10 years agoNETROM: Fix use of static buffer
Ralf Baechle [Tue, 18 Aug 2009 01:05:32 +0000]
NETROM: Fix use of static buffer

The static variable used by nr_call_to_digi might result in corruption if
multiple threads are trying to usee a node or neighbour via ioctl.  Fixed
by having the caller pass a structure in.  This is safe because nr_add_node
rsp. nr_add_neigh will allocate a permanent structure, if needed.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoe1000e: fix use of pci_enable_pcie_error_reporting
Xiaotian Feng [Fri, 14 Aug 2009 14:35:52 +0000]
e1000e: fix use of pci_enable_pcie_error_reporting

commit 111b9dc5 ("e1000e: add aer support") introduces pcie aer
support for e1000e, but it is not reasonable to disable it in
e1000_remove but enable it in e1000_resume.  This patch enables aer
support in e1000_probe.

Signed-off-by: Xiaotian Feng <dfeng@redhat.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoe1000e: WoL does not work on 82577/82578 with manageability enabled
Bruce Allan [Fri, 14 Aug 2009 14:35:33 +0000]
e1000e: WoL does not work on 82577/82578 with manageability enabled

With manageability (Intel AMT) enabled via BIOS, PHY wakeup does not get
configured on newer parts which use PHY wakeup vs. MAC wakeup which causes
WoL to not work.  The driver should configure PHY wakeup whether or not
manageability is enabled.

Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agocnic: Fix locking in init/exit calls.
Michael Chan [Fri, 14 Aug 2009 15:49:47 +0000]
cnic: Fix locking in init/exit calls.

The slow path ulp_init and ulp_exit calls to the bnx2i driver
are sleepable calls and therefore should not be protected using
rcu_read_lock.  Fix it by using mutex and refcount during these
calls.  cnic_unregister_driver() will now wait for the refcount
to go to zero before completing the call.

Signed-off-by: Michael Chan <mchan@broadcom.com>
Reviewed-by: Benjamin Li <benli@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agocnic: Fix locking in start/stop calls.
Michael Chan [Fri, 14 Aug 2009 15:49:46 +0000]
cnic: Fix locking in start/stop calls.

The slow path ulp_start and ulp_stop calls to the bnx2i driver
are sleepable calls and therefore should not be protected using
rcu_read_lock.  Fix it by using mutex and setting a bit during
these calls.  cnic_unregister_device() will now wait for the bit
to clear before completing the call.

Signed-off-by: Michael Chan <mchan@broadcom.com>
Reviewed-by: Benjamin Li <benli@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agobnx2: Use mutex on slow path cnic calls.
Michael Chan [Fri, 14 Aug 2009 15:49:45 +0000]
bnx2: Use mutex on slow path cnic calls.

The slow path calls to the cnic driver are sleepable calls so we
cannot use rcu_read_lock().  Use mutex for these slow path calls

Signed-off-by: Michael Chan <mchan@broadcom.com>
Reviewed-by: Benjamin Li <benli@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agocnic: Refine registration with bnx2.
Michael Chan [Fri, 14 Aug 2009 15:49:44 +0000]
cnic: Refine registration with bnx2.

Register and unregister with bnx2 during NETDEV_UP and NETDEV_DOWN
events.  This simplifies the sequence of events and allows locking
fixes in the next patch.

Signed-off-by: Michael Chan <mchan@broadcom.com>
Reviewed-by: Benjamin Li <benli@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agocnic: Fix symbol_put_addr() panic on ia64.
Michael Chan [Fri, 14 Aug 2009 15:49:43 +0000]
cnic: Fix symbol_put_addr() panic on ia64.

When the cnic driver tries to grab a symbol from bnx2 when bnx2 is
running init code, symbol_get() will succeed but symbol_put_addr()
will hit BUG() a moment later.  module_text_address() fails because
bnx2 is still in init code.

This is fixed by using symbol_put() instead which does the exact
opposite of symbol_get().

Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agogre: Fix MTU calculation for bound GRE tunnels
Tom Goff [Fri, 14 Aug 2009 23:33:56 +0000]
gre: Fix MTU calculation for bound GRE tunnels

The GRE header length should be subtracted when the tunnel MTU is
calculated.  This just corrects for the associativity change
introduced by commit 42aa916265d740d66ac1f17290366e9494c884c2
("gre: Move MTU setting out of ipgre_tunnel_bind_dev").

Signed-off-by: Tom Goff <thomas.goff@boeing.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agopegasus: Add new device ID.
Petko Manolov [Fri, 14 Aug 2009 06:40:48 +0000]
pegasus: Add new device ID.

Add new definition to 'pegasus.h' for support Japanese IO DATA
"ETX-US2" USB Ethernet Adapter.


Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agodrivers/net: fixed drivers that support netpoll use ndo_start_xmit()
Dongdong Deng [Thu, 13 Aug 2009 19:12:31 +0000]
drivers/net: fixed drivers that support netpoll use ndo_start_xmit()

The NETPOLL API requires that interrupts remain disabled in
netpoll_send_skb(). The use of spin_lock_irq() and spin_unlock_irq()
in the NETPOLL API callbacks causes the interrupts to get enabled and
can lead to kernel instability.

The solution is to use spin_lock_irqsave() and spin_unlock_restore()
to prevent the irqs from getting enabled while in netpoll_send_skb().

Call trace:
   -> local_irq_save(flags)
     ---> dev->ndo_start_xmit(skb, dev)
         ---> spin_lock_irq()
         ---> spin_unlock_irq() *******here would enable the interrupt.
   -> local_irq_restore(flags)

Signed-off-by: Dongdong Deng <dongdong.deng@windriver.com>
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Acked-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Acked-by: Matt Mackall <mpm@selenic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agovia-velocity: Fix test of mii_status bit VELOCITY_DUPLEX_FULL
roel kluin [Fri, 14 Aug 2009 02:09:56 +0000]
via-velocity: Fix test of mii_status bit VELOCITY_DUPLEX_FULL

Test whether VELOCITY_DUPLEX_FULL bit is set in mii_status.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirel...
David S. Miller [Fri, 14 Aug 2009 19:27:19 +0000]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6

10 years agort2x00: fix memory corruption in rf cache, add a sanity check
Pavel Roskin [Tue, 4 Aug 2009 21:48:16 +0000]
rt2x00: fix memory corruption in rf cache, add a sanity check

Change rt2x00_rf_read() and rt2x00_rf_write() to subtract 1 from the rf
register number.  This is needed because the rf registers are enumerated
starting with one.  The size of the rf register cache is just enough to
hold all registers, so writing to the highest register was corrupting
memory.  Add a check to make sure that the rf register number is valid.

Signed-off-by: Pavel Roskin <proski@gnu.org>
Cc: stable@kernel.org
Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

10 years agoixgbe: Fix receive on real device when VLANs are configured
Lucy Liu [Thu, 13 Aug 2009 14:09:38 +0000]
ixgbe: Fix receive on real device when VLANs are configured

Traffic received with a priority tag (VID = 0) and non-zero priority value was
incorrectly handled by the VLAN packet code path due to a check on zero for
the whole VLAN tag instead of just the VID.

This patch masked out the priority field when checking the vlan tag for
received VLAN packets.

Signed-off-by: Lucy Liu <lucy.liu@intel.com>
Acked-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoixgbe: Do not return 0 in ixgbe_fcoe_ddp() upon FCP_RSP in DDP completion
Yi Zou [Thu, 13 Aug 2009 14:09:58 +0000]
ixgbe: Do not return 0 in ixgbe_fcoe_ddp() upon FCP_RSP in DDP completion

We return the ddp->len in ixgbe_fcoe_ddp() to indicate the length of data that
have been DDPed. However, it is possible that the length is 0, e.g., for SCSI
READ, the FCP_RSP may come back w/ SCSI status 0x28 as Task Set Full with no FCP
data for DDP. In ixgbe_fcoe_ddp(), we return 0 to indicate not passing DDPed
packets to upper layer. Therefore in the case of ddp->len being 0 upon FCP_RSP,
we do not want to return the 0 ddp->len as we want FCP_RSP to be always
delivered to the upper layer. This patch fixes this bug by setting rc only if
ddp->len is non-zero.

Signed-off-by: Yi Zou <yi.zou@intel.com>
Acked-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agonetxen: free napi resources during detach
Dhananjay Phadke [Thu, 13 Aug 2009 07:03:01 +0000]
netxen: free napi resources during detach

o Defer napi resouce allocation to device attach.

o Free napi resources and delete napi during detach.

