Adding memory barrier after the poll_wait function, paired with
receive callbacks. Adding fuctions sock_poll_wait and sk_has_sleeper
to wrap the memory barrier.

Without the memory barrier, following race can happen.
The race fires, when following code paths meet, and the tp->rcv_nxt
and __add_wait_queue updates stay in CPU caches.

CPU1                         CPU2

sys_select                   receive packet
  ...                        ...
  __add_wait_queue           update tp->rcv_nxt
  ...                        ...
  tp->rcv_nxt check          sock_def_readable
  ...                        {
  schedule                      ...
                                if (sk->sk_sleep && waitqueue_active(sk->sk_sleep))
                                        wake_up_interruptible(sk->sk_sleep)
                                ...
                             }

If there was no cache the code would work ok, since the wait_queue and
rcv_nxt are opposit to each other.

Meaning that once tp->rcv_nxt is updated by CPU2, the CPU1 either already
passed the tp->rcv_nxt check and sleeps, or will get the new value for
tp->rcv_nxt and will return with new data mask.
In both cases the process (CPU1) is being added to the wait queue, so the
waitqueue_active (CPU2) call cannot miss and will wake up CPU1.

The bad case is when the __add_wait_queue changes done by CPU1 stay in its
cache, and so does the tp->rcv_nxt update on CPU2 side.  The CPU1 will then
endup calling schedule and sleep forever if there are no more data on the
socket.

Calls to poll_wait in following modules were ommited:
	net/bluetooth/af_bluetooth.c
	net/irda/af_irda.c
	net/irda/irnet/irnet_ppp.c
	net/mac80211/rc80211_pid_debugfs.c
	net/phonet/socket.c
	net/rds/af_rds.c
	net/rfkill/core.c
	net/sunrpc/cache.c
	net/sunrpc/rpc_pipe.c
	net/tipc/socket.c
Signed-off-by: NJiri Olsa <jolsa@redhat.com>
Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Using early netconsole and gianfar driver this error pops up:

  netconsole: timeout waiting for carrier

It appears that net/core/netpoll.c:netpoll_setup() is using
cond_resched() in a loop waiting for a carrier.

The thing is that cond_resched() is a no-op when system_state !=
SYSTEM_RUNNING, and so drivers/net/phy/phy.c's state_queue is never
scheduled, therefore link detection doesn't work.

I belive that the main problem is in cond_resched()[1], but despite
how the cond_resched() story ends, it might be a good idea to call
msleep(1) instead of cond_resched(), as suggested by Andrew Morton.

[1] http://lkml.org/lkml/2009/7/7/463Signed-off-by: NAnton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

fix the following 'make includecheck' warning:

  include/linux/rfkill.h: linux/types.h is included more than once.
Signed-off-by: NJaswinder Singh Rajput <jaswinderrajput@gmail.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

In the mainline kernel, p54usb will fail because the TX queue length can
become < 0. This problem has been reported as Bugzilla #13725. The failure
is expressed by the following message in the logs:

WARNING: at net/mac80211/tx.c:1325 ieee80211_tx+0x23c/0x298 [mac80211]()
Hardware name: HP Pavilion dv2700 Notebook PC
tx refused but queue active

This problem has been recently observed in the wireless-testing tree, where
a full solution is being tested. That fix is too invasive for 2.6.31-rcX,
but the simple change supplied here will prevent the failure.
Signed-off-by: NLarry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

Atheros top level menu needs a "depends WLAN_80211" to properly indent
within menuconfig and xconfig interfaces.

This is purely a visual issue but it effects all subsequent drivers.
The issue is the top level menu does not include a dependency on
WLAN_80211 so within the tree structure, Atheros is at the same level as
WLAN_80211 but when WLAN_80211 collapsed, the menu disappears along with
all subsequent drives, so it is really a subordinate.
Signed-off-by: NJay Sternberg <jay.e.sternberg@intel.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

These two functions no longer exist in mac80211,
so trying to insert them generates warnings in
the document.
Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

There's a race condition -- started can be set to true
before channel is set due to the way mac80211 callbacks
currently work (->start should probably pass the channel
we would like to have initially). For now simply add a
check to hwsim to avoid dereferencing the NULL channel
pointer.
Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

