Alexey Dobriyan [Mon, 29 May 2006 05:51:05 +0000 (22:51 -0700)]
[NETFILTER]: PPTP helper: fix sstate/cstate typo
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Marcel Holtmann [Mon, 29 May 2006 05:50:18 +0000 (22:50 -0700)]
[NETFILTER]: Fix small information leak in SO_ORIGINAL_DST (CVE-2006-1343)
It appears that sockaddr_in.sin_zero is not zeroed during
getsockopt(...SO_ORIGINAL_DST...) operation. This can lead
to an information leak (CVE-2006-1343).
Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Paul Mackerras [Sun, 28 May 2006 22:42:34 +0000 (08:42 +1000)]
ppc: Fix typo in TI_LOCAL_FLAGS definition
A typo crept in with commit ea1e847cc202e805769c3c46ba5e5c53714068a1
which defined TI_LOCAL_FLAGS to be the offset of the `flags' field
of struct thread_info, rather than the `local_flags' field. This
fixes it. The typo was pointed out by Guennadi Liakhovetski.
Linus Torvalds [Sat, 27 May 2006 16:40:40 +0000 (09:40 -0700)]
Merge branch 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc
* 'merge' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc:
[PATCH] powerpc: fix RTC/NVRAM accesses on Maple
[PATCH] ppc32 CPM_UART: various fixes for pq2 uart users
[PATCH] powerpc: linuxppc64.org no more
Klaus Wacker [Wed, 24 May 2006 07:51:17 +0000 (09:51 +0200)]
[PATCH] s390: lcs driver bug fixes and improvements [1/2]
Several problems occured with lcs device driver:
- device not operational anymore after cable pull/plug-in.
- unpredictable results occured, e.g. kernel panic
using cards of type QD8F.
- STOPLAN and delete multicast address command
were not proper recognized by OSA card under heavy network workload.
- channel/device error checks missing in interrupt handler.
To fix all problems at once recovery of lcs devices has been improved.
missing error checks in lcs interrupt handler has been added.
Once a hardware problem occurs lcs will recover the device now properly.
Signed-off-by: Frank Pavlic <fpavlic@de.ibm.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
Ursula Braun [Wed, 24 May 2006 07:51:13 +0000 (09:51 +0200)]
[PATCH] s390: qeth driver fixes
From: Frank Blaschka <Frank.Blaschka@de.ibm.com>
From: Frank Pavlic <fpavlic@de.ibm.com>
- fix fake_ll during initial device bringup. fake_ll was
not active after first start of the device.
Problem only occured when qeth was built without IPV6 support.
- avoid skb usage after invocation of qeth_flush_buffers,
because skb might already be freed.
- remove yet another useless netif_wake_queue in
qeth_softsetup_ipv6 since this function is only called
when device is going online. In this case card->state will
never be in state UP. So let the net_device queue down .
Signed-off-by: Frank Pavlic <fpavlic@de.ibm.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
Ursula Braun [Wed, 24 May 2006 07:51:11 +0000 (09:51 +0200)]
[PATCH] s390: qeth driver fixes
From: Frank Pavlic <fpavlic@de.ibm.com>
- correct checking of sscanf-%n value in qeth_string_to_ipaddr().
- don't use netif_stop_queue outside the hard_start_xmit routine.
Rather use netif_tx_disable.
- don't call qeth_netdev_init on a recovery.
Signed-off-by: Frank Pavlic <fpavlic@de.ibm.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
During a code scan for another change I discovered that this call to
pcnet32_free_ring must be removed. If the open fails due to a lack of
memory all the ring structures are removed via the call to free_ring
and a subsequent call to open will dereference a null pointer in
pcnet32_init_ring.
Please apply to 2.6.17.
Signed-off-by: Don Fry <brazilnut@us.ibm.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
Auke Kok [Tue, 23 May 2006 20:35:57 +0000 (13:35 -0700)]
e1000: add shutdown handler back to fix WOL
Someone was waaay too aggressive and removed e1000's reboot notifier
instead of porting it to the new way of the shutdown handler. This change
broke wake on lan. Add the shutdown handler back in using the same method
as e100 uses.
