]> git.karo-electronics.de Git - karo-tx-linux.git/log
karo-tx-linux.git
14 years agoHID: fix oops in gyration_event()
Jiri Kosina [Tue, 23 Mar 2010 15:32:37 +0000 (16:32 +0100)]
HID: fix oops in gyration_event()

commit d8e4ebf8b603bdcd091540e6b5bddf0dec10d516 upstream.

Fix oops caused by dereferencing field->hidinput in cases where
the device hasn't been claimed by hid-input.

Reported-by: Andreas Demmer <mail@andreas-demmer.de>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agotty: release_one_tty() forgets to put pids
Oleg Nesterov [Fri, 2 Apr 2010 16:05:12 +0000 (18:05 +0200)]
tty: release_one_tty() forgets to put pids

commit 6da8d866d0d39e9509ff826660f6a86a6757c966 upstream.

release_one_tty(tty) can be called when tty still has a reference
to pgrp/session. In this case we leak the pid.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Reported-by: Catalin Marinas <catalin.marinas@arm.com>
Reported-and-tested-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agogenirq: Force MSI irq handlers to run with interrupts disabled
Thomas Gleixner [Wed, 31 Mar 2010 11:30:19 +0000 (13:30 +0200)]
genirq: Force MSI irq handlers to run with interrupts disabled

commit 753649dbc49345a73a2454c770a3f2d54d11aec6 upstream.

Network folks reported that directing all MSI-X vectors of their multi
queue NICs to a single core can cause interrupt stack overflows when
enough interrupts fire at the same time.

This is caused by the fact that we run interrupt handlers by default
with interrupts enabled unless the driver reuqests the interrupt with
the IRQF_DISABLED set. The NIC handlers do not set this flag, so
simultaneous interrupts can nest unlimited and cause the stack
overflow.

The only safe counter measure is to run the interrupt handlers with
interrupts disabled. We can't switch to this mode in general right
now, but it is safe to do so for MSI interrupts.

Force IRQF_DISABLED for MSI interrupt handlers.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Andi Kleen <andi@firstfloor.org>
Cc: Linus Torvalds <torvalds@osdl.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: David Miller <davem@davemloft.net>
Cc: Greg Kroah-Hartman <gregkh@suse.de>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoWATCHDOG: iTCO_wdt: TCO Watchdog patch for additional Intel Cougar Point DeviceIDs
Seth Heasley [Thu, 25 Mar 2010 23:14:41 +0000 (16:14 -0700)]
WATCHDOG: iTCO_wdt: TCO Watchdog patch for additional Intel Cougar Point DeviceIDs

commit 4c7d849204341dea19be941a3c1eb4bdffac9cc4 upstream.

This patch adds the Intel Cougar Point PCH LPC Controller DeviceIDs for iTCO Watchdog.

Signed-off-by: Seth Heasley <seth.heasley@intel.com>
Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoWATCHDOG: hpwdt - fix lower timeout limit
Thomas Mingarelli [Wed, 17 Mar 2010 15:33:31 +0000 (15:33 +0000)]
WATCHDOG: hpwdt - fix lower timeout limit

commit 8ba42bd88c6982fe224b09c33151c797b0fdf1a5 upstream.

[Novell Bug 581103] HP Watchdog driver has arbitrary (wrong) timeout limits.
Fix the lower timeout limit to a more appropriate value.

Signed-off-by: Thomas Mingarelli <Thomas.Mingarelli@hp.com>
Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosunxvr500: Ignore secondary output PCI devices.
David S. Miller [Sun, 4 Apr 2010 08:12:50 +0000 (01:12 -0700)]
sunxvr500: Ignore secondary output PCI devices.

[ Upstream commit bdd32ce95f79fb5cc964cd789d7ae4500bba7c6f ]

These just represent the secondary and further heads attached to the
card, and they have different sets of PCI bar registers to map.

So don't try to drive them in the main driver.

Reported-by: Frans van Berckel <fberckel@xs4all.nl>
Tested-by: Frans van Berckel <fberckel@xs4all.nl>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosparc: Fix regset register window handling.
David S. Miller [Thu, 1 Apr 2010 01:05:05 +0000 (18:05 -0700)]
sparc: Fix regset register window handling.

[ Upstream commit b857bd292223f54aaae3693c82fa7299a99991cd ]

We have to adjust 'reg_window' down by 16 becuase the 'pos' iterator
we'll use to index into the stack slots will be between 16 and 32.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agomac80211: tear down all agg queues when restart/reconfig hw
Wey-Yi Guy [Wed, 3 Feb 2010 17:28:55 +0000 (09:28 -0800)]
mac80211: tear down all agg queues when restart/reconfig hw

commit 74e2bd1fa3ae9695af566ad5a7a288898787b909 upstream.

When there is a need to restart/reconfig hw, tear down all the
aggregation queues and let the mac80211 and driver get in-sync to have
the opportunity to re-establish the aggregation queues again.

Need to wait until driver re-establish all the station information before tear
down the aggregation queues, driver(at least iwlwifi driver) will reject the
stop aggregation queue request if station is not ready. But also need to make
sure the aggregation queues are tear down before waking up the queues, so
mac80211 will not sending frames with aggregation bit set.

Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agomac80211: move netdev queue enabling to correct spot
Johannes Berg [Mon, 22 Mar 2010 20:42:43 +0000 (13:42 -0700)]
mac80211: move netdev queue enabling to correct spot

commit 7236fe29fd72d17074574ba312e7f1bb9d10abaa upstream.

"mac80211: fix skb buffering issue" still left a race
between enabling the hardware queues and the virtual
interface queues. In hindsight it's totally obvious
that enabling the netdev queues for a hardware queue
when the hardware queue is enabled is wrong, because
it could well possible that we can fill the hw queue
with packets we already have pending. Thus, we must
only enable the netdev queues once all the pending
packets have been processed and sent off to the device.

In testing, I haven't been able to trigger this race
condition, but it's clearly there, possibly only when
aggregation is being enabled.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agomac80211: fix PREQ processing and one small bug
Porsch, Marco [Wed, 24 Feb 2010 08:53:13 +0000 (09:53 +0100)]
mac80211: fix PREQ processing and one small bug

commit 533866b12cce484994163b1e201778cbac4c04c5 upstream.

1st) a PREQ should only be processed, if it has the same SN and better
metric (instead of better or equal).
2nd) next_hop[ETH_ALEN] now actually used to buffer
mpath->next_hop->sta.addr for use out of lock.

Signed-off-by: Marco Porsch <marco.porsch@siemens.com>
Acked-by: Javier Cardona <javier@cozybit.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosetup correct int pipe type in ar9170_usb_exec_cmd
Valentin Longchamp [Fri, 26 Mar 2010 10:44:33 +0000 (11:44 +0100)]
setup correct int pipe type in ar9170_usb_exec_cmd

commit 2d20c72c021d96f8b9230396c8e3782f204214ec upstream.

An int urb is constructed but we fill it in with a bulk pipe type.

Commit f661c6f8c67bd55e93348f160d590ff9edf08904 implemented a pipe type
check when CONFIG_USB_DEBUG is enabled. The check failed for all the ar9170
usb transfers and the driver could not configure the wifi dongle.

This went unnoticed until now because most people don't have
CONFIG_USB_DEBUG enabled.

Signed-off-by: Valentin Longchamp <valentin.longchamp@epfl.ch>
Acked-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoiwlwifi: range checking issue
Dan Carpenter [Sun, 28 Mar 2010 11:55:00 +0000 (14:55 +0300)]
iwlwifi: range checking issue

commit 8e1a53c615e8efe0fac670f2973da64758748a8a upstream.

IWL_RATE_COUNT is 13 and IWL_RATE_COUNT_LEGACY is 12.

IWL_RATE_COUNT_LEGACY is the right one here because iwl3945_rates
doesn't support 60M and also that's how "rates" is defined in
iwlcore_init_geos() from drivers/net/wireless/iwlwifi/iwl-core.c.

        rates = kzalloc((sizeof(struct ieee80211_rate) * IWL_RATE_COUNT_LEGACY),
                        GFP_KERNEL);

Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoiwlwifi: counting number of tfds can be free for 4965
Wey-Yi Guy [Thu, 18 Mar 2010 16:05:00 +0000 (09:05 -0700)]
iwlwifi: counting number of tfds can be free for 4965

commit be6b38bcb175613f239e0b302607db346472c6b6 upstream.

Forget one hunk in 4965 during "iwlwifi: error checking for number of tfds
in queue" patch.

Reported-by: Shanyu Zhao <shanyu.zhao@intel.com>
Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoiwlwifi: fix regulatory
Reinette Chatre [Fri, 12 Mar 2010 19:13:26 +0000 (11:13 -0800)]
iwlwifi: fix regulatory

commit f6c8f1523a2de3b84340e45913cbcee8bee74570 upstream.

Commit "cfg80211: convert bools into flags" mistakenly modified iwlwifi's
regulatory settings instead of just converting it. Fix this.

This fixes http://bugzilla.intellinuxwireless.org/show_bug.cgi?id=2172

Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoFreezer: Fix buggy resume test for tasks frozen with cgroup freezer
Matt Helsley [Fri, 26 Mar 2010 22:51:44 +0000 (23:51 +0100)]
Freezer: Fix buggy resume test for tasks frozen with cgroup freezer

commit 5a7aadfe2fcb0f69e2acc1fbefe22a096e792fc9 upstream.

When the cgroup freezer is used to freeze tasks we do not want to thaw
those tasks during resume. Currently we test the cgroup freezer
state of the resuming tasks to see if the cgroup is FROZEN.  If so
then we don't thaw the task. However, the FREEZING state also indicates
that the task should remain frozen.

This also avoids a problem pointed out by Oren Ladaan: the freezer state
transition from FREEZING to FROZEN is updated lazily when userspace reads
or writes the freezer.state file in the cgroup filesystem. This means that
resume will thaw tasks in cgroups which should be in the FROZEN state if
there is no read/write of the freezer.state file to trigger this
transition before suspend.

NOTE: Another "simple" solution would be to always update the cgroup
freezer state during resume. However it's a bad choice for several reasons:
Updating the cgroup freezer state is somewhat expensive because it requires
walking all the tasks in the cgroup and checking if they are each frozen.
Worse, this could easily make resume run in N^2 time where N is the number
of tasks in the cgroup. Finally, updating the freezer state from this code
path requires trickier locking because of the way locks must be ordered.

Instead of updating the freezer state we rely on the fact that lazy
updates only manage the transition from FREEZING to FROZEN. We know that
a cgroup with the FREEZING state may actually be FROZEN so test for that
state too. This makes sense in the resume path even for partially-frozen
cgroups -- those that really are FREEZING but not FROZEN.

Reported-by: Oren Ladaan <orenl@cs.columbia.edu>
Signed-off-by: Matt Helsley <matthltc@us.ibm.com>
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agox86,kgdb: Always initialize the hw breakpoint attribute
Jason Wessel [Tue, 30 Mar 2010 19:05:07 +0000 (14:05 -0500)]
x86,kgdb: Always initialize the hw breakpoint attribute

commit ab310b5edb8b601bcb02491ed6f7676da4fd1757 upstream.

It is required to call hw_breakpoint_init() on an attr before using it
in any other calls.  This fixes the problem where kgdb will sometimes
fail to initialize on x86_64.

Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Cc: Ingo Molnar <mingo@elte.hu>
LKML-Reference: <1269975907-27602-1-git-send-email-jason.wessel@windriver.com>
Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agolibiscsi: Fix recovery slowdown regression
Mike Christie [Tue, 9 Mar 2010 20:14:51 +0000 (14:14 -0600)]
libiscsi: Fix recovery slowdown regression

commit 4ae0a6c15efcc37e94e3f30e3533bdec03c53126 upstream.

We could be failing/stopping a connection due to libiscsi starting
recovery/cleanup, but the xmit path or scsi eh thread path
could be dropping the connection at the same time.

As a result the session->state gets set to failed instead of in
recovery. We end up not blocking the session
and so the replacement timeout never gets started and we only end up
failing the IO when scsi_softirq_done sees that the
cmd has been running for (cmd->allowed + 1) * rq->timeout secs.

We used to fail the IO right away so users are seeing a long
delay when using dm-multipath. This problem was added in
2.6.28.

Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoreiserfs: Fix locking BUG during mount failure
Jeff Mahoney [Mon, 29 Mar 2010 19:12:39 +0000 (15:12 -0400)]
reiserfs: Fix locking BUG during mount failure

commit b7b7fa43103a9fb30dbcc60cbd5161fdfc25f904 upstream.

Commit 8ebc423238341b52912c7295b045a32477b33f09 (reiserfs: kill-the-BKL)
introduced a bug in the mount failure case.

The error label releases the lock before calling journal_release_error,
but it requires that the lock be held. do_journal_release unlocks and
retakes it. When it releases it without it held, we trigger a BUG().

The error_alloc label skips the unlock since the lock isn't held yet
but none of the other conditions that are clean up exist yet either.

This patch returns immediately after the kzalloc failure and moves
the reiserfs_write_unlock after the journal_release_error call.

This was reported in https://bugzilla.novell.com/show_bug.cgi?id=591807

Reported-by: Thomas Siedentopf <thomas.siedentopf@novell.com>
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Cc: Thomas Siedentopf <thomas.siedentopf@novell.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosh: Enable the mmu in start_secondary()
Matt Fleming [Sun, 28 Mar 2010 20:08:25 +0000 (20:08 +0000)]
sh: Enable the mmu in start_secondary()

commit 4bea3418c737891894b9d3d3e9f8bbd67d66fa38 upstream.

For the boot, enable_mmu() is called from setup_arch() but we don't call
setup_arch() for any of the other cpus. So turn on the non-boot cpu's
mmu inside of start_secondary().

I noticed this bug on an SMP board when trying to map I/O memory
(smsc911x registers) into the kernel address space. Since the Address
Translation bit in MMUCR wasn't set, accessing the virtual address where
the smsc911x registers were supposedly mapped actually performed a
physical address access.

Signed-off-by: Matt Fleming <matt@console-pimps.org>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosh: Fix FDPIC binary loader
Andrew Stubbs [Mon, 29 Mar 2010 03:04:19 +0000 (12:04 +0900)]
sh: Fix FDPIC binary loader

commit d5ab780305bb6d60a7b5a74f18cf84eb6ad153b1 upstream.

Ensure that the aux table is properly initialized, even when optional
features are missing. Without this, the FDPIC loader did not work.

Signed-off-by: Andrew Stubbs <ams@codesourcery.com>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agodrm: Return ENODEV if the inode mapping changes
Chris Wilson [Thu, 18 Mar 2010 11:56:54 +0000 (11:56 +0000)]
drm: Return ENODEV if the inode mapping changes

commit da58405860b992d2bb21ebae5d685fe3204dd3f0 upstream.

Replace a BUG_ON with an error code in the event that the inode mapping
changes between calls to drm_open. This may happen for instance if udev
is loaded subsequent to the original opening of the device:

[  644.291870] kernel BUG at drivers/gpu/drm/drm_fops.c:146!
[  644.291876] invalid opcode: 0000 [#1] SMP
[  644.291882] last sysfs file: /sys/kernel/uevent_seqnum
[  644.291888]
[  644.291895] Pid: 7276, comm: lt-cairo-test-s Not tainted 2.6.34-rc1 #2 N150/N210/N220             /N150/N210/N220
[  644.291903] EIP: 0060:[<c11c70e3>] EFLAGS: 00210283 CPU: 0
[  644.291912] EIP is at drm_open+0x4b1/0x4e2
[  644.291918] EAX: f72d8d18 EBX: f790a400 ECX: f73176b8 EDX: 00000000
[  644.291923] ESI: f790a414 EDI: f790a414 EBP: f647ae20 ESP: f647adfc
[  644.291929]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[  644.291937] Process lt-cairo-test-s (pid: 7276, ti=f647a000 task=f73f5c80 task.ti=f647a000)
[  644.291941] Stack:
[  644.291945]  00000000 f7bb7400 00000080 f6451100 f73176b8 f6479214 f6451100 f73176b8
[  644.291957] <0> c1297ce0 f647ae34 c11c6c04 f73176b8 f7949800 00000000 f647ae54 c1080ac5
[  644.291969] <0> f7949800 f6451100 00000000 f6451100 f73176b8 f6452780 f647ae70 c107d1e6
[  644.291982] Call Trace:
[  644.291991]  [<c11c6c04>] ? drm_stub_open+0x8a/0xb8
[  644.292000]  [<c1080ac5>] ? chrdev_open+0xef/0x106
[  644.292008]  [<c107d1e6>] ? __dentry_open+0xd4/0x1a6
[  644.292015]  [<c107d35b>] ? nameidata_to_filp+0x31/0x45
[  644.292022]  [<c10809d6>] ? chrdev_open+0x0/0x106
[  644.292030]  [<c10864e2>] ? do_last+0x346/0x423
[  644.292037]  [<c108789f>] ? do_filp_open+0x190/0x415
[  644.292046]  [<c1071eb5>] ? handle_mm_fault+0x214/0x710
[  644.292053]  [<c107d008>] ? do_sys_open+0x4d/0xe9
[  644.292061]  [<c1016462>] ? do_page_fault+0x211/0x23f
[  644.292068]  [<c107d0f0>] ? sys_open+0x23/0x2b
[  644.292075]  [<c1002650>] ? sysenter_do_call+0x12/0x26
[  644.292079] Code: 89 f0 89 55 dc e8 8d 96 0a 00 8b 45 e0 8b 55 dc 83 78 04 01 75 28 8b 83 18 02 00 00 85 c0 74 0f 8b 4d ec 3b 81 ac 00 00 00 74 13 <0f> 0b eb fe 8b 4d ec 8b 81 ac 00 00 00 89 83 18 02 00 00 89 f0
[  644.292143] EIP: [<c11c70e3>] drm_open+0x4b1/0x4e2 SS:ESP 0068:f647adfc
[  644.292175] ---[ end trace 2ddd476af89a60fa ]---

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agodrm/radeon/kms: fix pal tv-out support on legacy IGP chips
Alex Deucher [Wed, 10 Mar 2010 23:33:03 +0000 (18:33 -0500)]
drm/radeon/kms: fix pal tv-out support on legacy IGP chips

commit 15f7207761cfcf8f53fb6e5cacffe060478782c3 upstream.

Based on ddx patch by Andrzej Hajda.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agodrm/radeon/kms: don't print error on -ERESTARTSYS.
Dave Airlie [Fri, 19 Mar 2010 00:33:44 +0000 (10:33 +1000)]
drm/radeon/kms: don't print error on -ERESTARTSYS.

commit 97f23b3d85a4d734a8584dade3a34579931c8f8d upstream.

We can get this if the user moves the mouse when we are waiting to move
some stuff around in the validate. Don't fail.

Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agodrm/radeon/kms: Fix NULL pointer dereference if memory allocation failed in a simple way
Stefan Lippers-Hollmann [Tue, 6 Apr 2010 21:45:38 +0000 (23:45 +0200)]
drm/radeon/kms: Fix NULL pointer dereference if memory allocation failed in a simple way

> From: Pauli Nieminen <suokkos@gmail.com>
> Date: Fri, 19 Mar 2010 07:44:33 +0000
> Subject: drm/radeon/kms: Fix NULL pointer dereference if memory allocation failed.
>
> From: Pauli Nieminen <suokkos@gmail.com>
>
> commit fcbc451ba1948fba967198bd150ecbd10bbb7075 upstream.
>
> When there is allocation failure in radeon_cs_parser_relocs parser->nrelocs
> is not cleaned. This causes NULL pointer defeference in radeon_cs_parser_fini
> when clean up code is trying to loop over the relocation array and free the
> objects.
>
> Fix adds a check for a possible NULL pointer in clean up code.
[...]

This patch breaks compiling kernel 2.6.33 + the current stable queue:

  CC [M]  drivers/gpu/drm/radeon/radeon_cs.o
/tmp/buildd/linux-sidux-2.6-2.6.33/debian/build/source_amd64_none/drivers/gpu/drm/radeon/radeon_cs.c: In function 'radeon_cs_parser_fini':
/tmp/buildd/linux-sidux-2.6-2.6.33/debian/build/source_amd64_none/drivers/gpu/drm/radeon/radeon_cs.c:200: error: implicit declaration of function 'drm_gem_object_unreference_unlocked'
make[6]: *** [drivers/gpu/drm/radeon/radeon_cs.o] Error 1

as it depends on the introduction of drm_gem_object_unreference_unlocked()
in:

Commit:     c3ae90c099bb62387507e86da7cf799850444b08
Author:     Luca Barbieri <luca@luca-barbieri.com>
AuthorDate: Tue Feb 9 05:49:11 2010 +0000

    drm: introduce drm_gem_object_[handle_]unreference_unlocked

    This patch introduces the drm_gem_object_unreference_unlocked
    and drm_gem_object_handle_unreference_unlocked functions that
    do not require holding struct_mutex.

    drm_gem_object_unreference_unlocked calls the new
    ->gem_free_object_unlocked entry point if available, and
    otherwise just takes struct_mutex and just calls ->gem_free_object

which in turn suggests:

Commit:     bc9025bdc4e2b591734cca17697093845007b63d
Author:     Luca Barbieri <luca@luca-barbieri.com>
AuthorDate: Tue Feb 9 05:49:12 2010 +0000

    Use drm_gem_object_[handle_]unreference_unlocked where possible

    Mostly obvious simplifications.

    The i915 pread/pwrite ioctls, intel_overlay_put_image and
    nouveau_gem_new were incorrectly using the locked versions
    without locking: this is also fixed in this patch.

which don't really look like candidates for 2.6.33-stable.

> --- a/drivers/gpu/drm/radeon/radeon_cs.c
> +++ b/drivers/gpu/drm/radeon/radeon_cs.c
> @@ -193,11 +193,13 @@ static void radeon_cs_parser_fini(struct
>   radeon_bo_list_fence(&parser->validated, parser->ib->fence);
>   }
>   radeon_bo_list_unreserve(&parser->validated);
> - for (i = 0; i < parser->nrelocs; i++) {
> - if (parser->relocs[i].gobj) {
> - mutex_lock(&parser->rdev->ddev->struct_mutex);
> - drm_gem_object_unreference(parser->relocs[i].gobj);
> - mutex_unlock(&parser->rdev->ddev->struct_mutex);
> + if (parser->relocs != NULL) {
    ^ the only important part, the rest merely covers the new indentation
     level

> + for (i = 0; i < parser->nrelocs; i++) {
> + if (parser->relocs[i].gobj) {
> + mutex_lock(&parser->rdev->ddev->struct_mutex);
> + drm_gem_object_unreference_unlocked(parser->relocs[i].gobj);
   ^ drm_gem_object_unreference_unlocked() doesn't exist in 2.6.33, yet
     we can use drm_gem_object_unreference() instead.

