]> git.karo-electronics.de Git - karo-tx-linux.git/log
karo-tx-linux.git
17 years agonfsd: fix possible oops on re-insertion of rpcsec_gss modules
J. Bruce Fields [Tue, 24 Jul 2007 01:43:52 +0000 (18:43 -0700)]
nfsd: fix possible oops on re-insertion of rpcsec_gss modules

The handling of the re-registration case is wrong here; the "test" that was
returned from auth_domain_lookup will not be used again, so that reference
should be put.  And auth_domain_lookup never did anything with "new" in
this case, so we should just clean it up ourself.

Thanks to Akinobu Mita for bug report, analysis, and testing.

Cc: Akinobu Mita <akinobu.mita@gmail.com>
Signed-off-by: "J. Bruce Fields" <bfields@citi.umich.edu>
Cc: Neil Brown <neilb@suse.de>
Cc: Trond Myklebust <trond.myklebust@fys.uio.no>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoieee1394: revert "sbp2: enforce 32bit DMA mapping"
Stefan Richter [Sat, 4 Aug 2007 16:39:34 +0000 (18:39 +0200)]
ieee1394: revert "sbp2: enforce 32bit DMA mapping"

Revert commit 0555659d63c285ceb7ead3115532e1b71b0f27a7 from 2.6.22-rc1.
The dma_set_mask call somehow failed on a PowerMac G5, PPC64:
http://lkml.org/lkml/2007/8/1/344

Should there ever occur a DMA mapping beyond the physical DMA range, a
proper SBP-2 firmware will report transport errors.  So let's leave it
at that.

Same as commit a9c2f18800753c82c45fc13b27bdc148849bdbb2.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Tested-by: Olaf Hering <olh@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agolibata: add FUJITSU MHV2080BH to NCQ blacklist
Tejun Heo [Tue, 10 Jul 2007 07:16:18 +0000 (16:16 +0900)]
libata: add FUJITSU MHV2080BH to NCQ blacklist

Please warmly welcome the first member from FUJITSU to the prestigious
NCQ spurious completion club.

This is reported by Serge Van Thillo in bugzilla bug 8730.

  http://bugzilla.kernel.org/show_bug.cgi?id=8730

Signed-off-by: Tejun Heo <htejun@gmail.com>
Cc: Serge van Thillo <nulleke@hotmail.com>
Cc: Jeff Garzik <jeff@garzik.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agocfq-iosched: fix async queue behaviour
Jens Axboe [Tue, 10 Jul 2007 20:11:00 +0000 (22:11 +0200)]
cfq-iosched: fix async queue behaviour

With the cfq_queue hash removal, we inadvertently got rid of the
async queue sharing. This was not intentional, in fact CFQ purposely
shares the async queue per priority level to get good merging for
async writes.

So put some logic in cfq_get_queue() to track the shared queues.

Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agodrivers/video/macmodes.c:mac_find_mode() mustn't be __devinit
Adrian Bunk [Tue, 17 Jul 2007 11:05:53 +0000 (04:05 -0700)]
drivers/video/macmodes.c:mac_find_mode() mustn't be __devinit

If it's EXPORT_SYMBOL'ed it can't be __devinit.

Reported by Mikael Pettersson.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Cc: "Antonino A. Daplas" <adaplas@pol.net>
Cc: Michal Piotrowski <michal.k.k.piotrowski@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agodestroy_workqueue() can livelock
Oleg Nesterov [Tue, 17 Jul 2007 11:03:55 +0000 (04:03 -0700)]
destroy_workqueue() can livelock

Pointed out by Michal Schmidt <mschmidt@redhat.com>.

The bug was introduced in 2.6.22 by me.

cleanup_workqueue_thread() does flush_cpu_workqueue(cwq) in a loop until
->worklist becomes empty.  This is live-lockable, a re-niced caller can get
CPU after wake_up() and insert a new barrier before the lower-priority
cwq->thread has a chance to clear ->current_work.

Change cleanup_workqueue_thread() to do flush_cpu_workqueue(cwq) only once.
 We can rely on the fact that run_workqueue() won't return until it flushes
all works.  So it is safe to call kthread_stop() after that, the "should
stop" request won't be noticed until run_workqueue() returns.

Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru>
Cc: Michal Schmidt <mschmidt@redhat.com>
Cc: Srivatsa Vaddagiri <vatsa@in.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agosony-laptop: fix bug in event handling
Mattia Dongili [Sun, 15 Jul 2007 17:44:58 +0000 (02:44 +0900)]
sony-laptop: fix bug in event handling

The rewritten event reading code from sonypi was absolutely wrong,
this patche makes things functional for type2 and type1 models.

Cc: Andrei Paskevich <andrei@capet.iut-fbleau.fr>
Signed-off-by: Mattia Dongili <malattia@linux.it>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agouml: limit request size on COWed devices
Jeff Dike [Mon, 16 Jul 2007 06:38:58 +0000 (23:38 -0700)]
uml: limit request size on COWed devices

COWed devices can't handle more than 32 (64 on x86_64) sectors in one request
due to the size of the bitmap being carried around in the io_thread_req.

Enforce that by telling the block layer not to put too many sectors in
requests to COWed devices.

Signed-off-by: Jeff Dike <jdike@linux.intel.com>
Cc: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agodo not limit locked memory when RLIMIT_MEMLOCK is RLIM_INFINITY
Herbert van den Bergh [Mon, 16 Jul 2007 06:38:25 +0000 (23:38 -0700)]
do not limit locked memory when RLIMIT_MEMLOCK is RLIM_INFINITY

Fix a bug in mm/mlock.c on 32-bit architectures that prevents a user from
locking more than 4GB of shared memory, or allocating more than 4GB of
shared memory in hugepages, when rlim[RLIMIT_MEMLOCK] is set to
RLIM_INFINITY.

Signed-off-by: Herbert van den Bergh <herbert.van.den.bergh@oracle.com>
Acked-by: Chris Mason <chris.mason@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agohugetlb: fix race in alloc_fresh_huge_page()
Joe Jin [Mon, 16 Jul 2007 06:38:12 +0000 (23:38 -0700)]
hugetlb: fix race in alloc_fresh_huge_page()

That static `nid' index needs locking.  Without it we can end up calling
alloc_pages_node() with an illegal node ID and the kernel crashes.

Acked-by: Gurudas Pai <gurudas.pai@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agojbd2 commit: fix transaction dropping
Jan Kara [Mon, 16 Jul 2007 06:37:20 +0000 (23:37 -0700)]
jbd2 commit: fix transaction dropping

We have to check that also the second checkpoint list is non-empty before
dropping the transaction.

Signed-off-by: Jan Kara <jack@suse.cz>
Cc: Chuck Ebbert <cebbert@redhat.com>
Cc: Kirill Korotaev <dev@openvz.org>
Cc: <linux-ext4@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agojbd commit: fix transaction dropping
Jan Kara [Mon, 16 Jul 2007 06:37:18 +0000 (23:37 -0700)]
jbd commit: fix transaction dropping

We have to check that also the second checkpoint list is non-empty before
dropping the transaction.

Signed-off-by: Jan Kara <jack@suse.cz>
Cc: Chuck Ebbert <cebbert@redhat.com>
Cc: Kirill Korotaev <dev@openvz.org>
Cc: <linux-ext4@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoacpi-cpufreq: Proper ReadModifyWrite of PERF_CTL MSR
Venki Pallipadi [Mon, 16 Jul 2007 20:57:38 +0000 (16:57 -0400)]
acpi-cpufreq: Proper ReadModifyWrite of PERF_CTL MSR

[CPUFREQ] acpi-cpufreq: Proper ReadModifyWrite of PERF_CTL MSR

During recent acpi-cpufreq changes, writing to PERF_CTL msr
changed from RMW of entire 64 bit to RMW of low 32 bit and clearing of
upper 32 bit. Fix it back to do a proper RMW of the MSR.

Signed-off-by: Venkatesh Pallipadi <venkatesh.pallipadi@intel.com>
Signed-off-by: Dave Jones <davej@redhat.com>
Cc: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoforcedeth bug fix: realtek phy
Ayaz Abdulla [Mon, 16 Jul 2007 13:50:24 +0000 (09:50 -0400)]
forcedeth bug fix: realtek phy

This patch contains errata fixes for the realtek phy. It only renamed the
defines to be phy specific.

Signed-off-by: Ayaz Abdulla <aabdulla@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoforcedeth bug fix: vitesse phy
Ayaz Abdulla [Mon, 16 Jul 2007 13:50:01 +0000 (09:50 -0400)]
forcedeth bug fix: vitesse phy

This patch contains errata fixes for the vitesse phy. It only renamed the
defines to be phy specific.

