Ian Campbell [Fri, 10 Oct 2008 10:27:38 +0000 (11:27 +0100)]
 
xen: do not reserve 2 pages of padding between hypervisor and fixmap.
commit 
5dc64a3442b98eaa0e3730c35fcf00cf962a93e7 upstream.
When reserving space for the hypervisor the Xen paravirt backend adds
an extra two pages (this was carried forward from the 2.6.18-xen tree
which had them "for safety"). Depending on various CONFIG options this
can cause the boot time fixmaps to span multiple PMDs which is not
supported and triggers a WARN in early_ioremap_init().
This was exposed by 
2216d199b1430d1c0affb1498a9ebdbd9c0de439 which
moved the dmi table parsing earlier.
    x86: fix CONFIG_X86_RESERVE_LOW_64K=y
    The bad_bios_dmi_table() quirk never triggered because we do DMI setup
    too late. Move it a bit earlier.
There is no real reason to reserve these two extra pages and the
fixmap already incorporates FIX_HOLE which serves the same
purpose. None of the other callers of reserve_top_address do this.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Cc: Jeremy Fitzhardinge <jeremy@goop.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Andreas Herrmann [Fri, 21 Nov 2008 13:49:25 +0000 (14:49 +0100)]
 
CPUFREQ: powernow-k8: ignore out-of-range PstateStatus value
commit 
a266d9f1253a38ec2d5655ebcd6846298b0554f4 upstream.
A workaround for AMD CPU family 11h erratum 311 might cause that the
P-state Status Register shows a "current P-state" which is larger than
the "current P-state limit" in P-state Current Limit Register. For the
wrong P-state value there is no ACPI _PSS object defined and
powernow-k8/cpufreq can't determine the proper CPU frequency for that
state.
As a consequence this can cause a panic during boot (potentially with
all recent kernel versions -- at least I have reproduced it with
various 2.6.27 kernels and with the current .28 series), as an
example:
powernow-k8: Found 1 AMD Turion(tm)X2 Ultra DualCore Mobile ZM-82 processors (2 \
)
powernow-k8:    0 : pstate 0 (2200 MHz)
powernow-k8:    1 : pstate 1 (1100 MHz)
powernow-k8:    2 : pstate 2 (600 MHz)
BUG: unable to handle kernel paging request at 
ffff88086e7528b8
IP: [<
ffffffff80486361>] cpufreq_stats_update+0x4a/0x5f
PGD 202063 PUD 0
Oops: 0002 [#1] SMP
last sysfs file:
CPU 1
Modules linked in:
Pid: 1, comm: swapper Not tainted 2.6.28-rc3-dirty #16
RIP: 0010:[<
ffffffff80486361>]  [<
ffffffff80486361>] cpufreq_stats_update+0x4a/0\
f
Synaptics claims to have extended capabilities, but I'm not able to read them.<6\
6
RAX: 
0000000000000000 RBX: 
0000000000000001 RCX: 
ffff88006e7528c0
RDX: 
00000000ffffffff RSI: 
ffff88006e54af00 RDI: 
ffffffff808f056c
RBP: 
00000000fffee697 R08: 
0000000000000003 R09: 
ffff88006e73f080
R10: 
0000000000000001 R11: 
00000000002191c0 R12: 
ffff88006fb83c10
R13: 
00000000ffffffff R14: 
0000000000000001 R15: 
0000000000000000
FS:  
0000000000000000(0000) GS:
ffff88006fb50740(0000) knlGS:
0000000000000000
Unable to initialize Synaptics hardware.
CS:  0010 DS: 0018 ES: 0018 CR0: 
000000008005003b
CR2: 
ffff88086e7528b8 CR3: 
0000000000201000 CR4: 
00000000000006e0
DR0: 
0000000000000000 DR1: 
0000000000000000 DR2: 
0000000000000000
DR3: 
0000000000000000 DR6: 
00000000ffff0ff0 DR7: 
0000000000000400
Process swapper (pid: 1, threadinfo 
ffff88006fb82000, task 
ffff88006fb816d0)
Stack:
 
ffff88006e74da50 0000000000000000 ffff88006e54af00 ffffffff804863c7
 ffff88006e74da50 0000000000000000 00000000ffffffff 0000000000000000
 ffff88006fb83c10 ffffffff8024b46c ffffffff808f0560 ffff88006fb83c10
Call Trace:
 [<
ffffffff804863c7>] ? cpufreq_stat_notifier_trans+0x51/0x83
 [<
ffffffff8024b46c>] ? notifier_call_chain+0x29/0x4c
 [<
ffffffff8024b561>] ? __srcu_notifier_call_chain+0x46/0x61
 [<
ffffffff8048496d>] ? cpufreq_notify_transition+0x93/0xa9
 [<
ffffffff8021ab8d>] ? powernowk8_target+0x1e8/0x5f3
 [<
ffffffff80486687>] ? cpufreq_governor_performance+0x1b/0x20
 [<
ffffffff80484886>] ? __cpufreq_governor+0x71/0xa8
 [<
ffffffff80484b21>] ? __cpufreq_set_policy+0x101/0x13e
 [<
ffffffff80485bcd>] ? cpufreq_add_dev+0x3f0/0x4cd
 [<
ffffffff8048577a>] ? handle_update+0x0/0x8
 [<
ffffffff803c2062>] ? sysdev_driver_register+0xb6/0x10d
 [<
ffffffff8056592c>] ? powernowk8_init+0x0/0x7e
 [<
ffffffff8048604c>] ? cpufreq_register_driver+0x8f/0x140
 [<
ffffffff80209056>] ? _stext+0x56/0x14f
 [<
ffffffff802c2234>] ? proc_register+0x122/0x17d
 [<
ffffffff802c23a0>] ? create_proc_entry+0x73/0x8a
 [<
ffffffff8025c259>] ? register_irq_proc+0x92/0xaa
 [<
ffffffff8025c2c8>] ? init_irq_proc+0x57/0x69
 [<
ffffffff807fc85f>] ? kernel_init+0x116/0x169
 [<
ffffffff8020cc79>] ? child_rip+0xa/0x11
 [<
ffffffff807fc749>] ? kernel_init+0x0/0x169
 [<
ffffffff8020cc6f>] ? child_rip+0x0/0x11
Code: 05 c5 83 36 00 48 c7 c2 48 5d 86 80 48 8b 04 d8 48 8b 40 08 48 8b 34 02 48\
RIP  [<
ffffffff80486361>] cpufreq_stats_update+0x4a/0x5f
 RSP <
ffff88006fb83b20>
CR2: 
ffff88086e7528b8
---[ end trace 
0678bac75e67a2f7 ]---
Kernel panic - not syncing: Attempted to kill init!
In short, aftereffect of the wrong P-state is that
cpufreq_stats_update() uses "-1" as index for some array in
cpufreq_stats_update (unsigned int cpu)
{
...
     if (stat->time_in_state)
                stat->time_in_state[stat->last_index] =
                        cputime64_add(stat->time_in_state[stat->last_index],
                                      cputime_sub(cur_time, stat->last_time));
...
}
Fortunately, the wrong P-state value is returned only if the core is
in P-state 0. This fix solves the problem by detecting the
out-of-range P-state, ignoring it, and using "0" instead.
Cc: Mark Langsdorf <mark.langsdorf@amd.com>
Signed-off-by: Andreas Herrmann <andreas.herrmann3@amd.com>
Signed-off-by: Dave Jones <davej@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alex Chiang [Mon, 1 Dec 2008 20:10:25 +0000 (13:10 -0700)]
 
PCI: Hotplug core: remove 'name'
commit 
58319b802a614f10f1b5238fbde7a4b2e9a60069 upstream.
Now that the PCI core manages the 'name' for each individual
hotplug driver, and all drivers (except rpaphp) have been converted
to use hotplug_slot_name(), there is no need for the PCI hotplug
core to drag around its own copy of name either.
Cc: kristen.c.accardi@intel.com
Cc: matthew@wil.cx
Acked-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
Signed-off-by: Alex Chiang <achiang@hp.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alex Chiang [Mon, 1 Dec 2008 20:10:20 +0000 (13:10 -0700)]
 
PCI: shcphp: remove 'name' parameter
commit 
66f1705580f796a3f52c092e9dc92cbe5df41dd6 upstream.
We do not need to manage our own name parameter, especially since
the PCI core can change it on our behalf, in the case of duplicate
slot names.
Remove 'name' from shpchp's version of struct slot.
This change also removes the unused struct task_event from the
slot structure.
Cc: kristen.c.accardi@intel.com
Acked-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
Signed-off-by: Alex Chiang <achiang@hp.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alex Chiang [Mon, 1 Dec 2008 20:10:15 +0000 (13:10 -0700)]
 
PCI: SGI Hotplug: stop managing bss_hotplug_slot->name
commit 
85234ce86dfa62b779faa19a70364a06e3f7fc32 upstream.
We no longer need to manage our version of hotplug_slot->name
since the PCI and hotplug core manage it on our behalf.
Update the sn_hp_slot_private_alloc() interface to fill in
the correct name for us, as that function already has all
the parameters needed to determine the name.
Cc: kristen.c.accardi@intel.com
Cc: jpk@sgi.com
Acked-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
Signed-off-by: Alex Chiang <achiang@hp.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alex Chiang [Mon, 1 Dec 2008 20:10:10 +0000 (13:10 -0700)]
 
PCI: rpaphp: kmalloc/kfree slot->name directly
commit 
b2132fecca02fa05d509ba4c8c1e51dee6ccd003 upstream.
rpaphp tends to use slot->name directly everywhere, and doesn't
ever need slot->hotplug_slot->name.
struct hotplug_slot->name is going away, so convert rpaphp directly
manipulate its own slot->name everywhere, and don't bother touching
slot->hotplug_slot->name.
Acked-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
Signed-off-by: Alex Chiang <achiang@hp.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alex Chiang [Mon, 1 Dec 2008 20:10:05 +0000 (13:10 -0700)]
 
PCI: pciehp: remove 'name' parameter
commit 
e1acb24f059defdaa0264e925f19cc21b0a3e592 upstream.
We do not need to manage our own name parameter, especially since
the PCI core can change it on our behalf, in the case of duplicate
slot names.
Remove 'name' from pciehp's version of struct slot, and remove
unused 'task_list' as well.
Cc: kristen.c.accardi@intel.com
Acked-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
Signed-off-by: Alex Chiang <achiang@hp.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alex Chiang [Mon, 1 Dec 2008 20:09:59 +0000 (13:09 -0700)]
 
PCI: ibmphp: stop managing hotplug_slot->name
commit 
a32615a1a661f83661e8a26c3bc7763f716da8f3 upstream.
We no longer need to manage our version of hotplug_slot->name
since the PCI and hotplug core manage it on our behalf.
Now, we simply advise the PCI core of the name that we would
like, and let the core take care of the rest.
Additionally, slightly rearrange the members of struct slot
so they are naturally aligned to eliminate holes.
Cc: kristen.c.accardi@intel.com
Acked-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
Signed-off-by: Alex Chiang <achiang@hp.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alex Chiang [Mon, 1 Dec 2008 20:09:54 +0000 (13:09 -0700)]
 
