24 May, 2011
22 commits
-
Commit c23a103f0d9c2560c6839ed366feebec4cd5e556 wrongly introduced
references to the unified firmware file "phanfw.bin", which is not
supported by netxen in 2.6.32. The driver reports this filename when
loading firmware from flash, and includes a MODULE_FIRMWARE hint for
the filename even though it will never use it.Signed-off-by: Ben Hutchings
Signed-off-by: Greg Kroah-Hartman -
commit ebde6f8acba92abfc203585198a54f47e83e2cd0 upstream.
During initialization of vmxnet3, the state of LRO
gets out of sync with netdev->features.This leads to very poor TCP performance in a IP forwarding
setup and is hitting many VMware users.Simplified call sequence:
1. vmxnet3_declare_features() initializes "adapter->lro" to true.2. The kernel automatically disables LRO if IP forwarding is enabled,
so vmxnet3_set_flags() gets called. This also updates netdev->features.3. Now vmxnet3_setup_driver_shared() is called. "adapter->lro" is still
set to true and LRO gets enabled again, even though
netdev->features shows it's disabled.Fix it by updating "adapter->lro", too.
The private vmxnet3 adapter flags are scheduled for removal
in net-next, see commit a0d2730c9571aeba793cb5d3009094ee1d8fda35
"net: vmxnet3: convert to hw_features".Patch applies to 2.6.37 / 2.6.38 and 2.6.39-rc6.
Please CC: comments.
Signed-off-by: Thomas Jarosch
Acked-by: Stephen Hemminger
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
commit 98cb7e4413d189cd2b54daf993a4667d9788c0bb upstream.
The ioc->sgl[i].iov_len value is supplied by the ioctl caller, and can be
zero in some cases. Assume that's valid and continue without error.Fixes (multiple individual reports of the same problem for quite a while):
http://marc.info/?l=linux-ide&m=128941801715301
http://bugs.debian.org/604627
http://www.mail-archive.com/linux-poweredge@dell.com/msg02575.htmlmegasas: Failed to alloc kernel SGL buffer for IOCTL
and
[ 69.162538] ------------[ cut here ]------------
[ 69.162806] kernel BUG at /build/buildd/linux-2.6.32/lib/swiotlb.c:368!
[ 69.163134] invalid opcode: 0000 [#1] SMP
[ 69.163570] last sysfs file: /sys/devices/system/cpu/cpu3/cache/index2/shared_cpu_map
[ 69.163975] CPU 0
[ 69.164227] Modules linked in: fbcon tileblit font bitblit softcursor vga16fb vgastate ioatdma radeon ttm drm_kms_helper shpchp drm i2c_algo_bit lp parport floppy pata_jmicron megaraid_sas igb dca
[ 69.167419] Pid: 1206, comm: smartctl Tainted: G W 2.6.32-25-server #45-Ubuntu X8DTN
[ 69.167843] RIP: 0010:[] [] map_single+0x255/0x260
[ 69.168370] RSP: 0018:ffff88081c0ebc58 EFLAGS: 00010246
[ 69.168655] RAX: 000000000003bffc RBX: 00000000ffffffff RCX: 0000000000000002
[ 69.169000] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88001dffe000