Signed-off-by: Ayaz Abdulla <aabdulla@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoforcedeth bug fix: cicada phy
Ayaz Abdulla [Mon, 16 Jul 2007 13:49:51 +0000 (09:49 -0400)]
forcedeth bug fix: cicada phy

This patch contains errata fixes for the cicada phy. It only renamed the
defines to be phy specific.

Signed-off-by: Ayaz Abdulla <aabdulla@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agofs: 9p/conv.c error path fix
Mariusz Kozlowski [Fri, 20 Jul 2007 00:27:22 +0000 (17:27 -0700)]
fs: 9p/conv.c error path fix

When buf_check_overflow() returns != 0 we will hit kfree(ERR_PTR(err))
and it will not be happy about it.

Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoreadahead: MIN_RA_PAGES/MAX_RA_PAGES macros
Fengguang Wu [Thu, 19 Jul 2007 08:47:58 +0000 (01:47 -0700)]
readahead: MIN_RA_PAGES/MAX_RA_PAGES macros

Define two convenient macros for read-ahead:
- MAX_RA_PAGES: rounded down counterpart of VM_MAX_READAHEAD
- MIN_RA_PAGES: rounded _up_ counterpart of VM_MIN_READAHEAD

Note that the rounded up MIN_RA_PAGES will work flawlessly with _large_
page sizes like 64k.

Signed-off-by: Fengguang Wu <wfg@mail.ustc.edu.cn>
Cc: Steven Pratt <slpratt@austin.ibm.com>
Cc: Ram Pai <linuxram@us.ibm.com>
Cc: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agonfsd: fix possible read-ahead cache and export table corruption
J. Bruce Fields [Thu, 19 Jul 2007 08:49:18 +0000 (01:49 -0700)]
nfsd: fix possible read-ahead cache and export table corruption

The value of nperbucket calculated here is too small--we should be rounding up
instead of down--with the result that the index j in the following loop can
overflow the raparm_hash array.  At least in my case, the next thing in memory
turns out to be export_table, so the symptoms I see are crashes caused by the
appearance of four zeroed-out export entries in the first bucket of the hash
table of exports (which were actually entries in the readahead cache, a
pointer to which had been written to the export table in this initialization
code).

It looks like the bug was probably introduced with commit
fce1456a19f5c08b688c29f00ef90fdfa074c79b ("knfsd: make the readahead params
cache SMP-friendly").

Cc: Greg Banks <gnb@melbourne.sgi.com>
Signed-off-by: "J. Bruce Fields" <bfields@citi.umich.edu>
Acked-by: NeilBrown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoeCryptfs: ecryptfs_setattr() bugfix
Michael Halcrow [Thu, 19 Jul 2007 08:47:54 +0000 (01:47 -0700)]
eCryptfs: ecryptfs_setattr() bugfix

There is another bug recently introduced into the ecryptfs_setattr()
function in 2.6.22.  eCryptfs will attempt to treat special files like
regular eCryptfs files on chmod, chown, and so forth.  This leads to a NULL
pointer dereference.  This patch validates that the file is a regular file
before proceeding with operations related to the inode's crypt_stat.

Thanks to Ryusuke Konishi for finding this bug and suggesting the fix.

Signed-off-by: Michael Halcrow <mhalcrow@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agosoftmac: Fix ESSID problem
Jean Tourrilhes [Tue, 17 Jul 2007 15:46:33 +0000 (10:46 -0500)]
softmac: Fix ESSID problem

Victor Porton reported that the SoftMAC layer had random problem when setting the ESSID :
http://bugzilla.kernel.org/show_bug.cgi?id=8686 After investigation, it turned out to be
worse, the SoftMAC layer is left in an inconsistent state. The fix is pretty trivial.

Signed-off-by: Jean Tourrilhes <jt@hpl.hp.com>
Acked-by: Michael Buesch <mb@bu3sch.de>
Acked-by: Larry Finger <Larry.Finger@lwfinger.net>
Acked-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agofirewire: fix memory leak of fw_request instances
Stefan Richter [Thu, 19 Jul 2007 07:28:42 +0000 (09:28 +0200)]
firewire: fix memory leak of fw_request instances

Found and debugged by Jay Fenlason <fenlason@redhat.com>.
The bug was especially noticeable with direct I/O over fw-sbp2.

Same as commit 9c9bdf4d50730fd04b06077e22d7a83b585f26b5.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Kristian Høgsberg <krh@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agofw-ohci: fix "scheduling while atomic"
Stefan Richter [Thu, 19 Jul 2007 07:27:37 +0000 (09:27 +0200)]
fw-ohci: fix "scheduling while atomic"

context_stop is called by bus_reset_tasklet, among else.

Fixes http://bugzilla.kernel.org/show_bug.cgi?id=8735.
Same as commit b980f5a224f3df6c884dbf5ae48797ce352ba139.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoi386: HPET, check if the counter works
Thomas Gleixner [Sat, 21 Jul 2007 15:11:12 +0000 (17:11 +0200)]
i386: HPET, check if the counter works

Some systems have a HPET which is not incrementing, which leads to a
complete hang.  Detect it during HPET setup.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Andi Kleen <ak@suse.de>
Cc: john stultz <johnstul@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agodm io: fix panic on large request
Milan Broz [Sat, 21 Jul 2007 11:37:27 +0000 (04:37 -0700)]
dm io: fix panic on large request

Flush workqueue before releasing bioset and mopools in dm-crypt.  There can
be finished but not yet released request.

Call chain causing oops:
  run workqueue
    dec_pending
      bio_endio(...);
       <remove device request - remove mempool>
      mempool_free(io, cc->io_pool);

This usually happens when cryptsetup create temporary
luks mapping in the beggining of crypt device activation.

When dm-core calls destructor crypt_dtr, no new request
are possible.

Signed-off-by: Milan Broz <mbroz@redhat.com>
Cc: Chuck Ebbert <cebbert@redhat.com>
Cc: Patrick McHardy <kaber@trash.net>
Acked-by: Alasdair G Kergon <agk@redhat.com>
Cc: Christophe Saout <christophe@saout.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoInclude serial_reg.h with userspace headers
Herton Ronaldo Krzesinski [Tue, 31 Jul 2007 07:38:52 +0000 (00:38 -0700)]
Include serial_reg.h with userspace headers

As reported by Gustavo de Nardin <gustavodn@mandriva.com.br>, while trying to
compile xosview (http://xosview.sourceforge.net/) with upstream kernel
headers being used you get the following errors:
serialmeter.cc:48:30: error: linux/serial_reg.h: No such file or directory
serialmeter.cc: In member function 'virtual void
SerialMeter::checkResources()':
serialmeter.cc:71: error: 'UART_LSR' was not declared in this scope
serialmeter.cc:71: error: 'UART_MSR' was not declared in this scope
...

Signed-off-by: Herton Ronaldo Krzesinski <herton@mandriva.com.br>
Cc: Gustavo de Nardin <gustavodn@mandriva.com.br>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: Russell King <rmk@arm.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years ago"ext4_ext_put_in_cache" uses __u32 to receive physical block number
Mingming Cao [Tue, 31 Jul 2007 07:37:46 +0000 (00:37 -0700)]
"ext4_ext_put_in_cache" uses __u32 to receive physical block number

Yan Zheng wrote:

> I think I found a bug in ext4/extents.c, "ext4_ext_put_in_cache" uses
> "__u32" to receive physical block number.  "ext4_ext_put_in_cache" is
> used in "ext4_ext_get_blocks", it sets ext4 inode's extent cache
> according most recently tree lookup (higher 16 bits of saved physical
> block number are always zero). when serving a mapping request,
> "ext4_ext_get_blocks" first check whether the logical block is in
> inode's extent cache. if the logical block is in the cache and the
> cached region isn't a gap, "ext4_ext_get_blocks" gets physical block
> number by using cached region's physical block number and offset in
> the cached region.  as described above, "ext4_ext_get_blocks" may
> return wrong result when there are physical block numbers bigger than
> 0xffffffff.
>

You are right.  Thanks for reporting this!

Signed-off-by: Mingming Cao <cmm@us.ibm.com>
Cc: Yan Zheng <yanzheng@21cn.com>
Cc: <linux-ext4@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agofutex: pass nr_wake2 to futex_wake_op
Andreas Schwab [Tue, 31 Jul 2007 07:38:51 +0000 (00:38 -0700)]
futex: pass nr_wake2 to futex_wake_op

The fourth argument of sys_futex is ignored when op == FUTEX_WAKE_OP,
but futex_wake_op expects it as its nr_wake2 parameter.

