1. 26 Jan, 2012 31 commits
  2. 12 Jan, 2012 9 commits
    • Greg Kroah-Hartman's avatar
      Linux 3.2.1 · b8ed9e5b
      Greg Kroah-Hartman authored
      b8ed9e5b
    • Xi Wang's avatar
      xfs: fix acl count validation in xfs_acl_from_disk() · da777f64
      Xi Wang authored
      commit 093019cf upstream.
      
      Commit fa8b18ed didn't prevent the integer overflow and possible
      memory corruption.  "count" can go negative and bypass the check.
      Signed-off-by: default avatarXi Wang <xi.wang@gmail.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarBen Myers <bpm@sgi.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      da777f64
    • Thilo-Alexander Ginkel's avatar
      usb: cdc-acm: Fix acm_tty_hangup() vs. acm_tty_close() race · f9fd8d62
      Thilo-Alexander Ginkel authored
      [Not upstream as it was fixed differently for 3.3 with a much more
      "intrusive" rework of the driver - gregkh]
      
      There is a race condition involving acm_tty_hangup() and acm_tty_close()
      where hangup() would attempt to access tty->driver_data without proper
      locking and NULL checking after close() has potentially already set it
      to NULL.  One possibility to (sporadically) trigger this behavior is to
      perform a suspend/resume cycle with a running WWAN data connection.
      
      This patch addresses the issue by introducing a NULL check for
      tty->driver_data in acm_tty_hangup() protected by open_mutex and exiting
      gracefully when hangup() is invoked on a device that has already been
      closed.
      Signed-off-by: default avatarThilo-Alexander Ginkel <thilo@ginkel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      f9fd8d62
    • stephen hemminger's avatar
      bonding: fix error handling if slave is busy (v2) · f60d8cd0
      stephen hemminger authored
      commit f7d9821a upstream.
      
      If slave device already has a receive handler registered, then the
      error unwind of bonding device enslave function is broken.
      
      The following will leave a pointer to freed memory in the slave
      device list, causing a later kernel panic.
      # modprobe dummy
      # ip li add dummy0-1 link dummy0 type macvlan
      # modprobe bonding
      # echo +dummy0 >/sys/class/net/bond0/bonding/slaves
      
      The fix is to detach the slave (which removes it from the list)
      in the unwind path.
      Signed-off-by: default avatarStephen Hemminger <shemminger@vyatta.com>
      Reviewed-by: default avatarNicolas de Pesloüan <nicolas.2p.debian@free.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      f60d8cd0
    • Aurelien Jacobs's avatar
      asix: fix infinite loop in rx_fixup() · 4a75c219
      Aurelien Jacobs authored
      commit 6c15d74d upstream.
      
      At this point if skb->len happens to be 2, the subsequant skb_pull(skb, 4)
      call won't work and the skb->len won't be decreased and won't ever reach 0,
      resulting in an infinite loop.
      
      With an ASIX 88772 under heavy load, without this patch, rx_fixup() reaches
      an infinite loop in less than a minute. With this patch applied,
      no infinite loop even after hours of heavy load.
      Signed-off-by: default avatarAurelien Jacobs <aurel@gnuage.org>
      Cc: Jussi Kivilinna <jussi.kivilinna@mbnet.fi>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4a75c219
    • Ben Hutchings's avatar
      igmp: Avoid zero delay when receiving odd mixture of IGMP queries · 25c413ad
      Ben Hutchings authored
      commit a8c1f65c upstream.
      
      Commit 5b7c8406 ('ipv4: correct IGMP
      behavior on v3 query during v2-compatibility mode') added yet another
      case for query parsing, which can result in max_delay = 0.  Substitute
      a value of 1, as in the usual v3 case.
      Reported-by: default avatarSimon McVittie <smcv@debian.org>
      References: http://bugs.debian.org/654876Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      25c413ad
    • Felipe Balbi's avatar
      usb: ch9: fix up MaxStreams helper · d2570fc0
      Felipe Balbi authored
      commit 18b7ede5 upstream.
      
      [ removed the dwc3 portion of the patch as it didn't apply to
      older kernels - gregkh]
      
      According to USB 3.0 Specification Table 9-22, if
      bmAttributes [4:0] are set to zero, it means "no
      streams supported", but the way this helper was
      defined on Linux, we will *always* have one stream
      which might cause several problems.
      
