- 12 May, 2010 40 commits
-
-
Borislav Petkov authored
commit 35d824b2 upstream. Correct two mishaps which prevented reporting error type (CECC vs UECC) and extended error description. Signed-off-by:
Borislav Petkov <borislav.petkov@amd.com> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
Hans de Goede authored
commit 0250ecec upstream. Hans de Goede identified a bug in p54p_check_tx_ring: there are two ring indices. 1 => tx data and 3 => tx management. But the old code had a constant "1" and this resulted in spurious dma unmapping failures. Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=583623Bug-Identified-by:
Hans de Goede <hdegoede@redhat.com> Signed-off-by:
Christian Lamparter <chunkeey@googlemail.com> Signed-off-by:
John W. Linville <linville@tuxdriver.com> Signed-off-by:
-
Peter Korsgaard authored
commit e9162ab1 upstream. Use correct bit positions in DM_SHARED_CTRL register for writes. Michael Planes recently encountered a 'KY-RS9600 USB-LAN converter', which came with a driver CD containing a Linux driver. This driver turns out to be a copy of dm9601.c with symbols renamed and my copyright stripped. That aside, it did contain 1 functional change in dm_write_shared_word(), and after checking the datasheet the original value was indeed wrong (read versus write bits). On Michaels HW, this change bumps receive speed from ~30KB/s to ~900KB/s. On other devices the difference is less spectacular, but still significant (~30%). Reported-by:
Michael Planes <michael.planes@free.fr> Signed-off-by:
Peter Korsgaard <jacmet@sunsite.dk> Signed-off-by:
David S. Miller <davem@davemloft.net> Signed-off-by:
-
Richard Kennedy authored
commit a534dbe9 upstream. blk_rq_timed_out_timer() relied on blk_add_timer() never returning a timer value of zero, but commit 7838c15b removed the code that bumped this value when it was zero. Therefore when jiffies is near wrap we could get unlucky & not set the timeout value correctly. This patch uses a flag to indicate that the timeout value was set and so handles jiffies wrap correctly, and it keeps all the logic in one function so should be easier to maintain in the future. Signed-off-by:
Richard Kennedy <richard@rsk.demon.co.uk> Signed-off-by:
Jens Axboe <jens.axboe@oracle.com> Signed-off-by:
-
Ping Cheng authored
commit d9901660 upstream. Add Fujitsu Wacom 1FGT Tablet PC device Signed-off-by:
Ping Cheng <pingc@wacom.com> Signed-off-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
-
Dan Williams authored
commit 5157b4aa upstream. The raid6 recovery code should immediately drop back to the optimized synchronous path when a p+q dma resource is not available. Otherwise we run the non-optimized/multi-pass async code in sync mode. Verified with raid6test (NDISKS=255) Applies to kernels >= 2.6.32. Acked-by:
NeilBrown <neilb@suse.de> Reported-by:
H. Peter Anvin <hpa@zytor.com> Signed-off-by:
Dan Williams <dan.j.williams@intel.com> Signed-off-by:
-
Tejun Heo authored
commit 048c8520 upstream. perf_event_open() kfrees event after init failure which doesn't release all resources allocated by perf_event_alloc(). Use free_event() instead. Signed-off-by:
Tejun Heo <tj@kernel.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Paul Mackerras <paulus@au1.ibm.com> Cc: Arnaldo Carvalho de Melo <acme@redhat.com> LKML-Reference: <4BDBE237.1040809@kernel.org> Signed-off-by:
Ingo Molnar <mingo@elte.hu> Signed-off-by:
-
Jean Delvare authored
commit b1d4b390 upstream. Some FSC hardware monitoring chips (Syleus at least) doesn't like quick writes we typically use to probe for I2C chips. Use a regular byte read instead for the address they live at (0x73). These are the only known chips living at this address on PC systems. For clarity, this fix should not be needed for kernels 2.6.30 and later, as we started instantiating the hwmon devices explicitly based on DMI data. Still, this fix is valuable in the following two cases: * Support for recent FSC chips on older kernels. The DMI-based device instantiation is more difficult to backport than the device support itself. * Case where the DMI-based device instantiation fails, whatever the reason. We fall back to probing in that case, so it should work. This fixes kernel bug #15634: https://bugzilla.kernel.org/show_bug.cgi?id=15634Signed-off-by:
Jean Delvare <khali@linux-fr.org> Acked-by:
-
Stephen Hemminger authored