The only user of this operation in glibc is always passing 1, so this
bug had no consequences so far.

Signed-off-by: Andreas Schwab <schwab@suse.de>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Ulrich Drepper <drepper@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix leaks on /proc/{*/sched, sched_debug, timer_list, timer_stats}
Alexey Dobriyan [Tue, 31 Jul 2007 07:38:50 +0000 (00:38 -0700)]
Fix leaks on /proc/{*/sched, sched_debug, timer_list, timer_stats}

On every open/close one struct seq_operations leaks.
Kudos to /proc/slab_allocators.

Signed-off-by: Alexey Dobriyan <adobriyan@sw.ru>
Acked-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agopcmcia: give socket time to power down
Daniel Ritz [Tue, 31 Jul 2007 07:38:08 +0000 (00:38 -0700)]
pcmcia: give socket time to power down

Give sockets up to 100ms of additional time to power down.  otherwise we
might generate false warnings with KERN_ERR priority (like in bug #8262).

Signed-off-by: Daniel Ritz <daniel.ritz@gmx.ch>
Cc: Nils Neumann <nils.neumann@rwth-aachen.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agomd: raid10: fix use-after-free of bio
Maik Hampel [Tue, 31 Jul 2007 07:37:57 +0000 (00:37 -0700)]
md: raid10: fix use-after-free of bio

In case of read errors raid10d tries to print a nice error message,
unfortunately using data from an already put bio.

Signed-off-by: Maik Hampel <m.hampel@gmx.de>
Acked-By: NeilBrown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agomd: handle writes to broken raid10 arrays gracefully
Arne Redlich [Tue, 31 Jul 2007 07:37:57 +0000 (00:37 -0700)]
md: handle writes to broken raid10 arrays gracefully

When writing to a broken array, raid10 currently happily emits empty bio
lists.  IOW, the master bio will never be completed, sending writers to
UNINTERRUPTIBLE_SLEEP forever.

Signed-off-by: Arne Redlich <agr@powerkom-dd.de>
Acked-by: Neil Brown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix user struct leakage with locked IPC shem segment
Pavel Emelianov [Tue, 31 Jul 2007 07:38:48 +0000 (00:38 -0700)]
Fix user struct leakage with locked IPC shem segment

When user locks an ipc shmem segmant with SHM_LOCK ctl and the segment is
already locked the shmem_lock() function returns 0.  After this the
subsequent code leaks the existing user struct:

== ipc/shm.c: sys_shmctl() ==
     ...
     err = shmem_lock(shp->shm_file, 1, user);
     if (!err) {
          shp->shm_perm.mode |= SHM_LOCKED;
          shp->mlock_user = user;
     }
     ...
==

Other results of this are:
1. the new shp->mlock_user is not get-ed and will point to freed
   memory when the task dies.
2. the RLIMIT_MEMLOCK is screwed on both user structs.

The exploit looks like this:

==
    id = shmget(...);
    setresuid(uid, 0, 0);
    shmctl(id, SHM_LOCK, NULL);
    setresuid(uid + 1, 0, 0);
    shmctl(id, SHM_LOCK, NULL);
==

My solution is to return 0 to the userspace and do not change the
segment's user.

Signed-off-by: Pavel Emelianov <xemul@openvz.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoCPU online file permission
Ulrich Drepper [Tue, 31 Jul 2007 07:38:16 +0000 (00:38 -0700)]
CPU online file permission

Is there a reason why the "online" file in the subdirectories for the CPUs
in /sys/devices/system isn't world-readable?  I cannot imagine it to be
security relevant especially now that a getcpu() syscall can be used to
determine what CPUa thread runs on.

The file is useful to correctly implement the sysconf() function to return
the number of online CPUs.  In the presence of hotplug we currently cannot
provide this information.  The patch below should to it.

Signed-off-by: Ulrich Drepper <drepper@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix leak on /proc/lockdep_stats
Alexey Dobriyan [Tue, 31 Jul 2007 07:38:50 +0000 (00:38 -0700)]
Fix leak on /proc/lockdep_stats

Signed-off-by: Alexey Dobriyan <adobriyan@sw.ru>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agodrm/i915: Fix i965 secured batchbuffer usage (CVE-2007-3851)
Dave Airlie [Mon, 6 Aug 2007 23:09:51 +0000 (09:09 +1000)]
drm/i915: Fix i965 secured batchbuffer usage (CVE-2007-3851)

This 965G and above chipsets moved the batch buffer non-secure bits to
another place. This means that previous drm's allowed in-secure batchbuffers
to be submitted to the hardware from non-privileged users who are logged
into X and and have access to direct rendering.

Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agosplice: fix double page unlock
Jens Axboe [Fri, 20 Jul 2007 13:21:36 +0000 (15:21 +0200)]
splice: fix double page unlock

If add_to_page_cache_lru() fails, the page will not be locked. But
splice jumps to an error path that does a page release and unlock,
causing a BUG() in unlock_page().

Fix this by adding one more label that just releases the page. This bug
was actually triggered on EL5 by gurudas pai <gurudas.pai@oracle.com>
using fio.

Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoInput: lifebook - fix an oops on Panasonic CF-18
Dmitry Torokhov [Fri, 20 Jul 2007 04:37:30 +0000 (00:37 -0400)]
Input: lifebook - fix an oops on Panasonic CF-18

Input: lifebook - fix an oops on Panasonic CF-18

Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoV4L: wm8775/wm8739: Fix memory leak when unloading module
Hans Verkuil [Tue, 24 Jul 2007 12:07:43 +0000 (08:07 -0400)]
V4L: wm8775/wm8739: Fix memory leak when unloading module

State struct was never freed.

(cherry picked from commit 1b2232ab879993fcf5b9391c3febf6ab5d78201e)

Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoV4L: ivtv: Add locking to ensure stream setup is atomic
Hans Verkuil [Tue, 24 Jul 2007 12:07:40 +0000 (08:07 -0400)]
V4L: ivtv: Add locking to ensure stream setup is atomic

Starting an MPEG and VBI capture simultaneously caused errors in
the VBI setup: this setup was done twice when it should be done
only for the first stream that is opened.
Added a mutex to prevent this from happening.

(cherry picked from commit f885969196da6ae905162c0d1c5f0553de12cb40)

Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
17 years agoV4L: ivtv: fix DMA timeout when capturing VBI + another stream
Hans Verkuil [Tue, 24 Jul 2007 12:07:33 +0000 (08:07 -0400)]
V4L: ivtv: fix DMA timeout when capturing VBI + another stream

The VBI DMA is handled in a special way and is marked with a bit.
However, that bit was set at the wrong time and could be cleared
by mistake if a PCM (or other) DMA request would arrive before the
VBI DMA was completed. So on completion of the VBI DMA the driver
no longer knew that that DMA transfer was for VBI data. And this
in turn caused havoc with the card's DMA engine.

(cherry picked from commit dd1e729d63f74a0b6290ca417bafd3fd8665db50)

Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoV4L: ivtv: fix broken VBI output support
Hans Verkuil [Tue, 24 Jul 2007 12:07:28 +0000 (08:07 -0400)]
V4L: ivtv: fix broken VBI output support

The old service_set_out setting was still tested, even though it no longer
was ever set and was in fact obsolete. This meant that everything that was
written to /dev/vbi16 was ignored. Removed the service_set_out variable
altogether and now it works again.

(cherry picked from commit 47fd3ba9fc62d23a985f4969719c3091438d21c5)

Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoV4L: Add check for valid control ID to v4l2_ctrl_next
Hans Verkuil [Tue, 24 Jul 2007 12:07:17 +0000 (08:07 -0400)]
V4L: Add check for valid control ID to v4l2_ctrl_next

If v4l2_ctrl_next is called without the V4L2_CTRL_FLAG_NEXT_CTRL then it
should check whether the passed control ID is valid and return 0 if it
isn't. Otherwise a for-loop over the control IDs will never end.

(cherry picked from commit a46c5fbc6912c4e34cb7ded314249b639dc244a6)

Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agomake timerfd return a u64 and fix the __put_user
Davide Libenzi [Thu, 26 Jul 2007 17:41:07 +0000 (10:41 -0700)]
make timerfd return a u64 and fix the __put_user

Davi fixed a missing cast in the __put_user(), that was making timerfd
return a single byte instead of the full value.

Talking with Michael about the timerfd man page, we think it'd be better to
use a u64 for the returned value, to align it with the eventfd
implementation.