This ensures right behavior across firmware reset.

Signed-off-by: Dhananjay Phadke <dhananjay@netxen.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agonetxen: remove netxen workqueue
Amit Kumar Salecha [Thu, 13 Aug 2009 07:03:00 +0000]
netxen: remove netxen workqueue

o Remove private workqueue in the driver, move all
  scheduled tasks to keventd workqueues. This makes
  ports (interfaces) of same / different NIC boards
  independent, in terms of their link watchdog and
  reset tasks.

o Move quick checks for link status and temperature
  in timer callback, schedule watchdog task only if
  link status changed or temperature reached critical

This also fixes deadlock when thermal panic occurs,
watchdog work was flushing workqueue that it was
sitting on.

Signed-off-by: Amit Kumar Salecha <amit@qlogic.com>
Signed-off-by: Dhananjay Phadke <dhananjay@netxen.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoixgbe: fix issues setting rx-usecs with legacy interrupts
Don Skidmore [Tue, 11 Aug 2009 13:18:14 +0000]
ixgbe: fix issues setting rx-usecs with legacy interrupts

Currently setting rx-usecs when the interface is in legacy interrupt
mode it is not immediate.  We were only setting EITR for each MSIx
vector and since this count would be zero for legacy mode it wasn't
set until after a reset.  This patch corrects that by checking what
mode we are in and then setting EITR accordingly.

Signed-off-by: Don Skidmore <donald.skidmore@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agocan: fix oops caused by wrong rtnl newlink usage
Oliver Hartkopp [Tue, 11 Aug 2009 02:41:24 +0000]
can: fix oops caused by wrong rtnl newlink usage

For 'real' hardware CAN devices the netlink interface is used to set CAN
specific communication parameters. Real CAN hardware can not be created with
the ip tool ...

The invocation of 'ip link add type can' lead to an oops as the standard rtnl
newlink function was called:


This patch adds a private newlink function for the CAN device driver interface
that unconditionally returns -EOPNOTSUPP.

Signed-off-by: Oliver Hartkopp <oliver@hartkopp.net>
Reported-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
CC: Patrick McHardy <kaber@trash.net>
CC: Wolfgang Grandegger <wg@grandegger.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agomac80211: fix panic when splicing unprepared TIDs
Luis R. Rodriguez [Tue, 11 Aug 2009 20:10:33 +0000]
mac80211: fix panic when splicing unprepared TIDs

We splice skbs from the pending queue for a TID
onto the local pending queue when tearing down a
block ack request. This is not necessary unless we
actually have received a request to start a block ack
request (rate control, for example). If we never received
that request we should not be splicing the tid pending
queue as it would be null, causing a panic.

Not sure yet how exactly we allowed through a call when the
tid state does not have at least HT_ADDBA_REQUESTED_MSK set,
that will require some further review as it is not quite

For more information see the bug report:


This fixes this oops:

BUG: unable to handle kernel NULL pointer dereference at 00000030
IP: [<f8806c70>] ieee80211_agg_splice_packets+0x40/0xc0 [mac80211]
*pdpt = 0000000002d1e001 *pde = 0000000000000000
Thread overran stack, or stack corrupted
Oops: 0000 [#1] SMP
last sysfs file: /sys/module/aes_generic/initstate
Modules linked in: <bleh>

Pid: 0, comm: swapper Not tainted (2.6.31-rc5-wl #2) Dell DV051
EIP: 0060:[<f8806c70>] EFLAGS: 00010292 CPU: 0
EIP is at ieee80211_agg_splice_packets+0x40/0xc0 [mac80211]
EAX: 00000030 EBX: 0000004c ECX: 00000003 EDX: 00000000
ESI: c1c98000 EDI: f745a1c0 EBP: c076be58 ESP: c076be38
 DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
Process swapper (pid: 0, ti=c076a000 task=c0709160 task.ti=c076a000)
Stack: <bleh2>
Call Trace:
 [<f8806edb>] ? ieee80211_stop_tx_ba_cb+0xab/0x150 [mac80211]
 [<f8802f1e>] ? ieee80211_tasklet_handler+0xce/0x110 [mac80211]
 [<c04862ff>] ? net_rx_action+0xef/0x1d0
 [<c0149378>] ? tasklet_action+0x58/0xc0
 [<c014a0f2>] ? __do_softirq+0xc2/0x190
 [<c018eb48>] ? handle_IRQ_event+0x58/0x140
 [<c01205fe>] ? ack_apic_level+0x7e/0x270
 [<c014a1fd>] ? do_softirq+0x3d/0x40
 [<c014a345>] ? irq_exit+0x65/0x90
 [<c010a6af>] ? do_IRQ+0x4f/0xc0
 [<c014a35d>] ? irq_exit+0x7d/0x90
 [<c011d547>] ? smp_apic_timer_interrupt+0x57/0x90
 [<c01094a9>] ? common_interrupt+0x29/0x30
 [<c010fd9e>] ? mwait_idle+0xbe/0x100
 [<c0107e42>] ? cpu_idle+0x52/0x90
 [<c054b1a5>] ? rest_init+0x55/0x60
 [<c077492d>] ? start_kernel+0x315/0x37d
 [<c07743ce>] ? unknown_bootoption+0x0/0x1f9
 [<c0774099>] ? i386_start_kernel+0x79/0x81
Code: <bleh3>
EIP: [<f8806c70>] ieee80211_agg_splice_packets+0x40/0xc0 [mac80211] SS:ESP 0068:c076be38
CR2: 0000000000000030

Cc: stable@kernel.org
Testedy-by: Jack Lau <jackelectronics@hotmail.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

10 years ago8139cp: balance dma_map_single vs dma_unmap_single pair
Francois Romieu [Thu, 13 Aug 2009 05:18:14 +0000]
8139cp: balance dma_map_single vs dma_unmap_single pair

The driver always:
1. allocate cp->rx_buf_sz + NET_IP_ALIGN
2. map cp->rx_buf_sz

Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoRevert "libertas: Read buffer overflow"
David S. Miller [Thu, 13 Aug 2009 00:37:52 +0000]
Revert "libertas: Read buffer overflow"

This reverts commit 57921c312e8cef72ba35a4cfe870b376da0b1b87.

On request from John Linville:

It has been shown to create a new problem.  There is work
towards a solution to that one, but it isn't a simple

Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoar9170: fix read & write outside array bounds
Dan Carpenter [Sun, 9 Aug 2009 12:24:09 +0000]
ar9170: fix read & write outside array bounds

queue == __AR9170_NUM_TXQ would cause a bug on the next line.

found by Smatch ( http://repo.or.cz/w/smatch.git ).

Cc: stable@kernel.org
Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

10 years agoar9170usb: fix spurious firmware related message
Christian Lamparter [Sat, 8 Aug 2009 15:09:48 +0000]
ar9170usb: fix spurious firmware related message

When ar9170-2.fw was missing, the driver erroneously complained
about missing the initialization values file ar9170-1.fw...

Signed-off-by: Christian Lamparter <chunkeey@web.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

10 years agomlx4_en: Fix read buffer overflow in mlx4_en_complete_rx_desc()
roel kluin [Sat, 8 Aug 2009 23:54:21 +0000]
mlx4_en: Fix read buffer overflow in mlx4_en_complete_rx_desc()

If the length is less or equal to frag_prefix_size in the first iteration
we write skb_frags_rx[-1] and read from priv->frag_info[-1]

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agozorro8390: Fix read buffer overflow in zorro8390_init_one()
roel kluin [Sun, 9 Aug 2009 04:00:25 +0000]
zorro8390: Fix read buffer overflow in zorro8390_init_one()

Prevent read from cards[-1] when no card was found.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agopcnet32: Read buffer overflow
roel kluin [Fri, 7 Aug 2009 03:24:27 +0000]
pcnet32: Read buffer overflow

An `options[cards_found]' that equals `sizeof(options_mapping)' is already beyond
the array.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agosctp: fix missing destroy of percpu counter variable in sctp_proc_exit()
Rafael Laufer [Fri, 7 Aug 2009 05:17:17 +0000]
sctp: fix missing destroy of percpu counter variable in sctp_proc_exit()

