]> git.karo-electronics.de Git - karo-tx-linux.git/log
karo-tx-linux.git
14 years agotty: cp210x: Fix carrier handling
Alan Cox [Wed, 28 Oct 2009 20:12:33 +0000 (21:12 +0100)]
tty: cp210x: Fix carrier handling

commit d94c7bd4c1361cab58a21d530078c5673863dcc2 upstream.

Original discussion:
http://thread.gmane.org/gmane.linux.usb.general/23217/focus=23248
or
http://marc.info/?l=linux-usb&m=125553790714133&w=2

9a68e39d4a701fb3be03cae9b462408664ebd205 broke carrier handling so that a
cp210x setup which needed the carrier lines set up (non CLOCAL) which did
not make a call which set the termios bits left the lines down even if
CLOCAL was not asserted.

Fix this not by reverting but by adding the proper dtr_rts and
carrier_raised methods. This both sets the modem lines properly and also
implements the correct blocking semantics for the port as required by
POSIX.

Signed-off-by: Alan Cox <alan@linux.intel.com>
Reported-by: Karl Hiramoto <karl@hiramoto.org>
Tested-by: Karl Hiramoto <karl@hiramoto.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agotty_port: If we are opened non blocking we still need to raise the carrier
Alan Cox [Wed, 28 Oct 2009 20:12:32 +0000 (21:12 +0100)]
tty_port: If we are opened non blocking we still need to raise the carrier

commit 4175f3e31cc7157669aa66d46dc79de6ae0126ce upstream.

Original discussion:
http://thread.gmane.org/gmane.linux.usb.general/23217/focus=23248
or
http://marc.info/?l=linux-usb&m=125553790714133&w=2

The tty_port code inherited a bug common to various drivers it was based
upon. If the tty is opened O_NONBLOCK we do not wait for the carrier to be
raised but we must still raise our modem lines if appropriate.

(There is a second question here about whether we should do so if CLOCAL is
 set but that can wait)

Signed-off-by: Alan Cox <alan@linux.intel.com>
Reported-by: Karl Hiramoto <karl@hiramoto.org>
Tested-by: Karl Hiramoto <karl@hiramoto.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agopage allocator: always wake kswapd when restarting an allocation attempt after direct...
Mel Gorman [Wed, 11 Nov 2009 22:26:14 +0000 (14:26 -0800)]
page allocator: always wake kswapd when restarting an allocation attempt after direct reclaim failed

commit cc4a6851466039a8a688c843962a05689059ff3b upstream.

If a direct reclaim makes no forward progress, it considers whether it
should go OOM or not.  Whether OOM is triggered or not, it may retry the
allocation afterwards.  In times past, this would always wake kswapd as
well but currently, kswapd is not woken up after direct reclaim fails.
For order-0 allocations, this makes little difference but if there is a
heavy mix of higher-order allocations that direct reclaim is failing for,
it might mean that kswapd is not rewoken for higher orders as much as it
did previously.

This patch wakes up kswapd when an allocation is being retried after a
direct reclaim failure.  It would be expected that kswapd is already
awake, but this has the effect of telling kswapd to reclaim at the higher
order as well.

Signed-off-by: Mel Gorman <mel@csn.ul.ie>
Reviewed-by: Christoph Lameter <cl@linux-foundation.org>
Reviewed-by: Pekka Enberg <penberg@cs.helsinki.fi>
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agopage allocator: Do not allow interrupts to use ALLOC_HARDER
Mel Gorman [Wed, 11 Nov 2009 22:26:17 +0000 (14:26 -0800)]
page allocator: Do not allow interrupts to use ALLOC_HARDER

commit 9d0ed60fe9cd1fbf57f755cd27a23ae9114d7210 upstream.

Commit 341ce06f69abfafa31b9468410a13dbd60e2b237 ("page allocator:
calculate the alloc_flags for allocation only once") altered watermark
logic slightly by allowing rt_tasks that are handling an interrupt to set
ALLOC_HARDER.  This patch brings the watermark logic more in line with
2.6.30.

This change results in a reduction of the number high-order GFP_ATOMIC
allocation failures reported.  See
http://www.gossamer-threads.com/lists/linux/kernel/1144153

[rientjes@google.com: Spotted the problem]
Signed-off-by: Mel Gorman <mel@csn.ul.ie>
Reviewed-by: Pekka Enberg <penberg@cs.helsinki.fi>
Reviewed-by: Rik van Riel <riel@redhat.com>
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Cc: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agopidns: fix a leak in /proc dentries and inodes with pid namespaces.
Sukadev Bhattiprolu [Wed, 11 Nov 2009 22:26:32 +0000 (14:26 -0800)]
pidns: fix a leak in /proc dentries and inodes with pid namespaces.

commit 29f12ca32122db98481150be09d35bd72b68045e upstream.

Daniel Lezcano reported a leak in 'struct pid' and 'struct pid_namespace'
that is discussed in:

http://lkml.org/lkml/2009/10/2/159.

To summarize the thread, when container-init is terminated, it sets the
PF_EXITING flag, zaps other processes in the container and waits to reap
them.  As a part of reaping, the container-init should flush any /proc
dentries associated with the processes.  But because the container-init is
itself exiting and the following PF_EXITING check, the dentries are not
flushed, resulting in leak in /proc inodes and dentries.

This fix reverts the commit 7766755a2f249e7e0 ("Fix /proc dcache deadlock
in do_exit") which introduced the check for PF_EXITING.  At the time of
the commit, shrink_dcache_parent() flushed dentries from other filesystems
also and could have caused a deadlock which the commit fixed.  But as
pointed out by Eric Biederman, after commit 0feae5c47aabdde59,
shrink_dcache_parent() no longer affects other filesystems.  So reverting
the commit is now safe.

As pointed out by Jan Kara, the leak is not as critical since the
unclaimed space will be reclaimed under memory pressure or by:

echo 3 > /proc/sys/vm/drop_caches

But since this check is no longer required, its best to remove it.

Signed-off-by: Sukadev Bhattiprolu <sukadev@us.ibm.com>
Reported-by: Daniel Lezcano <dlezcano@fr.ibm.com>
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Acked-by: Jan Kara <jack@ucw.cz>
Cc: Andrea Arcangeli <andrea@cpushare.com>
Cc: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agomemcg: fix wrong pointer initialization at page migration when memcg is disabled.
KAMEZAWA Hiroyuki [Wed, 11 Nov 2009 22:26:26 +0000 (14:26 -0800)]
memcg: fix wrong pointer initialization at page migration when memcg is disabled.

commit e00e431612c3a6e437a01f2129fd3843da0c982a upstream.

Lee Schermerhorn reported that he saw bad pointer dereference in
mem_cgroup_end_migration() when he disabled memcg by boot option.

memcg's page migration logic works as

mem_cgroup_prepare_migration(page, &ptr);
do page migration
mem_cgroup_end_migration(page, ptr);

Now, ptr is not initialized in prepare_migration when memcg is disabled
by boot option. This causes panic in end_migration. This patch fixes it.

Reported-by: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
Cc: Balbir Singh <balbir@in.ibm.com>
Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Reviewed-by: Daisuke Nishimura <nishimura@mxp.nes.nec.co.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agofs: add missing compat_ptr handling for FS_IOC_RESVSP ioctl
Heiko Carstens [Wed, 11 Nov 2009 22:26:34 +0000 (14:26 -0800)]
fs: add missing compat_ptr handling for FS_IOC_RESVSP ioctl

commit 7779d7bed950a7fb1af4f540c2f82a6b81b65901 upstream.

For FS_IOC_RESVSP and FS_IOC_RESVSP64 compat_sys_ioctl() uses its
arg argument as a pointer to userspace. However it is missing a
a call to compat_ptr() which will do a proper pointer conversion.

This was introduced with 3e63cbb1 "fs: Add new pre-allocation ioctls
to vfs for compatibility with legacy xfs ioctls".

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Ankit Jain <me@ankitjain.org>
Acked-by: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Acked-by: Arnd Bergmann <arndbergmann@googlemail.com>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agortc: v3020: fix v3020_mmio_read_bit()
Scott Valentine [Wed, 11 Nov 2009 22:26:49 +0000 (14:26 -0800)]
rtc: v3020: fix v3020_mmio_read_bit()

commit bcb3a1676b87effbdeffe8da5c44f63433d158d9 upstream.

v3020_mmio_read_bit() always returns 0 when left_shift > 7.

v3020_mmio_read_bit()'s return type is (unsigned char).  The code returns
a value masked by (1 << left_shift) that is casted to the return type.  If
left_shift is larger than 7, the cast will always result in a 0 return
value.  The problem was discovered with left_shift = 16, and the included
patch corrects the problem.

The bug was introduced in the last (Apr 3 2009) commit of the file, kernel
versions 2.6.30 and later.

Cc: Alessandro Zummo <a.zummo@towertech.it>
Cc: Paul Gortmaker <p_gortmaker@yahoo.com>
Cc: Raphael Assenat <raph@8d.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agopps: locking scheme fix up for PPS_GETPARAMS
Rodolfo Giometti [Wed, 11 Nov 2009 22:26:52 +0000 (14:26 -0800)]
pps: locking scheme fix up for PPS_GETPARAMS

commit cbf83cc5a29dba480cf1ba1c5e3417a0d4a31410 upstream.

Userland programs may read/write PPS parameters at same time and these
operations may corrupt PPS data.

Signed-off-by: Rodolfo Giometti <giometti@linux.it>
Tested-by: Reg Clemens <clemens@dwf.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agopps: events reporting fix up
Rodolfo Giometti [Wed, 11 Nov 2009 22:26:54 +0000 (14:26 -0800)]
pps: events reporting fix up

commit 276b282e904f690dc930f9bc946110651f297669 upstream.

PPS events must be recorded according to PPS's mode settings.

If a process asks for (i.e.) capture-assert events only, when the PPS
client calls the pps_event() function to save the current PPS event, we
should verify the event type and then discard unwanted ones.

Also, without this patch userland processes waiting for a specific PPS
event (assert or clear but not both) may be awakened at wrong time.

Signed-off-by: Rodolfo Giometti <giometti@linux.it>
Tested-by: William S. Brasher <billb958@door.net>
Tested-by: Reg Clemens <clemens@dwf.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agouids: Prevent tear down race
Thomas Gleixner [Mon, 2 Nov 2009 12:01:56 +0000 (13:01 +0100)]
uids: Prevent tear down race

commit b00bc0b237055b4c45816325ee14f0bd83e6f590 upstream.

Ingo triggered the following warning:

WARNING: at lib/debugobjects.c:255 debug_print_object+0x42/0x50()
Hardware name: System Product Name
ODEBUG: init active object type: timer_list
Modules linked in:
Pid: 2619, comm: dmesg Tainted: G        W  2.6.32-rc5-tip+ #5298
Call Trace:
 [<81035443>] warn_slowpath_common+0x6a/0x81
 [<8120e483>] ? debug_print_object+0x42/0x50
 [<81035498>] warn_slowpath_fmt+0x29/0x2c
 [<8120e483>] debug_print_object+0x42/0x50
 [<8120ec2a>] __debug_object_init+0x279/0x2d7
 [<8120ecb3>] debug_object_init+0x13/0x18
 [<810409d2>] init_timer_key+0x17/0x6f
 [<81041526>] free_uid+0x50/0x6c
 [<8104ed2d>] put_cred_rcu+0x61/0x72
 [<81067fac>] rcu_do_batch+0x70/0x121

debugobjects warns about an enqueued timer being initialized. If
CONFIG_USER_SCHED=y the user management code uses delayed work to
remove the user from the hash table and tear down the sysfs objects.

free_uid is called from RCU and initializes/schedules delayed work if
the usage count of the user_struct is 0. The init/schedule happens
outside of the uidhash_lock protected region which allows a concurrent
caller of find_user() to reference the about to be destroyed
user_struct w/o preventing the work from being scheduled. If the next
free_uid call happens before the work timer expired then the active
timer is initialized and the work scheduled again.

