[CRYPTO] api: fix writting into unallocated memory in setkey_aligned
setkey_unaligned() commited in ca7c39385ce1a7b44894a4b225a4608624e90730
overwrites unallocated memory in the following memset() because
I used the wrong buffer length.
Signed-off-by: Sebastian Siewior <sebastian@breakpoint.cc> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Linus Torvalds [Fri, 3 Aug 2007 22:16:33 +0000 (15:16 -0700)]
Merge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc
* 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc:
[POWERPC] Fixes for the SLB shadow buffer code
[POWERPC] Fix a compile warning in powermac/feature.c
[POWERPC] Fix a compile warning in pci_32.c
[POWERPC] Fix parse_drconf_memory() for 64-bit start addresses
[POWERPC] Fix num_cpus calculation in smp_call_function_map()
[POWERPC] ps3: Fix section mismatch in ps3/setup.c
[POWERPC] spufs: Fix affinity after introduction of node_allowed() calls
[POWERPC] Fix special PTE code for secondary hash bucket
[POWERPC] Expand RPN field to 34 bits when using 64k pages
Oleg Nesterov [Fri, 3 Aug 2007 21:04:41 +0000 (01:04 +0400)]
Kill some obsolete sub-thread-ptrace stuff
There is a couple of subtle checks which were needed to handle ptracing from
the same thread group. This was deprecated a long ago, imho this code just
complicates the understanding.
And, the "->parent->signal->flags & SIGNAL_GROUP_EXIT" check in exit_notify()
is not right. SIGNAL_GROUP_EXIT can mean exec(), not exit_group(). This means
ptracer can lose a ptraced zombie on exec(). Minor problem, but still the bug.
Daniel Ritz [Fri, 3 Aug 2007 14:07:43 +0000 (16:07 +0200)]
serial: fix 8250 early console setup
the early setup function serial8250_console_early_setup() can be called
from non __init code (eg. hotpluggable serial ports like serial_cs) so
remove the __init from the call chain to avoid crashes.
Signed-off-by: Daniel Ritz <daniel.ritz@gmx.ch> Cc: Yinghai Lu <yinghai.lu@sun.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds [Fri, 3 Aug 2007 21:57:41 +0000 (14:57 -0700)]
Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
* 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6:
[TCP]: DSACK signals data receival, be conservative
[TCP]: Also handle snd_una changes in tcp_cwnd_down
[TIPC]: Fix two minor sparse warnings.
[TIPC]: Make function tipc_nameseq_subscribe static.
[PF_KEY]: Fix ipsec not working in 2.6.23-rc1-git10
[TCP]: Invoke tcp_sendmsg() directly, do not use inet_sendmsg().
[IPV4] route.c: mostly kmalloc + memset conversion to k[cz]alloc
[IPV4] raw.c: kmalloc + memset conversion to kzalloc
[NETFILTER] nf_conntrack_l3proto_ipv4_compat.c: kmalloc + memset conversion to kzalloc
[NETFILTER] nf_conntrack_expect.c: kmalloc + memset conversion to kzalloc
[NET]: Removal of duplicated include net/wanrouter/wanmain.c
SCTP: remove useless code in function sctp_init_cause
SCTP: drop SACK if ctsn is not less than the next tsn of assoc
SCTP: IPv4 mapped addr not returned in SCTPv6 accept()
SCTP: IPv4 mapped addr not returned in SCTPv6 accept()
sctp: fix shadow symbol in net/sctp/tsnmap.c
sctp: try to fix readlock
sctp: remove shadowed symbols
sctp: move global declaration to header file.
sctp: make locally used function static
Satyam Sharma [Fri, 3 Aug 2007 02:57:13 +0000 (08:27 +0530)]
[MTD] Makefile fix for mtdsuper
We want drivers/mtd/{mtdcore, mtdsuper, mtdpart}.c to be built and linked
into the same mtd.ko module. Fix the Makefile to ensure this, and remove
duplicate MODULE_ declarations in mtdpart.c, as mtdcore.c already has them.
Signed-off-by: Satyam Sharma <satyam@infradead.org> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Michael Neuling [Fri, 3 Aug 2007 01:55:39 +0000 (11:55 +1000)]
[POWERPC] Fixes for the SLB shadow buffer code
On a machine with hardware 64kB pages and a kernel configured for a
64kB base page size, we need to change the vmalloc segment from 64kB
pages to 4kB pages if some driver creates a non-cacheable mapping in
the vmalloc area. However, we never updated with SLB shadow buffer.
