Signed-off-by: Jose Alberto Reguero <jareguero@telefonica.net>
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>

Michael Schimek requested the addition of inverted alpha framebuffer
caps/flags to support such hardware.
'Normal' alpha uses this formula to mix the framebuffer and video:
output = fb pixel * fb alpha + video pixel * (1 - fb alpha)
and the 'inverted' alpha uses this formula:
output = fb pixel * (1 - fb alpha) + video pixel * fb alpha
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>

The VIDIOC_CROPCAP ioctl was missing in ivtv.
The handling of output video cropping was wrong. This has now been fixed.
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>

V4L2_CAP_VIDEO_OUTPUT_POS was initially introduced for 2.6.22 but never
actually used: remove it before the final 2.6.22 is made.
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>

- fixed the urb allocation part that was not taking into account the current alternate setting
  this fixes usb_submit_urb returning -90 errno in isocIrq.
- fixed usb_submit_urb returning -1 errno in isocIrq (need to ignore usb urb with status==-ENOENT)
Acked-by: Dwaine P. Garden <dwainegarden@rogers.com>
Signed-off-by: Thierry Merle <thierry.merle@free.fr>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>

Several people reported unreliable reception with the current driver.
Furthermore, STR and SNR values seem to be inverted.
This fix is based on a patch posted by Hartmut Hackman.
Thanks to Helmut Auer for testing and helping to optimize the patch.
tda826x:
- set baseband cut-off to 19 MHz
tda10086:
- change the parameters of the carrier recovery loop
- toggle register 0x02 between 0x35 (tuning) and 0x00 (locked)
- invert STR and SNR values
Signed-off-by: Oliver Endriss <o.endriss@gmx.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>

Sliced VBI transfers use PIO instead of DMA. This was done inside the
interrupt handler, but since PIO accesses are very slow this meant that
a lot of time was spent inside the interrupt handler. All PIO copies are
now moved to a workqueue. This should fix various issues with missing time
ticks and remote key hits.
Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>

If this mutex_lock_interruptible() does fail due to signal_pending() then the
state of the driver will get trashed in interesting ways, because userspace
cannot and will not retry the close().
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>

If the SAA7111 device is powered down, and requires re-initialisation when
the V4L device is opened (as on the NetWinder), the SAA7111 driver gets
completely confused about the current settings.

The problem is centred around the way the driver keeps _two_ cached copies
of the current settings - one of the struct video_picture settings, and one
of the registers.

When the decoder is re-initailised, the cached register settings are
overwritten, as are the values in the hardware registers.  However, the
cached video_picture settings are not.

Resolve this by removing the useless and buggy second level of caching for
video_picture.  Instead, provide a function which updates register values
if and only if the value we are going to write to the register has changed.
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>

The recent changes on Kconfig broke compilation when VIDEO_DEV is compiled
as module. On some cases, drivers like VIDEO_BUF are compiled with 'y' option
instead of 'm':

...

Thanks to: Toralf Forster <toralf.foerster@gmx.de> for pointing this issue.
Signed-off-by: Mauro Carvalho Chehab <mchehab@infradead.org>

This bug was caught by LTP testcase fchmod06 on Blackfin platform.

In the manpage of fchmod, "EPERM: The effective UID does not match the
owner of the file, and the process is not privileged (Linux: it does not
have the CAP_FOWNER capability)."

But the ramfs nommu code missed the inode_change_ok POSIX UID/GID
verification. This patch fixed this.
Signed-off-by: Bryan Wu <bryan.wu@analog.com>
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

* git://git.linux-xtensa.org/kernel/xtensa-feed:
  Xtensa: use asm-generic/fcntl.h
  [XTENSA] Remove non-rt signal handling
  [XTENSA] Move common sections into bss sections
  [XTENSA] clean-up header files
  [XTENSA] Use generic 64-bit division
  [XTENSA] Remove multi-exported symbols from xtensa_ksyms.c
  [XTENSA] fix sources using deprecated assembler directive
  [XTENSA] Spelling fixes in arch/xtensa
  [XTENSA] fix bit operations in bitops.h

* 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6:
  [SPARC64]: Fix SBUS IRQ regression caused by PCI-E driver.
  [SPARC64]: Fix 2 bugs in PCI Sabre bus scanning.

* 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6: (24 commits)
  xfrm: Add security check before flushing SAD/SPD
  [NET_SCHED]: Fix filter double free
  [NET]: Avoid duplicate netlink notification when changing link state
  [UDP]: Revert 2-pass hashing changes.
  [AF_UNIX]: Fix stream recvmsg() race.
  [NETFILTER]: nf_conntrack_amanda: fix textsearch_prepare() error check
  [NETFILTER]: ip_tables: fix compat related crash
  [NETFILTER]: nf_conntrack: fix helper module unload races
  [RTNETLINK]: ifindex 0 does not exist
  [NETLINK]: Mark netlink policies const
  [TCP] tcp_probe: Attach printf attribute properly to printl().
  [TCP]: Use LIMIT_NETDEBUG in tcp_retransmit_timer().
  [NET]: Merge dst_discard_in and dst_discard_out.
  [RFKILL]: Make rfkill->name const
  [IPV4]: Restore old behaviour of default config values
  [IPV4]: Add default config support after inetdev_init
  [IPV4]: Convert IPv4 devconf to an array
  [IPV4]: Only panic if inetdev_init fails for loopback
  [TCP]: Honour sk_bound_dev_if in tcp_v4_send_ack
  [BNX2]: Update version and reldate.
  ...

