]> git.karo-electronics.de Git - karo-tx-linux.git/log
karo-tx-linux.git
14 years agoUSB: add missing delay during remote wakeup
Alan Stern [Fri, 8 Jan 2010 16:18:38 +0000 (11:18 -0500)]
USB: add missing delay during remote wakeup

commit 49d0f078f494b9d81e820a13dd8093a9bfb0b6b1 upstream.

This patch (as1330) fixes a bug in khbud's handling of remote
wakeups.  When a device sends a remote-wakeup request, the parent hub
(or the host controller driver, for directly attached devices) begins
the resume sequence and notifies khubd when the sequence finishes.  At
this point the port's SUSPEND feature is automatically turned off.

However the device needs an additional 10-ms resume-recovery time
(TRSMRCY in the USB spec).  Khubd does not wait for this delay if the
SUSPEND feature is off, and as a result some devices fail to behave
properly following a remote wakeup.  This patch adds the missing
delay to the remote-wakeup path.

It also extends the resume-signalling delay used by ehci-hcd and
uhci-hcd from 20 ms (the value in the spec) to 25 ms (the value we use
for non-remote-wakeup resumes).  The extra time appears to help some
devices.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Cc: Rickard Bellini <rickard.bellini@ericsson.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agotty: fix race in tty_fasync
Greg Kroah-Hartman [Thu, 17 Dec 2009 15:07:19 +0000 (07:07 -0800)]
tty: fix race in tty_fasync

commit 703625118069f9f8960d356676662d3db5a9d116 upstream.

We need to keep the lock held over the call to __f_setown() to
prevent a PID race.

Thanks to Al Viro for pointing out the problem, and to Travis for
making us look here in the first place.

Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Tavis Ormandy <taviso@google.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Julien Tinnes <jln@google.com>
Cc: Matt Mackall <mpm@selenic.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoserial: 8250_pnp: use wildcard for serial Wacom tablets
Matthew Garrett [Wed, 9 Dec 2009 20:31:37 +0000 (12:31 -0800)]
serial: 8250_pnp: use wildcard for serial Wacom tablets

commit 6d34855d9aa281f72c533ecb827405139d1b0fe9 upstream.

Wacom claims that the WACF namespace will always be devoted to serial
Wacom tablets.  Remove the existing entries and add a wildcard to avoid
having to update the kernel every time they add a new device.

Signed-off-by: Ping Cheng <pingc@wacom.com>
Signed-off-by: Matthew Garrett <mjg@redhat.com>
Tested-by: Ping Cheng <pingc@wacom.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agonozomi: quick fix for the close/close bug
Alan Cox [Mon, 4 Jan 2010 16:26:50 +0000 (16:26 +0000)]
nozomi: quick fix for the close/close bug

commit eeec32a731631a9bad9abb21c626b9f2840bee0d upstream.

Nozomi goes wrong if you get the sequence

open
open
close

[stuff]
close

which turns out to occur on some ppp type setups.

This is a quick patch up for the problem. It's not really fixing Nozomi
which completely fails to implement tty open/close semantics and all the
other needed stuff. Doing it right is a rather more invasive patch set and
not one that will backport.

Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoecryptfs: use after free
Dan Carpenter [Tue, 19 Jan 2010 09:34:32 +0000 (12:34 +0300)]
ecryptfs: use after free

commit ece550f51ba175c14ec3ec047815927d7386ea1f upstream.

The "full_alg_name" variable is used on a couple error paths, so we
shouldn't free it until the end.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoecryptfs: initialize private persistent file before dereferencing pointer
Erez Zadok [Thu, 3 Dec 2009 18:35:27 +0000 (13:35 -0500)]
ecryptfs: initialize private persistent file before dereferencing pointer

commit e27759d7a333d1f25d628c4f7caf845c51be51c2 upstream.

Ecryptfs_open dereferences a pointer to the private lower file (the one
stored in the ecryptfs inode), without checking if the pointer is NULL.
Right afterward, it initializes that pointer if it is NULL.  Swap order of
statements to first initialize.  Bug discovered by Duckjin Kang.

Signed-off-by: Duckjin Kang <fromdj2k@gmail.com>
Signed-off-by: Erez Zadok <ezk@cs.sunysb.edu>
Cc: Dustin Kirkland <kirkland@canonical.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoreiserfs: truncate blocks not used by a write
Jan Kara [Thu, 17 Dec 2009 23:27:06 +0000 (15:27 -0800)]
reiserfs: truncate blocks not used by a write

commit ec8e2f7466ca370f5e09000ca40a71759afc9ac8 upstream.

It can happen that write does not use all the blocks allocated in
write_begin either because of some filesystem error (like ENOSPC) or
because page with data to write has been removed from memory.  We truncate
these blocks so that we don't have dangling blocks beyond i_size.

Cc: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agox86, apic: use physical mode for IBM summit platforms
Suresh Siddha [Mon, 18 Jan 2010 20:10:48 +0000 (12:10 -0800)]
x86, apic: use physical mode for IBM summit platforms

commit dfea91d5a7c795fd6f4e1a97489a98e4e767463e upstream.

Chris McDermott from IBM confirmed that hurricane chipset in IBM summit
platforms doesn't support logical flat mode.  Irrespective of the other
things like apic_id's, total number of logical cpu's, Linux kernel
should default to physical mode for this system.

The 32-bit kernel does so using the OEM checks for the IBM summit
platform.  Add a similar OEM platform check for the 64bit kernel too.

Otherwise the linux kernel boot can hang on this platform under certain
bios/platform settings.

Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com>
Tested-by: Ananth N Mavinakayanahalli <ananth@in.ibm.com>
Cc: Chris McDermott <lcm@linux.vnet.ibm.com>
Cc: Yinghai Lu <yinghai@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agopage allocator: update NR_FREE_PAGES only when necessary
KOSAKI Motohiro [Sat, 16 Jan 2010 01:01:18 +0000 (17:01 -0800)]
page allocator: update NR_FREE_PAGES only when necessary

commit 6ccf80eb15ccaca4d3f1ab5162b9ded5eecd9971 upstream.

commit f2260e6b (page allocator: update NR_FREE_PAGES only as necessary)
made one minor regression.  if __rmqueue() was failed, NR_FREE_PAGES stat
go wrong.  this patch fixes it.

Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: Mel Gorman <mel@csn.ul.ie>
Reviewed-by: Minchan Kim <minchan.kim@gmail.com>
Reported-by: Huang Shijie <shijie8@gmail.com>
Reviewed-by: Christoph Lameter <cl@linux-foundation.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agomegaraid_sas: remove sysfs poll_mode_io world writeable permissions
Bryn M. Reeves [Thu, 12 Nov 2009 18:31:54 +0000 (18:31 +0000)]
megaraid_sas: remove sysfs poll_mode_io world writeable permissions

commit bb7d3f24c71e528989501617651b669fbed798cb upstream.

/sys/bus/pci/drivers/megaraid_sas/poll_mode_io defaults to being
world-writable, which seems bad (letting any user affect kernel driver
behavior).

This turns off group and user write permissions, so that on typical
production systems only root can write to it.

Signed-off-by: Bryn M. Reeves <bmr@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoedac: i5000_edac critical fix panic out of bounds
Tamas Vincze [Sat, 16 Jan 2010 01:01:10 +0000 (17:01 -0800)]
edac: i5000_edac critical fix panic out of bounds

commit 118f3e1afd5534c15f9701f33514186cfc841a27 upstream.

EDAC MC0: INTERNAL ERROR: channel-b out of range (4 >= 4)
Kernel panic - not syncing: EDAC MC0: Uncorrected Error  (XEN) Domain 0 crashed: 'noreboot' set - not rebooting.

This happens because FERR_NF_FBD bit 28 is not updated on i5000.  Due to
that, both bits 28 and 29 may be equal to one, returning channel = 3.  As
this value is invalid, EDAC core generates the panic.

Addresses http://bugzilla.kernel.org/show_bug.cgi?id=14568

Signed-off-by: Tamas Vincze <tom@vincze.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Doug Thompson <dougthompson@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoinotify: only warn once for inotify problems
Eric Paris [Fri, 15 Jan 2010 17:12:25 +0000 (12:12 -0500)]
inotify: only warn once for inotify problems

commit 976ae32be45a736acd49215a7e4771ff91f161c3 upstream.

inotify will WARN() if it finds that the idr and the fsnotify internals
somehow got out of sync.  It was only supposed to do this once but due
to this stupid bug it would warn every single time a problem was
detected.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoinotify: do not reuse watch descriptors
Eric Paris [Fri, 15 Jan 2010 17:12:24 +0000 (12:12 -0500)]
inotify: do not reuse watch descriptors

commit 9e572cc9877ee6c43af60778f6b8d5ba0692d935 upstream.

Since commit 7e790dd5fc937bc8d2400c30a05e32a9e9eef276 ("inotify: fix
error paths in inotify_update_watch") inotify changed the manor in which
it gave watch descriptors back to userspace.  Previous to this commit
inotify acted like the following:

  inotify_add_watch(X, Y, Z) = 1
  inotify_rm_watch(X, 1);
  inotify_add_watch(X, Y, Z) = 2

but after this patch inotify would return watch descriptors like so:

  inotify_add_watch(X, Y, Z) = 1
  inotify_rm_watch(X, 1);
  inotify_add_watch(X, Y, Z) = 1

which I saw as equivalent to opening an fd where

  open(file) = 1;
  close(1);
  open(file) = 1;

seemed perfectly reasonable.  The issue is that quite a bit of userspace
apparently relies on the behavior in which watch descriptors will not be
quickly reused.  KDE relies on it, I know some selinux packages rely on
it, and I have heard complaints from other random sources such as debian
bug 558981.