This is an ABI change.  The timerfd code is new in 2.6.22 and if we merge this
into 2.6.23 then we should also merge it into 2.6.22.x.  That will leave a few
early 2.6.22 kernels out in the wild which might misbehave when a future
timerfd-enabled glibc is run on them.

mtk says:
The difference would be that read() will only return 4 bytes,
while the application will expect 8.  If the application is
checking the size of returned value, as it should, then it will
be able to detect the problem (it could even be sophisticated
enough to know that if this is a 4-byte return, then it is
running on an old 2.6.22 kernel).  If the application is not
checking the return from read(), then its 8-byte buffer will not
be filled -- the contents of the last 4 bytes will be undefined,
so the u64 value as a whole will be junk.

When I wrote up that description above, I forgot a crucial
detail.  The above description described the difference between
the new behavior implemented by the patch, and the current
(i.e., 2.6.22) *intended* behavior.  However, as I originally
remarked to Davide, the 2.6.22 read() behavior is broken: it
should return 4 bytes on a read(), but as originally
implemented, only the least significant byte contained valid
information.  (In other words, the top 3 bytes of overrun
information were simply being discarded.)

So the patch both fixes a bug in the originally intended
behavior, and changes the intended behavior (to return 8 bytes
from a read() instead of 4).

Signed-off-by: Davide Libenzi <davidel@xmailserver.org>
Cc: Michael Kerrisk <mtk-manpages@gmx.net>
Cc: Davi Arnaut <davi@haxent.com.br>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agofirewire: fw-sbp2: set correct maximum payload (fixes CardBus adapters)
Stefan Richter [Sat, 4 Aug 2007 16:38:32 +0000 (18:38 +0200)]
firewire: fw-sbp2: set correct maximum payload (fixes CardBus adapters)

As far as I know, all CardBus FireWire 400 adapters have a maximum
payload of 1024 bytes which is less than the speed-dependent limit of
2048 bytes.  Fw-sbp2 has to take the host adapter's limit into account.

This apparently fixes Juju's incompatibility with my CardBus cards, a
NEC based card and a VIA based card.

Backport of commit 25659f7183376c6b37661da6141d5eaa21479061.

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoaacraid: fix security hole
Alan Cox [Mon, 23 Jul 2007 13:51:05 +0000 (14:51 +0100)]
aacraid: fix security hole

On the SCSI layer ioctl path there is no implicit permissions check for
ioctls (and indeed other drivers implement unprivileged ioctls). aacraid
however allows all sorts of very admin only things to be done so should
check.

Signed-off-by: Alan Cox <alan@redhat.com>
Acked-by: Mark Salyzyn <mark_salyzyn@adaptec.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix reported task file values in sense data
Petr Vandrovec [Fri, 20 Jul 2007 11:44:44 +0000 (07:44 -0400)]
Fix reported task file values in sense data

ata_tf_read was setting HOB bit when lba48 command was submitted, but
was not clearing it before reading "normal" data.  As it is only place
which sets HOB bit in control register, and register reads should not
be affected by other bits, let's just clear it when we are done with
reading upper bytes so non-48bit commands do not have to touch ctl
at all.

pata_scc suffered from same problem...

Signed-off-by: Petr Vandrovec <petr@vandrovec.name>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agousb-serial: Fix edgeport regression on non-EPiC devices
Adam Kropelin [Mon, 30 Jul 2007 22:09:07 +0000 (15:09 -0700)]
usb-serial: Fix edgeport regression on non-EPiC devices

Fix serious regression on non-EPiC edgeport usb-serial devices. Baud
rate and MCR/LCR registers are not being written on these models due
to apparent copy-n-paste errors introduced with EPiC support.

Failure reported by Nick Pasich <Nick@NickAndBarb.net>.

Signed-off-by: Adam Kropelin <akropel1@rochester.rr.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoUSB: fix warning caused by autosuspend counter going negative
Alan Stern [Fri, 20 Jul 2007 03:44:51 +0000 (20:44 -0700)]
USB: fix warning caused by autosuspend counter going negative

This patch (as937) fixes a minor bug in the autosuspend usage-counting
code.  Each hub's usage counter keeps track of the number of
unsuspended children.  However the current driver increments the
counter after registering a new child, by which time the child may
already have been suspended and caused the counter to go negative.
The obvious solution is to increment the counter before registering
the child.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoKVM: SVM: Reliably detect if SVM was disabled by BIOS
Joerg Roedel [Wed, 18 Jul 2007 16:51:36 +0000 (19:51 +0300)]
KVM: SVM: Reliably detect if SVM was disabled by BIOS

This patch adds an implementation to the svm is_disabled function to
detect reliably if the BIOS disabled the SVM feature in the CPU. This
fixes the issues with kernel panics when loading the kvm-amd module on
machines where SVM is available but disabled.

Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Avi Kivity <avi@qumranet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix TCP IPV6 MD5 bug.
YOSHIFUJI Hideaki [Wed, 25 Jul 2007 04:47:05 +0000 (21:47 -0700)]
Fix TCP IPV6 MD5 bug.

[TCPv6] MD5SIG: Ensure to reset allocation count to avoid panic.

After clearing all passwords for IPv6 peers, we need to
set allocation count to zero as well as we free the storage.
Otherwise, we panic when a user trys to (re)add a password.

Discovered and fixed by MIYAJIMA Mitsuharu <miyajima.mitsuharu@anchor.jp>.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix sparc32 udelay() rounding errors.
Mark Fortescue [Wed, 25 Jul 2007 04:45:44 +0000 (21:45 -0700)]
Fix sparc32 udelay() rounding errors.

[SPARC32]: Fix rounding errors in ndelay/udelay implementation.

__ndelay and __udelay have not been delayung >= specified time.
The problem with __ndelay has been tacked down to the rounding of the
multiplier constant. By changing this, delays > app 18us are correctly
calculated.
The problem with __udelay has also been tracked down to rounding issues.
Changing the multiplier constant (to match that used in sparc64) corrects
for large delays and adding in a rounding constant corrects for trunctaion
errors in the claculations.
Many short delays will return without looping. This is not an error as there
is the fixed delay of doing all the maths to calculate the loop count.

Signed-off-by: Mark Fortescue <mark@mtfhpc.demon.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix sparc32 memset()
Alexander Shmelev [Wed, 25 Jul 2007 04:44:48 +0000 (21:44 -0700)]
Fix sparc32 memset()

[SPARC32]: Fix bug in sparc optimized memset.

Sparc optimized memset (arch/sparc/lib/memset.S) does not fill last
byte of the memory area, if area size is less than 8 bytes and start
address is not word (4-bytes) aligned.

Here is code chunk where bug located:
/* %o0 - memory address, %o1 - size, %g3 - value */
8:
     add    %o0, 1, %o0
    subcc    %o1, 1, %o1
    bne,a    8b
     stb %g3, [%o0 - 1]

This code should write byte every loop iteration, but last time delay
instruction stb is not executed because branch instruction sets
"annul" bit.

Patch replaces bne,a by bne instruction.

Error can be reproduced by simple kernel module:

--------------------
#include <linux/module.h>
#include <linux/config.h>
#include <linux/kernel.h>
#include <linux/errno.h>
#include <string.h>

static void do_memset(void **p, int size)
{
        memset(p, 0x00, size);
}

static int __init memset_test_init(void)
{
    char fooc[8];
    int *fooi;
    memset(fooc, 0xba, sizeof(fooc));

    do_memset((void**)(fooc + 3), 1);

    fooi = (int*) fooc;
    printk("%08X %08X\n", fooi[0], fooi[1]);

    return -1;
}

static void __exit memset_test_cleanup(void)
{
    return;
}

module_init(memset_test_init);
module_exit(memset_test_cleanup);

MODULE_LICENSE("GPL");
EXPORT_NO_SYMBOLS;
------------------------

Signed-off-by: Alexander Shmelev <ashmelev@task.sun.mcst.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix ipv6 tunnel endianness bug.
Al Viro [Wed, 25 Jul 2007 04:43:58 +0000 (21:43 -0700)]
Fix ipv6 tunnel endianness bug.

[IPV6]: endianness bug in ip6_tunnel

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoSparc64 bootup assembler bug
David S. Miller [Fri, 20 Jul 2007 05:06:09 +0000 (22:06 -0700)]
Sparc64 bootup assembler bug

[SPARC64]: Fix two year old bug in early bootup asm.

