Aneesh Kumar K.V [Mon, 31 May 2010 02:49:26 +0000 (22:49 -0400)]
ext4: Drop EXT4_GET_BLOCKS_UPDATE_RESERVE_SPACE flag
commit
1296cc85c26e94eb865d03f82140f27d598de467 upstream (as of v2.6.33-rc6)
We should update reserve space if it is delalloc buffer
and that is indicated by EXT4_GET_BLOCKS_DELALLOC_RESERVE flag.
So use EXT4_GET_BLOCKS_DELALLOC_RESERVE in place of
EXT4_GET_BLOCKS_UPDATE_RESERVE_SPACE
[ Stable note: This fixes a corruption cuased by the following
reproduction case:
rm -f $TEST_FN
touch $TEST_FN
fallocate -n -o 656712 -l 858907 $TEST_FN
dd if=/dev/zero of=$TEST_FN conv=notrunc bs=1 seek=
1011020 count=36983
sync
dd if=/dev/zero of=$TEST_FN conv=notrunc bs=1 seek=332121 count=24005
dd if=/dev/zero of=$TEST_FN conv=notrunc bs=1 seek=
1040179 count=93319
If the filesystem is then unmounted and e2fsck run forced, the
i_blocks field for the file $TEST_FN will be found to be incorrect. ]
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Aneesh Kumar K.V [Mon, 31 May 2010 02:49:25 +0000 (22:49 -0400)]
ext4: Fix quota accounting error with fallocate
commit
5f634d064c709ea02c3cdaa850a08323a4a4bf28 upstream (as of v2.6.33-rc6)
When we fallocate a region of the file which we had recently written,
and which is still in the page cache marked as delayed allocated blocks
we need to make sure we don't do the quota update on writepage path.
This is because the needed quota updated would have already be done
by fallocate.
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Aneesh Kumar K.V [Mon, 31 May 2010 02:49:24 +0000 (22:49 -0400)]
ext4: Handle -EDQUOT error on write
commit
1db913823c0f8360fccbd24ca67eb073966a5ffd upstream (as of v2.6.33-rc6)
We need to release the journal before we do a write_inode. Otherwise
we could deadlock.
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Theodore Ts'o [Mon, 31 May 2010 02:49:23 +0000 (22:49 -0400)]
ext4: Calculate metadata requirements more accurately
commit
9d0be50230b333005635967f7ecd4897dbfd181b upstream (as of v2.6.33-rc3)
In the past, ext4_calc_metadata_amount(), and its sub-functions
ext4_ext_calc_metadata_amount() and ext4_indirect_calc_metadata_amount()
badly over-estimated the number of metadata blocks that might be
required for delayed allocation blocks. This didn't matter as much
when functions which managed the reserved metadata blocks were more
aggressive about dropping reserved metadata blocks as delayed
allocation blocks were written, but unfortunately they were too
aggressive. This was fixed in commit
0637c6f, but as a result the
over-estimation by ext4_calc_metadata_amount() would lead to reserving
2-3 times the number of pending delayed allocation blocks as
potentially required metadata blocks. So if there are 1 megabytes of
blocks which have been not yet been allocation, up to 3 megabytes of
space would get reserved out of the user's quota and from the file
system free space pool until all of the inode's data blocks have been
allocated.
This commit addresses this problem by much more accurately estimating
the number of metadata blocks that will be required. It will still
somewhat over-estimate the number of blocks needed, since it must make
a worst case estimate not knowing which physical blocks will be
needed, but it is much more accurate than before.
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Theodore Ts'o [Mon, 31 May 2010 02:49:22 +0000 (22:49 -0400)]
ext4: Fix accounting of reserved metadata blocks
commit
ee5f4d9cdf32fd99172d11665c592a288c2b1ff4 upstream (as of v2.6.33-rc3)
Commit
0637c6f had a typo which caused the reserved metadata blocks to
not be released correctly. Fix this.
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Theodore Ts'o [Mon, 31 May 2010 02:49:21 +0000 (22:49 -0400)]
ext4: Patch up how we claim metadata blocks for quota purposes
commit
0637c6f4135f592f094207c7c21e7c0fc5557834 upstream (as of v2.6.33-rc3)
As reported in Kernel Bugzilla #14936, commit
d21cd8f triggered a BUG
in the function ext4_da_update_reserve_space() found in
fs/ext4/inode.c. The root cause of this BUG() was caused by the fact
that ext4_calc_metadata_amount() can severely over-estimate how many
metadata blocks will be needed, especially when using direct
block-mapped files.
In addition, it can also badly *under* estimate how much space is
needed, since ext4_calc_metadata_amount() assumes that the blocks are
contiguous, and this is not always true. If the application is
writing blocks to a sparse file, the number of metadata blocks
necessary can be severly underestimated by the functions
ext4_da_reserve_space(), ext4_da_update_reserve_space() and
ext4_da_release_space(). This was the cause of the dq_claim_space
reports found on kerneloops.org.
Unfortunately, doing this right means that we need to massively
over-estimate the amount of free space needed. So in some cases we
may need to force the inode to be written to disk asynchronously in
to avoid spurious quota failures.
http://bugzilla.kernel.org/show_bug.cgi?id=14936
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Aneesh Kumar K.V [Mon, 31 May 2010 02:49:20 +0000 (22:49 -0400)]
ext4: Ensure zeroout blocks have no dirty metadata
commit
515f41c33a9d44a964264c9511ad2c869af1fac3 upstream (as of v2.6.33-rc3)
This fixes a bug (found by Curt Wohlgemuth) in which new blocks
returned from an extent created with ext4_ext_zeroout() can have dirty
metadata still associated with them.
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Curt Wohlgemuth <curtw@google.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Richard Kennedy [Mon, 31 May 2010 02:49:19 +0000 (22:49 -0400)]
ext4: return correct wbc.nr_to_write in ext4_da_writepages
commit
2faf2e19dd0e060eeb32442858ef495ac3083277 upstream (as of v2.6.33-rc3)
When ext4_da_writepages increases the nr_to_write in writeback_control
then it must always re-base the return value. Originally there was a
(misguided) attempt prevent wbc.nr_to_write from going negative. In
fact, it's necessary to allow nr_to_write to be negative so that
wb_writeback() can correctly calculate how many pages were actually
written.
Signed-off-by: Richard Kennedy <richard@rsk.demon.co.uk>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Julia Lawall [Mon, 31 May 2010 02:49:18 +0000 (22:49 -0400)]
ext4: Eliminate potential double free on error path
commit
d3533d72e7478a61a3e1936956fc825289a2acf4 upstream (as of v2.6.33-rc3)
b_entry_name and buffer are initially NULL, are initialized within a loop
to the result of calling kmalloc, and are freed at the bottom of this loop.
The loop contains gotos to cleanup, which also frees b_entry_name and
buffer. Some of these gotos are before the reinitializations of
b_entry_name and buffer. To maintain the invariant that b_entry_name and
buffer are NULL at the top of the loop, and thus acceptable arguments to
kfree, these variables are now set to NULL after the kfrees.
This seems to be the simplest solution. A more complicated solution
would be to introduce more labels in the error handling code at the end of
the function.
A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)
// <smpl>
@r@
identifier E;
expression E1;
iterator I;
statement S;
@@
*kfree(E);
... when != E = E1
when != I(E,...) S
when != &E
*kfree(E);
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Theodore Ts'o [Mon, 31 May 2010 02:49:17 +0000 (22:49 -0400)]
ext4, jbd2: Add barriers for file systems with exernal journals
commit
cc3e1bea5d87635c519da657303690f5538bb4eb upstream (as of v2.6.33-rc3)
This is a bit complicated because we are trying to optimize when we
send barriers to the fs data disk. We could just throw in an extra
barrier to the data disk whenever we send a barrier to the journal
disk, but that's not always strictly necessary.
We only need to send a barrier during a commit when there are data
blocks which are must be written out due to an inode written in
ordered mode, or if fsync() depends on the commit to force data blocks
to disk. Finally, before we drop transactions from the beginning of
the journal during a checkpoint operation, we need to guarantee that
any blocks that were flushed out to the data disk are firmly on the
rust platter before we drop the transaction from the journal.
Thanks to Oleg Drokin for pointing out this flaw in ext3/ext4.
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Surbhi Palande [Mon, 31 May 2010 02:49:16 +0000 (22:49 -0400)]
ext4: replace BUG() with return -EIO in ext4_ext_get_blocks
commit
034fb4c95fc0fed4ec4a50778127b92c6f2aec01 upstream (as of v2.6.33-rc3)
This patch fixes the Kernel BZ #14286. When the address of an extent
corresponding to a valid block is corrupted, a -EIO should be reported
instead of a BUG(). This situation should not normally not occur
except in the case of a corrupted filesystem. If however it does,
then the system should not panic directly but depending on the mount
time options appropriate action should be taken. If the mount options
so permit, the I/O should be gracefully aborted by returning a -EIO.
http://bugzilla.kernel.org/show_bug.cgi?id=14286
Signed-off-by: Surbhi Palande <surbhi.palande@canonical.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dmitry Monakhov [Mon, 31 May 2010 02:49:14 +0000 (22:49 -0400)]
ext4: Fix potential quota deadlock
commit
d21cd8f163ac44b15c465aab7306db931c606908 upstream (as of v2.6.33-rc2)
We have to delay vfs_dq_claim_space() until allocation context destruction.
