]> git.karo-electronics.de Git - karo-tx-linux.git/log
karo-tx-linux.git
16 years agosparc: Fix ptrace() detach.
David S. Miller [Sun, 11 May 2008 04:11:23 +0000 (21:11 -0700)]
sparc: Fix ptrace() detach.

[ Upstream commit: 986bef854fab44012df678a5b51817d5274d3ca1 ]

Forever we had a PTRACE_SUNOS_DETACH which was unconditionally
recognized, regardless of the personality of the process.

Unfortunately, this value is what ended up in the GLIBC sys/ptrace.h
header file on sparc as PTRACE_DETACH and PT_DETACH.

So continue to recognize this old value.  Luckily, it doesn't conflict
with anything we actually care about.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoi2c-piix4: Blacklist two mainboards
Jean Delvare [Mon, 12 May 2008 14:21:24 +0000 (16:21 +0200)]
i2c-piix4: Blacklist two mainboards

commit c2fc54fcd340cbee47510aa84c346aab3440ba09 upstream

We had a report that running sensors-detect on a Sapphire AM2RD790
motherbord killed the CPU. While the exact cause is still unknown,
I'd rather play it safe and prevent any access to the SMBus on that
machine by not letting the i2c-piix4 driver attach to the SMBus host
device on that machine. Also blacklist a similar board made by DFI.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agox86: sysfs cpu?/topology is empty in 2.6.25 (32-bit Intel system)
Vaidyanathan Srinivasan [Sun, 11 May 2008 04:20:09 +0000 (04:20 +0000)]
x86: sysfs cpu?/topology is empty in 2.6.25 (32-bit Intel system)

commit 5c3a121d52b30a1e53cdaa802fa1965fcd243164 upstream

System topology on intel based system needs to be exported
for non-numa case as well.

All parts of asm-i386/topology.h has come under
#ifdef CONFIG_NUMA after the merge to asm-x86/topology.h

/sys/devices/system/cpu/cpu?/topology/* is populated based on
ENABLE_TOPO_DEFINES

The sysfs cpu topology is not being populated on my dual socket
dual core xeon 5160 processor based (x86 32 bit) system.

CONFIG_NUMA is not set in my case yet the topology is relevant
and useful.

irqbalance daemon application depends on topology to build the
cpus and package list and it fails on Fedora9 beta since the
sysfs topology was not being populated in the 2.6.25 kernel.

I am not sure if it was intentional to not define ENABLE_TOPO_DEFINES
for non-numa systems.

This fix has been tested on the above mentioned dual core, dual socket
system.

Signed-off-by: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoata_piix: verify SIDPR access before enabling it
Tejun Heo [Tue, 13 May 2008 08:23:38 +0000 (17:23 +0900)]
ata_piix: verify SIDPR access before enabling it

commit cb6716c879ecf49e2af344926c6a476821812061 upstream

On certain configurations (certain macbooks), even though all the
conditions for SIDPR access described in the datasheet are met,
actually reading those registers just returns 0 and have no effect on
write.  Verify SIDPR is actually working before enabling it.

This is reported by Ryan Roth in bz#10512.

Signed-off-by: Tejun Heo <htejun@gmail.com>
Cc: Ryan Roth <ryan.roth@ch2m.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago{nfnetlink, ip, ip6}_queue: fix skb_over_panic when enlarging packets
Arnaud Ebalard [Tue, 13 May 2008 11:39:16 +0000 (13:39 +0200)]
{nfnetlink, ip, ip6}_queue: fix skb_over_panic when enlarging packets

[NETFILTER]: {nfnetlink,ip,ip6}_queue: fix skb_over_panic when enlarging packets

From: Arnaud Ebalard <arno@natisbad.org>

Upstream commit 9a732ed6d:

While reinjecting *bigger* modified versions of IPv6 packets using
libnetfilter_queue, things work fine on a 2.6.24 kernel (2.6.22 too)
but I get the following on recents kernels (2.6.25, trace below is
against today's net-2.6 git tree):

skb_over_panic: text:c04fddb0 len:696 put:632 head:f7592c00 data:f7592c00 tail:0xf7592eb8 end:0xf7592e80 dev:eth0
------------[ cut here ]------------
invalid opcode: 0000 [#1] PREEMPT
Process sendd (pid: 3657, ti=f6014000 task=f77c31d0 task.ti=f6014000)
Stack: c071e638 c04fddb0 000002b8 00000278 f7592c00 f7592c00 f7592eb8 f7592e80
       f763c000 f6bc5200 f7592c40 f6015c34 c04cdbfc f6bc5200 00000278 f6015c60
       c04fddb0 00000020 f72a10c0 f751b420 00000001 0000000a 000002b8 c065582c
Call Trace:
 [<c04fddb0>] ? nfqnl_recv_verdict+0x1c0/0x2e0
 [<c04cdbfc>] ? skb_put+0x3c/0x40
 [<c04fddb0>] ? nfqnl_recv_verdict+0x1c0/0x2e0
 [<c04fd115>] ? nfnetlink_rcv_msg+0xf5/0x160
 [<c04fd03e>] ? nfnetlink_rcv_msg+0x1e/0x160
 [<c04fd020>] ? nfnetlink_rcv_msg+0x0/0x160
 [<c04f8ed7>] ? netlink_rcv_skb+0x77/0xa0
 [<c04fcefc>] ? nfnetlink_rcv+0x1c/0x30
 [<c04f8c73>] ? netlink_unicast+0x243/0x2b0
 [<c04cfaba>] ? memcpy_fromiovec+0x4a/0x70
 [<c04f9406>] ? netlink_sendmsg+0x1c6/0x270
 [<c04c8244>] ? sock_sendmsg+0xc4/0xf0
 [<c011970d>] ? set_next_entity+0x1d/0x50
 [<c0133a80>] ? autoremove_wake_function+0x0/0x40
 [<c0118f9e>] ? __wake_up_common+0x3e/0x70
 [<c0342fbf>] ? n_tty_receive_buf+0x34f/0x1280
 [<c011d308>] ? __wake_up+0x68/0x70
 [<c02cea47>] ? copy_from_user+0x37/0x70
 [<c04cfd7c>] ? verify_iovec+0x2c/0x90
 [<c04c837a>] ? sys_sendmsg+0x10a/0x230
 [<c011967a>] ? __dequeue_entity+0x2a/0xa0
 [<c011970d>] ? set_next_entity+0x1d/0x50
 [<c0345397>] ? pty_write+0x47/0x60
 [<c033d59b>] ? tty_default_put_char+0x1b/0x20
 [<c011d2e9>] ? __wake_up+0x49/0x70
 [<c033df99>] ? tty_ldisc_deref+0x39/0x90
 [<c033ff20>] ? tty_write+0x1a0/0x1b0
 [<c04c93af>] ? sys_socketcall+0x7f/0x260
 [<c0102ff9>] ? sysenter_past_esp+0x6a/0x91
 [<c05f0000>] ? snd_intel8x0m_probe+0x270/0x6e0
 =======================
Code: 00 00 89 5c 24 14 8b 98 9c 00 00 00 89 54 24 0c 89 5c 24 10 8b 40 50 89 4c 24 04 c7 04 24 38 e6 71 c0 89 44 24 08 e8 c4 46 c5 ff <0f> 0b eb fe 55 89 e5 56 89 d6 53 89 c3 83 ec 0c 8b 40 50 39 d0
EIP: [<c04ccdfc>] skb_over_panic+0x5c/0x60 SS:ESP 0068:f6015bf8

Looking at the code, I ended up in nfq_mangle() function (called by
nfqnl_recv_verdict()) which performs a call to skb_copy_expand() due to
the increased size of data passed to the function. AFAICT, it should ask
for 'diff' instead of 'diff - skb_tailroom(e->skb)'. Because the
resulting sk_buff has not enough space to support the skb_put(skb, diff)
call a few lines later, this results in the call to skb_over_panic().

The patch below asks for allocation of a copy with enough space for
mangled packet and the same amount of headroom as old sk_buff. While
looking at how the regression appeared (e2b58a67), I noticed the same
pattern in ipq_mangle_ipv6() and ipq_mangle_ipv4(). The patch corrects
those locations too.

Tested with bigger reinjected IPv6 packets (nfqnl_mangle() path), things
are ok (2.6.25 and today's net-2.6 git tree).

Signed-off-by: Arnaud Ebalard <arno@natisbad.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agonf_conntrack: padding breaks conntrack hash on ARM
Philip Craig [Tue, 13 May 2008 11:39:13 +0000 (13:39 +0200)]
nf_conntrack: padding breaks conntrack hash on ARM

[NETFILTER]: nf_conntrack: padding breaks conntrack hash on ARM

Upstream commit 443a70d50:

commit 0794935e "[NETFILTER]: nf_conntrack: optimize hash_conntrack()"
results in ARM platforms hashing uninitialised padding.  This padding
doesn't exist on other architectures.

Fix this by replacing NF_CT_TUPLE_U_BLANK() with memset() to ensure
everything is initialised.  There were only 4 bytes that
NF_CT_TUPLE_U_BLANK() wasn't clearing anyway (or 12 bytes on ARM).

Signed-off-by: Philip Craig <philipc@snapgear.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agox86: use defconfigs from x86/configs/*
Sam Ravnborg [Sat, 10 May 2008 19:07:32 +0000 (20:07 +0100)]
x86: use defconfigs from x86/configs/*

commit b9b39bfba5b0de3418305f01cfa7bc55a16004e1 upstream

x86: use defconfigs from x86/configs/*

Daniel Drake <dsd@gentoo.org> reported:

In 2.6.23, if you unpacked a kernel source tarball and then
ran "make menuconfig" you'd be presented with this message:
    # using defaults found in arch/i386/defconfig

and the default options would be set.

