]> git.karo-electronics.de Git - karo-tx-linux.git/log
karo-tx-linux.git
16 years agom68k: Add ext2_find_{first,next}_bit() for ext4
Aneesh Kumar K.V [Sun, 8 Jun 2008 20:30:48 +0000 (22:30 +0200)]
m68k: Add ext2_find_{first,next}_bit() for ext4

commit 69c5ddf58a03da3686691ad2f293bc79fd977c10 upstream

Add ext2_find_{first,next}_bit(), which are needed for ext4.
They're derived out of the ext2_find_next_zero_bit found in the same file.
Compile tested with crosstools

[Reworked to preserve all symmetry with ext2_find_{first,next}_zero_bit()]

This fixes http://bugzilla.kernel.org/show_bug.cgi?id=10393

Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoIB/umem: Avoid sign problems when demoting npages to integer
Roland Dreier [Tue, 10 Jun 2008 02:35:12 +0000 (02:35 +0000)]
IB/umem: Avoid sign problems when demoting npages to integer

commit 8079ffa0e18baaf2940e52e0c118eef420a473a4 upstream

On a 64-bit architecture, if ib_umem_get() is called with a size value
that is so big that npages is negative when cast to int, then the
length of the page list passed to get_user_pages(), namely

min_t(int, npages, PAGE_SIZE / sizeof (struct page *))

will be negative, and get_user_pages() will immediately return 0 (at
least since 900cf086, "Be more robust about bad arguments in
get_user_pages()").  This leads to an infinite loop in ib_umem_get(),
since the code boils down to:

while (npages) {
ret = get_user_pages(...);
npages -= ret;
}

Fix this by taking the minimum as unsigned longs, so that the value of
npages is never truncated.

The impact of this bug isn't too severe, since the value of npages is
checked against RLIMIT_MEMLOCK, so a process would need to have an
astronomical limit or have CAP_IPC_LOCK to be able to trigger this,
and such a process could already cause lots of mischief.  But it does
let buggy userspace code cause a kernel lock-up; for example I hit
this with code that passes a negative value into a memory registartion
function where it is promoted to a huge u64 value.

Signed-off-by: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agotcp: Fix inconsistency source (CA_Open only when !tcp_left_out(tp))
Ilpo Järvinen [Tue, 10 Jun 2008 22:37:34 +0000 (15:37 -0700)]
tcp: Fix inconsistency source (CA_Open only when !tcp_left_out(tp))

[ upstream commit: 8aca6cb1179ed9bef9351028c8d8af852903eae2 ]

It is possible that this skip path causes TCP to end up into an
invalid state where ca_state was left to CA_Open while some
segments already came into sacked_out. If next valid ACK doesn't
contain new SACK information TCP fails to enter into
tcp_fastretrans_alert(). Thus at least high_seq is set
incorrectly to a too high seqno because some new data segments
could be sent in between (and also, limited transmit is not
being correctly invoked there). Reordering in both directions
can easily cause this situation to occur.

I guess we would want to use tcp_moderate_cwnd(tp) there as well
as it may be possible to use this to trigger oversized burst to
network by sending an old ACK with huge amount of SACK info, but
I'm a bit unsure about its effects (mainly to FlightSize), so to
be on the safe side I just currently fixed it minimally to keep
TCP's state consistent (obviously, such nasty ACKs have been
possible this far). Though it seems that FlightSize is already
underestimated by some amount, so probably on the long term we
might want to trigger recovery there too, if appropriate, to make
FlightSize calculation to resemble reality at the time when the
losses where discovered (but such change scares me too much now
and requires some more thinking anyway how to do that as it
likely involves some code shuffling).

This bug was found by Brian Vowell while running my TCP debug
patch to find cause of another TCP issue (fackets_out
miscount).

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoforcedeth: msi interrupts
Ayaz Abdulla [Thu, 12 Jun 2008 00:20:18 +0000 (00:20 +0000)]
forcedeth: msi interrupts

commit 4db0ee176e256444695ee2d7b004552e82fec987 upstream

Add a workaround for lost MSI interrupts.  There is a race condition in
the HW in which future interrupts could be missed.  The workaround is to
toggle the MSI irq mask.

Added cleanup based on comments from Andrew Morton.

Signed-off-by: Ayaz Abdulla <aabdulla@nvidia.com>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: Jeff Garzik <jeff@garzik.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agohgafb: resource management fix
Krzysztof Helt [Fri, 13 Jun 2008 02:40:28 +0000 (02:40 +0000)]
hgafb: resource management fix

commit 630c270183133ac25bef8c8d726ac448df9b169a upstream
Date: Thu, 12 Jun 2008 15:21:29 -0700
Subject: hgafb: resource management fix

Release ports which are requested during detection which are not freed if
there is no hga card.  Otherwise there is a crash during cat /proc/ioports
command.

Signed-off-by: Krzysztof Helt <krzysztof.h1@wp.pl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agocciss: add new hardware support
Mike Miller [Fri, 13 Jun 2008 02:40:19 +0000 (02:40 +0000)]
cciss: add new hardware support

commit 24aac480e76c6f5d1391ac05c5e9c0eb9b0cd302 upstream
Date: Thu, 12 Jun 2008 15:21:34 -0700
Subject: cciss: add new hardware support

Add support for the next generation of HP Smart Array SAS/SATA
controllers.  Shipping date is late Fall 2008.

Bump the driver version to 3.6.20 to reflect the new hardware support from
patch 1 of this set.

Signed-off-by: Mike Miller <mike.miller@hp.com>
Cc: Jens Axboe <jens.axboe@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agommc: wbsd: initialize tasklets before requesting interrupt
Chuck Ebbert [Fri, 13 Jun 2008 02:40:16 +0000 (02:40 +0000)]
mmc: wbsd: initialize tasklets before requesting interrupt

commit cef33400d0349fb24b6f8b7dea79b66e3144fd8b upstream

With CONFIG_DEBUG_SHIRQ set we will get an interrupt as soon as we
allocate one.  Tasklets may be scheduled in the interrupt handler but they
will be initialized after the handler returns, causing a BUG() in
kernel/softirq.c when they run.

Should fix this Fedora bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=449817

Signed-off-by: Chuck Ebbert <cebbert@redhat.com>
Acked-by: Pierre Ossman <drzeus@drzeus.cx>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agotcp FRTO: work-around inorder receivers
Ilpo Järvinen [Tue, 13 May 2008 09:54:19 +0000 (02:54 -0700)]
tcp FRTO: work-around inorder receivers

[ upstream commit: 79d44516b4b178ffb6e2159c75584cfcfc097914 ]

If receiver consumes segments successfully only in-order, FRTO
fallback to conventional recovery produces RTO loop because
FRTO's forward transmissions will always get dropped and need to
be resent, yet by default they're not marked as lost (which are
the only segments we will retransmit in CA_Loss).

Price to pay about this is occassionally unnecessarily
retransmitting the forward transmission(s). SACK blocks help
a bit to avoid this, so it's mainly a concern for NewReno case
though SACK is not fully immune either.

This change has a side-effect of fixing SACKFRTO problem where
it didn't have snd_nxt of the RTO time available anymore when
fallback become necessary (this problem would have only occured
when RTO would occur for two or more segments and ECE arrives
in step 3; no need to figure out how to fix that unless the
TODO item of selective behavior is considered in future).

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Reported-by: Damon L. Chesser <damon@damtek.com>
Tested-by: Damon L. Chesser <damon@damtek.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agotcp FRTO: SACK variant is errorneously used with NewReno
Ilpo Järvinen [Thu, 8 May 2008 08:09:11 +0000 (01:09 -0700)]
tcp FRTO: SACK variant is errorneously used with NewReno

[ upstream commit: 62ab22278308a40bcb7f4079e9719ab8b7fe11b5 ]

Note: there's actually another bug in FRTO's SACK variant, which
is the causing failure in NewReno case because of the error
that's fixed here. I'll fix the SACK case separately (it's
a separate bug really, though related, but in order to fix that
I need to audit tp->snd_nxt usage a bit).

There were two places where SACK variant of FRTO is getting
incorrectly used even if SACK wasn't negotiated by the TCP flow.
This leads to incorrect setting of frto_highmark with NewReno
if a previous recovery was interrupted by another RTO.

An eventual fallback to conventional recovery then incorrectly
considers one or couple of segments as forward transmissions
though they weren't, which then are not LOST marked during
fallback making them "non-retransmittable" until the next RTO.
In a bad case, those segments are really lost and are the only
one left in the window. Thus TCP needs another RTO to continue.
The next FRTO, however, could again repeat the same events
making the progress of the TCP flow extremely slow.

In order for these events to occur at all, FRTO must occur
again in FRTOs step 3 while the key segments must be lost as
well, which is not too likely in practice. It seems to most
frequently with some small devices such as network printers
that *seem* to accept TCP segments only in-order. In cases
were key segments weren't lost, things get automatically
resolved because those wrongly marked segments don't need to be
retransmitted in order to continue.

I found a reproducer after digging up relevant reports (few
reports in total, none at netdev or lkml I know of), some
cases seemed to indicate middlebox issues which seems now
to be a false assumption some people had made. Bugzilla
#10063 _might_ be related. Damon L. Chesser <damon@damtek.com>
had a reproducable case and was kind enough to tcpdump it
for me. With the tcpdump log it was quite trivial to figure
out.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agotcp FRTO: Fix fallback to conventional recovery
Ilpo Järvinen [Tue, 13 May 2008 09:53:26 +0000 (02:53 -0700)]
tcp FRTO: Fix fallback to conventional recovery

[ upstream commit: a1c1f281b84a751fdb5ff919da3b09df7297619f ]

It seems that commit 009a2e3e4ec ("[TCP] FRTO: Improve
interoperability with other undo_marker users") run into
another land-mine which caused fallback to conventional
recovery to break:

1. Cumulative ACK arrives after FRTO retransmission
2. tcp_try_to_open sees zero retrans_out, clears retrans_stamp
   which should be kept like in CA_Loss state it would be
3. undo_marker change allowed tcp_packet_delayed to return
   true because of the cleared retrans_stamp once FRTO is
   terminated causing LossUndo to occur, which means all loss
   markings FRTO made are reverted.

This means that the conventional recovery basically recovered
one loss per RTT, which is not that efficient. It was quite
unobvious that the undo_marker change broken something like
this, I had a quite long session to track it down because of
the non-intuitiviness of the bug (luckily I had a trivial
reproducer at hand and I was also able to learn to use kprobes
in the process as well :-)).

This together with the NewReno+FRTO fix and FRTO in-order
workaround this fixes Damon's problems, this and the first
mentioned are enough to fix Bugzilla #10063.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Reported-by: Damon L. Chesser <damon@damtek.com>
Tested-by: Damon L. Chesser <damon@damtek.com>
Tested-by: Sebastian Hyrwall <zibbe@cisko.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agotcp: fix skb vs fack_count out-of-sync condition
Ilpo Järvinen [Wed, 4 Jun 2008 19:07:44 +0000 (12:07 -0700)]
tcp: fix skb vs fack_count out-of-sync condition

[ upstream commit: a6604471db5e7a33474a7f16c64d6b118fae3e74 ]

This bug is able to corrupt fackets_out in very rare cases.
In order for this to cause corruption:
  1) DSACK in the middle of previous SACK block must be generated.
  2) In order to take that particular branch, part or all of the
     DSACKed segment must already be SACKed so that we have that
     in cache in the first place.
  3) The new info must be top enough so that fackets_out will be
     updated on this iteration.
...then fack_count is updated while skb wasn't, then we walk again
that particular segment thus updating fack_count twice for
a single skb and finally that value is assigned to fackets_out
by tcp_sacktag_one.