Added support for the Broadcom 4318E chipset on PCMCIA/CF cards. The
4318E can do 802.11A/B/G, only B and G mode are supported in b43.
Signed-off-by: NClyde McPherson <ccmcphe@verizon.net>
Signed-off-by: NLarry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

Added support for the Broadcom 4318E chipset on PCMCIA/CF cards. The
4318E can do 802.11A/B/G, only B and G mode are supported in b43.
Signed-off-by: NClyde McPherson <ccmcphe@verizon.net>
Signed-off-by: NLarry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

Yevgen Kotikov reported success on the sourceforge zd1211-devs list
with the following details:

Brand/retail: SONY IFU-WLM2
USB-IDs: Vendor: 0x054C Device: 0x0257
chip ID: zd1211b chip 054c:0257 v4802 high 00-0b-6b AL2230_RF pa0 -----
FCC ID: unknown
Signed-off-by: NHin-Tak Leung <htl10@users.sourceforge.net>
Tested-by: NYevgen Kotikov <yevgen.kotikov@gmail.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

On a shuttle machine here we got 07b8:6001 device, handled by zd1211rw, which does not work.
Scanning is OK but association does not work, we get "direct probe to AP xxx timed out"

It appears that this simple patch makes the device work perfectly.

This id was already there in initial import of the driver so I don't know if it has ever been
working as ZD1211 (which would mean they changed it and kept the id :( ).
Signed-off-by: NPascal Terjan <pterjan@mandriva.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

Signed-off-by: NFlorian Fainelli <florian@openwrt.org>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

When the r6040 device IRQ line is shared we will enter the driver
interrupt service routine, mask off the device interrupt enable
register (MIER) and return with IRQ_NONE, we would then leave the
device with interrupts disabled, this patch fixes that issue.
Reported-by: NSteve Holland <sdh4@iastate.edu>
Signed-off-by: NJoe Chou <joe.chou@rdc.com.tw>
Signed-off-by: NFlorian Fainelli <florian@openwrt.org>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Pawel Staszewski wrote:
<blockquote>
Some time ago i report this:
http://bugzilla.kernel.org/show_bug.cgi?id=6648

and now with 2.6.29 / 2.6.29.1 / 2.6.29.3 and 2.6.30 it back
dmesg output:
oprofile: using NMI interrupt.
Fix inflate_threshold_root. Now=15 size=11 bits
...
Fix inflate_threshold_root. Now=15 size=11 bits

cat /proc/net/fib_triestat
Basic info: size of leaf: 40 bytes, size of tnode: 56 bytes.
Main:
        Aver depth:     2.28
        Max depth:      6
        Leaves:         276539
        Prefixes:       289922
        Internal nodes: 66762
          1: 35046  2: 13824  3: 9508  4: 4897  5: 2331  6: 1149  7: 5
9: 1  18: 1
        Pointers: 691228
Null ptrs: 347928
Total size: 35709  kB
</blockquote>

It seems, the current threshold for root resizing is too aggressive,
and it causes misleading warnings during big updates, but it might be
also responsible for memory problems, especially with non-preempt
configs, when RCU freeing is delayed long after call_rcu.

It should be also mentioned that because of non-atomic changes during
resizing/rebalancing the current lookup algorithm can miss valid leaves
so it's additional argument to shorten these activities even at a cost
of a minimally longer searching.

This patch restores values before the patch "[IPV4]: fib_trie root
node settings", commit: 965ffea4 from
v2.6.22.

Pawel's report:
<blockquote>
I dont see any big change of (cpu load or faster/slower
routing/propagating routes from bgpd or something else) - in avg there
is from 2% to 3% more of CPU load i dont know why but it is - i change
from "preempt" to "no preempt" 3 times and check this my "mpstat -P ALL
1 30"
always avg cpu load was from 2 to 3% more compared to "no preempt"
[...]
cat /proc/net/fib_triestat
Basic info: size of leaf: 20 bytes, size of tnode: 36 bytes.
Main:
        Aver depth:     2.44
        Max depth:      6
        Leaves:         277814
        Prefixes:       291306
        Internal nodes: 66420
          1: 32737  2: 14850  3: 10332  4: 4871  5: 2313  6: 942  7: 371  8: 3  17: 1
        Pointers: 599098
Null ptrs: 254865
Total size: 18067  kB
</blockquote>