PCI: fakephp: remove 'name' parameter
commit 
43caae884b5a5e2eacb4879225341cb49700e129 upstream.
Remove 'name' from fakephp's struct dummy_slot, as the PCI core
will now manage our slot name for us.
Cc: kristen.c.accardi@intel.com
Acked-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
Signed-off-by: Alex Chiang <achiang@hp.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alex Chiang [Mon, 1 Dec 2008 20:09:49 +0000 (13:09 -0700)]
 
PCI: cpqphp: stop managing hotplug_slot->name
commit 
30ac7acd05d1449ac784de144c4b5237be25b0b4 upstream.
We no longer need to manage our version of hotplug_slot->name
since the PCI and hotplug core manage it on our behalf.
Now, we simply advise the PCI core of the name that we would
like, and let the core take care of the rest.
Cc: jbarnes@virtuousgeek.org
Cc: kristen.c.accardi@intel.com
Acked-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
Signed-off-by: Alex Chiang <achiang@hp.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alex Chiang [Mon, 1 Dec 2008 20:09:44 +0000 (13:09 -0700)]
 
PCI: cpci_hotplug: stop managing hotplug_slot->name
commit 
d6c479e0b777afcd7a26ca62e122e3f878ccc830 upstream.
We no longer need to manage our version of hotplug_slot->name
since the PCI and hotplug core manage it on our behalf.
Now, we simply advise the PCI core of the name that we would
like, and let the core take care of the rest.
Cc: kristen.c.accardi@intel.com
Cc: scottm@somanetworks.com
Acked-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
Signed-off-by: Alex Chiang <achiang@hp.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alex Chiang [Mon, 1 Dec 2008 20:09:39 +0000 (13:09 -0700)]
 
PCI: acpiphp: remove 'name' parameter
commit 
df77cd10078e36e1b89964e5e8c206add399a98d upstream.
We do not need to manage our own name parameter, especially since
the PCI core can change it on our behalf, in the case of duplicate
slot names.
Remove 'name' from acpiphp's version of struct slot.
Cc: kristen.c.accardi@intel.com
Acked-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
Signed-off-by: Alex Chiang <achiang@hp.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alex Chiang [Mon, 1 Dec 2008 20:09:34 +0000 (13:09 -0700)]
 
PCI, PCI Hotplug: introduce slot_name helpers
commit 
0ad772ec464d3fcf9d210836b97e654f393606c4 upstream
In preparation for cleaning up the various hotplug drivers
such that they don't have to manage their own 'name' parameters
anymore, we provide the following convenience functions:
	pci_slot_name()
	hotplug_slot_name()
These helpers will be used by individual hotplug drivers.
Cc: kristen.c.accardi@intel.com
Cc: matthew@wil.cx
Acked-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
Signed-off-by: Alex Chiang <achiang@hp.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alex Chiang [Mon, 1 Dec 2008 20:09:29 +0000 (13:09 -0700)]
 
PCI: prevent duplicate slot names
commit 
5fe6cc60680d29740b85278e17a002fa27b7e642 upstream.
Prevent callers of pci_create_slot() from registering slots with
duplicate names. This condition occurs most often when PCI hotplug
drivers are loaded on platforms with broken firmware that assigns
identical names to multiple slots.
We now rename these duplicate slots on behalf of the user.
If firmware assigns the name N to multiple slots, then:
The first registered slot is assigned N
The second registered slot is assigned N-1
The third registered slot is assigned N-2
etc.
This is the permanent fix mentioned in earlier commits 
d6a9e9b4 and
167e782e (shpchp/pciehp: Rename duplicate slot name...).
We take advantage of the new 'hotplug' parameter in pci_create_slot()
to prevent a slot create/rename race between hotplug drivers and
detection drivers.
	Scenario A:
	hotplug driver                  detection driver
	--------------                  ----------------
	pci_create_slot(hotplug=set)
					pci_create_slot(hotplug=NULL)
The hotplug driver creates the slot with its desired name, and then
releases the semaphore. Now, the detection driver tries to create
the same slot, but it already exists. We don't care about renaming,
so return the existing slot.
	Scenario B:
	hotplug driver                  detection driver
	--------------                  ----------------
					pci_create_slot(hotplug=NULL)
	pci_create_slot(hotplug=set)
The detection driver creates the slot with name "X". Then the hotplug
driver tries to create the same slot, but wants the name "Y" instead.
We detect that we're trying to create the same slot and that we also
want a rename, so rename the slot to "Y" and return.
	Scenario C:
	hotplug driver                  hotplug driver
	--------------                  ----------------
	pci_create_slot(hotplug=set)
					pci_create_slot(hotplug=set)
Two separate hotplug drivers are attempting to claim the slot and
are passing valid hotplug_slot args to pci_create_slot(). We detect
that the slot already has a ->hotplug callback, prevent a rename,
and return -EBUSY.
Cc: jbarnes@virtuousgeek.org
Cc: kristen.c.accardi@intel.com
Cc: matthew@wil.cx
Acked-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
Signed-off-by: Alex Chiang <achiang@hp.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Kenji Kaneshige [Mon, 1 Dec 2008 20:09:24 +0000 (13:09 -0700)]
 
PCI Hotplug: serialize pci_hp_register and pci_hp_deregister
commit 
95cb9093960b6249fdbe7417bf513a1358aaa51a upstream.
Convert the pci_hotplug_slot_list_lock, which only protected the
list of hotplug slots, to a pci_hp_mutex which now protects both
interfaces.
Signed-off-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
Signed-off-by: Alex Chiang <achiang@hp.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alex Chiang [Mon, 1 Dec 2008 20:09:19 +0000 (13:09 -0700)]
 
PCI: update pci_create_slot() to take a 'hotplug' param
commit 
828f37683e6d3ab5912989df0d04201db7ad798e upstream.
Slot detection drivers can co-exist with hotplug drivers. The names
of the detected/claimed slots may be different depending on module
load order.
For legacy reasons, we need to allow hotplug drivers to override
the slot name if a detection driver is loaded first (and they find
the same slots).
Creating and overriding slot names should be an atomic operation,
otherwise you get a locking nightmare as various drivers race to
call pci_create_slot().
pci_create_slot() is already serialized by grabbing the pci_bus_sem.
We update the API and add a 'hotplug' param, which is:
	set if the caller is a hotplug driver
	NULL if the caller is a detection driver
pci_create_slot() does not actually use the 'hotplug' parameter in this
patch. A later patch will add the logic that uses it.
Cc: kristen.c.accardi@intel.com
Cc: matthew@wil.cx
Acked-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
Signed-off-by: Alex Chiang <achiang@hp.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alex Chiang [Mon, 1 Dec 2008 20:09:14 +0000 (13:09 -0700)]
 
PCI Hotplug core: add 'name' param pci_hp_register interface
commit 
1359f2701b96abd9bb69c1273fb995a093b6409a upstream.
Update pci_hp_register() to take a const char *name parameter.
The motivation for this is to clean up the individual hotplug
drivers so that each one does not have to manage its own name.
The PCI core should be the place where we manage the name.
We update the interface and all callsites first, in a
"no functional change" manner, and clean up the drivers later.
Cc: kristen.c.accardi@intel.com
Acked-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com>
Reviewed-by: Matthew Wilcox <willy@linux.intel.com>
Signed-off-by: Alex Chiang <achiang@hp.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Cord Walter [Thu, 20 Nov 2008 13:46:57 +0000 (13:46 +0000)]
 
axnet_cs / pcnet_cs: moving PCMCIA_DEVICE_PROD_ID for Netgear FA411
commit 
208fbec5bec1de4fce48aab41efde11ba25ab04c upstream.
Hi,
after noticing that my Netgear FA411 (PCMCIA-NIC) [1] stopped working with
the release of the 2.6.25 kernel (sidux-version), I checked the
respective driver sources and noticed that the pcnet_cs driver bailed
out with "use axnet_cs instead" for the Netgear FA411, but axnet_cs
doesn't claim this ID.
I compiled a kernel with the PCMCIA-ID for the netgear card moved to
axnet_cs from pcnet_cs which worked. I then contacted sidux-kernel
maintainer Stefan Lippers-Hollmann who turned the info into this patch
and integrated it into the kernel:
<http://svn.berlios.de/svnroot/repos/fullstory/linux-sidux-2.6/trunk/debian/patches/features/2.6.27.4_PCMCIA_move-PCMCIA-ID-for-Netgear-FA411-from-pcnet_cs-to-axnet_cs.patch>
This works for me and AFAIK there were no reports of any breakage for
other devices on sidux-support.
This looks like a trivial patch, but since I have very limited
experience with kernel modifications  I might be woefully wrong there.
But if there are no side effects of this patch, is it possible to get it
into the official kernel?
I can provide more detailed information on the affected hardware if
necessary.
-cord
[1]
Socket 1 Device 0:      [axnet_cs]              (bus ID: 1.0)
        Configuration:  state: on
        Product Name:   NETGEAR FA411 Fast Ethernet
        Identification: manf_id: 0x0149 card_id: 0x0411
                        function: 6 (network)
                        prod_id(1): "NETGEAR" (0x9aa79dc3)
                        prod_id(2): "FA411" (0x40fad875)
                        prod_id(3): "Fast Ethernet" (0xb4be14e3)
                        prod_id(4): --- (---)
From: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Date: Sat, 1 Nov 2008 23:53:04 +0000
Subject: PCMCIA: move PCMCIA ID for Netgear FA411 from pcnet_cs to axnet_cs:
Since kernel 2.6.25, commit 
61da96be07ec860e260ca4af0199b9d48d000b80
(pcnet_cs: if AX88190-based card, printk "use axnet_cs instead" message.),
pcnet_cs bails out with "use axnet_cs instead" for the Netgear FA411, but
axnet_cs doesn't claim this ID.
Socket 1 Device 0:      [axnet_cs]              (bus ID: 1.0)
        Configuration:  state: on
        Product Name:   NETGEAR FA411 Fast Ethernet
        Identification: manf_id: 0x0149 card_id: 0x0411
                        function: 6 (network)
                        prod_id(1): "NETGEAR" (0x9aa79dc3)
                        prod_id(2): "FA411" (0x40fad875)
                        prod_id(3): "Fast Ethernet" (0xb4be14e3)
                        prod_id(4): --- (---)
Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Signed-off-by: Cord Walter <qord@cwalter.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Luis R. Rodriguez [Tue, 2 Dec 2008 20:51:21 +0000 (12:51 -0800)]
 
ath9k: correct expected max RX buffer size
commit 
b4b6cda2298b0c9a0af902312184b775b8867c65 upstream
We should only tell the hardware its capable of DMA'ing
to us only what we asked dev_alloc_skb(). Prior to this
it is possible a large RX'd frame could have corrupted
DMA data but for us but we were saved only because we
were previously also pci_map_single()'ing the same large
value. The issue prior to this though was we were unmapping
a smaller amount which the prior DMA patch fixed.
Signed-off-by: Bennyam Malavazi <Bennyam.Malavazi@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Luis R. Rodriguez [Tue, 2 Dec 2008 20:51:20 +0000 (12:51 -0800)]
 
