linux/drivers/net, branch v2.6.32

Merge branch 'security' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6

2009-12-01T00:47:16Z

* 'security' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6: mac80211: fix spurious delBA handling mac80211: fix two remote exploits

mac80211: fix spurious delBA handling

2009-11-30T18:55:51Z

Lennert Buytenhek noticed that delBA handling in mac80211 was broken and has remotely triggerable problems, some of which are due to some code shuffling I did that ended up changing the order in which things were done -- this was commit d75636ef9c1af224f1097941879d5a8db7cd04e5 Author: Johannes Berg Date: Tue Feb 10 21:25:53 2009 +0100 mac80211: RX aggregation: clean up stop session and other parts were already present in the original commit d92684e66091c0f0101819619b315b4bb8b5bcc5 Author: Ron Rindjunsky Date: Mon Jan 28 14:07:22 2008 +0200 mac80211: A-MPDU Tx add delBA from recipient support The first problem is that I moved a BUG_ON before various checks -- thereby making it possible to hit. As the comment indicates, the BUG_ON can be removed since the ampdu_action callback must already exist when the state is != IDLE. The second problem isn't easily exploitable but there's a race condition due to unconditionally setting the state to OPERATIONAL when a delBA frame is received, even when no aggregation session was ever initiated. All the drivers accept stopping the session even then, but that opens a race window where crashes could happen before the driver accepts it. Right now, a WARN_ON may happen with non-HT drivers, while the race opens only for HT drivers. For this case, there are two things necessary to fix it: 1) don't process spurious delBA frames, and be more careful about the session state; don't drop the lock 2) HT drivers need to be prepared to handle a session stop even before the session was really started -- this is true for all drivers (that support aggregation) but iwlwifi which can be fixed easily. The other HT drivers (ath9k and ar9170) are behaving properly already. Reported-by: Lennert Buytenhek Cc: stable@kernel.org Signed-off-by: Johannes Berg Signed-off-by: John W. Linville

b44: Fix wedge when using netconsole.

2009-11-30T08:13:28Z

Fixes kernel bugzilla #14691 Due to the way netpoll works, it is perfectly legal to see NAPI already scheduled when new device events are pending in b44_interrupt(). So logging a message about it is wrong and in fact harmful. Based upon a patch by Andreas Mohr. Signed-off-by: David S. Miller

wan: cosa: drop chan->wsem on error path

2009-11-30T08:06:51Z

The other paths all drop chan->wsem. This was found by a static checker (smatch). Signed-off-by: Dan Carpenter Acked-by: Jan "Yenya" Kasprzak Signed-off-by: David S. Miller

ep93xx-eth: check for zero MAC address on probe, not on device open

2009-11-30T07:50:32Z

If we happen to have registered the driver without passing a MAC address, we will print a zero MAC address and register the interface with this invalid address, this is confusin. This patch moves the checking of a valid ethernet address and the generation of a random one down from the open function to the probe function. Signed-off-by: Florian Fainelli Acked-by: Lennert Buytenhek Signed-off-by: David S. Miller

NET: smc91x: Fix irq flags

2009-11-30T07:47:14Z

smc91x.h defines SMC_IRQ_FLAGS to be -1 when it wants the interrupt flags to be taken from the resource structure. However, d280ead changed this to checking for non-zero resource flags. Unfortunately, this means that on some platforms, we end up passing '-1' to request_irq rather than the desired result. Combine the two conditions into one so that the IRQ flags are taken from the resource if either SMC_IRQ_FLAGS is -1 or the resource flags specify an interrupt trigger. This restores network on at least the Versatile platform. Signed-off-by: Russell King Acked-by: Eric Miao Signed-off-by: David S. Miller

smsc9420: prevent BUG() if ethtool is called with interface down

2009-11-30T07:14:45Z

This patch fixes a null pointer dereference BUG() if ethtool is used on an smsc9420 interface while it is down, because the phy_dev is only allocated while the interface is up. Signed-off-by: Steve Glendinning Signed-off-by: David S. Miller

r8169: restore mac addr in rtl8169_remove_one and rtl_shutdown

2009-11-30T07:12:52Z

The newer chipsets (all PCI-E) are known that they need full power cycle (AC or battery removal) to reset MAC address to a hardwired one. Previous patch to address this problem loads the original MAC address from EEPROM. But it brought other problem for which it is necessary to introduce a new module parameter. However, it might suffice to restore the initial MAC address before shutdown/reboot/kexec and when removing the module. Signed-off-by: Ivan Vecera Signed-off-by: David S. Miller

e100: Use pci pool to work around GFP_ATOMIC order 5 memory allocation failure

2009-11-30T01:17:29Z

pci_alloc_consistent uses GFP_ATOMIC allocation that may fail on some systems with limited memory (Bug #14265). pci_pool_alloc allows waiting with GFP_KERNEL. Tested-by: Karol Lewandowski Signed-off-by: Roger Oksanen Signed-off-by: David S. Miller

macvlan: fix gso_max_size setting

2009-11-23T22:18:53Z

gso_max_size must be set based on the value of the underlying device to support devices not using the full 64k. Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller