]> git.karo-electronics.de Git - karo-tx-linux.git/log
karo-tx-linux.git
13 years agoi2c-algo-bit: Call pre/post_xfer for bit_test
Alex Deucher [Sun, 17 Apr 2011 08:20:19 +0000 (10:20 +0200)]
i2c-algo-bit: Call pre/post_xfer for bit_test

commit d3b3e15da14ded61c9654db05863b04a2435f4cc upstream.

Apparently some distros set i2c-algo-bit.bit_test to 1 by
default.  In some cases this causes i2c_bit_add_bus
to fail and prevents the i2c bus from being added.  In the
radeon case, we fail to add the ddc i2c buses which prevents
the driver from being able to detect attached monitors.
The i2c bus works fine even if bit_test fails.  This is likely
due to gpio switching that is required and handled in the
pre/post_xfer hooks, so call the pre/post_xfer hooks in the
bit test as well.

Fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=36221

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoARM: 6864/1: hw_breakpoint: clear DBGVCR out of reset
Will Deacon [Tue, 5 Apr 2011 12:57:53 +0000 (13:57 +0100)]
ARM: 6864/1: hw_breakpoint: clear DBGVCR out of reset

commit e89c0d7090c54d7b11b9b091e495a1ae345dd3ff upstream.

The DBGVCR, used for configuring vector catch debug events, is UNKNOWN
out of reset on ARMv7. When enabling monitor mode, this must be zeroed
to avoid UNPREDICTABLE behaviour.

This patch adds the zeroing code to the debug reset path.

Reported-by: Stepan Moskovchenko <stepanm@codeaurora.org>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agovfs: Fix absolute RCU path walk failures due to uninitialized seq number
Tim Chen [Fri, 15 Apr 2011 18:39:29 +0000 (11:39 -0700)]
vfs: Fix absolute RCU path walk failures due to uninitialized seq number

commit c1530019e311c91d14b24d8e74d233152d806e45 upstream.

During RCU walk in path_lookupat and path_openat, the rcu lookup
frequently failed if looking up an absolute path, because when root
directory was looked up, seq number was not properly set in nameidata.

We dropped out of RCU walk in nameidata_drop_rcu due to mismatch in
directory entry's seq number.  We reverted to slow path walk that need
to take references.

With the following patch, I saw a 50% increase in an exim mail server
benchmark throughput on a 4-socket Nehalem-EX system.

Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
Reviewed-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agox86, amd: Disable GartTlbWlkErr when BIOS forgets it
Joerg Roedel [Fri, 15 Apr 2011 12:47:40 +0000 (14:47 +0200)]
x86, amd: Disable GartTlbWlkErr when BIOS forgets it

commit 5bbc097d890409d8eff4e3f1d26f11a9d6b7c07e upstream.

This patch disables GartTlbWlk errors on AMD Fam10h CPUs if
the BIOS forgets to do is (or is just too old). Letting
these errors enabled can cause a sync-flood on the CPU
causing a reboot.

The AMD BKDG recommends disabling GART TLB Wlk Error completely.

This patch is the fix for

https://bugzilla.kernel.org/show_bug.cgi?id=33012

on my machine.

Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Link: http://lkml.kernel.org/r/20110415131152.GJ18463@8bytes.org
Tested-by: Alexandre Demers <alexandre.f.demers@gmail.com>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agox86, AMD: Set ARAT feature on AMD processors
Boris Ostrovsky [Tue, 15 Mar 2011 16:13:44 +0000 (12:13 -0400)]
x86, AMD: Set ARAT feature on AMD processors

commit b87cf80af3ba4b4c008b4face3c68d604e1715c6 upstream.

Support for Always Running APIC timer (ARAT) was introduced in
commit db954b5898dd3ef3ef93f4144158ea8f97deb058. This feature
allows us to avoid switching timers from LAPIC to something else
(e.g. HPET) and go into timer broadcasts when entering deep
C-states.

AMD processors don't provide a CPUID bit for that feature but
they also keep APIC timers running in deep C-states (except for
cases when the processor is affected by erratum 400). Therefore
we should set ARAT feature bit on AMD CPUs.

Tested-by: Borislav Petkov <borislav.petkov@amd.com>
Acked-by: Andreas Herrmann <andreas.herrmann3@amd.com>
Acked-by: Mark Langsdorf <mark.langsdorf@amd.com>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@amd.com>
LKML-Reference: <1300205624-4813-1-git-send-email-ostr@amd64.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUBIFS: fix oops when R/O file-system is fsync'ed
Artem Bityutskiy [Wed, 13 Apr 2011 07:31:52 +0000 (10:31 +0300)]
UBIFS: fix oops when R/O file-system is fsync'ed

commit 78530bf7f2559b317c04991b52217c1608d5a58d upstream.

This patch fixes severe UBIFS bug: UBIFS oopses when we 'fsync()' an
file on R/O-mounter file-system. We (the UBIFS authors) incorrectly
thought that VFS would not propagate 'fsync()' down to the file-system
if it is read-only, but this is not the case.

It is easy to exploit this bug using the following simple perl script:

use strict;
use File::Sync qw(fsync sync);

die "File path is not specified" if not defined $ARGV[0];
my $path = $ARGV[0];

open FILE, "<", "$path" or die "Cannot open $path: $!";
fsync(\*FILE) or die "cannot fsync $path: $!";
close FILE or die "Cannot close $path: $!";

Thanks to Reuben Dowle <Reuben.Dowle@navico.com> for reporting about this
issue.

Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Reported-by: Reuben Dowle <Reuben.Dowle@navico.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoMAINTAINERS: update STABLE BRANCH info
Randy Dunlap [Thu, 14 Apr 2011 22:22:07 +0000 (15:22 -0700)]
MAINTAINERS: update STABLE BRANCH info

commit d00ebeac5f24f290636f7a895dafc124b2930a08 upstream.

Drop Chris Wright from STABLE maintainers.  He hasn't done STABLE release
work for quite some time.

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Acked-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agooom-kill: remove boost_dying_task_prio()
KOSAKI Motohiro [Thu, 14 Apr 2011 22:22:13 +0000 (15:22 -0700)]
oom-kill: remove boost_dying_task_prio()

commit 341aea2bc48bf652777fb015cc2b3dfa9a451817 upstream.

This is an almost-revert of commit 93b43fa ("oom: give the dying task a
higher priority").

That commit dramatically improved oom killer logic when a fork-bomb
occurs.  But I've found that it has nasty corner case.  Now cpu cgroup has
strange default RT runtime.  It's 0!  That said, if a process under cpu
cgroup promote RT scheduling class, the process never run at all.

If an admin inserts a !RT process into a cpu cgroup by setting
rtruntime=0, usually it runs perfectly because a !RT task isn't affected
by the rtruntime knob.  But if it promotes an RT task via an explicit
setscheduler() syscall or an OOM, the task can't run at all.  In short,
the oom killer doesn't work at all if admins are using cpu cgroup and don't
touch the rtruntime knob.

Eventually, kernel may hang up when oom kill occur.  I and the original
author Luis agreed to disable this logic.

Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Acked-by: Luis Claudio R. Goncalves <lclaudio@uudg.org>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Reviewed-by: Minchan Kim <minchan.kim@gmail.com>
Acked-by: David Rientjes <rientjes@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoramfs: fix memleak on no-mmu arch
Bob Liu [Thu, 14 Apr 2011 22:22:20 +0000 (15:22 -0700)]
ramfs: fix memleak on no-mmu arch

commit b836aec53e2bce71de1d5415313380688c851477 upstream.

On no-mmu arch, there is a memleak during shmem test.  The cause of this
memleak is ramfs_nommu_expand_for_mapping() added page refcount to 2
which makes iput() can't free that pages.

The simple test file is like this:

  int main(void)
  {
int i;
key_t k = ftok("/etc", 42);

for ( i=0; i<100; ++i) {
int id = shmget(k, 10000, 0644|IPC_CREAT);
if (id == -1) {
printf("shmget error\n");
}
if(shmctl(id, IPC_RMID, NULL ) == -1) {
printf("shm  rm error\n");
return -1;
}
}
printf("run ok...\n");
return 0;
  }

And the result:

  root:/> free
               total         used         free       shared      buffers
  Mem:         60320        17912        42408            0            0
  -/+ buffers:              17912        42408
  root:/> shmem
  run ok...
  root:/> free
               total         used         free       shared      buffers
  Mem:         60320        19096        41224            0            0
  -/+ buffers:              19096        41224
  root:/> shmem
  run ok...
  root:/> free
               total         used         free       shared      buffers
  Mem:         60320        20296        40024            0            0
  -/+ buffers:              20296        40024
  ...

After this patch the test result is:(no memleak anymore)

  root:/> free
               total         used         free       shared      buffers
  Mem:         60320        16668        43652            0            0
  -/+ buffers:              16668        43652
  root:/> shmem
  run ok...
  root:/> free
               total         used         free       shared      buffers
  Mem:         60320        16668        43652            0            0
  -/+ buffers:              16668        43652

Signed-off-by: Bob Liu <lliubbo@gmail.com>
Acked-by: Hugh Dickins <hughd@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomm/thp: use conventional format for boolean attributes
Ben Hutchings [Thu, 14 Apr 2011 22:22:21 +0000 (15:22 -0700)]
mm/thp: use conventional format for boolean attributes

commit e27e6151b154ff6e5e8162efa291bc60196d29ea upstream.

The conventional format for boolean attributes in sysfs is numeric ("0" or
"1" followed by new-line).  Any boolean attribute can then be read and
written using a generic function.  Using the strings "yes [no]", "[yes]
no" (read), "yes" and "no" (write) will frustrate this.

