- 07 Mar, 2011 40 commits
-
-
Greg Kroah-Hartman authored
-
Ian Campbell authored
commit d11327ad upstream. NETDEV_NOTIFY_PEER is an explicit request by the driver to send a link notification while NETDEV_UP/NETDEV_CHANGEADDR generate link notifications as a sort of side effect. In the later cases the sysctl option is present because link notification events can have undesired effects e.g. if the link is flapping. I don't think this applies in the case of an explicit request from a driver. This patch makes NETDEV_NOTIFY_PEER unconditional, if preferred we could add a new sysctl for this case which defaults to on. This change causes Xen post-migration ARP notifications (which cause switches to relearn their MAC tables etc) to be sent by default. Signed-off-by:
Ian Campbell <ian.campbell@citrix.com> Signed-off-by:
David S. Miller <davem@davemloft.net> [reported to solve hyperv live migration problem - gkh] Cc: Haiyang Zhang <haiyangz@microsoft.com> Cc: Mike Surcouf <mike@surcouf.co.uk> Cc: Hank Janssen <hjanssen@microsoft.com> Signed-off-by:
Greg Kroah-Hartman <gregkh@suse.de>
-
David Howells authored
commit 1362fa07 upstream. When a DNS resolver key is instantiated with an error indication, attempts to read that key will result in an oops because user_read() is expecting there to be a payload - and there isn't one [CVE-2011-1076]. Give the DNS resolver key its own read handler that returns the error cached in key->type_data.x[0] as an error rather than crashing. Also make the kenter() at the beginning of dns_resolver_instantiate() limit the amount of data it prints, since the data is not necessarily NUL-terminated. The buggy code was added in: commit 4a2d7892 Author: Wang Lei <wang840925@gmail.com> Date: Wed Aug 11 09:37:58 2010 +0100 Subject: DNS: If the DNS server returns an error, allow that to be cached [ver #2] This can trivially be reproduced by any user with the following program compiled with -lkeyutils: #include <stdlib.h> #include <keyutils.h> #include <err.h> static char payload[] = "#dnserror=6"; int main() { key_serial_t key; key = add_key("dns_resolver", "a", payload, sizeof(payload), KEY_SPEC_SESSION_KEYRING); if (key == -1) err(1, "add_key"); if (keyctl_read(key, NULL, 0) == -1) err(1, "read_key"); return 0; } What should happen is that keyctl_read() reports error 6 (ENXIO) to the user: dns-break: read_key: No such device or address but instead the kernel oopses. This cannot be reproduced with the 'keyutils add' or 'keyutils padd' commands as both of those cut the data down below the NUL termination that must be included in the data. Without this dns_resolver_instantiate() will return -EINVAL and the key will not be instantiated such that it can be read. The oops looks like: BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 IP: [<ffffffff811b99f7>] user_read+0x4f/0x8f PGD 3bdf8067 PUD 385b9067 PMD 0 Oops: 0000 [#1] SMP last sysfs file: /sys/devices/pci0000:00/0000:00:19.0/irq CPU 0 Modules linked in: Pid: 2150, comm: dns-break Not tainted 2.6.38-rc7-cachefs+ #468 /DG965RY RIP: 0010:[<ffffffff811b99f7>] [<ffffffff811b99f7>] user_read+0x4f/0x8f RSP: 0018:ffff88003bf47f08 EFLAGS: 00010246 RAX: 0000000000000001 RBX: ffff88003b5ea378 RCX: ffffffff81972368 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003b5ea378 RBP: ffff88003bf47f28 R08: ffff88003be56620 R09: 0000000000000000 R10: 0000000000000395 R11: 0000000000000002 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: ffffffffffffffa1 FS: 00007feab5751700(0000) GS:ffff88003e000000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000003de40000 CR4: 00000000000006f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process dns-break (pid: 2150, threadinfo ffff88003bf46000, task ffff88003be56090) Stack: ffff88003b5ea378 ffff88003b5ea3a0 0000000000000000 0000000000000000 