Currently we have following call-trace:
ext4_mb_new_blocks()
/* task is already holding ac->alloc_semp */
->ext4_mb_mark_diskspace_used
->vfs_dq_claim_space() /* acquire dqptr_sem here. Possible deadlock */
->ext4_mb_release_context() /* drop ac->alloc_semp here */
Let's move quota claiming to ext4_da_update_reserve_space()
=======================================================
[ INFO: possible circular locking dependency detected ]
2.6.32-rc7 #18
-------------------------------------------------------
write-truncate-/3465 is trying to acquire lock:
(&s->s_dquot.dqptr_sem){++++..}, at: [<
c025e73b>] dquot_claim_space+0x3b/0x1b0
but task is already holding lock:
(&meta_group_info[i]->alloc_sem){++++..}, at: [<
c02ce962>] ext4_mb_load_buddy+0xb2/0x370
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #3 (&meta_group_info[i]->alloc_sem){++++..}:
[<
c017d04b>] __lock_acquire+0xd7b/0x1260
[<
c017d5ea>] lock_acquire+0xba/0xd0
[<
c0527191>] down_read+0x51/0x90
[<
c02ce962>] ext4_mb_load_buddy+0xb2/0x370
[<
c02d0c1c>] ext4_mb_free_blocks+0x46c/0x870
[<
c029c9d3>] ext4_free_blocks+0x73/0x130
[<
c02c8cfc>] ext4_ext_truncate+0x76c/0x8d0
[<
c02a8087>] ext4_truncate+0x187/0x5e0
[<
c01e0f7b>] vmtruncate+0x6b/0x70
[<
c022ec02>] inode_setattr+0x62/0x190
[<
c02a2d7a>] ext4_setattr+0x25a/0x370
[<
c022ee81>] notify_change+0x151/0x340
[<
c021349d>] do_truncate+0x6d/0xa0
[<
c0221034>] may_open+0x1d4/0x200
[<
c022412b>] do_filp_open+0x1eb/0x910
[<
c021244d>] do_sys_open+0x6d/0x140
[<
c021258e>] sys_open+0x2e/0x40
[<
c0103100>] sysenter_do_call+0x12/0x32
-> #2 (&ei->i_data_sem){++++..}:
[<
c017d04b>] __lock_acquire+0xd7b/0x1260
[<
c017d5ea>] lock_acquire+0xba/0xd0
[<
c0527191>] down_read+0x51/0x90
[<
c02a5787>] ext4_get_blocks+0x47/0x450
[<
c02a74c1>] ext4_getblk+0x61/0x1d0
[<
c02a7a7f>] ext4_bread+0x1f/0xa0
[<
c02bcddc>] ext4_quota_write+0x12c/0x310
[<
c0262d23>] qtree_write_dquot+0x93/0x120
[<
c0261708>] v2_write_dquot+0x28/0x30
[<
c025d3fb>] dquot_commit+0xab/0xf0
[<
c02be977>] ext4_write_dquot+0x77/0x90
[<
c02be9bf>] ext4_mark_dquot_dirty+0x2f/0x50
[<
c025e321>] dquot_alloc_inode+0x101/0x180
[<
c029fec2>] ext4_new_inode+0x602/0xf00
[<
c02ad789>] ext4_create+0x89/0x150
[<
c0221ff2>] vfs_create+0xa2/0xc0
[<
c02246e7>] do_filp_open+0x7a7/0x910
[<
c021244d>] do_sys_open+0x6d/0x140
[<
c021258e>] sys_open+0x2e/0x40
[<
c0103100>] sysenter_do_call+0x12/0x32
-> #1 (&sb->s_type->i_mutex_key#7/4){+.+...}:
[<
c017d04b>] __lock_acquire+0xd7b/0x1260
[<
c017d5ea>] lock_acquire+0xba/0xd0
[<
c0526505>] mutex_lock_nested+0x65/0x2d0
[<
c0260c9d>] vfs_load_quota_inode+0x4bd/0x5a0
[<
c02610af>] vfs_quota_on_path+0x5f/0x70
[<
c02bc812>] ext4_quota_on+0x112/0x190
[<
c026345a>] sys_quotactl+0x44a/0x8a0
[<
c0103100>] sysenter_do_call+0x12/0x32
-> #0 (&s->s_dquot.dqptr_sem){++++..}:
[<
c017d361>] __lock_acquire+0x1091/0x1260
[<
c017d5ea>] lock_acquire+0xba/0xd0
[<
c0527191>] down_read+0x51/0x90
[<
c025e73b>] dquot_claim_space+0x3b/0x1b0
[<
c02cb95f>] ext4_mb_mark_diskspace_used+0x36f/0x380
[<
c02d210a>] ext4_mb_new_blocks+0x34a/0x530
[<
c02c83fb>] ext4_ext_get_blocks+0x122b/0x13c0
[<
c02a5966>] ext4_get_blocks+0x226/0x450
[<
c02a5ff3>] mpage_da_map_blocks+0xc3/0xaa0
[<
c02a6ed6>] ext4_da_writepages+0x506/0x790
[<
c01de272>] do_writepages+0x22/0x50
[<
c01d766d>] __filemap_fdatawrite_range+0x6d/0x80
[<
c01d7b9b>] filemap_flush+0x2b/0x30
[<
c02a40ac>] ext4_alloc_da_blocks+0x5c/0x60
[<
c029e595>] ext4_release_file+0x75/0xb0
[<
c0216b59>] __fput+0xf9/0x210
[<
c0216c97>] fput+0x27/0x30
[<
c02122dc>] filp_close+0x4c/0x80
[<
c014510e>] put_files_struct+0x6e/0xd0
[<
c01451b7>] exit_files+0x47/0x60
[<
c0146a24>] do_exit+0x144/0x710
[<
c0147028>] do_group_exit+0x38/0xa0
[<
c0159abc>] get_signal_to_deliver+0x2ac/0x410
[<
c0102849>] do_notify_resume+0xb9/0x890
[<
c01032d2>] work_notifysig+0x13/0x21
other info that might help us debug this:
3 locks held by write-truncate-/3465:
#0: (jbd2_handle){+.+...}, at: [<
c02e1f8f>] start_this_handle+0x38f/0x5c0
#1: (&ei->i_data_sem){++++..}, at: [<
c02a57f6>] ext4_get_blocks+0xb6/0x450
#2: (&meta_group_info[i]->alloc_sem){++++..}, at: [<
c02ce962>] ext4_mb_load_buddy+0xb2/0x370
stack backtrace:
Pid: 3465, comm: write-truncate- Not tainted 2.6.32-rc7 #18
Call Trace:
[<
c0524cb3>] ? printk+0x1d/0x22
[<
c017ac9a>] print_circular_bug+0xca/0xd0
[<
c017d361>] __lock_acquire+0x1091/0x1260
[<
c016bca2>] ? sched_clock_local+0xd2/0x170
[<
c0178fd0>] ? trace_hardirqs_off_caller+0x20/0xd0
[<
c017d5ea>] lock_acquire+0xba/0xd0
[<
c025e73b>] ? dquot_claim_space+0x3b/0x1b0
[<
c0527191>] down_read+0x51/0x90
[<
c025e73b>] ? dquot_claim_space+0x3b/0x1b0
[<
c025e73b>] dquot_claim_space+0x3b/0x1b0
[<
c02cb95f>] ext4_mb_mark_diskspace_used+0x36f/0x380
[<
c02d210a>] ext4_mb_new_blocks+0x34a/0x530
[<
c02c601d>] ? ext4_ext_find_extent+0x25d/0x280
[<
c02c83fb>] ext4_ext_get_blocks+0x122b/0x13c0
[<
c016bca2>] ? sched_clock_local+0xd2/0x170
[<
c016be60>] ? sched_clock_cpu+0x120/0x160
[<
c016beef>] ? cpu_clock+0x4f/0x60
[<
c0178fd0>] ? trace_hardirqs_off_caller+0x20/0xd0
[<
c052712c>] ? down_write+0x8c/0xa0
[<
c02a5966>] ext4_get_blocks+0x226/0x450
[<
c016be60>] ? sched_clock_cpu+0x120/0x160
[<
c016beef>] ? cpu_clock+0x4f/0x60
[<
c017908b>] ? trace_hardirqs_off+0xb/0x10
[<
c02a5ff3>] mpage_da_map_blocks+0xc3/0xaa0
[<
c01d69cc>] ? find_get_pages_tag+0x16c/0x180
[<
c01d6860>] ? find_get_pages_tag+0x0/0x180
[<
c02a73bd>] ? __mpage_da_writepage+0x16d/0x1a0
[<
c01dfc4e>] ? pagevec_lookup_tag+0x2e/0x40
[<
c01ddf1b>] ? write_cache_pages+0xdb/0x3d0
[<
c02a7250>] ? __mpage_da_writepage+0x0/0x1a0
[<
c02a6ed6>] ext4_da_writepages+0x506/0x790
[<
c016beef>] ? cpu_clock+0x4f/0x60
[<
c016bca2>] ? sched_clock_local+0xd2/0x170
[<
c016be60>] ? sched_clock_cpu+0x120/0x160
[<
c016be60>] ? sched_clock_cpu+0x120/0x160
[<
c02a69d0>] ? ext4_da_writepages+0x0/0x790
[<
c01de272>] do_writepages+0x22/0x50
[<
c01d766d>] __filemap_fdatawrite_range+0x6d/0x80
[<
c01d7b9b>] filemap_flush+0x2b/0x30
[<
c02a40ac>] ext4_alloc_da_blocks+0x5c/0x60
[<
c029e595>] ext4_release_file+0x75/0xb0
[<
c0216b59>] __fput+0xf9/0x210
[<
c0216c97>] fput+0x27/0x30
[<
c02122dc>] filp_close+0x4c/0x80
[<
c014510e>] put_files_struct+0x6e/0xd0
[<
c01451b7>] exit_files+0x47/0x60
[<
c0146a24>] do_exit+0x144/0x710
[<
c017b163>] ? lock_release_holdtime+0x33/0x210
[<
c0528137>] ? _spin_unlock_irq+0x27/0x30
[<
c0147028>] do_group_exit+0x38/0xa0
[<
c017babb>] ? trace_hardirqs_on+0xb/0x10
[<
c0159abc>] get_signal_to_deliver+0x2ac/0x410
[<
c0102849>] do_notify_resume+0xb9/0x890
[<
c0178fd0>] ? trace_hardirqs_off_caller+0x20/0xd0
[<
c017b163>] ? lock_release_holdtime+0x33/0x210
[<
c0165b50>] ? autoremove_wake_function+0x0/0x50
[<
c017ba54>] ? trace_hardirqs_on_caller+0x134/0x190
[<
c017babb>] ? trace_hardirqs_on+0xb/0x10
[<
c0300ba4>] ? security_file_permission+0x14/0x20
[<
c0215761>] ? vfs_write+0x131/0x190
[<
c0214f50>] ? do_sync_write+0x0/0x120
[<
c0103115>] ? sysenter_do_call+0x27/0x32
[<
c01032d2>] work_notifysig+0x13/0x21
CC: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Dmitry Monakhov <dmonakhov@openvz.org>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Ben Hutchings [Wed, 28 Jul 2010 22:53:47 +0000 (23:53 +0100)]
ethtool: Fix potential user buffer overflow for ETHTOOL_{G, S}RXFH
commit
bf988435bd5b53529f4408a8efb1f433f6ddfda9 upstream.
struct ethtool_rxnfc was originally defined in 2.6.27 for the
ETHTOOL_{G,S}RXFH command with only the cmd, flow_type and data
fields. It was then extended in 2.6.30 to support various additional
commands. These commands should have been defined to use a new
structure, but it is too late to change that now.
Since user-space may still be using the old structure definition
for the ETHTOOL_{G,S}RXFH commands, and since they do not need the
additional fields, only copy the originally defined fields to and
from user-space.
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Corey Minyard [Wed, 21 Jul 2010 13:39:22 +0000 (08:39 -0500)]
USB: FTDI: Add support for the RT System VX-7 radio programming cable
commit
fcc6cb789c77ffee31710eec64efeb25f2124f7a upstream.
RT Systems has put out bunch of ham radio cables based on the FT232RL
chip. Each cable type has a unique PID, this adds one for the Yaesu VX-7
radios.