> + mutex_unlock(&parser->rdev->ddev->struct_mutex);
> + }
>   }
>   }
>   kfree(parser->track);

As a consequence, I'd suggest to merely backport the NULL pointer check,
while ignoring the simplification of using the newly introduced
drm_gem_object_unreference_unlocked() from 2.6.34:

Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Cc: Pauli Nieminen <suokkos@gmail.com>
Cc: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agodrm/radeon/kms: never treat rs4xx as AGP
Alex Deucher [Sun, 21 Mar 2010 18:02:25 +0000 (14:02 -0400)]
drm/radeon/kms: never treat rs4xx as AGP

commit f95df9ca6896978108201a77422a1ae2cdc595ec upstream.

RS4xx+ IGP chips use an internal gart, however,
some of them have the agp cap bits set in their pci
configs.  Make sure to clear the AGP flag as AGP will
not work with them.

Should fix fdo bug 27225

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agooom: fix the unsafe usage of badness() in proc_oom_score()
Oleg Nesterov [Thu, 1 Apr 2010 13:13:57 +0000 (15:13 +0200)]
oom: fix the unsafe usage of badness() in proc_oom_score()

commit b95c35e76b29ba812e5dabdd91592e25ec640e93 upstream.

proc_oom_score(task) has a reference to task_struct, but that is all.
If this task was already released before we take tasklist_lock

- we can't use task->group_leader, it points to nowhere

- it is not safe to call badness() even if this task is
  ->group_leader, has_intersects_mems_allowed() assumes
  it is safe to iterate over ->thread_group list.

- even worse, badness() can hit ->signal == NULL

Add the pid_alive() check to ensure __unhash_process() was not called.

Also, use "task" instead of task->group_leader. badness() should return
the same result for any sub-thread. Currently this is not true, but
this should be changed anyway.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agofat: fix buffer overflow in vfat_create_shortname()
Nikolaus Schulz [Wed, 31 Mar 2010 17:21:10 +0000 (02:21 +0900)]
fat: fix buffer overflow in vfat_create_shortname()

commit 30d1872d9eb3663b4cf7bdebcbf5cd465674cced upstream.

When using the string representation of a random counter as part of the base
name, ensure that it is no longer than 4 bytes.

Since we are repeatedly decrementing the counter in a loop until we have found a
unique base name, the counter may wrap around zero; therefore, it is not enough
to mask its higher bits before entering the loop, this must be done inside the
loop.

[hirofumi@mail.parknet.co.jp: use snprintf()]
Signed-off-by: Nikolaus Schulz <microschulz@web.de>
Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agodrm: remove the EDID blob stored in the EDID property when it is disconnected
Zhao Yakui [Thu, 4 Mar 2010 08:25:55 +0000 (08:25 +0000)]
drm: remove the EDID blob stored in the EDID property when it is disconnected

commit 725398322d05486109375fbb85c3404108881e17 upstream.

Now the EDID property will be updated when the corresponding EDID can be
obtained from the external display device. But after the external device
is plugged-out, the EDID property is not updated. In such case we still
get the corresponding EDID property although it is already detected as
disconnected.

https://bugs.freedesktop.org/show_bug.cgi?id=26743

Signed-off-by: Zhao Yakui <yakui.zhao@intel.com>
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agodrm/radeon: add new RS880 pci id
Alex Deucher [Wed, 3 Mar 2010 18:39:13 +0000 (13:39 -0500)]
drm/radeon: add new RS880 pci id

commit 338e2b1d571e4873908b199c90d6a31f65137fe3 upstream.

This should go to 2.6.33 stable as well.

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agodrm/edid: allow certain bogus edids to hit a fixup path rather than fail
Ben Skeggs [Wed, 17 Feb 2010 23:12:09 +0000 (09:12 +1000)]
drm/edid: allow certain bogus edids to hit a fixup path rather than fail

commit 44fef22416886a04d432043f741a6faf2c6ffefd upstream.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoLinux 2.6.33.2 v2.6.33.2
Greg Kroah-Hartman [Thu, 1 Apr 2010 23:02:33 +0000 (16:02 -0700)]
Linux 2.6.33.2

14 years agopata_via: fix VT6410/6415/6330 detection issue
JosephChan@via.com.tw [Thu, 25 Mar 2010 12:51:47 +0000 (20:51 +0800)]
pata_via: fix VT6410/6415/6330 detection issue

commit bc8a67386fd462914269fa93446e1891955a8bb3 upstream.

When using VT6410/6415/6330 chips on some VIA's platforms, the HDD
connection to VT6410/6415/6330 cannot be detected.

It is because the driver detects wrong via_isa_bridge ID, and then
causes this issue to happen.

Signed-off-by: Joseph Chan <josephchan@via.com.tw>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoGFS2: Skip check for mandatory locks when unlocking
Sachin Prabhu [Thu, 11 Mar 2010 17:24:45 +0000 (12:24 -0500)]
GFS2: Skip check for mandatory locks when unlocking

commit 720e7749279bde0d08684b1bb4e7a2eedeec6394 upstream.

gfs2_lock() will skip locks on file which have mode set to 02666. This is a problem in cases where the mode of the file is changed after a process has obtained a lock on the file. Such a lock will be skipped and will result in a BUG in locks_remove_flock().

gfs2_lock() should skip the check for mandatory locks when unlocking a file.

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Signed-off-by: Steven Whitehouse <swhiteho@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoclassmate-laptop: use a single MODULE_DEVICE_TABLE to get correct aliases
Thadeu Lima de Souza Cascardo [Tue, 9 Feb 2010 22:37:27 +0000 (17:37 -0500)]
classmate-laptop: use a single MODULE_DEVICE_TABLE to get correct aliases

commit 02e77a55f7b7e36888e39c62439fedb90ae4e808 upstream.

Instead of a MODULE_DEVICE_TABLE for every acpi_driver ids table, we
create a table containing all ids to export to get a module alias for
each one.

This will fix automatic loading of the driver when one of the ACPI
devices is not present (like the accelerometer, which is not present in
some models).

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@holoscopio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agox86: Fix sched_clock_cpu for systems with unsynchronized TSC
Dimitri Sivanich [Mon, 1 Mar 2010 17:48:15 +0000 (11:48 -0600)]
x86: Fix sched_clock_cpu for systems with unsynchronized TSC

commit 14be1f7454ea96ee614467a49cf018a1a383b189 upstream.

On UV systems, the TSC is not synchronized across blades.  The
sched_clock_cpu() function is returning values that can go
backwards  (I've seen as much as 8 seconds) when switching
between cpus.

As each cpu comes up, early_init_intel() will currently set the
sched_clock_stable flag true.  When mark_tsc_unstable() runs, it
clears the flag, but this only occurs once (the first time a cpu
comes up whose TSC is not synchronized with cpu 0).  After this,
early_init_intel() will set the flag again as the next cpu comes
up.

Only set sched_clock_stable if tsc has not been marked unstable.

Signed-off-by: Dimitri Sivanich <sivanich@sgi.com>
Acked-by: Venkatesh Pallipadi <venkatesh.pallipadi@intel.com>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
LKML-Reference: <20100301174815.GC8224@sgi.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agob43: Workaround circular locking in hw-tkip key update callback
Michael Buesch [Fri, 19 Mar 2010 15:38:33 +0000 (10:38 -0500)]
b43: Workaround circular locking in hw-tkip key update callback

commit 96869a39399269a776a94812e9fff3d38b47d838 upstream

The TKIP key update callback is called from the RX path, where the driver
mutex is already locked. This results in a circular locking bug.
Avoid this by removing the lock.

Johannes noted that there is a separate bug: The callback still breaks on SDIO
hardware, because SDIO hardware access needs to sleep, but we are not allowed
to sleep in the callback due to mac80211's RCU locking.

Signed-off-by: Michael Buesch <mb@bu3sch.de>
Tested-by: Larry Finger <Larry.Finger@lwfinger.net>
Reported-by: kecsa@kutfo.hit.bme.hu
Cc: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoBluetooth: Fix kernel crash on L2CAP stress tests
Andrei Emeltchenko [Fri, 19 Mar 2010 08:26:28 +0000 (10:26 +0200)]
Bluetooth: Fix kernel crash on L2CAP stress tests

commit c2c77ec83bdad17fb688557b5b3fdc36661dd1c6 upstream.

Added very simple check that req buffer has enough space to
fit configuration parameters. Shall be enough to reject packets
with configuration size more than req buffer.

Crash trace below

[ 6069.659393] Unable to handle kernel paging request at virtual address 02000205
[ 6069.673034] Internal error: Oops: 805 [#1] PREEMPT
...
[ 6069.727172] PC is at l2cap_add_conf_opt+0x70/0xf0 [l2cap]
[ 6069.732604] LR is at l2cap_recv_frame+0x1350/0x2e78 [l2cap]
...
[ 6070.030303] Backtrace:
[ 6070.032806] [<bf1c2880>] (l2cap_add_conf_opt+0x0/0xf0 [l2cap]) from
[<bf1c6624>] (l2cap_recv_frame+0x1350/0x2e78 [l2cap])
[ 6070.043823]  r8:dc5d3100 r7:df2a91d6 r6:00000001 r5:df2a8000 r4:00000200
[ 6070.050659] [<bf1c52d4>] (l2cap_recv_frame+0x0/0x2e78 [l2cap]) from
[<bf1c8408>] (l2cap_recv_acldata+0x2bc/0x350 [l2cap])
[ 6070.061798] [<bf1c814c>] (l2cap_recv_acldata+0x0/0x350 [l2cap]) from
[<bf0037a4>] (hci_rx_task+0x244/0x478 [bluetooth])
[ 6070.072631]  r6:dc647700 r5:00000001 r4:df2ab740
[ 6070.077362] [<bf003560>] (hci_rx_task+0x0/0x478 [bluetooth]) from
[<c006b9fc>] (tasklet_action+0x78/0xd8)
[ 6070.087005] [<c006b984>] (tasklet_action+0x0/0xd8) from [<c006c160>]

Signed-off-by: Andrei Emeltchenko <andrei.emeltchenko@nokia.com>
Acked-by: Gustavo F. Padovan <gustavo@padovan.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoBluetooth: Fix potential bad memory access with sysfs files
Marcel Holtmann [Mon, 15 Mar 2010 21:12:58 +0000 (14:12 -0700)]
Bluetooth: Fix potential bad memory access with sysfs files

commit 101545f6fef4a0a3ea8daf0b5b880df2c6a92a69 upstream.

When creating a high number of Bluetooth sockets (L2CAP, SCO
and RFCOMM) it is possible to scribble repeatedly on arbitrary
pages of memory. Ensure that the content of these sysfs files is
always less than one page. Even if this means truncating. The
files in question are scheduled to be moved over to debugfs in
the future anyway.

Based on initial patches from Neil Brown and Linus Torvalds

Reported-by: Neil Brown <neilb@suse.de>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoahci: use BIOS date in broken_suspend list
Tejun Heo [Tue, 16 Mar 2010 00:50:26 +0000 (09:50 +0900)]
ahci: use BIOS date in broken_suspend list

commit 9deb343189b3cf45e84dd08480f330575ffe2004 upstream.

HP is recycling both DMI_PRODUCT_NAME and DMI_BIOS_VERSION making
ahci_broken_suspend() trigger for later products which are not
affected by the original problems.  Match BIOS date instead of version
and add references to bko's so that full information can be found
easier later.

