1. 20 May, 2010 6 commits
    • Eric Lescouet's avatar
      USB: split hub.h into ch11.h and merge-in hcd.h · d20db4b4
      Eric Lescouet authored
      Base on inputs from Alan Stern, split the hub.h header into:
      - new ch11.h header (most of it) containing constants and
        structures from chapter 11 of the USB 2.0 spec.
      - a small remaining part being merged into hcd.h.
      Signed-of-by: default avatarEric Lescouet <eric@lescouet.org>
      Cc: Alan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      d20db4b4
    • Eric Lescouet's avatar
      USB: make hub.h public (drivers dependency) · d65d7e7e
      Eric Lescouet authored
      The usbcore headers: hcd.h and hub.h are shared between usbcore,
      HCDs and a couple of other drivers (e.g. USBIP modules).
      So, it makes sense to move them into a more public location and
      to cleanup dependency of those modules on kernel internal headers.
      This patch moves hub.h from drivers/usb/core into include/linux/usb/
      Signed-of-by: default avatarEric Lescouet <eric@lescouet.org>
      Cc: Alan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      d65d7e7e
    • Eric Lescouet's avatar
      USB: make hcd.h public (drivers dependency) · 27729aad
      Eric Lescouet authored
      The usbcore headers: hcd.h and hub.h are shared between usbcore,
      HCDs and a couple of other drivers (e.g. USBIP modules).
      So, it makes sense to move them into a more public location and
      to cleanup dependency of those modules on kernel internal headers.
      This patch moves hcd.h from drivers/usb/core into include/linux/usb/
      Signed-of-by: default avatarEric Lescouet <eric@lescouet.org>
      Cc: Alan Stern <stern@rowland.harvard.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      27729aad
    • Sarah Sharp's avatar
      USB: xhci: Fix check for room on the ring. · 44ebd037
      Sarah Sharp authored
      The length of the scatter gather list a driver can enqueue is limited by
      the bus' sg_tablesize to 62 entries.  Each entry will be described by at
      least one transfer request block (TRB).  If the entry's buffer crosses a
      64KB boundary, then that entry will have to be described by two or more
      TRBs.  So even if the USB device driver respects sg_tablesize, the whole
      scatter list may take more than 62 TRBs to describe, and won't fit on
      the ring.
      
      Don't assume that an empty ring means there is enough room on the
      transfer ring.  The old code would unconditionally queue this too-large
      transfer, and over write the beginning of the transfer.  This would mean
      the cycle bit was unchanged in those overwritten transfers, causing the
      hardware to think it didn't own the TRBs, and the host would seem to
      hang.
      
      Now drivers may see submit_urb() fail with -ENOMEM if the transfers are
      too big to fit on the ring.
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Cc: stable <stable@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      44ebd037
    • Sarah Sharp's avatar
      USB: xhci: Limit bus sg_tablesize to 62 TRBs. · bc88d2eb
      Sarah Sharp authored
      When a scatter-gather list is enqueued to the xHCI driver, it translates
      each entry into a transfer request block (TRB).  Only 63 TRBs can be
      used per ring segment, and there must be one additional TRB reserved to
      make sure the hardware does not think the ring is empty (so the enqueue
      pointer doesn't equal the dequeue pointer).  Limit the bus sg_tablesize
      to 62 TRBs.
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Cc: stable <stable@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      bc88d2eb
    • Sarah Sharp's avatar
      USB: xhci: Fix issue with set interface after stall. · 1624ae1c
      Sarah Sharp authored
      When the USB core installs a new interface, it unconditionally clears the
      halts on all the endpoints on the new interface.  Usually the xHCI host
      needs to know when an endpoint is reset, so it can change its internal
      endpoint state.  In this case, it doesn't care, because the endpoints were
      never halted in the first place.
      
      To avoid issuing a redundant Reset Endpoint command, the xHCI driver looks
      at xhci_virt_ep->stopped_td to determine if the endpoint was actually
      halted.  However, the functions that handle the stall never set that
      variable to NULL after it dealt with the stall.  So if an endpoint stalled
      and a Reset Endpoint command completed, and then the class driver tried to
      install a new alternate setting, the xHCI driver would access the old
      xhci_virt_ep->stopped_td pointer.  A similar problem occurs if the
      endpoint has been stopped to cancel a transfer.
      Signed-off-by: default avatarSarah Sharp <sarah.a.sharp@linux.intel.com>
      Cc: stable <stable@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
      1624ae1c
  2. 16 May, 2010 6 commits
  3. 15 May, 2010 17 commits
  4. 14 May, 2010 11 commits
    • H. Peter Anvin's avatar
      x86, mrst: Don't blindly access extended config space · e9b1d5d0
      H. Peter Anvin authored
      Do not blindly access extended configuration space unless we actively
      know we're on a Moorestown platform.  The fixed-size BAR capability
      lives in the extended configuration space, and thus is not applicable
      if the configuration space isn't appropriately sized.
      
      This fixes booting certain VMware configurations with CONFIG_MRST=y.
      
