Jody McIntyre [Tue, 22 Nov 2005 17:17:11 +0000 (12:17 -0500)]
csr1212: check results of keyval reads
csr1212_parse_csr() did not properly check return values when reading
keyvals. Fix this by using _csr1212_read_keyval() instead of
csr1212_get_keyval() and checking the return code.
Adrian Bunk [Mon, 21 Nov 2005 22:32:14 +0000 (17:32 -0500)]
drivers/ieee1394/raw1394.c: fix a NULL pointer
The coverity checker spotted that this was a NULL pointer dereference in
the "if (copy_from_user(...))" case since the next step is to
kfree(cache->filled_head).
There's no need to free cache at this point, and it's getting free'd
later.
Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Jody McIntyre <scjody@modernduck.com>
hawkes@sgi.com [Fri, 18 Nov 2005 19:30:34 +0000 (11:30 -0800)]
[IA64] fix bug in sn/ia64 for sparse CPU numbering
The kernel's use of the for_each_*cpu(i) macros has allowed for sparse CPU
numbering. When I hacked the kernel to test sparse cpu_present_map[] and
cpu_possible_map[] cpumasks, I discovered one remaining spot, in
sn_hwperf_ioctl() during sn initialization, that needs to be fixed.
Signed-off-by: John Hawkes <hawkes@sgi.com> Signed-off-by: Dean Roe <roe@sgi.com> Signed-off-by: Tony Luck <tony.luck@intel.com>
Jens Axboe [Mon, 21 Nov 2005 18:49:41 +0000 (19:49 +0100)]
[PATCH] as-iosched: remove state assertion in as_add_request()
Kill the arq->state poison statement in as_add_request(), it can trigger
for perfectly valid code that just reuses a request after io completion
instead of freeing it and allocating a new one. We probably should
introduce a blk_init_request() to start from scratch, but for now just
kill it as we will be removing the as specific poisoning soon.
Russell King [Mon, 21 Nov 2005 15:26:18 +0000 (15:26 +0000)]
[ARM] Add asm/memory.h to asm/numnodes.h
Since the defintion of NODES_SHIFT may be overridden in asm/arch/memory.h
it's important to include asm/memory.h into asm/numnodes.h to ensure
that the correct value is always defined.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Nicolas Kaiser [Mon, 21 Nov 2005 05:11:31 +0000 (21:11 -0800)]
[NETFILTER]: Remove ARRAY_SIZE duplicate
Signed-off-by: Nicolas Kaiser <nikai@nikai.net> Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Yasuyuki Kozakai [Mon, 21 Nov 2005 05:09:55 +0000 (21:09 -0800)]
[NETFILTER]: fixed dependencies between modules related with ip_conntrack
- IP_NF_CONNTRACK_MARK is bool and depends on only IP_NF_CONNTRACK
which is tristate. If a variable depends on IP_NF_CONNTRACK_MARK and
doesn't care about IP_NF_CONNTRACK, it can be y. This must be avoided.
- IP_NF_CT_ACCT has same problem.
- IP_NF_TARGET_CLUSTERIP also depends on IP_NF_MANGLE.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Yan Zheng [Sun, 20 Nov 2005 21:42:20 +0000 (13:42 -0800)]
[IPV6]: Acquire addrconf_hash_lock for read in addrconf_verify(...)
addrconf_verify(...) only traverse address hash table when
addrconf_hash_lock is held for writing, and it may hold
addrconf_hash_lock for a long time. So I think it's better to acquire
addrconf_hash_lock for reading instead of writing
Signed-off-by: Yan Zheng <yanzheng@21cn.com> Signed-off-by: David S. Miller <davem@davemloft.net>
From: Alexandra Kossovsky <Alexandra.Kossovsky@oktetlabs.ru>
From http://bugzilla.kernel.org/show_bug.cgi?id=4746
There is user data corruption when using ioctl(SIOCGIFCONF) in 32-bit
application running amd64 kernel. I do not think that this problem is
exploitable, but any data corruption may lead to security problems.
