From b0de8e402dc5d3ee04f4d0f669ae492a3e569933 Mon Sep 17 00:00:00 2001 From: Mirko Lindner Date: Thu, 10 Jan 2008 02:12:44 -0800 Subject: [NIU]: Support for Marvell PHY From: Mirko Lindner This patch makes necessary changes in the Neptune driver to support the new Marvell PHY. It also adds support for the LED blinking on Neptune cards with Marvell PHY. All registers are using defines in the niu.h header file as is already done for the BCM8704 registers. [ Coding style, etc. cleanups -DaveM ] Signed-off-by: David S. Miller --- drivers/net/niu.c | 218 +++++++++++++++++++++++++++++++++++++++++++++++++----- drivers/net/niu.h | 33 +++++++++ 2 files changed, 231 insertions(+), 20 deletions(-) diff --git a/drivers/net/niu.c b/drivers/net/niu.c index 9a0c6d3adfe982..3bbcea11329fae 100644 --- a/drivers/net/niu.c +++ b/drivers/net/niu.c @@ -801,22 +801,90 @@ static int bcm8704_init_user_dev3(struct niu *np) return 0; } -static int xcvr_init_10g(struct niu *np) +static int mrvl88x2011_act_led(struct niu *np, int val) +{ + int err; + + err = mdio_read(np, np->phy_addr, MRVL88X2011_USER_DEV2_ADDR, + MRVL88X2011_LED_8_TO_11_CTL); + if (err < 0) + return err; + + err &= ~MRVL88X2011_LED(MRVL88X2011_LED_ACT,MRVL88X2011_LED_CTL_MASK); + err |= MRVL88X2011_LED(MRVL88X2011_LED_ACT,val); + + return mdio_write(np, np->phy_addr, MRVL88X2011_USER_DEV2_ADDR, + MRVL88X2011_LED_8_TO_11_CTL, err); +} + +static int mrvl88x2011_led_blink_rate(struct niu *np, int rate) +{ + int err; + + err = mdio_read(np, np->phy_addr, MRVL88X2011_USER_DEV2_ADDR, + MRVL88X2011_LED_BLINK_CTL); + if (err >= 0) { + err &= ~MRVL88X2011_LED_BLKRATE_MASK; + err |= (rate << 4); + + err = mdio_write(np, np->phy_addr, MRVL88X2011_USER_DEV2_ADDR, + MRVL88X2011_LED_BLINK_CTL, err); + } + + return err; +} + +static int xcvr_init_10g_mrvl88x2011(struct niu *np) +{ + int err; + + /* Set LED functions */ + err = mrvl88x2011_led_blink_rate(np, MRVL88X2011_LED_BLKRATE_134MS); + if (err) + return err; + + /* led activity */ + err = mrvl88x2011_act_led(np, MRVL88X2011_LED_CTL_OFF); + if (err) + return err; + + err = mdio_read(np, np->phy_addr, MRVL88X2011_USER_DEV3_ADDR, + MRVL88X2011_GENERAL_CTL); + if (err < 0) + return err; + + err |= MRVL88X2011_ENA_XFPREFCLK; + + err = mdio_write(np, np->phy_addr, MRVL88X2011_USER_DEV3_ADDR, + MRVL88X2011_GENERAL_CTL, err); + if (err < 0) + return err; + + err = mdio_read(np, np->phy_addr, MRVL88X2011_USER_DEV1_ADDR, + MRVL88X2011_PMA_PMD_CTL_1); + if (err < 0) + return err; + + if (np->link_config.loopback_mode == LOOPBACK_MAC) + err |= MRVL88X2011_LOOPBACK; + else + err &= ~MRVL88X2011_LOOPBACK; + + err = mdio_write(np, np->phy_addr, MRVL88X2011_USER_DEV1_ADDR, + MRVL88X2011_PMA_PMD_CTL_1, err); + if (err < 0) + return err; + + /* Enable PMD */ + return mdio_write(np, np->phy_addr, MRVL88X2011_USER_DEV1_ADDR, + MRVL88X2011_10G_PMD_TX_DIS, MRVL88X2011_ENA_PMDTX); +} + +static int xcvr_init_10g_bcm8704(struct niu *np) { struct niu_link_config *lp = &np->link_config; u16 analog_stat0, tx_alarm_status; int err; - u64 val; - - val = nr64_mac(XMAC_CONFIG); - val &= ~XMAC_CONFIG_LED_POLARITY; - val |= XMAC_CONFIG_FORCE_LED_ON; - nw64_mac(XMAC_CONFIG, val); - - /* XXX shared resource, lock parent XXX */ - val = nr64(MIF_CONFIG); - val |= MIF_CONFIG_INDIRECT_MODE; - nw64(MIF_CONFIG, val); err = bcm8704_reset(np); if (err) @@ -896,6 +964,38 @@ static int xcvr_init_10g(struct niu *np) return 0; } +static int xcvr_init_10g(struct niu *np) +{ + int phy_id, err; + u64 val; + + val = nr64_mac(XMAC_CONFIG); + val &= ~XMAC_CONFIG_LED_POLARITY; + val |= XMAC_CONFIG_FORCE_LED_ON; + nw64_mac(XMAC_CONFIG, val); + + /* XXX shared resource, lock parent XXX */ + val = nr64(MIF_CONFIG); + val |= MIF_CONFIG_INDIRECT_MODE; + nw64(MIF_CONFIG, val); + + phy_id = phy_decode(np->parent->port_phy, np->port); + phy_id = np->parent->phy_probe_info.phy_id[phy_id][np->port]; + + /* handle different phy types */ + switch (phy_id & NIU_PHY_ID_MASK) { + case NIU_PHY_ID_MRVL88X2011: + err = xcvr_init_10g_mrvl88x2011(np); + break; + + default: /* bcom 8704 */ + err = xcvr_init_10g_bcm8704(np); + break; + } + + return 0; +} + static int mii_reset(struct niu *np) { int limit, err; @@ -1082,19 +1182,68 @@ static int niu_link_status_common(struct niu *np, int link_up) return 0; } -static int link_status_10g(struct niu *np, int *link_up_p) +static int link_status_10g_mrvl(struct niu *np, int *link_up_p) { - unsigned long flags; - int err, link_up; + int err, link_up, pma_status, pcs_status; link_up = 0; - spin_lock_irqsave(&np->lock, flags); + err = mdio_read(np, np->phy_addr, MRVL88X2011_USER_DEV1_ADDR, + MRVL88X2011_10G_PMD_STATUS_2); + if (err < 0) + goto out; - err = -EINVAL; - if (np->link_config.loopback_mode != LOOPBACK_DISABLED) + /* Check PMA/PMD Register: 1.0001.2 == 1 */ + err = mdio_read(np, np->phy_addr, MRVL88X2011_USER_DEV1_ADDR, + MRVL88X2011_PMA_PMD_STATUS_1); + if (err < 0) + goto out; + + pma_status = ((err & MRVL88X2011_LNK_STATUS_OK) ? 1 : 0); + + /* Check PMC Register : 3.0001.2 == 1: read twice */ + err = mdio_read(np, np->phy_addr, MRVL88X2011_USER_DEV3_ADDR, + MRVL88X2011_PMA_PMD_STATUS_1); + if (err < 0) + goto out; + + err = mdio_read(np, np->phy_addr, MRVL88X2011_USER_DEV3_ADDR, + MRVL88X2011_PMA_PMD_STATUS_1); + if (err < 0) + goto out; + + pcs_status = ((err & MRVL88X2011_LNK_STATUS_OK) ? 1 : 0); + + /* Check XGXS Register : 4.0018.[0-3,12] */ + err = mdio_read(np, np->phy_addr, MRVL88X2011_USER_DEV4_ADDR, + MRVL88X2011_10G_XGXS_LANE_STAT); + if (err < 0) goto out; + if (err == (PHYXS_XGXS_LANE_STAT_ALINGED | PHYXS_XGXS_LANE_STAT_LANE3 | + PHYXS_XGXS_LANE_STAT_LANE2 | PHYXS_XGXS_LANE_STAT_LANE1 | + PHYXS_XGXS_LANE_STAT_LANE0 | PHYXS_XGXS_LANE_STAT_MAGIC | + 0x800)) + link_up = (pma_status && pcs_status) ? 1 : 0; + + np->link_config.active_speed = SPEED_10000; + np->link_config.active_duplex = DUPLEX_FULL; + err = 0; +out: + mrvl88x2011_act_led(np, (link_up ? + MRVL88X2011_LED_CTL_PCS_ACT : + MRVL88X2011_LED_CTL_OFF)); + + *link_up_p = link_up; + return err; +} + +static int link_status_10g_bcom(struct niu *np, int *link_up_p) +{ + int err, link_up; + + link_up = 0; + err = mdio_read(np, np->phy_addr, BCM8704_PMA_PMD_DEV_ADDR, BCM8704_PMD_RCV_SIGDET); if (err < 0) @@ -1134,9 +1283,37 @@ static int link_status_10g(struct niu *np, int *link_up_p) err = 0; out: + *link_up_p = link_up; + return err; +} + +static int link_status_10g(struct niu *np, int *link_up_p) +{ + unsigned long flags; + int err = -EINVAL; + + spin_lock_irqsave(&np->lock, flags); + + if (np->link_config.loopback_mode == LOOPBACK_DISABLED) { + int phy_id; + + phy_id = phy_decode(np->parent->port_phy, np->port); + phy_id = np->parent->phy_probe_info.phy_id[phy_id][np->port]; + + /* handle different phy types */ + switch (phy_id & NIU_PHY_ID_MASK) { + case NIU_PHY_ID_MRVL88X2011: + err = link_status_10g_mrvl(np, link_up_p); + break; + + default: /* bcom 8704 */ + err = link_status_10g_bcom(np, link_up_p); + break; + } + } + spin_unlock_irqrestore(&np->lock, flags); - *link_up_p = link_up; return err; } @@ -6297,7 +6474,8 @@ static int __devinit phy_record(struct niu_parent *parent, if (dev_id_1 < 0 || dev_id_2 < 0) return 0; if (type == PHY_TYPE_PMA_PMD || type == PHY_TYPE_PCS) { - if ((id & NIU_PHY_ID_MASK) != NIU_PHY_ID_BCM8704) + if (((id & NIU_PHY_ID_MASK) != NIU_PHY_ID_BCM8704) && + ((id & NIU_PHY_ID_MASK) != NIU_PHY_ID_MRVL88X2011)) return 0; } else { if ((id & NIU_PHY_ID_MASK) != NIU_PHY_ID_BCM5464R) diff --git a/drivers/net/niu.h b/drivers/net/niu.h index 10e3f111b6d5d1..0e8626adc573e2 100644 --- a/drivers/net/niu.h +++ b/drivers/net/niu.h @@ -2538,6 +2538,39 @@ struct fcram_hash_ipv6 { #define NIU_PHY_ID_MASK 0xfffff0f0 #define NIU_PHY_ID_BCM8704 0x00206030 #define NIU_PHY_ID_BCM5464R 0x002060b0 +#define NIU_PHY_ID_MRVL88X2011 0x01410020 + +/* MRVL88X2011 register addresses */ +#define MRVL88X2011_USER_DEV1_ADDR 1 +#define MRVL88X2011_USER_DEV2_ADDR 2 +#define MRVL88X2011_USER_DEV3_ADDR 3 +#define MRVL88X2011_USER_DEV4_ADDR 4 +#define MRVL88X2011_PMA_PMD_CTL_1 0x0000 +#define MRVL88X2011_PMA_PMD_STATUS_1 0x0001 +#define MRVL88X2011_10G_PMD_STATUS_2 0x0008 +#define MRVL88X2011_10G_PMD_TX_DIS 0x0009 +#define MRVL88X2011_10G_XGXS_LANE_STAT 0x0018 +#define MRVL88X2011_GENERAL_CTL 0x8300 +#define MRVL88X2011_LED_BLINK_CTL 0x8303 +#define MRVL88X2011_LED_8_TO_11_CTL 0x8306 + +/* MRVL88X2011 register control */ +#define MRVL88X2011_ENA_XFPREFCLK 0x0001 +#define MRVL88X2011_ENA_PMDTX 0x0000 +#define MRVL88X2011_LOOPBACK 0x1 +#define MRVL88X2011_LED_ACT 0x1 +#define MRVL88X2011_LNK_STATUS_OK 0x4 +#define MRVL88X2011_LED_BLKRATE_MASK 0x70 +#define MRVL88X2011_LED_BLKRATE_034MS 0x0 +#define MRVL88X2011_LED_BLKRATE_067MS 0x1 +#define MRVL88X2011_LED_BLKRATE_134MS 0x2 +#define MRVL88X2011_LED_BLKRATE_269MS 0x3 +#define MRVL88X2011_LED_BLKRATE_538MS 0x4 +#define MRVL88X2011_LED_CTL_OFF 0x0 +#define MRVL88X2011_LED_CTL_PCS_ACT 0x5 +#define MRVL88X2011_LED_CTL_MASK 0x7 +#define MRVL88X2011_LED(n,v) ((v)<<((n)*4)) +#define MRVL88X2011_LED_STAT(n,v) ((v)>>((n)*4)) #define BCM8704_PMA_PMD_DEV_ADDR 1 #define BCM8704_PCS_DEV_ADDR 2 -- cgit 1.2.3-korg From 9cd40029423701c376391da59d2c6469672b4bed Mon Sep 17 00:00:00 2001 From: Pavel Emelyanov Date: Thu, 10 Jan 2008 03:48:38 -0800 Subject: [NEIGH]: Fix race between neigh_parms_release and neightbl_fill_parms The neightbl_fill_parms() is called under the write-locked tbl->lock and accesses the parms->dev. The negh_parm_release() calls the dev_put(parms->dev) without this lock. This creates a tiny race window on which the parms contains potentially stale dev pointer. To fix this race it's enough to move the dev_put() upper under the tbl->lock, but note, that the parms are held by neighbors and thus can live after the neigh_parms_release() is called, so we still can have a parm with bad dev pointer. I didn't find where the neigh->parms->dev is accessed, but still think that putting the dev is to be done in a place, where the parms are really freed. Am I right with that? Signed-off-by: Pavel Emelyanov Signed-off-by: David S. Miller --- net/core/neighbour.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/core/neighbour.c b/net/core/neighbour.c index 29b8ee4e35d6dc..cc8a2f190acfa7 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -1316,8 +1316,6 @@ void neigh_parms_release(struct neigh_table *tbl, struct neigh_parms *parms) *p = parms->next; parms->dead = 1; write_unlock_bh(&tbl->lock); - if (parms->dev) - dev_put(parms->dev); call_rcu(&parms->rcu_head, neigh_rcu_free_parms); return; } @@ -1328,6 +1326,8 @@ void neigh_parms_release(struct neigh_table *tbl, struct neigh_parms *parms) void neigh_parms_destroy(struct neigh_parms *parms) { + if (parms->dev) + dev_put(parms->dev); kfree(parms); } -- cgit 1.2.3-korg From 0bcceadceb0907094ba4e40bf9a7cd9b080f13fb Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Thu, 10 Jan 2008 03:55:57 -0800 Subject: [IPV4] ROUTE: fix rcu_dereference() uses in /proc/net/rt_cache In rt_cache_get_next(), no need to guard seq->private by a rcu_dereference() since seq is private to the thread running this function. Reading seq.private once (as guaranted bu rcu_dereference()) or several time if compiler really is dumb enough wont change the result. But we miss real spots where rcu_dereference() are needed, both in rt_cache_get_first() and rt_cache_get_next() Signed-off-by: Eric Dumazet Signed-off-by: Herbert Xu Signed-off-by: David S. Miller --- net/ipv4/route.