]> git.karo-electronics.de Git - karo-tx-linux.git/log
karo-tx-linux.git
17 years agoV4L: msp_attach must return 0 if no msp3400 was found.
Hans Verkuil [Thu, 29 Mar 2007 01:22:35 +0000 (21:22 -0400)]
V4L: msp_attach must return 0 if no msp3400 was found.

V4L: msp_attach must return 0 if no msp3400 was found.

Returning -1 causes the probe to stop, but it should just continue
instead. This patch fixes an annoying 'i2c_adapter i2c-7: Client
creation failed at 0x44 (-1)' kernel message that appeared in 2.6.20

(cherry picked from commit 3284b4e077cb2322754ea7455b8f8af7ce3777b8)

Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoV4L: Fix SECAM handling on saa7115
Mauro Carvalho Chehab [Thu, 29 Mar 2007 01:22:32 +0000 (21:22 -0400)]
V4L: Fix SECAM handling on saa7115

V4L: Fix SECAM handling on saa7115

(cherry picked from commit a9aaec4e83e687d23b78b38e331bbd6a10b96380)

Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoV4L: radio: Fix error in Kbuild file
Trent Piepho [Thu, 29 Mar 2007 01:22:28 +0000 (21:22 -0400)]
V4L: radio: Fix error in Kbuild file

V4L: radio: Fix error in Kbuild file

All the radio drivers need video_dev, but they were depending on
VIDEO_DEV!=n.  That meant that one could try to compile the driver into
the kernel when VIDEO_DEV=m, which will not work.  If video_dev is a
module, then the radio drivers must be modules too.

(cherry picked from commit b10fece583fdfdb3d2f29b0da3896ec58b8fe122)

Signed-off-by: Trent Piepho <xyzzy@speakeasy.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoDVB: fix nxt200x rf input switching
Michael Krufky [Thu, 29 Mar 2007 01:22:16 +0000 (21:22 -0400)]
DVB: fix nxt200x rf input switching

DVB: fix nxt200x rf input switching

After dvb tuner refactoring, the pll buffer has been altered such that
the pll address is now stored in buf[0].  Instead of sending buf to
set_pll_input, we should send buf+1.

(cherry picked from commit f5ae29e284b328e0976789d5c199bbbe80e4b005)

Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoNET: Fix FIB rules compatability
Thomas Graf [Thu, 29 Mar 2007 19:34:13 +0000 (12:34 -0700)]
NET: Fix FIB rules compatability

[NET]: Fix fib_rules compatibility breakage

Based upon a patch from Patrick McHardy.

The fib_rules netlink attribute policy introduced in 2.6.19 broke
userspace compatibilty. When specifying a rule with "from all"
or "to all", iproute adds a zero byte long netlink attribute,
but the policy requires all addresses to have a size equal to
sizeof(struct in_addr)/sizeof(struct in6_addr), resulting in a
validation error.

Check attribute length of FRA_SRC/FRA_DST in the generic framework
by letting the family specific rules implementation provide the
length of an address. Report an error if address length is non
zero but no address attribute is provided. Fix actual bug by
checking address length for non-zero instead of relying on
availability of attribute.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFRA_{DST,SRC} are le16 for decnet
Al Viro [Thu, 29 Mar 2007 19:32:48 +0000 (12:32 -0700)]
FRA_{DST,SRC} are le16 for decnet

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoSPARC: Fix sparc builds with gcc-4.2.x
Mikael Pettersson [Thu, 29 Mar 2007 19:25:38 +0000 (12:25 -0700)]
SPARC: Fix sparc builds with gcc-4.2.x

[SPARC]: sparc64 gcc-4.2.0 20070317 -Werror failure

Compiling 2.6.21-rc5 with gcc-4.2.0 20070317 (prerelease)
for sparc64 fails as follows:

  gcc -Wp,-MD,arch/sparc64/kernel/.time.o.d  -nostdinc -isystem /home/mikpe/pkgs/linux-sparc64/gcc-4.2.0/lib/gcc/sparc64-unknown-linux-gnu/4.2.0/include -D__KERNEL__ -Iinclude  -include include/linux/autoconf.h -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common -Os -m64 -pipe -mno-fpu -mcpu=ultrasparc -mcmodel=medlow -ffixed-g4 -ffixed-g5 -fcall-used-g7 -Wno-sign-compare -Wa,--undeclared-regs -fomit-frame-pointer  -fno-stack-protector -Wdeclaration-after-statement -Wno-pointer-sign -Werror   -D"KBUILD_STR(s)=#s" -D"KBUILD_BASENAME=KBUILD_STR(time)"  -D"KBUILD_MODNAME=KBUILD_STR(time)" -c -o arch/sparc64/kernel/time.o arch/sparc64/kernel/time.c
cc1: warnings being treated as errors
arch/sparc64/kernel/time.c: In function 'kick_start_clock':
arch/sparc64/kernel/time.c:559: warning: overflow in implicit constant conversion
make[1]: *** [arch/sparc64/kernel/time.o] Error 1
make: *** [arch/sparc64/kernel] Error 2

gcc gets unhappy when the MSTK_SET macro's u8 __val variable
is updated with &= ~0xff (MSTK_YEAR_MASK). Making the constant
unsigned fixes the problem.

[ I fixed up the sparc32 side as well -DaveM ]

Signed-off-by: Mikael Pettersson <mikpe@it.uu.se>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoNET: Fix sock_attach_fd() failure in sys_accept()
Alexey Dobriyan [Thu, 29 Mar 2007 19:22:40 +0000 (12:22 -0700)]
NET: Fix sock_attach_fd() failure in sys_accept()

[NET]: Correct accept(2) recovery after sock_attach_fd()

* d_alloc() in sock_attach_fd() fails leaving ->f_dentry of new file NULL
* bail out to out_fd label, doing fput()/__fput() on new file
* but __fput() assumes valid ->f_dentry and dereferences it

Signed-off-by: Alexey Dobriyan <adobriyan@sw.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoVIDEO: Fix FFB DAC revision probing
David Miller [Thu, 29 Mar 2007 19:16:27 +0000 (12:16 -0700)]
VIDEO: Fix FFB DAC revision probing

[VIDEO] ffb: Fix two DAC handling bugs.

The determination of whether the DAC has inverted cursor logic is
broken, import the version checks the X.org driver uses to fix this.

Next, when we change the timing generator, borrow code from X.org that
does 10 NOP reads of the timing generator register afterwards to make
sure the video-enable transition occurs cleanly.

Finally, use macros for the DAC registers and fields in order to
provide documentation for the next person who reads this code.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoDCCP: Fix exploitable hole in DCCP socket options
Arnaldo Carvalho de Melo [Thu, 29 Mar 2007 18:57:36 +0000 (11:57 -0700)]
DCCP: Fix exploitable hole in DCCP socket options

[DCCP] getsockopt: Fix DCCP_SOCKOPT_[SEND,RECV]_CSCOV

We were only checking if there was enough space to put the int, but
left len as specified by the (malicious) user, sigh, fix it by setting
len to sizeof(val) and transfering just one int worth of data, the one
asked for.

Also check for negative len values.

Signed-off-by: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoPPP: Fix PPP skb leak
G. Liakhovetski [Tue, 27 Mar 2007 02:07:40 +0000 (19:07 -0700)]
PPP: Fix PPP skb leak

[PPP]: Don't leak an sk_buff on interface destruction.

Signed-off-by: G. Liakhovetski <gl@dsa-ac.de>
Acked-by: Paul Mackerras <paulus@samba.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoIPV6: Fix ipv6 round-robin locking.
David Miller [Tue, 27 Mar 2007 01:56:59 +0000 (18:56 -0700)]
IPV6: Fix ipv6 round-robin locking.

[IPV6]: Fix routing round-robin locking.

As per RFC2461, section 6.3.6, item #2, when no routers on the
matching list are known to be reachable or probably reachable we
do round robin on those available routes so that we make sure
to probe as many of them as possible to detect when one becomes
reachable faster.

