openwrt/staging/blogic.git
13 years agoaf_packet: prevent information leak
Eric Dumazet [Tue, 7 Jun 2011 05:42:06 +0000 (22:42 -0700)]
af_packet: prevent information leak

In 2.6.27, commit 393e52e33c6c2 (packet: deliver VLAN TCI to userspace)
added a small information leak.

Add padding field and make sure its zeroed before copy to user.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoirda: iriap: Use seperate lockdep class for irias_objects->hb_spinlock
David S. Miller [Tue, 7 Jun 2011 00:00:35 +0000 (17:00 -0700)]
irda: iriap: Use seperate lockdep class for irias_objects->hb_spinlock

The SEQ output functions grab the obj->attrib->hb_spinlock lock of
sub-objects found in the hash traversal.  These locks are in a different
realm than the one used for the irias_objects hash table itself.

So put the latter into it's own lockdep class.

Reported-by: Dave Jones <davej@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agonet: Rework netdev_drivername() to avoid warning.
David S. Miller [Mon, 6 Jun 2011 23:41:33 +0000 (16:41 -0700)]
net: Rework netdev_drivername() to avoid warning.

This interface uses a temporary buffer, but for no real reason.
And now can generate warnings like:

net/sched/sch_generic.c: In function dev_watchdog
net/sched/sch_generic.c:254:10: warning: unused variable drivername

Just return driver->name directly or "".

Reported-by: Connor Hansen <cmdkhh@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agonet/ipv6: check for mistakenly passed in non-AF_INET6 sockaddrs
Marcus Meissner [Mon, 6 Jun 2011 06:00:07 +0000 (06:00 +0000)]
net/ipv6: check for mistakenly passed in non-AF_INET6 sockaddrs

Same check as for IPv4, also do for IPv6.

(If you passed in a IPv4 sockaddr_in here, the sizeof check
 in the line before would have triggered already though.)

Signed-off-by: Marcus Meissner <meissner@suse.de>
Cc: Reinhard Max <max@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoMerge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville...
David S. Miller [Mon, 6 Jun 2011 20:25:36 +0000 (13:25 -0700)]
Merge branch 'for-davem' of git://git./linux/kernel/git/linville/wireless-2.6

13 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirel...
John W. Linville [Mon, 6 Jun 2011 17:58:21 +0000 (13:58 -0400)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6 into for-davem

13 years agoMerge branch 'pablo/nf-2.6-updates' of git://1984.lsi.us.es/net-2.6
David S. Miller [Mon, 6 Jun 2011 00:14:04 +0000 (17:14 -0700)]
Merge branch 'pablo/nf-2.6-updates' of git://1984.lsi.us.es/net-2.6

13 years agonet: fix smc91x.c device tree support
Grant Likely [Fri, 3 Jun 2011 21:31:27 +0000 (21:31 +0000)]
net: fix smc91x.c device tree support

Fix missing semicolon at end of smc91x.c match tabledevice driver.
Also remove unnecessary #ifdef around of_match_table pointer.

Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agonetfilter: use unsigned variables for packet lengths in ip[6]_queue.
Dave Jones [Sat, 28 May 2011 00:36:51 +0000 (20:36 -0400)]
netfilter: use unsigned variables for packet lengths in ip[6]_queue.

Netlink message lengths can't be negative, so use unsigned variables.

Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
13 years agonetfilter: nf_conntrack: fix ct refcount leak in l4proto->error()
Pablo Neira Ayuso [Thu, 2 Jun 2011 13:08:45 +0000 (15:08 +0200)]
netfilter: nf_conntrack: fix ct refcount leak in l4proto->error()

This patch fixes a refcount leak of ct objects that may occur if
l4proto->error() assigns one conntrack object to one skbuff. In
that case, we have to skip further processing in nf_conntrack_in().

With this patch, we can also fix wrong return values (-NF_ACCEPT)
for special cases in ICMP[v6] that should not bump the invalid/error
statistic counters.

Reported-by: Zoltan Menyhart <Zoltan.Menyhart@bull.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
13 years agonetfilter: nf_nat: fix crash in nf_nat_csum
Julian Anastasov [Sun, 29 May 2011 20:42:29 +0000 (23:42 +0300)]
netfilter: nf_nat: fix crash in nf_nat_csum

Fix crash in nf_nat_csum when mangling packets
in OUTPUT hook where skb->dev is not defined, it is set
later before POSTROUTING. Problem happens for CHECKSUM_NONE.
We can check device from rt but using CHECKSUM_PARTIAL
should be safe (skb_checksum_help).

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
13 years agonetfilter: ipset: Use the stored first cidr value instead of '1'
Jozsef Kadlecsik [Wed, 1 Jun 2011 21:35:49 +0000 (23:35 +0200)]
netfilter: ipset: Use the stored first cidr value instead of '1'

The stored cidr values are tried one after anoter. The boolean
condition evaluated to '1' instead of the first stored cidr or
the default host cidr.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
13 years agonetfilter: ipset: Fix return code for destroy when sets are in use
Jozsef Kadlecsik [Wed, 1 Jun 2011 21:35:48 +0000 (23:35 +0200)]
netfilter: ipset: Fix return code for destroy when sets are in use

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
13 years agoipvs: restore support for iptables SNAT
Julian Anastasov [Thu, 2 Jun 2011 00:09:54 +0000 (09:09 +0900)]
ipvs: restore support for iptables SNAT

Fix the IPVS priority in LOCAL_IN hook,
so that SNAT target in POSTROUTING is supported for IPVS
traffic as in 2.6.36 where it worked depending on
module load order.

Before 2.6.37 we used priority 100 in LOCAL_IN to
process remote requests. We used the same priority as
iptables SNAT and if IPVS handlers are installed before
SNAT handlers we supported SNAT in POSTROUTING for the IPVS
traffic. If SNAT is installed before IPVS, the netfilter
handlers are before IPVS and netfilter checks the NAT
table twice for the IPVS requests: once in LOCAL_IN where
IPS_SRC_NAT_DONE is set and second time in POSTROUTING
where the SNAT rules are ignored because IPS_SRC_NAT_DONE
was already set in LOCAL_IN.

But in 2.6.37 we changed the IPVS priority for
LOCAL_IN with the goal to be unique (101) forgetting the
fact that for IPVS traffic we should not walk both
LOCAL_IN and POSTROUTING nat tables.

So, change the priority for processing remote
IPVS requests from 101 to 99, i.e. before NAT_SRC (100)
because we prefer to support SNAT in POSTROUTING
instead of LOCAL_IN. It also moves the priority for
IPVS replies from 99 to 98. Use constants instead of
magic numbers at these places.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
13 years agonetfilter: add more values to enum ip_conntrack_info
Eric Dumazet [Thu, 19 May 2011 13:44:27 +0000 (15:44 +0200)]
netfilter: add more values to enum ip_conntrack_info

Following error is raised (and other similar ones) :

net/ipv4/netfilter/nf_nat_standalone.c: In function ‘nf_nat_fn’:
net/ipv4/netfilter/nf_nat_standalone.c:119:2: warning: case value ‘4’
not in enumerated type ‘enum ip_conntrack_info’

gcc barfs on adding two enum values and getting a not enumerated
result :

case IP_CT_RELATED+IP_CT_IS_REPLY:

Add missing enum values

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: David Miller <davem@davemloft.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
13 years agobonding: reset queue mapping prior to transmission to physical device (v5)
Neil Horman [Fri, 3 Jun 2011 10:35:52 +0000 (10:35 +0000)]
bonding: reset queue mapping prior to transmission to physical device (v5)

The bonding driver is multiqueue enabled, in which each queue represents a slave
to enable optional steering of output frames to given slaves against the default
output policy.  However, it needs to reset the skb->queue_mapping prior to
queuing to the physical device or the physical slave (if it is multiqueue) could
wind up transmitting on an unintended tx queue

Change Notes:
v2) Based on first pass review, updated the patch to restore the origional queue
mapping that was found in bond_select_queue, rather than simply resetting to
zero.  This preserves the value of queue_mapping when it was set on receive in
the forwarding case which is desireable.

v3) Fixed spelling an casting error in skb->cb

v4) fixed to store raw queue_mapping to avoid double decrement

v5) Eric D requested that ->cb access be wrapped in a macro.

