Benoit Goby [Wed, 5 Jan 2011 02:59:42 +0000 (18:59 -0800)]
usb: host: tegra: Fix enumeration after lp0
Fix enumeration when a device is plugged while the host is in lp0 state.
Change-Id: Idb491f347172daac8a5603ed098b422b15cc534e
Signed-off-by: Benoit Goby <benoit@android.com>
Benoit Goby [Wed, 5 Jan 2011 01:40:30 +0000 (17:40 -0800)]
usb: host: tegra: Fix a possible int storm on resume from lp0
usbcore will reenable usb interrupts later once the bus has been
resumed.
Change-Id: If78088bc86710f50293d84234d764655f4bba979
Signed-off-by: Benoit Goby <benoit@android.com>
Ari Hirvonen [Thu, 30 Dec 2010 13:27:28 +0000 (15:27 +0200)]
video: tegra: fix three overlay window blending
Change-Id: I36e2540b5b98817b87efbe4ca2b1f4d4f19ceba4
Signed-off-by: Michael I. Gold <gold@nvidia.com>
Ari Hirvonen [Thu, 30 Dec 2010 13:18:18 +0000 (15:18 +0200)]
video: tegra: fix typo from register header
Change-Id: Ifa7b454791f2d32cd1d12a8930890e061e835ef6
Signed-off-by: Michael I. Gold <gold@nvidia.com>
Colin Cross [Thu, 30 Dec 2010 05:15:12 +0000 (21:15 -0800)]
i2c: i2c-tegra: Return error code on partial master_xfer transfer
It is unclear what the correct return value is when
master_xfer gets an error part way through a set of
messages, but other drivers seem to return the error
code of the individual failed message instead of
the number of successful messages. Convert the Tegra
i2c driver to do the same.
Change-Id: Iacda4b6d7591bfe644b93564b93356a0cda3134f
Signed-off-by: Colin Cross <ccross@android.com>
Colin Cross [Thu, 30 Dec 2010 04:45:10 +0000 (20:45 -0800)]
ARM: smp_twd: Use cpufreq notifiers to update prescalers
Change-Id: I957d5ca8580d4e7a98fb9fc754ca8f00133940d9
Signed-off-by: Colin Cross <ccross@android.com>
Colin Cross [Thu, 30 Dec 2010 04:43:50 +0000 (20:43 -0800)]
ARM: tegra: cpufreq: Remove direct calls to localtimer
The localtimer code will use a cpufreq notifier to update
the prescalers.
Change-Id: Ie0587d7eaec628ff11bf40636f78597574cd63ec
Signed-off-by: Colin Cross <ccross@android.com>
Colin Cross [Thu, 30 Dec 2010 03:51:35 +0000 (19:51 -0800)]
ARM: smp_twd: Avoid recalibrating local timer
Change-Id: I10af3139ecd0dc1ef54e7a8e5258ee6fb29bfb0c
Signed-off-by: Colin Cross <ccross@android.com>
Todd Poynor [Tue, 21 Dec 2010 19:12:31 +0000 (11:12 -0800)]
ARM: tegra: cpufreq thermal throttling cleanups
Various review feedback, including:
Keep a global throttling index that specifies a ceiling CPU speed, lowered by one
at each delay interval (while the temperature alarm continues to be signalled).
Avoid lowering the throttle too far based on a transitory lowering of speed
requested by the governor.
Restore governor-requested speed when throttling turned off.
Add cpufreq sysfs attribute for checking throttling state.
Make throttling workqueue high-priority.
Cosmetic changes.
Change-Id: I068bf32115927fa61282f17f4a8798f2aee0b530
Signed-off-by: Todd Poynor <toddpoynor@google.com>
Colin Cross [Tue, 28 Dec 2010 22:54:10 +0000 (14:54 -0800)]
ARM: tegra: clock: Add function to set SDMMC tap delay
The SDMMC controllers have extra bits in the clock source
register that adjust the delay between the clock and data
to compenstate for delays on the PCB. The values need to
be set from the clock code so the clock can be locked
during the read-modify-write on the clock source register.
Change-Id: Id25b7cc01fa4ec48478b60aefdf5e59bb040fbf2
Signed-off-by: Colin Cross <ccross@android.com>
Varun Wadekar [Mon, 27 Dec 2010 12:47:35 +0000 (18:17 +0530)]
crypto: tegra-aes: reduce ivsize to 16 bytes and priority to 100
Change-Id: I6f5a7107d1140cf67f6029111cb4df312ac1183c
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Varun Wadekar [Mon, 27 Dec 2010 06:53:47 +0000 (12:23 +0530)]
crypto: tegra-aes: initialise bsev/vde clocks per operation
Change-Id: Iaddea9ba9d3bee9c987776f37225dee483684274
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Varun Wadekar [Mon, 27 Dec 2010 10:04:59 +0000 (15:34 +0530)]
[ARM] tegra: clocks: add clock entry for bsev
Change-Id: I7ec657c30b84c65705b38a390bdc44b64cd5ea36
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Benoit Goby [Tue, 28 Dec 2010 23:33:49 +0000 (15:33 -0800)]
usb: ehci: tegra: Don't change the hcd state on restart
usbcore will change it once the bus has been resumed. This fixes
the "hub 3-0:1.0: activate --> -22" error on resume.
Change-Id: Icff283a60634b4d003e77aafb5a5127d415cbd3f
Signed-off-by: Benoit Goby <benoit@android.com>
Benoit Goby [Sat, 18 Dec 2010 01:25:12 +0000 (17:25 -0800)]
ARM: tegra: usb_phy: Use utmi_phy_preresume for usb1 too
This prevents disconnects on resume.
Change-Id: I16a9e826df0d6c992e0e4480d38badba6cc9dfec
Signed-off-by: Benoit Goby <benoit@android.com>
Colin Cross [Wed, 22 Dec 2010 02:34:37 +0000 (18:34 -0800)]
Merge commit 'v2.6.36.2' into linux-tegra-2.6.36
Varun Wadekar [Wed, 8 Dec 2010 12:51:59 +0000 (18:21 +0530)]
[ARM] tegra: ventana: remove pda-power device
pda-power is only needed on pdas and phones.
Change-Id: I46a668cc0ee3f4b23c63de48251591cf4a8f99e8
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Todd Poynor [Mon, 20 Dec 2010 23:53:54 +0000 (15:53 -0800)]
ARM: tegra: cpufreq: Change function signature for CPU speed throttling
The NCT1008 driver is now passed a function pointer from the board
file's platform data to be called when alarms are asserted or
deasserted. Switch to a single function for throttling
enable/disable suitable for calling via the temperature alarm
callback.
Change-Id: Ic0eb1566a68e151216e26dfb6ed6f4bc7a273ddb
Signed-off-by: Todd Poynor <toddpoynor@google.com>
Todd Poynor [Sat, 18 Dec 2010 03:36:23 +0000 (19:36 -0800)]
ARM: tegra: Make CPU thermal throttling configurable
Based on work by Dmitriy Gruzman and Varun Wadekar.
Change-Id: I64d765628223b7ef1ec493b9e409ea11e9391b94
Signed-off-by: Todd Poynor <toddpoynor@google.com>
Stephen Warren [Thu, 9 Dec 2010 17:30:11 +0000 (10:30 -0700)]
mfd: Remove tps6586x device ID check
... and convert it to a dev_info print at probe time.
There are many variants of this chip with different values of VERSIONCRC.
The set of values is large, and not useful to enumerate. All are SW
compatible. The difference lies in default settings of the various power
rails, and other similar differences. The driver, or clients of the
driver, shouldn't be affected by this, since all rails should be
programmed into the desired state in all cases for correct operation.
Derived-from-code-by: Andrew Chew <achew@nvidia.com>
Signed-off-by: Stephen Warren <swarren@nvidia.com>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Andrew Chew [Tue, 19 Oct 2010 09:08:36 +0000 (11:08 +0200)]
mfd: Add TPS658621C device ID
The interface for this device should be identical to that of the
TPS658521A.