It is safe to call tcp_sacktag_one just once for a segment (at
DSACK), no need to call again for plain SACK.

Potential problem of the miscount are limited to premature entry
to recovery and to inflated reordering metric (which could even
cancel each other out in the most the luckiest scenarios :-)).
Both are quite insignificant in worst case too and there exists
also code to reset them (fackets_out once sacked_out becomes zero
and reordering metric on RTO).

This has been reported by a number of people, because it occurred
quite rarely, it has been very evasive. Andy Furniss was able to
get it to occur couple of times so that a bit more info was
collected about the problem using a debug patch, though it still
required lot of checking around. Thanks also to others who have
tried to help here.

This is listed as Bugzilla #10346. The bug was introduced by
me in commit 68f8353b48 ([TCP]: Rewrite SACK block processing &
sack_recv_cache use), I probably thought back then that there's
need to scan that entry twice or didn't dare to make it go
through it just once there. Going through twice would have
required restoring fack_count after the walk but as noted above,
I chose to drop the additional walk step altogether here.

Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agol2tp: Fix possible oops if transmitting or receiving when tunnel goes down
James Chapman [Mon, 9 Jun 2008 20:35:41 +0000 (13:35 -0700)]
l2tp: Fix possible oops if transmitting or receiving when tunnel goes down

[ upstream commit: 24b95685ffcdb3dc28f64b9e8af6ea3e8360fbc5 ]

Some problems have been experienced in the field which cause an oops
in the pppol2tp driver if L2TP tunnels fail while passing data.

The pppol2tp driver uses private data that is referenced via the
sk->sk_user_data of its UDP and PPPoL2TP sockets. This patch makes
sure that the driver uses sock_hold() when it holds a reference to the
sk pointer. This affects its sendmsg(), recvmsg(), getname(),
[gs]etsockopt() and ioctl() handlers.

Tested by ISP where problem was seen. System has been up 10 days with
no oops since running this patch. Without the patch, an oops would
occur every 1-2 days.

Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agol2tp: Fix possible WARN_ON from socket code when UDP socket is closed
James Chapman [Mon, 9 Jun 2008 20:34:39 +0000 (13:34 -0700)]
l2tp: Fix possible WARN_ON from socket code when UDP socket is closed

[ upstream commit: 199f7d24ae59894243687a234a909f44a8724506 ]

If an L2TP daemon closes a tunnel socket while packets are queued in
the tunnel's reorder queue, a kernel warning is logged because the
socket is closed while skbs are still referencing it. The fix is to
purge the queue in the socket's release handler.

WARNING: at include/net/sock.h:351 udp_lib_unhash+0x41/0x68()
Pid: 12998, comm: openl2tpd Not tainted 2.6.25 #8
 [<c0423c58>] warn_on_slowpath+0x41/0x51
 [<c05d33a7>] udp_lib_unhash+0x41/0x68
 [<c059424d>] sk_common_release+0x23/0x90
 [<c05d16be>] udp_lib_close+0x8/0xa
 [<c05d8684>] inet_release+0x42/0x48
 [<c0592599>] sock_release+0x14/0x60
 [<c059299f>] sock_close+0x29/0x30
 [<c046ef52>] __fput+0xad/0x15b
 [<c046f1d9>] fput+0x17/0x19
 [<c046c8c4>] filp_close+0x50/0x5a
 [<c046da06>] sys_close+0x69/0x9f
 [<c04048ce>] syscall_call+0x7/0xb

Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agotcp: Limit cwnd growth when deferring for GSO
John Heffner [Tue, 29 Apr 2008 10:13:52 +0000 (03:13 -0700)]
tcp: Limit cwnd growth when deferring for GSO

[ upstream commit: 246eb2af060fc32650f07203c02bdc0456ad76c7 ]

This fixes inappropriately large cwnd growth on sender-limited flows
when GSO is enabled, limiting cwnd growth to 64k.

[ Backport to 2.6.25 by replacing sk->sk_gso_max_size with 65536 -DaveM ]

Signed-off-by: John Heffner <johnwheffner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agotcp: Allow send-limited cwnd to grow up to max_burst when gso disabled
John Heffner [Tue, 29 Apr 2008 10:13:02 +0000 (03:13 -0700)]
tcp: Allow send-limited cwnd to grow up to max_burst when gso disabled

[ upstream commit: ce447eb91409225f8a488f6b7b2a1bdf7b2d884f ]

This changes the logic in tcp_is_cwnd_limited() so that cwnd may grow
up to tcp_max_burst() even when sk_can_gso() is false, or when
sysctl_tcp_tso_win_divisor != 0.

Signed-off-by: John Heffner <johnwheffner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agotcp: TCP connection times out if ICMP frag needed is delayed
Sridhar Samudrala [Wed, 21 May 2008 23:42:20 +0000 (16:42 -0700)]
tcp: TCP connection times out if ICMP frag needed is delayed

[ upstream commit: 7d227cd235c809c36c847d6a597956ad9e9d2bae ]

We are seeing an issue with TCP in handling an ICMP frag needed
message that is received after net.ipv4.tcp_retries1 retransmits.
The default value of retries1 is 3. So if the path mtu changes
and ICMP frag needed is lost for the first 3 retransmits or if
it gets delayed until 3 retransmits are done, TCP doesn't update
MSS correctly and continues to retransmit the orginal message
until it timesout after tcp_retries2 retransmits.

I am seeing this issue even with the latest 2.6.25.4 kernel.

In tcp_retransmit_timer(), when retransmits counter exceeds
tcp_retries1 value, the dst cache entry of the socket is reset.
At this time, if we receive an ICMP frag needed message, the
dst entry gets updated with the new MTU, but the TCP sockets
dst_cache entry remains NULL.

So the next time when we try to retransmit after the ICMP frag
needed is received, tcp_retransmit_skb() gets called. Here the
cur_mss value is calculated at the start of the routine with
a NULL sk_dst_cache. Instead we should call tcp_current_mss after
the rebuild_header that caches the dst entry with the updated mtu.
Also the rebuild_header should be called before tcp_fragment
so that skb is fragmented if the mss goes down.

Signed-off-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agovlan: Correctly handle device notifications for layered VLAN devices
Patrick McHardy [Mon, 9 Jun 2008 18:42:44 +0000 (11:42 -0700)]
vlan: Correctly handle device notifications for layered VLAN devices

[ upstream commit: 81d85346b3fcd8b3167eac8b5fb415a210bd4345 ]

Commit 30688a9 ([VLAN]: Handle vlan devices net namespace changing)
changed the device notifier to special-case notifications for VLAN
devices, effectively disabling state propagation to underlying VLAN
devices. This is needed for layered VLANs though, so restore the
original behaviour.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Acked-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agol2tp: avoid skb truesize bug if headroom is increased
James Chapman [Mon, 19 May 2008 21:10:01 +0000 (14:10 -0700)]
l2tp: avoid skb truesize bug if headroom is increased

[ upstream commit: 090c48d3dd5ea90b37350334aaed9a93b0c1e0a1 ]

A user reported seeing occasional bugs such as the following when
using the L2TP driver.

  SKB BUG: Invalid truesize (272) len=72, sizeof(sk_buff)=208

When L2TP adds its header in the transmit path, it might need to
increase the headroom of the skb. In some cases, the increased
headroom trips a kernel bug when the skb is freed because the skb has
grown beyond its truesize value. The fix is to increase the truesize
by the amount of headroom added, after orphaning the skb.

While here, fix a misleading comment.

Thanks to Iouri Kharon <bc-info@styx.cabel.net> for the initial
report and testing the fix.

Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agonetlink: Fix nla_parse_nested_compat() to call nla_parse() directly
Thomas Graf [Thu, 22 May 2008 17:48:59 +0000 (10:48 -0700)]
netlink: Fix nla_parse_nested_compat() to call nla_parse() directly

[ upstream commit: b9a2f2e450b0f770bb4347ae8d48eb2dea701e24 ]

The purpose of nla_parse_nested_compat() is to parse attributes which
contain a struct followed by a stream of nested attributes.  So far,
it called nla_parse_nested() to parse the stream of nested attributes
which was wrong, as nla_parse_nested() expects a container attribute
as data which holds the attribute stream.  It needs to call
nla_parse() directly while pointing at the next possible alignment
point after the struct in the beginning of the attribute.

With this patch, I can no longer reproduce the reported leftover
warnings.

Signed-off-by: Thomas Graf <tgraf@suug.ch>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoipsec: Use the correct ip_local_out function
Herbert Xu [Tue, 20 May 2008 21:32:14 +0000 (14:32 -0700)]
ipsec: Use the correct ip_local_out function

[ upstream commit: 1ac06e0306d0192a7a4d9ea1c9e06d355ce7e7d3 ]

Because the IPsec output function xfrm_output_resume does its
own dst_output call it should always call __ip_local_output
instead of ip_local_output as the latter may invoke dst_output
directly.  Otherwise the return values from nf_hook and dst_output
may clash as they both use the value 1 but for different purposes.

When that clash occurs this can cause a packet to be used after
it has been freed which usually leads to a crash.  Because the
offending value is only returned from dst_output with qdiscs
such as HTB, this bug is normally not visible.

Thanks to Marco Berizzi for his perseverance in tracking this
down.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agonet_sched: cls_api: fix return value for non-existant classifiers
Patrick McHardy [Tue, 20 May 2008 21:34:46 +0000 (14:34 -0700)]
net_sched: cls_api: fix return value for non-existant classifiers

[ upstream commit: f2df824948d559ea818e03486a8583e42ea6ab37 ]

cls_api should return ENOENT when the requested classifier doesn't
exist.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agonet: Fix call to ->change_rx_flags(dev, IFF_MULTICAST) in dev_change_flags()
David Woodhouse [Tue, 20 May 2008 21:36:14 +0000 (14:36 -0700)]
net: Fix call to ->change_rx_flags(dev, IFF_MULTICAST) in dev_change_flags()

[ upstream commit: 0e91796eb46e29edc791131c832a2232bcaed9dd ]

Am I just being particularly dim today, or can the call to
dev->change_rx_flags(dev, IFF_MULTICAST) in dev_change_flags() never
happen?

We've just set dev->flags = flags & IFF_MULTICAST, effectively. So the
condition '(dev->flags ^ flags) & IFF_MULTICAST' is _never_ going to be
true.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agocassini: Only use chip checksum for ipv4 packets.
David S. Miller [Thu, 22 May 2008 00:05:34 +0000 (17:05 -0700)]
cassini: Only use chip checksum for ipv4 packets.

