opensuse:kernel.git
11 years agoLinux 2.6.16.51-rc1
Adrian Bunk [Fri, 4 May 2007 22:04:12 +0000 (00:04 +0200)]
Linux 2.6.16.51-rc1

11 years ago[X.25]: Add missing sock_put in x25_receive_data
Andrew Hendry [Fri, 4 May 2007 22:00:25 +0000 (00:00 +0200)]
[X.25]: Add missing sock_put in x25_receive_data

__x25_find_socket does a sock_hold.
This adds a missing sock_put in x25_receive_data.

Signed-off-by: Andrew Hendry <andrew.hendry@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[NETFILTER]: ipt_CLUSTERIP: fix oops in checkentry function
Jaroslav Kysela [Fri, 4 May 2007 21:59:07 +0000 (23:59 +0200)]
[NETFILTER]: ipt_CLUSTERIP: fix oops in checkentry function

The clusterip_config_find_get() already increases entries reference
counter, so there is no reason to do it twice in checkentry() callback.

This causes the config to be freed before it is removed from the list,
resulting in a crash when adding the next rule.

Signed-off-by: Jaroslav Kysela <perex@suse.cz>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agox86_64: ACPI_CPU_FREQ must select CPU_FREQ_TABLE
Adrian Bunk [Fri, 4 May 2007 21:48:45 +0000 (23:48 +0200)]
x86_64: ACPI_CPU_FREQ must select CPU_FREQ_TABLE

Fix a compile error reported by Michel Lespinasse.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agohwmon/w83627ehf: Don't redefine REGION_OFFSET
Jean Delvare [Thu, 3 May 2007 23:35:12 +0000 (01:35 +0200)]
hwmon/w83627ehf: Don't redefine REGION_OFFSET

On ia64, kernel headers define REGION_OFFSET so we can't use that.
Reported by Andrew Morton.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[NETFILTER]: ip_nat_proto_gre: do not modify/corrupt GREv0 packets through NAT
Jorge Boncompte [Thu, 3 May 2007 23:00:32 +0000 (01:00 +0200)]
[NETFILTER]: ip_nat_proto_gre: do not modify/corrupt GREv0 packets through NAT

While porting some changes of the 2.6.21-rc7 pptp/proto_gre conntrack
and nat modules to a 2.4.32 kernel I noticed that the gre_key function
returns a wrong pointer to the GRE key of a version 0 packet thus
corrupting the packet payload.

The intended behaviour for GREv0 packets is to act like
ip_conntrack_proto_generic/ip_nat_proto_unknown so I have ripped the
offending functions (not used anymore) and modified the
ip_nat_proto_gre modules to not touch version 0 (non PPTP) packets.

Signed-off-by: Jorge Boncompte <jorge@dti2.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoholepunch: fix mmap_sem i_mutex deadlock
Hugh Dickins [Thu, 3 May 2007 22:54:25 +0000 (00:54 +0200)]
holepunch: fix mmap_sem i_mutex deadlock

sys_madvise has down_write of mmap_sem, then madvise_remove calls
vmtruncate_range which takes i_mutex and i_alloc_sem: no, we can
easily devise deadlocks from that ordering.

madvise_remove drop mmap_sem while calling vmtruncate_range: luckily,
since madvise_remove doesn't split or merge vmas, it's easy to handle
this case with a NULL prev, without restructuring sys_madvise.  (Though
sad to retake mmap_sem when it's unlikely to be needed, and certainly
down_read is sufficient for MADV_REMOVE, unlike the other madvices.)

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoholepunch: fix disconnected pages after second truncate
Hugh Dickins [Thu, 3 May 2007 22:53:54 +0000 (00:53 +0200)]
holepunch: fix disconnected pages after second truncate

shmem_truncate_range has its own truncate_inode_pages_range, to free any
pages racily instantiated while it was in progress: a SHMEM_PAGEIN flag
is set when this might have happened.  But holepunching gets no chance
to clear that flag at the start of vmtruncate_range, so it's always set
(unless a truncate came just before), so holepunch almost always does
this second truncate_inode_pages_range.

shmem holepunch has unlikely swap<->file races hereabouts whatever we do
(without a fuller rework than is fit for this release): I was going to
skip the second truncate in the punch_hole case, but Miklos points out
that would make holepunch correctness more vulnerable to swapoff.  So
keep the second truncate, but follow it by an unmap_mapping_range to
eliminate the disconnected pages (freed from pagecache while still
mapped in userspace) that it might have left behind.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoholepunch: fix shmem_truncate_range punch locking
Hugh Dickins [Thu, 3 May 2007 22:52:56 +0000 (00:52 +0200)]
holepunch: fix shmem_truncate_range punch locking

Miklos Szeredi observes that during truncation of shmem page directories,
info->lock is released to improve latency (after lowering i_size and
next_index to exclude races); but this is quite wrong for holepunching,
which receives no such protection from i_size or next_index, and is left
vulnerable to races with shmem_unuse, shmem_getpage and shmem_writepage.

Hold info->lock throughout when holepunching?  No, any user could prevent
rescheduling for far too long.  Instead take info->lock just when needed:
in shmem_free_swp when removing the swap entries, and whenever removing
a directory page from the level above.  But so long as we remove before
scanning, we can safely skip taking the lock at the lower levels, except
at misaligned start and end of the hole.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoholepunch: fix shmem_truncate_range punching too far
Hugh Dickins [Thu, 3 May 2007 22:52:18 +0000 (00:52 +0200)]
holepunch: fix shmem_truncate_range punching too far

Miklos Szeredi observes BUG_ON(!entry) in shmem_writepage() triggered
in rare circumstances, because shmem_truncate_range() erroneously
removes partially truncated directory pages at the end of the range:
later reclaim on pages pointing to these removed directories triggers
the BUG.  Indeed, and it can also cause data loss beyond the hole.

Fix this as in the patch proposed by Miklos, but distinguish between
"limit" (how far we need to search: ignore truncation's next_index
optimization in the holepunch case - if there are races it's more
consistent to act on the whole range specified) and "upper_limit"
(how far we can free directory pages: generally we must be careful
to keep partially punched pages, but can relax at end of file -
i_size being held stable by i_mutex).

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoLinux 2.6.16.50
Adrian Bunk [Thu, 3 May 2007 21:49:52 +0000 (23:49 +0200)]
Linux 2.6.16.50

11 years agoLinux 2.6.16.50-rc1
Adrian Bunk [Tue, 1 May 2007 03:44:08 +0000 (05:44 +0200)]
Linux 2.6.16.50-rc1

11 years ago[IPV6]: Disallow RH0 by default (CVE-2007-2242)
Adrian Bunk [Mon, 30 Apr 2007 23:31:47 +0000 (01:31 +0200)]
[IPV6]: Disallow RH0 by default (CVE-2007-2242)

A security issue is emerging.  Disallow Routing Header Type 0 by default
as we have been doing for IPv4.