Signed-off-by: Andrew Chew <achew@nvidia.com>
Acked-by: Mike Rapoport <mike@compulab.co.il>
Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
Rebecca Schultz Zavin [Fri, 17 Dec 2010 23:06:38 +0000 (15:06 -0800)]
video: tegra: nvmap: Add logging to some error conditions
Change-Id: I1ec34fd4a6bb21a6d84912a7228c209f459261be
Signed-off-by: Rebecca Schultz Zavin <rebecca@android.com>
Colin Cross [Thu, 16 Dec 2010 20:51:22 +0000 (12:51 -0800)]
crypto: tegra-aes: Disable clock at end of probe
Change-Id: Ie5b98b705a7ec70782df5dc0aec69438b699661c
Signed-off-by: Colin Cross <ccross@android.com>
Varun Wadekar [Sun, 17 Oct 2010 00:44:37 +0000 (06:14 +0530)]
[ARM] tegra: ventana: register AES device
Change-Id: I5badd8d4967d7a98439b6f4b5d1329b28ee0c2d4
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Varun Wadekar [Sun, 17 Oct 2010 00:40:43 +0000 (06:10 +0530)]
[ARM] tegra: add aes to devices.c
Change-Id: Id13075009d785e784ae6bd0feb9b29f3fa7184df
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Varun Wadekar [Mon, 18 Oct 2010 11:29:31 +0000 (16:59 +0530)]
crypto: driver for tegra AES hardware
driver supports ecb/cbc/ansi_x9.31rng modes, 128, 192 and 256-bit key sizes
and encrypt/decrypt using ssk.
Change-Id: I63e03ead5b53adc5e44cf5b60f9f700dea2a2e61
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Varun Wadekar [Fri, 15 Oct 2010 17:12:14 +0000 (22:42 +0530)]
ARM: tegra: hardware arbitration semaphore support
add apis to use the hardware arbitration semaphores in order
to share hardware modules between kernel drivers and AVP
firmware (e.g., the BSEA (audio bitstream) engine and
AES block)
Change-Id: I500ef0797223bc702151ad14e0e2156f50644a2a
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Varun Wadekar [Wed, 10 Nov 2010 12:51:21 +0000 (18:21 +0530)]
ARM: tegra: duplicate vde clock for aes in tegra2_clocks
Change-Id: If5ad2bfe767c7c43e83fd78ac1cb3d9c62fe785d
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Varun Wadekar [Fri, 15 Oct 2010 17:04:33 +0000 (22:34 +0530)]
ARM: tegra: add VDE and arb semaphores to iomap.h
Change-Id: Ic47b80d1c7fdf04305afbea4b34d6c9e9c9304ad
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Erik Gilling [Tue, 14 Dec 2010 04:51:43 +0000 (20:51 -0800)]
video: tegra: fix HDMI audio programming
This was causing the Onkyo TXNR708 to drop out audio.
Change-Id: I9b9fd782d39d60c3207ea140a94d074b1338c7fa
Signed-off-by: Erik Gilling <konkers@android.com>
Jay Cheng [Tue, 7 Dec 2010 15:15:32 +0000 (10:15 -0500)]
usb: host: tegra: Remove clear PORT_RESUME to clear PORT_SUSPEND
PORT_SUSPEND bit will be cleared by the host controller when PORT_RESUME
change to 0.
Change-Id: I94a72f51be1cebee414f11ace89a7e8b3249278d
Signed-off-by: Jay Cheng <jacheng@nvidia.com>
Varun Wadekar [Tue, 23 Nov 2010 14:33:02 +0000 (20:03 +0530)]
tegra: video: host: fix race condition in hostintr wait list
Change-Id: I5e58f5fe8935741441e2b30f585bb997b6317d3d
Author: Alex Frid <afrid@nvidia.com>
Signed-off-by: Varun Wadekar <vwadekar@nvidia.com>
Greg Kroah-Hartman [Thu, 9 Dec 2010 22:17:27 +0000 (14:17 -0800)]
Linux 2.6.36.2
Linus Torvalds [Mon, 29 Nov 2010 00:27:19 +0000 (16:27 -0800)]
Un-inline get_pipe_info() helper function
commit
72083646528d4887b920deb71b37e09bc7d227bb upstream.
This avoids some include-file hell, and the function isn't really
important enough to be inlined anyway.
Reported-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Linus Torvalds [Sun, 28 Nov 2010 22:09:57 +0000 (14:09 -0800)]
Export 'get_pipe_info()' to other users
commit
c66fb347946ebdd5b10908866ecc9fa05ee2cf3d upstream.
And in particular, use it in 'pipe_fcntl()'.
The other pipe functions do not need to use the 'careful' version, since
they are only ever called for things that are already known to be pipes.
The normal read/write/ioctl functions are called through the file
operations structures, so if a file isn't a pipe, they'd never get
called. But pipe_fcntl() is special, and called directly from the
generic fcntl code, and needs to use the same careful function that the
splice code is using.
Cc: Jens Axboe <jaxboe@fusionio.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dave Jones <davej@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Linus Torvalds [Sun, 28 Nov 2010 21:56:09 +0000 (13:56 -0800)]
Rename 'pipe_info()' to 'get_pipe_info()'
commit
71993e62a47dabddf10302807d6aa260455503f4 upstream.
.. and change it to take the 'file' pointer instead of an inode, since
that's what all users want anyway.
The renaming is preparatory to exporting it to other users. The old
'pipe_info()' name was too generic and is already used elsewhere, so
before making the function public we need to use a more specific name.
Cc: Jens Axboe <jaxboe@fusionio.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dave Jones <davej@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Heiko Carstens [Thu, 25 Nov 2010 08:52:45 +0000 (09:52 +0100)]
nmi: fix clock comparator revalidation
commit
e8129c642155616d9e2160a75f103e127c8c3708 upstream.
On each machine check all registers are revalidated. The save area for
the clock comparator however only contains the upper most seven bytes
of the former contents, if valid.
Therefore the machine check handler uses a store clock instruction to
get the current time and writes that to the clock comparator register
which in turn will generate an immediate timer interrupt.
However within the lowcore the expected time of the next timer
interrupt is stored. If the interrupt happens before that time the
handler won't be called. In turn the clock comparator won't be
reprogrammed and therefore the interrupt condition stays pending which
causes an interrupt loop until the expected time is reached.
On NOHZ machines this can result in unresponsive machines since the
time of the next expected interrupted can be a couple of days in the
future.
To fix this just revalidate the clock comparator register with the
expected value.
In addition the special handling for udelay must be changed as well.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Shan Wei [Fri, 12 Nov 2010 00:15:25 +0000 (00:15 +0000)]
r8169: fix checksum broken
commit
d5d3ebe3be5c5123f2d444e186717f45284151e2 upstream.
If r8196 received packets with invalid sctp/igmp(not tcp, udp) checksum, r8196 set skb->ip_summed
wit CHECKSUM_UNNECESSARY. This cause that upper protocol don't check checksum field.
I am not family with r8196 driver. I try to guess the meaning of RxProtoIP and IPFail.
RxProtoIP stands for received IPv4 packet that upper protocol is not tcp and udp.
!(opts1 & IPFail) is true means that driver correctly to check checksum in IPv4 header.
If it's right, I think we should not set ip_summed wit CHECKSUM_UNNECESSARY for my sctp packets
with invalid checksum.
If it's not right, please tell me.
Signed-off-by: Shan Wei <shanwei@cn.fujitsu.com>
Acked-by: Francois Romieu <romieu@fr.zoreil.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
françois romieu [Mon, 8 Nov 2010 13:23:05 +0000 (13:23 +0000)]
r8169: revert "Handle rxfifo errors on 8168 chips"
commit
53f57357ff0afc37804f4e82ee3123e0c0a2cad6 upstream.
The original patch helps under obscure conditions (no pun) but
some 8168 do not like it. The change needs to be tightened with
a specific 8168 version.
This reverts commit
801e147cde02f04b5c2f42764cd43a89fc7400a2
("r8169: Handle rxfifo errors on 8168 chips").
Regression at https://bugzilla.kernel.org/show_bug.cgi?id=20882
Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Tested-by: Andreas Radke <a.radke@arcor.de>
Cc: Matthew Garrett <mjg@redhat.com>
Cc: Daniel J Blueman <daniel.blueman@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Stanislaw Gruszka [Wed, 20 Oct 2010 22:25:42 +0000 (22:25 +0000)]
r8169: (re)init phy on resume
commit
fccec10b33503a2b1197c8e7a3abd30443bedb08 upstream.