Each routing table has a rwlock protecting the tree and the linked
list of routes at each leaf.  The round robin code executes during
lookup and thus with the rwlock taken as a reader.  A small local
spinlock tries to provide protection but this does not work at all
for two reasons:

1) The round-robin list manipulation, as coded, goes like this (with
   read lock held):

walk routes finding head and tail

spin_lock();
rotate list using head and tail
spin_unlock();

   While one thread is rotating the list, another thread can
   end up with stale values of head and tail and then proceed
   to corrupt the list when it gets the lock.  This ends up causing
   the OOPS in fib6_add() later onthat many people have been hitting.

2) All the other code paths that run with the rwlock held as
   a reader do not expect the list to change on them, they
   expect it to remain completely fixed while they hold the
   lock in that way.

So, simply stated, it is impossible to implement this correctly using
a manipulation of the list without violating the rwlock locking
semantics.

Reimplement using a per-fib6_node round-robin pointer.  This way we
don't need to manipulate the list at all, and since the round-robin
pointer can only ever point to real existing entries we don't need
to perform any locking on the changing of the round-robin pointer
itself.  We only need to reset the round-robin pointer to NULL when
the entry it is pointing to is removed.

The idea is from Thomas Graf and it is very similar to how this
was implemented before the advanced router selection code when in.

Signed-off-by: David S. Miller <davem@davemloft.net>
17 years agoNET_SCHED: Fix ingress qdisc locking.
Patrick McHardy [Tue, 27 Mar 2007 01:15:37 +0000 (18:15 -0700)]
NET_SCHED: Fix ingress qdisc locking.

[NET_SCHED]: Fix ingress locking

Ingress queueing uses a seperate lock for serializing enqueue operations,
but fails to properly protect itself against concurrent changes to the
qdisc tree. Use queue_lock for now since the real fix it quite intrusive.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
17 years agoNET: Fix packet classidier NULL pointer OOPS
Patrick McHardy [Tue, 27 Mar 2007 01:13:51 +0000 (18:13 -0700)]
NET: Fix packet classidier NULL pointer OOPS

[NET_SCHED]: cls_basic: fix NULL pointer dereference

cls_basic doesn't allocate tp->root before it is linked into the
active classifier list, resulting in a NULL pointer dereference
when packets hit the classifier before its ->change function is
called.

Reported by Chris Madden <chris@reflexsecurity.com>

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoieee1394: dv1394: fix CardBus card ejection
Stefan Richter [Sun, 25 Mar 2007 19:24:43 +0000 (21:24 +0200)]
ieee1394: dv1394: fix CardBus card ejection

Fix NULL pointer dereference on hot ejection of a FireWire card while
dv1394 was loaded.  http://bugzilla.kernel.org/show_bug.cgi?id=7121
I did not test card ejection with open /dev/dv1394 files yet.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agouml: fix unreasonably long udelay
Paolo 'Blaisorblade' Giarrusso [Wed, 28 Mar 2007 23:26:11 +0000 (01:26 +0200)]
uml: fix unreasonably long udelay

Currently we have a confused udelay implementation.

* __const_udelay does not accept usecs but xloops in i386 and x86_64
* our implementation requires usecs as arg
* it gets a xloops count when called by asm/arch/delay.h

Bugs related to this (extremely long shutdown times) where reported by some
x86_64 users, especially using Device Mapper.

To hit this bug, a compile-time constant time parameter must be passed - that's
why UML seems to work most times.
Fix this with a simple udelay implementation.

Signed-off-by: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoUML - use correct register file size everywhere
Jeff Dike [Sun, 25 Mar 2007 17:01:44 +0000 (13:01 -0400)]
UML - use correct register file size everywhere

This patch uses MAX_REG_NR consistently to refer to the register file
size.  FRAME_SIZE isn't sufficient because on x86_64, it is smaller
than the ptrace register file size.  MAX_REG_NR was introduced as a
consistent way to get the number of registers, but wasn't used
everywhere it should be.

When this causes a problem, it makes PTRACE_SETREGS fail on x86_64
because of a corrupted segment register value in the known-good
register file. The patch also adds a register dump at that point in
case there are any future problems here.

Signed-off-by: Jeff Dike <jdike@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoUML - Fix static linking
Jeff Dike [Sun, 25 Mar 2007 16:54:32 +0000 (12:54 -0400)]
UML - Fix static linking

During a static link, ld has started putting a .note section in the
.uml.setup.init section.  This has the result that the UML setups
begin with 32 bytes of garbage and UML crashes immediately on boot.

This patch creates a specific .note section for ld to drop this stuff
into.

Signed-off-by: Jeff Dike <jdike@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoUML - host VDSO fix
Jeff Dike [Fri, 23 Mar 2007 19:37:30 +0000 (15:37 -0400)]
UML - host VDSO fix

This fixes a problem seen by a number of people running UML on newer host
kernels.  init would hang with an infinite segfault loop.

It turns out that the host kernel was providing a AT_SYSINFO_EHDR of
0xffffe000, which faked UML into believing that the host VDSO page could be
reused.  However, AT_SYSINFO pointed into the middle of the address space, and
was unmapped as a result.  Because UML was providing AT_SYSINFO_EHDR and
AT_SYSINFO to its own processes, these would branch to nowhere when trying to
use the VDSO.

The fix is to also check the location of AT_SYSINFO when deciding whether to
use the host's VDSO.

Signed-off-by: Jeff Dike <jdike@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoUML - fix epoll
Jeff Dike [Fri, 23 Mar 2007 18:18:17 +0000 (14:18 -0400)]
UML - fix epoll

UML/x86_64 needs the same packing of struct epoll_event as x86_64.

Signed-off-by: Jeff Dike <jdike@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agosata_nv: delay on switching between NCQ and non-NCQ commands
Robert Hancock [Thu, 22 Mar 2007 16:39:04 +0000 (12:39 -0400)]
sata_nv: delay on switching between NCQ and non-NCQ commands

sata_nv: delay on switching between NCQ and non-NCQ commands

This patch appears to solve some problems with commands timing out in
cases where an NCQ command is immediately followed by a non-NCQ command
(or possibly vice versa). This is a rather ugly solution, but until we
know more about why this is needed, this is about all we can do.

[backport to 2.6.20 by Chuck Ebbert <cebbert@redhat.com>]

Signed-off-by: Robert Hancock <hancockr@shaw.ca>
Cc: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoide: remove clearing bmdma status from cdrom_decode_status() (rev #4)
Albert Lee [Wed, 21 Mar 2007 20:08:49 +0000 (16:08 -0400)]
ide: remove clearing bmdma status from cdrom_decode_status() (rev #4)

ide: remove clearing bmdma status from cdrom_decode_status() (rev #4)

patch 2/2:
  Remove clearing bmdma status from cdrom_decode_status() since ATA devices
  might need it as well.

  (http://lkml.org/lkml/2006/12/4/201 and http://lkml.org/lkml/2006/11/15/94)

Signed-off-by: Albert Lee <albertcc@tw.ibm.com>
Cc: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: "Adam W. Hawks" <awhawks@us.ibm.com>
Cc: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoide: clear bmdma status in ide_intr() for ICHx controllers (revised #4)
Albert Lee [Wed, 21 Mar 2007 20:08:08 +0000 (16:08 -0400)]
ide: clear bmdma status in ide_intr() for ICHx controllers (revised #4)

ide: clear bmdma status in ide_intr() for ICHx controllers (revised #4)

patch 1/2 (revised):
- Fix drive->waiting_for_dma to work with CDB-intr devices.
- Do the dma status clearing in ide_intr() and add a new
  hwif->ide_dma_clear_irq for Intel ICHx controllers.

Revised per Alan, Sergei and Bart's advice.

Patch against 2.6.20-rc6. Tested ok on my ICH4 and pdc20275 adapters.
Please review/apply, thanks.

Signed-off-by: Albert Lee <albertcc@tw.ibm.com>
Cc: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Adam Hawks <awhawks@us.ibm.com>
Cc: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoLinux 2.6.20.4 v2.6.20.4
Greg Kroah-Hartman [Fri, 23 Mar 2007 19:52:51 +0000 (12:52 -0700)]
Linux 2.6.20.4

17 years agoFix niagara memory corruption
David Miller [Mon, 19 Mar 2007 21:50:04 +0000 (14:50 -0700)]
Fix niagara memory corruption

[SPARC64]: store-init needs trailing membar.

The manual says that it is required and we actually have crash reports
where loads see stale data due to not having membars here.