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: Jay Vosburgh <fubar@us.ibm.com>
CC: Andy Gospodarek <andy@greyhouse.net>
CC: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoqlcnic: Avoid double free of skb in tx path
Sucheta Chakraborty [Fri, 3 Jun 2011 05:52:18 +0000 (05:52 +0000)]
qlcnic: Avoid double free of skb in tx path

buffer->skb should be marked NULL to avoid double free of the skb.

Signed-off-by: Sucheta Chakraborty <sucheta.chakraborty@qlogic.com>
Signed-off-by: Anirban Chakraborty <anirban.chakraborty@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoqlcnic: Fix bug in FW queue dump
Anirban Chakraborty [Thu, 2 Jun 2011 12:42:21 +0000 (12:42 +0000)]
qlcnic: Fix bug in FW queue dump

Due to a change in FW template, a bug was introduced in dump queue entries. This is
fixed by reinitializing queue address before looping for each que dump operation.

Signed-off-by: Anirban Chakraborty <anirban.chakraborty@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agofix return values of l2tp_dfs_seq_open()
Al Viro [Sun, 5 Jun 2011 00:54:03 +0000 (00:54 +0000)]
fix return values of l2tp_dfs_seq_open()

More fallout from struct net lifetime rules review: PTR_ERR() is *already*
negative and failing ->open() should return negatives on failure.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoget_net_ns_by_fd() oopses if proc_ns_fget() returns an error
Al Viro [Sun, 5 Jun 2011 00:37:35 +0000 (00:37 +0000)]
get_net_ns_by_fd() oopses if proc_ns_fget() returns an error

BTW, looking through the code related to struct net lifetime rules has
caught something else:

struct net *get_net_ns_by_fd(int fd)
{
        ...
        file = proc_ns_fget(fd);
        if (!file)
                goto out;

        ei = PROC_I(file->f_dentry->d_inode);

while in proc_ns_fget() we have two return ERR_PTR(...) and not a single
path that would return NULL.  The other caller of proc_ns_fget() treats
ERR_PTR() correctly...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6
Linus Torvalds [Sat, 4 Jun 2011 14:19:51 +0000 (23:19 +0900)]
Merge git://git./linux/kernel/git/jejb/scsi-rc-fixes-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6:
  [SCSI] Fix oops caused by queue refcounting failure

13 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6
Linus Torvalds [Sat, 4 Jun 2011 14:16:00 +0000 (23:16 +0900)]
Merge git://git./linux/kernel/git/davem/net-2.6

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (40 commits)
  tg3: Fix tg3_skb_error_unmap()
  net: tracepoint of net_dev_xmit sees freed skb and causes panic
  drivers/net/can/flexcan.c: add missing clk_put
  net: dm9000: Get the chip in a known good state before enabling interrupts
  drivers/net/davinci_emac.c: add missing clk_put
  af-packet: Add flag to distinguish VID 0 from no-vlan.
  caif: Fix race when conditionally taking rtnl lock
  usbnet/cdc_ncm: add missing .reset_resume hook
  vlan: fix typo in vlan_dev_hard_start_xmit()
  net/ipv4: Check for mistakenly passed in non-IPv4 address
  iwl4965: correctly validate temperature value
  bluetooth l2cap: fix locking in l2cap_global_chan_by_psm
  ath9k: fix two more bugs in tx power
  cfg80211: don't drop p2p probe responses
  Revert "net: fix section mismatches"
  drivers/net/usb/catc.c: Fix potential deadlock in catc_ctrl_run()
  sctp: stop pending timers and purge queues when peer restart asoc
  drivers/net: ks8842 Fix crash on received packet when in PIO mode.
  ip_options_compile: properly handle unaligned pointer
  iwlagn: fix incorrect PCI subsystem id for 6150 devices
  ...

13 years agoMerge branch 'for-linus' of git://git.kernel.dk/linux-block
Linus Torvalds [Fri, 3 Jun 2011 23:11:26 +0000 (08:11 +0900)]
Merge branch 'for-linus' of git://git.kernel.dk/linux-block

* 'for-linus' of git://git.kernel.dk/linux-block:
  block: Use hlist_entry() for io_context.cic_list.first
  cfq-iosched: Remove bogus check in queue_fail path
  xen/blkback: potential null dereference in error handling
  xen/blkback: don't call vbd_size() if bd_disk is NULL
  block: blkdev_get() should access ->bd_disk only after success
  CFQ: Fix typo and remove unnecessary semicolon
  block: remove unwanted semicolons
  Revert "block: Remove extra discard_alignment from hd_struct."
  nbd: adjust 'max_part' according to part_shift
  nbd: limit module parameters to a sane value
  nbd: pass MSG_* flags to kernel_recvmsg()
  block: improve the bio_add_page() and bio_add_pc_page() descriptions

13 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/vapier...
Linus Torvalds [Fri, 3 Jun 2011 23:04:10 +0000 (08:04 +0900)]
Merge branch 'for-linus' of git://git./linux/kernel/git/vapier/blackfin

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/vapier/blackfin:
  Blackfin: strncpy: fix handling of zero lengths

13 years agoMerge branch 'stable' of git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux...
Linus Torvalds [Fri, 3 Jun 2011 23:03:16 +0000 (08:03 +0900)]
Merge branch 'stable' of git://git./linux/kernel/git/cmetcalf/linux-tile

* 'stable' of git://git.kernel.org/pub/scm/linux/kernel/git/cmetcalf/linux-tile:
  asm-generic/unistd.h: support sendmmsg syscall
  tile: enable CONFIG_BUGVERBOSE

13 years agoMerge branch 'linux-next' of git://git.infradead.org/ubifs-2.6
Linus Torvalds [Fri, 3 Jun 2011 22:59:32 +0000 (07:59 +0900)]
Merge branch 'linux-next' of git://git.infradead.org/ubifs-2.6

* 'linux-next' of git://git.infradead.org/ubifs-2.6:
  UBIFS: fix-up free space earlier
  UBIFS: intialize LPT earlier
  UBIFS: assert no fixup when writing a node
  UBIFS: fix clean znode counter corruption in error cases
  UBIFS: fix memory leak on error path
  UBIFS: fix shrinker object count reports
  UBIFS: fix recovery broken by the previous recovery fix
  UBIFS: amend ubifs_recover_leb interface
  UBIFS: introduce a "grouped" journal head flag
  UBIFS: supress false error messages

13 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt...
Linus Torvalds [Fri, 3 Jun 2011 22:58:48 +0000 (07:58 +0900)]
Merge branch 'for-linus' of git://git./linux/kernel/git/rostedt/linux-2.6-ktest

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-2.6-ktest:
  ktest: Ignore unset values of the minconfig in config_bisect
  ktest: Fix result of rebooting the kernel
  ktest: Fix off-by-one in config bisect result

13 years agoMerge branch 'rmobile-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Fri, 3 Jun 2011 22:53:23 +0000 (07:53 +0900)]
Merge branch 'rmobile-fixes-for-linus' of git://git./linux/kernel/git/lethal/sh-2.6

* 'rmobile-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6:
  ARM: mach-shmobile: add DMAC clock definitions on SH7372
  ARM: arch-shmobile: support SDHI card detection on mackerel, using a GPIO
  sh_mobile_meram: MERAM platform data for LCDC