Commit 1748376b6626acf59c24e9592ac67b3fe2a0e026,
net: Use a percpu_counter for sockets_allocated

added percpu_counter function calls to sctp_proc_init code path, but
forgot to add them to sctp_proc_exit().  This resulted in a following
Ooops when performing this test
# modprobe sctp
# rmmod -f sctp
# modprobe sctp

[  573.862512] BUG: unable to handle kernel paging request at f8214a24
[  573.862518] IP: [<c0308b8f>] __percpu_counter_init+0x3f/0x70
[  573.862530] *pde = 37010067 *pte = 00000000
[  573.862534] Oops: 0002 [#1] SMP
[  573.862537] last sysfs file: /sys/module/libcrc32c/initstate
[  573.862540] Modules linked in: sctp(+) crc32c libcrc32c binfmt_misc bridge
stp bnep lp snd_hda_codec_analog snd_hda_intel snd_hda_codec snd_hwdep
snd_pcm_oss snd_mixer_oss arc4 joydev snd_pcm ecb pcmcia snd_seq_dummy
snd_seq_oss iwlagn iwlcore snd_seq_midi snd_rawmidi snd_seq_midi_event
yenta_socket rsrc_nonstatic thinkpad_acpi snd_seq snd_timer snd_seq_device
mac80211 psmouse sdhci_pci sdhci nvidia(P) ppdev video snd soundcore serio_raw
pcspkr iTCO_wdt iTCO_vendor_support led_class ricoh_mmc pcmcia_core intel_agp
nvram agpgart usbhid parport_pc parport output snd_page_alloc cfg80211 btusb
ohci1394 ieee1394 e1000e [last unloaded: sctp]
[  573.862589]
[  573.862593] Pid: 5373, comm: modprobe Tainted: P  R        (2.6.31-rc3 #6)
[  573.862596] EIP: 0060:[<c0308b8f>] EFLAGS: 00010286 CPU: 1
[  573.862599] EIP is at __percpu_counter_init+0x3f/0x70
[  573.862602] EAX: f8214a20 EBX: f80faa14 ECX: c48c0000 EDX: f80faa20
[  573.862604] ESI: f80a7000 EDI: 00000000 EBP: f69d5ef0 ESP: f69d5eec
[  573.862606]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[  573.862610] Process modprobe (pid: 5373, ti=f69d4000 task=c2130c70
[  573.862612] Stack:
[  573.862613]  00000000 f69d5f18 f80a70a8 f80fa9fc 00000000 fffffffc f69d5f30
[  573.862619] <0> 00000000 f80a7000 00000000 f69d5f88 c010112b 00000000
c07029c0 fffffffb
[  573.862626] <0> 00000000 f69d5f38 c018f83f f69d5f54 c0557cad f80fa860
00000001 c07010c0
[  573.862634] Call Trace:
[  573.862644]  [<f80a70a8>] ? sctp_init+0xa8/0x7d4 [sctp]
[  573.862650]  [<c018e2d4>] ? marker_update_probe_range+0x184/0x260
[  573.862659]  [<f80a7000>] ? sctp_init+0x0/0x7d4 [sctp]
[  573.862662]  [<c010112b>] ? do_one_initcall+0x2b/0x160
[  573.862666]  [<c018f83f>] ? tracepoint_module_notify+0x2f/0x40
[  573.862671]  [<c0557cad>] ? notifier_call_chain+0x2d/0x70
[  573.862678]  [<c01588fd>] ? __blocking_notifier_call_chain+0x4d/0x60
[  573.862682]  [<c016b2f1>] ? sys_init_module+0xb1/0x1f0
[  573.862686]  [<c0102ffc>] ? sysenter_do_call+0x12/0x28
[  573.862688] Code: 89 48 08 b8 04 00 00 00 e8 df aa ec ff ba f4 ff ff ff 85
c0 89 43 14 74 31 b8 b0 18 71 c0 e8 19 b9 24 00 a1 c4 18 71 c0 8d 53 0c <89> 50
04 89 43 0c b8 b0 18 71 c0 c7 43 10 c4 18 71 c0 89 15 c4
[  573.862725] EIP: [<c0308b8f>] __percpu_counter_init+0x3f/0x70 SS:ESP
[  573.862730] CR2: 00000000f8214a24
[  573.862734] ---[ end trace 39c4e0b55e7cf54d ]---

Signed-off-by: Rafael Laufer <rlaufer@cisco.com>
Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Joe Perches [Fri, 7 Aug 2009 06:43:01 +0000]

Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agogianfar: keep vlan related state when restart
Yong Zhang [Fri, 7 Aug 2009 16:36:52 +0000]
gianfar: keep vlan related state when restart

If vlan has been enabled. ifdown followed by ifup will lost hardware
related state.

Also remove duplicated operation in gfar_vlan_rx_register().

Signed-off-by: Yong Zhang <yong.zhang0@gmail.com>
Acked-by: Dai Haruki <dai.haruki@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoe1000e: fix potential NVM corruption on ICH9 with 8K bank size
Bruce Allan [Fri, 7 Aug 2009 07:41:56 +0000]
e1000e: fix potential NVM corruption on ICH9 with 8K bank size

The bank offset was being incorrectly calculated on ICH9 parts with a bank
size of 8K (instead of the more common 4K bank) which would cause any NVM
writes to be done on the wrong address after switching from bank 1 to bank
0.  Additionally, assume we are meant to use bank 0 if a valid bank is not
detected, and remove the unnecessary acquisition of the SW/FW/HW semaphore
when writing to the shadow ram version of the NVM image.

Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoe1000e: fix acquisition of SW/FW/HW semaphore for ICHx parts
Bruce Allan [Fri, 7 Aug 2009 07:41:37 +0000]
e1000e: fix acquisition of SW/FW/HW semaphore for ICHx parts

For ICHx parts, write the EXTCNF_CTRL.SWFLAG bit once when trying to
acquire the SW/FW/HW semaphore instead of multiple times to prevent the
hardware from having problems (especially for systems with manageability
enabled), and extend the timeout for the hardware to set the SWFLAG bit.

Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoixgbe: Disable packet split only on FCoE queues in 82599
Yi Zou [Thu, 6 Aug 2009 13:05:44 +0000]
ixgbe: Disable packet split only on FCoE queues in 82599

For 82599, packet split has to be disabled for FCoE direct data placement.
However, this is only required on received queues allocated for FCoE. This
patch adds a per ring flags to indicate if packet split is disabled on a
per queue basis, particularly for FCoE, as packet split must be disabled
for large receive using direct data placement (DDP).

Signed-off-by: Yi Zou <yi.zou@intel.com>
Acked-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoixgbe: Pass rx_ring directly in ixgbe_configure_srrctl()
Yi Zou [Thu, 6 Aug 2009 13:05:23 +0000]
ixgbe: Pass rx_ring directly in ixgbe_configure_srrctl()

Instead of passing the register index of the corresponding rx_ring and find
the way back to get to corresponding rx_ring in ixgbe_configure_srrctl(),
simplify the function ixgbe_configure_srrctl() by passing the rx_ring into
it. Then the register index for that rx_ring is already available from

Signed-off-by: Yi Zou <yi.zou@intel.com>
Acked-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agotun: Extend RTNL lock coverage over whole ioctl
Herbert Xu [Thu, 6 Aug 2009 14:22:44 +0000]
tun: Extend RTNL lock coverage over whole ioctl

As it is, parts of the ioctl runs under the RTNL and parts of
it do not.  The unlocked section is still protected by the BKL,
but there can be subtle races.  For example, Eric Biederman and
Paul Moore observed that if two threads tried to create two tun
devices on the same file descriptor, then unexpected results
may occur.

As there isn't anything in the ioctl that is expected to sleep
indefinitely, we can prevent this from occurring by extending
the RTNL lock coverage.

This also allows to get rid of the BKL.

Finally, I changed tun_get_iff to take a tun device in order to
avoid calling tun_put which would dead-lock as it also tries to
take the RTNL lock.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agofec: fix FEC driver packet transmission breakage
Greg Ungerer [Thu, 6 Aug 2009 17:58:18 +0000]
fec: fix FEC driver packet transmission breakage

Commit f0b3fbeae11a526c3d308b691684589ee37c359b ("FEC Buffer rework")
breaks transmission of packets where the skb data buffer is not memory
aligned according to FEC_ALIGNMENT. It incorrectly passes to
dma_sync_single() the buffer address directly from the skb, instead of
the address calculated for use (which may be the skb address or one of
the bounce buffers).