Although the man page implies what we do is ok, we broke userspace so
this patch almost reverts us to the old behavior.  It is still slightly
racey and I have patches that would fix that, but they are rather large
and this will fix it for all real world cases.  The race is as follows:

 - task1 creates a watch and blocks in idr_new_watch() before it updates
   the hint.
 - task2 creates a watch and updates the hint.
 - task1 updates the hint with it's older wd
 - task removes the watch created by task2
 - task adds a new watch and will reuse the wd originally given to task2

it requires moving some locking around the hint (last_wd) but this should
solve it for the real world and be -stable safe.

As a side effect this patch papers over a bug in the lib/idr code which
is causing a large number WARN's to pop on people's system and many
reports in kerneloops.org.  I'm working on the root cause of that idr
bug seperately but this should make inotify immune to that issue.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoHID: add device IDs for new model of Apple Wireless Keyboard
Christian Schuerer-Waldheim [Wed, 6 Jan 2010 13:49:57 +0000 (14:49 +0100)]
HID: add device IDs for new model of Apple Wireless Keyboard

commit 23aeb61e7e1f02fb0f3b8f9e798e75537ca1731d upstream.

Added device IDs for the new model of the Apple Wireless Keyboard
(November 2009).

Signed-off-by: Christian Schuerer-Waldheim <csw@xray.at>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoALSA: usb-audio - Avoid Oops after disconnect
Takashi Iwai [Mon, 28 Dec 2009 11:24:22 +0000 (12:24 +0100)]
ALSA: usb-audio - Avoid Oops after disconnect

commit 78b8d5d2ee280c463908fd75f3bdf246bcb6ac8d upstream.

As the release of substreams may be done asynchronously from the
disconnection, close callback needs to check the shutdown flag before
actually accessing the usb interface.

Reference: Novell bnc#505027
http://bugzilla.novell.com/show_bug.cgi?id=565027

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoKVM: x86 emulator: limit instructions to 15 bytes
Avi Kivity [Tue, 24 Nov 2009 13:20:15 +0000 (15:20 +0200)]
KVM: x86 emulator: limit instructions to 15 bytes

commit eb3c79e64a70fb8f7473e30fa07e89c1ecc2c9bb upstream

While we are never normally passed an instruction that exceeds 15 bytes,
smp games can cause us to attempt to interpret one, which will cause
large latencies in non-preempt hosts.

Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoconnector: Delete buggy notification code.
Evgeniy Polyakov [Tue, 2 Feb 2010 23:58:48 +0000 (15:58 -0800)]
connector: Delete buggy notification code.

commit f98bfbd78c37c5946cc53089da32a5f741efdeb7 upstream.

On Tue, Feb 02, 2010 at 02:57:14PM -0800, Greg KH (gregkh@suse.de) wrote:
> > There are at least two ways to fix it: using a big cannon and a small
> > one. The former way is to disable notification registration, since it is
> > not used by anyone at all. Second way is to check whether calling
> > process is root and its destination group is -1 (kind of priveledged
> > one) before command is dispatched to workqueue.
>
> Well if no one is using it, removing it makes the most sense, right?
>
> No objection from me, care to make up a patch either way for this?

Getting it is not used, let's drop support for notifications about
(un)registered events from connector.
Another option was to check credentials on receiving, but we can always
restore it without bugs if needed, but genetlink has a wider code base
and none complained, that userspace can not get notification when some
other clients were (un)registered.

Kudos for Sebastian Krahmer <krahmer@suse.de>, who found a bug in the
code.

Signed-off-by: Evgeniy Polyakov <zbr@ioremap.net>
Acked-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoclockevent: Don't remove broadcast device when cpu is dead
Xiaotian Feng [Thu, 7 Jan 2010 03:22:44 +0000 (11:22 +0800)]
clockevent: Don't remove broadcast device when cpu is dead

commit ea9d8e3f45404d411c00ae67b45cc35c58265bb7 upstream.

Marc reported that the BUG_ON in clockevents_notify() triggers on his
system. This happens because the kernel tries to remove an active
clock event device (used for broadcasting) from the device list.

The handling of devices which can be used as per cpu device and as a
global broadcast device is suboptimal.

The simplest solution for now (and for stable) is to check whether the
device is used as global broadcast device, but this needs to be
revisited.

[ tglx: restored the cpuweight check and massaged the changelog ]

Reported-by: Marc Dionne <marc.c.dionne@gmail.com>
Tested-by: Marc Dionne <marc.c.dionne@gmail.com>
Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
LKML-Reference: <1262834564-13033-1-git-send-email-dfeng@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoath5k: Fix eeprom checksum check for custom sized eeproms
Luis R. Rodriguez [Mon, 4 Jan 2010 15:40:39 +0000 (10:40 -0500)]
ath5k: Fix eeprom checksum check for custom sized eeproms

commit 359207c687cc8f4f9845c8dadd0d6dabad44e584 upstream.

Commit 8bf3d79bc401ca417ccf9fc076d3295d1a71dbf5 enabled EEPROM
checksum checks to avoid bogus bug reports but failed to address
updating the code to consider devices with custom EEPROM sizes.
Devices with custom sized EEPROMs have the upper limit size stuffed
in the EEPROM. Use this as the upper limit instead of the static
default size. In case of a checksum error also provide back the
max size and whether or not this was the default size or a custom
one. If the EEPROM is busted we add a failsafe check to ensure
we don't loop forever or try to read bogus areas of hardware.

This closes bug 14874

http://bugzilla.kernel.org/show_bug.cgi?id=14874

Cc: stable@kernel.org
Cc: David Quan <david.quan@atheros.com>
Cc: Stephen Beahm <stephenbeahm@comcast.net>
Reported-by: Joshua Covington <joshuacov@googlemail.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
14 years agortc-fm3130: add missing braces
Sergey Matyukevich [Tue, 2 Feb 2010 21:43:59 +0000 (13:43 -0800)]
rtc-fm3130: add missing braces

commit f4b5162820de60204afa5c8639335f4931b7fb0c upstream.

Add missing braces for multiline 'if' statements in fm3130_probe.

Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
Signed-off-by: Alessandro Zummo <a.zummo@towertech.it>
Cc: Sergey Lapin <slapin@ossfans.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoresource: add helpers for fetching rlimits
Jiri Slaby [Thu, 19 Nov 2009 16:16:37 +0000 (17:16 +0100)]
resource: add helpers for fetching rlimits

commit 3e10e716abf3c71bdb5d86b8f507f9e72236c9cd upstream.

We want to be sure that compiler fetches the limit variable only
once, so add helpers for fetching current and maximal resource
limits which do that.

Add them to sched.h (instead of resource.h) due to circular dependency
 sched.h->resource.h->task_struct
Alternative would be to create a separate res_access.h or similar.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: James Morris <jmorris@namei.org>
Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoCPUFREQ: Fix use after free of struct powernow_k8_data
Thomas Renninger [Mon, 14 Dec 2009 10:44:15 +0000 (11:44 +0100)]
CPUFREQ: Fix use after free of struct powernow_k8_data

commit 557a701c16553b0b691dbb64ef30361115a80f64 upstream.

Easy fix for a regression introduced in 2.6.31.

On managed CPUs the cpufreq.c core will call driver->exit(cpu) on the
managed cpus and powernow_k8 will free the core's data.

Later driver->get(cpu) function might get called trying to read out the
current freq of a managed cpu and the NULL pointer check does not work on
the freed object -> better set it to NULL.

->get() is unsigned and must return 0 as invalid frequency.

Reference:
http://bugzilla.kernel.org/show_bug.cgi?id=14391

Signed-off-by: Thomas Renninger <trenn@suse.de>
Tested-by: Michal Schmidt <mschmidt@redhat.com>
Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agocciss: Make cciss_seq_show handle holes in the h->drv[] array
Stephen M. Cameron [Fri, 5 Feb 2010 12:14:04 +0000 (13:14 +0100)]
cciss: Make cciss_seq_show handle holes in the h->drv[] array

commit 531c2dc70d339c5dfa8c3eb628c3459dc6f3a075 upstream.

It is possible (and expected) for there to be holes in the h->drv[]
array, that is, some elements may be NULL pointers.  cciss_seq_show
needs to be made aware of this possibility to avoid an Oops.

To reproduce the Oops which this fixes:

1) Create two "arrays" in the Array Configuratino Utility and
   several logical drives on each array.
2) cat /proc/driver/cciss/cciss* in an infinite loop
3) delete some of the logical drives in the first "array."

Signed-off-by: Stephen M. Cameron <scameron@beardog.cce.hp.com>
Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoUBI: fix volume creation input checking
Mika Westerberg [Tue, 26 Jan 2010 15:47:05 +0000 (17:47 +0200)]
UBI: fix volume creation input checking

commit c5ce5b46af76f52dea21f467397d24c4ae6cb3ff upstream.

Do not use an unchecked variable UBI_IOCMKVOL ioctl.