Fix switching device to low-speed mode after resume reported in:
https://bugzilla.redhat.com/show_bug.cgi?id=502974
Reported-and-tested-by: Laurentiu Badea <bugzilla-redhat@wotevah.com>
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Francois Romieu <romieu@fr.zoreil.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Eric Dumazet [Mon, 6 Sep 2010 03:04:05 +0000 (20:04 -0700)]
r8169: fix rx checksum offload
commit
adea1ac7effbddbe60a9de6d63462bfe79289e59 upstream.
While porting GRO to r8169, I found this driver has a bug in its rx
path.
All skbs given to network stack had their ip_summed set to
CHECKSUM_NONE, while hardware said they had correct TCP/UDP checksums.
The reason is driver sets skb->ip_summed on the original skb before the
copy eventually done by copybreak. The fresh skb gets the ip_summed =
CHECKSUM_NONE value, forcing network stack to recompute checksum, and
preventing my GRO patch to work.
Fix is to make the ip_summed setting after skb copy.
Note : rx_copybreak current value is 16383, so all frames are copied...
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Francois Romieu <romieu@fr.zoreil.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Hans Verkuil [Sun, 17 Oct 2010 10:24:20 +0000 (07:24 -0300)]
msp3400: fix mute audio regression
commit
0310871d8f71da4ad8643687fbc40f219a0dac4d upstream.
The switch to the new control framework caused a regression where the audio was
no longer unmuted after the carrier scan finished.
The original code attempted to set the volume control to its current value in
order to have the set-volume control code to be called that handles the volume
and muting. However, the framework will not call that code unless the new volume
value is different from the old.
Instead we now call msp_s_ctrl directly.
It is a bit of a hack: we really need a v4l2_ctrl_refresh_ctrl function for this
(or something along those lines).
Thanks to Andy Walls for bisecting this and to Shane Shrybman for reporting it!
Reported-by: Shane Shrybman <shrybman@teksavvy.com>
Thanks-to: Andy Walls <awalls@md.metrocast.net>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Chad Dupuis [Fri, 15 Oct 2010 18:27:40 +0000 (11:27 -0700)]
qla2xxx: Add module parameter to enable/disable GFF_ID device type check.
commit
4da26e162b69d89c3186a35a052c05e61a555637 upstream.
Add the module parameter ql2xgffidenable to disable/enable the use of the
GFF_ID name server command to prevent non FCP SCSI devices from being added to
the driver's internal fc_port database.
Signed-off-by: Chad Dupuis <chad.dupuis@qlogic.com>
Signed-off-by: Madhuranath Iyengar <Madhu.Iyengar@qlogic.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Luis R. Rodriguez [Sat, 13 Nov 2010 00:31:23 +0000 (16:31 -0800)]
cfg80211: fix extension channel checks to initiate communication
commit
9236d838c920e90708570d9bbd7bb82d30a38130 upstream.
When operating in a mode that initiates communication and using
HT40 we should fail if we cannot use both primary and secondary
channels to initiate communication. Our current ht40 allowmap
only covers STA mode of operation, for beaconing modes we need
a check on the fly as the mode of operation is dynamic and
there other flags other than disable which we should read
to check if we can initiate communication.
Do not allow for initiating communication if our secondary HT40
channel has is either disabled, has a passive scan flag, a
no-ibss flag or is a radar channel. Userspace now has similar
checks but this is also needed in-kernel.
Reported-by: Jouni Malinen <jouni.malinen@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dan Rosenberg [Wed, 17 Nov 2010 06:37:16 +0000 (06:37 +0000)]
rds: Integer overflow in RDS cmsg handling
commit
218854af84038d828a32f061858b1902ed2beec6 upstream.
In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
restricted to less than UINT_MAX. This seems to need a tighter upper
bound, since the calculation of total iov_size can overflow, resulting
in a small sock_kmalloc() allocation. This would probably just result
in walking off the heap and crashing when calling rds_rdma_pages() with
a high count value. If it somehow doesn't crash here, then memory
corruption could occur soon after.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Phil Blundell [Wed, 24 Nov 2010 19:51:47 +0000 (11:51 -0800)]
econet: fix CVE-2010-3848
commit
a27e13d370415add3487949c60810e36069a23a6 upstream.
Don't declare variable sized array of iovecs on the stack since this
could cause stack overflow if msg->msgiovlen is large. Instead, coalesce
the user-supplied data into a new buffer and use a single iovec for it.
Signed-off-by: Phil Blundell <philb@gnu.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Phil Blundell [Wed, 24 Nov 2010 19:49:53 +0000 (11:49 -0800)]
econet: fix CVE-2010-3850
commit
16c41745c7b92a243d0874f534c1655196c64b74 upstream.
Add missing check for capable(CAP_NET_ADMIN) in SIOCSIFADDR operation.
Signed-off-by: Phil Blundell <philb@gnu.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Phil Blundell [Wed, 24 Nov 2010 19:49:19 +0000 (11:49 -0800)]
econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849
commit
fa0e846494792e722d817b9d3d625a4ef4896c96 upstream.
Later parts of econet_sendmsg() rely on saddr != NULL, so return early
with EINVAL if NULL was passed otherwise an oops may occur.
Signed-off-by: Phil Blundell <philb@gnu.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Sergey Senozhatsky [Thu, 28 Oct 2010 01:30:04 +0000 (21:30 -0400)]
ext4: fix NULL pointer dereference in print_daily_error_info()
commit
a1c6c5698d53db4c47a25c3a8d11731a4d7b8370 upstream.
Fix NULL pointer dereference in print_daily_error_info, when
called on unmounted fs (EXT4_SB(sb) returns NULL), by removing error
reporting timer in ext4_put_super.
Google-Bug-Id:
3017663
Signed-off-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Cc: Thomas Meyer <thomas@m3y3r.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Herbert Xu [Thu, 4 Nov 2010 18:38:39 +0000 (14:38 -0400)]
crypto: padlock - Fix AES-CBC handling on odd-block-sized input
commit
c054a076a1bd4731820a9c4d638b13d5c9bf5935 upstream.
On certain VIA chipsets AES-CBC requires the input/output to be
a multiple of 64 bytes. We had a workaround for this but it was
buggy as it sent the whole input for processing when it is meant
to only send the initial number of blocks which makes the rest
a multiple of 64 bytes.
As expected this causes memory corruption whenever the workaround
kicks in.
Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dan Rosenberg [Fri, 12 Nov 2010 20:44:42 +0000 (12:44 -0800)]
x25: Prevent crashing when parsing bad X.25 facilities
commit
5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f upstream.
Now with improved comma support.
On parsing malformed X.25 facilities, decrementing the remaining length
may cause it to underflow. Since the length is an unsigned integer,
this will result in the loop continuing until the kernel crashes.
This patch adds checks to ensure decrementing the remaining length does
not cause it to wrap around.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Oliver Hartkopp [Wed, 10 Nov 2010 12:10:30 +0000 (12:10 +0000)]
can-bcm: fix minor heap overflow
commit
0597d1b99fcfc2c0eada09a698f85ed413d4ba84 upstream.
On 64-bit platforms the ASCII representation of a pointer may be up to 17
bytes long. This patch increases the length of the buffer accordingly.
http://marc.info/?l=linux-netdev&m=
128872251418192&w=2
Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
CC: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
David S. Miller [Wed, 10 Nov 2010 18:38:24 +0000 (10:38 -0800)]
filter: make sure filters dont read uninitialized memory
commit
57fe93b374a6b8711995c2d466c502af9f3a08bb upstream.
There is a possibility malicious users can get limited information about
uninitialized stack mem array. Even if sk_run_filter() result is bound
to packet length (0 .. 65535), we could imagine this can be used by
hostile user.
Initializing mem[] array, like Dan Rosenberg suggested in his patch is
expensive since most filters dont even use this array.
Its hard to make the filter validation in sk_chk_filter(), because of
the jumps. This might be done later.
In this patch, I use a bitmap (a single long var) so that only filters
using mem[] loads/stores pay the price of added security checks.