This fixes http://bugzilla.kernel.org/show_bug.cgi?id=15462

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: tigerfishdaisy@gmail.com
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoquota: Fix warning when a delayed write happens before quota is enabled
Jan Kara [Tue, 9 Feb 2010 17:20:39 +0000 (18:20 +0100)]
quota: Fix warning when a delayed write happens before quota is enabled

commit 0a5a9c725512461d19397490f3adf29931dca1f2 upstream.

If a delayed-allocation write happens before quota is enabled, the
kernel spits out a warning:
WARNING: at fs/quota/dquot.c:988 dquot_claim_space+0x77/0x112()

because the fact that user has some delayed allocation is not recorded
in quota structure.

Make dquot_initialize() update amount of reserved space for user if it sees
inode has some space reserved. Also make sure that reserved quota space does
not go negative and we warn about the filesystem bug just once.

Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoquota: manage reserved space when quota is not active [v2]
Dmitry Monakhov [Tue, 9 Feb 2010 16:53:36 +0000 (17:53 +0100)]
quota: manage reserved space when quota is not active [v2]

commit c469070aea5a0ada45a836937c776fd3083dae2b upstream.

Since we implemented generic reserved space management interface,
then it is possible to account reserved space even when quota
is not active (similar to i_blocks/i_bytes).

Without this patch following testcase result in massive comlain from
WARN_ON in dquot_claim_space()

TEST_CASE:
mount /dev/sdb /mnt -oquota
dd if=/dev/zero of=/mnt/test bs=1M count=1
quotaon /mnt
# fs_reserved_spave == 1Mb
# quota_reserved_space == 0, because quota was disabled
dd if=/dev/zero of=/mnt/test seek=1 bs=1M count=1
# fs_reserved_spave == 2Mb
# quota_reserved_space == 1Mb
sync  # ->dquot_claim_space() -> WARN_ON

Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agotcp: Fix tcp_make_synack()
Eric Dumazet [Mon, 8 Mar 2010 19:32:01 +0000 (11:32 -0800)]
tcp: Fix tcp_make_synack()

[ Upstream commit 28b2774a0d5852236dab77a4147b8b88548110f1 ]

Commit 4957faad (TCPCT part 1g: Responder Cookie => Initiator), part
of TCP_COOKIE_TRANSACTION implementation, forgot to correctly size
synack skb in case user data must be included.

Many thanks to Mika Pentillä for spotting this error.

Reported-by: Penttillä Mika <mika.penttila@ixonos.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agotcp: Fix OOB POLLIN avoidance.
Alexandra Kossovsky [Fri, 19 Mar 2010 03:29:24 +0000 (20:29 -0700)]
tcp: Fix OOB POLLIN avoidance.

[ Upstream commit b634f87522dff87712df8bda2a6c9061954d552a ]

From: Alexandra.Kossovsky@oktetlabs.ru

Fixes kernel bugzilla #15541

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agotcp: Fix tcp_mark_head_lost() with packets == 0
Lennart Schulte [Wed, 17 Mar 2010 02:16:29 +0000 (02:16 +0000)]
tcp: Fix tcp_mark_head_lost() with packets == 0

[ Upstream commit 6830c25b7d08fbbd922959425193791bc42079f2 ]

A packet is marked as lost in case packets == 0, although nothing should be done.
This results in a too early retransmitted packet during recovery in some cases.
This small patch fixes this issue by returning immediately.

Signed-off-by: Lennart Schulte <lennart.schulte@nets.rwth-aachen.de>
Signed-off-by: Arnd Hannemann <hannemann@nets.rwth-aachen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoskbuff: remove unused dma_head & dma_maps fields
Alexander Duyck [Tue, 23 Mar 2010 20:40:50 +0000 (20:40 +0000)]
skbuff: remove unused dma_head & dma_maps fields

[ Upstream commit 03e6d819c2cb2cc8ce5642669a0a7c72336ee7a2 ]

The dma map fields in the skb_shared_info structure no longer has any users
and can be dropped since it is making the skb_shared_info unecessarily larger.

Running slabtop show that we were using 4K slabs for the skb->head on x86_64 w/
an allocation size of 1522.  It turns out that the dma_head and dma_maps array
made skb_shared large enough that we had crossed over the 2k boundary with
standard frames and as such we were using 4k blocks of memory for all skbs.

Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agonet: Potential null skb->dev dereference
Eric Dumazet [Tue, 30 Mar 2010 04:33:28 +0000 (21:33 -0700)]
net: Potential null skb->dev dereference

[ Upstream commit 0641e4fbf2f824faee00ea74c459a088d94905fd ]

When doing "ifenslave -d bond0 eth0", there is chance to get NULL
dereference in netif_receive_skb(), because dev->master suddenly becomes
NULL after we tested it.

We should use ACCESS_ONCE() to avoid this (or rcu_dereference())

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agor8169: offical fix for CVE-2009-4537 (overlength frame DMAs)
Neil Horman [Mon, 29 Mar 2010 20:16:02 +0000 (13:16 -0700)]
r8169: offical fix for CVE-2009-4537 (overlength frame DMAs)

[ Upstream commit c0cd884af045338476b8e69a61fceb3f34ff22f1 ]

Official patch to fix the r8169 frame length check error.

Based on this initial thread:
http://marc.info/?l=linux-netdev&m=126202972828626&w=1
This is the official patch to fix the frame length problems in the r8169
driver.  As noted in the previous thread, while this patch incurs a performance
hit on the driver, its possible to improve performance dynamically by updating
the mtu and rx_copybreak values at runtime to return performance to what it was
for those NICS which are unaffected by the ideosyncracy (if there are any).

Summary:

    A while back Eric submitted a patch for r8169 in which the proper
allocated frame size was written to RXMaxSize to prevent the NIC from dmaing too
much data.  This was done in commit fdd7b4c3302c93f6833e338903ea77245eb510b4.  A
long time prior to that however, Francois posted
126fa4b9ca5d9d7cb7d46f779ad3bd3631ca387c, which expiclitly disabled the MaxSize
setting due to the fact that the hardware behaved in odd ways when overlong
frames were received on NIC's supported by this driver.  This was mentioned in a
security conference recently:
http://events.ccc.de/congress/2009/Fahrplan//events/3596.en.html

It seems that if we can't enable frame size filtering, then, as Eric correctly
noticed, we can find ourselves DMA-ing too much data to a buffer, causing
corruption.  As a result is seems that we are forced to allocate a frame which
is ready to handle a maximally sized receive.

This obviously has performance issues with it, so to mitigate that issue, this
patch does two things:

1) Raises the copybreak value to the frame allocation size, which should force
appropriately sized packets to get allocated on rx, rather than a full new 16k
buffer.

2) This patch only disables frame filtering initially (i.e., during the NIC
open), changing the MTU results in ring buffer allocation of a size in relation
to the new mtu (along with a warning indicating that this is dangerous).

Because of item (2), individuals who can't cope with the performance hit (or can
otherwise filter frames to prevent the bug), or who have hardware they are sure
is unaffected by this issue, can manually lower the copybreak and reset the mtu
such that performance is restored easily.

Signed-off-by: Neil Horman <nhorman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agonetlink: fix unaligned access in nla_get_be64()
Pablo Neira Ayuso [Tue, 16 Mar 2010 13:30:44 +0000 (13:30 +0000)]
netlink: fix unaligned access in nla_get_be64()

[ Upstream commit f5d410f2ea7ba340f11815a56e05b9fa9421c421 ]

This patch fixes a unaligned access in nla_get_be64() that was
introduced by myself in a17c859849402315613a0015ac8fbf101acf0cc1.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agonetfilter: ctnetlink: fix reliable event delivery if message building fails
Pablo Neira Ayuso [Tue, 30 Mar 2010 04:28:23 +0000 (21:28 -0700)]
netfilter: ctnetlink: fix reliable event delivery if message building fails

[ Upstream commit 37b7ef7203240b3aba577bb1ff6765fe15225976 ]

This patch fixes a bug that allows to lose events when reliable
event delivery mode is used, ie. if NETLINK_BROADCAST_SEND_ERROR
and NETLINK_RECV_NO_ENOBUFS socket options are set.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agonetlink: fix NETLINK_RECV_NO_ENOBUFS in netlink_set_err()
Pablo Neira Ayuso [Thu, 18 Mar 2010 14:24:42 +0000 (14:24 +0000)]
netlink: fix NETLINK_RECV_NO_ENOBUFS in netlink_set_err()

[ Upstream commit 1a50307ba1826e4da0024e64b245ce4eadf7688a ]

Currently, ENOBUFS errors are reported to the socket via
netlink_set_err() even if NETLINK_RECV_NO_ENOBUFS is set. However,
that should not happen. This fixes this problem and it changes the
prototype of netlink_set_err() to return the number of sockets that
have set the NETLINK_RECV_NO_ENOBUFS socket option. This return
value is used in the next patch in these bugfix series.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoNET_DMA: free skbs periodically
Steven J. Magnani [Tue, 16 Mar 2010 05:22:44 +0000 (05:22 +0000)]
NET_DMA: free skbs periodically

[ Upstream commit 73852e8151b7d7a529fbe019ab6d2d0c02d8f3f2 ]

Under NET_DMA, data transfer can grind to a halt when userland issues a
large read on a socket with a high RCVLOWAT (i.e., 512 KB for both).
This appears to be because the NET_DMA design queues up lots of memcpy
operations, but doesn't issue or wait for them (and thus free the
associated skbs) until it is time for tcp_recvmesg() to return.
The socket hangs when its TCP window goes to zero before enough data is
available to satisfy the read.

Periodically issue asynchronous memcpy operations, and free skbs for ones
that have completed, to prevent sockets from going into zero-window mode.

Signed-off-by: Steven J. Magnani <steve@digidescorp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoipv6: Don't drop cache route entry unless timer actually expired.
YOSHIFUJI Hideaki / 吉藤英明 [Sun, 28 Mar 2010 07:15:45 +0000 (07:15 +0000)]
ipv6: Don't drop cache route entry unless timer actually expired.

[ Upstream commit 54c1a859efd9fd6cda05bc700315ba2519c14eba ]

This is ipv6 variant of the commit 5e016cbf6.. ("ipv4: Don't drop
redirected route cache entry unless PTMU actually expired")
by Guenter Roeck <guenter.roeck@ericsson.com>.

Remove cache route entry in ipv6_negative_advice() only if
the timer is expired.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoipv4: Don't drop redirected route cache entry unless PTMU actually expired
Guenter Roeck [Mon, 22 Mar 2010 03:55:13 +0000 (20:55 -0700)]
ipv4: Don't drop redirected route cache entry unless PTMU actually expired

[ Upstream commit 5e016cbf6cffd4a53b7922e0c91b775399d7fe47 ]

TCP sessions over IPv4 can get stuck if routers between endpoints
do not fragment packets but implement PMTU instead, and we are using
those routers because of an ICMP redirect.

Setup is as follows

       MTU1    MTU2   MTU1
    A--------B------C------D

with MTU1 > MTU2. A and D are endpoints, B and C are routers. B and C
implement PMTU and drop packets larger than MTU2 (for example because
DF is set on all packets). TCP sessions are initiated between A and D.
There is packet loss between A and D, causing frequent TCP
retransmits.

After the number of retransmits on a TCP session reaches tcp_retries1,
tcp calls dst_negative_advice() prior to each retransmit. This results
in route cache entries for the peer to be deleted in
ipv4_negative_advice() if the Path MTU is set.