[ 69.169346] RBP: ffff88081c0ebcb8 R08: 0000000000000000 R09: ffff880000030840
[ 69.169691] R10: 0000000000100000 R11: 0000000000000000 R12: 0000000000000000
[ 69.170036] R13: 00000000ffffffff R14: 0000000000000001 R15: 0000000000200000
[ 69.170382] FS: 00007fb8de189720(0000) GS:ffff88001de00000(0000) knlGS:0000000000000000
[ 69.170794] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 69.171094] CR2: 00007fb8dd59237c CR3: 000000081a790000 CR4: 00000000000006f0
[ 69.171439] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 69.171784] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 69.172130] Process smartctl (pid: 1206, threadinfo ffff88081c0ea000, task ffff88081a760000)
[ 69.194513] Stack:
[ 69.205788] 0000000000000034 00000002817e3390 0000000000000000 ffff88081c0ebe00
[ 69.217739] 0000000000000000 000000000003bffc 0000000000000000 0000000000000000
[ 69.241250] 0000000000000000 00000000ffffffff ffff88081c5b4080 ffff88081c0ebe00
[ 69.277310] Call Trace:
[ 69.289278] [] swiotlb_alloc_coherent+0xec/0x130
[ 69.301118] [] x86_swiotlb_alloc_coherent+0x61/0x70
[ 69.313045] [] megasas_mgmt_fw_ioctl+0x1ae/0x690 [megaraid_sas]
[ 69.336399] [] megasas_mgmt_ioctl_fw+0x198/0x240 [megaraid_sas]
[ 69.359346] [] megasas_mgmt_ioctl+0x35/0x50 [megaraid_sas]
[ 69.370902] [] vfs_ioctl+0x22/0xa0
[ 69.382322] [] ? alloc_fd+0x10a/0x150
[ 69.393622] [] do_vfs_ioctl+0x81/0x410
[ 69.404696] [] ? do_page_fault+0x153/0x3b0
[ 69.415761] [] sys_ioctl+0x81/0xa0
[ 69.426640] [] system_call_fastpath+0x16/0x1b
[ 69.437491] Code: fe ff ff 48 8b 3d 74 38 76 00 41 bf 00 00 20 00 e8 51 f5 d7 ff 83 e0 ff 48 05 ff 07 00 00 48 c1 e8 0b 48 89 45 c8 e9 13 fe ff ff 0b eb fe 0f 1f 80 00 00 00 00 55 48 89 e5 48 83 ec 20 4c 89
[ 69.478216] RIP [] map_single+0x255/0x260
[ 69.489668] RSP
[ 69.500975] ---[ end trace 6a2181b634e2abc7 ]---Reported-by: Bokhan Artem
Reported by: Marc-Christian Petersen
Signed-off-by: Bjørn Mork
Cc: Michael Benz
Signed-off-by: James Bottomley
Signed-off-by: Greg Kroah-Hartman -
commit d9a5ac9ef306eb5cc874f285185a15c303c50009 upstream.
b may be added to a list, but is not removed before being freed
in the case of an error. This is done in the corresponding
deallocation function, so the code here has been changed to
follow that.The sematic match that finds this problem is as follows:
(http://coccinelle.lip6.fr/)//
@@
expression E,E1,E2;
identifier l;
@@*list_add(&E->l,E1);
... when != E1
when != list_del(&E->l)
when != list_del_init(&E->l)
when != E = E2
*kfree(E);//Signed-off-by: Julia Lawall
Cc: Borislav Petkov
Cc: Robert Richter
Cc: Yinghai Lu
Cc: Andreas Herrmann
Link: http://lkml.kernel.org/r/1305294731-12127-1-git-send-email-julia@diku.dk
Signed-off-by: Ingo Molnar
Signed-off-by: Greg Kroah-Hartman -
commit e503f9e4b092e2349a9477a333543de8f3c7f5d9 upstream.