13 years agoMerge branch 'sh-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Fri, 3 Jun 2011 22:04:25 +0000 (07:04 +0900)]
Merge branch 'sh-fixes-for-linus' of git://git./linux/kernel/git/lethal/sh-2.6

* 'sh-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lethal/sh-2.6:
  dmaengine: shdma: fix a regression: initialise DMA channels for memcpy
  dmaengine: shdma: Fix up fallout from runtime PM changes.
  Revert "clocksource: sh_cmt: Runtime PM support"
  Revert "clocksource: sh_tmu: Runtime PM support"
  sh: Fix up asm-generic/ptrace.h fallout.
  sh64: Move from P1SEG to CAC_ADDR for consistent sync.
  sh64: asm/pgtable.h needs asm/mmu.h
  sh: asm/tlb.h needs linux/swap.h
  sh: mark DMA slave ID 0 as invalid
  sh: Update shmin to reflect PIO dependency.
  sh: arch/sh/kernel/process_32.c needs linux/prefetch.h.
  sh: add MMCIF runtime PM support on ecovec
  sh: switch ap325rxa to dynamically manage the platform camera

13 years agoRevert "ASoC: Update cx20442 for TTY API change"
Linus Torvalds [Fri, 3 Jun 2011 22:00:50 +0000 (07:00 +0900)]
Revert "ASoC: Update cx20442 for TTY API change"

This reverts commit ed0bd2333cffc3d856db9beb829543c1dfc00982.

Since we reverted the TTY API change, we should revert the ASoC update
to it too.

Cc: Mark Brown <broonie@opensource.wolfsonmicro.com>
Cc: Liam Girdwood <lrg@ti.com>
Cc: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agoRevert "tty: make receive_buf() return the amout of bytes received"
Linus Torvalds [Fri, 3 Jun 2011 21:33:24 +0000 (06:33 +0900)]
Revert "tty: make receive_buf() return the amout of bytes received"

This reverts commit b1c43f82c5aa265442f82dba31ce985ebb7aa71c.

It was broken in so many ways, and results in random odd pty issues.

It re-introduced the buggy schedule_work() in flush_to_ldisc() that can
cause endless work-loops (see commit a5660b41af6a: "tty: fix endless
work loop when the buffer fills up").

It also used an "unsigned int" return value fo the ->receive_buf()
function, but then made multiple functions return a negative error code,
and didn't actually check for the error in the caller.

And it didn't actually work at all.  BenH bisected down odd tty behavior
to it:
  "It looks like the patch is causing some major malfunctions of the X
   server for me, possibly related to PTYs.  For example, cat'ing a
   large file in a gnome terminal hangs the kernel for -minutes- in a
   loop of what looks like flush_to_ldisc/workqueue code, (some ftrace
   data in the quoted bits further down).

   ...

   Some more data: It -looks- like what happens is that the
   flush_to_ldisc work queue entry constantly re-queues itself (because
   the PTY is full ?) and the workqueue thread will basically loop
   forver calling it without ever scheduling, thus starving the consumer
   process that could have emptied the PTY."

which is pretty much exactly the problem we fixed in a5660b41af6a.

Milton Miller pointed out the 'unsigned int' issue.

Reported-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Reported-by: Milton Miller <miltonm@bga.com>
Cc: Stefan Bigler <stefan.bigler@keymile.com>
Cc: Toby Gray <toby.gray@realvnc.com>
Cc: Felipe Balbi <balbi@ti.com>
Cc: Greg Kroah-Hartman <gregkh@suse.de>
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agoMerge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wirel...
John W. Linville [Fri, 3 Jun 2011 18:31:50 +0000 (14:31 -0400)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6 into for-davem

13 years agolibertas_sdio: handle spurious interrupts
Daniel Drake [Thu, 2 Jun 2011 23:13:26 +0000 (00:13 +0100)]
libertas_sdio: handle spurious interrupts

Commit 06e8935febe687e2a561707d4c7ca4245d261dbe adds an IRQ handling
optimization for single-function SDIO cards like this one, but at the
same time exposes a small hardware bug.

During hardware init, an interrupt is generated with (apparently) no
source. Previously, mmc threw this interrupt away, but now (due to the
optimization), the mmc layer passes this onto libertas, before it is ready
(and before it has enabled interrupts), causing a crash.

Work around this hardware bug by registering the IRQ handler later and
making it capable of handling interrupts with no cause. The change that
makes the IRQ handler registration happen later actually eliminates
the spurious interrupt as well.

Signed-off-by: Daniel Drake <dsd@laptop.org>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agomac80211: call dev_alloc_name before copying name to sdata
Thadeu Lima de Souza Cascardo [Thu, 2 Jun 2011 20:28:37 +0000 (17:28 -0300)]
mac80211: call dev_alloc_name before copying name to sdata

This partially reverts 1c5cae815d19ffe02bdfda1260949ef2b1806171, because
the netdev name is copied into sdata->name, which is used for debugging
messages, for example. Otherwise, we get messages like this:

wlan%d: authenticated

Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@holoscopio.com>
Cc: Jiri Pirko <jpirko@redhat.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Johannes Berg <johannes@sipsolutions.net>
Cc: "John W. Linville" <linville@tuxdriver.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoiwlagn: fix channel switch locking
Stanislaw Gruszka [Thu, 2 Jun 2011 16:17:15 +0000 (18:17 +0200)]
iwlagn: fix channel switch locking

We use priv->mutex to avoid race conditions between iwl_chswitch_done()
and iwlagn_mac_channel_switch(), when marking channel switch in
progress. But iwl_chswitch_done() can be called in atomic context
from iwl_rx_csa() or with mutex already taken from iwlagn_commit_rxon().

These bugs were introduced by:

commit 79d07325502e73508f917475bc1617b60979dd94
Author: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Date:   Thu May 6 08:54:11 2010 -0700

    iwlwifi: support channel switch offload in driver

To fix remove mutex from iwl_chswitch_done() and use atomic bitops for
marking channel switch pending.

Also remove iwl2030_hw_channel_switch() since 2000 series adapters are
2.4GHz only devices.

Cc: stable@kernel.org # 2.6.36+
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Acked-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoath5k: Disable fast channel switching by default
Nick Kossifidis [Thu, 2 Jun 2011 00:09:48 +0000 (03:09 +0300)]
ath5k: Disable fast channel switching by default

Disable fast channel change by default on AR2413/AR5413 due to
some bug reports (it still works for me but it's better to be safe).
Add a module parameter "fastchanswitch" in case anyone wants to enable
it and play with it.

Signed-off-by: Nick Kossifidis <mickflemm@gmail.com>
Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agossb: fix PCI(e) driver regression causing oops on PCI cards
Rafał Miłecki [Wed, 1 Jun 2011 09:01:11 +0000 (11:01 +0200)]
ssb: fix PCI(e) driver regression causing oops on PCI cards

We were incorrectly executing PCIe specific workarounds on PCI cards.
This resulted in:
Machine check in kernel mode.
Caused by (from SRR1=149030): Transfer error ack signal
Oops: Machine check, sig: 7 [#1]

Reported-by: Andreas Schwab <schwab@linux-m68k.org>
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoUBIFS: fix-up free space earlier
Ben Gardiner [Mon, 30 May 2011 18:56:16 +0000 (14:56 -0400)]
UBIFS: fix-up free space earlier

The free space fixup is currently initiated during mount after the call to
ubifs_write_master() which results in a write to PEBs; this has been observed
with the patch 'assert no fixup when writing a node' applied:

Move the free space fixup on mount to before the calls to
ubifs_recover_inl_heads() and ubifs_write_master(). This results in no
assertions with the previously mentioned patch applied.