Signed-off-by: Mika Westerberg <ext-mika.1.westerberg@nokia.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoSECURITY: selinux, fix update_rlimit_cpu parameter
Jiri Slaby [Fri, 28 Aug 2009 08:47:16 +0000 (10:47 +0200)]
SECURITY: selinux, fix update_rlimit_cpu parameter

commit 17740d89785aeb4143770923d67c293849414710 upstream.

Don't pass current RLIMIT_RTTIME to update_rlimit_cpu() in
selinux_bprm_committing_creds, since update_rlimit_cpu expects
RLIMIT_CPU limit.

Use proper rlim[RLIMIT_CPU].rlim_cur instead to fix that.

Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Eric Paris <eparis@parisplace.org>
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agofutex_lock_pi() key refcnt fix
Mikael Pettersson [Sat, 23 Jan 2010 21:36:29 +0000 (22:36 +0100)]
futex_lock_pi() key refcnt fix

commit 5ecb01cfdf96c5f465192bdb2a4fd4a61a24c6cc upstream.

This fixes a futex key reference count bug in futex_lock_pi(),
where a key's reference count is incremented twice but decremented
only once, causing the backing object to not be released.

If the futex is created in a temporary file in an ext3 file system,
this bug causes the file's inode to become an "undead" orphan,
which causes an oops from a BUG_ON() in ext3_put_super() when the
file system is unmounted. glibc's test suite is known to trigger this,
see <http://bugzilla.kernel.org/show_bug.cgi?id=14256>.

The bug is a regression from 2.6.28-git3, namely Peter Zijlstra's
38d47c1b7075bd7ec3881141bb3629da58f88dab "[PATCH] futex: rely on
get_user_pages() for shared futexes". That commit made get_futex_key()
also increment the reference count of the futex key, and updated its
callers to decrement the key's reference count before returning.
Unfortunately the normal exit path in futex_lock_pi() wasn't corrected:
the reference count is incremented by get_futex_key() and queue_lock(),
but the normal exit path only decrements once, via unqueue_me_pi().
The fix is to put_futex_key() after unqueue_me_pi(), since 2.6.31
this is easily done by 'goto out_put_key' rather than 'goto out'.

Signed-off-by: Mikael Pettersson <mikpe@it.uu.se>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Acked-by: Darren Hart <dvhltc@us.ibm.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agofutex: Handle user space corruption gracefully
Thomas Gleixner [Tue, 2 Feb 2010 10:40:27 +0000 (11:40 +0100)]
futex: Handle user space corruption gracefully

commit 51246bfd189064079c54421507236fd2723b18f3 upstream.

If the owner of a PI futex dies we fix up the pi_state and set
pi_state->owner to NULL. When a malicious or just sloppy programmed
user space application sets the futex value to 0 e.g. by calling
pthread_mutex_init(), then the futex can be acquired again. A new
waiter manages to enqueue itself on the pi_state w/o damage, but on
unlock the kernel dereferences pi_state->owner and oopses.

Prevent this by checking pi_state->owner in the unlock path. If
pi_state->owner is not current we know that user space manipulated the
futex value. Ignore the mess and return -EINVAL.

This catches the above case and also the case where a task hijacks the
futex by setting the tid value and then tries to unlock it.

Reported-by: Jermome Marchand <jmarchan@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Darren Hart <dvhltc@us.ibm.com>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agofutex: Handle futex value corruption gracefully
Thomas Gleixner [Wed, 3 Feb 2010 08:33:05 +0000 (09:33 +0100)]
futex: Handle futex value corruption gracefully

commit 59647b6ac3050dd964bc556fe6ef22f4db5b935c upstream.

The WARN_ON in lookup_pi_state which complains about a mismatch
between pi_state->owner->pid and the pid which we retrieved from the
user space futex is completely bogus.

The code just emits the warning and then continues despite the fact
that it detected an inconsistent state of the futex. A conveniant way
for user space to spam the syslog.

Replace the WARN_ON by a consistency check. If the values do not match
return -EINVAL and let user space deal with the mess it created.

This also fixes the missing task_pid_vnr() when we compare the
pi_state->owner pid with the futex value.

Reported-by: Jermome Marchand <jmarchan@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Darren Hart <dvhltc@us.ibm.com>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoFix potential crash with sys_move_pages
Linus Torvalds [Sat, 6 Feb 2010 00:16:50 +0000 (16:16 -0800)]
Fix potential crash with sys_move_pages

commit 6f5a55f1a6c5abee15a0e878e5c74d9f1569b8b0 upstream.

We incorrectly depended on the 'node_state/node_isset()' functions
testing the node range, rather than checking it explicitly.  That's not
reliable, even if it might often happen to work.  So do the proper
explicit test.

Reported-by: Marcus Meissner <meissner@suse.de>
Acked-and-tested-by: Brice Goglin <Brice.Goglin@inria.fr>
Acked-by: Hugh Dickins <hugh.dickins@tiscali.co.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoLinux 2.6.31.12 v2.6.31.12
Greg Kroah-Hartman [Mon, 18 Jan 2010 18:30:45 +0000 (10:30 -0800)]
Linux 2.6.31.12

14 years agoACPI: DMI init_set_sci_en_on_resume for HP-Compaq C700
Len Brown [Mon, 23 Nov 2009 16:44:12 +0000 (11:44 -0500)]
ACPI: DMI init_set_sci_en_on_resume for HP-Compaq C700

commit 87c687be055e67bc04189ce476690be73d16063e upstream.

...else ACPI thermal controls fail after resume.

http://bugzilla.kernel.org/show_bug.cgi?id=13745

Signed-off-by: Len Brown <len.brown@intel.com>
Cc: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoACPI: sleep: another HP/Compaq DMI entries for init_set_sci_en_on_resume
Vaibhav Verma [Fri, 6 Nov 2009 04:13:36 +0000 (23:13 -0500)]
ACPI: sleep: another HP/Compaq DMI entries for init_set_sci_en_on_resume

commit 2839d396e3ae0891c1fdd87aa1cea218e6f5c4df upstream.

http://bugzilla.kernel.org/show_bug.cgi?id=13745

Signed-off-by: Len Brown <len.brown@intel.com>
Cc: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoACPI: add DMI entry for SCI_EN resume quirk on HP dv4
Gustavo Maciel Dias Vieira [Mon, 19 Oct 2009 11:41:53 +0000 (09:41 -0200)]
ACPI: add DMI entry for SCI_EN resume quirk on HP dv4

commit 8a1cbf64977f89e9e9bc1d80dd01503337424f96 upstream.

Fixes the missing battery on sleep problem for yet another HP laptop
("HP Pavilion dv4").

Fixes:
http://bugzilla.kernel.org/show_bug.cgi?id=13449

Signed-off-by: Gustavo Maciel Dias Vieira <gustavo@sagui.org>
Signed-off-by: Len Brown <len.brown@intel.com>
Cc: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoACPI: sleep: another HP DMI entry for init_set_sci_en_on_resume
Len Brown [Sun, 30 Aug 2009 02:39:06 +0000 (22:39 -0400)]
ACPI: sleep: another HP DMI entry for init_set_sci_en_on_resume

commit eb0ca849863ecdc593ba7faa95fda5695af891c8 upstream.

DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion dv3 Notebook PC")

http://bugzilla.kernel.org/show_bug.cgi?id=13745

Signed-off-by: Len Brown <len.brown@intel.com>
Cc: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoipv6: skb_dst() can be NULL in ipv6_hop_jumbo().
David S. Miller [Thu, 14 Jan 2010 01:27:37 +0000 (17:27 -0800)]
ipv6: skb_dst() can be NULL in ipv6_hop_jumbo().

commit 2570a4f5428bcdb1077622342181755741e7fa60 upstream.

This fixes CERT-FI FICORA #341748

Discovered by Olli Jarva and Tuomo Untinen from the CROSS
project at Codenomicon Ltd.

Just like in CVE-2007-4567, we can't rely upon skb_dst() being
non-NULL at this point.  We fixed that in commit
e76b2b2567b83448c2ee85a896433b96150c92e6 ("[IPV6]: Do no rely on
skb->dst before it is assigned.")

However commit 483a47d2fe794328d29950fe00ce26dd405d9437 ("ipv6: added
net argument to IP6_INC_STATS_BH") put a new version of the same bug
into this function.

Complicating analysis further, this bug can only trigger when network
namespaces are enabled in the build.  When namespaces are turned off,
the dev_net() does not evaluate it's argument, so the dereference
would not occur.

So, for a long time, namespaces couldn't be turned on unless SYSFS was
disabled.  Therefore, this code has largely been disabled except by
people turning it on explicitly for namespace development.

With help from Eugene Teo <eugene@redhat.com>

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agofix more leaks in audit_tree.c tag_chunk()
Al Viro [Sat, 19 Dec 2009 16:03:30 +0000 (16:03 +0000)]
fix more leaks in audit_tree.c tag_chunk()

commit b4c30aad39805902cf5b855aa8a8b22d728ad057 upstream.

Several leaks in audit_tree didn't get caught by commit
318b6d3d7ddbcad3d6867e630711b8a705d873d7, including the leak on normal
exit in case of multiple rules refering to the same chunk.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agofix braindamage in audit_tree.c untag_chunk()
Al Viro [Sat, 19 Dec 2009 15:59:45 +0000 (15:59 +0000)]
fix braindamage in audit_tree.c untag_chunk()

commit 6f5d51148921c242680a7a1d9913384a30ab3cbe upstream.