The race was introduced in commit 5cb350ba (sched: group scheduling,
sysfs tunables) and made more prominent by commit 3959214f (sched:
delayed cleanup of user_struct)

Move the init/schedule_delayed_work inside of the uidhash_lock
protected region to prevent the race.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Dhaval Giani <dhaval@linux.vnet.ibm.com>
Cc: Paul E. McKenney <paulmck@us.ibm.com>
Cc: Kay Sievers <kay.sievers@vrfy.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoV4L/DVB (13230): s2255drv: Don't conditionalize video buffer completion on waiting...
Mike Isely [Wed, 23 Sep 2009 21:06:57 +0000 (18:06 -0300)]
V4L/DVB (13230): s2255drv: Don't conditionalize video buffer completion on waiting processes

commit 1f95725755ab67f3198df3b5bf7517f926f310ca upstream.

The s2255 driver had logic which aborted processing of a video frame
if there was no process waiting on the video buffer in question.  That
simply doesn't work when the application is doing things in an
asynchronous manner.  If the application went to the trouble to queue
the buffer in the first place, then the driver should always attempt
to complete it - even if the application at that moment has its
attention turned elsewhere.  Applications which always blocked waiting
for I/O on the capture device would not have been affected by this.
Applications which *mostly* blocked waiting for I/O on the capture
device probably only would have been somewhat affected (frame lossage,
at a rate which goes up as the application blocks less).  Applications
which never blocked on the capture device (e.g. polling only) however
would never have been able to receive any video frames, since in that
case this "is anyone waiting on this?" check on the buffer never would
have evalutated true.  This patch just deletes that harmful check
against the buffer's wait queue.

Signed-off-by: Mike Isely <isely@pobox.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Michael Krufky <mkrufky@kernellabs.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoV4L/DVB (13079): dib0700: fixed xc2028 firmware loading kernel oops
Martin Samek [Thu, 1 Oct 2009 01:59:09 +0000 (22:59 -0300)]
V4L/DVB (13079): dib0700: fixed xc2028 firmware loading kernel oops

commit 7646b9de26c54cf4bc9c446d7ada9f91ece31e0a upstream.

Fixing kernel oops when driver attemps to load xc2028 firmware.

Note by djh: the patch contribute by Martin is a port of a fix I made during
the PCTV 340e development.  It's a temporary workaround that fixes a regression
(an OOPS condition) and the real fix should be in the code that manages the
i2c master on the dib7000p.  But this fix does address the immmediate
regression and should be merged upstream until we do a cleaner fix.

Signed-off-by: Martin Samek <martin@marsark.sytes.net>
Signed-off-by: Devin Heitmueller <dheitmueller@kernellabs.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Michael Krufky <mkrufky@kernellabs.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoV4L/DVB (13190): em28xx: fix panic that can occur when starting audio streaming
Devin Heitmueller [Thu, 15 Oct 2009 04:14:34 +0000 (01:14 -0300)]
V4L/DVB (13190): em28xx: fix panic that can occur when starting audio streaming

commit 96fbf771d86a90ff006bc62ca4d4de6474b3de31 upstream.

Because the counters were not reset when starting up streaming, they would
be reused from the previous run.  This can result in cases such that when the
second instance of streaming starts up, the "cnt" variable in
em28xx_audio_isocirq() can end up being negative, resulting in attempting to
write to memory before the start of runtime->dma_area (as well as having a
negative number of bytes to copy).

Signed-off-by: Devin Heitmueller <dheitmueller@kernellabs.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Michael Krufky <mkrufky@kernellabs.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoV4L/DVB (13107): tda18271: fix overflow in FM radio frequency calculation
Michael Krufky [Sun, 27 Sep 2009 17:05:12 +0000 (14:05 -0300)]
V4L/DVB (13107): tda18271: fix overflow in FM radio frequency calculation

commit 4d8317876d5f53ef792e90f89d8f162d7bca5c81 upstream.

Multiplication by 62500 causes an overflow in the 32 bit freq variable,
which is later divided by 1000 when using FM radio.

This patch prevents the overflow by scaling the frequency value correctly
upfront.  Thanks to Henk Vergonet for spotting the problem and providing
a preliminary patch, which this changeset was based upon.

Cc: Henk Vergonet <Henk.Vergonet@gmail.com>
Signed-off-by: Michael Krufky <mkrufky@kernellabs.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoV4L/DVB (13109): tda18271: fix signedness issue in tda18271_rf_tracking_filters_init
Seth Barry [Sun, 27 Sep 2009 19:42:29 +0000 (16:42 -0300)]
V4L/DVB (13109): tda18271: fix signedness issue in tda18271_rf_tracking_filters_init

commit a57c1dcb93e43357ed3f666e5a2b5d5071dd3930 upstream.

While having tda18271 module set with debug=17 (cal & info prints) and
cal=0 (delay calibration process until first use) - I discovered that
during the calibration process, if the frequency test for 69750000
returned a bcal of 0 (see tda18721-fe.c in tda18271_powerscan func) that
the tuner wouldn't be able to pickup any of the frequencies in the range
(all the other frequencies bands returned bcal=1).  I spent some time
going over the code and the NXP's tda18271 spec (ver.4 of it i think) and
adding a lot of debug prints and walking/stepping through the calibration
process.  I found that when the powerscan fails to find a frequency, the
rf calibration is not run and the default value is supposed to be used in
its place (pulled from the RF_CAL_map table) - but something was getting
goofed up there.

Now, my c coding skills are very rusty, but i think root of the problem is
a signedness issue with the math operation for calculating the rf_a1 and
rf_a2 values in tda18271_rf_tracking_filters_init func, which results in
values like 20648 for rf_a1 (when it should probably have a value like 0,
or so slightly negative that it should be zero - this bad value for rf_a1
would in turn makes the approx calc within
tda18271c2_rf_tracking_filters_correction go out of whack).  The simplest
solution i found was to explicitly convert the signedness of the
denominator to avoid the implicit conversion.  The values placed into the
u32 rf_freq array should never exceed about 900mhz, so i think the s32 max
value shouldn't be an issue in this case.

I've tested it out a little, and even when i get a bcal=0 with the
modified code, the default calibration value gets used, rf_a1 is zero, and
the tuner seems to lock on the stream and mythtv seems to play it fine.

Signed-off-by: Seth Barry <seth@cyberseth.com>
Signed-off-by: Michael Krufky <mkrufky@kernellabs.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoV4L/DVB (13170): bttv: Fix reversed polarity error when switching video standard
Mike Isely [Mon, 21 Sep 2009 15:42:22 +0000 (12:42 -0300)]
V4L/DVB (13170): bttv: Fix reversed polarity error when switching video standard

commit 2de26c0a4a218a351bb1970eeaddf2905b47ff13 upstream.

The bttv driver function which handles switching of the video standard
(set_tvnorm() in bttv-driver.c) includes a check which can optionally
also reset the cropping configuration to a default value.  It is
"optional" based on a comparison of the cropcap parameters of the
previous vs the newly requested video standard.  The comparison is
being done with a memcmp(), a function which only returns a true value
if the comparison actually fails.

This if-statement appears to have been written to assume wrong
memcmp() semantics.  That is, it was re-initializing the cropping
configuration only if the new video standard did NOT have different
cropcap values.  That doesn't make any sense.  One definitely should
reset things if the cropcap parameters are different - if there's any
comparison to made at all.

The effect of this problem was that a transition from, say, PAL to
NTSC would leave in place old cropping setup that made sense for the
PAL geometry but not for NTSC.  If the application doesn't care about
cropping it also won't try to reset the cropping configuration,
resulting in an improperly cropped video frame.  In the case I was
testing this actually caused black video frames to be displayed.

Another interesting effect of this bug is that if one does something
which does NOT change the video standard and this function is run,
then the cropping setup gets reset anyway - again because of the
backwards comparison.  It turns out that just running anything which
merely opens and closes the video device node (e.g. v4l-info) will
cause this to happen.  One can argue that simply opening the device
node and not doing anything to it should not mess with any of its
state - but because of this behavior, any TV app which does such
things (e.g. xawtv) probably therefore doesn't see the problem.

The solution is to fix the sense of the if-statement.  It's easy to
see how this mistake could have been made given how memcmp() works.
The patch is therefore removal of a single "!" character from the
if-statement in set_tvnorm in bttv-driver.c.

Signed-off-by: Mike Isely <isely@pobox.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Michael Krufky <mkrufky@kernellabs.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoV4L/DVB (13169): bttv: Fix potential out-of-order field processing
Mike Isely [Mon, 21 Sep 2009 15:09:08 +0000 (12:09 -0300)]
V4L/DVB (13169): bttv: Fix potential out-of-order field processing

commit 66349b4e7ab3825dbfc167a5f0309792a587adb7 upstream.

There is a subtle interaction in the bttv driver which can result in
fields being repeatedly processed out of order.  This is a problem
specifically when running in V4L2_FIELD_ALTERNATE mode (probably the
most common case).

1. The determination of which fields are associated with which buffers
happens in videobuf, before the bttv driver gets a chance to queue the
corresponding DMA.  Thus by the point when the DMA is queued for a
given buffer, the algorithm has to do the queuing based on the
buffer's already assigned field type - not based on which field is
"next" in the video stream.

2. The driver normally tries to queue both the top and bottom fields
at the same time (see bttv_irq_next_video()).  It tries to sort out
top vs bottom by looking at the field type for the next 2 available
buffers and assigning them appropriately.

3. However the bttv driver *always* actually processes the top field
first.  There's even an interrupt set aside for specifically
recognizing when the top field has been processed so that it can be
marked done even while the bottom field is still being DMAed.

Given all of the above, if one gets into a situation where
bttv_irq_next_video() gets entered when the first available buffer has
been pre-associated as a bottom field, then the function is going to
process the buffers out of order.  That first available buffer will be
put into the bottom field slot and the buffer after that will be put
into the top field slot.  Problem is, since the top field is always
processed first by the driver, then that second buffer (the one after
the first available buffer) will be the first one to be finished.
Because of the strict fifo handling of all video buffers, then that
top field won't be seen by the app until after the bottom field is
also processed.  Worse still, the app will get back the
chronologically later bottom field first, *before* the top field is
received.  The buffer's timestamps will even be backwards.

While not fatal to most TV apps, this behavior can subtlely degrade
userspace deinterlacing (probably will cause jitter).  That's probably
why it has gone unnoticed.  But it will also cause serious problems if
the app in question discards all but the latest received buffer (a
latency minimizing tactic) - causing one field to only ever be
displayed since the other is now always late.  Unfortunately once you
get into this state, you're stuck this way - because having consumed
two buffers, now the next time around the "first" available buffer
will again be a bottom field and the same thing happens.

How can we get into this state?  In a perfect world, where there's
always a few free buffers queued to the driver, it should be
impossible.  However if something disrupts streaming, e.g. if the
userspace app can't queue free buffers fast enough for a moment due
perhaps to a CPU scheduling glitch, then the driver can get
momentarily starved and some number of fields will be dropped.  That's
OK.  But if an odd number of fields get dropped, then that "first"
available buffer might be the bottom field and now we're stuck...

This patch fixes that problem by deliberately only setting up a single
field for one frame if we don't get a top field as the first available
buffer.  By purposely skipping the other field, then we only handle a
single buffer thus bringing things back into proper sync (i.e. top
field first) for the next frame.  To do this we just drop the few
lines in bttv_irq_next_video() that attempt to set up the second
buffer when that second buffer isn't for the bottom field.

This is definitely a problem in when in V4L2_FIELD_ALTERNATE mode.  In
the other modes this change either has no effect or doesn't harm
things any further anyway.