It seems there is no use converting the cpu address of the buffer to
a physical either, since dma_map_single() expects the cpu address and
will return the dma address to use in the descriptor. So remove the use
of __pa() on the buffer address as well.

This patch is against 2.6.30-rc5. This breakage is a regression over
2.6.30, which does not have this problem.

Signed-off-by: Greg Ungerer <gerg@uclinux.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agocan: Fix raw_getname() leak
Eric Dumazet [Thu, 6 Aug 2009 20:27:04 +0000]
can: Fix raw_getname() leak

raw_getname() can leak 10 bytes of kernel memory to user

(two bytes hole between can_family and can_ifindex,
8 bytes at the end of sockaddr_can structure)

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Oliver Hartkopp <oliver@hartkopp.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoFix xfrm hash collisions by changing __xfrm4_daddr_saddr_hash to hash addresses with...
Jussi Mäki [Thu, 6 Aug 2009 21:38:14 +0000]
Fix xfrm hash collisions by changing __xfrm4_daddr_saddr_hash to hash addresses with addition

This patch fixes hash collisions in cases where number
of entries have incrementing IP source and destination addresses
from single respective subnets (i.e.,, and so on.).

Signed-off-by: Jussi Maki <joamaki@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoatlx: strncpy does not null terminate string
Roel Kluin [Thu, 6 Aug 2009 13:06:56 +0000]
atlx: strncpy does not null terminate string

strlcpy() will always null terminate the string.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Cc: Jay Cliburn <jcliburn@gmail.com>
Cc: Chris Snook <csnook@redhat.com>
Cc: Jie Yang <jie.yang@atheros.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoirda: fix read buffer overflow
Roel Kluin [Thu, 6 Aug 2009 13:06:03 +0000]
irda: fix read buffer overflow

io[i] is read before the bounds check on i, order should be reversed.

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Cc: Samuel Ortiz <samuel@sortiz.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoMAINTAINERS: update atlx contact info
Chris Snook [Thu, 6 Aug 2009 12:19:31 +0000]
MAINTAINERS: update atlx contact info

Update MAINTAINERS to reflect my current (non-)affiliation.  Anyone

Signed-off-by: Chris Snook <chris.snook@gmail.com>
Cc: Jay Cliburn <jcliburn@gmail.com>
Cc: Jie Yang <jie.yang@atheros.com>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

10 years agoMerge branch 'master' of /home/davem/src/GIT/linux-2.6/
David S. Miller [Mon, 10 Aug 2009 04:29:47 +0000]
Merge branch 'master' of /home/davem/src/GIT/linux-2.6/

10 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirel...
David S. Miller [Mon, 10 Aug 2009 03:47:39 +0000]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6

10 years agoMerge branch 'for-linus' of git://git.infradead.org/ubi-2.6
Linus Torvalds [Sun, 9 Aug 2009 21:58:34 +0000]
Merge branch 'for-linus' of git://git.infradead.org/ubi-2.6

* 'for-linus' of git://git.infradead.org/ubi-2.6:
  UBI: compatible fallback in absense of sequence numbers
  UBI: fix double free on error path

10 years agoMerge branch 'kvm-updates/2.6.31' of git://git.kernel.org/pub/scm/virt/kvm/kvm
Linus Torvalds [Sun, 9 Aug 2009 21:58:21 +0000]
Merge branch 'kvm-updates/2.6.31' of git://git./virt/kvm/kvm

* 'kvm-updates/2.6.31' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
  KVM: Avoid redelivery of edge interrupt before next edge
  KVM: MMU: limit rmap chain length
  KVM: ia64: fix build failures due to ia64/unsigned long mismatches
  KVM: Make KVM_HPAGES_PER_HPAGE unsigned long to avoid build error on powerpc
  KVM: fix ack not being delivered when msi present
  KVM: s390: fix wait_queue handling
  KVM: VMX: Fix locking imbalance on emulation failure
  KVM: VMX: Fix locking order in handle_invalid_guest_state
  KVM: MMU: handle n_free_mmu_pages > n_alloc_mmu_pages in kvm_mmu_change_mmu_pages
  KVM: SVM: force new asid on vcpu migration
  KVM: x86: verify MTRR/PAT validity
  KVM: PIT: fix kpit_elapsed division by zero

10 years agoMerge branch 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied...
Linus Torvalds [Sun, 9 Aug 2009 21:58:09 +0000]
Merge branch 'drm-fixes' of git://git./linux/kernel/git/airlied/drm-2.6

* 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
  drm/i915: silence vblank warnings
  drm: silence pointless vblank warning.
  drm: When adding probed modes, preserve duplicate mode types

10 years agoMerge branch 'timers-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Sun, 9 Aug 2009 21:57:41 +0000]
Merge branch 'timers-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'timers-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  posix_cpu_timers_exit_group(): Do not use thread_group_cputimer()

10 years agoMerge branch 'tracing-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Sun, 9 Aug 2009 21:57:26 +0000]
Merge branch 'tracing-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'tracing-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  perf_counter: Fix/complete ftrace event records sampling
  perf_counter, ftrace: Fix perf_counter integration
  tracing/filters: Always free pred on filter_add_subsystem_pred() failure
  tracing/filters: Don't use pred on alloc failure
  ring-buffer: Fix memleak in ring_buffer_free()
  tracing: Fix recordmcount.pl to handle sections with only weak functions
  ring-buffer: Fix advance of reader in rb_buffer_peek()
  tracing: do not use functions starting with .L in recordmcount.pl
  ring-buffer: do not disable ring buffer on oops_in_progress
  ring-buffer: fix check of try_to_discard result

10 years agoMerge branch 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Sun, 9 Aug 2009 21:57:09 +0000]
Merge branch 'x86-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  x86: fix buffer overflow in efi_init()
  x86: Add quirk to make Apple MacBookPro5,1 use reboot=pci
  x86: Fix MSI-X initialization by using online_mask for x2apic target_cpus
  x86: Fix VMI && stack protector

10 years agoMerge branch 'core-fixes-for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Sun, 9 Aug 2009 21:56:51 +0000]
Merge branch 'core-fixes-for-linus-2' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'core-fixes-for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  lockdep: Fix typos in documentation
  lockdep: Fix file mode of lock_stat
  rtmutex: Avoid deadlock in rt_mutex_start_proxy_lock()

10 years agoperf_counter: Fix/complete ftrace event records sampling
Frederic Weisbecker [Thu, 6 Aug 2009 23:25:54 +0000]
perf_counter: Fix/complete ftrace event records sampling

This patch implements the kernel side support for ftrace event
record sampling.

A new counter sampling attribute is added:


which requests ftrace events record sampling. In this case
if a PERF_TYPE_TRACEPOINT counter is active and a tracepoint
fires, we emit the tracepoint binary record to the
perfcounter event buffer, as a sample.

Result, after setting PERF_SAMPLE_TP_RECORD attribute from perf

 perf record -f -F 1 -a -e workqueue:workqueue_execution
 perf report -D

 0x21e18 [0x48]: event: 9
 . ... raw event: size 72 bytes
 .  0000:  09 00 00 00 01 00 48 00 d0 c7 00 81 ff ff ff ff  ......H........
 .  0010:  0a 00 00 00 0a 00 00 00 21 00 00 00 00 00 00 00  ........!......
 .  0020:  2b 00 01 02 0a 00 00 00 0a 00 00 00 65 76 65 6e  +...........eve
 .  0030:  74 73 2f 31 00 00 00 00 00 00 00 00 0a 00 00 00  ts/1...........
 .  0040:  e0 b1 31 81 ff ff ff ff                          .......
0x21e18 [0x48]: PERF_EVENT_SAMPLE (IP, 1): 10: 0xffffffff8100c7d0 period: 33

The raw ftrace binary record starts at offset 0020.


 struct trace_entry {
type = 0x2b = 43;
flags = 1;
preempt_count = 2;
pid = 0xa = 10;
tgid = 0xa = 10;

 thread_comm = "events/1"
 thread_pid  = 0xa = 10;
 func     = 0xffffffff8131b1e0 = flush_to_ldisc()

What will come next?

 - Userspace support ('perf trace'), 'flight data recorder' mode
   for perf trace, etc.

 - The unconditional copy from the profiling callback brings
   some costs however if someone wants no such sampling to
   occur, and needs to be fixed in the future. For that we need
   to have an instant access to the perf counter attribute.
   This is a matter of a flag to add in the struct ftrace_event.