... aka "Al had badly fscked up when writing that thing and nobody
noticed until Eric had fixed leaks that used to mask the breakage".

The function essentially creates a copy of old array sans one element
and replaces the references to elements of original (they are on cyclic
lists) with those to corresponding elements of new one.  After that the
old one is fair game for freeing.

First of all, there's a dumb braino: when we get to list_replace_init we
use indices for wrong arrays - position in new one with the old array
and vice versa.

Another bug is more subtle - termination condition is wrong if the
element to be excluded happens to be the last one.  We shouldn't go
until we fill the new array, we should go until we'd finished the old
one.  Otherwise the element we are trying to kill will remain on the
cyclic lists...

That crap used to be masked by several leaks, so it was not quite
trivial to hit.  Eric had fixed some of those leaks a while ago and the
shit had hit the fan...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoquota: Fix dquot_transfer for filesystems different from ext4
Jan Kara [Wed, 6 Jan 2010 17:03:36 +0000 (18:03 +0100)]
quota: Fix dquot_transfer for filesystems different from ext4

commit 05b5d898235401c489c68e1f3bc5706a29ad5713 upstream.

Commit fd8fbfc1 modified the way we find amount of reserved space
belonging to an inode. The amount of reserved space is checked
from dquot_transfer and thus inode_reserved_space gets called
even for filesystems that don't provide get_reserved_space callback
which results in a BUG.

Fix the problem by checking get_reserved_space callback and return 0 if
the filesystem does not provide it.

CC: Dmitry Monakhov <dmonakhov@openvz.org>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agonetfilter: nf_ct_ftp: fix out of bounds read in update_nl_seq()
Patrick McHardy [Thu, 7 Jan 2010 17:33:18 +0000 (18:33 +0100)]
netfilter: nf_ct_ftp: fix out of bounds read in update_nl_seq()

commit aaff23a95aea5f000895f50d90e91f1e2f727002 upstream.

As noticed by Dan Carpenter <error27@gmail.com>, update_nl_seq()
currently contains an out of bounds read of the seq_aft_nl array
when looking for the oldest sequence number position.

Fix it to only compare valid positions.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agonetfilter: ebtables: enforce CAP_NET_ADMIN
Florian Westphal [Fri, 8 Jan 2010 16:31:24 +0000 (17:31 +0100)]
netfilter: ebtables: enforce CAP_NET_ADMIN

commit dce766af541f6605fa9889892c0280bab31c66ab upstream.

normal users are currently allowed to set/modify ebtables rules.
Restrict it to processes with CAP_NET_ADMIN.

Note that this cannot be reproduced with unmodified ebtables binary
because it uses SOCK_RAW.

Signed-off-by: Florian Westphal <fwestphal@astaro.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agokernel/signal.c: fix kernel information leak with print-fatal-signals=1
Andi Kleen [Fri, 8 Jan 2010 22:42:52 +0000 (14:42 -0800)]
kernel/signal.c: fix kernel information leak with print-fatal-signals=1

commit b45c6e76bc2c72f6426c14bed64fdcbc9bf37cb0 upstream.

When print-fatal-signals is enabled it's possible to dump any memory
reachable by the kernel to the log by simply jumping to that address from
user space.

Or crash the system if there's some hardware with read side effects.

The fatal signals handler will dump 16 bytes at the execution address,
which is fully controlled by ring 3.

In addition when something jumps to a unmapped address there will be up to
16 additional useless page faults, which might be potentially slow (and at
least is not very efficient)

Fortunately this option is off by default and only there on i386.

But fix it by checking for kernel addresses and also stopping when there's
a page fault.

Signed-off-by: Andi Kleen <ak@linux.intel.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agohwmon: (adt7462) Fix pin 28 monitoring
Roger Blofeld [Sun, 10 Jan 2010 19:52:32 +0000 (20:52 +0100)]
hwmon: (adt7462) Fix pin 28 monitoring

commit bb595c923bc51dff9cdd112de18deb57ac7945d2 upstream.

The ADT7462_PIN28_VOLT value is a 4-bit field, so the corresponding
shift must be 4.

Signed-off-by: Roger Blofeld <blofeldus@yahoo.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agofasync: split 'fasync_helper()' into separate add/remove functions
Linus Torvalds [Wed, 16 Dec 2009 16:23:37 +0000 (08:23 -0800)]
fasync: split 'fasync_helper()' into separate add/remove functions

commit 53281b6d34d44308372d16acb7fb5327609f68b6 upstream.

Yes, the add and remove cases do share the same basic loop and the
locking, but the compiler can inline and then CSE some of the end result
anyway.  And splitting it up makes the code way easier to follow,
and makes it clearer exactly what the semantics are.

In particular, we must make sure that the FASYNC flag in file->f_flags
exactly matches the state of "is this file on any fasync list", since
not only is that flag visible to user space (F_GETFL), but we also use
that flag to check whether we need to remove any fasync entries on file
close.

We got that wrong for the case of a mixed use of file locking (which
tries to remove any fasync entries for file leases) and fasync.

Splitting the function up also makes it possible to do some future
optimizations without making the function even messier.  In particular,
since the FASYNC flag has to match the state of "is this on a list", we
can do the following future optimizations:

 - on remove, we don't even need to get the locks and traverse the list
   if FASYNC isn't set, since we can know a priori that there is no
   point (this is effectively the same optimization that we already do
   in __fput() wrt removing fasync on file close)

 - on add, we can use the FASYNC flag to decide whether we are changing
   an existing entry or need to allocate a new one.

but this is just the cleanup + fix for the FASYNC flag.

Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Tested-by: Tavis Ormandy <taviso@google.com>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Matt Mackall <mpm@selenic.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoLinux 2.6.31.11 v2.6.31.11
Greg Kroah-Hartman [Thu, 7 Jan 2010 15:23:27 +0000 (07:23 -0800)]
Linux 2.6.31.11

14 years agoRevert "rt2x00: Disable powersaving for rt61pci and rt2800pci."
Greg Kroah-Hartman [Thu, 7 Jan 2010 15:21:10 +0000 (07:21 -0800)]
Revert "rt2x00: Disable powersaving for rt61pci and rt2800pci."

This reverts commit f1850a5783908f6528c305e321119e7aa6641151.

It broke the build :(

Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoLinux 2.6.31.10 v2.6.31.10
Greg Kroah-Hartman [Wed, 6 Jan 2010 22:27:24 +0000 (14:27 -0800)]
Linux 2.6.31.10

14 years agoext4: fix sleep inside spinlock issue with quota and dealloc (#14739)
Dmitry Monakhov [Thu, 10 Dec 2009 16:36:27 +0000 (16:36 +0000)]
ext4: fix sleep inside spinlock issue with quota and dealloc (#14739)

commit 39bc680a8160bb9d6743f7873b535d553ff61058 upstream.

Unlock i_block_reservation_lock before vfs_dq_reserve_block().
This patch fixes http://bugzilla.kernel.org/show_bug.cgi?id=14739

Cc: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoext4: Convert to generic reserved quota's space management.
Dmitry Monakhov [Mon, 14 Dec 2009 12:21:14 +0000 (15:21 +0300)]
ext4: Convert to generic reserved quota's space management.

commit a9e7f4472075fb6937c545af3f6329e9946bbe66 upstream.

This patch also fixes write vs chown race condition.

Acked-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoquota: decouple fs reserved space from quota reservation
Dmitry Monakhov [Mon, 14 Dec 2009 12:21:13 +0000 (15:21 +0300)]
quota: decouple fs reserved space from quota reservation

commit fd8fbfc1709822bd94247c5b2ab15a5f5041e103 upstream.

Currently inode_reservation is managed by fs itself and this
reservation is transfered on dquot_transfer(). This means what
inode_reservation must always be in sync with
dquot->dq_dqb.dqb_rsvspace. Otherwise dquot_transfer() will result
in incorrect quota(WARN_ON in dquot_claim_reserved_space() will be
triggered)
This is not easy because of complex locking order issues
for example http://bugzilla.kernel.org/show_bug.cgi?id=14739

The patch introduce quota reservation field for each fs-inode
(fs specific inode is used in order to prevent bloating generic
vfs inode). This reservation is managed by quota code internally
similar to i_blocks/i_bytes and may not be always in sync with
internal fs reservation.

Also perform some code rearrangement:
- Unify dquot_reserve_space() and dquot_reserve_space()
- Unify dquot_release_reserved_space() and dquot_free_space()
- Also this patch add missing warning update to release_rsv()
  dquot_release_reserved_space() must call flush_warnings() as
  dquot_free_space() does.

Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoAdd unlocked version of inode_add_bytes() function
Dmitry Monakhov [Mon, 14 Dec 2009 12:21:12 +0000 (15:21 +0300)]
Add unlocked version of inode_add_bytes() function

commit b462707e7ccad058ae151e5c5b06eb5cadcb737f upstream.

Quota code requires unlocked version of this function. Off course
we can just copy-paste the code, but copy-pasting is always an evil.

Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoInput: atkbd - add force relese key quirk for Samsung R59P/R60P/R61P
Moiseev Vladimir [Mon, 7 Dec 2009 09:26:54 +0000 (17:26 +0800)]
Input: atkbd - add force relese key quirk for Samsung R59P/R60P/R61P

This patch is not upstream. Since 2.6.32, there is an interface in
/sys for handling the force_release events from userspace, so such
quirk patches are no longer accepted upstream now. But this patch is
valid for version 2.6.31 downwards.