If the outstanding data on an affected TCP session is larger than
MTU2, packets sent from the endpoints will be dropped by B or C, and
ICMP NEEDFRAG will be returned. A and D receive NEEDFRAG messages and
update PMTU.

Before the next retransmit, tcp will again call dst_negative_advice(),
causing the route cache entry (with correct PMTU) to be deleted. The
retransmitted packet will be larger than MTU2, causing it to be
dropped again.

This sequence repeats until the TCP session aborts or is terminated.

Problem is fixed by removing redirected route cache entries in
ipv4_negative_advice() only if the PMTU is expired.

Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoipv4: check rt_genid in dst_check
Timo Teräs [Thu, 18 Mar 2010 23:20:20 +0000 (23:20 +0000)]
ipv4: check rt_genid in dst_check

[ Upstream commit d11a4dc18bf41719c9f0d7ed494d295dd2973b92 ]

Xfrm_dst keeps a reference to ipv4 rtable entries on each
cached bundle. The only way to renew xfrm_dst when the underlying
route has changed, is to implement dst_check for this. This is
what ipv6 side does too.

The problems started after 87c1e12b5eeb7b30b4b41291bef8e0b41fc3dde9
("ipsec: Fix bogus bundle flowi") which fixed a bug causing xfrm_dst
to not get reused, until that all lookups always generated new
xfrm_dst with new route reference and path mtu worked. But after the
fix, the old routes started to get reused even after they were expired
causing pmtu to break (well it would occationally work if the rtable
gc had run recently and marked the route obsolete causing dst_check to
get called).

Signed-off-by: Timo Teras <timo.teras@iki.fi>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoipsec: Fix bogus bundle flowi
Herbert Xu [Tue, 2 Mar 2010 02:51:56 +0000 (02:51 +0000)]
ipsec: Fix bogus bundle flowi

[ Upstream commit 87c1e12b5eeb7b30b4b41291bef8e0b41fc3dde9 ]

When I merged the bundle creation code, I introduced a bogus
flowi value in the bundle.  Instead of getting from the caller,
it was instead set to the flow in the route object, which is
totally different.

The end result is that the bundles we created never match, and
we instead end up with an ever growing bundle list.

Thanks to Jamal for find this problem.

Reported-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Jamal Hadi Salim <hadi@cyberus.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoip_gre: include route header_len in max_headroom calculation
Timo Teräs [Sat, 20 Mar 2010 02:27:58 +0000 (02:27 +0000)]
ip_gre: include route header_len in max_headroom calculation

[ Upstream commit 243aad830e8a4cdda261626fbaeddde16b08d04a ]

Taking route's header_len into account, and updating gre device
needed_headroom will give better hints on upper bound of required
headroom. This is useful if the gre traffic is xfrm'ed.

Signed-off-by: Timo Teras <timo.teras@iki.fi>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoe100: Fix ring parameter change handling regression.
David S. Miller [Mon, 15 Mar 2010 22:23:30 +0000 (15:23 -0700)]
e100: Fix ring parameter change handling regression.

[ Upstream commit 211a0d941b1924e667483f822a55e2cc694cd212 ]

When the PCI pool changes were added to fix resume failures:

commit 98468efddb101f8a29af974101c17ba513b07be1
e100: Use pci pool to work around GFP_ATOMIC order 5 memory allocation failu

and

commit 70abc8cb90e679d8519721e2761d8366a18212a6
e100: Fix broken cbs accounting due to missing memset.

This introduced a problem that can happen if the TX ring size
is increased.  We need to size the PCI pool using cbs->max
instead of the default cbs->count value.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agobonding: fix device leak on error in bond_create()
Patrick McHardy [Sat, 27 Feb 2010 10:52:05 +0000 (02:52 -0800)]
bonding: fix device leak on error in bond_create()

[ Upstream commit 8d6184e4881b423522136aeb3ec1cbd9c35e8813 ]

When the register_netdevice() call fails, the newly allocated device is
not freed.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agonet: add __must_check to sk_add_backlog
Zhu Yi [Sun, 7 Mar 2010 16:21:39 +0000 (16:21 +0000)]
net: add __must_check to sk_add_backlog

[ Upstream commit 4045635318538d3ddd2007720412fdc4b08f6a62 ]

Add the "__must_check" tag to sk_add_backlog() so that any failure to
check and drop packets will be warned about.

Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agonet: backlog functions rename
Zhu Yi [Thu, 4 Mar 2010 18:01:47 +0000 (18:01 +0000)]
net: backlog functions rename

[ Upstream commit a3a858ff18a72a8d388e31ab0d98f7e944841a62 ]

sk_add_backlog -> __sk_add_backlog
sk_add_backlog_limited -> sk_add_backlog

Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agox25: use limited socket backlog
Zhu Yi [Thu, 4 Mar 2010 18:01:46 +0000 (18:01 +0000)]
x25: use limited socket backlog

[ Upstream commit 2499849ee8f513e795b9f2c19a42d6356e4943a4 ]

Make x25 adapt to the limited socket backlog change.

Cc: Andrew Hendry <andrew.hendry@gmail.com>
Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agotipc: use limited socket backlog
Zhu Yi [Thu, 4 Mar 2010 18:01:45 +0000 (18:01 +0000)]
tipc: use limited socket backlog

[ Upstream commit 53eecb1be5ae499d399d2923933937a9ea1a284f ]

Make tipc adapt to the limited socket backlog change.

Cc: Jon Maloy <jon.maloy@ericsson.com>
Cc: Allan Stephens <allan.stephens@windriver.com>
Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Allan Stephens <allan.stephens@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosctp: use limited socket backlog
Zhu Yi [Thu, 4 Mar 2010 18:01:44 +0000 (18:01 +0000)]
sctp: use limited socket backlog

[ Upstream commit 50b1a782f845140f4138f14a1ce8a4a6dd0cc82f ]

Make sctp adapt to the limited socket backlog change.

Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
Cc: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agollc: use limited socket backlog
Zhu Yi [Thu, 4 Mar 2010 18:01:43 +0000 (18:01 +0000)]
llc: use limited socket backlog

[ Upstream commit 79545b681961d7001c1f4c3eb9ffb87bed4485db ]

Make llc adapt to the limited socket backlog change.

Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoudp: use limited socket backlog
Zhu Yi [Thu, 4 Mar 2010 18:01:42 +0000 (18:01 +0000)]
udp: use limited socket backlog

[ Upstream commit 55349790d7cbf0d381873a7ece1dcafcffd4aaa9 ]

Make udp adapt to the limited socket backlog change.

Cc: "David S. Miller" <davem@davemloft.net>
Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Cc: "Pekka Savola (ipv6)" <pekkas@netcore.fi>
Cc: Patrick McHardy <kaber@trash.net>
Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agotcp: use limited socket backlog
Zhu Yi [Thu, 4 Mar 2010 18:01:41 +0000 (18:01 +0000)]
tcp: use limited socket backlog

[ Upstream commit 6b03a53a5ab7ccf2d5d69f96cf1c739c4d2a8fb9 ]

Make tcp adapt to the limited socket backlog change.

Cc: "David S. Miller" <davem@davemloft.net>
Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Cc: "Pekka Savola (ipv6)" <pekkas@netcore.fi>
Cc: Patrick McHardy <kaber@trash.net>
Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agonet: add limit for socket backlog
Zhu Yi [Thu, 4 Mar 2010 18:01:40 +0000 (18:01 +0000)]
net: add limit for socket backlog

[ Upstream commit 8eae939f1400326b06d0c9afe53d2a484a326871 ]

We got system OOM while running some UDP netperf testing on the loopback
device. The case is multiple senders sent stream UDP packets to a single
receiver via loopback on local host. Of course, the receiver is not able
to handle all the packets in time. But we surprisingly found that these
packets were not discarded due to the receiver's sk->sk_rcvbuf limit.
Instead, they are kept queuing to sk->sk_backlog and finally ate up all
the memory. We believe this is a secure hole that a none privileged user
can crash the system.

The root cause for this problem is, when the receiver is doing
__release_sock() (i.e. after userspace recv, kernel udp_recvmsg ->
skb_free_datagram_locked -> release_sock), it moves skbs from backlog to
sk_receive_queue with the softirq enabled. In the above case, multiple
busy senders will almost make it an endless loop. The skbs in the
backlog end up eat all the system memory.

The issue is not only for UDP. Any protocols using socket backlog is
potentially affected. The patch adds limit for socket backlog so that
the backlog size cannot be expanded endlessly.

Reported-by: Alex Shi <alex.shi@intel.com>
Cc: David Miller <davem@davemloft.net>
Cc: Arnaldo Carvalho de Melo <acme@ghostprotocols.net>
Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Cc: "Pekka Savola (ipv6)" <pekkas@netcore.fi>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
Cc: Sridhar Samudrala <sri@us.ibm.com>
Cc: Jon Maloy <jon.maloy@ericsson.com>
Cc: Allan Stephens <allan.stephens@windriver.com>
Cc: Andrew Hendry <andrew.hendry@gmail.com>
Signed-off-by: Zhu Yi <yi.zhu@intel.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoroute: Fix caught BUG_ON during rt_secret_rebuild_oneshot()
Vitaliy Gusev [Tue, 16 Mar 2010 01:07:51 +0000 (01:07 +0000)]
route: Fix caught BUG_ON during rt_secret_rebuild_oneshot()

[ Upstream commit 858a18a6a2f74e8f0e5b2e9671d4b74694aba708 ]

route: Fix caught BUG_ON during rt_secret_rebuild_oneshot()

Call rt_secret_rebuild can cause BUG_ON(timer_pending(&net->ipv4.rt_secret_timer)) in
add_timer as there is not any synchronization for call rt_secret_rebuild_oneshot()
for the same net namespace.

Also this issue affects to rt_secret_reschedule().

Thus use mod_timer enstead.

Signed-off-by: Vitaliy Gusev <vgusev@openvz.org>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agol2tp: Fix UDP socket reference count bugs in the pppol2tp driver
James Chapman [Tue, 16 Mar 2010 06:29:20 +0000 (06:29 +0000)]
l2tp: Fix UDP socket reference count bugs in the pppol2tp driver

[ Upstream commit c3259c8a7060d480e8eb2166da0a99d6879146b4 ]

This patch fixes UDP socket refcnt bugs in the pppol2tp driver.

A bug can cause a kernel stack trace when a tunnel socket is closed.

A way to reproduce the issue is to prepare the UDP socket for L2TP (by
opening a tunnel pppol2tp socket) and then close it before any L2TP
sessions are added to it. The sequence is

Create UDP socket
Create tunnel pppol2tp socket to prepare UDP socket for L2TP
  pppol2tp_connect: session_id=0, peer_session_id=0
L2TP SCCRP control frame received (tunnel_id==0)
  pppol2tp_recv_core: sock_hold()
  pppol2tp_recv_core: sock_put
L2TP ZLB control frame received (tunnel_id=nnn)
  pppol2tp_recv_core: sock_hold()
  pppol2tp_recv_core: sock_put
Close tunnel management socket
  pppol2tp_release: session_id=0, peer_session_id=0
Close UDP socket
  udp_lib_close: BUG

The addition of sock_hold() in pppol2tp_connect() solves the problem.

For data frames, two sock_put() calls were added to plug a refcnt leak
per received data frame. The ref that is grabbed at the top of
pppol2tp_recv_core() must always be released, but this wasn't done for
accepted data frames or data frames discarded because of bad UDP
checksums. This leak meant that any UDP socket that had passed L2TP
data traffic (i.e. L2TP data frames, not just L2TP control frames)
using pppol2tp would not be released by the kernel.