In one case the networking does:

memset(skb, 0, offsetof(struct sk_buff, truesize));

and then some code later checks skb->nohdr for zero, but it's still
the value that was there before the memset().

Note that arch/sparc64/lib/xor.S already got this right.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agost: fix Tape dies if wrong block size used, bug 7919
Kai Makisara [Mon, 19 Mar 2007 23:58:57 +0000 (16:58 -0700)]
st: fix Tape dies if wrong block size used, bug 7919

[SCSI] st: fix Tape dies if wrong block size used, bug 7919

On Thu, 1 Feb 2007, Andrew Morton wrote:
> On Thu, 1 Feb 2007 15:34:29 -0800
> bugme-daemon@bugzilla.kernel.org wrote:
>
> > http://bugzilla.kernel.org/show_bug.cgi?id=7919
> >
> >            Summary: Tape dies if wrong block size used
> >     Kernel Version: 2.6.20-rc5
> >             Status: NEW
> >           Severity: normal
> >              Owner: scsi_drivers-other@kernel-bugs.osdl.org
> >          Submitter: dmartin@sccd.ctc.edu
> >
> >
> > Most recent kernel where this bug did *NOT* occur: 2.6.17.14
> >
> > Other Kernels Tested and Results:
> >
> >     OK 2.6.15.7
> >     OK 2.6.16.37
> >     OK 2.6.17.14
> >     BAD 2.6.18.6
> >     BAD 2.6.18-1.2869.fc6
> >     BAD 2.6.19.2 +
> >     BAD 2.6.20-rc5
> >
> > NOTE: 2.6.18-1.2869.fc6 is a Fedora modified kernel, all others are from kernel.org
> >
...
> > Steps to reproduce:
> > Get a Adaptec AHA-2940U/UW/D / AIC-7881U card and a tape drive,
> > install a recent kernel
> > set the tape block size - mt setblk 4096
> > read from or write to tape using wrong block size - tar -b 7 -cvf /dev/tape foo
> >
Write does not trigger this bug because the driver refuses in fixed block
mode writes that are not a multiple of the block size. Read does trigger
it in my system.

The bug is not associated with any specific HBA. st tries to do direct i/o
in fixed block mode with reads that are not a multiple of tape block size.

The patch in this message fixes the st problem by switching to using the
driver buffer up to the next close of the device file in fixed block mode
if the user asks for a read like this.

I don't know why the bug has surfaced only after 2.6.17 although the st
problem is old. There may be another bug in the block subsystem and this
patch works around it. However, the patch fixes a problem in st and in
this way it is a valid fix.

This patch may also fix the bug 7900.

The patch compiles and is lightly tested.

Signed-off-by: Kai Makisara <kai.makisara@kolumbus.fi>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoInput: i8042 - another attempt to fix AUX delivery checks
Dmitry Torokhov [Thu, 8 Mar 2007 04:20:55 +0000 (23:20 -0500)]
Input: i8042 - another attempt to fix AUX delivery checks

Do not assume that AUX_LOOP command is broken unless it
completes successfully but returns wrong (unexpected) data.

Cc: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoUML - arch_prctl should set thread fs
Jeff Dike [Mon, 19 Mar 2007 20:12:50 +0000 (16:12 -0400)]
UML - arch_prctl should set thread fs

x86_64 needs some TLS fixes.  What was missing was remembering the child
thread id during clone and stuffing it into the child during each context
switch.

The %fs value is stored separately in the thread structure since the host
controls what effect it has on the actual register file.  The host also needs
to store it in its own thread struct, so we need the value kept outside the
register file.

arch_prctl_skas was fixed to call PTRACE_ARCH_PRCTL appropriately.  There is
some saving and restoring of registers in the ARCH_SET_* cases so that the
correct set of registers are changed on the host and restored to the process
when it runs again.

Signed-off-by: Jeff Dike <jdike@addtoit.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agofix deadlock in audit_log_task_context()
Al Viro [Mon, 19 Mar 2007 15:55:04 +0000 (11:55 -0400)]
fix deadlock in audit_log_task_context()

GFP_KERNEL allocations in non-blocking context; fixed by killing
an idiotic use of security_getprocattr().

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: James Morris <jmorris@namei.org>
Cc: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoInput: i8042 - fix AUX IRQ delivery check
Dmitry Torokhov [Mon, 19 Mar 2007 13:06:25 +0000 (09:06 -0400)]
Input: i8042 - fix AUX IRQ delivery check

Input: i8042 - fix AUX IRQ delivery check

On boxes that do not implement AUX LOOP command we can not
verify AUX IRQ delivery and must assume that it is wired
properly.

Cc: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agodio: invalidate clean pages before dio write
Zach Brown [Sun, 18 Mar 2007 22:55:51 +0000 (18:55 -0400)]
dio: invalidate clean pages before dio write

This patch fixes a user-triggerable oops that was reported by Leonid
Ananiev as archived at http://lkml.org/lkml/2007/2/8/337.

dio writes invalidate clean pages that intersect the written region so that
subsequent buffered reads go to disk to read the new data.  If this fails
the interface tries to tell the caller that the cache is inconsistent by
returning EIO.

Before this patch we had the problem where this invalidation failure would
clobber -EIOCBQUEUED as it made its way from fs/direct-io.c to fs/aio.c.
Both fs/aio.c and bio completion call aio_complete() and we reference freed
memory, usually oopsing.

This patch addresses this problem by invalidating before the write so that
we can cleanly return -EIO before ->direct_IO() has had a chance to return
-EIOCBQUEUED.

There is a compromise here.  During the dio write we can fault in mmap()ed
pages which intersect the written range with get_user_pages() if the user
provided them for the source buffer.  This is a crazy thing to do, but we
can make it mostly work in most cases by trying the invalidation again.
The compromise is that we won't return an error if this second invalidation
fails if it's an AIO write and we have -EIOCBQUEUED.

This was tested by having two processes race performing large O_DIRECT and
buffered ordered writes.  Within minutes ext3 would see a race between
ext3_releasepage() and jbd holding a reference on ordered data buffers and
would cause invalidation to fail, panicing the box.  The test can be found
in the 'aio_dio_bugs' test group in test.kernel.org/autotest.  After this
patch the test passes.

Signed-off-by: Zach Brown <zach.brown@oracle.com>
Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
Cc: Chuck Ebbert <cebbert@redhat.com>
Cc: Leonid Ananiev <leonid.i.ananiev@linux.intel.com>
Cc: Nick Piggin <nickpiggin@yahoo.com.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agooom fix: prevent oom from killing a process with children/sibling unkillable
Ankita Garg [Sun, 18 Mar 2007 22:54:14 +0000 (18:54 -0400)]
oom fix: prevent oom from killing a process with children/sibling unkillable

Looking at oom_kill.c, found that the intention to not kill the selected
process if any of its children/siblings has OOM_DISABLE set, is not being
met.

Signed-off-by: Ankita Garg <ankita@in.ibm.com>
Cc: Chuck Ebbert <cebbert@redhat.com>
Acked-by: Nick Piggin <npiggin@suse.de>
Acked-by: William Irwin <wli@holomorphy.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agohda-intel - Fix codec probe with ATI controllers
Takashi Iwai [Sun, 18 Mar 2007 22:19:29 +0000 (18:19 -0400)]
hda-intel - Fix codec probe with ATI controllers

[ALSA] hda-intel - Fix codec probe with ATI contorllers

ATI controllers may have up to 4 codecs while ICH up to 3.
Thus the earlier fix to change AZX_MAX_CODECS to 3 cause a regression
on some devices that have the audio codec at bit#3.
Now max codecs is defined according to the driver type, either 3 or 4.
Currently 4 is set only to ATI chips.  Other might need the same
change, too.

Cc: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
17 years agoInput: i8042 - really suppress ACK/NAK during panic blink
Dmitry Torokhov [Sun, 18 Mar 2007 21:41:28 +0000 (17:41 -0400)]
Input: i8042 - really suppress ACK/NAK during panic blink

Input: i8042 - really suppress ACK/NAK during panic blink

On some boxes panic blink procedure manages to send both bytes
to keyboard contoller before getting first ACK so we need to
make i8042_suppress_kbd_ack a counter instead of boolean.