OriginalAuthor:
    Moiseev Vladimir <cdb@linkycat.com>
    Alexander Huhlaev <sancheolz@gmail.com>

BugLink: http://bugs.launchpad.net/bugs/253874
Signed-off-by: Keng-Yu Lin <keng-yu.lin@canonical.com>
Cc: Moiseev Vladimir <cdb@linkycat.com>
Cc: Alexander Huhlaev <sancheolz@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agomemcg: avoid oom-killing innocent task in case of use_hierarchy
Daisuke Nishimura [Tue, 5 Jan 2010 03:26:33 +0000 (12:26 +0900)]
memcg: avoid oom-killing innocent task in case of use_hierarchy

commit d31f56dbf8bafaacb0c617f9a6f137498d5c7aed upstream

task_in_mem_cgroup(), which is called by select_bad_process() to check whether
a task can be a candidate for being oom-killed from memcg's limit, checks
"curr->use_hierarchy"("curr" is the mem_cgroup the task belongs to).

But this check return true(it's false positive) when:

<some path>/00 use_hierarchy == 0 <- hitting limit
  <some path>/00/aa use_hierarchy == 1 <- "curr"

This leads to killing an innocent task in 00/aa. This patch is a fix for this
bug. And this patch also fixes the arg for mem_cgroup_print_oom_info(). We
should print information of mem_cgroup which the task being killed, not current,
belongs to.

Signed-off-by: Daisuke Nishimura <nishimura@mxp.nes.nec.co.jp>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Reviewed-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agort2x00: Disable powersaving for rt61pci and rt2800pci.
Gertjan van Wingerde [Mon, 14 Dec 2009 19:33:55 +0000 (20:33 +0100)]
rt2x00: Disable powersaving for rt61pci and rt2800pci.

commit 93b6bd26b74efe46b4579592560f9f1cb7b61994 upstream.

We've had many reports of rt61pci failures with powersaving enabled.
Therefore, as a stop-gap measure, disable powersaving of the rt61pci
until we have found a proper solution.
Also disable powersaving on rt2800pci as it most probably will show
the same problem.

Signed-off-by: Gertjan van Wingerde <gwingerde@gmail.com>
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agogeneric_permission: MAY_OPEN is not write access
Serge E. Hallyn [Tue, 29 Dec 2009 20:50:19 +0000 (14:50 -0600)]
generic_permission: MAY_OPEN is not write access

commit 7ea6600148c265b1fd53e521022b1d7aec81d974 upstream.

generic_permission was refusing CAP_DAC_READ_SEARCH-enabled
processes from opening DAC-protected files read-only, because
do_filp_open adds MAY_OPEN to the open mask.

Ignore MAY_OPEN.  After this patch, CAP_DAC_READ_SEARCH is
again sufficient to open(fname, O_RDONLY) on a file to which
DAC otherwise refuses us read permission.

Reported-by: Mike Kazantsev <mk.fraggod@gmail.com>
Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Tested-by: Mike Kazantsev <mk.fraggod@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoXFS bug in log recover with quota (bugzilla id 855)
Jan Rekorajski [Mon, 16 Nov 2009 11:57:02 +0000 (11:57 +0000)]
XFS bug in log recover with quota (bugzilla id 855)

commit 8ec6dba2581754e375be66f7bedd708d856d8b30 upstream.

Hi,
I was hit by a bug in linux 2.6.31 when XFS is not able to recover the
log after a crash if fs was mounted with quotas. Gory details in XFS
bugzilla: http://oss.sgi.com/bugzilla/show_bug.cgi?id=855.

It looks like wrong struct is used in buffer length check, and the following
patch should fix the problem.

xfs_dqblk_t has a size of 104+32 bytes, while xfs_disk_dquot_t is 104 bytes
long, and this is exactly what I see in system logs - "XFS: dquot too small
(104) in xlog_recover_do_dquot_trans."

Signed-off-by: Jan Rekorajski <baggins@sith.mimuw.edu.pl>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Alex Elder <aelder@sgi.com>
Cc: Simon Kirby <sim@hostway.ca>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agox86/ptrace: make genregs[32]_get/set more robust
Linus Torvalds [Thu, 17 Dec 2009 15:04:56 +0000 (07:04 -0800)]
x86/ptrace: make genregs[32]_get/set more robust

commit 04a1e62c2cec820501f93526ad1e46073b802dc4 upstream.

The loop condition is fragile: we compare an unsigned value to zero, and
then decrement it by something larger than one in the loop.  All the
callers should be passing in appropriately aligned buffer lengths, but
it's better to just not rely on it, and have some appropriate defensive
loop limits.

Acked-by: Roland McGrath <roland@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoV4L/DVB (13596): ov511.c typo: lock => unlock
Dan Carpenter [Thu, 10 Dec 2009 19:44:51 +0000 (16:44 -0300)]
V4L/DVB (13596): ov511.c typo: lock => unlock

commit 50e9d31183ed61c787b870cb3ee8f6c3db8c8a1e upstream.

This was found with a static checker and has not been tested, but it seems
pretty clear that the mutex_lock() was supposed to be mutex_unlock()

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Douglas Schilling Landgraf <dougsland@redhat.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Cc: Brandon Philips <brandon@ifup.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoudf: Try harder when looking for VAT inode
Jan Kara [Mon, 30 Nov 2009 18:47:55 +0000 (19:47 +0100)]
udf: Try harder when looking for VAT inode

commit e971b0b9e0dd50d9ceecb67a6a6ab80a80906033 upstream.

Some disks do not contain VAT inode in the last recorded block as required
by the standard but a few blocks earlier (or the number of recorded blocks
is wrong). So look for the VAT inode a bit before the end of the media.

Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoS390: dasd: support DIAG access for read-only devices
Stefan Weinhuber [Mon, 7 Dec 2009 11:51:48 +0000 (12:51 +0100)]
S390: dasd: support DIAG access for read-only devices

commit 22825ab7693fd29769518a0d25ba43c01a50092a upstream.

When a DASD device is used with the DIAG discipline, the DIAG
initialization will indicate success or error with a respective
return code. So far we have interpreted a return code of 4 as error,
but it actually means that the initialization was successful, but
the device is read-only. To allow read-only devices to be used with
DIAG we need to accept a return code of 4 as success.

Re-initialization of the DIAG access is also part of the DIAG error
recovery. If we find that the access mode of a device has been
changed from writable to read-only while the device was in use,
we print an error message.

Signed-off-by: Stefan Weinhuber <wein@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Stephen Powell <zlinuxman@wowway.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoipv6: reassembly: use seperate reassembly queues for conntrack and local delivery
Patrick McHardy [Tue, 15 Dec 2009 15:59:18 +0000 (16:59 +0100)]
ipv6: reassembly: use seperate reassembly queues for conntrack and local delivery

commit 0b5ccb2ee250136dd7385b1c7da28417d0d4d32d upstream.

Currently the same reassembly queue might be used for packets reassembled
by conntrack in different positions in the stack (PREROUTING/LOCAL_OUT),
as well as local delivery. This can cause "packet jumps" when the fragment
completing a reassembled packet is queued from a different position in the
stack than the previous ones.

Add a "user" identifier to the reassembly queue key to seperate the queues
of each caller, similar to what we do for IPv4.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoi2c/tsl2550: Fix lux value in extended mode
Michele Jr De Candia [Thu, 26 Nov 2009 08:22:32 +0000 (09:22 +0100)]
i2c/tsl2550: Fix lux value in extended mode

commit 5f5bfb09d81c9a1d26238ae6668e584c14ae3daf upstream.

According to the TAOS Application Note 'Controlling a Backlight with
the TSL2550 Ambient Light Sensor' (page 14), the actual lux value in
extended mode should be obtained multiplying the calculated lux value
by 5.

Signed-off-by: Michele Jr De Candia <michele.decandia@valueteam.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agohwmon: (sht15) Off-by-one error in array index + incorrect constants
Jonathan Cameron [Wed, 16 Dec 2009 20:38:28 +0000 (21:38 +0100)]
hwmon: (sht15) Off-by-one error in array index + incorrect constants

commit 4235f684b66d6f00d2cd8849c884cf8f8b57ecad upstream.

Fix an off-by-one error in array index + incorrect constants.

Signed-off-by: Christoph Walser <walser@tik.ee.ethz.ch>
Signed-off-by: Jonathan Cameron <jic23@cam.ac.uk>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agohwmon: (fschmd) Fix check on unsigned in watchdog_write()
Roel Kluin [Sat, 24 Oct 2009 11:28:45 +0000 (13:28 +0200)]
hwmon: (fschmd) Fix check on unsigned in watchdog_write()

commit c7702c31340f84cfd5e5df22293578b7ae1e9370 upstream.

If unsigned the watchdog_trigger() return value will not be
checked correctly.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Acked-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agohostap: Revert a toxic part of the conversion to net_device_ops
Martin Decky [Thu, 10 Sep 2009 01:44:47 +0000 (03:44 +0200)]
hostap: Revert a toxic part of the conversion to net_device_ops

commit e484c16f6212f7f06407382efa4d3ad214b6c589 upstream.