This fixes it. Thanks to paulus for finding this.
Also added some write barriers to ensure the shadow buffer contents
are always consistent.
Signed-off-by: Michael Neuling <mikey@neuling.org> Signed-off-by: Paul Mackerras <paulus@samba.org>
[POWERPC] Fix parse_drconf_memory() for 64-bit start addresses
Some new machines use the "ibm,dynamic-reconfiguration-memory" property
to provide memory layout information, rather than via memory nodes.
There is a bug in the code to parse this property for start addresses
over 4GB; we store the start address in an unsigned int, which means
we throw away the high bits and add apparently duplicate regions.
This results in a BUG() in free_bootmem_core(). This fixes it by
using an unsigned long instead.
Signed-off-by: Michael Ellerman <michael@ellerman.id.au> Signed-off-by: Paul Mackerras <paulus@samba.org>
Kevin Corry [Tue, 31 Jul 2007 20:19:46 +0000 (06:19 +1000)]
[POWERPC] Fix num_cpus calculation in smp_call_function_map()
In smp_call_function_map(), num_cpus is set to the number of online
CPUs minus one. However, if the CPU mask does not include all CPUs
(except the one we're running on), the routine will hang in the first
while() loop until the 8 second timeout occurs.
The num_cpus should be set to the number of CPUs specified in the mask
passed into the routine, after we've made any modifications to the
mask. With this change, we can also get rid of the call to
cpus_empty() and avoid adding another pass through the bitmask.
Signed-off-by: Kevin Corry <kevcorry@us.ibm.com> Signed-off-by: Carl Love <carll@us.ibm.com> Signed-off-by: Paul Mackerras <paulus@samba.org>
Andre Detsch [Mon, 30 Jul 2007 23:48:11 +0000 (09:48 +1000)]
[POWERPC] spufs: Fix affinity after introduction of node_allowed() calls
This patch fixes affinity reference point placement, which was not being
done in some situations, after the introduction of node_allowed() calls.
The previously used parameter, 'ctx', is just the iterator of the
previous list_for_each_entry_reverse loop, and its value might be
invalid at the end of the loop. Also, the right context to seek
for information when defining the reference ctx location
_is_ the reference ctx.
Signed-off-by: Andre Detsch <adetsch@br.ibm.com> Signed-off-by: Arnd Bergmann <arnd.bergmann@de.ibm.com> Signed-off-by: Jeremy Kerr <jk@ozlabs.org> Signed-off-by: Paul Mackerras <paulus@samba.org>
Paul Mackerras [Fri, 3 Aug 2007 09:16:11 +0000 (19:16 +1000)]
[POWERPC] Fix special PTE code for secondary hash bucket
The code for mapping special 4k pages on kernels using a 64kB base
page size was missing the code for doing the RPN (real page number)
manipulation when inserting the hardware PTE in the secondary hash
bucket. It needs the same code as has already been added to the
code that inserts the HPTE in the primary hash bucket. This adds it.
Paul Mackerras [Fri, 3 Aug 2007 04:08:24 +0000 (14:08 +1000)]
[POWERPC] Expand RPN field to 34 bits when using 64k pages
The real page number field in our PTEs when configured for 64kB pages
is currently 32 bits, which turns out to be not quite enough for the
resources that the eHCA driver wants to map. This expands the RPN
field to include 2 adjacent, previously-unused bits.
Signed-off-by: Paul Mackerras <paulus@samba.org> Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Ilpo Järvinen [Fri, 3 Aug 2007 02:46:58 +0000 (19:46 -0700)]
[TCP]: Also handle snd_una changes in tcp_cwnd_down
tcp_cwnd_down must check for it too as it should be conservative
in case of collapse stuff and also when receiver is trying to
lie (though that wouldn't be very successful/useful anyway).
Note:
- Separated also is_dupack and do_lost in fast_retransalert
* Much cleaner look-and-feel now
* This time it really fixes cumulative ACK with many new
SACK blocks recovery entry (I claimed this fixes with
last patch but it wasn't). TCP will now call
tcp_update_scoreboard regardless of is_dupack when
in recovery as long as there is enough fackets_out.
- Introduce FLAG_SND_UNA_ADVANCED
* Some prior_snd_una arguments are unnecessary after it
- Added helper FLAG_ANY_PROGRESS to avoid long FLAG...|FLAG...
constructs
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
Joy Latten [Fri, 3 Aug 2007 02:25:43 +0000 (19:25 -0700)]
[PF_KEY]: Fix ipsec not working in 2.6.23-rc1-git10
Although an ipsec SA was established, kernel couldn't seem to find it.
