]> git.karo-electronics.de Git - karo-tx-linux.git/log
karo-tx-linux.git
14 years agosecurity: testing the wrong variable in create_by_name()
Dan Carpenter [Thu, 22 Apr 2010 10:05:35 +0000 (12:05 +0200)]
security: testing the wrong variable in create_by_name()

commit b338cc8207eae46640a8d534738fda7b5e48511d upstream.

There is a typo here.  We should be testing "*dentry" instead of
"dentry".  If "*dentry" is an ERR_PTR, it gets dereferenced in either
mkdir() or create() which would cause an OOPs.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosparc64: Fix memory leak in pci_register_iommu_region().
David S. Miller [Sun, 11 Apr 2010 03:26:55 +0000 (20:26 -0700)]
sparc64: Fix memory leak in pci_register_iommu_region().

[ Upstream commit e182c77cc291456eed127b1472952ddb59a81a9d ]

Found by kmemleak.

If request_resource() fails, we leak the struct resource we
allocated to represent the IOMMU mapping area.

This actually happens on sun4v machines because the IOMEM area is only
reported sans the IOMMU region, unlike all previous systems.  I'll
need to fix that at some point, but for now fix the leak.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosparc64: Adjust __raw_local_irq_save() to cooperate in NMIs.
David S. Miller [Mon, 10 May 2010 12:19:10 +0000 (05:19 -0700)]
sparc64: Adjust __raw_local_irq_save() to cooperate in NMIs.

[ Upstream commits 0c25e9e6cbe7b233bb91d14d0e2c258bf8e6ec83 and
   c011f80ba0912486fe51dd2b3f71d9b33a151188 ]

If we are in an NMI then doing a plain raw_local_irq_disable() will
write PIL_NORMAL_MAX into %pil, which is lower than PIL_NMI, and thus
we'll re-enable NMIs and recurse.

Doing a simple:

%pil = %pil | PIL_NORMAL_MAX

does what we want, if we're already at PIL_NMI (15) we leave it at
that setting, else we set it to PIL_NORMAL_MAX (14).

This should get the function tracer working on sparc64.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosparc64: Use kstack_valid() in die_if_kernel().
David S. Miller [Tue, 13 Apr 2010 05:16:22 +0000 (22:16 -0700)]
sparc64: Use kstack_valid() in die_if_kernel().

[ Upstream commit cb256aa60409efd803806cfb0528a4b3f8397dba ]

This gets rid of a local function (is_kernel_stack()) which tries to
do the same thing, yet poorly in that it doesn't handle IRQ stacks
properly.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosparc64: Fix hardirq tracing in trap return path.
David S. Miller [Tue, 20 Apr 2010 07:48:37 +0000 (00:48 -0700)]
sparc64: Fix hardirq tracing in trap return path.

[ Upstream commit 28a1f533ae8606020238b840b82ae70a3f87609e ]

We can overflow the hardirq stack if we set the %pil here
so early, just let the normal control flow do it.

This is fine as we are allowed to do the actual IRQ enable
at any point after we call trace_hardirqs_on.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosparc64: Fix PREEMPT_ACTIVE value.
David S. Miller [Mon, 19 Apr 2010 08:30:51 +0000 (01:30 -0700)]
sparc64: Fix PREEMPT_ACTIVE value.

[ Upstream commit 6c94b1ee0ca2bfb526d779c088ec20da6a3761db ]

It currently overlaps the NMI bit.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosparc64: Use correct pt_regs in decode_access_size() error paths.
David S. Miller [Mon, 19 Apr 2010 20:46:48 +0000 (13:46 -0700)]
sparc64: Use correct pt_regs in decode_access_size() error paths.

[ Upstream commit baa06775e224e9f74e5c2de894c95cd49678beff ]

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoWAN: flush tx_queue in hdlc_ppp to prevent panic on rmmod hw_driver.
Krzysztof Halasa [Wed, 14 Apr 2010 14:09:52 +0000 (14:09 +0000)]
WAN: flush tx_queue in hdlc_ppp to prevent panic on rmmod hw_driver.

[ Upstream commit 31f634a63de7068c6a5dcb0d7b09b24b61a5cf88 ]

tx_queue is used as a temporary queue when not allowed to queue skb
directly to the hw device driver (which may sleep). Most paths flush
it before returning, but ppp_start() currently cannot. Make sure we
don't leave skbs pointing to a non-existent device.

Thanks to Michael Barkowski for reporting this problem.

Signed-off-by: Krzysztof HaƂasa <khc@pm.waw.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoudp: fix for unicast RX path optimization
Jorge Boncompte [DTI2] [Thu, 8 Apr 2010 04:56:48 +0000 (04:56 +0000)]
udp: fix for unicast RX path optimization

[ Upstream commit 1223c67c0938d2df309fde618bd82c87c8c1af04 ]

Commits 5051ebd275de672b807c28d93002c2fb0514a3c9 and
5051ebd275de672b807c28d93002c2fb0514a3c9 ("ipv[46]: udp: optimize unicast RX
path") broke some programs.

After upgrading a L2TP server to 2.6.33 it started to fail, tunnels going up an
down, after the 10th tunnel came up. My modified rp-l2tp uses a global
unconnected socket bound to (INADDR_ANY, 1701) and one connected socket per
tunnel after parameter negotiation.

After ten sockets were open and due to mixed parameters to
udp[46]_lib_lookup2() kernel started to drop packets.

Signed-off-by: Jorge Boncompte [DTI2] <jorge@dti2.net>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agotun: orphan an skb on tx
Michael S. Tsirkin [Tue, 13 Apr 2010 04:59:44 +0000 (04:59 +0000)]
tun: orphan an skb on tx

[ Upstream commit 0110d6f22f392f976e84ab49da1b42f85b64a3c5 ]

The following situation was observed in the field:
tap1 sends packets, tap2 does not consume them, as a result
tap1 can not be closed. This happens because
tun/tap devices can hang on to skbs undefinitely.

As noted by Herbert, possible solutions include a timeout followed by a
copy/change of ownership of the skb, or always copying/changing
ownership if we're going into a hostile device.

This patch implements the second approach.

Note: one issue still remaining is that since skbs
keep reference to tun socket and tun socket has a
reference to tun device, we won't flush backlog,
instead simply waiting for all skbs to get transmitted.
At least this is not user-triggerable, and
this was not reported in practice, my assumption is
other devices besides tap complete an skb
within finite time after it has been queued.

A possible solution for the second issue
would not to have socket reference the device,
instead, implement dev->destructor for tun, and
wait for all skbs to complete there, but this
needs some thought, probably too risky for 2.6.34.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Tested-by: Yan Vugenfirer <yvugenfi@redhat.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agotipc: Fix oops on send prior to entering networked mode (v3)
Neil Horman [Wed, 3 Mar 2010 08:31:23 +0000 (08:31 +0000)]
tipc: Fix oops on send prior to entering networked mode (v3)

[ Upstream commit d0021b252eaf65ca07ed14f0d66425dd9ccab9a6 ]

Fix TIPC to disallow sending to remote addresses prior to entering NET_MODE

user programs can oops the kernel by sending datagrams via AF_TIPC prior to
entering networked mode.  The following backtrace has been observed:

ID: 13459  TASK: ffff810014640040  CPU: 0   COMMAND: "tipc-client"
[exception RIP: tipc_node_select_next_hop+90]
RIP: ffffffff8869d3c3  RSP: ffff81002d9a5ab8  RFLAGS: 00010202
RAX: 0000000000000001  RBX: 0000000000000001  RCX: 0000000000000001
RDX: 0000000000000000  RSI: 0000000000000001  RDI: 0000000001001001
RBP: 0000000001001001   R8: 0074736575716552   R9: 0000000000000000
R10: ffff81003fbd0680  R11: 00000000000000c8  R12: 0000000000000008
R13: 0000000000000001  R14: 0000000000000001  R15: ffff810015c6ca00
ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
RIP: 0000003cbd8d49a3  RSP: 00007fffc84e0be8  RFLAGS: 00010206
RAX: 000000000000002c  RBX: ffffffff8005d116  RCX: 0000000000000000
RDX: 0000000000000008  RSI: 00007fffc84e0c00  RDI: 0000000000000003
RBP: 0000000000000000   R8: 00007fffc84e0c10   R9: 0000000000000010
R10: 0000000000000000  R11: 0000000000000246  R12: 0000000000000000
R13: 00007fffc84e0d10  R14: 0000000000000000  R15: 00007fffc84e0c30
ORIG_RAX: 000000000000002c  CS: 0033  SS: 002b

What happens is that, when the tipc module in inserted it enters a standalone
node mode in which communication to its own address is allowed <0.0.0> but not
to other addresses, since the appropriate data structures have not been
allocated yet (specifically the tipc_net pointer).  There is nothing stopping a
client from trying to send such a message however, and if that happens, we
attempt to dereference tipc_net.zones while the pointer is still NULL, and
explode.  The fix is pretty straightforward.  Since these oopses all arise from
the dereference of global pointers prior to their assignment to allocated
values, and since these allocations are small (about 2k total), lets convert
these pointers to static arrays of the appropriate size.  All the accesses to
these bits consider 0/NULL to be a non match when searching, so all the lookups
still work properly, and there is no longer a chance of a bad dererence
anywhere.  As a bonus, this lets us eliminate the setup/teardown routines for
those pointers, and elimnates the need to preform any locking around them to
prevent access while their being allocated/freed.

I've updated the tipc_net structure to behave this way to fix the exact reported
problem, and also fixed up the tipc_bearers and media_list arrays to fix an
obvious simmilar problem that arises from issuing tipc-config commands to
manipulate bearers/links prior to entering networked mode

I've tested this for a few hours by running the sanity tests and stress test
with the tipcutils suite, and nothing has fallen over.  There have been a few
lockdep warnings, but those were there before, and can be addressed later, as
they didn't actually result in any deadlock.

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: Allan Stephens <allan.stephens@windriver.com>
CC: David S. Miller <davem@davemloft.net>
CC: tipc-discussion@lists.sourceforge.net
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agonet: Fix oops from tcp_collapse() when using splice()
Steven J. Magnani [Tue, 30 Mar 2010 20:56:01 +0000 (13:56 -0700)]
net: Fix oops from tcp_collapse() when using splice()

[ Upstream commit baff42ab1494528907bf4d5870359e31711746ae ]

tcp_read_sock() can have a eat skbs without immediately advancing copied_seq.
This can cause a panic in tcp_collapse() if it is called as a result
of the recv_actor dropping the socket lock.