The same thing in 2.6.24 does not give you any "using defaults" message, and
the default config options within menuconfig are rather blank (e.g. no PCI
support). You can work around this by explicitly running "make defconfig"
before menuconfig, but it would be nice to have the behaviour the way it was
for 2.6.23 (and the way it still is for other archs).

Fixed by adding a x86 specific defconfig list to Kconfig.

Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=10470
Tested-by: Daniel Drake <dsd@gentoo.org>
Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agocan: Fix can_send() handling on dev_queue_xmit() failures
Oliver Hartkopp [Thu, 8 May 2008 09:49:55 +0000 (02:49 -0700)]
can: Fix can_send() handling on dev_queue_xmit() failures

[ Upstream commit: c2ab7ac225e29006b7117d6a9fe8f3be8d98b0c2 ]

The tx packet counting and the local loopback of CAN frames should
only happen in the case that the CAN frame has been enqueued to the
netdevice tx queue successfully.

Thanks to Andre Naujoks <nautsch@gmail.com> for reporting this issue.

Signed-off-by: Oliver Hartkopp <oliver@hartkopp.net>
Signed-off-by: Urs Thuermann <urs@isnogud.escape.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agodccp: return -EINVAL on invalid feature length
Chris Wright [Mon, 5 May 2008 20:50:24 +0000 (13:50 -0700)]
dccp: return -EINVAL on invalid feature length

[ Upstream commit: 19443178fbfbf40db15c86012fc37df1a44ab857 ]

dccp_feat_change() validates length and on error is returning 1.
This happens to work since call chain is checking for 0 == success,
but this is returned to userspace, so make it a real error value.

Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Acked-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoipvs: fix oops in backup for fwmark conn templates
Julian Anastasov [Tue, 29 Apr 2008 10:21:23 +0000 (03:21 -0700)]
ipvs: fix oops in backup for fwmark conn templates

[ Upstream commit: 2ad17defd596ca7e8ba782d5fc6950ee0e99513c ]

Fixes bug http://bugzilla.kernel.org/show_bug.cgi?id=10556
where conn templates with protocol=IPPROTO_IP can oops backup box.

        Result from ip_vs_proto_get() should be checked because
protocol value can be invalid or unsupported in backup. But
for valid message we should not fail for templates which use
IPPROTO_IP. Also, add checks to validate message limits and
connection state. Show state NONE for templates using IPPROTO_IP.

Fix tested and confirmed by L0op8ack <l0op8ack@hotmail.com>

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agomacvlan: Fix memleak on device removal/crash on module removal
Patrick McHardy [Thu, 8 May 2008 08:13:31 +0000 (01:13 -0700)]
macvlan: Fix memleak on device removal/crash on module removal

[ Upstream commit: 7312096454b6cd71267eaa3d0efb408e449e9ff3 ]

As noticed by Ben Greear, macvlan crashes the kernel when unloading the
module. The reason is that it tries to clean up the macvlan_port pointer
on the macvlan device itself instead of the underlying device. A non-NULL
pointer is taken as indication that the macvlan_handle_frame_hook is
valid, when receiving the next packet on the underlying device it tries
to call the NULL hook and crashes.

Clean up the macvlan_port on the correct device to fix this.

Signed-off-by; Patrick McHardy <kaber@trash.net>
Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agosch_htb: remove from event queue in htb_parent_to_leaf()
Jarek Poplawski [Sun, 4 May 2008 03:46:29 +0000 (20:46 -0700)]
sch_htb: remove from event queue in htb_parent_to_leaf()

[ Upstream commit: 3ba08b00e0d8413d79be9cab8ec085ceb6ae6fd6 ]

There is lack of removing a class from the event queue while changing
from parent to leaf which can cause corruption of this rb tree. This
patch fixes a bug introduced by my patch: "sch_htb: turn intermediate
classes into leaves" commit: 160d5e10f87b1dc88fd9b84b31b1718e0fd76398.

Many thanks to Jan 'yanek' Bortl for finding a way to reproduce this
rare bug and narrowing the test case, which made possible proper
diagnosing.

This patch is recommended for all kernels starting from 2.6.20.

Reported-and-tested-by: Jan 'yanek' Bortl <yanek@ya.bofh.cz>
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoserial: Fix sparc driver name strings.
David S. Miller [Thu, 1 May 2008 08:14:27 +0000 (01:14 -0700)]
serial: Fix sparc driver name strings.

[ Upstream commit: b53e5216e5f73330bffae93b42dceb94e361f4c0 ]

They were all "serial" so if multiple of these drivers registered,
we'd trigger sysfs directory creation errors:

[    1.695793] proc_dir_entry 'serial' already registered
[    1.695839] Call Trace:
[    1.831891]  [00000000004f2534] create_proc_entry+0x7c/0x98
[    1.833608]  [00000000004f3a58] proc_tty_register_driver+0x40/0x70
[    1.833663]  [0000000000594700] tty_register_driver+0x1fc/0x208
[    1.835371]  [00000000005aade4] uart_register_driver+0x134/0x16c
[    1.841762]  [00000000005ac274] sunserial_register_minors+0x34/0x68
[    1.841818]  [00000000007db2a4] sunsu_init+0xf8/0x150
[    1.867697]  [00000000007c62a4] kernel_init+0x190/0x330
[    1.939147]  [0000000000426cf8] kernel_thread+0x38/0x48
[    1.939198]  [00000000006a0d90] rest_init+0x18/0x5c

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoSPARC64: Fix args to 64-bit sys_semctl() via sys_ipc().
David S. Miller [Fri, 25 Apr 2008 09:12:05 +0000 (02:12 -0700)]
SPARC64: Fix args to 64-bit sys_semctl() via sys_ipc().

[ Upstream commit: 020cfb05f2c594c778537159bd45ea5efb0c5e0d ]

Second and third arguments were swapped for whatever reason.

Reported by Tom Callaway.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agosparc64: Fix wedged irq regression.
David S. Miller [Sat, 26 Apr 2008 09:19:18 +0000 (02:19 -0700)]
sparc64: Fix wedged irq regression.

[ Upstream commit: 92aa3573c9cd58fe0bcd1c52c9fd8f5708785917 ]

Kernel bugzilla 10273

As reported by Jos van der Ende, ever since commit
5a606b72a4309a656cd1a19ad137dc5557c4b8ea ("[SPARC64]: Do not ACK an
INO if it is disabled or inprogress.") sun4u interrupts
can get stuck.

What this changset did was add the following conditional to
the various IRQ chip ->enable() handlers on sparc64:

if (unlikely(desc->status & (IRQ_DISABLED|IRQ_INPROGRESS)))
return;

which is correct, however it means that special care is needed
in the ->enable() method.

Specifically we must put the interrupt into IDLE state during
an enable, or else it might never be sent out again.

Setting the INO interrupt state to IDLE resets the state machine,
the interrupt input to the INO is retested by the hardware, and
if an interrupt is being signalled by the device, the INO
moves back into TRANSMIT state, and an interrupt vector is sent
to the cpu.

The two sun4v IRQ chip handlers were already doing this properly,
only sun4u got it wrong.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agosparc64: Stop creating dummy root PCI host controller devices.
David S. Miller [Thu, 1 May 2008 08:12:40 +0000 (01:12 -0700)]
sparc64: Stop creating dummy root PCI host controller devices.

[ Upstream commit: 86d8337618e69573b5ccd3553f800944e843cae7 ]

It just creates confusion, errors, and bugs.

For one thing, this can cause dup sysfs or procfs nodes to get
created:

[    1.198015] proc_dir_entry '00.0' already registered
[    1.198036] Call Trace:
[    1.198052]  [00000000004f2534] create_proc_entry+0x7c/0x98
[    1.198092]  [00000000005719e4] pci_proc_attach_device+0xa4/0xd4
[    1.198126]  [00000000007d991c] pci_proc_init+0x64/0x88
[    1.198158]  [00000000007c62a4] kernel_init+0x190/0x330
[    1.198183]  [0000000000426cf8] kernel_thread+0x38/0x48
[    1.198210]  [00000000006a0d90] rest_init+0x18/0x5c

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agosparc: Fix fork/clone/vfork system call restart.
David S. Miller [Wed, 7 May 2008 23:21:28 +0000 (16:21 -0700)]
sparc: Fix fork/clone/vfork system call restart.

[ Upstream commit: 1e38c126c9252b612697e34f43b1b3371c8ee31d ]

We clobber %i1 as well as %i0 for these system calls,
because they give two return values.

Therefore, on error, we have to restore %i1 properly
or else the restart explodes since it uses the wrong
arguments.

This fixes glibc's nptl/tst-eintr1.c testcase.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agosparc: Fix SA_ONSTACK signal handling.
David S. Miller [Thu, 8 May 2008 01:54:05 +0000 (18:54 -0700)]
sparc: Fix SA_ONSTACK signal handling.

[ Upstream commit: dc5dc7e6d71ca9fd1ea01a1418150af3b2937489 ]

We need to be more liberal about the alignment of the buffer given to
us by sigaltstack().  The user should not need to be mindful of all of
the alignment constraints we have for the stack frame.

This mirrors how we handle this situation in clone() as well.

Also, we align the stack even in non-SA_ONSTACK cases so that signals
due to bad stack alignment can be delivered properly.  This makes such
errors easier to debug and recover from.

Finally, add the sanity check x86 has to make sure we won't overflow
the signal stack.