Signed-off-by: Corey Minyard <minyard@acm.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Oliver Neukum [Wed, 14 Jul 2010 16:26:22 +0000 (18:26 +0200)]
USB: add quirk for Broadcom BT dongle
commit
63ab71deae67b031045bb28bf8cff45180089f8f upstream.
This device needs to be reset when resuming
Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Oliver Neukum [Fri, 16 Jul 2010 15:36:26 +0000 (17:36 +0200)]
USB: sisusbvga: Fix for USB 3.0
commit
20a12f007feee1cfa761b431047271d1141d8031 upstream.
Super speed is also fast enough to let sisusbvga operate.
Therefor expand the checks.
Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Paul Mortier [Fri, 9 Jul 2010 12:18:50 +0000 (13:18 +0100)]
USB: adds Artisman USB dongle to list of quirky devices
commit
47f19c0eedb377ad1ee8114f464d001ec5f96a69 upstream.
When an attempt is made to read the interface strings of the Artisman
Watchdog USB dongle (idVendor:idProduct 04b4:0526) an error is written
to the dmesg log (uhci_result_common: failed with status 440000) and the
dongle resets itself, resulting in a disconnect/reconnect loop.
Adding the dongle to the list of devices in quirks.c, with the same
quirk Alan Stern's previous patch for the Saitek Cyborg Gold 3D
joystick, stops the device from resetting and allows it to be used with
no problems.
Signed-off-by: Paul Mortier <mortier@btinternet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dennis Jansen [Fri, 9 Jul 2010 20:03:53 +0000 (22:03 +0200)]
USB: option: Add support for AMOI Skypephone S2
commit
7595931c986f50b1e197ce7b881563e36a7d041e upstream.
usbserial: Add AMOI Skypephone S2 support.
This patch adds support for the AMOI Skypephone S2 to the usbserial module.
Tested-by: Dennis Jansen <Dennis.Jansen@web.de>
Signed-off-by: Dennis Jansen <Dennis.Jansen@web.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Colin Leitner [Thu, 1 Jul 2010 08:49:55 +0000 (10:49 +0200)]
USB: ftdi_sio: support for Signalyzer tools based on FTDI chips
commit
77dbd74e16b566e9d5eeb4be18ae3ee7d5902bd3 upstream.
ftdi_sio: support for Signalyzer tools based on FTDI chips
This patch adds support for the Xverve Signalyzers.
Signed-off-by: Colin Leitner <colin.leitner@googlemail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
august huber [Mon, 28 Jun 2010 18:46:05 +0000 (11:46 -0700)]
USB: Add PID for Sierra 250U to drivers/usb/serial/sierra.c
commit
9d72c81d657340e54a260a3b621f4a9f5b33829c upstream.
Add VID/PID for Sierra Wireless 250U USB dongle to sierra.c
Allows use of 3G radio only
Signed-off-by: August Huber <gus@pbx.org>
Cc: Elina Pasheva <epasheva@sierrawireless.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Ömer Sezgin Ugurlu [Mon, 28 Jun 2010 16:01:58 +0000 (19:01 +0300)]
USB: option: add support for 1da5:4518
commit
646d90e2b925578abef5c45853e0b166b6a450bf upstream.
Signed-off-by: Omer Sezgin Ugurlu <omer.ugurlu@a-kent.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jon Povey [Mon, 14 Jun 2010 10:42:10 +0000 (19:42 +0900)]
USB: g_serial: fix tty cleanup on unload
commit
b23097b793081358a6d943263c91bae4c955c4e3 upstream.
Call put_tty_driver() in cleanup function, to fix Oops when trying to open
gadget serial char device after module unload.
Signed-off-by: Jon Povey <jon.povey@racelogic.co.uk>
Acked-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jon Povey [Mon, 14 Jun 2010 10:41:04 +0000 (19:41 +0900)]
USB: g_serial: don't set low_latency flag
commit
44a0c0190b500ee6bcfc0976fe540f65dee2cd67 upstream.
No longer set low_latency flag as it causes this warning backtrace:
WARNING: at kernel/mutex.c:207 __mutex_lock_slowpath+0x6c/0x288()
Fix associated locking and wakeups.
Signed-off-by: Jon Povey <jon.povey@racelogic.co.uk>
Cc: Maulik Mankad <x0082077@ti.com>
Acked-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alan Stern [Tue, 22 Jun 2010 20:14:48 +0000 (16:14 -0400)]
USB: obey the sysfs power/wakeup setting
commit
48826626263d4a61d06fd8c5805da31f925aefa0 upstream.
This patch (as1403) is a partial reversion of an earlier change
(commit
5f677f1d45b2bf08085bbba7394392dfa586fa8e "USB: fix remote
wakeup settings during system sleep"). After hearing from a user, I
realized that remote wakeup should be enabled during system sleep
whenever userspace allows it, and not only if a driver requests it
too.
Indeed, there could be a device with no driver, that does nothing but
generate a wakeup request when the user presses a button. Such a
device should be allowed to do its job.
The problem fixed by the earlier patch -- device generating a wakeup
request for no reason, causing system suspend to abort -- was also
addressed by a later patch ("USB: don't enable remote wakeup by
default", accepted but not yet merged into mainline). The device
won't be able to generate the bogus wakeup requests because it will be
disabled for remote wakeup by default. Hence this reversion will not
re-introduce any old problems.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Pavel Roskin [Wed, 10 Mar 2010 04:11:07 +0000 (23:11 -0500)]
Staging: rtl8192su: add USB ID for 0bda:8171
commit
c0087580b8d414f6874cfe93d2653212842fcb44 upstream.
Signed-off-by: Pavel Roskin <proski@gnu.org>
Cc: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Stephane Glondu [Thu, 17 Dec 2009 14:41:23 +0000 (15:41 +0100)]
staging: rtl8192su: add USB VID/PID for HWNUm-300
commit
488d3749620779ab2668c0dba2962836e51e3cd6 upstream.
The Hercules Wireless N USB mini (HWNUm-300) uses the RTL8191S chipset
and seems to work with this driver.
Signed-off-by: Stephane Glondu <steph@glondu.net>
Cc: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Stefano Stabellini [Wed, 21 Jul 2010 17:32:37 +0000 (18:32 +0100)]
x86: Do not try to disable hpet if it hasn't been initialized before
commit
ff4878089e1eaeac79d57878ad4ea32910fb4037 upstream.
hpet_disable is called unconditionally on machine reboot if hpet support
is compiled in the kernel.
hpet_disable only checks if the machine is hpet capable but doesn't make
sure that hpet has been initialized.
[ tglx: Made it a one liner and removed the redundant hpet_address check ]
Signed-off-by: Stefano Stabellini <stefano.stabellini@eu.citrix.com>
Acked-by: Venkatesh Pallipadi <venki@google.com>
LKML-Reference: <alpine.DEB.2.00.
1007211726240.22235@kaball-desktop>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Nicolas Pitre [Wed, 14 Jul 2010 04:21:22 +0000 (05:21 +0100)]
ARM: 6226/1: fix kprobe bug in ldr instruction emulation
commit
0ebe25f90cd99bb1bcf622ec8a841421d48380d6 upstream.
From: Bin Yang <bin.yang@marvell.com>
Signed-off-by: Bin Yang <bin.yang@marvell.com>
Signed-off-by: Nicolas Pitre <nicolas.pitre@linaro.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Catalin Marinas [Thu, 1 Jul 2010 12:21:47 +0000 (13:21 +0100)]
ARM: 6201/1: RealView: Do not use outer_sync() on ARM11MPCore boards with L220
commit
2503a5ecd86c002506001eba432c524ea009fe7f upstream.
RealView boards with certain revisions of the L220 cache controller (ARM11*
processors only) may have issues (hardware deadlock) with the recent changes to
the mb() barrier implementation (DSB followed by an L2 cache sync). The patch
redefines the RealView ARM11MPCore mandatory barriers without the outer_sync()
call.
Tested-by: Linus Walleij <linus.walleij@stericsson.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dmitry Torokhov [Wed, 21 Jul 2010 03:25:35 +0000 (20:25 -0700)]
Input: twl40300-keypad - fix handling of "all ground" rows
commit
3fea60261e73dbf4a51130d40cafcc8465b0f2c3 upstream.
The Nokia RX51 board code (arch/arm/mach-omap2/board-rx51-peripherals.c)
defines a key map for the matrix keypad keyboard. The hardware seems to
use all of the 8 rows and 8 columns of the keypad, although not all
possible locations are used.
The TWL4030 supports keypads with at most 8 rows and 8 columns. Most keys
are defined with a row and column number between 0 and 7, except
KEY(0xff, 2, KEY_F9),
KEY(0xff, 4, KEY_F10),
KEY(0xff, 5, KEY_F11),
which represent keycodes that should be emitted when entire row is
connected to the ground. since the driver handles this case as if we
had an extra column in the key matrix. Unfortunately we do not allocate
enough space and end up owerwriting some random memory.
Reported-and-tested-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Kamal Mostafa [Mon, 19 Jul 2010 18:00:52 +0000 (11:00 -0700)]
Input: i8042 - add Gigabyte Spring Peak to dmi_noloop_table
commit
3e1bbc8d5018a05c0793c8a32b777a1396eb4414 upstream.
Gigabyte "Spring Peak" notebook indicates wrong chassis-type, tripping up
i8042 and breaking the touchpad. Add this model to i8042_dmi_noloop_table[]
to resolve.
BugLink: https://bugs.launchpad.net/bugs/580664
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Or Gerlitz [Sun, 6 Jun 2010 04:59:16 +0000 (04:59 +0000)]
IPoIB: Fix world-writable child interface control sysfs attributes
commit
7a52b34b07122ff5f45258d47f260f8a525518f0 upstream.
Sumeet Lahorani <sumeet.lahorani@oracle.com> reported that the IPoIB
child entries are world-writable; however we don't want ordinary users
to be able to create and destroy child interfaces, so fix them to be
writable only by root.
Signed-off-by: Or Gerlitz <ogerlitz@voltaire.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Yinghai Lu [Thu, 15 Jul 2010 07:00:59 +0000 (00:00 -0700)]
x86: Fix x2apic preenabled system with kexec
commit
fd19dce7ac07973f700b0f13fb7f94b951414a4c upstream.
Found one x2apic system kexec loop test failed
when CONFIG_NMI_WATCHDOG=y (old) or CONFIG_LOCKUP_DETECTOR=y (current tip)
first kernel can kexec second kernel, but second kernel can not kexec third one.
it can be duplicated on another system with BIOS preenabled x2apic.
First kernel can not kexec second kernel.
It turns out, when kernel boot with pre-enabled x2apic, it will not execute
disable_local_APIC on shutdown path.
when init_apic_mappings() is called in setup_arch, it will skip setting of
apic_phys when x2apic_mode is set. ( x2apic_mode is much early check_x2apic())
Then later, disable_local_APIC() will bail out early because !apic_phys.