Signed-off-by: Mike Isely <isely@pobox.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Michael Krufky <mkrufky@kernellabs.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agokmap: fix build errors with DEBUG_HIGHMEM enabled
Russell King [Wed, 18 Nov 2009 18:03:19 +0000 (18:03 +0000)]
kmap: fix build errors with DEBUG_HIGHMEM enabled

commit 4ff1fa278b0bd1b2dd3c42efc0cb86788ffe05d5 upstream.

d451564 broke ARM by requiring KM_IRQ_PTE, KM_NMI and KM_NMI_PTE to
always be defined.  Solve this by providing invalid definitions for
these constants, but only if CONFIG_DEBUG_HIGHMEM is enabled.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agopowerpc: Fix DEBUG_HIGHMEM build break from d4515646699
Becky Bruce [Mon, 23 Nov 2009 12:28:53 +0000 (12:28 +0000)]
powerpc: Fix DEBUG_HIGHMEM build break from d4515646699

commit e8105903d78c81119754a42926951d9d17e191ba upstream.

Code was added to mm/higmem.c that depends on several
kmap types that powerpc does not support.  We add dummy
invalid definitions for KM_NMI, KM_NM_PTE, and KM_IRQ_PTE.

According to list discussion, this fix should not be needed
anymore starting with 2.6.33.  The code is commented to this
effect so hopefully we will remember to remove this.

Signed-off-by: Becky Bruce <beckyb@kernel.crashing.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agohighmem: Fix debug_kmap_atomic() to also handle KM_IRQ_PTE, KM_NMI, and KM_NMI_PTE
Soeren Sandmann [Wed, 28 Oct 2009 17:56:35 +0000 (18:56 +0100)]
highmem: Fix debug_kmap_atomic() to also handle KM_IRQ_PTE, KM_NMI, and KM_NMI_PTE

commit d4515646699b6ad7b1a98ceb871296b957f3ef47 upstream.

Previously calling debug_kmap_atomic() with these types would
cause spurious warnings.

(triggered by SysProf using perf events)

Signed-off-by: Soeren Sandmann Pedersen <sandmann@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: a.p.zijlstra@chello.nl
LKML-Reference: <ye8vdhz8krw.fsf@camel23.daimi.au.dk>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agohighmem: Fix race in debug_kmap_atomic() which could cause warn_count to underflow
Soeren Sandmann [Wed, 28 Oct 2009 17:55:36 +0000 (18:55 +0100)]
highmem: Fix race in debug_kmap_atomic() which could cause warn_count to underflow

commit 5ebd4c22897dce65845807a9bd3a31cc4e142b53 upstream.

debug_kmap_atomic() tries to prevent ever printing more than 10
warnings, but it does so by testing whether an unsigned integer
is equal to 0. However, if the warning is caused by a nested
IRQ, then this counter may underflow and the stream of warnings
will never end.

Fix that by using a signed integer instead.

Signed-off-by: Soeren Sandmann Pedersen <sandmann@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: a.p.zijlstra@chello.nl
LKML-Reference: <ye8zl7b8ktj.fsf@camel23.daimi.au.dk>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosound: rawmidi: fix MIDI device O_APPEND error handling
Clemens Ladisch [Wed, 21 Oct 2009 07:11:43 +0000 (09:11 +0200)]
sound: rawmidi: fix MIDI device O_APPEND error handling

commit b7fe750fcceda4fa6bef399b0e2812562728ea82 upstream.

Commit 9a1b64caac82aa02cb74587ffc798e6f42c6170a in 2.6.30 broke the
error handling code in rawmidi_open_priv().

If only the output substream of a RawMIDI device has been opened and
if this device is then opened with O_RDWR | O_APPEND and if the
initialization of the input substream fails (either because of low
memory or because the device driver's open callback fails), then the
runtime structure of the already open output substream will be freed
and all following writes through the first handle will cause
snd_rawmidi_write() to use the NULL runtime pointer.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosound: rawmidi: fix double init when opening MIDI device with O_APPEND
Clemens Ladisch [Wed, 21 Oct 2009 07:09:38 +0000 (09:09 +0200)]
sound: rawmidi: fix double init when opening MIDI device with O_APPEND

commit 8579d2d7779d7ff41ea2a0183015e0e5038f1043 upstream.

Commit 9a1b64caac82aa02cb74587ffc798e6f42c6170a in 2.6.30 moved the
substream initialization code to where it would be executed every time
the substream is opened.

This had the consequence that any further opening would drop and leak
the data in the existing buffer, and that the device driver's open
callback would be called multiple times, unexpectedly.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosound: rawmidi: fix checking of O_APPEND when opening MIDI device
Clemens Ladisch [Wed, 21 Oct 2009 07:10:16 +0000 (09:10 +0200)]
sound: rawmidi: fix checking of O_APPEND when opening MIDI device

commit 16fb109644b5644e42ececeff644514de6f4bd03 upstream.

Commit 9a1b64caac82aa02cb74587ffc798e6f42c6170a in 2.6.30 dropped the
check that a substream must already have been opened with O_APPEND to be
able to open it a second time.

This would make it possible for a substream to be switched to append
mode, which would mean that non-atomic writes would fail unexpectedly.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agosound: rawmidi: disable active-sensing-on-close by default
Clemens Ladisch [Mon, 13 Jul 2009 11:52:46 +0000 (13:52 +0200)]
sound: rawmidi: disable active-sensing-on-close by default

commit 2d4b842014dc76a81abced47ef27177eedb9deba upstream.

Sending an Active Sensing message when closing a port can interfere with
the following data if the port is reopened and a note-on is sent before
the device's timeout has elapsed.  Therefore, it is better to disable
this setting by default.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
14 years agojffs2: Fix memory corruption in jffs2_read_inode_range()
David Woodhouse [Mon, 30 Nov 2009 09:06:40 +0000 (09:06 +0000)]
jffs2: Fix memory corruption in jffs2_read_inode_range()

commit 199bc9ff5ca5e4b3bcaff8927b2983c65f34c263 upstream.

In 2.6.23 kernel, commit a32ea1e1f925399e0d81ca3f7394a44a6dafa12c
("Fix read/truncate race") fixed a race in the generic code, and as a
side effect, now do_generic_file_read() can ask us to readpage() past
the i_size. This seems to be correctly handled by the block routines
(e.g. block_read_full_page() fills the page with zeroes in case if
somebody is trying to read past the last inode's block).

JFFS2 doesn't handle this; it assumes that it won't be asked to read
pages which don't exist -- and thus that there will be at least _one_
valid 'frag' on the page it's being asked to read. It will fill any
holes with the following memset:

  memset(buf, 0, min(end, frag->ofs + frag->size) - offset);

When the 'closest smaller match' returned by jffs2_lookup_node_frag() is
actually on a previous page and ends before 'offset', that results in:

  memset(buf, 0, <huge unsigned negative>);

Hopefully, in most cases the corruption is fatal, and quickly causing
random oopses, like this:

  root@10.0.0.4:~/ltp-fs-20090531# ./testcases/kernel/fs/ftest/ftest01
  Unable to handle kernel paging request for data at address 0x00000008
  Faulting instruction address: 0xc01cd980
  Oops: Kernel access of bad area, sig: 11 [#1]
  [...]
  NIP [c01cd980] rb_insert_color+0x38/0x184
  LR [c0043978] enqueue_hrtimer+0x88/0xc4
  Call Trace:
  [c6c63b60] [c004f9a8] tick_sched_timer+0xa0/0xe4 (unreliable)
  [c6c63b80] [c0043978] enqueue_hrtimer+0x88/0xc4
  [c6c63b90] [c0043a48] __run_hrtimer+0x94/0xbc
  [c6c63bb0] [c0044628] hrtimer_interrupt+0x140/0x2b8
  [c6c63c10] [c000f8e8] timer_interrupt+0x13c/0x254
  [c6c63c30] [c001352c] ret_from_except+0x0/0x14
  --- Exception: 901 at memset+0x38/0x5c
      LR = jffs2_read_inode_range+0x144/0x17c
  [c6c63cf0] [00000000] (null) (unreliable)

This patch fixes the issue, plus fixes all LTP tests on NAND/UBI with
JFFS2 filesystem that were failing since 2.6.23 (seems like the bug
above also broke the truncation).

Reported-By: Anton Vorontsov <avorontsov@ru.mvista.com>
Tested-By: Anton Vorontsov <avorontsov@ru.mvista.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoALSA: AACI: fix recording bug
Russell King [Sun, 29 Nov 2009 16:39:59 +0000 (16:39 +0000)]
ALSA: AACI: fix recording bug

commit 8ee763b9c82c6ca0a59a7271ce4fa29d7baf5c09 upstream.

pcm->r[1].slots is the double rate slot information, not the
capture information.  For capture, 'pcm' will already be the
capture ac97 pcm structure.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoALSA: AACI: fix AC97 multiple-open bug
Russell King [Sun, 29 Nov 2009 16:39:52 +0000 (16:39 +0000)]
ALSA: AACI: fix AC97 multiple-open bug

commit 4acd57c3de62374fe5bb52e5cd24538190f4eab2 upstream.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoALSA: hda - Dell Studio 1557 hd-audio quirk
Daniel J Blueman [Sat, 14 Nov 2009 18:20:04 +0000 (18:20 +0000)]
ALSA: hda - Dell Studio 1557 hd-audio quirk

commit 8ef5837a47f73faee18fa7ce2f9a9eb7675be8de upstream.

Add the Dell Studio 15 (model 1557, Core i7) laptop to the hd-audio
quirk list, enabling audio.

Signed-off-by: Daniel J Blueman <daniel.blueman@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoALSA: usb-audio: fix combine_word problem
Julian Anastasov [Fri, 6 Nov 2009 21:44:53 +0000 (23:44 +0200)]
ALSA: usb-audio: fix combine_word problem

commit f495088210c8b9e20791d995a8210170c68d2deb upstream.

Fix combine_word problem where first octet is not
read properly. The only affected place seems to be the
INPUT_TERMINAL type. Before now, sound controls can be created
with the output terminal's name which is a fallback mechanism
used only for unknown input terminal types. For example,
Line can wrongly appear as Speaker. After the change it
should appear as Line.

The side effect of this change can be that users
can expect the wrong control name in their scripts or
programs while now we return the correct one.

Probably, these defines should use get_unaligned_le16 and
friends.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agomd/raid1/raid10: add a cond_resched
NeilBrown [Fri, 16 Oct 2009 04:55:32 +0000 (15:55 +1100)]
md/raid1/raid10: add a cond_resched

commit 1d9d52416c0445019ccc1f0fddb9a227456eb61b upstream.

During 'check' of a raid1 or raid10 it is possible for the management
thread to spend a lot of time running 'memcmp' on blocks from
different devices, so make sure the thread has a chance to schedule.
raid5d already has a cond_resched (in process_stripe).

Reported-By: Lee Howard <faxguy@howardsilvan.com>
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agomd/raid5: make sure curr_sync_completes is uptodate when reshape starts
NeilBrown [Fri, 6 Nov 2009 03:59:29 +0000 (14:59 +1100)]
md/raid5: make sure curr_sync_completes is uptodate when reshape starts

commit 8dee7211467a56b7eb4e4359efb0aa4a72e1b6f3 upstream.

This value is visible through sysfs and is used by mdadm
when it manages a reshape (backing up data that is about to be
rearranged).  So it is important that it is always correct.
Current it does not get updated properly when a reshape
starts which can cause problems when assembling an array
that is in the middle of being reshaped.

This is suitable for 2.6.31.y stable kernels.

Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agomd: don't clear endpoint for resync when resync is interrupted.
NeilBrown [Fri, 6 Nov 2009 03:59:27 +0000 (14:59 +1100)]
md: don't clear endpoint for resync when resync is interrupted.

commit 24395a85d8efe6eee477ea35c73d045a8dd7a3a1 upstream.

If a 'sync_max' has been set (via sysfs), it is wrong to clear it
until a resync (or reshape or recovery ...) actually reached that
point.
So if a resync is interrupted (e.g. by device failure),
leave 'resync_max' unchanged.

This is particularly important for 'reshape' operations that do not
change the size of the array.  For such operations mdadm needs to
monitor the reshape taking rolling backups of the section being
reshaped.  If resync_max gets cleared, the reshape can get ahead of
mdadm and then the backups that mdadm creates are useless.