A userspace program that splices data from a socket to either another
socket or to a file can trigger this bug.

Signed-off-by: Steven J. Magnani <steve@digidescorp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosctp: Fix oops when sending queued ASCONF chunks
Vlad Yasevich [Wed, 28 Apr 2010 08:47:22 +0000 (08:47 +0000)]
sctp: Fix oops when sending queued ASCONF chunks

[ Upstream commit c0786693404cffd80ca3cb6e75ee7b35186b2825 ]

When we finish processing ASCONF_ACK chunk, we try to send
the next queued ASCONF.  This action runs the sctp state
machine recursively and it's not prepared to do so.

kernel BUG at kernel/timer.c:790!
invalid opcode: 0000 [#1] SMP
last sysfs file: /sys/module/ipv6/initstate
Modules linked in: sha256_generic sctp libcrc32c ipv6 dm_multipath
uinput 8139too i2c_piix4 8139cp mii i2c_core pcspkr virtio_net joydev
floppy virtio_blk virtio_pci [last unloaded: scsi_wait_scan]

Pid: 0, comm: swapper Not tainted 2.6.34-rc4 #15 /Bochs
EIP: 0060:[<c044a2ef>] EFLAGS: 00010286 CPU: 0
EIP is at add_timer+0xd/0x1b
EAX: cecbab14 EBX: 000000f0 ECX: c0957b1c EDX: 03595cf4
ESI: cecba800 EDI: cf276f00 EBP: c0957aa0 ESP: c0957aa0
 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Process swapper (pid: 0, ti=c0956000 task=c0988ba0 task.ti=c0956000)
Stack:
 c0957ae0 d1851214 c0ab62e4 c0ab5f26 0500ffff 00000004 00000005 00000004
<0> 00000000 d18694fd 00000004 1666b892 cecba800 cecba800 c0957b14
00000004
<0> c0957b94 d1851b11 ceda8b00 cecba800 cf276f00 00000001 c0957b14
000000d0
Call Trace:
 [<d1851214>] ? sctp_side_effects+0x607/0xdfc [sctp]
 [<d1851b11>] ? sctp_do_sm+0x108/0x159 [sctp]
 [<d1863386>] ? sctp_pname+0x0/0x1d [sctp]
 [<d1861a56>] ? sctp_primitive_ASCONF+0x36/0x3b [sctp]
 [<d185657c>] ? sctp_process_asconf_ack+0x2a4/0x2d3 [sctp]
 [<d184e35c>] ? sctp_sf_do_asconf_ack+0x1dd/0x2b4 [sctp]
 [<d1851ac1>] ? sctp_do_sm+0xb8/0x159 [sctp]
 [<d1863334>] ? sctp_cname+0x0/0x52 [sctp]
 [<d1854377>] ? sctp_assoc_bh_rcv+0xac/0xe1 [sctp]
 [<d1858f0f>] ? sctp_inq_push+0x2d/0x30 [sctp]
 [<d186329d>] ? sctp_rcv+0x797/0x82e [sctp]

Tested-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Yuansong Qiao <ysqiao@research.ait.ie>
Signed-off-by: Shuaijun Zhang <szhang@research.ait.ie>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosctp: fix to calc the INIT/INIT-ACK chunk length correctly is set
Wei Yongjun [Wed, 28 Apr 2010 08:47:21 +0000 (08:47 +0000)]
sctp: fix to calc the INIT/INIT-ACK chunk length correctly is set

[ Upstream commita8170c35e738d62e9919ce5b109cf4ed66e95bde ]

When calculating the INIT/INIT-ACK chunk length, we should not
only account the length of parameters, but also the parameters
zero padding length, such as AUTH HMACS parameter and CHUNKS
parameter. Without the parameters zero padding length we may get
following oops.

skb_over_panic: text:ce2068d2 len:130 put:6 head:cac3fe00 data:cac3fe00 tail:0xcac3fe82 end:0xcac3fe80 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:127!
invalid opcode: 0000 [#2] SMP
last sysfs file: /sys/module/aes_generic/initstate
Modules linked in: authenc ......

Pid: 4102, comm: sctp_darn Tainted: G      D    2.6.34-rc2 #6
EIP: 0060:[<c0607630>] EFLAGS: 00010282 CPU: 0
EIP is at skb_over_panic+0x37/0x3e
EAX: 00000078 EBX: c07c024b ECX: c07c02b9 EDX: cb607b78
ESI: 00000000 EDI: cac3fe7a EBP: 00000002 ESP: cb607b74
 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process sctp_darn (pid: 4102, ti=cb607000 task=cabdc990 task.ti=cb607000)
Stack:
 c07c02b9 ce2068d2 00000082 00000006 cac3fe00 cac3fe00 cac3fe82 cac3fe80
<0> c07c024b cac3fe7c cac3fe7a c0608dec ca986e80 ce2068d2 00000006 0000007a
<0> cb8120ca ca986e80 cb812000 00000003 cb8120c4 ce208a25 cb8120ca cadd9400
Call Trace:
 [<ce2068d2>] ? sctp_addto_chunk+0x45/0x85 [sctp]
 [<c0608dec>] ? skb_put+0x2e/0x32
 [<ce2068d2>] ? sctp_addto_chunk+0x45/0x85 [sctp]
 [<ce208a25>] ? sctp_make_init+0x279/0x28c [sctp]
 [<c0686a92>] ? apic_timer_interrupt+0x2a/0x30
 [<ce1fdc0b>] ? sctp_sf_do_prm_asoc+0x2b/0x7b [sctp]
 [<ce202823>] ? sctp_do_sm+0xa0/0x14a [sctp]
 [<ce2133b9>] ? sctp_pname+0x0/0x14 [sctp]
 [<ce211d72>] ? sctp_primitive_ASSOCIATE+0x2b/0x31 [sctp]
 [<ce20f3cf>] ? sctp_sendmsg+0x7a0/0x9eb [sctp]
 [<c064eb1e>] ? inet_sendmsg+0x3b/0x43
 [<c04244b7>] ? task_tick_fair+0x2d/0xd9
 [<c06031e1>] ? sock_sendmsg+0xa7/0xc1
 [<c0416afe>] ? smp_apic_timer_interrupt+0x6b/0x75
 [<c0425123>] ? dequeue_task_fair+0x34/0x19b
 [<c0446abb>] ? sched_clock_local+0x17/0x11e
 [<c052ea87>] ? _copy_from_user+0x2b/0x10c
 [<c060ab3a>] ? verify_iovec+0x3c/0x6a
 [<c06035ca>] ? sys_sendmsg+0x186/0x1e2
 [<c042176b>] ? __wake_up_common+0x34/0x5b
 [<c04240c2>] ? __wake_up+0x2c/0x3b
 [<c057e35c>] ? tty_wakeup+0x43/0x47
 [<c04430f2>] ? remove_wait_queue+0x16/0x24
 [<c0580c94>] ? n_tty_read+0x5b8/0x65e
 [<c042be02>] ? default_wake_function+0x0/0x8
 [<c0604e0e>] ? sys_socketcall+0x17f/0x1cd
 [<c040264c>] ? sysenter_do_call+0x12/0x22
Code: 0f 45 de 53 ff b0 98 00 00 00 ff b0 94 ......
EIP: [<c0607630>] skb_over_panic+0x37/0x3e SS:ESP 0068:cb607b74

To reproduce:

# modprobe sctp
# echo 1 > /proc/sys/net/sctp/addip_enable
# echo 1 > /proc/sys/net/sctp/auth_enable
# sctp_test -H 3ffe:501:ffff:100:20c:29ff:fe4d:f37e -P 800 -l
# sctp_darn -H 3ffe:501:ffff:100:20c:29ff:fe4d:f37e -P 900 -h 192.168.0.21 -p 800 -I -s -t
sctp_darn ready to send...
3ffe:501:ffff:100:20c:29ff:fe4d:f37e:900-192.168.0.21:800 Interactive mode> bindx-add=192.168.0.21
3ffe:501:ffff:100:20c:29ff:fe4d:f37e:900-192.168.0.21:800 Interactive mode> bindx-add=192.168.1.21
3ffe:501:ffff:100:20c:29ff:fe4d:f37e:900-192.168.0.21:800 Interactive mode> snd=10

------------------------------------------------------------------
eth0 has addresses: 3ffe:501:ffff:100:20c:29ff:fe4d:f37e and 192.168.0.21
eth1 has addresses: 192.168.1.21
------------------------------------------------------------------

Reported-by: George Cheimonidis <gchimon@gmail.com>
Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosctp: per_cpu variables should be in bh_disabled section
Vlad Yasevich [Wed, 28 Apr 2010 08:47:20 +0000 (08:47 +0000)]
sctp: per_cpu variables should be in bh_disabled section

[ Upstream commit 81419d862db743fe4450a021893f24bab4698c1d ]

Since the change of the atomics to percpu variables, we now
have to disable BH in process context when touching percpu variables.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosctp: fix potential reference of a freed pointer
Vlad Yasevich [Wed, 28 Apr 2010 08:47:19 +0000 (08:47 +0000)]
sctp: fix potential reference of a freed pointer

[ Upstream commit 0c42749cffbb4a06be86c5e5db6c7ebad548781f ]

When sctp attempts to update an assocition, it removes any
addresses that were not in the updated INITs.  However, the loop
may attempt to refrence a transport with address after removing it.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosctp: avoid irq lock inversion while call sk->sk_data_ready()
Wei Yongjun [Wed, 28 Apr 2010 08:47:18 +0000 (08:47 +0000)]
sctp: avoid irq lock inversion while call sk->sk_data_ready()

[ Upstream commit 561b1733a465cf9677356b40c27653dd45f1ac56 ]

sk->sk_data_ready() of sctp socket can be called from both BH and non-BH
contexts, but the default sk->sk_data_ready(), sock_def_readable(), can
not be used in this case. Therefore, we have to make a new function
sctp_data_ready() to grab sk->sk_data_ready() with BH disabling.

=========================================================
[ INFO: possible irq lock inversion dependency detected ]
2.6.33-rc6 #129
---------------------------------------------------------
sctp_darn/1517 just changed the state of lock:
 (clock-AF_INET){++.?..}, at: [<c06aab60>] sock_def_readable+0x20/0x80
but this lock took another, SOFTIRQ-unsafe lock in the past:
 (slock-AF_INET){+.-...}

and interrupts could create inverse lock ordering between them.

other info that might help us debug this:
1 lock held by sctp_darn/1517:
 #0:  (sk_lock-AF_INET){+.+.+.}, at: [<cdfe363d>] sctp_sendmsg+0x23d/0xc00 [sctp]

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoipv6: Fix tcp_v6_send_response transport header setting.
Herbert Xu [Wed, 21 Apr 2010 07:47:15 +0000 (00:47 -0700)]
ipv6: Fix tcp_v6_send_response transport header setting.