So check !x2apic_mode in x2apic_mode in disable_local_APIC with !apic_phys.
another solution could be updating init_apic_mappings() to set apic_phys even
for preenabled x2apic system. Actually even for x2apic system, that lapic
address is mapped already in early stage.
BTW: is there any x2apic preenabled system with apicid of boot cpu > 255?
Signed-off-by: Yinghai Lu <yinghai@kernel.org>
LKML-Reference: <
4C3EB22B.
3000701@kernel.org>
Acked-by: Suresh Siddha <suresh.b.siddha@intel.com>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Mark Brown [Sat, 17 Jul 2010 13:20:17 +0000 (14:20 +0100)]
ASoC: Remove duplicate AUX definition from WM8776
commit
3c0709396df0869786f83e4b2d2d687c70ee886d upstream.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Acked-by: Liam Girdwood <lrg@slimlogic.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Marek Szyprowski [Tue, 20 Jul 2010 20:24:33 +0000 (13:24 -0700)]
sdhci-s3c: add missing remove function
commit
9d51a6b2487724e8713cd2794cf09ffeee5f6932 upstream.
System will crash sooner or later once the memory with the code of the
s3c-sdhci.ko module is reused for something else. I really have no idea
how the lack of remove function went unnoticed into the mainline code.
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Ben Hutchings [Mon, 28 Jun 2010 08:44:07 +0000 (08:44 +0000)]
ethtool: Fix potential kernel buffer overflow in ETHTOOL_GRXCLSRLALL
commit
db048b69037e7fa6a7d9e95a1271a50dc08ae233 upstream.
On a 32-bit machine, info.rule_cnt >= 0x40000000 leads to integer
overflow and the buffer may be smaller than needed. Since
ETHTOOL_GRXCLSRLALL is unprivileged, this can presumably be used for at
least denial of service.
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Joakim Tjernlund [Tue, 29 Jun 2010 22:05:34 +0000 (15:05 -0700)]
rtc: fix ds1388 time corruption
commit
96fc3a45ea073136566f3c2676cad52f8b39a7df upstream.
The ds1307 driver misreads the ds1388 registers when checking for 12 or 24
hour mode. Instead of checking the hour register it reads the minute
register. Therefore the driver thinks minutes >= 40 has the 12HR bit set
and resets the minute register by zeroing the high bits. This results in
minutes are reset to 0-9, jumping back in time 40 or 50 minutes. The time
jump is also written back to the RTC.
Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se>
Cc: Wan ZongShun <mcuos.com@gmail.com>
Cc: Alessandro Zummo <a.zummo@towertech.it>
Cc: Paul Gortmaker <p_gortmaker@yahoo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Ilpo Järvinen [Mon, 19 Jul 2010 01:16:18 +0000 (01:16 +0000)]
tcp: fix crash in tcp_xmit_retransmit_queue
commit
45e77d314585869dfe43c82679f7e08c9b35b898 upstream.
It can happen that there are no packets in queue while calling
tcp_xmit_retransmit_queue(). tcp_write_queue_head() then returns
NULL and that gets deref'ed to get sacked into a local var.
There is no work to do if no packets are outstanding so we just
exit early.
This oops was introduced by
08ebd1721ab8fd (tcp: remove tp->lost_out
guard to make joining diff nicer).
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Reported-by: Lennart Schulte <lennart.schulte@nets.rwth-aachen.de>
Tested-by: Lennart Schulte <lennart.schulte@nets.rwth-aachen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Doug Kehn [Thu, 15 Jul 2010 01:02:16 +0000 (18:02 -0700)]
net/core: neighbour update Oops
commit
91a72a70594e5212c97705ca6a694bd307f7a26b upstream.
When configuring DMVPN (GRE + openNHRP) and a GRE remote
address is configured a kernel Oops is observed. The
obserseved Oops is caused by a NULL header_ops pointer
(neigh->dev->header_ops) in neigh_update_hhs() when
void (*update)(struct hh_cache*, const struct net_device*, const unsigned char *)
= neigh->dev->header_ops->cache_update;
is executed. The dev associated with the NULL header_ops is
the GRE interface. This patch guards against the
possibility that header_ops is NULL.
This Oops was first observed in kernel version 2.6.26.8.
Signed-off-by: Doug Kehn <rdkehn@yahoo.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Mikulas Patocka [Tue, 6 Apr 2010 23:43:33 +0000 (16:43 -0700)]
ide: Fix IDE taskfile with cfq scheduler
commit
720fc22a7af79d91ec460c80efa92c65c12d105e upstream.
When ide taskfile access is being used (for example with hdparm --security
commands) and cfq scheduler is selected, the scheduler crashes on BUG in
cfq_put_request.
The reason is that the cfq scheduler is tracking counts of read and write
requests separately; the ide-taskfile subsystem allocates a read request and
then flips the flag to make it a write request. The counters in cfq will
mismatch.
This patch changes ide-taskfile to allocate the READ or WRITE request as
required and don't change the flag later.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Sergei Shtylyov [Tue, 11 May 2010 07:08:03 +0000 (00:08 -0700)]
cmd640: fix kernel oops in test_irq() method
commit
a9ddabc52ce3757a4331d6c1e8bf4065333cc51b upstream.
When implementing the test_iqr() method, I forgot that this driver is not an
ordinary PCI driver and also needs to support VLB variant of the chip. Moreover,
'hwif->dev' should be NULL, potentially causing oops in pci_read_config_byte().
Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dongdong Deng [Thu, 17 Jun 2010 03:13:40 +0000 (11:13 +0800)]
serial: cpm_uart: implement the cpm_uart_early_write() function for console poll
commit
8cd774ad30c22b9d89823f1f05d845f4cdaba9e8 upstream.
The cpm_uart_early_write() function which was used for console poll
isn't implemented in the cpm uart driver.
Implementing this function both fixes the build when CONFIG_CONSOLE_POLL
is set and allows kgdboc to work via the cpm uart.
Signed-off-by: Dongdong Deng <dongdong.deng@windriver.com>
Reviewed-by: Bruce Ashfield <bruce.ashfield@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Thomas Gleixner [Mon, 7 Jun 2010 15:53:51 +0000 (17:53 +0200)]
genirq: Deal with desc->set_type() changing desc->chip
commit
4673247562e39a17e09440fa1400819522ccd446 upstream.
The set_type() function can change the chip implementation when the
trigger mode changes. That might result in using an non-initialized
irq chip when called from __setup_irq() or when called via
set_irq_type() on an already enabled irq.
The set_irq_type() function should not be called on an enabled irq,
but because we forgot to put a check into it, we have a bunch of users
which grew the habit of doing that and it never blew up as the
function is serialized via desc->lock against all users of desc->chip
and they never hit the non-initialized irq chip issue.
The easy fix for the __setup_irq() issue would be to move the
irq_chip_set_defaults(desc->chip) call after the trigger setting to
make sure that a chip change is covered.
But as we have already users, which do the type setting after
request_irq(), the safe fix for now is to call irq_chip_set_defaults()
from __irq_set_trigger() when desc->set_type() changed the irq chip.
It needs a deeper analysis whether we should refuse to change the chip
on an already enabled irq, but that'd be a large scale change to fix
all the existing users. So that's neither stable nor 2.6.35 material.
Reported-by: Esben Haabendal <eha@doredevelopment.dk>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Cc: linuxppc-dev <linuxppc-dev@ozlabs.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alex,Shi [Thu, 17 Jun 2010 06:08:13 +0000 (14:08 +0800)]
sched: Fix over-scheduling bug
commit
3c93717cfa51316e4dbb471e7c0f9d243359d5f8 upstream.
Commit
e70971591 ("sched: Optimize unused cgroup configuration") introduced
an imbalanced scheduling bug.
If we do not use CGROUP, function update_h_load won't update h_load. When the
system has a large number of tasks far more than logical CPU number, the
incorrect cfs_rq[cpu]->h_load value will cause load_balance() to pull too
many tasks to the local CPU from the busiest CPU. So the busiest CPU keeps
going in a round robin. That will hurt performance.
The issue was found originally by a scientific calculation workload that
developed by Yanmin. With that commit, the workload performance drops
about 40%.
CPU before after
00 : 2 : 7
01 : 1 : 7
02 : 11 : 6
03 : 12 : 7
04 : 6 : 6
05 : 11 : 7
06 : 10 : 6
07 : 12 : 7
08 : 11 : 6
09 : 12 : 6
10 : 1 : 6
11 : 1 : 6
12 : 6 : 6
13 : 2 : 6
14 : 2 : 6
15 : 1 : 6
Reviewed-by: Yanmin zhang <yanmin.zhang@intel.com>
Signed-off-by: Alex Shi <alex.shi@intel.com>
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
LKML-Reference: <
1276754893.9452.5442.camel@debian>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Will Deacon [Mon, 24 May 2010 19:11:43 +0000 (12:11 -0700)]
sched: Prevent compiler from optimising the sched_avg_update() loop
commit
0d98bb2656e9bd2dfda2d089db1fe1dbdab41504 upstream.
GCC 4.4.1 on ARM has been observed to replace the while loop in
sched_avg_update with a call to uldivmod, resulting in the
following build failure at link-time:
kernel/built-in.o: In function `sched_avg_update':
kernel/sched.c:1261: undefined reference to `__aeabi_uldivmod'
kernel/sched.c:1261: undefined reference to `__aeabi_uldivmod'
make: *** [.tmp_vmlinux1] Error 1
This patch introduces a fake data hazard to the loop body to
prevent the compiler optimising the loop away.
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Peter Zijlstra <peterz@infradead.org>
Cc: Catalin Marinas <catalin.marinas@arm.com>
Cc: Russell King <rmk@arm.linux.org.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Darrick J. Wong [Thu, 1 Jul 2010 00:45:19 +0000 (17:45 -0700)]
x86, Calgary: Limit the max PHB number to 256
commit
d596043d71ff0d7b3d0bead19b1d68c55f003093 upstream.
The x3950 family can have as many as 256 PCI buses in a single system, so
change the limits to the maximum. Since there can only be 256 PCI buses in one
domain, we no longer need the BUG_ON check.
Signed-off-by: Darrick J. Wong <djwong@us.ibm.com>
LKML-Reference: <
20100701004519.GQ15515@tux1.beaverton.ibm.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Darrick J. Wong [Thu, 24 Jun 2010 21:26:47 +0000 (14:26 -0700)]
x86, Calgary: Increase max PHB number
commit
499a00e92dd9a75395081f595e681629eb1eebad upstream.
Newer systems (x3950M2) can have 48 PHBs per chassis and 8
chassis, so bump the limits up and provide an explanation
of the requirements for each class.