For other filters, additional cost is a single instruction.
[ Since we access fentry->k a lot now, cache it in a local variable
and mark filter entry pointer as const. -DaveM ]
Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Arnaud Lacombe [Mon, 23 Aug 2010 16:01:24 +0000 (12:01 -0400)]
kbuild: use getopt_long(), not its _only() variant
commit
c94d3fb01fb6db1899cdf53ea4eb9d38e08a08fe upstream.
NetBSD lacks getopt_long_only() whereas getopt_long() works just fine.
Signed-off-by: Arnaud Lacombe <lacombar@gmail.com>
Acked-by: Sam Ravnborg <sam@ravnborg.org>
Signed-off-by: Michal Marek <mmarek@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jesse Gross [Mon, 8 Nov 2010 21:23:01 +0000 (13:23 -0800)]
vlan: Avoid hwaccel vlan packets when vid not used.
[This patch applies only to 2.6.36 stable. The problem was introduced
in that release and is already fixed by larger changes to the vlan
code in 2.6.37.]
Normally hardware accelerated vlan packets are quickly dropped if
there is no corresponding vlan device configured. The one exception
is promiscuous mode, where we allow all of these packets through so
they can be picked up by tcpdump. However, this behavior causes a
crash if we actually try to receive these packets. This fixes that
crash by ignoring packets with vids not corresponding to a configured
device in the vlan hwaccel routines and then dropping them before they
get to consumers in the network stack.
Reported-by: Ben Greear <greearb@candelatech.com>
Tested-by: Nikola Ciprich <extmaillist@linuxbox.cz>
Signed-off-by: Jesse Gross <jesse@nicira.com>
Acked-by: David Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
andrew hendry [Wed, 3 Nov 2010 12:54:53 +0000 (12:54 +0000)]
memory corruption in X.25 facilities parsing
commit
a6331d6f9a4298173b413cf99a40cc86a9d92c37 upstream.
Signed-of-by: Andrew Hendry <andrew.hendry@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Peter Ujfalusi [Mon, 11 Oct 2010 21:18:56 +0000 (14:18 -0700)]
OMAP3: DMA: Errata i541: sDMA FIFO draining does not finish
commit
0e4905c0199d683497833be60a428c784d7575b8 upstream.
Implement the suggested workaround for OMAP3 regarding to sDMA draining
issue, when the channel is disabled on the fly.
This errata affects the following configuration:
sDMA transfer is source synchronized
Buffering is enabled
SmartStandby is selected.
The issue can be easily reproduced by creating overrun situation while
recording audio.
Either introduce load to the CPU:
nice -19 arecord -D hw:0 -M -B 10000 -F 5000 -f dat > /dev/null & \
dd if=/dev/urandom of=/dev/null
or suspending the arecord, and resuming it:
arecord -D hw:0 -M -B 10000 -F 5000 -f dat > /dev/null
CTRL+Z; fg; CTRL+Z; fg; ...
In case of overrun audio stops DMA, and restarts it (without reseting
the sDMA channel). When we hit this errata in stop case (sDMA drain did
not complete), at the coming start the sDMA will not going to be
operational (it is still draining).
This leads to DMA stall condition.
On OMAP3 we can recover with sDMA channel reset, it has been observed
that by introducing unrelated sDMA activity might also help (reading
from MMC for example).
The same errata exists for OMAP2, where the suggestion is to disable the
buffering to avoid this type of error.
On OMAP3 the suggestion is to set sDMA to NoStandby before disabling
the channel, and wait for the drain to finish, than configure sDMA to
SmartStandby again.
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@nokia.com>
Acked-by: Jarkko Nikula <jhnikula@gmail.com>
Acked-by : Santosh Shilimkar <santosh.shilimkar@ti.com>
Acked-by : Manjunath Kondaiah G <manjugk@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jarkko Nikula [Mon, 11 Oct 2010 21:18:45 +0000 (14:18 -0700)]
omap: dma: Fix buffering disable bit setting for omap24xx
commit
3e57f1626b5febe5cc99aa6870377deef3ae03cc upstream.
An errata workaround for omap24xx is not setting the buffering disable bit
25 what is the purpose but channel enable bit 7 instead.
Background for this fix is the DMA stalling issue with ASoC omap-mcbsp
driver. Peter Ujfalusi <peter.ujfalusi@nokia.com> has found an issue in
recording that the DMA stall could happen if there were a buffer overrun
detected by ALSA and the DMA was stopped and restarted due that. This
problem is known to occur on both OMAP2420 and OMAP3. It can recover on
OMAP3 after dma free, dma request and reconfiguration cycle. However, on
OMAP2420 it seems that only way to recover is a reset.
Problem was not visible before the commit
c12abc0. That commit changed that
the McBSP transmitter/receiver is released from reset only when needed. That
is, only enabled McBSP transmitter without transmission was able to prevent
this DMA stall problem in receiving side and underlying problem did not show
up until now. McBSP transmitter itself seems to no be reason since DMA
stall does not recover by enabling the transmission after stall.
Debugging showed that there were a DMA write active during DMA stop time and
it never completed even when restarting the DMA. Experimenting showed that
the DMA buffering disable bit could be used to avoid stalling when using
source synchronized transfers. However that could have performance hit and
OMAP3 TRM states that buffering disable is not allowed for destination
synchronized transfers so subsequent patch will implement a method to
complete DMA writes when stopping.
This patch is based on assumtion that complete lock-up on OMAP2420 is
different but related problem. I don't have access to OMAP2420 errata but
I believe this old workaround here is put for a reason but unfortunately
a wrong bit was typed and problem showed up only now.
Signed-off-by: Jarkko Nikula <jhnikula@gmail.com>
Signed-off-by: Peter Ujfalusi <peter.ujfalusi@nokia.com>
Acked-by: Manjunath Kondaiah G <manjugk@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dmitry Torokhov [Thu, 4 Nov 2010 16:12:44 +0000 (09:12 -0700)]
Input: i8042 - add Sony VAIO VPCZ122GX to nomux list
[Note that the mainline will not have this particular fix but rather
will blacklist entire VAIO line based off DMI board name. For stable
I am being a bit more cautious and blacklist one particular product.]
Trying to query/activate active multiplexing mode on this VAIO makes
both keyboard and touchpad inoperable. Futher kernels will blacklist
entire VAIO line, however here we blacklist just one particular model.
Reported-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
David S. Miller [Thu, 28 Oct 2010 18:41:55 +0000 (11:41 -0700)]
net: Limit socket I/O iovec total length to INT_MAX.
commit
8acfe468b0384e834a303f08ebc4953d72fb690a upstream.
This helps protect us from overflow issues down in the
individual protocol sendmsg/recvmsg handlers. Once
we hit INT_MAX we truncate out the rest of the iovec
by setting the iov_len members to zero.
This works because:
1) For SOCK_STREAM and SOCK_SEQPACKET sockets, partial
writes are allowed and the application will just continue
with another write to send the rest of the data.
2) For datagram oriented sockets, where there must be a
one-to-one correspondance between write() calls and
packets on the wire, INT_MAX is going to be far larger
than the packet size limit the protocol is going to
check for and signal with -EMSGSIZE.
Based upon a patch by Linus Torvalds.
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Linus Torvalds [Sat, 30 Oct 2010 23:43:10 +0000 (16:43 -0700)]
net: Truncate recvfrom and sendto length to INT_MAX.
commit
253eacc070b114c2ec1f81b067d2fed7305467b0 upstream.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Kenji Kaneshige [Tue, 30 Nov 2010 08:36:08 +0000 (17:36 +0900)]
genirq: Fix incorrect proc spurious output
commit
25c9170ed64a6551beefe9315882f754e14486f4 upstream.
Since commit
a1afb637(switch /proc/irq/*/spurious to seq_file) all
/proc/irq/XX/spurious files show the information of irq 0.
Current irq_spurious_proc_open() passes on NULL as the 3rd argument,
which is used as an IRQ number in irq_spurious_proc_show(), to the
single_open(). Because of this, all the /proc/irq/XX/spurious file
shows IRQ 0 information regardless of the IRQ number.
To fix the problem, irq_spurious_proc_open() must pass on the
appropreate data (IRQ number) to single_open().