This is a minor fix, but what is currently there is essentially wrong.
In do_page_fault, if the faulting address from user code happens to be
in kernel address space (int *p = (int*)-1; p = 0xbed;)  then the
do_page_fault handler will jump over the local_irq_enable with the

  goto bad_area_nosemaphore;

But the first line there sees this is user code and goes through the
process of sending a signal to send SIGSEGV to the user task. This whole
time interrupts are disabled and the task can not be preempted by a
higher priority task.

This patch always enables interrupts in the user path of the
bad_area_nosemaphore.
Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

* master.kernel.org:/home/rmk/linux-2.6-arm:
  [ARM] pxa: fix pxa27x keyboard driver
  [ARM] Fix 4417/1: Serial: Fix AMBA drivers locking
  [ARM] 4421/1: AT91: Value of _KEY fields.
  [ARM] Solve buggy smp_processor_id() usage
  [ARM] 4422/1: Fix default value handling in gpio_direction_output (PXA)
  [ARM] 4419/1: AT91: SAM9 USB clocks check for suspending
  [ARM] 4418/1: AT91: Number of programmable clocks differs
  [ARM] 4392/2: Do not corrupt the SP register in compressed/head.S

* 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus:
  [MIPS] Fix warning by moving do_default_vi into CONFIG_CPU_MIPSR2_SRS
  [MIPS] Fix some minor typoes in arch/mips/Kconfig.
  [MIPS] Remove prototype for deleted function qemu_handle_int
  [MIPS] Fix some system calls with long long arguments
  [MIPS] Make dma_map_sg handle sg elements which are longer than one page
  [MIPS] Drop __ARCH_WANT_SYS_FADVISE64
  [MIPS] Fix VGA corruption on RM300C
  [MIPS] RM300: Fix MMIO problems by marking the PCI INT ACK region busy
  [MIPS] EMMA2RH: remove dead KGDB code
  [MIPS] Remove duplicate fpu enable hazard code.
  [MIPS] Atlas, Malta, SEAD: Remove scroll from interrupt handler.

In file included from /usr/src/linux-2.6-2/net/ipv4/ip_input.c:118:

  include2/asm/system.h:245: error: parse error before "__cmpxchg_32"
  include2/asm/system.h:245: error: parse error before '*' token
  include2/asm/system.h:245: warning: type defaults to `int' in declaration of `__cmpxchg_32'
  include2/asm/system.h:245: warning: function declaration isn't a prototype
  include2/asm/system.h:245: warning: data definition has no type or storage class
Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

We used to access the 64-bit IRQ IMAP and ICLR registers of bus
controllers 4-bytes in and as a 32-bit register word, since only the
low 32-bits were relevant.  This seemed like a good idea at the time.

But the PCI-E controller requires full 8-byte 64-bit access to
these registers, so we switched over to accessing them fully.

SBUS was not adjusted properly, which broke interrupts completely.
Signed-off-by: David S. Miller <davem@davemloft.net>

If we are on hummingbird, bus runs at 66MHZ.

pbm->pci_bus should be setup with the result of pci_scan_one_pbm()
or else we deref NULL pointers in the error interrupt handlers.
Signed-off-by: David S. Miller <davem@davemloft.net>

Currently we check for permission before deleting entries from SAD and
SPD, (see security_xfrm_policy_delete() security_xfrm_state_delete())
However we are not checking for authorization when flushing the SPD and
the SAD completely. It was perhaps missed in the original security hooks
patch.

This patch adds a security check when flushing entries from the SAD and
SPD.  It runs the entire database and checks each entry for a denial.
If the process attempting the flush is unable to remove all of the
entries a denial is logged the the flush function returns an error
without removing anything.

This is particularly useful when a process may need to create or delete
its own xfrm entries used for things like labeled networking but that
same process should not be able to delete other entries or flush the
entire database.

Signed-off-by: Joy Latten<latten@austin.ibm.com>
Signed-off-by: Eric Paris <eparis@parisplace.org>
Signed-off-by: James Morris <jmorris@namei.org>

cbq and atm destroy their filters twice when destroying inner classes
during qdisc destruction.
Reported-and-tested-by: Strobl Anton <a.strobl@aws-it.at>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

When changing the link state from userspace not affecting any other
flags. Two duplicate notification are being sent, once as action
in the NETDEV_UP/NETDEV_DOWN notification chain and a second time
when comparing old and new device flags after the change has been
completed. Although harmless, the duplicates should be avoided.
Signed-off-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>

This reverts changesets:

6aaf47fa
b7b5f487
de34ed91
fc038410

There are still some correctness issues recently
discovered which do not have a known fix that doesn't
involve doing a full hash table scan on port bind.