Randy Dunlap [Thu, 25 May 2006 18:10:08 +0000 (11:10 -0700)]
[PATCH] arlan: fix section mismatch warnings
Fix section mismatch warnings:
WARNING: drivers/net/wireless/arlan.o - Section mismatch: reference to
.init.text:arlan_probe from .text between 'init_module' (at offset
0x3526) and 'cleanup_module'
WARNING: drivers/net/wireless/arlan.o - Section mismatch: reference to
.init.text:init_arlan_proc from .text between 'init_module' (at offset
0x3539) and 'cleanup_module'
WARNING: drivers/net/wireless/arlan.o - Section mismatch: reference to
.exit.text:cleanup_arlan_proc from .text between 'cleanup_module' (at
offset 0x356c) and 'arlan_diagnostic_info_string'
Signed-off-by: Randy Dunlap <rdunlap@xenotime.net> Signed-off-by: John W. Linville <linville@tuxdriver.com>
Kylene Jo Hall [Fri, 26 May 2006 01:44:27 +0000 (18:44 -0700)]
[PATCH] tpm: fix bug for TPM on ThinkPad T60 and Z60
The TPM chip on the ThinkPad T60 and Z60 machines is returning 0xFFFF for
the vendor ID which is a check the driver made to double check it was
actually talking to the memory mapped space of a TPM. This patch removes
the check since it isn't absolutely necessary and was causing device
discovery to fail on these machines.
Signed-off-by: Kylene Hall <kjhall@us.ibm.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Johannes Berg [Fri, 26 May 2006 01:44:24 +0000 (18:44 -0700)]
[PATCH] PowerMac: force only suspend-to-disk to be valid
For a very long time, echoing 'standby' or 'mem' into /sys/power/state has
killed the machine on powerpc. This patch fixes that.
This patch adds the .valid callback to pm_ops on PowerMac so that only the
suspend to disk state can be entered. Note that just returning 0 would
suffice since the upper layers don't pass PM_SUSPEND_DISK down, but we
handle it there regardless just in case that changes.
Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
David Brownell [Fri, 26 May 2006 01:44:20 +0000 (18:44 -0700)]
[PATCH] ads7846 conversion accuracy
This improves accuracy of the touchscreen and hwmon sensor readings,
addressing an issue noted by Imre Deak: there's an extra bit written before
the sample (12 bits) gets written out.
It also catches up to various comments, and makes the /proc/interrupts
entry sensible again.
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Cc: Imre Deak <imre.deak@nokia.com> Cc: Jean Delvare <khali@linux-fr.org> Cc: Dmitry Torokhov <dtor_core@ameritech.net> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Hollis Blanchard [Thu, 25 May 2006 21:36:53 +0000 (16:36 -0500)]
[PATCH] powerpc: fix RTC/NVRAM accesses on Maple
Due to a firmware device tree bug, RTC and NVRAM accesses (including
halt/reboot) on Maple have been broken since January, when an untested
build fix went in. This code patches the device tree in Linux.
Vitaly Bordug [Wed, 24 May 2006 17:40:18 +0000 (21:40 +0400)]
[PATCH] ppc32 CPM_UART: various fixes for pq2 uart users
This fixes various odd things that missed update together with cpm_uart
platform_device move. Unified resources names, restructurisation, etc.
Also, addressed issue with recent phys/virt translation rework. Being
cache-coherent, CPM2's do alloc_bootmem() for the console stuff, and it was
used to treat console buffer descriptor mapping 1:1 (as in CPM1 case),
which is definitely wrong.