According to this and other similar reports average depth is slightly
increased (~0.2), and root nodes are shorter (log 17 vs. 18), but
there is no visible performance decrease. So, until memory handling is
improved or added parameters for changing this individually, this
patch resets to safer defaults.
Reported-by: NPawel Staszewski <pstaszewski@itcare.pl>
Reported-by: NJorge Boncompte [DTI2] <jorge@dti2.net>
Signed-off-by: NJarek Poplawski <jarkao2@gmail.com>
Tested-by: NPawel Staszewski <pstaszewski@itcare.pl>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Check that network interface is running before changing its MAC address.
Otherwise, rxch is accessed when it's NULL - causing a kernel oops.
Moreover, check that the new MAC address is valid.
Signed-off-by: NPablo Bitton <pablo.bitton@gmail.com>
Signed-off-by: NChaithrika U S <chaithrika@ti.com>
Tested-by: NChaithrika U S <chaithrika@ti.com>
[tested on DM6467 EVM]
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

The igb driver was defaulting to using the lock for pci-e function 0 for
all of the phys due to the fact that the lan id was not being set prior to
initialization.  This change makes it so that the function id is set prior
to checking for the phy id.
Signed-off-by: NAlexander Duyck <alexander.h.duyck@intel.com>
Signed-off-by: NJeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

If rix is not found in mi->r[], i will become -1 after the loop.  This value
is eventually used to access arrays, so we were accessing arrays with a
negative index, which is obviously not what we want to do.  This patch fixes
this potential problem.
Signed-off-by: NLuciano Coelho <luciano.coelho@nokia.com>
Acked-by: NFelix Fietkau <nbd@openwrt.org>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

The code in cfg80211's cfg80211_bss_update erroneously
grabs a reference to the BSS, which means that it will
never be freed.
Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
Cc: stable@kernel.org [2.6.29, 2.6.30]
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

Fix the third (I think) polarity error I accidentally
introduced in the rfkill rewrite to make wireless work
again on (certain?) HP laptops.
Signed-off-by: NJohannes Berg <johannes@sipsolutions.net>
Tested-by: NMaciej Rutecki <maciej.rutecki@gmail.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

We allocate a PREQ queue node in mesh_queue_preq, however the allocation
may cause us to sleep.  Use GFP_ATOMIC to prevent this.