WARNING: at include/net/sock.h:435 udp_lib_unhash+0x117/0x120()
Pid: 1086, comm: openl2tpd Not tainted 2.6.33-rc1 #8
Call Trace:
 [<c119e9b7>] ? udp_lib_unhash+0x117/0x120
 [<c101b871>] ? warn_slowpath_common+0x71/0xd0
 [<c119e9b7>] ? udp_lib_unhash+0x117/0x120
 [<c101b8e3>] ? warn_slowpath_null+0x13/0x20
 [<c119e9b7>] ? udp_lib_unhash+0x117/0x120
 [<c11598a7>] ? sk_common_release+0x17/0x90
 [<c11a5e33>] ? inet_release+0x33/0x60
 [<c11577b0>] ? sock_release+0x10/0x60
 [<c115780f>] ? sock_close+0xf/0x30
 [<c106e542>] ? __fput+0x52/0x150
 [<c106b68e>] ? filp_close+0x3e/0x70
 [<c101d2e2>] ? put_files_struct+0x62/0xb0
 [<c101eaf7>] ? do_exit+0x5e7/0x650
 [<c1081623>] ? mntput_no_expire+0x13/0x70
 [<c106b68e>] ? filp_close+0x3e/0x70
 [<c101eb8a>] ? do_group_exit+0x2a/0x70
 [<c101ebe1>] ? sys_exit_group+0x11/0x20
 [<c10029b0>] ? sysenter_do_call+0x12/0x26

Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agol2tp: Fix oops in pppol2tp_xmit
James Chapman [Tue, 16 Mar 2010 06:46:31 +0000 (06:46 +0000)]
l2tp: Fix oops in pppol2tp_xmit

[ Upstream commit 3feec9095d12e311b7d4eb7fe7e5dfa75d4a72a5 ]

When transmitting L2TP frames, we derive the outgoing interface's UDP
checksum hardware assist capabilities from the tunnel dst dev. This
can sometimes be NULL, especially when routing protocols are used and
routing changes occur. This patch just checks for NULL dst or dev
pointers when checking for netdev hardware assist features.

BUG: unable to handle kernel NULL pointer dereference at 0000000c
IP: [<f89d074c>] pppol2tp_xmit+0x341/0x4da [pppol2tp]
*pde = 00000000
Oops: 0000 [#1] SMP
last sysfs file: /sys/class/net/lo/operstate
Modules linked in: pppol2tp pppox ppp_generic slhc ipv6 dummy loop snd_hda_codec_atihdmi snd_hda_intel snd_hda_codec snd_pcm snd_timer snd soundcore snd_page_alloc evdev psmouse serio_raw processor button i2c_piix4 i2c_core ati_agp agpgart pcspkr ext3 jbd mbcache sd_mod ide_pci_generic atiixp ide_core ahci ata_generic floppy ehci_hcd ohci_hcd libata e1000e scsi_mod usbcore nls_base thermal fan thermal_sys [last unloaded: scsi_wait_scan]

Pid: 0, comm: swapper Not tainted (2.6.32.8 #1)
EIP: 0060:[<f89d074c>] EFLAGS: 00010297 CPU: 3
EIP is at pppol2tp_xmit+0x341/0x4da [pppol2tp]
EAX: 00000000 EBX: f64d1680 ECX: 000005b9 EDX: 00000000
ESI: f6b91850 EDI: f64d16ac EBP: f6a0c4c0 ESP: f70a9cac
 DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
Process swapper (pid: 0, ti=f70a8000 task=f70a31c0 task.ti=f70a8000)
Stack:
 000005a9 000005b9 f734c400 f66652c0 f7352e00 f67dc800 00000000 f6b91800
<0> 000005a3 f70ef6c4 f67dcda9 000005a3 f89b192e 00000246 000005a3 f64d1680
<0> f63633e0 f6363320 f64d1680 f65a7320 f65a7364 f65856c0 f64d1680 f679f02f
Call Trace:
 [<f89b192e>] ? ppp_push+0x459/0x50e [ppp_generic]
 [<f89b217f>] ? ppp_xmit_process+0x3b6/0x430 [ppp_generic]
 [<f89b2306>] ? ppp_start_xmit+0x10d/0x120 [ppp_generic]
 [<c11c15cb>] ? dev_hard_start_xmit+0x21f/0x2b2
 [<c11d0947>] ? sch_direct_xmit+0x48/0x10e
 [<c11c19a0>] ? dev_queue_xmit+0x263/0x3a6
 [<c11e2a9f>] ? ip_finish_output+0x1f7/0x221
 [<c11df682>] ? ip_forward_finish+0x2e/0x30
 [<c11de645>] ? ip_rcv_finish+0x295/0x2a9
 [<c11c0b19>] ? netif_receive_skb+0x3e9/0x404
 [<f814b791>] ? e1000_clean_rx_irq+0x253/0x2fc [e1000e]
 [<f814cb7a>] ? e1000_clean+0x63/0x1fc [e1000e]
 [<c1047eff>] ? sched_clock_local+0x15/0x11b
 [<c11c1095>] ? net_rx_action+0x96/0x195
 [<c1035750>] ? __do_softirq+0xaa/0x151
 [<c1035828>] ? do_softirq+0x31/0x3c
 [<c10358fe>] ? irq_exit+0x26/0x58
 [<c1004b21>] ? do_IRQ+0x78/0x89
 [<c1003729>] ? common_interrupt+0x29/0x30
 [<c101ac28>] ? native_safe_halt+0x2/0x3
 [<c1008c54>] ? default_idle+0x55/0x75
 [<c1009045>] ? c1e_idle+0xd2/0xd5
 [<c100233c>] ? cpu_idle+0x46/0x62
Code: 8d 45 08 f0 ff 45 08 89 6b 08 c7 43 68 7e fb 9c f8 8a 45 24 83 e0 0c 3c 04 75 09 80 63 64 f3 e9 b4 00 00 00 8b 43 18 8b 4c 24 04 <8b> 40 0c 8d 79 11 f6 40 44 0e 8a 43 64 75 51 6a 00 8b 4c 24 08
EIP: [<f89d074c>] pppol2tp_xmit+0x341/0x4da [pppol2tp] SS:ESP 0068:f70a9cac
CR2: 000000000000000c

Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosparc64: Add very basic XVR-1000 framebuffer driver.
David S. Miller [Tue, 30 Mar 2010 05:18:29 +0000 (22:18 -0700)]
sparc64: Add very basic XVR-1000 framebuffer driver.

[ Upstream commits 2d378b9179881b46a0faf11430efb421fe03ddd8 and
  f04e879bf296d136bcafd8c5a26e95599b141671 ]

Signed-off-by: David S. Miller <davem@davemloft.net>
Acked-by: Frans van Berckel <fberckel@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosparc64: Properly truncate pt_regs framepointer in perf callback.
David S. Miller [Mon, 29 Mar 2010 20:08:52 +0000 (13:08 -0700)]
sparc64: Properly truncate pt_regs framepointer in perf callback.

[ Upstream commit 9e8307ecaf9f8c8b5b3b22145021204c4e73114a ]

For 32-bit processes, we save the full 64-bits of the regs in pt_regs.

But unlike when the userspace actually does load and store
instructions, the top 32-bits don't get automatically truncated by the
cpu in kernel mode (because the kernel doesn't execute with PSTATE_AM
address masking enabled).

So we have to do it by hand.

Reported-by: Frederic Weisbecker <fweisbec@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoqlogicpti: Remove slash in QlogicPTI irq name
Meelis Roos [Mon, 8 Mar 2010 18:53:08 +0000 (10:53 -0800)]
qlogicpti: Remove slash in QlogicPTI irq name

[ Upstream commit 77d3926306bf4eecac50150ba5625797219f14ba ]

qlogicpti driver registers its irq with a name containing slash.
This results in

[   71.049735] WARNING: at fs/proc/generic.c:316 __xlate_proc_name+0xa8/0xb8()
[   71.132815] name 'Qlogic/PTI'

because proc_mkdir with the name of the irq fails. Fix it by just
removing the slash from irq name. Discovered and tested on real hardware
(Sun Ultra 1).

Signed-off-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoide: Fix Promise UDMA33 IDE driver (pdc202xx_old)
Russell King [Sun, 3 Jan 2010 12:35:42 +0000 (12:35 +0000)]
ide: Fix Promise UDMA33 IDE driver (pdc202xx_old)

[ Upstream commit c3be57b6f35ef96a980ce84e59d6a5a8ca6184ad ]

On Sun, Jan 03, 2010 at 12:23:14AM +0000, Russell King wrote:
> - with IDE
>   - locks the interrupt line, and makes the machine extremely painful -
>     about an hour to get to the point of being able to unload the
>     pdc202xx_old module.

Having manually bisected kernel versions, I've narrowed it down to some
change between 2.6.30 and 2.6.31.  There's not much which has changed
between the two kernels, but one change stands out like a sore thumb:

+static int pdc202xx_test_irq(ide_hwif_t *hwif)
+{
+       struct pci_dev *dev     = to_pci_dev(hwif->dev);
+       unsigned long high_16   = pci_resource_start(dev, 4);
+       u8 sc1d                 = inb(high_16 + 0x1d);
+
+       if (hwif->channel) {
+               /*
+                * bit 7: error, bit 6: interrupting,
+                * bit 5: FIFO full, bit 4: FIFO empty
+                */
+               return ((sc1d & 0x50) == 0x40) ? 1 : 0;
+       } else  {
+               /*
+                * bit 3: error, bit 2: interrupting,
+                * bit 1: FIFO full, bit 0: FIFO empty
+                */
+               return ((sc1d & 0x05) == 0x04) ? 1 : 0;
+       }
+}

Reading the (documented as a 32-bit) system control register when the
interface is idle gives: 0x01da110c

So, the byte at 0x1d is 0x11, which is documented as meaning that the
primary and secondary FIFOs are empty.

The code above, which is trying to see whether an IRQ is pending, checks
for the IRQ bit to be one, and the FIFO bit to be zero - or in English,
to be non-empty.

Since during a BM-DMA read, the FIFOs will naturally be drained to the
PCI bus, the chance of us getting to the interface before this happens
are extremely small - and if we don't, it means we decide not to service
the interrupt.  Hence, the screaming interrupt problem with drivers/ide.

Fix this by only indicating an interrupt is ready if both the interrupt
and FIFO empty bits are at '1'.

This bug only affects PDC20246/PDC20247 (Promise Ultra33) based cards,
and has been tested on 2.6.31 and 2.6.33-rc2.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Tested-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoRevert "ide: skip probe if there are no devices on the port (v2)"
David S. Miller [Mon, 29 Mar 2010 01:58:28 +0000 (18:58 -0700)]
Revert "ide: skip probe if there are no devices on the port (v2)"

[ Upstream commit 9ce41aed0d392246eb788786253f242e829fd5e1 ]

This reverts commit a20b2a44eca52818ef52a94959480b7e6ea2f528.

