login
Search
This is the start of the stable review cycle for the 2.6.26.3 release. There are 60 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let us know. If anyone is a maintainer of the proper subsystem, and wants to add a Signed-off-by: line to the patch, please respond with it. These patches are sent out with a number of different people on the Cc: line. If you wish to be a reviewer, please email stable@kernel.org to add your name to the list. If you want to be off the reviewer list, also email us. Responses should be made by Wed, August 20, 17:00:00 UTC. Anything received after that time might be too late. The whole patch series can be found in one patch at: kernel.org/pub/linux/kernel/v2.6/stable-review/patch-2.6.26.3-rc1.gz and the diffstat can be found below. thanks, the -stable release team Makefile | 2 +- arch/ia64/kvm/kvm-ia64.c | 5 +- arch/sparc64/kernel/irq.c | 52 +++++++ arch/sparc64/kernel/kstack.h | 60 ++++++++ arch/sparc64/kernel/process.c | 32 +++-- arch/sparc64/kernel/signal.c | 6 +- arch/sparc64/kernel/stacktrace.c | 11 +- arch/sparc64/kernel/traps.c | 7 +- arch/sparc64/lib/mcount.S | 39 +++++- arch/sparc64/mm/init.c | 11 ++ arch/sparc64/mm/ultra.S | 7 + arch/x86/boot/boot.h | 8 + arch/x86/boot/cpucheck.c | 8 +- arch/x86/boot/main.c | 4 + arch/x86/kernel/cpu/mtrr/generic.c | 2 +- arch/x86/kvm/mmu.c | 1 + arch/x86/kvm/svm.c | 7 +- arch/x86/kvm/vmx.c | 2 + arch/x86/kvm/x86.c | 109 ++++++--------- arch/x86/pci/k8-bus_64.c | 4 +- block/scsi_ioctl.c | 2 +- drivers/char/hw_random/via-rng.c | 8 + ...
2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
commit a477097d9c37c1cf289c7f0257dffcfa42d50197 upstream
Halesh says:
Please find the below testcase provide to test mlock.
Test Case :
===========================
#include <sys/resource.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <errno.h>
#include <stdlib.h>
int main(void)
{
int fd,ret, i = 0;
char *addr, *addr1 = NULL;
unsigned int page_size;
struct rlimit rlim;
if (0 != geteuid())
{
printf("Execute this pgm as root\n");
exit(1);
}
/* create a file */
if ((fd = open("mmap_test.c",O_RDWR|O_CREAT,0755)) == -1)
{
printf("cant create test file\n");
exit(1);
}
page_size = sysconf(_SC_PAGE_SIZE);
/* set the MEMLOCK limit */
rlim.rlim_cur = 2000;
rlim.rlim_max = 2000;
if ((ret = setrlimit(RLIMIT_MEMLOCK,&rlim)) != 0)
{
printf("Cant change limit values\n");
exit(1);
}
addr = 0;
while (1)
{
/* map a page into memory each time*/
if ((addr = (char *) mmap(addr,page_size, PROT_READ |
PROT_WRITE,MAP_SHARED,fd,0)) == MAP_FAILED)
{
printf("cant do mmap on file\n");
exit(1);
}
if (0 == i)
addr1 = addr;
i++;
errno = 0;
/* lock the mapped memory pagewise*/
if ((ret = mlock((char *)addr, 1500)) == -1)
{
printf("errno value is %d\n", errno);
printf("cant lock maped region\n");
exit(1);
}
addr = addr + page_size;
}
}
======================================================
This testcase results in an mlock() failure with errno 14 that is EFAULT,
but it has nowhere been specified that mlock() will return EFAULT. When I
tested the same on older kernels like 2.6.18, I got the correct result i.e
errno 12 (ENOMEM).