This fixes glibc testcases nptl/tst-cancel20.c and
nptl/tst-cancelx20.c

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agosparc: sunzilog uart order
Robert Reif [Thu, 24 Apr 2008 10:37:51 +0000 (03:37 -0700)]
sparc: sunzilog uart order

[ Upstream commit: 227739bf4c110bbd02d0c0f13b272c32de406e4c ]

I have a sparcstation 20 clone with a lot of on board serial ports.
The serial core code assumes that uarts are assigned contiguously
and that may not be the case when there are multiple zs devices
present.  This patch insures that uart chips are placed in front of
keyboard/mouse chips in the port table.

ffd37420: ttyS0 at MMIO 0xf1100000 (irq = 44) is a zs (ESCC)
Console: ttyS0 (SunZilog zs0)
console [ttyS0] enabled
ffd37420: ttyS1 at MMIO 0xf1100004 (irq = 44) is a zs (ESCC)
ffd37500: Keyboard at MMIO 0xf1000000 (irq = 44) is a zs
ffd37500: Mouse at MMIO 0xf1000004 (irq = 44) is a zs
ffd3c5c0: ttyS2 at MMIO 0xf1100008 (irq = 44) is a zs (ESCC)
ffd3c5c0: ttyS3 at MMIO 0xf110000c (irq = 44) is a zs (ESCC)
ffd3c6a0: ttyS4 at MMIO 0xf1100010 (irq = 44) is a zs (ESCC)
ffd3c6a0: ttyS5 at MMIO 0xf1100014 (irq = 44) is a zs (ESCC)
ffd3c780: ttyS6 at MMIO 0xf1100018 (irq = 44) is a zs (ESCC)
ffd3c780: ttyS7 at MMIO 0xf110001c (irq = 44) is a zs (ESCC)

Signed-off-by: Robert Reif <reif@earthlink.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoXFRM: AUDIT: Fix flowlabel text format ambibuity.
YOSHIFUJI Hideaki [Sun, 27 Apr 2008 05:24:10 +0000 (22:24 -0700)]
XFRM: AUDIT: Fix flowlabel text format ambibuity.

[ Upstream commit: 27a27a2158f4fe56a29458449e880a52ddee3dc4 ]

Flowlabel text format was not correct and thus ambiguous.
For example, 0x00123 or 0x01203 are formatted as 0x123.
This is not what audit tools want.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoOHCI: fix regression upon awakening from hibernation
Alan Stern [Thu, 8 May 2008 18:21:22 +0000 (14:21 -0400)]
OHCI: fix regression upon awakening from hibernation

commit 43bbb7e015c4380064796c5868b536437b165615 in upstream

Drivers in the ohci-hcd family should perform certain tasks whenever
their controller device is resumed.  These include checking for loss
of power during suspend, turning on port power, and enabling interrupt
requests.

Until now these jobs have been carried out when the root hub is
resumed, not when the controller is.  Many drivers work around the
resulting awkwardness by automatically resuming their root hub
whenever the controller is resumed.  But this is wasteful and
unnecessary.

In 2.6.25, ohci-pci doesn't even do that.  After waking up from
hibernation, it simply leaves the controller in a RESET state, which
is useless.

To simplify the situation, this patch (as1066b) adds a new core
routine, ohci_finish_controller_resume(), which can be used by all the
OHCI-variant drivers.  They can call the new routine instead of
resuming their root hubs.  And ohci-pci.c can call it instead of using
its own special-purpose handler.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoserial: access after NULL check in uart_flush_buffer()
Tetsuo Handa [Thu, 8 May 2008 21:06:17 +0000 (21:06 +0000)]
serial: access after NULL check in uart_flush_buffer()

commit 55d7b68996a5064f011d681bca412b6281d2f711 upstream

I noticed that

  static void uart_flush_buffer(struct tty_struct *tty)
  {
   struct uart_state *state = tty->driver_data;
   struct uart_port *port = state->port;
   unsigned long flags;

   /*
    * This means you called this function _after_ the port was
    * closed.  No cookie for you.
    */
   if (!state || !state->info) {
   WARN_ON(1);
   return;
   }

is too late for checking state != NULL.

Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agovt: fix canonical input in UTF-8 mode
Samuel Thibault [Thu, 8 May 2008 21:06:15 +0000 (21:06 +0000)]
vt: fix canonical input in UTF-8 mode

commit c1236d31a1b9fc018b85e15a3e58e3601ddc90ae upstream

For e.g.  proper TTY canonical support, IUTF8 termios flag has to be set as
appropriate.  Linux used to not care about setting that flag for VT TTYs.

This patch fixes that by activating it according to the current mode of the
VT, and sets the default value according to the vt.default_utf8 parameter.

Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoV4L/DVB (7473): PATCH for various Dibcom based devices
Albert Comerma [Sun, 30 Mar 2008 00:35:57 +0000 (21:35 -0300)]
V4L/DVB (7473): PATCH for various Dibcom based devices

patch 6ca8f0b97473dcef3a754bab5239dcfcdd00b244 upstream

This patch introduces support for dvb-t for the following DiBcom based cards:

- Terratec Cinergy HT USB XE (USB-ID: 0ccd:0058)
- Terratec Cinergy HT Express (USB-ID: 0ccd:0060)
- Pinnacle 320CX (USB-ID: 2304:022e)
- Pinnacle PCTV72e (USB-ID: 2304:0236)
- Pinnacle PCTV73e (USB-ID: 2304:0237)
- Yuan EC372S (USB-ID: 1164:1edc)

Signed-off-by: Hans-Frieder Vogt <hfvogt@gmx.net>
Signed-off-by: Felix Apitzsch <F.Apitzsch@soz.uni-frankfurt.de>
Signed-off-by: Antti Palosaari <crope@iki.fi>
Signed-off-by: Albert Comerma <albert.comerma@gmail.com>
Signed-off-by: Patrick Boettcher <pb@linuxtv.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Cc: Michel Morisot <mmorisot.abonnement@belcenter.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoLinux 2.6.25.3 v2.6.25.3
Greg Kroah-Hartman [Sat, 10 May 2008 04:48:50 +0000 (21:48 -0700)]
Linux 2.6.25.3

16 years agosit: Add missing kfree_skb() on pskb_may_pull() failure.
David S. Miller [Fri, 9 May 2008 06:40:26 +0000 (23:40 -0700)]
sit: Add missing kfree_skb() on pskb_may_pull() failure.

[ Upstream commit: 36ca34cc3b8335eb1fe8bd9a1d0a2592980c3f02 ]

Noticed by Paul Marks <paul@pmarks.net>.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agosparc: Fix mmap VA span checking.
David S. Miller [Wed, 7 May 2008 09:24:28 +0000 (02:24 -0700)]
sparc: Fix mmap VA span checking.

[ Upstream commit: 5816339310b2d9623cf413d33e538b45e815da5d ]

We should not conditionalize VA range checks on MAP_FIXED.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoCRYPTO: eseqiv: Fix off-by-one encryption
Herbert Xu [Tue, 6 May 2008 06:01:24 +0000 (14:01 +0800)]
CRYPTO: eseqiv: Fix off-by-one encryption

[CRYPTO] eseqiv: Fix off-by-one encryption

[ Upstream commit: 46f8153cc59384eb09a426d044668d4801f818ce ]

After attaching the IV to the head during encryption, eseqiv does not
increase the encryption length by that amount.  As such the last block
of the actual plain text will be left unencrypted.

Fortunately the only user of this code hifn currently crashes so this
shouldn't affect anyone :)

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoCRYPTO: authenc: Fix async crypto crash in crypto_authenc_genicv()
Patrick McHardy [Tue, 6 May 2008 06:01:22 +0000 (14:01 +0800)]
CRYPTO: authenc: Fix async crypto crash in crypto_authenc_genicv()

[CRYPTO] authenc: Fix async crypto crash in crypto_authenc_genicv()

[ Upstream commit: 161613293fd4b7d5ceb1faab788f47e688e07a67 ]

crypto_authenc_givencrypt_done uses req->data as struct aead_givcrypt_request,
while it really points to a struct aead_request, causing this crash:

BUG: unable to handle kernel paging request at 6b6b6b6b
IP: [<dc87517b>] :authenc:crypto_authenc_genicv+0x23/0x109
*pde = 00000000
Oops: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
Modules linked in: hifn_795x authenc esp4 aead xfrm4_mode_tunnel sha1_generic hmac crypto_hash]

Pid: 3074, comm: ping Not tainted (2.6.25 #4)
EIP: 0060:[<dc87517b>] EFLAGS: 00010296 CPU: 0
EIP is at crypto_authenc_genicv+0x23/0x109 [authenc]
EAX: daa04690 EBX: daa046e0 ECX: dab0a100 EDX: daa046b0
ESI: 6b6b6b6b EDI: dc872054 EBP: c033ff60 ESP: c033ff0c
 DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Process ping (pid: 3074, ti=c033f000 task=db883a80 task.ti=dab6c000)
Stack: 00000000 daa046b0 c0215a3e daa04690 dab0a100 00000000 ffffffff db9fd7f0
       dba208c0 dbbb1720 00000001 daa04720 00000001 c033ff54 c0119ca9 dc852a75
       c033ff60 c033ff60 daa046e0 00000000 00000001 c033ff6c dc87527b 00000001
Call Trace:
 [<c0215a3e>] ? dev_alloc_skb+0x14/0x29
 [<c0119ca9>] ? printk+0x15/0x17
 [<dc87527b>] ? crypto_authenc_givencrypt_done+0x1a/0x27 [authenc]
 [<dc850cca>] ? hifn_process_ready+0x34a/0x352 [hifn_795x]
 [<dc8353c7>] ? rhine_napipoll+0x3f2/0x3fd [via_rhine]
 [<dc851a56>] ? hifn_check_for_completion+0x4d/0xa6 [hifn_795x]
 [<dc851ab9>] ? hifn_tasklet_callback+0xa/0xc [hifn_795x]
 [<c011d046>] ? tasklet_action+0x3f/0x66
 [<c011d230>] ? __do_softirq+0x38/0x7a
 [<c0105a5f>] ? do_softirq+0x3e/0x71
 [<c011d17c>] ? irq_exit+0x2c/0x65
 [<c010e0c0>] ? smp_apic_timer_interrupt+0x5f/0x6a
 [<c01042e4>] ? apic_timer_interrupt+0x28/0x30
 [<dc851640>] ? hifn_handle_req+0x44a/0x50d [hifn_795x]
 ...