[akpm@linux-foundation.org: use kstrtoul()]
[akpm@linux-foundation.org: test_bit() doesn't return 1/0, per Neil]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Andrea Arcangeli <aarcange@redhat.com>
Cc: Mel Gorman <mel@csn.ul.ie>
Cc: Johannes Weiner <jweiner@redhat.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Hugh Dickins <hughd@google.com>
Tested-by: David Rientjes <rientjes@google.com>
Cc: NeilBrown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agokstrto*: converting strings to integers done (hopefully) right
Alexey Dobriyan [Tue, 22 Mar 2011 23:34:40 +0000 (16:34 -0700)]
kstrto*: converting strings to integers done (hopefully) right

commit 33ee3b2e2eb9b4b6c64dcf9ed66e2ac3124e748c upstream.

1. simple_strto*() do not contain overflow checks and crufty,
   libc way to indicate failure.
2. strict_strto*() also do not have overflow checks but the name and
   comments pretend they do.
3. Both families have only "long long" and "long" variants,
   but users want strtou8()
4. Both "simple" and "strict" prefixes are wrong:
   Simple doesn't exactly say what's so simple, strict should not exist
   because conversion should be strict by default.

The solution is to use "k" prefix and add convertors for more types.
Enter
kstrtoull()
kstrtoll()
kstrtoul()
kstrtol()
kstrtouint()
kstrtoint()

kstrtou64()
kstrtos64()
kstrtou32()
kstrtos32()
kstrtou16()
kstrtos16()
kstrtou8()
kstrtos8()

Include runtime testsuite (somewhat incomplete) as well.

strict_strto*() become deprecated, stubbed to kstrto*() and
eventually will be removed altogether.

Use kstrto*() in code today!

Note: on some archs _kstrtoul() and _kstrtol() are left in tree, even if
      they'll be unused at runtime. This is temporarily solution,
      because I don't want to hardcode list of archs where these
      functions aren't needed. Current solution with sizeof() and
      __alignof__ at least always works.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agofutex: Set FLAGS_HAS_TIMEOUT during futex_wait restart setup
Darren Hart [Thu, 14 Apr 2011 22:41:57 +0000 (15:41 -0700)]
futex: Set FLAGS_HAS_TIMEOUT during futex_wait restart setup

commit 0cd9c6494ee5c19aef085152bc37f3a4e774a9e1 upstream.

The FLAGS_HAS_TIMEOUT flag was not getting set, causing the restart_block to
restart futex_wait() without a timeout after a signal.

Commit b41277dc7a18ee332d in 2.6.38 introduced the regression by accidentally
removing the the FLAGS_HAS_TIMEOUT assignment from futex_wait() during the setup
of the restart block. Restore the originaly behavior.

Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=32922
Reported-by: Tim Smith <tsmith201104@yahoo.com>
Reported-by: Torsten Hilbrich <torsten.hilbrich@secunet.com>
Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: John Kacur <jkacur@redhat.com>
Link: http://lkml.kernel.org/r/%3Cdaac0eb3af607f72b9a4d3126b2ba8fb5ed3b883.1302820917.git.dvhart%40linux.intel.com%3E
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agosparc64: Fix build errors with gcc-4.6.0
David S. Miller [Sun, 27 Feb 2011 07:40:02 +0000 (23:40 -0800)]
sparc64: Fix build errors with gcc-4.6.0

[ Upstream commit c6fee0810df4e0f4cf9c4834d2569ca01c02cffc ]

Most of the warnings emitted (we fail arch/sparc file
builds with -Werror) were legitimate but harmless, however
one case (n2_pcr_write) was a genuine bug.

Based almost entirely upon a patch by Sam Ravnborg.

Reported-by: Dennis Gilmore <dennis@ausil.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agosparc32: Pass task_struct to schedule_tail() in ret_from_fork
Tkhai Kirill [Thu, 31 Mar 2011 07:52:38 +0000 (00:52 -0700)]
sparc32: Pass task_struct to schedule_tail() in ret_from_fork

[ Upstream commit 47c7c97a93a5b8f719093dbf83555090b3b8228b ]

We have to pass task_struct of previous process to function
schedule_tail(). Currently in ret_from_fork previous thread_info
is passed:

switch_to: mov %g6, %g3 /* previous thread_info in g6 */

ret_from_fork: call    schedule_tail
                mov    %g3, %o0 /* previous thread_info is passed */

void schedule_tail(struct task_struct *prev);

Signed-off-by: Tkhai Kirill <tkhai@yandex.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agosparc32: Fix might-be-used-uninitialized warning in do_sparc_fault().
David S. Miller [Wed, 9 Mar 2011 21:00:47 +0000 (13:00 -0800)]
sparc32: Fix might-be-used-uninitialized warning in do_sparc_fault().

[ Upstream commit c816be7b5f24585baa9eba1f2413935f771d6ad6 ]

When we try to handle vmalloc faults, we can take a code
path which uses "code" before we actually set it.

Amusingly gcc-3.3 notices this yet gcc-4.x does not.

Reported-by: Bob Breuer <breuerr@mc.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agosparc: Fix .size directive for do_int_load
Ben Hutchings [Wed, 9 Mar 2011 20:54:27 +0000 (12:54 -0800)]
sparc: Fix .size directive for do_int_load

[ Upstream commit 35043c428f1fcb92feb5792f5878a8852ee00771 ]

gas used to accept (and ignore?) .size directives which referred to
undefined symbols, as this does.  In binutils 2.21 these are treated
as errors.

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agobridge: Reset IPCB when entering IP stack on NF_FORWARD
Herbert Xu [Fri, 18 Mar 2011 05:27:28 +0000 (05:27 +0000)]
bridge: Reset IPCB when entering IP stack on NF_FORWARD

[ Upstream commit 6b1e960fdbd75dcd9bcc3ba5ff8898ff1ad30b6e ]

Whenever we enter the IP stack proper from bridge netfilter we
need to ensure that the skb is in a form the IP stack expects
it to be in.

The entry point on NF_FORWARD did not meet the requirements of
the IP stack, therefore leading to potential crashes/panics.

This patch fixes the problem.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agovlan: should take into account needed_headroom
Eric Dumazet [Fri, 18 Mar 2011 00:27:27 +0000 (00:27 +0000)]
vlan: should take into account needed_headroom

[ Upstream commit d870bfb9d366c5d466c0f5419a4ec95a3f71ea8a ]

Commit c95b819ad7 (gre: Use needed_headroom)
made gre use needed_headroom instead of hard_header_len

This uncover a bug in vlan code.

We should make sure vlan devices take into account their
real_dev->needed_headroom or we risk a crash in ipgre_header(), because
we dont have enough room to push IP header in skb.

Reported-by: Diddi Oscarsson <diddi@diddi.se>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoxfrm: Refcount destination entry on xfrm_lookup
Steffen Klassert [Tue, 15 Mar 2011 21:12:49 +0000 (21:12 +0000)]
xfrm: Refcount destination entry on xfrm_lookup

[ Upstream commit fbd5060875d25f7764fd1c3d35b83a8ed1d88d7b ]

We return a destination entry without refcount if a socket
policy is found in xfrm_lookup. This triggers a warning on
a negative refcount when freeeing this dst entry. So take
a refcount in this case to fix it.

This refcount was forgotten when xfrm changed to cache bundles
instead of policies for outgoing flows.

Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: Timo Teräs <timo.teras@iki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agotcp: avoid cwnd moderation in undo
Yuchung Cheng [Mon, 14 Mar 2011 10:57:03 +0000 (10:57 +0000)]
tcp: avoid cwnd moderation in undo

[ Upstream commit 67d4120a1793138bc9f4a6eb61d0fc5298ed97e0 ]

In the current undo logic, cwnd is moderated after it was restored
to the value prior entering fast-recovery. It was moderated first
in tcp_try_undo_recovery then again in tcp_complete_cwr.

Since the undo indicates recovery was false, these moderations
are not necessary. If the undo is triggered when most of the
outstanding data have been acknowledged, the (restored) cwnd is
falsely pulled down to a small value.

This patch removes these cwnd moderations if cwnd is undone
  a) during fast-recovery
b) by receiving DSACKs past fast-recovery

Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agosctp: Pass __GFP_NOWARN to hash table allocation attempts.
David S. Miller [Thu, 31 Mar 2011 00:51:36 +0000 (17:51 -0700)]
sctp: Pass __GFP_NOWARN to hash table allocation attempts.

[ Upstream commit a84b50ceb7d640437d0dc28a2bef0d0de054de89 ]

Like DCCP and other similar pieces of code, there are mechanisms
here to try allocating smaller hash tables if the allocation
fails.  So pass in __GFP_NOWARN like the others do instead of
emitting a scary message.

Reported-by: Dave Jones <davej@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agopppoe: drop PPPOX_ZOMBIEs in pppoe_flush_dev
Ulrich Weber [Wed, 6 Apr 2011 21:04:49 +0000 (14:04 -0700)]
pppoe: drop PPPOX_ZOMBIEs in pppoe_flush_dev

[ Upstream commit ae07b0b221b6ab2edf9e3abd518aec6cd3f1ba66 ]

otherwise we loop forever if a PPPoE socket was set
to PPPOX_ZOMBIE state by a PADT message when the
ethernet device is going down afterwards.

Signed-off-by: Ulrich Weber <uweber@astaro.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonet_sched: fix ip_tos2prio
Dan Siemon [Tue, 15 Mar 2011 13:56:07 +0000 (13:56 +0000)]
net_sched: fix ip_tos2prio

[ Upstream commit 4a2b9c3756077c05dd8666e458a751d2248b61b6 ]

ECN support incorrectly maps ECN BESTEFFORT packets to TC_PRIO_FILLER
(1) instead of TC_PRIO_BESTEFFORT (0)

This means ECN enabled flows are placed in pfifo_fast/prio low priority
band, giving ECN enabled flows [ECT(0) and CE codepoints] higher drop
probabilities.

