Richard Purdie [Mon, 15 May 2006 16:44:17 +0000 (09:44 -0700)]
[PATCH] LED: Fix sysfs store function error handling
Fix the error handling of some LED _store functions. This corrects them to
return -EINVAL if the value is not numeric with an optional byte of trailing
whitespace.
Signed-off-by: Richard Purdie <rpurdie@rpsys.net> Cc: Greg KH <greg@kroah.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
The backlight and LCD class _store functions currently accept values like "34
some random strings" without error. This corrects them to return -EINVAL if
the value is not numeric with an optional byte of trailing whitespace.
Signed-off-by: Richard Purdie <rpurdie@rpsys.net> Cc: Greg KH <greg@kroah.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Mike Kravetz [Mon, 15 May 2006 16:44:13 +0000 (09:44 -0700)]
[PATCH] add slab_is_available() routine for boot code
slab_is_available() indicates slab based allocators are available for use.
SPARSEMEM code needs to know this as it can be called at various times
during the boot process.
Signed-off-by: Mike Kravetz <kravetz@us.ibm.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Jan Niehusmann [Mon, 15 May 2006 16:44:12 +0000 (09:44 -0700)]
[PATCH] smbfs: Fix slab corruption in samba error path
Yesterday, I got the following error with 2.6.16.13 during a file copy from
a smb filesystem over a wireless link. I guess there was some error on the
wireless link, which in turn caused an error condition for the smb
filesystem.
In the log, smb_file_read reports error=4294966784 (0xfffffe00), which also
shows up in the slab dumps, and also is -ERESTARTSYS. Error code 27499
corresponds to 0x6b6b, so the rq_errno field seems to be the only one being
set after freeing the slab.
In smb_add_request (which is the only place in smbfs where I found
ERESTARTSYS), I found the following:
if (!timeleft || signal_pending(current)) {
/*
* On timeout or on interrupt we want to try and remove the
* request from the recvq/xmitq.
*/
smb_lock_server(server);
if (!(req->rq_flags & SMB_REQ_RECEIVED)) {
list_del_init(&req->rq_queue);
smb_rput(req);
}
smb_unlock_server(server);
}
[...]
if (signal_pending(current))
req->rq_errno = -ERESTARTSYS;
I guess that some codepath like smbiod_flush() caused the request to be
removed from the queue, and smb_rput(req) be called, without
SMB_REQ_RECEIVED being set. This violates an asumption made by the quoted
code.
Then, the above code calls smb_rput(req) again, the req gets freed, and
req->rq_errno = -ERESTARTSYS writes into the already freed slab. As
list_del_init doesn't cause an error if called multiple times, that does
cause the observed behaviour (freed slab with rq_errno=-ERESTARTSYS).
If this observation is correct, the following patch should fix it.
I wonder why the smb code uses list_del_init everywhere - using list_del
instead would catch such situations by poisoning the next and prev
pointers.
May 4 23:29:21 knautsch kernel: [17180085.456000] ipw2200: Firmware error detected. Restarting.
May 4 23:29:21 knautsch kernel: [17180085.456000] ipw2200: Sysfs 'error' log captured.
May 4 23:33:02 knautsch kernel: [17180306.316000] ipw2200: Firmware error detected. Restarting.
May 4 23:33:02 knautsch kernel: [17180306.316000] ipw2200: Sysfs 'error' log already exists.
May 4 23:33:02 knautsch kernel: [17180306.968000] smb_file_read: //some_file validation failed, error=4294966784
May 4 23:34:18 knautsch kernel: [17180383.256000] smb_file_read: //some_file validation failed, error=4294966784
May 4 23:34:18 knautsch kernel: [17180383.284000] SMB connection re-established (-5)
May 4 23:37:19 knautsch kernel: [17180563.956000] smb_file_read: //some_file validation failed, error=4294966784
May 4 23:40:09 knautsch kernel: [17180733.636000] smb_file_read: //some_file validation failed, error=4294966784
May 4 23:40:26 knautsch kernel: [17180750.700000] smb_file_read: //some_file validation failed, error=4294966784
May 4 23:43:02 knautsch kernel: [17180907.304000] smb_file_read: //some_file validation failed, error=4294966784
May 4 23:43:08 knautsch kernel: [17180912.324000] smb_file_read: //some_file validation failed, error=4294966784
May 4 23:43:34 knautsch kernel: [17180938.416000] smb_errno: class Unknown, code 27499 from command 0x6b
May 4 23:43:34 knautsch kernel: [17180938.416000] Slab corruption: start=c4ebe09c, len=244
May 4 23:43:34 knautsch kernel: [17180938.416000] Redzone: 0x5a2cf071/0x5a2cf071.
May 4 23:43:34 knautsch kernel: [17180938.416000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs])
May 4 23:43:34 knautsch kernel: [17180938.416000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
May 4 23:43:34 knautsch kernel: [17180938.416000] 0f0: 00 fe ff ff
May 4 23:43:34 knautsch kernel: [17180938.416000] Next obj: start=c4ebe19c, len=244
May 4 23:43:34 knautsch kernel: [17180938.416000] Redzone: 0x5a2cf071/0x5a2cf071.
May 4 23:43:34 knautsch kernel: [17180938.416000] Last user: [<00000000>](_stext+0x3feffde0/0x30)
May 4 23:43:34 knautsch kernel: [17180938.416000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
May 4 23:43:34 knautsch kernel: [17180938.416000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
May 4 23:43:34 knautsch kernel: [17180938.460000] SMB connection re-established (-5)
May 4 23:43:42 knautsch kernel: [17180946.292000] ipw2200: Firmware error detected. Restarting.