I think in source code mlock(2), setting errno ENOMEM has been missed ...2.6.26-stable review patch. If anyone has any objections, please let us know. ------------------ From: James Bottomley <James.Bottomley@HansenPartnership.com> commit 671a99c8eb2f1dde08ac5538d8cd912047c61ddf upstream There are a few kerneloops.org reports like this one: http://www.kerneloops.org/search.php?search=ses_match_to_enclosure That seem to imply we're running off the end of the VPD inquiry data (although at 512 bytes, it should be long enough for just about anything). we should be using correctly sized buffers anyway, so put those in and hope this oops goes away. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> --- drivers/scsi/ses.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) --- a/drivers/scsi/ses.c +++ b/drivers/scsi/ses.c @@ -345,14 +345,14 @@ static int ses_enclosure_find_by_addr(st return 0; } -#define VPD_INQUIRY_SIZE 512 +#define VPD_INQUIRY_SIZE 36 static void ses_match_to_enclosure(struct enclosure_device *edev, struct scsi_device *sdev) { unsigned char *buf = kmalloc(VPD_INQUIRY_SIZE, GFP_KERNEL); unsigned char *desc; - int len; + u16 vpd_len; struct efd efd = { .addr = 0, }; @@ -372,9 +372,19 @@ static void ses_match_to_enclosure(struc VPD_INQUIRY_SIZE, NULL, SES_TIMEOUT, SES_RETRIES)) goto free; - len = (buf[2] << 8) + buf[3]; + vpd_len = (buf[2] << 8) + buf[3]; + kfree(buf); + buf = kmalloc(vpd_len, GFP_KERNEL); + if (!buf) + return; + cmd[3] = vpd_len >> 8; + cmd[4] = vpd_len & 0xff; + if (scsi_execute_req(sdev, cmd, DMA_FROM_DEVICE, buf, + vpd_len, NULL, SES_TIMEOUT, SES_RETRIES)) + goto free; + desc = buf + 4; - while (desc < buf + len) { + while (desc < buf + vpd_len) { enum scsi_protocol proto = desc[0] >> 4; u8 code_set = desc[0] & 0x0f; u8 piv = desc[1] & 0x80; -- --
2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: James Bottomley <James.Bottomley@HansenPartnership.com>
commit e8bac9e0647dd04c83fd0bfe7cdfe2f6dfb100d0 upstream
The class_device->device conversion is causing an oops in revalidate
because it's assuming that the device_for_each_child iterator will only
return struct scsi_device children. The conversion made all former
class_devices children of the device as well, so this assumption is
broken. Fix it.
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/scsi/scsi_transport_spi.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/drivers/scsi/scsi_transport_spi.c
+++ b/drivers/scsi/scsi_transport_spi.c
@@ -366,12 +366,14 @@ spi_transport_rd_attr(rti, "%d\n");
spi_transport_rd_attr(pcomp_en, "%d\n");
spi_transport_rd_attr(hold_mcs, "%d\n");
-/* we only care about the first child device so we return 1 */
+/* we only care about the first child device that's a real SCSI device
+ * so we return 1 to terminate the iteration when we find it */
static int child_iter(struct device *dev, void *data)
{
- struct scsi_device *sdev = to_scsi_device(dev);
+ if (!scsi_is_sdev_device(dev))
+ return 0;
- spi_dv_device(sdev);
+ spi_dv_device(to_scsi_device(dev));
return 1;
}
--
--
2.6.26-stable review patch. If anyone has any objections, please let us know. ------------------ From: Tim Wright <timw@splhi.com> commit ad337591f4fd20de6a0ca03d6715267a5c1d2b16 upstream It seems cdrwtool in the udftools has been unusable on "modern" kernels for some time. A Google search reveals many people with the same issue but no solution (cdrwtool fails to format the disk). After spending some time tracking down the issue, it comes down to the following: The udftools still use the older CDROM_SEND_PACKET interface to send things like FORMAT_UNIT through to the drive. They should really be updated, but that's another story. Since most distros are using libata now, the cd or dvd burner appears as a SCSI device, and we wind up in block/scsi_ioctl.c. Here, the code tries to take the "struct cdrom_generic_command" and translate it and stuff it into a "struct sg_io_hdr" structure so it can pass it to the modern sg_io() routine instead. Unfortunately, there is one error, or rather an omission in the translation. The timeout that is passed in in the "struct cdrom_generic_command" is in HZ=100 units, and this is modified and correctly converted to jiffies by use of clock_t_to_jiffies(). However, a little further down, this cgc.timeout value in jiffies is simply copied into the sg_io_hdr timeout, which should be in milliseconds. Since most modern x86 kernels seems to be getting build with HZ=250, the timeout that is passed to sg_io and eventually converted to the timeout_per_command member of the scsi_cmnd structure is now four times too small. Since cdrwtool tries to set the timeout to one hour for the FORMAT_UNIT command, and it takes about 20 minutes to format a 4x CDRW, the SCSI error-handler kicks in after the FORMAT_UNIT completes because it took longer than the incorrectly-calculated timeout. [jejb: fix up whitespace] Signed-off-by: Tim Wright <timw@splhi.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Signed-off-by: Greg Kroah-Hartman ...