[ 1869.126498] BUG: scheduling while atomic: ping/1859/0x10000100
[ 1869.127164] Modules linked in: ath5k mac80211 ath
[ 1869.128310] Pid: 1859, comm: ping Not tainted 2.6.30-wl #1
[ 1869.128754] Call Trace:
[ 1869.129293]  [<c1023a2b>] __schedule_bug+0x48/0x4d
[ 1869.129866]  [<c13b5533>] __schedule+0x77/0x67a
[ 1869.130544]  [<c1026f2e>] ? release_console_sem+0x17d/0x185
[ 1869.131568]  [<c807cf47>] ? mesh_queue_preq+0x2b/0x165 [mac80211]
[ 1869.132318]  [<c13b5b3e>] schedule+0x8/0x1f
[ 1869.132807]  [<c1023c12>] __cond_resched+0x16/0x2f
[ 1869.133478]  [<c13b5bf0>] _cond_resched+0x27/0x32
[ 1869.134191]  [<c108a370>] kmem_cache_alloc+0x1c/0xcf
[ 1869.134714]  [<c10273ae>] ? printk+0x15/0x17
[ 1869.135670]  [<c807cf47>] mesh_queue_preq+0x2b/0x165 [mac80211]
[ 1869.136731]  [<c807d1f8>] mesh_nexthop_lookup+0xee/0x12d [mac80211]
[ 1869.138130]  [<c807417e>] ieee80211_xmit+0xe6/0x2b2 [mac80211]
[ 1869.138935]  [<c80be46d>] ? ath5k_hw_setup_rx_desc+0x0/0x66 [ath5k]
[ 1869.139831]  [<c80c97bc>] ? ath5k_tasklet_rx+0xba/0x506 [ath5k]
[ 1869.140863]  [<c8075191>] ieee80211_subif_start_xmit+0x6c9/0x6e4
[mac80211]
[ 1869.141665]  [<c105cf1c>] ? handle_level_irq+0x78/0x9d
[ 1869.142390]  [<c12e3f93>] dev_hard_start_xmit+0x168/0x1c7
[ 1869.143092]  [<c12f1f17>] __qdisc_run+0xe1/0x1b7
[ 1869.143612]  [<c12e25ff>] qdisc_run+0x18/0x1a
[ 1869.144248]  [<c12e62f4>] dev_queue_xmit+0x16a/0x25a
[ 1869.144785]  [<c13b6dcc>] ? _read_unlock_bh+0xe/0x10
[ 1869.145465]  [<c12eacdb>] neigh_resolve_output+0x19c/0x1c7
[ 1869.146182]  [<c130e2da>] ? ip_finish_output+0x0/0x51
[ 1869.146697]  [<c130e2a0>] ip_finish_output2+0x182/0x1bc
[ 1869.147358]  [<c130e327>] ip_finish_output+0x4d/0x51
[ 1869.147863]  [<c130e9d5>] ip_output+0x80/0x85
[ 1869.148515]  [<c130cc49>] dst_output+0x9/0xb
[ 1869.149141]  [<c130dec6>] ip_local_out+0x17/0x1a
[ 1869.149632]  [<c130e0bc>] ip_push_pending_frames+0x1f3/0x255
[ 1869.150343]  [<c13247ff>] raw_sendmsg+0x5e6/0x667
[ 1869.150883]  [<c1033c55>] ? insert_work+0x6a/0x73
[ 1869.151834]  [<c8071e00>] ?
ieee80211_invoke_rx_handlers+0x17da/0x1ae8 [mac80211]
[ 1869.152630]  [<c132bd68>] inet_sendmsg+0x3b/0x48
[ 1869.153232]  [<c12d7deb>] __sock_sendmsg+0x45/0x4e
[ 1869.153740]  [<c12d8537>] sock_sendmsg+0xb8/0xce
[ 1869.154519]  [<c80be46d>] ? ath5k_hw_setup_rx_desc+0x0/0x66 [ath5k]
[ 1869.155289]  [<c1036b25>] ? autoremove_wake_function+0x0/0x30
[ 1869.155859]  [<c115992b>] ? __copy_from_user_ll+0x11/0xce
[ 1869.156573]  [<c1159d99>] ? copy_from_user+0x31/0x54
[ 1869.157235]  [<c12df646>] ? verify_iovec+0x40/0x6e
[ 1869.157778]  [<c12d869a>] sys_sendmsg+0x14d/0x1a5
[ 1869.158714]  [<c8072c40>] ? __ieee80211_rx+0x49e/0x4ee [mac80211]
[ 1869.159641]  [<c80c83fe>] ? ath5k_rxbuf_setup+0x6d/0x8d [ath5k]
[ 1869.160543]  [<c80be46d>] ? ath5k_hw_setup_rx_desc+0x0/0x66 [ath5k]
[ 1869.161434]  [<c80beba4>] ? ath5k_hw_get_rxdp+0xe/0x10 [ath5k]
[ 1869.162319]  [<c80c97bc>] ? ath5k_tasklet_rx+0xba/0x506 [ath5k]
[ 1869.163063]  [<c1005627>] ? enable_8259A_irq+0x40/0x43
[ 1869.163594]  [<c101edb8>] ? __dequeue_entity+0x23/0x27
[ 1869.164793]  [<c100187a>] ? __switch_to+0x2b/0x105
[ 1869.165442]  [<c1021d5f>] ? finish_task_switch+0x5b/0x74
[ 1869.166129]  [<c12d963a>] sys_socketcall+0x14b/0x17b
[ 1869.166612]  [<c1002b95>] syscall_call+0x7/0xb
Signed-off-by: NAndrey Yurovsky <andrey@cozybit.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

We're missing a Kconfig help for the iwmc3200wifi driver.
Signed-off-by: NSamuel Ortiz <samuel.ortiz@intel.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

When we reclaim the tx desc, we always assume that the
last desc is a holding desc, which is not true, and skip it.
If the tx queue is drained during channel change, internal
reset and etc, the last descriptor may not be the holding
descriptor and we fail to reclaim them. This results in the
following two issues.