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/ipv4/route.c b/net/ipv4/route.c index d3377069ce05bc..28484f396b048e 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c @@ -283,12 +283,12 @@ static struct rtable *rt_cache_get_first(struct seq_file *seq) break; rcu_read_unlock_bh(); } - return r; + return rcu_dereference(r); } static struct rtable *rt_cache_get_next(struct seq_file *seq, struct rtable *r) { - struct rt_cache_iter_state *st = rcu_dereference(seq->private); + struct rt_cache_iter_state *st = seq->private; r = r->u.dst.rt_next; while (!r) { @@ -298,7 +298,7 @@ static struct rtable *rt_cache_get_next(struct seq_file *seq, struct rtable *r) rcu_read_lock_bh(); r = rt_hash_table[st->bucket].chain; } - return r; + return rcu_dereference(r); } static struct rtable *rt_cache_get_idx(struct seq_file *seq, loff_t pos) -- cgit 1.2.3-korg From 27d1cba21fcc50c37eef5042c6be9fa7135e88fc Mon Sep 17 00:00:00 2001 From: maximilian attems Date: Thu, 10 Jan 2008 03:57:29 -0800 Subject: [AX25]: Kill user triggable printks. sfuzz can easily trigger any of those. move the printk message to the corresponding comment: makes the intention of the code clear and easy to pick up on an scheduled removal. as bonus simplify the braces placement. Signed-off-by: maximilian attems Signed-off-by: David S. Miller --- net/ax25/af_ax25.c | 39 ++++++++++++++++++--------------------- 1 file changed, 18 insertions(+), 21 deletions(-) diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index 8378afd54b3014..ecb14ee004980d 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -1109,21 +1109,19 @@ static int __must_check ax25_connect(struct socket *sock, * some sanity checks. code further down depends on this */ - if (addr_len == sizeof(struct sockaddr_ax25)) { - /* support for this will go away in early 2.5.x */ - printk(KERN_WARNING "ax25_connect(): %s uses obsolete socket structure\n", - current->comm); - } - else if (addr_len != sizeof(struct full_sockaddr_ax25)) { - /* support for old structure may go away some time */ + if (addr_len == sizeof(struct sockaddr_ax25)) + /* support for this will go away in early 2.5.x + * ax25_connect(): uses obsolete socket structure + */ + ; + else if (addr_len != sizeof(struct full_sockaddr_ax25)) + /* support for old structure may go away some time + * ax25_connect(): uses old (6 digipeater) socket structure. + */ if ((addr_len < sizeof(struct sockaddr_ax25) + sizeof(ax25_address) * 6) || - (addr_len > sizeof(struct full_sockaddr_ax25))) { + (addr_len > sizeof(struct full_sockaddr_ax25))) return -EINVAL; - } - printk(KERN_WARNING "ax25_connect(): %s uses old (6 digipeater) socket structure.\n", - current->comm); - } if (fsa->fsa_ax25.sax25_family != AF_AX25) return -EINVAL; @@ -1467,21 +1465,20 @@ static int ax25_sendmsg(struct kiocb *iocb, struct socket *sock, goto out; } - if (addr_len == sizeof(struct sockaddr_ax25)) { - printk(KERN_WARNING "ax25_sendmsg(): %s uses obsolete socket structure\n", - current->comm); - } - else if (addr_len != sizeof(struct full_sockaddr_ax25)) { - /* support for old structure may go away some time */ + if (addr_len == sizeof(struct sockaddr_ax25)) + /* ax25_sendmsg(): uses obsolete socket structure */ + ; + else if (addr_len != sizeof(struct full_sockaddr_ax25)) + /* support for old structure may go away some time + * ax25_sendmsg(): uses old (6 digipeater) + * socket structure. + */ if ((addr_len < sizeof(struct sockaddr_ax25) + sizeof(ax25_address) * 6) || (addr_len > sizeof(struct full_sockaddr_ax25))) { err = -EINVAL; goto out; } - printk(KERN_WARNING "ax25_sendmsg(): %s uses old (6 digipeater) socket structure.