This version already includes a fix for the original patch.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[NETLINK]: Infinite recursion in netlink (CVE-2007-1861)
Adrian Bunk [Mon, 30 Apr 2007 23:11:29 +0000 (01:11 +0200)]
[NETLINK]: Infinite recursion in netlink (CVE-2007-1861)

Reply to NETLINK_FIB_LOOKUP messages were misrouted back to kernel,
which resulted in infinite recursion and stack overflow.

The bug is present in all kernel versions since the feature appeared.

The patch also makes some minimal cleanup:

1. Return something consistent (-ENOENT) when fib table is missing
2. Do not crash when queue is empty (does not happen, but yet)
3. Put result of lookup

Sergey Vlasov:
Oops fix

Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Signed-off-by: Sergey Vlasov <vsu@altlinux.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoChar: icom, mark __init as __devinit
Jiri Slaby [Wed, 25 Apr 2007 23:35:22 +0000 (01:35 +0200)]
Char: icom, mark __init as __devinit

Two functions are called from __devinit context, but they are marked as
__init. Fix this.

Signed-off-by: Jiri Slaby <jirislaby@gmail.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoaio: remove bare user-triggerable error printk
Zach Brown [Wed, 25 Apr 2007 22:47:15 +0000 (00:47 +0200)]
aio: remove bare user-triggerable error printk

The user can generate console output if they cause do_mmap() to fail
during sys_io_setup().  This was seen in a regression test that does
exactly that by spinning calling mmap() until it gets -ENOMEM before
calling io_setup().

We don't need this printk at all, just remove it.

Signed-off-by: Zach Brown <zach.brown@oracle.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agomca_nmi_hook() can be called at any point
Al Viro [Wed, 25 Apr 2007 22:43:52 +0000 (00:43 +0200)]
mca_nmi_hook() can be called at any point

... and having it __init is a bad idea.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoIrDA: irttp_dup spin_lock initialisation
Guennadi Liakhovetski [Wed, 25 Apr 2007 19:57:52 +0000 (21:57 +0200)]
IrDA: irttp_dup spin_lock initialisation

Without this initialization one gets

kernel BUG at kernel/rtmutex_common.h:80!

Signed-off-by: G. Liakhovetski <gl@dsa-ac.de>
Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
Acked-by: David Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoIrDA: Incorrect TTP header reservation
Jeet Chaudhuri [Wed, 25 Apr 2007 19:53:20 +0000 (21:53 +0200)]
IrDA: Incorrect TTP header reservation

We must reserve SAR + MAX_HEADER bytes for IrLMP to fit in.
This fixes an oops reported (and fixed) by Jeet Chaudhuri, when max_sdu_size
is greater than 0.

Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agox86 microcode: don't check the size
Shaohua Li [Mon, 23 Apr 2007 23:25:26 +0000 (01:25 +0200)]
x86 microcode: don't check the size

IA32 manual says if micorcode update's size is 0, then the size is
default size (2048 bytes). But this doesn't suggest all microcode
update's size should be above 2048 bytes to me. We actually had a
microcode update whose size is 1024 bytes. The patch just removed the
check.

Backported by Daniel Drake.

Signed-off-by: Daniel Drake <dsd@gentoo.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoLinux 2.6.16.49
Adrian Bunk [Sun, 22 Apr 2007 22:59:58 +0000 (00:59 +0200)]
Linux 2.6.16.49

11 years agoLinux 2.6.16.49-rc1
Adrian Bunk [Fri, 20 Apr 2007 22:20:44 +0000 (00:20 +0200)]
Linux 2.6.16.49-rc1

11 years agotty_io: fix race in master pty close/slave pty close path
Aristeu Sergio Rozanski Filho [Fri, 20 Apr 2007 22:18:01 +0000 (00:18 +0200)]
tty_io: fix race in master pty close/slave pty close path

This patch fixes a possible race that leads to double freeing an idr index.
 When the master begin to close, release_dev() is called and then
pty_close() is called:

        if (tty->driver->close)
                tty->driver->close(tty, filp);

This is done without helding any locks other than BKL.  Inside pty_close(),
being a master close, the devpts entry will be removed:

#ifdef CONFIG_UNIX98_PTYS
                if (tty->driver == ptm_driver)
                        devpts_pty_kill(tty->index);
#endif

But devpts_pty_kill() will call get_node() that may sleep while waiting for
&devpts_root->d_inode->i_sem.  When this happens and the slave is being
opened, tty_open() just found the driver and index:

        driver = get_tty_driver(device, &index);
        if (!driver) {
                mutex_unlock(&tty_mutex);
                return -ENODEV;
        }

This part of the code is already protected under tty_mute.  The problem is
that the slave close already got an index.  Then init_dev() is called and
blocks waiting for the same &devpts_root->d_inode->i_sem.

When the master close resumes, it removes the devpts entry, and the
relation between idr index and the tty is gone.  The master then sleeps
waiting for the tty_mutex on release_dev().

Slave open resumes and found no tty for that index.  As result, a NULL tty
is returned and init_dev() doesn't flow to fast_track:

        /* check whether we're reopening an existing tty */
        if (driver->flags & TTY_DRIVER_DEVPTS_MEM) {
                tty = devpts_get_tty(idx);
                if (tty && driver->subtype == PTY_TYPE_MASTER)
                        tty = tty->link;
        } else {
                tty = driver->ttys[idx];
        }
        if (tty) goto fast_track;

The result of this, is that a new tty will be created and init_dev() returns
sucessfull. After returning, tty_mutex is dropped and master close may resume.

Master close finds it's the only use and both sides are closing, then releases
the tty and the index. At this point, the idr index is free, but slave still
has it.

Slave open then calls pty_open() and finds that tty->link->count is 0,
because there's no master and returns error.  Then tty_open() calls
release_dev() which executes without any warning, as it was a case of last
slave close when the master is already closed (master->count == 0,
slave->count == 1).  The tty is then released with the already released idr
index.

This normally would only issue a warning on idr_remove() but in case of a
customer's critical application, it's never too simple:

thread1: opens master, gets index X
thread1: begin closing master
thread2: begin opening slave with index X
thread1: finishes closing master, index X released
thread3: opens master, gets index X, just released
thread2: fails opening slave, releases index X         <----
thread4: opens master, gets index X, init_dev() then find an already in use
         and healthy tty and fails

If no more indexes are released, ptmx_open() will keep failing, as the
first free index available is X, and it will make init_dev() fail because
you're trying to "reopen a master" which isn't valid.

The patch notices when this race happens and make init_dev() fail
imediately.  The init_dev() function is called with tty_mutex held, so it's
safe to continue with tty till the end of function because release_dev()
won't make any further changes without grabbing the tty_mutex.