commit 546d9e10 upstream. This patch makes the HyperV network device use the same naming scheme as other virtual drivers (Xen, KVM). In an ideal world, userspace tools would not care what the name is, but some users and applications do care. Vyatta CLI is one of the tools that does depend on what the name is. Signed-off-by:
Stephen Hemminger <shemminger@vyatta.com> Cc: Hank Janssen <hjanssen@microsoft.com> Signed-off-by:
-
Cyrill Gorcunov authored
commit fa8ad025 upstream. Don't assign NULL too early Signed-off-by:
Cyrill Gorcunov <gorcunov@openvz.org> Cc: Hank Janssen <hjanssen@microsoft.com> Cc: Haiyang Zhang <haiyangz@microsoft.com> Signed-off-by:
-
Haiyang Zhang authored
commit 95beae90 upstream. Fix a bug affecting IPv6 Added the multicast flag for proper IPv6 function. Reported-by:
Toshikazu Sakai <toshikas@microsoft.com> Signed-off-by:
Hank Janssen <hjanssen@microsoft.com> Signed-off-by:
Haiyang Zhang <haiyangz@microsoft.com> Signed-off-by:
-
Chuck Lever authored
commit 356e76b8 upstream. NFSv4 mounts ignore the rsize and wsize mount options, and always use the default transfer size for both. This seems to be because all NFSv4 mounts are now cloned, and the cloning logic doesn't copy the rsize and wsize settings from the parent nfs_server. I tested Fedora's 2.6.32.11-99 and it seems to have this problem as well, so I'm guessing that .33, .32, and perhaps older kernels have this issue as well. Signed-off-by:
Chuck Lever <chuck.lever@oracle.com> Signed-off-by:
Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by:
-
Al Viro authored
commit d9e80b7d upstream. If dentry found stale happens to be a root of disconnected tree, we can't d_drop() it; its d_hash is actually part of s_anon and d_drop() would simply hide it from shrink_dcache_for_umount(), leading to all sorts of fun, including busy inodes on umount and oopsen after that. Bug had been there since at least 2006 (commit c636eb already has it), so it's definitely -stable fodder. Signed-off-by:
Al Viro <viro@zeniv.linux.org.uk> Signed-off-by:
-
Mark Langsdorf authored
commit b810e94c upstream. With F10, model 10, all valid frequencies are in the ACPI _PST table. Signed-off-by:
Mark Langsdorf <mark.langsdorf@amd.com> LKML-Reference: <1270065406-1814-6-git-send-email-bp@amd64.org> Signed-off-by:
Thomas Renninger <trenn@suse.de> Signed-off-by:
-
Joel Becker authored
commit a36d515c upstream. When asked for a partial read of the LVB in a dlmfs file, we can accidentally calculate a negative count. Reported-by:
Dan Carpenter <error27@gmail.com> Signed-off-by:
Joel Becker <joel.becker@oracle.com> Signed-off-by:
-
Joel Becker authored
commit a42ab8e1 upstream. Online resize writes out the new superblock and its backups directly. The metaecc data wasn't being recomputed. Let's do that directly. Signed-off-by:
Mark Fasheh <mfasheh@suse.com> Signed-off-by:
-
Dan Carpenter authored
commit 0350cb07 upstream. If "handle" is non null at the end of the function then we assume it's a valid pointer and pass it to ocfs2_commit_trans(); Signed-off-by:
-
Tao Ma authored
commit c21a534e upstream. In reflink we update the id info on the disk but forgot to update the corresponding information in the VFS inode. Update them accordingly when we want to preserve the attributes. Reported-by:
Jeff Liu <jeff.liu@oracle.com> Signed-off-by:
Tao Ma <tao.ma@oracle.com> Signed-off-by:
-
Jerome Marchand authored
commit 3835541d upstream. Correct the file_operations struct in fdinfo entry of tid_base_stuff[]. Presently /proc/*/task/*/fdinfo contains symlinks to opened files like /proc/*/fd/. Signed-off-by:
Jerome Marchand <jmarchan@redhat.com> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: Miklos Szeredi <mszeredi@suse.cz> Cc: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by:
-
Sarah Sharp authored
commit 9238f25d upstream. For periodic endpoints, we must let the xHCI hardware know the maximum payload an endpoint can transfer in one service interval. The xHCI specification refers to this as the Maximum Endpoint Service Interval Time Payload (Max ESIT Payload). This is used by the hardware for bandwidth management and scheduling of packets. For SuperSpeed endpoints, the maximum is calculated by multiplying the max packet size by the number of bursts and the number of opportunities to transfer within a service interval (the Mult field of the SuperSpeed Endpoint companion descriptor). Devices advertise this in the wBytesPerInterval field of their SuperSpeed Endpoint Companion Descriptor. For high speed devices, this is taken by multiplying the max packet