This is suitable for 2.6.31.y stable kernels.

Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agortl8187: Fix kernel oops when device is removed when LEDS enabled
Larry Finger [Wed, 4 Nov 2009 06:00:25 +0000 (00:00 -0600)]
rtl8187: Fix kernel oops when device is removed when LEDS enabled

commit 37b12dd2b07b4d7dc222a5f7f88b25cec532b2aa upstream.

As reported by Rick Farina (sidhayn@gmail.com), removing the RTL8187
USB stick, or unloading the driver rtl8187 using rmmod will cause a
kernel oops.  There are at least two forms of the failure, (1) BUG:
Scheduling while atomic, and (2) a fatal kernel page fault. This
problem is reported in Bugzilla #14539.

This problem does not occur for kernel 2.6.31, but does for 2.6.32-rc2,
thus it is technically a regression; however, bisection did not locate
any faulty patch. The fix was found by comparing the faulty code in
rtl8187 with p54usb.  My interpretation is that the handling of work
queues in mac80211 changed enough to the LEDs to be unregistered
before tasks on the work queues are cancelled. Previously, these
actions could be done in either order.

(Herton Ronaldo Krzesinski <herton@mandriva.com.br> reports that the
code is the same in 2.6.31, so this may be a candidate for 2.6.31.x.
-- JWL)

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Reported-by: Rick Farina <sidhayn@gmail.com>
Tested-by: Rick Farina <sidhayn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agogdth: Prevent negative offsets in ioctl CVE-2009-3080
Dave Jones [Mon, 19 Oct 2009 23:55:13 +0000 (19:55 -0400)]
gdth: Prevent negative offsets in ioctl CVE-2009-3080

commit 690e744869f3262855b83b4fb59199cf142765b0 upstream.

A negative offset could be used to index before the event buffer and
lead to a security breach.

Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoCIFS: Duplicate data on appending to some Samba servers
Steve French [Tue, 24 Nov 2009 22:49:37 +0000 (22:49 +0000)]
CIFS: Duplicate data on appending to some Samba servers

commit cea62343956c24452700c06cf028b72414c58a74 upstream.

SMB writes are sent with a starting offset and length. When the server
supports the newer SMB trans2 posix open (rather than using the SMB
NTCreateX) a file can be opened with SMB_O_APPEND flag, and for that
case Samba server assumes that the offset sent in SMBWriteX is unneeded
since the write should go to the end of the file - which can cause
problems if the write was cached (since the beginning part of a
page could be written twice by the client mm).  Jeff suggested that
masking the flag on posix open on the client is easiest for the time
being. Note that recent Samba server also had an unrelated problem with
SMB NTCreateX and append (see samba bugzilla bug number 6898) which
should not affect current Linux clients (unless cifs Unix Extensions
are disabled).

The cifs client did not send the O_APPEND flag on posix open
before 2.6.29 so the fix is unneeded on early kernels.

In the future, for the non-cached case (O_DIRECT, and forcedirectio mounts)
it would be possible and useful to send O_APPEND on posix open (for Windows
case: FILE_APPEND_DATA but not FILE_WRITE_DATA on SMB NTCreateX) but for
cached writes although the vfs sets the offset to end of file it
may fragment a write across pages - so we can't send O_APPEND on
open (could result in sending part of a page twice).

Reviewed-by: Shirish Pargaonkar <shirishp@us.ibm.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agoCIFS: fix oops in cifs_lookup during net boot
Steve French [Tue, 24 Nov 2009 22:17:59 +0000 (22:17 +0000)]
CIFS: fix oops in cifs_lookup during net boot

commit 8e6c0332d5032aef2d3bc8f41771f999112c8c66 upstream.

Fixes bugzilla.kernel.org bug number 14641

Lookup called during network boot (network root filesystem
for diskless workstation) has case where nd is null in
lookup.  This patch fixes that in cifs_lookup.

(Shirish noted that 2.6.30 and 2.6.31 stable need the same check)

Signed-off-by: Shirish Pargaonkar <shirishp@us.ibm.com>
Acked-by: Jeff Layton <jlayton@redhat.com>
Tested-by: Vladimir Stavrinov <vs@inist.ru>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agocifs: clear server inode number flag while autodisabling
Suresh Jayaraman [Mon, 16 Nov 2009 06:33:16 +0000 (12:03 +0530)]
cifs: clear server inode number flag while autodisabling

commit f534dc994397560343be4a3223b9bbaa8e739e1f upstream.

Fix the commit ec06aedd44 that intended to turn off querying for server inode
numbers when server doesn't consistently support inode numbers. Presumably
the commit didn't actually clear the CIFS_MOUNT_SERVER_INUM flag, perhaps a
typo.

Signed-off-by: Suresh Jayaraman <sjayaraman@suse.de>
Acked-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agocifs: clean up handling when server doesn't consistently support inode numbers
Jeff Layton [Fri, 6 Nov 2009 19:18:29 +0000 (14:18 -0500)]
cifs: clean up handling when server doesn't consistently support inode numbers

commit ec06aedd44541129840ed52e6165afa3796a27bf upstream.

It's possible that a server will return a valid FileID when we query the
FILE_INTERNAL_INFO for the root inode, but then zeroed out inode numbers
when we do a FindFile with an infolevel of
SMB_FIND_FILE_ID_FULL_DIR_INFO.

In this situation turn off querying for server inode numbers, generate a
warning for the user and just generate an inode number using iunique.
Once we generate any inode number with iunique we can no longer use any
server inode numbers or we risk collisions, so ensure that we don't do
that in cifs_get_inode_info either.

Reported-by: Timothy Normand Miller <theosib@gmail.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agocifs: don't use CIFSGetSrvInodeNumber in is_path_accessible
Jeff Layton [Fri, 6 Nov 2009 19:18:49 +0000 (14:18 -0500)]
cifs: don't use CIFSGetSrvInodeNumber in is_path_accessible

commit f475f6775465283494346663f201ad04810d2e8a upstream.

Because it's lighter weight, CIFS tries to use CIFSGetSrvInodeNumber to
verify the accessibility of the root inode and then falls back to doing a
full QPathInfo if that fails with -EOPNOTSUPP. I have at least a report
of a server that returns NT_STATUS_INTERNAL_ERROR rather than something
that translates to EOPNOTSUPP.

Rather than trying to be clever with that call, just have
is_path_accessible do a normal QPathInfo. That call is widely
supported and it shouldn't increase the overhead significantly.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
14 years agonilfs2: fix kernel oops in error case of nilfs_ioctl_move_blocks
Ryusuke Konishi [Sat, 7 Nov 2009 09:45:16 +0000 (18:45 +0900)]
nilfs2: fix kernel oops in error case of nilfs_ioctl_move_blocks

commit 5399dd1fc8f5e812db931225ef5f67d89f3b1a56 upstream.

This fixes a kernel oops reported by Markus Trippelsdorf in the email
titled "[NILFS users] kernel Oops while running nilfs_cleanerd".

The oops was caused by a bug of error path in
nilfs_ioctl_move_blocks() function, which was inlined in
nilfs_ioctl_clean_segments().

nilfs_ioctl_move_blocks checks duplication of blocks which will be
moved in garbage collection.  But, the check should have be done
within nilfs_ioctl_move_inode_block() to prevent list corruption among
buffers storing the target blocks.

To fix the kernel oops, this moves forward the duplication check
before the list insertion.

I also tested this for stable trees [2.6.30, 2.6.31].

Reported-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agoLinux 2.6.31.6 v2.6.31.6
Greg Kroah-Hartman [Tue, 10 Nov 2009 00:32:31 +0000 (16:32 -0800)]
Linux 2.6.31.6

15 years agoPM / yenta: Split resume into early and late parts (rev. 4)
Rafael J. Wysocki [Tue, 3 Nov 2009 09:54:58 +0000 (10:54 +0100)]
PM / yenta: Split resume into early and late parts (rev. 4)

commit 9905d1b411946fb3fb228e8c6529fd94afda8a92 upstream.

Commit 0c570cdeb8fdfcb354a3e9cd81bfc6a09c19de0c
(PM / yenta: Fix cardbus suspend/resume regression) caused resume to
fail on systems with two CardBus bridges.  While the exact nature
of the failure is not known at the moment, it can be worked around by
splitting the yenta resume into an early part, executed during the
early phase of resume, that will only resume the socket and power it
up if there was a card in it during suspend, and a late part,
executed during "regular" resume, that will carry out all of the
remaining yenta resume operations.

Fixes http://bugzilla.kernel.org/show_bug.cgi?id=14334, which is a
listed regression from 2.6.31.

Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Acked-by: Dominik Brodowski <linux@dominikbrodowski.net>
Reported-by: Stephen J. Gowdy <gowdy@cern.ch>
Tested-by: Jose Marino <braket@hotmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agopata_via: extend the rev_max for VT6330
JosephChan@via.com.tw [Fri, 16 Oct 2009 07:45:23 +0000 (15:45 +0800)]
pata_via: extend the rev_max for VT6330

commit 7d948b1114c7eded14e5a31f440af751d70ecde0 upstream.

Fix the VT6330 issue, it's because the rev_max of VT6330 exceeds 0x2f.
The VT6415 and VT6330 share the same device ID.

Signed-off-by: Joseph Chan <josephchan@via.com.tw>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agosata_via: Remove redundant device ID for VIA VT8261
JosephChan@via.com.tw [Mon, 2 Nov 2009 11:36:08 +0000 (19:36 +0800)]
sata_via: Remove redundant device ID for VIA VT8261

commit f38e35b43f2924b3b4e51147b7193f32e9276db4 upstream.

Just remove redundant device ID for VIA VT8261.
The device ID 0x9000 and 0x9040 are redundant (for VT8261).
The 0x9040 is reserved for other usage.

Signed-off-by: Joseph Chan <josephchan@via.com.tw>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agopowerpc: Fix some late PowerMac G5 with PCIe ATI graphics
Benjamin Herrenschmidt [Mon, 31 Aug 2009 21:34:36 +0000 (21:34 +0000)]
powerpc: Fix some late PowerMac G5 with PCIe ATI graphics

commit cede3930f0ca6fef353fa01306c72a01420bd45e upstream.

A misconfiguration by the firmware of the U4 PCIe bridge on PowerMac G5
with the U4 bridge (latest generations, may also affect the iMac G5
"iSight") is causing us to re-assign the PCI BARs of the video card,
which can get it out of sync with the firmware, thus breaking offb.

This works around it by fixing up the bridge configuration properly
at boot time. It also fixes a bug where the firmware provides us with
an incorrect set of accessible regions in the device-tree.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agopowerpc/pci: Fix regression in powerpc MSI-X
Andre Detsch [Wed, 4 Nov 2009 15:03:19 +0000 (13:03 -0200)]
powerpc/pci: Fix regression in powerpc MSI-X

commit 8435b027b87a78145992c37b0b8ed0f1b7761bf0 upstream.

Patch f598282f5145036312d90875d0ed5c14b49fd8a7 exposed a problem in
powerpc MSI-X functionality, making network interfaces such as ixgbe
and cxgb3 stop to work when MSI-X is enabled. RX interrupts were not
being generated.

The problem was caused because MSI irq was not being effectively
unmasked after device initialization.

Signed-off-by: Andre Detsch <adetsch@br.ibm.com>
Signed-off-by: Michael Ellerman <michael@ellerman.id.au>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agopowerpc/pmac: Fix issues with sleep on some powerbooks
Benjamin Herrenschmidt [Fri, 9 Oct 2009 11:27:54 +0000 (11:27 +0000)]
powerpc/pmac: Fix issues with sleep on some powerbooks

commit 11a50873ef2b3c1c3fe99a661c22c08f35d93553 upstream.

Since the change of how interrupts are disabled during suspend,
certain PowerBook models started exhibiting various issues during
suspend or resume from sleep.

I finally tracked it down to the code that runs various "platform"
functions (kind of little scripts extracted from the device-tree),
which uses our i2c and PMU drivers expecting interrutps to work,
and at a time where with the new scheme, they have been disabled.