[ upstream commit: b1443e2f6501f06930a162ff1ff08382a98bf23e ]

According to David Monro, at least with Natsemi Saturn chips the
cassini driver has some trouble with ipv6 checksums.

Until we have more information about what's going on here, only
use the chip checksums for ipv4.

This workaround was suggested and tested by David.

Update version and release date.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agocan: Fix copy_from_user() results interpretation
Sam Ravnborg [Mon, 9 Jun 2008 18:22:01 +0000 (11:22 -0700)]
can: Fix copy_from_user() results interpretation

[ Upstream commit: 3f91bd420a955803421f2db17b2e04aacfbb2bb8 ]

Both copy_to_ and _from_user return the number of bytes, that failed to
reach their destination, not the 0/-EXXX values.

Based on patch from Pavel Emelyanov <xemul@openvz.org>

Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
Acked-by: Oliver Hartkopp <oliver.hartkopp@volkswagen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agobluetooth: rfcomm_dev_state_change deadlock fix
Dave Young [Mon, 2 Jun 2008 06:50:52 +0000 (23:50 -0700)]
bluetooth: rfcomm_dev_state_change deadlock fix

commit 537d59af73d894750cff14f90fe2b6d77fbab15b in mainline

There's logic in __rfcomm_dlc_close:
rfcomm_dlc_lock(d);
d->state = BT_CLOSED;
d->state_changed(d, err);
rfcomm_dlc_unlock(d);

In rfcomm_dev_state_change, it's possible that rfcomm_dev_put try to
take the dlc lock, then we will deadlock.

Here fixed it by unlock dlc before rfcomm_dev_get in
rfcomm_dev_state_change.

why not unlock just before rfcomm_dev_put? it's because there's
another problem.  rfcomm_dev_get/rfcomm_dev_del will take
rfcomm_dev_lock, but in rfcomm_dev_add the lock order is :
rfcomm_dev_lock --> dlc lock

so I unlock dlc before the taken of rfcomm_dev_lock.

Actually it's a regression caused by commit
1905f6c736cb618e07eca0c96e60e3c024023428 ("bluetooth :
__rfcomm_dlc_close lock fix"), the dlc state_change could be two
callbacks : rfcomm_sk_state_change and rfcomm_dev_state_change. I
missed the rfcomm_sk_state_change that time.

Thanks Arjan van de Ven <arjan@linux.intel.com> for the effort in
commit 4c8411f8c115def968820a4df6658ccfd55d7f1a ("bluetooth: fix
locking bug in the rfcomm socket cleanup handling") but he missed the
rfcomm_dev_state_change lock issue.

Signed-off-by: Dave Young <hidave.darkstar@gmail.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agobluetooth: fix locking bug in the rfcomm socket cleanup handling
Arjan van de Ven [Thu, 29 May 2008 08:32:47 +0000 (01:32 -0700)]
bluetooth: fix locking bug in the rfcomm socket cleanup handling

[ Upstream commit: 7dccf1f4e1696c79bff064c3770867cc53cbc71c ]

in net/bluetooth/rfcomm/sock.c, rfcomm_sk_state_change() does the
following operation:

        if (parent && sock_flag(sk, SOCK_ZAPPED)) {
                /* We have to drop DLC lock here, otherwise
                 * rfcomm_sock_destruct() will dead lock. */
                rfcomm_dlc_unlock(d);
                rfcomm_sock_kill(sk);
                rfcomm_dlc_lock(d);
        }
}

which is fine, since rfcomm_sock_kill() will call sk_free() which will call
rfcomm_sock_destruct() which takes the rfcomm_dlc_lock()... so far so good.

HOWEVER, this assumes that the rfcomm_sk_state_change() function always gets
called with the rfcomm_dlc_lock() taken. This is the case for all but one
case, and in that case where we don't have the lock, we do a double unlock
followed by an attempt to take the lock, which due to underflow isn't
going anywhere fast.

This patch fixes this by moving the stragling case inside the lock, like
the other usages of the same call are doing in this code.

This was found with the help of the www.kerneloops.org project, where this
deadlock was observed 51 times at this point in time:
http://www.kerneloops.org/search.php?search=rfcomm_sock_destruct

Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Acked-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoax25: Fix NULL pointer dereference and lockup.
Jarek Poplawski [Tue, 3 Jun 2008 21:53:46 +0000 (14:53 -0700)]
ax25: Fix NULL pointer dereference and lockup.

[ Upstream commit: 7dccf1f4e1696c79bff064c3770867cc53cbc71c ]

There is only one function in AX25 calling skb_append(), and it really
looks suspicious: appends skb after previously enqueued one, but in
the meantime this previous skb could be removed from the queue.

This patch Fixes it the simple way, so this is not fully compatible with
the current method, but testing hasn't shown any problems.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoaf_key: Fix selector family initialization.
Kazunori MIYAZAWA [Wed, 21 May 2008 20:26:11 +0000 (13:26 -0700)]
af_key: Fix selector family initialization.

[ upstream commit: 4da5105687e0993a3bbdcffd89b2b94d9377faab ]

This propagates the xfrm_user fix made in commit
bcf0dda8d2408fe1c1040cdec5a98e5fcad2ac72 ("[XFRM]: xfrm_user: fix
selector family initialization")

Based upon a bug report from, and tested by, Alan Swanson.

Signed-off-by: Kazunori MIYAZAWA <kazunori@miyazawa.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agosunhv: Fix locking in non-paged I/O case.
David S. Miller [Mon, 9 Jun 2008 20:49:22 +0000 (13:49 -0700)]
sunhv: Fix locking in non-paged I/O case.

[ upstream commit: 3651751fff44ede58f65cbb1e39242139ead251b ]

This causes the lock to be taken twice, thus resulting in
a deadlock.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agofbdev: export symbol fb_mode_option
Geoff Levand [Sat, 7 Jun 2008 18:26:34 +0000 (11:26 -0700)]
fbdev: export symbol fb_mode_option

upstream commit: 659179b28f15ab1b1db5f8767090f5e728f115a1

Frame buffer and mode setting drivers can be built as modules,
so fb_mode_option needs to be exported to support these.

Prevents this error:

  ERROR: "fb_mode_option" [drivers/ps3/ps3av_mod.ko] undefined!

Signed-off-by: Geoff Levand <geoffrey.levand@am.sony.com>
Acked-by: Geert Uytterhoeven <Geert.Uytterhoeven@sonycom.com>
Cc: Krzysztof Helt <krzysztof.h1@poczta.fm>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoecryptfs: fix missed mutex_unlock
Cyrill Gorcunov [Sun, 8 Jun 2008 09:00:36 +0000 (11:00 +0200)]
ecryptfs: fix missed mutex_unlock

upstream commit: 71fd5179e8d1d4d503b517e0c5374f7c49540bfc

Cc: Michael Halcrow <mhalcrow@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoecryptfs: clean up (un)lock_parent
Miklos Szeredi [Sun, 8 Jun 2008 08:59:23 +0000 (10:59 +0200)]
ecryptfs: clean up (un)lock_parent

upstream commit: 8dc4e37362a5dc910d704d52ac6542bfd49ddc2f

dget(dentry->d_parent) --> dget_parent(dentry)

unlock_parent() is racy and unnecessary.  Replace single caller with
unlock_dir().

There are several other suspect uses of ->d_parent in ecryptfs...

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Cc: Michael Halcrow <mhalcrow@us.ibm.com>
Cc: Christoph Hellwig <hch@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoeCryptfs: protect crypt_stat->flags in ecryptfs_open()
Michael Halcrow [Sun, 8 Jun 2008 08:58:02 +0000 (10:58 +0200)]
eCryptfs: protect crypt_stat->flags in ecryptfs_open()

upstream commit: 2f9b12a31fcb738ea8c9eb0d4ddf906c6f1d696c

Make sure crypt_stat->flags is protected with a lock in ecryptfs_open().

Signed-off-by: Michael Halcrow <mhalcrow@us.ibm.com>
Cc: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoecryptfs: add missing lock around notify_change
Miklos Szeredi [Sun, 8 Jun 2008 08:56:53 +0000 (10:56 +0200)]
ecryptfs: add missing lock around notify_change

upstream commit: 9c3580aa52195699065bc2d7242b1c7e3e6903fa

Callers of notify_change() need to hold i_mutex.

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Cc: Michael Halcrow <mhalcrow@us.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agosound: emu10k1 - fix system hang with Audigy2 ZS Notebook PCMCIA card
Jaroslav Franek [Sun, 8 Jun 2008 07:27:26 +0000 (09:27 +0200)]
sound: emu10k1 - fix system hang with Audigy2 ZS Notebook PCMCIA card

upstream commit: 868e15dbd2940f9453b4399117686f408dc77299

When the Linux kernel is compiled with CONFIG_DEBUG_SHIRQ=y,
the Soundblaster Audigy2 ZS Notebook PCMCIA card causes the
system hang during boot (udev stage) or when the card is hot-plug.
The CONFIG_DEBUG_SHIRQ flag is by default 'y' with all Fedora
kernels since 2.6.23. The problem was reported as
https://bugzilla.redhat.com/show_bug.cgi?id=326411

The issue was hunted down to the snd_emu10k1_create() routine:

/* pseudo-code */
snd_emu10k1_create(...) {
...
request_irq(... IRQF_SHARED ...) {
register the irq handler
#ifdef CONFIG_DEBUG_SHIRQ
call the irq handler: snd_emu10k1_interrupt() {
poll I/O port   // <---- !! system hangs
...
}
#endif
}
...
snd_emu10k1_cardbus_init(...) {
initialize I/O ports
}
...
}

The early access to I/O port in the interrupt handler causes
the freeze. Obviously it is necessary to init the I/O ports
before accessing them. This patch moves the registration of
the irq handler after the initialization of the I/O ports.

Signed-off-by: Jaroslav Franek <jarin.franek@post.cz>
Acked-by: James Courtier-Dutton <James@superbug.co.uk>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoALSA: hda - Fix resume of auto-config mode with Realtek codecs
Takashi Iwai [Sun, 8 Jun 2008 07:26:09 +0000 (09:26 +0200)]
ALSA: hda - Fix resume of auto-config mode with Realtek codecs

upstream commit: 07bc76dfa19b10017b518dd9aa1b2719e8c863de

The auto-config mode of Realtek ALC codecs has a bug since 2.6.25
that it cannot resume properly.  The problem was the wrong assignment
of init_hook that overrides the whole initialization.

Relevant bug reports:
http://bugzilla.kernel.org/show_bug.cgi?id=10662
https://bugzilla.novell.com/show_bug.cgi?id=385473

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agodouble-free of inode on alloc_file() failure exit in create_write_pipe()
Al Viro [Tue, 22 Apr 2008 23:51:27 +0000 (19:51 -0400)]
double-free of inode on alloc_file() failure exit in create_write_pipe()

upstream commit: ed1524371716466e9c762808b02601d0d0276a92

Duh...  Fortunately, the bug is quite recent (post-2.6.25) and, embarrassingly,
mine ;-/

http://bugzilla.kernel.org/show_bug.cgi?id=10878

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agossb: Fix context assertion in ssb_pcicore_dev_irqvecs_enable
Michael Buesch [Sat, 7 Jun 2008 15:57:37 +0000 (17:57 +0200)]
ssb: Fix context assertion in ssb_pcicore_dev_irqvecs_enable

upstream commit: a3bafeedfff2ac5fa0a316bea4570e27900b6fcc

This fixes a context assertion in ssb that makes b44 print
out warnings on resume.