[ Upstream commit 6651ffc8e8bdd5fb4b7d1867c6cfebb4f309512c ]

My recent patch to remove the open-coded checksum sequence in
tcp_v6_send_response broke it as we did not set the transport
header pointer on the new packet.

Actually, there is code there trying to set the transport
header properly, but it sets it for the wrong skb ('skb'
instead of 'buff').

This bug was introduced by commit
a8fdf2b331b38d61fb5f11f3aec4a4f9fb2dedcb ("ipv6: Fix
tcp_v6_send_response(): it didn't set skb transport header")

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoieee802154: Fix oops during ieee802154_sock_ioctl
Stefan Schmidt [Mon, 26 Apr 2010 18:20:32 +0000 (11:20 -0700)]
ieee802154: Fix oops during ieee802154_sock_ioctl

[ Upstream commit 93c0c8b4a5a174645550d444bd5c3ff0cccf74cb ]

Trying to run izlisten (from lowpan-tools tests) on a device that does not
exists I got the oops below. The problem is that we are using get_dev_by_name
without checking if we really get a device back. We don't in this case and
writing to dev->type generates this oops.

[Oops code removed by Dmitry Eremin-Solenikov]

If possible this patch should be applied to the current -rc fixes branch.

Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agocdc_ether: fix autosuspend for mbm devices
Torgny Johansson [Wed, 28 Apr 2010 00:07:40 +0000 (17:07 -0700)]
cdc_ether: fix autosuspend for mbm devices

[ Upstream commit 55964d72d63b15df49a5df11ef91dc8601270815 ]

Autosuspend works until you bring the wwan interface up, then the
device does not enter autosuspend anymore.

The following patch fixes the problem by setting the .manage_power
field in the mbm_info struct to the same as in the cdc_info struct
(cdc_manager_power).

Signed-off-by: Torgny Johansson <torgny.johansson@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agobnx2: Fix lost MSI-X problem on 5709 NICs.
Michael Chan [Tue, 27 Apr 2010 11:28:09 +0000 (11:28 +0000)]
bnx2: Fix lost MSI-X problem on 5709 NICs.

commit c441b8d2cb2194b05550a558d6d95d8944e56a84 upstream.

It has been reported that under certain heavy traffic conditions in MSI-X
mode, the driver can lose an MSI-X vector causing all packets in the
associated rx/tx ring pair to be dropped.  The problem is caused by
the chip dropping the write to unmask the MSI-X vector by the kernel
(when migrating the IRQ for example).

This can be prevented by increasing the GRC timeout value for these
register read and write operations.

Thanks to Dell for helping us debug this problem.

Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agopowerpc: Reduce printk from pseries_mach_cpu_die()
Vaidyanathan Srinivasan [Mon, 1 Mar 2010 02:58:23 +0000 (02:58 +0000)]
powerpc: Reduce printk from pseries_mach_cpu_die()

commit a8e6da093ea8642b1320fb5d64134366f2a8d0ac upstream.

Remove debug printks in pseries_mach_cpu_die().  These are
noisy at runtime.  Traceevents can be added to instrument this
section of code.

The following KERN_INFO printks are removed:

cpu 62 (hwid 62) returned from cede.
Decrementer value = b2802fff Timebase value = 2fa8f95035f4a
cpu 62 (hwid 62) got prodded to go online
cpu 58 (hwid 58) ceding for offline with hint 2

Signed-off-by: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
Cc: Gautham R Shenoy <ego@in.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agopowerpc: Move checks in pseries_mach_cpu_die()
Vaidyanathan Srinivasan [Mon, 1 Mar 2010 02:58:16 +0000 (02:58 +0000)]
powerpc: Move checks in pseries_mach_cpu_die()

commit 0212f2602a38e740d5a96aba4cebfc2ebc993ecf upstream.

Rearrange condition checks for better code readability and
prevention of possible race conditions when
preferred_offline_state can potentially change during the
execution of pseries_mach_cpu_die().  The patch will make
pseries_mach_cpu_die() put cpu in one of the consistent states
and not hit the run over BUG()

Signed-off-by: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
Cc: Gautham R Shenoy <ego@in.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agopowerpc: Reset kernel stack on cpu online from cede state
Vaidyanathan Srinivasan [Mon, 1 Mar 2010 02:58:09 +0000 (02:58 +0000)]
powerpc: Reset kernel stack on cpu online from cede state

commit 8dbce53cc249a76e9450708d291fce5a7e29c6a1 upstream.

Cpu hotplug (offline) without dlpar operation will place cpu
in cede state and the extended_cede_processor() function will
return when resumed.

Kernel stack pointer needs to be reset before
start_secondary() is called to continue the online operation.

Added new function start_secondary_resume() to do the above
steps.

Signed-off-by: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
Cc: Gautham R Shenoy <ego@in.ibm.com>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoxfs: add a shrinker to background inode reclaim
Dave Chinner [Tue, 4 May 2010 02:58:20 +0000 (12:58 +1000)]
xfs: add a shrinker to background inode reclaim

commit 9bf729c0af67897ea8498ce17c29b0683f7f2028 upstream

On low memory boxes or those with highmem, kernel can OOM before the
background reclaims inodes via xfssyncd. Add a shrinker to run inode
reclaim so that it inode reclaim is expedited when memory is low.

This is more complex than it needs to be because the VM folk don't
want a context added to the shrinker infrastructure. Hence we need
to add a global list of XFS mount structures so the shrinker can
traverse them.

Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Acked-by: Alex Elder <aelder@sgi.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agotg3: Fix INTx fallback when MSI fails
Andre Detsch [Mon, 26 Apr 2010 07:27:07 +0000 (07:27 +0000)]
tg3: Fix INTx fallback when MSI fails

commit dc8bf1b1a6edfc92465526de19772061302f0929 upstream.

tg3: Fix INTx fallback when MSI fails

MSI setup changes the value of irq_vec in struct tg3 *tp.
This attribute must be taken into account and restored before
we try to do a new request_irq for INTx fallback.

In powerpc, the original code was leading to an EINVAL return within
request_irq, because the driver was trying to use the disabled MSI
virtual irq number instead of tp->pdev->irq.

Signed-off-by: Andre Detsch <adetsch@br.ibm.com>
Acked-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Brandon Philips <bphilips@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoskip sense logging for some ATA PASS-THROUGH cdbs
Douglas Gilbert [Sun, 3 Jan 2010 18:51:15 +0000 (13:51 -0500)]
skip sense logging for some ATA PASS-THROUGH cdbs

commit e7efe5932b1d3916c79326a4221693ea90a900e2 upstream.

Further to the lsml thread titled:
"does scsi_io_completion need to dump sense data for ata pass through (ck_cond =
1) ?"

This is a patch to skip logging when the sense data is
associated with a SENSE_KEY of "RECOVERED_ERROR" and the
additional sense code is "ATA PASS-THROUGH INFORMATION
AVAILABLE". This only occurs with the SAT ATA PASS-THROUGH
commands when CK_COND=1 (in the cdb). It indicates that
the sense data contains ATA registers.

Smartmontools uses such commands on ATA disks connected via
SAT. Periodic checks such as those done by smartd cause
nuisance entries into logs that are:
    - neither errors nor warnings
    - pointless unless the cdb that caused them are also logged

Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoath9k: reorder ieee80211_free_hw behind ath9k_uninit_hw to avoid oops
John W. Linville [Fri, 30 Apr 2010 15:19:58 +0000 (11:19 -0400)]
ath9k: reorder ieee80211_free_hw behind ath9k_uninit_hw to avoid oops

This code only exists in 2.6.33 -- 2.6.32 and 2.6.34 are not affected.

Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agor8169: more broken register writes workaround
françois romieu [Mon, 26 Apr 2010 11:42:58 +0000 (11:42 +0000)]
r8169: more broken register writes workaround

commit 908ba2bfd22253f26fa910cd855e4ccffb1467d0 upstream.

78f1cd02457252e1ffbc6caa44a17424a45286b8 ("fix broken register writes")
does not work for Al Viro's r8169 (XID 18000000).

Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agor8169: fix broken register writes
Francois Romieu [Sun, 28 Mar 2010 02:35:46 +0000 (19:35 -0700)]
r8169: fix broken register writes

commit 78f1cd02457252e1ffbc6caa44a17424a45286b8 upstream.

This is quite similar to b39fe41f481d20c201012e4483e76c203802dda7
though said registers are not even documented as 64-bit registers
- as opposed to the initial TxDescStartAddress ones - but as single
bytes which must be combined into 32 bits at the MMIO read/write
level before being merged into a 64 bit logical entity.

Credits go to Ben Hutchings <ben@decadent.org.uk> for the MAR
registers (aka "multicast is broken for ages on ARM) and to
Timo TerĂ€s <timo.teras@iki.fi> for the MAC registers.

Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agor8169: use correct barrier between cacheable and non-cacheable memory
David Dillow [Wed, 3 Mar 2010 16:33:10 +0000 (16:33 +0000)]
r8169: use correct barrier between cacheable and non-cacheable memory

commit 4c020a961a812ffae9846b917304cea504c3a733 upstream.

r8169 needs certain writes to be visible to other CPUs or the NIC before
touching the hardware, but was using smp_wmb() which is only required to
order cacheable memory access. Switch to wmb() which is required to
order both cacheable and non-cacheable memory.

Noticed by Catalin Marinas and Paul Mackerras.

Signed-off-by: David Dillow <dave@thedillows.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agokgdb: don't needlessly skip PAGE_USER test for Fsl booke
Wufei [Wed, 28 Apr 2010 21:42:32 +0000 (17:42 -0400)]
kgdb: don't needlessly skip PAGE_USER test for Fsl booke

commit 56151e753468e34aeb322af4b0309ab727c97d2e upstream.

The bypassing of this test is a leftover from 2.4 vintage
kernels, and is no longer appropriate, or even used by KGDB.
Currently KGDB uses probe_kernel_write() for all access to
memory via the KGDB core, so it can simply be deleted.

This fixes CVE-2010-1446.