This causes timeouts internally which for some reason results in
the PMU being unable to see the trackpad, among other issues, really
it depends on the machine. Most of the time, we fail to properly adjust
some clocks for suspend/resume so the results are not always
predictable.

This patch fixes it by using IRQF_TIMER for both the PMU and the I2C
interrupts. I prefer doing it this way than moving the call sites since
I really want those platform functions to still be called after all
drivers (and before sysdevs).

We also do a slight cleanup to via-pmu.c driver to make sure the
ADB autopoll mask is handled correctly when doing bus resets

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agopowerpc/pmac: Fix PowerSurge SMP IPI allocation
Benjamin Herrenschmidt [Tue, 14 Jul 2009 20:56:58 +0000 (20:56 +0000)]
powerpc/pmac: Fix PowerSurge SMP IPI allocation

commit 527b3639616b21c257518ee7c26fbf05232db0c0 upstream.

The code for setting up the IPIs for SMP PowerSurge marchines bitrot,
it needs to properly map the HW interrupt number

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agoKVM: Prevent kvm_init from corrupting debugfs structures
Darrick J. Wong [Fri, 6 Nov 2009 14:00:51 +0000 (12:00 -0200)]
KVM: Prevent kvm_init from corrupting debugfs structures

commit: 0ea4ed8e948c30f88c824c973ee4b9529015fe65 upstream

I'm seeing an oops condition when kvm-intel and kvm-amd are modprobe'd
during boot (say on an Intel system) and then rmmod'd:

   # modprobe kvm-intel
     kvm_init()
     kvm_init_debug()
     kvm_arch_init()  <-- stores debugfs dentries internally
     (success, etc)

   # modprobe kvm-amd
     kvm_init()
     kvm_init_debug() <-- second initialization clobbers kvm's
                          internal pointers to dentries
     kvm_arch_init()
     kvm_exit_debug() <-- and frees them

   # rmmod kvm-intel
     kvm_exit()
     kvm_exit_debug() <-- double free of debugfs files!

     *BOOM*

If execution gets to the end of kvm_init(), then the calling module has been
established as the kvm provider.  Move the debugfs initialization to the end of
the function, and remove the now-unnecessary call to kvm_exit_debug() from the
error path.  That way we avoid trampling on the debugfs entries and freeing
them twice.

Signed-off-by: Darrick J. Wong <djwong@us.ibm.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agox86/amd-iommu: Un__init function required on shutdown
Joerg Roedel [Wed, 28 Oct 2009 17:02:26 +0000 (18:02 +0100)]
x86/amd-iommu: Un__init function required on shutdown

commit ca0207114f1708b563f510b7781a360ec5b98359 upstream.

The function iommu_feature_disable is required on system
shutdown to disable the IOMMU but it is marked as __init.
This may result in a panic if the memory is reused. This
patch fixes this bug.

Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agoiwlwifi: reduce noise when skb allocation fails
Reinette Chatre [Thu, 17 Sep 2009 17:43:56 +0000 (10:43 -0700)]
iwlwifi: reduce noise when skb allocation fails

commit f82a924cc88a5541df1d4b9d38a0968cd077a051 upstream.

Replenishment of receive buffers is done in the tasklet handling
received frames as well as in a workqueue. When we are in the tasklet
we cannot sleep and thus attempt atomic skb allocations. It is generally
not a big problem if this fails since iwl_rx_allocate is always followed
by a call to iwl_rx_queue_restock which will queue the work to replenish
the buffers at a time when sleeping is allowed.

We thus add the __GFP_NOWARN to the skb allocation in iwl_rx_allocate to
reduce the noise if such an allocation fails while we still have enough
buffers. We do maintain the warning and the error message when we are low
on buffers to communicate to the user that there is a potential problem with
memory availability on system

This addresses issue reported upstream in thread "iwlagn: order 2 page
allocation failures" in
http://thread.gmane.org/gmane.linux.kernel.wireless.general/39187

Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Acked-by: Mel Gorman <mel@csn.ul.ie>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agoiwlwifi: fix potential rx buffer loss
Reinette Chatre [Fri, 11 Sep 2009 17:38:12 +0000 (10:38 -0700)]
iwlwifi: fix potential rx buffer loss

commit de0bd50845eb5935ce3d503c5d2f565d6cb9ece1 upstream.

RX handling maintains a few lists that keep track of the RX buffers.
Buffers move from one list to the other as they are used, replenished, and
again made available for usage. In one such instance, when a buffer is used
it enters the "rx_used" list. When buffers are replenished an skb is
attached to the buffer and it is moved to the "rx_free" list. The problem
here is that the buffer is first removed from the "rx_used" list _before_ the
skb is allocated. Thus, if the skb allocation fails this buffer remains
removed from the "rx_used" list and is thus lost for future usage.

Fix this by first allocating the skb before trying to attach it to a list.
We add an additional check to not do this unnecessarily.

Reported-by: Rick Farrington <rickdic@hotmail.com>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agox86: mce: Fix thermal throttling message storm
Ingo Molnar [Tue, 22 Sep 2009 13:50:24 +0000 (15:50 +0200)]
x86: mce: Fix thermal throttling message storm

commit b417c9fd8690637f0c91479435ab3e2bf450c038 upstream.

If a system switches back and forth between hot and cold mode,
the MCE code will print a stream of critical kernel messages.

Extend the throttling code to properly notice this, by
only printing the first hot + cold transition and omitting
the rest up to CHECK_INTERVAL (5 minutes).

This way we'll only get a single incident of:

 [  102.356584] CPU0: Temperature above threshold, cpu clock throttled (total events = 1)
 [  102.357000] Disabling lock debugging due to kernel taint
 [  102.369223] CPU0: Temperature/speed normal

Every 5 minutes. The 'total events' count tells the number of cold/hot
transitions detected, should overheating occur after 5 minutes again:

[  402.357580] CPU0: Temperature above threshold, cpu clock throttled (total events = 24891)
[  402.358001] CPU0: Temperature/speed normal
[  450.704142] Machine check events logged

Cc: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Cc: Huang Ying <ying.huang@intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
LKML-Reference: <new-submission>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agox86: mce: Clean up thermal throttling state tracking code
Ingo Molnar [Tue, 22 Sep 2009 13:50:24 +0000 (15:50 +0200)]
x86: mce: Clean up thermal throttling state tracking code

commit 3967684006f30c253bc6d4a6604d1bad4a7fc672 upstream.

Instead of a mess of three separate percpu variables, consolidate
the state into a single structure.

Also clean up therm_throt_process(), use cleaner and more
understandable variable names and a clearer logic.

This, without changing the logic, makes the code more
streamlined, more readable and smaller as well:

   text    data     bss     dec     hex filename
   1487     169       4    1660     67c therm_throt.o.before
   1432     176       4    1612     64c therm_throt.o.after

Cc: Hidetoshi Seto <seto.hidetoshi@jp.fujitsu.com>
Cc: Huang Ying <ying.huang@intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
LKML-Reference: <new-submission>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agovmscan: limit VM_EXEC protection to file pages
Wu Fengguang [Mon, 26 Oct 2009 23:49:53 +0000 (16:49 -0700)]
vmscan: limit VM_EXEC protection to file pages

commit 41e20983fe553b39bc2b00e07c7a379f0c86a4bc upstream.

It is possible to have !Anon but SwapBacked pages, and some apps could
create huge number of such pages with MAP_SHARED|MAP_ANONYMOUS.  These
pages go into the ANON lru list, and hence shall not be protected: we only
care mapped executable files.  Failing to do so may trigger OOM.

Tested-by: Christian Borntraeger <borntraeger@de.ibm.com>
Reviewed-by: Rik van Riel <riel@redhat.com>
Signed-off-by: Wu Fengguang <fengguang.wu@intel.com>
Cc: Hugh Dickins <hugh.dickins@tiscali.co.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agopowerpc: Remove SMP warning from PowerMac cpufreq
Bastian Blank [Wed, 12 Aug 2009 23:30:45 +0000 (23:30 +0000)]
powerpc: Remove SMP warning from PowerMac cpufreq

commit 6fdc31a2b86cf1f98e3eed896578ad9659eeb0f8 upstream.

On Thu, Aug 13, 2009 at 04:14:58PM +1000, Benjamin Herrenschmidt wrote:
> On Tue, 2009-08-11 at 11:39 +0200, Bastian Blank wrote:
> > This patch just disables this driver on SMP kernels, as it is obviously
> > not supported.
> Why not remove the #error instead ? :-) I don't think it's still
> meaningful, especially since we use the timebase for delays nowadays
> which doesn't depend on the CPU frequency...

Your call. Take this one:

The build of a PowerMac 32bit kernel currently fails with

error: #warning "WARNING, CPUFREQ not recommended on SMP kernels"

Thie patch removes the not longer applicable SMP warning from the
PowerMac cpufreq code.

Signed-off-by: Bastian Blank <waldi@debian.org>
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agoNFSv4: The link() operation should return any delegation on the file
Trond Myklebust [Mon, 26 Oct 2009 12:09:46 +0000 (08:09 -0400)]
NFSv4: The link() operation should return any delegation on the file

commit 9a3936aac133037f65124fcb2d676a6c201a90a4 upstream.

Otherwise, we have to wait for the server to recall it.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agoNFSv4: Kill nfs4_renewd_prepare_shutdown()
Trond Myklebust [Thu, 8 Oct 2009 15:50:55 +0000 (11:50 -0400)]
NFSv4: Kill nfs4_renewd_prepare_shutdown()

commit 3050141bae57984dd660e6861632ccf9b8bca77e upstream.

The NFSv4 renew daemon is shared between all active super blocks that refer
to a particular NFS server, so it is wrong to be shutting it down in
nfs4_kill_super every time a super block is destroyed.

This patch therefore kills nfs4_renewd_prepare_shutdown altogether, and
leaves it up to nfs4_shutdown_client() to also shut down the renew daemon
by means of the existing call to nfs4_kill_renewd().

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agoNFSv4: Fix two unbalanced put_rpccred() issues.
Trond Myklebust [Mon, 26 Oct 2009 12:09:46 +0000 (08:09 -0400)]
NFSv4: Fix two unbalanced put_rpccred() issues.

commit 141aeb9f26f9f12f1584c128ce8697cdffb046e7 upstream.

Commits 29fba38b (nfs41: lease renewal) and fc01cea9 (nfs41: sequence
operation) introduce a couple of put_rpccred() calls on credentials for
which there is no corresponding get_rpccred().

See http://bugzilla.kernel.org/show_bug.cgi?id=14249

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agoNFSv4: Fix a bug when the server returns NFS4ERR_RESOURCE
Trond Myklebust [Fri, 23 Oct 2009 18:46:42 +0000 (14:46 -0400)]
NFSv4: Fix a bug when the server returns NFS4ERR_RESOURCE

commit 52567b03ca38b6e556ced450d64dba8d66e23b0e upstream.

RFC 3530 states that when we recieve the error NFS4ERR_RESOURCE, we are not
supposed to bump the sequence number on OPEN, LOCK, LOCKU, CLOSE, etc
operations. The problem is that we map that error into EREMOTEIO in the XDR
layer, and so the NFSv4 middle-layer routines like seqid_mutating_err(),
and nfs_increment_seqid() don't recognise it.

The fix is to defer the mapping until after the middle layers have
processed the error.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agonfs: Panic when commit fails
Terry Loftin [Fri, 23 Oct 2009 01:36:01 +0000 (21:36 -0400)]
nfs: Panic when commit fails

commit a8b40bc7e635831b61c43acc71a86d3a68b2dff0 upstream.

Actually pass the NFS_FILE_SYNC option to the server to avoid a
Panic in nfs_direct_write_complete() when a commit fails.

At the end of an nfs write, if the nfs commit fails, all the writes
will be rescheduled.  They are supposed to be rescheduled as NFS_FILE_SYNC
writes, but the rpc_task structure is not completely intialized and so
the option is not passed.  When the rescheduled writes complete, the
return indicates that they are NFS_UNSTABLE and we try to do another
commit.  This leads to a Panic because the commit data structure pointer
was set to null in the initial (failed) commit attempt.

