git.karo-electronics.de Git - karo-tx-linux.git/log
karo-tx-linux.git
16 years ago
ia64: Fix unaligned handler for floating point instructions with base update
Luck, Tony [Wed, 16 Jan 2008 19:04:16 +0000 (11:04 -0800)]
ia64: Fix unaligned handler for floating point instructions with base update

commit 1a499150e4ec1299232e24389f648d059ce5617a in mainline.

[IA64] Fix unaligned handler for floating point instructions with base update

The compiler team did the hard work for this distilling a problem in
large fortran application which showed up when applied to a 290MB input
data set down to this instruction:

ldfd f34=[r17],-8

Which they noticed incremented r17 by 0x10 rather than decrementing it
by 8 when the value in r17 caused an unaligned data fault.  I tracked
it down to some bad instruction decoding in unaligned.c. The code
assumes that the 'x' bit can determine whether the instruction is
an "ldf" or "ldfp" ... which it is for opcode=6 (see table 4-29 on
page 3:302 of the SDM).  But for opcode=7 the 'x' bit is irrelevant,
all variants are "ldf" instructions (see table 4-36 on page 3:306).

Note also that interpreting the instruction as "ldfp" means that the
"paired" floating point register (f35 in the example here) will also
be corrupted.

Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
sata_promise: ASIC PRD table bug workaround
Mikael Pettersson [Wed, 16 Jan 2008 09:33:00 +0000 (10:33 +0100)]
sata_promise: ASIC PRD table bug workaround

patch 03116d67e0973bb493fe9307e28973a24a272bcc in mainline.

Second-generation Promise SATA controllers have an ASIC bug
which can trigger if the last PRD entry is larger than 164 bytes,
resulting in intermittent errors and possible data corruption.

Work around this by replacing calls to ata_qc_prep() with a
private version that fills the PRD, checks the size of the
last entry, and if necessary splits it to avoid the bug.
Also reduce sg_tablesize by 1 to accommodate the new entry.

Tested on the second-generation SATA300 TX4 and SATA300 TX2plus,
and the first-generation PDC20378.

Thanks to Alexander Sabourenkov for verifying the bug by
studying the vendor driver, and for writing the initial patch
upon which this one is based.

Signed-off-by: Mikael Pettersson <mikpe@it.uu.se>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
vm audit: add VM_DONTEXPAND to mmap for drivers that need it (CVE-2008-0007)
Nick Piggin [Sat, 2 Feb 2008 02:08:53 +0000 (03:08 +0100)]
vm audit: add VM_DONTEXPAND to mmap for drivers that need it (CVE-2008-0007)

Drivers that register a ->fault handler, but do not range-check the
offset argument, must set VM_DONTEXPAND in the vm_flags in order to
prevent an expanding mremap from overflowing the resource.

I've audited the tree and attempted to fix these problems (usually by
adding VM_DONTEXPAND where it is not obvious).

Signed-off-by: Nick Piggin <npiggin@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
knfsd: Allow NFSv2/3 WRITE calls to succeed when krb5i etc is used.
NeilBrown [Fri, 11 Jan 2008 22:06:52 +0000 (17:06 -0500)]
knfsd: Allow NFSv2/3 WRITE calls to succeed when krb5i etc is used.

patch ba67a39efde8312e386c6f603054f8945433d91f in mainline.

When RPCSEC/GSS and krb5i is used, requests are padded, typically to a multiple
of 8 bytes.  This can make the request look slightly longer than it
really is.

As of

f34b95689d2ce001c "The NFSv2/NFSv3 server does not handle zero
length WRITE request correctly",

the xdr decode routines for NFSv2 and NFSv3 reject requests that aren't
the right length, so krb5i (for example) WRITE requests can get lost.

This patch relaxes the appropriate test and enhances the related comment.

Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Cc: Peter Staubach <staubach@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
md: fix data corruption when a degraded raid5 array is reshaped
Dan Williams [Tue, 8 Jan 2008 23:32:53 +0000 (15:32 -0800)]
md: fix data corruption when a degraded raid5 array is reshaped

patch 0f94e87cdeaaac9f0f9a28a5dd2a5070b87cd3e8 in mainline.

We currently do not wait for the block from the missing device to be
computed from parity before copying data to the new stripe layout.

The change in the raid6 code is not technically needed as we don't delay
data block recovery in the same way for raid6 yet.  But making the change
now is safer long-term.

This bug exists in 2.6.23 and 2.6.24-rc

Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Acked-by: Neil Brown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
security: protect from stack expantion into low vm addresses
Eric Paris [Mon, 26 Nov 2007 23:47:26 +0000 (18:47 -0500)]
security: protect from stack expantion into low vm addresses

patch 8869477a49c3e99def1fcdadd6bbc407fea14b45 in mainline.

Add security checks to make sure we are not attempting to expand the
stack into memory protected by mmap_min_addr

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
VM/Security: add security hook to do_brk (CVE-2007-6434)
Eric Paris [Wed, 19 Dec 2007 12:59:32 +0000 (13:59 +0100)]
VM/Security: add security hook to do_brk (CVE-2007-6434)

patch ecaf18c15aac8bb9bed7b7aa0e382fe252e275d5 in mainline.

VM/Security: add security hook to do_brk

Given a specifically crafted binary do_brk() can be used to get low pages
available in userspace virtual memory and can thus be used to circumvent
the mmap_min_addr low memory protection.  Add security checks in do_brk().

Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Alan Cox <alan@redhat.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>
Cc: Chris Wright <chrisw@sous-sol.org>
Cc: maximilian attems <max@stro.at>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
m68k: Export cachectl.h
Matthew Wilcox [Mon, 17 Dec 2007 23:44:43 +0000 (00:44 +0100)]
m68k: Export cachectl.h

patch e92042e5c009d84ba741ec4a978a13f260e6ee24 in mainline.

m68k: Export cachectl.h

libffi in GCC 4.2 needs cachectl.h to do its cache flushing.  But we
don't currently export it.  I believe this patch should do the trick.

Signed-off-by: Matthew Wilcox <matthew@wil.cx>
Cc: maximilian attems <max@stro.at>
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
CIFS: Respect umask when using POSIX mkdir
Steve French [Mon, 17 Dec 2007 22:08:58 +0000 (23:08 +0100)]
CIFS: Respect umask when using POSIX mkdir

patch a8cd925f74c3b1b6d1192f9e75f9d12cc2ab148a in mainline.

[CIFS] Respect umask when using POSIX mkdir

When making a directory with POSIX mkdir calls, cifs_mkdir does not
respect the umask.  This patch causes the new POSIX mkdir to create with
the right mode

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Cc: maximilian attems <max@stro.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
Input: fix open count handling in input interfaces
Oliver Neukum [Fri, 12 Oct 2007 18:18:40 +0000 (14:18 -0400)]
Input: fix open count handling in input interfaces

patch 064450140f1eab959bd0eca0245f449993216074 in mainline.

If input_open_device() fails we should not leave interfaces marked
as opened.

Signed-off-by: Oliver Neukum <oneukum@suse.de>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
Input: tsdev - implement proper locking
Dmitry Torokhov [Thu, 30 Aug 2007 04:22:39 +0000 (00:22 -0400)]
Input: tsdev - implement proper locking

patch b9d2d110b10f7b4788d0fdd328cf57e34b767817 in mainline.

Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
Input: joydev - implement proper locking
Dmitry Torokhov [Thu, 30 Aug 2007 04:22:32 +0000 (00:22 -0400)]
Input: joydev - implement proper locking

patch b126207ccdfe492fbc339c18d4898b1b5353fc6b in mainline.

Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
Input: mousedev - implement proper locking
Dmitry Torokhov [Thu, 30 Aug 2007 04:22:24 +0000 (00:22 -0400)]
Input: mousedev - implement proper locking

patch 464b241575f3700e14492e34f26bcd1794280f55 in mainline.

Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
Input: evdev - implement proper locking
Dmitry Torokhov [Thu, 30 Aug 2007 04:22:18 +0000 (00:22 -0400)]
Input: evdev - implement proper locking

patch 6addb1d6de1968b84852f54561cc9a999909b5a9 in mainline.

Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
Input: implement proper locking in input core
Dmitry Torokhov [Thu, 30 Aug 2007 04:22:11 +0000 (00:22 -0400)]
Input: implement proper locking in input core

patch 8006479c9b75fb6594a7b746af3d7f1fbb68f18f in mainline.

Also add some kerneldoc documentation to input.h

Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
cxgb: fix stats
Divy Le Ray [Tue, 18 Dec 2007 23:13:55 +0000 (15:13 -0800)]
cxgb: fix stats

patch e0348b9ae5374f9a24424ae680bcd80724415f60 in mainline.

Fix MAC stats accounting.
Fix get_stats.

Signed-off-by: Divy Le Ray <divy@chelsio.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
cxgb: fix T2 GSO
Divy Le Ray [Tue, 18 Dec 2007 23:12:44 +0000 (15:12 -0800)]
cxgb: fix T2 GSO

patch 7832ee034b6ef78aab020c9ec1348544cd65ccbd in mainline.

The patch ensures that a GSO skb has enough headroom
to push an encapsulating cpl_tx_pkt_lso header.

Signed-off-by: Divy Le Ray <divy@chelsio.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
chelsio: Fix skb->dev setting
Divy Le Ray [Tue, 18 Dec 2007 23:11:52 +0000 (15:11 -0800)]
chelsio: Fix skb->dev setting

patch 7de6af0f23b25df8da9719ecae1916b669d0b03d in mainline.

eth_type_trans() now sets skb->dev.
Access skb->dev after it gets set.

Signed-off-by: Divy Le Ray <divy@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
quicklists: Only consider memory that can be used with GFP_KERNEL
Christoph Lameter [Tue, 15 Jan 2008 18:51:19 +0000 (00:21 +0530)]
quicklists: Only consider memory that can be used with GFP_KERNEL

patch 96990a4ae979df9e235d01097d6175759331e88c in mainline.

Quicklists calculates the size of the quicklists based on the number of
free pages.  This must be the number of free pages that can be allocated
with GFP_KERNEL.  node_page_state() includes the pages in ZONE_HIGHMEM and
ZONE_MOVABLE which may lead the quicklists to become too large causing OOM.

Signed-off-by: Christoph Lameter <clameter@sgi.com>
Tested-by: Dhaval Giani <dhaval@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
quicklists: do not release off node pages early
Christoph Lameter [Sat, 22 Dec 2007 22:03:23 +0000 (14:03 -0800)]
quicklists: do not release off node pages early

patch ed367fc3a7349b17354c7acef551533337764859 in mainline.

quicklists must keep even off node pages on the quicklists until the TLB
flush has been completed.

Signed-off-by: Christoph Lameter <clameter@sgi.com>
Cc: Dhaval Giani <dhaval@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
vfs: coredumping fix (CVE-2007-6206)
Ingo Molnar [Mon, 17 Dec 2007 20:17:56 +0000 (21:17 +0100)]
vfs: coredumping fix (CVE-2007-6206)

vfs: coredumping fix

patch c46f739dd39db3b07ab5deb4e3ec81e1c04a91af in mainline

fix: http://bugzilla.kernel.org/show_bug.cgi?id=3043

only allow coredumping to the same uid that the coredumping
task runs under.

Signed-off-by: Ingo Molnar <mingo@elte.hu>
Acked-by: Alan Cox <alan@redhat.com>
Acked-by: Christoph Hellwig <hch@lst.de>
Acked-by: Al Viro <viro@ftp.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: maximilian attems <max@stro.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
Freezer: Fix APM emulation breakage
Rafael J. Wysocki [Mon, 17 Dec 2007 00:03:46 +0000 (01:03 +0100)]
Freezer: Fix APM emulation breakage

The APM emulation is currently broken as a result of commit
831441862956fffa17b9801db37e6ea1650b0f69
"Freezer: make kernel threads nonfreezable by default"
that removed the PF_NOFREEZE annotations from apm_ioctl() without
adding the appropriate freezer hooks.  Fix it and remove the
unnecessary variable flags from apm_ioctl().

This problem has been fixed in the mainline by
commit cb43c54ca05c01533c45e4d3abfe8f99b7acf624
"Freezer: Fix APM emulation breakage".

Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
clockevents: fix reprogramming decision in oneshot broadcast
Thomas Gleixner [Thu, 13 Dec 2007 08:57:17 +0000 (09:57 +0100)]
clockevents: fix reprogramming decision in oneshot broadcast

patch cdc6f27d9e3c2f7ca1a3e19c6eabb1ad6a2add5d in mainline.

A previous version of the code did the reprogramming of the broadcast
device in the return from idle code. This was removed, but the logic in
tick_handle_oneshot_broadcast() was kept the same.

When a broadcast interrupt happens we signal the expiry to all CPUs
which have an expired event. If none of the CPUs has an expired event,
which can happen in dyntick mode, then we reprogram the broadcast
device. We do not reprogram otherwise, but this is only correct if all
CPUs, which are in the idle broadcast state have been woken up.

The code ignores, that there might be pending not yet expired events on
other CPUs, which are in the idle broadcast state. So the delivery of
those events can be delayed for quite a time.

Change the tick_handle_oneshot_broadcast() function to check for CPUs,
which are in broadcast state and are not woken up by the current event,
and enforce the rearming of the broadcast device for those CPUs.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
16 years ago
USB: update sierra.c with latest device ids that are in 2.6.24-rc7
Greg Kroah-Hartman [Tue, 15 Jan 2008 19:17:56 +0000 (20:17 +0100)]
USB: update sierra.c with latest device ids that are in 2.6.24-rc7

Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
CRYPTO: padlock: Fix spurious ECB page fault
Herbert Xu [Fri, 11 Jan 2008 05:02:52 +0000 (16:02 +1100)]
CRYPTO: padlock: Fix spurious ECB page fault

[CRYPTO] padlock: Fix spurious ECB page fault

[ Upstream commit: d4a7dd8e637b322faaa934ffcd6dd07711af831f ]
[ Upstream commit: 490fe3f05be3f7c87d7932bcb6e6e53e3db2cd9c ]

The xcryptecb instruction always processes an even number of blocks so
we need to ensure the existence of an extra block if we have to process
an odd number of blocks.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
PM: ACPI and APM must not be enabled at the same time
Len Brown [Mon, 14 Jan 2008 07:39:18 +0000 (02:39 -0500)]
PM: ACPI and APM must not be enabled at the same time

patch 9f9adecd2d0e4f88fa0e8cb06c6ec207748df70a in mainline.

ACPI and APM used "pm_active" to guarantee that
they would not be simultaneously active.

But pm_active was recently moved under CONFIG_PM_LEGACY,
so that without CONFIG_PM_LEGACY, pm_active became a NOP --
allowing ACPI and APM to both be simultaneously enabled.
This caused unpredictable results, including boot hangs.

Further, the code under CONFIG_PM_LEGACY is scheduled
for removal.

So replace pm_active with pm_flags.
pm_flags depends only on CONFIG_PM,
which is present for both CONFIG_APM and CONFIG_ACPI.

http://bugzilla.kernel.org/show_bug.cgi?id=9194

Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
ACPI: apply quirk_ich6_lpc_acpi to more ICH8 and ICH9
Zhao Yakui [Mon, 14 Jan 2008 07:27:45 +0000 (02:27 -0500)]
ACPI: apply quirk_ich6_lpc_acpi to more ICH8 and ICH9

patch d1ec7298fcefd7e4d1ca612da402ce9e5d5e2c13 in mainline.

It is important that these resources be reserved
to avoid conflicts with well known ACPI registers.

Signed-off-by: Zhao Yakui <yakui.zhao@intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
ACPICA: fix acpi_serialize hang regression
Bob Moore [Mon, 14 Jan 2008 07:23:24 +0000 (02:23 -0500)]
ACPICA: fix acpi_serialize hang regression

patch 014d433f35d7f34b55dcc7b57c7635aaefc3757f in mainline.

http://bugzilla.kernel.org/show_bug.cgi?id=8171

Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
ACPI: Not register gsi for PCI IDE controller in legacy mode
Alan Cox [Mon, 14 Jan 2008 07:22:11 +0000 (02:22 -0500)]
ACPI: Not register gsi for PCI IDE controller in legacy mode

patch 96c2a8766bf4fe91abac863749c11637fabcc64f in mainline.

When PCI IDE controller works in legacy mode and no PRT entry is found
in ACPI PRT table, OSPM will neither read the irq number from the IDE
PCI configuration space nor call the function of acpi_register_gsi to
register gsi.

http://bugzilla.kernel.org/show_bug.cgi?id=5637

Signed-off-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Zhao Yakui <yakui.zhao@intel.com>
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
ACPICA: fix acpi-cpufreq boot crash due to _PSD return-by-reference
Bob Moore [Thu, 6 Dec 2007 04:42:10 +0000 (23:42 -0500)]
ACPICA: fix acpi-cpufreq boot crash due to _PSD return-by-reference

patch 152c300d007c70c4a1847dad39ecdaba22e7d457 in mainline.

Changed resolution of named references in packages

Fixed a problem with the Package operator where all named
references were created as object references and left otherwise
unresolved. According to the ACPI specification, a Package can
only contain Data Objects or references to control methods. The
implication is that named references to Data Objects (Integer,
Buffer, String, Package, BufferField, Field) should be resolved
immediately upon package creation. This is the approach taken
with this change. References to all other named objects (Methods,
Devices, Scopes, etc.) are all now properly created as reference objects.

http://bugzilla.kernel.org/show_bug.cgi?id=5328
http://bugzilla.kernel.org/show_bug.cgi?id=9429

Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
SPARC64: Implement pci_resource_to_user()
David Miller [Fri, 11 Jan 2008 09:28:43 +0000 (01:28 -0800)]
SPARC64: Implement pci_resource_to_user()

[SPARC64]: Implement pci_resource_to_user()

[ Upstream commit: bcea1db16ba1c45ccebb3bfb8441642d1342c4d5 ]

This makes libpciaccess able to mmap() resources of the
device properly.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
SPARC64: Fix OOPS in dma_sync_*_for_device()
David Miller [Fri, 11 Jan 2008 09:27:23 +0000 (01:27 -0800)]
SPARC64: Fix OOPS in dma_sync_*_for_device()

[SPARC64]: Fix OOPS in dma_sync_*_for_device()

[ Upstream commit: 36bb61346d9e64b55285f27363e93a6e96f2abba ]

I included these operations vector cases for situations
where we never need to do anything, the entries aren't
filled in by any implementation, so we OOPS trying to
invoke NULL pointer functions.

Really make them NOPs, to fix the bug.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
CASSINI: Set skb->truesize properly on receive packets.
David Miller [Fri, 11 Jan 2008 09:38:38 +0000 (01:38 -0800)]
CASSINI: Set skb->truesize properly on receive packets.

[ Upstream commit: d011a231675b240157a3c335dd53e9b849d7d30d ]

skb->truesize was not being incremented at all to
reflect the page based data added to RX SKBs.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
CASSINI: Revert 'dont touch page_count'.
David Miller [Fri, 11 Jan 2008 09:38:38 +0000 (01:38 -0800)]
CASSINI: Revert 'dont touch page_count'.

[ Upstream commit: 9de4dfb4c7176e5bb232a21cdd8df78da2b15cac ]

This reverts changeset fa4f0774d7c6cccb4d1fda76b91dd8eddcb2dd6a
([CASSINI]: dont touch page_count) because it breaks the driver.

The local page counting added by this changeset did not account
for the asynchronous page count changes done by kfree_skb()
and friends.

The change adds extra atomics and on top of it all appears to be
totally unnecessary as well.

Signed-off-by: David S. Miller <davem@davemloft.net>
Acked-by: Nick Piggin <npiggin@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
CASSINI: Fix endianness bug.
Al Viro [Fri, 11 Jan 2008 09:38:38 +0000 (01:38 -0800)]
CASSINI: Fix endianness bug.

[ Upstream commit: e5e025401f6e926c1d9dc3f3f2813cf98a2d8708 ]

Here's proposed fix for RX checksum handling in cassini; it affects
little-endian working with half-duplex gigabit, but obviously needs
testing on big-endian too.

The problem is, we need to convert checksum to fixed-endian *before*
correcting for (unstripped) FCS.  On big-endian it won't matter
(conversion is no-op), on little-endian it will, but only if FCS is
not stripped by hardware; i.e. in half-duplex gigabit mode when
->crc_size is set.

cassini.c part is that fix, cassini.h one consists of trivial
endianness annotations.  With that applied the sucker is endian-clean,
according to sparse.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
IPV4: ip_gre: set mac_header correctly in receive path
Timo Teras [Fri, 11 Jan 2008 09:30:35 +0000 (01:30 -0800)]
IPV4: ip_gre: set mac_header correctly in receive path

[IPV4] ip_gre: set mac_header correctly in receive path

[ Upstream commit: 1d0691674764098304ae4c63c715f5883b4d3784 ]

mac_header update in ipgre_recv() was incorrectly changed to
skb_reset_mac_header() when it was introduced.

Signed-off-by: Timo Teras <timo.teras@iki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
NET: Correct two mistaken skb_reset_mac_header() conversions.
David Miller [Fri, 11 Jan 2008 09:31:39 +0000 (01:31 -0800)]
NET: Correct two mistaken skb_reset_mac_header() conversions.

[NET]: Correct two mistaken skb_reset_mac_header() conversions.

[ Upstream commit: c6e6ca712b5cc06a662f900c0484d49d7334af64 ]

This operation helper abstracts:

skb->mac_header = skb->data;

but it was done in two more places which were actually:

skb->mac_header = skb->network_header;

and those are corrected here.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
IPSEC: Avoid undefined shift operation when testing algorithm ID
Herbert Xu [Fri, 11 Jan 2008 09:32:51 +0000 (01:32 -0800)]
IPSEC: Avoid undefined shift operation when testing algorithm ID

[IPSEC]: Avoid undefined shift operation when testing algorithm ID

[ Upstream commit: f398035f2dec0a6150833b0bc105057953594edb ]

The aalgos/ealgos fields are only 32 bits wide.  However, af_key tries
to test them with the expression 1 << id where id can be as large as
253.  This produces different behaviour on different architectures.

The following patch explicitly checks whether ID is greater than 31
and fails the check if that's the case.

We cannot easily extend the mask to be longer than 32 bits due to
exposure to user-space.  Besides, this whole interface is obsolete
anyway in favour of the xfrm_user interface which doesn't use this
bit mask in templates (well not within the kernel anyway).

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
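
The guard described in the commit message above, as an added example (not code from the patch or from af_key). The function names, the mask value and the two emulations of how hardware evaluates the unguarded `1 << id` are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the 32-bit aalgos/ealgos bit mask. */
typedef uint32_t algo_mask_t;

/* Unguarded test as evaluated by a CPU that keeps only the low 5 bits of
 * the shift count (x86 behaviour for 32-bit shifts). The "& 31" is written
 * out so that this program itself has defined behaviour. */
int allowed_count_wraps(algo_mask_t mask, unsigned id)
{
    return (mask & (UINT32_C(1) << (id & 31))) != 0;
}

/* Unguarded test as evaluated by a CPU that shifts every bit out for
 * counts of 32 or more (32-bit ARM register-specified shifts). */
int allowed_count_saturates(algo_mask_t mask, unsigned id)
{
    uint32_t bit = (id >= 32) ? 0 : (UINT32_C(1) << id);
    return (mask & bit) != 0;
}

/* Guarded test: an ID that does not fit in the mask fails the check,
 * so the result no longer depends on the architecture. */
int allowed_checked(algo_mask_t mask, unsigned id)
{
    if (id >= sizeof(mask) * 8)
        return 0;
    return (int)((mask >> id) & 1);
}

/* Constructed mask: algorithm IDs 1 and 29 are permitted. */
static const algo_mask_t SAMPLE_MASK = (UINT32_C(1) << 1) | (UINT32_C(1) << 29);

int main(void)
{
    /* 33 aliases ID 1 and 253 aliases ID 29 when the count wraps mod 32. */
    const unsigned ids[] = { 1, 2, 29, 33, 253 };

    printf("%5s %6s %10s %8s\n", "id", "wraps", "saturates", "checked");
    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
        printf("%5u %6d %10d %8d\n", ids[i],
               allowed_count_wraps(SAMPLE_MASK, ids[i]),
               allowed_count_saturates(SAMPLE_MASK, ids[i]),
               allowed_checked(SAMPLE_MASK, ids[i]));
    }
    return 0;
}
```
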
16 years ago
ATM: [nicstar] delay irq setup until card is configured
Chas Williams [Fri, 11 Jan 2008 09:35:51 +0000 (01:35 -0800)]
ATM: [nicstar] delay irq setup until card is configured

[ATM]: [nicstar] delay irq setup until card is configured

[ Upstream commit: 52961955aa180959158faeb9fd6b4f8a591450f5 ]

Signed-off-by: Chas Williams <chas@cmf.nrl.navy.mil>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
IPV4 ROUTE: ip_rt_dump() is unecessary slow
Eric Dumazet [Fri, 11 Jan 2008 09:42:12 +0000 (01:42 -0800)]
IPV4 ROUTE: ip_rt_dump() is unecessary slow

[IPV4] ROUTE: ip_rt_dump() is unecessary slow

[ Upstream commit: d8c9283089287341c85a0a69de32c2287a990e71 ]

I noticed "ip route list cache x.y.z.t" can be *very* slow.

While strace-ing -T it I also noticed that first part of route cache
is fetched quite fast :

recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3772 <0.000047>
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3736 <0.000042>
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3740 <0.000055>
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3712 <0.000043>
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3732 <0.000053>
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3708 <0.000052>
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3680 <0.000041>

while the part at the end of the table is more expensive:

recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3656 <0.003857>
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\204\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3772 <0.003891>
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3712 <0.003765>
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3700 <0.003879>
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3676 <0.003797>
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"p\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\2\0\2\0"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3724 <0.003856>
recvmsg(3, {msg_name(12)={sa_family=AF_NETLINK, pid=0, groups=00000000}, msg_iov(1)=[{"\234\0\0\0\30\0\2\0\254i\202GXm\0\0\2  \0\376\0\0\1\0\2"..., 16384}], msg_controllen=0, msg_flags=0}, 0) = 3736 <0.003848>

The following patch corrects this performance/latency problem,
removing quadratic behavior.

Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
ATM: Check IP header validity in mpc_send_packet
Herbert Xu [Fri, 11 Jan 2008 09:10:42 +0000 (01:10 -0800)]
ATM: Check IP header validity in mpc_send_packet

[ATM]: Check IP header validity in mpc_send_packet

[ Upstream commit: 1c9b7aa1eb40ab708ef3242f74b9a61487623168 ]

Al went through the ip_fast_csum callers and found this piece of code
that did not validate the IP header.  While root crashing the machine
by sending bogus packets through raw or AF_PACKET sockets isn't that
serious, it is still nice to react gracefully.

This patch ensures that the skb has enough data for an IP header and
that the header length field is valid.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
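
The two checks named in the commit message above (enough data for an IP header, and a valid header length field) placed in front of a header checksum, as an added userspace example that is not code from the patch or from mpc_send_packet. The function names and the sample packets are constructed; the checksum routine is a plain one's-complement sum standing in for ip_fast_csum.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IPV4_MIN_HLEN 20u   /* IHL of 5 32-bit words */

/* One's-complement checksum over hlen bytes. Like ip_fast_csum it trusts
 * the caller: it reads exactly hlen bytes and does no bounds checking. */
uint16_t header_csum(const uint8_t *hdr, size_t hlen)
{
    uint32_t sum = 0;

    for (size_t i = 0; i + 1 < hlen; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Returns 1 if the header is well formed and its checksum verifies,
 * 0 if it is well formed but the checksum is wrong,
 * -1 if it is rejected before any header byte beyond buf[0] is trusted. */
int verify_ipv4_header(const uint8_t *buf, size_t len)
{
    size_t hlen;

    if (len < IPV4_MIN_HLEN)            /* not enough data for a header */
        return -1;
    hlen = (size_t)(buf[0] & 0x0f) * 4; /* IHL is in 32-bit words */
    if (hlen < IPV4_MIN_HLEN)           /* IHL below 5 is never valid */
        return -1;
    if (hlen > len)                     /* IHL claims more than we hold */
        return -1;
    /* A header summed together with its own checksum field yields 0. */
    return header_csum(buf, hlen) == 0;
}

/* Constructed sample: 20-byte IPv4/UDP header with a correct checksum. */
const uint8_t good_pkt[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
    0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };
/* Same header with IHL = 4 (below the minimum). */
const uint8_t short_ihl_pkt[20] = {
    0x44, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
    0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };
/* Same header with IHL = 15: claims 60 bytes, only 20 are present. */
const uint8_t long_ihl_pkt[20] = {
    0x4f, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x40, 0x11,
    0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };
/* Valid structure, TTL altered so the checksum no longer matches. */
const uint8_t bad_csum_pkt[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00, 0x3f, 0x11,
    0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01, 0xc0, 0xa8, 0x00, 0xc7 };

int main(void)
{
    printf("good packet:      %d\n", verify_ipv4_header(good_pkt, 20));
    printf("truncated (19):   %d\n", verify_ipv4_header(good_pkt, 19));
    printf("IHL = 4:          %d\n", verify_ipv4_header(short_ihl_pkt, 20));
    printf("IHL = 15, len 20: %d\n", verify_ipv4_header(long_ihl_pkt, 20));
    printf("bad checksum:     %d\n", verify_ipv4_header(bad_csum_pkt, 20));
    return 0;
}
```
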
16 years ago
CONNECTOR: Don't touch queue dev after decrement of ref count.
Li Zefan [Fri, 11 Jan 2008 09:11:48 +0000 (01:11 -0800)]
CONNECTOR: Don't touch queue dev after decrement of ref count.

[CONNECTOR]: Don't touch queue dev after decrement of ref count.

[ Upstream commit: cf585ae8ae9ac7287a6d078425ea32f22bf7f1f7 ]

cn_queue_free_callback() will touch 'dev'(i.e. cbq->pdev), so it
should be called before atomic_dec(&dev->refcnt).

Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
INET: Fix netdev renaming and inet address labels
Mark McLoughlin [Fri, 11 Jan 2008 09:13:17 +0000 (01:13 -0800)]
INET: Fix netdev renaming and inet address labels

[INET]: Fix netdev renaming and inet address labels

[ Upstream commit: 44344b2a85f03326c7047a8c861b0c625c674839 ]

When re-naming an interface, the previous secondary address
labels get lost e.g.

  $> brctl addbr foo
  $> ip addr add 192.168.0.1 dev foo
  $> ip addr add 192.168.0.2 dev foo label foo:00
  $> ip addr show dev foo | grep inet
    inet 192.168.0.1/32 scope global foo
    inet 192.168.0.2/32 scope global foo:00
  $> ip link set foo name bar
  $> ip addr show dev bar | grep inet
    inet 192.168.0.1/32 scope global bar
    inet 192.168.0.2/32 scope global bar:2

Turns out to be a simple thinko in inetdev_changename() - clearly we
want to look at the address label, rather than the device name, for
a suffix to retain.

Signed-off-by: Mark McLoughlin <markmc@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago
IRDA: irda_create() nuke user triggable printk
maximilian attems [Fri, 11 Jan 2008 09:14:17 +0000 (01:14 -0800)]
IRDA: irda_create() nuke user triggable printk

[IRDA]: irda_create() nuke user triggable printk

[ Upstream commit: 9e8d6f8959c356d8294d45f11231331c3e1bcae6 ]

easy to trigger as user with sfuzz.

irda_create() is quiet on unknown sock->type,
match this behaviour for SOCK_DGRAM unknown protocol

Signed-off-by: maximilian attems <max@stro.at>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago NET: kaweth was forgotten in msec switchover of usb_start_wait_urb
Russ Dill [Fri, 11 Jan 2008 09:16:28 +0000 (01:16 -0800)]
NET: kaweth was forgotten in msec switchover of usb_start_wait_urb

[NET]: kaweth was forgotten in msec switchover of usb_start_wait_urb

[ Upstream commit: 2b2b2e35b71e5be8bc06cc0ff38df15dfedda19b ]

Back in 2.6.12-pre, usb_start_wait_urb was switched over to take
milliseconds instead of jiffies. kaweth.c was never updated to match.

Signed-off-by: Russ Dill <Russ.Dill@asu.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago NET: mcs7830 passes msecs instead of jiffies to usb_control_msg
Russ Dill [Fri, 11 Jan 2008 09:19:55 +0000 (01:19 -0800)]
NET: mcs7830 passes msecs instead of jiffies to usb_control_msg

[NET]: mcs7830 passes msecs instead of jiffies to usb_control_msg

[ Upstream commit 1d39da3dcaad4231f0fa75024b1d6d710a2ced74 ]

usb_control_msg was changed long ago (2.6.12-pre) to take milliseconds
instead of jiffies. Oddly, mcs7830 wasn't added until 2.6.19-rc3.

Signed-off-by: Russ Dill <Russ.Dill@asu.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago X25: Add missing x25_neigh_put
Julia Lawall [Fri, 11 Jan 2008 09:26:33 +0000 (01:26 -0800)]
X25: Add missing x25_neigh_put

[X25]: Add missing x25_neigh_put

[ Upstream commit: 76975f8a3186dae501584d0155ea410464f62815 ]

The function x25_get_neigh increments a reference count.  At the point of
the second goto out, the result of calling x25_get_neigh is only stored in
a local variable, and thus no one outside the function will be able to
decrease the reference count.  Thus, x25_neigh_put should be called before
the return in this case.

The problem was found using the following semantic match.
(http://www.emn.fr/x-info/coccinelle/)

// <smpl>

@@
type T,T1,T2;
identifier E;
statement S;
expression x1,x2,x3;
int ret;
@@

  T E;
  ...
* if ((E = x25_get_neigh(...)) == NULL)
  S
  ... when != x25_neigh_put(...,(T1)E,...)
      when != if (E != NULL) { ... x25_neigh_put(...,(T1)E,...); ...}
      when != x1 = (T1)E
      when != E = x3;
      when any
  if (...) {
    ... when != x25_neigh_put(...,(T2)E,...)
        when != if (E != NULL) { ... x25_neigh_put(...,(T2)E,...); ...}
        when != x2 = (T2)E
(
*   return;
|
*   return ret;
)
  }
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago POWERPC: Change fallocate to match unistd.h on powerpc
Patrick Mansfield [Sat, 3 Nov 2007 17:42:03 +0000 (04:42 +1100)]
POWERPC: Change fallocate to match unistd.h on powerpc

patch f2205fbb5a8933514fd343cc329df631802b4543 in mainline.

Fix the fallocate system call on powerpc to match its unistd.h.

This implies none of these system calls are currently working with the
unistd.h sys call values:
fallocate
signalfd
timerfd
eventfd
sync_file_range2

Signed-off-by: Patrick Mansfield <patmans@us.ibm.com>
Acked-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Paul Mackerras <paulus@samba.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago sky2: RX lockup fix
Stephen Hemminger [Wed, 26 Dec 2007 17:59:27 +0000 (09:59 -0800)]
sky2: RX lockup fix

Backport commit 798fdd07fcc131f396e521febb4a7d42559bf4b5

I'm using a Marvell 88E8062 on a custom PPC64 blade and ran into RX
lockups while validating the sky2 driver.  The receive MAC FIFO would
become stuck during testing with high traffic.  One port of the 88E8062
would lockup, while the other port remained functional.  Re-inserting
the sky2 module would not fix the problem - only a power cycle would.

I looked over Marvell's most recent sk98lin driver and it looks like
they had a "workaround" for the Yukon XL that the sky2 doesn't have yet.
The sk98lin driver disables the RX MAC FIFO flush feature for all
revisions of the Yukon XL.

According to skgeinit.c of the sk98lin driver, "Flushing must be enabled
(needed for ASF see dev. #4.29), but the flushing mask should be
disabled (see dev. #4.115)".  Nice. I implemented this same change in
the sky2 driver and verified that the RX lockup I was seeing was
resolved.

Signed-off-by: Peter Tyser <ptyser@xes-inc.com>
Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago sky2: disable rx checksum on Yukon XL
Stephen Hemminger [Wed, 26 Dec 2007 17:59:26 +0000 (09:59 -0800)]
sky2: disable rx checksum on Yukon XL

Backport of 8b31cfbcd1b54362ef06c85beb40e65a349169a2

The Marvell Yukon XL chipset appears to have a hardware glitch
where it will repeat the checksum of the last packet. Of course, this is
timing sensitive and only happens sometimes...

More info: http://bugzilla.kernel.org/show_bug.cgi?id=9381

As a workaround just disable hardware checksumming by default on
this chip version. The earlier workaround for PCIX, dual port
was also on Yukon XL so don't need to disable checksumming there.

Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago IPV4 raw: Strengthen check on validity of iph->ihl
Herbert Xu [Fri, 11 Jan 2008 09:09:46 +0000 (01:09 -0800)]
IPV4 raw: Strengthen check on validity of iph->ihl

[IPV4] raw: Strengthen check on validity of iph->ihl

[ Upstream commit: f844c74fe07321953e2dd227fe35280075f18f60 ]

We currently check that iph->ihl is bounded by the real length and that
the real length is greater than the minimum IP header length.  However,
we did not check the case where iph->ihl is less than the minimum IP
header length.

This breaks because some ip_fast_csum implementations assume that, which
is quite reasonable.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
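
The three bounds named in the commit message above, as an added example (not
code from the kernel or from this commit). The function names, the 20-byte
sample header and the simple RFC 1071 checksum are assumptions made for the
illustration; the checksum routine trusts the length it is given, which is
why the lower bound on ihl has to be enforced before it runs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_MIN_IHL 5u   /* 5 x 32-bit words = 20 bytes, header without options */

/* Header length in bytes if buf holds a usable IPv4 header, otherwise 0. */
size_t ipv4_checked_hlen(const uint8_t *buf, size_t len)
{
    size_t ihl;

    if (buf == NULL || len < IPV4_MIN_IHL * 4u)
        return 0;              /* real length is below the minimum header */
    ihl = buf[0] & 0x0fu;      /* low nibble of byte 0, counted in 32-bit words */
    if (ihl < IPV4_MIN_IHL)
        return 0;              /* lower bound: the case the commit adds */
    if (ihl * 4u > len)
        return 0;              /* header claims more bytes than are present */
    return ihl * 4u;
}

/*
 * One's-complement checksum over hlen bytes (RFC 1071). Like a fast
 * checksum routine, it does not re-check hlen; the caller must have
 * validated it first.
 */
uint16_t ipv4_header_sum(const uint8_t *hdr, size_t hlen)
{
    uint32_t sum = 0;
    size_t i;

    for (i = 0; i + 1 < hlen; i += 2)
        sum += ((uint32_t)hdr[i] << 8) | hdr[i + 1];
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)~sum;
}

/* 1: header accepted and checksum good, 0: bad checksum, -1: rejected early. */
int ipv4_header_verify(const uint8_t *buf, size_t len)
{
    size_t hlen = ipv4_checked_hlen(buf, len);

    if (hlen == 0)
        return -1;
    return ipv4_header_sum(buf, hlen) == 0;
}

/* Constructed sample: 192.168.0.1 -> 192.168.0.199, UDP, checksum 0xb861. */
static const uint8_t sample_hdr[20] = {
    0x45, 0x00, 0x00, 0x73, 0x00, 0x00, 0x40, 0x00,
    0x40, 0x11, 0xb8, 0x61, 0xc0, 0xa8, 0x00, 0x01,
    0xc0, 0xa8, 0x00, 0xc7
};

/* Verify a copy of the sample with byte 0 (version/ihl) replaced. */
int verify_sample_with_first_byte(uint8_t first, size_t len)
{
    uint8_t h[60] = {0};

    memcpy(h, sample_hdr, sizeof sample_hdr);
    h[0] = first;
    return ipv4_header_verify(h, len);
}

int main(void)
{
    printf("ihl=5 len=20: %d\n", verify_sample_with_first_byte(0x45, 20));
    printf("ihl=4 len=20: %d\n", verify_sample_with_first_byte(0x44, 20));
    printf("ihl=6 len=20: %d\n", verify_sample_with_first_byte(0x46, 20));
    printf("ihl=6 len=24: %d\n", verify_sample_with_first_byte(0x46, 24));
    return 0;
}
```
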
16 years ago tty: fix logic change introduced by wait_event_interruptible_timeout()
Cory T. Tusar [Sun, 23 Dec 2007 20:34:51 +0000 (12:34 -0800)]
tty: fix logic change introduced by wait_event_interruptible_timeout()

patch db99247ac68fc352100090ad7704fb5efb9327b6 in mainline.

Commit 5a52bd4a2dcb570333ce6fe2e16cd311650dbdc8 introduced a subtle logic
change in tty_wait_until_sent().  The original version would only error out
of the 'do { ...  } while (timeout)' loop if signal_pending() evaluated to
true; a timeout or break due to an empty buffer would fall out of the loop
and into the tty->driver->wait_until_sent handling.  The current
implementation will error out on either a pending signal or an empty
buffer, falling through to the tty->driver->wait_until_sent handling only
on a timeout.

The ->wait_until_sent() will not be reached if the buffer empties before
timeout jiffies have elapsed.  This behavior differs from that prior to commit
5a52bd4a2dcb570333ce6fe2e16cd311650dbdc8.

I turned this up while using a little serial download utility to bootstrap an
ARM-based eval board.  The util worked fine on 2.6.22.x, but consistently
failed on 2.6.23.x.  Once I'd determined that, I narrowed things down with git
bisect, and found the above difference in logic in tty_wait_until_sent() by
inspection.

This change reverts the logic flow in tty_wait_until_sent() to match that
prior to the aforementioned commit.

Signed-off-by: Cory T. Tusar <ctusar@videon-central.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Acked-by: Jiri Slaby <jirislaby@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago VLAN: Lost rtnl_unlock() in vlan_ioctl()
Pavel Emelyanov [Thu, 20 Dec 2007 00:30:48 +0000 (16:30 -0800)]
VLAN: Lost rtnl_unlock() in vlan_ioctl()

[VLAN]: Lost rtnl_unlock() in vlan_ioctl()

[ Upstream commit: e35de02615f97b785dc6f73cba421cea06bcbd10 ]

The SET_VLAN_NAME_TYPE_CMD command w/o CAP_NET_ADMIN capability
doesn't release the rtnl lock.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago IPSEC: Fix potential dst leak in xfrm_lookup
Herbert Xu [Thu, 20 Dec 2007 00:35:54 +0000 (16:35 -0800)]
IPSEC: Fix potential dst leak in xfrm_lookup

[IPSEC]: Fix potential dst leak in xfrm_lookup

[ Upstream commit: 75b8c133267053c9986a7c8db5131f0e7349e806 ]

If we get an error during the actual policy lookup we don't free the
original dst while the caller expects us to always free the original
dst in case of error.

This patch fixes that.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago SPARC64: Fix two kernel linear mapping setup bugs.
David Miller [Thu, 20 Dec 2007 00:28:57 +0000 (16:28 -0800)]
SPARC64: Fix two kernel linear mapping setup bugs.

[SPARC64]: Fix two kernel linear mapping setup bugs.

[ Upstream commit: 8f361453d8e9a67c85b2cf9b93c642c2d8fe0462 ]

This was caught and identified by Greg Onufer.

Since we setup the 256M/4M bitmap table after taking over the trap
table, it's possible for some 4M mapping to get loaded in the TLB
beforehand which later will be 256M mappings.

This can cause illegal TLB multiple-match conditions.  Fix this by
setting up the bitmap before we take over the trap table.

Next, __flush_tlb_all() was not doing anything on hypervisor
platforms.  Fix by adding sun4v_mmu_demap_all() and calling it.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago SPARC64: Fix memory controller register access when non-SMP.
David Miller [Thu, 20 Dec 2007 00:27:11 +0000 (16:27 -0800)]
SPARC64: Fix memory controller register access when non-SMP.

[SPARC64]: Fix memory controller register access when non-SMP.

[ Upstream commit: b332b8bc9c67165eabdfc7d10b4a2e4cc9f937d0 ]

get_cpu() always returns zero on non-SMP builds, but we
really want the physical cpu number in this code in order
to do the right thing.

Based upon a non-SMP kernel boot failure report from Bernd Zeimetz.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago ACPI: thinkpad-acpi: fix lenovo keymap for brightness
Henrique de Moraes Holschuh [Fri, 14 Dec 2007 03:03:52 +0000 (22:03 -0500)]
ACPI: thinkpad-acpi: fix lenovo keymap for brightness

upstream  commit 56a185b43be05e48da7428e6a1d3e2585b232b1d

Starting in 2.6.23...

Several reports from X60 users complained that the default Lenovo keymap
issuing EV_KEY KEY_BRIGHTNESS_UP/DOWN input events caused major issues when
the proper brightness support through ACPI video.c was loaded.

Therefore, remove the generation of these events by default, which is the
right thing for T60, X60, R60, T61, X61 and R61 with their latest BIOSes.

Distros that want to misuse these events into OSD reporting (which requires
an ugly hack from hell in HAL) are welcome to set up the key map they need
through HAL.  That way, we don't break everyone else's systems.

Signed-off-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago ACPI: video_device_list corruption
William Lee Irwin III [Thu, 13 Dec 2007 21:29:16 +0000 (16:29 -0500)]
ACPI: video_device_list corruption

The ->cap fields of struct acpi_video_device and struct acpi_video_bus
are 1B each, not 4B. The oversized memset()'s corrupted the subsequent
list_head fields. This resulted in silent corruption without
CONFIG_DEBUG_LIST and BUG's with it. This patch uses sizeof() to pass
the proper bounds to the memset() calls and thereby correct the bugs.

upstream commit 98934def70b48dac74fac3738b78ab2d1a28edda

Signed-off-by: William Irwin <wli@holomorphy.com>
Acked-by: Mikael Pettersson <mikpe@it.uu.se>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago dm crypt: use bio_add_page
Milan Broz [Thu, 13 Dec 2007 14:44:18 +0000 (14:44 +0000)]
dm crypt: use bio_add_page

patch 91e106259214b40e992a58fb9417da46868e19b2 in mainline.

Fix possible max_phys_segments violation in cloned dm-crypt bio.

In write operation dm-crypt needs to allocate new bio request
and run crypto operation on this clone. Cloned request has always
the same size, but number of physical segments can be increased
and violate max_phys_segments restriction.

This can lead to data corruption and serious hardware malfunction.
This was observed when using XFS over dm-crypt and at least
two HBA controller drivers (arcmsr, cciss) recently.

Fix it by using bio_add_page() call (which tests for other
restrictions too) instead of constructing own biovec.

All versions of dm-crypt are affected by this bug.

Signed-off-by: Milan Broz <mbroz@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago dm crypt: fix write endio
Milan Broz [Thu, 13 Dec 2007 14:43:05 +0000 (14:43 +0000)]
dm crypt: fix write endio

patch adfe47702c4726b3e045f9f83178def02833be4c in mainline.

Fix BIO_UPTODATE test for write io.

Signed-off-by: Milan Broz <mbroz@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago dm: table detect io beyond device
Jun'ichi Nomura [Thu, 13 Dec 2007 14:42:08 +0000 (14:42 +0000)]
dm: table detect io beyond device

Patch 512875bd9661368da6f993205a61213b79ba1df0 in mainline.

This patch fixes a panic on shrinking a DM device if there is
outstanding I/O to the part of the device that is being removed.
(Normally this doesn't happen - a filesystem would be resized first,
for example.)

The bug is that __clone_and_map() assumes dm_table_find_target()
always returns a valid pointer.  It may fail if a bio arrives from the
block layer but its target sector is no longer included in the DM
btree.

This patch appends an empty entry to table->targets[] which will
be returned by a lookup beyond the end of the device.

After calling dm_table_find_target(), __clone_and_map() and target_message()
check for this condition using
dm_target_is_valid().

Sample test script to trigger oops:

#!/bin/bash

FILE=$(mktemp)
LODEV=$(losetup -f)
MAP=$(basename ${FILE})
SIZE=4M

dd if=/dev/zero of=${FILE} bs=${SIZE} count=1
losetup ${LODEV} ${FILE}

echo "0 $(blockdev --getsz ${LODEV}) linear ${LODEV} 0" |dmsetup create ${MAP}
dmsetup suspend ${MAP}
echo "0 1 linear ${LODEV} 0" |dmsetup load ${MAP}
dd if=/dev/zero of=/dev/mapper/${MAP} bs=${SIZE} count=1 &
echo "Wait til dd push some I/O"
sleep 5
dmsetup resume ${MAP}

Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago SPARC64: Fix sparc64 cpu cross call hangs.
David Miller [Wed, 19 Dec 2007 23:50:06 +0000 (15:50 -0800)]
SPARC64: Fix sparc64 cpu cross call hangs.

[SPARC64]: Fix endless loop in cheetah_xcall_deliver().

[ Upstream commit: 0de56d1ab83323d604d95ca193dcbd28388dbabb ]

We need to mask out the proper bits when testing the dispatch status
register else we can see unrelated NACK bits from previous cross call
sends.

Signed-off-by: David S. Miller <davem@davemloft.net>
16 years ago Linux 2.6.23.14 v2.6.23.14
Greg Kroah-Hartman [Mon, 14 Jan 2008 20:49:56 +0000 (12:49 -0800)]
Linux 2.6.23.14

16 years ago Use access mode instead of open flags to determine needed permissions (CVE-2008-0001)
Linus Torvalds [Sat, 12 Jan 2008 22:06:34 +0000 (14:06 -0800)]
Use access mode instead of open flags to determine needed permissions (CVE-2008-0001)

patch 974a9f0b47da74e28f68b9c8645c3786aa5ace1a in mainline

Way back when (in commit 834f2a4a1554dc5b2598038b3fe8703defcbe467, aka
"VFS: Allow the filesystem to return a full file pointer on open intent"
to be exact), Trond changed the open logic to keep track of the original
flags to a file open, in order to pass down the intent of a dentry
lookup to the low-level filesystem.

However, when doing that reorganization, it changed the meaning of
namei_flags, and thus inadvertently changed the test of access mode for
directories (and RO filesystem) to use the wrong flag.  So fix those
test back to use access mode ("acc_mode") rather than the open flag
("flag").

Issue noticed by Bill Roman at Datalight.

Reported-and-tested-by: Bill Roman <bill.roman@datalight.com>
Acked-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago Linux 2.6.23.13 v2.6.23.13
Greg Kroah-Hartman [Wed, 9 Jan 2008 17:18:17 +0000 (09:18 -0800)]
Linux 2.6.23.13

16 years ago hwmon: (w83627ehf) Be more careful when changing VID input level
Jean Delvare [Sun, 6 Jan 2008 13:18:44 +0000 (14:18 +0100)]
hwmon: (w83627ehf) Be more careful when changing VID input level

Already in Linus' tree:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=58e6e78119da2bdade9f6f588155f0320072b76b

Fix for:
http://bugzilla.kernel.org/show_bug.cgi?id=9634

The VID input level change has been reported to cause trouble. Be more
careful in this respect:
* Only change the level on the W83627EHF/EHG. The W83627DHG is more
  complex in this respect.
* Don't change the level if the VID pins are in output mode.
* Only set the level to TTL if VRM 9.x is used.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Mark M. Hoffman <mhoffman@lightlink.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago Linux 2.6.23.12 v2.6.23.12
Greg Kroah-Hartman [Tue, 18 Dec 2007 21:55:57 +0000 (13:55 -0800)]
Linux 2.6.23.12

16 years ago Revert "PNP: increase the maximum number of resources"
Greg Kroah-Hartman [Tue, 18 Dec 2007 21:48:22 +0000 (13:48 -0800)]
Revert "PNP: increase the maximum number of resources"

This reverts commit fc175adc1c935ea8679d76a78d7a58df34af16eb.

There have been reports that it causes problems:
http://bugzilla.kernel.org/show_bug.cgi?id=9514
people are still debating for 2.6.24 if it should be reverted or not,
but as it causes a known problem, we will revert this for now.

Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago Linux 2.6.23.11 v2.6.23.11
Greg Kroah-Hartman [Sat, 15 Dec 2007 03:50:05 +0000 (19:50 -0800)]
Linux 2.6.23.11

16 years ago BRIDGE: Section fix.
Andrew Morton [Thu, 6 Dec 2007 05:35:23 +0000 (21:35 -0800)]
BRIDGE: Section fix.

WARNING: vmlinux.o(.init.text+0x204e2): Section mismatch: reference to .exit.text:br_fdb_fini (between 'br_init' and 'br_fdb_init')

Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago Revert "Freezer: Fix APM emulation breakage"
Greg Kroah-Hartman [Sat, 15 Dec 2007 03:29:43 +0000 (19:29 -0800)]
Revert "Freezer: Fix APM emulation breakage"

This reverts commit a6eda373a0fe1c4d169d0ec081518d68323428ab.

It causes a build breakage.

Thanks to Chuck Ebbert <cebbert@redhat.com> for pointing it out.

Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago Linux 2.6.23.10 v2.6.23.10
Greg Kroah-Hartman [Fri, 14 Dec 2007 18:01:59 +0000 (10:01 -0800)]
Linux 2.6.23.10

16 years ago XFS: Make xfsbufd threads freezable
Rafael J. Wysocki [Fri, 7 Dec 2007 03:09:02 +0000 (14:09 +1100)]
XFS: Make xfsbufd threads freezable

patch 978c7b2ff49597ab76ff7529a933bd366941ac25 in mainline

Fix breakage caused by commit 831441862956fffa17b9801db37e6ea1650b0f69
that did not introduce the necessary call to set_freezable() in
xfs/linux-2.6/xfs_buf.c .

SGI-PV: 974224
SGI-Modid: xfs-linux-melb:xfs-kern:30203a

Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: David Chinner <dgc@sgi.com>
Signed-off-by: Lachlan McIlroy <lachlan@sgi.com>
Cc: Oliver Pintr <oliver.pntr@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago BRIDGE: Properly dereference the br_should_route_hook
Pavel Emelyanov [Thu, 13 Dec 2007 04:57:24 +0000 (12:57 +0800)]
BRIDGE: Properly dereference the br_should_route_hook

[BRIDGE]: Properly dereference the br_should_route_hook

[ Upstream commit: 82de382ce8e1c7645984616728dc7aaa057821e4 ]

This hook is protected with the RCU, so simple

  if (br_should_route_hook)
    br_should_route_hook(...)

is not enough on some architectures.

Use the rcu_dereference/rcu_assign_pointer in this case.

Fixed Stephen's comment concerning using the typeof().

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago NETFILTER: xt_TCPMSS: remove network triggerable WARN_ON
Patrick McHardy [Thu, 13 Dec 2007 04:42:34 +0000 (12:42 +0800)]
NETFILTER: xt_TCPMSS: remove network triggerable WARN_ON

[NETFILTER]: xt_TCPMSS: remove network triggerable WARN_ON

[ Upstream commit: 9dc0564e862b1b9a4677dec2c736b12169e03e99 ]

ipv6_skip_exthdr() returns -1 for invalid packets. don't WARN_ON
that.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago XFRM: Fix leak of expired xfrm_states
Patrick McHardy [Thu, 29 Nov 2007 12:07:57 +0000 (23:07 +1100)]
XFRM: Fix leak of expired xfrm_states

[XFRM]: Fix leak of expired xfrm_states

[ Upstream commit: 5dba4797115c8fa05c1a4d12927a6ae0b33ffc41 ]

The xfrm_timer calls __xfrm_state_delete, which drops the final reference
manually without triggering destruction of the state. Change it to use
xfrm_state_put to add the state to the gc list when we're dropping the
last reference. The timer function may still continue to use the state
safely since the final destruction does a del_timer_sync().

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago libata: kill spurious NCQ completion detection
Tejun Heo [Sat, 8 Dec 2007 00:25:31 +0000 (09:25 +0900)]
libata: kill spurious NCQ completion detection

patch 459ad68893a84fb0881e57919340b97edbbc3dc7 in mainline.

Spurious NCQ completion detection implemented in ahci was incorrect.
On AHCI receiving and processing FISes and raising interrupts are not
interlocked and spurious interrupts are expected.

For example, if an interrupt occurs while interrupt handler is running
and the running interrupt handler handles the event the new IRQ
indicated, after IRQ handler finishes, it will be executed again
because IRQ pending bit is set by the new interrupt but there won't be
anything to process.

Please read the following message for more information.

  http://article.gmane.org/gmane.linux.ide/26012

This patch...

* Removes all spurious IRQ whining from ahci.  Spurious NCQ completion
  detection was completely wrong.  Spurious D2H Register FIS taught us
  that some early drives send spurious D2H Register FIS with I bit set
  while NCQ commands are in progress but none of recent drives does
  that and even the ones which show such behavior can do NCQ fine.

* Kills all NCQ blacklist entries which were added because of spurious
  NCQ completions.  I tracked down each commit and verified all
  removed ones are actually added because of spurious completions.

  WD740ADFD-00NLR1 wasn't deleted but moved upward because the drive
  not only had spurious NCQ completions but also is slow on sequential
  data transfers if NCQ is enabled.

  Maxtor 7V300F0 was added by 0e3dbc01d53940fe10e5a5cfec15ede3e929c918
  from Alan Cox.  I can only find evidence that the drive only had
  troubles with spurious completions by searching the mailing list.
  This entry needs to be verified and removed if it doesn't have other
  NCQ related problems.

Signed-off-by: Tejun Heo <htejun@gmail.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago NETFILTER: fix forgotten module release in xt_CONNMARK and xt_CONNSECMARK
Jan Engelhardt [Tue, 11 Dec 2007 01:39:40 +0000 (09:39 +0800)]
NETFILTER: fix forgotten module release in xt_CONNMARK and xt_CONNSECMARK

[NETFILTER]: fix forgotten module release in xt_CONNMARK and xt_CONNSECMARK

[ Upstream commit: 67b4af297033f5f65999885542f95ba7b562848a ]

Fix forgotten module release in xt_CONNMARK and xt_CONNSECMARK

When xt_CONNMARK is used outside the mangle table and the user specified
"--restore-mark", the connmark_tg_check() function will (correctly)
error out, but (incorrectly) forgets to release the L3 conntrack module.
Same for xt_CONNSECMARK.

Fix is to move the call to acquire the L3 module after the basic
constraint checks.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago UNIX: EOF on non-blocking SOCK_SEQPACKET
Florian Zumbiehl [Tue, 11 Dec 2007 01:39:39 +0000 (09:39 +0800)]
UNIX: EOF on non-blocking SOCK_SEQPACKET

[UNIX]: EOF on non-blocking SOCK_SEQPACKET

[ Upstream commit: 0a11225887fe6cbccd882404dc36ddc50f47daf9 ]

I am not absolutely sure whether this actually is a bug (as in: I've got
no clue what the standards say or what other implementations do), but at
least I was pretty surprised when I noticed that a recv() on a
non-blocking unix domain socket of type SOCK_SEQPACKET (which is connection
oriented, after all) where the remote end has closed the connection
returned -1 (EAGAIN) rather than 0 to indicate end of file.

This is a test case:

| #include <sys/types.h>
| #include <unistd.h>
| #include <sys/socket.h>
| #include <sys/un.h>
| #include <fcntl.h>
| #include <string.h>
| #include <stdlib.h>
|
| int main(){
|  int sock;
|  struct sockaddr_un addr;
|  char buf[4096];
|  int pfds[2];
|
|  pipe(pfds);
|  sock=socket(PF_UNIX,SOCK_SEQPACKET,0);
|  addr.sun_family=AF_UNIX;
|  strcpy(addr.sun_path,"/tmp/foobar_testsock");
|  bind(sock,(struct sockaddr *)&addr,sizeof(addr));
|  listen(sock,1);
|  if(fork()){
|  close(sock);
|  sock=socket(PF_UNIX,SOCK_SEQPACKET,0);
|  connect(sock,(struct sockaddr *)&addr,sizeof(addr));
|  fcntl(sock,F_SETFL,fcntl(sock,F_GETFL)|O_NONBLOCK);
|  close(pfds[1]);
|  read(pfds[0],buf,sizeof(buf));
|  recv(sock,buf,sizeof(buf),0); // <-- this one
|  }else accept(sock,NULL,NULL);
|  exit(0);
| }

If you try it, make sure /tmp/foobar_testsock doesn't exist.

The marked recv() returns -1 (EAGAIN) on 2.6.23.9. Below you find a
patch that fixes that.

Signed-off-by: Florian Zumbiehl <florz@florz.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago TCP: illinois: Incorrect beta usage
Stephen Hemminger [Tue, 11 Dec 2007 01:39:37 +0000 (09:39 +0800)]
TCP: illinois: Incorrect beta usage

[TCP] illinois: Incorrect beta usage

[ Upstream commit: a357dde9df33f28611e6a3d4f88265e39bcc8880 ]

Lachlan Andrew observed that my TCP-Illinois implementation uses the
beta value incorrectly:
The parameter beta in the paper specifies the amount to decrease
*by*: that is, on loss,
  W <- W - beta*W
but tcp_illinois_ssthresh() uses beta as the amount
to decrease *to*: W <- beta*W

This bug makes the Linux TCP-Illinois get less-aggressive on uncongested network,
hurting performance. Note: since the base beta value is .5, it has no
impact on a congested network.

Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago IPV6: Restore IPv6 when MTU is big enough
Evgeniy Polyakov [Tue, 11 Dec 2007 01:39:34 +0000 (09:39 +0800)]
IPV6: Restore IPv6 when MTU is big enough

[IPV6]: Restore IPv6 when MTU is big enough

[ Upstream commit: d31c7b8fa303eb81311f27b80595b8d2cbeef950 ]

Avaid provided test application, so bug got fixed.

IPv6 addrconf removes ipv6 inner device from netdev each time mtu
changes and new value is less than IPV6_MIN_MTU (1280 bytes).
When mtu is changed and new value is greater than IPV6_MIN_MTU,
it does not add ipv6 addresses and inner device back.

This patch fixes that.

Tested with Avaid's application, which works ok now.

Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago DECNET: dn_nl_deladdr() almost always returns no error
Pavel Emelyanov [Tue, 11 Dec 2007 01:39:32 +0000 (09:39 +0800)]
DECNET: dn_nl_deladdr() almost always returns no error

[DECNET]: dn_nl_deladdr() almost always returns no error

[ Upstream commit: 3ccd86241b277249d5ac08e91eddfade47184520 ]

As far as I see from the err variable initialization
the dn_nl_deladdr() routine was designed to report errors
like "EADDRNOTAVAIL" and probably "ENODEV".

But the code sets this err to 0 after the first nlmsg_parse
and goes on, returning this 0 in any case.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Acked-by: Steven Whitehouse <swhiteho@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago VLAN: Fix nested VLAN transmit bug
Joonwoo Park [Tue, 11 Dec 2007 01:39:35 +0000 (09:39 +0800)]
VLAN: Fix nested VLAN transmit bug

[VLAN]: Fix nested VLAN transmit bug

[ Upstream commit: 6ab3b487db77fa98a24560f11a5a8e744b98d877 ]

Fix misbehavior of vlan_dev_hard_start_xmit() for recursive encapsulations.

Signed-off-by: Joonwoo Park <joonwpark81@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago TEXTSEARCH: Do not allow zero length patterns in the textsearch infrastructure
Pablo Neira Ayuso [Tue, 11 Dec 2007 01:39:38 +0000 (09:39 +0800)]
TEXTSEARCH: Do not allow zero length patterns in the textsearch infrastructure

[TEXTSEARCH]: Do not allow zero length patterns in the textsearch infrastructure

[ Upstream commit: e03ba84adb62fbc6049325a5bc00ef6932fa5e39 ]

If a zero length pattern is passed then return EINVAL.
Avoids infinite loops (bm) or invalid memory accesses (kmp).

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago RXRPC: Add missing select on CRYPTO
David Howells [Tue, 11 Dec 2007 01:39:36 +0000 (09:39 +0800)]
RXRPC: Add missing select on CRYPTO

[RXRPC]: Add missing select on CRYPTO

[ Upstream commit: d5a784b3719ae364f49ecff12a0248f6e4252720 ]

AF_RXRPC uses the crypto services, so should depend on or select CRYPTO.

Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago BRIDGE: Lost call to br_fdb_fini() in br_init() error path
Pavel Emelyanov [Tue, 11 Dec 2007 01:39:30 +0000 (09:39 +0800)]
BRIDGE: Lost call to br_fdb_fini() in br_init() error path

[BRIDGE]: Lost call to br_fdb_fini() in br_init() error path

[ Upstream commit: 17efdd45755c0eb8d1418a1368ef7c7ebbe98c6e ]

In case the br_netfilter_init() (or any subsequent call)
fails, the br_fdb_fini() must be called to free the
br_fdb_cache kmem cache allocated in br_fdb_init().

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago PFKEY: Sending an SADB_GET responds with an SADB_GET
Charles Hardin [Thu, 29 Nov 2007 12:07:57 +0000 (23:07 +1100)]
PFKEY: Sending an SADB_GET responds with an SADB_GET

[PFKEY]: Sending an SADB_GET responds with an SADB_GET

[ Upstream commit: 435000bebd94aae3a7a50078d142d11683d3b193 ]

Kernel needs to respond to an SADB_GET with the same message type to
conform to the RFC 2367 Section 3.1.5

Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago TCP: MTUprobe: fix potential sk_send_head corruption
Ilpo Järvinen [Thu, 29 Nov 2007 12:07:58 +0000 (23:07 +1100)]
TCP: MTUprobe: fix potential sk_send_head corruption

[TCP] MTUprobe: fix potential sk_send_head corruption

[ Upstream commit: 6e42141009ff18297fe19d19296738b742f861db ]

When the abstraction functions got added, conversion here was
made incorrectly. As a result, the skb may end up pointing
to skb which got included to the probe skb and then was freed.
For it to trigger, however, skb_transmit must fail sending as
well.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago TCP: Fix TCP header misalignment
Herbert Xu [Thu, 29 Nov 2007 12:07:58 +0000 (23:07 +1100)]
TCP: Fix TCP header misalignment

[TCP]: Fix TCP header misalignment

[ Upstream commit: 21df56c6e2372e09c916111efb6c14c372a5ab2e ]

Indeed my previous change to alloc_pskb has made it possible
for the TCP header to be misaligned iff the MTU is not a multiple
of 4 (and less than a page).  So I suspect the optimised IPsec
MTU calculation is giving you just such an MTU :)

This patch fixes it by changing alloc_pskb to make sure that
the size is at least 32-bit aligned.  This does not cause the
problem fixed by the previous patch because max_header is always
32-bit aligned which means that in the SG/NOTSO case this will
be a no-op.

I thought about putting this in the callers but all the current
callers are from TCP.  If and when we get a non-TCP caller we
can always create a TCP wrapper for this function and move the
alignment over there.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago CRYPTO api: Fix potential race in crypto_remove_spawn
Herbert Xu [Thu, 29 Nov 2007 12:07:57 +0000 (23:07 +1100)]
CRYPTO api: Fix potential race in crypto_remove_spawn

[CRYPTO] api: Fix potential race in crypto_remove_spawn

[ Upstream commit: 38cb2419f544ad413c7f7aa8c17fd7377610cdd8 ]

As it is crypto_remove_spawn may try to unregister an instance which is
yet to be registered.  This patch fixes this by checking whether the
instance has been registered before attempting to remove it.

It also removes a bogus cra_destroy check in crypto_register_instance as
1) it's outside the mutex;
2) we have a check in __crypto_register_alg already.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago TCP: Problem bug with sysctl_tcp_congestion_control function
Sam Jansen [Thu, 29 Nov 2007 12:07:57 +0000 (23:07 +1100)]
TCP: Problem bug with sysctl_tcp_congestion_control function

[TCP]: Problem bug with sysctl_tcp_congestion_control function

[ Upstream commit: 5487796f0c9475586277a0a7a91211ce5746fa6a ]

sysctl_tcp_congestion_control seems to have a bug that prevents it
from actually calling the tcp_set_default_congestion_control
function. This is not so apparent because it does not return an error
and generally the /proc interface is used to configure the default TCP
congestion control algorithm.  This is present in 2.6.18 onwards and
probably earlier, though I have not inspected 2.6.15--2.6.17.

sysctl_tcp_congestion_control calls sysctl_string and expects a successful
return code of 0. In such a case it actually sets the congestion control
algorithm with tcp_set_default_congestion_control. Otherwise, it returns the
value returned by sysctl_string. This was correct in 2.6.14, as sysctl_string
returned 0 on success. However, sysctl_string was updated to return 1 on
success around about 2.6.15 and sysctl_tcp_congestion_control was not updated.
Even though sysctl_tcp_congestion_control returns 1, do_sysctl_strategy
converts this return code to '0', so the caller never notices the error.

Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago ATM: [he] initialize lock and tasklet earlier
chas williams [Thu, 29 Nov 2007 12:07:57 +0000 (23:07 +1100)]
ATM: [he] initialize lock and tasklet earlier

[ATM]: [he] initialize lock and tasklet earlier

[ Upstream commit: 8a8037ac9dbe4eb20ce50aa20244faf77444f4a3 ]

if you are lucky (unlucky?) enough to have shared interrupts, the
interrupt handler can be called before the tasklet and lock are ready
for use.

Signed-off-by: chas williams <chas@cmf.nrl.navy.mil>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago IPV4: Remove bogus ifdef mess in arp_process
Adrian Bunk [Thu, 29 Nov 2007 12:07:57 +0000 (23:07 +1100)]
IPV4: Remove bogus ifdef mess in arp_process

[IPV4]: Remove bogus ifdef mess in arp_process

[ Upstream commit: 3660019e5f96fd9a8b7d4214a96523c0bf7b676d ]

The #ifdef's in arp_process() were not only a mess, they were also wrong
in the CONFIG_NET_ETHERNET=n and (CONFIG_NETDEV_1000=y or
CONFIG_NETDEV_10000=y) cases.

Since they are not required this patch removes them.

Also removed are some #ifdef's around #include's that caused compile
errors after this change.

Signed-off-by: Adrian Bunk <bunk@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago NET: Corrects a bug in ip_rt_acct_read()
Eric Dumazet [Thu, 29 Nov 2007 12:07:57 +0000 (23:07 +1100)]
NET: Corrects a bug in ip_rt_acct_read()

[NET]: Corrects a bug in ip_rt_acct_read()

[ Upstream commit: 483b23ffa3a5f44767038b0a676d757e0668437e ]

It seems that stats of cpu 0 are counted twice, since
for_each_possible_cpu() is looping on all possible cpus, including 0

Before percpu conversion of ip_rt_acct, we should also remove the
assumption that CPU 0 is online (or even possible)

Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago create /sys/.../power when CONFIG_PM is set
Daniel Drake [Wed, 28 Nov 2007 22:52:16 +0000 (14:52 -0800)]
create /sys/.../power when CONFIG_PM is set

patch dec13c15445fec29ca9087890895718450e80b95 in mainline.

The CONFIG_SUSPEND changes in 2.6.23 caused a regression under certain
configuration conditions (SUSPEND=n, USB_AUTOSUSPEND=y) where all USB
device attributes in sysfs (idVendor, idProduct, ...) silently disappeared,
causing udev breakage and more.

The cause of this is that the /sys/.../power subdirectory is now only
created when CONFIG_PM_SLEEP is set, however, it should be created whenever
CONFIG_PM is set to handle the above situation.  The following patch fixes
the regression.

Signed-off-by: Daniel Drake <dsd@gentoo.org>
Acked-by: Rafael J. Wysocki <rjw@sisk.pl>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Kay Sievers <kay.sievers@vrfy.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago netfilter: Fix kernel panic with REDIRECT target.
Evgeniy Polyakov [Wed, 28 Nov 2007 08:56:54 +0000 (09:56 +0100)]
netfilter: Fix kernel panic with REDIRECT target.

This patch fixes a NAT regression in 2.6.23, resulting in a
crash when a connection is NATed and matches a conntrack
helper after NAT.

Please apply, thanks.

[NETFILTER]: Fix kernel panic with REDIRECT target.

Upstream commit 1f305323ff5b9ddc1a4346d36072bcdb58f3f68a

When connection tracking entry (nf_conn) is about to copy itself it can
have some of its extension users (like nat) as being already freed and
thus not required to be copied.

Actually looking at this function I suspect it was copied from
nf_nat_setup_info() and thus bug was introduced.

Report and testing from David <david@unsolicited.net>.

[ Patrick McHardy states:

        I now understand what's happening:

        - new connection is allocated without helper
        - connection is REDIRECTed to localhost
        - nf_nat_setup_info adds NAT extension, but doesn't initialize it yet
        - nf_conntrack_alter_reply performs a helper lookup based on the
           new tuple, finds the SIP helper and allocates a helper extension,
           causing reallocation because of too little space
        - nf_nat_move_storage is called with the uninitialized nat extension

        So your fix is entirely correct, thanks a lot :)  ]

Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago nf_nat: fix memset error
Li Zefan [Wed, 28 Nov 2007 08:56:27 +0000 (09:56 +0100)]
nf_nat: fix memset error

This patch fixes an incorrect memset in the NAT code, causing
misbehaviour when unloading and reloading the NAT module.
Applies to stable-2.6.22 and stable-2.6.23.

Please apply, thanks.

[NETFILTER]: nf_nat: fix memset error

Upstream commit e0bf9cf15fc30d300b7fbd821c6bc975531fab44

The size passed to memset is the size of a pointer. Fixes
misbehaviour when unloading and reloading the NAT module.

Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago esp_scsi: fix reset cleanup spinlock recursion
Maciej W. Rozycki [Mon, 10 Dec 2007 23:49:31 +0000 (15:49 -0800)]
esp_scsi: fix reset cleanup spinlock recursion

patch 522939d45c293388e6a360210905f9230298df16 in mainline.

The esp_reset_cleanup() function is called with the host lock held and
invokes starget_for_each_device() which wants to take it too.  Here is a
fix along the lines of shost_for_each_device()/__shost_for_each_device()
adding a __starget_for_each_device() counterpart which assumes the lock
has already been taken.

Eventually, I think the driver should get modified so that more work is
done as a softirq rather than in the interrupt context, but for now it
fixes a bug that causes the spinlock debugger to fire.

While at it, it fixes a small number of cosmetic problems with
starget_for_each_device() too.

Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
Acked-by: David S. Miller <davem@davemloft.net>
Cc: James Bottomley <James.Bottomley@steeleye.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago revert "dpt_i2o: convert to SCSI hotplug model"
Andrew Morton [Mon, 10 Dec 2007 23:49:20 +0000 (15:49 -0800)]
revert "dpt_i2o: convert to SCSI hotplug model"

patch 24601bbcacb3356657747f2e64317923feb7a1a2 in mainline.

revert

    commit 55d9fcf57ba5ec427544fca7abc335cf3da78160
    Author: Matthew Wilcox <matthew@wil.cx>
    Date:   Mon Jul 30 15:19:18 2007 -0600

        [SCSI] dpt_i2o: convert to SCSI hotplug model

         - Delete references to HOSTS_C
         - Switch to module_init/module_exit instead of detect/release
         - Don't pass around the host template and rename it to adpt_template
         - Switch from scsi_register/scsi_unregister to scsi_host_alloc,
           scsi_add_host, scsi_scan_host and scsi_host_put.

Because it caused (for unknown reasons) Andres' all-data-reads-as-zeroes
problem, reported at
http://groups.google.com/group/fa.linux.kernel/msg/083a9acff0330234

Cc: Matthew Wilcox <matthew@wil.cx>
Cc: Mark Salyzyn <mark_salyzyn@adaptec.com>
Cc: James Bottomley <James.Bottomley@SteelEye.com>
Acked-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Cc: Anders Henke <anders.henke@1und1.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago fb_ddc: fix DDC lines quirk
Jean Delvare [Thu, 29 Nov 2007 00:21:35 +0000 (16:21 -0800)]
fb_ddc: fix DDC lines quirk

patch b64d70825abbf706bbe80be1b11b09514b71f45e in mainline.

The code in fb_ddc_read() is said to be based on the implementation of the
radeon driver:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=fc5891c8a3ba284f13994d7bc1f1bfa8283982de

However, comparing the old radeon driver code with the new fb_ddc code
reveals some differences.  Most notably, the I2C bus lines are held at the
end of the function, while the original code was releasing them (as the
comment above correctly says.)

There are a few other differences, which appear to be responsible for read
failures on my system.  While tracing low-level I2C code in i2c-algo-bit, I
noticed that the initial attempt to read the EDID always failed.  It takes
one retry for the read to succeed.  As we are about to remove this
automatic retry property from i2c-algo-bit, reading the EDID would really
fail.

As a summary, the I2C lines quirk which is supposedly needed to read EDID
on some older monitors is currently breaking the (first) read on all other
monitors (and might not even work with older ones - did anyone try since
October 2006?)

After applying the patch below, which makes the code in fb_ddc_read()
really similar to what the radeon driver used to have, the first EDID read
succeeds again.

On top of that, as it appears that this code has been broken for one year
now and nobody seems to have complained, I'm curious if it makes sense to
keep this quirk in place.  It makes the code more complex and slower just
for the sake of monitors which I guess nobody uses anymore.  Can't we just
get rid of it?

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Tested-by: Roger Leigh <rleigh@whinlatter.ukfsn.org>
Tested-by: Michael Buesch <mb@bu3sch.de>
Cc: "Antonino A. Daplas" <adaplas@pol.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>