ffff88003bf47f68 ffffffff811b708e ffff88003c442bc8 0000000000000000 00000000004005a0 00007fffba368060 0000000000000000 0000000000000000 Call Trace: [<ffffffff811b708e>] keyctl_read_key+0xac/0xcf [<ffffffff811b7c07>] sys_keyctl+0x75/0xb6 [<ffffffff81001f7b>] system_call_fastpath+0x16/0x1b Code: 75 1f 48 83 7b 28 00 75 18 c6 05 58 2b fb 00 01 be bb 00 00 00 48 c7 c7 76 1c 75 81 e8 13 c2 e9 ff 4c 8b b3 e0 00 00 00 4d 85 ed <41> 0f b7 5e 10 74 2d 4d 85 e4 74 28 e8 98 79 ee ff 49 39 dd 48 RIP [<ffffffff811b99f7>] user_read+0x4f/0x8f RSP <ffff88003bf47f08> CR2: 0000000000000010 Signed-off-by:
David Howells <dhowells@redhat.com> Acked-by:
Jeff Layton <jlayton@redhat.com> cc: Wang Lei <wang840925@gmail.com> Signed-off-by:
James Morris <jmorris@namei.org> Signed-off-by:
-
Bruce Allan authored
commit 4def99bb upstream. When support for 82577/82578 was added[1] in 2.6.31, PHY wakeup was in- advertently enabled (even though it does not function properly) on ICH10 LOMs. This patch makes it so that the ICH10 LOMs use MAC wakeup instead as was done with the initial support for those devices (i.e. 82567LM-3, 82567LF-3 and 82567V-4). [1] commit a4f58f54 Reported-by:
Aurelien Jarno <aurelien@aurel32.net> Signed-off-by:
Bruce Allan <bruce.w.allan@intel.com> Signed-off-by:
Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by:
-
Gerrit Renker authored
commit 720dc34b upstream. This fixes a bug in the order of dccp_rcv_state_process() that still permitted reception even after closing the socket. A Reset after close thus causes a NULL pointer dereference by not preventing operations on an already torn-down socket. dccp_v4_do_rcv() | | state other than OPEN v dccp_rcv_state_process() | | DCCP_PKT_RESET v dccp_rcv_reset() | v dccp_time_wait() WARNING: at net/ipv4/inet_timewait_sock.c:141 __inet_twsk_hashdance+0x48/0x128() Modules linked in: arc4 ecb carl9170 rt2870sta(C) mac80211 r8712u(C) crc_ccitt ah [<c0038850>] (unwind_backtrace+0x0/0xec) from [<c0055364>] (warn_slowpath_common) [<c0055364>] (warn_slowpath_common+0x4c/0x64) from [<c0055398>] (warn_slowpath_n) [<c0055398>] (warn_slowpath_null+0x1c/0x24) from [<c02b72d0>] (__inet_twsk_hashd) [<c02b72d0>] (__inet_twsk_hashdance+0x48/0x128) from [<c031caa0>] (dccp_time_wai) [<c031caa0>] (dccp_time_wait+0x40/0xc8) from [<c031c15c>] (dccp_rcv_state_proces) [<c031c15c>] (dccp_rcv_state_process+0x120/0x538) from [<c032609c>] (dccp_v4_do_) [<c032609c>] (dccp_v4_do_rcv+0x11c/0x14c) from [<c0286594>] (release_sock+0xac/0) [<c0286594>] (release_sock+0xac/0x110) from [<c031fd34>] (dccp_close+0x28c/0x380) [<c031fd34>] (dccp_close+0x28c/0x380) from [<c02d9a78>] (inet_release+0x64/0x70) The fix is by testing the socket state first. Receiving a packet in Closed state now also produces the required "No connection" Reset reply of RFC 4340, 8.3.1. Reported-and-tested-by:
Johan Hovold <jhovold@gmail.com> Signed-off-by:
Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by:
-
Stanislaw Gruszka authored
commit ba04c7c9 upstream. For some time is known that ASPM is causing troubles on r8169, i.e. make device randomly stop working without any errors in dmesg. Currently Tomi Leppikangas reports that system with r8169 device hangs with MCE errors when ASPM is enabled: https://bugzilla.redhat.com/show_bug.cgi?id=642861#c4 Lets disable ASPM for r8169 devices at all, to avoid problems with r8169 PCIe devices at least for some users. Reported-by:
Tomi Leppikangas <tomi.leppikangas@gmail.com> Signed-off-by:
Stanislaw Gruszka <sgruszka@redhat.com> Signed-off-by:
-
Jan Puk authored
commit c86664e5 upstream. "AirLive X.USB now works perfectly under a Linux environment!" Signed-off-by:
Christian Lamparter <chunkeey@googlemail.com> Signed-off-by:
John W. Linville <linville@tuxdriver.com> Signed-off-by:
-
Ryusuke Konishi authored
