struct sctp_bind_addr *, union sctp_addr *, - void (*rcu_call)(struct rcu_head *, + void fastcall (*rcu_call)(struct rcu_head *, void (*func)(struct rcu_head *))); int sctp_bind_addr_match(struct sctp_bind_addr *, const union sctp_addr *, struct sctp_sock *); diff --git a/kernel/power/Kconfig b/kernel/power/Kconfig index c8580a1..14b0e10 100644 --- a/kernel/power/Kconfig +++ b/kernel/power/Kconfig @@ -110,7 +110,7 @@ config SUSPEND config HIBERNATION_UP_POSSIBLE bool - depends on X86 || PPC64_SWSUSP || FRV || PPC32 + depends on X86 || PPC64_SWSUSP || PPC32 depends on !SMP default y diff --git a/lib/Kconfig.debug b/lib/Kconfig.debug index 50a94ee..495863a 100644 --- a/lib/Kconfig.debug +++ b/lib/Kconfig.debug @@ -284,7 +284,7 @@ config LOCKDEP select KALLSYMS_ALL config LOCK_STAT - bool "Lock usage statisitics" + bool "Lock usage statistics" depends on DEBUG_KERNEL && TRACE_IRQFLAGS_SUPPORT && STACKTRACE_SUPPORT && LOCKDEP_SUPPORT select LOCKDEP select DEBUG_SPINLOCK diff --git a/net/ieee80211/softmac/ieee80211softmac_assoc.c b/net/ieee80211/softmac/ieee80211softmac_assoc.c index afb6c66..e475f2e 100644 --- a/net/ieee80211/softmac/ieee80211softmac_assoc.c +++ b/net/ieee80211/softmac/ieee80211softmac_assoc.c @@ -273,8 +273,6 @@ ieee80211softmac_assoc_work(struct work_ ieee80211softmac_notify(mac->dev, IEEE80211SOFTMAC_EVENT_SCAN_FINISHED, ieee80211softmac_assoc_notify_scan, NULL); if (ieee80211softmac_start_scan(mac)) { dprintk(KERN_INFO PFX "Associate: failed to initiate scan. Is device up?\n"); - mac->associnfo.associating = 0; - mac->associnfo.associated = 0; } goto out; } else { diff --git a/net/ieee80211/softmac/ieee80211softmac_wx.c b/net/ieee80211/softmac/ieee80211softmac_wx.c index d054e92..442b987 100644 --- a/net/ieee80211/softmac/ieee80211softmac_wx.c +++ b/net/ieee80211/softmac/ieee80211softmac_wx.c @@ -70,44 +70,30 @@ ieee80211softmac_wx_set_essid(struct net char *extra) { struct ieee80211softmac_device *sm = ieee80211_priv(net_dev); - struct ieee80211softmac_network *n; struct ieee80211softmac_auth_queue_item *authptr; int length = 0; check_assoc_again: mutex_lock(&sm->associnfo.mutex); - /* Check if we're already associating to this or another network - * If it's another network, cancel and start over with our new network - * If it's our network, ignore the change, we're already doing it! - */ if((sm->associnfo.associating || sm->associnfo.associated) && (data->essid.flags && data->essid.length)) { - /* Get the associating network */ - n = ieee80211softmac_get_network_by_bssid(sm, sm->associnfo.bssid); - if(n && n->essid.len == data->essid.length && - !memcmp(n->essid.data, extra, n->essid.len)) { - dprintk(KERN_INFO PFX "Already associating or associated to "MAC_FMT"\n", - MAC_ARG(sm->associnfo.bssid)); - goto out; - } else { - dprintk(KERN_INFO PFX "Canceling existing associate request!\n"); - /* Cancel assoc work */ - cancel_delayed_work(&sm->associnfo.work); - /* We don't have to do this, but it's a little cleaner */ - list_for_each_entry(authptr, &sm->auth_queue, list) - cancel_delayed_work(&authptr->work); - sm->associnfo.bssvalid = 0; - sm->associnfo.bssfixed = 0; - sm->associnfo.associating = 0; - sm->associnfo.associated = 0; - /* We must unlock to avoid deadlocks with the assoc workqueue - * on the associnfo.mutex */ - mutex_unlock(&sm->associnfo.mutex); - flush_scheduled_work(); - /* Avoid race! Check assoc status again. Maybe someone started an - * association while we flushed. */ - goto check_assoc_again; - } + dprintk(KERN_INFO PFX "Canceling existing associate request!