This patch fixes a bug reported by a customer, who found
that many unreasonable error interrupts reported on all
non-boot CPUs (APs) during the system boot stage.According to Chapter 10 of Intel Software Developer Manual
Volume 3A, Local APIC may signal an illegal vector error when
an LVT entry is set as an illegal vector value (0~15) under
FIXED delivery mode (bits 8-11 is 0), regardless of whether
the mask bit is set or an interrupt actually happen. These
errors are seen as error interrupts.The initial value of thermal LVT entries on all APs always reads
0x10000 because APs are woken up by BSP issuing INIT-SIPI-SIPI
sequence to them and LVT registers are reset to 0s except for
the mask bits which are set to 1s when APs receive INIT IPI.When the BIOS takes over the thermal throttling interrupt,
the LVT thermal deliver mode should be SMI and it is required
from the kernel to keep AP's LVT thermal monitoring register
programmed as such as well.This issue happens when BIOS does not take over thermal throttling
interrupt, AP's LVT thermal monitor register will be restored to
0x10000 which means vector 0 and fixed deliver mode, so all APs will
signal illegal vector error interrupts.This patch check if interrupt delivery mode is not fixed mode before
restoring AP's LVT thermal monitor register.Signed-off-by: Youquan Song
Acked-by: Suresh Siddha
Acked-by: Yong Wang
Cc: hpa@linux.intel.com
Cc: joe@perches.com
Cc: jbaron@redhat.com
Cc: trenn@suse.de
Cc: kent.liu@intel.com
Cc: chaohong.guo@intel.com
Link: http://lkml.kernel.org/r/1303402963-17738-1-git-send-email-youquan.song@intel.com
Signed-off-by: Ingo Molnar
Signed-off-by: Greg Kroah-Hartman -
commit 07f4beb0b5bbfaf36a64aa00d59e670ec578a95a upstream.
The first cpu which switches from periodic to oneshot mode switches
also the broadcast device into oneshot mode. The broadcast device
serves as a backup for per cpu timers which stop in deeper
C-states. To avoid starvation of the cpus which might be in idle and
depend on broadcast mode it marks the other cpus as broadcast active
and sets the brodcast expiry value of those cpus to the next tick.The oneshot mode broadcast bit for the other cpus is sticky and gets
only cleared when those cpus exit idle. If a cpu was not idle while
the bit got set in consequence the bit prevents that the broadcast
device is armed on behalf of that cpu when it enters idle for the
first time after it switched to oneshot mode.In most cases that goes unnoticed as one of the other cpus has usually
a timer pending which keeps the broadcast device armed with a short
timeout. Now if the only cpu which has a short timer active has the
bit set then the broadcast device will not be armed on behalf of that
cpu and will fire way after the expected timer expiry. In the case of
Christians bug report it took ~145 seconds which is about half of the
wrap around time of HPET (the limit for that device) due to the fact
that all other cpus had no timers armed which expired before the 145
seconds timeframe.The solution is simply to clear the broadcast active bit
unconditionally when a cpu switches to oneshot mode after the first
cpu switched the broadcast device over. It's not idle at that point
otherwise it would not be executing that code.[ I fundamentally hate that broadcast crap. Why the heck thought some
folks that when going into deep idle it's a brilliant concept to
switch off the last device which brings the cpu back from that
state? ]Thanks to Christian for providing all the valuable debug information!
Reported-and-tested-by: Christian Hoffmann
Cc: John Stultz
Link: http://lkml.kernel.org/r/%3Calpine.LFD.2.02.1105161105170.3078%40ionos%3E
Signed-off-by: Thomas Gleixner
Signed-off-by: Greg Kroah-Hartman -
commit e05b2efb82596905ebfe88e8612ee81dec9b6592 upstream.
Christian Hoffmann reported that the command line clocksource override
with acpi_pm timer fails:Kernel command line: clocksource=acpi_pm
hpet clockevent registered
Switching to clocksource hpet
Override clocksource acpi_pm is not HRT compatible.
Cannot switch while in HRT/NOHZ mode.The watchdog code is what enables CLOCK_SOURCE_VALID_FOR_HRES, but we
actually end up selecting the clocksource before we enqueue it into
the watchdog list, so that's why we see the warning and fail to switch
to acpi_pm timer as requested. That's particularly bad when we want to
debug timekeeping related problems in early boot.Put the selection call last.
Reported-by: Christian Hoffmann
Signed-off-by: John Stultz
Link: http://lkml.kernel.org/r/%3C1304558210.2943.24.camel%40work-vm%3E
Signed-off-by: Thomas Gleixner
Signed-off-by: Greg Kroah-Hartman -
commit 14fb57dccb6e1defe9f89a66f548fcb24c374c1d upstream.