Without the patch, on some machines it's possible get easily idr warnings
like this one:

idr_remove called for id=15 which is not allocated.
 [<c02555b9>] idr_remove+0x139/0x170
 [<c02a1b62>] release_mem+0x182/0x230
 [<c02a28e7>] release_dev+0x4b7/0x700
 [<c02a0ea7>] tty_ldisc_enable+0x27/0x30
 [<c02a1e64>] init_dev+0x254/0x580
 [<c02a0d64>] check_tty_count+0x14/0xb0
 [<c02a4f05>] tty_open+0x1c5/0x340
 [<c02a4d40>] tty_open+0x0/0x340
 [<c017388f>] chrdev_open+0xaf/0x180
 [<c017c2ac>] open_namei+0x8c/0x760
 [<c01737e0>] chrdev_open+0x0/0x180
 [<c0167bc9>] __dentry_open+0xc9/0x210
 [<c0167e2c>] do_filp_open+0x5c/0x70
 [<c0167a91>] get_unused_fd+0x61/0xd0
 [<c0167e93>] do_sys_open+0x53/0x100
 [<c0167f97>] sys_open+0x27/0x30
 [<c010303b>] syscall_call+0x7/0xb

using this test application available on:
 http://www.ruivo.org/~aris/pty_sodomizer.c

Signed-off-by: Aristeu Sergio Rozanski Filho <aris@ruivo.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoelevator: move clearing of unplug flag earlier
Linas Vepstas [Fri, 20 Apr 2007 22:13:30 +0000 (00:13 +0200)]
elevator: move clearing of unplug flag earlier

A flag was recently added to the elevator code to avoid
performing an unplug when reuests are being re-queued.
The goal of this flag was to avoid a deep recursion that
can occur when re-queueing requests after a SCSI device/host
reset.  See http://lkml.org/lkml/2006/5/17/254

However, that fix added the flag near the bottom of a case
statement, where an earlier break (in an if statement) could
transport one out of the case, without setting the flag.
This patch sets the flag earlier in the case statement.

I re-discovered the deep recursion recently during testing;
I was told that it was a known problem, and the fix to it was
in the kernel I was testing. Indeed it was ... but it didn't
fix the bug. With the patch below, I no longer see the bug.

Signed-off by: Linas Vepstas <linas@austin.ibm.com>
Signed-off-by: Jens Axboe <axboe@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agostart_kernel: test if irq's got enabled early, barf, and disable them again
Ard van Breemen [Fri, 20 Apr 2007 22:10:28 +0000 (00:10 +0200)]
start_kernel: test if irq's got enabled early, barf, and disable them again

The calls made by parse_parms to other initialization code might enable
interrupts again way too early.

Having interrupts on this early can make systems PANIC when they initialize
the IRQ controllers (which happens later in the code).  This patch detects
that irq's are enabled again, barfs about it and disables them again as a
safety net.

[akpm@osdl.org: cleanups]
Signed-off-by: Ard van Breemen <ard@telegraafnet.nl>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[IrDA]: Correctly handling socket error
Olaf Kirch [Thu, 19 Apr 2007 23:45:09 +0000 (01:45 +0200)]
[IrDA]: Correctly handling socket error

This patch fixes an oops first reported in mid 2006 - see
http://lkml.org/lkml/2006/8/29/358 The cause of this bug report is that
when an error is signalled on the socket, irda_recvmsg_stream returns
without removing a local wait_queue variable from the socket's sk_sleep
queue. This causes havoc further down the road.

In response to this problem, a patch was made that invoked sock_orphan on
the socket when receiving a disconnect indication. This is not a good fix,
as this sets sk_sleep to NULL, causing applications sleeping in recvmsg
(and other places) to oops.

Signed-off-by: Olaf Kirch <olaf.kirch@oracle.com>
Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agohwmon/w83627ehf: Fix the fan5 clock divider write
Jean Delvare [Thu, 19 Apr 2007 23:43:12 +0000 (01:43 +0200)]
hwmon/w83627ehf: Fix the fan5 clock divider write

Users have been complaining about the w83627ehf driver flooding their logs
with debug messages like:

w83627ehf 9191-0a10: Increasing fan 4 clock divider from 64 to 128

or:

w83627ehf 9191-0290: Increasing fan 4 clock divider from 4 to 8

The reason is that we failed to actually write the LSB of the encoded clock
divider value for that fan, causing the next read to report the same old value
again and again.

Additionally, the fan number was improperly reported, making the bug harder to
find.

Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[NET]: Fix UDP checksum issue in net poll mode.
Aubrey Li [Thu, 19 Apr 2007 23:40:19 +0000 (01:40 +0200)]
[NET]: Fix UDP checksum issue in net poll mode.

In net poll mode, the current checksum function doesn't consider the
kind of packet which is padded to reach a specific minimum length. I
believe that's the problem causing my test case failed. The following
patch fixed this issue.

Signed-off-by: Aubrey Li <aubreylee@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[SPARC64]: Fix inline directive in pci_iommu.c
Tom Callaway [Thu, 19 Apr 2007 23:38:57 +0000 (01:38 +0200)]
[SPARC64]: Fix inline directive in pci_iommu.c

While building a test kernel for the new esp driver (against
git-current), I hit this bug. Trivial fix, put the inline declaration
in the right place. :)

Signed-off-by: Tom Callaway <tcallawa@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[SPARC64]: Fix arg passing to compat_sys_ipc().
David S. Miller [Thu, 19 Apr 2007 23:37:37 +0000 (01:37 +0200)]
[SPARC64]: Fix arg passing to compat_sys_ipc().

Do not sign extend args using the sys32_ipc stub, that is
buggy and unnecessary.

Based upon an excellent report by Mikael Pettersson.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[SPARC64]: Fix SBUS IOMMU allocation code.
David S. Miller [Thu, 19 Apr 2007 23:35:52 +0000 (01:35 +0200)]
[SPARC64]: Fix SBUS IOMMU allocation code.

There are several IOMMU allocator bugs.  Instead of trying to fix this
overly complicated code, just mirror the PCI IOMMU arena allocator
which is very stable and well stress tested.

I tried to make the code as identical as possible so we can switch
sun4u PCI and SBUS over to a common piece of IOMMU code.  All that
will be need are two callbacks, one to do a full IOMMU flush and one
to do a streaming buffer flush.

This patch gets rid of a lot of hangs and mysterious crashes on SBUS
sparc64 systems, at least for me.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[SCSI] QLOGICPTI: Do not unmap DMA unless we actually mapped something.
David S. Miller [Thu, 19 Apr 2007 23:31:17 +0000 (01:31 +0200)]
[SCSI] QLOGICPTI: Do not unmap DMA unless we actually mapped something.

We only map DMA when cmd->request_bufflen is non-zero for non-sg
buffers, we thus should make the same check when unmapping.