 - Take care of the events recursivity! Don't ever try to record
   a lock event for example, it seems some locking is used in
   the profiling fast path and lead to a tracing recursivity.
   That will be fixed using raw spinlock or recursivity

 - [...]

 - Profit! :-)

Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Li Zefan <lizf@cn.fujitsu.com>
Cc: Tom Zanussi <tzanussi@gmail.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Mike Galbraith <efault@gmx.de>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Paul Mackerras <paulus@samba.org>
Cc: Pekka Enberg <penberg@cs.helsinki.fi>
Cc: Gabriel Munteanu <eduard.munteanu@linux360.ro>
Cc: Lai Jiangshan <laijs@cn.fujitsu.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>

10 years agoperf_counter, ftrace: Fix perf_counter integration
Peter Zijlstra [Tue, 21 Jul 2009 15:34:57 +0000]
perf_counter, ftrace: Fix perf_counter integration

Adds possible second part to the assign argument of TP_EVENT().


Which, when specified make the swcounter increment with @foo instead
of the usual 1, and report @bar for PERF_SAMPLE_ADDR (data address
associated with the event) when this triggers a counter overflow.

Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Acked-by: Steven Rostedt <rostedt@goodmis.org>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Jason Baron <jbaron@redhat.com>
Cc: Paul Mackerras <paulus@samba.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>

10 years agoMerge branch 'linus' into tracing/urgent
Ingo Molnar [Sun, 9 Aug 2009 10:46:45 +0000]
Merge branch 'linus' into tracing/urgent

Merge reason: Merge up to almost-rc6 to pick up latest perfcounters
              (on which we'll queue up a dependent fix)

Signed-off-by: Ingo Molnar <mingo@elte.hu>

10 years agoKVM: Avoid redelivery of edge interrupt before next edge
Gleb Natapov [Sun, 5 Jul 2009 15:48:11 +0000]
KVM: Avoid redelivery of edge interrupt before next edge

The check for an edge is broken in current ioapic code. ioapic->irr is
cleared on each edge interrupt by ioapic_service() and this makes
old_irr != ioapic->irr condition in kvm_ioapic_set_irq() to be always
true. The patch fixes the code to properly recognise edge.

Some HW emulation calls set_irq() without level change. If each such
call is propagated to an OS it may confuse a device driver. This is the
case with keyboard device emulation and Windows XP x64  installer on SMP VM.
Each keystroke produce two interrupts (down/up) one interrupt is
submitted to CPU0 and another to CPU1. This confuses Windows somehow
and it ignores keystrokes.

Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Avi Kivity <avi@redhat.com>

10 years agox86: fix buffer overflow in efi_init()
Roel Kluin [Thu, 6 Aug 2009 22:58:13 +0000]
x86: fix buffer overflow in efi_init()

If the vendor name (from c16) can be longer than 100 bytes (or missing a
terminating null), then the null is written past the end of vendor[].

Found with Parfait, http://research.sun.com/projects/parfait/

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Cc: Huang Ying <ying.huang@intel.com>

10 years agodrm/i915: silence vblank warnings
Frans Pop [Sun, 9 Aug 2009 02:25:29 +0000]
drm/i915: silence vblank warnings

these errors are pretty pointless

Reviewed-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>

10 years agodrm: silence pointless vblank warning.
Paul Rolland [Sun, 9 Aug 2009 02:24:01 +0000]
drm: silence pointless vblank warning.

Some applications/hardware combinations are triggering the message "failed to
acquire vblank counter" to be issued up to 20 times a second, which makes it
both useless and dangerous, as this may hide other important messages.
This changes makes it only appear when people are debugging.

Signed-off-by: Paul Rolland <rol@as2917.net>
Reviewed-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Lost-twice-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

10 years agodrm: When adding probed modes, preserve duplicate mode types
Keith Packard [Mon, 20 Jul 2009 21:49:17 +0000]
drm: When adding probed modes, preserve duplicate mode types

The code which takes probed modes and adds them to a connector eliminates
duplicate modes by comparing them using drm_mode_equal. That function
doesn't consider the type bits, which means that any modes which differ only
in the type field will be lost.

One of the bits in the mode->type field is the DRM_MODE_TYPE_PREFERRED bit.
If the mode with that bit is lost, then higher level code will not know
which mode to select, causing a random mode to be used instead.

This patch simply merges the two mode type bits together; that seems
reasonable to me, but perhaps only a subset of the bits should be used? None
of these can be user defined as they all come from looking at just the

Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>

10 years agoposix_cpu_timers_exit_group(): Do not use thread_group_cputimer()
Stanislaw Gruszka [Thu, 6 Aug 2009 23:03:30 +0000]
posix_cpu_timers_exit_group(): Do not use thread_group_cputimer()

When the process exits we don't have to run new cputimer nor
use running one (as it not accounts when tsk->exit_state != 0)
to get process CPU times.  As there is only one thread we can
just use CPU times fields from task and signal structs.

Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Roland McGrath <roland@redhat.com>
Cc: Vitaly Mayatskikh <vmayatsk@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>

10 years agotracing/filters: Always free pred on filter_add_subsystem_pred() failure
Tom Zanussi [Sat, 8 Aug 2009 15:49:53 +0000]
tracing/filters: Always free pred on filter_add_subsystem_pred() failure

If filter_add_subsystem_pred() fails due to ENOSPC or ENOMEM,
the pred doesn't get freed, while as a side effect it does for
other errors. Make it so the caller always frees the pred for
any error.

Signed-off-by: Tom Zanussi <tzanussi@gmail.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Li Zefan <lizf@cn.fujitsu.com>
LKML-Reference: <1249746593.6453.32.camel@tropicana>
Signed-off-by: Ingo Molnar <mingo@elte.hu>

10 years agotracing/filters: Don't use pred on alloc failure
Tom Zanussi [Sat, 8 Aug 2009 15:49:09 +0000]
tracing/filters: Don't use pred on alloc failure

Dan Carpenter sent me a fix to prevent pred from being used if
it couldn't be allocated.  I noticed the same problem also
existed for the create_pred() case and added a fix for that.

Reported-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: Tom Zanussi <tzanussi@gmail.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Li Zefan <lizf@cn.fujitsu.com>
LKML-Reference: <1249746549.6453.29.camel@tropicana>
Signed-off-by: Ingo Molnar <mingo@elte.hu>

10 years agox86: Add quirk to make Apple MacBookPro5,1 use reboot=pci
Ozan Çağlayan [Tue, 4 Aug 2009 16:39:31 +0000]
x86: Add quirk to make Apple MacBookPro5,1 use reboot=pci

MacBookPro5,1 is not able to reboot unless reboot=pci is set.
This patch forces it through a DMI quirk specific to this

Signed-off-by: Ozan Çağlayan <ozan@pardus.org.tr>
LKML-Reference: <1249403971-6543-1-git-send-email-ozan@pardus.org.tr>
Signed-off-by: Ingo Molnar <mingo@elte.hu>

10 years agox86: Fix MSI-X initialization by using online_mask for x2apic target_cpus
Yinghai Lu [Tue, 4 Aug 2009 15:59:59 +0000]
x86: Fix MSI-X initialization by using online_mask for x2apic target_cpus

found a system where x2apic reports an MSI-X irq initialization

[  302.859446] igbvf 0000:81:10.4: enabling device (0000 -> 0002)
[  302.874369] igbvf 0000:81:10.4: using 64bit DMA mask
[  302.879023] igbvf 0000:81:10.4: using 64bit consistent DMA mask
[  302.894386] igbvf 0000:81:10.4: enabling bus mastering
[  302.898171] igbvf 0000:81:10.4: setting latency timer to 64
[  302.914050] reserve_memtype added 0xefb08000-0xefb0c000, track uncached-minus, req uncached-minus, ret uncached-minus
[  302.933839] reserve_memtype added 0xefb28000-0xefb29000, track uncached-minus, req uncached-minus, ret uncached-minus
[  302.940367]   alloc irq_desc for 265 on node 4
[  302.956874]   alloc kstat_irqs on node 4
[  302.959452] alloc irq_2_iommu on node 0
[  302.974328] igbvf 0000:81:10.4: irq 265 for MSI/MSI-X
[  302.977778]   alloc irq_desc for 266 on node 4
[  302.980347]   alloc kstat_irqs on node 4
[  302.995312] free_memtype request 0xefb28000-0xefb29000
[  302.998816] igbvf 0000:81:10.4: Failed to initialize MSI-X interrupts.