1. Tx stuck - We drop all the frames coming from upper layer
due to shortage in tx desc.

2. Crash - If we fail to reclaim a tx descriptor, we miss to
update the tx BA window with the seq number of the frame
associated to that desc, which, at some point, result in
the following crash due to an assert failure in ath_tx_addto_baw().

This patch fixes these two issues.

 kernel BUG at ../drivers/net/wireless/ath/ath9k/xmit.c:180!
[155064.304164] invalid opcode: 0000 [#1] SMP
 Call Trace:
  [<fbc6d83b>] ? ath9k_tx+0xeb/0x160 [ath9k]
  [<fbbc9591>]  ipv6? __ieee80211_tx+0x41/0x120 [mac80211]
  [<fbbcb5ae>] ?  aes_i586ieee80211_master_start_xmit+0x28e/0x560 [mac80211]
  [<c037e501>]  aes_generic? _spin_lock_irqsave+0x31/0x40
  [<c02f347b>] ? dev_hard_start_xmit+0x16b/0x1c0
  [<c03058b5>] ? __qdisc_run+0x1b5/0x200
  [<fbbcda5a>] ?  af_packetieee80211_select_queue+0xa/0x100 [mac80211]
  [<c02f53b7>] ?  i915dev_queue_xmit+0x2e7/0x3f0
  [<fbbc9b49>] ? ieee80211_subif_start_xmit+0x369/0x7a0 [mac80211]
  [<c031bc35>] ? ip_output+0x55/0xb0
  [<c02e0188>] ? show_memcpy_count+0x18/0x60
  [<c02eb186>] ? __kfree_skb+0x36/0x90
  [<c02f2202>] ?  binfmt_miscdev_queue_xmit_nit+0xd2/0x110
  [<c02f347b>] ? dev_hard_start_xmit+0x16b/0x1c0
  [<c03058b5>] ? __qdisc_run+0x1b5/0x200
  [<c033bca7>] ?  scoarp_create+0x57/0x2a0
  [<c02f53b7>] ?  bridgedev_queue_xmit+0x2e7/0x3f0
  [<c03034a0>] ? eth_header+0x0/0xc0
  [<c033b95f>]  stp? arp_xmit+0x5f/0x70
  [<c033bf4f>] ? arp_send+0x5f/0x70
  [<c033c8f5>]  bnep? arp_solicit+0x105/0x210
  [<c02fa5aa>] ? neigh_timer_handler+0x19a/0x390
  [<c013bf88>] ? run_timer_softirq+0x138/0x210
  [<c02fa410>] ?  ppdevneigh_timer_handler+0x0/0x390
  [<c02fa410>] ? neigh_timer_handler+0x0/0x390
Signed-off-by: NVasanthakumar Thiagarajan <vasanth@atheros.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

Fix condition in which radio LED did not initialize correctly, and remove
4 compilation warnings.

After the recent changes in rfkill, the radio LED used by b43/b43legacy
did not always initialize correctly.

Both b43 and b43legacy used the deprecated variable radio_enabled in
struct ieee80211_conf.
Signed-off-by: NLarry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

Don't forget to unlock cfg80211_mutex in one fail path of
nl80211_set_wiphy.
Signed-off-by: NJiri Slaby <jirislaby@gmail.com>
Signed-off-by: NJohn W. Linville <linville@tuxdriver.com>

fec: fix definition of 5272 version of FEC_X_DES_ACTIVE register

The ColdFire 5272 FEC driver has a different register address map
than other users of the FEC driver. And its definition of the
FEC_X_DES_ACTIVE register is incorrect, it should be 0x14.
The fec interface cannot transmit data with the old value.
Signed-off-by: NGreg Ungerer <gerg@uclinux.org>
----
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Signed-off-by: NGreg Ungerer <gerg@uclinux.org>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

This reverts commit a1091aae.