This is rather unfortunate, given we would like ECN being more widely
used.

Ref : http://www.coverfire.com/archives/2011/03/13/pfifo_fast-and-ecn/

Signed-off-by: Dan Siemon <dan@coverfire.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Dave Täht <d@taht.net>
Cc: Jonathan Morton <chromatix99@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonet ipv6: Fix duplicate /proc/sys/net/ipv6/neigh directory entries.
Eric W. Biederman [Tue, 22 Mar 2011 01:23:34 +0000 (18:23 -0700)]
net ipv6: Fix duplicate /proc/sys/net/ipv6/neigh directory entries.

[ Upstream commit 9d2a8fa96a44ba242de3a6f56acaef7a40a97b97 ]

When I was fixing issues with unregisgtering tables under /proc/sys/net/ipv6/neigh
by adding a mount point it appears I missed a critical ordering issue, in the
ipv6 initialization.  I had not realized that ipv6_sysctl_register is called
at the very end of the ipv6 initialization and in particular after we call
neigh_sysctl_register from ndisc_init.

"neigh" needs to be initialized in ipv6_static_sysctl_register which is
the first ipv6 table to initialized, and definitely before ndisc_init.
This removes the weirdness of duplicate tables while still providing a
"neigh" mount point which prevents races in sysctl unregistering.

This was initially reported at https://bugzilla.kernel.org/show_bug.cgi?id=31232
Reported-by: sunkan@zappa.cx
Signed-off-by: Eric W. Biederman <ebiederm@aristanetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agol2tp: fix possible oops on l2tp_eth module unload
James Chapman [Tue, 22 Mar 2011 01:10:25 +0000 (18:10 -0700)]
l2tp: fix possible oops on l2tp_eth module unload

[ Upstream commit 8aa525a9340da4227797a06221ca08399006635f ]

A struct used in the l2tp_eth driver for registering network namespace
ops was incorrectly marked as __net_initdata, leading to oops when
module unloaded.

BUG: unable to handle kernel paging request at ffffffffa00ec098
IP: [<ffffffff8123dbd8>] ops_exit_list+0x7/0x4b
PGD 142d067 PUD 1431063 PMD 195da8067 PTE 0
Oops: 0000 [#1] SMP
last sysfs file: /sys/module/l2tp_eth/refcnt
Call Trace:
 [<ffffffff8123dc94>] ? unregister_pernet_operations+0x32/0x93
 [<ffffffff8123dd20>] ? unregister_pernet_device+0x2b/0x38
 [<ffffffff81068b6e>] ? sys_delete_module+0x1b8/0x222
 [<ffffffff810c7300>] ? do_munmap+0x254/0x318
 [<ffffffff812c64e5>] ? page_fault+0x25/0x30
 [<ffffffff812c6952>] ? system_call_fastpath+0x16/0x1b

Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agogianfar: Fall back to software tcp/udp checksum on older controllers
Alex Dubov [Wed, 16 Mar 2011 17:57:13 +0000 (17:57 +0000)]
gianfar: Fall back to software tcp/udp checksum on older controllers

[ Upstream commit 4363c2fddb1399b728ef21ee8101c148a311ea45 ]

As specified by errata eTSEC49 of MPC8548 and errata eTSEC12 of MPC83xx,
older revisions of gianfar controllers will be unable to calculate a TCP/UDP
packet checksum for some alignments of the appropriate FCB. This patch checks
for FCB alignment on such controllers and falls back to software checksumming
if the alignment is known to be bad.

Signed-off-by: Alex Dubov <oakad@yahoo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agofib: add rtnl locking in ip_fib_net_exit
Eric Dumazet [Wed, 30 Mar 2011 23:57:46 +0000 (16:57 -0700)]
fib: add rtnl locking in ip_fib_net_exit

[ Upstream commit e2666f84958adb3a034b98e99699b55705117e01 ]

Daniel J Blueman reported a lockdep splat in trie_firstleaf(), caused by
RTNL being not locked before a call to fib_table_flush()

Reported-by: Daniel J Blueman <daniel.blueman@gmail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agobridge: Fix possibly wrong MLD queries' ethernet source address
Linus Lüssing [Tue, 22 Mar 2011 11:40:32 +0000 (11:40 +0000)]
bridge: Fix possibly wrong MLD queries' ethernet source address

[ Upstream commit a7bff75b087e7a355838a32efe61707cfa73c194 ]

The ipv6_dev_get_saddr() is currently called with an uninitialized
destination address. Although in tests it usually seemed to nevertheless
always fetch the right source address, there seems to be a possible race
condition.

Therefore this commit changes this, first setting the destination
address and only after that fetching the source address.

Reported-by: Jan Beulich <JBeulich@novell.com>
Signed-off-by: Linus Lüssing <linus.luessing@web.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoperf: Fix task context scheduling
Peter Zijlstra [Thu, 31 Mar 2011 08:29:26 +0000 (10:29 +0200)]
perf: Fix task context scheduling

commit ab711fe08297de1485fff0a366e6db8828cafd6a upstream.

Jiri reported:

 |
 | - once an event is created by sys_perf_event_open, task context
 |   is created and it stays even if the event is closed, until the
 |   task is finished ... thats what I see in code and I assume it's
 |   correct
 |
 | - when the task opens event, perf_sched_events jump label is
 |   incremented and following callbacks are started from scheduler
 |
 |         __perf_event_task_sched_in
 |         __perf_event_task_sched_out
 |
 |   These callback *in/out set/unset cpuctx->task_ctx value to the
 |   task context.
 |
 | - close is called on event on CPU 0:
 |         - the task is scheduled on CPU 0
 |         - __perf_event_task_sched_in is called
 |         - cpuctx->task_ctx is set
 |         - perf_sched_events jump label is decremented and == 0
 |         - __perf_event_task_sched_out is not called
 |         - cpuctx->task_ctx on CPU 0 stays set
 |
 | - exit is called on CPU 1:
 |         - the task is scheduled on CPU 1
 |         - perf_event_exit_task is called
 |         - task_ctx_sched_out unsets cpuctx->task_ctx on CPU 1
 |         - put_ctx destroys the context
 |
 | - another call of perf_rotate_context on CPU 0 will use invalid
 |   task_ctx pointer, and eventualy panic.
 |

Cure this the simplest possibly way by partially reverting the
jump_label optimization for the sched_out case.

Reported-and-tested-by: Jiri Olsa <jolsa@redhat.com>
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Oleg Nesterov <oleg@redhat.com>
LKML-Reference: <1301520405.4859.213.camel@twins>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUBIFS: fix assertion warnings
Artem Bityutskiy [Tue, 29 Mar 2011 06:45:21 +0000 (09:45 +0300)]
UBIFS: fix assertion warnings

commit c88ac00c5af70c2a0741da14b22cdcf8507ddd92 upstream.

This patch fixes UBIFS assertion warnings like:

UBIFS assert failed in ubifs_leb_unmap at 135 (pid 29365)
Pid: 29365, comm: integck Tainted: G          I 2.6.37-ubi-2.6+ #34
Call Trace:
 [<ffffffffa047c663>] ubifs_lpt_init+0x95e/0x9ee [ubifs]
 [<ffffffffa04623a7>] ubifs_remount_fs+0x2c7/0x762 [ubifs]
 [<ffffffff810f066e>] do_remount_sb+0xb6/0x101
 [<ffffffff81106ff4>] ? do_mount+0x191/0x78e
 [<ffffffff811070bb>] do_mount+0x258/0x78e
 [<ffffffff810da1e8>] ? alloc_pages_current+0xa2/0xc5
 [<ffffffff81107674>] sys_mount+0x83/0xbd
 [<ffffffff81009a12>] system_call_fastpath+0x16/0x1b

They happen when we re-mount from R/O mode to R/W mode. While
re-mounting, we write to the media, but we still have the c->ro_mount
flag set. The fix is very simple - just clear the flag before
starting re-mounting R/W.

These warnings are caused by the following commit:
2ef13294d29bcfb306e0d360f1b97f37b647b0c0

For -stable guys: this bug was introduced in 2.6.38, this is materieal
for 2.6.38-stable.

Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agovm: fix mlock() on stack guard page
Linus Torvalds [Tue, 12 Apr 2011 21:15:51 +0000 (14:15 -0700)]
vm: fix mlock() on stack guard page

commit 95042f9eb78a8d9a17455e2ef263f2f310ecef15 upstream.

Commit 53a7706d5ed8 ("mlock: do not hold mmap_sem for extended periods
of time") changed mlock() to care about the exact number of pages that
__get_user_pages() had brought it.  Before, it would only care about
errors.

And that doesn't work, because we also handled one page specially in
__mlock_vma_pages_range(), namely the stack guard page.  So when that
case was handled, the number of pages that the function returned was off
by one.  In particular, it could be zero, and then the caller would end
up not making any progress at all.

Rather than try to fix up that off-by-one error for the mlock case
specially, this just moves the logic to handle the stack guard page
into__get_user_pages() itself, thus making all the counts come out
right automatically.

Reported-by: Robert Święcki <robert@swiecki.net>
Cc: Hugh Dickins <hughd@google.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomca.c: Fix cast from integer to pointer warning
Jeff Mahoney [Thu, 24 Feb 2011 22:23:09 +0000 (17:23 -0500)]
mca.c: Fix cast from integer to pointer warning

commit c1d036c4d1cb00b7e8473a2ad0a78f13e13a8183 upstream.

ia64_mca_cpu_init has a void *data local variable that is assigned
the value from either __get_free_pages() or mca_bootmem(). The problem
is that __get_free_pages returns an unsigned long and mca_bootmem, via
alloc_bootmem(), returns a void *. format_mca_init_stack takes the void *,
and it's also used with __pa(), but that casts it to long anyway.