Signed-off-by: Darrick J. Wong <djwong@us.ibm.com>
Acked-by: Muli Ben-Yehuda <muli@il.ibm.com>
Cc: Corinna Schultz <cschultz@linux.vnet.ibm.com>
LKML-Reference: <
20100624212647.GI15515@tux1.beaverton.ibm.com>
[ v2: Fixed build bug, added back PHBS_PER_CALGARY == 4 ]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Andi Kleen [Fri, 18 Jun 2010 21:09:00 +0000 (23:09 +0200)]
x86: Fix vsyscall on gcc 4.5 with -Os
commit
124482935fb7fb9303c8a8ab930149c6a93d9910 upstream.
This fixes the -Os breaks with gcc 4.5 bug. rdtsc_barrier needs to be
force inlined, otherwise user space will jump into kernel space and
kill init.
This also addresses http://gcc.gnu.org/bugzilla/show_bug.cgi?id=44129
I believe.
Signed-off-by: Andi Kleen <ak@linux.intel.com>
LKML-Reference: <
20100618210859.GA10913@basil.fritz.box>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Frederic Weisbecker [Thu, 8 Jul 2010 04:06:17 +0000 (06:06 +0200)]
perf: Resurrect flat callchains
commit
97aa1052739c6a06cb6b0467dbf410613d20bc97 upstream.
Initialize the callchain radix tree root correctly.
When we walk through the parents, we must stop after the root, but
since it wasn't well initialized, its parent pointer was random.
Also the number of hits was random because uninitialized, hence it
was part of the callchain while the root doesn't contain anything.
This fixes segfaults and percentages followed by empty callchains
while running:
perf report -g flat
Reported-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Paul Mackerras <paulus@samba.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Ben Hutchings [Wed, 24 Mar 2010 03:36:31 +0000 (03:36 +0000)]
amd64-agp: Probe unknown AGP devices the right way
commit
6fd024893911dcb51b4a0aa71971db5ba38f7071 upstream.
The current initialisation code probes 'unsupported' AGP devices
simply by calling its own probe function. It does not lock these
devices or even check whether another driver is already bound to
them.
We must use the device core to manage this. So if the specific
device id table didn't match anything and agp_try_unsupported=1,
switch the device id table and call driver_attach() again.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Julia Lawall [Sat, 15 May 2010 09:46:12 +0000 (11:46 +0200)]
SCSI: aacraid: Eliminate use after free
commit
8a52da632ceb9d8b776494563df579e87b7b586b upstream.
The debugging code using the freed structure is moved before the kfree.
A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)
// <smpl>
@free@
expression E;
position p;
@@
kfree@p(E)
@@
expression free.E, subE<=free.E, E1;
position free.p;
@@
kfree@p(E)
...
(
subE = E1
|
* E
)
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Eric Dumazet [Fri, 2 Jul 2010 08:05:01 +0000 (10:05 +0200)]
netfilter: ip6t_REJECT: fix a dst leak in ipv6 REJECT
commit
499031ac8a3df6738f6186ded9da853e8ea18253 upstream.
We should release dst if dst->error is set.
Bug introduced in 2.6.14 by commit
e104411b82f5c
([XFRM]: Always release dst_entry on error in xfrm_lookup)
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Sven Wegener [Wed, 9 Jun 2010 14:10:57 +0000 (16:10 +0200)]
ipvs: Add missing locking during connection table hashing and unhashing
commit
aea9d711f3d68c656ad31ab578ecfb0bb5cd7f97 upstream.
The code that hashes and unhashes connections from the connection table
is missing locking of the connection being modified, which opens up a
race condition and results in memory corruption when this race condition
is hit.
Here is what happens in pretty verbose form:
CPU 0 CPU 1
------------ ------------
An active connection is terminated and
we schedule ip_vs_conn_expire() on this
CPU to expire this connection.
IRQ assignment is changed to this CPU,
but the expire timer stays scheduled on
the other CPU.
New connection from same ip:port comes
in right before the timer expires, we
find the inactive connection in our
connection table and get a reference to
it. We proper lock the connection in
tcp_state_transition() and read the
connection flags in set_tcp_state().
ip_vs_conn_expire() gets called, we
unhash the connection from our
connection table and remove the hashed
flag in ip_vs_conn_unhash(), without
proper locking!
While still holding proper locks we
write the connection flags in
set_tcp_state() and this sets the hashed
flag again.
ip_vs_conn_expire() fails to expire the
connection, because the other CPU has
incremented the reference count. We try
to re-insert the connection into our
connection table, but this fails in
ip_vs_conn_hash(), because the hashed
flag has been set by the other CPU. We
re-schedule execution of
ip_vs_conn_expire(). Now this connection
has the hashed flag set, but isn't
actually hashed in our connection table
and has a dangling list_head.
We drop the reference we held on the
connection and schedule the expire timer
for timeouting the connection on this
CPU. Further packets won't be able to
find this connection in our connection
table.
ip_vs_conn_expire() gets called again,
we think it's already hashed, but the
list_head is dangling and while removing
the connection from our connection table
we write to the memory location where
this list_head points to.
The result will probably be a kernel oops at some other point in time.
This race condition is pretty subtle, but it can be triggered remotely.
It needs the IRQ assignment change or another circumstance where packets
coming from the same ip:port for the same service are being processed on
different CPUs. And it involves hitting the exact time at which
ip_vs_conn_expire() gets called. It can be avoided by making sure that
all packets from one connection are always processed on the same CPU and
can be made harder to exploit by changing the connection timeouts to
some custom values.
Signed-off-by: Sven Wegener <sven.wegener@stealer.net>
Acked-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Rajiv Andrade [Wed, 23 Jun 2010 19:18:56 +0000 (12:18 -0700)]
tpm_tis: fix subsequent suspend failures
commit
59f6fbe4291fcc078ba26ce4edf8373a7620a13a upstream.
Fix subsequent suspends by issuing tpm_continue_selftest during resume.
Otherwise, the tpm chip seems to be not fully initialized and will reject
the save state command during suspend, thus preventing the whole system
to suspend.
Addresses https://bugzilla.kernel.org/show_bug.cgi?id=16256
Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
Cc: James Morris <jmorris@namei.org>
Cc: Debora Velarde <debora@linux.vnet.ibm.com>
Cc: David Safford <safford@watson.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alex Deucher [Wed, 21 Jul 2010 23:37:21 +0000 (19:37 -0400)]
drm/radeon/kms: fix legacy LVDS dpms sequence
commit
15cb02c0a0338ee724bf23e31c7c410ecbffeeba upstream.
Add delay after turning off the LVDS encoder.
Fixes:
https://bugzilla.kernel.org/show_bug.cgi?id=16389
Tested-by: Jan Kreuzer <kontrollator@gmx.de>
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alex Deucher [Tue, 20 Jul 2010 22:07:22 +0000 (18:07 -0400)]
drm/radeon/kms: add quirk for ASUS HD 3600 board
commit
e153b70b89770968a704eda0b55707c6066b2d44 upstream.
Connector is actually DVI rather than HDMI.
Reported-by: trapDoor <trapdoor6@gmail.com>
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Roland Scheidegger [Sat, 12 Jun 2010 17:31:10 +0000 (13:31 -0400)]
drm/radeon/r200: handle more hw tex coord types
commit
688acaa2897462e4c5e2482496e2868db0760809 upstream.
Code did not handle projected 2d and depth coordinates, meaning potentially
set 3d or cube special handling might stick.
(Not sure what depth coord actually does, but I guess handling it
like a normal coordinate is the right thing to do.)
Might be related to https://bugs.freedesktop.org/show_bug.cgi?id=26428
Signed-off-by: sroland@vmware.com
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Adam Jackson [Fri, 2 Jul 2010 20:43:30 +0000 (16:43 -0400)]
drm/i915: Make G4X-style PLL search more permissive
commit
6ba770dc5c334aff1c055c8728d34656e0f091e2 upstream.
Fixes an Ironlake laptop with a 68.940MHz 1280x800 panel and 120MHz SSC
reference clock.
More generally, the 0.488% tolerance used before is just too tight to
reliably find a PLL setting. I extracted the search algorithm and
modified it to find the dot clocks with maximum error over the valid
range for the given output type:
http://people.freedesktop.org/~ajax/intel_g4x_find_best_pll.c
This gave:
Worst dotclock for Ironlake DAC refclk is 350000kHz (error 0.00571)
Worst dotclock for Ironlake SL-LVDS refclk is 102321kHz (error 0.00524)
Worst dotclock for Ironlake DL-LVDS refclk is 219642kHz (error 0.00488)
Worst dotclock for Ironlake SL-LVDS SSC refclk is 84374kHz (error 0.00529)
Worst dotclock for Ironlake DL-LVDS SSC refclk is 183035kHz (error 0.00488)
Worst dotclock for G4X SDVO refclk is 267600kHz (error 0.00448)
Worst dotclock for G4X HDMI refclk is 334400kHz (error 0.00478)
Worst dotclock for G4X SL-LVDS refclk is 95571kHz (error 0.00449)
Worst dotclock for G4X DL-LVDS refclk is 224000kHz (error 0.00510)
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dave Airlie [Tue, 20 Jul 2010 03:15:31 +0000 (13:15 +1000)]
drm/i915: enable low power render writes on GEN3 hardware.
commit
944001201ca0196bcdb088129e5866a9f379d08c upstream.
A lot of 945GMs have had stability issues for a long time, this manifested as X hangs, blitter engine hangs, and lots of crashes.
one such report is at:
https://bugs.freedesktop.org/show_bug.cgi?id=20560
along with numerous distro bugzillas.
This only took a week of digging and hair ripping to figure out.
Tracked down and tested on a 945GM Lenovo T60,
previously running
x11perf -copypixwin500
or
x11perf -copywinpix500
repeatedly would cause the GPU to wedge within 4 or 5 tries, with random busy bits set.
After this patch no hangs were observed.
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Keith Packard [Tue, 20 Jul 2010 04:12:35 +0000 (21:12 -0700)]
drm/i915: Define MI_ARB_STATE bits
commit
45503ded966c98e604c9667c0b458d40666b9ef3 upstream.
The i915 memory arbiter has a register full of configuration
bits which are currently not defined in the driver header file.
Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Daniel J Blueman [Mon, 17 May 2010 13:23:52 +0000 (14:23 +0100)]
i915: fix lock imbalance on error path...
commit
f953c9353f5fe6e98fa7f32f51060a74d845b5f8 upstream.
While investigating Intel i5 Arrandale GPU lockups with -rc4, I
noticed a lock imbalance.
Signed-off-by: Daniel J Blueman <daniel.blueman@gmail.com>
Signed-off-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jason Baron [Tue, 27 Jul 2010 20:18:01 +0000 (13:18 -0700)]
dynamic debug: move ddebug_remove_module() down into free_module()
commit
b82bab4bbe9efa7bc7177fc20620fff19bd95484 upstream.
The command
echo "file ec.c +p" >/sys/kernel/debug/dynamic_debug/control
causes an oops.
Move the call to ddebug_remove_module() down into free_module(). In this
way it should be called from all error paths. Currently, we are missing
the remove if the module init routine fails.