... it turns out that when trying to enable MSI-X,
__assign_irq_vector(new, cfg_new, apic->target_cpus()) can not
get vector because for x2apic target-cpus returns cpumask_of(0)

Update that to online_mask like xapic.

Signed-off-by: Yinghai Lu <yinghai@kernel.org>
Acked-by: Suresh Siddha <suresh.b.siddha@intel.com>
LKML-Reference: <4A785AFF.3050902@kernel.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>

10 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6
Linus Torvalds [Sat, 8 Aug 2009 02:06:36 +0000]
Merge git://git./linux/kernel/git/gregkh/usb-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6:
  USB: fix oops on disconnect in cdc-acm
  USB: storage: include Prolific Technology USB drive in unusual_devs list
  USB: ftdi_sio: add product_id for Marvell OpenRD Base, Client
  USB: ftdi_sio: add vendor and product id for Bayer glucose meter serial converter cable
  USB: EHCI: fix counting of transaction error retries
  USB: EHCI: fix two new bugs related to Clear-TT-Buffer
  USB: usbfs: fix -ENOENT error code to be -ENODEV
  USB: musb: fix the nop registration for OMAP3EVM
  USB: devio: Properly do access_ok() checks
  USB: pl2303: New vendor and product id

10 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging-2.6
Linus Torvalds [Sat, 8 Aug 2009 02:06:13 +0000]
Merge git://git./linux/kernel/git/gregkh/staging-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging-2.6:
  Staging: rspiusb: Fix buffer overflow
  staging: add dependencies on PCI for drivers that require it
  Staging: rtl8192su: fix build error
  Staging: rt2870: Revert d44ca7 Removal of kernel_thread() API
  Staging: rt2870: Add USB ID for Linksys, Planex Communications, Belkin

10 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/anholt...
Linus Torvalds [Sat, 8 Aug 2009 02:03:59 +0000]
Merge branch 'for-linus' of git://git./linux/kernel/git/anholt/drm-intel

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/anholt/drm-intel: (22 commits)
  drm/i915: Fix read outside array bounds in restoring the SWF10 range.
  drm/i915: Use our own workqueue to avoid wedging the system along with the GPU.
  drm/i915: Add support for dual-channel LVDS on 8xx.
  drm/i915: Return disconnected for SDVO DVI when there's no digital EDID.
  drm/i915: Choose real sdvo output according to result from detection
  drm/i915: Set preferred mode for integrated TV according to TV format
  drm/i915: fix 845G FIFO size & burst length
  drm/i915: fix VGA detect on IGDNG
  drm/i915: Add eDP support on IGDNG mobile chip
  drm/i915: enable DisplayPort support on IGDNG
  drm/i915: Fix channel ending action for DP aux transaction
  drm/i915: fix issue in display pipe setup on IGDNG
  drm/i915: disable VGA plane reliably
  drm/I915: Fix offset to DVO timings in LVDS data
  drm/i915: hdmi detection according by reading edid
  drm/i915: correct self-refresh calculation in "everything off" case
  drm/i915: handle FIFO oversubsription correctly
  drm/i915: FIFO watermark calculation fixes
  drm/i915: ignore lvds on AOpen Mini PC MP-915
  drm/i915: Allow frame buffers up to 4096x4096 on 915/945 class hardware

10 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/mason/btrfs-unstable
Linus Torvalds [Sat, 8 Aug 2009 02:03:09 +0000]
Merge git://git./linux/kernel/git/mason/btrfs-unstable

* git://git.kernel.org/pub/scm/linux/kernel/git/mason/btrfs-unstable:
  Btrfs: fix balancing oops when invalidate_inode_pages2 returns EBUSY
  Btrfs: correct error-handling zlib error handling
  Btrfs: remove superfluous NULL pointer check in btrfs_rename()
  Btrfs: make sure the async caching thread advances the key
  Btrfs: fix btrfs_remove_from_free_space corner case

10 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/hch/xfs-icache-races
Linus Torvalds [Sat, 8 Aug 2009 01:53:44 +0000]
Merge git://git./linux/kernel/git/hch/xfs-icache-races

* git://git.kernel.org/pub/scm/linux/kernel/git/hch/xfs-icache-races:
  xfs: fix freeing of inodes not yet added to the inode cache
  vfs: add __destroy_inode
  vfs: fix inode_init_always calling convention

10 years agoStaging: rspiusb: Fix buffer overflow
Roel Kluin [Fri, 7 Aug 2009 19:00:10 +0000]
Staging: rspiusb: Fix buffer overflow

usb_buffer_map_sg() may return -1. This will result in a read from

Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

10 years agostaging: add dependencies on PCI for drivers that require it
Jeff Mahoney [Fri, 7 Aug 2009 23:12:03 +0000]
staging: add dependencies on PCI for drivers that require it

This patch adds PCI dependencies to staging drivers that require it.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

10 years agoStaging: rtl8192su: fix build error
Greg Kroah-Hartman [Tue, 4 Aug 2009 23:53:36 +0000]
Staging: rtl8192su: fix build error

This fixes a build error when selecting the rtl8192su driver as a
module.  This has been reported by me, and the opensuse kernel developer
team, and I finally tracked it down.

Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

10 years agoStaging: rt2870: Revert d44ca7 Removal of kernel_thread() API
Mike Galbraith [Fri, 31 Jul 2009 05:14:04 +0000]
Staging: rt2870: Revert d44ca7 Removal of kernel_thread() API

Staging: rt2870: Revert d44ca7 Removal of kernel_thread() API

The sanity check this patch introduced triggers on shutdown, apparently due to
threads having already exited by the time BUG_ON() is reached.

Signed-off-by: Mike Galbraith <efault@gmx.de>
Cc: Peter Teoh <htmldeveloper@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

10 years agoStaging: rt2870: Add USB ID for Linksys, Planex Communications, Belkin
Jakob Gruber [Thu, 30 Jul 2009 18:37:36 +0000]
Staging: rt2870: Add USB ID for Linksys, Planex Communications, Belkin

Linksys WUSB100, Belkin F5D8053 N, Planex Communications unknown model.

Signed-off-by: Jakob Gruber <jakob.gruber@kabelnet.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

10 years agoUSB: fix oops on disconnect in cdc-acm
Oliver Neukum [Tue, 4 Aug 2009 21:52:09 +0000]
USB: fix oops on disconnect in cdc-acm

This patch fixes an oops caused when during an unplug a device's table
of endpoints is zeroed before the driver is notified. A pointer to
the endpoint must be cached.

this fixes a regression caused by commit
Therefore it should go into 2.6.31

Signed-off-by: Oliver Neukum <oliver@neukum.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

10 years agoUSB: storage: include Prolific Technology USB drive in unusual_devs list
Rogerio Brito [Thu, 6 Aug 2009 22:20:19 +0000]
USB: storage: include Prolific Technology USB drive in unusual_devs list

Add a quirk entry for the Leading Driver UD-11 usb flash drive.

As Alan Stern told me, the device doesn't deal correctly with the
locking media feature of the device, and this patch incorporates it.

Compiled, tested, working.

Signed-off-by: Rogerio Brito <rbrito@ime.usp.br>
Cc: Phil Dibowitz <phil@ipom.com>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Robert Hancock <hancockrwd@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

10 years agoUSB: ftdi_sio: add product_id for Marvell OpenRD Base, Client
Dhaval Vasa [Fri, 7 Aug 2009 11:56:49 +0000]
USB: ftdi_sio: add product_id for Marvell OpenRD Base, Client


Signed-off-by: Dhaval Vasa <dhaval.vasa@einfochips.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

10 years agoUSB: ftdi_sio: add vendor and product id for Bayer glucose meter serial converter...
Marko Hänninen [Fri, 31 Jul 2009 19:32:39 +0000]
USB: ftdi_sio: add vendor and product id for Bayer glucose meter serial converter cable

Attached patch adds USB vendor and product IDs for Bayer's USB to serial
converter cable used by Bayer blood glucose meters. It seems to be a
FT232RL based device and works without any problem with ftdi_sio driver
when this patch is applied. See: http://winglucofacts.com/cables/

Signed-off-by: Marko Hänninen <bugitus@gmail.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

10 years agoUSB: EHCI: fix counting of transaction error retries
Alan Stern [Fri, 31 Jul 2009 14:41:40 +0000]
USB: EHCI: fix counting of transaction error retries

This patch (as1274) simplifies the counting of transaction-error
retries.  Now we will count up from 0 to QH_XACTERR_MAX instead of
down from QH_XACTERR_MAX to 0.