This fixes the following kernel oops:
http://www.kerneloops.org/oops.php?number=12732
http://www.kerneloops.org/oops.php?number=11410

Signed-off-by: Michael Buesch <mb@bu3sch.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoAdd 'rd' alias to new brd ramdisk driver
Nick Piggin [Wed, 4 Jun 2008 15:18:42 +0000 (17:18 +0200)]
Add 'rd' alias to new brd ramdisk driver

upstream commit: efedf51c866130945b5db755cb58670e60205d83

Alias brd to rd in the hope of helping legacy users. Suggested by Jan.

Signed-off-by: Nick Piggin <npiggin@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoipwireless: Fix blocked sending
David Sterba [Fri, 6 Jun 2008 08:56:35 +0000 (10:56 +0200)]
ipwireless: Fix blocked sending

upstream commit: eb4e545d4ac82d9018487edb4419b33b9930c857

Packet sending is driven by two flags, tx_ready and tx_queued.
It was possible, that there were queued data for sending and
hardware was flagged as blocked but in fact it was not.

The tx_queued was indicator but should be really a counter else
first fragmented packet resets tx_queued flag, but there may be
pending packets which do not get sent.

New semantics:
tx_ready - set, if hw is ready to send packet, no packet is being
           transferred right now
           set the flag right at the place where data are copied
           into hw memory and not earlier without checking if it
           was succesful
tx_queued - count of enqueued packets, including fragments

Tested-by: Michal Rokos <michal.rokos@gmail.com>
Signed-off-by: David Sterba <dsterba@suse.cz>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agob43: Fix controller restart crash
Michael Buesch [Thu, 22 May 2008 14:32:16 +0000 (16:32 +0200)]
b43: Fix controller restart crash

upstream commit: 3bf0a32e22fedc0b46443699db2d61ac2a883ac4

This fixes a kernel crash on rmmod, in the case where the controller
was restarted before doing the rmmod.

Signed-off-by: Michael Buesch <mb@bu3sch.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoLinux 2.6.25.6 v2.6.25.6
Chris Wright [Mon, 9 Jun 2008 18:27:19 +0000 (11:27 -0700)]
Linux 2.6.25.6

16 years agox86: fix bad pmd ffff810000207xxx(9090909090909090)
Hugh Dickins [Thu, 5 Jun 2008 14:09:02 +0000 (15:09 +0100)]
x86: fix bad pmd ffff810000207xxx(9090909090909090)

upstream commit: 2884f110d5409714f3a04eeb6d2ecd77da66b242

OGAWA Hirofumi and Fede have reported rare pmd_ERROR messages:
mm/memory.c:127: bad pmd ffff810000207xxx(9090909090909090).

Initialization's cleanup_highmap was leaving alignment filler
behind in the pmd for MODULES_VADDR: when vmalloc's guard page
would occupy a new page table, it's not allocated, and then
module unload's vfree hits the bad 9090 pmd entry left over.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Hugh notes:

 It's actually not a serious problem, but it does look as if it's a
 serious problem, so we should stamp it out.

Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agocpufreq: fix null object access on Transmeta CPU
CHIKAMA masaki [Fri, 6 Jun 2008 18:41:31 +0000 (18:41 +0000)]
cpufreq: fix null object access on Transmeta CPU

upstream commit: 879000f94442860e72c934f9e568989bc7fb8ec4

If cpu specific cpufreq driver(i.e.  longrun) has "setpolicy" function,
governor object isn't set into cpufreq_policy object at "__cpufreq_set_policy"
function in driver/cpufreq/cpufreq.c .

This causes a null object access at "store_scaling_setspeed" and
"show_scaling_setspeed" function in driver/cpufreq/cpufreq.c when reading or
writing through /sys interface (ex.  cat
/sys/devices/system/cpu/cpu0/cpufreq/scaling_setspeed)

Addresses:
http://bugzilla.kernel.org/show_bug.cgi?id=10654
https://bugzilla.redhat.com/show_bug.cgi?id=443354

Signed-off-by: CHIKAMA Masaki <masaki.chikama@gmail.com>
Cc: Dave Jones <davej@codemonkey.org.uk>
Cc: Chuck Ebbert <cebbert@redhat.com>
Acked-by: Dominik Brodowski <linux@dominikbrodowski.net>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agocapabilities: remain source compatible with 32-bit raw legacy capability support.
Andrew G. Morgan [Fri, 6 Jun 2008 18:44:08 +0000 (18:44 +0000)]
capabilities: remain source compatible with 32-bit raw legacy capability support.

upstream commit: ca05a99a54db1db5bca72eccb5866d2a86f8517f

Source code out there hard-codes a notion of what the
_LINUX_CAPABILITY_VERSION #define means in terms of the semantics of the
raw capability system calls capget() and capset().  Its unfortunate, but
true.

Since the confusing header file has been in a released kernel, there is
software that is erroneously using 64-bit capabilities with the semantics
of 32-bit compatibilities.  These recently compiled programs may suffer
corruption of their memory when sys_getcap() overwrites more memory than
they are coded to expect, and the raising of added capabilities when using
sys_capset().

As such, this patch does a number of things to clean up the situation
for all. It

  1. forces the _LINUX_CAPABILITY_VERSION define to always retain its
     legacy value.

  2. adopts a new #define strategy for the kernel's internal
     implementation of the preferred magic.

  3. deprecates v2 capability magic in favor of a new (v3) magic
     number. The functionality of v3 is entirely equivalent to v2,
     the only difference being that the v2 magic causes the kernel
     to log a "deprecated" warning so the admin can find applications
     that may be using v2 inappropriately.

[User space code continues to be encouraged to use the libcap API which
protects the application from details like this.  libcap-2.10 is the first
to support v3 capabilities.]

Fixes issue reported in https://bugzilla.redhat.com/show_bug.cgi?id=447518.
Thanks to Bojan Smojver for the report.

[akpm@linux-foundation.org: s/depreciate/deprecate/g]
[akpm@linux-foundation.org: be robust about put_user size]
[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Andrew G. Morgan <morgan@kernel.org>
Cc: Serge E. Hallyn <serue@us.ibm.com>
Cc: Bojan Smojver <bojan@rexursive.com>
Cc: stable@kernel.org
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agomd: fix prexor vs sync_request race
Dan Williams [Fri, 6 Jun 2008 18:43:58 +0000 (18:43 +0000)]
md: fix prexor vs sync_request race

upstream commit: e0a115e5aa554b93150a8dc1c3fe15467708abb2

During the initial array synchronization process there is a window between
when a prexor operation is scheduled to a specific stripe and when it
completes for a sync_request to be scheduled to the same stripe.  When
this happens the prexor completes and the stripe is unconditionally marked
"insync", effectively canceling the sync_request for the stripe.  Prior to
2.6.23 this was not a problem because the prexor operation was done under
sh->lock.  The effect in older kernels being that the prexor would still
erroneously mark the stripe "insync", but sync_request would be held off
and re-mark the stripe as "!in_sync".

Change the write completion logic to not mark the stripe "in_sync" if a
prexor was performed.  The effect of the change is to sometimes not set
STRIPE_INSYNC.  The worst this can do is cause the resync to stall waiting
for STRIPE_INSYNC to be set.  If this were happening, then STRIPE_SYNCING
would be set and handle_issuing_new_read_requests would cause all
available blocks to eventually be read, at which point prexor would never
be used on that stripe any more and STRIPE_INSYNC would eventually be set.

echo repair > /sys/block/mdN/md/sync_action will correct arrays that may
have lost this race.

Cc: <stable@kernel.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[chrisw: backport to 2.6.25.5]
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agomd: fix uninitialized use of mddev->recovery_wait
Dan Williams [Fri, 6 Jun 2008 18:43:53 +0000 (18:43 +0000)]
md: fix uninitialized use of mddev->recovery_wait

upstream commit: a6d8113a986c66aeb379a26b6e0062488b3e59e1

If an array was created with --assume-clean we will oops when trying to
set ->resync_max.

Fix this by initializing ->recovery_wait in mddev_find.

Cc: <stable@kernel.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agomd: do not compute parity unless it is on a failed drive
Dan Williams [Fri, 6 Jun 2008 18:43:45 +0000 (18:43 +0000)]
md: do not compute parity unless it is on a failed drive

upstream commit: c337869d95011495fa181536786e74aa2d7ff031

If a block is computed (rather than read) then a check/repair operation
may be lead to believe that the data on disk is correct, when infact it
isn't.  So only compute blocks for failed devices.

This issue has been around since at least 2.6.12, but has become harder to
hit in recent kernels since most reads bypass the cache.

echo repair > /sys/block/mdN/md/sync_action will set the parity blocks to the
correct state.

Cc: <stable@kernel.org>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoeCryptfs: remove unnecessary page decrypt call
Michael Halcrow [Fri, 6 Jun 2008 18:43:31 +0000 (18:43 +0000)]
eCryptfs: remove unnecessary page decrypt call

upstream commit: d3e49afbb66109613c3474f2273f5830ac2dcb09

The page decrypt calls in ecryptfs_write() are both pointless and buggy.
Pointless because ecryptfs_get_locked_page() has already brought the page
up to date, and buggy because prior mmap writes will just be blown away by
the decrypt call.

This patch also removes the declaration of a now-nonexistent function
ecryptfs_write_zeros().

Thanks to Eric Sandeen and David Kleikamp for helping to track this
down.

Eric said:

   fsx w/ mmap dies quickly ( < 100 ops) without this, and survives
   nicely (to millions of ops+) with it in place.

Signed-off-by: Michael Halcrow <mhalcrow@us.ibm.com>
Cc: Eric Sandeen <sandeen@redhat.com>
Cc: Dave Kleikamp <shaggy@austin.ibm.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[chrisw: backport to 2.6.25.5]
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agobrk: make sys_brk() honor COMPAT_BRK when computing lower bound
Jiri Kosina [Fri, 6 Jun 2008 18:43:23 +0000 (18:43 +0000)]
brk: make sys_brk() honor COMPAT_BRK when computing lower bound

upstream commit: a5b4592cf77b973c29e7c9695873a26052b58951

Fix a regression introduced by

commit 4cc6028d4040f95cdb590a87db478b42b8be0508
Author: Jiri Kosina <jkosina@suse.cz>
Date:   Wed Feb 6 22:39:44 2008 +0100

    brk: check the lower bound properly

The check in sys_brk() on minimum value the brk might have must take
CONFIG_COMPAT_BRK setting into account.  When this option is turned on
(i.e.  we support ancient legacy binaries, e.g.  libc5-linked stuff), the
lower bound on brk value is mm->end_code, otherwise the brk start is
allowed to be arbitrarily shifted.

Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Tested-by: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agopagemap: fix bug in add_to_pagemap, require aligned-length reads of /proc/pid/pagemap
Thomas Tuttle [Fri, 6 Jun 2008 18:41:41 +0000 (18:41 +0000)]
pagemap: fix bug in add_to_pagemap, require aligned-length reads of /proc/pid/pagemap

upstream commit: aae8679b0ebcaa92f99c1c3cb0cd651594a43915

Fix a bug in add_to_pagemap.  Previously, since pm->out was a char *,
put_user was only copying 1 byte of every PFN, resulting in the top 7
bytes of each PFN not being copied.  By requiring that reads be a multiple
of 8 bytes, I can make pm->out and pm->end u64*s instead of char*s, which
makes put_user work properly, and also simplifies the logic in
add_to_pagemap a bit.

[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Thomas Tuttle <ttuttle@google.com>
Cc: Matt Mackall <mpm@selenic.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoproc: calculate the correct /proc/<pid> link count
Vegard Nossum [Fri, 6 Jun 2008 18:40:28 +0000 (18:40 +0000)]
proc: calculate the correct /proc/<pid> link count

upstream commit: aed5417593ad125283f35513573282139a8664b5

This patch:

  commit e9720acd728a46cb40daa52c99a979f7c4ff195c
  Author: Pavel Emelyanov <xemul@openvz.org>
  Date:   Fri Mar 7 11:08:40 2008 -0800

    [NET]: Make /proc/net a symlink on /proc/self/net (v3)

introduced a /proc/self/net directory without bumping the corresponding
link count for /proc/self.

This patch replaces the static link count initializations with a call that
counts the number of directory entries in the given pid_entry table
whenever it is instantiated, and thus relieves the burden of manually
keeping the two in sync.

[akpm@linux-foundation.org: cleanup]
Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Cc: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: Vegard Nossum <vegard.nossum@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoSmack: fuse mount hang fix
Casey Schaufler [Mon, 2 Jun 2008 17:04:32 +0000 (10:04 -0700)]
Smack: fuse mount hang fix

upstream commit: e97dcb0eadbb821eccd549d4987b653cf61e2374

The d_instantiate hook for Smack can hang on the root inode of a
filesystem if the file system code has not really done all the set-up.
Fuse is known to encounter this problem.

This change detects an attempt to instantiate a root inode and addresses
it early in the processing, before any attempt is made to do something
that might hang.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Tested-by: Luiz Fernando N. Capitulino <lcapitulino@mandriva.com.br>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoatl1: fix 4G memory corruption bug
Alexey Dobriyan [Thu, 5 Jun 2008 23:44:59 +0000 (18:44 -0500)]
atl1: fix 4G memory corruption bug

upstream commit: aefdbf1a3b832a580a50cf3d1dcbb717be7cbdbe

When using 4+ GB RAM and SWIOTLB is active, the driver corrupts
memory by writing an skb after the relevant DMA page has been
unmapped.  Although this doesn't happen when *not* using bounce
buffers, clearing the pointer to the DMA page after unmapping
it fixes the problem.

http://marc.info/?t=120861317000005&r=2&w=2

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Jay Cliburn <jacliburn@bellsouth.net>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
[jacliburn@bellsouth.net: backport to 2.6.25.4]
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agonetfilter: nf_conntrack_ipv6: fix inconsistent lock state in nf_ct_frag6_gather()
Patrick McHardy [Fri, 6 Jun 2008 17:16:07 +0000 (19:16 +0200)]
netfilter: nf_conntrack_ipv6: fix inconsistent lock state in nf_ct_frag6_gather()

upstream commit: b9c698964614f71b9c8afeca163a945b4c2e2d20

[   63.531438] =================================
[   63.531520] [ INFO: inconsistent lock state ]
[   63.531520] 2.6.26-rc4 #7
[   63.531520] ---------------------------------
[   63.531520] inconsistent {softirq-on-W} -> {in-softirq-W} usage.
[   63.531520] tcpsic6/3864 [HC0[0]:SC1[1]:HE1:SE0] takes:
[   63.531520]  (&q->lock#2){-+..}, at: [<c07175b0>] ipv6_frag_rcv+0xd0/0xbd0
[   63.531520] {softirq-on-W} state was registered at:
[   63.531520]   [<c0143bba>] __lock_acquire+0x3aa/0x1080
[   63.531520]   [<c0144906>] lock_acquire+0x76/0xa0
[   63.531520]   [<c07a8f0b>] _spin_lock+0x2b/0x40
[   63.531520]   [<c0727636>] nf_ct_frag6_gather+0x3f6/0x910
 ...

According to this and another similar lockdep report inet_fragment
locks are taken from nf_ct_frag6_gather() with softirqs enabled, but
these locks are mainly used in softirq context, so disabling BHs is
necessary.

Reported-and-tested-by: Eric Sesterhenn <snakebyte@gmx.de>
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agonetfilter: xt_connlimit: fix accouning when receive RST packet in ESTABLISHED state
Patrick McHardy [Fri, 6 Jun 2008 17:16:05 +0000 (19:16 +0200)]
netfilter: xt_connlimit: fix accouning when receive RST packet in ESTABLISHED state

upstream commit: d2ee3f2c4b1db1320c1efb4dcaceeaf6c7e6c2d3

In xt_connlimit match module, the counter of an IP is decreased when
the TCP packet is go through the chain with ip_conntrack state TW.
Well, it's very natural that the server and client close the socket
with FIN packet. But when the client/server close the socket with RST
packet(using so_linger), the counter for this connection still exsit.
The following patch can fix it which is based on linux-2.6.25.4

Signed-off-by: Dong Wei <dwei.zh@gmail.com>
Acked-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agonetfilter: nf_conntrack_expect: fix error path unwind in nf_conntrack_expect_init()
Patrick McHardy [Fri, 6 Jun 2008 17:16:04 +0000 (19:16 +0200)]
netfilter: nf_conntrack_expect: fix error path unwind in nf_conntrack_expect_init()

upstream commit: 12293bf91126ad253a25e2840b307fdc7c2754c3

Signed-off-by: Alexey Dobriyan <adobriyan@parallels.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agox86, fpu: fix CONFIG_PREEMPT=y corruption of application's FPU stack
Suresh Siddha [Wed, 4 Jun 2008 22:05:29 +0000 (22:05 +0000)]
x86, fpu: fix CONFIG_PREEMPT=y corruption of application's FPU stack

upstream commit: 870568b39064cab2dd971fe57969916036982862

Jürgen Mell reported an FPU state corruption bug under CONFIG_PREEMPT,
and bisected it to commit v2.6.19-1363-gacc2076, "i386: add sleazy FPU
optimization".

Add tsk_used_math() checks to prevent calling math_state_restore()
which can sleep in the case of !tsk_used_math(). This prevents
making a blocking call in __switch_to().

Apparently "fpu_counter > 5" check is not enough, as in some signal handling
and fork/exec scenarios, fpu_counter > 5 and !tsk_used_math() is possible.

It's a side effect though. This is the failing scenario:

process 'A' in save_i387_ia32() just after clear_used_math()

Got an interrupt and pre-empted out.

At the next context switch to process 'A' again, kernel tries to restore
the math state proactively and sees a fpu_counter > 0 and !tsk_used_math()

This results in init_fpu() during the __switch_to()'s math_state_restore()

And resulting in fpu corruption which will be saved/restored
(save_i387_fxsave and restore_i387_fxsave) during the remaining
part of the signal handling after the context switch.

Bisected-by: Jürgen Mell <j.mell@t-online.de>
Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com>
Tested-by: Jürgen Mell <j.mell@t-online.de>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoCPUFREQ: Make acpi-cpufreq more robust against BIOS freq changes behind our back.
Venkatesh Pallipadi [Mon, 28 Apr 2008 19:13:43 +0000 (15:13 -0400)]
CPUFREQ: Make acpi-cpufreq more robust against BIOS freq changes behind our back.

upstream commit: e56a727b023d40d1adf660168883f30f2e6abe0a

We checked the hardware freq with OS cached freq value in get_cur_freqon_cpu().

Signed-off-by: Venkatesh Pallipadi <venkatesh.pallipadi@intel.com>
Signed-off-by: Thomas Renninger <trenn@suse.de>
Signed-off-by: Dave Jones <davej@redhat.com>
Cc: Thomas Renninger <trenn@suse.de>
Cc: "Anthony L. Awtrey" <tony@awtrey.com>
[chrisw: backport to 2.6.25.4]
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoHID: split Numlock emulation quirk from HID_QUIRK_APPLE_HAS_FN.
Diego 'Flameeyes' Petteno [Wed, 28 May 2008 10:49:59 +0000 (12:49 +0200)]
HID: split Numlock emulation quirk from HID_QUIRK_APPLE_HAS_FN.

upstream commit: 6e7045990f35ef9250804b3fd85e855b8c2aaeb6.

[jkosina@suse.cz: Needed to fix apple aluminium keyboard regression]

Since 2.6.25 the HID_QUIRK_APPLE_HAS_FN quirk is enabled even for
non-laptop Apple keyboards of the Aluminium series. The USB version of
these don't need Numlock emulation, like the laptop (and Aluminium
Wireless) do, as they have a proper keypad.

This patch splits the Numlock emulation for Apple keyboards in a
different quirk flag, so that it can be enabled for all the keyboards
but the Aluminium USB ones.

If the Numlock emulation is enabled for Aluminium USB keyboards, the
JKL and UIO keys become the numeric pad, and the rest of the keyboard
is disabled, included the key used to disable Numlock.

Additionally, these keyboard should not have a Numlock at all, as the
Numlock key is instead replaced by the 'Clear' key as usual for Apple
USB keyboards.

Signed-off-by: Diego 'Flameeyes' Petteno <flameeyes@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agonetfilter: xt_iprange: module aliases for xt_iprange
Phil Oester [Wed, 14 May 2008 06:27:48 +0000 (23:27 -0700)]
netfilter: xt_iprange: module aliases for xt_iprange

upstream commit: 01b7a314291b2ef56ad718ee1374a1bac4768b29

Using iptables 1.3.8 with kernel 2.6.25, rules which include '-m
iprange' don't automatically pull in xt_iprange module.  Below patch
adds module aliases to fix that.  Patch against latest -git, but seems
like a good candidate for -stable also.

Signed-off-by: Phil Oester <kernel@linuxace.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoPS3: gelic: fix memory leak
Masakazu Mokuno [Mon, 12 May 2008 04:50:28 +0000 (13:50 +0900)]
PS3: gelic: fix memory leak

upstream commit: 6fc7431dc0775f21ad7a7a39c2ad0290291a56ea

This fixes the bug that the I/O buffer is not freed at the driver removal.

Signed-off-by: Masakazu Mokuno <mokuno@sm.sony.co.jp>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoRevert "PCI: remove default PCI expansion ROM memory allocation"
Linus Torvalds [Wed, 28 May 2008 21:40:12 +0000 (17:40 -0400)]
Revert "PCI: remove default PCI expansion ROM memory allocation"

upstream commit: 8d539108560ec121d59eee05160236488266221c

This reverts commit 9f8daccaa05c14e5643bdd4faf5aed9cc8e6f11e, which was
reported to break X startup (xf86-video-ati-6.8.0). See

http://bugs.freedesktop.org/show_bug.cgi?id=15523

for details.