Artem: tweaked the patch a bit

Signed-off-by: Ben Gardiner <bengardiner@nanometrics>
Reviewed-by: Matthew L. Creech <mlcreech@gmail.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
13 years agoUBIFS: intialize LPT earlier
Ben Gardiner [Mon, 30 May 2011 18:56:15 +0000 (14:56 -0400)]
UBIFS: intialize LPT earlier

The current 'mount_ubifs()' implementation does not initialize the LPT until the
the master node is marked dirty. Move the LPT initialization to before marking
the master node dirty. This is a preparation for the next patch which will move
the free-space-fixup check to before marking the master node dirty, because we
have to fix-up the free space before doing any writes.

Artem: massaged the patch and commit message.

Signed-off-by: Ben Gardiner <bengardiner@nanometrics.ca>
Reviewed-by: Matthew L. Creech <mlcreech@gmail.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
13 years agoUBIFS: assert no fixup when writing a node
Ben Gardiner [Mon, 30 May 2011 18:56:14 +0000 (14:56 -0400)]
UBIFS: assert no fixup when writing a node

The current free space fixup can result in some writing to the UBI volume
when the space_fixup flag is set.

To catch instances where UBIFS is writing to the NAND while the space_fixup
flag is set, add an assert to ubifs_write_node().

Artem: tweaked the patch, added similar assertion to the write buffer
       write path.

Signed-off-by: Ben Gardiner <bengardiner@nanometrics.ca>
Reviewed-by: Matthew L. Creech <mlcreech@gmail.com>
Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
13 years agoUBIFS: fix clean znode counter corruption in error cases
Artem Bityutskiy [Tue, 31 May 2011 11:26:07 +0000 (14:26 +0300)]
UBIFS: fix clean znode counter corruption in error cases

UBIFS maintains per-filesystem and global clean znode counters
('c->clean_zn_cnt' and 'ubifs_clean_zn_cnt'). It is important to maintain
correct values there since the shrinker relies on 'ubifs_clean_zn_cnt'.

However, in case of failures during commit the counters were corrupted. E.g.,
if a failure happens in the middle of 'write_index()', then some nodes in the
commit list ('c->cnext') are marked as clean, and some are marked as dirty. And
the 'ubifs_destroy_tnc_subtree()' frees does not retrun correct count, and we
end up with non-zero 'c->clean_zn_cnt' when unmounting. This means that if we
have 2 file-sytem and one of them fails, and we unmount it,
'ubifs_clean_zn_cnt' stays incorrect and confuses the shrinker.

Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
13 years agoUBIFS: fix memory leak on error path
Artem Bityutskiy [Tue, 31 May 2011 05:40:40 +0000 (08:40 +0300)]
UBIFS: fix memory leak on error path

UBIFS leaks memory on error path in 'ubifs_jnl_update()' in case of write
failure because it forgets to free the 'struct ubifs_dent_node *dent' object.
Although the object is small, the alignment can make it large - e.g., 2KiB
if the min. I/O unit is 2KiB.

Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Cc: stable@kernel.org
13 years agoUBIFS: fix shrinker object count reports
Artem Bityutskiy [Tue, 31 May 2011 04:03:21 +0000 (07:03 +0300)]
UBIFS: fix shrinker object count reports

Sometimes VM asks the shrinker to return amount of objects it can shrink,
and we return the ubifs_clean_zn_cnt in that case. However, it is possible
that this counter is negative for a short period of time, due to the way
UBIFS TNC code updates it. And I can observe the following warnings sometimes:

shrink_slab: ubifs_shrinker+0x0/0x2b7 [ubifs] negative objects to delete nr=-8541616642706119788

This patch makes sure UBIFS never returns negative count of objects.

Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Cc: stable@kernel.org
13 years agoBlackfin: strncpy: fix handling of zero lengths
Steven Miao [Wed, 1 Jun 2011 07:52:41 +0000 (15:52 +0800)]
Blackfin: strncpy: fix handling of zero lengths

The jump to 4f will cause the NUL padding loop to run at least one time,
so if string length is zero just jump to the end.  Otherwise we wrongly
write one NUL byte when size==0.

Signed-off-by: Steven Miao <realmz6@gmail.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
13 years agotg3: Fix tg3_skb_error_unmap()
Matt Carlson [Thu, 2 Jun 2011 13:01:39 +0000 (13:01 +0000)]
tg3: Fix tg3_skb_error_unmap()

This function attempts to free one fragment beyond the number of
fragments that were actually mapped.  This patch brings back the limit
to the correct spot.

Signed-off-by: Matt Carlson <mcarlson@broadcom.com>
Tested-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agonet: tracepoint of net_dev_xmit sees freed skb and causes panic
Koki Sanagi [Mon, 30 May 2011 21:48:34 +0000 (21:48 +0000)]
net: tracepoint of net_dev_xmit sees freed skb and causes panic

Because there is a possibility that skb is kfree_skb()ed and zero cleared
after ndo_start_xmit, we should not see the contents of skb like skb->len and
skb->dev->name after ndo_start_xmit. But trace_net_dev_xmit does that
and causes panic by NULL pointer dereference.
This patch fixes trace_net_dev_xmit not to see the contents of skb directly.

If you want to reproduce this panic,

1. Get tracepoint of net_dev_xmit on
2. Create 2 guests on KVM
2. Make 2 guests use virtio_net
4. Execute netperf from one to another for a long time as a network burden
5. host will panic(It takes about 30 minutes)

Signed-off-by: Koki Sanagi <sanagi.koki@jp.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoasm-generic/unistd.h: support sendmmsg syscall
Chris Metcalf [Thu, 2 Jun 2011 18:21:45 +0000 (14:21 -0400)]
asm-generic/unistd.h: support sendmmsg syscall

Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
13 years agoktest: Ignore unset values of the minconfig in config_bisect
Steven Rostedt [Thu, 2 Jun 2011 03:27:19 +0000 (23:27 -0400)]
ktest: Ignore unset values of the minconfig in config_bisect

By ignoring the unset values of the minconfig in deciding
what to test in the config_bisect can cause the problem
config from being tested too.

Just do not test the configs that are set in the minconfig.

Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
13 years agoktest: Fix result of rebooting the kernel
Steven Rostedt [Thu, 2 Jun 2011 03:25:13 +0000 (23:25 -0400)]
ktest: Fix result of rebooting the kernel

The command that is called that reboots the kernel may fail
but the return code is not passed back to the ktest.pl script.
This is because a ';' is used between the two commands and
if the second command fails, only the first command's return
code is returned. Using a '&&' between the two commands fixes
this.

Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
13 years agoktest: Fix off-by-one in config bisect result
Steven Rostedt [Thu, 2 Jun 2011 03:22:30 +0000 (23:22 -0400)]
ktest: Fix off-by-one in config bisect result

Because in perl the array size returned by $#arr, is the last
index and not the actually size of the array, we end the config
bisect early, thinking there is only one config left when there
are in fact two. Thus the result has a 50% chance of picking
the correct config that caused the problem.

Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
13 years agoMerge branch 'for-jens/xen-blkback.fixes' of git://git.kernel.org/pub/scm/linux/kerne...
Jens Axboe [Thu, 2 Jun 2011 11:14:15 +0000 (13:14 +0200)]
Merge branch 'for-jens/xen-blkback.fixes' of git://git./linux/kernel/git/konrad/xen into for-linus

13 years agoblock: Use hlist_entry() for io_context.cic_list.first
Paul Bolle [Thu, 2 Jun 2011 11:05:02 +0000 (13:05 +0200)]
block: Use hlist_entry() for io_context.cic_list.first

list_entry() and hlist_entry() are both simply aliases for
container_of(), but since io_context.cic_list.first is an hlist_node one
should at least use the correct alias.

Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
13 years agocfq-iosched: Remove bogus check in queue_fail path
Paul Bolle [Thu, 2 Jun 2011 11:05:02 +0000 (13:05 +0200)]
cfq-iosched: Remove bogus check in queue_fail path

queue_fail can only be reached if cic is NULL, so its check for cic must
be bogus.

Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
13 years ago[SCSI] Fix oops caused by queue refcounting failure
James Bottomley [Wed, 25 May 2011 20:52:14 +0000 (15:52 -0500)]
[SCSI] Fix oops caused by queue refcounting failure

In certain circumstances, we can get an oops from a torn down device.
Most notably this is from CD roms trying to call scsi_ioctl.  The root
cause of the problem is the fact that after scsi_remove_device() has
been called, the queue is fully torn down.  This is actually wrong
since the queue can be used until the sdev release function is called.
Therefore, we add an extra reference to the queue which is released in
sdev->release, so the queue always exists.

Reported-by: Parag Warudkar <parag.lkml@gmail.com>
Cc: stable@kernel.org
Signed-off-by: James Bottomley <jbottomley@parallels.com>
13 years agodrivers/net/can/flexcan.c: add missing clk_put
Julia Lawall [Wed, 1 Jun 2011 19:48:50 +0000 (19:48 +0000)]
drivers/net/can/flexcan.c: add missing clk_put

The failed_get label is used after the call to clk_get has succeeded, so it
should be moved up above the call to clk_put.

The failed_req labels doesn't do anything different than failed_get, so
delete it.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@r exists@
expression e1,e2;
statement S;
@@

e1 = clk_get@p1(...);
... when != e1 = e2
    when != clk_put(e1)
    when any
if (...) { ... when != clk_put(e1)
               when != if (...) { ... clk_put(e1) ... }
* return@p3 ...;
 } else S
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoARM: mach-shmobile: add DMAC clock definitions on SH7372
Guennadi Liakhovetski [Wed, 1 Jun 2011 07:32:07 +0000 (07:32 +0000)]
ARM: mach-shmobile: add DMAC clock definitions on SH7372

These definitions are needed to let the runtime PM subsystem turn off
DMAC clocks, when it is suspended by the driver.

Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
13 years agodmaengine: shdma: fix a regression: initialise DMA channels for memcpy
Guennadi Liakhovetski [Tue, 31 May 2011 09:25:16 +0000 (09:25 +0000)]
dmaengine: shdma: fix a regression: initialise DMA channels for memcpy

A recent patch has introduced a regression, where repeating a memcpy
DMA test with shdma module unloading between them skips the DMA channel
configuration. Fix this regression by always configuring the channel
during its allocation.

Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
13 years agonet: dm9000: Get the chip in a known good state before enabling interrupts
Mark Brown [Wed, 1 Jun 2011 10:18:09 +0000 (10:18 +0000)]
net: dm9000: Get the chip in a known good state before enabling interrupts

Currently the DM9000 driver requests the primary interrupt before it
resets the chip and puts it into a known good state. This means that if
the chip is asserting interrupt for some reason we can end up with a
screaming IRQ that the interrupt handler is unable to deal with. Avoid
this by only requesting the interrupt after we've reset the chip so we
know what state it's in.

This started manifesting itself on one of my boards in the past month or
so, I suspect as a result of some core infrastructure changes removing
some form of mitigation against bad behaviour here, even when things boot
it seems that the new code brings the interface up more quickly.

Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agodrivers/net/davinci_emac.c: add missing clk_put
Julia Lawall [Wed, 1 Jun 2011 07:10:10 +0000 (07:10 +0000)]
drivers/net/davinci_emac.c: add missing clk_put

Go to existing error handling code at the end of the function that calls
clk_put.

A simplified version of the semantic match that finds this problem is as
follows: (http://coccinelle.lip6.fr/)

// <smpl>
@r exists@
expression e1,e2;
statement S;
@@

e1 = clk_get@p1(...);
... when != e1 = e2
    when != clk_put(e1)
    when any
if (...) { ... when != clk_put(e1)
               when != if (...) { ... clk_put(e1) ... }
* return@p3 ...;
 } else S
// </smpl>

Signed-off-by: Julia Lawall <julia@diku.dk>
Acked-by: Kevin Hilman <khilman@ti.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoaf-packet: Add flag to distinguish VID 0 from no-vlan.
Ben Greear [Wed, 1 Jun 2011 06:49:10 +0000 (06:49 +0000)]
af-packet: Add flag to distinguish VID 0 from no-vlan.

Currently, user-space cannot determine if a 0 tcp_vlan_tci
means there is no VLAN tag or the VLAN ID was zero.

Add flag to make this explicit.  User-space can check for
TP_STATUS_VLAN_VALID || tp_vlan_tci > 0, which will be backwards
compatible. Older could would have just checked for tp_vlan_tci,
so it will work no worse than before.

Signed-off-by: Ben Greear <greearb@candelatech.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agocaif: Fix race when conditionally taking rtnl lock
sjur.brandeland@stericsson.com [Wed, 1 Jun 2011 00:55:37 +0000 (00:55 +0000)]
caif: Fix race when conditionally taking rtnl lock

Take the RTNL lock unconditionally when calling dev_close.
Taking the lock conditionally may cause race conditions.

Signed-off-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agousbnet/cdc_ncm: add missing .reset_resume hook
Stefan Metzmacher [Wed, 1 Jun 2011 02:01:41 +0000 (02:01 +0000)]
usbnet/cdc_ncm: add missing .reset_resume hook

This avoids messages like this after suspend:

   cdc_ncm 2-1.4:1.6: no reset_resume for driver cdc_ncm?
   cdc_ncm 2-1.4:1.7: no reset_resume for driver cdc_ncm?
   cdc_ncm 2-1.4:1.6: usb0: unregister 'cdc_ncm' usb-0000:00:1d.0-1.4, CDC NCM

This is important for the Ericsson F5521gw GSM/UMTS modem.
Otherwise modemmanager looses the fact that the cdc_ncm and cdc_acm devices
belong together.

The cdc_ether module does the same.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agovlan: fix typo in vlan_dev_hard_start_xmit()
Wei Yongjun [Tue, 31 May 2011 22:53:19 +0000 (22:53 +0000)]
vlan: fix typo in vlan_dev_hard_start_xmit()

commit 4af429d29b341bb1735f04c2fb960178ed5d52e7 (vlan: lockless
transmit path) have a typo in vlan_dev_hard_start_xmit(), using
u64_stats_update_begin() to end the stat update, it should be
u64_stats_update_end().

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Reviewed-by: WANG Cong <xiyou.wangcong@gmail.com>
Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agonet/ipv4: Check for mistakenly passed in non-IPv4 address
Marcus Meissner [Thu, 2 Jun 2011 04:05:22 +0000 (21:05 -0700)]
net/ipv4: Check for mistakenly passed in non-IPv4 address

Check against mistakenly passing in IPv6 addresses (which would result
in an INADDR_ANY bind) or similar incompatible sockaddrs.

Signed-off-by: Marcus Meissner <meissner@suse.de>
Cc: Reinhard Max <max@suse.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agoRevert "mm: fail GFP_DMA allocations when ZONE_DMA is not configured"
Linus Torvalds [Wed, 1 Jun 2011 21:11:24 +0000 (06:11 +0900)]
Revert "mm: fail GFP_DMA allocations when ZONE_DMA is not configured"

This reverts commit a197b59ae6e8bee56fcef37ea2482dc08414e2ac.

As rmk says:
 "Commit a197b59ae6e8 (mm: fail GFP_DMA allocations when ZONE_DMA is not
  configured) is causing regressions on ARM with various drivers which
  use GFP_DMA.

  The behaviour up until now has been to silently ignore that flag when
  CONFIG_ZONE_DMA is not enabled, and to allocate from the normal zone.
  However, as a result of the above commit, such allocations now fail
  which causes drivers to fail.  These are regressions compared to the
  previous kernel version."

so just revert it.