      For example on DWC3, we would tell the controller
      endpoint has streams enabled and yet start transfers
      with Stream ID set to 0, which would goof up the host
      side.
      
      While doing that, convert the macro to an inline
      function due to the different checks we now need.
      Signed-off-by: default avatarFelipe Balbi <balbi@ti.com>
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      d2570fc0
    • Hans de Goede's avatar
      xhci: Properly handle COMP_2ND_BW_ERR · 5b511b78
      Hans de Goede authored
      commit 71d85724 upstream.
      
      I encountered a result of COMP_2ND_BW_ERR while improving how the pwc
      webcam driver handles not having the full usb1 bandwidth available to
      itself.
      
      I created the following test setup, a NEC xhci controller with a
      single TT USB 2 hub plugged into it, with a usb keyboard and a pwc webcam
      plugged into the usb2 hub. This caused the following to show up in dmesg
      when trying to stream from the pwc camera at its highest alt setting:
      
      xhci_hcd 0000:01:00.0: ERROR: unexpected command completion code 0x23.
      usb 6-2.1: Not enough bandwidth for altsetting 9
      
      And usb_set_interface returned -EINVAL, which caused my pwc code to not
      do the right thing as it expected -ENOSPC.
      
      This patch makes the xhci driver properly handle COMP_2ND_BW_ERR and makes
      usb_set_interface return -ENOSPC as expected.
      
      This should be backported to stable kernels as old as 2.6.32.
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      5b511b78
    • Clemens Ladisch's avatar
      usb: fix number of mapped SG DMA entries · 4781ace0
      Clemens Ladisch authored
      commit bc677d5b upstream.
      
      Add a new field num_mapped_sgs to struct urb so that we have a place to
      store the number of mapped entries and can also retain the original
      value of entries in num_sgs.  Previously, usb_hcd_map_urb_for_dma()
      would overwrite this with the number of mapped entries, which would
      break dma_unmap_sg() because it requires the original number of entries.
      
      This fixes warnings like the following when using USB storage devices:
       ------------[ cut here ]------------
       WARNING: at lib/dma-debug.c:902 check_unmap+0x4e4/0x695()
       ehci_hcd 0000:00:12.2: DMA-API: device driver frees DMA sg list with different entry count [map count=4] [unmap count=1]
       Modules linked in: ohci_hcd ehci_hcd
       Pid: 0, comm: kworker/0:1 Not tainted 3.2.0-rc2+ #319
       Call Trace:
        <IRQ>  [<ffffffff81036d3b>] warn_slowpath_common+0x80/0x98
        [<ffffffff81036de7>] warn_slowpath_fmt+0x41/0x43
        [<ffffffff811fa5ae>] check_unmap+0x4e4/0x695
        [<ffffffff8105e92c>] ? trace_hardirqs_off+0xd/0xf
        [<ffffffff8147208b>] ? _raw_spin_unlock_irqrestore+0x33/0x50
        [<ffffffff811fa84a>] debug_dma_unmap_sg+0xeb/0x117
        [<ffffffff8137b02f>] usb_hcd_unmap_urb_for_dma+0x71/0x188
        [<ffffffff8137b166>] unmap_urb_for_dma+0x20/0x22
        [<ffffffff8137b1c5>] usb_hcd_giveback_urb+0x5d/0xc0
        [<ffffffffa0000d02>] ehci_urb_done+0xf7/0x10c [ehci_hcd]
        [<ffffffffa0001140>] qh_completions+0x429/0x4bd [ehci_hcd]
        [<ffffffffa000340a>] ehci_work+0x95/0x9c0 [ehci_hcd]
        ...
       ---[ end trace f29ac88a5a48c580 ]---
       Mapped at:
        [<ffffffff811faac4>] debug_dma_map_sg+0x45/0x139
        [<ffffffff8137bc0b>] usb_hcd_map_urb_for_dma+0x22e/0x478
        [<ffffffff8137c494>] usb_hcd_submit_urb+0x63f/0x6fa
        [<ffffffff8137d01c>] usb_submit_urb+0x2c7/0x2de
        [<ffffffff8137dcd4>] usb_sg_wait+0x55/0x161
      Signed-off-by: default avatarClemens Ladisch <clemens@ladisch.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      4781ace0