\n"); + /* Cancel assoc work */ + cancel_delayed_work(&sm->associnfo.work); + /* We don't have to do this, but it's a little cleaner */ + list_for_each_entry(authptr, &sm->auth_queue, list) + cancel_delayed_work(&authptr->work); + sm->associnfo.bssvalid = 0; + sm->associnfo.bssfixed = 0; + sm->associnfo.associating = 0; + sm->associnfo.associated = 0; + /* We must unlock to avoid deadlocks with the assoc workqueue + * on the associnfo.mutex */ + mutex_unlock(&sm->associnfo.mutex); + flush_scheduled_work(); + /* Avoid race! Check assoc status again. Maybe someone started an + * association while we flushed. */ + goto check_assoc_again; } sm->associnfo.static_essid = 0; @@ -153,13 +139,13 @@ ieee80211softmac_wx_get_essid(struct net data->essid.length = sm->associnfo.req_essid.len; data->essid.flags = 1; /* active */ memcpy(extra, sm->associnfo.req_essid.data, sm->associnfo.req_essid.len); - } - + dprintk(KERN_INFO PFX "Getting essid from req_essid\n"); + } else if (sm->associnfo.associated || sm->associnfo.associating) { /* If we're associating/associated, return that */ - if (sm->associnfo.associated || sm->associnfo.associating) { data->essid.length = sm->associnfo.associate_essid.len; data->essid.flags = 1; /* active */ memcpy(extra, sm->associnfo.associate_essid.data, sm->associnfo.associate_essid.len); + dprintk(KERN_INFO PFX "Getting essid from associate_essid\n"); } mutex_unlock(&sm->associnfo.mutex); diff --git a/net/mac80211/ieee80211.c b/net/mac80211/ieee80211.c index 7286c38..ff2172f 100644 --- a/net/mac80211/ieee80211.c +++ b/net/mac80211/ieee80211.c @@ -5259,7 +5259,7 @@ static void __exit ieee80211_exit(void) } -module_init(ieee80211_init); +subsys_initcall(ieee80211_init); module_exit(ieee80211_exit); MODULE_DESCRIPTION("IEEE 802.11 subsystem"); diff --git a/net/mac80211/rc80211_simple.c b/net/mac80211/rc80211_simple.c index f6780d6..17b9f46 100644 --- a/net/mac80211/rc80211_simple.c +++ b/net/mac80211/rc80211_simple.c @@ -431,7 +431,7 @@ static void __exit rate_control_simple_e } -module_init(rate_control_simple_init); +subsys_initcall(rate_control_simple_init); module_exit(rate_control_simple_exit); MODULE_DESCRIPTION("Simple rate control algorithm for ieee80211"); diff --git a/net/mac80211/wme.c b/net/mac80211/wme.c index 89ce815..7ab82b3 100644 --- a/net/mac80211/wme.c +++ b/net/mac80211/wme.c @@ -424,7 +424,7 @@ static int wme_qdiscop_init(struct Qdisc skb_queue_head_init(&q->requeued[i]); q->queues[i] = qdisc_create_dflt(qd->dev, &pfifo_qdisc_ops, qd->handle); - if (q->queues[i] == 0) { + if (!q->queues[i]) { q->queues[i] = &noop_qdisc; printk(KERN_ERR "%s child qdisc %i creation failed", dev->name, i); } diff --git a/net/sctp/bind_addr.c b/net/sctp/bind_addr.c index d35cbf5..dfffa94 100644 --- a/net/sctp/bind_addr.c +++ b/net/sctp/bind_addr.c @@ -181,7 +181,7 @@ int sctp_add_bind_addr(struct sctp_bind_ * structure. */ int sctp_del_bind_addr(struct sctp_bind_addr *bp, union sctp_addr *del_addr, - void (*rcu_call)(struct rcu_head *head, + void fastcall (*rcu_call)(struct rcu_head *head, void (*func)(struct rcu_head *head))) { struct sctp_sockaddr_entry *addr, *temp; diff --git a/net/sctp/input.c b/net/sctp/input.c index 47e5601..f9a0c92 100644 --- a/net/sctp/input.c +++ b/net/sctp/input.c @@ -622,6 +622,14 @@ static int sctp_rcv_ootb(struct sk_buff if (SCTP_CID_SHUTDOWN_COMPLETE == ch->type) goto discard; + /* RFC 4460, 2.11.2 + * This will discard packets with INIT chunk bundled as + * subsequent