As the hostap driver was converted to use net_device_ops, a mistake was
made in hostap_main.c (commit 5ae4efbcd2611562a8b93596be034e63495706a5).
Originally, the tx_queue_len was set to 0 for every other interface than
HOSTAP_INTERFACE_MASTER, but the new fragment of code sets tx_queue_len to
0 only for HOSTAP_INTERFACE_MASTER. The opposite of the previous
behavior makes the driver to drop all packets in AP mode.

Change the way 0 is assigned to tx_queue_len according to the original
logic.

Signed-off-by: Martin Decky <martin@decky.cz>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoe100: Fix broken cbs accounting due to missing memset.
Roger Oksanen [Sat, 19 Dec 2009 04:18:21 +0000 (20:18 -0800)]
e100: Fix broken cbs accounting due to missing memset.

commit 70abc8cb90e679d8519721e2761d8366a18212a6 upstream.

Alan Stern noticed that e100 caused slab corruption.
commit 98468efddb101f8a29af974101c17ba513b07be1 changed
the allocation of cbs to use dma pools that don't return zeroed memory,
especially the cb->status field used to track which cb to clean, causing
(the visible) double freeing of skbs and a wrong free cbs count.

Now the cbs are explicitly zeroed at allocation time.

Reported-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Roger Oksanen <roger.oksanen@cs.helsinki.fi>
Acked-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoe100: Use pci pool to work around GFP_ATOMIC order 5 memory allocation failure
Roger Oksanen [Mon, 30 Nov 2009 01:17:29 +0000 (17:17 -0800)]
e100: Use pci pool to work around GFP_ATOMIC order 5 memory allocation failure

commit 98468efddb101f8a29af974101c17ba513b07be1 upstream.

pci_alloc_consistent uses GFP_ATOMIC allocation that may fail on some systems
with limited memory (Bug #14265). pci_pool_alloc allows waiting with
GFP_KERNEL.

Tested-by: Karol Lewandowski <karol.k.lewandowski@gmail.com>
Signed-off-by: Roger Oksanen <roger.oksanen@cs.helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agox86, cpuid: Add "volatile" to asm in native_cpuid()
Suresh Siddha [Thu, 17 Dec 2009 00:25:42 +0000 (16:25 -0800)]
x86, cpuid: Add "volatile" to asm in native_cpuid()

commit 45a94d7cd45ed991914011919e7d40eb6d2546d1 upstream.

xsave_cntxt_init() does something like:

cpuid(0xd, ..); // find out what features FP/SSE/.. etc are supported

xsetbv(); // enable the features known to OS

cpuid(0xd, ..); // find out the size of the context for features enabled

Depending on what features get enabled in xsetbv(), value of the
cpuid.eax=0xd.ecx=0.ebx changes correspondingly (representing the
size of the context that is enabled).

As we don't have volatile keyword for native_cpuid(), gcc 4.1.2
optimizes away the second cpuid and the kernel continues to use
the cpuid information obtained before xsetbv(), ultimately leading to kernel
crash on processors supporting more state than the legacy FP/SSE.

Add "volatile" for native_cpuid().

Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com>
LKML-Reference: <1261009542.2745.55.camel@sbs-t61.sc.intel.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoUSB: option: support hi speed for modem Haier CE100
Donny Kurnia [Wed, 23 Dec 2009 12:03:12 +0000 (19:03 +0700)]
USB: option: support hi speed for modem Haier CE100

commit c983202bd03eb82394ef1dce5906702fcbc7bb80 upstream.

I made this patch for usbserial driver to add the support for EVDO modem
Haier CE100. The bugs report for this is here:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/490068

This patch based on these post:
http://blankblondtank.wordpress.com/2009/09/04/mengoptimalkan-koneksi-modem-haier-ce-100-cdma-di-linux/
http://tantos.web.id/blogs/how-to-internet-connection-using-cdma-evdo-modem-and-karmic-koala-ubuntu-9-10

I hope this patch can help other that have the Haier C100 modem, mostly in my country, Indonesia.

Signed-off-by: Donny Kurnia <donnykurnia@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoUSB: musb: gadget_ep0: avoid SetupEnd interrupt
Sergei Shtylyov [Tue, 15 Dec 2009 11:30:01 +0000 (13:30 +0200)]
USB: musb: gadget_ep0: avoid SetupEnd interrupt

commit 17be5c5f5ef99c94374e07f71effa78e93a20eda upstream.

Gadget stalling a zero-length SETUP request results in this error message:

SetupEnd came in a wrong ep0stage idle

In order to avoid it, always set the CSR0.DataEnd bit after detecting a zero-
length request.  Add the missing '\n' to the error message itself as well...

Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Acked-by: Anand Gadiyar <gadiyar@ti.com>
Signed-off-by: Felipe Balbi <felipe.balbi@nokia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoUSB: Fix a bug on appledisplay.c regarding signedness
pancho horrillo [Wed, 23 Dec 2009 10:09:13 +0000 (11:09 +0100)]
USB: Fix a bug on appledisplay.c regarding signedness

commit 37e9066b2f85480d99d3795373f5ef0b00ac1189 upstream.

brightness status is reported by the Apple Cinema Displays as an
'unsigned char' (u8) value, but the code used 'char' instead.

Note that he driver was developed on the PowerPC architecture,
where the two types are synonymous, which is not always the case.

Fixed that.  Otherwise the driver will interpret brightness
levels > 127 as negative, and fail to load.

Signed-off-by: pancho horrillo <pancho@pancho.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoUSB: emi62: fix crash when trying to load EMI 6|2 firmware
Clemens Ladisch [Mon, 21 Dec 2009 23:36:44 +0000 (15:36 -0800)]
USB: emi62: fix crash when trying to load EMI 6|2 firmware

commit ac06c06770bb8761b1f1f9bdf2f5420fa6d3e9fa upstream.

While converting emi62 to use request_firmware(), the driver was also
changed to use the ihex helper functions.  However, this broke the loading
of the FPGA firmware because the code tries to access the addr field of
the EOF record which works with a plain array that has an empty last
record but not with the ihex helper functions where the end of the data is
signaled with a NULL record pointer, resulting in:

BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<f80d248c>] emi62_load_firmware+0x33c/0x740 [emi62]

This can be fixed by changing the loop condition to test the return value
of ihex_next_binrec() directly (like in emi26.c).

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Reported-and-tested-by: Der Mickster <retroeffective@gmail.com>
Acked-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosound: sgio2audio/pdaudiocf/usb-audio: initialize PCM buffer
Clemens Ladisch [Fri, 18 Dec 2009 08:27:24 +0000 (09:27 +0100)]
sound: sgio2audio/pdaudiocf/usb-audio: initialize PCM buffer

commit 3e85fd614c7b6bb7f33bb04a0dcb5a3bfca4c0fe upstream.

When allocating the PCM buffer, use vmalloc_user() instead of vmalloc().
Otherwise, it would be possible for applications to play the previous
contents of the kernel memory to the speakers, or to read it directly if
the buffer is exported to userspace.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoSCSI: fc class: fix fc_transport_init error handling
Mike Christie [Wed, 18 Nov 2009 03:25:16 +0000 (21:25 -0600)]
SCSI: fc class: fix fc_transport_init error handling

commit 48de68a40aef032a2e198437f4781a83bfb938db upstream.

If transport_class_register fails we should unregister any
registered classes, or we will leak memory or other
resources.

I did a quick modprobe of scsi_transport_fc to test the
patch.

Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agopata_hpt3x2n: fix clock turnaround
Sergei Shtylyov [Thu, 17 Dec 2009 06:11:27 +0000 (01:11 -0500)]
pata_hpt3x2n: fix clock turnaround

commit 256ace9bbd4cdb6d48d5f55d55d42fa20527fad1 upstream.

The clock turnaround code still doesn't work for several reasons:

- 'USE_DPLL' flag in 'ap->host->private_data' is never initialized
  or updated, so the driver can only set the chip to the DPLL clock
  mode, not the PCI mode;

- the driver doesn't serialize access to the channels depending on
  the current clock mode like the vendor drivers, so the clock
  turnaround is only executed "optionally", not always as it should be;

- the wrong ports are written to when hpt3x2n_set_clock() is called
  for the secondary channel;

- hpt3x2n_set_clock() can inadvertently enable the disabled channels
  when resetting the channel state machines.

Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agopata_cmd64x: fix overclocking of UDMA0-2 modes
Bartlomiej Zolnierkiewicz [Sun, 20 Dec 2009 18:22:33 +0000 (19:22 +0100)]
pata_cmd64x: fix overclocking of UDMA0-2 modes

commit 509426bd46ad0903dca409803e0ee3d30f99f1e8 upstream.

adev->dma_mode stores the transfer mode value not UDMA mode number
so the condition in cmd64x_set_dmamode() is always true and the higher
UDMA clock is always selected.  This can potentially result in data
corruption when UDMA33 device is used, when 40-wire cable is used or
when the error recovery code decides to lower the device speed down.

The issue was introduced in the commit 6a40da0 ("libata cmd64x: whack
into a shape that looks like the documentation") which goes back to
kernel 2.6.20.

Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agomd: Fix unfortunate interaction with evms
NeilBrown [Wed, 30 Dec 2009 01:08:49 +0000 (12:08 +1100)]
md: Fix unfortunate interaction with evms

commit cbd1998377504df005302ac90d49db72a48552a6 upstream.

evms configures md arrays by:
  open device
  send ioctl
  close device

for each different ioctl needed.
Since 2.6.29, the device can disappear after the 'close'
unless a significant configuration has happened to the device.
The change made by "SET_ARRAY_INFO" can too minor to stop the device
from disappearing, but important enough that losing the change is bad.

So: make sure SET_ARRAY_INFO sets mddev->ctime, and keep the device
active as long as ctime is non-zero (it gets zeroed with lots of other
things when the array is stopped).

This is suitable for -stable kernels since 2.6.29.

Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoLibertas: fix buffer overflow in lbs_get_essid()
Daniel Mack [Wed, 16 Dec 2009 04:12:58 +0000 (05:12 +0100)]
Libertas: fix buffer overflow in lbs_get_essid()

commit 45b241689179a6065384260242637cf21dabfb2d upstream.

The libertas driver copies the SSID buffer back to the wireless core and
appends a trailing NULL character for termination. This is

a) unnecessary because the buffer is allocated with kzalloc and is hence
   already NULLed when this function is called, and

b) for priv->curbssparams.ssid_len == 32, it writes back one byte too
   much which causes memory corruptions.

Fix this by removing the extra write.

Signed-off-by: Daniel Mack <daniel@caiaq.de>
Cc: Stephen Hemminger <shemminger@vyatta.com>
Cc: Maithili Hinge <maithili@marvell.com>
Cc: Kiran Divekar <dkiran@marvell.com>
Cc: Michael Hirsch <m.hirsch@raumfeld.com>
Cc: netdev@vger.kernel.org
Cc: libertas-dev@lists.infradead.org
Cc: linux-wireless@lists.infradead.org
Acked-by: Holger Schurig <holgerschurig@gmail.com>
Acked-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agodrivers/net/usb: Correct code taking the size of a pointer
Julia Lawall [Sun, 13 Dec 2009 05:47:04 +0000 (05:47 +0000)]
drivers/net/usb: Correct code taking the size of a pointer

commit 6057912d7baad31be9819518674ffad349a065b1 upstream.

sizeof(dev->dev_addr) is the size of a pointer.  A few lines above, the
size of this field is obtained using netdev->addr_len for a call to memcpy,
so do the same here.

A simplified version of the semantic patch that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@@
expression *x;
expression f;
type T;
@@

*f(...,(T)x,...)
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agodma: at_hdmac: correct incompatible type for argument 1 of 'spin_lock_bh'
Nicolas Ferre [Wed, 16 Dec 2009 15:28:03 +0000 (16:28 +0100)]
dma: at_hdmac: correct incompatible type for argument 1 of 'spin_lock_bh'

commit 4297a462f455e38f08976df7b16c849614a287da upstream.

Correct a typo error in locking calls.

Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoclockevents: Prevent clockevent_devices list corruption on cpu hotplug
Thomas Gleixner [Thu, 10 Dec 2009 14:35:10 +0000 (15:35 +0100)]
clockevents: Prevent clockevent_devices list corruption on cpu hotplug

commit bb6eddf7676e1c1f3e637aa93c5224488d99036f upstream.

Xiaotian Feng triggered a list corruption in the clock events list on
CPU hotplug and debugged the root cause.

If a CPU registers more than one per cpu clock event device, then only
the active clock event device is removed on CPU_DEAD. The unused
devices are kept in the clock events device list.

On CPU up the clock event devices are registered again, which means
that we list_add an already enqueued list_head. That results in list
corruption.

Resolve this by removing all devices which are associated to the dead
CPU on CPU_DEAD.

Reported-by: Xiaotian Feng <dfeng@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Xiaotian Feng <dfeng@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agocifs: NULL out tcon, pSesInfo, and srvTcp pointers when chasing DFS referrals
Jeff Layton [Thu, 3 Dec 2009 13:09:41 +0000 (08:09 -0500)]
cifs: NULL out tcon, pSesInfo, and srvTcp pointers when chasing DFS referrals

commit a2934c7b363ddcc001964f2444649f909e583bef upstream.

The scenario is this:

The kernel gets EREMOTE and starts chasing a DFS referral at mount time.
The tcon reference is put, which puts the session reference too, but
neither pointer is zeroed out.

The mount gets retried (goto try_mount_again) with new mount info.
Session setup fails fails and rc ends up being non-zero. The code then
falls through to the end and tries to put the previously freed tcon
pointer again.  Oops at: cifs_put_smb_ses+0x14/0xd0

Fix this by moving the initialization of the rc variable and the tcon,
pSesInfo and srvTcp pointers below the try_mount_again label. Also, add
a FreeXid() before the goto to prevent xid "leaks".

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Reported-by: Gustavo Carvalho Homem <gustavo@angulosolido.pt>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoASoC: Do not write to invalid registers on the wm9712.
Eric Millbrandt [Tue, 22 Dec 2009 15:13:24 +0000 (10:13 -0500)]
ASoC: Do not write to invalid registers on the wm9712.

commit 48e3cbb3f67a27d9c2db075f3d0f700246c40caa upstream.

This patch fixes a bug where "virtual" registers were being written to the ac97
bus.  This was causing unrelated registers to become corrupted (headphone 0x04,
touchscreen 0x78, etc).

This patch duplicates protection that was included in the wm9713 driver.

Signed-off-by: Eric Millbrandt <emillbrandt@dekaresearch.com>
Acked-by: Liam Girdwood <lrg@slimlogic.co.uk>
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoacerhdf: limit modalias matching to supported
Stefan Bader [Tue, 22 Dec 2009 00:20:04 +0000 (16:20 -0800)]
acerhdf: limit modalias matching to supported

commit bdc731bc5fcd1794e9ac8ac80c389d302381c123 upstream.

BugLink: https://bugs.launchpad.net/ubuntu/+bug/435958
The module alias currently matches any Acer computer but when loaded the
BIOS checks will only succeed on Aspire One models.  This causes a invalid
BIOS warning for all other models (seen on Aspire 4810T).  This is not
fatal but worries users that see this message.  Limiting the moule alias
to models starting with AOA or DOA for Packard Bell.

Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Borislav Petkov <petkovbb@gmail.com>
Acked-by: Peter Feuerer <peter@piie.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoLinux 2.6.31.9 v2.6.31.9
Greg Kroah-Hartman [Fri, 18 Dec 2009 21:47:01 +0000 (13:47 -0800)]
Linux 2.6.31.9

14 years agodrm/i915: Fix sync to vblank when VGA output is turned off
Li Peng [Wed, 16 Dec 2009 15:33:26 +0000 (16:33 +0100)]
drm/i915: Fix sync to vblank when VGA output is turned off

commit 778c902640530371a169ad1c03566e7c51b09874 upstream

In current vblank-wait implementation, if we turn off VGA output,
drm_wait_vblank will still wait on the disabled pipe until timeout,
because vblank on the pipe is assumed be enabled. This would cause
slow system response on some system such as moblin.

This patch resolve the issue by adding a drm helper function
drm_vblank_off which explicitly clear vblank_enabled[crtc], wake up
any waiting queue and save last vblank counter before turning off
crtc. It also slightly change drm_vblank_get to ensure that we will
will return immediately if trying to wait on a disabled pipe.

Signed-off-by: Li Peng <peng.li@intel.com>
Reviewed-by: Jesse Barnes <jbarnes@virtuousgeek.org>
[anholt: hand-applied for conflicts with overlay changes]
Signed-off-by: Eric Anholt <eric@anholt.net>
Cc: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agopowerpc/therm_adt746x: Record pwm invert bit at module load time]
Darrick J. Wong [Thu, 3 Dec 2009 16:19:59 +0000 (16:19 +0000)]
powerpc/therm_adt746x: Record pwm invert bit at module load time]

commit 1496e89ae2a0962748e55165a590fa3209c6f158 upstream.

In commit 0512a9a8e277a9de2820211eef964473b714ae65, we unilaterally zero the
"pwm invert" bit in the fan behavior configuration register.  On my PowerBook
G4, this results in the fans going to full speed at low temperature and
shutting off at high temperature because the pwm invert bit is supposed to be
set.

Therefore, record the pwm invert bit at driver load time, and write the bit
into the fan behavior control register.  This restores correct behavior on my
PBG4 and should work around the bit being set to the wrong value after
suspend/resume (which is what the original patch was trying to fix).  It also
fixes a minor omission where the pwm invert bit correction is NOT performed
when switching into automatic mode.

Signed-off-by: Darrick J. Wong <djwong@us.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoV4L/DVB (13116): gspca - ov519: Webcam 041e:4067 added.
Rafal Milecki [Fri, 2 Oct 2009 06:54:44 +0000 (03:54 -0300)]
V4L/DVB (13116): gspca - ov519: Webcam 041e:4067 added.

commit 518c8df77c21b7d1690dd8b96eb0e54c4ec1c9c1 upstream.

Signed-off-by: Rafal Milecki <zajec5@gmail.com>
Signed-off-by: Jean-Francois Moine <moinejf@free.fr>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Cc: Surbhi Palande <surbhi.palande@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agothinkpad-acpi: preserve rfkill state across suspend/resume
Henrique de Moraes Holschuh [Wed, 9 Dec 2009 01:36:22 +0000 (01:36 +0000)]
thinkpad-acpi: preserve rfkill state across suspend/resume

commit 208b996b6c460285650d39b2330f8ef82c007d10 upstream.