\n", - current->comm); - } if (addr_len > sizeof(struct sockaddr_ax25) && usax->sax25_ndigis != 0) { int ct = 0; -- cgit 1.2.3-korg From ecd2ebdea350c40e73c00d400d74c8a09c072082 Mon Sep 17 00:00:00 2001 From: Jarek Poplawski Date: Thu, 10 Jan 2008 21:21:20 -0800 Subject: [AX25] af_ax25: Possible circular locking. Bernard Pidoux F6BVP reported: > When I killall kissattach I can see the following message. > > This happens on kernel 2.6.24-rc5 already patched with the 6 previously > patches I sent recently. > > > ======================================================= > [ INFO: possible circular locking dependency detected ] > 2.6.23.9 #1 > ------------------------------------------------------- > kissattach/2906 is trying to acquire lock: > (linkfail_lock){-+..}, at: [] ax25_link_failed+0x11/0x39 [ax25] > > but task is already holding lock: > (ax25_list_lock){-+..}, at: [] ax25_device_event+0x38/0x84 > [ax25] > > which lock already depends on the new lock. > > > the existing dependency chain (in reverse order) is: ... lockdep is worried about the different order here: #1 (rose_neigh_list_lock){-+..}: #3 (ax25_list_lock){-+..}: #0 (linkfail_lock){-+..}: #1 (rose_neigh_list_lock){-+..}: #3 (ax25_list_lock){-+..}: #0 (linkfail_lock){-+..}: So, ax25_list_lock could be taken before and after linkfail_lock. I don't know if this three-thread clutch is very probable (or possible at all), but it seems another bug reported by Bernard ("[...] system impossible to reboot with linux-2.6.24-rc5") could have similar source - namely ax25_list_lock held by ax25_kill_by_device() during ax25_disconnect(). It looks like the only place which calls ax25_disconnect() this way, so I guess, it isn't necessary. This patch is breaking the lock for ax25_disconnect(). Reported-and-tested-by: Bernard Pidoux Signed-off-by: Jarek Poplawski Signed-off-by: David S. Miller --- net/ax25/af_ax25.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c index ecb14ee004980d..b4725ff317c06a 100644 --- a/net/ax25/af_ax25.c +++ b/net/ax25/af_ax25.c @@ -87,10 +87,22 @@ static void ax25_kill_by_device(struct net_device *dev) return; spin_lock_bh(&ax25_list_lock); +again: ax25_for_each(s, node, &ax25_list) { if (s->ax25_dev == ax25_dev) { s->ax25_dev = NULL; + spin_unlock_bh(&ax25_list_lock); ax25_disconnect(s, ENETUNREACH); + spin_lock_bh(&ax25_list_lock); + + /* The entry could have been deleted from the + * list meanwhile and thus the next pointer is + * no longer valid. Play it safe and restart + * the scan. Forward progress is ensured + * because we set s->ax25_dev to NULL and we + * are never passed a NULL 'dev' argument. + */ + goto again; } } spin_unlock_bh(&ax25_list_lock); -- cgit 1.2.3-korg From f951375d470c1a20d92c34377991197e6bf17990 Mon Sep 17 00:00:00 2001 From: Dave Young Date: Thu, 10 Jan 2008 22:22:52 -0800 Subject: [BLUETOOTH]: rfcomm tty BUG_ON() code fix 1) In tty.c the BUG_ON at line 115 will never be called, because the the before list_del_init in this same function. 115 BUG_ON(!list_empty(&dev->list)); So move the list_del_init to rfcomm_dev_del 2) The rfcomm_dev_del could be called from diffrent path (rfcomm_tty_hangup/rfcomm_dev_state_change/rfcomm_release_dev), So add another BUG_ON when the rfcomm_dev_del is called more than one time. Signed-off-by: Dave Young Signed-off-by: David S. Miller --- net/bluetooth/rfcomm/tty.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c index e447651a2dbe86..a6a758dd1f7d88 100644 --- a/net/bluetooth/rfcomm/tty.c +++ b/net/bluetooth/rfcomm/tty.c @@ -95,9 +95,10 @@ static void rfcomm_dev_destruct(struct rfcomm_dev *dev) BT_DBG("dev %p dlc %p", dev, dlc); - write_lock_bh(&rfcomm_dev_lock); - list_del_init(&dev->list); - write_unlock_bh(&rfcomm_dev_lock); + /* Refcount should only hit zero when called from rfcomm_dev_del() + which will have taken us off the list. Everything else are + refcounting bugs. */ + BUG_ON(!list_empty(&dev->list)); rfcomm_dlc_lock(dlc); /* Detach DLC if it's owned by this dev */ @@ -109,11 +110,6 @@ static void rfcomm_dev_destruct(struct rfcomm_dev *dev) tty_unregister_device(rfcomm_tty_driver, dev->id); - /* Refcount should only hit zero when called from rfcomm_dev_del() - which will have taken us off the