I think since we are now using "x->sel.family" instead of "family" in
the xfrm_selector_match() called in xfrm_state_find(), af_key needs to
set this field too, just as xfrm_user.
In af_key.c, x->sel.family only gets set when there's an
ext_hdrs[SADB_EXT_ADDRESS_PROXY-1] which I think is for tunnel.
I think pfkey needs to also set the x->sel.family field when it is 0.
Tested with below patch, and ipsec worked when using pfkey.
Signed-off-by: David S. Miller <davem@davemloft.net>
David S. Miller [Fri, 3 Aug 2007 02:23:56 +0000 (19:23 -0700)]
[TCP]: Invoke tcp_sendmsg() directly, do not use inet_sendmsg().
As discovered by Evegniy Polyakov, if we try to sendmsg after
a connection reset, we can do incredibly stupid things.
The core issue is that inet_sendmsg() tries to autobind the
socket, but we should never do that for TCP. Instead we should
just go straight into TCP's sendmsg() code which will do all
of the necessary state and pending socket error checks.
TCP's sendpage already directly vectors to tcp_sendpage(), so this
merely brings sendmsg() in line with that.
Signed-off-by: David S. Miller <davem@davemloft.net>
Magnus Damm [Fri, 3 Aug 2007 01:17:47 +0000 (10:17 +0900)]
sh: fix defconfigs for sh7751r boards
This patch fixes up the defconfig for various sh7751r based boards
by updating them to the single cpu subtype CONFIG_CPU_SUBTYPE_SH7751R.
The following sh4 boards are updated: hs7751rvoip, landisk, lboxre2,
systemh, titan.
The current defconfigs with two subtypes defined trigger a configuration
bug which result in kernel configurations with missing board support
code. We end up with kernels without board code and with generic machvec
only.
So we need this patch to make sure the board code gets compiled in.
Signed-off-by: Magnus Damm <damm@igel.co.jp> Signed-off-by: Paul Mundt <lethal@linux-sh.org>
Ben Dooks [Mon, 28 May 2007 18:17:54 +0000 (19:17 +0100)]
[MTD] [NAND] nand_base.c: fix type of eccpos pointer
The nand_base.c driver implicitly casts the uint32_t
eccpos array to 'int *', which is not only not guaranteed
to be the same sign as the source, but is not guaranteed
to be the same size.
Fix by changing nand_base.c to use uint32_t
referencing the eccpos fields.
Signed-off-by: Ben Dooks <ben-linux@fluff.org> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
When we mark block bad we have to get chip because this involves
writing to the page's OOB. We hit this bug in UBI - we observed
random obscure crashes when it marks block bad from the background
thread and there is some parallel task which utilizes flash.
This patch also adds a TODO note about BBT table protection which
it seems does not exist.
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Roland Stigge [Wed, 18 Jul 2007 12:56:11 +0000 (14:56 +0200)]
[MTD] [NAND] Fix refactoring of EDB7312 hwcontrol function.
The patch ensures that the current code (kernel 2.6.22) uses the bits
like the code prior to the refactoring. The variable "bits" is employed
in a useful way now.
Signed-off-by: Roland Stigge <stigge@antcom.de> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
David Woodhouse [Thu, 28 Jun 2007 18:49:36 +0000 (19:49 +0100)]
[JFFS2] Fix suspend failure with JFFS2 GC thread.
The try_to_freeze() call was in the wrong place; we need it in the
signal-pending loop now that a pending freeze also makes
signal_pending() return true.
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Joakim Tjernlund [Sun, 24 Jun 2007 17:22:29 +0000 (19:22 +0200)]
[JFFS2] Prevent oops after 'node added in wrong place' debug check
jffs2_add_physical_node_ref() should never really return error -- it's
an internal debugging check which triggered. We really need to work out
why and stop it happening. But in the meantime, let's make the failure
mode a little less nasty.
Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Stefan Richter [Sat, 21 Jul 2007 20:43:05 +0000 (22:43 +0200)]
firewire: fw-sbp2: set correct maximum payload (fixes CardBus adapters)
As far as I know, all CardBus FireWire 400 adapters have a maximum
payload of 1024 bytes which is less than the speed-dependent limit of
2048 bytes. Fw-sbp2 has to take the host adapter's limit into account.