The patch also fixes a small bug: qh->xacterr was not getting
initialized for interrupt endpoints.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Matthijs Kooijman <matthijs@stdin.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

10 years agoUSB: EHCI: fix two new bugs related to Clear-TT-Buffer
Alan Stern [Fri, 31 Jul 2009 14:40:22 +0000]
USB: EHCI: fix two new bugs related to Clear-TT-Buffer

This patch (as1273) fixes two(!) bugs introduced by the new
Clear-TT-Buffer implementation in ehci-hcd.

It is now possible for an idle QH to have some URBs on its
queue -- this will happen if a Clear-TT-Buffer is pending for
the QH's endpoint.  Consequently we should not issue a warning
when someone tries to unlink an URB from an idle QH; instead
we should process the request immediately.

The refcounts for QHs could get messed up, because
submit_async() would increment the refcount when calling
qh_link_async() and qh_link_async() would then refuse to link
the QH into the schedule if a Clear-TT-Buffer was pending.
Instead we should increment the refcount only when the QH
actually is added to the schedule.  The current code tries to
be clever by leaving the refcount alone if an unlink is
immediately followed by a relink; the patch changes this to an
unconditional decrement and increment (although they occur in
the opposite order).

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: David Brownell <david-b@pacbell.net>
Tested-by: Manuel Lauss <manuel.lauss@gmail.com>
Tested-by: Matthijs Kooijman <matthijs@stdin.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

10 years agoUSB: usbfs: fix -ENOENT error code to be -ENODEV
Alan Stern [Thu, 30 Jul 2009 19:28:14 +0000]
USB: usbfs: fix -ENOENT error code to be -ENODEV

This patch (as1272) changes the error code returned when an open call
for a USB device node fails to locate the corresponding device.  The
appropriate error code is -ENODEV, not -ENOENT.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: Kay Sievers <kay.sievers@vrfy.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

10 years agoUSB: musb: fix the nop registration for OMAP3EVM
Gupta, Ajay Kumar [Wed, 29 Jul 2009 06:28:57 +0000]
USB: musb: fix the nop registration for OMAP3EVM

OMAP3EVM uses ISP1504 phy which doesn't require any programming and
thus has to use NOP otg transceiver.

Cleanups being done:
- Remove unwanted code in usb-musb.c file
- Register NOP in OMAP3EVM board file using
- Select NOP_USB_XCEIV for OMAP3EVM boards.
- Don't enable TWL4030_USB in omap3_evm_defconfig

Signed-off-by: Ajay Kumar Gupta <ajay.gupta@ti.com>
Signed-off-by: Eino-Ville Talvala <talvala@stanford.edu>
Acked-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

10 years agoUSB: devio: Properly do access_ok() checks
Michael Buesch [Wed, 29 Jul 2009 09:39:03 +0000]
USB: devio: Properly do access_ok() checks

access_ok() checks must be done on every part of the userspace structure
that is accessed. If access_ok() on one part of the struct succeeded, it
does not imply it will succeed on other parts of the struct. (Does
depend on the architecture implementation of access_ok()).

This changes the __get_user() users to first check access_ok() on the
data structure.

Signed-off-by: Michael Buesch <mb@bu3sch.de>
Cc: stable <stable@kernel.org>
Cc: Pete Zaitcev <zaitcev@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

10 years agoUSB: pl2303: New vendor and product id
Khanh-Dang Nguyen Thu Lam [Tue, 28 Jul 2009 17:41:17 +0000]
USB: pl2303: New vendor and product id

I am submitting a patch for the pl2303 driver.  This patch adds support
for the "Sony QN-3USB" cable (vendor=0x054c, product=0x0437).  This USB
cable is a so-called data cable used to connect a Sony mobile phone to a
computer.  Supported models are Sony CMD-J5, J6, J7, J16, J26, J70 and

I have used this patch with my Sony CMD-J70 for several days and I
haven't encountered any kernel/hardware issue.

From: Khanh-Dang Nguyen Thu Lam <kdntl@yahoo.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

10 years agoBtrfs: fix balancing oops when invalidate_inode_pages2 returns EBUSY
Yan Zheng [Fri, 7 Aug 2009 17:51:33 +0000]
Btrfs: fix balancing oops when invalidate_inode_pages2 returns EBUSY

invalidate_inode_pages2_range may return -EBUSY occasionally
which results Oops. This patch fixes the issue by moving
invalidate_inode_pages2_range into a loop and keeping calling
it until the return value is not -EBUSY.

The EBUSY return is temporary, and can happen when the btrfs release page
function is unable to release a page because the EXTENT_LOCK
bit is set.

Signed-off-by: Yan Zheng <zheng.yan@oracle.com>
Signed-off-by: Chris Mason <chris.mason@oracle.com>

10 years agoBtrfs: correct error-handling zlib error handling
Julia Lawall [Fri, 7 Aug 2009 17:51:33 +0000]
Btrfs: correct error-handling zlib error handling

find_zlib_workspace returns an ERR_PTR value in an error case instead of NULL.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@match exists@
expression x, E;
statement S1, S2;

x = find_zlib_workspace(...)
... when != x = E
*  if (x == NULL || ...) S1 else S2
*  if (x == NULL && ...) S1 else S2
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Chris Mason <chris.mason@oracle.com>

10 years agoBtrfs: remove superfluous NULL pointer check in btrfs_rename()
Bartlomiej Zolnierkiewicz [Fri, 7 Aug 2009 17:47:08 +0000]
Btrfs: remove superfluous NULL pointer check in btrfs_rename()

This takes care of the following entry from Dan's list:

fs/btrfs/inode.c +4788 btrfs_rename(36) warning: variable derefenced before check 'old_inode'

Reported-by: Dan Carpenter <error27@gmail.com>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Eugene Teo <eteo@redhat.com>
Cc: Julia Lawall <julia@diku.dk>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Signed-off-by: Chris Mason <chris.mason@oracle.com>

10 years agoMerge master.kernel.org:/home/rmk/linux-2.6-arm
Linus Torvalds [Fri, 7 Aug 2009 17:46:51 +0000]
Merge master.kernel.org:/home/rmk/linux-2.6-arm

* master.kernel.org:/home/rmk/linux-2.6-arm: (30 commits)
  ARM: 5639/1: arm: clkdev.c should include <linux/clk.h>
  ARM: 5638/1: arch/arm/kernel/signal.c: use correct address space for CRUNCH
  ARM: 5637/1: [KS8695] Don't reference CLOCK_TICK_RATE in drivers
  ARM: S3C64XX: serial: Fix section mismatch warning
  ARM: S3C24XX: serial: Fix section mismatch warnings
  ARM: S3C: PWM fix for low duty cycle
  ARM: 5597/1: [PCI] reset all internal hardware prior PCI initialization
  ARM: 5627/1: Fix restoring of lr at the end of mcount
  ARM: 5624/1: Document cache aliasing region
  S3C64XX: Fix ARMCLK configuration
  S3C64XX: Fix get_rate() for ARMCLK
  S3C24XX: GPIO: Fix pin range check in s3c_gpiolib_getchip
  mx3 defconfig update
  mx27 defconfig update
  ARM: 5623/1: Treo680: ir shutdown typo fix
  ARM: includecheck fix: plat-stmp3xxx/pinmux.c
  ARM: includecheck fix: plat-s3c64xx/pm.c
  ARM: includecheck fix: mach-omap2/mcbsp.c
  ARM: includecheck fix: mach-omap1/mcbsp.c
  ARM: includecheck fix: board-sffsdr.c

10 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6
Linus Torvalds [Fri, 7 Aug 2009 17:46:27 +0000]
Merge git://git./linux/kernel/git/davem/net-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
  net: Fix spinlock use in alloc_netdev_mq()

10 years agoMerge branch 'for-linus' of git://git390.marist.edu/pub/scm/linux-2.6
Linus Torvalds [Fri, 7 Aug 2009 17:46:09 +0000]
Merge branch 'for-linus' of git://git390.marist.edu/linux-2.6

* 'for-linus' of git://git390.marist.edu/pub/scm/linux-2.6:
  [S390] KVM: Read buffer overflow
  [S390] kernel: Storing machine flags early in lowcore

10 years agoMerge git://git.infradead.org/~dwmw2/iommu-2.6.31
Linus Torvalds [Fri, 7 Aug 2009 17:44:11 +0000]
Merge git://git.infradead.org/~dwmw2/iommu-2.6.31

* git://git.infradead.org/~dwmw2/iommu-2.6.31:
  intel-iommu: Fix enabling snooping feature by mistake
  intel-iommu: Mask physical address to correct page size in intel_map_single()
  intel-iommu: Correct sglist size calculation.