Requested-by: Russell King <linux@arm.linux.org.uk>
Acked-by: Andrew Morton <akpm@linux-foundation.org>
Cc: David Rientjes <rientjes@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agoMerge git://git.infradead.org/iommu-2.6
Linus Torvalds [Wed, 1 Jun 2011 20:48:50 +0000 (05:48 +0900)]
Merge git://git.infradead.org/iommu-2.6

* git://git.infradead.org/iommu-2.6:
  intel-iommu: Fix off-by-one in RMRR setup
  intel-iommu: Add domain check in domain_remove_one_dev_info
  intel-iommu: Remove Host Bridge devices from identity mapping
  intel-iommu: Use coherent DMA mask when requested
  intel-iommu: Dont cache iova above 32bit
  intel-iommu: Speed up processing of the identity_mapping function
  intel-iommu: Check for identity mapping candidate using system dma mask
  intel-iommu: Only unlink device domains from iommu
  intel-iommu: Enable super page (2MiB, 1GiB, etc.) support
  intel-iommu: Flush unmaps at domain_exit
  intel-iommu: Remove obsolete comment from detect_intel_iommu
  intel-iommu: fix VT-d PMR disable for TXT on S3 resume

13 years agoblock: fix mismerge of the DISK_EVENT_MEDIA_CHANGE removal
Linus Torvalds [Wed, 1 Jun 2011 20:29:19 +0000 (05:29 +0900)]
block: fix mismerge of the DISK_EVENT_MEDIA_CHANGE removal

Jens' back-merge commit 698567f3fa79 ("Merge commit 'v2.6.39' into
for-2.6.40/core") was incorrectly done, and re-introduced the
DISK_EVENT_MEDIA_CHANGE lines that had been removed earlier in commits

 - 9fd097b14918 ("block: unexport DISK_EVENT_MEDIA_CHANGE for
   legacy/fringe drivers")

 - 7eec77a1816a ("ide: unexport DISK_EVENT_MEDIA_CHANGE for ide-gd
   and ide-cd")

because of conflicts with the "g->flags" updates near-by by commit
d4dc210f69bc ("block: don't block events on excl write for non-optical
devices")

As a result, we re-introduced the hanging behavior due to infinite disk
media change reports.

Tssk, tssk, people! Don't do back-merges at all, and *definitely* don't
do them to hide merge conflicts from me - especially as I'm likely
better at merging them than you are, since I do so many merges.

Reported-by: Steven Rostedt <rostedt@goodmis.org>
Cc: Jens Axboe <jaxboe@fusionio.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agotile: enable CONFIG_BUGVERBOSE
Chris Metcalf [Wed, 1 Jun 2011 20:06:04 +0000 (16:06 -0400)]
tile: enable CONFIG_BUGVERBOSE

Trivial config change to enable backtraces on panic.

Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
13 years agoiwl4965: correctly validate temperature value
Stanislaw Gruszka [Wed, 1 Jun 2011 15:17:57 +0000 (17:17 +0200)]
iwl4965: correctly validate temperature value

In some cases we can read wrong temperature value. If after that
temperature value will not be updated to good one, we badly configure
tx power parameters and device is unable to send a data.

Resolves:
https://bugzilla.kernel.org/show_bug.cgi?id=35932

Cc: stable@kernel.org # 2.6.39+
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agobluetooth l2cap: fix locking in l2cap_global_chan_by_psm
Johannes Berg [Wed, 1 Jun 2011 06:29:54 +0000 (08:29 +0200)]
bluetooth l2cap: fix locking in l2cap_global_chan_by_psm

read_lock() ... read_unlock_bh() is clearly bogus.
This was broken by

commit 23691d75cdc69c3b285211b4d77746aa20a17d18
Author: Gustavo F. Padovan <padovan@profusion.mobi>
Date:   Wed Apr 27 18:26:32 2011 -0300

    Bluetooth: Remove l2cap_sk_list

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoath9k: fix two more bugs in tx power
Daniel Halperin [Tue, 31 May 2011 18:59:30 +0000 (11:59 -0700)]
ath9k: fix two more bugs in tx power

This is the same fix as

   commit 841051602e3fa18ea468fe5a177aa92b6eb44b56
   Author: Matteo Croce <technoboy85@gmail.com>
   Date:   Fri Dec 3 02:25:08 2010 +0100

   The ath9k driver subtracts 3 dBm to the txpower as with two radios the
   signal power is doubled.
   The resulting value is assigned in an u16 which overflows and makes
   the card work at full power.

in two more places. I grepped the ath tree and didn't find any others.

Cc: stable@kernel.org
Signed-off-by: Daniel Halperin <dhalperi@cs.washington.edu>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agocfg80211: don't drop p2p probe responses
Eliad Peller [Sun, 29 May 2011 12:53:20 +0000 (15:53 +0300)]
cfg80211: don't drop p2p probe responses

Commit 0a35d36 ("cfg80211: Use capability info to detect mesh beacons")
assumed that probe response with both ESS and IBSS bits cleared
means that the frame was sent by a mesh sta.

However, these capabilities are also being used in the p2p_find phase,
and the mesh-validation broke it.

Rename the WLAN_CAPABILITY_IS_MBSS macro, and verify that mesh ies
exist before assuming this frame was sent by a mesh sta.

Signed-off-by: Eliad Peller <eliad@wizery.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
13 years agoxen/blkback: potential null dereference in error handling
Dan Carpenter [Fri, 27 May 2011 06:27:16 +0000 (09:27 +0300)]
xen/blkback: potential null dereference in error handling

blkbk->pending_pages can be NULL here so I added a check for it.

Signed-off-by: Dan Carpenter <error27@gmail.com>
[v1: Redid the loop a bit]
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
13 years agoxen/blkback: don't call vbd_size() if bd_disk is NULL
Laszlo Ersek [Wed, 25 May 2011 10:24:25 +0000 (12:24 +0200)]
xen/blkback: don't call vbd_size() if bd_disk is NULL

...because vbd_size() dereferences bd_disk if bd_part is NULL.

Signed-off-by: Laszlo Ersek<lersek@redhat.com>
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
13 years agoMerge git://git.infradead.org/mtd-2.6
Linus Torvalds [Wed, 1 Jun 2011 12:47:39 +0000 (21:47 +0900)]
Merge git://git.infradead.org/mtd-2.6

* git://git.infradead.org/mtd-2.6:
  mtd: fix physmap.h warnings

13 years agointel-iommu: Fix off-by-one in RMRR setup
David Woodhouse [Mon, 30 May 2011 23:22:52 +0000 (00:22 +0100)]
intel-iommu: Fix off-by-one in RMRR setup

We were mapping an extra byte (and hence usually an extra page):
iommu_prepare_identity_map() expects to be given an 'end' argument which
is the last byte to be mapped; not the first byte *not* to be mapped.

Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
13 years agointel-iommu: Add domain check in domain_remove_one_dev_info
Mike Habeck [Sat, 28 May 2011 18:15:07 +0000 (13:15 -0500)]
intel-iommu: Add domain check in domain_remove_one_dev_info

The comment in domain_remove_one_dev_info() states "No need to compare
PCI domain; it has to be the same". But for the si_domain that isn't
going to be true, as it consists of all the PCI devices that are
identity mapped thus multiple PCI domains can be in si_domain.  The
code needs to validate the PCI domain too.

Signed-off-by: Mike Habeck <habeck@sgi.com>
Signed-off-by: Mike Travis <travis@sgi.com>
Cc: stable@kernel.org
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
13 years agointel-iommu: Remove Host Bridge devices from identity mapping
Mike Travis [Sat, 28 May 2011 18:15:06 +0000 (13:15 -0500)]
intel-iommu: Remove Host Bridge devices from identity mapping

When using the 1:1 (identity) PCI DMA remapping, PCI Host Bridge devices
that do not use the IOMMU causes a kernel panic.  Fix that by not
inserting those devices into the si_domain.