Signed-off-by: Jason Baron <jbaron@redhat.com>
Reported-by: Thomas Renninger <trenn@suse.de>
Tested-by: Thomas Renninger <trenn@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Joerg Albert [Sun, 13 Jun 2010 12:22:23 +0000 (14:22 +0200)]
p54pci: add Symbol AP-300 minipci adapters pciid
commit
50900f1698f68127e54c67fdfe829e4a97b1be2b upstream.
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dan Rosenberg [Mon, 19 Jul 2010 20:58:20 +0000 (16:58 -0400)]
Btrfs: fix checks in BTRFS_IOC_CLONE_RANGE
commit
2ebc3464781ad24474abcbd2274e6254689853b5 upstream.
1. The BTRFS_IOC_CLONE and BTRFS_IOC_CLONE_RANGE ioctls should check
whether the donor file is append-only before writing to it.
2. The BTRFS_IOC_CLONE_RANGE ioctl appears to have an integer
overflow that allows a user to specify an out-of-bounds range to copy
from the source file (if off + len wraps around). I haven't been able
to successfully exploit this, but I'd imagine that a clever attacker
could use this to read things he shouldn't. Even if it's not
exploitable, it couldn't hurt to be safe.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Signed-off-by: Chris Mason <chris.mason@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Javier Cardona [Mon, 29 Mar 2010 18:00:20 +0000 (11:00 -0700)]
mac80211: Handle mesh action frames in ieee80211_rx_h_action
commit
1cb561f83793191cf86a2db3948d28f5f42df9ff upstream.
This fixes the problem introduced in commit
8404080568613d93ad7cf0a16dfb68 which broke mesh peer link establishment.
changes:
v2 Added missing break (Johannes)
v3 Broke original patch into two (Johannes)
Signed-off-by: Javier Cardona <javier@cozybit.com>
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Stanislaw Gruszka [Wed, 28 Apr 2010 13:17:03 +0000 (15:17 +0200)]
mac80211: do not wip out old supported rates
commit
f0b058b61711ebf5be94d6865ca7b2c259b71d37 upstream.
Use old supported rates, if AP do not provide supported rates
information element in a new managment frame.
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
John W. Linville [Mon, 14 Jun 2010 18:30:25 +0000 (14:30 -0400)]
iwlwifi: cancel scan watchdog in iwl_bg_abort_scan
commit
a69b03e941abae00380fc6bc1877fb797a1b31e6 upstream.
Avoids this:
WARNING: at net/mac80211/scan.c:312 ieee80211_scan_completed+0x5f/0x1f1
[mac80211]()
Hardware name: Latitude E5400
Modules linked in: aes_x86_64 aes_generic fuse ipt_MASQUERADE iptable_nat
nf_nat rfcomm sco bridge stp llc bnep l2cap sunrpc cpufreq_ondemand
acpi_cpufreq freq_table xt_physdev ip6t_REJECT nf_conntrack_ipv6
ip6table_filter ip6_tables ipv6 kvm_intel kvm uinput arc4 ecb
snd_hda_codec_intelhdmi snd_hda_codec_idt snd_hda_intel iwlagn snd_hda_codec
snd_hwdep snd_seq snd_seq_device iwlcore snd_pcm dell_wmi sdhci_pci sdhci
iTCO_wdt tg3 dell_laptop mmc_core i2c_i801 wmi mac80211 snd_timer
iTCO_vendor_support btusb joydev dcdbas cfg80211 bluetooth snd soundcore
microcode rfkill snd_page_alloc firewire_ohci firewire_core crc_itu_t
yenta_socket rsrc_nonstatic i915 drm_kms_helper drm i2c_algo_bit i2c_core video
output [last unloaded: scsi_wait_scan]
Pid: 979, comm: iwlagn Tainted: G W 2.6.33.3-85.fc13.x86_64 #1
Call Trace:
[<
ffffffff8104b558>] warn_slowpath_common+0x77/0x8f
[<
ffffffff8104b57f>] warn_slowpath_null+0xf/0x11
[<
ffffffffa01bb7d9>] ieee80211_scan_completed+0x5f/0x1f1 [mac80211]
[<
ffffffffa02a23f0>] iwl_bg_scan_completed+0xbb/0x17a [iwlcore]
[<
ffffffff81060d3d>] worker_thread+0x1a4/0x232
[<
ffffffffa02a2335>] ? iwl_bg_scan_completed+0x0/0x17a [iwlcore]
[<
ffffffff81064817>] ? autoremove_wake_function+0x0/0x34
[<
ffffffff81060b99>] ? worker_thread+0x0/0x232
[<
ffffffff810643c7>] kthread+0x7a/0x82
[<
ffffffff8100a924>] kernel_thread_helper+0x4/0x10
[<
ffffffff8106434d>] ? kthread+0x0/0x82
[<
ffffffff8100a920>] ? kernel_thread_helper+0x0/0x10
Reported here:
https://bugzilla.redhat.com/show_bug.cgi?id=590436
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Reported-by: Mihai Harpau <mishu@piatafinanciara.ro>
Acked-by: Reinette Chatre <reinette.chatre@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dave Airlie [Wed, 23 Jun 2010 01:35:41 +0000 (11:35 +1000)]
fb: fix colliding defines for fb flags.
commit
b26c949755c06ec79e55a75817210083bd78fc9a upstream.
When I added the flags I must have been using a 25 line terminal and missed the following flags.
The collided with flag has one user in staging despite being in-tree for 5 years.
I'm happy to push this via my drm tree unless someone really wants to do it.
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Rajiv Andrade [Mon, 14 Jun 2010 16:58:22 +0000 (13:58 -0300)]
TPM: ReadPubEK output struct fix
commit
02a077c52ef7631275a79862ffd9f3dbe9d38bc2 upstream.
This patch adds a missing element of the ReadPubEK command output,
that prevents future overflow of this buffer when copying the
TPM output result into it.
Prevents a kernel panic in case the user tries to read the
pubek from sysfs.
Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Tim Gardner [Tue, 8 Jun 2010 17:33:02 +0000 (11:33 -0600)]
hostap: Protect against initialization interrupt
commit
d6a574ff6bfb842bdb98065da053881ff527be46 upstream.
Use an irq spinlock to hold off the IRQ handler until
enough early card init is complete such that the handler
can run without faulting.
Signed-off-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Vivek Natarajan [Tue, 27 Apr 2010 07:35:38 +0000 (13:05 +0530)]
ath9k: Avoid corrupt frames being forwarded to mac80211.
commit
3a37495268ab45507b4cab9d4cb18c5496ab7a10 upstream.
If bit 29 is set, MAC H/W can attempt to decrypt the received aggregate
with WEP or TKIP, eventhough the received frame may be a CRC failed
corrupted frame. If this bit is set, H/W obeys key type in keycache.
If it is not set and if the key type in keycache is neither open nor
AES, H/W forces key type to be open. But bit 29 should be set to 1
for AsyncFIFO feature to encrypt/decrypt the aggregate with WEP or TKIP.
Reported-by: Johan Hovold <johan.hovold@lundinova.se>
Signed-off-by: Vivek Natarajan <vnatarajan@atheros.com>
Signed-off-by: Ranga Rao Ravuri <ranga.ravuri@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Luis R. Rodriguez [Fri, 18 Dec 2009 16:26:04 +0000 (11:26 -0500)]
ath9k: re-enable ps by default for new single chip families
commit
14acdde6e527950f66c084dbf19bad6fbfcaeedc upstream.
The newer single chip hardware family of chipsets have not been
experiencing issues with power saving set by default with recent
fixes merged (even into stable). The remaining issues are only
reported with AR5416 and since enabling PS by default can increase
power savings considerably best to take advantage of that feature
as this has been tested properly.
For more details on this issue see the bug report:
http://bugzilla.kernel.org/show_bug.cgi?id=14267
We leave AR5416 with PS disabled by default, that seems to require
some more work.
Cc: Peter Stuge <peter@stuge.se>
Cc: Justin P. Mattock <justinmattock@gmail.com>
Cc: Kristoffer Ericson <kristoffer.ericson@gmail.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Luis R. Rodriguez [Mon, 10 May 2010 19:26:27 +0000 (15:26 -0400)]
ath5k: drop warning on jumbo frames
commit
9637e516d16a58b13f6098cfe899e22963132be3 upstream.
Jumbo frames are not supported, and if they are seen it is likely
a bogus frame so just silently discard them instead of warning on
them all time. Also, instead of dropping them immediately though
move the check *after* we check for all sort of frame errors. This
should enable us to discard these frames if the hardware picks
other bogus items first. Lets see if we still get those jumbo
counters increasing still with this.
Jumbo frames would happen if we tell hardware we can support
a small 802.11 chunks of DMA'd frame, hardware would split RX'd
frames into parts and we'd have to reconstruct them in software.
This is done with USB due to the bulk size but with ath5k we
already provide a good limit to hardware and this should not be
happening.
This is reported quite often and if it fills the logs then this
needs to be addressed and to avoid spurious reports.
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Trond Myklebust [Wed, 16 Jun 2010 17:57:32 +0000 (13:57 -0400)]
SUNRPC: Fix a re-entrancy bug in xs_tcp_read_calldir()
commit
b76ce56192bcf618013fb9aecd83488cffd645cc upstream.
If the attempt to read the calldir fails, then instead of storing the read
bytes, we currently discard them. This leads to a garbage final result when
upon re-entry to the same routine, we read the remaining bytes.
Fixes the regression in bugzilla number 16213. Please see
https://bugzilla.kernel.org/show_bug.cgi?id=16213
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Trond Myklebust [Fri, 18 Jun 2010 16:23:58 +0000 (12:23 -0400)]
NFSv4: Ensure that /proc/self/mountinfo displays the minor version number
commit
0be8189f2c87fcc747d6a4a657a0b6e2161b2318 upstream.
Currently, we do not display the minor version mount parameter in the
/proc mount info.
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Trond Myklebust [Tue, 22 Jun 2010 12:52:39 +0000 (08:52 -0400)]
NFSv4: Fix an embarassing typo in encode_attrs()
commit
d3f6baaa34c54040b3ef30950e59b54ac0624b21 upstream.
Apparently, we have never been able to set the atime correctly from the
NFSv4 client.
Reported-by: 小倉一夫 <ka-ogura@bd6.so-net.ne.jp>
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Mikael Pettersson [Wed, 21 Jul 2010 01:45:14 +0000 (18:45 -0700)]
math-emu: correct test for downshifting fraction in _FP_FROM_INT()
commit
f8324e20f8289dffc646d64366332e05eaacab25 upstream.
The kernel's math-emu code contains a macro _FP_FROM_INT() which is
used to convert an integer to a raw normalized floating-point value.
It does this basically in three steps:
1. Compute the exponent from the number of leading zero bits.
2. Downshift large fractions to put the MSB in the right position
for normalized fractions.