Signed-off-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
Reviewed-by: Yong Zhang <yong.zhang0@gmail.com>
LKML-Reference: <
4CF4B778.90604@jp.fujitsu.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Heiko Carstens [Wed, 1 Dec 2010 09:08:01 +0000 (10:08 +0100)]
nohz/s390: fix arch_needs_cpu() return value on offline cpus
commit
398812159e328478ae49b4bd01f0d71efea96c39 upstream.
This fixes the same problem as described in the patch "nohz: fix
printk_needs_cpu() return value on offline cpus" for the arch_needs_cpu()
primitive:
arch_needs_cpu() may return 1 if called on offline cpus. When a cpu gets
offlined it schedules the idle process which, before killing its own cpu,
will call tick_nohz_stop_sched_tick().
That function in turn will call arch_needs_cpu() in order to check if the
local tick can be disabled. On offline cpus this function should naturally
return 0 since regardless if the tick gets disabled or not the cpu will be
dead short after. That is besides the fact that __cpu_disable() should already
have made sure that no interrupts on the offlined cpu will be delivered anyway.
In this case it prevents tick_nohz_stop_sched_tick() to call
select_nohz_load_balancer(). No idea if that really is a problem. However what
made me debug this is that on 2.6.32 the function get_nohz_load_balancer() is
used within __mod_timer() to select a cpu on which a timer gets enqueued.
If arch_needs_cpu() returns 1 then the nohz_load_balancer cpu doesn't get
updated when a cpu gets offlined. It may contain the cpu number of an offline
cpu. In turn timers get enqueued on an offline cpu and not very surprisingly
they never expire and cause system hangs.
This has been observed 2.6.32 kernels. On current kernels __mod_timer() uses
get_nohz_timer_target() which doesn't have that problem. However there might
be other problems because of the too early exit tick_nohz_stop_sched_tick()
in case a cpu goes offline.
This specific bug was indrocuded with
3c5d92a0 "nohz: Introduce
arch_needs_cpu".
In this case a cpu hotplug notifier is used to fix the issue in order to keep
the normal/fast path small. All we need to do is to clear the condition that
makes arch_needs_cpu() return 1 since it is just a performance improvement
which is supposed to keep the local tick running for a short period if a cpu
goes idle. Nothing special needs to be done except for clearing the condition.
Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Thadeu Lima de Souza Cascardo [Sun, 28 Nov 2010 21:46:50 +0000 (19:46 -0200)]
wmi: use memcmp instead of strncmp to compare GUIDs
commit
8b14d7b22c61f17ccb869e0047d9df6dd9f50a9f upstream.
While looking for the duplicates in /sys/class/wmi/, I couldn't find
them. The code that looks for duplicates uses strncmp in a binary GUID,
which may contain zero bytes. The right function is memcmp, which is
also used in another section of wmi code.
It was finding
49142400-C6A3-40FA-BADB-
8A2652834100 as a duplicate of
39142400-C6A3-40FA-BADB-
8A2652834100. Since the first byte is the fourth
printed, they were found as equal by strncmp.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@holoscopio.com>
Signed-off-by: Matthew Garrett <mjg@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Rafael J. Wysocki [Fri, 3 Dec 2010 21:57:45 +0000 (22:57 +0100)]
PM / Hibernate: Fix memory corruption related to swap
commit
c9e664f1fdf34aa8cede047b206deaa8f1945af0 upstream.
There is a problem that swap pages allocated before the creation of
a hibernation image can be released and used for storing the contents
of different memory pages while the image is being saved. Since the
kernel stored in the image doesn't know of that, it causes memory
corruption to occur after resume from hibernation, especially on
systems with relatively small RAM that need to swap often.
This issue can be addressed by keeping the GFP_IOFS bits clear
in gfp_allowed_mask during the entire hibernation, including the
saving of the image, until the system is finally turned off or
the hibernation is aborted. Unfortunately, for this purpose
it's necessary to rework the way in which the hibernate and
suspend code manipulates gfp_allowed_mask.
This change is based on an earlier patch from Hugh Dickins.
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Reported-by: Ondrej Zary <linux@rainbow-software.org>
Acked-by: Hugh Dickins <hughd@google.com>
Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Anton Vorontsov [Mon, 29 Nov 2010 15:46:22 +0000 (18:46 +0300)]
ARM: cns3xxx: Fix build with CONFIG_PCI=y
commit
44266416f786514ec43a0d15ad951c34566b99c9 upstream.
commit
6338a6aa7c082f11d55712251e14178c68bf5869 ("ARM: 6269/1: Add 'code'
parameter for hook_fault_code()") breaks CNS3xxx build:
CC arch/arm/mach-cns3xxx/pcie.o
pcie.c: In function 'cns3xxx_pcie_init':
pcie.c:373: warning: passing argument 4 of 'hook_fault_code' makes integer from pointer without a cast
pcie.c:373: error: too few arguments to function 'hook_fault_code'
This commit fixes the small issue.
Signed-off-by: Anton Vorontsov <cbouatmailru@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Marcelo Roberto Jimenez [Mon, 18 Oct 2010 21:38:08 +0000 (22:38 +0100)]
ARM: 6456/1: Fix for building DEBUG with sa11xx_base.c as a module.
commit
b9f515e3e3861abbaa093359f7c6f31283695228 upstream.
This patch fixes a compilation issue when compiling PCMCIA SA1100
support as a module with PCMCIA_DEBUG enabled. The symbol
soc_pcmcia_debug was not beeing exported.
ARM: pcmcia: Fix for building DEBUG with sa11xx_base.c as a module.
This patch fixes a compilation issue when compiling PCMCIA SA1100
support as a module with PCMCIA_DEBUG enabled. The symbol
soc_pcmcia_debug was not beeing exported.
Signed-off-by: Marcelo Roberto Jimenez <mroberto@cpti.cetuc.puc-rio.br>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Thomas Gleixner [Wed, 24 Nov 2010 09:05:55 +0000 (10:05 +0100)]
perf: Fix inherit vs. context rotation bug
commit
dddd3379a619a4cb8247bfd3c94ca9ae3797aa2e upstream.
It was found that sometimes children of tasks with inherited events had
one extra event. Eventually it turned out to be due to the list rotation
no being exclusive with the list iteration in the inheritance code.
Cure this by temporarily disabling the rotation while we inherit the events.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
LKML-Reference: <new-submission>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Marek Lindner [Mon, 22 Nov 2010 11:34:49 +0000 (12:34 +0100)]
Staging: batman-adv: ensure that eth_type_trans gets linear memory
commit
b6faaae1a15a352d68b3e3cd8b840e56709820bf upstream.
eth_type_trans tries to pull data with the length of the ethernet header
from the skb. We only ensured that enough data for the first ethernet
header and the batman header is available in non-paged memory of the skb
and not for the ethernet after the batman header.
eth_type_trans would fail sometimes with drivers which don't ensure that
all there data is perfectly linearised.
The failure was noticed through a kernel bug Oops generated by the
skb_pull inside eth_type_trans.
Reported-by: Rafal Lesniak <lesniak@eresi-project.org>
Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
Signed-off-by: Sven Eckelmann <sven.eckelmann@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Larry Finger [Sat, 13 Nov 2010 19:01:56 +0000 (13:01 -0600)]
staging: rtl8187se: Change panic to warn when RF switch turned off
commit
f36d83a8cb7224f45fdfa1129a616dff56479a09 upstream.
This driver issues a kernel panic over conditions that do not
justify such drastic action. Change these to log entries with
a stack dump.
This patch fixes the system crash reported in
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/674285.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Reported-and-Tested-by: Robie Basik <rb-oss-3@justgohome.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Greg Kroah-Hartman [Tue, 16 Nov 2010 19:18:33 +0000 (11:18 -0800)]
Staging: frontier: fix up some sysfs attribute permissions
commit
3bad28ec006ad6ab2bca4e5103860b75391e3c9d and
2a767fda5d0d8dcff465724dfad6ee131489b3f2 upstream merged together.
They should not be writable by any user
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: David Taht <d@teklibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Greg Kroah-Hartman [Thu, 18 Nov 2010 19:21:04 +0000 (11:21 -0800)]
Staging: samsung-laptop: fix up my fixup for some sysfs attribute permissions
commit
4d7bc388b44e42a1feafa35e50eef4f24d6ca59d upstream.