list. Everything else are - refcounting bugs. */ - BUG_ON(!list_empty(&dev->list)); - kfree(dev); /* It's safe to call module_put() here because socket still @@ -313,7 +309,15 @@ static void rfcomm_dev_del(struct rfcomm_dev *dev) { BT_DBG("dev %p", dev); - set_bit(RFCOMM_TTY_RELEASED, &dev->flags); + if (test_bit(RFCOMM_TTY_RELEASED, &dev->flags)) + BUG_ON(1); + else + set_bit(RFCOMM_TTY_RELEASED, &dev->flags); + + write_lock_bh(&rfcomm_dev_lock); + list_del_init(&dev->list); + write_unlock_bh(&rfcomm_dev_lock); + rfcomm_dev_put(dev); } -- cgit 1.2.3-korg From 5c5482266537fdb24d6b8462540d8f65a6007a97 Mon Sep 17 00:00:00 2001 From: Ohad Ben-Cohen Date: Thu, 10 Jan 2008 22:24:43 -0800 Subject: [BLUETOOTH]: Always send explicit hci_ll wake-up acks. In the (rare) event of simultaneous mutual wake up requests, do send the chip an explicit wake-up ack. This is required for Texas Instruments's BRF6350 chip. Signed-off-by: Ohad Ben-Cohen Signed-off-by: David S. Miller --- drivers/bluetooth/hci_ll.c | 23 ++++++++++++++--------- 1 file changed, 14 insertions(+), 9 deletions(-) diff --git a/drivers/bluetooth/hci_ll.c b/drivers/bluetooth/hci_ll.c index 8c3e62a17b4a6f..b91d45a41b2f6b 100644 --- a/drivers/bluetooth/hci_ll.c +++ b/drivers/bluetooth/hci_ll.c @@ -204,6 +204,19 @@ static void ll_device_want_to_wakeup(struct hci_uart *hu) spin_lock_irqsave(&ll->hcill_lock, flags); switch (ll->hcill_state) { + case HCILL_ASLEEP_TO_AWAKE: + /* + * This state means that both the host and the BRF chip + * have simultaneously sent a wake-up-indication packet. + * Traditionaly, in this case, receiving a wake-up-indication + * was enough and an additional wake-up-ack wasn't needed. + * This has changed with the BRF6350, which does require an + * explicit wake-up-ack. Other BRF versions, which do not + * require an explicit ack here, do accept it, thus it is + * perfectly safe to always send one. + */ + BT_DBG("dual wake-up-indication"); + /* deliberate fall-through - do not add break */ case HCILL_ASLEEP: /* acknowledge device wake up */ if (send_hcill_cmd(HCILL_WAKE_UP_ACK, hu) < 0) { @@ -211,16 +224,8 @@ static void ll_device_want_to_wakeup(struct hci_uart *hu) goto out; } break; - case HCILL_ASLEEP_TO_AWAKE: - /* - * this state means that a wake-up-indication - * is already on its way to the device, - * and will serve as the required wake-up-ack - */ - BT_DBG("dual wake-up-indication"); - break; default: - /* any other state are illegal */ + /* any other state is illegal */ BT_ERR("received HCILL_WAKE_UP_IND in state %ld", ll->hcill_state); break; } -- cgit 1.2.3-korg From 0d89d7944fead211422e21fb7ea70ed3b903a79e Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Thu, 10 Jan 2008 22:35:21 -0800 Subject: [DECNET] ROUTE: fix rcu_dereference() uses in /proc/net/decnet_cache In dn_rt_cache_get_next(), no need to guard seq->private by a rcu_dereference() since seq is private to the thread running this function. Reading seq.private once (as guaranted bu rcu_dereference()) or several time if compiler really is dumb enough wont change the result. But we miss real spots where rcu_dereference() are needed, both in dn_rt_cache_get_first() and dn_rt_cache_get_next() Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller --- net/decnet/dn_route.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/decnet/dn_route.c b/net/decnet/dn_route.c index 66663e5d7acdc8..0e10ff21e29204 100644 --- a/net/decnet/dn_route.c +++ b/net/decnet/dn_route.c @@ -1665,12 +1665,12 @@ static struct dn_route *dn_rt_cache_get_first(struct seq_file *seq) break; rcu_read_unlock_bh(); } - return rt; + return rcu_dereference(rt); } static struct dn_route *dn_rt_cache_get_next(struct seq_file *seq, struct dn_route *rt) { - struct dn_rt_cache_iter_state *s = rcu_dereference(seq->private); + struct dn_rt_cache_iter_state *s = seq->private; rt = rt->u.dst.dn_next; while(!rt) { @@ -1680,7 +1680,7 @@ static struct dn_route *dn_rt_cache_get_next(struct seq_file *seq, struct dn_rou rcu_read_lock_bh(); rt = dn_rt_hash_table[s->bucket].chain; } - return rt; + return rcu_dereference(rt); } static void *dn_rt_cache_seq_start(struct seq_file *seq, loff_t *pos) -- cgit 1.2.3-korg From 0fe1e567d0b4f6a98e94d3b9a40f41c801bd157f Mon Sep 17 00:00:00 2001 From: Jarek Poplawski Date: Thu, 10 Jan 2008 22:38:31 -0800 Subject: [VLAN]: nested VLAN: fix lockdep's recursive locking warning Allow vlans nesting other vlans without lockdep's warnings (max. 2 levels i.e. parent + child). Thanks to Patrick McHardy for pointing a bug in the first version of this patch. Reported-by: Benny Amorsen Signed-off-by: Jarek Poplawski Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/8021q/vlan.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/net/8021q/vlan.c b/net/8021q/vlan.c index 4add9bd4bc8d51..032bf44eca5e4e 100644 --- a/net/8021q/vlan.c +++ b/net/8021q/vlan.c @@ -323,6 +323,7 @@ static const struct header_ops vlan_header_ops = { static int vlan_dev_init(struct net_device *dev) { struct net_device *real_dev = VLAN_DEV_INFO(dev)->real_dev; + int subclass = 0; /* IFF_BROADCAST|IFF_MULTICAST; ??? */ dev->flags = real_dev->flags & ~IFF_UP; @@ -349,7 +350,11 @@ static int vlan_dev_init(struct net_device *dev) dev->hard_start_xmit = vlan_dev_hard_start_xmit; } - lockdep_set_class(&dev->_xmit_lock, &vlan_netdev_xmit_lock_key); + if (real_dev->priv_flags & IFF_802_1Q_VLAN) + subclass = 1; + + lockdep_set_class_and_subclass(&dev->_xmit_lock, + &vlan_netdev_xmit_lock_key, subclass); return 0; } -- cgit 1.2.3-korg From a6ca5f1dbe40470fcb1ecc921769d792a1e77ed9 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Thu, 10 Jan 2008 22:39:28 -0800 Subject: [MACVLAN]: Prevent nesting macvlan devices Don't allow to nest macvlan devices since it will cause lockdep warnings and isn't really useful for anything. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- drivers/net/macvlan.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c index 2e4bcd5654c4c0..e8dc2f44fec960 100644 --- a/drivers/net/macvlan.c +++ b/drivers/net/macvlan.c @@ -384,6 +384,13 @@ static int macvlan_newlink(struct net_device *dev, if (lowerdev == NULL) return -ENODEV; + /* Don't allow macvlans on top of other macvlans - its not really + * wrong, but lockdep can't handle it and its not useful for anything + * you couldn't do directly on top of the real device. + */ + if (lowerdev->rtnl_link_ops == dev->rtnl_link_ops) + return -ENODEV; + if (!tb[IFLA_MTU]) dev->mtu = lowerdev->mtu; else if (dev->mtu > lowerdev->mtu) -- cgit 1.2.3-korg From 8f41f017866bc3dfe4db02582cfd48f0586cb990 Mon Sep 17 00:00:00 2001 From: Yasuyuki Kozakai Date: Thu, 10 Jan 2008 22:40:39 -0800 Subject: [NETFILTER]: ip6t_eui64: Fixes calculation of Universal/Local bit RFC2464 says that the next to lowerst order bit of the first octet of the Interface Identifier is formed by complementing the Universal/Local bit of the EUI-64. But ip6t_eui64 uses OR not XOR. Thanks Peter Ivancik for reporing this bug and posting a patch for it. Signed-off-by: Yasuyuki Kozakai Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/ipv6/netfilter/ip6t_eui64.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv6/netfilter/ip6t_eui64.c b/net/ipv6/netfilter/ip6t_eui64.c index 34ba150bfe5d90..41df9a578c7aa8 100644 --- a/net/ipv6/netfilter/ip6t_eui64.c +++ b/net/ipv6/netfilter/ip6t_eui64.c @@ -47,7 +47,7 @@ match(const struct sk_buff *skb, memcpy(eui64 + 5, eth_hdr(skb)->h_source + 3, 3); eui64[3] = 0xff; eui64[4] = 0xfe; - eui64[0] |= 0x02; + eui64[0] ^= 0x02; i = 0; while (ipv6_hdr(skb)->saddr.s6_addr[8 + i] == eui64[i] -- cgit 1.2.3-korg From 0ff4d77bd9fe86ca1bc7f44839d79f8a349a62f0 Mon Sep 17 00:00:00 2001 From: Jan Engelhardt Date: Thu, 10 Jan 2008 22:41:28 -0800 Subject: [NETFILTER]: xt_helper: Do not bypass RCU Use the @helper variable that was just obtained. Signed-off-by: Jan Engelhardt Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/netfilter/xt_helper.