Reported-by: Laurence Withers <l@lwithers.me.uk>
Cc: Gary Hade <garyhade@us.ibm.com>
Cc: Greg KH <greg@kroah.com>
Cc: Jan Beulich <jbeulich@novell.com>
Cc: "Jun'ichi Nomura" <j-nomura@ce.jp.nec.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[cebbert@redhat.com: backport, remove first hunk to make port easier]
[chrisw@sous-sol.org: add back first hunk]
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agox86: prevent PGE flush from interruption/preemption
Ingo Molnar [Wed, 28 May 2008 21:33:46 +0000 (17:33 -0400)]
x86: prevent PGE flush from interruption/preemption

upstream commit: b1979a5fda7869a790f4fd83fb06c78498d26ba1

CR4 manipulation is not protected against interrupts and preemption,
but KVM uses smp_function_call to manipulate the X86_CR4_VMXE bit
either from the CPU hotplug code or from the kvm_init call.

We need to protect the CR4 manipulation from both interrupts and
preemption.

Original bug report: http://lkml.org/lkml/2008/5/7/48
Bugzilla entry: http://bugzilla.kernel.org/show_bug.cgi?id=10642

This is not a regression from 2.6.25, it's a long standing and hard to
trigger bug.

Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoXFS: Fix memory corruption with small buffer reads
Christoph Hellwig [Wed, 28 May 2008 21:29:44 +0000 (17:29 -0400)]
XFS: Fix memory corruption with small buffer reads

upstream commit: 6ab455eeaff6893cd06da33843e840d888cdc04a

When we have multiple buffers in a single page for a blocksize == pagesize
filesystem we might overwrite the page contents if two callers hit it
shortly after each other. To prevent that we need to keep the page locked
until I/O is completed and the page marked uptodate.

Thanks to Eric Sandeen for triaging this bug and finding a reproducible
testcase and Dave Chinner for additional advice.

This should fix kernel.org bz #10421.

Tested-by: Eric Sandeen <sandeen@sandeen.net>
SGI-PV: 981813
SGI-Modid: xfs-linux-melb:xfs-kern:31173a

Signed-off-by: Christoph Hellwig <hch@infradead.org>
Signed-off-by: David Chinner <dgc@sgi.com>
Signed-off-by: Lachlan McIlroy <lachlan@sgi.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agox86: disable TSC for sched_clock() when calibration failed
Thomas Gleixner [Sat, 24 May 2008 17:40:17 +0000 (17:40 +0000)]
x86: disable TSC for sched_clock() when calibration failed

upstream commit: 74dc51a3de06aa516e3b9fdc4017b2aeb38bf44b

When the TSC calibration fails then TSC is still used in
sched_clock(). Disable it completely in that case.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@kernel.org
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agox86: distangle user disabled TSC from unstable
Thomas Gleixner [Tue, 13 May 2008 10:31:00 +0000 (12:31 +0200)]
x86: distangle user disabled TSC from unstable

upstream commit: 9ccc906c97e34fd91dc6aaf5b69b52d824386910

tsc_enabled is set to 0 from the command line switch "notsc" and from
the mark_tsc_unstable code. Seperate those functionalities and replace
tsc_enable with tsc_disable. This makes also the native_sched_clock()
decision when to use TSC understandable.

Preparatory patch to solve the sched_clock() issue on 32 bit.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agox86: if we cannot calibrate the TSC, we panic.
Rusty Russell [Tue, 4 Mar 2008 12:07:50 +0000 (23:07 +1100)]
x86: if we cannot calibrate the TSC, we panic.

upstream commit: 3c2047cd32b1a8c782d7efab72707e7daa251625

The current tsc_init() clears the TSC feature bit if the TSC khz
cannot be calculated, causing us to panic in
arch/x86/kernel/cpu/bugs.c check_config().  We should simply mark it
unstable.

Frankly, someone should take an axe to this code.  mark_tsc_unstable()
not only marks it unstable, but sets tsc_enabled to 0, which seems
redundant but is actually important here because means it won't be
used by sched_clock() either.  Perhaps a tristate enum "UNUSABLE,
UNSTABLE, OK" would be clearer, and separate mark_tsc_unstable() and
mark_tsc_broken() functions?

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agox86: fix setup of cyc2ns in tsc_64.c
Thomas Gleixner [Sat, 24 May 2008 17:40:18 +0000 (17:40 +0000)]
x86: fix setup of cyc2ns in tsc_64.c

upstream commit: b6db80ee1331e7beaeb91b4b3d946dd16c72e388

When the TSC is calibrated against the PIT due to the nonavailability
of PMTIMER/HPET or due to SMI interference then the setup of the per
CPU cyc2ns variables is skipped. This is unlikely to happen but it
would definitely render sched_clock() unusable.

This was introduced with commit 53d517cdbaac704352b3d0c10fecb99e0b54572e

    x86: scale cyc_2_nsec according to CPU frequency

Update the per CPU cyc2ns variables in all exit pathes of tsc_calibrate.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@kernel.org
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoIPoIB: Test for NULL broadcast object in ipiob_mcast_join_finish()
Jack Morgenstein [Sat, 24 May 2008 17:40:21 +0000 (17:40 +0000)]
IPoIB: Test for NULL broadcast object in ipiob_mcast_join_finish()

upstream commit: e1d50dce5af77cb6d33555af70e2b8748dd84009

We saw a kernel oops in our regression testing when a multicast "join
finish" occurred just after the interface was -- this is
<https://bugs.openfabrics.org/show_bug.cgi?id=1040>.  The test
randomly causes the HCA physical port to go down then up.

The cause of this is that ipoib_mcast_join_finish() processing happen
just after ipoib_mcast_dev_flush() was invoked (in which case the
broadcast pointer is NULL).  This patch tests for and handles the case
where priv->broadcast is NULL.

Cc: <stable@kernel.org>
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agox86: don't read maxlvt before checking if APIC is mapped
Chuck Ebbert [Sat, 24 May 2008 17:40:16 +0000 (17:40 +0000)]
x86: don't read maxlvt before checking if APIC is mapped

upstream commit: 2584a82deed7196f48066f1b1a7fad4ec5bea961

A check for unmapped apic was added before reading maxlvt but the early
read of maxlvt wasn't removed.

Signed-off-by: Chuck Ebbert <cebbert@redhat.com>
Cc: Andi Kleen <ak@suse.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agotypes.h: don't expose struct ustat to userspace
maximilian attems [Sat, 24 May 2008 17:40:14 +0000 (17:40 +0000)]
types.h: don't expose struct ustat to userspace

upstream commit: 6c7c6afbb8c0e60d32a563cae7c6889211e9d9d8

<linux/types.h> can't be used together with <sys/ustat.h> because they
both define struct ustat:

    $ cat test.c
    #include <sys/ustat.h>
    #include <linux/types.h>
    $ gcc -c test.c
    In file included from test.c:2:
    /usr/include/linux/types.h:165: error: redefinition of 'struct ustat'

has been reported a while ago to debian, but seems to have been
lost in cat fighting: http://bugs.debian.org/429064

Signed-off-by: maximilian attems <max@stro.at>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agocgroups: remove node_ prefix_from ns subsystem
Cedric Le Goater [Sat, 24 May 2008 17:40:10 +0000 (17:40 +0000)]
cgroups: remove node_ prefix_from ns subsystem

upstream commit: 5c02b575780d0d785815a1e7b79a98edddee895a

This is a slight change in the namespace cgroup subsystem api.

The change is that previously when cgroup_clone() was called (currently
only from the unshare path in ns_proxy cgroup, you'd get a new group named
"node_$pid" whereas now you'll get a group named after just your pid.)

The only users who would notice it are those who are using the ns_proxy
cgroup subsystem to auto-create cgroups when namespaces are unshared -
something of an experimental feature, which I think really needs more
complete container/namespace support in order to be useful.  I suspect the
only users are Cedric and Serge, or maybe a few others on
containers@lists.linux-foundation.org.  And in fact it would only be
noticed by the users who make the assumption about how the name is
generated, rather than getting it from the /proc/<pid>/cgroups file for
the process in question.

Whether the change is actually needed or not I'm fairly agnostic on, but I
guess it is more elegant to just use the pid as the new group name rather
than adding a fairly arbitrary "node_" prefix on the front.

[menage@google.com: provided changelog]
Signed-off-by: Cedric Le Goater <clg@fr.ibm.com>
Cc: "Paul Menage" <menage@google.com>
Cc: "Serge E. Hallyn" <serue@us.ibm.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agousb-serial: Use ftdi_sio driver for RATOC REX-USB60F
Atsushi Nemoto [Wed, 21 May 2008 02:35:17 +0000 (02:35 +0000)]
usb-serial: Use ftdi_sio driver for RATOC REX-USB60F

upstream commit: 26ab705396b65a469233a8327ecb51b8aebb6be0

This patch reverts 57833ea6b95a3995149f1f6d1a8d8862ab7a0ba2
("usb-serial: pl2303: add support for RATOC REX-USB60F") and adds
support for the device to ftdi_sio driver.

Cc: Akira Tsukamoto <akirat@rd.scei.sony.co.jp>
Signed-off-by: Atsushi Nemoto <anemo@mba.ocn.ne.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoUSB: add TELIT HDSPA UC864-E modem to option driver
Greg Kroah-Hartman [Wed, 21 May 2008 02:35:14 +0000 (02:35 +0000)]
USB: add TELIT HDSPA UC864-E modem to option driver

upstream commit: ee53b0ca0153b4f944cb142b5e65c96a1860d765

This adds the Telit UC864-E HDSPA modem support to the option driver.
This lets their customers comply with the GPL instead of having to use a
binary driver from the manufacturer.

Cc: Simon Kissel <kissel@viprinet.com>
Cc: Nico Erfurth <ne@nicoerfurth.de>
Cc: Andrea Ghezzo <TS-EMEA@telit.com>
Cc: Dietmar Staps <Dietmar.Staps@telit.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoCIFS: Fix UNC path prefix on QueryUnixPathInfo to have correct slash
Steve French [Tue, 20 May 2008 22:21:49 +0000 (18:21 -0400)]
CIFS: Fix UNC path prefix on QueryUnixPathInfo to have correct slash

upstream commit: 076d8423a98659a92837b07aa494cb74bfefe77c

When a share was in DFS and the server was Unix/Linux, we were sending paths of the form
    \\server\share/dir/file
rather than
    //server/share/dir/file

There was some discussion between me and jra over whether we should use
    /server/share/dir/file
as MS sometimes says - but the documentation for this claims it should be
doubleslash for this type of UNC-like path format and that works, so leaving
it as doubleslash but converting the \ to / in the the //server/share portion.