Signed-off-by: Terry Loftin <terry.loftin@hp.com>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agonfs: Avoid overrun when copying client IP address string
Ben Hutchings [Tue, 6 Oct 2009 19:42:18 +0000 (15:42 -0400)]
nfs: Avoid overrun when copying client IP address string

commit f4373bf9e67e4a653c8854acd7b02dac9714c98a upstream.

As seen in <http://bugs.debian.org/549002>, nfs4_init_client() can
overrun the source string when copying the client IP address from
nfs_parsed_mount_data::client_address to nfs_client::cl_ipaddr.  Since
these are both treated as null-terminated strings elsewhere, the copy
should be done with strlcpy() not memcpy().

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agonetlink: fix typo in initialization (CVE-2009-3612)
Jiri Pirko [Thu, 8 Oct 2009 08:21:46 +0000 (01:21 -0700)]
netlink: fix typo in initialization (CVE-2009-3612)

commit ad61df918c44316940404891d5082c63e79c256a upstream.

Commit 9ef1d4c7c7aca1cd436612b6ca785b726ffb8ed8 ("[NETLINK]: Missing
initializations in dumped data") introduced a typo in
initialization. This patch fixes this.

Signed-off-by: Jiri Pirko <jpirko@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agohwmon: (it87) Fix VID reading on IT8718F/IT8720F
Jean Delvare [Sat, 24 Oct 2009 11:28:47 +0000 (13:28 +0200)]
hwmon: (it87) Fix VID reading on IT8718F/IT8720F

commit 371dc4a6d8c3c74a9a1c74b87c2affb3fcef6500 upstream.

Comparing apples to bananas doesn't seem right. Consistently use the
chips enum for chip type comparisons, to avoid such bugs in the
future.

The bug has been there since support for the IT8718F was added, so
VID never worked for this chip nor for the similar IT8720F.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agobonding: fix a race condition in calls to slave MII ioctls
Jiri Bohac [Thu, 29 Oct 2009 05:23:54 +0000 (22:23 -0700)]
bonding: fix a race condition in calls to slave MII ioctls

commit d9d5283228d0c752f199c901fff6e1405dc91bcb upstream.

In mii monitor mode, bond_check_dev_link() calls the the ioctl
handler of slave devices. It stores the ndo_do_ioctl function
pointer to a static (!) ioctl variable and later uses it to call the
handler with the IOCTL macro.

If another thread executes bond_check_dev_link() at the same time
(even with a different bond, which none of the locks prevent), a
race condition occurs. If the two racing slaves have different
drivers, this may result in one driver's ioctl handler being
called with a pointer to a net_device controlled with a different
driver, resulting in unpredictable breakage.

Unless I am overlooking something, the "static" must be a
copy'n'paste error (?).

Signed-off-by: Jiri Bohac <jbohac@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agoALSA: ice1724 - Make call to set hw params succeed on ESI Juli@
David Henningsson [Sun, 11 Oct 2009 09:37:22 +0000 (11:37 +0200)]
ALSA: ice1724 - Make call to set hw params succeed on ESI Juli@

commit bd3c200e6d5495343c91db66d2acf1853b57a141 upstream.

If two streams are started immediately after one another (such as a
playback and a recording stream), the call to set hw params fails with
EBUSY. This patch makes the call succeed, so playback and recording will
work properly.

Signed-off-by: David Henningsson <launchpad.web@epost.diwic.se>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agoAF_UNIX: Fix deadlock on connecting to shutdown socket (CVE-2009-3621)
Tomoki Sekiyama [Mon, 19 Oct 2009 06:17:37 +0000 (23:17 -0700)]
AF_UNIX: Fix deadlock on connecting to shutdown socket (CVE-2009-3621)

commit 77238f2b942b38ab4e7f3aced44084493e4a8675 upstream.

I found a deadlock bug in UNIX domain socket, which makes able to DoS
attack against the local machine by non-root users.

How to reproduce:
1. Make a listening AF_UNIX/SOCK_STREAM socket with an abstruct
    namespace(*), and shutdown(2) it.
 2. Repeat connect(2)ing to the listening socket from the other sockets
    until the connection backlog is full-filled.
 3. connect(2) takes the CPU forever. If every core is taken, the
    system hangs.

PoC code: (Run as many times as cores on SMP machines.)

int main(void)
{
int ret;
int csd;
int lsd;
struct sockaddr_un sun;

/* make an abstruct name address (*) */
memset(&sun, 0, sizeof(sun));
sun.sun_family = PF_UNIX;
sprintf(&sun.sun_path[1], "%d", getpid());

/* create the listening socket and shutdown */
lsd = socket(AF_UNIX, SOCK_STREAM, 0);
bind(lsd, (struct sockaddr *)&sun, sizeof(sun));
listen(lsd, 1);
shutdown(lsd, SHUT_RDWR);

/* connect loop */
alarm(15); /* forcely exit the loop after 15 sec */
for (;;) {
csd = socket(AF_UNIX, SOCK_STREAM, 0);
ret = connect(csd, (struct sockaddr *)&sun, sizeof(sun));
if (-1 == ret) {
perror("connect()");
break;
}
puts("Connection OK");
}
return 0;
}

(*) Make sun_path[0] = 0 to use the abstruct namespace.
    If a file-based socket is used, the system doesn't deadlock because
    of context switches in the file system layer.

Why this happens:
 Error checks between unix_socket_connect() and unix_wait_for_peer() are
 inconsistent. The former calls the latter to wait until the backlog is
 processed. Despite the latter returns without doing anything when the
 socket is shutdown, the former doesn't check the shutdown state and
 just retries calling the latter forever.

Patch:
 The patch below adds shutdown check into unix_socket_connect(), so
 connect(2) to the shutdown socket will return -ECONREFUSED.

Signed-off-by: Tomoki Sekiyama <tomoki.sekiyama.qu@hitachi.com>
Signed-off-by: Masanori Yoshida <masanori.yoshida.tv@hitachi.com>
Cc: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
15 years agopata_sc1200: Fix crash on boot
Alan Cox [Tue, 6 Oct 2009 15:07:51 +0000 (16:07 +0100)]
pata_sc1200: Fix crash on boot

commit 6d4f950e9ea15816c6a4f266ce6b9e438346771e upstream.

The SC1200 needs a NULL terminator or it may cause a crash on boot.

Bug #14227

Also correct a bogus comment as the driver had serializing added so can run
dual port.

Signed-off-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agob43: Fix Bugzilla #14181 and the bug from the previous 'fix'
Larry Finger [Fri, 16 Oct 2009 15:18:09 +0000 (10:18 -0500)]
b43: Fix Bugzilla #14181 and the bug from the previous 'fix'

commit d50bae33d1358b909ade05ae121d83d3a60ab63f upstream.

"b43: Fix PPC crash in rfkill polling on unload" fixed the bug reported
in Bugzilla No. 14181; however, it introduced a new bug. Whenever the
radio switch was turned off, it was necessary to unload and reload
the driver for it to recognize the switch again.

This patch fixes both the original bug in #14181 and the bug introduced by
the previous patch. It must be stated, however, that if there is a BCM4306/3
with an rfkill switch (not yet proven), then the driver will need an
unload/reload cycle to turn the device back on.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agoKEYS: get_instantiation_keyring() should inc the keyring refcount in all cases
David Howells [Thu, 15 Oct 2009 09:14:35 +0000 (10:14 +0100)]
KEYS: get_instantiation_keyring() should inc the keyring refcount in all cases

commit 21279cfa107af07ef985539ac0de2152b9cba5f5 upstream.

The destination keyring specified to request_key() and co. is made available to
the process that instantiates the key (the slave process started by
/sbin/request-key typically).  This is passed in the request_key_auth struct as
the dest_keyring member.

keyctl_instantiate_key and keyctl_negate_key() call get_instantiation_keyring()
to get the keyring to attach the newly constructed key to at the end of
instantiation.  This may be given a specific keyring into which a link will be
made later, or it may be asked to find the keyring passed to request_key().  In
the former case, it returns a keyring with the refcount incremented by
lookup_user_key(); in the latter case, it returns the keyring from the
request_key_auth struct - and does _not_ increment the refcount.

The latter case will eventually result in an oops when the keyring prematurely
runs out of references and gets destroyed.  The effect may take some time to
show up as the key is destroyed lazily.

To fix this, the keyring returned by get_instantiation_keyring() must always
have its refcount incremented, no matter where it comes from.

This can be tested by setting /etc/request-key.conf to:

#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ...
#====== ======= =============== =============== ===============================
create  * test:* * |/bin/false %u %g %d %{user:_display}
negate * * * /bin/keyctl negate %k 10 @u

and then doing:

keyctl add user _display aaaaaaaa @u
        while keyctl request2 user test:x test:x @u &&
        keyctl list @u;
        do
                keyctl request2 user test:x test:x @u;
                sleep 31;
                keyctl list @u;
        done

which will oops eventually.  Changing the negate line to have @u rather than
%S at the end is important as that forces the latter case by passing a special
keyring ID rather than an actual keyring ID.

Reported-by: Alexander Zangerl <az@bond.edu.au>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Alexander Zangerl <az@bond.edu.au>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agoRevert "ACPI: Attach the ACPI device to the ACPI handle as early as possible"
Len Brown [Sat, 5 Sep 2009 17:33:23 +0000 (13:33 -0400)]
Revert "ACPI: Attach the ACPI device to the ACPI handle as early as possible"

commit f61f925859c57f6175082aeeee17743c68558a6e upstream.

This reverts commit eab4b645769fa2f8703f5a3cb0cc4ac090d347af.

http://bugzilla.kernel.org/show_bug.cgi?id=13002

Signed-off-by: Len Brown <len.brown@intel.com>
Cc: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agoACPI / PCI: Fix NULL pointer dereference in acpi_get_pci_dev() (rev. 2)
Rafael J. Wysocki [Mon, 12 Oct 2009 23:01:57 +0000 (01:01 +0200)]
ACPI / PCI: Fix NULL pointer dereference in acpi_get_pci_dev() (rev. 2)

commit 497fb54f578efd2b479727bc88d5ef942c0a1e2d upstream.

acpi_get_pci_dev() may be called for a non-PCI device, in which case
it should return NULL.  However, it assumes that every handle it
finds in the ACPI CA name space, between given device handle and the
PCI root bridge handle, corresponds to a PCI-to-PCI bridge with an
existing secondary bus.  For this reason, when it finds a struct
pci_dev object corresponding to one of them, it doesn't check if
its 'subordinate' field is a valid pointer.  This obviously leads to
a NULL pointer dereference if acpi_get_pci_dev() is called for a
non-PCI device with a PCI parent which is not a bridge.

To fix this issue make acpi_get_pci_dev() check if pdev->subordinate
is not NULL for every device it finds on the path between the root
bridge and the device it's supposed to get to and return NULL if the
"target" device cannot be found.

http://bugzilla.kernel.org/show_bug.cgi?id=14129
(worked in 2.6.30, regression in 2.6.31)

Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Reported-by: Danny Feng <dfeng@redhat.com>
Reviewed-by: Alex Chiang <achiang@hp.com>
Tested-by: chepioq <chepioq@gmail.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Cc: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agoalpha: fix build after vmlinux.lds.S cleanup
Sam Ravnborg [Fri, 25 Sep 2009 17:53:43 +0000 (19:53 +0200)]
alpha: fix build after vmlinux.lds.S cleanup

commit de078ef55c74d02ee93d44513da5ee88a089d71d upstream.

Add include to get missing THREAD_SIZE definition

Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
Cc: Tim Abbott <tabbott@ksplice.com>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: Richard Henderson <rth@twiddle.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agomips: fix build of vmlinux.lds
Manuel Lauss [Thu, 24 Sep 2009 19:44:24 +0000 (21:44 +0200)]
mips: fix build of vmlinux.lds

commit d71789b6fa37c21ce5eb588d279f57904a62e7e2 upstream.