ath9k: Fix SW-IOMMU bounce buffer starvation
commit 
ca0c7e5101fd4f37fed8e851709f08580b92fbb3 upstream.
This should fix the SW-IOMMU bounce buffer starvation
seen ok kernel.org bugzilla 11811:
http://bugzilla.kernel.org/show_bug.cgi?id=11811
Users on MacBook Pro 3.1/MacBook v2 would see something like:
DMA: Out of SW-IOMMU space for 4224 bytes at device 0000:0b:00.0
Unfortunately its only easy to trigger on MacBook Pro 3.1/MacBook v2
so far so its difficult to debug (even with swiotlb=force).
We were pci_unmap_single()'ing less bytes than what we called
for with pci_map_single() and as such we were starving
the swiotlb from its 64MB amount of bounce buffers. We remain
consistent and now always use sc->rxbufsize for RX. While at
it we update the beacon DMA maps as well to only use the data
portion of the skb, previous to this we were pci_map_single()'ing
more data for beaconing than what we tell the hardware it can use,
therefore pushing more iotlb abuse.
Still not sure why this is so easily triggerable on
MacBook Pro 3.1, it may be the hardware configuration
tends to use more memory > 3GB mark for DMA.
Signed-off-by: Maciej Zenczykowski <zenczykowski@gmail.com>
Signed-off-by: Bennyam Malavazi <Bennyam.Malavazi@atheros.com>
Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Joerg Roedel [Thu, 20 Nov 2008 19:49:56 +0000 (20:49 +0100)]
 
x86: always define DECLARE_PCI_UNMAP* macros
commit 
b627c8b17ccacba38c975bc0f69a49fc4e5261c9 upstream.
Impact: fix boot crash on AMD IOMMU if CONFIG_GART_IOMMU is off
Currently these macros evaluate to a no-op except the kernel is compiled
with GART or Calgary support. But we also need these macros when we have
SWIOTLB, VT-d or AMD IOMMU in the kernel. Since we always compile at
least with SWIOTLB we can define these macros always.
This patch is also for stable backport for the same reason the SWIOTLB
default selection patch is.
Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Philipp Kohlbecher [Sun, 16 Nov 2008 11:11:01 +0000 (12:11 +0100)]
 
x86: more general identifier for Phoenix BIOS
commit 
0af40a4b1050c050e62eb1dc30b82d5ab22bf221 upstream.
Impact: widen the reach of the low-memory-protect DMI quirk
Phoenix BIOSes variously identify their vendor as "Phoenix Technologies,
LTD" or "Phoenix Technologies LTD" (without the comma.)
This patch makes the identification string in the bad_bios_dmi_table
more general (following a suggestion by Ingo Molnar), so that both
versions are handled.
Again, the patched file compiles cleanly and the patch has been tested
successfully on my machine.
Signed-off-by: Philipp Kohlbecher <xt28@gmx.de>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Takashi Iwai [Mon, 1 Dec 2008 21:13:49 +0000 (13:13 -0800)]
 
parport_serial: fix array overflow
commit 
36be47d6d8d98f54b6c4f891e9f54fb2bf554584 upstream.
The netmos_9xx5_combo type assumes that PCI SSID provides always the
correct value for the number of parallel and serial ports, but there are
indeed broken devices with wrong numbers, which may result in Oops.
This patch simply adds the check of the array range.
Reference: Novell bnc#447067
	https://bugzilla.novell.com/show_bug.cgi?id=447067
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Manfred Spraul [Mon, 1 Dec 2008 21:14:02 +0000 (13:14 -0800)]
 
lib/idr.c: fix rcu related race with idr_find
commit 
6ff2d39b91aec3dcae951afa982059e3dd9b49dc upstream.
2nd part of the fixes needed for
http://bugzilla.kernel.org/show_bug.cgi?id=11796.
When the idr tree is either grown or shrunk, then the update to the number
of layers and the top pointer were not atomic.  This race caused crashes.
The attached patch fixes that by replicating the layers counter in each
layer, thus idr_find doesn't need idp->layers anymore.
Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
Cc: Clement Calmels <cboulte@gmail.com>
Cc: Nadia Derbey <Nadia.Derbey@bull.net>
Cc: Pierre Peiffer <peifferp@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Matthew Garrett [Tue, 11 Nov 2008 14:40:42 +0000 (09:40 -0500)]
 
Input: atkbd - add keymap quirk for Inventec Symphony systems
commit 
a8215b81cc31cf267506bc6a4a4bfe93f4ca1652 upstream.
The Zepto 6615WD laptop (rebranded Inventec Symphony system) needs a
key release quirk for its volume keys to work. The attached patch adds
the quirk to the atkbd driver.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=460237
Signed-off-by: Matthew Garrett <mjg@redhat.com>
Signed-off-by: Adel Gadllah <adel.gadllah@gmail.com>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Gregor Jasny [Thu, 23 Oct 2008 12:55:22 +0000 (09:55 -0300)]
 
V4L/DVB (9352): Add some missing compat32 ioctls
commit 
c7f09db6852d85e7f76322815051aad1c88d08cf upstream.
This patch adds the missing compat ioctls that are needed to
operate Skype in combination with libv4l and a MJPEG only camera.
If you think it's trivial enough please submit it to -stable, too.
Signed-off-by: Gregor Jasny <gjasny@web.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Doug Chapman [Wed, 5 Nov 2008 22:57:52 +0000 (17:57 -0500)]
 
IA64: fix boot panic caused by offline CPUs
commit 
62ee0540f5e5a804b79cae8b3c0185a85f02436b upstream.
This fixes a regression introduced by 
2c6e6db41f01b6b4eb98809350827c9678996698
"Minimize per_cpu reservations."  That patch incorrectly used information about
what CPUs are possible that was not yet initialized by ACPI.  The end result
was that per_cpu structures for offline CPUs were not initialized causing a
NULL pointer reference.
Since we cannot do the full acpi_boot_init() call any earlier, the simplest
fix is to just parse the MADT for SAPIC entries early to find the CPU
info.  This should also allow for some cleanup of the code added by the
"Minimize per_cpu reservations".  This patch just fixes the regressions, the
cleanup will come in a later patch.
Signed-off-by: Doug Chapman <doug.chapman@hp.com>
Signed-off-by: Alex Chiang <achiang@hp.com>
CC: Robin Holt <holt@sgi.com>
Signed-off-by: Tony Luck <tony.luck@intel.com>
Cc: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Al Viro [Sat, 15 Nov 2008 01:15:43 +0000 (01:15 +0000)]
 
Fix inotify watch removal/umount races
commit 
8f7b0ba1c853919b85b54774775f567f30006107 upstream.
Inotify watch removals suck violently.
To kick the watch out we need (in this order) inode->inotify_mutex and
ih->mutex.  That's fine if we have a hold on inode; however, for all
other cases we need to make damn sure we don't race with umount.  We can
*NOT* just grab a reference to a watch - inotify_unmount_inodes() will
happily sail past it and we'll end with reference to inode potentially
outliving its superblock.
Ideally we just want to grab an active reference to superblock if we
can; that will make sure we won't go into inotify_umount_inodes() until
we are done.  Cleanup is just deactivate_super().
However, that leaves a messy case - what if we *are* racing with
umount() and active references to superblock can't be acquired anymore?
We can bump ->s_count, grab ->s_umount, which will almost certainly wait
until the superblock is shut down and the watch in question is pining
for fjords.  That's fine, but there is a problem - we might have hit the
window between ->s_active getting to 0 / ->s_count - below S_BIAS (i.e.
the moment when superblock is past the point of no return and is heading
for shutdown) and the moment when deactivate_super() acquires
->s_umount.
We could just do drop_super() yield() and retry, but that's rather
antisocial and this stuff is luser-triggerable.  OTOH, having grabbed
->s_umount and having found that we'd got there first (i.e.  that
->s_root is non-NULL) we know that we won't race with
inotify_umount_inodes().
So we could grab a reference to watch and do the rest as above, just
with drop_super() instead of deactivate_super(), right? Wrong.  We had
to drop ih->mutex before we could grab ->s_umount.  So the watch
could've been gone already.
That still can be dealt with - we need to save watch->wd, do idr_find()
and compare its result with our pointer.  If they match, we either have
the damn thing still alive or we'd lost not one but two races at once,
the watch had been killed and a new one got created with the same ->wd
at the same address.  That couldn't have happened in inotify_destroy(),
but inotify_rm_wd() could run into that.  Still, "new one got created"
is not a problem - we have every right to kill it or leave it alone,
whatever's more convenient.
So we can use idr_find(...) == watch && watch->inode->i_sb == sb as
"grab it and kill it" check.  If it's been our original watch, we are
fine, if it's a newcomer - nevermind, just pretend that we'd won the
race and kill the fscker anyway; we are safe since we know that its
superblock won't be going away.
And yes, this is far beyond mere "not very pretty"; so's the entire
concept of inotify to start with.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Acked-by: Greg KH <greg@kroah.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Davide Libenzi [Mon, 1 Dec 2008 21:13:55 +0000 (13:13 -0800)]
 
epoll: introduce resource usage limits
commit 
7ef9964e6d1b911b78709f144000aacadd0ebc21 upstream.
It has been thought that the per-user file descriptors limit would also
limit the resources that a normal user can request via the epoll
interface.  Vegard Nossum reported a very simple program (a modified
version attached) that can make a normal user to request a pretty large
amount of kernel memory, well within the its maximum number of fds.  To
solve such problem, default limits are now imposed, and /proc based
configuration has been introduced.  A new directory has been created,
named /proc/sys/fs/epoll/ and inside there, there are two configuration
points:
  max_user_instances = Maximum number of devices - per user
  max_user_watches   = Maximum number of "watched" fds - per user
The current default for "max_user_watches" limits the memory used by epoll
to store "watches", to 1/32 of the amount of the low RAM.  As example, a
256MB 32bit machine, will have "max_user_watches" set to roughly 90000.
That should be enough to not break existing heavy epoll users.  The
default value for "max_user_instances" is set to 128, that should be
enough too.
This also changes the userspace, because a new error code can now come out
from EPOLL_CTL_ADD (-ENOSPC).  The EMFILE from epoll_create() was already
listed, so that should be ok.
[akpm@linux-foundation.org: use get_current_user()]
Signed-off-by: Davide Libenzi <davidel@xmailserver.org>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Cyrill Gorcunov <gorcunov@gmail.com>
Reported-by: Vegard Nossum <vegardno@ifi.uio.no>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Helge Deller [Wed, 26 Nov 2008 20:46:22 +0000 (12:46 -0800)]
 