CC: Benjamin Herrenschmidt <benh@kernel.crashing.org>
CC: Paul Mackerras <paulus@samba.org>
CC: Kumar Gala <galak@kernel.crashing.org>
Signed-off-by: Wufei <fei.wu@windriver.com>
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agodrivers/net/wireless/p54/txrx.c Fix off by one error
Darren Jenkins [Wed, 17 Feb 2010 12:40:15 +0000 (23:40 +1100)]
drivers/net/wireless/p54/txrx.c Fix off by one error

commit 088ea189c4c75cdf211146faa4b341a0f7476be6 upstream.

fix off by one error in the queue size check of p54_tx_qos_accounting_alloc()

Coverity CID: 13314

Signed-off-by: Darren Jenkins <darrenrjenkins@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agojfs: fix diAllocExt error in resizing filesystem
Bill Pemberton [Fri, 16 Apr 2010 13:01:20 +0000 (08:01 -0500)]
jfs: fix diAllocExt error in resizing filesystem

commit 2b0b39517d1af5294128dbc2fd7ed39c8effa540 upstream.

Resizing the filesystem would result in an diAllocExt error in some
instances because changes in bmp->db_agsize would not get noticed if
goto extendBmap was called.

Signed-off-by: Bill Pemberton <wfp5p@virginia.edu>
Signed-off-by: Dave Kleikamp <shaggy@linux.vnet.ibm.com>
Cc: jfs-discussion@lists.sourceforge.net
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoCRED: Fix a race in creds_are_invalid() in credentials debugging
David Howells [Wed, 21 Apr 2010 09:28:25 +0000 (10:28 +0100)]
CRED: Fix a race in creds_are_invalid() in credentials debugging

commit e134d200d57d43b171dcb0b55c178a1a0c7db14a upstream.

creds_are_invalid() reads both cred->usage and cred->subscribers and then
compares them to make sure the number of processes subscribed to a cred struct
never exceeds the refcount of that cred struct.

The problem is that this can cause a race with both copy_creds() and
exit_creds() as the two counters, whilst they are of atomic_t type, are only
atomic with respect to themselves, and not atomic with respect to each other.

This means that if creds_are_invalid() can read the values on one CPU whilst
they're being modified on another CPU, and so can observe an evolving state in
which the subscribers count now is greater than the usage count a moment
before.

Switching the order in which the counts are read cannot help, so the thing to
do is to remove that particular check.

I had considered rechecking the values to see if they're in flux if the test
fails, but I can't guarantee they won't appear the same, even if they've
changed several times in the meantime.

Note that this can only happen if CONFIG_DEBUG_CREDENTIALS is enabled.

The problem is only likely to occur with multithreaded programs, and can be
tested by the tst-eintr1 program from glibc's "make check".  The symptoms look
like:

CRED: Invalid credentials
CRED: At include/linux/cred.h:240
CRED: Specified credentials: ffff88003dda5878 [real][eff]
CRED: ->magic=43736564, put_addr=(null)
CRED: ->usage=766, subscr=766
CRED: ->*uid = { 0,0,0,0 }
CRED: ->*gid = { 0,0,0,0 }
CRED: ->security is ffff88003d72f538
CRED: ->security {359, 359}
------------[ cut here ]------------
kernel BUG at kernel/cred.c:850!
...
RIP: 0010:[<ffffffff81049889>]  [<ffffffff81049889>] __invalid_creds+0x4e/0x52
...
Call Trace:
 [<ffffffff8104a37b>] copy_creds+0x6b/0x23f

Note the ->usage=766 and subscr=766.  The values appear the same because
they've been re-read since the check was made.

Reported-by: Roland McGrath <roland@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoinitramfs: handle unrecognised decompressor when unpacking
Phillip Lougher [Fri, 23 Apr 2010 17:18:11 +0000 (13:18 -0400)]
initramfs: handle unrecognised decompressor when unpacking

commit df37bd156dcb4f5441beaf5bde444adac974e9a0 upstream.

The unpack routine fails to handle the decompress_method() returning
unrecognised decompressor (compress_name == NULL).  This results in the
routine looping eventually oopsing on an out of bounds memory access.

Note this bug is usually hidden, only triggering on trailing junk after
one or more correct compressed blocks.  The case of the compressed archive
being complete junk is (by accident?) caught by the if (state != Reset)
check because state is initialised to Start, but not updated due to the
decompressor not having been called.  Obviously if the junk is trailing a
correctly decompressed buffer, state == Reset from the previous call to
the decompressor.

Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoext4: correctly calculate number of blocks for fiemap
Leonard Michlmayr [Thu, 4 Mar 2010 22:07:28 +0000 (17:07 -0500)]
ext4: correctly calculate number of blocks for fiemap

commit aca92ff6f57c000d1b4523e383c8bd6b8269b8b1 upstream.

ext4_fiemap() rounds the length of the requested range down to
blocksize, which is is not the true number of blocks that cover the
requested region.  This problem is especially impressive if the user
requests only the first byte of a file: not a single extent will be
reported.

We fix this by calculating the last block of the region and then
subtract to find the number of blocks in the extents.

Signed-off-by: Leonard Michlmayr <leonard.michlmayr@gmail.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agolibata: Fix accesses at LBA28 boundary (old bug, but nasty) (v2)
Mark Lord [Wed, 7 Apr 2010 17:52:08 +0000 (13:52 -0400)]
libata: Fix accesses at LBA28 boundary (old bug, but nasty) (v2)

commit 45c4d015a92f72ec47acd0c7557abdc0c8a6499d upstream.

Most drives from Seagate, Hitachi, and possibly other brands,
do not allow LBA28 access to sector number 0x0fffffff (2^28 - 1).
So instead use LBA48 for such accesses.

This bug could bite a lot of systems, especially when the user has
taken care to align partitions to 4KB boundaries. On misaligned systems,
it is less likely to be encountered, since a 4KB read would end at
0x10000000 rather than at 0x0fffffff.

Signed-off-by: Mark Lord <mlord@pobox.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoPCI: Ensure we re-enable devices on resume
Matthew Garrett [Thu, 22 Apr 2010 13:30:51 +0000 (09:30 -0400)]
PCI: Ensure we re-enable devices on resume

commit cc2893b6af5265baa1d68b17b136cffca9e40cfa upstream.

If the firmware puts a device back into D0 state at resume time, we'll
update its state in resume_noirq and thus skip the platform resume code.
Calling that code twice should be safe and we ought to avoid getting to
that point anyway, so remove the check and also allow the platform pci
code to be called for D0.

Fixes USB not being powered after resume on recent Lenovo machines.

Acked-by: Alex Chiang <achiang@canonical.com>
Acked-by: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: Matthew Garrett <mjg@redhat.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoALSA: hda: Use olpc-xo-1_5 quirk for Toshiba Satellite P500-PSPGSC-01800T
Daniel T Chen [Wed, 5 May 2010 02:07:58 +0000 (22:07 -0400)]
ALSA: hda: Use olpc-xo-1_5 quirk for Toshiba Satellite P500-PSPGSC-01800T

commit c53666813813a0ea3d0391e1911eefc05a5e6b4f upstream.

BugLink: https://launchpad.net/bugs/549267
The OR verified that using the olpc-xo-1_5 model quirk allows the
headphones to be audible when inserted into the jack. Capture was
also verified to work correctly.

Reported-by: Richard Gagne
Tested-by: Richard Gagne
Signed-off-by: Daniel T Chen <crimsun@ubuntu.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoALSA: hda: Use olpc-xo-1_5 quirk for Toshiba Satellite Pro T130-15F
Daniel T Chen [Tue, 4 May 2010 00:39:31 +0000 (20:39 -0400)]
ALSA: hda: Use olpc-xo-1_5 quirk for Toshiba Satellite Pro T130-15F

commit 4442dd4613fe3795b4c8a5f42fc96b7ffb90d01a upstream.

BugLink: https://launchpad.net/bugs/573284
The OR verified that using the olpc-xo-1_5 model quirk allows the
headphones to be audible when inserted into the jack. Capture was
also verified to work correctly.

Reported-by: Andy Couldrake <acouldrake@googlemail.com>
Tested-by: Andy Couldrake <acouldrake@googlemail.com>
Signed-off-by: Daniel T Chen <crimsun@ubuntu.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoALSA: hda: Fix 0 dB for Packard Bell models using Conexant CX20549 (Venice)
Daniel T Chen [Wed, 28 Apr 2010 22:00:11 +0000 (18:00 -0400)]
ALSA: hda: Fix 0 dB for Packard Bell models using Conexant CX20549 (Venice)

commit 8f0f5ff6777104084b4b2e1ae079541c2a6ed6d9 upstream.

BugLink: https://launchpad.net/bugs/541802
The OR's hardware distorts at PCM 100% because it does not correspond to
0 dB. Fix this in patch_cxt5045() for all Packard Bell models.

Reported-by: Valombre
Signed-off-by: Daniel T Chen <crimsun@ubuntu.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoALSA: snd-meastro3: Ignore spurious HV interrupts during suspend / resume
Hans de Goede [Wed, 21 Apr 2010 15:04:08 +0000 (11:04 -0400)]
ALSA: snd-meastro3: Ignore spurious HV interrupts during suspend / resume

commit 715aa675338ce6e1a3b4f77cf87ea611f93058a8 upstream.

Ignore spurious HV interrupts during suspend / resume, this avoids
mistaking them for a mute button press. This is not very pretty but
it seems the only way to fix the master volume control gets muted
after suspend issue I'm seeing. Note that the es1968 driver is doing
exactly the same.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoALSA: snd-meastro3: Add amp_gpio quirk for Compaq EVO N600C
Hans de Goede [Wed, 21 Apr 2010 15:04:06 +0000 (11:04 -0400)]
ALSA: snd-meastro3: Add amp_gpio quirk for Compaq EVO N600C

commit 7efbfd1ae98ef9efe06352e2a1ad83e8c14ceeb1 upstream.

Without this quirk sound stops working after suspend resume. With this quirk,
one still needs to manually unmute the master volume control after a suspend /
/ resume cycle. That is fixed in another patch in this set.

Note that this patch was submitted to the alsa bug tracker a long time ago:
https://bugtrack.alsa-project.org/alsa-bug/view.php?id=4319

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoALSA: hda: Use ALC880_F1734 quirk for Fujitsu Siemens AMILO Xi 1526
Daniel T Chen [Thu, 22 Apr 2010 11:15:26 +0000 (07:15 -0400)]
ALSA: hda: Use ALC880_F1734 quirk for Fujitsu Siemens AMILO Xi 1526

commit 3353541fe533350a22a03e2fb7dc085b35912575 upstream.

BugLink: https://launchpad.net/bugs/567494
The OR has verified that the existing model quirk, ALC880_UNIWILL,
is insufficient for audible playback and capture by default. Instead,
the ALC880_F1734 model quirk needs to be used.