Since the rfkill rework in 2.6.31, the driver is always resuming with
the radios disabled.

Change thinkpad-acpi to ask the firmware to resume with the radios in
the last state.  This fixes the Bluetooth and WWAN rfkill switches.

Note that it means we respect the firmware's oddities.  Should the
user toggle the hardware rfkill switch on and off, it might cause the
radios to resume enabled.

UWB is an unknown quantity since it has nowhere the same level of
firmware support (no control over state storage in NVRAM, for
example), and might need further fixing.  Testers welcome.

This change fixes a regression from 2.6.30.

Reported-by: Jerone Young <jerone.young@canonical.com>
Reported-by: Ian Molton <ian.molton@collabora.co.uk>
Signed-off-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
Tested-by: Ian Molton <ian.molton@collabora.co.uk>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agothinkpad-acpi: fix default brightness_mode for R50e/R51
Henrique de Moraes Holschuh [Wed, 9 Dec 2009 01:36:21 +0000 (01:36 +0000)]
thinkpad-acpi: fix default brightness_mode for R50e/R51

commit a9f8eacca4e9e8693de9b896c1fa7aadaa9402e8 upstream.

According to a report, the R50e wants EC-based brightness control,
even if it uses an Intel GPU.  The current driver default was reported
to not work at all.

This bug can be worked around by the "brightness_mode=3" module
parameter.

Change the default of the R50e and R51 2xxx models (which use the same
EC firmware, 1V) to TPACPI_BRGHT_Q_EC, but keep TPACPI_BRGHT_Q_ASK set
for now, as I'd like to get more reports.

This fixes a regression caused by commit
59fe4fe34d7afdf63208124f313be9056feaa2f4,
"thinkpad-acpi: fix incorrect use of TPACPI_BRGHT_MODE_ECNVRAM"

Kernel 2.6.31 also needs this fix.

Reported-by: Ferenc Wagner <wferi@niif.hu>
Tested-by: Ferenc Wagner <wferi@niif.hu>
Signed-off-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
Cc: stable@kernel.org
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agonet: Fix userspace RTM_NEWLINK notifications.
Eric W. Biederman [Mon, 14 Dec 2009 06:39:28 +0000 (22:39 -0800)]
net: Fix userspace RTM_NEWLINK notifications.

commit d90a909e1f3e006a1d57fe11fd417173b6494701 upstream.

I received some bug reports about userspace programs having problems
because after RTM_NEWLINK was received they could not immeidate
access files under /proc/sys/net/ because they had not been
registered yet.

The problem was trivailly fixed by moving the userspace
notification from rtnetlink_event to the end of register_netdevice.

Signed-off-by: Eric W. Biederman <ebiederm@aristanetworks.com>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agomatroxfb: fix problems with display stability
Alan Cox [Wed, 16 Dec 2009 00:46:40 +0000 (16:46 -0800)]
matroxfb: fix problems with display stability

commit 8c651311a3a08c1e4815de6933e00a760e498dae upstream.

Regression caused in 2.6.23 and then despite repeated requests never fixed
or dealt with (Petr promised to sort it in 2008 but seems to have
forgotten).

Enough is enough - remove the problem line that was added.  If it upsets
someone they've had two years to deal with it and at the very least it'll
rattle their cage and wake them up.

Addresses http://bugzilla.kernel.org/show_bug.cgi?id=9709

Signed-off-by: Alan Cox <alan@linux.intel.com>
Reported-by: Damon <account@bugzilla.kernel.org.juxtaposition.net>
Tested-by: Ruud van Melick <rvm1974@raketnet.nl>
Cc: Petr Vandrovec <VANDROVE@vc.cvut.cz>
Cc: Pekka Enberg <penberg@cs.helsinki.fi>
Cc: Paul A. Clarke <pc@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agojffs2: Fix long-standing bug with symlink garbage collection.
David Woodhouse [Wed, 16 Dec 2009 03:27:20 +0000 (03:27 +0000)]
jffs2: Fix long-standing bug with symlink garbage collection.

commit 2e16cfca6e17ae37ae21feca080a6f2eca9087dc upstream.

Ever since jffs2_garbage_collect_metadata() was first half-written in
February 2001, it's been broken on architectures where 'char' is signed.
When garbage collecting a symlink with target length above 127, the payload
length would end up negative, causing interesting and bad things to happen.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoipw2100: fix rebooting hang with driver loaded
Zhu Yi [Wed, 2 Dec 2009 06:24:37 +0000 (14:24 +0800)]
ipw2100: fix rebooting hang with driver loaded

commit 52ce3e9a7db754b78cf2cbabc87013f921b25b28 upstream.

Add PCI .shutdown method so that we can disable the device during
shutdown or reboot. Without this, the reboot doesn't work well on
some platforms.

This fixes http://bugzilla.intellinuxwireless.org/show_bug.cgi?id=2124

Tested-by: pablo <pablolm2005@gmail.com>
Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoipvs: zero usvc and udest
Simon Horman [Tue, 15 Dec 2009 16:01:25 +0000 (17:01 +0100)]
ipvs: zero usvc and udest

commit 258c889362aa95d0ab534b38ce8c15d3009705b1 upstream.

Make sure that any otherwise uninitialised fields of usvc are zero.

This has been obvserved to cause a problem whereby the port of
fwmark services may end up as a non-zero value which causes
scheduling of a destination server to fail for persisitent services.

As observed by Deon van der Merwe <dvdm@truteq.co.za>.
This fix suggested by Julian Anastasov <ja@ssi.bg>.

For good measure also zero udest.

Cc: Deon van der Merwe <dvdm@truteq.co.za>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoext3: Fix data / filesystem corruption when write fails to copy data
Jan Kara [Tue, 1 Dec 2009 15:53:06 +0000 (16:53 +0100)]
ext3: Fix data / filesystem corruption when write fails to copy data

commit 68eb3db08344286733adac48304d9fb7a0e53b27 upstream.

When ext3_write_begin fails after allocating some blocks or
generic_perform_write fails to copy data to write, we truncate blocks already
instantiated beyond i_size. Although these blocks were never inside i_size, we
have to truncate pagecache of these blocks so that corresponding buffers get
unmapped. Otherwise subsequent __block_prepare_write (called because we are
retrying the write) will find the buffers mapped, not call ->get_block, and
thus the page will be backed by already freed blocks leading to filesystem and
data corruption.

Reported-by: James Y Knight <foom@fuhm.net>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agodrm/i915: PineView only has LVDS and CRT ports
Zhenyu Wang [Fri, 27 Nov 2009 03:44:36 +0000 (11:44 +0800)]
drm/i915: PineView only has LVDS and CRT ports

commit 103a196f4224dc6872081305cf7f82ebf67aa7bd upstream.

PineView only has 2 ports for LVDS and CRT. Don't enable other
ports for it.

Cc: Shaohua Li <shaohua.li@intel.com>
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agodrm/i915: save/restore BLC histogram control reg across suspend/resume
Jesse Barnes [Wed, 14 Oct 2009 19:33:41 +0000 (12:33 -0700)]
drm/i915: save/restore BLC histogram control reg across suspend/resume

commit 0eb96d6ed38430b72897adde58f5477a6b71757a upstream.

Turns out some machines, like the ThinkPad X40 don't come back if you
don't save/restore this register.

Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Eric Anholt <eric@anholt.net>
Cc: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agodrm/i915: Fix LVDS stability issue on Ironlake
Zhenyu Wang [Wed, 25 Nov 2009 05:09:38 +0000 (13:09 +0800)]
drm/i915: Fix LVDS stability issue on Ironlake

commit 1b3c7a47f993bf9ab6c4c7cc3bbf5588052b58f4 upstream.

In disable sequence, all output ports on PCH have to be disabled
before PCH transcoder, but LVDS port was left always enabled. This
one fixes that by disable LVDS port properly during pipe disable
process, and resolved stability issue seen on Ironlake. Also move
panel fitting disable time just after pipe disable to align with
the spec.

Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agodrm/i915: Fix CRT hotplug detect by checking really no channels attached
Zhenyu Wang [Wed, 11 Nov 2009 02:30:50 +0000 (02:30 +0000)]
drm/i915: Fix CRT hotplug detect by checking really no channels attached

commit 8e9e0eea9955bffbe5e5cd6355157cabddc31f17 upstream.

For CRT hotplug detect status, we have four test results as blue
channel only, green channel only, both blue and green channel, and
no channel attached. Origin code only marks both blue and green channel
case as connected, but ignore other possible connected states. This one
trys to detect CRT by checking no channel attached case instead.

Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agodrm/i915: Avoid NULL dereference with component_only tv_modes
Chris Wilson [Fri, 27 Nov 2009 13:06:56 +0000 (13:06 +0000)]
drm/i915: Avoid NULL dereference with component_only tv_modes

commit d271817baecbccb47da0d9f28c285a0dae8a06b7 upstream.

In commit d2d9f2324, the guard for a valid video mode was removed. This
caused the regression:

  kernel crash during kms graphic boot on Intel GM4500 platform
  https://bugzilla.redhat.com/show_bug.cgi?id=540218

This patches changes the logic slightly not to rely on a coupled
variable, but to just check whether the video_modes is valid before
dereferencing.

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Zhenyu Wang <zhenyu.z.wang@intel.com>
[ickle: Actually reference the correct bug report]
Acked-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>