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoCRYPTO: cryptd: Correct kzalloc error test
Julia Lawall [Tue, 6 May 2008 06:01:25 +0000 (14:01 +0800)]
CRYPTO: cryptd: Correct kzalloc error test

[CRYPTO] cryptd: Correct kzalloc error test

[ Upstream commit: b1145ce395f7785487c128fe8faf8624e6586d84 ]

Normally, kzalloc returns NULL or a valid pointer value, not a value to be
tested using IS_ERR.

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoCRYPTO: api: Fix scatterwalk_sg_chain
Herbert Xu [Tue, 6 May 2008 06:01:23 +0000 (14:01 +0800)]
CRYPTO: api: Fix scatterwalk_sg_chain

[CRYPTO] api: Fix scatterwalk_sg_chain

[ Upstream commit: 8ec970d8561abb5645d4602433b772e268c96d05 ]

When I backed out of using the generic sg chaining (as it isn't currently
portable) and introduced scatterwalk_sg_chain/scatterwalk_sg_next I left
out the sg_is_last check in the latter.  This causes it to potentially
dereference beyond the end of the sg array.

As most uses of scatterwalk_sg_next are bound by an overall length, this
only affected the chaining code in authenc and eseqiv. Thanks to Patrick
McHardy for identifying this problem.

This patch also clears the "last" bit on the head of the chained list as
it's no longer last.  This also went missing in scatterwalk_sg_chain and
is present in sg_chain.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agox86 PCI: call dmi_check_pciprobe()
Yinghai Lu [Tue, 6 May 2008 02:59:58 +0000 (21:59 -0500)]
x86 PCI: call dmi_check_pciprobe()

This is a backport of the noted commit which is in 2.6.26-rc1
now.  This is necessary to enable pci=bfsort automatically on a number
of Dell and HP servers, as well as pci=assign-busses for a few other
systems, which was broken between 2.6.22 and 2.6.23.

commit 0df18ff366853cdf31e5238764ec5c63e6b5a398 upstream

x86 PCI: call dmi_check_pciprobe()

this change:

| commit 08f1c192c3c32797068bfe97738babb3295bbf42
| Author: Muli Ben-Yehuda <muli@il.ibm.com>
| Date:   Sun Jul 22 00:23:39 2007 +0300
|
|    x86-64: introduce struct pci_sysdata to facilitate sharing of ->sysdata
|
|    This patch introduces struct pci_sysdata to x86 and x86-64, and
|    converts the existing two users (NUMA, Calgary) to use it.
|
|    This lays the groundwork for having other users of sysdata, such as
|    the PCI domains work.
|
|    The Calgary bits are tested, the NUMA bits just look ok.

replaces pcibios_scan_root with pci_scan_bus_parented...

but in pcibios_scan_root we have a DMI check:

dmi_check_system(pciprobe_dmi_table);

when when have several peer root buses this could be called multiple
times (which is bad), so move that call to pci_access_init().

Signed-off-by: Yinghai Lu <yhlu.kernel@gmail.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Matt Domsch <Matt_Domsch@dell.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agob43: Fix some TX/RX locking issues
Michael Buesch [Fri, 2 May 2008 10:19:57 +0000 (12:19 +0200)]
b43: Fix some TX/RX locking issues

commit 21a75d7788f4e29b6c6d28e08f9f0310c4de828d upstream.

This fixes some TX/RX related locking issues.
With this patch applied, some of the PHY transmission errors are fixed.

Signed-off-by: Michael Buesch <mb@bu3sch.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agokprobes/arm: fix decoding of arithmetic immediate instructions
Lennert Buytenhek [Thu, 1 May 2008 15:04:55 +0000 (11:04 -0400)]
kprobes/arm: fix decoding of arithmetic immediate instructions

The ARM kprobes arithmetic immediate instruction decoder
(space_cccc_001x()) was accidentally zero'ing out not only the Rn and
Rd arguments, but the lower nibble of the immediate argument as well
-- this patch fixes this.

Mainline commit: a3fd133c24e16d430ba21f3d9f5c0b8faeeb37fe

Signed-off-by: Lennert Buytenhek <buytenh@marvell.com>
Acked-by: Nicolas Pitre <nico@marvell.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agokprobes/arm: fix cache flush address for instruction stub
Nicolas Pitre [Thu, 1 May 2008 15:03:13 +0000 (11:03 -0400)]
kprobes/arm: fix cache flush address for instruction stub

It is more useful to flush the cache with the actual buffer address
rather than the address containing a pointer to the buffer.

Mainline commit: 8f79ff0cb5330a92032c30ff586745d3016b34ca

Signed-off-by: Nicolas Pitre <nico@marvell.com>
Acked-by: Lennert Buytenhek <buytenh@marvell.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agob43: Fix dual-PHY devices
Michael Buesch [Thu, 1 May 2008 10:31:44 +0000 (12:31 +0200)]
b43: Fix dual-PHY devices

commit 2e35af143a1380173ba292e48e9b4913ef16b4ee upstream

This fixes operation of dual-PHY (A/B/G) devices.
Do not anounce the A-PHY to mac80211, as that's not supported, yet.

Signed-off-by: Michael Buesch <mb@bu3sch.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoPOWERPC: mpc5200: Fix unterminated of_device_id table
Grant Likely [Tue, 6 May 2008 14:41:44 +0000 (08:41 -0600)]
POWERPC: mpc5200: Fix unterminated of_device_id table

commit bc775eac63c16dbcfabc4c6e949c0228edf3e11f upstream

If CONFIG_PPC_MPC5121 is not set, then the of_device_id table for the
mpc5200 serial driver will not get terminated with a NULL entry.

Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoreiserfs: Unpack tails on quota files
Jan Kara [Mon, 5 May 2008 11:42:12 +0000 (13:42 +0200)]
reiserfs: Unpack tails on quota files

commit d5dee5c395062a55236318ac4eec1f4ebb9de6db upstream

Quota files cannot have tails because quota_write and quota_read functions do
not support them. So far when quota files did have tail, we just refused to
turn quotas on it. Sadly this check has been wrong and so there are now plenty
installations where quota files don't have NOTAIL flag set and so now after
fixing the check, they suddently fail to turn quotas on. Since it's easy to
unpack the tail from kernel, do this from reiserfs_quota_on() which solves the
problem and is generally nicer to users anyway.

Signed-off-by: Jan Kara <jack@suse.cz>
Reported-by: <urhausen@urifabi.net>
Cc: Jeff Mahoney <jeffm@suse.com>
Cc: Chris Mason <chris.mason@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agosched: fix hrtick_start_fair and CPU-Hotplug
Peter Zijlstra [Tue, 6 May 2008 03:05:15 +0000 (03:05 +0000)]
sched: fix hrtick_start_fair and CPU-Hotplug

commit: b328ca182f01c2a04b85e0ee8a410720b104fbcc upstream

Gautham R Shenoy reported:

 > While running the usual CPU-Hotplug stress tests on linux-2.6.25,
 > I noticed the following in the console logs.
 >
 > This is a wee bit difficult to reproduce. In the past 10 runs I hit this
 > only once.
 >
 > ------------[ cut here ]------------
 >
 > WARNING: at kernel/sched.c:962 hrtick+0x2e/0x65()
 >
 > Just wondering if we are doing a good job at handling the cancellation
 > of any per-cpu scheduler timers during CPU-Hotplug.

This looks like its indeed not cancelled at all and migrates the it to
another cpu. Fix it via a proper hotplug notifier mechanism.

Reported-by: Gautham R Shenoy <ego@in.ibm.com>
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agovfs: fix permission checking in sys_utimensat
Miklos Szeredi [Thu, 1 May 2008 18:45:34 +0000 (18:45 +0000)]
vfs: fix permission checking in sys_utimensat

commit: 02c6be615f1fcd37ac5ed93a3ad6692ad8991cd9 upstream

If utimensat() is called with both times set to UTIME_NOW or one of them to
UTIME_NOW and the other to UTIME_OMIT, then it will update the file time
without any permission checking.

I don't think this can be used for anything other than a local DoS, but could
be quite bewildering at that (e.g.  "Why was that large source tree rebuilt
when I didn't modify anything???")

This affects all kernels from 2.6.22, when the utimensat() syscall was
introduced.

Fix by doing the same permission checking as for the "times == NULL" case.

Thanks to Michael Kerrisk, whose utimensat-non-conformances-and-fixes.patch in
-mm also fixes this (and breaks other stuff), only he didn't realize the
security implications of this bug.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Cc: Ulrich Drepper <drepper@redhat.com>
Cc: Michael Kerrisk <mtk-manpages@gmx.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agomd: fix use after free when removing rdev via sysfs
Dan Williams [Wed, 30 Apr 2008 18:55:30 +0000 (18:55 +0000)]
md: fix use after free when removing rdev via sysfs

commit: 6a51830e14529063cb2685921e1177d9af50e49a upstream

rdev->mddev is no longer valid upon return from entry->store() when the
'remove' command is given.

Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agomm: fix usemap initialization
KAMEZAWA Hiroyuki [Tue, 29 Apr 2008 17:25:19 +0000 (17:25 +0000)]
mm: fix usemap initialization

commit: 86051ca5eaf5e560113ec7673462804c54284456 upstream

usemap must be initialized only when pfn is within zone.  If not, it corrupts
memory.