This gets Samba to now correctly return STATUS_PATH_NOT_COVERED when it is
supposed to (Windows already did since the direction of the slash was not an issue
for them).  Still need another minor change to fully enable DFS (need to finish
some chages to SMBGetDFSRefer

Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoi386: fix asm constraint in do_IRQ()
Jan Beulich [Tue, 20 May 2008 22:20:00 +0000 (18:20 -0400)]
i386: fix asm constraint in do_IRQ()

upstream commit: 5065dbafc299507f16731434e95b91dadff03006

i386: fix asm constraint in do_IRQ()

Two prior changes resulted in the "ecx" clobber being lost.

Signed-off-by: Jan Beulich <jbeulich@novell.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agox86: user_regset_view table fix for ia32 on 64-bit
Roland McGrath [Fri, 9 May 2008 22:43:44 +0000 (15:43 -0700)]
x86: user_regset_view table fix for ia32 on 64-bit

commit 1f465f4e475454b8bb590846c50a9d16e8046f3d upstream

The user_regset_view table for the 32-bit regsets on the 64-bit build had
the wrong sizes for the FP regsets.  This bug had no user-visible effect
(just on kernel modules using the user_regset interfaces and the like).
But the fix is trivial and risk-free.

Signed-off-by: Roland McGrath <roland@redhat.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoi2c/max6875: Really prevent 24RF08 corruption
Jean Delvare [Mon, 19 May 2008 09:14:02 +0000 (11:14 +0200)]
i2c/max6875: Really prevent 24RF08 corruption

commit 70455e790391dac85d9b483a9e286a40df1ecc7f in upstream

i2c-core takes care of the possible corruption of 24RF08 chips for
quite some times, so device drivers no longer need to do it. And they
really should not, as applying the prevention twice voids it.

I thought that I had fixed all drivers long ago but apparently I had
missed that one.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: Ben Gardner <bgardner@wabtec.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoi2c-nforce2: Disable the second SMBus channel on the DFI Lanparty NF4 Expert
Jean Delvare [Mon, 19 May 2008 09:12:07 +0000 (11:12 +0200)]
i2c-nforce2: Disable the second SMBus channel on the DFI Lanparty NF4 Expert

commit 08851d6eb4eeb0894f4d095dfdf8ab61c435ad57 in upstream

There is a strange chip at 0x2e on the second SMBus channel of the
DFI Lanparty NF4 Expert motherboard. Accessing the chip reboots the
system. As there's nothing interesting on this SMBus channel, the
easiest and safest thing to do is to disable it on that board.

This is a better fix to bug #5889 than the it87 driver update that was
done originally:
http://bugzilla.kernel.org/show_bug.cgi?id=5889

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoUSB: fix build errors in ohci-omap.c and ohci-sm501.c
Greg Kroah-Hartman [Wed, 14 May 2008 19:21:22 +0000 (19:21 +0000)]
USB: fix build errors in ohci-omap.c and ohci-sm501.c

This fixes the build errors previously caused by
45fa78357eab3287b5c39f2d983b91150b3f4bd8

This makes the code mirror what went into Linus's tree previously.

Reported-by: Randy Dunlap <rdunlap@xenotime.net>
Cc: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agomemory_hotplug: always initialize pageblock bitmap
Heiko Carstens [Thu, 15 May 2008 02:45:16 +0000 (02:45 +0000)]
memory_hotplug: always initialize pageblock bitmap

commit 76cdd58e558669366adfaded436fda01b30cce3e upstream

Trying to online a new memory section that was added via memory hotplug
sometimes results in crashes when the new pages are added via __free_page.
 Reason for that is that the pageblock bitmap isn't initialized and hence
contains random stuff.  That means that get_pageblock_migratetype()
returns also random stuff and therefore

list_add(&page->lru,
&zone->free_area[order].free_list[migratetype]);

in __free_one_page() tries to do a list_add to something that isn't even
necessarily a list.

This happens since 86051ca5eaf5e560113ec7673462804c54284456 ("mm: fix
usemap initialization") which makes sure that the pageblock bitmap gets
only initialized for pages present in a zone.  Unfortunately for hot-added
memory the zones "grow" after the memmap and the pageblock memmap have
been initialized.  Which means that the new pages have an unitialized
bitmap.  To solve this the calls to grow_zone_span() and grow_pgdat_span()
are moved to __add_zone() just before the initialization happens.

The patch also moves the two functions since __add_zone() is the only
caller and I didn't want to add a forward declaration.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Cc: Andy Whitcroft <apw@shadowen.org>
Cc: Dave Hansen <haveblue@us.ibm.com>
Cc: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Yasunori Goto <y-goto@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agolibata: force hardreset if link is in powersave mode
Tejun Heo [Thu, 15 May 2008 13:14:57 +0000 (22:14 +0900)]
libata: force hardreset if link is in powersave mode

Inhibiting link PM mode doesn't bring the link back online if it's
already in powersave mode.  If SRST is used in these cases, libata EH
thinks that the link is offline and fails detection.  Force hardreset
if link is in powersave mode.

Signed-off-by: Tejun Heo <htejun@gmail.com>
Cc: Jeff Garzik <jeff@garzik.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoext3/4: fix uninitialized bs in ext3/4_xattr_set_handle()
Tiger Yang [Thu, 15 May 2008 02:45:18 +0000 (02:45 +0000)]
ext3/4: fix uninitialized bs in ext3/4_xattr_set_handle()

commit 7e01c8e5420b6c7f9d85d34c15d8c7a15c9fc720 upstream

This fix the uninitialized bs when we try to replace a xattr entry in
ibody with the new value which require more than free space.

This situation only happens we format ext3/4 with inode size more than 128 and
we have put xattr entries both in ibody and block.  The consequences about
this bug is we will lost the xattr block which pointed by i_file_acl with all
xattr entires in it.  We will alloc a new xattr block and put that large value
entry in it.  The old xattr block will become orphan block.

Signed-off-by: Tiger Yang <tiger.yang@oracle.com>
Cc: <linux-ext4@vger.kernel.org>
Cc: Andreas Gruenbacher <agruen@suse.de>
Acked-by: Andreas Dilger <adilger@sun.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoUSB: add Telstra NextG CDMA id to option driver
Greg Kroah-Hartman [Wed, 14 May 2008 19:21:22 +0000 (19:21 +0000)]
USB: add Telstra NextG CDMA id to option driver

commit 23cacd65f65956426bbca25964a68c174db83a31 upstream

As reported by Magnus Boman <captain.magnus@opensuse.org>

Cc: Magnus Boman <captain.magnus@opensuse.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoUSB: do not handle device 1410:5010 in 'option' driver
Eugeniy Meshcheryakov [Wed, 14 May 2008 19:21:09 +0000 (19:21 +0000)]
USB: do not handle device 1410:5010 in 'option' driver

commit cdafc37a7b727b75ced65e31e47dafbd8b70f97f upstream

This device is not a serial port, but a virtual CD-ROM device. For
example with my Novatel MC950D:

lsusb -v -d 1410:5010 | grep InterfaceClass
      bInterfaceClass         8 Mass Storage

After some time (ca. 5min) or if virtual CD is ejected, device id
changes to 1410:4400:

% lsusb -v -d 1410:4400 | grep InterfaceClass
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceClass       255 Vendor Specific Class

Variable name says that 0x5010 is a Novatel U727, but searching in
internet shows, that this device also provides virtual CD that should be
ejected before use. Product id for serial port in this case is 0x4100.

Signed-off-by: Eugeniy Meshcheryakov <eugen@debian.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoUSB: add Zoom Telephonics Model 3095F V.92 USB Mini External modem to cdc-acm
Iain McFarlane [Wed, 14 May 2008 19:21:19 +0000 (19:21 +0000)]
USB: add Zoom Telephonics Model 3095F V.92 USB Mini External modem to cdc-acm

commit 6149ed5e3a6207595bd7362af7724d64f44af216 upstream

The patch below is a necessary workaround to support the Zoom Telephonics Model 3095F V.92 USB Mini External modem, which fails to initialise properly during normal probing thus:

May  3 22:53:00 imcfarla kernel: drivers/usb/class/cdc-acm.c: Zero length descriptor references
May  3 22:53:00 imcfarla kernel: cdc_acm: probe of 5-2:1.0 failed with error -22

Adding the patch below causes the probing section to be skipped, and the modem
then initialises correctly.

Signed-off-by: Iain McFarlane <iain@imcfarla.homelinux.net>
Acked-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoUSB: option: add new Dell 5520 HSDPA variant
Dan Williams [Wed, 14 May 2008 19:20:56 +0000 (19:20 +0000)]
USB: option: add new Dell 5520 HSDPA variant

commit 96cb15cf977356d9d3117dd88f3fe187d6024f4b upstream

New variant of the 5520 found by Luke Sheldrick.

Signed-off-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoUSB: unusual_devs: Add support for GI 0401 SD-Card interface
Filip Aben [Wed, 14 May 2008 19:21:03 +0000 (19:21 +0000)]
USB: unusual_devs: Add support for GI 0401 SD-Card interface

commit e7c6f80fd733218aa1e79efa5d9ece9f76966160 upstream

Enables the SD-Card interface on the GI 0401 HSUPA card from Option.

The unusual_devs.h entry is necessary because the device descriptor is
vendor-specific. That prevents usb-storage from binding to it as an
interface driver.

This revised patch adds a small comment explaining why and reduces the
rev range.

T:  Bus=02 Lev=01 Prnt=01 Port=06 Cnt=01 Dev#=  3 Spd=480 MxCh= 0
D:  Ver= 2.00 Cls=ff(vend.) Sub=ff Prot=ff MxPS=64 #Cfgs=  1
P:  Vendor=0af0 ProdID=7401 Rev= 0.00
S:  Manufacturer=Option N.V.
S:  Product=Globetrotter HSUPA Modem
C:* #Ifs=10 Cfg#= 1 Atr=80 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 0 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
I:  If#= 0 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 1 Alt= 0 #EPs= 0 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
I:  If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 2 Alt= 0 #EPs= 0 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
I:  If#= 2 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 3 Alt= 0 #EPs= 0 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
I:  If#= 3 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 4 Alt= 0 #EPs= 0 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
I:  If#= 4 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 5 Alt= 0 #EPs= 0 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
I:  If#= 5 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 6 Alt= 0 #EPs= 0 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
I:  If#= 6 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 7 Alt= 0 #EPs= 0 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
I:  If#= 7 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=08(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 8 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
E:  Ad=89(I) Atr=03(Int.) MxPS=  64 Ivl=2ms
E:  Ad=8a(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=09(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms
I:* If#= 9 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage
E:  Ad=0a(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E:  Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms

Signed-off-by: Filip Aben <f.aben@option.com>
Signed-off-by: Phil Dibowitz <phil@ipom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoUSB: remove PICDEM FS USB demo (04d8:000c) device from ldusb
Xiaofan Chen [Wed, 14 May 2008 19:20:51 +0000 (19:20 +0000)]
USB: remove PICDEM FS USB demo (04d8:000c) device from ldusb

commit 5fc89390f74ac42165db477793fb30f6a200e79c upstream
Date: Tue, 13 May 2008 21:52:00 +0800
Subject: USB: remove PICDEM FS USB demo (04d8:000c) device from ldusb

Microchip has changed the PICDEM FS USB demo device (0x04d8:000c)
to use bulk transfer and not interrupt transfer. So I've updated the libusb
based program here (Post #31).
http://forum.microchip.com/tm.aspx?m=106426&mpage=2

So I believe that the in-kernel ldusb driver will no longer work with the
demo firmware.  It should be removed.