chunks in the packet. When INIT is first, + * the normal INIT processing will discard the chunk. + */ + if (SCTP_CID_INIT == ch->type && (void *)ch != skb->data) + goto discard; + /* RFC 8.4, 7) If the packet contains a "Stale cookie" ERROR * or a COOKIE ACK the SCTP Packet should be silently * discarded. diff --git a/net/sctp/inqueue.c b/net/sctp/inqueue.c index 88aa224..e4ea7fd 100644 --- a/net/sctp/inqueue.c +++ b/net/sctp/inqueue.c @@ -130,6 +130,14 @@ struct sctp_chunk *sctp_inq_pop(struct s /* Force chunk->skb->data to chunk->chunk_end. */ skb_pull(chunk->skb, chunk->chunk_end - chunk->skb->data); + + /* Verify that we have at least chunk headers + * worth of buffer left. + */ + if (skb_headlen(chunk->skb) < sizeof(sctp_chunkhdr_t)) { + sctp_chunk_free(chunk); + chunk = queue->in_progress = NULL; + } } } diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c index 2e34220..23ae37e 100644 --- a/net/sctp/sm_make_chunk.c +++ b/net/sctp/sm_make_chunk.c @@ -2499,6 +2499,52 @@ static __be16 sctp_process_asconf_param( return SCTP_ERROR_NO_ERROR; } +/* Verify the ASCONF packet before we process it. */ +int sctp_verify_asconf(const struct sctp_association *asoc, + struct sctp_paramhdr *param_hdr, void *chunk_end, + struct sctp_paramhdr **errp) { + sctp_addip_param_t *asconf_param; + union sctp_params param; + int length, plen; + + param.v = (sctp_paramhdr_t *) param_hdr; + while (param.v <= chunk_end - sizeof(sctp_paramhdr_t)) { + length = ntohs(param.p->length); + *errp = param.p; + + if (param.v > chunk_end - length || + length < sizeof(sctp_paramhdr_t)) + return 0; + + switch (param.p->type) { + case SCTP_PARAM_ADD_IP: + case SCTP_PARAM_DEL_IP: + case SCTP_PARAM_SET_PRIMARY: + asconf_param = (sctp_addip_param_t *)param.v; + plen = ntohs(asconf_param->param_hdr.length); + if (plen < sizeof(sctp_addip_param_t) + + sizeof(sctp_paramhdr_t)) + return 0; + break; + case SCTP_PARAM_SUCCESS_REPORT: + case SCTP_PARAM_ADAPTATION_LAYER_IND: + if (length != sizeof(sctp_addip_param_t)) + return 0; + + break; + default: + break; + } + + param.v += WORD_ROUND(length); + } + + if (param.v != chunk_end) + return 0; + + return 1; +} + /* Process an incoming ASCONF chunk with the next expected serial no. and * return an ASCONF_ACK chunk to be sent in response. */ diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index 177528e..a583d67 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -90,6 +90,11 @@ static sctp_disposition_t sctp_sf_shut_8 const sctp_subtype_t type, void *arg, sctp_cmd_seq_t *commands); +static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep, + const struct sctp_association *asoc, + const sctp_subtype_t type, + void *arg, + sctp_cmd_seq_t *commands); static struct sctp_sackhdr *sctp_sm_pull_sack(struct sctp_chunk *chunk); static sctp_disposition_t sctp_stop_t1_and_abort(sctp_cmd_seq_t *commands, @@ -98,6 +103,7 @@ static sctp_disposition_t sctp_stop_t1_a struct sctp_transport *transport); static sctp_disposition_t sctp_sf_abort_violation( + const struct sctp_endpoint *ep, const struct sctp_association *asoc, void *arg, sctp_cmd_seq_t *commands, @@ -111,6 +117,13 @@ static sctp_disposition_t sctp_sf_violat void *arg, sctp_cmd_seq_t *commands); +static sctp_disposition_t sctp_sf_violation_paramlen( + const struct sctp_endpoint *ep, + const struct sctp_association *asoc, + const sctp_subtype_t type, + void *arg, + sctp_cmd_seq_t *commands); + static sctp_disposition_t sctp_sf_violation_ctsn( const struct sctp_endpoint *ep, const struct