Trying to enable the local APIC timer on early K8 revisions
uncovers a number of other issues with it, in conjunction with
the C1E enter path on AMD. Fixing those causes much more churn
and troubles than the benefit of using that timer brings so
don't enable it on K8 at all, falling back to the original
functionality the kernel had wrt to that.Reported-and-bisected-by: Nick Bowler
Cc: Boris Ostrovsky
Cc: Andreas Herrmann
Cc: Greg Kroah-Hartman
Cc: Hans Rosenfeld
Cc: Nick Bowler
Cc: Joerg-Volker-Peetz
Signed-off-by: Borislav Petkov
Link: http://lkml.kernel.org/r/1305636919-31165-3-git-send-email-bp@amd64.org
Signed-off-by: Ingo Molnar
Signed-off-by: Greg Kroah-Hartman -
commit 328935e6348c6a7cb34798a68c326f4b8372e68a upstream.
This reverts commit e20a2d205c05cef6b5783df339a7d54adeb50962, as it crashes
certain boxes with specific AMD CPU models.Moving the lower endpoint of the Erratum 400 check to accomodate
earlier K8 revisions (A-E) opens a can of worms which is simply
not worth to fix properly by tweaking the errata checking
framework:* missing IntPenging MSR on revisions < CG cause #GP:
http://marc.info/?l=linux-kernel&m=130541471818831
* makes earlier revisions use the LAPIC timer instead of the C1E
idle routine which switches to HPET, thus not waking up in
deeper C-states:http://lkml.org/lkml/2011/4/24/20
Therefore, leave the original boundary starting with K8-revF.
Signed-off-by: Ingo Molnar
Signed-off-by: Greg Kroah-Hartman -
commit 221d1d797202984cb874e3ed9f1388593d34ee22 upstream.
The is_path_accessible check uses a QPathInfo call, which isn't
supported by ancient win9x era servers. Fall back to an older
SMBQueryInfo call if it fails with the magic error codes.Reported-and-Tested-by: Sandro Bonazzola
Signed-off-by: Jeff Layton
Signed-off-by: Steve French
Signed-off-by: Greg Kroah-Hartman -
commit cf7e032fc87d59c475df26c4d40bf45d401b2adb upstream.
Changeset b6114794a1c394534659f4a17420e48cf23aa922 ("zorro8390: convert to
net_device_ops") broke zorro8390 by adding 8390.o to the link. That
meant that lib8390.c was included twice, once in zorro8390.c and once in
8390.c, subject to different macros. This patch reverts that by
avoiding the wrappers in 8390.c.Fix based on commits 217cbfa856dc1cbc2890781626c4032d9e3ec59f ("mac8390:
fix regression caused during net_device_ops conversion") and
4e0168fa4842e27795a75b205a510f25b62181d9 ("mac8390: fix build with
NET_POLL_CONTROLLER").Reported-by: Christian T. Steigies
Suggested-by: Finn Thain
Signed-off-by: Geert Uytterhoeven
Tested-by: Christian T. Steigies
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
commit 2ae1b8b35faba31a59b153cbad07f9c15de99740 upstream.
We occasionally see list corruption using libertas.
While we haven't been able to diagnose this precisely, we have spotted
a possible cause: cmdpendingq is generally modified with driver_lock
held. However, there are a couple of points where this is not the case.Fix up those operations to execute under the lock, it seems like
the correct thing to do and will hopefully improve the situation.Signed-off-by: Paul Fox
Signed-off-by: Daniel Drake
Acked-by: Dan Williams
Signed-off-by: John W. Linville
Signed-off-by: Greg Kroah-Hartman -
commit 0b25e0157dfa236a0629c16c8ad6f222f633f682 upstream.