This change is necessary for both 2.6.32.11 and 2.6.33.2.

Reported-by: Arnaud Malpeyre <amalpeyre@gmail.com>
Tested-by: Arnaud Malpeyre <amalpeyre@gmail.com>
Signed-off-by: Daniel T Chen <crimsun@ubuntu.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoALSA: hda: Use STAC_DELL_M6_BOTH quirk for Dell Studio 1558
Daniel T Chen [Thu, 22 Apr 2010 21:54:45 +0000 (17:54 -0400)]
ALSA: hda: Use STAC_DELL_M6_BOTH quirk for Dell Studio 1558

commit 5c1bccf645d4ab65e4c7502acb42e8b9afdb5bdc upstream.

BugLink: https://launchpad.net/bugs/568600
The OR has verified that the dell-m6 model quirk is necessary for audio
to be audible by default on the Dell Studio XPS 1645.

This change is necessary for 2.6.32.11 and 2.6.33.2 alike.

Reported-by: Andy Ross <andy@plausible.org>
Tested-by: Andy Ross <andy@plausible.org>
Signed-off-by: Daniel T Chen <crimsun@ubuntu.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoALSA: hda: Use STAC_DELL_M6_BOTH quirk for Dell Studio XPS 1645
Daniel T Chen [Thu, 22 Apr 2010 00:41:52 +0000 (20:41 -0400)]
ALSA: hda: Use STAC_DELL_M6_BOTH quirk for Dell Studio XPS 1645

commit aac78daf8f37256283f56820ae858add7139c56c upstream.

BugLink: https://launchpad.net/bugs/553002
The OR has verified that the dell-m6 model quirk is necessary for audio
to be audible by default on the Dell Studio XPS 1645.

This change is necessary for 2.6.32.11 and 2.6.33.2 alike.

Reported-by: Robert Chambers
Tested-by: Robert Chambers
Signed-off-by: Daniel T Chen <crimsun@ubuntu.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoALSA: hda - Add PCI quirk for HP dv6-1110ax.
Kunal Gangakhedkar [Sat, 20 Mar 2010 17:38:01 +0000 (23:08 +0530)]
ALSA: hda - Add PCI quirk for HP dv6-1110ax.

commit e3d2530a6cea80987f77b75d8784a00f3aaf22ff upstream.

Adding this PCI quirk fixes the board config detection.
This also fixes jack sensing by using "hp_detect=1" via properly detected
board config.

Signed-off-by: Kunal Gangakhedkar <kunal.gangakhedkar@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoALSA: hda: Use LPIB quirk for DG965OT board version AAD63733-203
Daniel T Chen [Wed, 21 Apr 2010 23:55:43 +0000 (19:55 -0400)]
ALSA: hda: Use LPIB quirk for DG965OT board version AAD63733-203

commit 0e0280dc2b0c7395a880d25544b47f3e3e3f79db upstream.

BugLink: https://launchpad.net/bugs/459083
The OR has verified with 2.6.32.11 and the latest alsa-driver stable
daily snapshot that position_fix=1 is necessary for the external mic
to work and for PulseAudio not to crash constantly.

This patch is necessary also for 2.6.32.11 and 2.6.33.2.

Reported-by: <imwithid@yahoo.com>
Tested-by: <imwithid@yahoo.com>
Signed-off-by: Daniel T Chen <crimsun@ubuntu.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agox86, k8 nb: Fix boot crash: enable k8_northbridges unconditionally on AMD systems
Borislav Petkov [Fri, 12 Mar 2010 14:43:03 +0000 (15:43 +0100)]
x86, k8 nb: Fix boot crash: enable k8_northbridges unconditionally on AMD systems

commit 0e152cd7c16832bd5cadee0c2e41d9959bc9b6f9 upstream.

de957628ce7c84764ff41331111036b3ae5bad0f changed setting of the
x86_init.iommu.iommu_init function ptr only when GART IOMMU is
found.

One side effect of it is that num_k8_northbridges
is not initialized anymore if not explicitly
called. This resulted in uninitialized pointers in
<arch/x86/kernel/cpu/intel_cacheinfo.c:amd_calc_l3_indices()>,
for example, which uses the num_k8_northbridges thing through
node_to_k8_nb_misc().

Fix that through an initcall that runs right after the PCI
subsystem and does all the scanning. Then, remove initialization
in gart_iommu_init() which is a rootfs_initcall and we're
running before that.

What is more, since num_k8_northbridges is being used in other
places beside GART IOMMU, include it whenever we add AMD CPU
support. The previous dependency chain in kconfig contained

K8_NB depends on AGP_AMD64|GART_IOMMU

which was clearly incorrect. The more natural way in terms of
hardware dependency should be

AGP_AMD64|GART_IOMMU depends on K8_NB depends on CPU_SUP_AMD &&
PCI. Make it so Number One!

Signed-off-by: Borislav Petkov <borislav.petkov@amd.com>
Cc: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Cc: Joerg Roedel <joerg.roedel@amd.com>
LKML-Reference: <20100312144303.GA29262@aftab>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Tested-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agox86: Fix NULL pointer access in irq_force_complete_move() for Xen guests
Prarit Bhargava [Tue, 27 Apr 2010 15:24:42 +0000 (11:24 -0400)]
x86: Fix NULL pointer access in irq_force_complete_move() for Xen guests

commit bbd391a15d82e14efe9d69ba64cadb855b061dba upstream.

Upstream PV guests fail to boot because of a NULL pointer in
irq_force_complete_move().  It is possible that xen guests have
irq_desc->chip_data = NULL.

Test for NULL chip_data pointer before attempting to complete an irq move.

Signed-off-by: Prarit Bhargava <prarit@redhat.com>
LKML-Reference: <20100427152434.16193.49104.sendpatchset@prarit.bos.redhat.com>
Acked-by: Suresh Siddha <suresh.b.siddha@intel.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agox86: Disable large pages on CPUs with Atom erratum AAE44
H. Peter Anvin [Tue, 13 Apr 2010 21:40:54 +0000 (14:40 -0700)]
x86: Disable large pages on CPUs with Atom erratum AAE44

commit 7a0fc404ae663776e96db43879a0fa24fec1fa3a upstream.

Atom erratum AAE44/AAF40/AAG38/AAH41:

"If software clears the PS (page size) bit in a present PDE (page
directory entry), that will cause linear addresses mapped through this
PDE to use 4-KByte pages instead of using a large page after old TLB
entries are invalidated. Due to this erratum, if a code fetch uses
this PDE before the TLB entry for the large page is invalidated then
it may fetch from a different physical address than specified by
either the old large page translation or the new 4-KByte page
translation. This erratum may also cause speculative code fetches from
incorrect addresses."

[http://download.intel.com/design/processor/specupdt/319536.pdf]

Where as commit 211b3d03c7400f48a781977a50104c9d12f4e229 seems to
workaround errata AAH41 (mixed 4K TLBs) it reduces the window of
opportunity for the bug to occur and does not totally remove it.  This
patch disables mixed 4K/4MB page tables totally avoiding the page
splitting and not tripping this processor issue.

This is based on an original patch by Colin King.

Originally-by: Colin Ian King <colin.king@canonical.com>
Cc: Colin Ian King <colin.king@canonical.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
LKML-Reference: <1269271251-19775-1-git-send-email-colin.king@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agox86-64: Clear a 64-bit FS/GS base on fork if selector is nonzero
H. Peter Anvin [Fri, 23 Apr 2010 23:17:40 +0000 (16:17 -0700)]
x86-64: Clear a 64-bit FS/GS base on fork if selector is nonzero

commit 7ce5a2b9bb2e92902230e3121d8c3047fab9cb47 upstream.

When we do a thread switch, we clear the outgoing FS/GS base if the
corresponding selector is nonzero.  This is taken by __switch_to() as
an entry invariant; it does not verify that it is true on entry.
However, copy_thread() doesn't enforce this constraint, which can
result in inconsistent results after fork().

Make copy_thread() match the behavior of __switch_to().

Reported-and-tested-by: Samuel Thibault <samuel.thibault@inria.fr>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
LKML-Reference: <4BD1E061.8030605@zytor.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoedac, mce: Fix wrong mask and macro usage
Borislav Petkov [Fri, 30 Apr 2010 13:19:02 +0000 (15:19 +0200)]
edac, mce: Fix wrong mask and macro usage

commit 35d824b28fc5544d1eb7c1e3db15a1740df8ec4b upstream.

Correct two mishaps which prevented reporting error type (CECC vs UECC)
and extended error description.

Signed-off-by: Borislav Petkov <borislav.petkov@amd.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agop54pci: fix bugs in p54p_check_tx_ring
Hans de Goede [Thu, 22 Apr 2010 17:52:16 +0000 (19:52 +0200)]
p54pci: fix bugs in p54p_check_tx_ring

commit 0250ececdf6813457c98719e2d33b3684881fde0 upstream.

Hans de Goede identified a bug in p54p_check_tx_ring:

there are two ring indices. 1 => tx data and 3 => tx management.
But the old code had a constant "1" and this resulted in spurious
dma unmapping failures.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=583623
Bug-Identified-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agodm9601: fix phy/eeprom write routine
Peter Korsgaard [Mon, 3 May 2010 10:01:26 +0000 (10:01 +0000)]
dm9601: fix phy/eeprom write routine

commit e9162ab1610531d6ea6c1833daeb2613e44275e8 upstream.

Use correct bit positions in DM_SHARED_CTRL register for writes.

Michael Planes recently encountered a 'KY-RS9600 USB-LAN converter', which
came with a driver CD containing a Linux driver. This driver turns out to
be a copy of dm9601.c with symbols renamed and my copyright stripped.
That aside, it did contain 1 functional change in dm_write_shared_word(),
and after checking the datasheet the original value was indeed wrong
(read versus write bits).

On Michaels HW, this change bumps receive speed from ~30KB/s to ~900KB/s.
On other devices the difference is less spectacular, but still significant
(~30%).

Reported-by: Michael Planes <michael.planes@free.fr>
Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoRevert "memory-hotplug: add 0x prefix to HEX block_size_bytes"
Linus Torvalds [Fri, 9 Apr 2010 17:05:33 +0000 (10:05 -0700)]
Revert "memory-hotplug: add 0x prefix to HEX block_size_bytes"

commit 4dc86ae1f925b2121d4e75058675895f83e54c71 upstream.

This reverts commit ba168fc37dea145deeb8fa9e7e71c748d2e00d74.