Signed-off-by: Vitaly Bordug <vbordug@ru.mvista.com> Signed-off-by: Paul Mackerras <paulus@samba.org>
Arthur Othieno [Fri, 19 May 2006 10:22:23 +0000 (06:22 -0400)]
[PATCH] powerpc: linuxppc64.org no more
http://linuxppc64.org has long been a redirect to the canonical
http://penguinppc.org/ppc64/ -- update all instances accordingly,
as ACKed by Hollis:
On Wed, Jan 18, 2006 at 09:48:08AM -0600, Hollis Blanchard wrote:
> On Wed, 2006-01-18 at 13:07 +0100, Olaf Hering wrote:
> > On Wed, Jan 18, Arthur Othieno wrote:
> > >
> > > What about the s/linuxppc64\.org/penguinppc\.org/g case? Or is
> > > penguinppc64.org preferable? Or am I just taking it too far? ;)
> >
> > They are redirected on DNS or HTTP level.
>
> HTTP level, but that doesn't answer his question.
>
> As the maintainer of that site, I would prefer to remove the
> linuxppc64.org reference.
Signed-off-by: Arthur Othieno <apgo@patchbomb.org> Signed-off-by: Paul Mackerras <paulus@samba.org>
Samuel Ortiz [Thu, 25 May 2006 23:17:53 +0000 (16:17 -0700)]
[IRDA]: *_DONGLE should depend on IRTTY_SIR
If a SIR dongle is built in the kernel while IRTTY_SIR is built
as a module, kernel compilation will fail.
Thus, the SIR dongle config should depend on the IRTTY_SIR.
Jean Delvare [Wed, 24 May 2006 18:13:14 +0000 (15:13 -0300)]
[PATCH] V4L/DVB (4045): Fixes recursive dependency for I2C
Mixing "depends on I2C" and "select I2C" within the media subsystem
leads to the following problem:
Warning! Found recursive dependency: I2C DVB_BUDGET DVB_BUDGET_PATCH
DVB_AV7110 VIDEO_SAA7146_VV VIDEO_SAA7146 I2C
Signed-off-by: Jean Delvare <khali@linux-fr.org> Acked-by: Manu Abraham <manu@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
IB/mthca: Fix posting lists of 256 receive requests to SRQ for Tavor
If we post a list of length exactly a multiple of 256, nreq in
doorbell gets set to 256 which is wrong: it should be encoded by 0.
This is because we only zero it out on the next WR, which may not be
there. The solution is to ring the doorbell after posting a WQE, not
before posting the next one.
This is the same bug that we just fixed for QPs with non-shared RQ.
Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il> Signed-off-by: Roland Dreier <rolandd@cisco.com>
Linus Torvalds [Wed, 24 May 2006 15:55:12 +0000 (08:55 -0700)]
Merge branch 'for-linus' of master.kernel.org:/pub/scm/linux/kernel/git/roland/infiniband
* 'for-linus' of master.kernel.org:/pub/scm/linux/kernel/git/roland/infiniband:
IB/ipath: deref correct pointer when using kernel SMA
IB/ipath: fix null deref during rdma ops
IB/ipath: register as IB device owner
IB/ipath: enable PE800 receive interrupts on user ports
IB/ipath: enable GPIO interrupt on HT-460
IB/ipath: fix NULL dereference during cleanup
IB/ipath: replace uses of LIST_POISON
IB/ipath: fix reporting of driver version to userspace
IB/ipath: don't modify QP if changes fail
IB/ipath: fix spinlock recursion bug
Linus Torvalds [Wed, 24 May 2006 15:36:31 +0000 (08:36 -0700)]
Merge branch 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev
* 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev:
[PATCH] libata: add pio flush for via atapi (was: Re: TR: ASUS A8V Deluxe, x86_64)
Dave Kleikamp [Wed, 24 May 2006 12:43:38 +0000 (07:43 -0500)]
JFS: Fix multiple errors in metapage_releasepage
It looks like metapage_releasepage was making in invalid assumption that
the releasepage method would not be called on a dirty page. Instead of
issuing a warning and releasing the metapage, it should return 0, indicating
that the private data for the page cannot be released.
I also realized that metapage_releasepage had the return code all wrong. If
it is successful in releasing the private data, it should return 1, otherwise
it needs to return 0.
Lastly, there is no need to call wait_on_page_writeback, since
try_to_release_page will not call us with a page in writback state.