      Moorestown will add a fake PCI-X 266 capability to advertise the
      presence of extended configuration space.
      Reported-and-tested-by: default avatarPetr Vandrovec <petr@vandrovec.name>
      Signed-off-by: default avatarH. Peter Anvin <hpa@linux.intel.com>
      Acked-by: default avatarJacob Pan <jacob.jun.pan@intel.com>
      Acked-by: default avatarJesse Barnes <jbarnes@virtuousgeek.org>
      LKML-Reference: <AANLkTiltKUa3TrKR1M51eGw8FLNoQJSLT0k0_K5X3-OJ@mail.gmail.com>
      e9b1d5d0
    • Linus Torvalds's avatar
      Merge branch 'x86-fixes-for-linus' of... · ef0e9180
      Linus Torvalds authored
      Merge branch 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip
      
      * 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
        x86, cacheinfo: Turn off L3 cache index disable feature in virtualized environments
        x86, k8: Fix build error when K8_NB is disabled
        x86, amd: Check X86_FEATURE_OSVW bit before accessing OSVW MSRs
        x86: Fix fake apicid to node mapping for numa emulation
      ef0e9180
    • Frank Arnold's avatar
      x86, cacheinfo: Turn off L3 cache index disable feature in virtualized environments · 7f284d3c
      Frank Arnold authored
      When running a quest kernel on xen we get:
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
      IP: [<ffffffff8142f2fb>] cpuid4_cache_lookup_regs+0x2ca/0x3df
      PGD 0
      Oops: 0000 [#1] SMP
      last sysfs file:
      CPU 0
      Modules linked in:
      
      Pid: 0, comm: swapper Tainted: G        W  2.6.34-rc3 #1 /HVM domU
      RIP: 0010:[<ffffffff8142f2fb>]  [<ffffffff8142f2fb>] cpuid4_cache_lookup_regs+0x
      2ca/0x3df
      RSP: 0018:ffff880002203e08  EFLAGS: 00010046
      RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000060
      RDX: 0000000000000000 RSI: 0000000000000040 RDI: 0000000000000000
      RBP: ffff880002203ed8 R08: 00000000000017c0 R09: ffff880002203e38
      R10: ffff8800023d5d40 R11: ffffffff81a01e28 R12: ffff880187e6f5c0
      R13: ffff880002203e34 R14: ffff880002203e58 R15: ffff880002203e68
      FS:  0000000000000000(0000) GS:ffff880002200000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      CR2: 0000000000000038 CR3: 0000000001a3c000 CR4: 00000000000006f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process swapper (pid: 0, threadinfo ffffffff81a00000, task ffffffff81a44020)
      Stack:
       ffffffff810d7ecb ffff880002203e20 ffffffff81059140 ffff880002203e30
      <0> ffffffff810d7ec9 0000000002203e40 000000000050d140 ffff880002203e70
      <0> 0000000002008140 0000000000000086 ffff880040020140 ffffffff81068b8b
      Call Trace:
       <IRQ>
       [<ffffffff810d7ecb>] ? sync_supers_timer_fn+0x0/0x1c
       [<ffffffff81059140>] ? mod_timer+0x23/0x25
       [<ffffffff810d7ec9>] ? arm_supers_timer+0x34/0x36
       [<ffffffff81068b8b>] ? hrtimer_get_next_event+0xa7/0xc3
       [<ffffffff81058e85>] ? get_next_timer_interrupt+0x19a/0x20d
       [<ffffffff8142fa23>] get_cpu_leaves+0x5c/0x232
       [<ffffffff8106a7b1>] ? sched_clock_local+0x1c/0x82
       [<ffffffff8106a9a0>] ? sched_clock_tick+0x75/0x7a
       [<ffffffff8107748c>] generic_smp_call_function_single_interrupt+0xae/0xd0
       [<ffffffff8101f6ef>] smp_call_function_single_interrupt+0x18/0x27
       [<ffffffff8100a773>] call_function_single_interrupt+0x13/0x20
       <EOI>
       [<ffffffff8143c468>] ? notifier_call_chain+0x14/0x63
       [<ffffffff810295c6>] ? native_safe_halt+0xc/0xd
       [<ffffffff810114eb>] ? default_idle+0x36/0x53
       [<ffffffff81008c22>] cpu_idle+0xaa/0xe4
       [<ffffffff81423a9a>] rest_init+0x7e/0x80
       [<ffffffff81b10dd2>] start_kernel+0x40e/0x419
       [<ffffffff81b102c8>] x86_64_start_reservations+0xb3/0xb7
       [<ffffffff81b103c4>] x86_64_start_kernel+0xf8/0x107
      Code: 14 d5 40 ff ae 81 8b 14 02 31 c0 3b 15 47 1c 8b 00 7d 0e 48 8b 05 36 1c 8b
       00 48 63 d2 48 8b 04 d0 c7 85 5c ff ff ff 00 00 00 00 <8b> 70 38 48 8d 8d 5c ff
       ff ff 48 8b 78 10 ba c4 01 00 00 e8 eb
      RIP  [<ffffffff8142f2fb>] cpuid4_cache_lookup_regs+0x2ca/0x3df
       RSP <ffff880002203e08>
      CR2: 0000000000000038
      ---[ end trace a7919e7f17c0a726 ]---
      
      The L3 cache index disable feature of AMD CPUs has to be disabled if the
      kernel is running as guest on top of a hypervisor because northbridge
      devices are not available to the guest. Currently, this fixes a boot
      crash on top of Xen. In the future this will become an issue on KVM as
      well.
      