Based upon a report from Pasi Pirhonen.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoLinux 2.6.16.48
Adrian Bunk [Sun, 15 Apr 2007 20:16:49 +0000 (22:16 +0200)]
Linux 2.6.16.48

11 years agoLinux 2.6.16.48-rc1
Adrian Bunk [Fri, 13 Apr 2007 19:51:12 +0000 (21:51 +0200)]
Linux 2.6.16.48-rc1

11 years ago[NET_SCHED]: cls_tcindex: fix compatibility breakage
Patrick McHardy [Fri, 13 Apr 2007 19:34:16 +0000 (21:34 +0200)]
[NET_SCHED]: cls_tcindex: fix compatibility breakage

Userspace uses an integer for TCA_TCINDEX_SHIFT, the kernel was changed
to expect and use a u16 value in 2.6.11, which broke compatibility on
big endian machines. Change back to use int.

Reported by Ole Reinartz <ole.reinartz@gmx.de>

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[IPSEC]: Reject packets within replay window but outside the bit mask
Herbert Xu [Fri, 13 Apr 2007 19:32:53 +0000 (21:32 +0200)]
[IPSEC]: Reject packets within replay window but outside the bit mask

Up until this point we've accepted replay window settings greater than
32 but our bit mask can only accomodate 32 packets.  Thus any packet
with a sequence number within the window but outside the bit mask would
be accepted.

This patch causes those packets to be rejected instead.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[TCP]: Do receiver-side SWS avoidance for rcvbuf < MSS.
John Heffner [Fri, 13 Apr 2007 19:31:34 +0000 (21:31 +0200)]
[TCP]: Do receiver-side SWS avoidance for rcvbuf < MSS.

Signed-off-by: John Heffner <jheffner@psc.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[IPv6]: Fix incorrect length check in rawv6_sendmsg()
YOSHIFUJI Hideaki [Fri, 13 Apr 2007 19:30:03 +0000 (21:30 +0200)]
[IPv6]: Fix incorrect length check in rawv6_sendmsg()

In article <20070329.142644.70222545.davem@davemloft.net> (at Thu, 29 Mar 2007 14:26:44 -0700 (PDT)), David Miller <davem@davemloft.net> says:

> From: Sridhar Samudrala <sri@us.ibm.com>
> Date: Thu, 29 Mar 2007 14:17:28 -0700
>
> > The check for length in rawv6_sendmsg() is incorrect.
> > As len is an unsigned int, (len < 0) will never be TRUE.
> > I think checking for IPV6_MAXPLEN(65535) is better.
> >
> > Is it possible to send ipv6 jumbo packets using raw
> > sockets? If so, we can remove this check.
>
> I don't see why such a limitation against jumbo would exist,
> does anyone else?
>
> Thanks for catching this Sridhar.  A good compiler should simply
> fail to compile "if (x < 0)" when 'x' is an unsigned type, don't
> you think :-)

Dave, we use "int" for returning value,
so we should fix this anyway, IMHO;
we should not allow len > INT_MAX.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Acked-by: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[NET_SCHED]: cls_basic: fix memory leak in basic_destroy
Patrick McHardy [Fri, 13 Apr 2007 19:28:27 +0000 (21:28 +0200)]
[NET_SCHED]: cls_basic: fix memory leak in basic_destroy

tp->root is not freed on destruction.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoV4L/DVB: Pluto2: fix incorrect TSCR register setting
Andreas Oberritter [Fri, 13 Apr 2007 19:21:28 +0000 (21:21 +0200)]
V4L/DVB: Pluto2: fix incorrect TSCR register setting

The ADEF bits in the TSCR register have different meanings in read and
write mode. For this reason ADEF has to be reset on every
read-modify-write operation.
This patch introduces a special write function for this register, which
takes care of it.

Thanks to Holger Magnussen for pointing my nose at this problem.

Signed-off-by: Andreas Oberritter <obi@linuxtv.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoV4L: saa7146: Fix allocation of clipping memory
Oliver Endriss [Fri, 13 Apr 2007 19:23:49 +0000 (21:23 +0200)]
V4L: saa7146: Fix allocation of clipping memory

Olaf Hering pointed out that SAA7146_CLIPPING_MEM would become
very large for PAGE_SIZE > 4K.

In fact, the number of clipping windows is limited to 16,
and calculate_clipping_registers_rect() does not use more
than 256 bytes. SAA7146_CLIPPING_MEM adjusted accordingly.

(cherry picked from commit 7a7cd1920969dd9da4e0d99aab573b3eba24c799)

Thanks-to: Olaf Hering <olaf@aepfle.de>
Signed-off-by: Oliver Endriss <o.endriss@gmx.de>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoV4L: radio: Fix error in Kbuild file
Trent Piepho [Fri, 13 Apr 2007 19:23:11 +0000 (21:23 +0200)]
V4L: radio: Fix error in Kbuild file

All the radio drivers need video_dev, but they were depending on
VIDEO_DEV!=n.  That meant that one could try to compile the driver into
the kernel when VIDEO_DEV=m, which will not work.  If video_dev is a
module, then the radio drivers must be modules too.

(cherry picked from commit b10fece583fdfdb3d2f29b0da3896ec58b8fe122)

Signed-off-by: Trent Piepho <xyzzy@speakeasy.org>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoV4L: tveeprom: autodetect LG TAPC G701D as tuner type 37
Michael Krufky [Fri, 13 Apr 2007 19:18:10 +0000 (21:18 +0200)]
V4L: tveeprom: autodetect LG TAPC G701D as tuner type 37

Autodetect LG TAPC G701D as tuner type 37, fixing
mis-detected tuners in some Hauppauge tv tuner cards.

Thanks to Adonis Papas, for pointing this out.

(cherry picked from commit 1323fbda1343f50f198bc8bd6d1d59c8b7fc45bf)

Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agosky2: turn on clocks when doing resume
Stephen Hemminger [Fri, 13 Apr 2007 18:34:00 +0000 (20:34 +0200)]
sky2: turn on clocks when doing resume

Some of these chips are disabled until clock is enabled.
This fixes:
     http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=404107

Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agosky2: turn carrier off when down
Stephen Hemminger [Fri, 13 Apr 2007 18:32:35 +0000 (20:32 +0200)]
sky2: turn carrier off when down

Driver needs to turn off carrier when down.

Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoskge: turn carrier off when down
Stephen Hemminger [Fri, 13 Apr 2007 18:31:50 +0000 (20:31 +0200)]
skge: turn carrier off when down

Driver needs to turn off carrier when down, otherwise it can
confuse bonding and bridging and looks like carrier is on immediately
when it is brought back up.

Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoi386: fix file_read_actor() and pipe_read() for original i386 systems
Thomas Gleixner [Fri, 13 Apr 2007 18:45:17 +0000 (20:45 +0200)]
i386: fix file_read_actor() and pipe_read() for original i386 systems

The __copy_to_user_inatomic() calls in file_read_actor() and pipe_read()
are broken on original i386 machines, where WP-works-ok == false, as
__copy_to_user_inatomic() on such systems calls functions which might
sleep and/or contain cond_resched() calls inside of a kmap_atomic()
region.

The original check for WP-works-ok was in access_ok(), but got moved
during the 2.5 series to fix a race vs. swap.

Return the number of bytes to copy in the case where we are in an atomic
region, so the non atomic code pathes in file_read_actor() and
pipe_read() are taken.

This could be optimized to avoid the kmap_atomicby moving the check for
WP-works-ok into fault_in_pages_writeable(), but this is more intrusive
and can be done later.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agor8169: issue request_irq after the private data are completely initialized
Francois Romieu [Fri, 13 Apr 2007 20:57:48 +0000 (22:57 +0200)]
r8169: issue request_irq after the private data are completely initialized

The irq handler schedules a NAPI poll request unconditionally as soon as
the status register is not clean. It has been there - and wrong - for
ages but a recent timing change made it apparently easier to trigger.

Adrian Bunk:
backported to 2.6.16

Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agor8169: fix suspend/resume for down interface
Francois Romieu [Fri, 13 Apr 2007 18:19:50 +0000 (20:19 +0200)]
r8169: fix suspend/resume for down interface

The PM hooks are no-op if the r8169 interface is down (i.e. !IFF_UP).
However, as the chipset is enabled, the device will not work after a
suspend/resume cycle. The patch always issue the required PCI suspend
sequence and removes the module unload/reload workaround.

Signed-off-by: Arnaud Patard <apatard@mandriva.com>
Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agor8169: fix a race between PCI probe and dev_open
Francois Romieu [Fri, 13 Apr 2007 18:18:38 +0000 (20:18 +0200)]
r8169: fix a race between PCI probe and dev_open

Initialize the timer with the rest of the private-struct.

Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoUSB: usbnet driver bugfix
David Brownell [Fri, 13 Apr 2007 18:16:21 +0000 (20:16 +0200)]
USB: usbnet driver bugfix

The attached fixes an oops in the usbnet driver. The same patch is
in 2.6.21-rc1, but that one has many whitespace changes. This is much
smaller.

Signed-off-by: David Brownell <david-b@pacbell.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoLinux 2.6.16.47
Adrian Bunk [Fri, 13 Apr 2007 14:47:54 +0000 (16:47 +0200)]
Linux 2.6.16.47

11 years agoLinux 2.6.16.47-rc1
Adrian Bunk [Tue, 10 Apr 2007 21:07:31 +0000 (23:07 +0200)]
Linux 2.6.16.47-rc1

11 years agoAPPLETALK: Fix a remotely triggerable crash (CVE-2007-1357)
Jean Delvare [Tue, 10 Apr 2007 21:06:06 +0000 (23:06 +0200)]
APPLETALK: Fix a remotely triggerable crash (CVE-2007-1357)

When we receive an AppleTalk frame shorter than what its header says,
we still attempt to verify its checksum, and trip on the BUG_ON() at
the end of function atalk_sum_skb() because of the length mismatch.

This has security implications because this can be triggered by simply
sending a specially crafted ethernet frame to a target victim,
effectively crashing that host. Thus this qualifies, I think, as a
remote DoS. Here is the frame I used to trigger the crash, in npg
format:

<Appletalk Killer>
{
# Ethernet header -----

  XX XX XX XX XX XX  # Destination MAC
  00 00 00 00 00 00  # Source MAC
  00 1D              # Length

# LLC header -----

  AA AA 03
  08 00 07 80 9B  # Appletalk

# Appletalk header -----

  00 1B        # Packet length (invalid)
  00 01        # Fake checksum
  00 00 00 00  # Destination and source networks
  00 00 00 00  # Destination and source nodes and ports

# Payload -----

  0C 0D 0E 0F 10 11 12 13
  14
}

The destination MAC address must be set to those of the victim.

The severity is mitigated by two requirements:
* The target host must have the appletalk kernel module loaded. I
  suspect this isn't so frequent.
* AppleTalk frames are non-IP, thus I guess they can only travel on
  local networks. I am no network expert though, maybe it is possible
  to somehow encapsulate AppleTalk packets over IP.

The bug has been reported back in June 2004:
  http://bugzilla.kernel.org/show_bug.cgi?id=2979
But it wasn't investigated, and was closed in July 2006 as both
reporters had vanished meanwhile.

This code was new in kernel 2.6.0-test5:
  http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=7ab442d7e0a76402c12553ee256f756097cae2d2
And not modified since then, so we can assume that vanilla kernels
2.6.0-test5 and later, and distribution kernels based thereon, are
affected.

Note that I still do not know for sure what triggered the bug in the
real-world cases. The frame could have been corrupted by the kernel if
we have a bug hiding somewhere. But more likely, we are receiving the
faulty frame from the network.

Signed-off-by: Jean Delvare <jdelvare@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agosiimage: PIO1/2 taskfile transfer overclocking fix
Sergei Shtylyov [Sun, 8 Apr 2007 23:16:18 +0000 (01:16 +0200)]
siimage: PIO1/2 taskfile transfer overclocking fix

Fix two typos found by SiI680A documentation check.  They caused the taskfile
transfer overclocking:

- in PIO mode 1 as 0x2283 must be used for both data and taskfile transfers;

- in PIO mode 2 as data and taskfile timings are swapped when writing to the
  MMIO regs.

Fix coding style and trailing whitespace in enclosing statements while at it...

Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agohrtimer: prevent overrun DoS in hrtimer_forward()
Thomas Gleixner [Sun, 8 Apr 2007 23:04:23 +0000 (01:04 +0200)]
hrtimer: prevent overrun DoS in hrtimer_forward()

hrtimer_forward() does not check for the possible overflow of
timer->expires. This can happen on 64 bit machines with large interval
values and results currently in an endless loop in the softirq because
the expiry value becomes negative and therefor the timer is expired all
the time.

Check for this condition and set the expiry value to the max. expiry
time in the future.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agofix MTIME_SEC_MAX on 32-bit
Thomas Gleixner [Sun, 8 Apr 2007 22:54:30 +0000 (00:54 +0200)]
fix MTIME_SEC_MAX on 32-bit

The maximum seconds value we can handle on 32bit is LONG_MAX.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoprevent timespec/timeval to ktime_t overflow
Thomas Gleixner [Sun, 8 Apr 2007 22:03:30 +0000 (00:03 +0200)]
prevent timespec/timeval to ktime_t overflow

Frank v.  Waveren pointed out that on 64bit machines the timespec to
ktime_t conversion might overflow.  This is also true for timeval to
time_t conversions.  This breaks a "sleep inf" on 64bit machines.