Cc: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoIrDA: irttp_dup spin_lock initialisation
Samuel Ortiz [Sat, 17 Mar 2007 02:04:27 +0000 (04:04 +0200)]
IrDA: irttp_dup spin_lock initialisation

Without this initialization one gets

kernel BUG at kernel/rtmutex_common.h:80!

This patch should also be included in the -stable kernel.

Signed-off-by: G. Liakhovetski <gl@dsa-ac.de>
Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix page allocation debugging on sparc64
David Miller [Sat, 17 Mar 2007 01:51:00 +0000 (18:51 -0700)]
Fix page allocation debugging on sparc64

[SPARC64]: Get DEBUG_PAGEALLOC working again.

We have to make sure to use base-pagesize TLB entries even during the
early transition period where we need TLB miss handling but don't have
the kernel page tables setup yet for the linear region.

Also, it is necessary therefore to not use the 4MB TSB for these
translations, and instead use the normal kernel TSB.  This allows us
to also get rid of the 4MB tsb for debug builds which shrinks the
kernel a little bit.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix sparc64 hugepage bugs
David Miller [Sat, 17 Mar 2007 01:49:06 +0000 (18:49 -0700)]
Fix sparc64 hugepage bugs

[SPARC64]: Add missing HPAGE_MASK masks on address parameters.

These pte loops all assume the passed in address is HPAGE
aligned, make sure that is actually true.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoCopy over mac_len when cloning an skb
Alexey Dobriyan [Sat, 17 Mar 2007 01:32:09 +0000 (18:32 -0700)]
Copy over mac_len when cloning an skb

[NET]: Copy mac_len in skb_clone() as well

ANK says: "It is rarely used, that's wy it was not noticed.
But in the places, where it is used, it should be disaster."

Signed-off-by: Alexey Dobriyan <adobriyan@sw.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix ipv6 flow label inheritance
Masayuki Nakagawa [Sat, 17 Mar 2007 01:31:22 +0000 (18:31 -0700)]
Fix ipv6 flow label inheritance

[IPV6]: ipv6_fl_socklist is inadvertently shared.

The ipv6_fl_socklist from listening socket is inadvertently shared
with new socket created for connection.  This leads to a variety of
interesting, but fatal, bugs. For example, removing one of the
sockets may lead to the other socket's encountering a page fault
when the now freed list is referenced.

The fix is to not share the flow label list with the new socket.

Signed-off-by: Masayuki Nakagawa <nakagawa.msy@ncos.nec.co.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix GFP_KERNEL with preemption disabled in fib_trie
Robert Olsson [Sat, 17 Mar 2007 01:30:13 +0000 (18:30 -0700)]
Fix GFP_KERNEL with preemption disabled in fib_trie

[IPV4]: Do not disable preemption in trie_leaf_remove().

Hello, Just discussed this Patrick...

We have two users of trie_leaf_remove, fn_trie_flush and fn_trie_delete
both are holding RTNL. So there shouldn't be need for this preempt stuff.
This is assumed to a leftover from an older RCU-take.

> Mhh .. I think I just remembered something - me incorrectly suggesting
> to add it there while we were talking about this at OLS :) IIRC the
> idea was to make sure tnode_free (which at that time didn't use
> call_rcu) wouldn't free memory while still in use in a rcu read-side
> critical section. It should have been synchronize_rcu of course,
> but with tnode_free using call_rcu it seems to be completely
> unnecessary. So I guess we can simply remove it.

Signed-off-by: Robert Olsson <robert.olsson@its.uu.se>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix extraneous IPSEC larval SA creation
Joy Latten [Sat, 17 Mar 2007 01:27:51 +0000 (18:27 -0700)]
Fix extraneous IPSEC larval SA creation

[XFRM]: Fix missing protocol comparison of larval SAs.

I noticed that in xfrm_state_add we look for the larval SA in a few
places without checking for protocol match. So when using both
AH and ESP, whichever one gets added first, deletes the larval SA.
It seems AH always gets added first and ESP is always the larval
SA's protocol since the xfrm->tmpl has it first. Thus causing the
additional km_query()

Adding the check eliminates accidental double SA creation.

Signed-off-by: Joy Latten <latten@austin.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agor8169: fix a race between PCI probe and dev_open
Francois Romieu [Wed, 14 Mar 2007 20:32:00 +0000 (21:32 +0100)]
r8169: fix a race between PCI probe and dev_open

Initialize the timer with the rest of the private-struct.

Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agofix read past end of array in md/linear.c
Andy Isaacson [Fri, 16 Mar 2007 21:38:04 +0000 (13:38 -0800)]
fix read past end of array in md/linear.c

When iterating through an array, one must be careful to test one's index
variable rather than another similarly-named variable.

The loop will read off the end of conf->disks[] in the following
(pathological) case:

% dd bs=1 seek=840716287 if=/dev/zero of=d1 count=1
% for i in 2 3 4; do dd if=/dev/zero of=d$i bs=1k count=$(($i+150)); done
% ./vmlinux ubd0=root ubd1=d1 ubd2=d2 ubd3=d3 ubd4=d4
# mdadm -C /dev/md0 --level=linear --raid-devices=4 /dev/ubd[1234]

adding some printks, I saw this:
[42949374.960000] hash_spacing = 821120
[42949374.960000] cnt          = 4
[42949374.960000] min_spacing  = 801
[42949374.960000] j=0 size=820928 sz=820928
[42949374.960000] i=0 sz=820928 hash_spacing=820928
[42949374.960000] j=1 size=64 sz=64
[42949374.960000] j=2 size=64 sz=128
[42949374.960000] j=3 size=64 sz=192
[42949374.960000] j=4 size=1515870810 sz=1515871002

Cc: Gautham R Shenoy <ego@in.ibm.com>
Acked-by: Neil Brown <neilb@cse.unsw.edu.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agofix MTIME_SEC_MAX on 32-bit
Thomas Gleixner [Fri, 16 Mar 2007 22:15:57 +0000 (14:15 -0800)]
fix MTIME_SEC_MAX on 32-bit

The maximum seconds value we can handle on 32bit is LONG_MAX.

Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agohrtimer: prevent overrun DoS in hrtimer_forward()
Thomas Gleixner [Fri, 16 Mar 2007 21:38:20 +0000 (13:38 -0800)]
hrtimer: prevent overrun DoS in hrtimer_forward()

hrtimer_forward() does not check for the possible overflow of
timer->expires.  This can happen on 64 bit machines with large interval
values and results currently in an endless loop in the softirq because the
expiry value becomes negative and therefor the timer is expired all the
time.

Check for this condition and set the expiry value to the max.  expiry time
in the future.  The fix should be applied to stable kernel series as well.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agonfs: nfs_getattr() can't call nfs_sync_mapping_range() for non-regular files
Trond Myklebust [Fri, 16 Mar 2007 21:38:28 +0000 (13:38 -0800)]
nfs: nfs_getattr() can't call nfs_sync_mapping_range() for non-regular files

Looks like we need a check in nfs_getattr() for a regular file. It makes
no sense to call nfs_sync_mapping_range() on anything else. I think that
should fix your problem: it will stop the NFS client from interfering
with dirty pages on that inode's mapping.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Acked-by: Olof Johansson <olof@lixom.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agofutex: PI state locking fix
Ingo Molnar [Fri, 16 Mar 2007 21:38:31 +0000 (13:38 -0800)]
futex: PI state locking fix

Testing of -rt by IBM uncovered a locking bug in wake_futex_pi(): the PI
state needs to be locked before we access it.

Signed-off-by: Ingo Molnar <mingo@elte.hu>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoinitialise pi_lock if CONFIG_RT_MUTEXES=N
Zilvinas Valinskas [Fri, 16 Mar 2007 21:38:34 +0000 (13:38 -0800)]
initialise pi_lock if CONFIG_RT_MUTEXES=N

Fixes a bogus lockdep warning which causes lockdep to disable itself.