Changeset 5618f0d1193d6b051da9b59b0e32ad24397f06a4 ("hydra: convert to
net_device_ops") broke hydra by adding 8390.o to the link. That
meant that lib8390.c was included twice, once in hydra.c and once in
8390.c, subject to different macros. This patch reverts that by
avoiding the wrappers in 8390.c.Fix based on commits 217cbfa856dc1cbc2890781626c4032d9e3ec59f ("mac8390:
fix regression caused during net_device_ops conversion") and
4e0168fa4842e27795a75b205a510f25b62181d9 ("mac8390: fix build with
NET_POLL_CONTROLLER").Signed-off-by: Geert Uytterhoeven
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
commit 2592a7354092afd304a8c067319b15ab1e441e35 upstream.
Changeset dcd39c90290297f6e6ed8a04bb20da7ac2b043c5 ("ne-h8300: convert to
net_device_ops") broke ne-h8300 by adding 8390.o to the link. That
meant that lib8390.c was included twice, once in ne-h8300.c and once in
8390.c, subject to different macros. This patch reverts that by
avoiding the wrappers in 8390.c.Fix based on commits 217cbfa856dc1cbc2890781626c4032d9e3ec59f ("mac8390:
fix regression caused during net_device_ops conversion") and
4e0168fa4842e27795a75b205a510f25b62181d9 ("mac8390: fix build with
NET_POLL_CONTROLLER").Signed-off-by: Geert Uytterhoeven
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
commit 057bef938896e6266ae24ec4266d24792d27c29a upstream.
TTY layer expects 0 if the ldisc->open operation succeeded.
Signed-off-by : Matvejchikov Ilya
Acked-by: Oliver Hartkopp
Acked-by: Alan Cox
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
commit dcbe14b91a920657ff3a9ba0efb7c5b5562f956a upstream.
Currently EHEA reports to ethtool as supporting 10M, 100M, 1G and
10G and connected to FIBRE independent of the hardware configuration.
However, when connected to FIBRE the only supported speed is 10G
full-duplex, and the other speeds and modes are only supported
when connected to twisted pair.Signed-off-by: Kleber Sacilotto de Souza
Acked-by: Breno Leitao
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
Currently with 2.6.32-longterm, its possible for time() to occasionally
return values one second earlier then the previous time() call.This happens because update_xtime_cache() does:
xtime_cache = xtime;
timespec_add_ns(&xtime_cache, nsec);Its possible that xtime is 1sec,999msecs, and nsecs is 1ms, resulting in
a xtime_cache that is 2sec,0ms.get_seconds() (which is used by sys_time()) does not take the
xtime_lock, which is ok as the xtime.tv_sec value is a long and can be
atomically read safely.The problem occurs the next call to update_xtime_cache() if xtime has
not increased:
/* This sets xtime_cache back to 1sec, 999msec */
xtime_cache = xtime;
/* get_seconds, calls here, and sees a 1second inconsistency */
timespec_add_ns(&xtime_cache, nsec);In order to resolve this, we could add locking to get_seconds(), but it
needs to be lock free, as it is called from the machine check handler,
opening a possible deadlock.So instead, this patch introduces an intermediate value for the
calculations, so that we only assign xtime_cache once with the correct
time, using ACCESS_ONCE to make sure the compiler doesn't optimize out
any intermediate values.The xtime_cache manipulations were removed with 2.6.35, so that kernel
and later do not need this change.In 2.6.33 and 2.6.34 the logarithmic accumulation should make it so
xtime is updated each tick, so it is unlikely that two updates to
xtime_cache could occur while the difference between xtime and
xtime_cache crosses the second boundary. However, the paranoid might
want to pull this into 2.6.33/34-longterm just to be sure.Thanks to Stephen for helping finally narrow down the root cause and
many hours of help with testing and validation. Also thanks to Max,
Andi, Eric and Paul for review of earlier attempts and helping clarify
what is possible with regard to out of order execution.Acked-by: Eric Dumazet
Signed-off-by: John Stultz
Signed-off-by: Greg Kroah-Hartman -
commit 4906e50b37e6f6c264e7ee4237343eb2b7f8d16d upstream.