While a timespec/timeval with tx.sec = MAX_LONG is valid by specification
the internal representation of ktime_t is based on nanoseconds.  The
conversion of seconds to nanoseconds overflows for seconds values >=
(MAX_LONG / NSEC_PER_SEC).

Check the seconds argument to the conversion and limit it to the maximum
time which can be represented by ktime_t.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoieee1394: video1394: DMA fix
David Moore [Sun, 8 Apr 2007 21:54:41 +0000 (23:54 +0200)]
ieee1394: video1394: DMA fix

This together with the phys_to_virt fix in lib/swiotlb.c::swiotlb_sync_sg
fixes video1394 DMA on machines with DMA bounce buffers, especially Intel
x86-64 machines with > 3GB RAM.

Signed-off-by: David Moore <dcm@acm.org>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoFix reparenting to the same thread group. (take 2)
Eric W. Biederman [Sun, 8 Apr 2007 21:47:24 +0000 (23:47 +0200)]
Fix reparenting to the same thread group. (take 2)

This patch fixes the case when we reparent to a different thread in the
same thread group.  This modifies the code so that we do not send
signals and do not change the signal to send to SIGCHLD unless we have
change the thread group of our parents.  It also suppresses sending
pdeath_sig in this cas as well since the result of geppid doesn't
change.

Thanks to Oleg for spotting my bug of only fixing this for non-ptraced
tasks.

This fixes the issues identified by Albert Cahalan in thread
http://lkml.org/lkml/2006/12/21/22

Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agotcp: fix cubic scaling error
Stephen Hemminger [Sun, 8 Apr 2007 21:45:04 +0000 (23:45 +0200)]
tcp: fix cubic scaling error

Doug Leith observed a discrepancy between the version of CUBIC described
in the papers and the version in 2.6.18. A math error related to scaling
causes Cubic to grow too slowly.

Patch is from "Sangtae Ha" <sha2@ncsu.edu>. I validated that
it does fix the problems.

See the following to show behavior over 500ms 100 Mbit link.

Sender (2.6.19-rc3) ---  Bridge (2.6.18-rt7) ------- Receiver (2.6.19-rc3)
                    1G      [netem]           100M

        http://developer.osdl.org/shemminger/tcp/2.6.19-rc3/cubic-orig.png
        http://developer.osdl.org/shemminger/tcp/2.6.19-rc3/cubic-fix.png

Signed-off-by: Stephen Hemminger <shemminger@osdl.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[netdrvr] tulip, de2104x: fix typo: s/__sparc_/__sparc__/
Jeff Garzik [Wed, 4 Apr 2007 21:45:53 +0000 (23:45 +0200)]
[netdrvr] tulip, de2104x: fix typo: s/__sparc_/__sparc__/

Noticed by Doug Nazar (via David Miller).

Signed-off-by: Jeff Garzik <jeff@garzik.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agob44: src_desc->addr is little-endian
Al Viro [Wed, 4 Apr 2007 21:32:02 +0000 (23:32 +0200)]
b44: src_desc->addr is little-endian

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoide-floppy: Fix unformatted media crash
Alan Cox [Wed, 4 Apr 2007 19:34:22 +0000 (21:34 +0200)]
ide-floppy: Fix unformatted media crash

A ZIP or similar with unformatted media will cause crashes when attempts
are made to read/write it in some cases. This is because bs_factor is
zero and we divide by it causing an oops.

As the size of a non-accessible/non-existant media is really a bit of a
zen question it doesn't matter if non-existant media is 512 bytes per
sector or zero. Setting it to 1 causes us to generate 512 bytes/sector
accesses and error properly.

Based on a fix found lurking in an ancient bugzilla entry since about 2004 (ugghhh)

Signed-off-by: Alan Cox <alan@redhat.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[IFB]: Fix crash on input device removal
Patrick McHardy [Tue, 3 Apr 2007 02:03:55 +0000 (04:03 +0200)]
[IFB]: Fix crash on input device removal

The input_device pointer is not refcounted, which means the device may
disappear while packets are queued, causing a crash when ifb passes packets
with a stale skb->dev pointer to netif_rx().

Fix by storing the interface index instead and do a lookup where neccessary.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[VIDEO] ffb: Fix two DAC handling bugs.
David S. Miller [Mon, 2 Apr 2007 23:50:31 +0000 (01:50 +0200)]
[VIDEO] ffb: Fix two DAC handling bugs.

The determination of whether the DAC has inverted cursor logic is
broken, import the version checks the X.org driver uses to fix this.

Next, when we change the timing generator, borrow code from X.org that
does 10 NOP reads of the timing generator register afterwards to make
sure the video-enable transition occurs cleanly.

Finally, use macros for the DAC registers and fields in order to
provide documentation for the next person who reads this code.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoLinux 2.6.16.46
Adrian Bunk [Sat, 31 Mar 2007 20:21:00 +0000 (22:21 +0200)]
Linux 2.6.16.46

11 years agoLinux 2.6.16.46-rc1
Adrian Bunk [Wed, 28 Mar 2007 20:43:59 +0000 (22:43 +0200)]
Linux 2.6.16.46-rc1

11 years ago[ALSA] ca0106 - Add missing sysfs device assignment
Takashi Iwai [Wed, 28 Mar 2007 20:40:35 +0000 (22:40 +0200)]
[ALSA] ca0106 - Add missing sysfs device assignment

Added the missing device assignment before creating sysfs tree.
This caused the insufficient device permissions.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[ALSA] cs4281 - Fix the check of right channel
Takashi Iwai [Wed, 28 Mar 2007 20:39:55 +0000 (22:39 +0200)]
[ALSA] cs4281 - Fix the check of right channel

Fix the check of right channel in mixer volume put callback.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[ALSA] Dereference after free in snd_hwdep_release()
Florin Malita [Wed, 28 Mar 2007 20:38:55 +0000 (22:38 +0200)]
[ALSA] Dereference after free in snd_hwdep_release()

snd_card_file_remove() may free hw->card so we can't dereference
hw->card->module after that.
Coverity ID 1420.

Signed-off-by: Florin Malita <fmalita@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[ALSA] cmipci - Fix a typo in 'PC Speaker Playback Switch' control
Takashi Iwai [Wed, 28 Mar 2007 20:36:35 +0000 (22:36 +0200)]
[ALSA] cmipci - Fix a typo in 'PC Speaker Playback Switch' control

Fixed a typo in  'PC Speaker Playback Switch' control name.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[ALSA] fix NULL pointer dereference in sound/synth/emux/soundfont.c
Eric Sesterhenn [Wed, 28 Mar 2007 20:35:52 +0000 (22:35 +0200)]
[ALSA] fix NULL pointer dereference in sound/synth/emux/soundfont.c

this is about coverity id #100.
It seems the if statement is negated, since the else branch calls
remove_info() with sflist->currsf as a parameter where it gets
dereferenced.

Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[ALSA] Fix invalid assignment of PCI revision
Takashi Iwai [Wed, 28 Mar 2007 20:32:32 +0000 (22:32 +0200)]
[ALSA] Fix invalid assignment of PCI revision

Fix the type of PCI revision to char from int and avoid invalid
assignment with pointer cast.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[ALSA] hda-intel - Don't try to probe invalid codecs
Takashi Iwai [Wed, 28 Mar 2007 20:29:24 +0000 (22:29 +0200)]
[ALSA] hda-intel - Don't try to probe invalid codecs

Fix the max number of codecs detected by HD-intel (and compatible)
controllers.

ATI controllers may have up to 4 codecs while ICH up to 3.
Now max codecs is defined according to the driver type, either 3 or 4.
Currently 4 is set only to ATI chips.  Other might need the same
change, too.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[ALSA] hda-codec - Don't return error at initialization of modem codec
Takashi Iwai [Wed, 28 Mar 2007 20:28:59 +0000 (22:28 +0200)]
[ALSA] hda-codec - Don't return error at initialization of modem codec

Some modem codec seem to fail in the initialization, and this
stopped loading of the whole module although the audio is OK.
Since it's usually a non-fatal issue, the driver tries to proceed
to initialize now.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agousb-audio: work around wrong frequency in CM6501 descriptors
Clemens Ladisch [Wed, 28 Mar 2007 20:28:33 +0000 (22:28 +0200)]
usb-audio: work around wrong frequency in CM6501 descriptors

The C-Media CM6501 chip's descriptors say that altsetting 5 supports
48 kHz, but it actually plays at 96 kHz.

Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agosound/pci/au88x0/au88x0.c: ioremap balanced with iounmap
Amol Lad [Wed, 28 Mar 2007 20:27:42 +0000 (22:27 +0200)]
sound/pci/au88x0/au88x0.c: ioremap balanced with iounmap

Signed-off-by: Amol Lad <amol@verismonetworks.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[IPV6] HASHTABLES: Use appropriate seed for caluculating ehash index.
YOSHIFUJI Hideaki [Wed, 28 Mar 2007 20:04:44 +0000 (22:04 +0200)]
[IPV6] HASHTABLES: Use appropriate seed for caluculating ehash index.

Tetsuo Handa <handat@pm.nttdata.co.jp> told me that connect(2) with TCPv6
socket almost always took a few minutes to return when we did not have any
ports available in the range of net.ipv4.ip_local_port_range.

The reason was that we used incorrect seed for calculating index of
hash when we check established sockets in __inet6_check_established().

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[PPP]: Don't leak an sk_buff on interface destruction.
Guennadi Liakhovetski [Wed, 28 Mar 2007 20:00:29 +0000 (22:00 +0200)]
[PPP]: Don't leak an sk_buff on interface destruction.

Signed-off-by: Guennadi Liakhovetski <gl@dsa-ac.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[NET_SCHED]: Fix ingress locking
Patrick McHardy [Wed, 28 Mar 2007 19:58:20 +0000 (21:58 +0200)]
[NET_SCHED]: Fix ingress locking

Ingress queueing uses a seperate lock for serializing enqueue operations,
but fails to properly protect itself against concurrent changes to the
qdisc tree. Use queue_lock for now since the real fix it quite intrusive.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[NET_SCHED]: cls_basic: fix NULL pointer dereference
Patrick McHardy [Wed, 28 Mar 2007 19:56:42 +0000 (21:56 +0200)]
[NET_SCHED]: cls_basic: fix NULL pointer dereference

cls_basic doesn't allocate tp->root before it is linked into the
active classifier list, resulting in a NULL pointer dereference
when packets hit the classifier before its ->change function is
called.

Reported by Chris Madden <chris@reflexsecurity.com>

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoUSB: RAZR v3i unusual_devs
Pete Zaitcev [Wed, 28 Mar 2007 19:45:16 +0000 (21:45 +0200)]
USB: RAZR v3i unusual_devs

This adds an unusual_devs entry for the Motorola RAZR 3vi.

Signed-off-by: Phil Dibowitz <phil@ipom.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoUSB storage: Nokia 6288 unusual_devs entry
Andrew Nayenko [Wed, 28 Mar 2007 19:44:39 +0000 (21:44 +0200)]
USB storage: Nokia 6288 unusual_devs entry

This patch adds an usual_devs entry for the Nokia 6288.

Signed-off-by: Phil Dibowitz <phil@ipom.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoUSB Storage: US_FL_IGNORE_RESIDUE needed for Aiptek MP3 Player
Dylan Taft [Wed, 28 Mar 2007 19:43:59 +0000 (21:43 +0200)]
USB Storage: US_FL_IGNORE_RESIDUE needed for Aiptek MP3 Player

Device will not work as a mass storage device without US_FL_IGNORE_RESIDUE.

I bought this mp3 player that takes SD cards here

http://www.aiptek.com/Merchant2/merchant.mvc?Screen=PROD&Product_Code=AX4&Category_Code=MP3&Store_Code=AS

Signed-off-by: Dylan Taft <d13f00l@gmail.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoUSB: unusual_devs.h for Sony floppy
Luiz Fernando N. Capitulino [Wed, 28 Mar 2007 19:42:29 +0000 (21:42 +0200)]
USB: unusual_devs.h for Sony floppy

This patch increases the range for 0x054c:0x002c devices to make
the following Sony USB floppy to work:

T:  Bus=02 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#=  6 Spd=12  MxCh= 0
D:  Ver= 1.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
P:  Vendor=054c ProdID=002c Rev=20.00
S:  Manufacturer=SONY
S:  Product=USB Floppy
C:* #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=500mA
I:  If#= 0 Alt= 0 #EPs= 3 Cls=08(stor.) Sub=04 Prot=00 Driver=usb-storage
E:  Ad=82(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=01(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
E:  Ad=83(I) Atr=03(Int.) MxPS=   2 Ivl=127ms

Signed-off-by: Marcelo Ricardo Leitner <mrl@mandriva.com>
Signed-off-by: Luiz Fernando N. Capitulino <lcapitulino@mandriva.com.br>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[NET_SCHED]: Fix endless loops caused by inaccurate qlen counters
Patrick McHardy [Wed, 28 Mar 2007 19:31:36 +0000 (21:31 +0200)]
[NET_SCHED]: Fix endless loops caused by inaccurate qlen counters

There are multiple problems related to qlen adjustment that can lead
to an upper qdisc getting out of sync with the real number of packets
queued, leading to endless dequeueing attempts by the upper layer code.

All qdiscs must maintain an accurate q.qlen counter. There are basically
two groups of operations affecting the qlen: operations that propagate
down the tree (enqueue, dequeue, requeue, drop, reset) beginning at the
root qdisc and operations only affecting a subtree or single qdisc
(change, graft, delete class). Since qlen changes during operations from
the second group don't propagate to ancestor qdiscs, their qlen values
become desynchronized.