They should be writable by root, not readable.
Doh, stupid me with the wrong flags.
Reported-by: Jonathan Cameron <jic23@cam.ac.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Greg Kroah-Hartman [Tue, 16 Nov 2010 19:21:03 +0000 (11:21 -0800)]
Staging: samsung-laptop: fix up some sysfs attribute permissions
commit
90c05b97fdec8d2196e420d98f774bab731af7aa upstream.
They should not be writable by any user
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Greg Kroah-Hartman [Thu, 18 Nov 2010 19:21:04 +0000 (11:21 -0800)]
Staging: iio: adis16220: fix up my fixup for some sysfs attribute permissions
commit
c9e51d9e4bee3da47623622884f4828e079a0581 upstream.
They should be writable by root, not readable.
Doh, stupid me with the wrong flags.
Reported-by: Jonathan Cameron <jic23@cam.ac.uk>
Acked-by: Jonathan Cameron <jic23@cam.ac.uk>
Cc: Barry Song <Barry.Song@analog.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Greg Kroah-Hartman [Tue, 16 Nov 2010 19:19:53 +0000 (11:19 -0800)]
Staging: iio: adis16220: fix up some sysfs attribute permissions
commit
1d904e8950c86e670ace237eaea1d48cd81e94df upstream.
They should not be writable by any user
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jonathan Cameron <jic23@cam.ac.uk>
Cc: Barry Song <Barry.Song@analog.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Greg Kroah-Hartman [Tue, 16 Nov 2010 19:21:36 +0000 (11:21 -0800)]
Staging: udlfb: fix up some sysfs attribute permissions
commit
cc9ca9dfddda46b1802d325891a69d7efdbe1f1e and
cc9ca9dfddda46b1802d325891a69d7efdbe1f1e upstream merged together.
They should not be writable by any user
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Bernie Thompson <bernie@plugable.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Eric W. Biederman [Sun, 5 Dec 2010 23:51:21 +0000 (15:51 -0800)]
Revert "vfs: show unreachable paths in getcwd and proc"
commit
7b2a69ba7055da9a04eb96aa7b38c8e3280aaaa5 upstream.
Because it caused a chroot ttyname regression in 2.6.36.
As of 2.6.36 ttyname does not work in a chroot. It has already been
reported that screen breaks, and for me this breaks an automated
distribution testsuite, that I need to preserve the ability to run the
existing binaries on for several more years. glibc 2.11.3 which has a
fix for this is not an option.
The root cause of this breakage is:
commit
8df9d1a4142311c084ffeeacb67cd34d190eff74
Author: Miklos Szeredi <mszeredi@suse.cz>
Date: Tue Aug 10 11:41:41 2010 +0200
vfs: show unreachable paths in getcwd and proc
Prepend "(unreachable)" to path strings if the path is not reachable
from the current root.
Two places updated are
- the return string from getcwd()
- and symlinks under /proc/$PID.
Other uses of d_path() are left unchanged (we know that some old
software crashes if /proc/mounts is changed).
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
So remove the nice sounding, but ultimately ill advised change to how
/proc/fd symlinks work.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Daisuke Nishimura [Wed, 24 Nov 2010 20:57:06 +0000 (12:57 -0800)]
memcg: avoid deadlock between move charge and try_charge()
commit
b1dd693e5b9348bd68a80e679e03cf9c0973b01b upstream.
__mem_cgroup_try_charge() can be called under down_write(&mmap_sem)(e.g.
mlock does it). This means it can cause deadlock if it races with move charge:
Ex.1)
move charge | try charge
--------------------------------------+------------------------------
mem_cgroup_can_attach() | down_write(&mmap_sem)
mc.moving_task = current | ..
mem_cgroup_precharge_mc() | __mem_cgroup_try_charge()
mem_cgroup_count_precharge() | prepare_to_wait()
down_read(&mmap_sem) | if (mc.moving_task)
-> cannot aquire the lock | -> true
| schedule()
Ex.2)
move charge | try charge
--------------------------------------+------------------------------
mem_cgroup_can_attach() |
mc.moving_task = current |
mem_cgroup_precharge_mc() |
mem_cgroup_count_precharge() |
down_read(&mmap_sem) |
.. |
up_read(&mmap_sem) |
| down_write(&mmap_sem)
mem_cgroup_move_task() | ..
mem_cgroup_move_charge() | __mem_cgroup_try_charge()
down_read(&mmap_sem) | prepare_to_wait()
-> cannot aquire the lock | if (mc.moving_task)
| -> true
| schedule()
To avoid this deadlock, we do all the move charge works (both can_attach() and
attach()) under one mmap_sem section.
And after this patch, we set/clear mc.moving_task outside mc.lock, because we
use the lock only to check mc.from/to.
Signed-off-by: Daisuke Nishimura <nishimura@mxp.nes.nec.co.jp>
Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Feng Tang [Fri, 19 Nov 2010 03:01:48 +0000 (11:01 +0800)]
serial: mfd: adjust the baud rate setting
commit
a5880a9e5bb40fbae55de60051d69a29091053c3 upstream.
Previous baud rate setting code only has been tested with 3.5M/9600/
115200/230400/460800 bps, and recently we got a 3M bps device to test,
which needs to modify current MUL register setting, and with this
patch 2.5M/2M/1.5M/1M/0.5M should also work as they just use a MUL
value scale down from 3M's.
Also got some reference register setting from silicon guys for
different baud rates, which tries to keep the pre-scalar register value
to 16.
Signed-off-by: Feng Tang <feng.tang@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Steven Rostedt [Wed, 24 Nov 2010 20:56:52 +0000 (12:56 -0800)]
leds: fix bug with reading NAS SS4200 dmi code
commit
50d431e8a15701b599c98afe2b464eb33c952477 upstream.
While running randconfg with ktest.pl I stumbled upon this bug:
BUG: unable to handle kernel NULL pointer dereference at
0000000000000003
IP: [<
ffffffff815fe44f>] strstr+0x39/0x86
PGD 0
Oops: 0000 [#1] SMP
last sysfs file:
CPU 0
Modules linked in:
Pid: 1, comm: swapper Not tainted 2.6.37-rc1-test+ #6 DG965MQ/
RIP: 0010:[<
ffffffff815fe44f>] [<
ffffffff815fe44f>] strstr+0x39/0x86
RSP: 0018:
ffff8800797cbd80 EFLAGS:
00010213
RAX:
0000000000000000 RBX:
0000000000000003 RCX:
ffffffffffffffff
RDX:
0000000000000000 RSI:
ffffffff82eb7ac9 RDI:
0000000000000003
RBP:
ffff8800797cbda0 R08:
ffff880000000003 R09:
0000000000030725
R10:
ffff88007d294c00 R11:
0000000000014c00 R12:
0000000000000020
R13:
ffffffff82eb7ac9 R14:
ffffffffffffffff R15:
ffffffff82eb7b08
FS:
0000000000000000(0000) GS:
ffff88007d200000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
000000008005003b
CR2:
0000000000000003 CR3:
0000000002a1d000 CR4:
00000000000006f0
DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
DR3:
0000000000000000 DR6:
00000000ffff0ff0 DR7:
0000000000000400
Process swapper (pid: 1, threadinfo
ffff8800797ca000, task
ffff8800797d0000)
Stack:
00000000000000ba ffffffff82eb7ac9 ffffffff82eb7ab8 00000000000000ba
ffff8800797cbdf0 ffffffff81e2050f ffff8800797cbdc0 00000000815f913b
ffff8800797cbe00 ffffffff82eb7ab8 0000000000000000 0000000000000000
Call Trace:
[<
ffffffff81e2050f>] dmi_matches+0x117/0x154
[<
ffffffff81e205d7>] dmi_check_system+0x3d/0x8d
[<
ffffffff82e1ad25>] ? nas_gpio_init+0x0/0x2c8
[<
ffffffff82e1ad49>] nas_gpio_init+0x24/0x2c8
[<
ffffffff820d750d>] ? wm8350_led_init+0x0/0x20
[<
ffffffff82e1ad25>] ? nas_gpio_init+0x0/0x2c8
[<
ffffffff810022f7>] do_one_initcall+0xab/0x1b2
[<
ffffffff82da749c>] kernel_init+0x248/0x331
[<
ffffffff8100e624>] kernel_thread_helper+0x4/0x10
[<
ffffffff82da7254>] ? kernel_init+0x0/0x331
Found that the nas_led_whitelist dmi_system_id structure array had no
NULL end delimiter, causing the dmi_check_system() loop to read an
undefined entry.