2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: HighPoint Linux Team <linux@highpoint-tech.com>
commit dd07428b44944b42f699408fe31af47977f1e733 upstream
Add PCI device ID for new adapter models.
Signed-off-by: HighPoint Linux Team <linux@highpoint-tech.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/scsi/hptiop.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/scsi/hptiop.c
+++ b/drivers/scsi/hptiop.c
@@ -1249,6 +1249,13 @@ static struct pci_device_id hptiop_id_ta
{ PCI_VDEVICE(TTI, 0x3522), (kernel_ulong_t)&hptiop_itl_ops },
{ PCI_VDEVICE(TTI, 0x3410), (kernel_ulong_t)&hptiop_itl_ops },
{ PCI_VDEVICE(TTI, 0x3540), (kernel_ulong_t)&hptiop_itl_ops },
+ { PCI_VDEVICE(TTI, 0x3530), (kernel_ulong_t)&hptiop_itl_ops },
+ { PCI_VDEVICE(TTI, 0x3560), (kernel_ulong_t)&hptiop_itl_ops },
+ { PCI_VDEVICE(TTI, 0x4322), (kernel_ulong_t)&hptiop_itl_ops },
+ { PCI_VDEVICE(TTI, 0x4210), (kernel_ulong_t)&hptiop_itl_ops },
+ { PCI_VDEVICE(TTI, 0x4211), (kernel_ulong_t)&hptiop_itl_ops },
+ { PCI_VDEVICE(TTI, 0x4310), (kernel_ulong_t)&hptiop_itl_ops },
+ { PCI_VDEVICE(TTI, 0x4311), (kernel_ulong_t)&hptiop_itl_ops },
{ PCI_VDEVICE(TTI, 0x3120), (kernel_ulong_t)&hptiop_mv_ops },
{ PCI_VDEVICE(TTI, 0x3122), (kernel_ulong_t)&hptiop_mv_ops },
{ PCI_VDEVICE(TTI, 0x3020), (kernel_ulong_t)&hptiop_mv_ops },
--
--
2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Ondrej Zajicek <santiago@crfreenet.org>
commit 594a8819774b09ee5bf72d23300489459ff1f882 upstream
commit 20e061fb750d36ec0ffcb2e44ed7dafa9018223b
Author: Ondrej Zajicek <santiago@crfreenet.org>
Date: Mon Apr 28 02:15:18 2008 -0700
fbdev: framebuffer_alloc() fixes
Correct the dev arg of framebuffer_alloc() in arkfb, s3fb and vt8623fb.
causes a null-pointer deref because "info->dev is NULL, info was just
kzallocated".
Signed-off-by: Ondrej Zajicek <santiago@crfreenet.org>
Reported-by: "MadLoisae@gmx.net" <MadLoisae@gmx.net>
Tested-by: "MadLoisae@gmx.net" <MadLoisae@gmx.net>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: "Antonino A. Daplas" <adaplas@pol.net>
Cc: Krzysztof Helt <krzysztof.h1@poczta.fm>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/video/arkfb.c | 18 +++++++++---------
drivers/video/s3fb.c | 18 +++++++++---------
drivers/video/vt8623fb.c | 20 ++++++++++----------
3 files changed, 28 insertions(+), 28 deletions(-)
--- a/drivers/video/arkfb.c
+++ b/drivers/video/arkfb.c
@@ -958,20 +958,20 @@ static int __devinit ark_pci_probe(struc
/* Prepare PCI device */
rc = pci_enable_device(dev);
if (rc < 0) {
- dev_err(info->dev, "cannot enable PCI device\n");
+ dev_err(info->device, "cannot enable PCI device\n");
goto err_enable_device;
}
rc = pci_request_regions(dev, "arkfb");
if (rc < 0) {
- dev_err(info->dev, "cannot reserve framebuffer region\n");
+ dev_err(info->device, "cannot reserve framebuffer region\n");
goto err_request_regions;
}
par->dac = ics5342_init(ark_dac_read_regs, ark_dac_write_regs, info);
if (! par->dac) {
rc = -ENOMEM;
- dev_err(info->dev, "RAMDAC initialization failed\n");
+ dev_err(info->device, "RAMDAC ...2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Petr Tesarik <ptesarik@suse.cz>
commit 938bb03d188a1e688fb0bcae49788f540193e80a uptream
Aesthetic regards aside, commit e8e7b9eb11c34ee18bde8b7011af41938d1ad667
still leaves a bug in the error message, because it uses the unconverted
big-endian value for printk.