Commit 'net: Move rx skb_orphan call to where needed' broken sctp protocol
with warning at inet_sock_destruct(). Actually, sctp can do this right with
sctp_sock_rfree_frag() and sctp_skb_set_owner_r_frag() pair.

    sctp_sock_rfree_frag(skb);
    sctp_skb_set_owner_r_frag(skb, newsk);

This patch not revert the commit d55d87fd,
instead remove the sctp_sock_rfree_frag() function.

------------[ cut here ]------------
WARNING: at net/ipv4/af_inet.c:151 inet_sock_destruct+0xe0/0x142()
Modules linked in: sctp ipv6 dm_mirror dm_region_hash dm_log dm_multipath
scsi_mod ext3 jbd uhci_hcd ohci_hcd ehci_hcd [last unloaded: scsi_wait_scan]
Pid: 1808, comm: sctp_test Not tainted 2.6.31-rc2 #40
Call Trace:
 [<c042dd06>] warn_slowpath_common+0x6a/0x81
 [<c064a39a>] ? inet_sock_destruct+0xe0/0x142
 [<c042dd2f>] warn_slowpath_null+0x12/0x15
 [<c064a39a>] inet_sock_destruct+0xe0/0x142
 [<c05fde44>] __sk_free+0x19/0xcc
 [<c05fdf50>] sk_free+0x18/0x1a
 [<ca0d14ad>] sctp_close+0x192/0x1a1 [sctp]
 [<c0649f7f>] inet_release+0x47/0x4d
 [<c05fba4d>] sock_release+0x19/0x5e
 [<c05fbab3>] sock_close+0x21/0x25
 [<c049c31b>] __fput+0xde/0x189
 [<c049c3de>] fput+0x18/0x1a
 [<c049988f>] filp_close+0x56/0x60
 [<c042f422>] put_files_struct+0x5d/0xa1
 [<c042f49f>] exit_files+0x39/0x3d
 [<c043086a>] do_exit+0x1a5/0x5dd
 [<c04a86c2>] ? d_kill+0x35/0x3b
 [<c0438fa4>] ? dequeue_signal+0xa6/0x115
 [<c0430d05>] do_group_exit+0x63/0x8a
 [<c0439504>] get_signal_to_deliver+0x2e1/0x2f9
 [<c0401d9e>] do_notify_resume+0x7c/0x6b5
 [<c043f601>] ? autoremove_wake_function+0x0/0x34
 [<c04a864e>] ? __d_free+0x3d/0x40
 [<c04a867b>] ? d_free+0x2a/0x3c
 [<c049ba7e>] ? vfs_write+0x103/0x117
 [<c05fc8fa>] ? sys_socketcall+0x178/0x182
 [<c0402a56>] work_notifysig+0x13/0x19
---[ end trace 9db92c463e789fba ]---
Signed-off-by: NWei Yongjun <yjwei@cn.fujitsu.com>
Acked-by: NHerbert Xu <herbert@gondor.apana.org.au>
Acked-by: NVlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Fix NULL pointer dereference in tun_chr_pool() introduced by commit
33dccbb0 ("tun: Limit amount of queued
packets per device") and triggered by this code:

	int fd;
	struct pollfd pfd;
	fd = open("/dev/net/tun", O_RDWR);
	pfd.fd = fd;
	pfd.events = POLLIN | POLLOUT;
	poll(&pfd, 1, 0);
Reported-by: NEugene Kapun <abacabadabacaba@gmail.com>
Signed-off-by: NMariusz Kozlowski <m.kozlowski@tuxland.pl>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

The bit that tells us whether a statistics counter snapshot operation
has completed is located in the GLOBAL register block, not in the
GLOBAL2 register block, so fix up mv88e6xxx_stats_wait() to poll the
right register address.
Signed-off-by: NStephane Contri <Stephane.Contri@grassvalley.com>
Signed-off-by: NLennert Buytenhek <buytenh@marvell.com>
Cc: stable@kernel.org
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Eric Dumazet a écrit :
> Ingo Molnar a écrit :
>>> The following changes since commit 52989765:
>>>   Linus Torvalds (1):
>>>         Merge git://git.kernel.org/.../davem/net-2.6

> >>> are available in the git repository at:

>>>   master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6.git master
>> Hm, something in this lot quickly wrecked networking here - see the
>> tx timeout dump below. It starts with:
>>
>> [  351.004596] WARNING: at net/sched/sch_generic.c:246 dev_watchdog+0x10b/0x19c()
>> [  351.011815] Hardware name: System Product Name
>> [  351.016220] NETDEV WATCHDOG: eth0 (forcedeth): transmit queue 0 timed out
>>
>> Config attached. Unfortunately i've got no time to do bisection
>> today.
>
>
>
> forcedeth might have a problem, in its netif_wake_queue() logic, but
> I could not see why a recent patch could make this problem visible now.
>
> CPU0/1: AMD Athlon(tm) 64 X2 Dual Core Processor 3800+ stepping 02
> is not a new cpu either :)
>
> forcedeth uses an internal tx_stop without appropriate barrier.
>
> Could you try following patch ?
>
> (random guess as I dont have much time right now)

We might have a race in napi_schedule(), leaving interrupts disabled forever.
I cannot test this patch, I dont have the hardware...
Tested-by: NIngo Molnar <mingo@elte.hu>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

The call resource_size(res) returns res->end - res->start + 1 and thus the
second change is semantics-preserving.  res_size is then used as the second
argument of a call to request_mem_region, and the memory allocated by this
call appears to be the same as what is released in the two calls to
release_mem_region.  So the size argument for those calls should be
resource_size(size) as well.  Alternatively, in the second call to
release_mem_region, the second argument could be res_size, as that variable
has already been initialized at the point of this call.

The problem was found using the following semantic patch:
(http://www.emn.fr/x-info/coccinelle/)

// <smpl>
@@
struct resource *res;
@@

- (res->end - res->start) + 1
+ resource_size(res)

@@
struct resource *res;
@@

- res->end - res->start
+ BAD(resource_size(res))
// </smpl>
Signed-off-by: NJulia Lawall <julia@diku.dk>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

add new id (RIOS System PC CARD3 ETHERNET).
Signed-off-by: NKen Kawasaki <ken_kawasaki@spring.nifty.jp>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

This patch properly defines the maximum values for rx/tx coalescing timeouts.
Signed-off-by: NVlad Zolotarov <vladz@broadcom.com>
Signed-off-by: NEilon Greenstein <eilong@broadcom.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Problem reported by Flavio Leitner <fleitner@redhat.com>:
When setting rx/tx coalescing timeout to the values less than 12 traffic was
stopped.

The FW supports coalescing in 12us granularity, and so value of less then 12
should be interpreted as disabling coalescing
Signed-off-by: NVlad Zolotarov <vladz@broadcom.com>
Signed-off-by: NEilon Greenstein <eilong@broadcom.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

It is currently possible for an asynchronous device unregister
to cause the same tun device to be unregistered twice.  This
is because the unregister in tun_chr_close only checks whether
__tun_get(tfile) != NULL.  This however has nothing to do with
whether the device has already been unregistered.  All it tells
you is whether __tun_detach has been called.

This patch fixes this by using the most obvious thing to test
whether the device has been unregistered.

It also moves __tun_detach outside of rtnl_unlock since nothing
that it does requires that lock.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Occasionally we may see an interrupt without an event in the eq.
In intx, we currently see the event queue and return IRQ_NONE causing
a the irq to be disabled ("no one cared".) Instead, read the CEV_ISR
reg to check the existence of the interrupt.
Signed-off-by: NSathya Perla <sathyap@serverengines.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

This workaround is required for an issue in hardware where noise on the
interconnect between the MAC and PHY could be generated by a lower power
mode (K1) at 1000Mbps resulting in bad packets.  Disable K1 while at 1000
Mbps but keep it enabled for 10/100Mbps and when the cable is disconnected.
Signed-off-by: NBruce Allan <bruce.w.allan@intel.com>
Signed-off-by: NJeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Some PHYs may require two reads of the PHY_STATUS register to determine the
link status.  If the PHY is being accessed by another thread it is possible
the first read could timeout and fail.  In this case, put a delay in so
the second read will pick up the correct link status.
Signed-off-by: NBruce Allan <bruce.w.allan@intel.com>
Signed-off-by: NJeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>