Signed-off-by: Mike Travis <travis@sgi.com>
Reviewed-by: Mike Habeck <habeck@sgi.com>
Cc: stable@kernel.org
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
13 years agointel-iommu: Use coherent DMA mask when requested
Mike Travis [Sat, 28 May 2011 18:15:05 +0000 (13:15 -0500)]
intel-iommu: Use coherent DMA mask when requested

The __intel_map_single function is not honoring the passed in DMA mask.
This results in not using the coherent DMA mask when called from
intel_alloc_coherent().

Signed-off-by: Mike Travis <travis@sgi.com>
Acked-by: Chris Wright <chrisw@sous-sol.org>
Reviewed-by: Mike Habeck <habeck@sgi.com>
Cc: stable@kernel.org
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
13 years agointel-iommu: Dont cache iova above 32bit
Chris Wright [Sat, 28 May 2011 18:15:04 +0000 (13:15 -0500)]
intel-iommu: Dont cache iova above 32bit

Mike Travis and Mike Habeck reported an issue where iova allocation
would return a range that was larger than a device's dma mask.

https://lkml.org/lkml/2011/3/29/423

The dmar initialization code will reserve all PCI MMIO regions and copy
those reservations into a domain specific iova tree.  It is possible for
one of those regions to be above the dma mask of a device.  It is typical
to allocate iovas with a 32bit mask (despite device's dma mask possibly
being larger) and cache the result until it exhausts the lower 32bit
address space.  Freeing the iova range that is >= the last iova in the
lower 32bit range when there is still an iova above the 32bit range will
corrupt the cached iova by pointing it to a region that is above 32bit.
If that region is also larger than the device's dma mask, a subsequent
allocation will return an unusable iova and cause dma failure.

Simply don't cache an iova that is above the 32bit caching boundary.

Reported-by: Mike Travis <travis@sgi.com>
Reported-by: Mike Habeck <habeck@sgi.com>
Cc: stable@kernel.org
Acked-by: Mike Travis <travis@sgi.com>
Tested-by: Mike Habeck <habeck@sgi.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
13 years agointel-iommu: Speed up processing of the identity_mapping function
Mike Travis [Sat, 28 May 2011 18:15:03 +0000 (13:15 -0500)]
intel-iommu: Speed up processing of the identity_mapping function

When there are a large count of PCI devices, and the pass through
option for iommu is set, much time is spent in the identity_mapping
function hunting though the iommu domains to check if a specific
device is "identity mapped".

Speed up the function by checking the cached info to see if
it's mapped to the static identity domain.

Signed-off-by: Mike Travis <travis@sgi.com>
Reviewed-by: Mike Habeck <habeck@sgi.com>
Cc: stable@kernel.org
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
13 years agointel-iommu: Check for identity mapping candidate using system dma mask
Chris Wright [Sat, 28 May 2011 18:15:02 +0000 (13:15 -0500)]
intel-iommu: Check for identity mapping candidate using system dma mask

The identity mapping code appears to make the assumption that if the
devices dma_mask is greater than 32bits the device can use identity
mapping.  But that is not true: take the case where we have a 40bit
device in a 44bit architecture. The device can potentially receive a
physical address that it will truncate and cause incorrect addresses
to be used.

Instead check to see if the device's dma_mask is large enough
to address the system's dma_mask.

Signed-off-by: Mike Travis <travis@sgi.com>
Reviewed-by: Mike Habeck <habeck@sgi.com>
Cc: stable@kernel.org
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
13 years agointel-iommu: Only unlink device domains from iommu
Alex Williamson [Tue, 24 May 2011 16:19:04 +0000 (12:19 -0400)]
intel-iommu: Only unlink device domains from iommu

Commit a97590e5 added unlinking domains from iommus to reciprocate the
iommu from domains unlinking that was already done.  We actually want
to only do this for device domains and never for the static
identity map domain or VM domains.  The SI domain is special and
never freed, while VM domain->id lives in their own special address
space, separate from iommu->domain_ids.

In the current code, a VM can get domain->id zero, then mark that
domain unused when unbound from pci-stub.  This leads to DMAR
write faults when the device is re-bound to the host driver.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Cc: stable@kernel.org
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
13 years agointel-iommu: Enable super page (2MiB, 1GiB, etc.) support
Youquan Song [Wed, 25 May 2011 18:13:49 +0000 (19:13 +0100)]
intel-iommu: Enable super page (2MiB, 1GiB, etc.) support

There are no externally-visible changes with this. In the loop in the
internal __domain_mapping() function, we simply detect if we are mapping:
  - size >= 2MiB, and
  - virtual address aligned to 2MiB, and
  - physical address aligned to 2MiB, and
  - on hardware that supports superpages.

(and likewise for larger superpages).

We automatically use a superpage for such mappings. We never have to
worry about *breaking* superpages, since we trust that we will always
*unmap* the same range that was mapped. So all we need to do is ensure
that dma_pte_clear_range() will also cope with superpages.

Adjust pfn_to_dma_pte() to take a superpage 'level' as an argument, so
it can return a PTE at the appropriate level rather than always
extending the page tables all the way down to level 1. Again, this is
simplified by the fact that we should never encounter existing small
pages when we're creating a mapping; any old mapping that used the same
virtual range will have been entirely removed and its obsolete page
tables freed.

Provide an 'intel_iommu=sp_off' argument on the command line as a
chicken bit. Not that it should ever be required.

==

The original commit seen in the iommu-2.6.git was Youquan's
implementation (and completion) of my own half-baked code which I'd
typed into an email. Followed by half a dozen subsequent 'fixes'.

I've taken the unusual step of rewriting history and collapsing the
original commits in order to keep the main history simpler, and make
life easier for the people who are going to have to backport this to
older kernels. And also so I can give it a more coherent commit comment
which (hopefully) gives a better explanation of what's going on.

The original sequence of commits leading to identical code was:

Youquan Song (3):
      intel-iommu: super page support
      intel-iommu: Fix superpage alignment calculation error
      intel-iommu: Fix superpage level calculation error in dma_pfn_level_pte()

David Woodhouse (4):
      intel-iommu: Precalculate superpage support for dmar_domain
      intel-iommu: Fix hardware_largepage_caps()
      intel-iommu: Fix inappropriate use of superpages in __domain_mapping()
      intel-iommu: Fix phys_pfn in __domain_mapping for sglist pages

Signed-off-by: Youquan Song <youquan.song@intel.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
13 years agomtd: fix physmap.h warnings
Randy Dunlap [Mon, 23 May 2011 18:37:09 +0000 (11:37 -0700)]
mtd: fix physmap.h warnings

Fix build warnings in physmap.h:

include/linux/mtd/physmap.h:25: warning: 'struct platform_device' declared inside parameter list
include/linux/mtd/physmap.h:25: warning: its scope is only this definition or declaration, which is probably not what you want
include/linux/mtd/physmap.h:26: warning: 'struct platform_device' declared inside parameter list
include/linux/mtd/physmap.h:27: warning: 'struct platform_device' declared inside parameter list

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
13 years agoUBIFS: fix recovery broken by the previous recovery fix
Artem Bityutskiy [Thu, 26 May 2011 05:58:19 +0000 (08:58 +0300)]
UBIFS: fix recovery broken by the previous recovery fix

Unfortunately, the recovery fix d1606a59b6be4ea392eabd40d1250aa1eeb19efb
(UBIFS: fix extremely rare mount failure) broke recovery. This commit make
UBIFS drop the last min. I/O unit in all journal heads, but this is needed only
for the GC head. And this does not work for non-GC heads. For example, if
suppose we have min. I/O units A and B, and A contains a valid node X, which
was fsynced, and then a group of nodes Y which spans the rest of A and B. In
this case we'll drop not only Y, but also X, which is obviously incorrect.

This patch fixes the issue and additionally makes recovery to drop last min.
I/O unit only for the GC head, and leave things as they have been for ages for
the other heads - this is safer.

Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
13 years agoUBIFS: amend ubifs_recover_leb interface
Artem Bityutskiy [Thu, 26 May 2011 05:36:52 +0000 (08:36 +0300)]
UBIFS: amend ubifs_recover_leb interface

Instead of passing "grouped" parameter to 'ubifs_recover_leb()' which tells
whether the nodes are grouped in the LEB to recover, pass the journal head
number and let 'ubifs_recover_leb()' look at the journal head's 'grouped' flag.

This patch is a preparation to a further fix where we'll need to know the
journal head number for other purposes.

Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
13 years agoUBIFS: introduce a "grouped" journal head flag
Artem Bityutskiy [Thu, 26 May 2011 05:26:05 +0000 (08:26 +0300)]
UBIFS: introduce a "grouped" journal head flag

Journal heads are different in a way how UBIFS writes nodes there. All normal
journal heads receive grouped nodes, while the GC journal heads receives
ungrouped nodes. This patch adds a 'grouped' flag to 'struct ubifs_jhead' which
describes this property.

This patch is a preparation to a further recovery fix.

Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
13 years agoUBIFS: supress false error messages
Artem Bityutskiy [Thu, 26 May 2011 03:51:48 +0000 (06:51 +0300)]
UBIFS: supress false error messages

Commit ab51afe05273741f72383529ef488aa1ea598ec6 was a good clean-up, but
it introduced a regression - now UBIFS prints scary error messages during
recovery on all corrupted nodes, even though the corruptions are expected
(due to a power cut). This patch fixes the issue.

Additionally fix a typo in a commentary introduced by the same commit.

Signed-off-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
13 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris...
Linus Torvalds [Wed, 1 Jun 2011 07:35:37 +0000 (16:35 +0900)]
Merge branch 'for-linus' of git://git./linux/kernel/git/jmorris/security-testing-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
  AppArmor: fix oops in apparmor_setprocattr

13 years agokgdbts: only use new asm-generic/ptrace.h api when needed
Mike Frysinger [Sat, 28 May 2011 14:04:25 +0000 (10:04 -0400)]
kgdbts: only use new asm-generic/ptrace.h api when needed

The new instruction_pointer_set helper is defined for people who have
converted to asm-generic/ptrace.h, so don't use it generally unless
the arch needs it (in which case it has been converted).  This should
fix building of kgdb tests for arches not yet converted.

Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Acked-by: Stephen Rothwell <sfr@canb.auug.org.au>
Cc: Jason Wessel <jason.wessel@windriver.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
13 years agoblock: blkdev_get() should access ->bd_disk only after success
Tejun Heo [Wed, 1 Jun 2011 06:27:41 +0000 (08:27 +0200)]
block: blkdev_get() should access ->bd_disk only after success

d4dc210f69 (block: don't block events on excl write for non-optical
devices) added dereferencing of bdev->bd_disk to test
GENHD_FL_BLOCK_EVENTS_ON_EXCL_WRITE; however, bdev->bd_disk can be
%NULL if open failed which can lead to an oops.

Test the flag after testing open was successful, not before.

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: David Miller <davem@davemloft.net>
Tested-by: David Miller <davem@davemloft.net>
Cc: stable@kernel.org
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
13 years agoAppArmor: fix oops in apparmor_setprocattr
Kees Cook [Tue, 31 May 2011 18:31:41 +0000 (11:31 -0700)]
AppArmor: fix oops in apparmor_setprocattr

When invalid parameters are passed to apparmor_setprocattr a NULL deref
oops occurs when it tries to record an audit message. This is because
it is passing NULL for the profile parameter for aa_audit. But aa_audit
now requires that the profile passed is not NULL.

Fix this by passing the current profile on the task that is trying to
setprocattr.

Signed-off-by: Kees Cook <kees@ubuntu.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Cc: stable@kernel.org
Signed-off-by: James Morris <jmorris@namei.org>
13 years agoRevert "net: fix section mismatches"
David S. Miller [Wed, 1 Jun 2011 02:27:48 +0000 (19:27 -0700)]
Revert "net: fix section mismatches"

This reverts commit e5cb966c0838e4da43a3b0751bdcac7fe719f7b4.

It causes new build regressions with gcc-4.2 which is
pretty common on non-x86 platforms.

Reported-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agodrivers/net/usb/catc.c: Fix potential deadlock in catc_ctrl_run()
Alexey Khoroshilov [Mon, 30 May 2011 07:06:24 +0000 (07:06 +0000)]
drivers/net/usb/catc.c: Fix potential deadlock in catc_ctrl_run()

catc_ctrl_run() calls usb_submit_urb() with GFP_KERNEL, while it is called from
catc_ctrl_async() and catc_ctrl_done() with catc->ctrl_lock spinlock held.

The patch replaces GFP_KERNEL with GFP_ATOMIC.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agosctp: stop pending timers and purge queues when peer restart asoc
Wei Yongjun [Sun, 29 May 2011 23:23:36 +0000 (23:23 +0000)]
sctp: stop pending timers and purge queues when peer restart asoc

If the peer restart the asoc, we should not only fail any unsent/unacked
data, but also stop the T3-rtx, SACK, T4-rto timers, and teardown ASCONF
queues.

Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
13 years agodrivers/net: ks8842 Fix crash on received packet when in PIO mode.
Dennis Aberilla [Sun, 29 May 2011 11:46:54 +0000 (11:46 +0000)]
drivers/net: ks8842 Fix crash on received packet when in PIO mode.

This patch fixes a driver crash during packet reception due to not enough
bytes allocated in the skb. Since the loop reads out 4 bytes at a time, we
need to allow for up to 3 bytes of slack space.

Signed-off-by: Dennis Aberilla <denzzzhome@yahoo.com>
Signed-off-by: David S. Miller <davem@zippy.davemloft.net>
13 years agoip_options_compile: properly handle unaligned pointer
Chris Metcalf [Sun, 29 May 2011 10:55:44 +0000 (10:55 +0000)]
ip_options_compile: properly handle unaligned pointer

The current code takes an unaligned pointer and does htonl() on it to
make it big-endian, then does a memcpy().  The problem is that the
compiler decides that since the pointer is to a __be32, it is legal
to optimize the copy into a processor word store.  However, on an
architecture that does not handled unaligned writes in kernel space,
this produces an unaligned exception fault.

The solution is to track the pointer as a "char *" (which removes a bunch
of unpleasant casts in any case), and then just use put_unaligned_be32()
to write the value to memory.

Signed-off-by: Chris Metcalf <cmetcalf@tilera.com>
Signed-off-by: David S. Miller <davem@zippy.davemloft.net>
13 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux-2.6-for-linus
Linus Torvalds [Tue, 31 May 2011 21:45:08 +0000 (06:45 +0900)]
Merge git://git./linux/kernel/git/rusty/linux-2.6-for-linus

* git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux-2.6-for-linus:
  virtio_net: delay TX callbacks
  virtio: add api for delayed callbacks
  virtio_test: support event index
  vhost: support event index
  virtio_ring: support event idx feature
  virtio ring: inline function to check for events
  virtio: event index interface
  virtio: add full three-clause BSD text to headers.
  virtio balloon: kill tell-host-first logic
  virtio console: don't manually set or finalize VIRTIO_CONSOLE_F_MULTIPORT.
  drivers, block: virtio_blk: Replace cryptic number with the macro
  virtio_blk: allow re-reading config space at runtime
  lguest: remove support for VIRTIO_F_NOTIFY_ON_EMPTY.
  lguest: fix up compilation after move
  lguest: fix timer interrupt setup

13 years agoMerge branch 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6
Linus Torvalds [Tue, 31 May 2011 21:44:10 +0000 (06:44 +0900)]
Merge branch 'release' of git://git./linux/kernel/git/aegl/linux-2.6

* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6:
  [IA64] wire up sendmmsg() syscall for Itanium