May 4 23:43:42 knautsch kernel: [17180946.292000] ipw2200: Sysfs 'error' log already exists.
May 4 23:45:04 knautsch kernel: [17181028.752000] ipw2200: Firmware error detected. Restarting.
May 4 23:45:04 knautsch kernel: [17181028.752000] ipw2200: Sysfs 'error' log already exists.
May 4 23:45:05 knautsch kernel: [17181029.868000] smb_file_read: //some_file validation failed, error=4294966784
May 4 23:45:36 knautsch kernel: [17181060.984000] smb_errno: class Unknown, code 27499 from command 0x6b
May 4 23:45:36 knautsch kernel: [17181060.984000] Slab corruption: start=c4ebe09c, len=244
May 4 23:45:36 knautsch kernel: [17181060.984000] Redzone: 0x5a2cf071/0x5a2cf071.
May 4 23:45:36 knautsch kernel: [17181060.984000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs])
May 4 23:45:36 knautsch kernel: [17181060.984000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
May 4 23:45:36 knautsch kernel: [17181060.984000] 0f0: 00 fe ff ff
May 4 23:45:36 knautsch kernel: [17181060.984000] Next obj: start=c4ebe19c, len=244
May 4 23:45:36 knautsch kernel: [17181060.984000] Redzone: 0x5a2cf071/0x5a2cf071.
May 4 23:45:36 knautsch kernel: [17181060.984000] Last user: [<00000000>](_stext+0x3feffde0/0x30)
May 4 23:45:36 knautsch kernel: [17181060.984000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
May 4 23:45:36 knautsch kernel: [17181060.984000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
May 4 23:45:36 knautsch kernel: [17181061.024000] SMB connection re-established (-5)
May 4 23:46:17 knautsch kernel: [17181102.132000] smb_file_read: //some_file validation failed, error=4294966784
May 4 23:47:46 knautsch kernel: [17181190.468000] smb_errno: class Unknown, code 27499 from command 0x6b
May 4 23:47:46 knautsch kernel: [17181190.468000] Slab corruption: start=c4ebe09c, len=244
May 4 23:47:46 knautsch kernel: [17181190.468000] Redzone: 0x5a2cf071/0x5a2cf071.
May 4 23:47:46 knautsch kernel: [17181190.468000] Last user: [<e087b903>](smb_rput+0x53/0x90 [smbfs])
May 4 23:47:46 knautsch kernel: [17181190.468000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6a 6b 6b 6b 6b 6b 6b 6b
May 4 23:47:46 knautsch kernel: [17181190.468000] 0f0: 00 fe ff ff
May 4 23:47:46 knautsch kernel: [17181190.468000] Next obj: start=c4ebe19c, len=244
May 4 23:47:46 knautsch kernel: [17181190.468000] Redzone: 0x5a2cf071/0x5a2cf071.
May 4 23:47:46 knautsch kernel: [17181190.468000] Last user: [<00000000>](_stext+0x3feffde0/0x30)
May 4 23:47:46 knautsch kernel: [17181190.468000] 000: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
May 4 23:47:46 knautsch kernel: [17181190.468000] 010: 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
May 4 23:47:46 knautsch kernel: [17181190.492000] SMB connection re-established (-5)
May 4 23:49:20 knautsch kernel: [17181284.828000] smb_file_read: //some_file validation failed, error=4294966784
May 4 23:49:39 knautsch kernel: [17181303.896000] smb_file_read: //some_file validation failed, error=4294966784
Signed-off-by: Jan Niehusmann <jan@gondor.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Trent Piepho [Mon, 15 May 2006 16:44:06 +0000 (09:44 -0700)]
[PATCH] symbol_put_addr() locks kernel
Even since a previous patch:
Fix race between CONFIG_DEBUG_SLABALLOC and modules
Sun, 27 Jun 2004 17:55:19 +0000 (17:55 +0000)
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/old-2.6-bkcvs.git;a=commit;h=92b3db26d31cf21b70e3c1eadc56c179506d8fbe
The function symbol_put_addr() will deadlock the kernel.
symbol_put_addr() would acquire modlist_lock, then while holding the lock call
two functions kernel_text_address() and module_text_address() which also try
to acquire the same lock. This deadlocks the kernel of course.
This patch changes symbol_put_addr() to not acquire the modlist_lock, it
doesn't need it since it never looks at the module list directly. Also, it
now uses core_kernel_text() instead of kernel_text_address(). The latter has
an additional check for addr inside a module, but we don't need to do that
since we call module_text_address() (the same function kernel_text_address
uses) ourselves.
Signed-off-by: Trent Piepho <xyzzy@speakeasy.org> Cc: Zwane Mwaikambo <zwane@fsmlabs.com> Acked-by: Rusty Russell <rusty@rustcorp.com.au> Cc: Johannes Stezenbach <js@linuxtv.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Add new vmsplice system call and add missing __NR_xxx defines for
sys_set_robust_list, sys_get_robust_list, sys_splice, sys_sync_file_range
and sys_tee.