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Acked-by: Dave Hansen <dave@sr71.net>
Acked-by: Richard Purdie <rpurdie@linux.intel.com>
Acked-by: Arjan van de Ven <arjan@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
James Jones [Tue, 23 Nov 2010 23:21:37 +0000 (00:21 +0100)]
ARM: 6482/2: Fix find_next_zero_bit and related assembly
commit
0e91ec0c06d2cd15071a6021c94840a50e6671aa upstream.
The find_next_bit, find_first_bit, find_next_zero_bit
and find_first_zero_bit functions were not properly
clamping to the maxbit argument at the bit level. They
were instead only checking maxbit at the byte level.
To fix this, add a compare and a conditional move
instruction to the end of the common bit-within-the-
byte code used by all the functions and be sure not to
clobber the maxbit argument before it is used.
Reviewed-by: Nicolas Pitre <nicolas.pitre@linaro.org>
Tested-by: Stephen Warren <swarren@nvidia.com>
Signed-off-by: James Jones <jajones@nvidia.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Will Deacon [Fri, 19 Nov 2010 12:18:31 +0000 (13:18 +0100)]
ARM: 6489/1: thumb2: fix incorrect optimisation in usracc
commit
1142b71d85894dcff1466dd6c871ea3c89e0352c upstream.
Commit
8b592783 added a Thumb-2 variant of usracc which, when it is
called with \rept=2, calls usraccoff once with an offset of 0 and
secondly with a hard-coded offset of 4 in order to avoid incrementing
the pointer again. If \inc != 4 then we will store the data to the wrong
offset from \ptr. Luckily, the only caller that passes \rept=2 to this
function is __clear_user so we haven't been actively corrupting user data.
This patch fixes usracc to pass \inc instead of #4 to usraccoff
when it is called a second time.
Reported-by: Tony Thompson <tony.thompson@arm.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Mika Westerberg [Thu, 28 Oct 2010 10:45:22 +0000 (11:45 +0100)]
ARM: 6464/2: fix spinlock recursion in adjust_pte()
commit
4e54d93d3c9846ba1c2644ad06463dafa690d1b7 upstream.
When running following code in a machine which has VIVT caches and
USE_SPLIT_PTLOCKS is not defined:
fd = open("/etc/passwd", O_RDONLY);
addr = mmap(NULL, 4096, PROT_READ, MAP_SHARED, fd, 0);
addr2 = mmap(NULL, 4096, PROT_READ, MAP_SHARED, fd, 0);
v = *((int *)addr);
we will hang in spinlock recursion in the page fault handler:
BUG: spinlock recursion on CPU#0, mmap_test/717
lock:
c5e295d8, .magic:
dead4ead, .owner: mmap_test/717,
.owner_cpu: 0
[<
c0026604>] (unwind_backtrace+0x0/0xec)
[<
c014ee48>] (do_raw_spin_lock+0x40/0x140)
[<
c0027f68>] (update_mmu_cache+0x208/0x250)
[<
c0079db4>] (__do_fault+0x320/0x3ec)
[<
c007af7c>] (handle_mm_fault+0x2f0/0x6d8)
[<
c0027834>] (do_page_fault+0xdc/0x1cc)
[<
c00202d0>] (do_DataAbort+0x34/0x94)
This comes from the fact that when USE_SPLIT_PTLOCKS is not defined,
the only lock protecting the page tables is mm->page_table_lock
which is already locked before update_mmu_cache() is called.
Signed-off-by: Mika Westerberg <mika.westerberg@iki.fi>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Pekka Enberg [Mon, 8 Nov 2010 19:29:07 +0000 (21:29 +0200)]
perf_events: Fix perf_counter_mmap() hook in mprotect()
commit
63bfd7384b119409685a17d5c58f0b56e5dc03da upstream.
As pointed out by Linus, commit
dab5855 ("perf_counter: Add mmap event hooks to
mprotect()") is fundamentally wrong as mprotect_fixup() can free 'vma' due to
merging. Fix the problem by moving perf_event_mmap() hook to
mprotect_fixup().
Note: there's another successful return path from mprotect_fixup() if old
flags equal to new flags. We don't, however, need to call
perf_event_mmap() there because 'perf' already knows the VMA is
executable.
Reported-by: Dave Jones <davej@redhat.com>
Analyzed-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Ingo Molnar <mingo@elte.hu>
Reviewed-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Pekka Enberg <penberg@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dan Rosenberg [Tue, 23 Nov 2010 11:02:13 +0000 (11:02 +0000)]
DECnet: don't leak uninitialized stack byte
commit
3c6f27bf33052ea6ba9d82369fb460726fb779c0 upstream.
A single uninitialized padding byte is leaked to userspace.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Guennadi Liakhovetski [Thu, 11 Nov 2010 16:32:25 +0000 (17:32 +0100)]
mmc: fix rmmod race for hosts using card-detection polling
commit
d9bcbf343ec63e1104b5276195888ee06b4d086f upstream.
MMC hosts that poll for card detection by defining the MMC_CAP_NEEDS_POLL
flag have a race on rmmod, where the delayed work is cancelled without
waiting for completed polling. To prevent this a _sync version of the work
cancellation has to be used.
Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Signed-off-by: Chris Ball <cjb@laptop.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Frederic Weisbecker [Thu, 11 Nov 2010 20:18:43 +0000 (21:18 +0100)]
x86: Ignore trap bits on single step exceptions
commit
6c0aca288e726405b01dacb12cac556454d34b2a upstream.
When a single step exception fires, the trap bits, used to
signal hardware breakpoints, are in a random state.
These trap bits might be set if another exception will follow,
like a breakpoint in the next instruction, or a watchpoint in the
previous one. Or there can be any junk there.
So if we handle these trap bits during the single step exception,
we are going to handle an exception twice, or we are going to
handle junk.
Just ignore them in this case.
This fixes https://bugzilla.kernel.org/show_bug.cgi?id=21332
Reported-by: Michael Stefaniuc <mstefani@redhat.com>
Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
Cc: Rafael J. Wysocki <rjw@sisk.pl>
Cc: Maciej Rutecki <maciej.rutecki@gmail.com>
Cc: Alexandre Julliard <julliard@winehq.org>
Cc: Jason Wessel <jason.wessel@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Colin Cross [Mon, 15 Nov 2010 21:45:22 +0000 (22:45 +0100)]
PM / PM QoS: Fix reversed min and max
commit
00fafcda1773245a5292f953321ec3f0668c8c28 upstream.
pm_qos_get_value had min and max reversed, causing all pm_qos
requests to have no effect.
Signed-off-by: Colin Cross <ccross@android.com>
Acked-by: mark <markgross@thegnar.org>
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Steven J. Magnani [Wed, 24 Nov 2010 20:56:54 +0000 (12:56 -0800)]
nommu: yield CPU while disposing VM
commit
04c3496152394d17e3bc2316f9731ee3e8a026bc upstream.
Depending on processor speed, page size, and the amount of memory a
process is allowed to amass, cleanup of a large VM may freeze the system
for many seconds. This can result in a watchdog timeout.
Make sure other tasks receive some service when cleaning up large VMs.
Signed-off-by: Steven J. Magnani <steve@digidescorp.com>
Cc: Greg Ungerer <gerg@snapgear.com>
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Uwe Kleine-König [Wed, 24 Nov 2010 20:57:14 +0000 (12:57 -0800)]
backlight: grab ops_lock before testing bd->ops
commit
d1d73578e053b981c3611e5a211534290d24a5eb upstream.
According to the comment describing ops_lock in the definition of struct
backlight_device and when comparing with other functions in backlight.c
the mutex must be hold when checking ops to be non-NULL.