3. Upshift small fractions to put the MSB in the right position.
There is an boundary error in step 2, causing a fraction with its
MSB exactly one bit above the normalized MSB position to not be
downshifted. This results in a non-normalized raw float, which when
packed becomes a massively inaccurate representation for that input.
The impact of this depends on a number of arch-specific factors,
but it is known to have broken emulation of FXTOD instructions
on UltraSPARC III, which was originally reported as GCC bug 44631
<http://gcc.gnu.org/bugzilla/show_bug.cgi?id=44631>.
Any arch which uses math-emu to emulate conversions from integers to
same-size floats may be affected.
The fix is simple: the exponent comparison used to determine if the
fraction should be downshifted must be "<=" not "<".
I'm sending a kernel module to test this as a reply to this message.
There are also SPARC user-space test cases in the GCC bug entry.
Signed-off-by: Mikael Pettersson <mikpe@it.uu.se>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Rob Landley [Sat, 27 Mar 2010 15:36:18 +0000 (08:36 -0700)]
sparc: Fix use of uid16_t and gid16_t in asm/stat.h
commit
7469a9acf919d36836f6c635099d8edc9be4528a upstream.
Signed-off-by: Rob Landley <rob@landley.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alexander Duyck [Mon, 5 Oct 2009 06:34:25 +0000 (06:34 +0000)]
igb: change how we handle alternate mac addresses
commit
22896639af98ebc721a94ed71fc3acf2fb4a24dc upstream.
This patch allows us to treat the alternate mac address as though it is the
physical address on the adapter. This is accomplished by letting the
alt_mac_address function to only fail on an NVM error. If no errors occur
and the alternate mac address is not present then RAR0 is read as the
default mac address.
Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Brandon Philips <bphilips@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Brandon Philips [Wed, 16 Jun 2010 16:21:58 +0000 (16:21 +0000)]
sky2: enable rx/tx in sky2_phy_reinit()
commit
38000a94a902e94ca8b5498f7871c6316de8957a upstream.
sky2_phy_reinit is called by the ethtool helpers sky2_set_settings,
sky2_nway_reset and sky2_set_pauseparam when netif_running.
However, at the end of sky2_phy_init GM_GP_CTRL has GM_GPCR_RX_ENA and
GM_GPCR_TX_ENA cleared. So, doing these commands causes the device to
stop working:
$ ethtool -r eth0
$ ethtool -A eth0 autoneg off
Fix this issue by enabling Rx/Tx after running sky2_phy_init in
sky2_phy_reinit.
Signed-off-by: Brandon Philips <bphilips@suse.de>
Tested-by: Brandon Philips <bphilips@suse.de>
Cc: stable@kernel.org
Tested-by: Mike McCormack <mikem@ring3k.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Florian Fainelli [Sun, 20 Jun 2010 22:07:48 +0000 (22:07 +0000)]
cpmac: do not leak struct net_device on phy_connect errors
commit
ed770f01360b392564650bf1553ce723fa46afec upstream.
If the call to phy_connect fails, we will return directly instead of freeing
the previously allocated struct net_device.
Signed-off-by: Florian Fainelli <florian@openwrt.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Luke Yelavich [Tue, 22 Jun 2010 01:04:19 +0000 (11:04 +1000)]
ALSA: hda - Add Macbook 5,2 quirk
commit
3bfea98ff73d377ffce0d4c7f938b7ef958cdb35 upstream.
BugLink: https://bugs.launchpad.net/bugs/463178
Set Macbook 5,2 (106b:4a00) hardware to use ALC885_MB5
Signed-off-by: Luke Yelavich <luke.yelavich@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
David Howells [Thu, 22 Jul 2010 11:53:18 +0000 (12:53 +0100)]
CIFS: Fix a malicious redirect problem in the DNS lookup code
commit
4c0c03ca54f72fdd5912516ad0a23ec5cf01bda7 upstream.
Fix the security problem in the CIFS filesystem DNS lookup code in which a
malicious redirect could be installed by a random user by simply adding a
result record into one of their keyrings with add_key() and then invoking a
CIFS CFS lookup [CVE-2010-2524].
This is done by creating an internal keyring specifically for the caching of
DNS lookups. To enforce the use of this keyring, the module init routine
creates a set of override credentials with the keyring installed as the thread
keyring and instructs request_key() to only install lookup result keys in that
keyring.
The override is then applied around the call to request_key().
This has some additional benefits when a kernel service uses this module to
request a key:
(1) The result keys are owned by root, not the user that caused the lookup.
(2) The result keys don't pop up in the user's keyrings.
(3) The result keys don't come out of the quota of the user that caused the
lookup.
The keyring can be viewed as root by doing cat /proc/keys:
2a0ca6c3 I----- 1 perm
1f030000 0 0 keyring .dns_resolver: 1/4
It can then be listed with 'keyctl list' by root.
# keyctl list 0x2a0ca6c3
1 key in keyring:
726766307: --alswrv 0 0 dns_resolver: foo.bar.com
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-and-Tested-by: Jeff Layton <jlayton@redhat.com>
Acked-by: Steve French <smfrench@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jeff Layton [Tue, 1 Jun 2010 20:21:01 +0000 (16:21 -0400)]
cifs: don't attempt busy-file rename unless it's in same directory
commit
ed0e3ace576d297a5c7015401db1060bbf677b94 upstream.
Busy-file renames don't actually work across directories, so we need
to limit this code to renames within the same dir.
This fixes the bug detailed here:
https://bugzilla.redhat.com/show_bug.cgi?id=591938
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jeff Layton [Wed, 16 Jun 2010 17:40:18 +0000 (13:40 -0400)]
cifs: remove bogus first_time check in NTLMv2 session setup code
commit
8a224d489454b7457105848610cfebebdec5638d upstream.
This bug appears to be the result of a cut-and-paste mistake from the
NTLMv1 code. The function to generate the MAC key was commented out, but
not the conditional above it. The conditional then ended up causing the
session setup key not to be copied to the buffer unless this was the
first session on the socket, and that made all but the first NTLMv2
session setup fail.
Fix this by removing the conditional and all of the commented clutter
that made it difficult to see.
Reported-by: Gunther Deschner <gdeschne@redhat.com>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jean Delvare [Fri, 9 Jul 2010 14:22:48 +0000 (16:22 +0200)]
hwmon: (it87) Fix in7 on IT8720F
commit
436cad2a41a40c6c32bd9152b63d17eeb1f7c99b upstream.
The IT8720F has no VIN7 pin, so VCCH should always be routed
internally to VIN7 with an internal divider. Curiously, there still
is a configuration bit to control this, which means it can be set
incorrectly. And even more curiously, many boards out there are
improperly configured, even though the IT8720F datasheet claims that
the internal routing of VCCH to VIN7 is the default setting. So we
force the internal routing in this case.
It turns out that all boards with the wrong setting are from Gigabyte,
so I suspect a BIOS bug. But it's easy enough to workaround in the
driver, so let's do it.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: Jean-Marc Spaggiari <jean-marc@spaggiari.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jean Delvare [Fri, 9 Jul 2010 14:22:49 +0000 (16:22 +0200)]
hwmon: (coretemp) Skip duplicate CPU entries
commit
d883b9f0977269d519469da72faec6a7f72cb489 upstream.
On hyper-threaded CPUs, each core appears twice in the CPU list. Skip
the second entry to avoid duplicate sensors.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Acked-by: Huaxu Wan <huaxu.wan@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jean Delvare [Fri, 9 Jul 2010 14:22:51 +0000 (16:22 +0200)]
hwmon: (coretemp) Properly label the sensors
commit
3f4f09b4be35d38d6e2bf22c989443e65e70fc4c upstream.
Don't assume that CPU entry number and core ID always match. It
worked in the simple cases (single CPU, no HT) but fails on
multi-CPU systems.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Acked-by: Huaxu Wan <huaxu.wan@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Andreas Herrmann [Fri, 9 Jul 2010 14:22:47 +0000 (16:22 +0200)]
hwmon: (k8temp) Fix temperature reporting for ASB1 processor revisions
commit
d535bad90dad4eb42ec6528043fcfb53627d4f89 upstream.
Reported temperature for ASB1 CPUs is too high.
Add ASB1 CPU revisions (these are also non-desktop variants) to the
list of CPUs for which the temperature fixup is not required.
Example: (from LENOVO ThinkPad Edge 13, 01972NG, system was idle)
Current kernel reports
$ sensors
k8temp-pci-00c3
Adapter: PCI adapter
Core0 Temp: +74.0 C
Core0 Temp: +70.0 C
Core1 Temp: +69.0 C
Core1 Temp: +70.0 C
With this patch I have
$ sensors
k8temp-pci-00c3
Adapter: PCI adapter
Core0 Temp: +54.0 C
Core0 Temp: +51.0 C
Core1 Temp: +48.0 C
Core1 Temp: +49.0 C
Cc: Rudolf Marek <r.marek@assembler.cz>
Signed-off-by: Andreas Herrmann <andreas.herrmann3@amd.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jean Delvare [Sun, 20 Jun 2010 07:22:32 +0000 (09:22 +0200)]
hwmon: (k8temp) Bypass core swapping on single-core processors
commit
cd4de21f7e65a8cd04860f5661b3c18648ee52a1 upstream.
Commit
a2e066bba2aad6583e3ff648bf28339d6c9f0898 introduced core
swapping for CPU models 64 and later. I recently had a report about
a Sempron 3200+, model 95, for which this patch broke temperature
reading. It happens that this is a single-core processor, so the
effect of the swapping was to read a temperature value for a core
that didn't exist, leading to an incorrect value (-49 degrees C.)
Disabling core swapping on singe-core processors should fix this.
Additional comment from Andreas:
The BKDG says
Thermal Sensor Core Select (ThermSenseCoreSel)-Bit 2. This bit
selects the CPU whose temperature is reported in the CurTemp
field. This bit only applies to dual core processors. For
single core processors CPU0 Thermal Sensor is always selected.
k8temp_probe() correctly detected that SEL_CORE can't be used on single
core CPU. Thus k8temp did never update the temperature values stored
in temp[1][x] and -49 degrees was reported. For single core CPUs we
must use the values read into temp[0][x].
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Tested-by: Rick Moritz <rhavin@gmx.net>
Acked-by: Andreas Herrmann <andreas.herrmann3@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Christoph Fritz [Sun, 11 Jul 2010 23:26:15 +0000 (18:26 -0500)]
ssb: Handle Netbook devices where the SPROM address is changed
For some Netbook computers with Broadcom BCM4312 wireless interfaces,
the SPROM has been moved to a new location. When the ssb driver tries to
read the old location, the systems hangs when trying to read a
non-existent location. Such freezes are particularly bad as they do not
log the failure.