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Mark Huang [Mon, 15 May 2006 16:44:03 +0000 (09:44 -0700)]
[PATCH] initramfs: fix CPIO hardlink check
Copy the filenames of hardlinks when inserting them into the hash, since
the "name" pointer may point to scratch space (name_buf). Not doing so
results in corruption if the scratch space is later overwritten: the wrong
file may be hardlinked, or, if the scratch space contains garbage, the link
will fail and a 0-byte file will be created instead.
Signed-off-by: Mark Huang <mlhuang@cs.princeton.edu> Acked-by: Al Viro <viro@zeniv.linux.org.uk> Cc: "H. Peter Anvin" <hpa@zytor.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Greg Smith [Mon, 15 May 2006 16:44:02 +0000 (09:44 -0700)]
[PATCH] s390: lcs incorrect test
While debugging why our LCS emulator is having some problems I noticed the
following weirdness in drivers/s390/net/lcs.c routine lcs_irq. The `if'
statement is always true since SCHN_STAT_PCI is defined as 0x80.
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> Cc: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Andrew Morton [Mon, 15 May 2006 16:43:59 +0000 (09:43 -0700)]
[PATCH] setup_per_zone_pages_min() overflow fix
As pointed out in http://bugzilla.kernel.org/show_bug.cgi?id=6490, this
function can experience overflows on 32-bit machines, causing our response to
changed values of min_free_kbytes to go whacky.
Fixing it efficiently is all too hard, so fix it with 64-bit math instead.
Cc: Ake Sandgren <ake.sandgren@hpc2n.umu.se> Cc: Martin Bligh <mbligh@google.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Heiko Carstens [Mon, 15 May 2006 16:43:58 +0000 (09:43 -0700)]
[PATCH] RCU: introduce rcu_needs_cpu() interface
With "Paul E. McKenney" <paulmck@us.ibm.com>
Introduce rcu_needs_cpu() interface. This can be used to tell if there
will be a new rcu batch on a cpu soon by looking at the curlist pointer.
This can be used to avoid to enter a tickless idle state where the cpu
would miss that a new batch is ready when rcu_start_batch would be called
on a different cpu.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Cc: "Paul E. McKenney" <paulmck@us.ibm.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Olaf Kirch [Mon, 15 May 2006 16:43:57 +0000 (09:43 -0700)]
[PATCH] smbfs chroot issue (CVE-2006-1864)
Mark Moseley reported that a chroot environment on a SMB share can be left
via "cd ..\\". Similar to CVE-2006-1863 issue with cifs, this fix is for
smbfs.
Steven French <sfrench@us.ibm.com> wrote:
Looks fine to me. This should catch the slash on lookup or equivalent,
which will be all obvious paths of interest.
Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Chris Wedgwood [Mon, 15 May 2006 16:43:55 +0000 (09:43 -0700)]
[PATCH] VIA quirk fixup, additional PCI IDs
An earlier commit (75cf7456dd87335f574dcd53c4ae616a2ad71a11) changed an
overly-zealous PCI quirk to only poke those VIA devices that need it.
However, some PCI devices were not included in what I hope is now the full
list. Consequently we're failing to run the quirk on all machines which need
it, causing IRQ routing failures.
This should I hope correct this.
Thanks to Masoud Sharbiani <masouds@masoud.ir> for pointing this out
and testing the fix.
Signed-off-by: Chris Wedgwood <cw@f00f.org> Cc: Greg KH <greg@kroah.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Kylene Jo Hall [Mon, 15 May 2006 16:43:53 +0000 (09:43 -0700)]
[PATCH] tpm: update module dependencies
The TIS driver is dependent upon information from the ACPI table for device
discovery thus it compiles but does no actual work without this dependency.
Signed-off-by: Kylene Hall <kjhall@us.ibm.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Stefan Schweizer [Mon, 15 May 2006 16:43:52 +0000 (09:43 -0700)]
[PATCH] Fix capi reload by unregistering the correct major
I am having the bug FATAL: Error inserting capi ([..]/capi.ko): Device or
resource busy when I try to reload capi after loading it. in dmesg:
capi20: unable to get major 68
Fix the issue which is caused by setting the major to zero when registering
the chrdev succeeded.
(akpm: this means that we can again not use `major=0' (dynamic major
allocation) for this driver).
Ian Kent [Mon, 15 May 2006 16:43:51 +0000 (09:43 -0700)]
[PATCH] autofs4: NFY_NONE wait race fix
This patch fixes two problems.
First, the comparison of entries in the waitq.c was incorrect.
Second, the NFY_NONE check was incorrect. The test of whether the dentry
is mounted if ineffective, for example, if an expire fails then we could
wait forever on a non existant expire. The bug was identified by Jeff
Moyer.
The patch changes autofs4 to wait on expires only as this is all that's
needed. If there is no existing wait when autofs4_wait is call with a type
of NFY_NONE it delays until either a wait appears or the the expire flag is
cleared.
Signed-off-by: Ian Kent <raven@themaw.net> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
The resource struct is still 32-bit, so trying to save a 64-bit memory
size there obviously won't work.
When we merge the 64-bit resource series, we can re-enable this.
Thanks to Sachin Sant and Maneesh Soni for debugging
Cc: Maneesh Soni <maneesh@in.ibm.com> Cc: Sachin Sant <sachinp@in.ibm.com> Cc: Russell King <rmk+lkml@arm.linux.org.uk> Cc: Sharyathi Nagesh <sharyath@in.ibm.com> Cc: Arjan van de Ven <arjan@infradead.org> Cc: Vivek Goyal <vgoyal@in.ibm.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Linus Torvalds [Sat, 13 May 2006 01:42:09 +0000 (18:42 -0700)]
Alternative fix for MMC oops on unmount after removal
Make sure to clear the driverfs_dev pointer when we do del_gendisk() (on
disk removal), so that other users that may still have a ref to the disk
won't try to use the stale pointer.