size by the "number of additional transaction opportunities per microframe" (the high bits of the wMaxPacketSize field in the endpoint descriptor). For FS/LS devices, this is just the max packet size. The other thing we must set in the endpoint context is the Average TRB Length. This is supposed to be the average of the total bytes in the transfer descriptor (TD), divided by the number of transfer request blocks (TRBs) it takes to describe the TD. This gives the host controller an indication of whether the driver will be enqueuing a scatter gather list with many entries comprised of small buffers, or one contiguous buffer. It also takes into account the number of extra TRBs you need for every TD. This includes No-op TRBs and Link TRBs used to link ring segments together. Some drivers may choose to chain an Event Data TRB on the end of every TD, thus increasing the average number of TRBs per TD. The Linux xHCI driver does not use Event Data TRBs. In theory, if there was an API to allow drivers to state what their bandwidth requirements are, we could set this field accurately. For now, we set it to the same number as the Max ESIT payload. The Average TRB Length should also be set for bulk and control endpoints, but I have no idea how to guess what it should be. Signed-off-by:
Sarah Sharp <sarah.a.sharp@linux.intel.com> Signed-off-by:
-
Sarah Sharp authored
commit 1cf62246 upstream. A SuperSpeed interrupt or isochronous endpoint can define the number of "burst transactions" it can handle in a service interval. This is indicated by the "Mult" bits in the bmAttributes of the SuperSpeed Endpoint Companion Descriptor. For example, if it has a max packet size of 1024, a max burst of 11, and a mult of 3, the host may send 33 1024-byte packets in one service interval. We must tell the xHCI host controller the number of multiple service opportunities (mults) the device can handle when the endpoint is installed. We do that by setting the Mult field of the Endpoint Context before a configure endpoint command is sent down. The Mult field is invalid for control or bulk SuperSpeed endpoints. Signed-off-by:
-
Alan Stern authored
commit fcf7d214 upstream. This patch (as1371) fixes a small bug in ohci-hcd. The HCD already knows how many ports the controller has; there's no need to go looking at the root hub's usb_device structure to find out. Especially since the root hub's maxchild value is set correctly only while the root hub is bound to the hub driver. Signed-off-by:
Alan Stern <stern@rowland.harvard.edu> Signed-off-by:
-
Alan Stern authored
commit 62f9cfa3 upstream. This patch (as1372) fixes a bug in the routine that chooses the default configuration to install when a new USB device is detected. The algorithm is supposed to look for a config whose first interface is for a non-vendor-specific class. But the way it's currently written, it will also accept a config with no interfaces at all, which is not very useful. (Believe it or not, such things do exist.) Signed-off-by:
Andrew Victor <avictor.za@gmail.com> Signed-off-by:
-
Dan Carpenter authored
commit fa7fe7af upstream. There is a typo here. We should be testing "*dentry" which was just assigned instead of "dentry". This could result in dereferencing an ERR_PTR inside either usbfs_mkdir() or usbfs_create(). Signed-off-by:
-
William Lightning authored
commit cfbaa393 upstream. Signed-off-by:
William Lightning <kassah@gmail.com> Signed-off-by:
-
Alan Stern authored
This is a backport of commit 5f677f1d. Some of the functionality had to be removed, but it should still fix the webcam problem. This patch (as1363b) changes the way USB remote wakeup is handled during system sleeps. It won't be enabled unless an interface driver specifically needs it. Also, it won't be enabled during the FREEZE or QUIESCE phases of hibernation, when the system doesn't respond to wakeup events anyway. This will fix problems people have reported with certain USB webcams that generate wakeup requests when they shouldn't, and as a result cause system suspends to fail. See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/515109Signed-off-by:
-
Eric Lescouet authored
commit d01f42a2 upstream. When detaching a port from the client side (usbip --detach 0), the event thread, on the server side, is going to deadlock. The "eh" server thread is getting USBIP_EH_RESET event and calls: -> stub_device_reset() -> usb_reset_device() the USB framework is then calling back _in the same "eh" thread_ : -> stub_disconnect() -> usbip_stop_eh() -> wait_for_completion() the "eh" thread is being asleep forever, waiting for its own completion. This patch checks if "eh" is the current thread, in usbip_stop_eh(). Signed-off-by:
Eric Lescouet <eric@lescouet.org> Signed-off-by:
-
David Howells authored
commit 03449cd9 upstream. The request_key() system call and request_key_and_link() should make a link from an existing key to the destination keyring (if supplied), not just from a new key to the destination keyring. This can be tested by: ring=`keyctl newring fred @s` keyctl request2 user debug:a a keyctl request user debug:a $ring keyctl list $ring If it says: keyring is empty then it didn't work. If it shows something like: 1 key in keyring: 1070462727: --alswrv 0 0 user: debug:a then it did. request_key() system call is meant to recursively search all your keyrings for the key you desire, and, optionally, if it doesn't exist, call out to userspace to create one for you. If request_key() finds or creates a key, it should, optionally, create a link to that key from the destination keyring specified. Therefore, if, after a successful call to request_key() with a desination keyring specified, you see the destination keyring empty, the code didn't work correctly. If you see the found key in the keyring, then it did - which is what the patch is required for. Signed-off-by:
David Howells <dhowells@redhat.com> Cc: James Morris <jmorris@namei.org> Signed-off-by:
-
Neil Brown authored
commit 2bc3c117 upstream. When read_buf is called to move over to the next page in the pagelist of an NFSv4 request, it sets argp->end to essentially a random number, certainly not an address within the page which argp->p now points to. So subsequent calls to READ_BUF will think there is much more than a page of spare space (the cast to u32 ensures an unsigned comparison) so we can expect to fall off the end of the second page. We never encountered thsi in testing because typically the only operations which use more than two pages are write-like operations, which have their own decoding logic. Something like a getattr after a write may cross a page boundary, but it would be very unusual for it to cross another boundary after that. Signed-off-by:
J. Bruce Fields <bfields@citi.umich.edu> Signed-off-by:
-
Jeff Mahoney authored
commit fb2162df upstream. Commit 48b32a35 ("reiserfs: use generic xattr handlers") introduced a problem that causes corruption when extended attributes are replaced with a smaller value. The issue is that the reiserfs_setattr to shrink the xattr file was moved from before the write to after the write. The root issue has always been in the reiserfs xattr code, but was papered over by the fact that in the shrink case, the file would just be expanded again while the xattr was written. The end result is that the last 8 bytes of xattr data are lost. This patch fixes it to use new_size. Addresses https://bugzilla.kernel.org/show_bug.cgi?id=14826Signed-off-by:
Jeff Mahoney <jeffm@suse.com> Reported-by:
Christian Kujau <lists@nerdbynature.de> Tested-by:
-
Jeff Mahoney authored
commit cac36f70 upstream. Commit 677c9b2e ("reiserfs: remove privroot hiding in lookup") removed the magic from the lookup code to hide the .reiserfs_priv directory since it was getting loaded at mount-time instead. The intent was that the entry would be hidden from the user via a poisoned d_compare, but this was faulty. This introduced a security issue where unprivileged users could access and modify extended attributes or ACLs belonging to other users, including root. This patch resolves the issue by properly hiding .reiserfs_priv. This was the intent of the xattr poisoning code, but it appears to have never worked as expected. This is fixed by using d_revalidate instead of d_compare. This patch makes -oexpose_privroot a no-op. I'm fine leaving it this way. The effort involved in working out the corner cases wrt permissions and caching outweigh the benefit of the feature. Signed-off-by:
Edward Shishkin <edward.shishkin@gmail.com> Reported-by:
Matt McCutchen <matt@mattmccutchen.net> Tested-by:
-
Mel Gorman authored