parisc: fix kernel crash when unwinding a userspace process
commit 
7a3f5134a8f5bd7fa38b5645eef05e8a4eb62951 upstream.
Any user on existing parisc 32- and 64bit-kernels can easily crash
the kernel and as such enforce a DSO.
A simple testcase is available here:
        http://gsyprf10.external.hp.com/~deller/crash.tgz
The problem is introduced by the fact, that the handle_interruption()
crash handler calls the show_regs() function, which in turn tries to
unwind the stack by calling parisc_show_stack().  Since the stack contains
userspace addresses, a try to unwind the stack is dangerous and useless
and leads to the crash.
The fix is trivial: For userspace processes
a) avoid to unwind the stack, and
b) avoid to resolve userspace addresses to kernel symbol names.
While touching this code, I converted print_symbol() to %pS
printk formats and made parisc_show_stack() static.
An initial patch for this was written by Kyle McMartin back in August:
http://marc.info/?l=linux-parisc&m=
121805168830283&w=2
Compile and run-tested with a 64bit parisc kernel.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: Grant Grundler <grundler@parisc-linux.org>
Cc: Matthew Wilcox <matthew@wil.cx>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Kyle McMartin <kyle@mcmartin.ca>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Nadia Derbey [Wed, 19 Nov 2008 23:36:08 +0000 (15:36 -0800)]
 
sysvipc: fix the ipc structures initialization
commit 
e00b4ff7ebf098b11b11be403921c1cf41d9e321 upstream.
A problem was found while reviewing the code after Bugzilla bug
http://bugzilla.kernel.org/show_bug.cgi?id=11796.
In ipc_addid(), the newly allocated ipc structure is inserted into the
ipcs tree (i.e made visible to readers) without locking it.  This is not
correct since its initialization continues after it has been inserted in
the tree.
This patch moves the ipc structure lock initialization + locking before
the actual insertion.
Signed-off-by: Nadia Derbey <Nadia.Derbey@bull.net>
Reported-by: Clement Calmels <cboulte@gmail.com>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Arjan van de Ven [Wed, 19 Nov 2008 23:36:19 +0000 (15:36 -0800)]
 
lib/scatterlist.c: fix kunmap() argument in sg_miter_stop()
commit 
f652c521e0bec2e70cf123f47e80117a7e6ed139 upstream.
kunmap() takes as argument the struct page that orginally got kmap()'d,
however the sg_miter_stop() function passed it the kernel virtual address
instead, resulting in weird stuff.
Somehow I ended up fixing this bug by accident while looking for a bug in
the same area.
Reported-by: kerneloops.org
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Arjan van de Ven <arjan@linux.intel.com>
Cc: Hugh Dickins <hugh@veritas.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jarkko Nikula [Wed, 19 Nov 2008 23:36:17 +0000 (15:36 -0800)]
 
gpiolib: extend gpio label column width in debugfs file
commit 
6e8ba729b6332f2a75572e02480936d2b51665aa upstream.
There are already various drivers having bigger label than 12 bytes.  Most
of them fit well under 20 bytes but make column width exact so that
oversized labels don't mess up output alignment.
Signed-off-by: Jarkko Nikula <jarkko.nikula@nokia.com>
Acked-by: David Brownell <david-b@pacbell.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Clemens Ladisch [Wed, 19 Nov 2008 23:36:10 +0000 (15:36 -0800)]
 
fbdev: clean the penguin's dirty feet
commit 
cf7ee554f3a324e98181b0ea249d9d5be3a0acb8 upstream.
When booting in a direct color mode, the penguin has dirty feet, i.e.,
some pixels have the wrong color.  This is caused by
fb_set_logo_directpalette() which does not initialize the last 32 palette
entries.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Acked-by: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Krzysztof Helt <krzysztof.h1@poczta.fm>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Ned Forrester [Wed, 19 Nov 2008 23:36:21 +0000 (15:36 -0800)]
 
pxa2xx_spi: bugfix full duplex dma data corruption
commit 
393df744e056ba24e9531d0657d09fc3c7c0dd22 upstream.
Fixes a data corruption bug in pxa2xx_spi.c when operating in full duplex
mode with DMA and using buffers that overlap.
SPI transmit and receive buffers are allowed to be the same or to overlap.
 However, this driver fails if such overlap is attempted in DMA mode
because it maps the rx and tx buffers in the wrong order.  By mapping
DMA_FROM_DEVICE (read) before DMA_TO_DEVICE (write), it invalidates the
cache before flushing it, thus discarding data which should have been
transmitted.
The patch corrects the order of mapping.  This bug exists in all versions
of pxa2xx_spi.c; similar bugs are in the drivers for two other SPI
controllers (au1500, imx).
A version of this patch has been tested on kernel 2.6.20 using
verification of loopback data with: random transfer length, random
bits-per-word, random positive offsets (both larger and smaller than
transfer length) between the start of the rx and tx buffers, and varying
clock rates.
Signed-off-by: Ned Forrester <nforrester@whoi.edu>
Cc: Vernon Sauder <vernoninhand@gmail.com>
Cc: J. Scott Merritt <merrij3@rpi.edu>
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Michael Halcrow [Wed, 19 Nov 2008 23:36:28 +0000 (15:36 -0800)]
 
eCryptfs: Allocate up to two scatterlists for crypto ops on keys
commit 
ac97b9f9a2d0b83488e0bbcb8517b229d5c9b142 upstream.
I have received some reports of out-of-memory errors on some older AMD
architectures.  These errors are what I would expect to see if
crypt_stat->key were split between two separate pages.  eCryptfs should
not assume that any of the memory sent through virt_to_scatterlist() is
all contained in a single page, and so this patch allocates two
scatterlist structs instead of one when processing keys.  I have received
confirmation from one person affected by this bug that this patch resolves
the issue for him, and so I am submitting it for inclusion in a future
stable release.
Note that virt_to_scatterlist() runs sg_init_table() on the scatterlist
structs passed to it, so the calls to sg_init_table() in
decrypt_passphrase_encrypted_session_key() are redundant.
Signed-off-by: Michael Halcrow <mhalcrow@us.ibm.com>
Reported-by: Paulo J. S. Silva <pjssilva@ime.usp.br>
Cc: "Leon Woestenberg" <leon.woestenberg@gmail.com>
Cc: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Li Zefan [Wed, 19 Nov 2008 23:36:48 +0000 (15:36 -0800)]
 
cgroups: fix a serious bug in cgroupstats
commit 
33d283bef23132c48195eafc21449f8ba88fce6b upstream.
Try this, and you'll get oops immediately:
 # cd Documentation/accounting/
 # gcc -o getdelays getdelays.c
 # mount -t cgroup -o debug xxx /mnt
 # ./getdelays -C /mnt/tasks
Because a normal file's dentry->d_fsdata is a pointer to struct cftype,
not struct cgroup.
After the patch, it returns EINVAL if we try to get cgroupstats
from a normal file.
Cc: Balbir Singh <balbir@linux.vnet.ibm.com>
Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
Acked-by: Paul Menage <menage@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Li Zefan [Tue, 18 Nov 2008 06:02:03 +0000 (14:02 +0800)]
 
cpuset: fix regression when failed to generate sched domains
commit 
700018e0a77b4113172257fcdaa1c58e27a5074f upstream.
Impact: properly rebuild sched-domains on kmalloc() failure
When cpuset failed to generate sched domains due to kmalloc()
failure, the scheduler should fallback to the single partition
'fallback_doms' and rebuild sched domains, but now it only
destroys but not rebuilds sched domains.
The regression was introduced by:
| commit 
dfb512ec4834116124da61d6c1ee10fd0aa32bd6
| Author: Max Krasnyansky <maxk@qualcomm.com>
| Date:   Fri Aug 29 13:11:41 2008 -0700
|
|    sched: arch_reinit_sched_domains() must destroy domains to force rebuild
After the above commit, partition_sched_domains(0, NULL, NULL) will
only destroy sched domains and partition_sched_domains(1, NULL, NULL)
will create the default sched domain.
Signed-off-by: Li Zefan <lizf@cn.fujitsu.com>
Cc: Max Krasnyansky <maxk@qualcomm.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
J. K. Cliburn [Tue, 11 Nov 2008 22:21:48 +0000 (16:21 -0600)]
 
atl1e: fix broken multicast by removing unnecessary crc inversion
commit 
7ee0fddfe05f105d3346aa8774695e7130697836 upstream.
Inverting the crc after calling ether_crc_le() is unnecessary and breaks
multicast. Remove it.
Tested-by: David Madore <david.madore@ens.fr>
Signed-off-by: Jay Cliburn <jcliburn@gmail.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Shane Huang [Tue, 25 Nov 2008 07:12:33 +0000 (15:12 +0800)]
 
USB: fix SB600 USB subsystem hang bug
commit 
0a99e8ac430a27825bd055719765fd0d65cd797f upstream.
This patch is required for all AMD SB600 revisions to avoid USB subsystem hang
symptom. The USB subsystem hang symptom is observed when the system has
multiple USB devices connected to it. In some cases a USB hub may be required
to observe this symptom.
Reported in bugzilla as #11599, the similar patch for SB700 old revision is:
commit 
b09bc6cbae4dd3a2d35722668ef2c502a7b8b093
Reported-by: raffaele <ralfconn@tele2.it>
Tested-by: Roman Mamedov <roman@rm.pp.ru>
Signed-off-by: Shane Huang <shane.huang@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Andiry Xu [Fri, 14 Nov 2008 03:42:29 +0000 (11:42 +0800)]
 
USB: fix SB700 usb subsystem hang bug
commit 
b09bc6cbae4dd3a2d35722668ef2c502a7b8b093 upstream.
This patch is required for AMD SB700 south bridge revision A12 and A13 to avoid
USB subsystem hang symptom. The USB subsystem hang symptom is observed when the
system has multiple USB devices connected to it. In some cases a USB hub may be
required to observe this symptom.
This patch works around the problem by correcting the internal register setting
that will help by changing the behavior of the internal logic to avoid the
USB subsystem hang issue. The change in the behavior of the logic does not
impact the normal operation of the USB subsystem.
Reported-by: Volker Armin Hemmann <volker.armin.hemmann@tu-clausthal.de>
Tested-by: Volker Armin Hemmann <volker.armin.hemmann@tu-clausthal.de>
Signed-off-by: Andiry Xu <andiry.xu@amd.com>
Signed-off-by: Libin Yang <libin.yang@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Pete Zaitcev [Fri, 14 Nov 2008 16:47:41 +0000 (09:47 -0700)]
 
USB: usbmon: fix read(2)
commit 
f1c0a2a3aff53698f4855968d576464041d49b39 upstream.
There's a bug in the usbmon binary reader: When using read() to fetch
the packets and a packet's data is partially read, the next read call
will once again return up to len_cap bytes of data. The b_read counter
is not regarded when determining the remaining chunk size.
So, when dumping USB data with "cat /dev/usbmon0 > usbmon.trace" while
reading from a USB storage device and analyzing the dump file
afterwards it will get out of sync after a couple of packets.
Signed-off-by: Ingo van Lil <inguin@gmx.de>
Signed-off-by: Pete Zaitcev <zaitcev@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
David Brownell [Sun, 16 Nov 2008 03:53:21 +0000 (19:53 -0800)]
 
USB: gadget rndis: stop windows self-immolation
commit 
9c264521a9f836541c122b00f505cfd60cc5bbb5 upstream.
Somewhere in the conversion of the RNDIS gadget code to the new
framework, the descriptor of its data interface seems to have
been copied from the CDC Ethernet driver.  Unfortunately that
means it got a nonzero altsetting ... which is incorrect.  Issue
uncovered by Richard Röjfors <richard.rojfors@endian.se>.
This patch fixes that problem, and resolves at least some cases
of Windows XP bluescreening itself.
Tested-by: Richard Röjfors <richard.rojfors@endian.se>.
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Richard Röjfors [Sun, 16 Nov 2008 03:53:24 +0000 (19:53 -0800)]
 
USB: gadget rndis: send notifications
commit 
ff3495052af48f7a2bf7961b131dc9e161dae19c upstream.
It turns out that atomic_inc_return() returns the *new* value
not the original one, so the logic in rndis_response_available()
kept the first RNDIS response notification from getting out.
This prevented interoperation with MS-Windows (but not Linux).
Fix this to make RNDIS behave again.
Signed-off-by: Richard Röjfors <richard.rojfors@endian.se>
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Greg Kroah-Hartman [Thu, 20 Nov 2008 23:02:37 +0000 (15:02 -0800)]
 
Linux 2.6.27.7
Alexey Starikovskiy [Tue, 11 Nov 2008 09:54:11 +0000 (12:54 +0300)]
 
ACPI: EC: Don't do transaction from GPE handler in poll mode.
commit 
8517934ef6aaa28d6e055b98df65b31cedbd1372 upstream.
Referencies: http://bugzilla.kernel.org/show_bug.cgi?id=12004
Signed-off-by: Alexey Starikovskiy <astarikovskiy@suse.de>
Signed-off-by: Len Brown <len.brown@intel.com>
Cc: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alexey Starikovskiy [Sun, 9 Nov 2008 16:01:06 +0000 (19:01 +0300)]
 
ACPI: EC: lower interrupt storm treshold
commit 
06cf7d3c7af902939cd1754abcafb2464060cba8 upstream.
http://bugzilla.kernel.org/show_bug.cgi?id=11892
Signed-off-by: Alexey Starikovskiy <astarikovskiy@suse.de>
Signed-off-by: Len Brown <len.brown@intel.com>
Cc: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alexey Starikovskiy [Tue, 11 Nov 2008 22:40:19 +0000 (01:40 +0300)]
 
ACPI: EC: restart failed command
commit 
a2f93aeadf97e870ff385030633a73e21146815d upstream.
Restart current transaction if we recieved unexpected GPEs instead
of needed ones.
http://bugzilla.kernel.org/show_bug.cgi?id=11896
Signed-off-by: Alexey Starikovskiy <astarikovskiy@suse.de>
Signed-off-by: Len Brown <len.brown@intel.com>
Cc: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alexey Starikovskiy [Sat, 8 Nov 2008 18:42:30 +0000 (21:42 +0300)]
 
ACPI: EC: wait for last write gpe
commit 
dd15f8c42af09031e27da5b4d697ce925511f2e1 upstream.
There is a possibility that EC might break if next command is
issued within 1 us after write or burst-disable command.
Suggestd-by: Zhao Yakui <yakui.zhao@intel.com>
Signed-off-by: Alexey Starikovskiy <astarikovskiy@suse.de>
Signed-off-by: Len Brown <len.brown@intel.com>
Cc: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alexey Starikovskiy [Mon, 27 Oct 2008 21:35:30 +0000 (00:35 +0300)]
 
ACPI: EC: revert msleep patch
commit 
1cfe62c8010ac56e1bd3827e30386a87cc2f3594 upstream.
With the better solution for EC interrupt storm issue,
there is no need to use msleep over udelay.
References:
	http://bugzilla.kernel.org/show_bug.cgi?id=11810
	http://bugzilla.kernel.org/show_bug.cgi?id=10724
Signed-off-by: Alexey Starikovskiy <astarikovskiy@suse.de>
Signed-off-by: Len Brown <len.brown@intel.com>
Cc: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alan Stern [Wed, 29 Oct 2008 19:16:58 +0000 (15:16 -0400)]
 
USB: don't register endpoints for interfaces that are going away
commit 
352d026338378b1f13f044e33c1047da6e470056 upstream.
This patch (as1155) fixes a bug in usbcore.  When interfaces are
deleted, either because the device was disconnected or because of a
configuration change, the extra attribute files and child endpoint
devices may get left behind.  This is because the core removes them
before calling device_del().  But during device_del(), after the
driver is unbound the core will reinstall altsetting 0 and recreate
those extra attributes and children.
The patch prevents this by adding a flag to record when the interface
is in the midst of being unregistered.  When the flag is set, the
attribute files and child devices will not be created.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alan Stern [Wed, 12 Nov 2008 22:04:53 +0000 (17:04 -0500)]
 
USB: EHCI: fix handling of dead controllers
commit 
67b2e029743a52670d77864723b4d0d40f7733b5 upstream.
This patch (as1165) makes a few small changes in the logic used by
ehci-hcd when it encounters a controller error:
	Instead of printing out the masked status, it prints the
	original status as read directly from the hardware.
	It doesn't check for the STS_HALT status bit before taking
	action.  The mere fact that the STS_FATAL bit is set means
	that something bad has happened and the controller needs to
	be reset.  With the old code this test could never succeed
	because the STS_HALT bit was masked out from the status.
I anticipate that this will prevent the occasional "irq X: nobody cared"
problem people encounter when their EHCI controllers die.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Cc: David Brownell <david-b@pacbell.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alan Stern [Wed, 12 Nov 2008 22:02:57 +0000 (17:02 -0500)]
 
USB: EHCI: fix divide-by-zero bug
commit 
372dd6e8ed924e876f3beb598721e813ad7fa323 upstream.
This patch (as1164) fixes a bug in the EHCI scheduler.  The interval
value it uses is already in linear format, not logarithmically coded.
The existing code can sometimes crash the system by trying to divide
by zero.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Cc: David Brownell <david-b@pacbell.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Brandon Philips [Thu, 6 Nov 2008 19:19:11 +0000 (11:19 -0800)]
 
USB: cdc-acm.c: fix recursive lock in acm_start_wb error path
commit 
ad0b65efd12d020b046cde8d6f474e37bb98dd73 upstream.
Fixes an obvious bug in cdc-acm by avoiding a recursive lock on
acm_start_wb()'s error path. Should apply towards 2.6.27 stable and
2.6.28.
=============================================
[ INFO: possible recursive locking detected ]
2.6.27-2-pae #109
---------------------------------------------
python/31449 is trying to acquire lock:
 (&acm->write_lock){++..}, at: [<
f89a0348>] acm_start_wb+0x5c/0x7b [cdc_acm]
but task is already holding lock:
 (&acm->write_lock){++..}, at: [<
f89a04fb>] acm_tty_write+0xe1/0x167 [cdc_acm]
other info that might help us debug this:
2 locks held by python/31449:
 #0:  (&tty->atomic_write_lock){--..}, at: [<
c0260fae>] tty_write_lock+0x14/0x3b
 #1:  (&acm->write_lock){++..}, at: [<
f89a04fb>] acm_tty_write+0xe1/0x167 [cdc_acm]
stack backtrace:
Pid: 31449, comm: python Not tainted 2.6.27-2-pae #109
 [<
c030f42f>] ? printk+0xf/0x18
 [<
c0149f33>] __lock_acquire+0xc7b/0x1316
 [<
c014a63e>] lock_acquire+0x70/0x97
 [<
f89a0348>] ? acm_start_wb+0x5c/0x7b [cdc_acm]
 [<
c0312109>] _spin_lock_irqsave+0x37/0x47
 [<
f89a0348>] ? acm_start_wb+0x5c/0x7b [cdc_acm]
 [<
f89a0348>] acm_start_wb+0x5c/0x7b [cdc_acm]
 [<
f89a055d>] acm_tty_write+0x143/0x167 [cdc_acm]
 [<
c0262a98>] write_chan+0x1cd/0x297
 [<
c012527e>] ? default_wake_function+0x0/0xd
 [<
c026111e>] tty_write+0x149/0x1b9
 [<
c02628cb>] ? write_chan+0x0/0x297
 [<
c01912c5>] ? rw_verify_area+0x76/0x98
 [<
c0260fd5>] ? tty_write+0x0/0x1b9
 [<
c01919ba>] vfs_write+0x8c/0x136
 [<
c0191afd>] sys_write+0x3b/0x60
 [<
c0103beb>] sysenter_do_call+0x12/0x3f
 =======================
Signed-off-by: Brandon Philips <bphilips@suse.de>
Cc: Oliver Neukum <oliver@neukum.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Geoff Levand [Fri, 31 Oct 2008 20:52:54 +0000 (13:52 -0700)]
 
USB: Fix PS3 USB shutdown problems
commit 
ddcb01ff9bf49c4dbbb058423559f7bc90b89374 upstream.
Add ehci_shutdown() or ohci_shutdown() calls to the USB
PS3 bus glue.  ehci_shutdown() and ohci_shutdown() do some
controller specific cleanups not done by usb_remove_hcd().
Fixes errors on shutdown or reboot similar to these:
  ps3-ehci-driver sb_07: HC died; cleaning up
  irq 51: nobody cared (try booting with the "irqpoll" option)
Related bugzilla reports:
  http://bugzilla.kernel.org/show_bug.cgi?id=11819
  http://bugzilla.terrasoftsolutions.com/show_bug.cgi?id=317
Signed-off-by: Geoff Levand <geoffrey.levand@am.sony.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alan Stern [Tue, 4 Nov 2008 16:33:35 +0000 (11:33 -0500)]
 
USB: unusual_devs entry for Argosy USB mass-storage interface
commit 
8010e06cc90367b4d3fba3b0ec3ced32360ac890 upstream.
This patch (as1162) adds an unusual_devs entry for Argosy's USB-IDE
interface.  This fixes Bugzilla #11843.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Luciano Rocha <luciano@eurotux.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
David Brownell [Wed, 12 Nov 2008 19:35:13 +0000 (11:35 -0800)]
 
USB: gadget: cdc-acm deadlock fix
commit 
e50ae572b33646656fa7037541613834dcadedfb upstream.
This fixes a deadlock appearing with some USB peripheral drivers
when running CDC ACM gadget code.
The newish (2.6.27) CDC ACM event notification mechanism sends
messages (IN to the host) which are short enough to fit in most
FIFOs.  That means that with some peripheral controller drivers
(evidently not the ones used to verify the notification code!!)
the completion callback can be issued before queue() returns.
The deadlock would come because the completion callback and the
event-issuing code shared a spinlock.  Fix is trivial:  drop
that lock while queueing the message.
Signed-off-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Sebastian Andrzej Siewior [Sun, 2 Nov 2008 14:25:42 +0000 (15:25 +0100)]
 