Also move the KOBJ_REMOVE uevent handler up, so that the uevent still
has access to the driverfs_dev data.
* master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6:
[SPARC]: Fix warning on prom_getproperty in openprom.c
[SPARC]: Handle UNWIND_INFO properly.
[SPARC64]: Update defconfig.
[SPARC]: show device name in /proc/dvma_map
[SPARC]: Remove duplicate symbol exports
Sean Hefty [Fri, 12 May 2006 21:57:52 +0000 (14:57 -0700)]
IB: refcount race fixes
Fix race condition during destruction calls to avoid possibility of
accessing object after it has been freed. Instead of waking up a wait
queue directly, which is susceptible to a race where the object is
freed between the reference count going to 0 and the wake_up(), use a
completion to wait in the function doing the freeing.
Signed-off-by: Sean Hefty <sean.hefty@intel.com> Signed-off-by: Roland Dreier <rolandd@cisco.com>
Roland Dreier [Fri, 12 May 2006 21:57:52 +0000 (14:57 -0700)]
IB/ipath: Properly terminate PCI ID table
The ipath driver's table of PCI IDs needs a { 0, } entry at the end.
This makes all of the device aliases visible to userspace so hotplug
loads the module for all supported devices. Without the patch,
modinfo ipath_core only shows:
Simon Kelley [Fri, 12 May 2006 21:56:08 +0000 (14:56 -0700)]
[NEIGH]: Fix IP-over-ATM and ARP interaction.
The classical IP over ATM code maintains its own IPv4 <-> <ATM stuff>
ARP table, using the standard neighbour-table code. The
neigh_table_init function adds this neighbour table to a linked list
of all neighbor tables which is used by the functions neigh_delete()
neigh_add() and neightbl_set(), all called by the netlink code.
Once the ATM neighbour table is added to the list, there are two
tables with family == AF_INET there, and ARP entries sent via netlink
go into the first table with matching family. This is indeterminate
and often wrong.
To see the bug, on a kernel with CLIP enabled, create a standard IPv4
ARP entry by pinging an unused address on a local subnet. Then attempt
to complete that entry by doing
ip neigh replace <ip address> lladdr <some mac address> nud reachable
Looking at the ARP tables by using
ip neigh show
will reveal two ARP entries for the same address. One of these can be
found in /proc/net/arp, and the other in /proc/net/atm/arp.
This patch adds a new function, neigh_table_init_no_netlink() which
does everything the neigh_table_init() does, except add the table to
the netlink all-arp-tables chain. In addition neigh_table_init() has a
check that all tables on the chain have a distinct address family.
The init call in clip.c is changed to call
neigh_table_init_no_netlink().
Since ATM ARP tables are rather more complicated than can currently be
handled by the available rtattrs in the netlink protocol, no
functionality is lost by this patch, and non-ATM ARP manipulation via
netlink is rescued. A more complete solution would involve a rtattr
for ATM ARP entries and some way for the netlink code to give
neigh_add and friends more information than just address family with
which to find the correct ARP table.
[ I've changed the assertion checking in neigh_table_init() to not
use BUG_ON() while holding neigh_tbl_lock. Instead we remember that
we found an existing tbl with the same family, and after dropping
the lock we'll give a diagnostic kernel log message and a stack dump.
-DaveM ]
Signed-off-by: Simon Kelley <simon@thekelleys.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
* master.kernel.org:/pub/scm/linux/kernel/git/gregkh/i2c-2.6:
[PATCH] scx200_acb: Fix for the CS5535 errata
[PATCH] scx200_acb: Fix resource name use after free
[PATCH] scx200_acb: Fix return on init error
Both Erik Mouw and Andrew Vasquez independently pinpointed this commit
as causing problems, where the slab cache for a driver is never released
(most obviously causing problems when immediately re-loading that
driver, resulting in a "kmem_cache_create: duplicate cache <xyz>"
message, but it can also cause other trouble).
James Bottomley dug into it, and reports:
"OK, here's the scoop. The problem patch adds a get of driverfs_dev in
add_disk(), but doesn't put it again until disk_release() (which occurs
on final put_disk() of the gendisk).
However, in SCSI, the driverfs_dev is the sdev_gendev. That means
there's a reference held on sdev_gendev until final disk put.
Unfortunately, we use the driver model driver_remove to trigger
del_gendisk (which removes the gendisk from visibility and decrements
the refcount), so we've introduced an unbreakable deadlock in the
reference counting with this.
I suggest simply reversing this patch at the moment. If Russell and
Jens can tell me what they're trying to do I'll see if there's another
way to do it."
so hereby the patch gets reverted, waiting for a better fix.
Cc: Jens Axboe <axboe@suse.de> Cc: Russell King <rmk@arm.linux.org.uk> Cc: James Bottomley <James.Bottomley@SteelEye.com> Cc: Erik Mouw <erik@harddisk-recovery.com> Cc: Andrew Vasquez <andrew.vasquez@qlogic.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
I introduced this way back in 2.6.13 when adding the port lock logic.