We try to fetch the CIF entry pointer from %o4, but that
can get clobbered by the early OBP calls.  It is saved
in %l7 already, so actually this "mov %o4, %l7" can just
be completely removed with no other changes.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoNetpoll leak
Satyam Sharma [Wed, 18 Jul 2007 09:54:19 +0000 (02:54 -0700)]
Netpoll leak

[NETPOLL]: Fix a leak-n-bug in netpoll_cleanup()

93ec2c723e3f8a216dde2899aeb85c648672bc6b applied excessive duct tape to
the netpoll beast's netpoll_cleanup(), thus substituting one leak with
another, and opening up a little buglet :-)

net_device->npinfo (netpoll_info) is a shared and refcounted object and
cannot simply be set NULL the first time netpoll_cleanup() is called.
Otherwise, further netpoll_cleanup()'s see np->dev->npinfo == NULL and
become no-ops, thus leaking. And it's a bug too: the first call to
netpoll_cleanup() would thus (annoyingly) "disable" other (still alive)
netpolls too. Maybe nobody noticed this because netconsole (only user
of netpoll) never supported multiple netpoll objects earlier.

This is a trivial and obvious one-line fixlet.

Signed-off-by: Satyam Sharma <ssatyam@cse.iitk.ac.in>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix ipv6 link down handling.
Vlad Yasevich [Wed, 18 Jul 2007 09:52:33 +0000 (02:52 -0700)]
Fix ipv6 link down handling.

[IPV6]: Call inet6addr_chain notifiers on link down

Currently if the link is brought down via ip link or ifconfig down,
the inet6addr_chain notifiers are not called even though all
the addresses are removed from the interface.  This caused SCTP
to add duplicate addresses to it's list.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix error queue socket lookup in ipv6
Dmitry Butskoy [Wed, 18 Jul 2007 09:51:17 +0000 (02:51 -0700)]
Fix error queue socket lookup in ipv6

[IPV6]: MSG_ERRQUEUE messages do not pass to connected raw sockets

From: Dmitry Butskoy <dmitry@butskoy.name>

Taken from http://bugzilla.kernel.org/show_bug.cgi?id=8747

Problem Description:

It is related to the possibility to obtain MSG_ERRQUEUE messages from the udp
and raw sockets, both connected and unconnected.

There is a little typo in net/ipv6/icmp.c code, which prevents such messages
to be delivered to the errqueue of the correspond raw socket, when the socket
is CONNECTED.  The typo is due to swap of local/remote addresses.

Consider __raw_v6_lookup() function from net/ipv6/raw.c. When a raw socket is
looked up usual way, it is something like:

sk = __raw_v6_lookup(sk, nexthdr, daddr, saddr, IP6CB(skb)->iif);

where "daddr" is a destination address of the incoming packet (IOW our local
address), "saddr" is a source address of the incoming packet (the remote end).

But when the raw socket is looked up for some icmp error report, in
net/ipv6/icmp.c:icmpv6_notify() , daddr/saddr are obtained from the echoed
fragment of the "bad" packet, i.e.  "daddr" is the original destination
address of that packet, "saddr" is our local address.  Hence, for
icmpv6_notify() must use "saddr, daddr" in its arguments, not "daddr, saddr"
...

Steps to reproduce:

Create some raw socket, connect it to an address, and cause some error
situation: f.e. set ttl=1 where the remote address is more than 1 hop to reach.
Set IPV6_RECVERR .
Then send something and wait for the error (f.e. poll() with POLLERR|POLLIN).
You should receive "time exceeded" icmp message (because of "ttl=1"), but the
socket do not receive it.

If you do not connect your raw socket, you will receive MSG_ERRQUEUE
successfully.  (The reason is that for unconnected socket there are no actual
checks for local/remote addresses).

Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agogen estimator deadlock fix
Ranko Zivojnovic [Wed, 18 Jul 2007 09:49:48 +0000 (02:49 -0700)]
gen estimator deadlock fix

[NET]: gen_estimator deadlock fix

-Fixes ABBA deadlock noted by Patrick McHardy <kaber@trash.net>:

> There is at least one ABBA deadlock, est_timer() does:
> read_lock(&est_lock)
> spin_lock(e->stats_lock) (which is dev->queue_lock)
>
> and qdisc_destroy calls htb_destroy under dev->queue_lock, which
> calls htb_destroy_class, then gen_kill_estimator and this
> write_locks est_lock.

To fix the ABBA deadlock the rate estimators are now kept on an rcu list.

-The est_lock changes the use from protecting the list to protecting
the update to the 'bstat' pointer in order to avoid NULL dereferencing.

-The 'interval' member of the gen_estimator structure removed as it is
not needed.

Signed-off-by: Ranko Zivojnovic <ranko@spidernet.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agogen estimator timer unload race
Patrick McHardy [Wed, 18 Jul 2007 09:48:43 +0000 (02:48 -0700)]
gen estimator timer unload race

[NET]: Fix gen_estimator timer removal race

As noticed by Jarek Poplawski <jarkao2@o2.pl>, the timer removal in
gen_kill_estimator races with the timer function rearming the timer.

Check whether the timer list is empty before rearming the timer
in the timer function to fix this.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Acked-by: Jarek Poplawski <jarkao2@o2.pl>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix rfkill IRQ flags.
Ingo Molnar [Wed, 18 Jul 2007 09:45:14 +0000 (02:45 -0700)]
Fix rfkill IRQ flags.

[RFKILL]: fix net/rfkill/rfkill-input.c bug on 64-bit systems

Subject: [patch] net/input: fix net/rfkill/rfkill-input.c bug on 64-bit systems

this recent commit:

 commit cf4328cd949c2086091c62c5685f1580fe9b55e4
 Author: Ivo van Doorn <IvDoorn@gmail.com>
 Date:   Mon May 7 00:34:20 2007 -0700

     [NET]: rfkill: add support for input key to control wireless radio

added this 64-bit bug:

        ....
unsigned int flags;

  spin_lock_irqsave(&task->lock, flags);
        ....

irq 'flags' must be unsigned long, not unsigned int. The -rt tree has
strict checks about this on 64-bit so this triggered a build failure.

Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoSCTP scope_id handling fix
Vlad Yasevich [Wed, 18 Jul 2007 09:44:12 +0000 (02:44 -0700)]
SCTP scope_id handling fix

SCTP: Add scope_id validation for link-local binds

SCTP currently permits users to bind to link-local addresses,
but doesn't verify that the scope id specified at bind matches
the interface that the address is configured on.  It was report
that this can hang a system.

Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoMissing header include in ipt_iprange.h
Adrian Bunk [Wed, 18 Jul 2007 09:37:05 +0000 (02:37 -0700)]
Missing header include in ipt_iprange.h

[NETFILTER]: ipt_iprange.h must #include <linux/types.h>

ipt_iprange.h must #include <linux/types.h> since it uses __be32.

This patch fixes kernel Bugzilla #7604.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoAdd a PCI ID for santa rosa's PATA controller.
Christian Lamparter [Thu, 2 Aug 2007 06:36:50 +0000 (15:36 +0900)]
Add a PCI ID for santa rosa's PATA controller.

This is commit c1e6f28cc5de37dcd113b9668a185c0b9334ba8a which is
merged during 23-rc1 window.  Considering the popularity of these
chips, I think including it in -stable release would be good idea.

Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix console write locking in sparc drivers.
David S. Miller [Wed, 18 Jul 2007 09:34:05 +0000 (02:34 -0700)]
Fix console write locking in sparc drivers.

Mirror the logic in 8250 for proper console write locking
when SYSRQ is triggered or an OOPS is in progress.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix IPCOMP crashes.
Patrick McHardy [Wed, 18 Jul 2007 09:26:27 +0000 (02:26 -0700)]
Fix IPCOMP crashes.

[XFRM]: Fix crash introduced by struct dst_entry reordering

XFRM expects xfrm_dst->u.next to be same pointer as dst->next, which
was broken by the dst_entry reordering in commit 1e19e02c~, causing
an oops in xfrm_bundle_ok when walking the bundle upwards.

Kill xfrm_dst->u.next and change the only user to use dst->next instead.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoFix TC deadlock.
Patrick McHardy [Wed, 18 Jul 2007 09:32:39 +0000 (02:32 -0700)]
Fix TC deadlock.

