From cbbd7d4f36a61631f8c0d73be43df985d1e7d6a6 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Thu, 4 Jan 2007 16:56:46 -0800 Subject: [INET]: Fix incorrect "inet_sock->is_icsk" assignment. The inet_create() and inet6_create() functions incorrectly set the inet_sock->is_icsk field. Both functions assume that the is_icsk field is large enough to hold at least a INET_PROTOSW_ICSK value when it is actually only a single bit. This patch corrects the assignment by doing a boolean comparison whose result will safely fit into a single bit field. Signed-off-by: Paul Moore Signed-off-by: David S. Miller --- net/ipv4/af_inet.c | 2 +- net/ipv6/af_inet6.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c index 1144900d37f..d60fd7321e6 100644 --- a/net/ipv4/af_inet.c +++ b/net/ipv4/af_inet.c @@ -305,7 +305,7 @@ lookup_protocol: sk->sk_reuse = 1; inet = inet_sk(sk); - inet->is_icsk = INET_PROTOSW_ICSK & answer_flags; + inet->is_icsk = (INET_PROTOSW_ICSK & answer_flags) == INET_PROTOSW_ICSK; if (SOCK_RAW == sock->type) { inet->num = protocol; diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c index e5cd83b2205..832a5e6e2d7 100644 --- a/net/ipv6/af_inet6.c +++ b/net/ipv6/af_inet6.c @@ -171,7 +171,7 @@ lookup_protocol: sk->sk_reuse = 1; inet = inet_sk(sk); - inet->is_icsk = INET_PROTOSW_ICSK & answer_flags; + inet->is_icsk = (INET_PROTOSW_ICSK & answer_flags) == INET_PROTOSW_ICSK; if (SOCK_RAW == sock->type) { inet->num = protocol; -- cgit v1.2.3 From d2e7543c41755f4ec75385536b109d5f084fe734 Mon Sep 17 00:00:00 2001 From: Andrew Hendry Date: Thu, 4 Jan 2007 17:00:56 -0800 Subject: [X25]: Trivial, SOCK_DEBUG's in x25_facilities missing newlines Trivial. Newlines missing on the SOCK_DEBUG's for X.25 facility negotiation. Signed-off-by: Andrew Hendry Signed-off-by: David S. Miller --- net/x25/x25_facilities.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
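Review bot: The new assignment in inet_create() writes the truth test as `(INET_PROTOSW_ICSK & answer_flags) == INET_PROTOSW_ICSK`, which is correct but reads like an all-bits-set mask comparison. For a single-flag mask, `inet->is_icsk = (answer_flags & INET_PROTOSW_ICSK) != 0;` states the intent more directly. The identical line in the af_inet6.c hunk would get the same change. A comment such as `/* is_icsk is a 1-bit field: store a boolean, not the masked flag */` would keep the truncation from being reintroduced. Both functions extend beyond their hunks, so other bitfield assignments in them were not checked.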
diff --git a/net/x25/x25_facilities.c b/net/x25/x25_facilities.c index 9f42b9c9de3..27f5cc7966f 100644 --- a/net/x25/x25_facilities.c +++ b/net/x25/x25_facilities.c @@ -254,7 +254,7 @@ int x25_negotiate_facilities(struct sk_buff *skb, struct sock *sk, * They want reverse charging, we won't accept it. */ if ((theirs.reverse & 0x01 ) && (ours->reverse & 0x01)) { - SOCK_DEBUG(sk, "X.25: rejecting reverse charging request"); + SOCK_DEBUG(sk, "X.25: rejecting reverse charging request\n"); return -1; } @@ -262,29 +262,29 @@ int x25_negotiate_facilities(struct sk_buff *skb, struct sock *sk, if (theirs.throughput) { if (theirs.throughput < ours->throughput) { - SOCK_DEBUG(sk, "X.25: throughput negotiated down"); + SOCK_DEBUG(sk, "X.25: throughput negotiated down\n"); new->throughput = theirs.throughput; } } if (theirs.pacsize_in && theirs.pacsize_out) { if (theirs.pacsize_in < ours->pacsize_in) { - SOCK_DEBUG(sk, "X.25: packet size inwards negotiated down"); + SOCK_DEBUG(sk, "X.25: packet size inwards negotiated down\n"); new->pacsize_in = theirs.pacsize_in; } if (theirs.pacsize_out < ours->pacsize_out) { - SOCK_DEBUG(sk, "X.25: packet size outwards negotiated down"); + SOCK_DEBUG(sk, "X.25: packet size outwards negotiated down\n"); new->pacsize_out = theirs.pacsize_out; } } if (theirs.winsize_in && theirs.winsize_out) { if (theirs.winsize_in < ours->winsize_in) { - SOCK_DEBUG(sk, "X.25: window size inwards negotiated down"); + SOCK_DEBUG(sk, "X.25: window size inwards negotiated down\n"); new->winsize_in = theirs.winsize_in; } if (theirs.winsize_out < ours->winsize_out) { - SOCK_DEBUG(sk, "X.25: window size outwards negotiated down"); + SOCK_DEBUG(sk, "X.25: window size outwards negotiated down\n"); new->winsize_out = theirs.winsize_out; } } -- cgit v1.2.3 From f4777569204cb59f2f04fbe9ef4e9a6918209104 Mon Sep 17 00:00:00 2001 
From: Marcel Holtmann Date: Mon, 8 Jan 2007 02:16:23 +0100 Subject: [Bluetooth] Add packet size checks for CAPI messages With malformed packets it might be possible to overwrite internal CMTP and CAPI data structures. This patch adds additional length checks to prevent these kinds of remote attacks. Signed-off-by: Marcel Holtmann --- net/bluetooth/cmtp/capi.c | 39 +++++++++++++++++++++++++++++++++------ 1 file changed, 33 insertions(+), 6 deletions(-) diff --git a/net/bluetooth/cmtp/capi.c b/net/bluetooth/cmtp/capi.c index be04e9fb11f..ab166b48ce8 100644 --- a/net/bluetooth/cmtp/capi.c +++ b/net/bluetooth/cmtp/capi.c @@ -196,6 +196,9 @@ static void cmtp_recv_interopmsg(struct cmtp_session *session, struct sk_buff *s switch (CAPIMSG_SUBCOMMAND(skb->data)) { case CAPI_CONF: + if (skb->len < CAPI_MSG_BASELEN + 10) + break; + func = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 5); info = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 8); @@ -226,6 +229,9 @@ static void cmtp_recv_interopmsg(struct cmtp_session *session, struct sk_buff *s break; case CAPI_FUNCTION_GET_PROFILE: + if (skb->len < CAPI_MSG_BASELEN + 11 + sizeof(capi_profile)) + break; + controller = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 11); msgnum = CAPIMSG_MSGID(skb->data); @@ -246,17 +252,26 @@ static void cmtp_recv_interopmsg(struct cmtp_session *session, struct sk_buff *s break; case CAPI_FUNCTION_GET_MANUFACTURER: + if (skb->len < CAPI_MSG_BASELEN + 15) + break; + controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 10); if (!info && ctrl) { + int len = min_t(uint, CAPI_MANUFACTURER_LEN, + skb->data[CAPI_MSG_BASELEN + 14]); + + memset(ctrl->manu, 0, CAPI_MANUFACTURER_LEN); strncpy(ctrl->manu, - skb->data + CAPI_MSG_BASELEN + 15, - skb->data[CAPI_MSG_BASELEN + 14]); + skb->data + CAPI_MSG_BASELEN + 15, len); } break; case CAPI_FUNCTION_GET_VERSION: + if (skb->len < CAPI_MSG_BASELEN + 32) + break; + controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 12); if (!info && ctrl) { 
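Review bot: In the CAPI_FUNCTION_GET_MANUFACTURER case the new `len` is capped by CAPI_MANUFACTURER_LEN but not by the bytes actually present, so the `strncpy` can still read past `skb->len` when the length byte at `CAPI_MSG_BASELEN + 14` exceeds the remaining payload. The guard only proves that 15 bytes past the base header exist. The CAPI_IND hunk already bounds its length with `skb->len - CAPI_MSG_BASELEN - 6`, and the same pattern fits here: `len = min_t(uint, len, skb->len - CAPI_MSG_BASELEN - 15);`. The CAPI_FUNCTION_GET_SERIAL_NUMBER hunk has the same gap at offset 17. When `len` equals the full field size, `strncpy` also leaves `ctrl->manu` without a terminating NUL, which matters only if a consumer outside this diff treats it as a C string.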
@@ -269,13 +284,18 @@ static void cmtp_recv_interopmsg(struct cmtp_session *session, struct sk_buff *s break; case CAPI_FUNCTION_GET_SERIAL_NUMBER: + if (skb->len < CAPI_MSG_BASELEN + 17) + break; + controller = CAPIMSG_U32(skb->data, CAPI_MSG_BASELEN + 12); if (!info && ctrl) { + int len = min_t(uint, CAPI_SERIAL_LEN, + skb->data[CAPI_MSG_BASELEN + 16]); + memset(ctrl->serial, 0, CAPI_SERIAL_LEN); strncpy(ctrl->serial, - skb->data + CAPI_MSG_BASELEN + 17, - skb->data[CAPI_MSG_BASELEN + 16]); + skb->data + CAPI_MSG_BASELEN + 17, len); } break; @@ -284,14 +304,18 @@ static void cmtp_recv_interopmsg(struct cmtp_session *session, struct sk_buff *s break; case CAPI_IND: + if (skb->len < CAPI_MSG_BASELEN + 6) + break; + func = CAPIMSG_U16(skb->data, CAPI_MSG_BASELEN + 3); if (func == CAPI_FUNCTION_LOOPBACK) { + int len = min_t(uint, skb->len - CAPI_MSG_BASELEN - 6, + skb->data[CAPI_MSG_BASELEN + 5]); appl = CAPIMSG_APPID(skb->data); msgnum = CAPIMSG_MSGID(skb->data); cmtp_send_interopmsg(session, CAPI_RESP, appl, msgnum, func, - skb->data + CAPI_MSG_BASELEN + 6, - skb->data[CAPI_MSG_BASELEN + 5]); + skb->data + CAPI_MSG_BASELEN + 6, len); } break; @@ -309,6 +333,9 @@ void cmtp_recv_capimsg(struct cmtp_session *session, struct sk_buff *skb) BT_DBG("session %p skb %p len %d", session, skb, skb->len); + if (skb->len < CAPI_MSG_BASELEN) + return; + if (CAPIMSG_COMMAND(skb->data) == CAPI_INTEROPERABILITY) { cmtp_recv_interopmsg(session, skb); return; -- cgit v1.2.3 From b6e557fbf1dbba8cfa667a25503e5dbd0e9330b7 Mon Sep 17 00:00:00 2001 From: Marcel Holtmann Date: Mon, 8 Jan 2007 02:16:27 +0100 Subject: [Bluetooth] More checks if DLC is still attached to the TTY If the DLC device is no longer attached to the TTY device, then return errors or default values for various callbacks of the TTY layer. Signed-off-by: Marcel Holtmann --- net/bluetooth/rfcomm/tty.c | 22 +++++++++++++++------- 1 file changed, 15 insertions(+), 7 deletions(-) 
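Review bot: The early `return` added at the top of cmtp_recv_capimsg() leaves `skb` untouched, and the hunk does not show who releases the buffer on this path. If the normal path hands `skb` to a consumer that frees it, a short message is never freed, and a peer that keeps sending undersized frames would slowly exhaust memory. Confirm the ownership rule against the caller; if this function owns the buffer, the guard should read `if (skb->len < CAPI_MSG_BASELEN) { kfree_skb(skb); return; }`. The interoperability branch visible just below returns the same way and deserves the same check.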
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c index e0e0d09023b..eb2b52484c7 100644 --- a/net/bluetooth/rfcomm/tty.c +++ b/net/bluetooth/rfcomm/tty.c @@ -697,9 +697,13 @@ static int rfcomm_tty_write_room(struct tty_struct *tty) BT_DBG("tty %p", tty); + if (!dev || !dev->dlc) + return 0; + room = rfcomm_room(dev->dlc) - atomic_read(&dev->wmem_alloc); if (room < 0) room = 0; + return room; } @@ -915,12 +919,14 @@ static void rfcomm_tty_unthrottle(struct tty_struct *tty) static int rfcomm_tty_chars_in_buffer(struct tty_struct *tty) { struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data; - struct rfcomm_dlc *dlc = dev->dlc; BT_DBG("tty %p dev %p", tty, dev); - if (!skb_queue_empty(&dlc->tx_queue)) - return dlc->mtu; + if (!dev || !dev->dlc) + return 0; + + if (!skb_queue_empty(&dev->dlc->tx_queue)) + return dev->dlc->mtu; return 0; } @@ -928,11 +934,12 @@ static int rfcomm_tty_chars_in_buffer(struct tty_struct *tty) static void rfcomm_tty_flush_buffer(struct tty_struct *tty) { struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data; - if (!dev) - return; BT_DBG("tty %p dev %p", tty, dev); + if (!dev || !dev->dlc) + return; + skb_queue_purge(&dev->dlc->tx_queue); if (test_bit(TTY_DO_WRITE_WAKEUP, &tty->flags) && tty->ldisc.write_wakeup) @@ -952,11 +959,12 @@ static void rfcomm_tty_wait_until_sent(struct tty_struct *tty, int timeout) static void rfcomm_tty_hangup(struct tty_struct *tty) { struct rfcomm_dev *dev = (struct rfcomm_dev *) tty->driver_data; - if (!dev) - return; BT_DBG("tty %p dev %p", tty, dev); + if (!dev) + return; + rfcomm_tty_flush_buffer(tty); if (test_bit(RFCOMM_RELEASE_ONHUP, &dev->flags)) -- cgit v1.2.3 From 4d6a2188bd456969f52c03edf1988de90f08d9f5 Mon Sep 17 00:00:00 2001 
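Review bot: The added `if (!dev || !dev->dlc)` test in rfcomm_tty_write_room() and the use of `dev->dlc` on the next statement are separate loads with no lock visible in the hunk, so a DLC detached between them would still be dereferenced. Reading the pointer once narrows that window: `struct rfcomm_dlc *dlc = dev ? dev->dlc : NULL;` followed by `if (!dlc) return 0;`. The rfcomm_tty_chars_in_buffer() hunk removes exactly such a local and now loads `dev->dlc` three times, and rfcomm_tty_flush_buffer() has the same check-then-use shape. Whether detach can run concurrently with these callbacks is not visible here. A local copy alone does not keep the DLC alive, so the lifetime rule deserves a comment beside the check.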
From: Marcel Holtmann Date: Mon, 8 Jan 2007 02:16:31 +0100 Subject: [Bluetooth] Fix uninitialized return value for RFCOMM sendmsg() When calling send() with a zero length parameter on a RFCOMM socket it returns a positive value. In this rare case the variable err is used uninitialized and unfortunately its value is returned. Signed-off-by: Marcel Holtmann --- net/bluetooth/rfcomm/sock.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c index 544d65b7baa..cb7e855f082 100644 --- a/net/bluetooth/rfcomm/sock.c +++ b/net/bluetooth/rfcomm/sock.c @@ -557,7 +557,6 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct sock *sk = sock->sk; struct rfcomm_dlc *d = rfcomm_pi(sk)->dlc; struct sk_buff *skb; - int err; int sent = 0; if (msg->msg_flags & MSG_OOB) @@ -572,6 +571,7 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock, while (len) { size_t size = min_t(size_t, len, d->mtu); + int err; skb = sock_alloc_send_skb(sk, size + RFCOMM_SKB_RESERVE, msg->msg_flags & MSG_DONTWAIT, &err); @@ -582,13 +582,16 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock, err = memcpy_fromiovec(skb_put(skb, size), msg->msg_iov, size); if (err) { kfree_skb(skb); - sent = err; + if (sent == 0) + sent = err; break; } err = rfcomm_dlc_send(d, skb); if (err < 0) { kfree_skb(skb); + if (sent == 0) + sent = err; break; } @@ -598,7 +601,7 @@ static int rfcomm_sock_sendmsg(struct kiocb *iocb, struct socket *sock, release_sock(sk); - return sent ? sent : err; + return sent; } static long rfcomm_sock_data_wait(struct sock *sk, long timeo) -- cgit v1.2.3 From c893779e9fbe78575cbd04596f1fcafdb48e8f3f Mon Sep 17 00:00:00 2001 
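Review bot: With `err` now scoped to the loop body and the function ending in `return sent;`, any exit path that does not copy `err` into `sent` reports success. The two failure branches in the third hunk do this, but the handling of a failed `sock_alloc_send_skb()` sits between the hunks and is not shown. If that branch is still a bare `break`, a failed first allocation (for example with MSG_DONTWAIT set) now returns 0 instead of the error. It would need the same line, `if (sent == 0) sent = err;`, before the `break`.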
From: Marcel Holtmann Date: Mon, 8 Jan 2007 02:16:38 +0100 Subject: [Bluetooth] Handle device registration failures In the case the device registration for a new Bluetooth low-level connection fails there is no need to unregister it when the temporary data structure has been removed. Signed-off-by: Marcel Holtmann --- net/bluetooth/hci_sysfs.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c index d4c935692cc..801d687ea4e 100644 --- a/net/bluetooth/hci_sysfs.c +++ b/net/bluetooth/hci_sysfs.c @@ -242,7 +242,7 @@ static void add_conn(struct work_struct *work) struct hci_conn *conn = container_of(work, struct hci_conn, work); int i; - if (device_register(&conn->dev) < 0) { + if (device_add(&conn->dev) < 0) { BT_ERR("Failed to register connection device"); return; } @@ -272,6 +272,8 @@ void hci_conn_add_sysfs(struct hci_conn *conn) dev_set_drvdata(&conn->dev, conn); + device_initialize(&conn->dev); + INIT_WORK(&conn->work, add_conn); schedule_work(&conn->work); @@ -287,6 +289,9 @@ void hci_conn_del_sysfs(struct hci_conn *conn) { BT_DBG("conn %p", conn); + if (!device_is_registered(&conn->dev)) + return; + INIT_WORK(&conn->work, del_conn); schedule_work(&conn->work); -- cgit v1.2.3 From 5939be43a5718dadda2810b011c786c3e2c581ce Mon Sep 17 00:00:00 2001 From: Marcel Holtmann Date: Mon, 8 Jan 2007 02:16:46 +0100 Subject: [Bluetooth] Correct SCO buffer size for another ThinkPad laptop The ThinkPad R60E uses a Broadcom based Bluetooth chip and even this version needs the quirk to correct the SCO buffer size values. Signed-off-by: Marcel Holtmann --- drivers/bluetooth/hci_usb.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/bluetooth/hci_usb.c b/drivers/bluetooth/hci_usb.c index aeefec97fde..93d2836cac0 100644 --- a/drivers/bluetooth/hci_usb.c +++ b/drivers/bluetooth/hci_usb.c 
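Review bot: The `device_is_registered()` test added to hci_conn_del_sysfs() runs at call time, while registration happens later in the add_conn work item queued by hci_conn_add_sysfs(). A connection torn down before that work has run skips del_conn and can then be registered by the still-pending add_conn. The same early return is taken after a failed `device_add()`, and nothing visible drops the reference taken by the new `device_initialize()` call on that path. Waiting for the pending work before testing, for example `flush_scheduled_work();` ahead of the check, would close the ordering gap, provided this function is allowed to sleep, which the hunk does not show. Both functions also re-run `INIT_WORK()` on the same `conn->work`, which is only safe once the earlier item has finished.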
@@ -117,6 +117,7 @@ static struct usb_device_id blacklist_ids[] = { /* IBM/Lenovo ThinkPad with Broadcom chip */ { USB_DEVICE(0x0a5c, 0x201e), .driver_info = HCI_WRONG_SCO_MTU }, + { USB_DEVICE(0x0a5c, 0x2110), .driver_info = HCI_WRONG_SCO_MTU }, /* ANYCOM Bluetooth USB-200 and USB-250 */ { USB_DEVICE(0x0a5c, 0x2111), .driver_info = HCI_RESET }, -- cgit v1.2.3 From da942704c10129ecd0337a48ed4a0b0db59936b9 Mon Sep 17 00:00:00 2001 From: Marcel Holtmann Date: Mon, 8 Jan 2007 02:16:50 +0100 Subject: [Bluetooth] Correct SCO buffer for Broadcom based HP laptops The SCO buffer size values on HP laptops with a Bluetooth chip from Broadcom are wrong. The USB Bluetooth driver has to set a quirk to correct the SCO buffer size values. Signed-off-by: Marcel Holtmann --- drivers/bluetooth/hci_usb.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drivers/bluetooth/hci_usb.c b/drivers/bluetooth/hci_usb.c index 93d2836cac0..01d6789b3eb 100644 --- a/drivers/bluetooth/hci_usb.c +++ b/drivers/bluetooth/hci_usb.c @@ -122,6 +122,9 @@ static struct usb_device_id blacklist_ids[] = { /* ANYCOM Bluetooth USB-200 and USB-250 */ { USB_DEVICE(0x0a5c, 0x2111), .driver_info = HCI_RESET }, + /* HP laptop with Broadcom chip */ + { USB_DEVICE(0x03f0, 0x171d), .driver_info = HCI_WRONG_SCO_MTU }, + /* Microsoft Wireless Transceiver for Bluetooth 2.0 */ { USB_DEVICE(0x045e, 0x009c), .driver_info = HCI_RESET }, -- cgit v1.2.3 From 86112ffdccab3ee75bc9d9dfae6745df73189e37 Mon Sep 17 00:00:00 2001 From: Marcel Holtmann Date: Mon, 8 Jan 2007 02:16:53 +0100 Subject: [Bluetooth] Correct SCO buffer for Broadcom based Dell laptops The SCO buffer size values on Dell laptops with a Bluetooth chip from Broadcom are wrong. The USB Bluetooth driver has to set a quirk to correct the SCO buffer size values. Signed-off-by: Marcel Holtmann --- drivers/bluetooth/hci_usb.c | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/drivers/bluetooth/hci_usb.c b/drivers/bluetooth/hci_usb.c index 01d6789b3eb..6bdf593081d 100644 --- a/drivers/bluetooth/hci_usb.c +++ b/drivers/bluetooth/hci_usb.c @@ -125,6 +125,9 @@ static struct usb_device_id blacklist_ids[] = { /* HP laptop with Broadcom chip */ { USB_DEVICE(0x03f0, 0x171d), .driver_info = HCI_WRONG_SCO_MTU }, + /* Dell laptop with Broadcom chip */ + { USB_DEVICE(0x413c, 0x8126), .driver_info = HCI_WRONG_SCO_MTU }, + /* Microsoft Wireless Transceiver for Bluetooth 2.0 */ { USB_DEVICE(0x045e, 0x009c), .driver_info = HCI_RESET }, -- cgit v1.2.3 From 797951200679f1d5ea12a2e58cc7bdbc2848764c Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Fri, 5 Jan 2007 15:08:21 -0500 Subject: NetLabel: correct locking in selinux_netlbl_socket_setsid() The spinlock protecting the update of the "sksec->nlbl_state" variable is not currently softirq safe which can lead to problems. This patch fixes this by changing the spin_{un}lock() functions into spin_{un}lock_bh() functions. Signed-off-by: Paul Moore Signed-off-by: James Morris --- security/selinux/ss/services.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 372eaade3ca..3eb1fa9f0de 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -2491,9 +2491,9 @@ static int selinux_netlbl_socket_setsid(struct socket *sock, u32 sid) rc = netlbl_socket_setattr(sock, &secattr); if (rc == 0) { - spin_lock(&sksec->nlbl_lock); + spin_lock_bh(&sksec->nlbl_lock); sksec->nlbl_state = NLBL_LABELED; - spin_unlock(&sksec->nlbl_lock); + spin_unlock_bh(&sksec->nlbl_lock); } netlbl_socket_setsid_return: -- cgit v1.2.3 From 2a2f11c227bdf292b3a2900ad04139d301b56ac4 Mon Sep 17 00:00:00 2001 
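Review bot: Switching this one site in selinux_netlbl_socket_setsid() to `spin_lock_bh()` only helps if every other process-context acquisition of `sksec->nlbl_lock` does the same; a remaining plain `spin_lock()` elsewhere would leave the softirq deadlock possible. Those call sites are outside the hunk, so this is a request to confirm rather than a finding. A comment at the lock's declaration, along the lines of `/* also taken from softirq context: use the _bh variants in process context */`, would record the rule for later callers.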
From: Paul Moore Date: Fri, 5 Jan 2007 15:08:22 -0500 Subject: NetLabel: correct CIPSO tag handling when adding new DOI definitions The current netlbl_cipsov4_add_common() function has two problems which are fixed with this patch. The first is an off-by-one bug where it is possibile to overflow the doi_def->tags[] array. The second is a bug where the same doi_def->tags[] array was not always fully initialized, which caused sporadic failures. Signed-off-by: Paul Moore Signed-off-by: James Morris --- net/netlabel/netlabel_cipso_v4.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c index 4afc75f9e37..73e0ff469bf 100644 --- a/net/netlabel/netlabel_cipso_v4.c +++ b/net/netlabel/netlabel_cipso_v4.c @@ -130,12 +130,12 @@ static int netlbl_cipsov4_add_common(struct genl_info *info, nla_for_each_nested(nla, info->attrs[NLBL_CIPSOV4_A_TAGLST], nla_rem) if (nla->nla_type == NLBL_CIPSOV4_A_TAG) { - if (iter > CIPSO_V4_TAG_MAXCNT) + if (iter >= CIPSO_V4_TAG_MAXCNT) return -EINVAL; doi_def->tags[iter++] = nla_get_u8(nla); } - if (iter < CIPSO_V4_TAG_MAXCNT) - doi_def->tags[iter] = CIPSO_V4_TAG_INVALID; + while (iter < CIPSO_V4_TAG_MAXCNT) + doi_def->tags[iter++] = CIPSO_V4_TAG_INVALID; return 0; } -- cgit v1.2.3 From 261dd5ca05c6f36c9216f2d60b018f59f92620c4 Mon Sep 17 00:00:00 2001 From: Michael Chan Date: Mon, 8 Jan 2007 19:55:46 -0800 Subject: [BNX2]: Don't apply CRC PHY workaround to 5709. The workaround is only needed on 5706/5708 and cannot be applied on 5709. Signed-off-by: Michael Chan Signed-off-by: David S. Miller --- drivers/net/bnx2.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/bnx2.c b/drivers/net/bnx2.c index ada5e9b9988..8d682fc3760 100644 --- a/drivers/net/bnx2.c +++ b/drivers/net/bnx2.c 
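Review bot: The `nla_for_each_nested()` loop in netlbl_cipsov4_add_common() still has an unbraced multi-line body, which is easy to misread next to the new `while` padding loop; bracing the `if` block under the macro would make the extent of the loop explicit. The bound fix itself reads correctly, since `iter >= CIPSO_V4_TAG_MAXCNT` rejects the write before `tags[iter++]`. Two things are not visible in the hunk and are worth confirming. One is that the nested attributes are validated for a one-byte payload before `nla_get_u8()`. The other is whether a list with no NLBL_CIPSOV4_A_TAG entries, which now yields an all-CIPSO_V4_TAG_INVALID array and `return 0`, should be accepted.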
@@ -1345,8 +1345,6 @@ bnx2_init_copper_phy(struct bnx2 *bp) { u32 val; - bp->phy_flags |= PHY_CRC_FIX_FLAG; - if (bp->phy_flags & PHY_CRC_FIX_FLAG) { bnx2_write_phy(bp, 0x18, 0x0c00); bnx2_write_phy(bp, 0x17, 0x000a); @@ -5880,7 +5878,9 @@ bnx2_init_board(struct pci_dev *pdev, struct net_device *dev) if (reg & BNX2_SHARED_HW_CFG_PHY_2_5G) bp->phy_flags |= PHY_2_5G_CAPABLE_FLAG; } - } + } else if (CHIP_NUM(bp) == CHIP_NUM_5706 || + CHIP_NUM(bp) == CHIP_NUM_5708) + bp->phy_flags |= PHY_CRC_FIX_FLAG; if ((CHIP_ID(bp) == CHIP_ID_5708_A0) || (CHIP_ID(bp) == CHIP_ID_5708_B0) || -- cgit v1.2.3 From 253c8b75546c5f21d5321d691df92c1e84d9b0fb Mon Sep 17 00:00:00 2001 From: Michael Chan Date: Mon, 8 Jan 2007 19:56:01 -0800 Subject: [BNX2]: Fix 5709 Serdes detection. 5709 has a new register to detect copper/fiber PHYs. Signed-off-by: Michael Chan Signed-off-by: David S. Miller --- drivers/net/bnx2.c | 45 +++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 41 insertions(+), 4 deletions(-) diff --git a/drivers/net/bnx2.c b/drivers/net/bnx2.c index 8d682fc3760..e325f933722 100644 --- a/drivers/net/bnx2.c +++ b/drivers/net/bnx2.c 
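Review bot: The new `else if` in bnx2_init_board() hangs off a braced `if` block but has a two-line condition and a body without braces; kernel style asks for braces on every branch once one branch has them. Writing it as `} else if (CHIP_NUM(bp) == CHIP_NUM_5706 || CHIP_NUM(bp) == CHIP_NUM_5708) {` with a closing `}` keeps later additions to the branch from silently falling outside it. The head of the outer `if` is outside the hunk; if it is the SerDes test, the flag is now set for copper PHYs only, and a one-line comment saying so would help.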
@@ -5643,6 +5643,44 @@ poll_bnx2(struct net_device *dev) } #endif +static void __devinit +bnx2_get_5709_media(struct bnx2 *bp) +{ + u32 val = REG_RD(bp, BNX2_MISC_DUAL_MEDIA_CTRL); + u32 bond_id = val & BNX2_MISC_DUAL_MEDIA_CTRL_BOND_ID; + u32 strap; + + if (bond_id == BNX2_MISC_DUAL_MEDIA_CTRL_BOND_ID_C) + return; + else if (bond_id == BNX2_MISC_DUAL_MEDIA_CTRL_BOND_ID_S) { + bp->phy_flags |= PHY_SERDES_FLAG; + return; + } + + if (val & BNX2_MISC_DUAL_MEDIA_CTRL_STRAP_OVERRIDE) + strap = (val & BNX2_MISC_DUAL_MEDIA_CTRL_PHY_CTRL) >> 21; + else + strap = (val & BNX2_MISC_DUAL_MEDIA_CTRL_PHY_CTRL_STRAP) >> 8; + + if (PCI_FUNC(bp->pdev->devfn) == 0) { + switch (strap) { + case 0x4: + case 0x5: + case 0x6: + bp->phy_flags |= PHY_SERDES_FLAG; + return; + } + } else { + switch (strap) { + case 0x1: + case 0x2: + case 0x4: + bp->phy_flags |= PHY_SERDES_FLAG; + return; + } + } +} + static int __devinit bnx2_init_board(struct pci_dev *pdev, struct net_device *dev) { @@ -5863,10 +5901,9 @@ bnx2_init_board(struct pci_dev *pdev, struct net_device *dev) bp->phy_addr = 1; /* Disable WOL support if we are running on a SERDES chip. */ - if (CHIP_NUM(bp) == CHIP_NUM_5709) { - if (CHIP_BOND_ID(bp) != BNX2_MISC_DUAL_MEDIA_CTRL_BOND_ID_C) - bp->phy_flags |= PHY_SERDES_FLAG; - } else if (CHIP_BOND_ID(bp) & CHIP_BOND_ID_SERDES_BIT) + if (CHIP_NUM(bp) == CHIP_NUM_5709) + bnx2_get_5709_media(bp); + else if (CHIP_BOND_ID(bp) & CHIP_BOND_ID_SERDES_BIT) bp->phy_flags |= PHY_SERDES_FLAG; if (bp->phy_flags & PHY_SERDES_FLAG) { -- cgit v1.2.3 From e6be763f63420c334710a5a0818e6bfcf5d593f8 Mon Sep 17 00:00:00 2001 From: Michael Chan Date: Mon, 8 Jan 2007 19:56:13 -0800 Subject: [BNX2]: Fix bug in bnx2_nvram_write(). The bug was a bogus pointer being passed to kfree(). The pointer was incremented in the write loop and then passed to kfree(). The fix is to use align_buf to save the original address. Signed-off-by: Michael Chan 
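Review bot: bnx2_get_5709_media() decodes the strap field with bare shifts (`>> 21`, `>> 8`) and bare case values (0x4/0x5/0x6 for PCI function 0, 0x1/0x2/0x4 otherwise), so nothing in the code says which encodings mean SerDes or why the two functions differ. Named shift constants next to the BNX2_MISC_DUAL_MEDIA_CTRL_* masks and a comment above each `switch` listing the strap meanings would make the table checkable against the hardware documentation. Both switches also lack a `default:` label, and the `else if` that follows a `return` can be a plain `if`.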
Signed-off-by: David S. Miller --- drivers/net/bnx2.c | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/drivers/net/bnx2.c b/drivers/net/bnx2.c index e325f933722..08a77a36b4c 100644 --- a/drivers/net/bnx2.c +++ b/drivers/net/bnx2.c @@ -3083,7 +3083,7 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf, int buf_size) { u32 written, offset32, len32; - u8 *buf, start[4], end[4], *flash_buffer = NULL; + u8 *buf, start[4], end[4], *align_buf = NULL, *flash_buffer = NULL; int rc = 0; int align_start, align_end; @@ -3111,16 +3111,17 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf, } if (align_start || align_end) { - buf = kmalloc(len32, GFP_KERNEL); - if (buf == NULL) + align_buf = kmalloc(len32, GFP_KERNEL); + if (align_buf == NULL) return -ENOMEM; if (align_start) { - memcpy(buf, start, 4); + memcpy(align_buf, start, 4); } if (align_end) { - memcpy(buf + len32 - 4, end, 4); + memcpy(align_buf + len32 - 4, end, 4); } - memcpy(buf + align_start, data_buf, buf_size); + memcpy(align_buf + align_start, data_buf, buf_size); + buf = align_buf; } if (bp->flash_info->buffered == 0) { @@ -3254,11 +3255,8 @@ bnx2_nvram_write(struct bnx2 *bp, u32 offset, u8 *data_buf, } nvram_write_end: - if (bp->flash_info->buffered == 0) - kfree(flash_buffer); - - if (align_start || align_end) - kfree(buf); + kfree(flash_buffer); + kfree(align_buf); return rc; } -- cgit v1.2.3 From d6aa4acebafe3acb0aade7704ec5b2f03742ea14 Mon Sep 17 00:00:00 2001 From: Michael Chan Date: Mon, 8 Jan 2007 19:56:31 -0800 Subject: [BNX2]: Update version and reldate. Update version to 1.5.3. Signed-off-by: Michael Chan Signed-off-by: David S. Miller --- drivers/net/bnx2.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/bnx2.c b/drivers/net/bnx2.c index 08a77a36b4c..ca5acc4736d 100644 --- a/drivers/net/bnx2.c +++ b/drivers/net/bnx2.c 
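Review bot: Nothing at the `buf = align_buf;` assignment in bnx2_nvram_write() says why two pointers exist, and the bug being fixed came from exactly that ambiguity. A comment such as `/* buf is advanced by the write loop; align_buf keeps the base for kfree() */` would protect the fix from a later cleanup. The value passed to `kmalloc(len32, ...)` and the `buf_size` used by the `memcpy` are computed outside the hunk, so their consistency was not checked here.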
@@ -57,8 +57,8 @@ #define DRV_MODULE_NAME "bnx2" #define PFX DRV_MODULE_NAME ": " -#define DRV_MODULE_VERSION "1.5.2" -#define DRV_MODULE_RELDATE "December 13, 2006" +#define DRV_MODULE_VERSION "1.5.3" +#define DRV_MODULE_RELDATE "January 8, 2007" #define RUN_AT(x) (jiffies + (x)) -- cgit v1.2.3 From c1d2a1965a00693bddaddf75d57488a0d8e891af Mon Sep 17 00:00:00 2001 From: Michael Chan Date: Mon, 8 Jan 2007 19:57:20 -0800 Subject: [TG3]: Add PHY workaround for 5755M. Some PHY trim values need to be fine-tuned on 5755M to be IEEE-compliant. Update version to 3.72. Signed-off-by: Michael Chan Signed-off-by: David S. Miller --- drivers/net/tg3.c | 17 ++++++++++++----- drivers/net/tg3.h | 4 ++++ 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/drivers/net/tg3.c b/drivers/net/tg3.c index 4056ba1ff3c..f4bf62c2a7a 100644 --- a/drivers/net/tg3.c +++ b/drivers/net/tg3.c @@ -68,8 +68,8 @@ #define DRV_MODULE_NAME "tg3" #define PFX DRV_MODULE_NAME ": " -#define DRV_MODULE_VERSION "3.71" -#define DRV_MODULE_RELDATE "December 15, 2006" +#define DRV_MODULE_VERSION "3.72" +#define DRV_MODULE_RELDATE "January 8, 2007" #define TG3_DEF_MAC_MODE 0 #define TG3_DEF_RX_MODE 0 @@ -1015,7 +1015,12 @@ out: else if (tp->tg3_flags2 & TG3_FLG2_PHY_JITTER_BUG) { tg3_writephy(tp, MII_TG3_AUX_CTRL, 0x0c00); tg3_writephy(tp, MII_TG3_DSP_ADDRESS, 0x000a); - tg3_writephy(tp, MII_TG3_DSP_RW_PORT, 0x010b); + if (tp->tg3_flags2 & TG3_FLG2_PHY_ADJUST_TRIM) { + tg3_writephy(tp, MII_TG3_DSP_RW_PORT, 0x110b); + tg3_writephy(tp, MII_TG3_TEST1, + MII_TG3_TEST1_TRIM_EN | 0x4); + } else + tg3_writephy(tp, MII_TG3_DSP_RW_PORT, 0x010b); tg3_writephy(tp, MII_TG3_AUX_CTRL, 0x0400); } /* Set Extended packet length bit (bit 14) on all chips that */ 
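Review bot: The new TG3_FLG2_PHY_ADJUST_TRIM branch writes bare values (`0x110b` to MII_TG3_DSP_RW_PORT and `MII_TG3_TEST1_TRIM_EN | 0x4` to MII_TG3_TEST1) with no indication of what the trim setting encodes. A comment naming the field, or a named constant for the `0x4`, would let the next reader verify it against the PHY documentation. The `if` branch is braced and its `else` is not; kernel style braces both once either needs them. The enclosing function starts and ends outside the hunk.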
@@ -10803,9 +10808,11 @@ static int __devinit tg3_get_invariants(struct tg3 *tp) if (tp->tg3_flags2 & TG3_FLG2_5705_PLUS) { if (GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5755 || - GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5787) + GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5787) { tp->tg3_flags2 |= TG3_FLG2_PHY_JITTER_BUG; - else if (GET_ASIC_REV(tp->pci_chip_rev_id) != ASIC_REV_5906) + if (tp->pdev->device == PCI_DEVICE_ID_TIGON3_5755M) + tp->tg3_flags2 |= TG3_FLG2_PHY_ADJUST_TRIM; + } else if (GET_ASIC_REV(tp->pci_chip_rev_id) != ASIC_REV_5906) tp->tg3_flags2 |= TG3_FLG2_PHY_BER_BUG; } diff --git a/drivers/net/tg3.h b/drivers/net/tg3.h index cf78a7e5997..80f59ac7ec5 100644 --- a/drivers/net/tg3.h +++ b/drivers/net/tg3.h @@ -1658,6 +1658,9 @@ #define MII_TG3_EPHY_TEST 0x1f /* 5906 PHY register */ #define MII_TG3_EPHY_SHADOW_EN 0x80 +#define MII_TG3_TEST1 0x1e +#define MII_TG3_TEST1_TRIM_EN 0x0010 + /* There are two ways to manage the TX descriptors on the tigon3. * Either the descriptors are in host DMA'able memory, or they * exist only in the cards on-chip SRAM. All 16 send bds are under @@ -2256,6 +2259,7 @@ struct tg3 { #define TG3_FLG2_1SHOT_MSI 0x10000000 #define TG3_FLG2_PHY_JITTER_BUG 0x20000000 #define TG3_FLG2_NO_FWARE_REPORTED 0x40000000 +#define TG3_FLG2_PHY_ADJUST_TRIM 0x80000000 u32 split_mode_max_reqs; #define SPLIT_MODE_5704_MAX_REQ 3 -- cgit v1.2.3 From 88044c8c9635b2ec67a27c6f334965e5b97eb2c7 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Tue, 9 Jan 2007 00:03:26 -0800 Subject: [NETFILTER]: nf_conntrack_netbios_ns: fix uninitialized member in expectation ->helper is uninitialized in the expectation registered by the netbios_ns helper and it later copied to the expected connection, which causes invalid memory dereferences when trying to call the helper. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/netfilter/nf_conntrack_netbios_ns.c | 1 + 1 file changed, 1 insertion(+) 
diff --git a/net/netfilter/nf_conntrack_netbios_ns.c b/net/netfilter/nf_conntrack_netbios_ns.c index a5b234e444d..2a48efdf0d6 100644 --- a/net/netfilter/nf_conntrack_netbios_ns.c +++ b/net/netfilter/nf_conntrack_netbios_ns.c @@ -89,6 +89,7 @@ static int help(struct sk_buff **pskb, unsigned int protoff, exp->expectfn = NULL; exp->flags = NF_CT_EXPECT_PERMANENT; + exp->helper = NULL; nf_conntrack_expect_related(exp); nf_conntrack_expect_put(exp); -- cgit v1.2.3 From cb48cfe8079ddda78425a16d6c1be57d822b365b Mon Sep 17 00:00:00 2001 From: Craig Schlenter Date: Tue, 9 Jan 2007 00:11:15 -0800 Subject: [TCP]: Fix iov_len calculation in tcp_v4_send_ack(). This fixes the ftp stalls present in the current kernels. All credit goes to Komuro for tracking this down. The patch is untested but it looks *cough* obviously correct. Signed-off-by: Craig Schlenter Signed-off-by: YOSHIFUJI Hideaki Signed-off-by: David S. Miller --- net/ipv4/tcp_ipv4.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index bf7a22412bc..12de90a5047 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -648,7 +648,7 @@ static void tcp_v4_send_ack(struct tcp_timewait_sock *twsk, TCPOLEN_TIMESTAMP); rep.opt[1] = htonl(tcp_time_stamp); rep.opt[2] = htonl(ts); - arg.iov[0].iov_len = TCPOLEN_TSTAMP_ALIGNED; + arg.iov[0].iov_len += TCPOLEN_TSTAMP_ALIGNED; } /* Swap the send and the receive. */ -- cgit v1.2.3
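Review bot: Setting `exp->helper = NULL` fixes this one member, but help() still initialises the expectation field by field, so any member it does not list keeps whatever the allocator left there. The allocation is outside the hunk. If it does not zero the structure, clearing it once after allocation, or auditing the remaining members, would prevent the next uninitialised-pointer dereference of this kind. Other conntrack helpers that build expectations by hand may deserve the same check.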
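Review bot: The `+=` in tcp_v4_send_ack() is only correct if `arg.iov[0].iov_len` already holds the base TCP header length when this branch runs. That initialisation is outside the hunk and should be confirmed, particularly since the commit message says the patch was not tested. A comment such as `/* iov_len already covers the TCP header; add the timestamp option */` would make the dependency explicit.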