This device talks out through different "ports" all at the same time, so
the lock logic was wrong, preventing any data from ever being sent
properly.
Thanks a lot to Bernhard Reiter <bernhard@intevation.de> for being
patient and helping with debugging this.
Cc: Bernhard Reiter <bernhard@intevation.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
[PATCH] usbserial: Fixes use-after-free in serial_open().
If the device is disconnected while serial_open() is executing and
either try_module_get() or the device specific open function fails, the
kref_put() call in the 'bailout_kref_put' label will free the memory
pointed out by 'port'.
The subsequent dereferences in the 'bailout_kref_put' label will be
invalid.
The fix is just to assure kref_put() is called after any 'port' usage.
Signed-off-by: Luiz Fernando N. Capitulino <lcapitulino@mandriva.com.br> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Monty [Tue, 9 May 2006 19:37:22 +0000 (12:37 -0700)]
[PATCH] USB: Emagic USB firmware loading fixes
It's become apparent as machines get faster that the emagic kernel firmware
loaders (based on the ezusb loader) have a reset race. a 400MHz TiBook
never tripped it, but a 2GHz Pentium M seems to hit it about 30% of the
time. The bug is seen as a hung USB box and the kernel error:
Olaf Hering [Fri, 5 May 2006 09:07:21 +0000 (11:07 +0200)]
[PATCH] USB: add an IBM USB keyboard to the HID_QUIRK_NOGET blacklist
After recent changes, the USB keyboard as shipped with IBM pSeries systems
does not work anymore, unless the keyboard is replugged after reboot.
Adding this model to the blacklist fixes it.
Signed-off-by: Olaf Hering <olh@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
* master.kernel.org:/home/rmk/linux-2.6-serial:
[SERIAL] 8250: add locking to console write function
[SERIAL] Remove unconditional enable of TX irq for console
[SERIAL] 8250: set divisor register correctly for AMD Alchemy SoC uart
[SERIAL] AMD Alchemy UART: claim memory range
[SERIAL] Clean up serial locking when obtaining a reference to a port
* master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6:
[NET_SCHED]: HFSC: fix thinko in hfsc_adjust_levels()
[IPV6]: skb leakage in inet6_csk_xmit
[BRIDGE]: Do sysfs registration inside rtnl.
[NET]: Do sysfs registration as part of register_netdevice.
[TG3]: Fix possible NULL deref in tg3_run_loopback().
[NET] linkwatch: Handle jiffies wrap-around
[IRDA]: Switching to a workqueue for the SIR work
[IRDA]: smsc-ircc: Minimal hotplug support.
[IRDA]: Removing unused EXPORT_SYMBOLs
[IRDA]: New maintainer.
[NET]: Make netdev_chain a raw notifier.
[IPV4]: ip_options_fragment() has no effect on fragmentation
[NET]: Add missing operstates documentation.
Jens Axboe [Thu, 11 May 2006 06:20:16 +0000 (08:20 +0200)]
[BLOCK] limit request_fn recursion
Don't recurse back into the driver even if the unplug threshold is met,
when the driver asks for a requeue. This is both silly from a logical
point of view (requeues typically happen due to driver/hardware
shortage), and also dangerous since we could hit an endless request_fn
-> requeue -> unplug -> request_fn loop and crash on stack overrun.
Also limit blk_run_queue() to one level of recursion, similar to how
blk_start_queue() works.
This patch fixed a real problem with SLES10 and lpfc, and it could hit
any SCSI lld that returns non-zero from it's ->queuecommand() handler.
Linus Torvalds [Thu, 11 May 2006 18:08:49 +0000 (11:08 -0700)]
ptrace_attach: fix possible deadlock schenario with irqs
Eric Biederman points out that we can't take the task_lock while holding
tasklist_lock for writing, because another CPU that holds the task lock
might take an interrupt that then tries to take tasklist_lock for writing.
Which would be a nasty deadlock, with one CPU spinning forever in an
interrupt handler (although admittedly you need to really work at
triggering it ;)
Since the ptrace_attach() code is special and very unusual, just make it
be extra careful, and use trylock+repeat to avoid the possible deadlock.
Cc: Oleg Nesterov <oleg@tv-sign.ru> Cc: Eric W. Biederman <ebiederm@xmission.com> Cc: Roland McGrath <roland@redhat.com> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Addresses for ioremap must be calculated off of pci_resource_start;
we can't directly use the bus address as seen by the HCA. Fix the
code that remaps device memory for FMR access.
Based on patch by Klaus Smolin.
Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il> Signed-off-by: Roland Dreier <rolandd@cisco.com>
James Cameron [Wed, 10 May 2006 20:33:29 +0000 (13:33 -0700)]
sis900: phy for FoxCon motherboard
661FX7MI-S motherboard which uses the SiS 661FX chipset. The patch adds
an entry to mii_chip_info for the transceiver.
The PHY ids were found using the sis900_c_122.diff patch from
http://brownhat.org/sis900.html but that patch didn't solve the problem,
because the PHY at address 1 was already being chosen.
Without my patch, when bursts of packets arrive from other hosts on a
LAN, the interface dropped one roughly 10% of the time, causing
retransmits. There were fifth second pauses in refresh of large xterms,
and it made Netrek suck. I can provide further test data.
Workaround in lieu of patch is to use mii-tool to advertise
100baseTx-HD, then force renegotiation.
I wasn't able to identify the actual transceiver, so the description
field is a guess.