sctp_association *asoc, @@ -118,6 +131,13 @@ static sctp_disposition_t sctp_sf_violat void *arg, sctp_cmd_seq_t *commands); +static sctp_disposition_t sctp_sf_violation_chunk( + const struct sctp_endpoint *ep, + const struct sctp_association *asoc, + const sctp_subtype_t type, + void *arg, + sctp_cmd_seq_t *commands); + /* Small helper function that checks if the chunk length * is of the appropriate length. The 'required_length' argument * is set to be the size of a specific chunk we are testing. @@ -181,16 +201,21 @@ sctp_disposition_t sctp_sf_do_4_C(const struct sctp_chunk *chunk = arg; struct sctp_ulpevent *ev; + if (!sctp_vtag_verify_either(chunk, asoc)) + return sctp_sf_pdiscard(ep, asoc, type, arg, commands); + /* RFC 2960 6.10 Bundling * * An endpoint MUST NOT bundle INIT, INIT ACK or * SHUTDOWN COMPLETE with any other chunks. */ if (!chunk->singleton) - return SCTP_DISPOSITION_VIOLATION; + return sctp_sf_violation_chunk(ep, asoc, type, arg, commands); - if (!sctp_vtag_verify_either(chunk, asoc)) - return sctp_sf_pdiscard(ep, asoc, type, arg, commands); + /* Make sure that the SHUTDOWN_COMPLETE chunk has a valid length. */ + if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) + return sctp_sf_violation_chunklen(ep, asoc, type, arg, + commands); /* RFC 2960 10.2 SCTP-to-ULP * @@ -450,17 +475,17 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(c if (!sctp_vtag_verify(chunk, asoc)) return sctp_sf_pdiscard(ep, asoc, type, arg, commands); - /* Make sure that the INIT-ACK chunk has a valid length */ - if (!sctp_chunk_length_valid(chunk, sizeof(sctp_initack_chunk_t))) - return sctp_sf_violation_chunklen(ep, asoc, type, arg, - commands); /* 6.10 Bundling * An endpoint MUST NOT bundle INIT, INIT ACK or * SHUTDOWN COMPLETE with any other chunks. */ if (!chunk->singleton) - return SCTP_DISPOSITION_VIOLATION; + return sctp_sf_violation_chunk(ep, asoc, type, arg, commands); + /* Make sure that the INIT-ACK chunk has a valid length */ + if (!sctp_chunk_length_valid(chunk, sizeof(sctp_initack_chunk_t))) + return sctp_sf_violation_chunklen(ep, asoc, type, arg, + commands); /* Grab the INIT header. */ chunk->subh.init_hdr = (sctp_inithdr_t *) chunk->skb->data; @@ -585,7 +610,7 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(co * control endpoint, respond with an ABORT. */ if (ep == sctp_sk((sctp_get_ctl_sock()))->ep) - return sctp_sf_ootb(ep, asoc, type, arg, commands); + return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); /* Make sure that the COOKIE_ECHO chunk has a valid length. * In this case, we check that we have enough for at least a @@ -2496,6 +2521,11 @@ sctp_disposition_t sctp_sf_do_9_2_reshut struct sctp_chunk *chunk = (struct sctp_chunk *) arg; struct sctp_chunk *reply; + /* Make sure that the chunk has a valid length */ + if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) + return sctp_sf_violation_chunklen(ep, asoc, type, arg, + commands); + /* Since we are not going to really process this INIT, there * is no point in verifying chunk boundries. Just generate * the SHUTDOWN ACK. @@ -2929,7 +2959,7 @@ sctp_disposition_t sctp_sf_eat_sack_6_2( * * The return value is the disposition of the chunk. */ -sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep, +static sctp_disposition_t sctp_sf_tabort_8_4_8(const struct sctp_endpoint *ep, const struct sctp_association *asoc, const sctp_subtype_t type, void *arg, @@ -2965,6 +2995,7 @@ sctp_disposition_t sctp_sf_tabort_8_4_8( SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); + sctp_sf_pdiscard(ep, asoc, type, arg, commands); return