While password processing we can get out of options array bound if
the next character after array is delimiter. The patch adds a check
if we reach the end.Signed-off-by: Pavel Shilovsky
Reviewed-by: Jeff Layton
Signed-off-by: Steve French
Signed-off-by: Greg Kroah-Hartman -
commit a294865978b701e4d0d90135672749531b9a900d upstream.
A length of zero (after subtracting two for the type and len fields) for
the DCCPO_{CHANGE,CONFIRM}_{L,R} options will cause an underflow due to
the subtraction. The subsequent code may read past the end of the
options value buffer when parsing. I'm unsure of what the consequences
of this might be, but it's probably not good.Signed-off-by: Dan Rosenberg
Acked-by: Gerrit Renker
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
commit fa039d5f6b126fbd65eefa05db2f67e44df8f121 upstream.
Otherwise corrupted EFI partition tables can cause total confusion.
Signed-off-by: Timo Warns
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman -
commit fcda7f4578bbf9717444ca6da8a421d21489d078 upstream.
It's possible that when we go to decode the string area in the
SESSION_SETUP response, that bytes_remaining will be 0. Decrementing it at
that point will mean that it can go "negative" and wrap. Check for a
bytes_remaining value of 0, and don't try to decode the string area if
that's the case.Reported-and-Acked-by: David Howells
Signed-off-by: Jeff Layton
Signed-off-by: Steve French
Signed-off-by: Greg Kroah-Hartman
10 May, 2011
18 commits
-
commit c055f5b2614b4f758ae6cc86733f31fa4c2c5844 upstream.
The recent commit closing the race window in device teardown:
commit 86cbfb5607d4b81b1a993ff689bbd2addd5d3a9b
Author: James Bottomley
Date: Fri Apr 22 10:39:59 2011 -0500[SCSI] put stricter guards on queue dead checks
is causing a potential NULL deref in scsi_run_queue() because the
q->queuedata may already be NULL by the time this function is called.
Since we shouldn't be running a queue that is being torn down, simply
add a NULL check in scsi_run_queue() to forestall this.Tested-by: Jim Schutt
Signed-off-by: James Bottomley
Signed-off-by: Greg Kroah-Hartman -
commit 10022a6c66e199d8f61d9044543f38785713cbbd upstream.
v2: added space after 'if' according code style.
We can get here with a NULL socket argument passed from userspace,
so we need to handle it accordingly.Thanks to Dave Jones pointing at this issue in net/can/bcm.c
Signed-off-by: Oliver Hartkopp
Signed-off-by: David S. Miller
Cc: Chuck Ebbert
Signed-off-by: Greg Kroah-Hartman -
(backported from commit 28e4639adf0c9f26f6bb56149b7ab547bf33bb95)
If preempted after kvmclock values are updated, but before hardware
virtualization is entered, the last tsc time as read by the guest is
never set. It underflows the next time kvmclock is updated if there
has not yet been a successful entry / exit into hardware virt.Fix this by simply setting last_tsc to the newly read tsc value so
that any computed nsec advance of kvmclock is nulled.Signed-off-by: Zachary Amsden
Signed-off-by: Marcelo TosattiBugLink: http://bugs.launchpad.net/bugs/714335
Signed-off-by: Serge E. Hallyn
Reviewed-by: Stefan Bader
Signed-off-by: Greg Kroah-Hartman -
(backported from commit 1d5f066e0b63271b67eac6d3752f8aa96adcbddb)
Kernel time, which advances in discrete steps may progress much slower
than TSC. As a result, when kvmclock is adjusted to a new base, the
apparent time to the guest, which runs at a much higher, nsec scaled
rate based on the current TSC, may have already been observed to have
a larger value (kernel_ns + scaled tsc) than the value to which we are
setting it (kernel_ns + 0).We must instead compute the clock as potentially observed by the guest
for kernel_ns to make sure it does not go backwards.Signed-off-by: Zachary Amsden
Signed-off-by: Marcelo TosattiBugLink: http://bugs.launchpad.net/bugs/714335
Signed-off-by: Serge E. Hallyn
Reviewed-by: Stefan Bader
Signed-off-by: Greg Kroah-Hartman -
(cherry-picked from commit 347bb4448c2155eb2310923ccaa4be5677649003)
The scale_delta function for shift / multiply with 31-bit
precision moves to a common header so it can be used by both
kernel and kvm module.Signed-off-by: Zachary Amsden
Signed-off-by: Marcelo TosattiBugLink: http://bugs.launchpad.net/bugs/714335
Signed-off-by: Serge E. Hallyn
Signed-off-by: Greg Kroah-Hartman -
commit b25026981aecde3685dd0e45ad980fff9f528daa upstream.