Following code demonstrates the problem
main()
{
int s = socket(AF_INET, SOCK_DGRAM, 0);
struct ifconf req;
int i;
req.ifc_buf = buf;
req.ifc_len = 41;
printf("Result %d\n", ioctl(s, SIOCGIFCONF, &req));
printf("Len %d\n", req.ifc_len);
for (i = 41; i < 256; i++)
if (buf[i] != 0)
printf("Byte %d is corrupted\n", i);
}
Steps to reproduce:
Compile the code above into 32-bit elf and run it. You'll get
Result 0
Len 32
Byte 48 is corrupted
Byte 52 is corrupted
Byte 53 is corrupted
Byte 54 is corrupted
Byte 55 is corrupted
Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Andrea Bittau [Sun, 20 Nov 2005 21:41:05 +0000 (13:41 -0800)]
[PKT_SCHED]: sch_netem: correctly order packets to be sent simultaneously
If two packets were queued to be sent at the same time in the future,
their order would be reversed. This would occur because the queue is
traversed back to front, and a position is found by checking whether
the new packet needs to be sent before the packet being examined. If
the new packet is to be sent at the same time of a previous packet, it
would end up before the old packet in the queue. This patch places
packets in the correct order when they are queued to be sent at a same
time in the future.
Signed-off-by: Andrea Bittau <a.bittau@cs.ucl.ac.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
Dmitry Torokhov [Sun, 20 Nov 2005 05:56:43 +0000 (00:56 -0500)]
Input: make serio and gameport more swsusp friendly
kseriod and kgameportd used to process all pending events before
checking for freeze condition. This may cause swsusp to time out
while stopping tasks when resuming. Switch to process events one
by one to check freeze status more often.
Dmitry Torokhov [Sun, 20 Nov 2005 05:51:43 +0000 (00:51 -0500)]
Input: uinput - don't use "interruptible" in FF code
If thread that submitted FF request gets interrupted somehow it
will release request structure and ioctl handler will work with
freed memory. TO prevent that from happening switch to using
wait_for_completion instead of wait_for_completion_interruptible.
Input: wistron - add support for Acer Aspire 1500 notebooks
Also fix a potential issue with some notebooks:
The current code assumes the response to bios_wifi_get_default_setting is
either 1 (disabled) or 3 (enabled), or wifi isn't supported. The BIOS
response appears to be a bit field w/ 0x1 indicating hardware presence, 0x2
indicating actiation status, and the other 6 bits being unknown/reserved --
with the patch, these 6 bits are ignored.
Signed-off-by: Bernhard Rosenkraenzer <bero@arklinux.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Dmitry Torokhov [Sun, 20 Nov 2005 05:50:06 +0000 (00:50 -0500)]
Input: add Wistron driver
A driver for laptop buttons using an x86 BIOS interface that is
apparently used on quite a few laptops and seems to be originating
from Wistron.
This driver currently "knows" only about Fujitsu-Siemens Amilo Pro V2000
(i.e. it can detect the laptop using DMI and it contains the
keycode->key meaning mapping for this laptop) and Xeron SonicPro X 155G
(probably can't be reliably autodetected, requires a module parameter),
adding other laptops should be easy.
In addition to reporting button presses to the input layer the driver
also allows enabling/disabling the embedded wireless NIC (using the
"Wifi" button); this is done using the same BIOS interface, so it seems
only logical to keep the implementation together. Any flexibility
possibly gained by allowing users to remap the function of the "Wifi"
button is IMHO not worth it when weighted against the necessity to run
an user-space daemon to convert button presses to wifi state changes.
Dmitry Torokhov [Sun, 20 Nov 2005 05:49:42 +0000 (00:49 -0500)]
Input: atkbd - speed up setting leds/repeat state
Changing led state is pretty slow operation; when there are multiple
requests coming at a high rate they may interfere with normal typing.
Try optimize (skip) changing hardware state when multiple requests
are coming back-to-back.
Stefan Richter [Sun, 20 Nov 2005 02:35:22 +0000 (21:35 -0500)]
sbp2: slimmer interface to scsi_mod
- sbp2scsi_reset does not need to take host_lock
- sbp2scsi_reset, as our device reset handler, does not need to stand in as
bus reset or host reset handler
- let scsi_mod use scsi_host_template.name instead of .info
(sbp2 is not an emulation anway)
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Jody McIntyre <scjody@modernduck.com>
This patch fixes the incoherent timestamps generated by video1394 since
the single-buffer patch was applied in 2.6.11. Credits have also been
removed from the header and a "//" comment was changed to "/* */".