commit 72746ac6 upstream. According to the report from Jiro SEKIBA titled "regression in 2.6.37?" (Message-Id: <8739n8vs1f.wl%jir@sekiba.com>), on 2.6.37 and later kernels, lscp command no longer displays "i" flag on checkpoints that snapshot operations or garbage collection created. This is a regression of nilfs2 checkpointing function, and it's critical since it broke behavior of a part of nilfs2 applications. For instance, snapshot manager of TimeBrowse gets to create meaningless snapshots continuously; snapshot creation triggers another checkpoint, but applications cannot distinguish whether the new checkpoint contains meaningful changes or not without the i-flag. This patch fixes the regression and brings that application behavior back to normal. Reported-by:
Jiro SEKIBA <jir@unicus.jp> Signed-off-by:
Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp> Tested-by:
-
Christian Lamparter authored
commit 2b799a6b upstream. Reported-by: Mark Davis Signed-off-by:
-
Sujith Manoharan authored
commit 2c27392d upstream. The stream length/tag fields have to be in little endian format. Fixing this makes the driver work on big-endian platforms. Tested-by: raghunathan.kailasanathan@wipro.com Signed-off-by:
Sujith Manoharan <Sujith.Manoharan@atheros.com> Signed-off-by:
-
Petr Uzel authored
commit fd51469f upstream. Following steps lead to deadlock in kernel: dd if=/dev/zero of=img bs=512 count=1000 losetup -f img mkfs.ext2 /dev/loop0 mount -t ext2 -o loop /dev/loop0 mnt umount mnt/ Stacktrace: [<c102ec04>] irq_exit+0x36/0x59 [<c101502c>] smp_apic_timer_interrupt+0x6b/0x75 [<c127f639>] apic_timer_interrupt+0x31/0x38 [<c101df88>] mutex_spin_on_owner+0x54/0x5b [<fe2250e9>] lo_release+0x12/0x67 [loop] [<c10c4eae>] __blkdev_put+0x7c/0x10c [<c10a4da5>] fput+0xd5/0x1aa [<fe2250cf>] loop_clr_fd+0x1a9/0x1b1 [loop] [<fe225110>] lo_release+0x39/0x67 [loop] [<c10c4eae>] __blkdev_put+0x7c/0x10c [<c10a59d9>] deactivate_locked_super+0x17/0x36 [<c10b6f37>] sys_umount+0x27e/0x2a5 [<c10b6f69>] sys_oldumount+0xb/0xe [<c1002897>] sysenter_do_call+0x12/0x26 [<ffffffff>] 0xffffffff Regression since 2a48fc0a, which introduced the private loop_mutex as part of the BKL removal process. As per [1], the mutex can be safely removed. [1] http://www.gossamer-threads.com/lists/linux/kernel/1341930 Addresses: https://bugzilla.novell.com/show_bug.cgi?id=669394 Addresses: https://bugzilla.kernel.org/show_bug.cgi?id=29172 Signed-off-by:
Petr Uzel <petr.uzel@suse.cz> Reviewed-by:
Nikanth Karthikesan <knikanth@suse.de> Acked-by:
Arnd Bergmann <arnd@arndb.de> Signed-off-by:
Jens Axboe <jaxboe@fusionio.com> Signed-off-by:
-
Tejun Heo authored
commit 255bb490 upstream. blk-flush decomposes a flush into sequence of multiple requests. On completion of a request, the next one is queued; however, block layer must not implicitly call into q->request_fn() directly from completion path. This makes the queue behave unexpectedly when seen from the drivers and violates the assumption that q->request_fn() is called with process context + queue_lock. This patch makes blk-flush the following two changes to make sure q->request_fn() is not called directly from request completion path. - blk_flush_complete_seq_end_io() now asks __blk_run_queue() to always use kblockd instead of calling directly into q->request_fn(). - queue_next_fseq() uses ELEVATOR_INSERT_REQUEUE instead of ELEVATOR_INSERT_FRONT so that elv_insert() doesn't try to unplug the request queue directly. Reported by Jan in the following threads. http://thread.gmane.org/gmane.linux.ide/48778 http://thread.gmane.org/gmane.linux.ide/48786 stable: applicable to v2.6.37. Signed-off-by:
Tejun Heo <tj@kernel.org> Reported-by:
Jan Beulich <JBeulich@novell.com> Cc: "David S. Miller" <davem@davemloft.net> Signed-off-by:
-
Tejun Heo authored