USB: remove optional bus bindings in isp1760, fixing runtime warning
commit 
ff30bf1ca4b548c0928dae6bfce89458b95e5bf4 upstream.
Roland Reported the following:
| kmem_cache_create: duplicate cache isp1760_qtd
| Pid: 461, comm: modprobe Tainted: G        W  2.6.28-rc2-git3-default #4
| Call Trace:
|  [<
c017540e>] kmem_cache_create+0xc9/0x3a3
|  [<
c0159a8d>] free_pages_bulk+0x16c/0x1c9
|  [<
f165c05f>] isp1760_init+0x0/0xb [isp1760]
|  [<
f165c018>] init_kmem_once+0x18/0x5f [isp1760]
|  [<
f165c064>] isp1760_init+0x5/0xb [isp1760]
|  [<
c010113d>] _stext+0x4d/0x148
|  [<
c0142936>] load_module+0x12cd/0x142e
|  [<
c01743c4>] kmem_cache_destroy+0x0/0xd7
|  [<
c0142b1e>] sys_init_module+0x87/0x176
|  [<
c01039eb>] sysenter_do_call+0x12/0x2f
The reason, is that ret is initialized with ENODEV instead of 0 _or_
the kmem cache is not freed in error case with no bus binding.
The difference between OF+PCI and OF only is
| 15148     804      32   15984    3e70 isp1760-of-pci.o
| 13748     676       8   14432    3860 isp1760-of.o
about 1.5 KiB.
Until there is a checkbox where the user *must* select atleast one item,
and may select multiple entries I don't make it selectable anymore.
Having a driver which can't be used under any circumstances is broken
anyway and I've seen distros shipping it that way.
Reported-by: Roland Kletzing <devzero@web.de>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Mikulas Patocka [Thu, 13 Nov 2008 23:38:52 +0000 (23:38 +0000)]
 
dm raid1: flush workqueue before destruction
commit 
18776c7316545482a02bfaa2629a2aa1afc48357 upstream.
We queue work on keventd queue --- so this queue must be flushed in the
destructor. Otherwise, keventd could access mirror_set after it was freed.
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Miquel van Smoorenburg [Tue, 4 Nov 2008 23:09:12 +0000 (00:09 +0100)]
 
SCSI: dpt_i2o: fix transferred data length for scsi_set_resid()
commit 
df81d2371aeca0f7474f197a3090830899016e39 upstream.
dpt_i2o.c::adpt_i2o_to_scsi() reads the value at (reply+5) which
should contain the length in bytes of the transferred data. This
would be correct if reply was a u32 *. However it is a void * here,
so we need to read the value at (reply+20) instead.
The value at (reply+5) is usually 0xff0000, which is apparently
'large enough' and didn't cause any trouble until 2.6.27 where
commit 
427e59f09fdba387547106de7bab980b7fff77be
Author: James Bottomley <James.Bottomley@HansenPartnership.com>
Date:   Sat Mar 8 18:24:17 2008 -0600
    [SCSI] make use of the residue value
caused this to become visible through e.g. iostat -x .
Signed-off-by: Miquel van Smoorenburg <mikevs@xs4all.net>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Lalit Chandivade [Fri, 24 Oct 2008 22:13:44 +0000 (15:13 -0700)]
 
SCSI: qla2xxx: Correct Atmel flash-part handling.
commit 
821b3996001508e872582dcafc7575021f122728 upstream.
Use correct block size (4K) for erase command 0x20 for Atmel
Flash. Use dword addresses for determining sector boundary.
Signed-off-by: Lalit Chandivade <lalit.chandivade@qlogic.com>
Signed-off-by: Andrew Vasquez <andrew.vasquez@qlogic.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Shyam Sundar [Fri, 24 Oct 2008 22:13:46 +0000 (15:13 -0700)]
 
SCSI: qla2xxx: Do not honour max_vports from firmware for 2G ISPs and below.
commit 
680d7db88ace53c673e1c437c9b6abcc053e8d6f upstream.
For 23XX ISPs, max_vports may return an invalid value.
Do not honour it.
Signed-off-by: Andrew Vasquez <andrew.vasquez@qlogic.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Michael Reed [Fri, 24 Oct 2008 22:13:47 +0000 (15:13 -0700)]
 
SCSI: qla2xxx: Return a FAILED status when abort mailbox-command fails.
commit 
5bff55db3dc4d659f46b4d2fce2f61c1964c2762 upstream.
Mike Reed noted
(https://bugzilla.novell.com/show_bug.cgi?id=421330) that the
driver was incorrectly returning a SUCCESS status if the driver's
request to the firmware to abort a command failed.  By doing so,
the mid-layer believed, incorrectly, that the command has
completed and has been returned (ultimately clearing
scsi_cmnd.request_buffer) yet the driver still has the command.
What should correctly happen is a mid-layer escalation
(device-reset, etc.) of recovery during which the driver will
eventually return the outstanding commands to the mid-layer.
Signed-off-by: Andrew Vasquez <andrew.vasquez@qlogic.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Geert Uytterhoeven [Fri, 14 Nov 2008 07:10:19 +0000 (08:10 +0100)]
 
m68k: Fix off-by-one in m68k_setup_user_interrupt()
commit 
27123cbc264de89ce6951b1b4c84c223eb0f1702 upstream.
commit 
69961c375288bdab7604e0bb1c8d22999bb8a347 ("[PATCH] m68k/Atari:
Interrupt updates") added a BUG_ON() with an incorrect upper bound
comparison, which causes an early crash on VME boards, where IRQ_USER is
8, cnt is 192 and NR_IRQS is 200.
Reported-by: Stephen N Chivers <schivers@csc.com.au>
Tested-by: Kars de Jong <jongk@linux-m68k.org>
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Zhao Yakui [Mon, 11 Aug 2008 05:40:22 +0000 (13:40 +0800)]
 
ACPI : Load device driver according to the status of acpi device
commit 
39a0ad871000d2a016a4fa113a6e53d22aabf25d upstream.
According to ACPI spec when the status of some device is not present
but functional, the device is valid and the children of this device
should be enumerated. It means that the device should be added to
linux acpi device tree. But the device driver for this device should not
be loaded.
    The detailed info can be found in the section 6.3.7 of ACPI 3.0b spec.
    _STA may return bit 0 clear (not present) with bit 3 set (device is
functional). This case is used to indicate a valid device for which no
device driver should be loaded (for example, a bridge device.).
Children of this device may be present and valid. OS should continue
enumeration below a device whose _STA returns this bit combination
http://bugzilla.kernel.org/show_bug.cgi?id=3358
Signed-off-by: Zhao Yakui <yakui.zhao@intel.com>
Signed-off-by: Li Shaohua <shaohua.li@intel.com>
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Cc: Holger Macht <hmacht@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Heiko Carstens [Fri, 14 Nov 2008 17:18:07 +0000 (18:18 +0100)]
 
S390: cpu topology: fix locking
commit 
74af283102b358b0da545460d0d176f473e110f6 upstream.
cpu_coregroup_map used to grab a mutex on s390 since it was only
called from process context.
Since 
c7c22e4d5c1fdebfac4dba76de7d0338c2b0d832 "block: add support
for IO CPU affinity" this is not true anymore.
It now also gets called from softirq context.
To prevent possible deadlocks change this in architecture code and
use a spinlock instead of a mutex.
Cc: Jens Axboe <jens.axboe@oracle.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Mauro Carvalho Chehab [Fri, 14 Nov 2008 13:46:59 +0000 (10:46 -0300)]
 
V4L/DVB (9624): CVE-2008-5033: fix OOPS on tvaudio when controlling bass/treble
commit 
01a1a3cc1e3fbe718bd06a2a5d4d1a2d0fb4d7d9 upstream.
This bug were supposed to be fixed by 
5ba2f67afb02c5302b2898949ed6fc3b3d37dcf1,
where a call to NULL happens.
Not all tvaudio chips allow controlling bass/treble. So, the driver
has a table with a flag to indicate if the chip does support it.
Unfortunately, the handling of this logic were broken for a very long
time (probably since the first module version). Due to that, an OOPS
were generated for devices that don't support bass/treble.
This were the resulting OOPS message before the patch, with debug messages
enabled:
tvaudio' 1-005b: VIDIOC_S_CTRL
BUG: unable to handle kernel NULL pointer dereference at 
00000000
IP: [<
00000000>]
*pde = 
22fda067 *pte = 
00000000
Oops: 0000 [#1] SMP
Modules linked in: snd_hda_intel snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq snd_seq_device
snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_hwdep snd soundcore tuner_simple tuner_types tea5767 tuner
tvaudio bttv bridgebnep rfcomm l2cap bluetooth it87 hwmon_vid hwmon fuse sunrpc ipt_REJECT
nf_conntrack_ipv4 iptable_filter ip_tables ip6t_REJECT xt_tcpudp nf_conntrack_ipv6 xt_state nf_conntrack
ip6table_filter ip6_tables x_tables ipv6 dm_mirrordm_multipath dm_mod configfs videodev v4l1_compat
ir_common 8139cp compat_ioctl32 v4l2_common 8139too videobuf_dma_sg videobuf_core mii btcx_risc tveeprom
i915 button snd_page_alloc serio_raw drm pcspkr i2c_algo_bit i2c_i801 i2c_core iTCO_wdt
iTCO_vendor_support sr_mod cdrom sg ata_generic pata_acpi ata_piix libata sd_mod scsi_mod ext3 jbdmbcache
uhci_hcd ohci_hcd ehci_hcd [last unloaded: soundcore]
Pid: 15413, comm: qv4l2 Not tainted (2.6.25.14-108.fc9.i686 #1)
EIP: 0060:[<
00000000>] EFLAGS: 
00210246 CPU: 0
EIP is at 0x0
EAX: 
00008000 EBX: 
ebd21600 ECX: 
e2fd9ec4 EDX: 
00200046
ESI: 
f8c0f0c4 EDI: 
f8c0f0c4 EBP: 
e2fd9d50 ESP: 
e2fd9d2c
 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process qv4l2 (pid: 15413, ti=
e2fd9000 task=
ebe44000 task.ti=
e2fd9000)
Stack: 
f8c0c6ae e2ff2a00 00000d00 e2fd9ec4 ebc4e000 e2fd9d5c f8c0c448 00000000
       f899c12a e2fd9d5c f899c154 e2fd9d68 e2fd9d80 c0560185 e2fd9d88 f8f3e1d8
       f8f3e1dc ebc4e034 f8f3e18c e2fd9ec4 00000000 e2fd9d90 f899c286 c008561c
Call Trace:
 [<
f8c0c6ae>] ? chip_command+0x266/0x4b6 [tvaudio]
 [<
f8c0c448>] ? chip_command+0x0/0x4b6 [tvaudio]
 [<
f899c12a>] ? i2c_cmd+0x0/0x2f [i2c_core]
 [<
f899c154>] ? i2c_cmd+0x2a/0x2f [i2c_core]
 [<
c0560185>] ? device_for_each_child+0x21/0x49
 [<
f899c286>] ? i2c_clients_command+0x1c/0x1e [i2c_core]
 [<
f8f283d8>] ? bttv_call_i2c_clients+0x14/0x16 [bttv]
 [<
f8f23601>] ? bttv_s_ctrl+0x1bc/0x313 [bttv]
 [<
f8f23445>] ? bttv_s_ctrl+0x0/0x313 [bttv]
 [<
f8b6096d>] ? __video_do_ioctl+0x1f84/0x3726 [videodev]
 [<
c05abb4e>] ? sock_aio_write+0x100/0x10d
 [<
c041b23e>] ? kmap_atomic_prot+0x1dd/0x1df
 [<
c043a0c9>] ? enqueue_hrtimer+0xc2/0xcd
 [<
c04f4fa4>] ? copy_from_user+0x39/0x121
 [<
f8b622b9>] ? __video_ioctl2+0x1aa/0x24a [videodev]
 [<
c04054fd>] ? do_notify_resume+0x768/0x795
 [<
c043c0f7>] ? getnstimeofday+0x34/0xd1
 [<
c0437b77>] ? autoremove_wake_function+0x0/0x33
 [<
f8b62368>] ? video_ioctl2+0xf/0x13 [videodev]
 [<
c048c6f0>] ? vfs_ioctl+0x50/0x69
 [<
c048c942>] ? do_vfs_ioctl+0x239/0x24c
 [<
c048c995>] ? sys_ioctl+0x40/0x5b
 [<
c0405bf2>] ? syscall_call+0x7/0xb
 [<
c0620000>] ? cpuid4_cache_sysfs_exit+0x3d/0x69
 =======================
Code:  Bad EIP value.
EIP: [<
00000000>] 0x0 SS:ESP 0068:
e2fd9d2c
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Al Viro [Sun, 16 Nov 2008 22:19:10 +0000 (22:19 +0000)]
 