This results in the following build warning:

arch/ia64/kernel/mca.c:1898: warning: assignment makes pointer from
integer without a cast

Cast the return of __get_free_pages to a void * to avoid
the warning.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agotioca: Fix assignment from incompatible pointer warnings
Jeff Mahoney [Thu, 24 Feb 2011 20:33:24 +0000 (15:33 -0500)]
tioca: Fix assignment from incompatible pointer warnings

commit b4a6b3436531f6c5256e6d60d388c3c28ff1a0e9 upstream.

The prototype for sn_pci_provider->{dma_map,dma_map_consistent} expects
an unsigned long instead of a u64.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agox86: Fix a bogus unwind annotation in lib/semaphore_32.S
Jan Beulich [Tue, 1 Mar 2011 14:28:02 +0000 (14:28 +0000)]
x86: Fix a bogus unwind annotation in lib/semaphore_32.S

commit e938c287ea8d977e079f07464ac69923412663ce upstream.

'simple' would have required specifying current frame address
and return address location manually, but that's obviously not
the case (and not necessary) here.

Signed-off-by: Jan Beulich <jbeulich@novell.com>
LKML-Reference: <4D6D1082020000780003454C@vpn.id2.novell.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoNET: cdc-phonet, handle empty phonet header
Jiri Slaby [Sun, 13 Mar 2011 06:54:31 +0000 (06:54 +0000)]
NET: cdc-phonet, handle empty phonet header

commit 468c3f924f043cad7a04f4f4d5224a2c9bc886c1 upstream.

Currently, for N 5800 XM I get:
cdc_phonet: probe of 1-6:1.10 failed with error -22

It's because phonet_header is empty. Extra altsetting looks like
there:
E 05 24 00 01 10 03 24 ab 05 24 06 0a 0b 04 24 fd  .$....$..$....$.
E 00                                               .

I don't see the header used anywhere so just check if the phonet
descriptor is there, not the structure itself.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Cc: David S. Miller <davem@davemloft.net>
Acked-by: Rémi Denis-Courmont <remi.denis-courmont@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoALSA: hda - Fix pin-config of Gigabyte mobo
Takashi Iwai [Mon, 28 Mar 2011 10:05:31 +0000 (12:05 +0200)]
ALSA: hda - Fix pin-config of Gigabyte mobo

commit c6b358748e19ce7e230b0926ac42696bc485a562 upstream.

Use pin-fix instead of the static quirk for Gigabyte mobos 1458:a002.

Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=677256
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUBIFS: restrict world-writable debugfs files
Vasiliy Kulikov [Fri, 4 Feb 2011 12:24:19 +0000 (15:24 +0300)]
UBIFS: restrict world-writable debugfs files

commit 8c559d30b4e59cf6994215ada1fe744928f494bf upstream.

Don't allow everybody to dump sensitive information about filesystems.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agovideo: sn9c102: world-wirtable sysfs files
Vasiliy Kulikov [Fri, 4 Feb 2011 12:23:33 +0000 (09:23 -0300)]
video: sn9c102: world-wirtable sysfs files

commit 14ddc3188d50855ae2a419a6aced995e2834e5d4 upstream.

Don't allow everybody to change video settings.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Acked-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Acked-by: Luca Risolia <luca.risolia@studio.unibo.it>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agocifs: wrap received signature check in srv_mutex
Jeff Layton [Sat, 2 Apr 2011 11:34:30 +0000 (07:34 -0400)]
cifs: wrap received signature check in srv_mutex

commit 157c249114508aa71daa308a426e15d81a4eed00 upstream.

While testing my patchset to fix asynchronous writes, I hit a bunch
of signature problems when testing with signing on. The problem seems
to be that signature checks on receive can be running at the same
time as a process that is sending, or even that multiple receives can
be checking signatures at the same time, clobbering the same data
structures.

While we're at it, clean up the comments over cifs_calculate_signature
and add a note that the srv_mutex should be held when calling this
function.

This patch seems to fix the problems for me, but I'm not clear on
whether it's the best approach. If it is, then this should probably
go to stable too.

Cc: Shirish Pargaonkar <shirishpargaonkar@gmail.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agocifs: set ra_pages in backing_dev_info
Jeff Layton [Fri, 25 Mar 2011 20:25:57 +0000 (16:25 -0400)]
cifs: set ra_pages in backing_dev_info

commit 2b6c26a0a62cc0bab0ad487533d5581d7c293fef upstream.

Commit 522440ed made cifs set backing_dev_info on the mapping attached
to new inodes. This change caused a fairly significant read performance
regression, as cifs started doing page-sized reads exclusively.

By virtue of the fact that they're allocated as part of cifs_sb_info by
kzalloc, the ra_pages on cifs BDIs get set to 0, which prevents any
readahead. This forces the normal read codepaths to use readpage instead
of readpages causing a four-fold increase in the number of read calls
with the default rsize.

Fix it by setting ra_pages in the BDI to the same value as that in the
default_backing_dev_info.

Fixes https://bugzilla.kernel.org/show_bug.cgi?id=31662

Reported-and-Tested-by: Till <till2.schaefer@uni-dortmund.de>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agocifs: check for private_data before trying to put it
Jeff Layton [Tue, 5 Apr 2011 23:23:47 +0000 (16:23 -0700)]
cifs: check for private_data before trying to put it

commit 7797069305d13252fd66cf722aa8f2cbeb3c95cd upstream.

cifs_close doesn't check that the filp->private_data is non-NULL before
trying to put it. That can cause an oops in certain error conditions
that can occur on open or lookup before the private_data is set.

Reported-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agocifs: always do is_path_accessible check in cifs_mount
Jeff Layton [Mon, 14 Mar 2011 17:48:08 +0000 (13:48 -0400)]
cifs: always do is_path_accessible check in cifs_mount

commit 70945643722ffeac779d2529a348f99567fa5c33 upstream.

Currently, we skip doing the is_path_accessible check in cifs_mount if
there is no prefixpath. I have a report of at least one server however
that allows a TREE_CONNECT to a share that has a DFS referral at its
root. The reporter in this case was using a UNC that had no prefixpath,
so the is_path_accessible check was not triggered and the box later hit
a BUG() because we were chasing a DFS referral on the root dentry for
the mount.

This patch fixes this by removing the check for a zero-length
prefixpath.  That should make the is_path_accessible check be done in
this situation and should allow the client to chase the DFS referral at
mount time instead.

Reported-and-Tested-by: Yogesh Sharma <ysharma@cymer.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/radeon/kms: fix suspend on rv530 asics
Alex Deucher [Tue, 12 Apr 2011 17:33:27 +0000 (13:33 -0400)]
drm/radeon/kms: fix suspend on rv530 asics

commit 71e16bfbd2b1c63d4d97cc5059694c9346aee340 upstream.

Apparently only rv515 asics need the workaround
added in f24d86f1a49505cdea56728b853a5d0a3f8e3d11
(drm/radeon/kms: fix resume regression for some r5xx laptops).

Fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=34709

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrm/radeon/kms: pll tweaks for rv6xx
Alex Deucher [Thu, 7 Apr 2011 14:31:25 +0000 (10:31 -0400)]
drm/radeon/kms: pll tweaks for rv6xx

commit 9bb09fa1b5b07459279301ac6220d575f307597b upstream.

Prefer minm over maxp.

Fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=35994

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agovm: fix vm_pgoff wrap in stack expansion
Linus Torvalds [Wed, 13 Apr 2011 15:07:28 +0000 (08:07 -0700)]
vm: fix vm_pgoff wrap in stack expansion

commit a626ca6a656450e9f4df91d0dda238fff23285f4 upstream.

Commit 982134ba6261 ("mm: avoid wrapping vm_pgoff in mremap()") fixed
the case of a expanding mapping causing vm_pgoff wrapping when you used
mremap.  But there was another case where we expand mappings hiding in
plain sight: the automatic stack expansion.

This fixes that case too.

This one also found by Robert Święcki, using his nasty system call
fuzzer tool.  Good job.

Reported-and-tested-by: Robert Święcki <robert@swiecki.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoLinux 2.6.38.3 v2.6.38.3
Greg Kroah-Hartman [Thu, 14 Apr 2011 20:03:56 +0000 (13:03 -0700)]
Linux 2.6.38.3

13 years agonfsd4: fix oops on lock failure
J. Bruce Fields [Mon, 28 Mar 2011 07:15:09 +0000 (15:15 +0800)]
nfsd4: fix oops on lock failure

commit 23fcf2ec93fb8573a653408316af599939ff9a8e upstream.

Lock stateid's can have access_bmap 0 if they were only partially
initialized (due to a failed lock request); handle that case in
free_generic_stateid.