Signed-off-by: Dave Kleikamp <shaggy@austin.ibm.com>
The truncate threshold calculation to prevent receiver from getting stuck
was incorrect, and it didn't take into account the upper limit on bits
in the register so the jumbo packet support was broken.
Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: Jeff Garzik <jeff@garzik.org>
Bridge will OOPS on removal if other application has the SAP open.
The bridge SAP might be shared with other usages, so need
to do reference counting on module removal rather than explicit
close/delete.
Since packet might arrive after or during removal, need to clear
the receive function handle, so LLC only hands it to user (if any).
Signed-off-by: Stephen Hemminger <shemminger@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Chris Wright [Tue, 23 May 2006 22:08:13 +0000 (15:08 -0700)]
[NETFILTER]: SNMP NAT: fix memleak in snmp_object_decode
If kmalloc fails, error path leaks data allocated from asn1_oid_decode().
Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
The condition "> H323_ERROR_STOP" can never be true since H323_ERROR_STOP
is positive and is the highest possible return code, while real errors are
negative, fix the checks. Also only abort on real errors in some spots
that were just interpreting any return value != 0 as error.
Fixes crashes caused by use of stale data after a parsing error occured:
Bryan O'Sullivan [Tue, 23 May 2006 18:32:37 +0000 (11:32 -0700)]
IB/ipath: fix null deref during rdma ops
The problem was that node A's sending thread, which handles sending RDMA
read response data, would write the trigger word, the last packet would
be sent, node B would send a new RDMA read request, node A's interrupt
handler would initialize s_rdma_sge, then node A's sending thread would
update s_rdma_sge. This didn't happen very often naturally but was more
frequent with 1 byte RDMA reads. Rather than adding more locking or
increasing the QP structure size and copying sge data, I modified the
copy routine to update the pointers before writing the trigger word to
avoid the update race.
Signed-off-by: Ralph Campbell <ralphc@pathscale.com> Signed-off-by: Bryan O'Sullivan <bos@pathscale.com> Signed-off-by: Roland Dreier <rolandd@cisco.com>
Bryan O'Sullivan [Tue, 23 May 2006 18:32:29 +0000 (11:32 -0700)]
IB/ipath: fix spinlock recursion bug
The local loopback path for RC can lock the rkey table lock without
blocking interrupts. The receive interrupt path can then call
ipath_rkey_ok() and deadlock. Remove the redundant lock.
Signed-off-by: Bryan O'Sullivan <bos@pathscale.com> Signed-off-by: Roland Dreier <rolandd@cisco.com>
Jean Delvare [Tue, 23 May 2006 18:56:50 +0000 (15:56 -0300)]
V4L/DVB (4040a): Fix the following section warnings:
reference to .init.text: from .text between 'dvb_bt8xx_probe'
(at offset 0x122c) and 'dvb_bt8xx_remove'
reference to .init.text: from .text between 'dvb_bt8xx_probe'
(at offset 0x1267) and 'dvb_bt8xx_remove'
Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
If CONFIG_VIDEO_DEV=m and CONFIG_VIDEO_V4L1_COMPAT=y, v4l1-compat should
be built as a module (currently, it isn't built at all leading to
problems with modules using it).
Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
Jens Axboe [Tue, 23 May 2006 09:23:49 +0000 (11:23 +0200)]
[PATCH] blk: fix gendisk->in_flight accounting during barrier sequence
While executing barrrier sequence, the bar_rq which carries actual
write was accounted as normal IO on completion, while it wasn't on
queueing. This caused gendisk->in_flight to be decremented by 1 after
each barrier thus messed up statistics.
This patch makes bar_rq not accounted as normal IO. As the containing
barrier request as a whole is accounted, part of it shouldn't be.
NeilBrown [Tue, 23 May 2006 05:35:26 +0000 (22:35 -0700)]
[PATCH] md: fix possible oops when starting a raid0 array
This loop that sets up the hash_table has problems.