Fix broken ownership of /proc/sys/ files
commit 
5c06fe772da43db63b053addcd2c267f76d0be91 upstream.
D'oh...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Reported-and-tested-by: Peter Palfrader <peter@palfrader.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Eric Dumazet [Tue, 11 Nov 2008 05:43:08 +0000 (21:43 -0800)]
 
net: fix /proc/net/snmp as memory corruptor
commit 
b971e7ac834e9f4bda96d5a96ae9abccd01c1dd8 upstream.
icmpmsg_put() can happily corrupt kernel memory, using a static
table and forgetting to reset an array index in a loop.
Remove the static array since its not safe without proper locking.
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Matthew Garrett [Wed, 29 Oct 2008 21:01:03 +0000 (14:01 -0700)]
 
sony-laptop: ignore missing _DIS method on pic device
commit 
6158d3a2323835546c7cf83a170316fa77b726e0 upstream.
At least the Vaio VGN-Z540N doesn't have this method, so let's not fail
to suspend just because it doesn't exist.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Acked-by: Mattia Dongili <malattia@linux.it>
Cc: Len Brown <lenb@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Steve Conklin <sconklin@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Francois Romieu [Sat, 13 Sep 2008 13:04:38 +0000 (15:04 +0200)]
 
r8169: select MII in Kconfig
commit 
b73724921d906d1642f9f6d054079c6b095903fe upstream.
drivers/built-in.o: In function `rtl8169_gset_xmii':
r8169.c:(.text+0x82259): undefined reference to `mii_ethtool_gset'
Signed-off-by: Hugh Dickins <hugh@veritas.com>
Acked-by: Francois Romieu <romieu@fr.zoreil.com>
Cc: Edward Hsu <edward_hsu@realtek.com.tw>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Gerald Schaefer [Thu, 6 Nov 2008 20:53:36 +0000 (12:53 -0800)]
 
memory hotplug: fix page_zone() calculation in test_pages_isolated()
commit 
a70dcb969f64e2fa98c24f47854f20bf02ff0092 upstream.
My last bugfix here (adding zone->lock) introduced a new problem: Using
page_zone(pfn_to_page(pfn)) to get the zone after the for() loop is wrong.
 pfn will then be >= end_pfn, which may be in a different zone or not
present at all.  This may lead to an addressing exception in page_zone()
or spin_lock_irqsave().
Now I use __first_valid_page() again after the loop to find a valid page
for page_zone().
Signed-off-by: Gerald Schaefer <gerald.schaefer@de.ibm.com>
Acked-by: Nathan Fontenot <nfont@austin.ibm.com>
Reviewed-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Elvis Pranskevichus [Wed, 10 Sep 2008 14:19:13 +0000 (10:19 -0400)]
 
Input: ALPS - add signature for DualPoint found in Dell Latitude E6500
commit 
0d46ed1c747edfe6476961d4d9f732ceb7a29074 upstream.
Signed-off-by: Elvis Pranskevichus <el@prans.net>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Kumar Gala [Tue, 28 Oct 2008 18:01:39 +0000 (18:01 +0000)]
 
powerpc/mpic: Fix regression caused by change of default IRQ affinity
commit 
3c10c9c45e290022ca7d2aa1ad33a0b6ed767520 upstream.
The Freescale implementation of MPIC only allows a single CPU destination
for non-IPI interrupts.  We add a flag to the mpic_init to distinquish
these variants of MPIC.  We pull in the irq_choose_cpu from sparc64 to
select a single CPU as the destination of the interrupt.
This is to deal with the fact that the default smp affinity was
changed by commit 
18404756765c713a0be4eb1082920c04822ce588 ("genirq:
Expose default irq affinity mask (take 3)") to be all CPUs.
Signed-off-by: Kumar Gala <galak@kernel.crashing.org>
Signed-off-by: Paul Mackerras <paulus@samba.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
FUJITA Tomonori [Wed, 12 Nov 2008 06:03:54 +0000 (11:33 +0530)]
 
block: fix nr_phys_segments miscalculation bug
commit 
8677142710516d986d932d6f1fba7be8382c1fec upstream
backported by Nikanth Karthikesan <knikanth@suse.de> to the 2.6.27.y tree.
block: fix nr_phys_segments miscalculation bug
This fixes the bug reported by Nikanth Karthikesan <knikanth@suse.de>:
http://lkml.org/lkml/2008/10/2/203
The root cause of the bug is that blk_phys_contig_segment
miscalculates q->max_segment_size.
blk_phys_contig_segment checks:
req->biotail->bi_size + next_req->bio->bi_size > q->max_segment_size
But blk_recalc_rq_segments might expect that req->biotail and the
previous bio in the req are supposed be merged into one
segment. blk_recalc_rq_segments might also expect that next_req->bio
and the next bio in the next_req are supposed be merged into one
segment. In such case, we merge two requests that can't be merged
here. Later, blk_rq_map_sg gives more segments than it should.
We need to keep track of segment size in blk_recalc_rq_segments and
use it to see if two requests can be merged. This patch implements it
in the similar way that we used to do for hw merging (virtual
merging).
Signed-off-by: FUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
Cc: Nikanth Karthikesan <knikanth@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jonathan McDowell [Sat, 13 Sep 2008 16:08:31 +0000 (17:08 +0100)]
 
kbuild: Fixup deb-pkg target to generate separate firmware deb
commit 
bf1b36445dc868cbbde194aa1dd87e38fe24cf16 upstream.
The below is a simplistic fix for "make deb-pkg"; it splits the
firmware out to a linux-firmware-image package and adds an
(unversioned) Suggests to the linux package for this firmware.
Signed-Off-By: Jonathan McDowell <noodles@earth.li>
Acked-by: Frans Pop <elendil@planet.nl>
Signed-off-by: Sam Ravnborg <sam@ravnborg.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Bob Jolliffe [Wed, 12 Nov 2008 20:16:59 +0000 (20:16 +0000)]
 
rtl8187 : support for Sitecom WL-168 0001 v4
commit 
f3c769185a28b7947d97b3552a977102c1fac3f2 upstream.
the Sitecom 0001 v4 with product id 0x0df6:0028, uses Realtek's
RTL8187B and work fine with new 2.6.27 driver.
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Ivan Kuten [Tue, 11 Nov 2008 01:39:25 +0000 (19:39 -0600)]
 
rtl8187: Add Abocom USB ID
commit 
8f7c41d4cec91cdbfa89b4a77d5a628938875366 upstream.
Signed-off-by: Ivan Kuten <ivan.kuten@promwad.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Adam Litke [Wed, 12 Nov 2008 21:24:56 +0000 (13:24 -0800)]
 
hugetlb: make unmap_ref_private multi-size-aware
commit 
7526674de0c921e7f1e9b6f71a1f9d832557b554 upstream.
Oops.  Part of the hugetlb private reservation code was not fully
converted to use hstates.
When a huge page must be unmapped from VMAs due to a failed COW,
HPAGE_SIZE is used in the call to unmap_hugepage_range() regardless of
the page size being used.  This works if the VMA is using the default
huge page size.  Otherwise we might unmap too much, too little, or
trigger a BUG_ON.  Rare but serious -- fix it.
Signed-off-by: Adam Litke <agl@us.ibm.com>
Cc: Jon Tollefson <kniht@linux.vnet.ibm.com>
Cc: Mel Gorman <mel@csn.ul.ie>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alan Jenkins [Sat, 1 Nov 2008 11:05:26 +0000 (11:05 +0000)]
 
ACPI: EC: make kernel messages more useful when GPE storm is detected
commit 
f8248434e6a11d7cd314281be3b39bbcf82fc243 upstream.
Make sure we can tell if the GPE storm workaround gets activated,
and avoid flooding the logs afterwards.
http://bugzilla.kernel.org/show_bug.cgi?id=11841
"plenty of line "ACPI: EC: non-query interrupt received,
 switching to interrupt mode" in dmesg"
Signed-off-by: Alan Jenkins <alan-jenkins@tuffmail.co.uk>
Acked-by: Alexey Starikovskiy <astarikovskiy@suse.de>
Signed-off-by: Len Brown <len.brown@intel.com>
Cc: Rafael J. Wysocki <rjw@sisk.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Peter Gruber [Tue, 28 Oct 2008 03:59:36 +0000 (23:59 -0400)]
 
ACPI: avoid empty file name in sysfs
commit 
4feba70a2c1a1a0c96909f657f48b2e11e682370 upstream.
Since commit 
bc45b1d39a925b56796bebf8a397a0491489d85c acpi tables are
allowed to have an empty signature and /sys/firmware/acpi/tables uses the
signature as filename.  Applications using naive recursion through /sys
loop forever.  A possible solution would be: (replacing the zero length
filename with the string "NULL")
http://bugzilla.kernel.org/show_bug.cgi?id=11539
Acked-by: Zhang Rui <rui.zhang@intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Johannes Berg [Wed, 12 Nov 2008 21:54:22 +0000 (16:54 -0500)]
 
hostap: pad the skb->cb usage in lieu of a proper fix
commit 
f7cd168645dda3e9067f24fabbfa787f9a237488 upstream.
Like mac80211 did, this driver makes 'clever' use of skb->cb to pass
information along with an skb as it is requeued from the virtual device
to the physical wireless device.  Unfortunately, that trick no longer
works...
Unlike mac80211, code complexity and driver apathy makes this hack
the best option we have in the short run.  Hopefully someone will
eventually be motivated to code a proper fix before all the effected
hardware dies.
(Above text by me.  Johannes officially disavows all knowledge of this
hack. -- JWL)
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Darrick J. Wong [Wed, 12 Nov 2008 21:25:00 +0000 (13:25 -0800)]
 