Fixes a problem added by
c835ee7f4154992e6 ("backlight: Add suspend/resume
support to the backlight core") in Jan 2009.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Acked-by: Richard Purdie <rpurdie@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Will Newton [Wed, 24 Nov 2010 20:56:55 +0000 (12:56 -0800)]
uml: disable winch irq before freeing handler data
commit
69e83dad5207f8f03c9699e57e1febb114383cb8 upstream.
Disable the winch irq early to make sure we don't take an interrupt part
way through the freeing of the handler data, resulting in a crash on
shutdown:
winch_interrupt : read failed, errno = 9
fd 13 is losing SIGWINCH support
------------[ cut here ]------------
WARNING: at lib/list_debug.c:48 list_del+0xc6/0x100()
list_del corruption, next is LIST_POISON1 (
00100100)
082578c8: [<
081fd77f>] dump_stack+0x22/0x24
082578e0: [<
0807a18a>] warn_slowpath_common+0x5a/0x80
08257908: [<
0807a23e>] warn_slowpath_fmt+0x2e/0x30
08257920: [<
08172196>] list_del+0xc6/0x100
08257940: [<
08060244>] free_winch+0x14/0x80
08257958: [<
080606fb>] winch_interrupt+0xdb/0xe0
08257978: [<
080a65b5>] handle_IRQ_event+0x35/0xe0
08257998: [<
080a8717>] handle_edge_irq+0xb7/0x170
082579bc: [<
08059bc4>] do_IRQ+0x34/0x50
082579d4: [<
08059e1b>] sigio_handler+0x5b/0x80
082579ec: [<
0806a374>] sig_handler_common+0x44/0xb0
08257a68: [<
0806a538>] sig_handler+0x38/0x50
08257a78: [<
0806a77c>] handle_signal+0x5c/0xa0
08257a9c: [<
0806be28>] hard_handler+0x18/0x20
08257aac: [<
00c14400>] 0xc14400
Signed-off-by: Will Newton <will.newton@gmail.com>
Acked-by: WANG Cong <xiyou.wangcong@gmail.com>
Cc: Jeff Dike <jdike@addtoit.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Felix Fietkau [Sat, 20 Nov 2010 02:08:47 +0000 (03:08 +0100)]
ath9k: fix timeout on stopping rx dma
commit
d47844a014fada1a788719f6426bc7044f2a0fd8 upstream.
It seems that using ath9k_hw_stoppcurecv to stop rx dma is not enough.
When it's time to stop DMA, the PCU is still busy, so the rx enable
bit never clears.
Using ath9k_hw_abortpcurecv helps with getting rx stopped much faster,
with this change, I cannot reproduce the rx stop related WARN_ON anymore.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jeff Layton [Tue, 30 Nov 2010 20:14:48 +0000 (15:14 -0500)]
cifs: fix parsing of hostname in dfs referrals
commit
ba03864872691c0bb580a7fb47388da337ef4aa2 upstream.
The DFS referral parsing code does a memchr() call to find the '\\'
delimiter that separates the hostname in the referral UNC from the
sharename. It then uses that value to set the length of the hostname via
pointer subtraction. Instead of subtracting the start of the hostname
however, it subtracts the start of the UNC, which causes the code to
pass in a hostname length that is 2 bytes too long.
Regression introduced in commit
1a4240f4.
Reported-and-Tested-by: Robbert Kouprie <robbert@exx.nl>
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Cc: Wang Lei <wang840925@gmail.com>
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Oskar Schirmer [Wed, 10 Nov 2010 21:06:13 +0000 (21:06 +0000)]
cifs: fix another memleak, in cifs_root_iget
commit
a7851ce73b9fdef53f251420e6883cf4f3766534 upstream.
cifs_root_iget allocates full_path through
cifs_build_path_to_root, but fails to kfree it upon
cifs_get_inode_info* failure.
Make all failure exit paths traverse clean up
handling at the end of the function.
Signed-off-by: Oskar Schirmer <oskar@scara.com>
Reviewed-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dean Nelson [Thu, 2 Dec 2010 22:31:12 +0000 (14:31 -0800)]
mm/hugetlb.c: avoid double unlock_page() in hugetlb_fault()
commit
1f64d69c7ad2e48e697493e45590679f7a69b7b2 upstream.
Have hugetlb_fault() call unlock_page(page) only if it had previously
called lock_page(page).
Setting CONFIG_DEBUG_VM=y and then running the libhugetlbfs test suite,
resulted in the tripping of VM_BUG_ON(!PageLocked(page)) in
unlock_page() having been called by hugetlb_fault() when page ==
pagecache_page. This patch remedied the problem.
Signed-off-by: Dean Nelson <dnelson@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Nelson Elhage [Thu, 2 Dec 2010 22:31:21 +0000 (14:31 -0800)]
do_exit(): make sure that we run with get_fs() == USER_DS
commit
33dd94ae1ccbfb7bf0fb6c692bc3d1c4269e6177 upstream.
If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not
otherwise reset before do_exit(). do_exit may later (via mm_release in
fork.c) do a put_user to a user-controlled address, potentially allowing
a user to leverage an oops into a controlled write into kernel memory.
This is only triggerable in the presence of another bug, but this
potentially turns a lot of DoS bugs into privilege escalations, so it's
worth fixing. I have proof-of-concept code which uses this bug along
with CVE-2010-3849 to write a zero to an arbitrary kernel address, so
I've tested that this is not theoretical.
A more logical place to put this fix might be when we know an oops has
occurred, before we call do_exit(), but that would involve changing
every architecture, in multiple places.
Let's just stick it in do_exit instead.
[akpm@linux-foundation.org: update code comment]
Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Andres Salomon [Thu, 2 Dec 2010 22:31:17 +0000 (14:31 -0800)]
cs5535-gpio: apply CS5536 errata workaround for GPIOs
commit
853ff88324a248a9f5da6e110850223db353ec07 upstream.
The AMD Geode CS5536 Companion Device Silicon Revision B1 Specification
Update mentions the follow as issue #36:
"Atomic write transactions to the atomic GPIO High Bank Feature Bit
registers should only affect the bits selected [...]"
"after Suspend, an atomic write transaction [...] will clear all
non-selected bits of the accessed register."
In other words, writing to the high bank for a single GPIO bit will
clear every other GPIO bit (but only sometimes after a suspend).
The workaround described is obvious and simple; do a read-modify-write.
This patch does that, and documents why we're doing it.
Signed-off-by: Andres Salomon <dilinger@queued.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Ken Sumrall [Wed, 24 Nov 2010 20:57:00 +0000 (12:57 -0800)]
fuse: fix attributes after open(O_TRUNC)
commit
a0822c55779d9319939eac69f00bb729ea9d23da upstream.
The attribute cache for a file was not being cleared when a file is opened
with O_TRUNC.
If the filesystem's open operation truncates the file ("atomic_o_trunc"
feature flag is set) then the kernel should invalidate the cached st_mtime
and st_ctime attributes.
Also i_size should be explicitly be set to zero as it is used sometimes
without refreshing the cache.
Signed-off-by: Ken Sumrall <ksumrall@android.com>
Cc: Anfei <anfei.zhou@gmail.com>
Cc: "Anand V. Avati" <avati@gluster.com>
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dmitri Belimov [Tue, 26 Oct 2010 03:31:40 +0000 (00:31 -0300)]
saa7134: Fix autodetect for Behold A7 and H7 TV cards
commit
35bbe587d0959712b69540077c9e0fd27d3e6baf upstream.
The entries for those cards are after the generic entries,
so they don't work, in practice. Moving them to happen before the
generic entres fix the issue.
Signed-off-by: Beholder Intl. Ltd. Dmitry Belimov <d.belimov@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dmitry Torokhov [Sat, 18 Sep 2010 17:11:09 +0000 (10:11 -0700)]
PNPACPI: cope with invalid device IDs
commit
420a0f66378c84b00b0e603e4d38210102dbe367 upstream.
If primary ID (HID) is invalid try locating first valid ID on compatible
ID list before giving up.
This helps, for example, to recognize i8042 AUX port on Sony Vaio VPCZ1
which uses SNYSYN0003 as HID. Without the patch users are forced to
boot with i8042.nopnp to make use of their touchpads.
Tested-by: Jan-Hendrik Zab <jan@jhz.name>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>