commit 23be7468 upstream. If a futex key happens to be located within a huge page mapped MAP_PRIVATE, get_futex_key() can go into an infinite loop waiting for a page->mapping that will never exist. See https://bugzilla.redhat.com/show_bug.cgi?id=552257 for more details about the problem. This patch makes page->mapping a poisoned value that includes PAGE_MAPPING_ANON mapped MAP_PRIVATE. This is enough for futex to continue but because of PAGE_MAPPING_ANON, the poisoned value is not dereferenced or used by futex. No other part of the VM should be dereferencing the page->mapping of a hugetlbfs page as its page cache is not on the LRU. This patch fixes the problem with the test case described in the bugzilla. [akpm@linux-foundation.org: mel cant spel] Signed-off-by:
Mel Gorman <mel@csn.ul.ie> Acked-by:
Peter Zijlstra <peterz@infradead.org> Acked-by:
Darren Hart <darren@dvhart.com> Signed-off-by:
-
Avi Kivity authored
commit a29815a3 upstream. The list macros use LIST_POISON1 and LIST_POISON2 as undereferencable pointers in order to trap erronous use of freed list_heads. Unfortunately userspace can arrange for those pointers to actually be dereferencable, potentially turning an oops to an expolit. To avoid this allow architectures (currently x86_64 only) to override the default values for these pointers with truly-undereferencable values. This is easy on x86_64 as the virtual address space is large and contains areas that cannot be mapped. Other 64-bit architectures will likely find similar unmapped ranges. [ingo: switch to 0xdead000000000000 as the unmapped area] [ingo: add comments, cleanup] [jaswinder: eliminate sparse warnings] Acked-by:
Jaswinder Singh Rajput <jaswinderrajput@gmail.com> Signed-off-by:
Avi Kivity <avi@redhat.com> Signed-off-by:
-
Changli Gao authored
commit e59464c7 upstream. memset() is called with the wrong address and the kernel panics. Signed-off-by:
Changli Gao <xiaosuo@gmail.com> Cc: Patrick McHardy <kaber@trash.net> Acked-by:
David Rientjes <rientjes@google.com> Signed-off-by:
-
Johannes Berg authored
commit b4bb5c3f upstream. When the addba timer expires but has no work to do, it should not affect the state machine. If it does, TX will not see the successfully established and we can also crash trying to re-establish the session. Signed-off-by:
Johannes Berg <johannes@sipsolutions.net> Signed-off-by:
-
Andrea Arcangeli authored
commit 93d5c9be upstream. If a signal is pending (task being killed by sigkill) __mem_cgroup_try_charge will write NULL into &mem, and css_put will oops on null pointer dereference. BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 IP: [<ffffffff810fc6cc>] mem_cgroup_prepare_migration+0x7c/0xc0 PGD a5d89067 PUD a5d8a067 PMD 0 Oops: 0000 [#1] SMP last sysfs file: /sys/devices/platform/microcode/firmware/microcode/loading CPU 0 Modules linked in: nfs lockd nfs_acl auth_rpcgss sunrpc acpi_cpufreq pcspkr sg [last unloaded: microcode] Pid: 5299, comm: largepages Tainted: G W 2.6.34-rc3 #3 Penryn1600SLI-110dB/To Be Filled By O.E.M. RIP: 0010:[<ffffffff810fc6cc>] [<ffffffff810fc6cc>] mem_cgroup_prepare_migration+0x7c/0xc0 [nishimura@mxp.nes.nec.co.jp: fix merge issues] Signed-off-by:
Andrea Arcangeli <aarcange@redhat.com> Acked-by:
KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Cc: Balbir Singh <balbir@in.ibm.com> Signed-off-by:
Daisuke Nishimura <nishimura@mxp.nes.nec.co.jp> Signed-off-by:
-
Ian Dall authored
commit 9a6a1ecd upstream. Fix regression caused by commit 507e2fba ("w1: w1 temp calculation overflow fix") whereby negative temperatures for the DS18B20 are not converted properly. When the temperature exceeds 32767 milli-degrees the temperature overflows to -32768 millidegrees. These are both well within the -55 - +125 degree range for the sensor. Addresses https://bugzilla.kernel.org/show_bug.cgi?id=12646Signed-of-by:
Ian Dall <ian@beware.dropbear.id.au> Cc: Evgeniy Polyakov <johnpol@2ka.mipt.ru> Tested-by:
Karsten Elfenbein <kelfe@gmx.de> Signed-off-by:
-
Jeff Garzik authored
libata: ensure NCQ error result taskfile is fully initialized before returning it via qc->result_tf. commit a09bf4cd upstream. Signed-off-by:
Jeff Garzik <jgarzik@redhat.com> Signed-off-by:
-
Tejun Heo authored
commit fa41efda upstream. blk_abort_request() expectes queue lock to be held by the caller. Grab it before calling the function. Lack of this synchronization led to infinite loop on corrupt q->timeout_list. Signed-off-by:
-
NeilBrown authored
commit 6e3b96ed upstream. Previous patch changes stripe and chunk_number to sector_t but mistakenly did not update all of the divisions to use sector_dev(). This patch changes all the those divisions (actually the '%' operator) to sector_div. Signed-off-by:
Stefan Lippers-Hollmann <s.l-h@gmx.de> Signed-off-by:
-