Fix platform drivers that crash on suspend/resume
commit 
fe2d5ffc74a1de6a31e9fd65b65cce72d881edf7 upstream.
It turns out that if one registers a struct platform_device, the
platform device code expects that platform_device.device->driver points
to a struct driver inside a struct platform_driver.
This is not the case with the ipmi-si, ipmi-msghandler and ibmaem
drivers, which causes the suspend/resume hook functions to jump off into
nowhere, causing a crash.  Make this assumption hold true for these
three drivers.
Signed-off-by: Darrick J. Wong <djwong@us.ibm.com>
Acked-by: Corey Minyard <cminyard@mvista.com>
Cc: Jean Delvare <khali@linux-fr.org>
Cc: Kay Sievers <kay.sievers@vrfy.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Nicolas Pitre [Sat, 8 Nov 2008 20:15:53 +0000 (21:15 +0100)]
 
ARM: 5329/1: Feroceon: fix feroceon_l2_inv_range
commit 
72bc2b1ad62f4d2f0a51b35829093d41f55accce upstream.
Same fix as commit 
c7cf72dcadb: when 'start' and 'end' are less than a
cacheline apart and 'start' is unaligned we are done after cleaning and
invalidating the first cacheline.
Signed-off-by: Nicolas Pitre <nico@marvell.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Eilon Greenstein [Tue, 4 Nov 2008 00:46:40 +0000 (16:46 -0800)]
 
bnx2x: Calling netif_carrier_off at the end of the probe
commit 
12b56ea89e70d4b04f2f5199750310e82894ebbd upstream.
netif_carrier_off was called too early at the probe. In case of failure
or simply bad timing, this can cause a fatal error since linkwatch_event
might run too soon.
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Alex Chiang <achiang@hp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Eilon Greenstein [Tue, 4 Nov 2008 00:46:19 +0000 (16:46 -0800)]
 
bnx2x: PCI configuration bug on big-endian
commit 
7d96567ac0527703cf1b80043fc0ebd7f21a10ad upstream.
The current code read nothing but zeros on big-endian (wrong part of the
32bits). This caused poor performance on big-endian machines. Though this
issue did not cause the system to crash, the performance is significantly
better with the fix so I view it as critical bug fix.
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Alex Chiang <achiang@hp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Eilon Greenstein [Tue, 4 Nov 2008 00:45:55 +0000 (16:45 -0800)]
 
bnx2x: Removing the PMF indication when unloading
commit 
9a0354405feb0f8bd460349a93db05e4cca8d166 upstream.
When the PMF flag is set, the driver can access the HW freely. When the
driver is unloaded, it should not access the HW. The problem caused fatal
errors when "ethtool -i" was called after the calling instance was unloaded
and another instance was already loaded
Signed-off-by: Eilon Greenstein <eilong@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Alex Chiang <achiang@hp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Elias Oltmanns [Wed, 12 Nov 2008 10:30:10 +0000 (11:30 +0100)]
 
ath5k: Fix reset sequence for AR5212 in general and RF5111 in particular
commit 
7d19267b8d1e12c0baebf9be96e04cddffe63f67 upstream
Take care to handle register 0xa228 exactly as in the HAL released by
Atheros. This change is required to make ath5k work again on my system
since commit 
2203d6be (ath5k: Misc hw_reset updates), thus fixing a
regression in 2.6.27 and therefore hopefully eligible for inclusion into
a stable release.
v2: Only overwrite initial register values on later revisions of AR5212
    chips.
v3: Use standard macros to manipulate the register.
Signed-off-by: Elias Oltmanns <eo@nebensachen.de>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Elias Oltmanns [Wed, 12 Nov 2008 10:28:39 +0000 (11:28 +0100)]
 
ath5k: fix suspend-related oops on rmmod
Cumulative patch backporting the following two commits from upstream:
commit 
8bdd5b9c6bd53add260756b6673a0545fbdbba21 upstream
Author: Bob Copeland <me@bobcopeland.com>
Based on a patch by Elias Oltmanns, we call ath5k_init in resume even
if we didn't previously open the device.  Besides starting up the
device unnecessarily, this also causes an oops on rmmod because
mac80211 will not invoke ath5k_stop and softirqs are left running after
the module has been unloaded.  Add a new state bit, ATH_STAT_STARTED,
to indicate that we have been started up.
commit 
bc1b32d6bdd2d6f3fbee9a7c01c9b099f11c579c upstream
Author: Elias Oltmanns <eo@nebensachen.de>
After a s2ram / resume cycle, resetting the key cache does not work
unless it is deferred until after the hardware has been reinitialised by
a call to ath5k_hw_reset(). This fixes a regression introduced by
"ath5k: fix suspend-related oops on rmmod".
Reported-by: Toralf Förster <toralf.foerster@gmx.de>
Signed-off-by: Elias Oltmanns <eo@nebensachen.de>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
John W. Linville [Thu, 30 Oct 2008 18:12:21 +0000 (14:12 -0400)]
 
iwlagn: avoid sleep in softirq context
commit 
964d2777438bf7687324243d38ade538d9bbfe3c upstream.
__ieee80211_tasklet_handler -> __ieee80211_rx ->
	__ieee80211_rx_handle_packet -> ieee80211_invoke_rx_handlers ->
	ieee80211_rx_h_decrypt -> ieee80211_crypto_tkip_decrypt ->
	ieee80211_tkip_decrypt_data -> iwl4965_mac_update_tkip_key ->
	iwl_scan_cancel_timeout -> msleep
Ooops!
Avoid the sleep by changing iwl_scan_cancel_timeout with
iwl_scan_cancel and simply returning on failure if the scan persists.
This will cause hardware decryption to fail and we'll handle a few more
frames with software decryption.
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Cc: Holger Macht <hmacht@novell.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dan Williams [Sat, 27 Sep 2008 02:01:20 +0000 (19:01 -0700)]
 
touch_mnt_namespace when the mount flags change
commit 
0e55a7cca4b66f625d67b292f80b6a976e77c51b upstream
Daemons that need to be launched while the rootfs is read-only can now
poll /proc/mounts to be notified when their O_RDWR requests may no
longer end in EROFS.
Cc: Kay Sievers <kay.sievers@vrfy.org>
Cc: Neil Brown <neilb@suse.de>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Greg Kroah-Hartman [Thu, 13 Nov 2008 17:56:21 +0000 (09:56 -0800)]
 
Linux 2.6.27.6
Jiri Kosina [Tue, 11 Nov 2008 22:45:38 +0000 (23:45 +0100)]
 
HID: fix incorrent length condition in hidraw_write()
upstream commit 
2b107d629dc0c35de606bb7b010b829cd247a93a
From: Jiri Kosina <jkosina@suse.cz>
The bound check on the buffer length
	if (count > HID_MIN_BUFFER_SIZE)
is of course incorrent, the proper check is
	if (count > HID_MAX_BUFFER_SIZE)
Fix it.
Reported-by: Jerry Ryle <jerry@mindtribe.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Cc: Paul Stoffregen <paul@pjrc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Eric Sesterhenn [Thu, 16 Oct 2008 05:04:11 +0000 (22:04 -0700)]
 
hfs: fix namelength memory corruption (CVE-2008-5025)
commit 
d38b7aa7fc3371b52d036748028db50b585ade2e upstream
Fix a stack corruption caused by a corrupted hfs filesystem.  If the
catalog name length is corrupted the memcpy overwrites the catalog btree
structure.  Since the field is limited to HFS_NAMELEN bytes in the
structure and the file format, we throw an error if it is too long.
Cc: Roman Zippel <zippel@linux-m68k.org>
Signed-off-by: Eric Sesterhenn <snakebyte@gmx.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Pierre Ossman [Sun, 26 Oct 2008 11:37:25 +0000 (12:37 +0100)]
 
mmc: increase SD write timeout for crappy cards
commit 
493890e75d98810a3470b4aae23be628ee5e9667 upstream.
It seems that some cards are slightly out of spec and occasionally
will not be able to complete a write in the alloted 250 ms [1].
Incease the timeout slightly to allow even these cards to function
properly.
[1] http://lkml.org/lkml/2008/9/23/390
Signed-off-by: Pierre Ossman <drzeus@drzeus.cx>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Rafael J. Wysocki [Sat, 8 Nov 2008 12:53:33 +0000 (13:53 +0100)]
 
Fix __pfn_to_page(pfn) for CONFIG_DISCONTIGMEM=y
commit 
c5d712433ff57a66d8fb79a57a4fc7a7c3467b97 upstream
Fix the __pfn_to_page(pfn) macro so that it doesn't evaluate its
argument twice in the CONFIG_DISCONTIGMEM=y case, because 'pfn' may
be a result of a funtion call having side effects.
For example, the hibernation code applies pfn_to_page(pfn) to the
result of a function returning the pfn corresponding to the next set
bit in a bitmap and the current bit position is modified on each
call.  This leads to "interesting" failures for CONFIG_DISCONTIGMEM=y
due to the current behavior of __pfn_to_page(pfn).
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Acked-by: Pavel Machek <pavel@suse.cz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Matthew Ranostay [Wed, 5 Nov 2008 07:40:59 +0000 (08:40 +0100)]
 
ALSA: hda: make a STAC_DELL_EQ option
commit 
6b3ab21ef1ac15db4b053ce0ba8eae0ef9361c8a upstream.
Add support for explicitly enabling the EQ distortion hack for
systems without software biquad support.
Signed-off-by: Matthew Ranostay <mranostay@embeddedalley.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Tejun Heo [Tue, 4 Nov 2008 08:08:40 +0000 (17:08 +0900)]
 
libata: fix last_reset timestamp handling
commit 
19b723218bde79c60a394a3caee9eb156ac2d356 upstream
ehc->last_reset is used to ensure that resets are not issued too
close to each other.  It's initialized to jiffies minus one minute
on EH entry.  However, when new links are initialized after PMP is
probed, new links have zero for this timestamp resulting in long wait
depending on the current jiffies.
This patch makes last_set considered iff ATA_EHI_DID_RESET is set, in
which case last_reset is always initialized.  As an added precaution,
WARN_ON() is added so that warning is printed if last_reset is
in future.
This problem is spotted and debugged by Shane Huang.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Shane Huang <Shane.Huang@amd.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
David Howells [Mon, 10 Nov 2008 19:00:05 +0000 (19:00 +0000)]
 
KEYS: Make request key instantiate the per-user keyrings
commit 
1f8f5cf6e4f038552a3e47b66085452c08556d71 upstream
Make request_key() instantiate the per-user keyrings so that it doesn't oops
if it needs to get hold of the user session keyring because there isn't a
session keyring in place.
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Steve French <smfrench@gmail.com>
Tested-by: Rutger Nijlunsing <rutger.nijlunsing@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dmitry Baryshkov [Thu, 9 Oct 2008 15:58:13 +0000 (16:58 +0100)]
 
ARM: 5300/1: fixup spitz reset during boot
commit 
69fc7eed5f56bce15b239e5110de2575a6970df4 upstream
Some machines don't have the pullup/down on their reset
pin, so configuring the reset generating pin as input makes
them reset immediately. Fix that by making reset pin direction
configurable.
This fixes the boot problem on Sharp Zaurus c3000
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Pavel Machek <pavel@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>