And this patch also reduces the number of calls to set_pageblock_migratetype()
from
(pfn & (pageblock_nr_pages -1)
to
!(pfn & (pageblock_nr_pages-1)
it should be called once per pageblock.

Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Acked-by: Mel Gorman <mel@csn.ul.ie>
Cc: Hugh Dickins <hugh@veritas.com>
Cc: Shi Weihua <shiwh@cn.fujitsu.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Cc: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years ago2.6.25 regression: powertop says 120K wakeups/sec
Venkatesh Pallipadi [Thu, 10 Apr 2008 01:31:46 +0000 (21:31 -0400)]
2.6.25 regression: powertop says 120K wakeups/sec

commit 0fda6b403f0eca66ad8a7c946b3996e359100443 upstream

Patch to fix huge number of wakeups reported due to recent changes in
processor_idle.c. The problem was that the entry_method determination was
broken due to one of the recent commits (bc71bec91f987) causing
C1 entry to not to go to halt.

http://lkml.org/lkml/2008/3/22/124

Signed-off-by: Venkatesh Pallipadi <venkatesh.pallipadi@intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoLinux 2.6.25.2 v2.6.25.2
Greg Kroah-Hartman [Tue, 6 May 2008 23:21:32 +0000 (16:21 -0700)]
Linux 2.6.25.2

16 years agofix SMP ordering hole in fcntl_setlk() (CVE-2008-1669)
Al Viro [Tue, 6 May 2008 17:58:34 +0000 (13:58 -0400)]
fix SMP ordering hole in fcntl_setlk() (CVE-2008-1669)

commit 0b2bac2f1ea0d33a3621b27ca68b9ae760fca2e9 upstream.

fcntl_setlk()/close() race prevention has a subtle hole - we need to
make sure that if we *do* have an fcntl/close race on SMP box, the
access to descriptor table and inode->i_flock won't get reordered.

As it is, we get STORE inode->i_flock, LOAD descriptor table entry vs.
STORE descriptor table entry, LOAD inode->i_flock with not a single
lock in common on both sides.  We do have BKL around the first STORE,
but check in locks_remove_posix() is outside of BKL and for a good
reason - we don't want BKL on common path of close(2).

Solution is to hold ->file_lock around fcheck() in there; that orders
us wrt removal from descriptor table that preceded locks_remove_posix()
on close path and we either come first (in which case eviction will be
handled by the close side) or we'll see the effect of close and do
eviction ourselves.  Note that even though it's read-only access,
we do need ->file_lock here - rcu_read_lock() won't be enough to
order the things.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoLinux 2.6.25.1 v2.6.25.1
Greg Kroah-Hartman [Thu, 1 May 2008 21:45:25 +0000 (14:45 -0700)]
Linux 2.6.25.1

16 years agoFix dnotify/close race (CVE-2008-1375)
Al Viro [Thu, 1 May 2008 02:52:22 +0000 (03:52 +0100)]
Fix dnotify/close race (CVE-2008-1375)

commit 214b7049a7929f03bbd2786aaef04b8b79db34e2 upstream.

We have a race between fcntl() and close() that can lead to
dnotify_struct inserted into inode's list *after* the last descriptor
had been gone from current->files.

Since that's the only point where dnotify_struct gets evicted, we are
screwed - it will stick around indefinitely.  Even after struct file in
question is gone and freed.  Worse, we can trigger send_sigio() on it at
any later point, which allows to send an arbitrary signal to arbitrary
process if we manage to apply enough memory pressure to get the page
that used to host that struct file and fill it with the right pattern...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agodrivers/net/tehuti: use proper capability check for raw IO access
Linus Torvalds [Tue, 29 Apr 2008 18:45:16 +0000 (11:45 -0700)]
drivers/net/tehuti: use proper capability check for raw IO access

commit 6203554207728f43cfb9fd48585cd6500da73d42 in mainline.

Yeah, in practice they both mean "root", but Alan correctly points out
that anybody who gets to do raw IO space accesses should really be using
CAP_SYS_RAWIO rather than CAP_NET_ADMIN.

Pointed-out-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agohrtimer: raise softirq unlocked to avoid circular lock dependency
Thomas Gleixner [Tue, 29 Apr 2008 01:15:10 +0000 (01:15 +0000)]
hrtimer: raise softirq unlocked to avoid circular lock dependency

commit 0c96c5979a522c3323c30a078a70120e29b5bdbc upstream

The scheduler hrtimer bits in 2.6.25 introduced a circular lock
dependency in a rare code path:

=======================================================
[ INFO: possible circular locking dependency detected ]
2.6.25-sched-devel.git-x86-latest.git #19
-------------------------------------------------------
X/2980 is trying to acquire lock:
 (&rq->rq_lock_key#2){++..}, at: [<ffffffff80230146>] task_rq_lock+0x56/0xa0

but task is already holding lock:
 (&cpu_base->lock){++..}, at: [<ffffffff80257ae1>] lock_hrtimer_base+0x31/0x60

which lock already depends on the new lock.

The scenario which leads to this is:

posix-timer signal is delivered
 -> posix-timer is rearmed
    timer is already expired in hrtimer_enqueue()
     -> softirq is raised

To prevent this we need to move the raise of the softirq out of the
base->lock protected code path.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agox86: Fix 32-bit x86 MSI-X allocation leakage
PJ Waskiewicz [Mon, 28 Apr 2008 18:56:22 +0000 (11:56 -0700)]
x86: Fix 32-bit x86 MSI-X allocation leakage

commit 9d9ad4b51d2b29b5bbeb4011f5e76f7538119cf9 upstream

This bug was introduced in the 2.6.24 lguest merge, where
MSI-X vector allocation will eventually fail.  The cause is the new
bit array tracking used vectors is not getting cleared properly on
IRQ destruction on the 32-bit APIC code.

This can be seen easily using the ixgbe 10 GbE driver on multi-core
systems by simply loading and unloading the driver a few times.
Depending on the number of available vectors on the host system, the
MSI-X allocation will eventually fail, and the driver will only be
able to use legacy interrupts.

Signed-off-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoalpha: unbreak OSF/1 (a.out) binaries
Ivan Kokshaysky [Thu, 24 Apr 2008 12:54:50 +0000 (16:54 +0400)]
alpha: unbreak OSF/1 (a.out) binaries

commit 2444e56b0c08e6f3e3877583841a1213e3263d98 upstream

OSF/1 brk(2) was broken by following one-liner in sys_brk()
(commit 4cc6028d4040f95cdb590a87db478b42b8be0508):

- if (brk < mm->end_code)
+ if (brk < mm->start_brk)
goto out;

The problem is that osf_set_program_attributes()
does update mm->end_code, but not mm->start_brk,
which still contains inappropriate value left from
binary loader, so brk() always fails.

Signed-off-by: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoSCSI: qla2xxx: Correct regression in relogin code.
Andrew Vasquez [Sun, 27 Apr 2008 18:35:08 +0000 (18:35 +0000)]
SCSI: qla2xxx: Correct regression in relogin code.

commit: 666301e673e192c87a40e07a8357d6996b57b70f upstream

Commit 63a8651f2548c6bb5132c0b4e7dad4f57a9274db ([SCSI] qla2xxx:
Correct infinite-login-retry issue.) introduced a small
regression where a successful relogin would result in an fcport's
loop_id to be incorrectly reset to FC_NO_LOOP_ID.  Only clear-out
loopid, if retries have been 'truly' exhausted.

Signed-off-by: Andrew Vasquez <andrew.vasquez@qlogic.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoRDMA/nes: Fix adapter reset after PXE boot
Chien Tung [Sun, 27 Apr 2008 18:35:11 +0000 (18:35 +0000)]
RDMA/nes: Fix adapter reset after PXE boot

commit: bc5698f3ecc9587e1edb343a2878f8d228c49e0e upstream

After PXE boot, the iw_nes driver does a full reset to ensure the card
is in a clean state.  However, it doesn't wait for firmware to
complete its work before issuing a port reset to enable the ports,
which leads to problems bringing up the ports.

The solution is to wait for firmware to complete its work before
proceeding with port reset.

This bug was flagged by Roland Dreier <rolandd@cisco.com>.

Signed-off-by: Chien Tung <ctung@neteffect.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agohrtimer: timeout too long when using HRTIMER_CB_SOFTIRQ
Bodo Stroesser [Mon, 28 Apr 2008 17:15:50 +0000 (17:15 +0000)]
hrtimer: timeout too long when using HRTIMER_CB_SOFTIRQ

commit d7b41a24bfb5d7fa02f7b49be1293d468814e424 upstream

When using hrtimer with timer->cb_mode == HRTIMER_CB_SOFTIRQ
in some cases the clockevent is not programmed.
This happens, if:
 - a timer is rearmed while it's state is HRTIMER_STATE_CALLBACK
 - hrtimer_reprogram() returns -ETIME, when it is called after
   CALLBACK is finished. This occurs if the new timer->expires
   is in the past when CALLBACK is done.
In this case, the timer needs to be removed from the tree and put
onto the pending list again.

The patch is against 2.6.22.5, but AFAICS, it is relevant
for 2.6.25 also (in run_hrtimer_pending()).

Signed-off-by: Bodo Stroesser <bstroesser@fujitsu-siemens.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agomm: fix possible off-by-one in walk_pte_range()
Johannes Weiner [Mon, 28 Apr 2008 17:15:47 +0000 (17:15 +0000)]
mm: fix possible off-by-one in walk_pte_range()

commit 556637cdabcd5918c7d4a1a2679b8f86fc81e891 upstream

After the loop in walk_pte_range() pte might point to the first address after
the pmd it walks.  The pte_unmap() is then applied to something bad.

Spotted by Roel Kluin and Andreas Schwab.