This apparently fixes Juju's incompatibility with my CardBus cards, a
NEC based card and a VIA based card.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Acked-by: Kristian Høgsberg <krh@redhat.com>
Revert commit 0555659d63c285ceb7ead3115532e1b71b0f27a7 from 2.6.22-rc1.
The dma_set_mask call somehow failed on a PowerMac G5, PPC64:
http://lkml.org/lkml/2007/8/1/344
Should there ever occur a DMA mapping beyond the physical DMA range, a
proper SBP-2 firmware will report transport errors. So let's leave it
at that.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Tested-by: Olaf Hering <olh@suse.de>
H. Peter Anvin [Thu, 2 Aug 2007 17:50:43 +0000 (13:50 -0400)]
[x86 setup] Document grub < 0.93 as broken
Grub older than 0.93 are broken when the kernel setup is bigger than
8K. This was fixed in 2002, and 0.93 was the first grub version which
fixed this bug.
Paul Moore [Wed, 1 Aug 2007 15:12:59 +0000 (11:12 -0400)]
Net/Security: fix memory leaks from security_secid_to_secctx()
The security_secid_to_secctx() function returns memory that must be freed
by a call to security_release_secctx() which was not always happening. This
patch fixes two of these problems (all that I could find in the kernel source
at present).
Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
Paul Moore [Mon, 30 Jul 2007 20:33:26 +0000 (16:33 -0400)]
SELinux: restore proper NetLabel caching behavior
A small fix to the SELinux/NetLabel glue code to ensure that the NetLabel
cache is utilized when possible. This was broken when the SELinux/NetLabel
glue code was reorganized in the last kernel release.
Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
Peter Williams [Thu, 2 Aug 2007 15:41:40 +0000 (17:41 +0200)]
[PATCH] sched: tidy up left over smpnice code
1. The only place that RTPRIO_TO_LOAD_WEIGHT() is used is in the call to
move_tasks() in the function active_load_balance() and its purpose here
is just to make sure that the load to be moved is big enough to ensure
that exactly one task is moved (if there's one available). This can be
accomplished by using ULONG_MAX instead and this allows
RTPRIO_TO_LOAD_WEIGHT() to be deleted.
2. This, in turn, allows PRIO_TO_LOAD_WEIGHT() to be deleted.
3. This allows load_weight() to be deleted which allows
TIME_SLICE_NICE_ZERO to be deleted along with the comment above it.
Signed-off-by: Peter Williams <pwil3058@bigpond.net.au> Signed-off-by: Ingo Molnar <mingo@elte.hu>
Wei Yongjun [Thu, 2 Aug 2007 08:57:44 +0000 (16:57 +0800)]
SCTP: drop SACK if ctsn is not less than the next tsn of assoc
We need to drop the SACK if the peer is attempting to acknowledge
unset data, i.e. the CTSN in the SACK is greater or equal to the
next TSN we will send.
Example:
Endpoint A Endpoint B
<--------------- DATA (TSN=1)
SACK(TSN=1) --------------->
<--------------- DATA (TSN=2)
<--------------- DATA (TSN=3)
<--------------- DATA (TSN=4)
<--------------- DATA (TSN=5)
SACK(TSN=1000) --------------->
<--------------- DATA (TSN=6)
<--------------- DATA (TSN=7)
USB HID: fix a possible NULL pointer dereference when we fail to allocate memory
If, in usb_hid_configure(), we fail to allocate storage for 'usbhid',
"if (!(usbhid = kzalloc(sizeof(struct usbhid_device), GFP_KERNEL)))",
then we'll jump to the 'fail:' label where we have this code:
usb_free_urb(usbhid->urbin);
usb_free_urb(usbhid->urbout);
usb_free_urb(usbhid->urbctrl);
Since we got here because we couldn't allocate storage for 'usbhid',
what we have here is a NULL pointer dereference - ouch...
This patch solves that little problem by adding a new
'fail_no_usbhid:' label after the problematic calls to
usb_free_urb() and jumps to that one instead, in the problem case.
Some of ASUS' notebooks (e.g G Series) include a tiny oled display, which is
attached to an internal USB bus. Unfortunatly the device reports a wrong
DeviceDescriptor and is therefore identified as a HID device...
