summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* [APPLETALK]: Fix a remotely triggerable crashJean Delvare2007-04-051-2/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When we receive an AppleTalk frame shorter than what its header says, we still attempt to verify its checksum, and trip on the BUG_ON() at the end of function atalk_sum_skb() because of the length mismatch. This has security implications because this can be triggered by simply sending a specially crafted ethernet frame to a target victim, effectively crashing that host. Thus this qualifies, I think, as a remote DoS. Here is the frame I used to trigger the crash, in npg format: <Appletalk Killer> { # Ethernet header ----- XX XX XX XX XX XX # Destination MAC 00 00 00 00 00 00 # Source MAC 00 1D # Length # LLC header ----- AA AA 03 08 00 07 80 9B # Appletalk # Appletalk header ----- 00 1B # Packet length (invalid) 00 01 # Fake checksum 00 00 00 00 # Destination and source networks 00 00 00 00 # Destination and source nodes and ports # Payload ----- 0C 0D 0E 0F 10 11 12 13 14 } The destination MAC address must be set to those of the victim. The severity is mitigated by two requirements: * The target host must have the appletalk kernel module loaded. I suspect this isn't so frequent. * AppleTalk frames are non-IP, thus I guess they can only travel on local networks. I am no network expert though, maybe it is possible to somehow encapsulate AppleTalk packets over IP. The bug has been reported back in June 2004: http://bugzilla.kernel.org/show_bug.cgi?id=2979 But it wasn't investigated, and was closed in July 2006 as both reporters had vanished meanwhile. This code was new in kernel 2.6.0-test5: http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commitdiff;h=7ab442d7e0a76402c12553ee256f756097cae2d2 And not modified since then, so we can assume that vanilla kernels 2.6.0-test5 and later, and distribution kernels based thereon, are affected. Note that I still do not know for sure what triggered the bug in the real-world cases. The frame could have been corrupted by the kernel if we have a bug hiding somewhere. But more likely, we are receiving the faulty frame from the network. Signed-off-by: Jean Delvare <jdelvare@suse.de> Signed-off-by: David S. Miller <davem@davemloft.net>
* [PATCH] ia64: desc_empty thinko/typo fixMaciej Zenczykowski2007-04-051-1/+1
| | | | | | | | Just a one-byter for an ia64 thinko/typo - already fixed for i386 and x86_64. Acked-by: Tony Luck <tony.luck@intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* [PATCH] Fix build error on zs serial driverYoichi Yuasa2007-04-051-1/+0
| | | | | | | | | | drivers/tc/zs.c:73:24: error: asm/dec/tc.h: No such file or directory Signed-off-by: Yoichi Yuasa <yoichi_yuasa@tripeaks.co.jp> Acked-by: Maciej W. Rozycki <macro@linux-mips.org> Cc: Ralf Baechle <ralf@linux-mips.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* [PATCH] fix jiffies clocksource inittimejohn stultz2007-04-051-1/+1
| | | | | | | | | | | | | | | | | | | | | | | In debugging a problem w/ the -rt tree, I noticed that on systems that mark the tsc as unstable before it is registered, the TSC would still be selected and used for a short period of time. Digging in it looks to be a result of the mix of the clocksource list changes and my clocksource initialization changes. With the -rt tree, using a bad TSC, even for a short period of time can results in a hang at boot. I was not able to reproduce this hang w/ mainline, but I'm not completely certain that someone won't trip on it. This patch resolves the issue by initializing the jiffies clocksource earlier so a bad TSC won't get selected just because nothing else is yet registered. Signed-off-by: John Stultz <johnstul@us.ibm.com> Acked-by: Thomas Gleixner <tglx@linutronix.de> Cc: Ingo Molnar <mingo@elte.hu> Cc: Andi Kleen <ak@suse.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* [PATCH] cciss: add init of drv->cylinders back to cciss_geometry_inquiryMike Miller (OS Dev)2007-04-051-0/+1
| | | | | | | | | This patch adds initialization of drv->cylinders back into the failing case in cciss_geometry_inquiry. I inadvertently removed it in one my 2TB updates. Signed-off-by: Mike Miller <mike.miller@hp.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* [PATCH] remove protection of LANANA-reserved majorsAndrew Morton2007-04-054-20/+0
| | | | | | | | | | | | | Revert all this. It can cause device-mapper to receive a different major from earlier kernels and it turns out that the Amanda backup program (via GNU tar, apparently) checks major numbers on files when performing incremental backups. Which is a bit broken of Amanda (or tar), but this feature isn't important enough to justify the churn. Cc: Ingo Molnar <mingo@elte.hu> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* [PATCH] swsusp: fix memory shrinkerRafael J. Wysocki2007-04-051-1/+1
| | | | | | | | | | | | | | | Fix a bug in the swsusp's memory shrinker that causes some systems using highmem to refuse to suspend to disk if image_size is set above 1/2 of available RAM. Special thanks to Jiri Slaby for reporting the problem and assistance in debugging it. Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl> Cc: Jiri Slaby <jirislaby@gmail.com> Cc: Pavel Machek <pavel@ucw.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* [PATCH] net/sunrpc/svcsock.c: fix a checkAdrian Bunk2007-04-051-2/+2
| | | | | | | | | | | | | | The return value of kernel_recvmsg() should be assigned to "err", not compared with the random value of a never initialized "err" (and the "< 0" check wrongly always returned false since == comparisons never have a result < 0). Spotted by the Coverity checker. Signed-off-by: Adrian Bunk <bunk@stusta.de> Acked-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* [PATCH] md: avoid a deadlock when removing a device from an md array via sysfsNeilBrown2007-04-052-1/+16
| | | | | | | | | | | | | | | | | A device can be removed from an md array via e.g. echo remove > /sys/block/md3/md/dev-sde/state This will try to remove the 'dev-sde' subtree which will deadlock since commit e7b0d26a86943370c04d6833c6edba2a72a6e240 With this patch we run the kobject_del via schedule_work so as to avoid the deadlock. Cc: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* [PATCH] kernel/time.c: add missing symbol exportsThomas Bittermann2007-04-051-0/+2
| | | | | | | | | | | | | | | | | | This patch adds 2 missing symbol exports: jiffies_to_timeval() and timeval_to_jiffies(). The (not yet merged) dm-raid4-5 module will need them, and they used to be indirectly exported by virtue of being inline functions. Commit 8b9365d753d9870bb6451504c13570b81923228f ("[PATCH] Uninline jiffies.h functions") uninlined them, and thus modules now need them explicitly exported to use them. Signed-off-by: Thomas Bittermann <t.bittermann@online.de> Acked-by: Andrew Morton <akpm@linux-foundation.org> Acked-by: Ingo Molnar <mingo@elte.hu> Acked-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: john stultz <johnstul@us.ibm.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* Merge branch 'for-linus' of git://git390.osdl.marist.edu/pub/scm/linux-2.6Linus Torvalds2007-04-042-2/+10
|\ | | | | | | | | | | * 'for-linus' of git://git390.osdl.marist.edu/pub/scm/linux-2.6: [S390] cio: Fix handling of interrupt for csch(). [S390] page_mkclean data corruption.
| * [S390] cio: Fix handling of interrupt for csch().Cornelia Huck2007-04-041-0/+8
| | | | | | | | | | | | | | | | | | Wipe internal irb if the clear function bit is set before accumulating bits from the irb in order to follow hardware behaviour. Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com> Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
| * [S390] page_mkclean data corruption.Martin Schwidefsky2007-04-041-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The git commit c2fda5fed81eea077363b285b66eafce20dfd45a which added the page_test_and_clear_dirty call to page_mkclean and the git commit 7658cc289288b8ae7dd2c2224549a048431222b3 which fixes the "nasty and subtle race in shared mmap'ed page writeback" problem in clear_page_dirty_for_io cause data corruption on s390. The effect of the two changes is that for every call to clear_page_dirty_for_io a page_test_and_clear_dirty is done. If the per page dirty bit is set set_page_dirty is called. Strangly clear_page_dirty_for_io is called for not-uptodate pages, e.g. over this call-chain: [<000000000007c0f2>] clear_page_dirty_for_io+0x12a/0x130 [<000000000007c494>] generic_writepages+0x258/0x3e0 [<000000000007c692>] do_writepages+0x76/0x7c [<00000000000c7a26>] __writeback_single_inode+0xba/0x3e4 [<00000000000c831a>] sync_sb_inodes+0x23e/0x398 [<00000000000c8802>] writeback_inodes+0x12e/0x140 [<000000000007b9ee>] wb_kupdate+0xd2/0x178 [<000000000007cca2>] pdflush+0x162/0x23c The bad news now is that page_test_and_clear_dirty might claim that a not-uptodate page is dirty since SetPageUptodate which resets the per page dirty bit has not yet been called. The page writeback that follows clobbers the data on disk. The simplest solution to this problem is to move the call to page_test_and_clear_dirty under the "if (page_mapped(page))". If a file backed page is mapped it is uptodate. Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
* | [PATCH] net: Ignore sysfs network device rename bugs.Eric W. Biederman2007-04-041-7/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The generic networking code ensures that no two networking devices have the same name, so there is no time except when sysfs has implementation bugs that device_rename when called from dev_change_name will fail. The current error handling for errors from device_rename in dev_change_name is wrong and results in an unusable and unrecoverable network device if device_rename is happens to return an error. This patch removes the buggy error handling. Which confines the mess when device_rename hits a problem to sysfs, instead of propagating it the rest of the network stack. Making linux a little more robust. Without this patch you can observe what happens when sysfs has a bug when CONFIG_SYSFS_DEPRECATED is not set and you attempt to rename a real network device to a name like (broken_parity_status, device, modalias, power, resource2, subsystem_vendor, class, driver, irq, msi_bus, resource, subsystem, uevent, config, enable, local_cpus, numa_node, resource0, subsystem_device, vendor) Greg has a patch that fixes the sysfs bugs but he doesn't trust it for a 2.6.21 timeframe. This patch which just ignores errors should be safe and it keeps the system from going completely wacky. Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* | [PATCH] SLAB: Mention slab name when listing corrupt objectsDavid Howells2007-04-041-2/+2
| | | | | | | | | | | | | | | | | | Mention the slab name when listing corrupt objects. Although the function that released the memory is mentioned, that is frequently ambiguous as such functions often release several pieces of memory. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* | Merge branch 'upstream-linus' of ↵Linus Torvalds2007-04-045-15/+49
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev * 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev: libata: Limit ATAPI DMA to R/W commands only for TORiSAN DVD drives (take 3) libata: Limit max sector to 128 for TORiSAN DVD drives (take 3) libata: Clear tf before doing request sense (take 3) libata: reorder HSM_ST_FIRST for easier decoding (take 3) libata bugfix: preserve LBA bit for HDIO_DRIVE_TASK 2.6.21 fix lba48 bug in libata fill_result_tf()
| * | libata: Limit ATAPI DMA to R/W commands only for TORiSAN DVD drives (take 3)Albert Lee2007-04-042-1/+27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | patch 4/4: Limit ATAPI DMA to R/W commands only for TORiSAN DRD-N216 DVD-ROM drives (http://bugzilla.kernel.org/show_bug.cgi?id=6710) Signed-off-by: Albert Lee <albertcc@tw.ibm.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
| * | libata: Limit max sector to 128 for TORiSAN DVD drives (take 3)Albert Lee2007-04-043-0/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | patch 3/4: The TORiSAN drive locks up when max sector == 256. Limit max sector to 128 for the TORiSAN DRD-N216 drives. (http://bugzilla.kernel.org/show_bug.cgi?id=6710) Signed-off-by: Albert Lee <albertcc@tw.ibm.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
| * | libata: Clear tf before doing request sense (take 3)Albert Lee2007-04-041-11/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | patch 2/4: Clear tf before doing request sense. This fixes the AOpen 56X/AKH timeout problem. (http://bugzilla.kernel.org/show_bug.cgi?id=8244) Signed-off-by: Albert Lee <albertcc@tw.ibm.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
| * | libata: reorder HSM_ST_FIRST for easier decoding (take 3)Albert Lee2007-04-041-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | patch 1/4: Reorder HSM_ST_FIRST, such that the task state transition is easier decoded with human eyes. Signed-off-by: Albert Lee <albertcc@tw.ibm.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
| * | libata bugfix: preserve LBA bit for HDIO_DRIVE_TASKMark Lord2007-04-041-1/+1
| | | | | | | | | | | | | | | | | | | | | Preserve the LBA bit in the DevSel/Head register for HDIO_DRIVE_TASK. Signed-off-by: Mark Lord <mlord@pobox.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
| * | 2.6.21 fix lba48 bug in libata fill_result_tf()Mark Lord2007-04-041-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Current 2.6.21 libata does the following: void ata_tf_read(struct ata_port *ap, struct ata_taskfile *tf) { struct ata_ioports *ioaddr = &ap->ioaddr; tf->command = ata_check_status(ap); ... if (tf->flags & ATA_TFLAG_LBA48) { iowrite8(tf->ctl | ATA_HOB, ioaddr->ctl_addr); tf->hob_feature = ioread8(ioaddr->error_addr); ... } } ... static void fill_result_tf(struct ata_queued_cmd *qc) { struct ata_port *ap = qc->ap; ap->ops->tf_read(ap, &qc->result_tf); qc->result_tf.flags = qc->tf.flags; } Based on this, those last two statements fill_result_tf() appear to me to be in the wrong order, in that the tf->flags are uninitialized at the point where tf_read() is invoked. So for lba48 commands, tf_read() won't be reading back the full lba48 register contents.. Correct? This patch corrects fill_result_tf() so that the flags get copied to result_tf before they are used by tf_read(). Signed-off-by: Mark Lord <mlord@pobox.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
* | | [PATCH] libata: add NCQ blacklist entries from Silicon Image Windows driver (v2)Robert Hancock2007-04-041-0/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds some NCQ blacklist entries taken from the Silicon Image 3124/3132 Windows driver .inf files. There are some confirming reports of problems with these drives under Linux (for example http://lkml.org/lkml/2007/3/4/178) so let's disable NCQ on these drives. [ I'm personally starting to wonder whether we shouldn't disable NCQ by default, and perhaps have a white-list. There seems to be a *lot* of drives that do this wrong.. - Linus ] Signed-off-by: Robert Hancock <hancockr@shaw.ca> Acked-by: Tejun Heo <htejun@gmail.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* | | Merge branch 'upstream-linus' of ↵Linus Torvalds2007-04-0411-46/+89
|\ \ \ | |_|/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/netdev-2.6 * 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/netdev-2.6: r8169: fix suspend/resume for down interface r8169: issue request_irq after the private data are completely initialized b44: fix IFF_ALLMULTI handling of CAM slots cxgb3 - Firwmare update cxgb3 - Tighten xgmac workaround cxgb3 - detect NIC only adapters cxgb3 - Safeguard TCAM size usage
| * | r8169: fix suspend/resume for down interfaceFrancois Romieu2007-04-041-6/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The PM hooks are no-op if the r8169 interface is down (i.e. !IFF_UP). However, as the chipset is enabled, the device will not work after a suspend/resume cycle. The patch always issue the required PCI suspend sequence and removes the module unload/reload workaround. Signed-off-by: Arnaud Patard <apatard@mandriva.com> Signed-off-by: Francois Romieu <romieu@fr.zoreil.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
| * | r8169: issue request_irq after the private data are completely initializedFrancois Romieu2007-04-041-15/+18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The irq handler schedules a NAPI poll request unconditionally as soon as the status register is not clean. It has been there - and wrong - for ages but a recent timing change made it apparently easier to trigger. Signed-off-by: Francois Romieu <romieu@fr.zoreil.com> Cc: Jay Cliburn <jacliburn@bellsouth.net> Signed-off-by: Jeff Garzik <jeff@garzik.org>
| * | b44: fix IFF_ALLMULTI handling of CAM slotsBill Helfinstine2007-04-041-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If you set the IFF_ALLMULTI flag on a b44 device, or if you join more than B44_MCAST_TABLE_SIZE multicast groups, the device will stop receiving unicast messages. This is because the __b44_set_mac_addr call sets the zeroth CAM entry to the MAC address of the device, and then the loop at line 1722 proceeds to overwrite it unless the value of i is set by the __b44_load_mcast call. However, when IFF_ALLMULTI is set, that call is bypassed, leaving i set to zero. Fixed by starting the loop at 1 to make it skip the CAM entry for the MAC address. Signed-off-by: Bill Helfinstine <bhelf@flitterfly.whirpon.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
| * | cxgb3 - Firwmare updateDivy Le Ray2007-04-042-3/+6
| | | | | | | | | | | | | | | | | | | | | | | | Introduce FW micro version. Bump up FW version to 3.3.0 Signed-off-by: Divy Le Ray <divy@chelsio.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
| * | cxgb3 - Tighten xgmac workaroundDivy Le Ray2007-04-043-4/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Run the watchdog task when the link is up. Flush the XGMAC Tx FIFO when the link drops. Also remove a statistics update that should have gone in the previous modification of xgmac.c. Signed-off-by: Divy Le Ray <divy@chelsio.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
| * | cxgb3 - detect NIC only adaptersDivy Le Ray2007-04-045-14/+29
| | | | | | | | | | | | | | | | | | | | | | | | Differentiate NIC only adapters from RNICs. Initialize offload capabilities for RNICs only. Signed-off-by: Divy Le Ray <divy@chelsio.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
| * | cxgb3 - Safeguard TCAM size usageDivy Le Ray2007-04-043-3/+11
| |/ | | | | | | | | | | | | Ensure that the TCAM active region size is at least 16. Signed-off-by: Divy Le Ray <divy@chelsio.com> Signed-off-by: Jeff Garzik <jeff@garzik.org>
* / [PATCH] msi: synchronously mask and unmask msi-x irqs.Eric W. Biederman2007-04-031-0/+1
|/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is a simplified and actually more comprehensive form of a bug fix from Mitch Williams <mitch.a.williams@intel.com>. When we mask or unmask a msi-x irqs the writes may be posted because we are writing to memory mapped region. This means the mask and unmask don't happen immediately but at some unspecified time in the future. Which is out of sync with how the mask/unmask logic work for ioapic irqs. The practical result is that we get very subtle and hard to track down irq migration bugs. This patch performs a read flush after writes to the MSI-X table for mask and unmask operations. Since the SMP affinity is set while the interrupt is masked, and since it's unmasked immediately after, no additional flushes are required in the various affinity setting routines. The testing by Mitch Williams on his especially problematic system should still be valid as I have only simplified the code, not changed the functionality. We currently have 7 drivers: cciss, mthca, cxgb3, forceth, s2io, pcie/portdrv_core, and qla2xxx in 2.6.21 that are affected by this problem when the hardware they driver is plugged into the right slot. Given the difficulty of reproducing this bug and tracing it down to anything that even remotely resembles a cause, even if people are being affected we aren't likely to see many meaningful bug reports, and the people who see this bug aren't likely to be able to reproduce this bug in a timely fashion. So it is best to get this problem fixed as soon as we can so people don't have problems. Then if people do have a kernel message stating "No irq for vector" we will know it is yet another novel cause that needs a complete new investigation. Cc: Greg KH <greg@kroah.com> Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Acked-by: Mitch Williams <mitch.a.williams@intel.com> Acked-by: "Siddha, Suresh B" <suresh.b.siddha@intel.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6Linus Torvalds2007-04-033-3/+3
|\ | | | | | | | | | | * master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6: [SCSI]: Fix scsi_send_eh_cmnd scatterlist handling [SPARC]: Add unsigned to unused bit field in a.out.h