10 years agoMerge branch 'perfcounters-fixes-for-linus' of git://git.kernel.org/pub/scm/linux...
Linus Torvalds [Fri, 7 Aug 2009 17:43:07 +0000]
Merge branch 'perfcounters-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'perfcounters-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  perf_counter: Fix double list iteration in per task precise stats
  perf: Auto-detect libelf
  perf symbol: Fix symbol parsing in certain cases: use the build-id as a symlink
  perf_counter/powerpc: Check oprofile_cpu_type for NULL before using it
  ftrace: Fix perf-tracepoint OOPS
  perf report: Add missing command line options to man page
  perf: Auto-detect libbfd
  perf report: Make --sort comm,dso,symbol the default

10 years agoMerge git://git.infradead.org/mtd-2.6
Linus Torvalds [Fri, 7 Aug 2009 17:42:31 +0000]
Merge git://git.infradead.org/mtd-2.6

* git://git.infradead.org/mtd-2.6:
  jffs2: Fix return value from jffs2_do_readpage_nolock()
  mtd: mtdblock: introduce mtdblks_lock
  mtd: remove 'SBC8240 Wind River' Device Driver Code
  mtd: OneNAND: OMAP2/3: free GPMC CS on module removal
  mtd: OneNAND: fix incorrect bufferram offset
  mtd: blkdevs: do not forget to get MTD devices
  mtd: fix the conversion from dev to mtd_info
  mtd: let include/linux/mtd/partitions.h stand on its own

10 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
Linus Torvalds [Fri, 7 Aug 2009 17:42:14 +0000]
Merge branch 'for-linus' of git://git./linux/kernel/git/dtor/input

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: matrix_keypad - make matrix keymap size dynamic
  Input: wistron_btns - support Prestigio Wifi RF kill button
  Input: i8042 - add Asus G1S to noloop exception list

10 years agoMerge branch 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied...
Linus Torvalds [Fri, 7 Aug 2009 17:41:36 +0000]
Merge branch 'drm-fixes' of git://git./linux/kernel/git/airlied/drm-2.6

* 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
  drm/radeon/kms: setup MC/VRAM the same way for suspend/resume
  drm/radeon/kms: Fix caching mode selection for GTT object

10 years agoflat: fix uninitialized ptr with shared libs
Linus Torvalds [Thu, 6 Aug 2009 22:09:34 +0000]
flat: fix uninitialized ptr with shared libs

The new credentials code broke load_flat_shared_library() as it now uses
an uninitialized cred pointer.

Reported-by: Bernd Schmidt <bernds_cb1@t-online.de>
Tested-by: Bernd Schmidt <bernds_cb1@t-online.de>
Cc: Mike Frysinger <vapier@gentoo.org>
Cc: David Howells <dhowells@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

10 years agolib/decompress_*: only include <linux/slab.h> if STATIC is not defined
Albin Tonnerre [Thu, 6 Aug 2009 22:09:32 +0000]
lib/decompress_*: only include <linux/slab.h> if STATIC is not defined

These includes were added by 079effb6933f34b9b1b67b08bd4fd7fb672d16ef
("kmemtrace, kbuild: fix slab.h dependency problem in
lib/decompress_inflate.c") to fix the build when using kmemtrace.  However
this is not necessary when used to create a compressed kernel, and
actually creates issues (brings a lot of things unavailable in the
decompression environment), so don't include it if STATIC is defined.

Signed-off-by: Albin Tonnerre <albin.tonnerre@free-electrons.com>
Cc: Sam Ravnborg <sam@ravnborg.org>
Cc: Russell King <rmk@arm.linux.org.uk>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Pekka Enberg <penberg@cs.helsinki.fi>
Cc: Eduard - Gabriel Munteanu <eduard.munteanu@linux360.ro>
Cc: Phillip Lougher <phillip@lougher.demon.co.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

10 years agobzip2/lzma: remove nasty uncompressed size hack in pre-boot environment
Phillip Lougher [Thu, 6 Aug 2009 22:09:31 +0000]
bzip2/lzma: remove nasty uncompressed size hack in pre-boot environment

decompress_bunzip2 and decompress_unlzma have a nasty hack that subtracts
4 from the input length if being called in the pre-boot environment.

This is a nasty hack because it relies on the fact that flush = NULL only
when called from the pre-boot environment (i.e.
arch/x86/boot/compressed/misc.c).  initramfs.c/do_mounts_rd.c pass in a
flush buffer (flush != NULL).

This hack prevents the decompressors from being used with flush = NULL by
other callers unless knowledge of the hack is propagated to them.

This patch removes the hack by making decompress (called only from the
pre-boot environment) a wrapper function that subtracts 4 from the input
length before calling the decompressor.

Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

10 years agobzip2/lzma/gzip: fix comments describing decompressor API
Phillip Lougher [Thu, 6 Aug 2009 22:09:30 +0000]
bzip2/lzma/gzip: fix comments describing decompressor API

Fix and improve comments in decompress/generic.h that describe the
decompressor API.  Also remove an unused definition, and rename INBUF_LEN
in lib/decompress_inflate.c to conform to bzip2/lzma naming.

Signed-off-by: Phillip Lougher <phillip@lougher.demon.co.uk>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

10 years agoexecve: must clear current->clear_child_tid
Eric Dumazet [Thu, 6 Aug 2009 22:09:28 +0000]
execve: must clear current->clear_child_tid

While looking at Jens Rosenboom bug report
(http://lkml.org/lkml/2009/7/27/35) about strange sys_futex call done from
a dying "ps" program, we found following problem.

clone() syscall has special support for TID of created threads.  This
support includes two features.

One (CLONE_CHILD_SETTID) is to set an integer into user memory with the
TID value.

One (CLONE_CHILD_CLEARTID) is to clear this same integer once the created
thread dies.

The integer location is a user provided pointer, provided at clone()

kernel keeps this pointer value into current->clear_child_tid.

At execve() time, we should make sure kernel doesnt keep this user
provided pointer, as full user memory is replaced by a new one.

As glibc fork() actually uses clone() syscall with CLONE_CHILD_SETTID and
CLONE_CHILD_CLEARTID set, chances are high that we might corrupt user
memory in forked processes.

Following sequence could happen:

1) bash (or any program) starts a new process, by a fork() call that
   glibc maps to a clone( ...  CLONE_CHILD_SETTID | CLONE_CHILD_CLEARTID
   ...) syscall

2) When new process starts, its current->clear_child_tid is set to a
   location that has a meaning only in bash (or initial program) context

3) This new process does the execve() syscall to start a new program.
   current->clear_child_tid is left unchanged (a non NULL value)

4) If this new program creates some threads, and initial thread exits,
   kernel will attempt to clear the integer pointed by
   current->clear_child_tid from mm_release() :

        if (tsk->clear_child_tid
            && !(tsk->flags & PF_SIGNALED)
            && atomic_read(&mm->mm_users) > 1) {
                u32 __user * tidptr = tsk->clear_child_tid;
                tsk->clear_child_tid = NULL;

                 * We don't check the error code - if userspace has
                 * not set up a proper pointer then tough luck.
<< here >>      put_user(0, tidptr);
                sys_futex(tidptr, FUTEX_WAKE, 1, NULL, NULL, 0);

5) OR : if new program is not multi-threaded, but spied by /proc/pid
   users (ps command for example), mm_users > 1, and the exiting program
   could corrupt 4 bytes in a persistent memory area (shm or memory mapped

If current->clear_child_tid points to a writeable portion of memory of the
new program, kernel happily and silently corrupts 4 bytes of memory, with
unexpected effects.

Fix is straightforward and should not break any sane program.

Reported-by: Jens Rosenboom <jens@mcbone.net>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sonny Rao <sonnyrao@us.ibm.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ulrich Drepper <drepper@redhat.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>