This patch is modified from commit
da1fdb02d9200ff28b6f3a380d21930335fe5429 with some pieces from other
mainline changes so that it can be applied to stable 2.6.34.Y.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Michael S. Tsirkin [Thu, 24 Jun 2010 04:49:06 +0000 (22:49 -0600)]
virtio-pci: disable msi at startup
commit
b03214d559471359e2a85ae256686381d0672f29 upstream.
virtio-pci resets the device at startup by writing to the status
register, but this does not clear the pci config space,
specifically msi enable status which affects register
layout.
This breaks things like kdump when they try to use e.g. virtio-blk.
Fix by forcing msi off at startup. Since pci.c already has
a routine to do this, we export and use it instead of duplicating code.
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Tested-by: Vivek Goyal <vgoyal@redhat.com>
Acked-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Cc: linux-pci@vger.kernel.org
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Greg Kroah-Hartman [Mon, 5 Jul 2010 18:14:00 +0000 (11:14 -0700)]
Linux 2.6.32.16
Wei Yongjun [Tue, 18 May 2010 05:51:58 +0000 (22:51 -0700)]
sctp: fix append error cause to ERROR chunk correctly
commit
2e3219b5c8a2e44e0b83ae6e04f52f20a82ac0f2 upstream.
commit
5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809
sctp: Fix skb_over_panic resulting from multiple invalid \
parameter errors (CVE-2010-1173) (v4)
cause 'error cause' never be add the the ERROR chunk due to
some typo when check valid length in sctp_init_cause_fixed().
Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Reviewed-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Ben Hutchings [Fri, 19 Mar 2010 23:59:19 +0000 (16:59 -0700)]
qla2xxx: Disable MSI on qla24xx chips other than QLA2432.
commit
6377a7ae1ab82859edccdbc8eaea63782efb134d upstream.
On specific platforms, MSI is unreliable on some of the QLA24xx chips, resulting
in fatal I/O errors under load, as reported in <http://bugs.debian.org/572322>
and by some RHEL customers.
Signed-off-by: Giridhar Malavali <giridhar.malavali@qlogic.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Cc: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Toshiyuki Okajima [Fri, 30 Apr 2010 13:32:13 +0000 (14:32 +0100)]
KEYS: find_keyring_by_name() can gain access to a freed keyring
commit
cea7daa3589d6b550546a8c8963599f7c1a3ae5c upstream.
find_keyring_by_name() can gain access to a keyring that has had its reference
count reduced to zero, and is thus ready to be freed. This then allows the
dead keyring to be brought back into use whilst it is being destroyed.
The following timeline illustrates the process:
|(cleaner) (user)
|
| free_user(user) sys_keyctl()
| | |
| key_put(user->session_keyring) keyctl_get_keyring_ID()
| || //=> keyring->usage = 0 |
| |schedule_work(&key_cleanup_task) lookup_user_key()
| || |
| kmem_cache_free(,user) |
| . |[KEY_SPEC_USER_KEYRING]
| . install_user_keyrings()
| . ||
| key_cleanup() [<= worker_thread()] ||
| | ||
| [spin_lock(&key_serial_lock)] |[mutex_lock(&key_user_keyr..mutex)]
| | ||
| atomic_read() == 0 ||
| |{ rb_ease(&key->serial_node,) } ||
| | ||
| [spin_unlock(&key_serial_lock)] |find_keyring_by_name()
| | |||
| keyring_destroy(keyring) ||[read_lock(&keyring_name_lock)]
| || |||
| |[write_lock(&keyring_name_lock)] ||atomic_inc(&keyring->usage)
| |. ||| *** GET freeing keyring ***
| |. ||[read_unlock(&keyring_name_lock)]
| || ||
| |list_del() |[mutex_unlock(&key_user_k..mutex)]
| || |
| |[write_unlock(&keyring_name_lock)] ** INVALID keyring is returned **
| | .
| kmem_cache_free(,keyring) .
| .
| atomic_dec(&keyring->usage)
v *** DESTROYED ***
TIME
If CONFIG_SLUB_DEBUG=y then we may see the following message generated:
=============================================================================
BUG key_jar: Poison overwritten
-----------------------------------------------------------------------------
INFO: 0xffff880197a7e200-0xffff880197a7e200. First byte 0x6a instead of 0x6b
INFO: Allocated in key_alloc+0x10b/0x35f age=25 cpu=1 pid=5086
INFO: Freed in key_cleanup+0xd0/0xd5 age=12 cpu=1 pid=10
INFO: Slab 0xffffea000592cb90 objects=16 used=2 fp=0xffff880197a7e200 flags=0x200000000000c3
INFO: Object 0xffff880197a7e200 @offset=512 fp=0xffff880197a7e300
Bytes b4 0xffff880197a7e1f0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ
Object 0xffff880197a7e200: 6a 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b jkkkkkkkkkkkkkkk
Alternatively, we may see a system panic happen, such as:
BUG: unable to handle kernel NULL pointer dereference at
0000000000000001
IP: [<
ffffffff810e61a3>] kmem_cache_alloc+0x5b/0xe9
PGD
6b2b4067 PUD
6a80d067 PMD 0
Oops: 0000 [#1] SMP
last sysfs file: /sys/kernel/kexec_crash_loaded
CPU 1
...
Pid: 31245, comm: su Not tainted 2.6.34-rc5-nofixed-nodebug #2 D2089/PRIMERGY
RIP: 0010:[<
ffffffff810e61a3>] [<
ffffffff810e61a3>] kmem_cache_alloc+0x5b/0xe9
RSP: 0018:
ffff88006af3bd98 EFLAGS:
00010002
RAX:
0000000000000000 RBX:
0000000000000001 RCX:
ffff88007d19900b
RDX:
0000000100000000 RSI:
00000000000080d0 RDI:
ffffffff81828430
RBP:
ffffffff81828430 R08:
ffff88000a293750 R09:
0000000000000000
R10:
0000000000000001 R11:
0000000000100000 R12:
00000000000080d0
R13:
00000000000080d0 R14:
0000000000000296 R15:
ffffffff810f20ce
FS:
00007f97116bc700(0000) GS:
ffff88000a280000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
CR2:
0000000000000001 CR3:
000000006a91c000 CR4:
00000000000006e0
DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
DR3:
0000000000000000 DR6:
00000000ffff0ff0 DR7:
0000000000000400
Process su (pid: 31245, threadinfo
ffff88006af3a000, task
ffff8800374414c0)
Stack:
0000000512e0958e 0000000000008000 ffff880037f8d180 0000000000000001
0000000000000000 0000000000008001 ffff88007d199000 ffffffff810f20ce
0000000000008000 ffff88006af3be48 0000000000000024 ffffffff810face3
Call Trace:
[<
ffffffff810f20ce>] ? get_empty_filp+0x70/0x12f
[<
ffffffff810face3>] ? do_filp_open+0x145/0x590
[<
ffffffff810ce208>] ? tlb_finish_mmu+0x2a/0x33
[<
ffffffff810ce43c>] ? unmap_region+0xd3/0xe2
[<
ffffffff810e4393>] ? virt_to_head_page+0x9/0x2d
[<
ffffffff81103916>] ? alloc_fd+0x69/0x10e
[<
ffffffff810ef4ed>] ? do_sys_open+0x56/0xfc
[<
ffffffff81008a02>] ? system_call_fastpath+0x16/0x1b
Code: 0f 1f 44 00 00 49 89 c6 fa 66 0f 1f 44 00 00 65 4c 8b 04 25 60 e8 00 00 48 8b 45 00 49 01 c0 49 8b 18 48 85 db 74 0d 48 63 45 18 <48> 8b 04 03 49 89 00 eb 14 4c 89 f9 83 ca ff 44 89 e6 48 89 ef
RIP [<
ffffffff810e61a3>] kmem_cache_alloc+0x5b/0xe9
This problem is that find_keyring_by_name does not confirm that the keyring is
valid before accepting it.
Skipping keyrings that have been reduced to a zero count seems the way to go.
To this end, use atomic_inc_not_zero() to increment the usage count and skip
the candidate keyring if that returns false.
The following script _may_ cause the bug to happen, but there's no guarantee
as the window of opportunity is small:
#!/bin/sh
LOOP=100000
USER=dummy_user
/bin/su -c "exit;" $USER || { /usr/sbin/adduser -m $USER; add=1; }
for ((i=0; i<LOOP; i++))
do
/bin/su -c "echo '$i' > /dev/null" $USER
done
(( add == 1 )) && /usr/sbin/userdel -r $USER
exit
Note that the nominated user must not be in use.
An alternative way of testing this may be:
for ((i=0; i<100000; i++))
do
keyctl session foo /bin/true || break
done >&/dev/null
as that uses a keyring named "foo" rather than relying on the user and
user-session named keyrings.
Reported-by: Toshiyuki Okajima <toshi.okajima@jp.fujitsu.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Toshiyuki Okajima <toshi.okajima@jp.fujitsu.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Signed-off-by: James Morris <jmorris@namei.org>
Cc: Ben Hutchings <ben@decadent.org.uk>
Cc: Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dan Carpenter [Mon, 17 May 2010 13:42:35 +0000 (14:42 +0100)]
KEYS: Return more accurate error codes
commit
4d09ec0f705cf88a12add029c058b53f288cfaa2 upstream.
We were using the wrong variable here so the error codes weren't being returned
properly. The original code returns -ENOKEY.
Signed-off-by: Dan Carpenter <error27@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Mikulas Patocka [Thu, 10 Dec 2009 23:52:08 +0000 (23:52 +0000)]
dm snapshot: simplify sector_to_chunk expression
commit
102c6ddb1d081a6a1fede38c43a42c9811313ec7 upstream.
Removed unnecessary 'and' masking: The right shift discards the lower
bits so there is no need to clear them.
(A later patch needs this change to support a 32-bit chunk_mask.)
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Reviewed-by: Mike Snitzer <snitzer@redhat.com>
Reviewed-by: Jonathan Brassow <jbrassow@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Helge Deller [Mon, 3 May 2010 20:44:21 +0000 (20:44 +0000)]
parisc: clear floating point exception flag on SIGFPE signal
commit
550f0d922286556c7ea43974bb7921effb5a5278 upstream.
Clear the floating point exception flag before returning to
user space. This is needed, else the libc trampoline handler
may hit the same SIGFPE again while building up a trampoline
to a signal handler.
Fixes debian bug #559406.
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Kyle McMartin <kyle@mcmartin.ca>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Yin Kangkai [Tue, 15 Dec 2009 22:48:25 +0000 (14:48 -0800)]
jbd: jbd-debug and jbd2-debug should be writable
commit
765f8361902d015c864d5e62019b2f139452d7ef upstream.
jbd-debug and jbd2-debug is currently read-only (S_IRUGO), which is not
correct. Make it writable so that we can start debuging.
Signed-off-by: Yin Kangkai <kangkai.yin@intel.com>
Reviewed-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Jan Kara <jack@suse.cz>
Cc: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
projects / firefly-linux-kernel-4.4.55.git / log