This patch is similar to Artur Skawina's patch:
http://marc.theaimsgroup.com/?l=linux-netdev&m=114297516729079&w=2
I'm not sure, but I wonder if it means the default behaviour should be
changed, so as to better handle future transceivers.
Diff is against 2.6.16.13.
Signed-off-by: James Cameron <james.cameron@hp.com> Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
phy: mdiobus_register(): initialize all phy_map entries
make sure phy_map entries whose PHY address is masked are initialized
to NULL, given that other code (such as mdiobus_unregister for
instance) assumes that non-NULL phy_map entries are allocated
phy_devices
Signed-off-by: Herbert Valerio Riedel <hvr@gnu.org> Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Harald Welte [Wed, 10 May 2006 11:28:52 +0000 (13:28 +0200)]
[Cardman 40x0] Fix udev device creation
This patch corrects the order of the calls to register_chrdev() and
pcmcia_register_driver(). Now udev correctly creates userspace device
files /dev/cmmN and /dev/cmxN respectively.
Based on an earlier patch by Jan Niehusmann <jan@gondor.com>.
Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Now that netdevice sysfs registration is done as part of
register_netdevice; bridge code no longer has to be tricky when adding
it's kobjects to bridges.
Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
[NET]: Do sysfs registration as part of register_netdevice.
The last step of netdevice registration was being done by a delayed
call, but because it was delayed, it was impossible to return any error
code if the class_device registration failed.
Side effects:
* one state in registration process is unnecessary.
* register_netdevice can sleep inside class_device registration/hotplug
* code in netdev_run_todo only does unregistration so it is simpler.
Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
mdr@sgi.com [Mon, 1 May 2006 18:07:04 +0000 (13:07 -0500)]
[SCSI] mptfc: race between mptfc_register_dev and mptfc_target_alloc
A race condition exists in mptfc between the thread registering a device
with the fc transport and the scan work generated by the transport.
This race existed prior to the application of the mptfc bug fix patch.
mptfc_register_dev() calls fc_remote_port_add() with the FC_RPORT_ROLE_TARGET
bit set in the rport ids passed to the function. Having this bit set causes
fc_remote_port_add() to schedule a scan of the device.
This scan can execute before mptfc_register_dev() can fill in the dd_data
in the rport structure. When this happens, mptfc_target_alloc() will fail
because dd_data is null.
Attached is a patch which fixes the problem. The patch changes the rport ids
passed to fc_remote_port_add() to not have the TARGET bit set. This prevents
the scan from being scheduled. After mptfc_register_dev() fills in the rport
dd_data field, fc_remote_port_rolechg() is called, changing the role of the
rport to TARGET. Thus, the scan is scheduled after dd_data is filled
in which prevents the failure in mptfc_target_alloc().
Signed-off-by: Michael Reed <mdr@sgi.com> Signed-off-by: Eric Moore <Eric.Moore@lsil.com> Signed-off-by: James Bottomley <James.Bottomley@SteelEye.com>
Jesper Juhl [Wed, 10 May 2006 06:14:35 +0000 (23:14 -0700)]
[TG3]: Fix possible NULL deref in tg3_run_loopback().
tg3_run_loopback doesn't check that dev_alloc_skb() returns anything
useful.
Even if dev_alloc_skb() fails to return an skb to us we'll happily go
on and assume it did, so we risk dereferencing a NULL pointer. Much
better to fail gracefully by returning -ENOMEM than crashing here.
Signed-off-by: Jesper Juhl <jesper.juhl@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Roland Dreier [Wed, 10 May 2006 05:54:59 +0000 (22:54 -0700)]
IPoIB: Free child interfaces properly
When deleting a child interface with a non-default P_Key via
/sys/class/net/ibX/delete_child, the interface must be freed with
free_netdev() (rather than kfree() on the private data).
Herbert Xu [Tue, 9 May 2006 22:27:54 +0000 (15:27 -0700)]
[NET] linkwatch: Handle jiffies wrap-around
The test used in the linkwatch does not handle wrap-arounds correctly.
Since the intention of the code is to eliminate bursts of messages we
can afford to delay things up to a second. Using that fact we can
easily handle wrap-arounds by making sure that we don't delay things
by more than one second.
This is based on diagnosis and a patch by Stefan Rompf.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Acked-by: Stefan Rompf <stefan@loplof.de> Signed-off-by: David S. Miller <davem@davemloft.net>
Since sir_kthread.c pretty much duplicates the workqueue
functionality, we'd better switch. The SIR fsm has been merged into
sir_dev.c and thus sir_kthread.c is deleted.
Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Samuel Ortiz <samuel.ortiz@nokia.com> Signed-off-by: David S. Miller <davem@davemloft.net>
David Brownell [Tue, 9 May 2006 22:26:11 +0000 (15:26 -0700)]
[IRDA]: smsc-ircc: Minimal hotplug support.
Minimal PNP hotplug support for the smsc-ircc2 driver. A modular
driver will be modprobed via hotplug, but still bypasses driver model
probing.