It changes user-visible sysfs interfaces, and breaks some existing user
space applications which apparently rely on the fact that the output
does not contain the "0x" prefix.

Requested-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Acked-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Acked-by: Wu Fengguang <fengguang.wu@intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoblock: ensure jiffies wrap is handled correctly in blk_rq_timed_out_timer
Richard Kennedy [Wed, 14 Apr 2010 18:54:03 +0000 (20:54 +0200)]
block: ensure jiffies wrap is handled correctly in blk_rq_timed_out_timer

commit a534dbe96e9929c7245924d8252d89048c23d569 upstream.

blk_rq_timed_out_timer() relied on blk_add_timer() never returning a
timer value of zero, but commit 7838c15b8dd18e78a523513749e5b54bda07b0cb
removed the code that bumped this value when it was zero.
Therefore when jiffies is near wrap we could get unlucky & not set the
timeout value correctly.

This patch uses a flag to indicate that the timeout value was set and so
handles jiffies wrap correctly, and it keeps all the logic in one
function so should be easier to maintain in the future.

Signed-off-by: Richard Kennedy <richard@rsk.demon.co.uk>
Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoserial: 8250_pnp - add Fujitsu Wacom device
Ping Cheng [Mon, 22 Mar 2010 20:40:29 +0000 (13:40 -0700)]
serial: 8250_pnp - add Fujitsu Wacom device

commit d9901660b53b92f0f3551c06588b8be38224b245 upstream.

Add Fujitsu Wacom 1FGT Tablet PC device

Signed-off-by: Ping Cheng <pingc@wacom.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoraid6: fix recovery performance regression
Dan Williams [Wed, 5 May 2010 03:41:56 +0000 (20:41 -0700)]
raid6: fix recovery performance regression

commit 5157b4aa5b7de8787b6318e61bcc285031bb9088 upstream.

The raid6 recovery code should immediately drop back to the optimized
synchronous path when a p+q dma resource is not available.  Otherwise we
run the non-optimized/multi-pass async code in sync mode.

Verified with raid6test (NDISKS=255)

Applies to kernels >= 2.6.32.

Acked-by: NeilBrown <neilb@suse.de>
Reported-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoperf: Fix resource leak in failure path of perf_event_open()
Tejun Heo [Sat, 1 May 2010 08:11:35 +0000 (10:11 +0200)]
perf: Fix resource leak in failure path of perf_event_open()

commit 048c852051d2bd5da54a4488bc1f16b0fc74c695 upstream.

perf_event_open() kfrees event after init failure which doesn't
release all resources allocated by perf_event_alloc().  Use
free_event() instead.

Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Paul Mackerras <paulus@au1.ibm.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
LKML-Reference: <4BDBE237.1040809@kernel.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoi2c: Fix probing of FSC hardware monitoring chips
Jean Delvare [Tue, 4 May 2010 09:09:28 +0000 (11:09 +0200)]
i2c: Fix probing of FSC hardware monitoring chips

commit b1d4b390ea4bb480e65974ce522a04022608a8df upstream.

Some FSC hardware monitoring chips (Syleus at least) doesn't like
quick writes we typically use to probe for I2C chips. Use a regular
byte read instead for the address they live at (0x73). These are the
only known chips living at this address on PC systems.

For clarity, this fix should not be needed for kernels 2.6.30 and
later, as we started instantiating the hwmon devices explicitly based
on DMI data. Still, this fix is valuable in the following two cases:
* Support for recent FSC chips on older kernels. The DMI-based device
  instantiation is more difficult to backport than the device support
  itself.
* Case where the DMI-based device instantiation fails, whatever the
  reason. We fall back to probing in that case, so it should work.

This fixes kernel bug #15634:
https://bugzilla.kernel.org/show_bug.cgi?id=15634

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Acked-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoStaging: hv: name network device ethX rather than sethX
Stephen Hemminger [Thu, 11 Mar 2010 17:11:37 +0000 (09:11 -0800)]
Staging: hv: name network device ethX rather than sethX

commit 546d9e101e7a71e6202f47a13ddcd9b8fb05a52e upstream.

This patch makes the HyperV network device use the same naming scheme as
other virtual drivers (Xen, KVM). In an ideal world, userspace tools
would not care what the name is, but some users and applications do
care. Vyatta CLI is one of the tools that does depend on what the name
is.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Cc: Hank Janssen <hjanssen@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoStaging: hv: Fix up memory leak on HvCleanup
Cyrill Gorcunov [Mon, 5 Apr 2010 16:56:57 +0000 (20:56 +0400)]
Staging: hv: Fix up memory leak on HvCleanup

commit fa8ad0257ea256381126ecf447694622216c600f upstream.

Don't assign NULL too early

Signed-off-by: Cyrill Gorcunov <gorcunov@openvz.org>
Cc: Hank Janssen <hjanssen@microsoft.com>
Cc: Haiyang Zhang <haiyangz@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoStaging: hv: Fix a bug affecting IPv6
Haiyang Zhang [Mon, 19 Apr 2010 15:32:11 +0000 (15:32 +0000)]
Staging: hv: Fix a bug affecting IPv6

commit 95beae90aa4afce57fb28e6f8238b78217bd7c98 upstream.

Fix a bug affecting IPv6
Added the multicast flag for proper IPv6 function.

Reported-by: Toshikazu Sakai <toshikas@microsoft.com>
Signed-off-by: Hank Janssen <hjanssen@microsoft.com>
Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoNFS: rsize and wsize settings ignored on v4 mounts
Chuck Lever [Thu, 22 Apr 2010 19:35:56 +0000 (15:35 -0400)]
NFS: rsize and wsize settings ignored on v4 mounts

commit 356e76b855bdbfd8d1c5e75bcf0c6bf0dfe83496 upstream.

NFSv4 mounts ignore the rsize and wsize mount options, and always use
the default transfer size for both.  This seems to be because all
NFSv4 mounts are now cloned, and the cloning logic doesn't copy the
rsize and wsize settings from the parent nfs_server.

I tested Fedora's 2.6.32.11-99 and it seems to have this problem as
well, so I'm guessing that .33, .32, and perhaps older kernels have
this issue as well.

Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agonfs d_revalidate() is too trigger-happy with d_drop()
Al Viro [Thu, 29 Apr 2010 02:10:43 +0000 (03:10 +0100)]
nfs d_revalidate() is too trigger-happy with d_drop()

commit d9e80b7de91db05c1c4d2e5ebbfd70b3b3ba0e0f upstream.

If dentry found stale happens to be a root of disconnected tree, we
can't d_drop() it; its d_hash is actually part of s_anon and d_drop()
would simply hide it from shrink_dcache_for_umount(), leading to
all sorts of fun, including busy inodes on umount and oopsen after
that.

Bug had been there since at least 2006 (commit c636eb already has it),
so it's definitely -stable fodder.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agopowernow-k8: Fix frequency reporting
Mark Langsdorf [Wed, 31 Mar 2010 19:56:45 +0000 (21:56 +0200)]
powernow-k8: Fix frequency reporting

commit b810e94c9d8e3fff6741b66cd5a6f099a7887871 upstream.

With F10, model 10, all valid frequencies are in the ACPI _PST table.

Signed-off-by: Mark Langsdorf <mark.langsdorf@amd.com>
LKML-Reference: <1270065406-1814-6-git-send-email-bp@amd64.org>
Signed-off-by: Borislav Petkov <borislav.petkov@amd.com>
Reviewed-by: Thomas Renninger <trenn@suse.de>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoocfs2_dlmfs: Fix math error when reading LVB.
Joel Becker [Fri, 23 Apr 2010 22:24:59 +0000 (15:24 -0700)]
ocfs2_dlmfs: Fix math error when reading LVB.

commit a36d515c7a2dfacebcf41729f6812dbc424ebcf0 upstream.

When asked for a partial read of the LVB in a dlmfs file, we can
accidentally calculate a negative count.

Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Joel Becker <joel.becker@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoocfs2: Compute metaecc for superblocks during online resize.
Joel Becker [Thu, 1 Apr 2010 01:25:44 +0000 (18:25 -0700)]
ocfs2: Compute metaecc for superblocks during online resize.

commit a42ab8e1a37257da37e0f018e707bf365ac24531 upstream.

Online resize writes out the new superblock and its backups directly.
The metaecc data wasn't being recomputed.  Let's do that directly.

Signed-off-by: Joel Becker <joel.becker@oracle.com>
Acked-by: Mark Fasheh <mfasheh@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoocfs2: potential ERR_PTR dereference on error paths
Dan Carpenter [Thu, 22 Apr 2010 09:39:29 +0000 (11:39 +0200)]
ocfs2: potential ERR_PTR dereference on error paths

commit 0350cb078f5035716ebdad4ad4709d02fe466a8a upstream.

If "handle" is non null at the end of the function then we assume it's a
valid pointer and pass it to ocfs2_commit_trans();

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Joel Becker <joel.becker@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoocfs2: Update VFS inode's id info after reflink.
Tao Ma [Wed, 21 Apr 2010 06:05:55 +0000 (14:05 +0800)]
ocfs2: Update VFS inode's id info after reflink.

commit c21a534e2f24968cf74976a4e721ac194db30ded upstream.

In reflink we update the id info on the disk but forgot to update
the corresponding information in the VFS inode.  Update them
accordingly when we want to preserve the attributes.

Reported-by: Jeff Liu <jeff.liu@oracle.com>
Signed-off-by: Tao Ma <tao.ma@oracle.com>
Signed-off-by: Joel Becker <joel.becker@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoUSB: xhci: properly set endpoint context fields for periodic eps.
Sarah Sharp [Fri, 16 Apr 2010 15:07:27 +0000 (08:07 -0700)]
USB: xhci: properly set endpoint context fields for periodic eps.

commit 9238f25d5d32a435277eb234ec82bacdd5daed41 upstream.

For periodic endpoints, we must let the xHCI hardware know the maximum
payload an endpoint can transfer in one service interval.  The xHCI
specification refers to this as the Maximum Endpoint Service Interval Time
Payload (Max ESIT Payload).  This is used by the hardware for bandwidth
management and scheduling of packets.

For SuperSpeed endpoints, the maximum is calculated by multiplying the max
packet size by the number of bursts and the number of opportunities to
transfer within a service interval (the Mult field of the SuperSpeed
Endpoint companion descriptor).  Devices advertise this in the
wBytesPerInterval field of their SuperSpeed Endpoint Companion Descriptor.

For high speed devices, this is taken by multiplying the max packet size by the
"number of additional transaction opportunities per microframe" (the high
bits of the wMaxPacketSize field in the endpoint descriptor).