As requested by David Fries.  This makes CDROMs which are slave drives
on a ribbon without a master disappear and causes other similar kinds
of badness.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoicside: bring back ->maskproc method
Bartlomiej Zolnierkiewicz [Tue, 5 Jan 2010 07:07:27 +0000 (07:07 +0000)]
icside: bring back ->maskproc method

[ Upstream commit f75d4a238770d83d3a0475ce7f34e3fa37de161e ]

Bring back ->maskproc method since it is still needed for proper operation,
as noticed by Russell King:

> This change is bogus.
>
>         writeb(0, base + ICS_ARCIN_V6_INTROFFSET_1);
>         readb(base + ICS_ARCIN_V6_INTROFFSET_2);
>
>         writeb(0, base + ICS_ARCIN_V6_INTROFFSET_2);
>         readb(base + ICS_ARCIN_V6_INTROFFSET_1);
>
> This sequence of code does:
>
> 1. enable interrupt 1
> 2. disable interrupt 2
> 3. enable interrupt 2
> 4. disable interrupt 1
>
> which results in the interrupt for the second channel being enabled -
> leaving channel 1 blocked.
>
> Firstly, icside shares its two IDE channels with one DMA engine - so it's
> a simplex interface.  IDE supports those (or did when the code was written)
> serializing requests between the two interfaces.  libata does not.
>
> Secondly, the interrupt lines on icside float when there's no drive connected
> or when the drive has its NIEN bit set, which means that you get spurious
> screaming interrupts which can kill off all expansion card interrupts on
> the machine unless you disable the channel interrupt on the card.
>
> Since libata can not serialize the operation of the two channels like IDE
> can, the libata version of the icside driver does not contain the interrupt
> stearing logic.  Instead, it looks at the status after reset, and if
> nothing was found on that channel, it masks the interrupt from that
> channel.

This patch reverts changes done in commit dff8817 (I became confused due to
non-standard & undocumented ->maskproc method, anyway sorry about that).

Noticed-by: Russell King <rmk@arm.linux.org.uk>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoleds-gpio: fix default state handling on OF platforms
Anton Vorontsov [Thu, 11 Mar 2010 21:58:47 +0000 (13:58 -0800)]
leds-gpio: fix default state handling on OF platforms

commit 0493a4ff10959ff4c8e0d65efee25b7ffd4fa5db upstream.

The driver wrongly sets default state for LEDs that don't specify
default-state property.

Currently the driver handles default state this way:

memset(&led, 0, sizeof(led));
for_each_child_of_node(np, child) {
state = of_get_property(child, "default-state", NULL);
if (state) {
if (!strcmp(state, "keep"))
led.default_state = LEDS_GPIO_DEFSTATE_KEEP;
...
}
ret = create_gpio_led(&led, ...);
}

Which means that all LEDs that do not specify default-state will inherit
the last value of the default-state property, which is wrong.

This patch fixes the issue by moving LED's template initialization into
the loop body.

Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Richard Purdie <rpurdie@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoath9k: Enable IEEE80211_HW_REPORTS_TX_ACK_STATUS flag for ath9k
Vivek Natarajan [Thu, 11 Mar 2010 21:03:01 +0000 (13:03 -0800)]
ath9k: Enable IEEE80211_HW_REPORTS_TX_ACK_STATUS flag for ath9k

commit 05df49865be08b30e7ba91b9d3d94d7d52dd3033 upstream.

Signed-off-by: Vivek Natarajan <vnatarajan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agomac80211: Retry null data frame for power save
Vivek Natarajan [Thu, 11 Mar 2010 20:59:53 +0000 (12:59 -0800)]
mac80211: Retry null data frame for power save

commit 375177bf35efc08e1bd37bbda4cc0c8cc4db8500 upstream.

Even if the null data frame is not acked by the AP, mac80211
goes into power save. This might lead to loss of frames
from the AP.
Prevent this by restarting dynamic_ps_timer when ack is not
received for null data frames.

Cc: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Vivek Natarajan <vnatarajan@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoath9k: configure the beacon only if the STA is associated
Senthil Balasubramanian [Wed, 3 Feb 2010 17:20:18 +0000 (22:50 +0530)]
ath9k: configure the beacon only if the STA is associated

commit 1a20034a73a40b8056731f9db0c535cec2961eb7 upstream.

beacons configuration SHOULD be done only if the STA is associated.

Signed-off-by: Senthil Balasubramanian <senthilkumar@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoath9k: Enable TIM timer interrupt only when needed.
Senthil Balasubramanian [Thu, 11 Mar 2010 20:10:12 +0000 (12:10 -0800)]
ath9k: Enable TIM timer interrupt only when needed.

commit 3f7c5c10e9dc6bf90179eb9f7c06151d508fb324 upstream.

The TIM timer interrupt is enabled even before the ACK of nullqos
is received which is unnecessary.

Also clean up the CONF_PS part of config callback properly for
better readability.

Signed-off-by: Senthil Balasubramanian <senthilkumar@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoALSA: ac97: Add IBM ThinkPad R40e to Headphone/Line Jack Sense blacklist
Daniel T Chen [Fri, 26 Mar 2010 05:38:15 +0000 (22:38 -0700)]
ALSA: ac97: Add IBM ThinkPad R40e to Headphone/Line Jack Sense blacklist

commit e1f7f02b45cf33a774d56e505ce1718af9392f5e upstream.

BugLink: https://launchpad.net/bugs/303789
This model needs both 'Headphone Jack Sense' and 'Line Jack Sense'
muted for audible audio, so just add its SSID to the blacklist and
don't enumerate the controls.

Signed-off-by: Daniel T Chen <crimsun@ubuntu.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoALSA: ac97: Add Toshiba P500 to ac97 jack sense blacklist
Daniel Chen [Sun, 28 Mar 2010 20:32:34 +0000 (13:32 -0700)]
ALSA: ac97: Add Toshiba P500 to ac97 jack sense blacklist

commit 5cd165e7057020884e430941c24454d3df9a799d upstream.

BugLink: https://launchpad.net/bugs/481058
The OR has verified that both 'Headphone Jack Sense' and 'Line Jack Sense'
need to be muted for sound to be audible, so just add the machine's SSID
to the ac97 jack sense blacklist.

Reported-by: Richard Gagne
Tested-by: Richard Gagne
Signed-off-by: Daniel T Chen <crimsun@ubuntu.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoALSA: hda: Use LPIB for ga-ma770-ud3 board
Daniel T Chen [Sun, 28 Mar 2010 06:34:40 +0000 (02:34 -0400)]
ALSA: hda: Use LPIB for ga-ma770-ud3 board

commit 9ec8ddad59fadd8021adfea4cb716a49b0e232e9 upstream.

BugLink: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=575669
The OR states that position_fix=1 is necessary to work around glitching
during volume adjustments using PulseAudio.

Reported-by: Carlos Laviola <claviola@debian.org>
Tested-by: Carlos Laviola <claviola@debian.org>
Signed-off-by: Daniel T Chen <crimsun@ubuntu.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agohwmon: (coretemp) Add missing newline to dev_warn() message
Dean Nelson [Mon, 29 Mar 2010 20:03:00 +0000 (22:03 +0200)]
hwmon: (coretemp) Add missing newline to dev_warn() message

commit 4d7a5644e4adfafe76c2bd8ee168e3f3b5dae3a8 upstream.

Add missing newline to dev_warn() message string. This is more of an issue
with older kernels that don't automatically add a newline if it was missing
from the end of the previous line.

Signed-off-by: Dean Nelson <dnelson@redhat.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agox86, amd: Restrict usage of c1e_idle()
Andreas Herrmann [Fri, 19 Mar 2010 11:09:22 +0000 (12:09 +0100)]
x86, amd: Restrict usage of c1e_idle()

commit 035a02c1e1de31888e8b6adac0ff667971ac04db upstream.

Currently c1e_idle returns true for all CPUs greater than or equal to
family 0xf model 0x40. This covers too many CPUs.

Meanwhile a respective erratum for the underlying problem was filed
(#400). This patch adds the logic to check whether erratum #400
applies to a given CPU.
Especially for CPUs where SMI/HW triggered C1e is not supported,
c1e_idle() doesn't need to be used. We can check this by looking at
the respective OSVW bit for erratum #400.

Signed-off-by: Andreas Herrmann <andreas.herrmann3@amd.com>
LKML-Reference: <20100319110922.GA19614@alberich.amd.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agox86: Fix placement of FIX_OHCI1394_BASE
Jan Beulich [Mon, 15 Mar 2010 10:11:15 +0000 (10:11 +0000)]
x86: Fix placement of FIX_OHCI1394_BASE

commit ff30a0543e9a6cd732582063e7cae951cdb7acf2 upstream.

Ever for 32-bit with sufficiently high NR_CPUS, and starting
with commit 789d03f584484af85dbdc64935270c8e45f36ef7 also for
64-bit, the statically allocated early fixmap page tables were
not covering FIX_OHCI1394_BASE, leading to a boot time crash
when "ohci1394_dma=early" was used. Despite this entry not being
a permanently used one, it needs to be moved into the permanent
range since it has to be close to FIX_DBGP_BASE and
FIX_EARLYCON_MEM_BASE.

Reported-bisected-and-tested-by: Justin P. Mattock <justinmattock@gmail.com>
Fixes-bug: http://bugzilla.kernel.org/show_bug.cgi?id=14487
Signed-off-by: Jan Beulich <jbeulich@novell.com>
LKML-Reference: <4B9E15D30200007800034D23@vpn.id2.novell.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agonetfilter: xt_recent: fix regression in rules using a zero hit_count
Patrick McHardy [Mon, 22 Mar 2010 17:25:20 +0000 (18:25 +0100)]
netfilter: xt_recent: fix regression in rules using a zero hit_count

commit ef1691504c83ba3eb636c0cfd3ed33f7a6d0b4ee upstream.

Commit 8ccb92ad (netfilter: xt_recent: fix false match) fixed supposedly
false matches in rules using a zero hit_count. As it turns out there is
nothing false about these matches and people are actually using entries
with a hit_count of zero to make rules dependant on addresses inserted
manually through /proc.

Since this slipped past the eyes of three reviewers, instead of
reverting the commit in question, this patch explicitly checks
for a hit_count of zero to make the intentions more clear.

Reported-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Tested-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agodrm/nouveau: report unknown connector state if lid closed
Ben Skeggs [Thu, 25 Feb 2010 02:12:09 +0000 (12:12 +1000)]
drm/nouveau: report unknown connector state if lid closed

commit b30083bdb990bcc2829fce83d871a86059ff4fc1 upstream.

This is in preference to disconnected.  If there's no other outputs
connected this will cause LVDS to be programmed even with the lid
closed rather than having X fail to start because of no available
outputs.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agodrm/i915: Avoid NULL deref in get_pages() unwind after error.
Chris Wilson [Fri, 12 Mar 2010 19:52:55 +0000 (19:52 +0000)]
drm/i915: Avoid NULL deref in get_pages() unwind after error.

commit 1f2b10131f83f7caa67bf1273cec126b4283015d upstream.

Fixes:
  http://bugzilla.kernel.org/show_bug.cgi?id=15527
  NULL pointer dereference in i915_gem_object_save_bit_17_swizzle

BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<f82b5d2b>] i915_gem_object_save_bit_17_swizzle+0x5b/0xc0 [i915]
Call Trace:
[<f82aea55>] ? i915_gem_object_put_pages+0x125/0x150 [i915]
[<f82aeb71>] ? i915_gem_object_get_pages+0xf1/0x110 [i915]
[<f82b0de8>] ? i915_gem_object_bind_to_gtt+0xb8/0x2a0 [i915]
[<c02db74d>] ? drm_mm_get_block_generic+0x4d/0x180
[<f82b11cd>] ? i915_gem_mmap_gtt_ioctl+0x16d/0x240 [i915]
[<f82ae786>] ? i915_gem_madvise_ioctl+0x86/0x120 [i915]

Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Reported-by: maciej.rutecki@gmail.com
Cc: stable@kernel.org
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agodrm/i915: fix small leak on overlay error path
Dan Carpenter [Sat, 6 Mar 2010 11:05:39 +0000 (14:05 +0300)]
drm/i915: fix small leak on overlay error path

commit 915a428e43acfd05e4ffeaf40549b0cf163eebe2 upstream.