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Samuel Ortiz <samuel.ortiz@nokia.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Russell King [Tue, 9 May 2006 21:14:28 +0000 (22:14 +0100)]
[ARM] Fix thread struct allocator for SMP case
The ARM thread struct allocator is racy on SMP systems. Fix it by
turning it into a per-cpu based allocator. This also allows keeps
the cache cache warm for thread structs and kernel stacks.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Jordan Crouse [Fri, 28 Apr 2006 20:53:30 +0000 (22:53 +0200)]
[PATCH] scx200_acb: Fix for the CS5535 errata
This is a fix for the CS5535 errata 111:
When the SMBus controller tries to access a non-existing device, it sets
the NEGACK bit, SMBus I/O offset 01h[4], to 1 after it detects no
acknowledge at the ninth clock. The specification states that the bit
can be cleared by writing a 1 to it, but under certain circumstances it
is possible for this bit to not clear.
Writing a 0 to the bit resets the internal state machine and clears the
issue.
Since all writable bits in ACBST are W1C bits (write-one-to-clear) the
second write doesn't affect any other logic except the buggy NEGACK
state machine. The second write clears an internal register which is
responsible for "overwriting" the NEGACK bit in ACBST.
Signed-off-by: Jordan Crouse <jordan.crouse@amd.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jean Delvare [Wed, 26 Apr 2006 21:00:16 +0000 (23:00 +0200)]
[PATCH] scx200_acb: Fix resource name use after free
We can't pass a string on the stack to request_region. As soon as we
leave the function that stack is gone and the string is lost. Let's
use the same string we identify the i2c_adapter with instead, it's
more simple, more consistent, and just works.
This is the second half of fix to bug #6445.
Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jean Delvare [Wed, 26 Apr 2006 20:50:32 +0000 (22:50 +0200)]
[PATCH] scx200_acb: Fix return on init error
The scx200_acb driver shouldn't return failure after initialization
if it successfully registered at least one i2c_adapter, else we are
leaking resources. The driver was OK in that respect up to 2.6.16, a
recent change broke it.
This is part of the fix to bug #6445.
Signed-off-by: Jean Delvare <khali@linux-fr.org> Cc: Ben Gardner <bgardner@wabtec.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Roland Dreier [Tue, 9 May 2006 17:50:29 +0000 (10:50 -0700)]
IB/mthca: Fix race in reference counting
Fix races in in destroying various objects. If a destroy routine
waits for an object to become free by doing
wait_event(&obj->wait, !atomic_read(&obj->refcount));
/* now clean up and destroy the object */
and another place drops a reference to the object by doing
if (atomic_dec_and_test(&obj->refcount))
wake_up(&obj->wait);
then this is susceptible to a race where the wait_event() and final
freeing of the object occur between the atomic_dec_and_test() and the
wake_up(). And this is a use-after-free, since wake_up() will be
called on part of the already-freed object.
Fix this in mthca by replacing the atomic_t refcounts with plain old
integers protected by a spinlock. This makes it possible to do the
decrement of the reference count and the wake_up() so that it appears
as a single atomic operation to the code waiting on the wait queue.
While touching this code, also simplify mthca_cq_clean(): the CQ being
cleaned cannot go away, because it still has a QP attached to it. So
there's no reason to be paranoid and look up the CQ by number; it's
perfectly safe to use the pointer that the callers already have.
Roland Dreier [Tue, 9 May 2006 17:50:28 +0000 (10:50 -0700)]
IB/srp: Fix tracking of pending requests during error handling
If a SCSI abort completes, or the command completes successfully, then
the driver must remove the command from its queue of pending
commands. Similarly, if a device reset succeeds, then all commands
queued for the given device must be removed from the queue.
Ralph Campbell [Tue, 9 May 2006 17:50:28 +0000 (10:50 -0700)]
IB: Fix display of 4-bit port counters in sysfs
The code to display local_link_integrity_errors and
excessive_buffer_overrun_errors in
/sys/class/infiniband/<hca>/ports/<n>/counters/
uses the wrong shift to extract the 4 bit values.
Signed-off-by: Ralph Campbell <ralph.campbell@qlogic.com> Signed-off-by: Roland Dreier <rolandd@cisco.com>
Linus Torvalds [Tue, 9 May 2006 17:18:35 +0000 (10:18 -0700)]
Merge branch 'upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/netdev-2.6
* 'upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/shemminger/netdev-2.6:
[PATCH] bcm43xx: Fix access to non-existent PHY registers
[PATCH] bcm43xx: Fix array overrun in bcm43xx_geo_init
[PATCH] bcm43xx: check for valid MAC address in SPROM
[PATCH] ieee80211: Fix A band channel count (resent)
[PATCH] bcm43xx: fix iwmode crash when down
[PATCH] softmac: make non-operational after being stopped
[PATCH] softmac: don't reassociate if user asked for deauthentication
spidernet: enable support for bcm5461 ethernet phy
spidernet: introduce new setting
Fix RTL8019AS init for Toshiba RBTX49xx boards
au1000_eth.c: use ether_crc() from <linux/crc32.h>
sky2: version 1.3
Add more support for the Yukon Ultra chip found in dual core centino laptops.
sky2: synchronize irq on remove
sky2: dont write status ring
sky2: edge triggered workaround enhancement
sky2: use mask instead of modulo operation
sky2: tx ring index mask fix
sky2: status irq hang fix
sky2: backout NAPI reschedule
Ian Abbott [Thu, 4 May 2006 10:34:25 +0000 (11:34 +0100)]
[PATCH] USB: ftdi_sio: Add support for HCG HF Dual ISO RFID Reader
This patch adds support for ACG Identification Technologies GmbH's HF
Dual ISO Reader (an RFID tag reader) to the ftdi_sio driver's device ID
table. The product ID was supplied by anotonios (anton at goto10 dot
org) on the ftdi-usb-sio-devel list and subsequently verified by myself
(Ian Abbott).
