1. 02 May, 2007 10 commits
    • Fix sparc64 SBUS IOMMU allocator · 169ed0ec
      David Miller authored
      [SPARC64]: Fix SBUS IOMMU allocation code.
      
      There are several IOMMU allocator bugs.  Instead of trying to fix this
      overly complicated code, just mirror the PCI IOMMU arena allocator
      which is very stable and well stress tested.
      
      I tried to make the code as identical as possible so we can switch
      sun4u PCI and SBUS over to a common piece of IOMMU code.  All that
      will be needed are two callbacks, one to do a full IOMMU flush and one
      to do a streaming buffer flush.
      
      This patch gets rid of a lot of hangs and mysterious crashes on SBUS
      sparc64 systems, at least for me.
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • holepunch: fix mmap_sem i_mutex deadlock · 64f586d8
      Hugh Dickins authored
      sys_madvise has down_write of mmap_sem, then madvise_remove calls
      vmtruncate_range which takes i_mutex and i_alloc_sem: no, we can
      easily devise deadlocks from that ordering.
      
      madvise_remove drop mmap_sem while calling vmtruncate_range: luckily,
      since madvise_remove doesn't split or merge vmas, it's easy to handle
      this case with a NULL prev, without restructuring sys_madvise.  (Though
      sad to retake mmap_sem when it's unlikely to be needed, and certainly
      down_read is sufficient for MADV_REMOVE, unlike the other madvices.)
      Signed-off-by: Hugh Dickins <hugh@veritas.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • holepunch: fix disconnected pages after second truncate · 42988ea6
      Hugh Dickins authored
      shmem_truncate_range has its own truncate_inode_pages_range, to free any
      pages racily instantiated while it was in progress: a SHMEM_PAGEIN flag
      is set when this might have happened.  But holepunching gets no chance
      to clear that flag at the start of vmtruncate_range, so it's always set
      (unless a truncate came just before), so holepunch almost always does
      this second truncate_inode_pages_range.
      
      shmem holepunch has unlikely swap<->file races hereabouts whatever we do
      (without a fuller rework than is fit for this release): I was going to
      skip the second truncate in the punch_hole case, but Miklos points out
      that would make holepunch correctness more vulnerable to swapoff.  So
      keep the second truncate, but follow it by an unmap_mapping_range to
      eliminate the disconnected pages (freed from pagecache while still
      mapped in userspace) that it might have left behind.
      Signed-off-by: Hugh Dickins <hugh@veritas.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • holepunch: fix shmem_truncate_range punch locking · 32576fd4
      Hugh Dickins authored
      Miklos Szeredi observes that during truncation of shmem page directories,
      info->lock is released to improve latency (after lowering i_size and
      next_index to exclude races); but this is quite wrong for holepunching,
      which receives no such protection from i_size or next_index, and is left
      vulnerable to races with shmem_unuse, shmem_getpage and shmem_writepage.
      
      Hold info->lock throughout when holepunching?  No, any user could prevent
      rescheduling for far too long.  Instead take info->lock just when needed:
      in shmem_free_swp when removing the swap entries, and whenever removing
      a directory page from the level above.  But so long as we remove before
      scanning, we can safely skip taking the lock at the lower levels, except
      at misaligned start and end of the hole.
      Signed-off-by: Hugh Dickins <hugh@veritas.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • holepunch: fix shmem_truncate_range punching too far · ac66c863
      Hugh Dickins authored
      Miklos Szeredi observes BUG_ON(!entry) in shmem_writepage() triggered
      in rare circumstances, because shmem_truncate_range() erroneously
      removes partially truncated directory pages at the end of the range:
      later reclaim on pages pointing to these removed directories triggers
      the BUG.  Indeed, and it can also cause data loss beyond the hole.
      
      Fix this as in the patch proposed by Miklos, but distinguish between
      "limit" (how far we need to search: ignore truncation's next_index
      optimization in the holepunch case - if there are races it's more
      consistent to act on the whole range specified) and "upper_limit"
      (how far we can free directory pages: generally we must be careful
      to keep partially punched pages, but can relax at end of file -
      i_size being held stable by i_mutex).
      Signed-off-by: Hugh Dickins <hugh@veritas.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • KVM: MMU: Fix host memory corruption on i386 with >= 4GB ram · 036bb853
      Avi Kivity authored
      PAGE_MASK is an unsigned long, so using it to mask physical addresses on
      i386 (which are 64-bit wide) leads to truncation.  This can result in
      page->private of unrelated memory pages being modified, with disastrous
      results.
      
      Fix by not using PAGE_MASK for physical addresses; instead calculate
      the correct value directly from PAGE_SIZE.  Also fix a similar BUG_ON().
      Acked-by: Ingo Molnar <mingo@elte.hu>
      Signed-off-by: Avi Kivity <avi@qumranet.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • KVM: MMU: Fix guest writes to nonpae pde · 1c4b6343
      Avi Kivity authored
      KVM shadow page tables are always in pae mode, regardless of the guest
      setting.  This means that a guest pde (mapping 4MB of memory) is mapped
      to two shadow pdes (mapping 2MB each).
      
      When the guest writes to a pte or pde, we intercept the write and emulate it.
      We also remove any shadowed mappings corresponding to the write.  Since the
      mmu did not account for the doubling in the number of pdes, it removed the
      wrong entry, resulting in a mismatch between shadow page tables and guest
      page tables, followed shortly by guest memory corruption.
      
      This patch fixes the problem by detecting the special case of writing to
      a non-pae pde and adjusting the address and number of shadow pdes zapped
      accordingly.
      Acked-by: Ingo Molnar <mingo@elte.hu>
      Signed-off-by: Avi Kivity <avi@qumranet.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • HID: zeroing of bytes in output fields is bogus · 68e26a3d
      Jiri Kosina authored
      HID: zeroing of bytes in output fields is bogus
      
      This patch removes bogus zeroing of unused bits in output reports,
      introduced in Simon's patch in commit d4ae650a.
      According to the specification, any sane device should not care
      about values of unused bits.
      
      What is worse, the zeroing is done in a way which is broken and
      might clear certain bits in output reports which are actually
      _used_ - a device that has multiple fields with one value of
      the size 1 bit each might serve as an example of why this is
      bogus - the second call of hid_output_report() would clear the
      first bit of report, which has already been set up previously.
      
      This patch will break LEDs on SpaceNavigator, because this device
      is broken and takes into account the bits which it shouldn't touch.
      The quirk for this particular device will be provided in a separate
      patch.
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • IB/mthca: Fix data corruption after FMR unmap on Sinai · d44da5e9
      Michael S. Tsirkin authored
      In mthca_arbel_fmr_unmap(), the high bits of the key are masked off.
      This gets rid of the effect of adjust_key(), which makes sure that
      bits 3 and 23 of the key are equal when the Sinai throughput
      optimization is enabled, and so it may happen that an FMR will end up
      with bits 3 and 23 in the key being different.  This causes data
      corruption, because when enabling the throughput optimization, the
      driver promises the HCA firmware that bits 3 and 23 of all memory keys
      will always be equal.
      
      Fix by re-applying adjust_key() after masking the key.
      
      Thanks to Or Gerlitz for reproducing the problem, and Ariel Shahar for
      help in debug.
      Signed-off-by: Michael S. Tsirkin <mst@dev.mellanox.co.il>
      Signed-off-by: Roland Dreier <rolandd@cisco.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • knfsd: Use a spinlock to protect sk_info_authunix · bd862252
      NeilBrown authored
      sk_info_authunix is not being protected properly so the object that
      it points to can be cache_put twice, leading to corruption.
      
      We borrow svsk->sk_defer_lock to provide the protection.  We should probably
      rename that lock to have a more generic name - later.
      
      Thanks to Gabriel for reporting this.
      
      Cc: Greg Banks <gnb@melbourne.sgi.com>
      Cc: Gabriel Barazer <gabriel@oxeva.fr>
      Signed-off-by: Neil Brown <neilb@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  2. 27 Apr, 2007 3 commits
  3. 26 Apr, 2007 2 commits
  4. 25 Apr, 2007 2 commits
  5. 13 Apr, 2007 23 commits
    • Linux 2.6.20.7 · 89c8f056
      Greg Kroah-Hartman authored
    • Update libata drive blacklist to the latest from 2.6.21 · 6aadc57b
      Chuck Ebbert authored
      Update libata drive blacklist to the latest from 2.6.21
      
      Removes one duplicate entry from blacklist table, adds several
      entries for drives with broken NCQ.
      
      [diff between 2.6.20 and 2.6.21-rc6, with one entry removed
       that required new libata features]
      Signed-off-by: Chuck Ebbert <cebbert@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • fix page leak during core dump · 8d6b7510
      Brian Pomerantz authored
      When the dump cannot occur most likely because of a full file system and
      the page to be written is the zero page, the call to page_cache_release()
      is missed.
      Signed-off-by: Brian Pomerantz <bapper@mvista.com>
      Cc: Hugh Dickins <hugh@veritas.com>
      Cc: Nick Piggin <nickpiggin@yahoo.com.au>
      Cc: David Howells <dhowells@redhat.com>
      Cc: <stable@kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • revert "retries in ext4_prepare_write() violate ordering requirements" · c83d476c
      Andrew Morton authored
      Revert b46be050.  Same reasoning as for ext3.
      
      Cc: Kirill Korotaev <dev@openvz.org>
      Cc: Ingo Molnar <mingo@elte.hu>
      Cc: Ken Chen <kenneth.w.chen@intel.com>
      Cc: Andrey Savochkin <saw@sw.ru>
      Cc: <linux-ext4@vger.kernel.org>
      Cc: Dmitriy Monakhov <dmonakhov@openvz.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • revert "retries in ext3_prepare_write() violate ordering requirements" · 5dc1802f
      Andrew Morton authored
      Revert e92a4d59.
      
      Dmitry points out
      
      "When we block_prepare_write() failed while ext3_prepare_write() we jump to
       "failure" label and call ext3_prepare_failure() which search last mapped bh
       and invoke commit_write until it.  This is wrong!!  because some bh from
       beginning to the last mapped bh may be not uptodate.  As a result we commit to
       disk not uptodate page content which contains garbage from previous usage."
      
      and
      
      "Unexpected file size increasing."
      
         Call trace the same as it was in first issue but result is different. 
         For example we have file with i_size is zero.  we want write two blocks ,
         but fs has only one free block.
      
         ->ext3_prepare_write(...from == 0, to == 2048)
           retry:
           ->block_prepare_write() == -ENOSPC# we failed but allocated one block here.
           ->ext3_prepare_failure()
             ->commit_write( from == 0, to == 1024) # after this i_size becomes 1024 :)
           if (ret == -ENOSPC && ext3_should_retry_alloc(inode->i_sb, &retries))
              goto retry;
      
         Finally when all retries will be spent ext3_prepare_failure return
         -ENOSPC, but i_size was increased and later block trim procedures can't
         help here.
      
      We don't appear to have the horsepower to fix these issues, so let's put
      things back the way they were for now.
      
      Cc: Kirill Korotaev <dev@openvz.org>
      Cc: Ingo Molnar <mingo@elte.hu>
      Cc: Ken Chen <kenneth.w.chen@intel.com>
      Cc: Andrey Savochkin <saw@sw.ru>
      Cc: <linux-ext4@vger.kernel.org>
      Cc: Dmitriy Monakhov <dmonakhov@openvz.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • libata: Clear tf before doing request sense (take 3) · 0ece095b
      Albert Lee authored
      libata: Clear tf before doing request sense (take 3)
      
      patch 2/4:
        Clear tf before doing request sense.
      
      This fixes the AOpen 56X/AKH timeout problem.
      (http://bugzilla.kernel.org/show_bug.cgi?id=8244)
      Signed-off-by: Albert Lee <albertcc@tw.ibm.com>
      Signed-off-by: Jeff Garzik <jeff@garzik.org>
      Cc: Chuck Ebbert <cebbert@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • fix lba48 bug in libata fill_result_tf() · 4e169f6c
      Mark Lord authored
      2.6.21 fix lba48 bug in libata fill_result_tf()
      
      Current 2.6.21 libata does the following:
      
      void ata_tf_read(struct ata_port *ap, struct ata_taskfile *tf)
      {
              struct ata_ioports *ioaddr = &ap->ioaddr;
      
              tf->command = ata_check_status(ap);
      	...
              if (tf->flags & ATA_TFLAG_LBA48) {
                      iowrite8(tf->ctl | ATA_HOB, ioaddr->ctl_addr);
                      tf->hob_feature = ioread8(ioaddr->error_addr);
                      ...
              }
      }
      ...
      static void fill_result_tf(struct ata_queued_cmd *qc)
      {
              struct ata_port *ap = qc->ap;
      
              ap->ops->tf_read(ap, &qc->result_tf);
              qc->result_tf.flags = qc->tf.flags;
      }
      
      Based on this, those last two statements fill_result_tf()
      appear to me to be in the wrong order, in that the tf->flags
      are uninitialized at the point where tf_read() is invoked.
      So for lba48 commands, tf_read() won't be reading back the
      full lba48 register contents..
      
      Correct?
      
      This patch corrects fill_result_tf() so that the flags
      get copied to result_tf before they are used by tf_read().
      Signed-off-by: Mark Lord <mlord@pobox.com>
      Signed-off-by: Jeff Garzik <jeff@garzik.org>
      Cc: Chuck Ebbert <cebbert@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • ahci.c: walkaround for SB600 SATA internal error issue · c23bbe59
      Conke Hu authored
      ahci.c: walkaround for SB600 SATA internal error issue
      
         There is a HW issue in ATI SB600 SATA that PxSERR.E should not be
      set on some conditions, for example, when there is no media in SATA
      CD/DVD drive or media is not ready, AHCI controller fails to execute
      ATAPI commands and reports PORT_IRQ_TF_ERR, but ATI SB600 SATA
      controller sets PxSERR.E at the
      same time, which is not necessary.
          This patch is just to ignore the INTERNAL ERROR in such case.
      Without this patch, ahci error handler will report many errors as
      below:
          ----------- cut from dmesg -----------
      ata9: soft resetting port
      ata9: SATA link up 1.5 Gbps (SStatus 113 SControl 300)
      ata9.00: configured for UDMA/33
      ata9: EH complete
      ata9.00: exception Emask 0x40 SAct 0x0 SErr 0x800 action 0x2
      ata9.00: (irq_stat 0x40000001)
      ata9.00: cmd a0/00:00:00:00:20/00:00:00:00:00/a0 tag 0 cdb 0x0 data 0
              res 51/24:03:00:00:20/00:00:00:00:00/a0 Emask 0x40 (internal error)
      ata9: soft resetting port
      ata9: SATA link up 1.5 Gbps (SStatus 113 SControl 300)
      ata9.00: configured for UDMA/33
      ata9: EH complete
      ata9.00: exception Emask 0x40 SAct 0x0 SErr 0x800 action 0x2
      ata9.00: (irq_stat 0x40000001)
      ata9.00: cmd a0/01:00:00:00:00/00:00:00:00:00/a0 tag 0 cdb 0x43 data 12 in
              res 51/24:03:00:00:00/00:00:00:00:00/a0 Emask 0x40 (internal error)
          -------- end cut ---------
      Signed-off-by: Conke Hu <conke.hu@amd.com>
      Signed-off-by: Jeff Garzik <jeff@garzik.org>
      Cc: Chuck Ebbert <cebbert@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • libata bugfix: preserve LBA bit for HDIO_DRIVE_TASK · 0cecc9af
      Mark Lord authored
      libata bugfix: preserve LBA bit for HDIO_DRIVE_TASK
      
      Preserve the LBA bit in the DevSel/Head register for HDIO_DRIVE_TASK.
      Signed-off-by: Mark Lord <mlord@pobox.com>
      Signed-off-by: Jeff Garzik <jeff@garzik.org>
      Cc: Chuck Ebbert <cebbert@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • softmac: avoid assert in ieee80211softmac_wx_get_rate · 3c163bc0
      John W. Linville authored
      [PATCH] softmac: avoid assert in ieee80211softmac_wx_get_rate
      
      Unconfigured bcm43xx device can hit an assert() during wx_get_rate
      queries.  This is because bcm43xx calls ieee80211softmac_start late
      (i.e. during open instead of probe).
      
         bcm43xx_net_open ->
            bcm43xx_init_board ->
               bcm43xx_select_wireless_core ->
                  ieee80211softmac_start
      
      Fix is to check that device is running before completing
      ieee80211softmac_wx_get_rate.
      Signed-off-by: John W. Linville <linville@tuxdriver.com>
      Cc: Chuck Ebbert <cebbert@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • knfsd: allow nfsd READDIR to return 64bit cookies · b95c2d9a
      Neil Brown authored
      From Neil Brown <neilb@suse.de>
      
      [PATCH] knfsd: allow nfsd READDIR to return 64bit cookies
      
      ->readdir passes loff_t offsets (used as nfs cookies) to
      nfs3svc_encode_entry{,_plus}, but when they pass it on to encode_entry it
      becomes an 'off_t', which isn't good.
      
      So filesystems that returned 64bit offsets would lose.
      Signed-off-by: Neil Brown <neilb@suse.de>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Chuck Ebbert <cebbert@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • ide: use correct IDE error recovery · 92ada370
      Suleiman Souhlal authored
      ide: use correct IDE error recovery
      
      IDE error recovery is using IDLE IMMEDIATE if the drive is busy or has DRQ set.
      This violates the ATA spec (can only send IDLE IMMEDIATE when drive is not
      busy) and really hoses up some drives (modern drives will not be able to
      recover using this error handling).  The correct thing to do is issue a SRST
      followed by a SET FEATURES command.  This is what Western Digital recommends
      for error recovery and what Western Digital says Windows does.  It also does
      not violate the ATA spec as far as I can tell.
      
      Bart:
      * port the patch over the current tree
      * undo the recalibration code removal
      * send SET FEATURES command after checking for good drive status
      * don't check whether the current request is of REQ_TYPE_ATA_{CMD,TASK}
        type because we need to send SET FEATURES before handling any requests
      * some pre-ATA4 drives require INITIALIZE DEVICE PARAMETERS command before
        other commands (except IDENTIFY) so send SET FEATURES only if there are
        no pending drive->special requests
      * update comments and patch description
      * any bugs introduced by this patch are mine and not Suleiman's :-)
      Signed-off-by: Suleiman Souhlal <suleiman@google.com>
      Acked-by: Alan Cox <alan@redhat.com>
      Cc: Chuck Ebbert <cebbert@redhat.com>
      Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
    • Fix TCP slow_start_after_idle sysctl · 8b256a36
      David Miller authored
      [TCP]: slow_start_after_idle should influence cwnd validation too
      
      For the cases that slow_start_after_idle are meant to deal
      with, it is almost a certainty that the congestion window
      tests will think the connection is application limited and
      we'll thus decrease the cwnd there too.  This defeats the
      whole point of setting slow_start_after_idle to zero.
      
      So test it there too.
      
      We do not cancel out the entire tcp_cwnd_validate() function
      so that if the sysctl is changed we still have the validation
      state maintained.
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • Fix tcindex classifier ABI borkage... · fa520f76
      Patrick McHardy authored
      [NET_SCHED]: cls_tcindex: fix compatibility breakage
      
      Userspace uses an integer for TCA_TCINDEX_SHIFT, the kernel was changed
      to expect and use a u16 value in 2.6.11, which broke compatibility on
      big endian machines. Change back to use int.
      
      Reported by Ole Reinartz <ole.reinartz@gmx.de>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • Fix IPSEC replay window handling · c823d26e
      Herbert Xu authored
      [IPSEC]: Reject packets within replay window but outside the bit mask
      
      Up until this point we've accepted replay window settings greater than
      32 but our bit mask can only accommodate 32 packets.  Thus any packet
      with a sequence number within the window but outside the bit mask would
      be accepted.
      
      This patch causes those packets to be rejected instead.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
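
A simplified model of the replay check that the commit message above describes, added here as an example; it is not the kernel's code and not part of the commit. The structure, the function names and the sample sequence numbers are assumptions constructed for illustration: a 64-packet window is configured while only 32 bits of history exist.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model; every name in this block is an assumption of the example. */
#define BITMAP_BITS 32u   /* the bit mask covers 32 packets, per the commit message */

struct replay_state {
    uint32_t top;     /* highest sequence number accepted so far */
    uint32_t bitmap;  /* bit i set: sequence number (top - i) was already seen */
    uint32_t window;  /* configured replay window; may be larger than 32 */
};

enum verdict { ACCEPT, REJECT_WINDOW, REJECT_REPLAY };
typedef enum verdict (*check_fn)(const struct replay_state *, uint32_t);

/* Behaviour described as the bug: inside the window, outside the bit mask. */
static enum verdict check_before(const struct replay_state *s, uint32_t seq)
{
    uint32_t diff;

    if (seq > s->top)
        return ACCEPT;
    diff = s->top - seq;
    if (diff >= s->window)
        return REJECT_WINDOW;
    if (diff >= BITMAP_BITS)
        return ACCEPT;            /* no bit tracks this packet: a replay passes */
    return (s->bitmap & (1u << diff)) ? REJECT_REPLAY : ACCEPT;
}

/* Behaviour after the fix: the usable window is capped at the bit mask width. */
static enum verdict check_after(const struct replay_state *s, uint32_t seq)
{
    uint32_t limit = s->window < BITMAP_BITS ? s->window : BITMAP_BITS;
    uint32_t diff;

    if (seq > s->top)
        return ACCEPT;
    diff = s->top - seq;
    if (diff >= limit)
        return REJECT_WINDOW;
    return (s->bitmap & (1u << diff)) ? REJECT_REPLAY : ACCEPT;
}

/* Record an accepted packet in the sliding bit mask. */
static void record(struct replay_state *s, uint32_t seq)
{
    if (seq > s->top) {
        uint32_t shift = seq - s->top;
        s->bitmap = shift < BITMAP_BITS ? (s->bitmap << shift) | 1u : 1u;
        s->top = seq;
    } else if (s->top - seq < BITMAP_BITS) {
        s->bitmap |= 1u << (s->top - seq);
    }
    /* Older than the bit mask: nothing can be recorded for it. */
}

static enum verdict deliver(struct replay_state *s, uint32_t seq, check_fn check)
{
    enum verdict v = check(s, seq);

    if (v == ACCEPT)
        record(s, seq);
    return v;
}

/* Receive 1..last_seq in order, then present replay_seq a second time. */
static enum verdict replayed_verdict(check_fn check, uint32_t window,
                                     uint32_t last_seq, uint32_t replay_seq)
{
    struct replay_state s = { 0, 0, window };
    uint32_t seq;

    for (seq = 1; seq <= last_seq; seq++)
        deliver(&s, seq, check);
    return deliver(&s, replay_seq, check);
}

int main(void)
{
    static const char *name[] = { "ACCEPT", "REJECT_WINDOW", "REJECT_REPLAY" };
    uint32_t replays[] = { 90, 60, 30 };   /* constructed sample sequence numbers */
    size_t i;

    for (i = 0; i < sizeof(replays) / sizeof(replays[0]); i++)
        printf("replay of seq %u: before=%s after=%s\n", (unsigned)replays[i],
               name[replayed_verdict(check_before, 64, 100, replays[i])],
               name[replayed_verdict(check_after, 64, 100, replays[i])]);
    return 0;
}
```
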
    • Fix TCP receiver side SWS handling. · 12da1b6a
      John Heffner authored
      [TCP]: Do receiver-side SWS avoidance for rcvbuf < MSS.
      Signed-off-by: John Heffner <jheffner@psc.edu>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • Fix scsi sense handling · 0b3a1a38
      David Miller authored
      [SCSI]: Fix scsi_send_eh_cmnd scatterlist handling
      
      This fixes a regression caused by commit:
      
      2dc611de
      
      The sense buffer code in scsi_send_eh_cmnd was changed to use
      alloc_page() and a scatter list, but the sense data copy was not
      updated to match so what we actually get in the sense buffer is total
      garbage starting with the kernel address of the struct page we got.
      Basically the stack frame of scsi_send_eh_cmd() is what ends up
      in the sense buffer.
      
      Depending upon how pointers look on a given platform, you can
      end up getting sr_ioctl.c errors when you mount a cdrom.  If
      the CDROM gives a check condition for GPCMD_GET_CONFIGURATION issued
      by drivers/cdrom/cdrom.c:cdrom_mmc_profile(), sr_ioctl will
      spit out this error message in sr_do_ioctl() with the way pointers
      are on sparc64:
      
      		default:
      			printk(KERN_ERR "%s: CDROM (ioctl) error, command: ", cd->cdi.name);
      			__scsi_print_command(cgc->cmd);
      			scsi_print_sense_hdr("sr", &sshdr);
      			err = -EIO;
      
      This is the error Tom Callaway reported in:
      
      http://marc.info/?l=linux-sparc&m=117407453208101&w=2
      
      Anyways, fix this by using page_address(sgl.page) which is OK
      because we know this is low-mem due to GFP_ATOMIC.
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Acked-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • Fix length validation in rawv6_sendmsg() · cda778fc
      YOSHIFUJI Hideaki authored
      [IPv6]: Fix incorrect length check in rawv6_sendmsg()
      
      In article <20070329.142644.70222545.davem@davemloft.net> (at Thu, 29 Mar 2007 14:26:44 -0700 (PDT)), David Miller <davem@davemloft.net> says:
      
      > From: Sridhar Samudrala <sri@us.ibm.com>
      > Date: Thu, 29 Mar 2007 14:17:28 -0700
      >
      > > The check for length in rawv6_sendmsg() is incorrect.
      > > As len is an unsigned int, (len < 0) will never be TRUE.
      > > I think checking for IPV6_MAXPLEN(65535) is better.
      > >
      > > Is it possible to send ipv6 jumbo packets using raw
      > > sockets? If so, we can remove this check.
      >
      > I don't see why such a limitation against jumbo would exist,
      > does anyone else?
      >
      > Thanks for catching this Sridhar.  A good compiler should simply
      > fail to compile "if (x < 0)" when 'x' is an unsigned type, don't
      > you think :-)
      
      Dave, we use "int" for returning value,
      so we should fix this anyway, IMHO;
      we should not allow len > INT_MAX.
      Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
      Acked-by: Sridhar Samudrala <sri@us.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • Fix IFB net driver input device crashes · 1e3769dc
      Patrick McHardy authored
      [IFB]: Fix crash on input device removal
      
      The input_device pointer is not refcounted, which means the device may
      disappear while packets are queued, causing a crash when ifb passes packets
      with a stale skb->dev pointer to netif_rx().
      
      Fix by storing the interface index instead and do a lookup where necessary.
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Acked-by: Jamal Hadi Salim <hadi@cyberus.ca>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • NETFILTER: ipt_CLUSTERIP: fix oops in checkentry function · 9e45b2f0
      Patrick McHardy authored
      [NETFILTER]: ipt_CLUSTERIP: fix oops in checkentry function
      
      The clusterip_config_find_get() already increases entries reference
      counter, so there is no reason to do it twice in checkentry() callback.
      
      This causes the config to be freed before it is removed from the list,
      resulting in a crash when adding the next rule.
      Signed-off-by: Jaroslav Kysela <perex@suse.cz>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • 8139too: RTNL and flush_scheduled_work deadlock · 8e6697b5
      Francois Romieu authored
      Your usual dont-flush_scheduled_work-with-RTNL-held stuff.
      
      It is a bit different here since the thread runs permanently
      or is only occasionally kicked for recovery depending on the
      hardware revision.
      Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
      Cc: Ben Greear <greearb@candelatech.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • Fix calculation for size of filemap_attr array in md/bitmap. · 2d6a4239
      Neil Brown authored
      If 'num_pages' were ever 1 more than a multiple of 8 (32bit platforms)
      or of 16 (64 bit platforms), filemap_attr would be allocated one
      'unsigned long' shorter than required.  We need a round-up in there.
      Signed-off-by: Neil Brown <neilb@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
    • HID: Do not discard truncated input reports · 2031c519
      Adam Kropelin authored
      HID: Do not discard truncated input reports
      
      Truncated reports should not be discarded since it prevents buggy
      devices from communicating with userspace.
      
      Prior to the regression introduced in 2.6.20, a shorter-than-expected
      report in hid_input_report() was passed thru after having the missing
      bytes cleared. This behavior was established over a few patches in the
      2.6.early-teens days, including commit
      cd610457.
      
      This patch restores the previous behavior and fixes the regression.
      Signed-off-by: Adam Kropelin <akropel1@rochester.rr.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>