SCTP_DISPOSITION_CONSUME; } @@ -3125,14 +3156,14 @@ sctp_disposition_t sctp_sf_ootb(const st ch = (sctp_chunkhdr_t *) chunk->chunk_hdr; do { - /* Break out if chunk length is less then minimal. */ + /* Report violation if the chunk is less then minimal */ if (ntohs(ch->length) < sizeof(sctp_chunkhdr_t)) - break; - - ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length)); - if (ch_end > skb_tail_pointer(skb)) - break; + return sctp_sf_violation_chunklen(ep, asoc, type, arg, + commands); + /* Now that we know we at least have a chunk header, + * do things that are type appropriate. + */ if (SCTP_CID_SHUTDOWN_ACK == ch->type) ootb_shut_ack = 1; @@ -3144,15 +3175,19 @@ sctp_disposition_t sctp_sf_ootb(const st if (SCTP_CID_ABORT == ch->type) return sctp_sf_pdiscard(ep, asoc, type, arg, commands); + /* Report violation if chunk len overflows */ + ch_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length)); + if (ch_end > skb_tail_pointer(skb)) + return sctp_sf_violation_chunklen(ep, asoc, type, arg, + commands); + ch = (sctp_chunkhdr_t *) ch_end; } while (ch_end < skb_tail_pointer(skb)); if (ootb_shut_ack) - sctp_sf_shut_8_4_5(ep, asoc, type, arg, commands); + return sctp_sf_shut_8_4_5(ep, asoc, type, arg, commands); else - sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); - - return sctp_sf_pdiscard(ep, asoc, type, arg, commands); + return sctp_sf_tabort_8_4_8(ep, asoc, type, arg, commands); } /* @@ -3218,7 +3253,11 @@ static sctp_disposition_t sctp_sf_shut_8 if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) return sctp_sf_pdiscard(ep, asoc, type, arg, commands); - return SCTP_DISPOSITION_CONSUME; + /* We need to discard the rest of the packet to prevent + * potential bomming attacks from additional bundled chunks. + * This is documented in SCTP Threats ID. + */ + return sctp_sf_pdiscard(ep, asoc, type, arg, commands); } return SCTP_DISPOSITION_NOMEM; @@ -3241,6 +3280,13 @@ sctp_disposition_t sctp_sf_do_8_5_1_E_sa void *arg, sctp_cmd_seq_t *commands) { + struct sctp_chunk *chunk = arg; + + /* Make sure that the SHUTDOWN_ACK chunk has a valid length. */ + if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) + return sctp_sf_violation_chunklen(ep, asoc, type, arg, + commands); + /* Although we do have an association in this case, it corresponds * to a restarted association. So the packet is treated as an OOTB * packet and the state function that handles OOTB SHUTDOWN_ACK is @@ -3257,8 +3303,11 @@ sctp_disposition_t sctp_sf_do_asconf(con { struct sctp_chunk *chunk = arg; struct sctp_chunk *asconf_ack = NULL; + struct sctp_paramhdr *err_param = NULL; sctp_addiphdr_t *hdr; + union sctp_addr_param *addr_param; __u32 serial; + int length; if (!sctp_vtag_verify(chunk, asoc)) { sctp_add_cmd_sf(commands, SCTP_CMD_REPORT_BAD_TAG, @@ -3274,6 +3323,20 @@ sctp_disposition_t sctp_sf_do_asconf(con hdr = (sctp_addiphdr_t *)chunk->skb->data; serial = ntohl(hdr->serial); + addr_param = (union sctp_addr_param *)hdr->params; + length = ntohs(addr_param->p.length); + if (length < sizeof(sctp_paramhdr_t)) + return sctp_sf_violation_paramlen(ep, asoc, type, + (void *)addr_param, commands); + + /* Verify the ASCONF chunk before processing it. */ + if (!sctp_verify_asconf(asoc, + (sctp_paramhdr_t *)((void *)addr_param + length), + (void *)chunk->chunk_end, + &err_param)) + return sctp_sf_violation_paramlen(ep, asoc, type, + (void *)&err_param, commands); + /* ADDIP 4.2 C1) Compare the value