commit 1654e741 upstream. __blk_run_queue() automatically either calls q->request_fn() directly or schedules kblockd depending on whether the function is recursed. blk-flush implementation needs to be able to explicitly choose kblockd. Add @force_kblockd. All the current users are converted to specify %false for the parameter and this patch doesn't introduce any behavior change. stable: This is prerequisite for fixing ide oops caused by the new blk-flush implementation. Signed-off-by:
-
Vivek Goyal authored
commit 450adcbe upstream. o Dominik Klein reported a system hang issue while doing some blkio throttling testing. https://lkml.org/lkml/2011/2/24/173 o Some tracing revealed that CFQ was not dispatching any more jobs as queue unplug was not happening. And queue unplug was not happening because unplug work was not being called as there was one throttling work on same cpu which as not finished yet. And throttling work had not finished as it was tyring to dispatch a bio to CFQ but all the request descriptors were consume to it was put to sleep. o So basically it is a cyclic dependecny between CFQ unplug work and throtl dispatch work. Tejun suggested that use separate workqueue for such cases. o This patch uses a separate workqueue for throttle related work and does not rely on kblockd workqueue anymore. Reported-by:
Dominik Klein <dk@in-telegence.net> Signed-off-by:
Vivek Goyal <vgoyal@redhat.com> Acked-by:
-
Jan Niehusmann authored
commit 6927faf3 upstream. On a Thinkpad x61s, I noticed some memory corruption when plugging/unplugging the external VGA connection. The symptoms are that 4 bytes at the beginning of a page get overwritten by zeroes. The address of the corruption varies when rebooting the machine, but stays constant while it's running (so it's possible to repeatedly write some data and then corrupt it again by plugging the cable). Further investigation revealed that the corrupted address is (dev_priv->status_page_dmah->busaddr & 0xffffffff), ie. the beginning of the hardware status page of the i965 graphics card, cut to 32 bits. So it seems that for some memory access, the hardware uses only 32 bit addressing. If the hardware status page is located >4GB, this corrupts unrelated memory. Signed-off-by:
Jan Niehusmann <jan@gondor.com> Acked-by:
Daniel Vetter <daniel.vetter@ffwll.ch> Signed-off-by:
Chris Wilson <chris@chris-wilson.co.uk> Signed-off-by:
-
Matt Carlson authored
commit ed199fac upstream. If management firmware is present and the device is down, the firmware will assume control of the phy. If a phy access were allowed from the host, it will collide with firmware phy accesses, resulting in unpredictable behavior. This patch fixes the problem by disallowing phy accesses during the problematic condition. Signed-off-by:
Matt Carlson <mcarlson@broadcom.com> Reviewed-by:
Michael Chan <mchan@broadcom.com> Signed-off-by:
-
Daniel J Blueman authored
commit 4f919a3b upstream. I previously managed to reproduce a hang while scanning wireless channels (reproducible with airodump-ng hopping channels); subsequent lockdep instrumentation revealed a lock ordering issue. Without knowing the design intent, it looks like the locks should be taken in reverse order; please comment. ======================================================= [ INFO: possible circular locking dependency detected ] 2.6.38-rc5-341cd #4 ------------------------------------------------------- airodump-ng/15445 is trying to acquire lock: (&rdev->devlist_mtx){+.+.+.}, at: [<ffffffff816b1266>] cfg80211_wext_siwfreq+0xc6/0x100 but task is already holding lock: (&wdev->mtx){+.+.+.}, at: [<ffffffff816b125c>] cfg80211_wext_siwfreq+0xbc/0x100 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (&wdev->mtx){+.+.+.