Signed-off-by: Ian Abbott <abbotti@mev.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Pete Zaitcev [Wed, 3 May 2006 07:16:00 +0000 (00:16 -0700)]
[PATCH] USB: ub oops in block_uevent
In kernel 2.6.16, if a mounted storage device is removed, an oops happens
because ub supplies an interface device (and kobject) to the block layer,
but neglects to pin it. And apparently, the block layer expects its users
to pin device structures.
The code in ub was broken this way for years. But the bug was exposed only
by 2.6.16 when it started to call block_uevent on close, which traverses
device structures (kobjects actually).
Signed-off-by: Pete Zaitcev <zaitcev@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alan Stern [Tue, 2 May 2006 19:22:41 +0000 (15:22 -0400)]
[PATCH] USB: usbcore: don't check the device's power source
The choose_configuration() routine contains code the determine the
device's power source, so that configurations requiring external power
can be ruled out if the device is running on bus power. Unfortunately
it turns out that some devices have errors in their config descriptors
and other devices don't like the GET_DEVICE_STATUS request.
Since that information wasn't used for anything else, this patch (as673)
removes the code, leaving only a comment. It fixes bugzilla entry
#6448.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
David Brownell [Tue, 2 May 2006 05:07:13 +0000 (22:07 -0700)]
[PATCH] USB: fix OHCI PM regression
This fixes a small regression in USB controller power usage for many
OHCI controllers, notably including every non-PCI version of OHCI: on
those systems, the runtime autosuspend mechanism is no longer enabled.
The change moves to saner defaults. All root hubs are expected to handle
remote wakeup (and hence autosuspend), although drivers for buggy silicon
may override that default.
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Because of the way stringify works, using an expression
like 64 * 1024 for UDSL_MAX_BUF_SIZE results in 64 * 1024
turning up in the modinfo output instead of 65536. So use
65536 directly (this was the only way I found of fixing this).
[PATCH] USBATM: change the default speedtouch iso altsetting
The maximum possible bandwidth for a speedtouch modem is about 7Mbaud.
You can only get this by using isochronous urbs (enable_isoc=1) and
altsetting 3. With the current default altsetting of 2, the modem
maxes out at about 4Mbaud. So change the default altsetting to 3
when using isochronous urbs. It would be nice to base the altsetting
on the detected line speed, but that's hard given the current design.
David Brownell [Wed, 26 Apr 2006 21:39:11 +0000 (14:39 -0700)]
[PATCH] USB: fix bug in ohci-hcd.c ohci_restart()
A loop on a power-lost resume path used the wrong index.
I suspect khubd has been working around such bugs.
Noticed by Andreas Mohr <andi@rhlx01.fht-esslingen.de>.
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Marcelo Tosatti [Fri, 5 May 2006 20:09:29 +0000 (17:09 -0300)]
[PATCH] ppc32/8xx: Fix r3 trashing due to 8MB TLB page instantiation
Instantiation of 8MB pages on the TLB cache for the kernel static
mapping trashes r3 register on !CONFIG_8xx_CPU6 configurations.
This ensures r3 gets saved and restored.
Signed-off-by: Marcelo Tosatti <marcelo@kvack.org> Signed-off-by: Paul Mackerras <paulus@samba.org>
Paul Mackerras [Tue, 9 May 2006 06:00:59 +0000 (16:00 +1000)]
powerpc/32: Define an is_kernel_addr() to fix ARCH=ppc compilation
My commit 6bfd93c32a5065d0e858780b3beb0b667081601c broke the ARCH=ppc
compilation by using the is_kernel_addr() macro in asm/uaccess.h.
This fixes it by defining a suitable is_kernel_addr() for ARCH=ppc.
Linus Torvalds [Tue, 9 May 2006 00:41:05 +0000 (17:41 -0700)]
Merge git://oss.sgi.com:8090/xfs-2.6
* git://oss.sgi.com:8090/xfs-2.6:
[XFS] Fix a possible metadata buffer (AGFL) refcount leak when fixing an
[XFS] Fix a project quota space accounting leak on rename.
[XFS] Fix a possible forced shutdown due to mishandling write barriers
Jens Osterkamp [Thu, 4 May 2006 09:59:41 +0000 (05:59 -0400)]
spidernet: enable support for bcm5461 ethernet phy
A newer board revision changed the type of ethernet phy.
Moreover, this generalizes the way that a phy gets switched
into fiber mode when autodetection is not available.
Sergei Shtylyov [Mon, 8 May 2006 20:58:28 +0000 (00:58 +0400)]
Fix RTL8019AS init for Toshiba RBTX49xx boards
Ensure that 8-bit mode is selected for the on-board Realtek RTL8019AS chip
on Toshiba RBHMA4x00, get rid of the duplicate #ifdef's when setting
ei_status.word16.
The chip's datasheet says that the PSTOP register shouldn't exceed 0x60 in
8-bit mode -- ensure this too.
Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com> Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
au1000_eth.c: use ether_crc() from <linux/crc32.h>
since the au1000 driver already selects the CRC32 routines, simply replace
the internal ether_crc() implementation with the semantically equivalent
one from <linux/crc32.h>
Signed-off-by: Herbert Valerio Riedel <hvr@gnu.org> Signed-off-by: Stephen Hemminger <shemminger@osdl.org>