      Check if northbridge devices are present and do not enable the feature
      if there are none.
      
      [ hpa: backported to 2.6.34 ]
      Signed-off-by: default avatarFrank Arnold <frank.arnold@amd.com>
      LKML-Reference: <1271945222-5283-3-git-send-email-bp@amd64.org>
      Acked-by: default avatarBorislav Petkov <borislav.petkov@amd.com>
      Signed-off-by: default avatarH. Peter Anvin <hpa@zytor.com>
      Cc: <stable@kernel.org>
      7f284d3c
    • Borislav Petkov's avatar
      x86, k8: Fix build error when K8_NB is disabled · ade029e2
      Borislav Petkov authored
      K8_NB depends on PCI and when the last is disabled (allnoconfig) we fail
      at the final linking stage due to missing exported num_k8_northbridges.
      Add a header stub for that.
      Signed-off-by: default avatarBorislav Petkov <borislav.petkov@amd.com>
      LKML-Reference: <20100503183036.GJ26107@aftab>
      Signed-off-by: default avatarH. Peter Anvin <hpa@zytor.com>
      Cc: <stable@kernel.org>
      ade029e2
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.infradead.org/users/eparis/notify · 4fc4c3ce
      Linus Torvalds authored
      * 'for-linus' of git://git.infradead.org/users/eparis/notify:
        inotify: don't leak user struct on inotify release
        inotify: race use after free/double free in inotify inode marks
        inotify: clean up the inotify_add_watch out path
        Inotify: undefined reference to `anon_inode_getfd'
      
      Manual merge to remove duplicate "select ANON_INODES" from Kconfig file
      4fc4c3ce
    • Linus Torvalds's avatar
      Merge branch 'davinci-fixes-for-linus-2' of... · 97b2073f
      Linus Torvalds authored
      Merge branch 'davinci-fixes-for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/khilman/linux-davinci
      
      * 'davinci-fixes-for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/khilman/linux-davinci:
        DA830: fix USB 2.0 clock entry
      97b2073f
    • Sergei Shtylyov's avatar
      DA830: fix USB 2.0 clock entry · b9af5ddf
      Sergei Shtylyov authored
      DA8xx OHCI driver fails to load due to failing clk_get() call for the USB 2.0
      clock. Arrange matching USB 2.0 clock by the clock name instead of the device.
      (Adding another CLK() entry for "ohci.0" device won't do -- in the future I'll
      also have to enable USB 2.0 clock to configure CPPI 4.1 module, in which case
      I won't have any device at all.)
      Signed-off-by: default avatarSergei Shtylyov <sshtylyov@ru.mvista.com>
      Signed-off-by: default avatarKevin Hilman <khilman@deeprootsystems.com>
      b9af5ddf
    • Pavel Emelyanov's avatar
      inotify: don't leak user struct on inotify release · b3b38d84
      Pavel Emelyanov authored
      inotify_new_group() receives a get_uid-ed user_struct and saves the
      reference on group->inotify_data.user.  The problem is that free_uid() is
      never called on it.
      
      Issue seem to be introduced by 63c882a0 (inotify: reimplement inotify
      using fsnotify) after 2.6.30.
      Signed-off-by: default avatarPavel Emelyanov <xemul@openvz.org>
      Eric Paris <eparis@parisplace.org>
      Cc: <stable@kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      b3b38d84
    • Eric Paris's avatar
      inotify: race use after free/double free in inotify inode marks · e0873344
      Eric Paris authored
      There is a race in the inotify add/rm watch code.  A task can find and
      remove a mark which doesn't have all of it's references.  This can
      result in a use after free/double free situation.
      
      Task A					Task B
      ------------				-----------
      inotify_new_watch()
       allocate a mark (refcnt == 1)
       add it to the idr
      					inotify_rm_watch()
      					 inotify_remove_from_idr()
      					  fsnotify_put_mark()
      					      refcnt hits 0, free
       take reference because we are on idr
       [at this point it is a use after free]
       [time goes on]
       refcnt may hit 0 again, double free
      
      The fix is to take the reference BEFORE the object can be found in the
      idr.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      Cc: <stable@kernel.org>
      e0873344
    • Eric Paris's avatar
      inotify: clean up the inotify_add_watch out path · 3dbc6fb6
      Eric Paris authored
      inotify_add_watch explictly frees the unused inode mark, but it can just
      use the generic code.  Just do that.
      Signed-off-by: default avatarEric Paris <eparis@redhat.com>
      3dbc6fb6
    • Linus Torvalds's avatar