So revert for now.
Signed-off-by: David S. Miller <davem@davemloft.net>

A recv() on an AF_UNIX, SOCK_STREAM socket can race with a
send()+close() on the peer, causing recv() to return zero, even though
the sent data should be received.

This happens if the send() and the close() is performed between
skb_dequeue() and checking sk->sk_shutdown in unix_stream_recvmsg():

process A  skb_dequeue() returns NULL, there's no data in the socket queue
process B  new data is inserted onto the queue by unix_stream_sendmsg()
process B  sk->sk_shutdown is set to SHUTDOWN_MASK by unix_release_sock()
process A  sk->sk_shutdown is checked, unix_release_sock() returns zero

I'm surprised nobody noticed this, it's not hard to trigger.  Maybe
it's just (un)luck with the timing.

It's possible to work around this bug in userspace, by retrying the
recv() once in case of a zero return value.
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>

The return value from textsearch_prepare() needs to be checked
by IS_ERR(). Because it returns error code as a pointer.

Cc: "Brian J. Murrell" <netfilter@interlinx.bc.ca>
Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

check_compat_entry_size_and_hooks iterates over the matches and calls
compat_check_calc_match, which loads the match and calculates the
compat offsets, but unlike the non-compat version, doesn't call
->checkentry yet. On error however it calls cleanup_matches, which in
turn calls ->destroy, which can result in crashes if the destroy
function (validly) expects to only get called after the checkentry
function.

Add a compat_release_match function that only drops the module reference
on error and rename compat_check_calc_match to compat_find_calc_match to
reflect the fact that it doesn't call the checkentry function.

Reported by Jan Engelhardt <jengelh@linux01.gwdg.de>
Signed-off-by: Dmitry Mishin <dim@openvz.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

When a helper module is unloaded all conntracks refering to it have their
helper pointer NULLed out, leading to lots of races. In most places this
can be fixed by proper use of RCU (they do already check for != NULL,
but in a racy way), additionally nf_conntrack_expect_related needs to
bail out when no helper is present.

Also remove two paranoid BUG_ONs in nf_conntrack_proto_gre that are racy
and not worth fixing.
Signed-off-by: Patrick McHarrdy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

ifindex == 0 does not exist and implies we should do a lookup by name if
one was given.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

GCC doesn't like the way Stephen initially did it:

net/ipv4/tcp_probe.c:83: warning: empty declaration
Signed-off-by: David S. Miller <davem@davemloft.net>

LIMIT_NETDEBUG allows the admin to disable some warning messages (echo 0
 >/proc/sys/net/core/warnings).

The "TCP: Treason uncloaked!" message can use this facility.
Signed-off-by: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Signed-off-by: Denis Cheng <crquan@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

The rfkill name can be made const safely,
this makes the compiler happy when drivers make
it point to some const string used elsewhere.
Signed-off-by: Ivo van Doorn <IvDoorn@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Previously inet devices were only constructed when addresses are added
(or rarely in ipmr).  Therefore the default config values they get are
the ones at the time of these operations.

Now that we're creating inet devices earlier, this changes the
behaviour of default config values in an incompatible way (see bug
#8519).

This patch creates a compromise by setting the default values at the
same point as before but only for those that have not been explicitly
set by the user since the inet device's creation.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

Previously once inetdev_init has been called on a device any changes
made to ipv4_devconf_dflt would have no effect on that device's
configuration.

This creates a problem since we have moved the point where
inetdev_init is called from when an address is added to where the
device is registered.

This patch is the first half of a set that tries to mimic the old
behaviour while still calling inetdev_init.

It propagates any changes to ipv4_devconf_dflt to those devices that
have not had the corresponding attribute set.

The next patch will forcibly set all values at the point where
inetdev_init was previously called.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

This patch converts the ipv4_devconf config members (everything except
sysctl) to an array.  This allows easier manipulation which will be
needed later on to provide better management of default config values.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

When I made the inetdev_init call work on all devices I incorrectly
left in the panic call as well.  It is obviously undesirable to
panic on an allocation failure for a normal network device.  This
patch moves the panic call under the loopback if clause.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>

A time_wait socket inherits sk_bound_dev_if from the original socket,
but it is not used when sending ACK packets using ip_send_reply.

Fix by passing the oif to ip_send_reply in struct ip_reply_arg and
use it for output routing.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

Update to version 1.5.11.
Signed-off-by: Michael Chan <mchan@broadcom.com>
Acked-by: Jeff Garzik <jeff@garzik.org>
Signed-off-by: David S. Miller <davem@davemloft.net>