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c index 0a1f4c6bcdef41..d842c4a6d63f6b 100644 --- a/net/netfilter/xt_helper.c +++ b/net/netfilter/xt_helper.c @@ -56,8 +56,8 @@ match(const struct sk_buff *skb, if (info->name[0] == '\0') ret = !ret; else - ret ^= !strncmp(master_help->helper->name, info->name, - strlen(master_help->helper->name)); + ret ^= !strncmp(helper->name, info->name, + strlen(helper->name)); return ret; } -- cgit 1.2.3-korg From 2948d2ebbb98747b912ac6d0c864b4d02be8a6f5 Mon Sep 17 00:00:00 2001 From: Patrick McHardy Date: Fri, 11 Jan 2008 18:02:18 -0800 Subject: [NETFILTER]: bridge: fix double POST_ROUTING invocation The bridge code incorrectly causes two POST_ROUTING hook invocations for DNATed packets that end up on the same bridge device. This happens because packets with a changed destination address are passed to dst_output() to make them go through the neighbour output function again to build a new destination MAC address, before they will continue through the IP hooks simulated by bridge netfilter. The resulting hook order is: PREROUTING (bridge netfilter) POSTROUTING (dst_output -> ip_output) FORWARD (bridge netfilter) POSTROUTING (bridge netfilter) The deferred hooks used to abort the first POST_ROUTING invocation, but since the only thing bridge netfilter actually really wants is a new MAC address, we can avoid going through the IP stack completely by simply calling the neighbour output function directly. Tested, reported and lots of data provided by: Damien Thebault Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller --- net/bridge/br_netfilter.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c index c1757c79dfbb3e..5d8b939eded193 100644 --- a/net/bridge/br_netfilter.c +++ b/net/bridge/br_netfilter.c @@ -247,8 +247,9 @@ static void __br_dnat_complain(void) * Let us first consider the case that ip_route_input() succeeds: * * If skb->dst->dev equals the logical bridge device the packet - * came in on, we can consider this bridging. We then call - * skb->dst->output() which will make the packet enter br_nf_local_out() + * came in on, we can consider this bridging. The packet is passed + * through the neighbour output function to build a new destination + * MAC address, which will make the packet enter br_nf_local_out() * not much later. In that function it is assured that the iptables * FORWARD chain is traversed for the packet. * @@ -285,12 +286,17 @@ static int br_nf_pre_routing_finish_bridge(struct sk_buff *skb) skb->nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING; skb->dev = bridge_parent(skb->dev); - if (!skb->dev) - kfree_skb(skb); - else { + if (skb->dev) { + struct dst_entry *dst = skb->dst; + nf_bridge_pull_encap_header(skb); - skb->dst->output(skb); + + if (dst->hh) + return neigh_hh_output(dst->hh, skb); + else if (dst->neighbour) + return dst->neighbour->output(skb); } + kfree_skb(skb); return 0; } -- cgit 1.2.3-korg From 1b310fca30ac9851f79337ca72b1cf6a0f58064a Mon Sep 17 00:00:00 2001 From: Eric Dumazet Date: Sun, 13 Jan 2008 22:32:49 -0800 Subject: [TOKENRING]: rif_timer not initialized properly Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller --- net/802/tr.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/802/tr.c b/net/802/tr.c index a2bd0f2e3af84c..1e115e5beab635 100644 --- a/net/802/tr.c +++ b/net/802/tr.c @@ -642,7 +642,7 @@ struct net_device *alloc_trdev(int sizeof_priv) static int __init rif_init(void) { init_timer(&rif_timer); - rif_timer.expires = sysctl_tr_rif_timeout; + rif_timer.expires = jiffies + sysctl_tr_rif_timeout; rif_timer.data = 0L; rif_timer.function = rif_check_expire; add_timer(&rif_timer); -- cgit 1.2.3-korg