Acked-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoEHCI: add delay to bus_resume before accessing ports
Alan Stern [Fri, 16 Mar 2007 13:34:29 +0000 (09:34 -0400)]
EHCI: add delay to bus_resume before accessing ports

This patch (as870) adds a delay to ehci-hcd's bus_resume routine.
Apparently there are controllers and/or BIOSes out there which need
such a delay to get the ports back into their correct state.  This
fixes Bugzilla #8190.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agomm: fix madvise infinine loop
Nick Piggin [Fri, 16 Mar 2007 21:38:10 +0000 (13:38 -0800)]
mm: fix madvise infinine loop

madvise(MADV_REMOVE) can go into an infinite loop or cause an oops if the
call covers a region from the start of a vma, and extending past that vma.

Signed-off-by: Nick Piggin <npiggin@suse.de>
Cc: Badari Pulavarty <pbadari@us.ibm.com>
Acked-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoadjust legacy IDE resource setting (v2)
Jan Beulich [Tue, 13 Mar 2007 18:04:11 +0000 (14:04 -0400)]
adjust legacy IDE resource setting (v2)

adjust legacy IDE resource setting (v2)

The change to force legacy mode IDE channels' resources to fixed non-zero
values confuses (at least some versions of) X, because the values reported
by the kernel and those readable from PCI config space aren't consistent
anymore.  Therefore, this patch arranges for the respective BARs to also
get updated if possible.

Signed-off-by: Jan Beulich <jbeulich@novell.com>
Acked-by: Alan Cox <alan@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Cc: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoIA64: fix NULL pointer in ia64/irq_chip-mask/unmask function
KAMEZAWA Hiroyuki [Tue, 13 Mar 2007 18:00:39 +0000 (14:00 -0400)]
IA64: fix NULL pointer in ia64/irq_chip-mask/unmask function

[IA64] fix NULL pointer in ia64/irq_chip-mask/unmask function

This patch fixes boot failure because irq_desc->mask() is NULL.

- Added mask/unmask functions to ia64's irq desc function table.
- rename hw_interrupt_type to irq_chip. hw_interrupt_type is old name.
- Tony: Added same change to arch/ia64/sn/kernel/irq.c as pointed out
  by Eric Biederman ... mask/unmask functions there can be no-op.

Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Cc: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoNETFILTER: nfnetlink_log: fix reference counting
Michal Miroslaw [Tue, 13 Mar 2007 15:45:26 +0000 (16:45 +0100)]
NETFILTER: nfnetlink_log: fix reference counting

[NETFILTER]: nfnetlink_log: fix reference counting

Fix reference counting (memory leak) problem in __nfulnl_send() and callers
related to packet queueing.

Signed-off-by: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoNetLabel: Verify sensitivity level has a valid CIPSO mapping
Paul Moore [Mon, 12 Mar 2007 14:33:12 +0000 (09:33 -0500)]
NetLabel: Verify sensitivity level has a valid CIPSO mapping

The current CIPSO engine has a problem where it does not verify that the given
sensitivity level has a valid CIPSO mapping when the "std" CIPSO DOI type is
used.  The end result is that bad packets are sent on the wire which should
have never been sent in the first place.  This patch corrects this problem by
verifying the sensitivity level mapping similar to what is done with the
category mapping.  This patch also changes the returned error code in this case
to -EPERM to better match what the category mapping verification code returns.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agogdth: fix oops in gdth_copy_cmd()
Joerg Dorchain [Tue, 6 Mar 2007 10:46:54 +0000 (02:46 -0800)]
gdth: fix oops in gdth_copy_cmd()

Recent alterations to the gdth_fill_raw_cmd() path no longer set the
sg_ranz field for zero transfer commands. However, this field is used
lower down in the function to initialise ha->cmd_len to the size of
the firmware packet.  If this uninitialised field contains a bogus
value, ha->cmd_len can become much larger than the actual firmware
packet and end up oopsing in gdth_copy_cmd() as it tries to copy this
huge packet to the device (usually because it runs into an unallocated
page).

The fix is to initialise the sg_ranz field to zero at the start of
gdth_fill_raw_cmd().

Signed-off-by: Joerg Dorchain <joerg@dorchain.net>
Acked-by: "Achim Leubner" <Achim_Leubner@adaptec.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix rtm_to_ifaddr() error return.
Evgeniy Polyakov [Sat, 10 Mar 2007 07:04:42 +0000 (23:04 -0800)]
Fix rtm_to_ifaddr() error return.

[IPV4]: Fix rtm_to_ifaddr() error handling.

Return negative error value (embedded in the pointer) instead of
returning NULL.

Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix another NULL pointer deref in ipv6_sockglue.c
Olaf Kirch [Sat, 10 Mar 2007 07:03:53 +0000 (23:03 -0800)]
Fix another NULL pointer deref in ipv6_sockglue.c

[IPV6]: Fix for ipv6_setsockopt NULL dereference

I came across this bug in http://bugzilla.kernel.org/show_bug.cgi?id=8155

Signed-off-by: Olaf Kirch <olaf.kirch@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoLinux 2.6.20.3 v2.6.20.3
Greg Kroah-Hartman [Tue, 13 Mar 2007 18:27:08 +0000 (11:27 -0700)]
Linux 2.6.20.3

17 years agoFix UDP header pointer after pskb_trim_rcsum()
Herbert Xu [Thu, 8 Mar 2007 02:50:54 +0000 (18:50 -0800)]
Fix UDP header pointer after pskb_trim_rcsum()

[UDP]: Reread uh pointer after pskb_trim

The header may have moved when trimming.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix timewait jiffies
Eric Dumazet [Thu, 8 Mar 2007 02:48:44 +0000 (18:48 -0800)]
Fix timewait jiffies

[INET]: twcal_jiffie should be unsigned long, not int

Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix sparc64 device register probing
David Miller [Thu, 8 Mar 2007 02:47:54 +0000 (18:47 -0800)]
Fix sparc64 device register probing

[SPARC]: Fix bus handling in build_device_resources().

We mistakedly modify 'bus' in the innermost loop.  What
should happen is that at each register index iteration,
we start with the same 'bus'.

So preserve it's value at the top level, and use a loop
local variable 'dbus' for iteration.

This bug causes registers other than the first to be
decoded improperly.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix callback bug in connector
Philipp Reisner [Thu, 8 Mar 2007 02:45:12 +0000 (18:45 -0800)]
Fix callback bug in connector

[CONNECTOR]: Bugfix for cn_call_callback()

When system under heavy stress and must allocate new work
instead of reusing old one, new work must use correct
completion callback.

Patch is based on Philipp's and Lars' work.
I only cleaned small stuff (and removed spaces instead of tabs).

Signed-off-by: Philipp Reisner <philipp.reisner@linbit.com>
Signed-off-by: Lars Ellenberg <lars.ellenberg@linbit.com>
Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agofix for bugzilla #7544 (keyspan USB-to-serial converter)
Rainer Weikusat [Wed, 3 Jan 2007 14:36:25 +0000 (15:36 +0100)]
fix for bugzilla #7544 (keyspan USB-to-serial converter)

At least the Keyspan USA-19HS USB-to-serial converter supports
two different configurations, one where the input endpoints
have interrupt transfer type and one where they are bulk endpoints.
The default UHCI configuration uses the interrupt input endpoints.
The keyspan driver, OTOH, assumes that the device has only bulk
endpoints (all URBs are initialized by calling usb_fill_bulk_urb
in keyspan.c/ keyspan_setup_urb). This causes the interval field
of the input URBs to have a value of zero instead of one, which
'accidentally' worked with Linux at least up to 2.6.17.11 but
stopped to with 2.6.18, which changed the UHCI support code handling
URBs for interrupt endpoints. The patch below modifies to driver to
initialize its input URBs either as interrupt or as bulk URBs,
depending on the transfertype contained in the associated endpoint
descriptor (only tested with the default configuration) enabling
the driver to again receive data from the serial converter.

Greg K-H reworked the patch.

Signed-off-by: Rainer Weikusat <rweikusat@sncag.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix compat_getsockopt
Johannes Berg [Thu, 8 Mar 2007 02:42:52 +0000 (18:42 -0800)]
Fix compat_getsockopt

[NET]: Fix compat_sock_common_getsockopt typo.

This patch fixes a typo in compat_sock_common_getsockopt.

Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agobcm43xx: Fix problem with >1 GB RAM
Larry Finger [Wed, 7 Mar 2007 18:05:58 +0000 (13:05 -0500)]
bcm43xx: Fix problem with >1 GB RAM

Some versions of the bcm43xx chips only support 30-bit DMA, which means
that the descriptors and buffers must be in the first 1 GB of RAM. On
the i386 and x86_64 architectures with more than 1 GB RAM, an incorrect
assignment may occur. This patch ensures that the various DMA addresses
are within the capability of the chip. Testing has been limited to x86_64
as no one has an i386 system with more than 1 GB RAM.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Cc: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix bug 7994 sleeping function called from invalid context
Douglas Gilbert [Wed, 7 Mar 2007 19:33:38 +0000 (14:33 -0500)]
Fix bug 7994 sleeping function called from invalid context

  - addresses the reported bug (with GFP_KERNEL -> GFP_ATOMIC)
  - improves error checking, and
  - is a subset of the changes to scsi_debug in lk 2.6.21-rc*

Compiled and lightly tested (in lk 2.6.21-rc2 environment).

Signed-off-by: Douglas Gilbert <dougg@torque.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agonfnetlink_log: fix crash on bridged packet
Patrick McHardy [Wed, 7 Mar 2007 21:34:45 +0000 (22:34 +0100)]
nfnetlink_log: fix crash on bridged packet

[NETFILTER]: nfnetlink_log: fix crash on bridged packet

physoutdev is only set on purely bridged packet, when nfnetlink_log is used
in the OUTPUT/FORWARD/POSTROUTING hooks on packets forwarded from or to a
bridge it crashes when trying to dereference skb->nf_bridge->physoutdev.

Reported by Holger Eitzenberger <heitzenberger@astaro.com>

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agonfnetlink_log: zero-terminate prefix
Patrick McHardy [Wed, 7 Mar 2007 21:34:43 +0000 (22:34 +0100)]
nfnetlink_log: zero-terminate prefix

[NETFILTER]: nfnetlink_log: zero-terminate prefix

Userspace expects a zero-terminated string, so include the trailing
zero in the netlink message.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agonf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED
Patrick McHardy [Wed, 7 Mar 2007 21:34:42 +0000 (22:34 +0100)]
nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED

[NETFILTER]: nf_conntrack: fix incorrect classification of IPv6 fragments as ESTABLISHED

The individual fragments of a packet reassembled by conntrack have the
conntrack reference from the reassembled packet attached, but nfctinfo
is not copied. This leaves it initialized to 0, which unfortunately is
the value of IP_CT_ESTABLISHED.

The result is that all IPv6 fragments are tracked as ESTABLISHED,
allowing them to bypass a usual ruleset which accepts ESTABLISHED
packets early.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoip6_route_me_harder should take into account mark
Yasuyuki Kozakai [Wed, 7 Mar 2007 21:34:40 +0000 (22:34 +0100)]
ip6_route_me_harder should take into account mark

[NETFILTER]: ip6_route_me_harder should take into account mark

Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agonfnetlink_log: fix possible NULL pointer dereference
Michal Miroslaw [Wed, 7 Mar 2007 21:34:36 +0000 (22:34 +0100)]
nfnetlink_log: fix possible NULL pointer dereference

[NETFILTER]: nfnetlink_log: fix possible NULL pointer dereference

Eliminate possible NULL pointer dereference in nfulnl_recv_config().

Signed-off-by: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agonfnetlink_log: fix NULL pointer dereference
Micha Mirosaw [Wed, 7 Mar 2007 21:34:34 +0000 (22:34 +0100)]
nfnetlink_log: fix NULL pointer dereference

[NETFILTER]: nfnetlink_log: fix NULL pointer dereference

Fix the nasty NULL dereference on multiple packets per netlink message.

BUG: unable to handle kernel NULL pointer dereference at virtual address 00000004
 printing eip:
f8a4b3bf
*pde = 00000000
Oops: 0002 [#1]
SMP
Modules linked in: nfnetlink_log ipt_ttl ipt_REDIRECT xt_tcpudp iptable_nat nf_nat nf_conntrack
_ipv4 xt_state ipt_ipp2p xt_NFLOG xt_hashlimit ip6_tables iptable_filter xt_multiport xt_mark i
pt_set iptable_raw xt_MARK iptable_mangle ip_tables cls_fw cls_u32 sch_esfq sch_htb ip_set_ipma
p ip_set ipt_ULOG x_tables dm_snapshot dm_mirror loop e1000 parport_pc parport e100 floppy ide_
cd cdrom
CPU:    0
EIP:    0060:[<f8a4b3bf>]    Not tainted VLI
EFLAGS: 00010206   (2.6.20 #5)
EIP is at __nfulnl_send+0x24/0x51 [nfnetlink_log]
eax: 00000000   ebx: f2b5cbc0   ecx: c03f5f54   edx: c03f4000
esi: f2b5cbc8   edi: c03f5f54   ebp: f8a4b3ec   esp: c03f5f30
ds: 007b   es: 007b   ss: 0068
Process swapper (pid: 0, ti=c03f4000 task=c03bece0 task.ti=c03f4000)
Stack: f2b5cbc0 f8a4b401 00000100 c0444080 c012af49 00000000 f6f19100 f6f19000
       c1707800 c03f5f54 c03f5f54 00000123 00000021 c03e8d08 c0426380 00000009
       c0126932 00000000 00000046 c03e9980 c03e6000 0047b007 c01269bd 00000000
Call Trace:
 [<f8a4b401>] nfulnl_timer+0x15/0x25 [nfnetlink_log]
 [<c012af49>] run_timer_softirq+0x10a/0x164
 [<c0126932>] __do_softirq+0x60/0xba
 [<c01269bd>] do_softirq+0x31/0x35
 [<c0104f6e>] do_IRQ+0x62/0x74
 [<c01036cb>] common_interrupt+0x23/0x28
 [<c0101018>] default_idle+0x0/0x3f
 [<c0101045>] default_idle+0x2d/0x3f
 [<c01010fa>] cpu_idle+0xa0/0xb9
 [<c03fb7f5>] start_kernel+0x1a8/0x1ac
 [<c03fb293>] unknown_bootoption+0x0/0x181
 =======================
Code: 5e 5f 5b 5e 5f 5d c3 53 89 c3 8d 40 1c 83 7b 1c 00 74 05 e8 2c ee 6d c7 83 7b 14 00 75 04
 31 c0 eb 34 83 7b 10 01 76 09 8b 43 18 <66> c7 40 04 03 00 8b 53 34 8b 43 14 b9 40 00 00 00 e8
 08 9a 84
EIP: [<f8a4b3bf>] __nfulnl_send+0x24/0x51 [nfnetlink_log] SS:ESP 0068:c03f5f30
 <0>Kernel panic - not syncing: Fatal exception in interrupt
 <0>Rebooting in 5 seconds..

Panic no more!

Signed-off-by: Micha Mirosaw <mirq-linux@rere.qmqm.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agonfnetlink_log: fix use after free
Patrick McHardy [Wed, 7 Mar 2007 21:34:33 +0000 (22:34 +0100)]
nfnetlink_log: fix use after free

[NETFILTER]: nfnetlink_log: fix use after free

Paranoia: instance_put() might have freed the inst pointer when we
spin_unlock_bh().

Signed-off-by: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agonfnetlink_log: fix reference leak
Patrick McHardy [Wed, 7 Mar 2007 21:34:32 +0000 (22:34 +0100)]
nfnetlink_log: fix reference leak

[NETFILTER]: nfnetlink_log: fix reference leak

Stop reference leaking in nfulnl_log_packet(). If we start a timer we
are already taking another reference.

Signed-off-by: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agotcp conntrack: accept SYN|URG as valid
Patrick McHardy [Wed, 7 Mar 2007 21:34:30 +0000 (22:34 +0100)]
tcp conntrack: accept SYN|URG as valid

[NETFILTER]: tcp conntrack: accept SYN|URG as valid

Some stacks apparently send packets with SYN|URG set. Linux accepts
these packets, so TCP conntrack should to.

Pointed out by Martijn Posthuma <posthuma@sangine.com>.