Fix this by using a local variable in machine byte order. The result is
correct, more readable, and also produces slightly shorter code on i386.
Signed-off-by: Petr Tesarik <ptesarik@suse.cz>
Cc: Jens Axboe <jens.axboe@oracle.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: <stable@kernel.org>
Acked-by: Borislav Petkov <petkovbb@gmail.com>
[bart: __u32 -> u32]
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/ide/ide-cd.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
--- a/drivers/ide/ide-cd.c
+++ b/drivers/ide/ide-cd.c
@@ -1298,6 +1298,7 @@ static int cdrom_read_capacity(ide_drive
int stat;
struct request req;
+ u32 blocklen;
ide_cd_init_rq(drive, &req);
@@ -1314,23 +1315,24 @@ static int cdrom_read_capacity(ide_drive
/*
* Sanity check the given block size
*/
- switch (capbuf.blocklen) {
- case __constant_cpu_to_be32(512):
- case __constant_cpu_to_be32(1024):
- case __constant_cpu_to_be32(2048):
- case __constant_cpu_to_be32(4096):
+ blocklen = be32_to_cpu(capbuf.blocklen);
+ switch (blocklen) {
+ case 512:
+ case 1024:
+ case 2048:
+ case 4096:
break;
default:
printk(KERN_ERR "%s: weird block size %u\n",
- drive->name, capbuf.blocklen);
+ drive->name, blocklen);
printk(KERN_ERR "%s: default to 2kb block size\n",
drive->name);
- capbuf.blocklen = __constant_cpu_to_be32(2048);
+ blocklen = 2048;
break;
}
*capacity = 1 + be32_to_cpu(capbuf.lba);
- *sectors_per_frame = ...2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Tom Zanussi <tzanussi@gmail.com>
commit 32194450330be327f3b25bf6b66298bd122599e9 upstream
In relay's current read implementation, if the buffer is completely full
but hasn't triggered the buffer-full condition (i.e. the last write
didn't cross the subbuffer boundary) and the last subbuffer is exactly
full, the subbuffer accounting code erroneously finds nothing available.
This patch fixes the problem.
Signed-off-by: Tom Zanussi <tzanussi@gmail.com>
Cc: Eduard - Gabriel Munteanu <eduard.munteanu@linux360.ro>
Cc: Pekka Enberg <penberg@cs.helsinki.fi>
Cc: Jens Axboe <jens.axboe@oracle.com>
Cc: Mathieu Desnoyers <compudj@krystal.dyndns.org>
Cc: Andrea Righi <righi.andrea@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
kernel/relay.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- a/kernel/relay.c
+++ b/kernel/relay.c
@@ -832,6 +832,10 @@ static void relay_file_read_consume(stru
size_t n_subbufs = buf->chan->n_subbufs;
size_t read_subbuf;
+ if (buf->subbufs_produced == buf->subbufs_consumed &&
+ buf->offset == buf->bytes_consumed)
+ return;
+
if (buf->bytes_consumed + bytes_consumed > subbuf_size) {
relay_subbufs_consumed(buf->chan, buf->cpu, 1);
buf->bytes_consumed = 0;
@@ -863,6 +867,8 @@ static int relay_file_read_avail(struct
relay_file_read_consume(buf, read_pos, 0);
+ consumed = buf->subbufs_consumed;
+
if (unlikely(buf->offset > subbuf_size)) {
if (produced == consumed)
return 0;
@@ -881,8 +887,12 @@ static int relay_file_read_avail(struct
if (consumed > produced)
produced += n_subbufs * subbuf_size;
- if (consumed == produced)
+ if (consumed == produced) {
+ if (buf->offset == subbuf_size &&
+ buf->subbufs_produced > ...2.6.26-stable review patch. If anyone has any objections, please let us know. ------------------ From: Oleg Nesterov <oleg@tv-sign.ru> commit 54da1174922cddd4be83d5a364b2e0fdd693f513 upstream do_schedule_next_timer() sets info->si_overrun = timr->it_overrun_last, this discards the already accumulated overruns. Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru> Cc: Mark McLoughlin <markmc@redhat.com> Cc: Oliver Pinter <oliver.pntr@gmail.com> Cc: Roland McGrath <roland@redhat.com> Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> --- kernel/posix-timers.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/kernel/posix-timers.c +++ b/kernel/posix-timers.c @@ -289,7 +289,7 @@ void do_schedule_next_timer(struct sigin else schedule_next_timer(timr); - info->si_overrun = timr->it_overrun_last; + info->si_overrun += timr->it_overrun_last; } if (timr) -- --