Commit 51b563fc93c8cb5bff1d67a0a71c374e4a4ea049 ("arm, cris, mips,
sparc, powerpc, um, xtensa: fix build with bash 4.0") removed a few
CPPFLAGS with vital include paths necessary to build vmlinux.lds
on MIPS, and moved the calculation of the 'jiffies' symbol
directly to vmlinux.lds.S but forgot to change make ifdef/... to
cpp macros.

Signed-off-by: Manuel Lauss <manuel.lauss@gmail.com>
[sam: moved assignment of CPPFLAGS arch/mips/kernel/Makefile]
Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
Acked-by: Dmitri Vorobiev <dmitri.vorobiev@movial.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agofsnotify: do not set group for a mark before it is on the i_list
Eric Paris [Fri, 11 Sep 2009 17:03:19 +0000 (13:03 -0400)]
fsnotify: do not set group for a mark before it is on the i_list

commit 9f0d793b52eb2266359661369ef6303838904855 upstream.

fsnotify_add_mark is supposed to add a mark to the g_list and i_list and to
set the group and inode for the mark.  fsnotify_destroy_mark_by_entry uses
the fact that ->group != NULL to know if this group should be destroyed or
if it's already been done.

But fsnotify_add_mark sets the group and inode before it actually adds the
mark to the i_list and g_list.  This can result in a race in inotify, it
requires 3 threads.

sys_inotify_add_watch("file") sys_inotify_add_watch("file") sys_inotify_rm_watch([a])
inotify_update_watch()
inotify_new_watch()
inotify_add_to_idr()
   ^--- returns wd = [a]
inotfiy_update_watch()
inotify_new_watch()
inotify_add_to_idr()
fsnotify_add_mark()
   ^--- returns wd = [b]
returns to userspace;
inotify_idr_find([a])
   ^--- gives us the pointer from task 1
fsnotify_add_mark()
   ^--- this is going to set the mark->group and mark->inode fields, but will
return -EEXIST because of the race with [b].
fsnotify_destroy_mark()
   ^--- since ->group != NULL we call back
into inotify_freeing_mark() which calls
inotify_remove_from_idr([a])

since fsnotify_add_mark() failed we call:
inotify_remove_from_idr([a])     <------WHOOPS it's not in the idr, this could
have been any entry added later!

The fix is to make sure we don't set mark->group until we are sure the mark is
on the inode and fsnotify_add_mark will return success.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agox86/amd-iommu: Workaround for erratum 63
Joerg Roedel [Fri, 9 Oct 2009 16:31:20 +0000 (18:31 +0200)]
x86/amd-iommu: Workaround for erratum 63

commit c5cca146aa03e1f60fb179df65f0dbaf17bc64ed upstream.

There is an erratum for IOMMU hardware which documents
undefined behavior when forwarding SMI requests from
peripherals and the DTE of that peripheral has a sysmgt
value of 01b. This problem caused weird IO_PAGE_FAULTS in my
case.
This patch implements the suggested workaround for that
erratum into the AMD IOMMU driver.  The erratum is
documented with number 63.

Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agofuse: fix kunmap in fuse_ioctl_copy_user
Jens Axboe [Tue, 3 Nov 2009 10:40:44 +0000 (11:40 +0100)]
fuse: fix kunmap in fuse_ioctl_copy_user

commit 0bd87182d3ab18a32a8e9175d3f68754c58e3432 upstream.

Looks like another victim of the confusing kmap() vs kmap_atomic() API
differences.

Reported-by: Todor Gyumyushev <yodor1@gmail.com>
Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agofuse: prevent fuse_put_request on invalid pointer
Anand V. Avati [Thu, 22 Oct 2009 13:24:52 +0000 (06:24 -0700)]
fuse: prevent fuse_put_request on invalid pointer

commit f60311d5f7670d9539b424e4ed8b5c0872fc9e83 upstream.

fuse_direct_io() has a loop where requests are allocated in each
iteration. if allocation fails, the loop is broken out and follows
into an unconditional fuse_put_request() on that invalid pointer.

Signed-off-by: Anand V. Avati <avati@gluster.com>
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agoKVM: get_tss_base_addr() should return a gpa_t
Gleb Natapov [Sun, 25 Oct 2009 15:42:02 +0000 (17:42 +0200)]
KVM: get_tss_base_addr() should return a gpa_t

commit abb3911965c1bd8eea305f64d4840a314259d96d upstream.

If TSS we are switching to resides in high memory task switch will fail
since address will be truncated. Windows2k3 does this sometimes when
running with more then 4G

Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agosgi-gru: decrapfiy options_write() function
Linus Torvalds [Thu, 5 Nov 2009 18:48:30 +0000 (10:48 -0800)]
sgi-gru: decrapfiy options_write() function

commit d39b7dd1dcbf394a1cb897457c862dafe9a20ac5 upstream.

Not a single line of actual code in the function was really
fundamentally correct.

Problems ranged from lack of proper range checking, to removing the last
character written (which admittedly is usually '\n'), to not accepting
hex numbers even though the 'show' routine would show the data in that
format.

This tries to do better.

Acked-by: Michael Buesch <mb@bu3sch.de>
Tested-and-acked-by: Jack Steiner <steiner@sgi.com>
Cc: Jiri Kosina <jkosina@suse.cz>
Cc: Michael Gilbert <michael.s.gilbert@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agoxen: mask extended topology info in cpuid
Jeremy Fitzhardinge [Thu, 22 Oct 2009 23:41:15 +0000 (16:41 -0700)]
xen: mask extended topology info in cpuid

commit 82d6469916c6fcfa345636a49004c9d1753905d1 upstream.

A Xen guest never needs to know about extended topology, and knowing
would just confuse it.

This patch just zeros ebx in leaf 0xb which indicates no topology info,
preventing a crash under Xen on cpus which support this leaf.

Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
15 years agoxen/hvc: make sure console output is always emitted, with explicit polling
Jeremy Fitzhardinge [Tue, 20 Oct 2009 06:28:21 +0000 (15:28 +0900)]
xen/hvc: make sure console output is always emitted, with explicit polling

commit 7825cf10e31c64ece3cac66fb01a742f1094da51 upstream.

We never want to rely on the hvc workqueue to emit output, because the
most interesting output is when the kernel is broken.  This will
improve oops/crash/console message for better debugging.

Instead, we force-poll until all output is emitted.

Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agodrm/i915: add B43 chipset support
Fabian Henze [Mon, 7 Sep 2009 16:59:59 +0000 (00:59 +0800)]
drm/i915: add B43 chipset support

commit 7839c5d5519b6d9e2ccf3cdbf1c39e3817ad0835 upstream.

Signed-off-by: Fabian Henze <hoacha@quantentunnel.de>
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agoagp/intel: Add B43 chipset support
Fabian Henze [Mon, 7 Sep 2009 16:59:58 +0000 (00:59 +0800)]
agp/intel: Add B43 chipset support

commit 38d8a95621b20ed7868e232a35a26ee61bdcae6f upstream.

Signed-off-by: Fabian Henze <hoacha@quantentunnel.de>
[Fix reversed HB & IG ids for B43]
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agodrm/i915: fix panel fitting filter coefficient select for Ironlake
Zhenyu Wang [Mon, 19 Oct 2009 07:43:49 +0000 (15:43 +0800)]
drm/i915: fix panel fitting filter coefficient select for Ironlake

commit b1f60b7029989da71fd8ea1b1176480fac9e846c upstream.

Must set filter selection as hardcoded coefficients for medium 3x3
filtering, which matches vbios setting for Ironlake.

This fixes display corrupt issue on HP arrandale with new vbios.

Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agodrm/i915: fix to setup display reference clock control on Ironlake
Zhenyu Wang [Mon, 19 Oct 2009 07:43:48 +0000 (15:43 +0800)]
drm/i915: fix to setup display reference clock control on Ironlake

commit c038e51e841581cc3fb9a76e5e16331331e9c85c upstream.

For new stepping of PCH, the display reference clock
is fully under driver's control. This one trys to setup
all needed reference clock for different outputs. Older
stepping of PCH chipset should be ignoring this.

This fixes output failure issue on newer PCH which requires
driver to take control of reference clock enabling.

Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agodrm/i915: Fix FDI M/N setting according with correct color depth
Zhenyu Wang [Fri, 25 Sep 2009 08:01:28 +0000 (08:01 +0000)]
drm/i915: Fix FDI M/N setting according with correct color depth

commit 58a27471d00dc09945cbcfbbc5cbcdcd3c28211d upstream.

FDI M/N calculation hasn't taken the current pipe color depth into account,
but always set as 24bpp. This one checks current pipe color depth setting,
and change FDI M/N calculation a little to use bits_per_pixel first, then
convert to bytes_per_pixel later.

This fixes display corrupt issue on Arrandle LVDS with 1600x900 panel
in 18bpp dual-channel mode.

Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agonilfs2: fix dirty page accounting leak causing hang at write
Ryusuke Konishi [Mon, 2 Nov 2009 15:25:53 +0000 (00:25 +0900)]
nilfs2: fix dirty page accounting leak causing hang at write

commit b1e19e5601277845b4f17ecd7c9ba04f73ee11aa upstream.

Bruno Prémont and Dunphy, Bill noticed me that NILFS will certainly
hang on ARM-based targets.

I found this was caused by an underflow of dirty pages counter.  A
b-tree cache routine was marking page dirty without adjusting page
account information.

This fixes the dirty page accounting leak and resolves the hang on
arm-based targets.

Reported-by: Bruno Prémont <bonbons@linux-vserver.org>
Reported-by: Dunphy, Bill <WDunphy@tandbergdata.com>
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Tested-by: Bruno Prémont <bonbons@linux-vserver.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agox86-64: Fix register leak in 32-bit syscall audting
Jan Beulich [Mon, 26 Oct 2009 15:20:29 +0000 (15:20 +0000)]
x86-64: Fix register leak in 32-bit syscall audting

commit 81766741fe1eee3884219e8daaf03f466f2ed52f upstream.

Restoring %ebp after the call to audit_syscall_exit() is not
only unnecessary (because the register didn't get clobbered),
but in the sysenter case wasn't even doing the right thing: It
loaded %ebp from a location below the top of stack (RBP <
ARGOFFSET), i.e. arbitrary kernel data got passed back to user
mode in the register.

Signed-off-by: Jan Beulich <jbeulich@novell.com>
Acked-by: Roland McGrath <roland@redhat.com>
LKML-Reference: <4AE5CC4D020000780001BD13@vpn.id2.novell.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agomm: remove incorrect swap_count() from try_to_unuse()
Bo Liu [Mon, 2 Nov 2009 16:50:33 +0000 (16:50 +0000)]
mm: remove incorrect swap_count() from try_to_unuse()

commit 32c5fc10e79a7053ac5728b01a0bff55cbcb9d49 upstream.

In try_to_unuse(), swcount is a local copy of *swap_map, including the
SWAP_HAS_CACHE bit; but a wrong comparison against swap_count(*swap_map),
which masks off the SWAP_HAS_CACHE bit, succeeded where it should fail.

That had the effect of resetting the mm from which to start searching
for the next swap page, to an irrelevant mm instead of to an mm in which
this swap page had been found: which may increase search time by ~20%.
But we're used to swapoff being slow, so never noticed the slowdown.

Remove that one spurious use of swap_count(): Bo Liu thought it merely
redundant, Hugh rewrote the description since it was measurably wrong.

Signed-off-by: Bo Liu <bo-liu@hotmail.com>
Signed-off-by: Hugh Dickins <hugh.dickins@tiscali.co.uk>
Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agoNOMMU: Don't pass NULL pointers to fput() in do_mmap_pgoff()
David Howells [Fri, 30 Oct 2009 13:13:26 +0000 (13:13 +0000)]
NOMMU: Don't pass NULL pointers to fput() in do_mmap_pgoff()

commit 89a8640279f8bb78aaf778d1fc5c4a6778f18064 upstream.