We should free "params" before returning.

Signed-off-by: Dan Carpenter <error27@gmail.com>
Reviewed-by: Daniel Vetter <daniel@ffwll.ch>
Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosoftlockup: Stop spurious softlockup messages due to overflow
Colin Ian King [Fri, 19 Mar 2010 10:28:02 +0000 (10:28 +0000)]
softlockup: Stop spurious softlockup messages due to overflow

commit 8c2eb4805d422bdbf60ba00ff233c794d23c3c00 upstream.

Ensure additions on touch_ts do not overflow.  This can occur
when the top 32 bits of the TSC reach 0xffffffff causing
additions to touch_ts to overflow and this in turn generates
spurious softlockup warnings.

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
LKML-Reference: <1268994482.1798.6.camel@lenovo>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agogenirq: Prevent oneshot irq thread race
Thomas Gleixner [Tue, 9 Mar 2010 18:45:54 +0000 (19:45 +0100)]
genirq: Prevent oneshot irq thread race

commit 0b1adaa031a55e44f5dd942f234bf09d28e8a0d6 upstream.

Lars-Peter pointed out that the oneshot threaded interrupt handler
code has the following race:

 CPU0                            CPU1
 hande_level_irq(irq X)
   mask_ack_irq(irq X)
   handle_IRQ_event(irq X)
     wake_up(thread_handler)
                                 thread handler(irq X) runs
                                 finalize_oneshot(irq X)
  does not unmask due to
  !(desc->status & IRQ_MASKED)

 return from irq
 does not unmask due to
 (desc->status & IRQ_ONESHOT)

This leaves the interrupt line masked forever.

The reason for this is the inconsistent handling of the IRQ_MASKED
flag. Instead of setting it in the mask function the oneshot support
sets the flag after waking up the irq thread.

The solution for this is to set/clear the IRQ_MASKED status whenever
we mask/unmask an interrupt line. That's the easy part, but that
cleanup opens another race:

 CPU0                            CPU1
 hande_level_irq(irq)
   mask_ack_irq(irq)
   handle_IRQ_event(irq)
     wake_up(thread_handler)
                                 thread handler(irq) runs
                                 finalize_oneshot_irq(irq)
  unmask(irq)
     irq triggers again
     handle_level_irq(irq)
       mask_ack_irq(irq)
     return from irq due to IRQ_INPROGRESS

 return from irq
 does not unmask due to
 (desc->status & IRQ_ONESHOT)

This requires that we synchronize finalize_oneshot_irq() with the
primary handler. If IRQ_INPROGESS is set we wait until the primary
handler on the other CPU has returned before unmasking the interrupt
line again.

We probably have never seen that problem because it does not happen on
UP and on SMP the irqbalancer protects us by pinning the primary
handler and the thread to the same CPU.

Reported-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agonilfs2: fix hang-up of cleaner after log writer returned with error
Ryusuke Konishi [Mon, 22 Mar 2010 12:36:06 +0000 (21:36 +0900)]
nilfs2: fix hang-up of cleaner after log writer returned with error

commit 110d735a0ae69bdd11af9acb6ea3b979137eb118 upstream.

According to the report from Andreas Beckmann (Message-ID:
<4BA54677.3090902@abeckmann.de>), nilfs in 2.6.33 kernel got stuck
after a disk full error.

This turned out to be a regression by log writer updates merged at
kernel 2.6.33.  nilfs_segctor_abort_construction, which is a cleanup
function for erroneous cases, was skipping writeback completion for
some logs.

This fixes the bug and would resolve the hang issue.

Reported-by: Andreas Beckmann <debian@abeckmann.de>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Tested-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agocpuset: fix the problem that cpuset_mem_spread_node() returns an offline node
Miao Xie [Tue, 23 Mar 2010 20:35:34 +0000 (13:35 -0700)]
cpuset: fix the problem that cpuset_mem_spread_node() returns an offline node

commit 5ab116c9349ef52d6fbd2e2917a53f13194b048e upstream.

cpuset_mem_spread_node() returns an offline node, and causes an oops.

This patch fixes it by initializing task->mems_allowed to
node_states[N_HIGH_MEMORY], and updating task->mems_allowed when doing
memory hotplug.

Signed-off-by: Miao Xie <miaox@cn.fujitsu.com>
Acked-by: David Rientjes <rientjes@google.com>
Reported-by: Nick Piggin <npiggin@suse.de>
Tested-by: Nick Piggin <npiggin@suse.de>
Cc: Paul Menage <menage@google.com>
Cc: Li Zefan <lizf@cn.fujitsu.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoath9k: fix BUG_ON triggered by PAE frames
Felix Fietkau [Fri, 12 Mar 2010 03:02:43 +0000 (04:02 +0100)]
ath9k: fix BUG_ON triggered by PAE frames

commit 4fdec031b9169b3c17938b9c4168f099f457169c upstream.

When I initially stumbled upon sequence number problems with PAE frames
in ath9k, I submitted a patch to remove all special cases for PAE
frames and let them go through the normal transmit path.
Out of concern about crypto incompatibility issues, this change was
merged instead:

commit 6c8afef551fef87a3bf24f8a74c69a7f2f72fc82
Author: Sujith <Sujith.Manoharan@atheros.com>
Date:   Tue Feb 9 10:07:00 2010 +0530

    ath9k: Fix sequence numbers for PAE frames

After a lot of testing, I'm able to reliably trigger a driver crash on
rekeying with current versions with this change in place.
It seems that the driver does not support sending out regular MPDUs with
the same TID while an A-MPDU session is active.
This leads to duplicate entries in the TID Tx buffer, which hits the
following BUG_ON in ath_tx_addto_baw():

    index  = ATH_BA_INDEX(tid->seq_start, bf->bf_seqno);
    cindex = (tid->baw_head + index) & (ATH_TID_MAX_BUFS - 1);

    BUG_ON(tid->tx_buf[cindex] != NULL);

I believe until we actually have a reproducible case of an
incompatibility with another AP using no PAE special cases, we should
simply get rid of this mess.

This patch completely fixes my crash issues in STA mode and makes it
stay connected without throughput drops or connectivity issues even
when the AP is configured to a very short group rekey interval.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoPCI: cleanup error return for pcix get and set mmrbc functions
Dean Nelson [Wed, 10 Mar 2010 03:26:55 +0000 (22:26 -0500)]
PCI: cleanup error return for pcix get and set mmrbc functions

commit 7c9e2b1c4784c6e574f69dbd904b2822f2e04d6e upstream.

pcix_get_mmrbc() returns the maximum memory read byte count (mmrbc), if
successful, or an appropriate error value, if not.

Distinguishing errors from correct values and understanding the meaning of an
error can be somewhat confusing in that:

correct values: 512, 1024, 2048, 4096
errors: -EINVAL   -22
  PCIBIOS_FUNC_NOT_SUPPORTED 0x81
PCIBIOS_BAD_VENDOR_ID 0x83
PCIBIOS_DEVICE_NOT_FOUND 0x86
PCIBIOS_BAD_REGISTER_NUMBER 0x87
PCIBIOS_SET_FAILED 0x88
PCIBIOS_BUFFER_TOO_SMALL 0x89

The PCIBIOS_ errors are returned from the PCI functions generated by the
PCI_OP_READ() and PCI_OP_WRITE() macros.

In a similar manner, pcix_set_mmrbc() also returns the PCIBIOS_ error values
returned from pci_read_config_[word|dword]() and pci_write_config_word().

Following pcix_get_max_mmrbc()'s example, the following patch simply returns
-EINVAL for all PCIBIOS_ errors encountered by pcix_get_mmrbc(), and -EINVAL
or -EIO for those encountered by pcix_set_mmrbc().

This simplification was chosen in light of the fact that none of the current
callers of these functions are interested in the specific type of error
encountered. In the future, should this change, one could simply create a
function that maps each PCIBIOS_ error to a corresponding unique errno value,
which could be called by pcix_get_max_mmrbc(), pcix_get_mmrbc(), and
pcix_set_mmrbc().

Additionally, this patch eliminates some unnecessary variables.

Signed-off-by: Dean Nelson <dnelson@redhat.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoPCI: fix access of PCI_X_CMD by pcix get and set mmrbc functions
Dean Nelson [Wed, 10 Mar 2010 03:26:48 +0000 (22:26 -0500)]
PCI: fix access of PCI_X_CMD by pcix get and set mmrbc functions

commit bdc2bda7c4dd253026cc1fce45fc939304749029 upstream.

An e1000 driver on a system with a PCI-X bus was always being returned
a value of 135 from both pcix_get_mmrbc() and pcix_set_mmrbc(). This
value reflects an error return of PCIBIOS_BAD_REGISTER_NUMBER from
pci_bus_read_config_dword(,, cap + PCI_X_CMD,).

This is because for a dword, the following portion of the PCI_OP_READ()
macro:

if (PCI_##size##_BAD) return PCIBIOS_BAD_REGISTER_NUMBER;

expands to:

if (pos & 3) return PCIBIOS_BAD_REGISTER_NUMBER;

And is always true for 'cap + PCI_X_CMD', which is 0xe4 + 2 = 0xe6. ('cap' is
the result of calling pci_find_capability(, PCI_CAP_ID_PCIX).)

The same problem exists for pci_bus_write_config_dword(,, cap + PCI_X_CMD,).
In both cases, instead of calling _dword(), _word() should be called.

Signed-off-by: Dean Nelson <dnelson@redhat.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoPCI: fix return value from pcix_get_max_mmrbc()
Dean Nelson [Wed, 10 Mar 2010 03:26:40 +0000 (22:26 -0500)]
PCI: fix return value from pcix_get_max_mmrbc()

commit 25daeb550b69e89aff59bc6a84218a12b5203531 upstream.

For the PCI_X_STATUS register, pcix_get_max_mmrbc() is returning an incorrect
value, which is based on:

(stat & PCI_X_STATUS_MAX_READ) >> 12

Valid return values are 512, 1024, 2048, 4096, which correspond to a 'stat'
(masked and right shifted by 21) of 0, 1, 2, 3, respectively.

A right shift by 11 would generate the correct return value when 'stat' (masked
and right shifted by 21) has a value of 1 or 2. But for a value of 0 or 3 it's
not possible to generate the correct return value by only right shifting.

Fix is based on pcix_get_mmrbc()'s similar dealings with the PCI_X_CMD register.

Signed-off-by: Dean Nelson <dnelson@redhat.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agofs/partition/msdos: fix unusable extended partition for > 512B sector
OGAWA Hirofumi [Tue, 23 Mar 2010 20:35:50 +0000 (13:35 -0700)]
fs/partition/msdos: fix unusable extended partition for > 512B sector

commit 8e0cc811e0f8029a7225372fb0951fab102c012f upstream.

Smaller size than a minimum blocksize can't be used, after all it's
handled like 0 size.

For extended partition itself, this makes sure to use bigger size than one
logical sector size at least.

Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Cc: Daniel Taylor <Daniel.Taylor@wdc.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>