This patch adds a function to propagate qlen changes up the qdisc tree,
optionally calling a callback function to perform qdisc-internal
maintenance when the child qdisc is deactivated, and converts all
qdiscs to use this where necessary.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agomm: fix madvise infinine loop
Nick Piggin [Wed, 28 Mar 2007 19:29:38 +0000 (21:29 +0200)]
mm: fix madvise infinine loop

madvise(MADV_REMOVE) can go into an infinite loop or cause an oops if the
call covers a region from the start of a vma, and extending past that vma.

Signed-off-by: Nick Piggin <npiggin@suse.de>
Acked-by: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years ago[SERIAL] Fix oops when removing suspended serial port
Russell King [Wed, 28 Mar 2007 19:28:32 +0000 (21:28 +0200)]
[SERIAL] Fix oops when removing suspended serial port

A serial card might have been removed when the system is resumed.
This results in a suspended port being shut down, which results in
the ports shutdown method being called twice in a row.  This causes
BUGs.  Avoid this by tracking the suspended state separately from
the initialised state.

Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoieee1394: dv1394: fix CardBus card ejection
Stefan Richter [Mon, 26 Mar 2007 22:49:40 +0000 (00:49 +0200)]
ieee1394: dv1394: fix CardBus card ejection

Fix NULL pointer dereference on hot ejection of a FireWire card while
dv1394 was loaded.  http://bugzilla.kernel.org/show_bug.cgi?id=7121

Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agomd: fix /proc/mdstat refcounting
Akinbou Mita [Mon, 26 Mar 2007 21:43:10 +0000 (23:43 +0200)]
md: fix /proc/mdstat refcounting

I have seen mdadm oops after successfully unloading md module.

This patch privents from unloading md module while
mdadm is polling /proc/mdstat.

Signed-off-by: Akinbou Mita <akinobu.mita@gmail.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agofix read past end of array in md/linear.c
Andy Isaacson [Mon, 26 Mar 2007 21:42:40 +0000 (23:42 +0200)]
fix read past end of array in md/linear.c

When iterating through an array, one must be careful to test one's index
variable rather than another similarly-named variable.

The loop will read off the end of conf->disks[] in the following
(pathological) case:

% dd bs=1 seek=840716287 if=/dev/zero of=d1 count=1
% for i in 2 3 4; do dd if=/dev/zero of=d$i bs=1k count=$(($i+150)); done
% ./vmlinux ubd0=root ubd1=d1 ubd2=d2 ubd3=d3 ubd4=d4
# mdadm -C /dev/md0 --level=linear --raid-devices=4 /dev/ubd[1234]

adding some printks, I saw this:
[42949374.960000] hash_spacing = 821120
[42949374.960000] cnt          = 4
[42949374.960000] min_spacing  = 801
[42949374.960000] j=0 size=820928 sz=820928
[42949374.960000] i=0 sz=820928 hash_spacing=820928
[42949374.960000] j=1 size=64 sz=64
[42949374.960000] j=2 size=64 sz=128
[42949374.960000] j=3 size=64 sz=192
[42949374.960000] j=4 size=1515870810 sz=1515871002

Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agomd: pass down BIO_RW_SYNC in raid{1,10}
Lars Ellenberg [Mon, 26 Mar 2007 21:41:58 +0000 (23:41 +0200)]
md: pass down BIO_RW_SYNC in raid{1,10}

md raidX make_request functions strip off the BIO_RW_SYNC flag, thus
introducing additional latency.

Fixing this in raid1 and raid10 seems to be straightforward enough.

For our particular usage case in DRBD, passing this flag improved some
initialization time from ~5 minutes to ~5 seconds.

Signed-off-by: Lars Ellenberg <lars@linbit.com>
Acked-by: NeilBrown <neilb@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agomd: Fix bug where spares don't always get rebuilt properly when they become live
Neil Brown [Mon, 26 Mar 2007 21:41:22 +0000 (23:41 +0200)]
md: Fix bug where spares don't always get rebuilt properly when they become live

If save_raid_disk is >= 0, then the device could be a device that is
already in sync that is being re-added.  So we need to default this
value to -1.

Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoMD: Fix problem where hot-added drives are not resynced.
Neil Brown [Mon, 26 Mar 2007 21:40:42 +0000 (23:40 +0200)]
MD: Fix problem where hot-added drives are not resynced.

If a drive is added with HOT_ADD_DISK rather than ADD_NEW_DISK,
saved_raid_disk isn't initialised properly, and the drive can be
included in the array without a resync.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoUSB: unusual_devs update for Sony P990i phone
Alan Stern [Mon, 26 Mar 2007 21:35:49 +0000 (23:35 +0200)]
USB: unusual_devs update for Sony P990i phone

This patch (as846) adds the IGNORE_RESIDUE flag to the unusual_devs
entry for Sony-Ericsson's P990i phone.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Phil Dibowitz <phil@ipom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoUSB: unusual_devs entry for Sony DSC-H5
Lars Jacob [Mon, 26 Mar 2007 21:30:19 +0000 (23:30 +0200)]
USB: unusual_devs entry for Sony DSC-H5

This patch (as749) extends the unusual_devs entry for the Sony DSC-T1 and
T5 to cover the H5 as well.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoUSB: unusual_devs.h entry for nokia 6233
Manuel Osdoba [Sun, 25 Mar 2007 01:25:00 +0000 (03:25 +0200)]
USB: unusual_devs.h entry for nokia 6233

Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoUSB: unusual_devs.h for 0x046b:ff40
Pete Zaitcev [Sun, 25 Mar 2007 01:24:11 +0000 (03:24 +0200)]
USB: unusual_devs.h for 0x046b:ff40

American Megatrends did something wrong in their floppy emulator. It breaks
with both kinds of MODE SENSE which our stack sends. Alan and I tried a few
tweaks, and got LUNs sensed right, but US_FL_NO_WP_DETECT is still needed.

I set the firmware bracket to 1.00 exactly, in case AMI or Sun fix it with a
firmware update. Hey, you never know.

Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
Signed-off-by: Phil Dibowitz <phil@ipom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
11 years agoUSB: Fix UCR-61S2B unusual_dev entry
Phil Dibowitz [Sun, 25 Mar 2007 01:23:20 +0000 (03:23 +0200)]
USB: Fix UCR-61S2B unusual_dev entry

Recently this entry's bcd scope was narrowed so as not to falsly apply
to bcd's other than 0x0110. But while it breaks those of a larger bcd,
it is still needed for those of a smaller bcd - so this changes the
lower bcd limit to 0x0000.

Signed-off-by: Phil Dibowitz <phil@ipom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Adrian Bunk <bunk@stusta.de>