Don't pass NULL pointers to fput() in the error handling paths of the NOMMU
do_mmap_pgoff() as it can't handle it.

The following can be used as a test program:

int main() { static long long a[1024 * 1024 * 20] = { 0 }; return a;}

Without the patch, the code oopses in atomic_long_dec_and_test() as called by
fput() after the kernel complains that it can't allocate that big a chunk of
memory.  With the patch, the kernel just complains about the allocation size
and then the program segfaults during execve() as execve() can't complete the
allocation of all the new ELF program segments.

Reported-by: Robin Getz <rgetz@blackfin.uclinux.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Robin Getz <rgetz@blackfin.uclinux.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agox86, UV: Set DELIVERY_MODE=4 for vector=NMI_VECTOR in uv_hub_send_ipi()
Robin Holt [Tue, 20 Oct 2009 19:36:15 +0000 (14:36 -0500)]
x86, UV: Set DELIVERY_MODE=4 for vector=NMI_VECTOR in uv_hub_send_ipi()

commit 02dd0a0613e0d84c7dd8315e3fe6204d005b7c79 upstream.

When sending a NMI_VECTOR IPI using the UV_HUB_IPI_INT register,
we need to ensure the delivery mode field of that register has
NMI delivery selected.

This makes those IPIs true NMIs, instead of flat IPIs. It
matters to reboot sequences and KGDB, both of which use NMI
IPIs.

Signed-off-by: Robin Holt <holt@sgi.com>
Acked-by: Jack Steiner <steiner@sgi.com>
Cc: Martin Hicks <mort@sgi.com>
LKML-Reference: <20091020193620.877322000@alcatraz.americas.sgi.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agox86, UV: Fix information in __uv_hub_info structure
Robin Holt [Thu, 15 Oct 2009 22:40:00 +0000 (17:40 -0500)]
x86, UV: Fix information in __uv_hub_info structure

commit 036ed8ba61b72c19dc5759446d4fe0844aa88255 upstream.

A few parts of the uv_hub_info structure are initialized
incorrectly.

 - n_val is being loaded with m_val.
 - gpa_mask is initialized with a bytes instead of an unsigned long.
 - Handle the case where none of the alias registers are used.

Lastly I converted the bau over to using the uv_hub_info->m_val
which is the correct value.

Without this patch, booting a large configuration hits a
problem where the upper bits of the gnode affect the pnode
and the bau will not operate.

Signed-off-by: Robin Holt <holt@sgi.com>
Acked-by: Jack Steiner <steiner@sgi.com>
Cc: Cliff Whickman <cpw@sgi.com>
LKML-Reference: <20091015224946.396355000@alcatraz.americas.sgi.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agomac80211: check interface is down before type change
Johannes Berg [Sun, 1 Nov 2009 18:25:40 +0000 (19:25 +0100)]
mac80211: check interface is down before type change

commit c1f9a764cf47686b1f5a0cf87ada68d90056136a upstream.

For some strange reason the netif_running() check
ended up after the actual type change instead of
before, potentially causing all kinds of problems
if the interface is up while changing the type;
one of the problems manifests itself as a warning:

WARNING: at net/mac80211/iface.c:651 ieee80211_teardown_sdata+0xda/0x1a0 [mac80211]()
Hardware name: Aspire one
Pid: 2596, comm: wpa_supplicant Tainted: G        W  2.6.31-10-generic #32-Ubuntu
Call Trace:
 [] warn_slowpath_common+0x6d/0xa0
 [] warn_slowpath_null+0x15/0x20
 [] ieee80211_teardown_sdata+0xda/0x1a0 [mac80211]
 [] ieee80211_if_change_type+0x4a/0xc0 [mac80211]
 [] ieee80211_change_iface+0x61/0xa0 [mac80211]
 [] cfg80211_wext_siwmode+0xc7/0x120 [cfg80211]
 [] ioctl_standard_call+0x58/0xf0

(http://www.kerneloops.org/searchweek.php?search=ieee80211_teardown_sdata)

Cc: Arjan van de Ven <arjan@infradead.org>
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agomac80211: fix for incorrect sequence number on hostapd injected frames
Björn Smedman [Sat, 24 Oct 2009 18:55:09 +0000 (20:55 +0200)]
mac80211: fix for incorrect sequence number on hostapd injected frames

commit 9b1ce526eb917c8b5c8497c327768130ee683392 upstream.

When hostapd injects a frame, e.g. an authentication or association
response, mac80211 looks for a suitable access point virtual interface
to associate the frame with based on its source address. This makes it
possible e.g. to correctly assign sequence numbers to the frames.

A small typo in the ethernet address comparison statement caused a
failure to find a suitable ap interface. Sequence numbers on such
frames where therefore left unassigned causing some clients
(especially windows-based 11b/g clients) to reject them and fail to
authenticate or associate with the access point. This patch fixes the
typo in the address comparison statement.

Signed-off-by: Björn Smedman <bjorn.smedman@venatech.se>
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agoCIFS: Fixing to avoid invalid kfree() in cifs_get_tcp_session()
Steve French [Tue, 6 Oct 2009 18:31:29 +0000 (18:31 +0000)]
CIFS: Fixing to avoid invalid kfree() in cifs_get_tcp_session()

commit 8347a5cdd1422eea0470ed586274c7f29e274b47 upstream.

trivial bug in fs/cifs/connect.c .
The bug is caused by fail of extract_hostname()
when mounting cifs file system.

This is the situation when I noticed this bug.

% sudo mount -t cifs //192.168.10.208 mountpoint -o options...

Then my kernel says,

[ 1461.807776] ------------[ cut here ]------------
[ 1461.807781] kernel BUG at mm/slab.c:521!
[ 1461.807784] invalid opcode: 0000 [#2] PREEMPT SMP
[ 1461.807790] last sysfs file:
/sys/devices/pci0000:00/0000:00:1e.0/0000:09:02.0/resource
[ 1461.807793] CPU 0
[ 1461.807796] Modules linked in: nls_iso8859_1 usbhid sbp2 uhci_hcd
ehci_hcd i2c_i801 ohci1394 ieee1394 psmouse serio_raw pcspkr sky2 usbcore
evdev
[ 1461.807816] Pid: 3446, comm: mount Tainted: G      D 2.6.32-rc2-vanilla
[ 1461.807820] RIP: 0010:[<ffffffff810b888e>]  [<ffffffff810b888e>]
kfree+0x63/0x156
[ 1461.807829] RSP: 0018:ffff8800b4f7fbb8  EFLAGS: 00010046
[ 1461.807832] RAX: ffffea00033fff98 RBX: ffff8800afbae7e2 RCX:
0000000000000000
[ 1461.807836] RDX: ffffea0000000000 RSI: 000000000000005c RDI:
ffffffffffffffea
[ 1461.807839] RBP: ffff8800b4f7fbf8 R08: 0000000000000001 R09:
0000000000000000
[ 1461.807842] R10: 0000000000000000 R11: ffff8800b4f7fbf8 R12:
00000000ffffffea
[ 1461.807845] R13: ffff8800afb23000 R14: ffff8800b4f87bc0 R15:
ffffffffffffffea
[ 1461.807849] FS:  00007f52b6f187c0(0000) GS:ffff880007600000(0000)
knlGS:0000000000000000
[ 1461.807852] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 1461.807855] CR2: 0000000000613000 CR3: 00000000af8f9000 CR4:
00000000000006f0
[ 1461.807858] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[ 1461.807861] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7:
0000000000000400
[ 1461.807865] Process mount (pid: 3446, threadinfo ffff8800b4f7e000, task
ffff8800950e4380)
[ 1461.807867] Stack:
[ 1461.807869]  0000000000000202 0000000000000282 ffff8800b4f7fbf8
ffff8800afbae7e2
[ 1461.807876] <0> 00000000ffffffea ffff8800afb23000 ffff8800b4f87bc0
ffff8800b4f7fc28
[ 1461.807884] <0> ffff8800b4f7fcd8 ffffffff81159f6d ffffffff81147bc2
ffffffff816bfb48
[ 1461.807892] Call Trace:
[ 1461.807899]  [<ffffffff81159f6d>] cifs_get_tcp_session+0x440/0x44b
[ 1461.807904]  [<ffffffff81147bc2>] ? find_nls+0x1c/0xe9
[ 1461.807909]  [<ffffffff8115b889>] cifs_mount+0x16bc/0x2167
[ 1461.807917]  [<ffffffff814455bd>] ? _spin_unlock+0x30/0x4b
[ 1461.807923]  [<ffffffff81150da9>] cifs_get_sb+0xa5/0x1a8
[ 1461.807928]  [<ffffffff810c1b94>] vfs_kern_mount+0x56/0xc9
[ 1461.807933]  [<ffffffff810c1c64>] do_kern_mount+0x47/0xe7
[ 1461.807938]  [<ffffffff810d8632>] do_mount+0x712/0x775
[ 1461.807943]  [<ffffffff810d671f>] ? copy_mount_options+0xcf/0x132
[ 1461.807948]  [<ffffffff810d8714>] sys_mount+0x7f/0xbf
[ 1461.807953]  [<ffffffff8144509a>] ? lockdep_sys_exit_thunk+0x35/0x67
[ 1461.807960]  [<ffffffff81011cc2>] system_call_fastpath+0x16/0x1b
[ 1461.807963] Code: 00 00 00 00 ea ff ff 48 c1 e8 0c 48 6b c0 68 48 01 d0
66 83 38 00 79 04 48 8b 40 10 66 83 38 00 79 04 48 8b 40 10 80 38 00 78 04
<0f> 0b eb fe 4c 8b 70 58 4c 89 ff 41 8b 76 4c e8 b8 49 fb ff e8
[ 1461.808022] RIP  [<ffffffff810b888e>] kfree+0x63/0x156
[ 1461.808027]  RSP <ffff8800b4f7fbb8>
[ 1461.808031] ---[ end trace ffe26fcdc72c0ce4 ]---

The reason of this bug is that the error handling code of
cifs_get_tcp_session()
calls kfree() when corresponding kmalloc() failed.
(The kmalloc() is called by extract_hostname().)

Signed-off-by: Hitoshi Mitake <mitake@dcl.info.waseda.ac.jp>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agovirtio: order used ring after used index read
Michael S. Tsirkin [Sun, 25 Oct 2009 13:28:53 +0000 (15:28 +0200)]
virtio: order used ring after used index read

commit 2d61ba95034f1abbdec7729d52c740870a5eddb6 upstream.

On SMP guests, reads from the ring might bypass used index reads. This
causes guest crashes because host writes to used index to signal ring
data readiness.  Fix this by inserting rmb before used ring reads.

Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
15 years agocpuidle: always return with interrupts enabled
Kevin Hilman [Mon, 26 Oct 2009 23:50:18 +0000 (16:50 -0700)]
cpuidle: always return with interrupts enabled

commit 246eb7f0ed1a8aeddec5313137767658f378949b upstream.

In the case where cpuidle_idle_call() returns before changing state due to
a need_resched(), it was returning with IRQs disabled.

The idle path assumes that the platform specific idle code returns with
interrupts enabled (although this too is undocumented AFAICT) and on ARM
we have a WARN_ON(!(irqs_disabled()) when returning from the idle loop, so
the user-visible effects were only a warning since interrupts were
eventually re-enabled later.

On x86, this same problem exists, but there is no WARN_ON() to detect it.
As on ARM, the interrupts are eventually re-enabled, so I'm not sure of
any actual bugs triggered by this.  It's primarily a
correctness/consistency fix.

This patch ensures IRQs are (re)enabled before returning.

Reported-by: Hemanth V <hemanthv@ti.com>
Signed-off-by: Kevin Hilman <khilman@deeprootsystems.com>
Cc: Arjan van de Ven <arjan@linux.intel.com>
Cc: Len Brown <len.brown@intel.com>
Cc: Venkatesh Pallipadi <venkatesh.pallipadi@intel.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: "Rafael J. Wysocki" <rjw@sisk.pl>
Tested-by: Martin Michlmayr <tbm@cyrius.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>