Russell King [Sat, 19 Nov 2005 11:10:35 +0000 (11:10 +0000)]
[SERIAL] Fix status reporting with PL011 serial driver
The receiver status register reports latched error conditions, which
must be cleared by writing to it. However, the data register reports
unlatched conditions which are associated with the current character.
Use the data register to interpret error status rather than the RSR.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Paul Mackerras [Sat, 19 Nov 2005 10:24:55 +0000 (21:24 +1100)]
powerpc: Fix bug in timebase synchronization on 32-bit SMP powermac
We were using udelay in the loop on the primary cpu waiting for the
secondary cpu to take the timebase value. Unfortunately now that
udelay uses the timebase, and the timebase is stopped at this point,
the udelay never terminated. This fixes it by not using udelay, and
increases the number of loops before we time out to compensate.
[ARM] 3168/1: Update ARM signal delivery and masking
Patch from Daniel Jacobowitz
After delivering a signal (creating its stack frame) we must check for
additional pending unblocked signals before returning to userspace.
Otherwise signals may be delayed past the next syscall or reschedule.
Once that was fixed it became obvious that the ARM signal mask manipulation
was broken. It was a little bit broken before the recent SA_NODEFER
changes, and then very broken after them. We must block the requested
signals before starting the handler or the same signal can be delivered
again before the handler even gets a chance to run.
Signed-off-by: Daniel Jacobowitz <dan@codesourcery.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Paul Mackerras [Sat, 19 Nov 2005 09:46:04 +0000 (20:46 +1100)]
powerpc: Merge pci.h
This involves some minor changes: a few unused functions that the
ppc32 pci.c provides are no longer declared here or exported;
pcibios_assign_all_busses now just refers to the pci_assign_all_buses
variable on both 32-bit and 64-bit; pcibios_scan_all_fns is now
just 0 instead of a function that always returns 0 on 64-bit.
David Gibson [Wed, 16 Nov 2005 04:43:48 +0000 (15:43 +1100)]
[PATCH] powerpc: Remove imalloc.h
asm-ppc64/imalloc.h is only included from files in arch/powerpc/mm.
We already have a header for mm local definitions,
arch/powerpc/mm/mmu_decl.h. Thus, this patch moves the contents of
imalloc.h into mmu_decl.h. The only exception are the definitions of
PHBS_IO_BASE, IMALLOC_BASE and IMALLOC_END. Those are moved into
pgtable.h, next to similar definitions of VMALLOC_START and
VMALLOC_SIZE.
Built for multiplatform 32bit and 64bit (ARCH=powerpc).
Signed-off-by: David Gibson <david@gibson.dropbear.id.au> Signed-off-by: Paul Mackerras <paulus@samba.org>
Trying to set the priority would just disable the interrupt due to an
incorrect mask used. We rarely use that call, in fact, I think only in
the powermac code for the cmd-power key combo that triggers xmon. So it
got unnoticed for a while.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: Paul Mackerras <paulus@samba.org>
Roland Dreier [Fri, 18 Nov 2005 22:18:26 +0000 (14:18 -0800)]
IB/umad: make sure write()s have sufficient data
Make sure that userspace passes in enough data when sending a MAD. We
always copy at least sizeof (struct ib_user_mad) + IB_MGMT_RMPP_HDR
bytes from userspace, so anything less is definitely invalid. Also,
if the length is less than this limit, it's possible for the second
copy_from_user() to get a negative length and trigger a BUG().
James Bottomley [Fri, 18 Nov 2005 22:13:33 +0000 (23:13 +0100)]
[PATCH] ide: fix ide_toggle_bounce() to not try to bounce if we have an IOMMU
The following patch fixes a crash caused by attempting to bounce buffer
when an IDE CD-ROM is used on a machine with an IO-MMU. [At least, this
patch fixes things so I can use my IDE CD-ROM behind an ns87415 on a
HP PA-RISC workstation.]
Calculation of QP capabilities still isn't exactly right in mthca:
max_send_sge/max_recv_sge fields returned in create_qp can exceed the
handware supported limits.
Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il> Signed-off-by: Roland Dreier <rolandd@cisco.com>