[NET_SCHED]: Revert "avoid transmit softirq on watchdog wakeup" optimization

As noticed by Ranko Zivojnovic <ranko@spidernet.net>, calling qdisc_run
from the timer handler can result in deadlock:

> CPU#0
>
> qdisc_watchdog() fires and gets dev->queue_lock
> qdisc_run()...qdisc_restart()...
> -> releases dev->queue_lock and enters dev_hard_start_xmit()
>
> CPU#1
>
> tc del qdisc dev ...
> qdisc_graft()...dev_graft_qdisc()...dev_deactivate()...
> -> grabs dev->queue_lock ...
>
> qdisc_reset()...{cbq,hfsc,htb,netem,tbf}_reset()...qdisc_watchdog_cancel()...
> -> hrtimer_cancel() - waiting for the qdisc_watchdog() to exit, while still
>         holding dev->queue_lock
>
> CPU#0
>
> dev_hard_start_xmit() returns ...
> -> wants to get dev->queue_lock(!)
>
> DEADLOCK!

The entire optimization is a bit questionable IMO, it moves potentially
large parts of NET_TX_SOFTIRQ work to TIMER_SOFTIRQ/HRTIMER_SOFTIRQ,
which kind of defeats the separation of them.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Acked-by: Ranko Zivojnovic <ranko@spidernet.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoTCP FRTO retransmit bug fix
Ilpo Järvinen [Wed, 18 Jul 2007 09:30:41 +0000 (02:30 -0700)]
TCP FRTO retransmit bug fix

[TCP]: Verify the presence of RETRANS bit when leaving FRTO

For yet unknown reason, something cleared SACKED_RETRANS bit
underneath FRTO.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoUSB: cdc-acm: fix sysfs attribute registration bug
Alan Stern [Thu, 2 Aug 2007 17:29:10 +0000 (13:29 -0400)]
USB: cdc-acm: fix sysfs attribute registration bug

This patch (as950) fixes a bug in the cdc-acm driver.  It doesn't keep
track of which interface (control or data) the sysfs attributes get
registered for, and as a result, during disconnect it will sometimes
attempt to remove the attributes from the wrong interface.  The
left-over attributes can cause a crash later on, particularly if the driver
module has been unloaded.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: Oliver Neukum <oliver@neukum.name>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoLinux 2.6.22.1 v2.6.22.1
Greg Kroah-Hartman [Tue, 10 Jul 2007 18:56:30 +0000 (11:56 -0700)]
Linux 2.6.22.1

Ok, so it was more than just 5 minutes for the first exploit to be
found, nothing to be ashamed about :)

Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
17 years agoNETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference...
Patrick McHardy [Tue, 5 Jun 2007 12:14:22 +0000 (14:14 +0200)]
NETFILTER: {ip, nf}_conntrack_sctp: fix remotely triggerable NULL ptr dereference (CVE-2007-2876)

When creating a new connection by sending an unknown chunk type, we
don't transition to a valid state, causing a NULL pointer dereference in
sctp_packet when accessing sctp_timeouts[SCTP_CONNTRACK_NONE].

Fix by don't creating new conntrack entry if initial state is invalid.

Noticed by Vilmos Nebehaj <vilmos.nebehaj@ramsys.hu>

CC: Kiran Kumar Immidi <immidi_kiran@yahoo.com>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
17 years agoLinux 2.6.22 v2.6.22
Linus Torvalds [Sun, 8 Jul 2007 23:32:17 +0000 (16:32 -0700)]
Linux 2.6.22

Woo-hoo. I'm sure somebody will report a "this doesn't compile, and
I have a new root exploit" five minutes after release, but it still
feels good ;)

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
17 years agoMerge master.kernel.org:/pub/scm/linux/kernel/git/bart/ide-2.6
Linus Torvalds [Sun, 8 Jul 2007 19:14:27 +0000 (12:14 -0700)]
Merge master.kernel.org:/pub/scm/linux/kernel/git/bart/ide-2.6

* master.kernel.org:/pub/scm/linux/kernel/git/bart/ide-2.6:
  qd65xx: fix PIO mode selection
  sis5513: adding PCI-ID

17 years agoFix permission checking for the new utimensat() system call
Linus Torvalds [Sun, 8 Jul 2007 19:02:55 +0000 (12:02 -0700)]
Fix permission checking for the new utimensat() system call

Commit 1c710c896eb461895d3c399e15bb5f20b39c9073 added the utimensat()
system call, but didn't handle the case of checking for the writability
of the target right, when the target was a file descriptor, not a
filename.

We cannot use vfs_permission(MAY_WRITE) for that case, and need to
simply check whether the file descriptor is writable.  The oops from
using the wrong function was noticed and narrowed down by Markus
Trippelsdorf.

Cc: Ulrich Drepper <drepper@redhat.com>
Cc: Markus Trippelsdorf <markus@trippelsdorf.de>
Cc: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Al Viro <viro@ftp.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
17 years agomm: double mark_page_accessed() in read_cache_page_async()
Peter Zijlstra [Sun, 8 Jul 2007 08:13:06 +0000 (01:13 -0700)]
mm: double mark_page_accessed() in read_cache_page_async()

Fix a post-2.6.21 regression.

read_cache_page_async() has two invocations of mark_page_accessed() which will
launch pages right onto the active list.

Remove the first one, keeping the latter one.  This avoids marking unwanted
pages active (in the retry loop).

Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Acked-by: Nick Piggin <nickpiggin@yahoo.com.au>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
17 years agoqd65xx: fix PIO mode selection
Bartlomiej Zolnierkiewicz [Sun, 8 Jul 2007 13:21:58 +0000 (15:21 +0200)]
qd65xx: fix PIO mode selection

PIO4 is a maximum PIO mode supported by a driver.  Using "255" as a max_mode
argument to ide_get_best_pio_mode() could result in wrong timings being used
by a driver (for "pio" equal to 5) or OOPS (for "pio" values > 5 && < 255).

Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Acked-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Reviewed-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
17 years agosis5513: adding PCI-ID
Uwe Koziolek [Sun, 8 Jul 2007 13:21:58 +0000 (15:21 +0200)]
sis5513: adding PCI-ID

The SiS966 has one additional PCI-ID 1180.

If the chipset is using this PCI-ID, the primary channel is connected to the
first PATA-port. The secondary channel is connected to SATA-ports in IDE
emulation mode.  The legacy IO-ports are used.

The including of the PCI-ID into pata_sis is not sufficient, because the legacy
driver in drivers/ide is initialized before pata_sis.

Signed-off-by: Uwe Koziolek <uwe.koziolek@gmx.net>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
17 years agoDLM must depend on SYSFS
Adrian Bunk [Sat, 7 Jul 2007 04:14:02 +0000 (06:14 +0200)]
DLM must depend on SYSFS

The dependency of DLM on SYSFS got lost in
commit 6ed7257b46709e87d79ac2b6b819b7e0c9184998 resulting in the
following compile error with CONFIG_DLM=y, CONFIG_SYSFS=n:

<--  snip  -->

...
  LD      .tmp_vmlinux1
fs/built-in.o: In function `dlm_lockspace_init':
/home/bunk/linux/kernel-2.6/linux-2.6.22-rc6-mm1/fs/dlm/lockspace.c:231: undefined reference to `kernel_subsys'
fs/built-in.o: In function `configfs_init':
/home/bunk/linux/kernel-2.6/linux-2.6.22-rc6-mm1/fs/configfs/mount.c:143: undefined reference to `kernel_subsys'
make[1]: *** [.tmp_vmlinux1] Error 1

<--  snip  -->

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
17 years agoClean up E7520/7320/7525 quirk printk.
Dave Jones [Fri, 6 Jul 2007 18:59:43 +0000 (14:59 -0400)]
Clean up E7520/7320/7525 quirk printk.

The printk level in this printk is bogus, as the previous printk
didn't have a terminating \n resulting in ..

Intel E7520/7320/7525 detected.<6>Disabling irq balancing and affinity

It also never printed a \n at all in the case where we didn't do
the quirk.

Change it to only make noise if it actually does something useful.

Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
17 years agoinclude/linux/kallsyms.h must #include <linux/errno.h>
Adrian Bunk [Fri, 6 Jul 2007 22:54:09 +0000 (00:54 +0200)]
include/linux/kallsyms.h must #include <linux/errno.h>

This patch fixes the following 2.6.22 regression with CONFIG_KALLSYMS=n:

<--  snip  -->

...
  CC      arch/m32r/kernel/traps.o
In file included from /home/bunk/linux/kernel-2.6/linux-2.6.22-rc6-mm1/arch/m32r/kernel/traps.c:14:
/home/bunk/linux/kernel-2.6/linux-2.6.22-rc6-mm1/include/linux/kallsyms.h: In function 'lookup_symbol_name':
/home/bunk/linux/kernel-2.6/linux-2.6.22-rc6-mm1/include/linux/kallsyms.h:66: error: 'ERANGE' undeclared (first use in this function)
/home/bunk/linux/kernel-2.6/linux-2.6.22-rc6-mm1/include/linux/kallsyms.h:66: error: (Each undeclared identifier is reported only once
/home/bunk/linux/kernel-2.6/linux-2.6.22-rc6-mm1/include/linux/kallsyms.h:66: error: for each function it appears in.)
/home/bunk/linux/kernel-2.6/linux-2.6.22-rc6-mm1/include/linux/kallsyms.h: In function 'lookup_symbol_attrs':
/home/bunk/linux/kernel-2.6/linux-2.6.22-rc6-mm1/include/linux/kallsyms.h:71: error: 'ERANGE' undeclared (first use in this function)
make[2]: *** [arch/m32r/kernel/traps.o] Error 1

<--  snip  -->

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
17 years agoFix use-after-free oops in Bluetooth HID.
David Woodhouse [Sat, 7 Jul 2007 18:58:39 +0000 (14:58 -0400)]
Fix use-after-free oops in Bluetooth HID.

When cleaning up HIDP sessions, we currently close the ACL connection
before deregistering the input device. Closing the ACL connection
schedules a workqueue to remove the associated objects from sysfs, but
the input device still refers to them -- and if the workqueue happens to
run before the input device removal, the kernel will oops when trying to
look up PHYSDEVPATH for the removed input device.

Fix this by deregistering the input device before closing the
connections.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
17 years agoslub: remove useless EXPORT_SYMBOL
Christoph Lameter [Fri, 6 Jul 2007 18:17:32 +0000 (11:17 -0700)]
slub: remove useless EXPORT_SYMBOL

kmem_cache_open is static. EXPORT_SYMBOL was leftover from some earlier
time period where kmem_cache_open was usable outside of slub.

(Fixes powerpc build error)

Signed-off-by: Chrsitoph Lameter <clameter@sgi.com>
Cc: Johannes Berg <johannes@sipsolutions.net>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: Paul Mackerras <paulus@samba.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
17 years agoMAINTAINERS new kernel janitors ml
maximilian attems [Fri, 6 Jul 2007 18:17:32 +0000 (11:17 -0700)]
MAINTAINERS new kernel janitors ml

davem kindly moved the list from osdl to vger.

Signed-of-by: maximilian attems <max@stro.at>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
17 years agoGEODE: reboot fixup for geode machines with CS5536 boards
Andres Salomon [Fri, 6 Jul 2007 18:17:30 +0000 (11:17 -0700)]
GEODE: reboot fixup for geode machines with CS5536 boards

Writing to MSR 0x51400017 forces a hard reset on CS5536-based machines,
this has the reboot fixup do just that if such a board is detected.

Acked-by: Jordan Crouse <jordan.crouse@amd.com>
Signed-off-by: Andres Salomon <dilinger@debian.org>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: Andi Kleen <ak@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
17 years agoMerge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
Linus Torvalds [Fri, 6 Jul 2007 17:30:12 +0000 (10:30 -0700)]
Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6

* 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6:
  [NETPOLL]: Fixups for 'fix soft lockup when removing module'
  [NET]: net/core/netevent.c should #include <net/netevent.h>
  [NETFILTER]: nf_conntrack_h323: add checking of out-of-range on choices' index values
  [NET] skbuff: remove export of static symbol
  SCTP: Add scope_id validation for link-local binds
  SCTP: Check to make sure file is valid before setting timeout
  SCTP: Fix thinko in sctp_copy_laddrs()

17 years agoMerge branch 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus
Linus Torvalds [Fri, 6 Jul 2007 17:29:33 +0000 (10:29 -0700)]
Merge branch 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus

* 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus:
  [MIPS] Fix scheduling latency issue on 24K, 34K and 74K cores
  [MIPS] Add macros to encode processor revisions.
  [MIPS] RM7000: Enable ICACHE_REFILLS_WORKAROUND_WAR.
  [MIPS] SMTC: Fix cut'n'paste bug in Kconfig.debug
  [MIPS] Change libgcc-style functions from lib-y to obj-y
  [MIPS] Fix timer/performance interrupt detection
  [MIPS] AP/SP: Avoid triggering the 34K E125 performance issue
  [MIPS] 64-bit TO_PHYS_MASK macro for RM9000 processors

17 years agomm: fixup /proc/vmstat output
Peter Zijlstra [Fri, 6 Jul 2007 11:35:34 +0000 (13:35 +0200)]
mm: fixup /proc/vmstat output

Line up the vmstat_text with zone_stat_item

enum zone_stat_item {
/* First 128 byte cacheline (assuming 64 bit words) */
NR_FREE_PAGES,
NR_INACTIVE,
NR_ACTIVE,

We current have nr_active and nr_inactive reversed.

[ "OK with patch, though using initializers canbe handy to prevent such
   things in future:

static const char * const vmstat_text[] = {
[NR_FREE_PAGES] = "nr_free_pages",
..."
 - Alexey ]

Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Acked-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
17 years agopotential compiler error, irqfunc caller sites update
Yoann Padioleau [Fri, 6 Jul 2007 09:39:56 +0000 (02:39 -0700)]
potential compiler error, irqfunc caller sites update

In 7d12e780e003f93433d49ce78cfedf4b4c52adc5 David Howells performed
this evolution:
 "IRQ: Maintain regs pointer globally rather than passing to IRQ handlers"

He correctly updated many of the function definitions that were using this
extra regs pointer parameter but forgot to update some caller sites of
those functions.  The reason the modifications was not properly done on all
drivers is that some drivers were rarely compiled because they are for
AMIGA, or that some code sites were inside #ifdefs where the option is not
set or inside #if 0.

Here is the semantic patch that found the occurences
and fixed the problem.

@ rule1 @
identifier fn;
identifier irq, dev_id;
typedef irqreturn_t;
@@

static irqreturn_t fn(int irq, void *dev_id)
{
   ...
}

@@
identifier rule1.fn;
expression E1, E2, E3;
@@

 fn(E1, E2
-   ,E3
   )

Signed-off-by: Yoann Padioleau <padator@wanadoo.fr>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Jeff Garzik <jeff@garzik.org>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
17 years agoi386: es7000 build breakage fix
Vivek Goyal [Fri, 6 Jul 2007 09:39:55 +0000 (02:39 -0700)]
i386: es7000 build breakage fix

o Commit 1833d6bc72893265f22addd79cf52e6987496e0f broke the build if
  compiled with CONFIG_ES7000=y and CONFIG_X86_GENERICARCH=n

arch/i386/kernel/built-in.o(.init.text+0x4fa9): In function `acpi_parse_madt':
: undefined reference to `acpi_madt_oem_check'
arch/i386/kernel/built-in.o(.init.text+0x7406): In function `smp_read_mpc':
: undefined reference to `mps_oem_check'
arch/i386/kernel/built-in.o(.init.text+0x8990): In function
`connect_bsp_APIC':
: undefined reference to `enable_apic_mode'
make: *** [.tmp_vmlinux1] Error 1

o Fix the build issue. Provided the definitions of missing functions.

o Don't have ES7000 machine. Only compile tested.

Cc: Len Brown <lenb@kernel.org>
Cc: Natalie Protasevich <protasnb@gmail.com>
Cc: Roland Dreier <rolandd@cisco.com>
Cc: Andi Kleen <ak@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
17 years agoPNP SMCf010 quirk: work around Toshiba Portege 4000 ACPI issues
Bjorn Helgaas [Fri, 6 Jul 2007 09:39:54 +0000 (02:39 -0700)]
PNP SMCf010 quirk: work around Toshiba Portege 4000 ACPI issues

When we enable the SMCf010 IR device, the Toshiba Portege 4000 BIOS claims
the device is working, but it really isn't configured correctly.  The BIOS
*will* configure it, but only if we call _SRS after (1) reversing the order
of the SIR and FIR I/O port regions and (2) changing the IRQ from
active-high to active-low.

This patch addresses the 2.6.22 regression:
    "no irda0 interface (2.6.21 was OK), smsc does not find chip"

I tested this on a Portege 4000.  The smsc-ircc2 driver correctly detects
the device, and "irattach irda0 -s && irdadump" shows transmitted and
received packets.

Signed-off-by: Bjorn Helgaas <bjorn.helgaas@hp.com>
Cc: Andrey Borzenkov <arvidjaar@mail.ru>
Cc: Samuel Ortiz <samuel@sortiz.org>
Cc: "Linus Walleij (LD/EAB)" <linus.walleij@ericsson.com>
Cc: Michal Piotrowski <michal.k.k.piotrowski@gmail.com>
Cc: Adam Belay <ambx1@neo.rr.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
17 years agofix logic error in ipc compat semctl()
Alexander Graf [Fri, 6 Jul 2007 09:39:53 +0000 (02:39 -0700)]
fix logic error in ipc compat semctl()

When calling a semctl(IPC_STAT) without IPC_64 the check if the memory is
unevaluated.  This patch fixes this.