Signed-off-by: Patrick McHardy <kaber@trash.net>
17 years agonf_conntrack/nf_nat: fix incorrect config ifdefs
Patrick McHardy [Wed, 7 Mar 2007 21:34:29 +0000 (22:34 +0100)]
nf_conntrack/nf_nat: fix incorrect config ifdefs

[NETFILTER]: nf_conntrack/nf_nat: fix incorrect config ifdefs

The nf_conntrack_netlink config option is named CONFIG_NF_CT_NETLINK,
but multiple files use CONFIG_IP_NF_CONNTRACK_NETLINK or
CONFIG_NF_CONNTRACK_NETLINK for ifdefs.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoconntrack: fix {nf, ip}_ct_iterate_cleanup endless loops
Patrick McHardy [Wed, 7 Mar 2007 21:34:27 +0000 (22:34 +0100)]
conntrack: fix {nf, ip}_ct_iterate_cleanup endless loops

[NETFILTER]: conntrack: fix {nf,ip}_ct_iterate_cleanup endless loops

Fix {nf,ip}_ct_iterate_cleanup unconfirmed list handling:

- unconfirmed entries can not be killed manually, they are removed on
  confirmation or final destruction of the conntrack entry, which means
  we might iterate forever without making forward progress.

  This can happen in combination with the conntrack event cache, which
  holds a reference to the conntrack entry, which is only released when
  the packet makes it all the way through the stack or a different
  packet is handled.

- taking references to an unconfirmed entry and using it outside the
  locked section doesn't work, the list entries are not refcounted and
  another CPU might already be waiting to destroy the entry

What the code really wants to do is make sure the references of the hash
table to the selected conntrack entries are released, so they will be
destroyed once all references from skbs and the event cache are dropped.

Since unconfirmed entries haven't even entered the hash yet, simply mark
them as dying and skip confirmation based on that.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoLinux 2.6.20.2 v2.6.20.2
Greg Kroah-Hartman [Fri, 9 Mar 2007 18:58:04 +0000 (10:58 -0800)]
Linux 2.6.20.2

17 years agoIPV6: Handle np->opt being NULL in ipv6_getsockopt_sticky() [CVE-2007-1000]
David S. Miller [Wed, 7 Mar 2007 20:50:46 +0000 (12:50 -0800)]
IPV6: Handle np->opt being NULL in ipv6_getsockopt_sticky() [CVE-2007-1000]

This fixes http://bugzilla.kernel.org/show_bug.cgi?id=8134

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
17 years agox86-64: survive having no irq mapping for a vector
Eric W. Biederman [Wed, 7 Mar 2007 19:23:54 +0000 (14:23 -0500)]
x86-64: survive having no irq mapping for a vector

Occasionally the kernel has bugs that result in no irq being found for a
given cpu vector.  If we acknowledge the irq the system has a good chance
of continuing even though we dropped an irq message.  If we continue to
simply print a message and not acknowledge the irq the system is likely to
become non-responsive shortly there after.

AK: Fixed compilation for UP kernels

Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Andi Kleen <ak@suse.de>
Cc: "Luigi Genoni" <luigi.genoni@pirelli.com>
Cc: Andi Kleen <ak@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
17 years agoFix buffer overflow in Omnikey CardMan 4040 driver (CVE-2007-0005)
Marcel Holtmann [Wed, 7 Mar 2007 18:22:40 +0000 (13:22 -0500)]
Fix buffer overflow in Omnikey CardMan 4040 driver (CVE-2007-0005)

Based on a patch from Don Howard <dhoward@redhat.com>

When calling write() with a buffer larger than 512 bytes, the
driver's write buffer overflows, allowing to overwrite the EIP and
execute arbitrary code with kernel privileges.

In read(), there exists a similar problem, but coming from the device.
A malicous or buggy device sending more than 512 bytes can overflow
of the driver's read buffer, with the same effects as above.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Harald Welte <laforge@gnumonks.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
17 years agoTCP: Fix minisock tcp_create_openreq_child() typo.
Arnaldo Carvalho de Melo [Wed, 28 Feb 2007 19:29:33 +0000 (11:29 -0800)]
TCP: Fix minisock tcp_create_openreq_child() typo.

On 2/28/07, KOVACS Krisztian <hidden@balabit.hu> wrote:
>
>   Hi,
>
>   While reading TCP minisock code I've found this suspiciously looking
> code fragment:
>
> - 8< -
> struct sock *tcp_create_openreq_child(struct sock *sk, struct request_sock *req, struct sk_buff *skb)
> {
>         struct sock *newsk = inet_csk_clone(sk, req, GFP_ATOMIC);
>
>         if (newsk != NULL) {
>                 const struct inet_request_sock *ireq = inet_rsk(req);
>                 struct tcp_request_sock *treq = tcp_rsk(req);
>                 struct inet_connection_sock *newicsk = inet_csk(sk);
>                 struct tcp_sock *newtp;
> - 8< -
>
>   The above code initializes newicsk to inet_csk(sk), isn't that supposed
> to be inet_csk(newsk)?  As far as I can tell this might leave
> icsk_ack.last_seg_size zero even if we do have received data.

Good catch!

David, please apply the attached patch.

Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
17 years agogfs2: fix locking mistake
Josef Whiter [Wed, 21 Feb 2007 22:37:59 +0000 (14:37 -0800)]
gfs2: fix locking mistake

Fix a locking mistake in the quota code, we do a mutex_lock instead of a
mutex_unlock.

Signed-off-by: Josef Whiter <jwhiter@redhat.com>
Cc: Steven Whitehouse <swhiteho@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoATA: convert GSI to irq on ia64
Zhang, Yanmin [Thu, 15 Feb 2007 07:37:03 +0000 (23:37 -0800)]
ATA: convert GSI to irq on ia64

If an ATA drive uses legacy mode, ata driver will choose 14 and 15 as the
fixed irq number.  On ia64 platform, such numbers are GSI and should be
converted to irq vector.

Signed-off-by: Zhang Yanmin <yanmin.zhang@intel.com>
Cc: Jeff Garzik <jeff@garzik.org>
Cc: Tony Luck <tony.luck@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agopktcdvd: Correctly set cmd_len field in pkt_generic_packet
Gerhard Dirschl [Tue, 13 Feb 2007 05:32:43 +0000 (21:32 -0800)]
pktcdvd: Correctly set cmd_len field in pkt_generic_packet

Fixes http://bugzilla.kernel.org/show_bug.cgi?id=7810 - a silly
copy-paste bug introduced by the latest change.

Signed-off-by: Gerhard Dirschl <gd@spherenet.de>
Cc: Peter Osterlund <petero2@telia.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agovideo/aty/mach64_ct.c: fix bogus delay loop
David Miller [Mon, 5 Mar 2007 23:53:45 +0000 (15:53 -0800)]
video/aty/mach64_ct.c: fix bogus delay loop

CT based mach64 cards were reported to hang on sparc64 boxes when
compiled with gcc-4.1.x and later.

Looking at this piece of code, it's no surprise.  A critical
delay was implemented as an empty for() loop, and gcc 4.0.x
and previous did not optimize it away, so we did get a delay.

But gcc-4.1.x and later can optimize it away, and we get crashes.

Use a real udelay() to fix this.  Fix verified on SunBlade100.

Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: "Antonino A. Daplas" <adaplas@pol.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
17 years agorevert "drivers/net/tulip/dmfe: support basic carrier detection"
Andrew Morton [Tue, 6 Mar 2007 10:41:49 +0000 (02:41 -0800)]
revert "drivers/net/tulip/dmfe: support basic carrier detection"

Revert 7628b0a8c01a02966d2228bdf741ddedb128e8f8.  Thomas Bachler
reports:

  Commit 7628b0a8c01a02966d2228bdf741ddedb128e8f8 (drivers/net/tulip/dmfe:
  support basic carrier detection) breaks networking on my Davicom DM9009.
  ethtool always reports there is no link.  tcpdump shows incoming packets,
  but TX is disabled.  Reverting the above patch fixes the problem.

Cc: Samuel Thibault <samuel.thibault@ens-lyon.org>
Cc: Jeff Garzik <jeff@garzik.org>
Cc: Valerie Henson <val_henson@linux.intel.com>
Cc: Thomas Bachler <thomas@archlinux.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agothrottle_vm_writeout(): don't loop on GFP_NOFS and GFP_NOIO allocations
Andrew Morton [Thu, 1 Mar 2007 04:13:21 +0000 (20:13 -0800)]
throttle_vm_writeout(): don't loop on GFP_NOFS and GFP_NOIO allocations

throttle_vm_writeout() is designed to wait for the dirty levels to subside.
But if the caller holds IO or FS locks, we might be holding up that writeout.