}: [<ffffffff810a79d6>] lock_acquire+0xc6/0x280 [<ffffffff816d6bce>] mutex_lock_nested+0x6e/0x4b0 [<ffffffff81696080>] cfg80211_netdev_notifier_call+0x430/0x5f0 [<ffffffff8109351b>] notifier_call_chain+0x8b/0x100 [<ffffffff810935b1>] raw_notifier_call_chain+0x11/0x20 [<ffffffff81576d92>] call_netdevice_notifiers+0x32/0x60 [<ffffffff815771a4>] __dev_notify_flags+0x34/0x80 [<ffffffff81577230>] dev_change_flags+0x40/0x70 [<ffffffff8158587c>] do_setlink+0x1fc/0x8d0 [<ffffffff81586042>] rtnl_setlink+0xf2/0x140 [<ffffffff81586923>] rtnetlink_rcv_msg+0x163/0x270 [<ffffffff8159d741>] netlink_rcv_skb+0xa1/0xd0 [<ffffffff815867b0>] rtnetlink_rcv+0x20/0x30 [<ffffffff8159d39a>] netlink_unicast+0x2ba/0x300 [<ffffffff8159dd57>] netlink_sendmsg+0x267/0x3e0 [<ffffffff8155e364>] sock_sendmsg+0xe4/0x110 [<ffffffff8155f3a3>] sys_sendmsg+0x253/0x3b0 [<ffffffff81003192>] system_call_fastpath+0x16/0x1b -> #0 (&rdev->devlist_mtx){+.+.+.}: [<ffffffff810a7222>] __lock_acquire+0x1622/0x1d10 [<ffffffff810a79d6>] lock_acquire+0xc6/0x280 [<ffffffff816d6bce>] mutex_lock_nested+0x6e/0x4b0 [<ffffffff816b1266>] cfg80211_wext_siwfreq+0xc6/0x100 [<ffffffff816b2fad>] ioctl_standard_call+0x5d/0xd0 [<ffffffff816b3223>] T.808+0x163/0x170 [<ffffffff816b326a>] wext_handle_ioctl+0x3a/0x90 [<ffffffff815798d2>] dev_ioctl+0x6f2/0x830 [<ffffffff8155cf3d>] sock_ioctl+0xfd/0x290 [<ffffffff8117dffd>] do_vfs_ioctl+0x9d/0x590 [<ffffffff8117e53a>] sys_ioctl+0x4a/0x80 [<ffffffff81003192>] system_call_fastpath+0x16/0x1b other info that might help us debug this: 2 locks held by airodump-ng/15445: #0: (rtnl_mutex){+.+.+.}, at: [<ffffffff81586782>] rtnl_lock+0x12/0x20 #1: (&wdev->mtx){+.+.+.}, at: [<ffffffff816b125c>] cfg80211_wext_siwfreq+0xbc/0x100 stack backtrace: Pid: 15445, comm: airodump-ng Not tainted 2.6.38-rc5-341cd #4 Call Trace: [<ffffffff810a3f0a>] ? print_circular_bug+0xfa/0x100 [<ffffffff810a7222>] ? __lock_acquire+0x1622/0x1d10 [<ffffffff810a1f99>] ? trace_hardirqs_off_caller+0x29/0xc0 [<ffffffff810a79d6>] ? lock_acquire+0xc6/0x280 [<ffffffff816b1266>] ? cfg80211_wext_siwfreq+0xc6/0x100 [<ffffffff810a31d7>] ? mark_held_locks+0x67/0x90 [<ffffffff816d6bce>] ? mutex_lock_nested+0x6e/0x4b0 [<ffffffff816b1266>] ? cfg80211_wext_siwfreq+0xc6/0x100 [<ffffffff810a31d7>] ? mark_held_locks+0x67/0x90 [<ffffffff816b1266>] ? cfg80211_wext_siwfreq+0xc6/0x100 [<ffffffff816b1266>] ? cfg80211_wext_siwfreq+0xc6/0x100 [<ffffffff816b2fad>] ? ioctl_standard_call+0x5d/0xd0 [<ffffffff8157818b>] ? __dev_get_by_name+0x9b/0xc0 [<ffffffff816b2f50>] ? ioctl_standard_call+0x0/0xd0 [<ffffffff816b3223>] ? T.808+0x163/0x170 [<ffffffff8112ddf2>] ? might_fault+0x72/0xd0 [<ffffffff816b326a>] ? wext_handle_ioctl+0x3a/0x90 [<ffffffff8112de3b>] ? might_fault+0xbb/0xd0 [<ffffffff815798d2>] ? dev_ioctl+0x6f2/0x830 [<ffffffff810a1bae>] ? put_lock_stats+0xe/0x40 [<ffffffff810a1c8c>] ? lock_release_holdtime+0xac/0x150 [<ffffffff8155cf3d>] ? sock_ioctl+0xfd/0x290 [<ffffffff8117dffd>] ? do_vfs_ioctl+0x9d/0x590 [<ffffffff8116c8ff>] ? fget_light+0x1df/0x3c0 [<ffffffff8117e53a>] ? sys_ioctl+0x4a/0x80 [<ffffffff81003192>] ? system_call_fastpath+0x16/0x1b Signed-off-by:
Daniel J Blueman <daniel.blueman@gmail.com> Acked-by:
Johannes Berg <johannes@sipsolutions.net> Signed-off-by:
-
Ian Abbott authored
commit 3c323c01 upstream. As mentioned by W. Trevor King on the devel@linuxdriverproject.org list on "Thu, 27 Jan 2011 18:52:15 -0500", "Message-ID: <20110127235214.GA5107@thialfi.dhcp.drexel.edu>", the ni_pcimio module is missing module metadata, including a license. This patch adds module metadata to all the NI comedi driver modules. It also removes a duplicate MODULE_LICENSE("GPL") line from the "mite" module. Signed-off-by:
Ian Abbott <abbotti@mev.co.uk> Cc: W. Trevor King <wking@drexel.edu> Signed-off-by:
-
Bruce Allan authored