------------[ cut here ]------------
kernel BUG at fs/nfsd/nfs4state.c:380!
invalid opcode: 0000 [#1] SMP
last sysfs file: /sys/kernel/mm/ksm/run
Modules linked in: nfs fscache md4 nls_utf8 cifs ip6table_filter ip6_tables ebtable_nat ebtables ipt_MASQUERADE iptable_nat nf_nat bridge stp llc nfsd lockd nfs_acl auth_rpcgss sunrpc ipv6 ppdev parport_pc parport pcnet32 mii pcspkr microcode i2c_piix4 BusLogic floppy [last unloaded: mperf]

Pid: 1468, comm: nfsd Not tainted 2.6.38+ #120 VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform
EIP: 0060:[<e24f180d>] EFLAGS: 00010297 CPU: 0
EIP is at nfs4_access_to_omode+0x1c/0x29 [nfsd]
EAX: ffffffff EBX: dd758120 ECX: 00000000 EDX: 00000004
ESI: dd758120 EDI: ddfe657c EBP: dd54dde0 ESP: dd54dde0
 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Process nfsd (pid: 1468, ti=dd54c000 task=ddc92580 task.ti=dd54c000)
Stack:
 dd54ddf0 e24f19ca 00000000 ddfe6560 dd54de08 e24f1a5d dd758130 deee3a20
 ddfe6560 31270000 dd54df1c e24f52fd 0000000f dd758090 e2505dd0 0be304cf
 dbb51d68 0000000e ddfe657c ddcd8020 dd758130 dd758128 dd7580d8 dd54de68
Call Trace:
 [<e24f19ca>] free_generic_stateid+0x1c/0x3e [nfsd]
 [<e24f1a5d>] release_lockowner+0x71/0x8a [nfsd]
 [<e24f52fd>] nfsd4_lock+0x617/0x66c [nfsd]
 [<e24e57b6>] ? nfsd_setuser+0x199/0x1bb [nfsd]
 [<e24e056c>] ? nfsd_setuser_and_check_port+0x65/0x81 [nfsd]
 [<c07a0052>] ? _cond_resched+0x8/0x1c
 [<c04ca61f>] ? slab_pre_alloc_hook.clone.33+0x23/0x27
 [<c04cac01>] ? kmem_cache_alloc+0x1a/0xd2
 [<c04835a0>] ? __call_rcu+0xd7/0xdd
 [<e24e0dfb>] ? fh_verify+0x401/0x452 [nfsd]
 [<e24f0b61>] ? nfsd4_encode_operation+0x52/0x117 [nfsd]
 [<e24ea0d7>] ? nfsd4_putfh+0x33/0x3b [nfsd]
 [<e24f4ce6>] ? nfsd4_delegreturn+0xd4/0xd4 [nfsd]
 [<e24ea2c9>] nfsd4_proc_compound+0x1ea/0x33e [nfsd]
 [<e24de6ee>] nfsd_dispatch+0xd1/0x1a5 [nfsd]
 [<e1d6e1c7>] svc_process_common+0x282/0x46f [sunrpc]
 [<e1d6e578>] svc_process+0xdc/0xfa [sunrpc]
 [<e24de0fa>] nfsd+0xd6/0x115 [nfsd]
 [<e24de024>] ? nfsd_shutdown+0x24/0x24 [nfsd]
 [<c0454322>] kthread+0x62/0x67
 [<c04542c0>] ? kthread_worker_fn+0x114/0x114
 [<c07a6ebe>] kernel_thread_helper+0x6/0x10
Code: eb 05 b8 00 00 27 4f 8d 65 f4 5b 5e 5f 5d c3 83 e0 03 55 83 f8 02 89 e5 74 17 83 f8 03 74 05 48 75 09 eb 09 b8 02 00 00 00 eb 0b <0f> 0b 31 c0 eb 05 b8 01 00 00 00 5d c3 55 89 e5 57 56 89 d6 8d
EIP: [<e24f180d>] nfs4_access_to_omode+0x1c/0x29 [nfsd] SS:ESP 0068:dd54dde0
---[ end trace 2b0bf6c6557cb284 ]---

The trace route is:

 -> nfsd4_lock()
   -> if (lock->lk_is_new) {
     -> alloc_init_lock_stateid()

        3739: stp->st_access_bmap = 0;

   ->if (status && lock->lk_is_new && lock_sop)
     -> release_lockowner()
      -> free_generic_stateid()
       -> nfs4_access_bmap_to_omode()
          -> nfs4_access_to_omode()

        380: BUG();   *****

This problem was introduced by 0997b173609b9229ece28941c118a2a9b278796e.

Reported-by: Mi Jinlong <mijinlong@cn.fujitsu.com>
Tested-by: Mi Jinlong <mijinlong@cn.fujitsu.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonfsd: fix auth_domain reference leak on nlm operations
J. Bruce Fields [Fri, 25 Mar 2011 02:51:14 +0000 (22:51 -0400)]
nfsd: fix auth_domain reference leak on nlm operations

commit 954032d2527f2fce7355ba70709b5e143d6b686f upstream.

This was noticed by users who performed more than 2^32 lock operations
and hence made this counter overflow (eventually leading to
use-after-free's).  Setting rq_client to NULL here means that it won't
later get auth_domain_put() when it should be.

Appears to have been introduced in 2.5.42 by "[PATCH] kNFSd: Move auth
domain lookup into svcauth" which moved most of the rq_client handling
to common svcauth code, but left behind this one line.

Cc: Neil Brown <neilb@suse.de>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoext4: fix credits computing for indirect mapped files
Yongqiang Yang [Mon, 4 Apr 2011 19:40:24 +0000 (15:40 -0400)]
ext4: fix credits computing for indirect mapped files

commit 5b41395fcc0265fc9f193aef9df39ce49d64677c upstream.

When writing a contiguous set of blocks, two indirect blocks could be
needed depending on how the blocks are aligned, so we need to increase
the number of credits needed by one.

[ Also fixed a another bug which could further underestimate the
  number of journal credits needed by 1; the code was using integer
  division instead of DIV_ROUND_UP() -- tytso]

Signed-off-by: Yongqiang Yang <xiaoqiangnk@gmail.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoext4: fix a double free in ext4_register_li_request
Tao Ma [Mon, 4 Apr 2011 20:00:49 +0000 (16:00 -0400)]
ext4: fix a double free in ext4_register_li_request

commit 46e4690bbd9a4f8d9e7c4f34e34b48f703ad47e0 upstream.

In ext4_register_li_request, we malloc a ext4_li_request and
inserts it into ext4_li_info->li_request_list. In case of any
error later, we free it in the end.  But if we have some error
in ext4_run_lazyinit_thread, the whole li_request_list will be
dropped and freed in it. So we will double free this ext4_li_request.

This patch just sets elr to NULL after it is inserted to the list
so that the latter kfree won't double free it.

Signed-off-by: Tao Ma <boyu.mt@taobao.com>
Reviewed-by: Lukas Czerner <lczerner@redhat.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoatm/solos-pci: Don't flap VCs when carrier state changes
Philip A. Prindeville [Wed, 30 Mar 2011 13:17:04 +0000 (13:17 +0000)]
atm/solos-pci: Don't flap VCs when carrier state changes

commit c031235b395433350f25943b7580a5e343c7b7b2 upstream.

Don't flap VCs when carrier state changes; higher-level protocols
can detect loss of connectivity and act accordingly. This is more
consistent with how other network interfaces work.

We no longer use release_vccs() so we can delete it.

release_vccs() was duplicated from net/atm/common.c; make the
corresponding function exported, since other code duplicates it
and could leverage it if it were public.

Signed-off-by: Philip A. Prindeville <philipp@redfish-solutions.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoatm/solos-pci: Don't include frame pseudo-header on transmit hex-dump
Philip A. Prindeville [Wed, 30 Mar 2011 12:59:26 +0000 (12:59 +0000)]
atm/solos-pci: Don't include frame pseudo-header on transmit hex-dump

commit 18b429e74eeafe42e947b1b0f9a760c7153a0b5c upstream.

Omit pkt_hdr preamble when dumping transmitted packet as hex-dump;
we can pull this up because the frame has already been sent, and
dumping it is the last thing we do with it before freeing it.

Also include the size, vpi, and vci in the debug as is done on
receive.

Use "port" consistently instead of "device" intermittently.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoSquashfs: handle corruption of directory structure
Phillip Lougher [Tue, 15 Mar 2011 22:09:55 +0000 (22:09 +0000)]
Squashfs: handle corruption of directory structure

commit 44cff8a9ee8a974f9e931df910688e7fc1f0b0f9 upstream.

Handle the rare case where a directory metadata block is uncompressed and
corrupted, leading to a kernel oops in directory scanning (memcpy).
Normally corruption is detected at the decompression stage and dealt with
then, however, this will not happen if:

- metadata isn't compressed (users can optionally request no metadata
  compression), or
- the compressed metadata block was larger than the original, in which
  case the uncompressed version was used, or
- the data was corrupt after decompression

This patch fixes this by adding some sanity checks against known maximum
values.

Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoSquashfs: Use vmalloc rather than kmalloc for zlib workspace
Phillip Lougher [Tue, 22 Mar 2011 23:01:26 +0000 (23:01 +0000)]
Squashfs: Use vmalloc rather than kmalloc for zlib workspace

commit 117a91e0f25fd7698e20ac3dfa62086be3dc82a3 upstream.

Bugzilla bug 31422 reports occasional "page allocation failure. order:4"
at Squashfs mount time.  Fix this by making zlib workspace allocation
use vmalloc rather than kmalloc.

Reported-by: Mehmet Giritli <mehmet@giritli.eu>
Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoRevert "x86: Cleanup highmap after brk is concluded"
Greg Kroah-Hartman [Mon, 11 Apr 2011 23:01:32 +0000 (16:01 -0700)]
Revert "x86: Cleanup highmap after brk is concluded"

This reverts upstream commit e5f15b45ddf3afa2bbbb10c7ea34fb32b6de0a0e

It caused problems in the stable tree and should not have been there.

Cc: Yinghai Lu <yinghai@kernel.org>
Cc: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoacer-wmi: does not set persistence state by rfkill_init_sw_state
Chun-Yi Lee [Mon, 28 Mar 2011 08:52:02 +0000 (16:52 +0800)]
acer-wmi: does not set persistence state by rfkill_init_sw_state

commit 8215af019040ce9182728afee9642d8fdeb17f59 upstream.

Acer BIOS keeps devices state when system reboot, but reset to default
device states (Wlan on, Bluetooth off, wwan on) if system cold boot.
That means BIOS's initial state is not always real persistence.