Careful examination will show that the last time through, everything but
the first line is pointless. This is because all it does is change 'cur'
and 'size' and neither of these are used after the loop. This should ring
warning bells... That last time through the loop,
size += conf->strip_zone[cur].size
can index off the end of the strip_zone array. Depending on what it finds
there, it might exit the loop cleanly, or it might spin going further and
further beyond the array until it hits an unmapped address.
This patch rearranges the code so that the last, pointless, iteration of
the loop never happens. i.e. the one statement of the last loop that is
needed is moved the the end of the previous loop - or to before the loop
starts - and the loop counter starts from 1 instead of 0.
Cc: "Don Dupuis" <dondster@gmail.com> Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
NeilBrown [Tue, 23 May 2006 05:35:25 +0000 (22:35 -0700)]
[PATCH] knfsd: Fix two problems that can cause rmmod nfsd to die
Both cause the 'entries' count in the export cache to be non-zero at module
removal time, so unregistering that cache fails and results in an oops.
1/ exp_pseudoroot (used for NFSv4 only) leaks a reference to an export
entry.
2/ sunrpc_cache_update doesn't increment the entries count when it adds
an entry.
Thanks to "david m. richter" <richterd@citi.umich.edu> for triggering the
problem and finding one of the bugs.
Cc: "david m. richter" <richterd@citi.umich.edu> Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
David S. Miller [Tue, 23 May 2006 09:07:22 +0000 (02:07 -0700)]
[SPARC64]: Respect gfp_t argument to dma_alloc_coherent().
Using asm-generic/dma-mapping.h does not work because pushing
the call down to pci_alloc_coherent() causes the gfp_t argument
of dma_alloc_coherent() to be ignored.
Fix this by implementing things directly, and adding a gfp_t
argument we can use in the internal call down to the PCI DMA
implementation of pci_alloc_coherent().
This fixes massive memory corruption when using the sound driver
layer, which passes things like __GFP_COMP down into these
routines and (correctly) expects that to work.
Signed-off-by: David S. Miller <davem@davemloft.net>
Patrick McHardy [Mon, 22 May 2006 23:55:14 +0000 (16:55 -0700)]
[NETFILTER]: SNMP NAT: fix memory corruption
Fix memory corruption caused by snmp_trap_decode:
- When snmp_trap_decode fails before the id and address are allocated,
the pointers contain random memory, but are freed by the caller
(snmp_parse_mangle).
- When snmp_trap_decode fails after allocating just the ID, it tries
to free both address and ID, but the address pointer still contains
random memory. The caller frees both ID and random memory again.
- When snmp_trap_decode fails after allocating both, it frees both,
and the callers frees both again.
The corruption can be triggered remotely when the ip_nat_snmp_basic
module is loaded and traffic on port 161 or 162 is NATed.
Found by multiple testcases of the trap-app and trap-enc groups of the
PROTOS c06-snmpv1 testsuite.
Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Andrew Morton [Sat, 20 May 2006 22:00:36 +0000 (15:00 -0700)]
[PATCH] ad1848 section fix
WARNING: sound/oss/ad1848.o - Section mismatch: reference to .init.data:ad1848_isapnp_list from .text between 'ad1848_init_generic' (at offset 0x46f0) and 'kmalloc'
WARNING: sound/oss/ad1848.o - Section mismatch: reference to .init.data:ad1848_isapnp_list from .text between 'ad1848_init_generic' (at offset 0x46f8) and 'kmalloc'
WARNING: sound/oss/ad1848.o - Section mismatch: reference to .init.data:ad1848_isapnp_list from .text between 'ad1848_init_generic' (at offset 0x4818) and 'kmalloc'
Also,
sound/oss/ad1848.c: In function `ad1848_init':
sound/oss/ad1848.c:2029: warning: cast to pointer from integer of different size
sound/oss/ad1848.c: In function `ad1848_unload':
sound/oss/ad1848.c:2178: warning: cast to pointer from integer of different size
sound/oss/ad1848.c: In function `adintr':
sound/oss/ad1848.c:2207: warning: cast from pointer to integer of different size
Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>