of the serial number to the value * the endpoint stored in a new association variable * 'Peer-Serial-Number'. @@ -3328,6 +3391,7 @@ sctp_disposition_t sctp_sf_do_asconf_ack struct sctp_chunk *asconf_ack = arg; struct sctp_chunk *last_asconf = asoc->addip_last_asconf; struct sctp_chunk *abort; + struct sctp_paramhdr *err_param = NULL; sctp_addiphdr_t *addip_hdr; __u32 sent_serial, rcvd_serial; @@ -3345,6 +3409,14 @@ sctp_disposition_t sctp_sf_do_asconf_ack addip_hdr = (sctp_addiphdr_t *)asconf_ack->skb->data; rcvd_serial = ntohl(addip_hdr->serial); + /* Verify the ASCONF-ACK chunk before processing it. */ + if (!sctp_verify_asconf(asoc, + (sctp_paramhdr_t *)addip_hdr->params, + (void *)asconf_ack->chunk_end, + &err_param)) + return sctp_sf_violation_paramlen(ep, asoc, type, + (void *)&err_param, commands); + if (last_asconf) { addip_hdr = (sctp_addiphdr_t *)last_asconf->subh.addip_hdr; sent_serial = ntohl(addip_hdr->serial); @@ -3655,6 +3727,16 @@ sctp_disposition_t sctp_sf_discard_chunk void *arg, sctp_cmd_seq_t *commands) { + struct sctp_chunk *chunk = arg; + + /* Make sure that the chunk has a valid length. + * Since we don't know the chunk type, we use a general + * chunkhdr structure to make a comparison. + */ + if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) + return sctp_sf_violation_chunklen(ep, asoc, type, arg, + commands); + SCTP_DEBUG_PRINTK("Chunk %d is discarded\n", type.chunk); return SCTP_DISPOSITION_DISCARD; } @@ -3710,6 +3792,13 @@ sctp_disposition_t sctp_sf_violation(con void *arg, sctp_cmd_seq_t *commands) { + struct sctp_chunk *chunk = arg; + + /* Make sure that the chunk has a valid length. */ + if (!sctp_chunk_length_valid(chunk, sizeof(sctp_chunkhdr_t))) + return sctp_sf_violation_chunklen(ep, asoc, type, arg, + commands); + return SCTP_DISPOSITION_VIOLATION; } @@ -3717,12 +3806,14 @@ sctp_disposition_t sctp_sf_violation(con * Common function to handle a protocol violation. */ static sctp_disposition_t sctp_sf_abort_violation( + const struct sctp_endpoint *ep, const struct sctp_association *asoc, void *arg, sctp_cmd_seq_t *commands, const __u8 *payload, const size_t paylen) { + struct sctp_packet *packet = NULL; struct sctp_chunk *chunk = arg; struct sctp_chunk *abort = NULL; @@ -3731,30 +3822,51 @@ static sctp_disposition_t sctp_sf_abort_ if (!abort) goto nomem; - sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); - SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); + if (asoc) { + sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); + SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); - if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) { - sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, - SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); - sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, - SCTP_ERROR(ECONNREFUSED)); - sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, - SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); + if (asoc->state <= SCTP_STATE_COOKIE_ECHOED) { + sctp_add_cmd_sf(commands, SCTP_CMD_TIMER_STOP, + SCTP_TO(SCTP_EVENT_TIMEOUT_T1_INIT)); + sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, + SCTP_ERROR(ECONNREFUSED)); + sctp_add_cmd_sf(commands, SCTP_CMD_INIT_FAILED, + SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); + } else { + sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, + SCTP_ERROR(ECONNABORTED)); + sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, + SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); + SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); + } } else { - sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, - SCTP_ERROR(ECONNABORTED)); - sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, - SCTP_PERR(SCTP_ERROR_PROTO_VIOLATION)); - SCTP_DEC_STATS(SCTP_MIB_CURRESTAB); + packet = sctp_ootb_pkt_new(asoc, chunk); + + if (!packet) + goto nomem_pkt; + + if (sctp_test_T_bit(abort)) + packet->vtag = ntohl(chunk->sctp_hdr->vtag); + + abort->skb->sk = ep->base.sk; + + sctp_packet_append_chunk(packet, abort); + + sctp_add_cmd_sf(commands, SCTP_CMD_SEND_PKT, + SCTP_PACKET(packet)); + + SCTP_INC_STATS(SCTP_MIB_OUTCTRLCHUNKS); } - sctp_add_cmd_sf(commands, SCTP_CMD_DISCARD_PACKET, SCTP_NULL()); + sctp_sf_pdiscard(ep, asoc, SCTP_ST_CHUNK(0), arg, commands); SCTP_INC_STATS(SCTP_MIB_ABORTEDS); return SCTP_DISPOSITION_ABORT; +nomem_pkt: + sctp_chunk_free(abort); nomem: return SCTP_DISPOSITION_NOMEM; } @@ -3787,7 +3899,24 @@ static sctp_disposition_t sctp_sf_violat { char err_str[]="The following chunk had invalid length:"; - return sctp_sf_abort_violation(asoc, arg, commands, err_str, + return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, + sizeof(err_str)); +} + +/* + * Handle a protocol violation when the parameter length is invalid. + * "Invalid" length is identified as smaller then the minimal length a + * given parameter can be. + */ +static sctp_disposition_t sctp_sf_violation_paramlen( + const struct sctp_endpoint *ep, + const struct sctp_association *asoc, + const sctp_subtype_t type, + void *arg, + sctp_cmd_seq_t *commands) { + char err_str[] = "The following parameter had invalid length:"; + + return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, sizeof(err_str)); } @@ -3806,10 +3935,31 @@ static sctp_disposition_t sctp_sf_violat { char err_str[]="The cumulative tsn ack beyond the max tsn currently sent:"; - return sctp_sf_abort_violation(asoc, arg, commands, err_str, + return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, sizeof(err_str)); } +/* Handle protocol violation of an invalid chunk bundling. For example, + * when we have an association and we recieve bundled INIT-ACK, or + * SHUDOWN-COMPLETE, our peer is clearly violationg the "MUST NOT bundle" + * statement from the specs. Additinally, there might be an attacker + * on the path and we may not want to continue this communication. + */ +static sctp_disposition_t sctp_sf_violation_chunk( + const struct sctp_endpoint *ep, + const struct sctp_association *asoc, + const sctp_subtype_t type, + void *arg, + sctp_cmd_seq_t *commands) +{ + char err_str[]="The following chunk violates protocol:"; + + if (!asoc) + return sctp_sf_violation(ep, asoc, type, arg, commands); + + return sctp_sf_abort_violation(ep, asoc, arg, commands, err_str, + sizeof(err_str)); +} /*************************************************************************** * These are the state functions for handling primitive (Section 10) events. ***************************************************************************/ @@ -5176,7 +5326,22 @@ static struct sctp_packet *sctp_ootb_pkt * association exists, otherwise, use the peer's vtag. */ if (asoc) { - vtag = asoc->peer.i.init_tag; + /* Special case the INIT-ACK as there is no peer's vtag + * yet. + */ + switch(chunk->chunk_hdr->type) { + case SCTP_CID_INIT_ACK: + { + sctp_initack_chunk_t *initack; + + initack = (sctp_initack_chunk_t *)chunk->chunk_hdr; + vtag = ntohl(initack->init_hdr.init_tag); + break; + } + default: + vtag = asoc->peer.i.init_tag; + break; + } } else { /* Special case the INIT and stale COOKIE_ECHO as there is no * vtag yet. diff --git a/net/sctp/sm_statetable.c b/net/sctp/sm_statetable.c index 70a91ec..ddb0ba3 100644 --- a/net/sctp/sm_statetable.c +++ b/net/sctp/sm_statetable.c @@ -110,7 +110,7 @@ #define TYPE_SCTP_DATA { \ /* SCTP_STATE_EMPTY */ \ TYPE_SCTP_FUNC(sctp_sf_ootb), \ /* SCTP_STATE_CLOSED */ \ - TYPE_SCTP_FUNC(sctp_sf_tabort_8_4_8), \ + TYPE_SCTP_FUNC(sctp_sf_ootb), \ /* SCTP_STATE_COOKIE_WAIT */ \ TYPE_SCTP_FUNC(sctp_sf_discard_chunk), \ /* SCTP_STATE_COOKIE_ECHOED */ \ @@ -173,7 +173,7 @@ #define TYPE_SCTP_SACK { \ /* SCTP_STATE_EMPTY */ \ TYPE_SCTP_FUNC(sctp_sf_ootb), \ /* SCTP_STATE_CLOSED */ \ - TYPE_SCTP_FUNC(sctp_sf_tabort_8_4_8), \ + TYPE_SCTP_FUNC(sctp_sf_ootb), \ /* SCTP_STATE_COOKIE_WAIT */ \ TYPE_SCTP_FUNC(sctp_sf_discard_chunk), \ /* SCTP_STATE_COOKIE_ECHOED */ \ @@ -194,7 +194,7 @@ #define TYPE_SCTP_HEARTBEAT { \ /* SCTP_STATE_EMPTY */ \ TYPE_SCTP_FUNC(sctp_sf_ootb), \ /* SCTP_STATE_CLOSED */ \ - TYPE_SCTP_FUNC(sctp_sf_tabort_8_4_8), \ + TYPE_SCTP_FUNC(sctp_sf_ootb), \ /* SCTP_STATE_COOKIE_WAIT */ \ TYPE_SCTP_FUNC(sctp_sf_discard_chunk), \ /* SCTP_STATE_COOKIE_ECHOED */ \ @@ -216,7 +216,7 @@ #define TYPE_SCTP_HEARTBEAT_ACK { \ /* SCTP_STATE_EMPTY */ \ TYPE_SCTP_FUNC(sctp_sf_ootb), \ /* SCTP_STATE_CLOSED */ \ - TYPE_SCTP_FUNC(sctp_sf_tabort_8_4_8), \ + TYPE_SCTP_FUNC(sctp_sf_ootb), \ /* SCTP_STATE_COOKIE_WAIT */ \ TYPE_SCTP_FUNC(sctp_sf_violation), \ /* SCTP_STATE_COOKIE_ECHOED */ \ @@ -258,7 +258,7 @@ #define TYPE_SCTP_SHUTDOWN { \ /* SCTP_STATE_EMPTY */ \ TYPE_SCTP_FUNC(sctp_sf_ootb), \ /* SCTP_STATE_CLOSED */ \ - TYPE_SCTP_FUNC(sctp_sf_tabort_8_4_8), \ + TYPE_SCTP_FUNC(sctp_sf_ootb), \ /* SCTP_STATE_COOKIE_WAIT */ \ TYPE_SCTP_FUNC(sctp_sf_discard_chunk), \ /* SCTP_STATE_COOKIE_ECHOED */ \ @@ -300,7 +300,7 @@ #define TYPE_SCTP_ERROR { \ /* SCTP_STATE_EMPTY */ \ TYPE_SCTP_FUNC(sctp_sf_ootb), \ /* SCTP_STATE_CLOSED */ \ - TYPE_SCTP_FUNC(sctp_sf_tabort_8_4_8), \ + TYPE_SCTP_FUNC(sctp_sf_ootb), \ /* SCTP_STATE_COOKIE_WAIT */ \ TYPE_SCTP_FUNC(sctp_sf_discard_chunk), \ /* SCTP_STATE_COOKIE_ECHOED */ \ @@ -499,7 +499,7 @@ #define TYPE_SCTP_FWD_TSN { \ /* SCTP_STATE_EMPTY */ \ TYPE_SCTP_FUNC(sctp_sf_ootb), \ /* SCTP_STATE_CLOSED */ \ - TYPE_SCTP_FUNC(sctp_sf_tabort_8_4_8), \ + TYPE_SCTP_FUNC(sctp_sf_ootb), \ /* SCTP_STATE_COOKIE_WAIT */ \ TYPE_SCTP_FUNC(sctp_sf_discard_chunk), \ /* SCTP_STATE_COOKIE_ECHOED */ \ @@ -528,7 +528,7 @@ chunk_event_table_unknown[SCTP_STATE_NUM /* SCTP_STATE_EMPTY */ TYPE_SCTP_FUNC(sctp_sf_ootb), /* SCTP_STATE_CLOSED */ - TYPE_SCTP_FUNC(sctp_sf_tabort_8_4_8), + TYPE_SCTP_FUNC(sctp_sf_ootb), /* SCTP_STATE_COOKIE_WAIT */ TYPE_SCTP_FUNC(sctp_sf_unk_chunk), /* SCTP_STATE_COOKIE_ECHOED */ diff --git a/net/wireless/core.c b/net/wireless/core.c index 7eabd55..9771451 100644 --- a/net/wireless/core.c +++ b/net/wireless/core.c @@ -213,7 +213,7 @@ out_fail_notifier: out_fail_sysfs: return err; } -module_init(cfg80211_init); +subsys_initcall(cfg80211_init); static void cfg80211_exit(void) { diff --git a/net/wireless/sysfs.c b/net/wireless/sysfs.c index 88aaacd..2d5d225 100644 --- a/net/wireless/sysfs.c +++ b/net/wireless/sysfs.c @@ -52,12 +52,14 @@ static void wiphy_dev_release(struct dev cfg80211_dev_free(rdev); } +#ifdef CONFIG_HOTPLUG static int wiphy_uevent(struct device *dev, char **envp, int num_envp, char *buf, int size) { /* TODO, we probably need stuff here */ return 0; } +#endif struct class ieee80211_class = { .name = "ieee80211",