| * [SCSI]: Fix scsi_send_eh_cmnd scatterlist handlingDavid S. Miller2007-04-021-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes a regression caused by commit: 2dc611de5a3fd955cd0298c50691d4c05046db97 The sense buffer code in scsi_send_eh_cmnd was changed to use alloc_page() and a scatter list, but the sense data copy was not updated to match so what we actually get in the sense buffer is total grabage starting with the kernel address of the struct page we got. Basically the stack frame of scsi_send_eh_cmd() is what ends up in the sense buffer. Depending upon how pointers look on a given platform, you can end up getting sr_ioctl.c errors when you mount a cdrom. If the CDROM gives a check condition for GPCMD_GET_CONFIGURATION issued by drivers/cdrom/cdrom.c:cdrom_mmc_profile(), sr_ioctl will spit out this error message in sr_do_ioctl() with the way pointers are on sparc64: default: printk(KERN_ERR "%s: CDROM (ioctl) error, command: ", cd->cdi.name); __scsi_print_command(cgc->cmd); scsi_print_sense_hdr("sr", &sshdr); err = -EIO; This is the error Tom Callaway reported in: http://marc.info/?l=linux-sparc&m=117407453208101&w=2 Anyways, fix this by using page_address(sgl.page) which is OK because we know this is low-mem due to GFP_ATOMIC. Signed-off-by: David S. Miller <davem@davemloft.net> Acked-by: Christoph Hellwig <hch@lst.de>
| * [SPARC]: Add unsigned to unused bit field in a.out.hRobert Reif2007-04-022-2/+2
| | | | | | | | | | | | | | | | | | Add unsigned to unused bit field in a.out.h to make sparse happy. [ I took care of the sparc64 side as well -DaveM ] Signed-off-by: Robert Reif <reif@earthlink.net> Signed-off-by: David S. Miller <davem@davemloft.net>
* | Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6Linus Torvalds2007-04-036-22/+24
|\ \ | |/ |/| | | | | | | | | | | | | * master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6: [TCP]: Do receiver-side SWS avoidance for rcvbuf < MSS. [BNX2]: Fix nvram write logic. [IPv6]: Fix incorrect length check in rawv6_sendmsg() [NET_SCHED]: cls_basic: fix memory leak in basic_destroy [NET]: Change "not found" return value for rule lookup
| * [TCP]: Do receiver-side SWS avoidance for rcvbuf < MSS.John Heffner2007-04-021-0/+3
| | | | | | | | | | Signed-off-by: John Heffner <jheffner@psc.edu> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [BNX2]: Fix nvram write logic.Michael Chan2007-04-021-18/+16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The nvram dword alignment logic was broken when writing less than 4 bytes on a non-aligned offset. It was missing logic to round the length to 4 bytes. The page erase code is also moved so that it is only called when using non-buffered flash for better code clarity. Update version to 1.5.7. Based on initial patch from Tony Cureington <tony.cureington@hp.com>. Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [IPv6]: Fix incorrect length check in rawv6_sendmsg()YOSHIFUJI Hideaki2007-04-022-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In article <20070329.142644.70222545.davem@davemloft.net> (at Thu, 29 Mar 2007 14:26:44 -0700 (PDT)), David Miller <davem@davemloft.net> says: > From: Sridhar Samudrala <sri@us.ibm.com> > Date: Thu, 29 Mar 2007 14:17:28 -0700 > > > The check for length in rawv6_sendmsg() is incorrect. > > As len is an unsigned int, (len < 0) will never be TRUE. > > I think checking for IPV6_MAXPLEN(65535) is better. > > > > Is it possible to send ipv6 jumbo packets using raw > > sockets? If so, we can remove this check. > > I don't see why such a limitation against jumbo would exist, > does anyone else? > > Thanks for catching this Sridhar. A good compiler should simply > fail to compile "if (x < 0)" when 'x' is an unsigned type, don't > you think :-) Dave, we use "int" for returning value, so we should fix this anyway, IMHO; we should not allow len > INT_MAX. Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org> Acked-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET_SCHED]: cls_basic: fix memory leak in basic_destroyPatrick McHardy2007-04-021-0/+1
| | | | | | | | | | | | | | tp->root is not freed on destruction. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
| * [NET]: Change "not found" return value for rule lookupSteven Whitehouse2007-04-021-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This changes the "not found" error return for the lookup function to -ESRCH so that it can be distinguished from the case where a rule or route resulting in -ENETUNREACH has been found during the search. It fixes a bug where if DECnet was compiled with routing support, but no routes were added to the routing table, it was failing to fall back to endnode routing. Signed-off-by: Steven Whitehouse <swhiteho@redhat.com> Signed-off-by: Patrick Caulfield <pcaulfie@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | Merge branch 'master' of ↵Linus Torvalds2007-04-022-9/+15