So change it to take a single nap to give other devices a chance to clean some
memory, then return.

Cc: Nick Piggin <nickpiggin@yahoo.com.au>
Cc: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Cc: Kumar Gala <galak@kernel.crashing.org>
Cc: Pete Zaitcev <zaitcev@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agofix section mismatch warning in lockdep
Sam Ravnborg [Thu, 1 Mar 2007 04:12:31 +0000 (20:12 -0800)]
fix section mismatch warning in lockdep

lockdep_init() is marked __init but used in several places
outside __init code. This causes following warnings:
$ scripts/mod/modpost kernel/lockdep.o
WARNING: kernel/built-in.o - Section mismatch: reference to .init.text:lockdep_init from .text.lockdep_init_map after 'lockdep_init_map' (at offset 0x105)
WARNING: kernel/built-in.o - Section mismatch: reference to .init.text:lockdep_init from .text.lockdep_reset_lock after 'lockdep_reset_lock' (at offset 0x35)
WARNING: kernel/built-in.o - Section mismatch: reference to .init.text:lockdep_init from .text.__lock_acquire after '__lock_acquire' (at offset 0xb2)

The warnings are less obviously due to heavy inlining by gcc - this is not
altered.

Fix the section mismatch warnings by removing the __init marking, which
seems obviously wrong.

Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
Acked-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoueagle-atm.c needs sched.h
Randy Dunlap [Fri, 16 Feb 2007 09:47:33 +0000 (01:47 -0800)]
ueagle-atm.c needs sched.h

Driver needs sched.h for try_to_freeze().

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agokvm: Fix asm constraint for lldt instruction
S.Caglar Onur [Mon, 12 Feb 2007 08:54:34 +0000 (00:54 -0800)]
kvm: Fix asm constraint for lldt instruction

lldt does not accept immediate operands, which "g" allows.

Signed-off-by: S.Caglar Onur <caglar@pardus.org.tr>
Signed-off-by: Avi Kivity <avi@qumranet.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agolockdep: forward declare struct task_struct
Heiko Carstens [Mon, 12 Feb 2007 08:52:20 +0000 (00:52 -0800)]
lockdep: forward declare struct task_struct

3117df0453828bd045c16244e6f50e5714667a8a causes this:

In file included from arch/s390/kernel/early.c:13:
include/linux/lockdep.h:300: warning:
"struct task_struct" declared inside parameter list
include/linux/lockdep.h:300:
warning: its scope is only this definition or
declaration, which is probably not what you want

Acked-by: Ingo Molnar <mingo@elte.hu>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoChar: specialix, isr have 2 params
Jiri Slaby [Mon, 12 Feb 2007 08:52:30 +0000 (00:52 -0800)]
Char: specialix, isr have 2 params

specialix, isr have 2 params

pt_regs are no longer the third parameter of isr, call sx_interrupt without
it.

Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agobuffer: memorder fix
Nick Piggin [Sat, 10 Feb 2007 09:46:22 +0000 (01:46 -0800)]
buffer: memorder fix

unlock_buffer(), like unlock_page(), must not clear the lock without
ensuring that the critical section is closed.

Mingming later sent the same patch, saying:

We are running SDET benchmark and saw double free issue for ext3 extended
attributes block, which complains the same xattr block already being freed (in
ext3_xattr_release_block()).  The problem could also been triggered by
multiple threads loop untar/rm a kernel tree.

The race is caused by missing a memory barrier at unlock_buffer() before the
lock bit being cleared, resulting in possible concurrent h_refcounter update.
That causes a reference counter leak, then later leads to the double free that
we have seen.

Inside unlock_buffer(), there is a memory barrier is placed *after* the lock
bit is being cleared, however, there is no memory barrier *before* the bit is
cleared.  On some arch the h_refcount update instruction and the clear bit
instruction could be reordered, thus leave the critical section re-entered.

The race is like this: For example, if the h_refcount is initialized as 1,

cpu 0:                                   cpu1

17 years agokernel/time/clocksource.c needs struct task_struct on m68k
Mathieu Desnoyers [Sat, 10 Feb 2007 09:43:43 +0000 (01:43 -0800)]
kernel/time/clocksource.c needs struct task_struct on m68k

kernel/time/clocksource.c needs struct task_struct on m68k.

Because it uses spin_unlock_irq(), which, on m68k, uses hardirq_count(), which
uses preempt_count(), which needs to dereference struct task_struct, we
have to include sched.h. Because it would cause a loop inclusion, we
cannot include sched.h in any other of asm-m68k/system.h,
linux/thread_info.h, linux/hardirq.h, which leaves this ugly include in
a C file as the only simple solution.

Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@polymtl.ca>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Roman Zippel <zippel@linux-m68k.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agom32r: build fix for processors without ISA_DSP_LEVEL2
Hirokazu Takata [Sat, 10 Feb 2007 09:43:35 +0000 (01:43 -0800)]
m32r: build fix for processors without ISA_DSP_LEVEL2

Additional fixes for processors without ISA_DSP_LEVEL2.  sigcontext_t does not
have dummy_acc1h, dummy_acc1l members any longer.

Signed-off-by: Hirokazu Takata <takata@linux-m32r.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agohugetlb: preserve hugetlb pte dirty state
Ken Chen [Thu, 8 Feb 2007 22:20:27 +0000 (14:20 -0800)]
hugetlb: preserve hugetlb pte dirty state

__unmap_hugepage_range() is buggy that it does not preserve dirty state of
huge_pte when unmapping hugepage range.  It causes data corruption in the
event of dop_caches being used by sys admin.  For example, an application
creates a hugetlb file, modify pages, then unmap it.  While leaving the
hugetlb file alive, comes along sys admin doing a "echo 3 >
/proc/sys/vm/drop_caches".

drop_pagecache_sb() will happily free all pages that aren't marked dirty if
there are no active mapping.  Later when application remaps the hugetlb
file back and all data are gone, triggering catastrophic flip over on
application.

Not only that, the internal resv_huge_pages count will also get all messed
up.  Fix it up by marking page dirty appropriately.

Signed-off-by: Ken Chen <kenchen@google.com>
Cc: "Nish Aravamudan" <nish.aravamudan@gmail.com>
Cc: Adam Litke <agl@us.ibm.com>
Cc: David Gibson <david@gibson.dropbear.id.au>
Acked-by: William Irwin <bill.irwin@oracle.com>
Cc: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoenable mouse button 2+3 emulation for x86 macs
Soeren Sonnenburg [Thu, 8 Feb 2007 22:20:38 +0000 (14:20 -0800)]
enable mouse button 2+3 emulation for x86 macs

As macbook/macbook pro's also have to live with a single mouse button the
following patch just enables the Macintosh device drivers menu in Kconfig +
adds the macintosh dir to the obj-* to make macbook* users happy (who use
exactly that since months....

Signed-off-by: Soeren Sonnenburg <kernel@nn7.de>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agov9fs_vfs_mkdir(): fix a double free
Adrian Bunk [Thu, 8 Feb 2007 22:20:38 +0000 (14:20 -0800)]
v9fs_vfs_mkdir(): fix a double free

Fix a double free of "dfid" introduced by commit
da977b2c7eb4d6312f063a7b486f2aad99809710 and spotted by the Coverity
checker.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Cc: Eric Van Hensbergen <ericvh@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoufs: restore back support of openstep
Evgeniy Dushistov [Thu, 8 Feb 2007 22:20:25 +0000 (14:20 -0800)]
ufs: restore back support of openstep

This is a fix of regression, which triggered by ~2.6.16.

Patch with name ufs-directory-and-page-cache-from-blocks-to-pages.patch: in
additional to conversation from block to page cache mechanism added new
checks of directory integrity, one of them that directory entry do not
across directory chunks.

But some kinds of UFS: OpenStep UFS and Apple UFS (looks like these are the
same filesystems) have different directory chunk size, then common
UFSes(BSD and Solaris UFS).

So this patch adds ability to works with variable size of directory chunks,
and set it for ufstype=openstep to right size.

Tested on darwin ufs.

Signed-off-by: Evgeniy Dushistov <dushistov@mail.ru>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>