Signed-off-by: Christian Lamparter <chunkeey@web.de> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Phil Dibowitz [Mon, 30 Jul 2007 10:00:48 +0000 (12:00 +0200)]
USB HID: Add all Logitech Harmonies to blacklist
This patch adds the entire range of Logitech's ProductIDs that are reserved
for their Harmony remotes. The in-kernel HID driver can't do anything with
these, and now there is a GPL user-space application that can handle them:
http://www.sf.net/projects/harmonycontrol
Signed-off-by: Phil Dibowitz <phil@ipom.com> Signed-off-by: Jiri Kosina <jkosina@suse.cz>
HID: remove the Applie IR sensor from the hid_blacklist
The IR sensor in some newer Apple computers has no other
driver in the kernel, yet. However, the macmini driver in lirc
requires a HID device for the IR sensor.
Linus Torvalds [Thu, 2 Aug 2007 03:48:54 +0000 (20:48 -0700)]
Merge branch 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6
* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6:
[IA64] ITC: Reduce rating for ITC clock if ITCs are drifty
[IA64] SN2: Fix up sn2_rtc clock
[IA64] Fix wrong access to irq_desc[] in iosapic_register_intr().
[IA64] Fix possible race in destroy_and_reserve_irq()
[IA64] Fix registered interrupt check
[IA64] Remove a few duplicate includes
[IA64] Allow smp_call_function_single() to current cpu
[IA64] fix a few section mismatch warnings
* master.kernel.org:/pub/scm/linux/kernel/git/bart/ide-2.6:
scc_pata: PIO fixes
piix/slc90e66: fix PIO1 handling in ->speedproc method (take 2)
jmicron: PIO fixes
it8213: PIO fixes (take 2)
cs5535: PIO fixes
cs5520: fix PIO auto-tuning in ->ide_dma_check method
drivers/scsi/ide-scsi.c: kmalloc + memset conversion to kzalloc
drivers/ide/arm/icside.c: kmalloc + memset conversion to kzalloc
ide: eliminate warnings in ide-tape.c
ide: fix runtogether printk's in cmd64x IDE driver
sis5513: Add FSC Amilo A1630 PCI subvendor/dev to laptops
alim15x3: Correct HP detect
ide: Fix an overrun found in the CS5535 IDE driver
David Howells [Wed, 1 Aug 2007 18:04:51 +0000 (19:04 +0100)]
FRV: Enable the MB86943 PCI arbiter correctly
Enable the MB93090 motherboard's MB86943 PCI arbiter correctly by assigning to
the register rather than comparing against it. This is required to support
bus mastering.
Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Thomas Gleixner [Wed, 1 Aug 2007 15:13:19 +0000 (17:13 +0200)]
genirq: temporary fix for level-triggered IRQ resend
Marcin Slusarz reported a ne2k-pci "hung network interface" regression.
delayed disable relies on the ability to re-trigger the interrupt in the
case that a real interrupt happens after the software disable was set.
In this case we actually disable the interrupt on the hardware level
_after_ it occurred.
On enable_irq, we need to re-trigger the interrupt. On i386 this relies
on a hardware resend mechanism (send_IPI_self()).
Actually we only need the resend for edge type interrupts. Level type
interrupts come back once enable_irq() re-enables the interrupt line.
I assume that the interrupt in question is level triggered because it is
shared and above the legacy irqs 0-15:
17: 12 IO-APIC-fasteoi eth1, eth0
Looking into the IO_APIC code, the resend via send_IPI_self() happens
unconditionally. So the resend is done for level and edge interrupts.
This makes the problem more mysterious.
* Use pio == 255 == "auto-tune" in scc_config_drive_for_dma() instead of
forcing PIO4 on PIO fallback. Fix comment while at it.
* Rename scc_tuneproc() to scc_tune_pio() and add scc_tuneproc() wrapper.
Move finding of the best PIO mode and setting of transfer mode on the device
to the new wrapper.
* Fix scc_tune_chipset() to tune PIO modes. Do a small cleanup while at it.
Acked-by: Sergei Shtylyov <sshtylyov@ru.mvista.com> Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
* Fix cs5535_tuneproc() to pass PIO transfer mode value instead of PIO mode
number to cs5535_set_speed() (fixes random PIO timings being programmed
and a possible OOPS). Do a little cleanup while at it.
* Fix cs5535_set_speed() to check if the mate device is present (fixes PIO0
taskfile timings being used if there is no other device on the cable).
* Use cs5535_tuneproc() in cs5535_dma_check(). The old code had the same
issue as cs5535_tuneproc() and add additionally caused 0x00-0x04 transfer
mode values (== default PIO, default PIO w/ IORDY + two invalid values)
being set on the device instead of values 0x08-0x0c (XFER_PIO_[0,4]).
Acked-by: Sergei Shtylyov <sshtylyov@ru.mvista.com> Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>