|\ \ | |/ |/| | | | | | | | | | | ssh://master.kernel.org/pub/scm/linux/kernel/git/mchehab/v4l-dvb * 'master' of ssh://master.kernel.org/pub/scm/linux/kernel/git/mchehab/v4l-dvb: V4L/DVB (5496): Pluto2: fix incorrect TSCR register setting V4L/DVB (5495): Tda10086: fix DiSEqC message length
| * V4L/DVB (5496): Pluto2: fix incorrect TSCR register settingAndreas Oberritter2007-04-021-8/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | The ADEF bits in the TSCR register have different meanings in read and write mode. For this reason ADEF has to be reset on every read-modify-write operation. This patch introduces a special write function for this register, which takes care of it. Thanks to Holger Magnussen for pointing my nose at this problem. Signed-off-by: Andreas Oberritter <obi@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
| * V4L/DVB (5495): Tda10086: fix DiSEqC message lengthAndreas Oberritter2007-04-021-1/+1
| | | | | | | | | | | | | | | | Setting the message length to zero means to send one byte, so you need a subtraction instead of an addition. Signed-off-by: Andreas Oberritter <obi@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>
* | Merge branch 'for-linus' of git://one.firstfloor.org/home/andi/git/linux-2.6Linus Torvalds2007-04-028-89/+257
|\ \ | | | | | | | | | | | | | | | | | | | | | * 'for-linus' of git://one.firstfloor.org/home/andi/git/linux-2.6: [PATCH] x86: Don't probe for DDC on VBE1.2 [PATCH] x86-64: Increase NMI watchdog probing timeout [PATCH] x86-64: Let oprofile reserve MSR on all CPUs [PATCH] x86-64: Disable local APIC timer use on AMD systems with C1E
| * | [PATCH] x86: Don't probe for DDC on VBE1.2Zwane Mwaikambo2007-04-022-0/+28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | VBE1.2 doesn't support function 15h (DDC) resulting in a 'hang' whilst uncompressing kernel with some video cards. Make sure we check VBE version before fiddling around with DDC. http://bugzilla.kernel.org/show_bug.cgi?id=1458 Opened: 2003-10-30 09:12 Last update: 2007-02-13 22:03 Much thanks to Tobias Hain for help in testing and investigating the bug. Tested on; i386, Chips & Technologies 65548 VESA VBE 1.2 CONFIG_VIDEO_SELECT=Y CONFIG_FIRMWARE_EDID=Y Untested on x86_64. Signed-off-by: Zwane Mwaikambo <zwane@infradead.org> Signed-off-by: Andi Kleen <ak@suse.de>
| * | [PATCH] x86-64: Increase NMI watchdog probing timeoutAndi Kleen2007-04-022-2/+2
| | | | | | | | | | | | | | | | | | A 4 core Opteron needs longer than 10 ticks for this. Signed-off-by: Andi Kleen <ak@suse.de>
| * | [PATCH] x86-64: Let oprofile reserve MSR on all CPUsAndi Kleen2007-04-022-58/+187
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The MSR reservation is per CPU and oprofile would only allocate them on the CPU it was initialized on. Change this to handle all CPUs. This also fixes a warning about unprotected use of smp_processor_id() in preemptible kernels. Signed-off-by: Andi Kleen <ak@suse.de>
| * | [PATCH] x86-64: Disable local APIC timer use on AMD systems with C1EAndi Kleen2007-04-024-29/+40
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | AMD dual core laptops with C1E do not run the APIC timer correctly when they go idle. Previously the code assumed this only happened on C2 or deeper. But not all of these systems report support C2. Use a AMD supplied snippet to detect C1E being enabled and then disable local apic timer use. This supercedes an earlier workaround using DMI detection of specific systems. Thanks to Mark Langsdorf for the detection snippet. Signed-off-by: Andi Kleen <ak@suse.de>
* | [PATCH] i386: fix file_read_actor() and pipe_read() for original i386 systemsThomas Gleixner2007-04-021-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The __copy_to_user_inatomic() calls in file_read_actor() and pipe_read() are broken on original i386 machines, where WP-works-ok == false, as __copy_to_user_inatomic() on such systems calls functions which might sleep and/or contain cond_resched() calls inside of a kmap_atomic() region. The original check for WP-works-ok was in access_ok(), but got moved during the 2.5 series to fix a race vs. swap. Return the number of bytes to copy in the case where we are in an atomic region, so the non atomic code pathes in file_read_actor() and pipe_read() are taken. This could be optimized to avoid the kmap_atomicby moving the check for WP-works-ok into fault_in_pages_writeable(), but this is more intrusive and can be done later. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>