So, removed rfkill_init_sw_state because it sets initial state to
persistence then replicate to other new killswitch when rfkill-input
enabled.
After removed it, acer-wmi set initial soft-block state after rfkill
register, and doesn't allow set_block until rfkill initial finished.

Reference: bko#31002
https://bugzilla.kernel.org/show_bug.cgi?id=31002

Cc: Carlos Corbacho <carlos@strangeworlds.co.uk>
Cc: Matthew Garrett <mjg@redhat.com>
Cc: Dmitry Torokhov <dtor@mail.ru>
Cc: Corentin Chary <corentincj@iksaif.net>
Cc: OldÅ\99ich JedliÄ\8dka <oldium.pro@seznam.cz>
Cc: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Chun-Yi Lee <jlee@novell.com>
Signed-off-by: Matthew Garrett <mjg@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrivers/media/video/tlg2300/pd-video.c: Remove second mutex_unlock in pd_vidioc_s_fmt
Alexander Strakh [Tue, 25 Jan 2011 21:00:13 +0000 (18:00 -0300)]
drivers/media/video/tlg2300/pd-video.c: Remove second mutex_unlock in pd_vidioc_s_fmt

commit a07500ef690fcbec76e879ee2093d7ca69883825 upstream.

Error path in file drivers/media/video/tlg2300/pd-video.c:
1. First mutex_unlock on &pd->lock in line 767 (in function that
   called from line 805)
2. Second in line  806

 805        pd_vidioc_s_fmt(pd, &f->fmt.pix);
 806        mutex_unlock(&pd->lock);

Found by Linux Device Drivers Verification Project

Signed-off-by: Alexander Strakh <strakh@ispras.ru>
Acked-by: Huang Shijie <shijie8@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agosound/oss: remove offset from load_patch callbacks
Dan Rosenberg [Wed, 23 Mar 2011 14:53:41 +0000 (10:53 -0400)]
sound/oss: remove offset from load_patch callbacks

commit b769f49463711205d57286e64cf535ed4daf59e9 upstream.

Was: [PATCH] sound/oss/midi_synth: prevent underflow, use of
uninitialized value, and signedness issue

The offset passed to midi_synth_load_patch() can be essentially
arbitrary.  If it's greater than the header length, this will result in
a copy_from_user(dst, src, negative_val).  While this will just return
-EFAULT on x86, on other architectures this may cause memory corruption.
Additionally, the length field of the sysex_info structure may not be
initialized prior to its use.  Finally, a signed comparison may result
in an unintentionally large loop.

On suggestion by Takashi Iwai, version two removes the offset argument
from the load_patch callbacks entirely, which also resolves similar
issues in opl3.  Compile tested only.

v3 adjusts comments and hopefully gets copy offsets right.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonetfilter: h323: bug in parsing of ASN1 SEQOF field
David Sterba [Mon, 4 Apr 2011 13:21:02 +0000 (15:21 +0200)]
netfilter: h323: bug in parsing of ASN1 SEQOF field

commit b4232a22776aa5d063f890d21ca69870dbbe431b upstream.

Static analyzer of clang found a dead store which appears to be a bug in
reading count of items in SEQOF field, only the lower byte of word is
stored. This may lead to corrupted read and communication shutdown.

The bug has been in the module since it's first inclusion into linux
kernel.

[Patrick: the bug is real, but without practical consequence since the
 largest amount of sequence-of members we parse is 30.]

Signed-off-by: David Sterba <dsterba@suse.cz>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoeconet: 4 byte infoleak to the network
Vasiliy Kulikov [Thu, 17 Mar 2011 01:40:10 +0000 (01:40 +0000)]
econet: 4 byte infoleak to the network

commit 67c5c6cb8129c595f21e88254a3fc6b3b841ae8e upstream.

struct aunhdr has 4 padding bytes between 'pad' and 'handle' fields on
x86_64.  These bytes are not initialized in the variable 'ah' before
sending 'ah' to the network.  This leads to 4 bytes kernel stack
infoleak.

This bug was introduced before the git epoch.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Acked-by: Phil Blundell <philb@gnu.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrivers/leds/leds-lp5521.c: world-writable sysfs engine* files
Vasiliy Kulikov [Tue, 22 Mar 2011 23:30:19 +0000 (16:30 -0700)]
drivers/leds/leds-lp5521.c: world-writable sysfs engine* files

commit 67d1da79b25c05d9a38b820bb5b5d89c91070ab2 upstream.

Don't allow everybody to change LED settings.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Richard Purdie <rpurdie@rpsys.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrivers/leds/leds-lp5523.c: world-writable engine* sysfs files
Vasiliy Kulikov [Tue, 22 Mar 2011 23:30:20 +0000 (16:30 -0700)]
drivers/leds/leds-lp5523.c: world-writable engine* sysfs files

commit ccd7510fd8dea5b4b2af87fb2aef2ebd6b23b76b upstream.

Don't allow everybody to change LED settings.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Richard Purdie <rpurdie@rpsys.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrivers/misc/ep93xx_pwm.c: world-writable sysfs files
Vasiliy Kulikov [Tue, 22 Mar 2011 23:34:01 +0000 (16:34 -0700)]
drivers/misc/ep93xx_pwm.c: world-writable sysfs files

commit deb187e72470b0382d4f0cb859e76e1ebc3a1082 upstream.

Don't allow everybody to change device settings.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Acked-by: Hartley Sweeten <hartleys@visionengravers.com>
Cc: Matthieu Crapet <mcrapet@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrivers/rtc/rtc-ds1511.c: world-writable sysfs nvram file
Vasiliy Kulikov [Tue, 22 Mar 2011 23:34:53 +0000 (16:34 -0700)]
drivers/rtc/rtc-ds1511.c: world-writable sysfs nvram file

commit 49d50fb1c28738ef6bad0c2b87d5355a1653fed5 upstream.

Don't allow everybogy to write to NVRAM.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Cc: Andy Sharp <andy.sharp@onstor.com>
Cc: Alessandro Zummo <a.zummo@towertech.it>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomfd: ab3100: world-writable debugfs *_priv files
Vasiliy Kulikov [Fri, 4 Feb 2011 12:23:36 +0000 (15:23 +0300)]
mfd: ab3100: world-writable debugfs *_priv files

commit f8a0697722d12a201588225999cfc8bfcbc82781 upstream.

Don't allow everybody to change device hardware registers.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Acked-by: Linus Walleij <linus.walleij@stericsson.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomfd: ab3500: world-writable debugfs register-* files
Vasiliy Kulikov [Fri, 4 Feb 2011 12:23:39 +0000 (15:23 +0300)]
mfd: ab3500: world-writable debugfs register-* files

commit 90c861c2a83d974684974441093ff8a50e6b430b upstream.

Don't allow everybody to interact with hardware registers.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Acked-by: Linus Walleij <linus.walleij@stericsson.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomfd: ab8500: world-writable debugfs register-* files
Vasiliy Kulikov [Fri, 4 Feb 2011 12:23:43 +0000 (15:23 +0300)]
mfd: ab8500: world-writable debugfs register-* files

commit 44bdcb54df2714da18c4a0c6f711a350ab4ed93c upstream.

Don't allow everybody to interact with hardware registers.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Acked-by: Linus Walleij <linus.walleij@stericsson.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoscsi_transport_iscsi: make priv_sess file writeable only by root
Vasiliy Kulikov [Fri, 4 Feb 2011 12:24:14 +0000 (15:24 +0300)]
scsi_transport_iscsi: make priv_sess file writeable only by root

commit 523f3c80bc41d663d5b35c0cd6ce0fad7f3e7188 upstream.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Acked-by: Mike Christie <michaelc@cs.wisc.edu>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoipv6: netfilter: ip6_tables: fix infoleak to userspace
Vasiliy Kulikov [Tue, 15 Mar 2011 12:37:13 +0000 (13:37 +0100)]
ipv6: netfilter: ip6_tables: fix infoleak to userspace

commit 6a8ab060779779de8aea92ce3337ca348f973f54 upstream.

Structures ip6t_replace, compat_ip6t_replace, and xt_get_revision are
copied from userspace.  Fields of these structs that are
zero-terminated strings are not checked.  When they are used as argument
to a format string containing "%s" in request_module(), some sensitive
information is leaked to userspace via argument of spawned modprobe
process.

The first bug was introduced before the git epoch;  the second was
introduced in 3bc3fe5e (v2.6.25-rc1);  the third is introduced by
6b7d31fc (v2.6.15-rc1).  To trigger the bug one should have
CAP_NET_ADMIN.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonetfilter: ipt_CLUSTERIP: fix buffer overflow
Vasiliy Kulikov [Sun, 20 Mar 2011 14:42:52 +0000 (15:42 +0100)]
netfilter: ipt_CLUSTERIP: fix buffer overflow

commit 961ed183a9fd080cf306c659b8736007e44065a5 upstream.

'buffer' string is copied from userspace.  It is not checked whether it is
zero terminated.  This may lead to overflow inside of simple_strtoul().
Changli Gao suggested to copy not more than user supplied 'size' bytes.

It was introduced before the git epoch.  Files "ipt_CLUSTERIP/*" are
root writable only by default, however, on some setups permissions might be
relaxed to e.g. network admin user.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Acked-by: Changli Gao <xiaosuo@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonetfilter: arp_tables: fix infoleak to userspace
Vasiliy Kulikov [Tue, 15 Mar 2011 12:35:21 +0000 (13:35 +0100)]
netfilter: arp_tables: fix infoleak to userspace

commit 42eab94fff18cb1091d3501cd284d6bd6cc9c143 upstream.

Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
copied from userspace.  Fields of these structs that are
zero-terminated strings are not checked.  When they are used as argument
to a format string containing "%s" in request_module(), some sensitive
information is leaked to userspace via argument of spawned modprobe
process.

The first bug was introduced before the git epoch;  the second is
introduced by 6b7d31fc (v2.6.15-rc1);  the third is introduced by
6b7d31fc (v2.6.15-rc1).  To trigger the bug one should have
CAP_NET_ADMIN.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonetfilter: xtables: fix reentrancy
Eric Dumazet [Sun, 20 Mar 2011 14:40:06 +0000 (15:40 +0100)]
netfilter: xtables: fix reentrancy

commit db856674ac69e31946e56085239757cca3f7655f upstream.

commit f3c5c1bfd4308 (make ip_tables reentrant) introduced a race in
handling the stackptr restore, at the end of ipt_do_table()

We should do it before the call to xt_info_rdunlock_bh(), or we allow
cpu preemption and another cpu overwrites stackptr of original one.

A second fix is to change the underflow test to check the origptr value
instead of 0 to detect underflow, or else we allow a jump from different
hooks.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonetfilter: ip_tables: fix infoleak to userspace
Vasiliy Kulikov [Tue, 15 Mar 2011 12:36:05 +0000 (13:36 +0100)]
netfilter: ip_tables: fix infoleak to userspace

commit 78b79876761b86653df89c48a7010b5cbd41a84a upstream.

Structures ipt_replace, compat_ipt_replace, and xt_get_revision are
copied from userspace.  Fields of these structs that are
zero-terminated strings are not checked.  When they are used as argument
to a format string containing "%s" in request_module(), some sensitive
information is leaked to userspace via argument of spawned modprobe
process.

The first and the third bugs were introduced before the git epoch; the
second was introduced in 2722971c (v2.6.17-rc1).  To trigger the bug
one should have CAP_NET_ADMIN.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agochar/tpm: Fix unitialized usage of data buffer
Peter Huewe [Tue, 29 Mar 2011 11:31:25 +0000 (13:31 +0200)]
char/tpm: Fix unitialized usage of data buffer

commit 1309d7afbed112f0e8e90be9af975550caa0076b upstream.

This patch fixes information leakage to the userspace by initializing
the data buffer to zero.

Reported-by: Peter Huewe <huewe.external@infineon.com>
Signed-off-by: Peter Huewe <huewe.external@infineon.com>
Signed-off-by: Marcel Selhorst <m.selhorst@sirrix.com>
[ Also removed the silly "* sizeof(u8)".  If that isn't 1, we have way
  deeper problems than a simple multiplication can fix.   - Linus ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoTreat writes as new when holes span across page boundaries
Goldwyn Rodrigues [Thu, 17 Feb 2011 15:44:40 +0000 (09:44 -0600)]
Treat writes as new when holes span across page boundaries

commit 272b62c1f0f6f742046e45b50b6fec98860208a0 upstream.

When a hole spans across page boundaries, the next write forces
a read of the block. This could end up reading existing garbage
data from the disk in ocfs2_map_page_blocks. This leads to
non-zero holes. In order to avoid this, mark the writes as new
when the holes span across page boundaries.

Signed-off-by: Goldwyn Rodrigues <rgoldwyn@suse.de>
Signed-off-by: jlbec <jlbec@evilplan.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoBluetooth: add support for Apple MacBook Pro 8,2
Marc-Antoine Perennou [Thu, 24 Mar 2011 17:51:21 +0000 (14:51 -0300)]
Bluetooth: add support for Apple MacBook Pro 8,2

commit 63a8588debd4dc72becb9e27add9343c76301c7d upstream.

Just adding the vendor details makes it work fine.

Signed-off-by: Marc-Antoine Perennou <Marc-Antoine@Perennou.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Tested-by: Grant Likely <grant.likely@secretlab.ca>
13 years agoBluetooth: bnep: fix buffer overflow
Vasiliy Kulikov [Mon, 14 Feb 2011 10:54:31 +0000 (13:54 +0300)]
Bluetooth: bnep: fix buffer overflow

commit 43629f8f5ea32a998d06d1bb41eefa0e821ff573 upstream.

Struct ca is copied from userspace.  It is not checked whether the "device"
field is NULL terminated.  This potentially leads to BUG() inside of
alloc_netdev_mqs() and/or information leak by creating a device with a name
made of contents of kernel stack.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agobridge: netfilter: fix information leak
Vasiliy Kulikov [Mon, 14 Feb 2011 15:49:23 +0000 (16:49 +0100)]
bridge: netfilter: fix information leak

commit d846f71195d57b0bbb143382647c2c6638b04c5a upstream.

Struct tmp is copied from userspace.  It is not checked whether the "name"
field is NULL terminated.  This may lead to buffer overflow and passing
contents of kernel stack as a module name to try_then_request_module() and,
consequently, to modprobe commandline.  It would be seen by all userspace
processes.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoBluetooth: sco: fix information leak to userspace
Vasiliy Kulikov [Mon, 14 Feb 2011 10:54:26 +0000 (13:54 +0300)]
Bluetooth: sco: fix information leak to userspace

commit c4c896e1471aec3b004a693c689f60be3b17ac86 upstream.

struct sco_conninfo has one padding byte in the end.  Local variable
cinfo of type sco_conninfo is copied to userspace with this uninizialized
one byte, leading to old stack contents leak.

Signed-off-by: Vasiliy Kulikov <segoon@openwall.com>
Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agob43: allocate receive buffers big enough for max frame len + offset
John W. Linville [Wed, 30 Mar 2011 18:02:46 +0000 (14:02 -0400)]
b43: allocate receive buffers big enough for max frame len + offset

commit c85ce65ecac078ab1a1835c87c4a6319cf74660a upstream.

Otherwise, skb_put inside of dma_rx can fail...

https://bugzilla.kernel.org/show_bug.cgi?id=32042

Signed-off-by: John W. Linville <linville@tuxdriver.com>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomedia/radio/wl1273: fix build errors
Randy Dunlap [Sun, 27 Feb 2011 17:51:54 +0000 (14:51 -0300)]
media/radio/wl1273: fix build errors

commit 1b149bbe9156d2eb2afd5a072bd61ad0d4bfaca7 upstream.

RADIO_WL1273 needs to make sure that the mfd core is built to avoid
build errors:

ERROR: "mfd_add_devices" [drivers/mfd/wl1273-core.ko] undefined!
ERROR: "mfd_remove_devices" [drivers/mfd/wl1273-core.ko] undefined!

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Cc: Matti Aaltonen <matti.j.aaltonen@nokia.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Cc: Mike Frysinger <vapier.adi@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agowl12xx: fix potential buffer overflow in testmode nvs push
Luciano Coelho [Fri, 1 Apr 2011 16:42:02 +0000 (19:42 +0300)]
wl12xx: fix potential buffer overflow in testmode nvs push

commit 09b661b33268698d3b453dceb78cda129ad899b4 upstream.

We were allocating the size of the NVS file struct and not checking
whether the length of the buffer passed was correct before copying it
into the allocated memory.  This is a security hole because buffer
overflows can occur if the userspace passes a bigger file than what is
expected.

With this patch, we check if the size of the data passed from
userspace matches the size required.

This bug was introduced in 2.6.36.

Reported-by: Ido Yariv <ido@wizery.com>
Signed-off-by: Luciano Coelho <coelho@ti.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agort2x00: fix cancelling uninitialized work
Stanislaw Gruszka [Mon, 4 Apr 2011 11:50:32 +0000 (13:50 +0200)]
rt2x00: fix cancelling uninitialized work

commit 37f4ee0b6b39640828dac5937a482c20e8ac794f upstream.

{rx,tx}done_work's are only initialized for usb devices.

Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agort2x00: Fix radio off hang issue for PCIE interface
RA-Jay Hung [Mon, 10 Jan 2011 10:27:43 +0000 (11:27 +0100)]
rt2x00: Fix radio off hang issue for PCIE interface

commit 7f6e144fb99a4a70d3c5ad5f074204c5b89a6f65 upstream.

PCI/PCIE radio off behavior is different from SOC/USB.
They mainly use MCU command to disable DMA, TX/RX and enter power saving mode.

Signed-off-by: RA-Jay Hung <jay_hung@ralinktech.com>
Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agop54usb: IDs for two new devices
Christian Lamparter [Sat, 2 Apr 2011 09:31:29 +0000 (11:31 +0200)]
p54usb: IDs for two new devices

commit 220107610c7c2c9703e09eb363e8ab31025b9315 upstream.

Reported-by: Mark Davis [via p54/devices wiki]
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoiwlwifi: accept EEPROM version 0x423 for iwl6000
John W. Linville [Mon, 4 Apr 2011 17:18:44 +0000 (13:18 -0400)]
iwlwifi: accept EEPROM version 0x423 for iwl6000

commit 3d7dc7e8c1566acb0fc55df228b2ed91f5638e9d upstream.

A number of these devices have appeared "in the wild", and apparently
the Windows driver is perfectly happy to support this EEPROM version.

Signed-off-by: John W. Linville <linville@tuxdriver.com>
Acked-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoRevert "net/sunrpc: Use static const char arrays"
Trond Myklebust [Wed, 6 Apr 2011 17:13:32 +0000 (10:13 -0700)]
Revert "net/sunrpc: Use static const char arrays"

commit 0867659fa3c245bf203d837a82e0f6ea5079c2c5 upstream.

This reverts commit 411b5e05617593efebc06241dbc56f42150f2abe.

Olga Kornievskaia reports:

Problem: linux client mounting linux server using rc4-hmac-md5
enctype. gssd fails with create a context after receiving a reply from
the server.