Signed-off-by: Johannes Weiner <hannes@saeurebad.de>
Cc: Roel Kluin <12o3l@tiscali.nl>
Cc: Andreas Schwab <schwab@suse.de>
Acked-by: Matt Mackall <mpm@selenic.com>
Acked-by: Mikael Pettersson <mikpe@it.uu.se>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agodz: test after postfix decrement fails in dz_console_putchar()
Roel Kluin [Mon, 28 Apr 2008 17:15:41 +0000 (17:15 +0000)]
dz: test after postfix decrement fails in dz_console_putchar()

commit 1ecf0d0cd28a4bfed3009f752061998e52d14db2 upstream

When loops reaches 0 the postfix decrement still subtracts, so the subsequent
test fails.

Signed-off-by: Roel Kluin <12o3l@tiscali.nl>
Acked-by: Maciej W. Rozycki <macro@linux-mips.org>
Cc: Johannes Weiner <hannes@saeurebad.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agortc-pcf8583 build fix
David Brownell [Mon, 28 Apr 2008 17:15:29 +0000 (17:15 +0000)]
rtc-pcf8583 build fix

commit 77459b059b02c16b2c8cbc39b524941a576ad36e upstream

Fix bogus #include in rtc-pcf8583, so it compiles on platforms that
don't support PC clone RTCs.  (Original issue noted by Adrian Bunk.)

Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Cc: Adrian Bunk <bunk@kernel.org>
Acked-by: Alessandro Zummo <a.zummo@towertech.it>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoaio: io_getevents() should return if io_destroy() is invoked
Jeff Moyer [Mon, 28 Apr 2008 17:15:24 +0000 (17:15 +0000)]
aio: io_getevents() should return if io_destroy() is invoked

commit e92adcba261fd391591bb63c1703185a04a41554 upstream

This patch wakes up a thread waiting in io_getevents if another thread
destroys the context.  This was tested using a small program that spawns a
thread to wait in io_getevents while the parent thread destroys the io context
and then waits for the getevents thread to exit.  Without this patch, the
program hangs indefinitely.  With the patch, the program exits as expected.

Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
Cc: Zach Brown <zach.brown@oracle.com>
Cc: Christopher Smith <x@xman.org>
Cc: Benjamin LaHaise <bcrl@kvack.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agotehuti: move ioctl perm check closer to function start (CVE-2008-1675)
Jeff Garzik [Fri, 25 Apr 2008 07:11:31 +0000 (03:11 -0400)]
tehuti: move ioctl perm check closer to function start (CVE-2008-1675)

Commit f946dffed6334f08da065a89ed65026ebf8b33b4 upstream

Noticed by davem.

Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agotehuti: check register size (CVE-2008-1675)
Francois Romieu [Sun, 20 Apr 2008 17:32:34 +0000 (19:32 +0200)]
tehuti: check register size (CVE-2008-1675)

commit 6131a2601f42cd7fdbac0e960713396fe68af59f upstream

Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agob43: Workaround DMA quirks
Michael Buesch [Thu, 24 Apr 2008 18:06:11 +0000 (20:06 +0200)]
b43: Workaround DMA quirks

commit 1033b3ea11820ea1fb1b877207bd6724e9aaedc3 upstream

Some mainboards/CPUs don't allow DMA masks bigger than a certain limit.
Some VIA crap^h^h^h^hdevices have an upper limit of 0xFFFFFFFF. So in this
case a 64-bit b43 device would always fail to acquire the mask.
Implement a workaround to fallback to lower DMA mask, as we can always
also support a lower mask.

Signed-off-by: Michael Buesch <mb@bu3sch.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
16 years agob43: Add more btcoexist workarounds
Michael Buesch [Thu, 24 Apr 2008 18:04:38 +0000 (20:04 +0200)]
b43: Add more btcoexist workarounds

commit 9fc38458355525f801cd2ab403ac89850489a05e upstream

This adds more workarounds for devices with broken BT bits.

Signed-off-by: Michael Buesch <mb@bu3sch.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agob43: Workaround invalid bluetooth settings
Michael Buesch [Thu, 24 Apr 2008 18:02:41 +0000 (20:02 +0200)]
b43: Workaround invalid bluetooth settings

commit 1855ba7812dbd294fcfc083dc7d3b14d3b1f38db upstream.

This adds a workaround for invalid bluetooth SPROM settings
on ASUS PCI cards.
This will stop the microcode from poking with the BT GPIO line.
This fixes data transmission on this device, as the BT GPIO line
is used for something TX related on this device
(probably the power amplifier or the radio).
This also adds a modparam knob to help debugging this in the future,
as more devices with this bug may show up.

Signed-off-by: Michael Buesch <mb@bu3sch.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agossb: Fix all-ones boardflags
Larry Finger [Thu, 24 Apr 2008 18:00:45 +0000 (20:00 +0200)]
ssb: Fix all-ones boardflags

commit 4503183aa32e6886400d82282292934fa64a81b0 upstream

In the SSB SPROM a field set to all ones means the value
is not defined in the SPROM.
In case of the boardflags, we need to set them to zero
to avoid confusing drivers. Drivers will only check the
flags by ANDing.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Gabor Stefanik <netrolller.3d@gmail.com>
Signed-off-by: Michael Buesch <mb@bu3sch.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agox86, pci: fix off-by-one errors in some pirq warnings
Björn Steinbrink [Mon, 31 Mar 2008 02:22:53 +0000 (04:22 +0200)]
x86, pci: fix off-by-one errors in some pirq warnings

commit 223ac2f42d49dd0324ca02ea15897ead1a2f5133 upstream.

fix bogus pirq warnings reported in:

  http://bugzilla.kernel.org/show_bug.cgi?id=10366

safe to be backported to v2.6.25 and earlier.

Signed-off-by: Björn Steinbrink <B.Steinbrink@gmx.de>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoSELinux: no BUG_ON(!ss_initialized) in selinux_clone_mnt_opts
Eric Paris [Mon, 21 Apr 2008 20:24:11 +0000 (16:24 -0400)]
SELinux: no BUG_ON(!ss_initialized) in selinux_clone_mnt_opts

commit 0f5e64200f20fc8f5b759c4010082f577ab0af3f upstream

The Fedora installer actually makes multiple NFS mounts before it loads
selinux policy.  The code in selinux_clone_mnt_opts() assumed that the
init process would always be loading policy before NFS was up and
running.  It might be possible to hit this in a diskless environment as
well, I'm not sure.  There is no need to BUG_ON() in this situation
since we can safely continue given the circumstances.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoS2io: Version update for memory leak fix during free_tx_buffers
Sreenivasa Honnur [Fri, 25 Apr 2008 17:22:41 +0000 (13:22 -0400)]
S2io: Version update for memory leak fix during free_tx_buffers

commit 10371b5e6ba22173425877ea6a7040619b005fa1 upstream

- Updated version number.

Signed-off-by: Santosh Rastapur <santosh.rastapur@neterion.com>
Signed-off-by: Ramkrishna Vepa <ram.vepa@neterion.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoS2io: Fix memory leak during free_tx_buffers
Sreenivasa Honnur [Fri, 25 Apr 2008 17:21:40 +0000 (13:21 -0400)]
S2io: Fix memory leak during free_tx_buffers

commit b35b3b49fc6750806964048b31799c8782980ef9 upstream

- Fix the memory leak during free_tx_buffers.

Signed-off-by: Santosh Rastapur <santosh.rastapur@neterion.com>
Signed-off-by: Ramkrishna Vepa <ram.vepa@neterion.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoV4L: cx88: enable radio GPIO correctly
Steven Toth [Fri, 25 Apr 2008 00:52:40 +0000 (20:52 -0400)]
V4L: cx88: enable radio GPIO correctly

(cherry picked from commit 6b92b3bd7ac91b7e255541f4be9bfd55b12dae41)

This patch fixes an issue on the HVR1300, where GPIO is blown away due to
the radio input being undefined, breaking the functionality of the DVB
demodulator and MPEG2 encoder used on the cx8802 mpeg TS port.

This is a minimal patch for 2.6.26 and the -stable series.  This must be
fixed a better way for 2.6.27.

Signed-off-by: Steven Toth <stoth@hauppauge.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoV4L: tea5761: bugzilla #10462: tea5761 autodetection code were broken
Mauro Carvalho Chehab [Fri, 25 Apr 2008 00:52:33 +0000 (20:52 -0400)]
V4L: tea5761: bugzilla #10462: tea5761 autodetection code were broken

(cherry picked from commit 867e835f4db4eba6d49072382cc05fc210c4ed1c)

Fix bugzilla #10462: "tea5761 autodetection code were broken"

Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoV4L: Fix VIDIOCGAP corruption in ivtv
Alan Cox [Fri, 25 Apr 2008 00:52:24 +0000 (20:52 -0400)]
V4L: Fix VIDIOCGAP corruption in ivtv

(cherry picked from commit d2b213f7b76f187c4391079c7581d3a08b940133)

Frank Bennett reported that ivtv was causing skype to crash. With help
from one of their developers he showed it was a kernel problem.
VIDIOCGCAP copies a name into a fixed length buffer - ivtv uses names
that are too long and does not truncate them so corrupts a few bytes of
the app data area.

Possibly the names also want trimming but for now this should fix the
corruption case.

Signed-off-by: Alan Cox <alan@redhat.com>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoRDMA/nes: Free IRQ before killing tasklet
Roland Dreier [Fri, 18 Apr 2008 16:25:17 +0000 (16:25 +0000)]
RDMA/nes: Free IRQ before killing tasklet

commit: 4cd1e5eb3cbe6e0cc934959770b4c60eac6ecf66

Move the free_irq() call in nes_remove() to before the tasklet_kill();
otherwise there is a window after tasklet_kill() where a new interrupt
can be handled and reschedule the tasklet, leading to a use-after-free
crash.