commit 664dc878 upstream. During init, reading the 2 PHY ID registers back-to-back in the default fast mode could return invalid data (all F's) and in slow mode could return data to the second read the data from the first read. To resolve the issue in fast mode, set to slow mode before any PHY accesses; to resolve the issue in slow mode, put in a delay for every 82579 PHY access. Since this PHY is currently only paired with the pch2lan MAC and the PHY type is not known before the first PHY access which can fail this way, check for this based on MAC-type. Signed-off-by:
Jeff Pieper <jeffrey.e.pieper@intel.com> Signed-off-by:
Brandon Philips <bphilips@suse.de> Signed-off-by:
-
Mel Gorman authored
commit b44129b3 upstream. reduce_pgdat_percpu_threshold() and restore_pgdat_percpu_threshold() exist to adjust the per-cpu vmstat thresholds while kswapd is awake to avoid errors due to counter drift. The functions duplicate some code so this patch replaces them with a single set_pgdat_percpu_threshold() that takes a callback function to calculate the desired threshold as a parameter. [akpm@linux-foundation.org: readability tweak] [kosaki.motohiro@jp.fujitsu.com: set_pgdat_percpu_threshold(): don't use for_each_online_cpu] Signed-off-by:
Mel Gorman <mel@csn.ul.ie> Reviewed-by:
Christoph Lameter <cl@linux.com> Reviewed-by:
KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Signed-off-by:
KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Signed-off-by:
Andrew Morton <akpm@linux-foundation.org> Signed-off-by:
Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by:
-
Josh Hunt authored
commit e8a80c6f upstream. vfs_rename_other() does not lock renamed inode with i_mutex. Thus changing i_nlink in a non-atomic manner (which happens in ext2_rename()) can corrupt it as reported and analyzed by Josh. In fact, there is no good reason to mess with i_nlink of the moved file. We did it presumably to simulate linking into the new directory and unlinking from an old one. But the practical effect of this is disputable because fsck can possibly treat file as being properly linked into both directories without writing any error which is confusing. So we just stop increment-decrement games with i_nlink which also fixes the corruption. CC: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by:
Josh Hunt <johunt@akamai.com> Signed-off-by:
Jan Kara <jack@suse.cz> Signed-off-by:
-
Thomas Gleixner authored
commit 3a142a06 upstream. When the per cpu timer is marked CLOCK_EVT_FEAT_C3STOP, then we only can switch into oneshot mode, when the backup broadcast device supports oneshot mode as well. Otherwise we would try to switch the broadcast device into an unsupported mode unconditionally. This went unnoticed so far as the current available broadcast devices support oneshot mode. Seth unearthed this problem while debugging and working around an hpet related BIOS wreckage. Add the necessary check to tick_is_oneshot_available(). Reported-and-tested-by:
Seth Forshee <seth.forshee@canonical.com> Signed-off-by:
Thomas Gleixner <tglx@linutronix.de> LKML-Reference: <alpine.LFD.2.00.1102252231200.2701@localhost6.localdomain6> Signed-off-by:
-
Miklos Szeredi authored
commit 5a18ec17 upstream. Single threaded NTFS-3G could get stuck if a delayed RELEASE reply triggered a DESTROY request via path_put(). Fix this by a) making RELEASE requests synchronous, whenever possible, on fuseblk filesystems b) if not possible (triggered by an asynchronous read/write) then do the path_put() in a separate thread with schedule_work(). Reported-by:
Oliver Neukum <oneukum@suse.de> Signed-off-by:
Miklos Szeredi <mszeredi@suse.cz> Signed-off-by:
-
Dmitry Eremin-Solenikov authored
commit 4bfc4e25 upstream. Correct names for pxa AC97 DAI are pxa2xx-ac97 and pxa2xx-ac97-aux. Fix that for all PXA platforms. Signed-off-by:
Dmitry Eremin-Solenikov <dbaryshkov@gmail.com> Acked-by:
Liam Girdwood <lrg@slimlogic.co.uk> Signed-off-by:
Mark Brown <broonie@opensource.wolfsonmicro.com> Signed-off-by:
-
Eric Bénard authored
commit 43c63188 upstream. commit f0fba2ad included a mistake on the name of the platform in the snd_soc_dai_link structure. Signed-off-by:
Eric Bénard <eric@eukrea.com> Acked-by:
-
Yu-Chen Cho authored
commit e9036e33 upstream. Add the btusb.c blacklist [0489:e02c] for Atheros AR5BBU12 BT and add to ath3k.c supported this device. Signed-off-by:
Yu-Chen Cho <acho@novell.com> Signed-off-by:
Gustavo F. Padovan <padovan@profusion.mobi> Signed-off-by:
-
Oliver Neukum authored
commit 8efdd0cd upstream. Quirky dongles sometimes do not use the iso interface which causes a crash with runtime PM Signed-off-by:
-
Yu-Chen Cho authored
commit 509e7861 upstream. Add the btusb.c blacklist [03f0:311d] for Atheros AR9285 Malbec BT and add to ath3k.c ath3-1.fw (md5:1211fa34c09e10ba48381586b7c3883d) supported this device. Signed-off-by:
-
Don Zickus authored
commit 299c5696 upstream. A customer of ours, complained that when setting the reset vector back to 0, it trashed other data and hung their box. They noticed when only 4 bytes were set to 0 instead of 8, everything worked correctly. Mathew pointed out: | | We're supposed to be resetting trampoline_phys_low and | trampoline_phys_high here, which are two 16-bit values. | Writing 64 bits is definitely going to overwrite space | that we're not supposed to be touching. | So limit the area modified to u32. Signed-off-by:
Don Zickus <dzickus@redhat.com> Acked-by:
Matthew Garrett <mjg@redhat.com> LKML-Reference: <1297139100-424-1-git-send-email-dzickus@redhat.com> Signed-off-by:
Ingo Molnar <mingo@elte.hu> Signed-off-by:
-
Jochen Friedrich authored
commit 9063f1f1 upstream. Call input_set_abs_params instead of manually setting absbit only. This fixes this oops: Unable to handle kernel NULL pointer dereference at virtual address 00000024 Internal error: Oops: 41b67017 [#1] CPU: 0 Not tainted (2.6.37 #4) pc : [<c016d1fc>] lr : [<00000000>] psr: 20000093 sp : c19e5f30 ip : c19e5e6c fp : c19e5f58 r10: 00000000 r9 : c19e4000 r8 : 00000003 r7 : 000001e4 r6 : 00000001 r5 : c1854400 r4 : 00000003 r3 : 00000018 r2 : 00000018 r1 : 00000018 r0 : c185447c Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel Control: c1b6717f Table: c1b6717f DAC: 00000017 Stack: (0xc19e5f30 to 0xc19e6000) 5f20: 00000003 00000003 c1854400 00000013 5f40: 00000001 000001e4 000001c5 c19e5f80 c19e5f5c c016d5e8 c016cf5c 000001e4 5f60: c1854400 c18b5860 00000000 00000171 000001e4 c19e5fc4 c19e5f84 c01559a4 5f80: c016d584 c18b5868 00000000 c1bb5c40 c0035afc c18b5868 c18b5868 c1a55d54 5fa0: c18b5860 c0155750 00000013 00000000 00000000 00000000 c19e5ff4 c19e5fc8 5fc0: c0050174 c015575c 00000000 c18b5860 00000000 c19e5fd4 c19e5fd4 c1a55d54 5fe0: c00500f0 c003b464 00000000 c19e5ff8 c003b464 c00500fc 04000400 04000400 Backtrace: Function entered at [<c016cf50>] from [<c016d5e8>] Function entered at [<c016d578>] from [<c01559a4>] r8:000001e4 r7:00000171 r6:00000000 r5:c18b5860 r4:c1854400 Function entered at [<c0155750>] from [<c0050174>] Function entered at [<c00500f0>] from [<c003b464>] r6:c003b464 r5:c00500f0 r4:c1a55d54 Code: e59520fc e1a03286 e0433186 e0822003 (e592000c) >>PC; c016d1fc <input_handle_event+2ac/5a0> <===== Trace; c016cf50 <input_handle_event+0/5a0> Trace; c016d5e8 <input_event+70/88> Trace; c016d578 <input_event+0/88> Trace; c01559a4 <ucb1x00_thread+254/2dc> Trace; c0155750 <ucb1x00_thread+0/2dc> Trace; c0050174 <kthread+84/8c> Trace; c00500f0 <kthread+0/8c> Trace; c003b464 <do_exit+0/624> Signed-off-by:
Jochen Friedrich <jochen@scram.de> Signed-off-by:
Samuel Ortiz <sameo@linux.intel.com> Signed-off-by:
-
vwadekar@nvidia.com authored
commit 4b57018d upstream. tps6586 does not support burst writes. i2c writes have to be 1 byte at a time. Signed-off-by:
Varun Wadekar <vwadekar@nvidia.com> Signed-off-by:
-
Vasiliy Kulikov authored
commit 2949ad50 upstream. File position is not controlled, it may lead to overwrites of arbitrary kernel memory. Also the code may kfree() the same pointer multiple times. One more flaw is still present: if multiple processes open the file then all 3 static variables are shared, leading to various race conditions. They should be moved to file->private_data. Signed-off-by:
Vasiliy Kulikov <segoon@openwall.com> Reviewed-by:
WANG Cong <xiyou.wangcong@gmail.com> Reviewed-by:
Eugene Teo <eugeneteo@kernel.org> Signed-off-by:
Rafael J. Wysocki <rjw@sisk.pl> Signed-off-by:
-
Dave Airlie authored
commit 19227561 upstream. This fixes CVE-2011-1013. Reported-by: Matthiew Herrb (OpenBSD X.org team) Signed-off-by:
Dave Airlie <airlied@redhat.com> Signed-off-by:
-
Tristan Ye authored
commit acf3bb00 upstream. Current refcounttree codes actually didn't writeback the new pages out in write-back mode, due to a bug of always passing a ZERO number of clusters to 'ocfs2_cow_sync_writeback', the patch tries to pass a proper one in. Signed-off-by:
Tristan Ye <tristan.ye@oracle.com> Signed-off-by:
Joel Becker <jlbec@evilplan.org> Signed-off-by:
-
Mark Fasheh authored
commit 52c303c5 upstream. Commit 2c442719 added some checks for proper heartbeat mode when the o2cb stack is running. Unfortunately, it didn't take into account that a userpsace stack could be running. Fix this by only doing the check if o2cb is in use. This patch allows userspace stacks to mount the fs again. Signed-off-by:
Mark Fasheh <mfasheh@suse.com> Signed-off-by:
-
David Henningsson authored
commit ebbd224c upstream. These two Dell machines have been reported working well with the ideapad model. BugLink: http://bugs.launchpad.net/bugs/723676 Tested-by:
David Chen <david.chen@canonical.com> Signed-off-by:
David Henningsson <david.henningsson@canonical.com> Signed-off-by:
Takashi Iwai <tiwai@suse.de> Signed-off-by:
-
David Henningsson authored
commit 30649676 upstream. This typo caused some microphone inputs not to be correctly initialized on VIA codecs. Reported-By:
Mark Goldstein <goldstein.mark@gmail.com> Signed-off-by:
-
Takashi Iwai authored
commit 382225e6 upstream. When a USB audio device is disconnected, snd_usb_audio_disconnect() kills all audio URBs. At the same time, the application, after being notified of the disconnection, might close the device, in which case ALSA calls the .hw_free callback, which should free the URBs too. Commit de1b8b93 "[ALSA] Fix hang-up at disconnection of usb-audio" prevented snd_usb_hw_free() from freeing the URBs to avoid a hang that resulted from this race, but this introduced another race because the URB callbacks could now be executed after snd_usb_hw_free() has returned, and try to access already freed data. Fix the first race by introducing a mutex to serialize the disconnect callback and all PCM callbacks that manage URBs (hw_free and hw_params). Reported-and-tested-by:
Pierre-Louis Bossart <pierre-louis.bossart@intel.com> [CL: also serialize hw_params callback] Signed-off-by:
Clemens Ladisch <clemens@ladisch.de> Signed-off-by:
-
David Henningsson authored
commit 6da8b516 upstream. Conexant 506e/20590 has the same graph as the rest of the 5066 family. BugLink: http://bugs.launchpad.net/bugs/723672 Signed-off-by:
-
Felipe Balbi authored
commit ec95d35a upstream. MUSB is a non-standard host implementation which can handle all speeds with the same core. We need to set has_tt flag after commit d199c96d (USB: prevent buggy hubs from crashing the USB stack) in order for MUSB HCD to continue working. Signed-off-by:
Felipe Balbi <balbi@ti.com> Cc: Alan Stern <stern@rowland.harvard.edu> Tested-by:
Michael Jones <michael.jones@matrix-vision.de> Tested-by:
Alexander Holler <holler@ahsoftware.de> Signed-off-by:
-