Since
commit a120e912eb51e347f36c71b60a1d13af74d30e83
Author: Stanislaw Gruszka
Date: Fri Feb 19 15:47:33 2010 -0800iwlwifi: sanity check before counting number of tfds can be free
we use skb->data after calling ieee80211_tx_status_irqsafe(), which
could free skb instantly.On current kernels I do not observe practical problems related with
bug, but on 2.6.35.y it cause random system hangs when stressing
wireless link.Signed-off-by: Stanislaw Gruszka
Acked-by: Wey-Yi Guy
Signed-off-by: John W. Linville
Signed-off-by: Greg Kroah-Hartman -
commit ec95d35a6bd0047f05fe8a21e6c52f8bb418da55 upstream.
MUSB is a non-standard host implementation which
can handle all speeds with the same core. We need
to set has_tt flag after commit
d199c96d41d80a567493e12b8e96ea056a1350c1 (USB: prevent
buggy hubs from crashing the USB stack) in order for
MUSB HCD to continue working.Signed-off-by: Felipe Balbi
Cc: Alan Stern
Tested-by: Michael Jones
Tested-by: Alexander Holler
Signed-off-by: Greg Kroah-Hartman -
commit 729a6a300e628a48cf12bac93a964a535e83cd1d upstream.
ata_pio_sectors() expects buffer for each sector to be contained in a
single page; otherwise, it ends up overrunning the first page. This
is achieved by setting queue DMA alignment. If sector_size is smaller
than PAGE_SIZE and all buffers are sector_size aligned, buffer for
each sector is always contained in a single page.This wasn't applied to ATAPI devices but IDENTIFY_PACKET is executed
as ATA_PROT_PIO and thus uses ata_pio_sectors(). Newer versions of
udev issue IDENTIFY_PACKET with unaligned buffer triggering the
problem and causing oops.This patch fixes the problem by setting sdev->sector_size to
ATA_SECT_SIZE on ATATPI devices and always setting DMA alignment to
sector_size. While at it, add a warning for the unlikely but still
possible scenario where sector_size is larger than PAGE_SIZE, in which
case the alignment wouldn't be enough.Signed-off-by: Tejun Heo
Reported-by: John Stanley
Tested-by: John Stanley
Signed-off-by: Jeff Garzik
Signed-off-by: Jonathan Liu
Signed-off-by: Greg Kroah-Hartman -
commit e476a5a41ad67d0e2b4a652820c49a3923eb936b upstream.
Fix unbalanced call to sdio_release_host() on the error path.
Signed-off-by: Guennadi Liakhovetski
Acked-by: Larry Finger
Signed-off-by: John W. Linville
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Andi Kleen
Signed-off-by: Greg Kroah-Hartman -
commit 46814e08d80f87449b5adb3d549a3cae6f9f8148 upstream.
My conversion of tehuti to use request_firmware() was confused about
the filename of the firmware blob. Change the driver to match the
blob.Signed-off-by: Ben Hutchings
Signed-off-by: Andy Gospodarek
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman -
commit a55ab496ea9c820b7192c15ef1fbf3291edfe638 upstream.
When writing a disc on certain lite-on dvd-writers (also rebadged
as optiarc/LG/...) connected to a vt6420, the ATAPI CDB ends
up in the datastream and on the disc, causing silent corruption.