For FS/LS devices, this is just the max packet size.

The other thing we must set in the endpoint context is the Average TRB
Length.  This is supposed to be the average of the total bytes in the
transfer descriptor (TD), divided by the number of transfer request blocks
(TRBs) it takes to describe the TD.  This gives the host controller an
indication of whether the driver will be enqueuing a scatter gather list
with many entries comprised of small buffers, or one contiguous buffer.

It also takes into account the number of extra TRBs you need for every TD.
This includes No-op TRBs and Link TRBs used to link ring segments
together.  Some drivers may choose to chain an Event Data TRB on the end
of every TD, thus increasing the average number of TRBs per TD.  The Linux
xHCI driver does not use Event Data TRBs.

In theory, if there was an API to allow drivers to state what their
bandwidth requirements are, we could set this field accurately.  For now,
we set it to the same number as the Max ESIT payload.

The Average TRB Length should also be set for bulk and control endpoints,
but I have no idea how to guess what it should be.

Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoUSB: xhci: properly set the "Mult" field of the endpoint context.
Sarah Sharp [Fri, 16 Apr 2010 15:07:04 +0000 (08:07 -0700)]
USB: xhci: properly set the "Mult" field of the endpoint context.

commit 1cf62246c0e394021e494e0a8f1013e80db1a1a9 upstream.

A SuperSpeed interrupt or isochronous endpoint can define the number of
"burst transactions" it can handle in a service interval.  This is
indicated by the "Mult" bits in the bmAttributes of the SuperSpeed
Endpoint Companion Descriptor.  For example, if it has a max packet size
of 1024, a max burst of 11, and a mult of 3, the host may send 33
1024-byte packets in one service interval.

We must tell the xHCI host controller the number of multiple service
opportunities (mults) the device can handle when the endpoint is
installed.  We do that by setting the Mult field of the Endpoint Context
before a configure endpoint command is sent down.  The Mult field is
invalid for control or bulk SuperSpeed endpoints.

Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoUSB: OHCI: don't look at the root hub to get the number of ports
Alan Stern [Tue, 20 Apr 2010 14:37:57 +0000 (10:37 -0400)]
USB: OHCI: don't look at the root hub to get the number of ports

commit fcf7d2141f4a363a4a8454c4a0f26bb69e766c5f upstream.

This patch (as1371) fixes a small bug in ohci-hcd.  The HCD already
knows how many ports the controller has; there's no need to go looking
at the root hub's usb_device structure to find out.  Especially since
the root hub's maxchild value is set correctly only while the root hub
is bound to the hub driver.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoUSB: don't choose configs with no interfaces
Alan Stern [Tue, 20 Apr 2010 14:40:59 +0000 (10:40 -0400)]
USB: don't choose configs with no interfaces

commit 62f9cfa3ece58268b3e92ca59c23b175f86205aa upstream.

This patch (as1372) fixes a bug in the routine that chooses the
default configuration to install when a new USB device is detected.
The algorithm is supposed to look for a config whose first interface
is for a non-vendor-specific class.  But the way it's currently
written, it will also accept a config with no interfaces at all, which
is not very useful.  (Believe it or not, such things do exist.)

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Andrew Victor <avictor.za@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoUSB: fix testing the wrong variable in fs_create_by_name()
Dan Carpenter [Thu, 22 Apr 2010 10:00:52 +0000 (12:00 +0200)]
USB: fix testing the wrong variable in fs_create_by_name()

commit fa7fe7af146a7b613e36a311eefbbfb5555325d1 upstream.

There is a typo here.  We should be testing "*dentry" which was just
assigned instead of "dentry".  This could result in dereferencing an
ERR_PTR inside either usbfs_mkdir() or usbfs_create().

Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoUSB: don't read past config->interface[] if usb_control_msg() fails in usb_reset_conf...
Roel Kluin [Thu, 18 Feb 2010 01:36:23 +0000 (02:36 +0100)]
USB: don't read past config->interface[] if usb_control_msg() fails in usb_reset_configuration()

commit e4a3d94658b5760fc947d7f7185c57db47ca362a upstream.

While looping over the interfaces, if usb_hcd_alloc_bandwidth() fails it calls
hcd->driver->reset_bandwidth(), so there was no need to reinstate the interface
again.

If no break occurred, the index equals config->desc.bNumInterfaces. A
subsequent usb_control_msg() failure resulted in a read from
config->interface[config->desc.bNumInterfaces] at label reset_old_alts.

In either case the last interface should be skipped.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Acked-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoUSB: Add id for HP ev2210 a.k.a Sierra MC5725 miniPCI-e Cell Modem.
William Lightning [Fri, 26 Mar 2010 17:51:20 +0000 (10:51 -0700)]
USB: Add id for HP ev2210 a.k.a Sierra MC5725 miniPCI-e Cell Modem.

commit cfbaa39347b34837f26e01fe8f4f8dbbae60b520 upstream.

Signed-off-by: William Lightning <kassah@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoUSB: fix remote wakeup settings during system sleep
Alan Stern [Fri, 30 Apr 2010 16:09:23 +0000 (12:09 -0400)]
USB: fix remote wakeup settings during system sleep

This is a backport of commit 5f677f1d45b2bf08085bbba7394392dfa586fa8e.
Some of the functionality had to be removed, but it should still fix
the webcam problem.

This patch (as1363b) changes the way USB remote wakeup is handled
during system sleeps.  It won't be enabled unless an interface driver
specifically needs it.  Also, it won't be enabled during the FREEZE or
QUIESCE phases of hibernation, when the system doesn't respond to
wakeup events anyway.

This will fix problems people have reported with certain USB webcams
that generate wakeup requests when they shouldn't, and as a result
cause system suspends to fail.  See

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/515109

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agostaging: usbip: Fix deadlock
Eric Lescouet [Sat, 24 Apr 2010 00:55:24 +0000 (02:55 +0200)]
staging: usbip: Fix deadlock

commit d01f42a22ef381ba973958e977209ac9a8667d57 upstream.

When detaching a port from the client side (usbip --detach 0),
the event thread, on the server side, is going to deadlock.
The "eh" server thread is getting USBIP_EH_RESET event and calls:
  -> stub_device_reset() -> usb_reset_device()
the USB framework is then calling back _in the same "eh" thread_ :
  -> stub_disconnect() -> usbip_stop_eh() -> wait_for_completion()
the "eh" thread is being asleep forever, waiting for its own completion.
This patch checks if "eh" is the current thread, in usbip_stop_eh().

Signed-off-by: Eric Lescouet <eric@lescouet.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosfc: Change falcon_probe_board() to fail for unsupported boards
Ben Hutchings [Wed, 28 Apr 2010 09:01:50 +0000 (09:01 +0000)]
sfc: Change falcon_probe_board() to fail for unsupported boards

commit e41c11ee0cc602bcde68916be85fb97d1a484324 upstream.

The driver needs specific PHY and board support code for each SFC4000
board; there is no point trying to continue if it is missing.
Currently unsupported boards can trigger an 'oops'.

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosfc: Always close net device at the end of a disabling reset
Ben Hutchings [Wed, 28 Apr 2010 09:01:33 +0000 (09:01 +0000)]
sfc: Always close net device at the end of a disabling reset

commit f49a4589e9e25ef525da449b1ce5597cb659bbb5 upstream.

This fixes a regression introduced by commit
eb9f6744cbfa97674c13263802259b5aa0034594 "sfc: Implement ethtool
reset operation".

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosfc: Wait at most 10ms for the MC to finish reading out MAC statistics
Ben Hutchings [Wed, 28 Apr 2010 09:00:35 +0000 (09:00 +0000)]
sfc: Wait at most 10ms for the MC to finish reading out MAC statistics

commit aabc5649078310094cbffb430fcbf9c25b6268f9 upstream.

The original code would wait indefinitely if MAC stats DMA failed.

Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agokeys: the request_key() syscall should link an existing key to the dest keyring
David Howells [Tue, 27 Apr 2010 20:13:08 +0000 (13:13 -0700)]
keys: the request_key() syscall should link an existing key to the dest keyring

commit 03449cd9eaa4fa3a7faa4a59474bafe2e90bd143 upstream.

The request_key() system call and request_key_and_link() should make a
link from an existing key to the destination keyring (if supplied), not
just from a new key to the destination keyring.

This can be tested by:

ring=`keyctl newring fred @s`
keyctl request2 user debug:a a
keyctl request user debug:a $ring
keyctl list $ring

If it says:

keyring is empty

then it didn't work.  If it shows something like:

1 key in keyring:
1070462727: --alswrv     0     0 user: debug:a

then it did.

request_key() system call is meant to recursively search all your keyrings for
the key you desire, and, optionally, if it doesn't exist, call out to userspace
to create one for you.

If request_key() finds or creates a key, it should, optionally, create a link
to that key from the destination keyring specified.

Therefore, if, after a successful call to request_key() with a desination
keyring specified, you see the destination keyring empty, the code didn't work
correctly.

If you see the found key in the keyring, then it did - which is what the patch
is required for.

Signed-off-by: David Howells <dhowells@redhat.com>
Cc: James Morris <jmorris@namei.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agonfsd4: bug in read_buf
Neil Brown [Tue, 20 Apr 2010 02:16:52 +0000 (12:16 +1000)]
nfsd4: bug in read_buf

commit 2bc3c1179c781b359d4f2f3439cb3df72afc17fc upstream.

When read_buf is called to move over to the next page in the pagelist
of an NFSv4 request, it sets argp->end to essentially a random
number, certainly not an address within the page which argp->p now
points to.  So subsequent calls to READ_BUF will think there is much
more than a page of spare space (the cast to u32 ensures an unsigned
comparison) so we can expect to fall off the end of the second
page.

We never encountered thsi in testing because typically the only
operations which use more than two pages are write-like operations,
which have their own decoding logic.  Something like a getattr after a
write may cross a page boundary, but it would be very unusual for it to
cross another boundary after that.

Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoprocfs: fix tid fdinfo
Jerome Marchand [Tue, 27 Apr 2010 20:13:06 +0000 (13:13 -0700)]
procfs: fix tid fdinfo

commit 3835541dd481091c4dbf5ef83c08aed12e50fd61 upstream.

Correct the file_operations struct in fdinfo entry of tid_base_stuff[].

Presently /proc/*/task/*/fdinfo contains symlinks to opened files like
/proc/*/fd/.

Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Miklos Szeredi <mszeredi@suse.cz>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoreiserfs: fix corruption during shrinking of xattrs
Jeff Mahoney [Fri, 23 Apr 2010 17:17:41 +0000 (13:17 -0400)]
reiserfs: fix corruption during shrinking of xattrs

commit fb2162df74bb19552db3d988fd11c787cf5fad56 upstream.

Commit 48b32a3553a54740d236b79a90f20147a25875e3 ("reiserfs: use generic
xattr handlers") introduced a problem that causes corruption when extended
attributes are replaced with a smaller value.

The issue is that the reiserfs_setattr to shrink the xattr file was moved
from before the write to after the write.

The root issue has always been in the reiserfs xattr code, but was papered
over by the fact that in the shrink case, the file would just be expanded
again while the xattr was written.

The end result is that the last 8 bytes of xattr data are lost.

This patch fixes it to use new_size.

Addresses https://bugzilla.kernel.org/show_bug.cgi?id=14826

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Reported-by: Christian Kujau <lists@nerdbynature.de>
Tested-by: Christian Kujau <lists@nerdbynature.de>
Cc: Edward Shishkin <edward.shishkin@gmail.com>
Cc: Jethro Beekman <kernel@jbeekman.nl>
Cc: Greg Surbey <gregsurbey@hotmail.com>
Cc: Marco Gatti <marco.gatti@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoreiserfs: fix permissions on .reiserfs_priv
Jeff Mahoney [Fri, 23 Apr 2010 17:17:37 +0000 (13:17 -0400)]
reiserfs: fix permissions on .reiserfs_priv

commit cac36f707119b792b2396aed371d6b5cdc194890 upstream.

Commit 677c9b2e393a0cd203bd54e9c18b012b2c73305a ("reiserfs: remove
privroot hiding in lookup") removed the magic from the lookup code to hide
the .reiserfs_priv directory since it was getting loaded at mount-time
instead.  The intent was that the entry would be hidden from the user via
a poisoned d_compare, but this was faulty.

This introduced a security issue where unprivileged users could access and
modify extended attributes or ACLs belonging to other users, including
root.

This patch resolves the issue by properly hiding .reiserfs_priv.  This was
the intent of the xattr poisoning code, but it appears to have never
worked as expected.  This is fixed by using d_revalidate instead of
d_compare.

This patch makes -oexpose_privroot a no-op.  I'm fine leaving it this way.
The effort involved in working out the corner cases wrt permissions and
caching outweigh the benefit of the feature.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-by: Edward Shishkin <edward.shishkin@gmail.com>
Reported-by: Matt McCutchen <matt@mattmccutchen.net>
Tested-by: Matt McCutchen <matt@mattmccutchen.net>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agohugetlb: fix infinite loop in get_futex_key() when backed by huge pages
Mel Gorman [Fri, 23 Apr 2010 17:17:56 +0000 (13:17 -0400)]
hugetlb: fix infinite loop in get_futex_key() when backed by huge pages

commit 23be7468e8802a2ac1de6ee3eecb3ec7f14dc703 upstream.

If a futex key happens to be located within a huge page mapped
MAP_PRIVATE, get_futex_key() can go into an infinite loop waiting for a
page->mapping that will never exist.

See https://bugzilla.redhat.com/show_bug.cgi?id=552257 for more details
about the problem.

This patch makes page->mapping a poisoned value that includes
PAGE_MAPPING_ANON mapped MAP_PRIVATE.  This is enough for futex to
continue but because of PAGE_MAPPING_ANON, the poisoned value is not
dereferenced or used by futex.  No other part of the VM should be
dereferencing the page->mapping of a hugetlbfs page as its page cache is
not on the LRU.

This patch fixes the problem with the test case described in the bugzilla.

[akpm@linux-foundation.org: mel cant spel]
Signed-off-by: Mel Gorman <mel@csn.ul.ie>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Acked-by: Darren Hart <darren@dvhart.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoflex_array: fix the panic when calling flex_array_alloc() without __GFP_ZERO
Changli Gao [Fri, 23 Apr 2010 17:17:45 +0000 (13:17 -0400)]
flex_array: fix the panic when calling flex_array_alloc() without __GFP_ZERO

commit e59464c735db19619cde2aa331609adb02005f5b upstream.

memset() is called with the wrong address and the kernel panics.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Cc: Patrick McHardy <kaber@trash.net>
Acked-by: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agomac80211: remove bogus TX agg state assignment
Johannes Berg [Mon, 19 Apr 2010 08:48:38 +0000 (10:48 +0200)]
mac80211: remove bogus TX agg state assignment

commit b4bb5c3fd9333024044362df67e23e96158489ed upstream.

When the addba timer expires but has no work to do,
it should not affect the state machine. If it does,
TX will not see the successfully established and we
can also crash trying to re-establish the session.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agomemcg: fix prepare migration
Andrea Arcangeli [Fri, 23 Apr 2010 17:17:39 +0000 (13:17 -0400)]
memcg: fix prepare migration

commit 93d5c9be1ddd57d4063ce463c9ac2be1e5ee14f1 upstream.

If a signal is pending (task being killed by sigkill)
__mem_cgroup_try_charge will write NULL into &mem, and css_put will oops
on null pointer dereference.

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
  IP: [<ffffffff810fc6cc>] mem_cgroup_prepare_migration+0x7c/0xc0
  PGD a5d89067 PUD a5d8a067 PMD 0
  Oops: 0000 [#1] SMP
  last sysfs file: /sys/devices/platform/microcode/firmware/microcode/loading
  CPU 0
  Modules linked in: nfs lockd nfs_acl auth_rpcgss sunrpc acpi_cpufreq pcspkr sg [last unloaded: microcode]

  Pid: 5299, comm: largepages Tainted: G        W  2.6.34-rc3 #3 Penryn1600SLI-110dB/To Be Filled By O.E.M.
  RIP: 0010:[<ffffffff810fc6cc>]  [<ffffffff810fc6cc>] mem_cgroup_prepare_migration+0x7c/0xc0

[nishimura@mxp.nes.nec.co.jp: fix merge issues]
Signed-off-by: Andrea Arcangeli <aarcange@redhat.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Signed-off-by: Daisuke Nishimura <nishimura@mxp.nes.nec.co.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agow1: w1 temp: fix negative termperature calculation
Ian Dall [Fri, 23 Apr 2010 17:17:53 +0000 (13:17 -0400)]
w1: w1 temp: fix negative termperature calculation

commit 9a6a1ecd9e9b5d046a236da2f7eb6b6812f04229 upstream.

Fix regression caused by commit 507e2fbaaacb6f164b4125b87c5002f95143174b
("w1: w1 temp calculation overflow fix") whereby negative temperatures for
the DS18B20 are not converted properly.

When the temperature exceeds 32767 milli-degrees the temperature overflows
to -32768 millidegrees.  These are both well within the -55 - +125 degree
range for the sensor.

Addresses https://bugzilla.kernel.org/show_bug.cgi?id=12646

Signed-of-by: Ian Dall <ian@beware.dropbear.id.au>
Cc: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Tested-by: Karsten Elfenbein <kelfe@gmx.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agolibata: ensure NCQ error result taskfile is fully initialized before returning it...
Jeff Garzik [Fri, 23 Apr 2010 01:59:13 +0000 (21:59 -0400)]
libata: ensure NCQ error result taskfile is fully initialized before returning it via qc->result_tf.

commit a09bf4cd53b8ab000197ef81f15d50f29ecf973c upstream.

Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agolibata: fix locking around blk_abort_request()
Tejun Heo [Wed, 14 Apr 2010 23:57:37 +0000 (08:57 +0900)]
libata: fix locking around blk_abort_request()

commit fa41efdae7de61191a7bda3a00e88ef69afb5bb9 upstream.

blk_abort_request() expectes queue lock to be held by the caller.
Grab it before calling the function.

Lack of this synchronization led to infinite loop on corrupt
q->timeout_list.

Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agomd/raid5: fix previous patch.
NeilBrown [Thu, 22 Apr 2010 21:08:28 +0000 (07:08 +1000)]
md/raid5: fix previous patch.

commit 6e3b96ed610e5a1838e62ddae9fa0c3463f235fa upstream.

Previous patch changes stripe and chunk_number to sector_t but
mistakenly did not update all of the divisions to use sector_dev().

This patch changes all the those divisions (actually the '%' operator)
to sector_div.

Signed-off-by: NeilBrown <neilb@suse.de>
Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agomd/raid5: allow for more than 2^31 chunks.
NeilBrown [Tue, 20 Apr 2010 04:13:34 +0000 (14:13 +1000)]
md/raid5: allow for more than 2^31 chunks.

commit 35f2a591192d0a5d9f7fc696869c76f0b8e49c3d upstream.

With many large drives and small chunk sizes it is possible
to create a RAID5 with more than 2^31 chunks.  Make sure this
works.

Reported-by: Brett King <king.br@gmail.com>
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agodrm/i915: fix tiling limits for i915 class hw v2
Daniel Vetter [Sat, 17 Apr 2010 13:12:03 +0000 (15:12 +0200)]
drm/i915: fix tiling limits for i915 class hw v2

commit c36a2a6de59e4a141a68b7575de837d3b0bd96b3 upstream.

Current code is definitely crap: Largest pitch allowed spills into
the TILING_Y bit of the fence registers ... :(

I've rewritten the limits check under the assumption that 3rd gen hw
has a 3d pitch limit of 8kb (like 2nd gen). This is supported by an
otherwise totally misleading XXX comment.

This bug mostly resulted in tiling-corrupted pixmaps because the kernel
allowed too wide buffers to be tiled. Bug brought to the light by the
xf86-video-intel 2.11 release because that unconditionally enabled
tiling for pixmaps, relying on the kernel to check things. Tiling for
the framebuffer was not affected because the ddx does some additional
checks there ensure the buffer is within hw-limits.

v2: Instead of computing the value that would be written into the
hw fence registers and then checking the limits simply check whether
the stride is above the 8kb limit. To better document the hw, add
some WARN_ONs in i915_write_fence_reg like I've done for the i830
case (using the right limits).

Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=27449
Tested-by: Alexander Lam <lambchop468@gmail.com>
Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agodrm/i915: Add initial bits for VGA modesetting bringup on Sandybridge.
Eric Anholt [Thu, 22 Oct 2009 23:11:14 +0000 (16:11 -0700)]
drm/i915: Add initial bits for VGA modesetting bringup on Sandybridge.

commit bad720ff3e8e47a04bd88d9bbc8317e7d7e049d3 upstream.

[needed for stable as it's just a bunch of macros that other drm patches
need, it changes no code functionality besides adding support for a new
device type. - gregkh]

Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>