Signed-off-by: Xiaofan Chen <xiaofanc@gmail.com>
Cc: Michael Hund <MHund@LD-Didactic.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoPOWERPC Bolt in SLB entry for kernel stack on secondary cpus
Paul Mackerras [Tue, 13 May 2008 23:31:07 +0000 (09:31 +1000)]
POWERPC Bolt in SLB entry for kernel stack on secondary cpus

This is upstream as commit 3b5750644b2ffa2a76fdfe7b4e00e4af2ecf3539.

This fixes a regression reported by Kamalesh Bulabel where a POWER4
machine would crash because of an SLB miss at a point where the SLB
miss exception was unrecoverable.  This regression is tracked at:

http://bugzilla.kernel.org/show_bug.cgi?id=10082

SLB misses at such points shouldn't happen because the kernel stack is
the only memory accessed other than things in the first segment of the
linear mapping (which is mapped at all times by entry 0 of the SLB).
The context switch code ensures that SLB entry 2 covers the kernel
stack, if it is not already covered by entry 0.  None of entries 0
to 2 are ever replaced by the SLB miss handler.

Where this went wrong is that the context switch code assumes it
doesn't have to write to SLB entry 2 if the new kernel stack is in the
same segment as the old kernel stack, since entry 2 should already be
correct.  However, when we start up a secondary cpu, it calls
slb_initialize, which doesn't set up entry 2.  This is correct for
the boot cpu, where we will be using a stack in the kernel BSS at this
point (i.e. init_thread_union), but not necessarily for secondary
cpus, whose initial stack can be allocated anywhere.  This doesn't
cause any immediate problem since the SLB miss handler will just
create an SLB entry somewhere else to cover the initial stack.

In fact it's possible for the cpu to go quite a long time without SLB
entry 2 being valid.  Eventually, though, the entry created by the SLB
miss handler will get overwritten by some other entry, and if the next
access to the stack is at an unrecoverable point, we get the crash.

This fixes the problem by making slb_initialize create a suitable
entry for the kernel stack, if we are on a secondary cpu and the stack
isn't covered by SLB entry 0.  This requires initializing the
get_paca()->kstack field earlier, so I do that in smp_create_idle
where the current field is initialized.  This also abstracts a bit of
the computation that mk_esid_data in slb.c does so that it can be used
in slb_initialize.

Signed-off-by: Paul Mackerras <paulus@samba.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
16 years agoLinux 2.6.25.5 v2.6.25.5
Chris Wright [Fri, 6 Jun 2008 23:05:04 +0000 (16:05 -0700)]
Linux 2.6.25.5

16 years agoasn1: additional sanity checking during BER decoding (CVE-2008-1673)
Chris Wright [Wed, 4 Jun 2008 16:16:33 +0000 (09:16 -0700)]
asn1: additional sanity checking during BER decoding (CVE-2008-1673)

upstream commit: ddb2c43594f22843e9f3153da151deaba1a834c5

- Don't trust a length which is greater than the working buffer.
  An invalid length could cause overflow when calculating buffer size
  for decoding oid.

- An oid length of zero is invalid and allows for an off-by-one error when
  decoding oid because the first subid actually encodes first 2 subids.

- A primitive encoding may not have an indefinite length.

Thanks to Wei Wang from McAfee for report.

Cc: Steven French <sfrench@us.ibm.com>
Cc: stable@kernel.org
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
16 years agoLinux 2.6.25.4 v2.6.25.4
Greg Kroah-Hartman [Thu, 15 May 2008 15:00:12 +0000 (08:00 -0700)]
Linux 2.6.25.4

16 years agomd: fix raid5 'repair' operations
Dan Williams [Tue, 13 May 2008 19:10:11 +0000 (19:10 +0000)]
md: fix raid5 'repair' operations

commit c8894419acf5e56851de9741c5047bebd78acd1f upstream
Date: Mon, 12 May 2008 14:02:12 -0700
Subject: md: fix raid5 'repair' operations

commit bd2ab67030e9116f1e4aae1289220255412b37fd "md: close a livelock window
in handle_parity_checks5" introduced a bug in handling 'repair' operations.
After a repair operation completes we clear the state bits tracking this
operation.  However, they are cleared too early and this results in the code
deciding to re-run the parity check operation.  Since we have done the repair
in memory the second check does not find a mismatch and thus does not do a
writeback.

Test results:
$ echo repair > /sys/block/md0/md/sync_action
$ cat /sys/block/md0/md/mismatch_cnt
51072
$ echo repair > /sys/block/md0/md/sync_action
$ cat /sys/block/md0/md/mismatch_cnt
0

(also fix incorrect indentation)

Tested-by: George Spelvin <linux@horizon.com>
Acked-by: NeilBrown <neilb@suse.de>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agortc: rtc_time_to_tm: use unsigned arithmetic
Maciej W. Rozycki [Tue, 13 May 2008 19:10:10 +0000 (19:10 +0000)]
rtc: rtc_time_to_tm: use unsigned arithmetic

commit 945185a69daa457c4c5e46e47f4afad7dcea734f upstream
Date: Mon, 12 May 2008 14:02:24 -0700
Subject: rtc: rtc_time_to_tm: use unsigned arithmetic

The input argument to rtc_time_to_tm() is unsigned as well as are members of
the output structure.  However signed arithmetic is used within for
calculations leading to incorrect results for input values outside the signed
positive range.  If this happens the time of day returned is out of range.

Found the problem when fiddling with the RTC and the driver where year was set
to an unexpectedly large value like 2070, e.g.:

rtc0: setting system clock to 2070-01-01 1193046:71582832:26 UTC (3155760954)

while it should be:

rtc0: setting system clock to 2070-01-01 00:15:54 UTC (3155760954)

Changing types to unsigned fixes the problem.

[akpm@linux-foundation.org: remove old-fashioned `register' keyword]
Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org>
Cc: Alessandro Zummo <a.zummo@towertech.it>
Cc: David Brownell <david-b@pacbell.net>
Cc: Dmitri Vorobiev <dmitri.vorobiev@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoSCSI: aha152x: fix init suspiciously returned 1, it should follow 0/-E convention
James Bottomley [Tue, 13 May 2008 19:10:24 +0000 (19:10 +0000)]
SCSI: aha152x: fix init suspiciously returned 1, it should follow 0/-E convention

commit ad2fa42d044b98469449880474a9662fb689f7f9 upstream

Reported-by: Frank de Jong <frapex@xs4all.nl>
> [1.] One line summary of the problem:
> linux-2.6.25.3, aha152x'->init suspiciously returned 1, it should
> follow 0/-E convention. The module / driver works okay. Unloading the
> module is impossible.

The driver is apparently returning 0 on failure and 1 on success.
That's a bit unfortunate.  Fix it by altering to -ENODEV and 0.

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoSCSI: aha152x: Fix oops on module removal
James Bottomley [Tue, 13 May 2008 19:10:15 +0000 (19:10 +0000)]
SCSI: aha152x: Fix oops on module removal

commit 64976a0387835a7ac61bbe2a99b27ccae34eac5d upstream

Reported-by: Frank de Jong <frapex@xs4all.nl>
> after trying to unload the module:
> BUG: unable to handle kernel paging request at 00100100
> IP: [<fb9ff667>] :aha152x:aha152x_exit+0x47/0x6a
> *pde = 00000000
> Oops: 0000 [#1] PREEMPT SMP
> Modules linked in: aha152x(-) w83781d hwmon_vid tun ne 8390 bonding
> usb_storage snd_usb_audio snd_usb_lib snd_rawmidi pwc snd_seq_device
> compat_ioctl32 snd_hwdep videodev v4l1_compat 3c59x mii intel_agp
> agpgart snd_pcm_oss snd_pcm snd_timer snd_page_alloc snd_mixer_oss snd
>
> Pid: 2837, comm: rmmod Not tainted (2.6.25.3 #1)
> EIP: 0060:[<fb9ff667>] EFLAGS: 00210212 CPU: 0
> EIP is at aha152x_exit+0x47/0x6a [aha152x]
> EAX: 00000001 EBX: 000ffdc4 ECX: f7c517a8 EDX: 00000001
> ESI: 00000000 EDI: 00000003 EBP: e7880000 ESP: e7881f58
>   DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
> Process rmmod (pid: 2837, ti=e7880000 task=f27eb580 task.ti=e7880000)
> Stack: fba03700 c01419d2 31616861 00783235 e795ee70 c0157709 b7f24000 e79ae000
>         c0158271 ffffffff b7f25000 e79ae004 e795e370 b7f25000 e795e37c e795e370
>         009ae000 fba03700 00000880 e7881fa8 00000000 bf93ec20 bf93ec20 c0102faa
> Call Trace:
>   [<c01419d2>] sys_delete_module+0x112/0x1a0
>   [<c0157709>] remove_vma+0x39/0x50
>   [<c0158271>] do_munmap+0x181/0x1f0
>   [<c0102faa>] sysenter_past_esp+0x5f/0x85
>   [<c0490000>] rsc_parse+0x0/0x3c0

The problem is that the driver calls aha152x_release() under a
list_for_each_entry().  Unfortunately, aha152x_release() deletes from
the list in question.  Fix this by using list_for_each_entry_safe().

Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoSCSI: libiscsi regression in 2.6.25: fix setting of recv timer
Mike Christie [Tue, 13 May 2008 19:10:25 +0000 (19:10 +0000)]
SCSI: libiscsi regression in 2.6.25: fix setting of recv timer

commit c8611f975403dd20e6503aff8aded5dcb718f75b upstream

If the ping tmo is longer than the recv tmo then we could miss a window
where we were supposed to check the recv tmo. This happens because
the ping code will set the next timeout for the ping timeout, and if the
ping executes quickly there will be a long chunk of time before the
timer wakes up again.

This patch has the ping processing code kick off a recv
tmo check when getting a nop in response to our ping.

Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
16 years agoSCSI: libiscsi regression in 2.6.25: fix nop timer handling
Mike Christie [Tue, 13 May 2008 19:10:30 +0000 (19:10 +0000)]
SCSI: libiscsi regression in 2.6.25: fix nop timer handling

commit 4cf1043593db6a337f10e006c23c69e5fc93e722 upstream

The following patch fixes a bug in the iscsi nop processing.
The target sends iscsi nops to ping the initiator and the
initiator has to send nops to reply and can send nops to
ping the target.

In 2.6.25 we moved the nop processing to the kernel to handle
problems when the userspace daemon is not up, but the target
is pinging us, and to handle when scsi commands timeout, but
the transport may be the cause (we can send a nop to check
the transport). When we added this code we added a bug where
if the transport timer wakes at the exact same time we are supposed to check
for a nop timeout we drop the session instead of checking the transport.

This patch checks if a iscsi ping is outstanding and if the ping has
timed out, to determine if we need to signal a connection problem.

Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>