Diagnose: putting printout statements in the server kernel and
kerberos libraries revealed that client and server derived different
integrity keys.

Server kernel code was at fault due the the commit

[aglo@skydive linux-pnfs]$ git show 411b5e05617593efebc06241dbc56f42150f2abe

Trond: The problem is that since it relies on virt_to_page(), you cannot
call sg_set_buf() for data in the const section.

Reported-by: Olga Kornievskaia <aglo@citi.umich.edu>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomm: avoid wrapping vm_pgoff in mremap()
Linus Torvalds [Thu, 7 Apr 2011 14:35:50 +0000 (07:35 -0700)]
mm: avoid wrapping vm_pgoff in mremap()

commit 982134ba62618c2d69fbbbd166d0a11ee3b7e3d8 upstream.

The normal mmap paths all avoid creating a mapping where the pgoff
inside the mapping could wrap around due to overflow.  However, an
expanding mremap() can take such a non-wrapping mapping and make it
bigger and cause a wrapping condition.

Noticed by Robert Swiecki when running a system call fuzzer, where it
caused a BUG_ON() due to terminally confusing the vma_prio_tree code.  A
vma dumping patch by Hugh then pinpointed the crazy wrapped case.

Reported-and-tested-by: Robert Swiecki <robert@swiecki.net>
Acked-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoquota: Don't write quota info in dquot_commit()
Jan Kara [Thu, 31 Mar 2011 16:36:52 +0000 (18:36 +0200)]
quota: Don't write quota info in dquot_commit()

commit b03f24567ce7caf2420b8be4c6eb74c191d59a91 upstream.

There's no reason to write quota info in dquot_commit(). The writing is a
relict from the old days when we didn't have dquot_acquire() and
dquot_release() and thus dquot_commit() could have created / removed quota
structures from the file. These days dquot_commit() only updates usage counters
/ limits in quota structure and thus there's no need to write quota info.

This also fixes an issue with journaling filesystem which didn't reserve
enough space in the transaction for write of quota info (it could have been
dirty at the time of dquot_commit() because of a race with other operation
changing it).

Reported-and-tested-by: Lukas Czerner <lczerner@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUBIFS: fix debugging failure in dbg_check_space_info
Artem Bityutskiy [Mon, 4 Apr 2011 14:16:39 +0000 (17:16 +0300)]
UBIFS: fix debugging failure in dbg_check_space_info

commit 7da6443aca9be29c6948dcbd636ad50154d0bc0c upstream.

This patch fixes a debugging failure with which looks like this:
UBIFS error (pid 32313): dbg_check_space_info: free space changed from 6019344 to 6022654

The reason for this failure is described in the comment this patch adds
to the code. But in short - 'c->freeable_cnt' may be different before
and after re-mounting, and this is normal. So the debugging code should
make sure that free space calculations do not depend on 'c->freeable_cnt'.

A similar issue has been reported here:
http://lists.infradead.org/pipermail/linux-mtd/2011-April/034647.html

This patch should fix it.

For the -stable guys: this patch is only relevant for kernels 2.6.30
onwards.

Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUBIFS: fix oops on error path in read_pnode
Artem Bityutskiy [Fri, 25 Mar 2011 17:09:54 +0000 (19:09 +0200)]
UBIFS: fix oops on error path in read_pnode

commit 54acbaaa523ca0bd284a18f67ad213c379679e86 upstream.

Thanks to coverity which spotted that UBIFS will oops if 'kmalloc()'
in 'read_pnode()' fails and we dereference a NULL 'pnode' pointer
when we 'goto out'.

Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUBIFS: do not read flash unnecessarily
Artem Bityutskiy [Fri, 25 Mar 2011 16:33:57 +0000 (18:33 +0200)]
UBIFS: do not read flash unnecessarily

commit 8b229c76765816796eec7ccd428f03bd8de8b525 upstream.

This fix makes the 'dbg_check_old_index()' function return
immediately if debugging is disabled, instead of executing
incorrect 'goto out' which causes UBIFS to:

1. Allocate memory
2. Read the flash

On every commit. OK, we do not commit that often, but it is
still silly to do unneeded I/O anyway.

Credits to coverity for spotting this silly issue.

Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agostaging: IIO: IMU: ADIS16400: Make sure only enabled scan_elements are pushed into...
Michael Hennerich [Mon, 21 Mar 2011 15:44:38 +0000 (16:44 +0100)]
staging: IIO: IMU: ADIS16400: Make sure only enabled scan_elements are pushed into the ring

commit 0fea4d6192cb82789e28905240d3c1dac6529c7c upstream.

Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
Acked-by: Jonathan Cameron <jic23@cam.ac.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agostaging: IIO: IMU: ADIS16400: Fix addresses of GYRO and ACCEL calibration offset
Michael Hennerich [Mon, 21 Mar 2011 15:44:37 +0000 (16:44 +0100)]
staging: IIO: IMU: ADIS16400: Fix addresses of GYRO and ACCEL calibration offset

commit b181119723d62b19904e1f12e467e996631c5a29 upstream.

Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
Acked-by: Jonathan Cameron <jic23@cam.ac.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agostaging: IIO: IMU: ADIS16400: Add delay after self test
Michael Hennerich [Mon, 21 Mar 2011 15:44:36 +0000 (16:44 +0100)]
staging: IIO: IMU: ADIS16400: Add delay after self test

commit c59c95ce6ace6d256401fc3a3648a95375ef4e63 upstream.

Add delay after self test to satisfy timing requirements.
Increase start-up delay.

Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
Acked-by: Jonathan Cameron <jic23@cam.ac.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agostaging: IIO: IMU: ADIS16400: Fix up SPI messages cs_change behavior
Michael Hennerich [Mon, 21 Mar 2011 15:44:35 +0000 (16:44 +0100)]
staging: IIO: IMU: ADIS16400: Fix up SPI messages cs_change behavior

commit fc5b85b0ad1f9da948e4d683710081a9bda357cb upstream.

cs_change must not be set in the last transfer of a spi message

Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
Acked-by: Jonathan Cameron <jic23@cam.ac.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomac80211: fix a crash in minstrel_ht in HT mode with no supported MCS rates
Felix Fietkau [Fri, 25 Mar 2011 14:30:38 +0000 (15:30 +0100)]
mac80211: fix a crash in minstrel_ht in HT mode with no supported MCS rates

commit 4dc217df68a17a57f8464c74c1b4785e40bddf77 upstream.

When a client connects in HT mode but does not provide any valid MCS
rates, the function that finds the next sample rate gets stuck in an
infinite loop.
Fix this by falling back to legacy rates if no usable MCS rates are found.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoath9k: fix a chip wakeup related crash in ath9k_start
Felix Fietkau [Fri, 25 Mar 2011 16:43:41 +0000 (17:43 +0100)]
ath9k: fix a chip wakeup related crash in ath9k_start

commit f62d816fc4324afbb7cf90110c70b6a14139b225 upstream.

When the chip is still asleep when ath9k_start is called,
ath9k_hw_configpcipowersave can trigger a data bus error.

Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoInput: synaptics - fix crash in synaptics_module_init()
Jan Beulich [Thu, 31 Mar 2011 07:01:58 +0000 (00:01 -0700)]
Input: synaptics - fix crash in synaptics_module_init()

commit 708748670c7c6dd5bd3b141473086e6937e72737 upstream.

'struct dmi_system_id' arrays must always have a terminator to keep
dmi_check_system() from looking at data (and possibly crashing) it
isn't supposed to look at.

The issue went unnoticed until ef8313bb1a22e7d2125d9d758aa8a81f1de91d81,
but was introduced about a year earlier with
7705d548cbe33f18ea7713b9a07aa11047aaeca4 (which also similarly changed
lifebook.c, but the problem there got eliminated shortly afterwards).

The first hunk therefore is a stable candidate back to 2.6.33, while
the full change is needed only on 2.6.38.

Signed-off-by: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agox86, mtrr, pat: Fix one cpu getting out of sync during resume
Suresh Siddha [Tue, 29 Mar 2011 22:38:12 +0000 (15:38 -0700)]
x86, mtrr, pat: Fix one cpu getting out of sync during resume

commit 84ac7cdbdd0f04df6b96153f7a79127fd6e45467 upstream.

On laptops with core i5/i7, there were reports that after resume
graphics workloads were performing poorly on a specific AP, while
the other cpu's were ok. This was observed on a 32bit kernel
specifically.

Debug showed that the PAT init was not happening on that AP
during resume and hence it contributing to the poor workload
performance on that cpu.

On this system, resume flow looked like this:

1. BP starts the resume sequence and we reinit BP's MTRR's/PAT
   early on using mtrr_bp_restore()

2. Resume sequence brings all AP's online

3. Resume sequence now kicks off the MTRR reinit on all the AP's.

4. For some reason, between point 2 and 3, we moved from BP
   to one of the AP's. My guess is that printk() during resume
   sequence is contributing to this. We don't see similar
   behavior with the 64bit kernel but there is no guarantee that
   at this point the remaining resume sequence (after AP's bringup)
   has to happen on BP.

5. set_mtrr() was assuming that we are still on BP and skipped the
   MTRR/PAT init on that cpu (because of 1 above)

6. But we were on an AP and this led to not reprogramming PAT
   on this cpu leading to bad performance.

Fix this by doing unconditional mtrr_if->set_all() in set_mtrr()
during MTRR/PAT init. This might be unnecessary if we are still
running on BP. But it is of no harm and will guarantee that after
resume, all the cpu's will be in sync with respect to the
MTRR/PAT registers.

Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com>
LKML-Reference: <1301438292-28370-1-git-send-email-eric@anholt.net>
Signed-off-by: Eric Anholt <eric@anholt.net>
Tested-by: Keith Packard <keithp@keithp.com>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>