Signed-off-by: Alexander Graf <agraf@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
17 years agox86_64: fix headers_install
David Woodhouse [Fri, 6 Jul 2007 09:39:52 +0000 (02:39 -0700)]
x86_64: fix headers_install

A bug in headers_install for ARCH=x86_64 yields an asm/ directory full of
files all of which are using the same #ifdef guard, "__ASM_STUB_" with no
postfix.  So the second and later asm files #included in the same C file
(often through standard headers like ioctl.h) yields no symbols.

Strangeness with the Ubuntu 'tell me if I support something that's not
explcitly mentioned in POSIX, and I'll strip it out' shell, I believe.

We don't need the 'export' but we do need a semicolon at the end of the
FNAME line:

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Rob Landley <rob@landley.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
17 years agoMTRR: Fix race causing set_mtrr to go into infinite loop
Loic Prylli [Fri, 6 Jul 2007 09:39:52 +0000 (02:39 -0700)]
MTRR: Fix race causing set_mtrr to go into infinite loop

Processors synchronization in set_mtrr requires the .gate field to be set
after .count field is properly initialized.  Without an explicit barrier,
the compiler was reordering those memory stores.  That was sometimes
causing a processor (in ipi_handler) to see the .gate change and decrement
.count before the latter is set by set_mtrr() (which then hangs in a
infinite loop with irqs disabled).

Signed-off-by: Loic Prylli <loic@myri.com>
Cc: Andi Kleen <ak@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
17 years agoi386: fix regression, endless loop in ptrace singlestep over an int80
Jason Wessel [Fri, 6 Jul 2007 09:39:50 +0000 (02:39 -0700)]
i386: fix regression, endless loop in ptrace singlestep over an int80

The commit 635cf99a80f4ebee59d70eb64bb85ce829e4591f introduced a
regression.  Executing a ptrace single step after certain int80
accesses will infinitely loop and never advance the PC.

The TIF_SINGLESTEP check should be done on the return from the syscall
and not before it.

I loops on each single step on the pop right after the int80 which writes out
to the console.  At that point you can issue as many single steps as you want
and it will not advance any further.

The test case is below:

/* Test whether singlestep through an int80 syscall works.
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/mman.h>
#include <asm/user.h>
#include <string.h>

static int child, status;
static struct user_regs_struct regs;

static void do_child()
{
char str[80] = "child: int80 test\n";

ptrace(PTRACE_TRACEME, 0, 0, 0);
kill(getpid(), SIGUSR1);
write(fileno(stdout),str,strlen(str));
asm ("int $0x80" : : "a" (20)); /* getpid */
}

static void do_parent()
{
unsigned long eip, expected = 0;
again:
waitpid(child, &status, 0);
if (WIFEXITED(status) || WIFSIGNALED(status))
return;

if (WIFSTOPPED(status)) {
ptrace(PTRACE_GETREGS, child, 0, &regs);
eip = regs.eip;
if (expected)
fprintf(stderr, "child stop @ %08lx, expected %08lx %s\n",
eip, expected,
eip == expected ? "" : " <== ERROR");

if (*(unsigned short *)eip == 0x80cd) {
fprintf(stderr, "int 0x80 at %08x\n", (unsigned int)eip);
expected = eip + 2;
} else
expected = 0;

ptrace(PTRACE_SINGLESTEP, child, NULL, NULL);
}
goto again;
}

int main(int argc, char * const argv[])
{
child = fork();
if (child)
do_parent();
else
do_child();
return 0;
}

Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Cc: Jeremy Fitzhardinge <jeremy@goop.org>
Cc: <stable@kernel.org>
Cc: Chuck Ebbert <76306.1226@compuserve.com>
Acked-by: Andi Kleen <ak@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
17 years agoFix elf_core_dump() when writing arch specific notes (spu coredumps)
Michael Ellerman [Fri, 6 Jul 2007 09:39:49 +0000 (02:39 -0700)]
Fix elf_core_dump() when writing arch specific notes (spu coredumps)

elf_core_dump() supports dumping arch specific ELF notes, via the #define
ELF_CORE_WRITE_EXTRA_NOTES.  Currently the only user of this is the powerpc
spu coredump code.

There is a bug in the handling of foffset WRT the arch notes, which causes
us to erroneously increment foffset by the size of the arch notes, leaving
a block of zeroes in the file, and causing all subsequent data in the file
to be at <supposed position> + <arch note size>.  eg:

  LOAD  0x050000 0x00100000 0x00000000 0x20000 0x20000 R E 0x10000

Tells us we should have a chunk of data at 0x50000.  The truth is the data
is at 0x90dbc = 0x50000 + 0x40dbc (the size of the arch notes).

This bug prevents gdb from reading the core file correctly.

The simplest fix is to simply remember the size of the arch notes, and add
it to foffset after we've written the arch notes.  The only drawback is
that if the arch code doesn't write as many bytes as it said it would, we
end up with a broken core dump again.  For now I think that's a reasonable
requirement.

Tested on a Cell blade, gdb no longer complains about the core file being
bogus.

While I'm here I should point out that the spu coredump code does not work
if we're dumping to a pipe - we'll have to wait for 23 to fix that.

Signed-off-by: Michael Ellerman <michael@ellerman.id.au>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Acked-by: Paul Mackerras <paulus@samba.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
17 years ago[MIPS] Fix scheduling latency issue on 24K, 34K and 74K cores
Ralf Baechle [Wed, 20 Jun 2007 23:22:34 +0000 (00:22 +0100)]
[MIPS] Fix scheduling latency issue on 24K, 34K and 74K cores

The idle loop goes to sleep using the WAIT instruction if !need_resched().
This has is suffering from from a race condition that if if just after
need_resched has returned 0 an interrupt might set TIF_NEED_RESCHED but
we've just completed the test so go to sleep anyway.  This would be
trivial to fix by just disabling interrupts during that sequence as in:

        local_irq_disable();
        if (!need_resched())
                __asm__("wait");
        local_irq_enable();

but the processor architecture leaves it undefined if a processor calling
WAIT with interrupts disabled will ever restart its pipeline and indeed
some processors have made use of the freedom provided by the architecture
definition.  This has been resolved and the Config7.WII bit indicates that
the use of WAIT is safe on 24K, 24KE and 34K cores.  It also is safe on
74K starting revision 2.1.0 so enable the use of WAIT with interrupts
disabled for 74K based on a c0_prid of at least that.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
17 years ago[MIPS] Add macros to encode processor revisions.
Ralf Baechle [Fri, 6 Jul 2007 13:40:05 +0000 (14:40 +0100)]
[MIPS] Add macros to encode processor revisions.

Older processors used to encode processor version and revision in two
4-bit bitfields, the 4K seems to simply count up and even newer MTI cores
have switched to use the 8-bits as 3:3:2 bitfield with the last field as
the patch number.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
17 years ago[MIPS] RM7000: Enable ICACHE_REFILLS_WORKAROUND_WAR.
Ralf Baechle [Thu, 5 Jul 2007 07:14:21 +0000 (08:14 +0100)]
[MIPS] RM7000: Enable ICACHE_REFILLS_WORKAROUND_WAR.

The RM7000 processors and the E9000 cores have a bug (though PMC-Sierra
opposes it being called that) where invalid instructions in the same
I-cache line worth of instructions being fetched may case spurious
exceptions.

The workaround for this was only enabled for E9000 cores; enable it also
for all RM7000-based platforms.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
17 years ago[MIPS] SMTC: Fix cut'n'paste bug in Kconfig.debug
Ralf Baechle [Thu, 5 Jul 2007 16:39:48 +0000 (17:39 +0100)]
[MIPS] SMTC: Fix cut'n'paste bug in Kconfig.debug

This effectivly turned the SMTC_IDLE_HOOK_DEBUG debug option into a no-op.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
17 years ago[MIPS] Change libgcc-style functions from lib-y to obj-y
Ralf Baechle [Tue, 26 Jun 2007 18:19:00 +0000 (20:19 +0200)]
[MIPS] Change libgcc-style functions from lib-y to obj-y

Reported by Eugene Surovegin <ebs@ebshome.net>.

If only modules were users of these functions they did not get linked into
the kernel proper, so later module loads would fail as well.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>