Signed-off-by: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agocgroup: fix a race condition in manipulating tsk->cg_list
Li Zefan [Fri, 18 Apr 2008 16:25:10 +0000 (16:25 +0000)]
cgroup: fix a race condition in manipulating tsk->cg_list

commit: 0e04388f0189fa1f6812a8e1cb6172136eada87e

When I ran a test program to fork mass processes and at the same time
'cat /cgroup/tasks', I got the following oops:

  ------------[ cut here ]------------
  kernel BUG at lib/list_debug.c:72!
  invalid opcode: 0000 [#1] SMP
  Pid: 4178, comm: a.out Not tainted (2.6.25-rc9 #72)
  ...
  Call Trace:
   [<c044a5f9>] ? cgroup_exit+0x55/0x94
   [<c0427acf>] ? do_exit+0x217/0x5ba
   [<c0427ed7>] ? do_group_exit+0.65/0x7c
   [<c0427efd>] ? sys_exit_group+0xf/0x11
   [<c0404842>] ? syscall_call+0x7/0xb
   [<c05e0000>] ? init_cyrix+0x2fa/0x479
  ...
  EIP: [<c04df671>] list_del+0x35/0x53 SS:ESP 0068:ebc7df4
  ---[ end trace caffb7332252612b ]---
  Fixing recursive fault but reboot is needed!

After digging into the code and debugging, I finlly found out a race
situation:

do_exit()
  ->cgroup_exit()
    ->if (!list_empty(&tsk->cg_list))
        list_del(&tsk->cg_list);

  cgroup_iter_start()
    ->cgroup_enable_task_cg_list()
      ->list_add(&tsk->cg_list, ..);

In this case the list won't be deleted though the process has exited.

We got two bug reports in the past, which seem to be the same bug as
this one:
http://lkml.org/lkml/2008/3/5/332
http://lkml.org/lkml/2007/10/17/224

Actually sometimes I got oops on list_del, sometimes oops on list_add.
And I can change my test program a bit to trigger other oops.

The patch has been tested both on x86_32 and x86_64.

Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
Acked-by: Paul Menage <menage@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agodm snapshot: fix chunksize sector conversion
Mikulas Patocka [Fri, 25 Apr 2008 20:05:39 +0000 (20:05 +0000)]
dm snapshot: fix chunksize sector conversion

commit: 924362629bf5645aee5f49f8a0d0d5b193e65997

If a snapshot has a smaller chunksize than the page size the
conversion to pages currently returns 0 instead of 1, causing:
kernel BUG in mempool_resize.

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Milan Broz <mbroz@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoUSB: OHCI: fix bug in controller resume
Alan Stern [Fri, 25 Apr 2008 20:05:46 +0000 (20:05 +0000)]
USB: OHCI: fix bug in controller resume

commit: 0d22f65515307c878ddd20b1305cce925ca9516c

This patch (as1063) fixes a bug in the way ohci-hcd resumes its
controllers.  It leaves the Master Interrupt Enable bit turned off.

If the root hub is resumed immediately this won't matter.  But if the
root hub is suspended (say because no devices are plugged in), it won't
ever wake up by itself.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: David Brownell <david-b@pacbell.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoIPSEC: Fix catch-22 with algorithm IDs above 31
Herbert Xu [Fri, 25 Apr 2008 08:41:47 +0000 (01:41 -0700)]
IPSEC: Fix catch-22 with algorithm IDs above 31

[ Upstream commit: c5d18e984a313adf5a1a4ae69e0b1d93cf410229 ]

As it stands it's impossible to use any authentication algorithms
with an ID above 31 portably.  It just happens to work on x86 but
fails miserably on ppc64.

The reason is that we're using a bit mask to check the algorithm
ID but the mask is only 32 bits wide.

After looking at how this is used in the field, I have concluded
that in the long term we should phase out state matching by IDs
because this is made superfluous by the reqid feature.  For current
applications, the best solution IMHO is to allow all algorithms when
the bit masks are all ~0.

The following patch does exactly that.

This bug was identified by IBM when testing on the ppc64 platform
using the NULL authentication algorithm which has an ID of 251.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agonet: Fix wrong interpretation of some copy_to_user() results.
Pavel Emelyanov [Fri, 25 Apr 2008 08:49:48 +0000 (01:49 -0700)]
net: Fix wrong interpretation of some copy_to_user() results.

[ Upstream commit: 653252c2302cdf2dfbca66a7e177f7db783f9efa ]

I found some places, that erroneously return the value obtained from
the copy_to_user() call: if some amount of bytes were not able to get
to the user (this is what this one returns) the proper behavior is to
return the -EFAULT error, not that number itself.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agorose: Socket lock was not released before returning to user space
Bernard Pidoux [Fri, 25 Apr 2008 08:42:36 +0000 (01:42 -0700)]
rose: Socket lock was not released before returning to user space

[ Upstream commit: 43837b1e6c5aef803d57009a68db18df13e64892 ]

================================================
[ BUG: lock held when returning to user space! ]
------------------------------------------------
xfbbd/3683 is leaving the kernel with locks still held!
1 lock held by xfbbd/3683:
  #0:  (sk_lock-AF_ROSE){--..}, at: [<c8cd1eb3>] rose_connect+0x73/0x420 [rose]

INFO: task xfbbd:3683 blocked for more than 120 seconds.
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
xfbbd         D 00000246     0  3683   3669
        c6965ee0 00000092 c02c5c40 00000246 c0f6b5f0 c0f6b5c0 c0f6b5f0 c0f6b5c0
        c0f6b614 c6965f18 c024b74b ffffffff c06ba070 00000000 00000000 00000001
        c6ab07c0 c012d450 c0f6b634 c0f6b634 c7b5bf10 c0d6004c c7b5bf10 c6965f40
Call Trace:
  [<c024b74b>] lock_sock_nested+0x6b/0xd0
  [<c012d450>] ? autoremove_wake_function+0x0/0x40
  [<c02488f1>] sock_fasync+0x41/0x150
  [<c0249e69>] sock_close+0x19/0x40
  [<c0175d54>] __fput+0xb4/0x170
  [<c0176018>] fput+0x18/0x20
  [<c017300e>] filp_close+0x3e/0x70
  [<c01744e9>] sys_close+0x69/0xb0
  [<c0103bda>] sysenter_past_esp+0x5f/0xa5
  =======================
INFO: lockdep is turned off.

Signed-off-by: Bernard Pidoux <f6bvp@amsat.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoRTNETLINK: Fix bogus ASSERT_RTNL warning
Patrick McHardy [Thu, 24 Apr 2008 05:10:48 +0000 (22:10 -0700)]
RTNETLINK: Fix bogus ASSERT_RTNL warning

[ Upstream commit: c9c1014b2bd014c7ec037bbb6f58818162fdb265 ]

ASSERT_RTNL uses mutex_trylock to test whether the rtnl_mutex is
held. This bogus warnings when running in atomic context, which
f.e. happens when adding secondary unicast addresses through
macvlan or vlan or when synchronizing multicast addresses from
wireless devices.

Mid-term we might want to consider moving all address updates
to process context since the locking seems overly complicated,
for now just fix the bogus warning by changing ASSERT_RTNL to
use mutex_is_locked().

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoTCP: Increase the max_burst threshold from 3 to tp->reordering.
John Heffner [Fri, 25 Apr 2008 08:43:57 +0000 (01:43 -0700)]
TCP: Increase the max_burst threshold from 3 to tp->reordering.

[ Upstream commit: dd9e0dda66ba38a2ddd1405ac279894260dc5c36 ]

This change is necessary to allow cwnd to grow during persistent
reordering.  Cwnd moderation is applied when in the disorder state
and an ack that fills the hole comes in.  If the hole was greater
than 3 packets, but less than tp->reordering, cwnd will shrink when
it should not have.

Signed-off-by: John Heffner <jheffner@napa.none>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agotcp: tcp_probe buffer overflow and incorrect return value
Tom Quetchenbach [Fri, 25 Apr 2008 08:45:32 +0000 (01:45 -0700)]
tcp: tcp_probe buffer overflow and incorrect return value

[ Upstream commit: 8d390efd903485923419584275fd0c2aa4c94183 ]

tcp_probe has a bounds-checking bug that causes many programs (less,
python) to crash reading /proc/net/tcp_probe. When it outputs a log
line to the reader, it only checks if that line alone will fit in the
reader's buffer, rather than that line and all the previous lines it
has already written.

tcpprobe_read also returns the wrong value if copy_to_user fails--it
just passes on the return value of copy_to_user (number of bytes not
copied), which makes a failure look like a success.

This patch fixes the buffer overflow and sets the return value to
-EFAULT if copy_to_user fails.

Patch is against latest net-2.6; tested briefly and seems to fix the
crashes in less and python.

Signed-off-by: Tom Quetchenbach <virtualphtn@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agotg3: 5701 DMA corruption fix
Matt Carlson [Fri, 25 Apr 2008 08:46:46 +0000 (01:46 -0700)]
tg3: 5701 DMA corruption fix

[ Upstream commit: 41588ba1ae166eaba0a70abf2d7ff064ad9331d3 ]

Herbert Xu's commit fb93134dfc2a6e6fbedc7c270a31da03fce88db9, entitled
"[TCP]: Fix size calculation in sk_stream_alloc_pskb", has triggered a
bug in the 5701 where the 5701 DMA engine will corrupt outgoing
packets.  This problem only happens when the starting address of the
packet matches a certain range of offsets and only when the 5701 is
placed downstream of a particular Intel bridge.

This patch detects the problematic bridge and if present, readjusts the
starting address of the packet data to a dword aligned boundary.

Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoJFFS2: Fix free space leak with in-band cleanmarkers
David Woodhouse [Wed, 23 Apr 2008 10:15:35 +0000 (11:15 +0100)]
JFFS2: Fix free space leak with in-band cleanmarkers

We were accounting for the cleanmarker by calling jffs2_link_node_ref()
(without locking!), which adjusted both superblock and per-eraseblock
accounting, subtracting the size of the cleanmarker from {jeb,c}->free_size
and adding it to {jeb,c}->used_size.

But only _then_ were we adding the size of the newly-erased block back
to the superblock counts, and we were adding each of jeb->{free,used}_size
to the corresponding superblock counts. Thus, the size of the cleanmarker
was effectively subtracted from the superblock's free_size _twice_.

Fix this, by always adding a full eraseblock size to c->free_size when
we've erased a block. And call jffs2_link_node_ref() under the proper
lock, while we're at it.

Thanks to Alexander Yurchenko and/or Damir Shayhutdinov for (almost)
pinpointing the problem.

[Backport of commit 014b164e1392a166fe96e003d2f0e7ad2e2a0bb7]

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoUSB: Add HP hs2300 Broadband Wireless Module to sierra.c
Stefan Seyfried [Fri, 25 Apr 2008 20:05:51 +0000 (20:05 +0000)]
USB: Add HP hs2300 Broadband Wireless Module to sierra.c

commit 8f7f85e9f9561507b009d26395c53e70758695ec upstream

Add the HP hs2300 Broadband Wireless Module (relabeled MC8775) USB IDs

Signed-off-by: Stefan Seyfried <seife@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoUSB: log an error message when USB enumeration fails
Alan Stern [Fri, 25 Apr 2008 20:05:44 +0000 (20:05 +0000)]
USB: log an error message when USB enumeration fails

commit: 6427f7995338387ddded92f98adec19ddbf0ae5e

This patch (as1077) logs an error message whenever the kernel is
unable to enumerate a new USB device.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoLinux 2.6.25 v2.6.25
Linus Torvalds [Thu, 17 Apr 2008 02:49:44 +0000 (19:49 -0700)]
Linux 2.6.25

16 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/bart/ide-2.6
Linus Torvalds [Thu, 17 Apr 2008 01:58:37 +0000 (18:58 -0700)]
Merge git://git.kernel.org/pub/scm/linux/kernel/git/bart/ide-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/bart/ide-2.6:
  it821x: do not describe noraid parameter with its value
  Pb1200/DBAu1200: fix bad IDE resource size
  Au1200: IDE driver build fix
  Au1200: kill IDE driver function prototypes
  avr32 mustn't select HAVE_IDE

16 years agoit821x: do not describe noraid parameter with its value
Paul Bolle [Wed, 16 Apr 2008 23:14:33 +0000 (01:14 +0200)]
it821x: do not describe noraid parameter with its value

Describe noraid parameter with its name (and not its value).

Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
16 years agoPb1200/DBAu1200: fix bad IDE resource size
Sergei Shtylyov [Wed, 16 Apr 2008 23:14:33 +0000 (01:14 +0200)]
Pb1200/DBAu1200: fix bad IDE resource size

The header files for the Pb1200/DBAu1200 boards have wrong definition for the
IDE interface's decoded range length -- it should be 512 bytes according to
what the IDE driver does.  In addition, the IDE platform device claims 1 byte
too many for its memory resource -- fix the platform code and the IDE driver
in accordance.

Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
16 years agoAu1200: IDE driver build fix
Sergei Shtylyov [Wed, 16 Apr 2008 23:14:33 +0000 (01:14 +0200)]
Au1200: IDE driver build fix

The driver fails to compile with CONFIG_BLK_DEV_IDE_AU1XXX_MDMA2_DBDMA enabled:

drivers/ide/mips/au1xxx-ide.c: In function `auide_build_dmatable':
drivers/ide/mips/au1xxx-ide.c:256: error: implicit declaration of function
`sg_virt'
drivers/ide/mips/au1xxx-ide.c:275: error: implicit declaration of function
`sg_next'
drivers/ide/mips/au1xxx-ide.c:275: warning: assignment makes pointer from
integer without a cast

Fix this by including <linux/scatterlist.h>. While at it, remove the #include's
without which the driver happily builds.

Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
16 years agoAu1200: kill IDE driver function prototypes
Sergei Shtylyov [Wed, 16 Apr 2008 23:14:33 +0000 (01:14 +0200)]
Au1200: kill IDE driver function prototypes

Fix these warnings emitted when compiling drivers/ide/mips/au1xxx-ide.c:

include/asm/mach-au1x00/au1xxx_ide.h:137: warning: 'auide_tune_drive' declared
`static' but never defined
include/asm/mach-au1x00/au1xxx_ide.h:138: warning: 'auide_tune_chipset' declared
 `static' but never defined

by wiping out the whole "function prototyping" section from the header file
<asm-mips/mach-au1x00/au1xxx_ide.h> as it mostly declared functions that are
already dead in the IDE driver; move the only useful prototype into the driver.

Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
16 years agoavr32 mustn't select HAVE_IDE
Adrian Bunk [Wed, 16 Apr 2008 23:14:32 +0000 (01:14 +0200)]
avr32 mustn't select HAVE_IDE

There's a libata based PATA driver for avr32, but no support for
drivers/ide/ on avr32.

This patch fixes the following compile error:

<--  snip  -->

...
  CC [M]  drivers/ide/ide-cd.o
In file included from /home/bunk/linux/kernel-2.6/git/linux-2.6/drivers/ide/ide-cd.c:37:
/home/bunk/linux/kernel-2.6/git/linux-2.6/include/linux/ide.h:209:21: error: asm/ide.h: No such file or directory
make[3]: *** [drivers/ide/ide-cd.o] Error 1

<--  snip  -->

Signed-off-by: Adrian Bunk <bunk@kernel.org>
Cc: Haavard Skinnemoen <hskinnemoen@atmel.com>
Acked-by: Sam Ravnborg <sam@ravnborg.org>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
16 years agoMerge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block
Linus Torvalds [Wed, 16 Apr 2008 14:45:45 +0000 (07:45 -0700)]
Merge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block

* 'for-linus' of git://git.kernel.dk/linux-2.6-block:
  block: update git url for blktrace
  io context: increment task attachment count in ioc_task_link()

16 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6
Linus Torvalds [Wed, 16 Apr 2008 14:45:05 +0000 (07:45 -0700)]
Merge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6:
  USB: remove broken usb-serial num_endpoints check
  USB: option: Add new vendor ID and device ID for AMOI HSDPA modem
  USB: support more Huawei data card product IDs
  USB: option.c: add more device IDs
  USB: Obscure Maxon BP3-USB Device Support 16d8:6280 for option driver

16 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6
Linus Torvalds [Wed, 16 Apr 2008 14:44:27 +0000 (07:44 -0700)]
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
  [TCP]: Add return value indication to tcp_prune_ofo_queue().
  PS3: gelic: fix the oops on the broken IE returned from the hypervisor
  b43legacy: fix DMA mapping leakage
  mac80211: remove message on receiving unexpected unencrypted frames
  Update rt2x00 MAINTAINERS entry
  Add rfkill to MAINTAINERS file
  rfkill: Fix device type check when toggling states
  b43legacy: Fix usage of struct device used for DMAing
  ssb: Fix usage of struct device used for DMAing
  MAINTAINERS: move to generic repository for iwlwifi
  b43legacy: fix initvals loading on bcm4303
  rtl8187: Add missing priv->vif assignments
  netconsole: only set CON_PRINTBUFFER if the user specifies a netconsole
  [CAN]: Update documentation of struct sockaddr_can
  MAINTAINERS: isdn4linux@listserv.isdn4linux.de is subscribers-only
  [TCP]: Fix never pruned tcp out-of-order queue.
  [NET_SCHED] sch_api: fix qdisc_tree_decrease_qlen() loop

16 years agoAFS: Do not describe debug parameters with their value
Paul Bolle [Wed, 16 Apr 2008 10:08:22 +0000 (11:08 +0100)]
AFS: Do not describe debug parameters with their value

Describe debug parameters with their names (and not their values).

Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
16 years agoUSB: remove broken usb-serial num_endpoints check
Greg Kroah-Hartman [Mon, 14 Apr 2008 21:17:29 +0000 (14:17 -0700)]
USB: remove broken usb-serial num_endpoints check

The num_interrupt_in, num_bulk_in, and other checks in the usb-serial
code are just wrong, there are too many different devices out there with
different numbers of endpoints.  We need to just be sticking with the
device ids instead of trying to catch this kind of thing.  It broke too
many different devices.

This fixes a large number of usb-serial devices to get them working
properly again.

Cc: Oliver Neukum <oliver@neukum.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoUSB: option: Add new vendor ID and device ID for AMOI HSDPA modem
tang kai [Mon, 14 Apr 2008 02:06:35 +0000 (10:06 +0800)]
USB: option: Add new vendor ID and device ID for AMOI HSDPA modem

This patch add new vendor ID and device ID  for AMOI HSDPA modem.

From: tang kai <tangk73@hotmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoUSB: support more Huawei data card product IDs
fangxiaozhi [Thu, 10 Apr 2008 06:51:06 +0000 (14:51 +0800)]
USB: support more Huawei data card product IDs

 - declare the unusal device for Huawei data card devices in
   unusual_devs.h
 - disable the product ID matching for Huawei data card devices in
   usb_match_device function of driver.c
 - declare the product IDs in option.c.

Signed-off-by: fangxiaozhi <huananhu@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoUSB: option.c: add more device IDs
Matthias Urlichs [Thu, 10 Apr 2008 08:13:32 +0000 (10:13 +0200)]
USB: option.c: add more device IDs

Add devices by AMOI and NovatelWireless.

Signed-Off-By: Matthias Urlichs <matthias@urlichs.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>