Delaying between sending the CDB and starting DMA seems to
prevent this.I do not know if there are burners that do not suffer from
this, but the patch should be safe for those as well.There are many reports of this issue, but AFAICT no solution was
found before. For example:
http://lkml.indiana.edu/hypermail/linux/kernel/0802.3/0561.htmlSigned-off-by: Bart Hartgers
Signed-off-by: Jeff Garzik
[bwh: Remove version bump for 2.6.32]
Signed-off-by: Greg Kroah-Hartman -
commit 75f64dd54a185150ebfc45e99351c890d4a2252f upstream.
HW crypto in rt2500usb does not seem to support keys with different ciphers,
which breaks TKIP+AES mode. Fall back to software encryption to fix it.This should fix long-standing problems with rt2500usb and WPA, such as:
http://rt2x00.serialmonkey.com/phpBB/viewtopic.php?f=4&t=4834
https://bugzilla.redhat.com/show_bug.cgi?id=484888Also tested that it does not break WEP, TKIP-only and AES-only modes.
Signed-off-by: Ondrej Zary
Acked-by: Gertjan van Wingerde
Signed-off-by: John W. Linville
[bwh: Adjust context for 2.6.32]
Signed-off-by: Greg Kroah-Hartman -
commit 4d9ef89dee13e964ea8b064d82ff55cf36209237 upstream.
The dts-installed variable is initialised using a wildcard path that
will be expanded relative to the build directory. Use the existing
variable dtstree to generate an absolute wildcard path that will work
when building in a separate directory.Reported-by: Gerhard Pircher
Signed-off-by: Ben Hutchings
Tested-by: Gerhard Pircher [against 2.6.32]
Signed-off-by: Benjamin Herrenschmidt
Signed-off-by: Greg Kroah-Hartman -
[bwh: This is only applicable to 2.6.32. Phonet was fixed upstream to
work with multiple net namespaces.]This should really fix the OOPS when doing:
unshare(CLONE_NEWNET);
exit(0);while the phonet module is loaded.
Signed-off-by: Rémi Denis-Courmont
Signed-off-by: Greg Kroah-Hartman -
commit ee9c5cfad29c8a13199962614b9b16f1c4137ac9 upstream.
niu_get_ethtool_tcam_all() assumes that its output buffer is the right
size, and warns before returning if it is not. However, the output
buffer size is under user control and ETHTOOL_GRXCLSRLALL is an
unprivileged ethtool command. Therefore this is at least a local
denial-of-service vulnerability.Change it to check before writing each entry and to return an error if
the buffer is already full.Compile-tested only.
Signed-off-by: Ben Hutchings
Signed-off-by: David S. Miller
[Adjusted to apply to 2.6.32 by dann frazier ]
Signed-off-by: Greg Kroah-Hartman -
commit bb789d01620e5d36081b22edb6fb71cf55ff043c upstream.
scsi_dma_map() returns -1 if an error occurred (zero means that the
command has no data). So the following current code can't catch an
error:sges_left = scsi_dma_map(scmd);
if (!sges_left) {
sdev_printk(KERN_ERR, scmd->device, "pci_map_sg"
" failed: request for %d bytes!\n", scsi_bufflen(scmd));
return -ENOMEM;
}Signed-off-by: FUJITA Tomonori
Acked-by: "Kashyap Desai"
Signed-off-by: James Bottomley
Signed-off-by: Greg Kroah-Hartman -
commit 3b9c6c11f519718d618f5d7c9508daf78b207f6f upstream.
This only matters for ISA devices with a 24-bit DMA limit or for devices
with a 32-bit DMA limit on systems with ZONE_DMA32 enabled. The latter
currently only affects 32-bit PCI cards on Sibyte-based systems with more
than 1GB RAM installed.Signed-off-by: Ralf Baechle
Signed-off-by: Greg Kroah-Hartman