2.6.26-stable review patch. If anyone has any objections, please let us know. ------------------ From: Oleg Nesterov <oleg@tv-sign.ru> commit ba661292a2bc6ddd305a212b0526e5dc22195fe7 upstream The bug was reported and analysed by Mark McLoughlin <markmc@redhat.com>, the patch is based on his and Roland's suggestions. posix_timer_event() always rewrites the pre-allocated siginfo before sending the signal. Most of the written info is the same all the time, but memset(0) is very wrong. If ->sigq is queued we can race with collect_signal() which can fail to find this siginfo looking at .si_signo, or copy_siginfo() can copy the wrong .si_code/si_tid/etc. In short, sys_timer_settime() can in fact stop the active timer, or the user can receive the siginfo with the wrong .si_xxx values. Move "memset(->info, 0)" from posix_timer_event() to alloc_posix_timer(), change send_sigqueue() to set .si_overrun = 0 when ->sigq is not queued. It would be nice to move the whole sigq->info initialization from send to create path, but this is not easy to do without uglifying timer_create() further. As Roland rightly pointed out, we need more cleanups/fixes here, see the "FIXME" comment in the patch. Hopefully this patch makes sense anyway, and it can mask the most bad implications. Reported-by: Mark McLoughlin <markmc@redhat.com> Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru> Cc: Mark McLoughlin <markmc@redhat.com> Cc: Oliver Pinter <oliver.pntr@gmail.com> Cc: Roland McGrath <roland@redhat.com> Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> --- kernel/posix-timers.c | 17 +++++++++++++---- kernel/signal.c | 1 + 2 files changed, 14 insertions(+), 4 deletions(-) --- a/kernel/posix-timers.c +++ b/kernel/posix-timers.c @@ -296,14 +296,22 @@ void do_schedule_next_timer(struct sigin unlock_timer(timr, flags); } -int posix_timer_event(struct k_itimer *timr,int ...
2.6.26-stable review patch. If anyone has any objections, please let us know. ------------------ From: David Miller <davem@davemloft.net> commit 969830b2fedf8336c41d6195f49d250b1e166ff8 upstream Some chips appear to have the 2D engine hang during screen redraw, typically in a sequence of copyarea operations. This appear to be solved by adding a flush of the engine destination pixel cache and waiting for the engine to be idle before issuing the accel operation. The performance impact seems to be fairly small. Here is a trace on an RV370 (PCI device ID 0x5b64), it records the RBBM_STATUS register, then the source x/y, destination x/y, and width/height used for the copy: ---------------------------------------- radeonfb_prim_copyarea: STATUS[00000140] src[210:70] dst[210:60] wh[a0:10] radeonfb_prim_copyarea: STATUS[00000140] src[2b8:70] dst[2b8:60] wh[88:10] radeonfb_prim_copyarea: STATUS[00000140] src[348:70] dst[348:60] wh[40:10] radeonfb_prim_copyarea: STATUS[80020140] src[390:70] dst[390:60] wh[88:10] radeonfb_prim_copyarea: STATUS[8002613f] src[40:80] dst[40:70] wh[28:10] radeonfb_prim_copyarea: STATUS[80026139] src[a8:80] dst[a8:70] wh[38:10] radeonfb_prim_copyarea: STATUS[80026133] src[e8:80] dst[e8:70] wh[80:10] radeonfb_prim_copyarea: STATUS[8002612d] src[170:80] dst[170:70] wh[30:10] radeonfb_prim_copyarea: STATUS[80026127] src[1a8:80] dst[1a8:70] wh[8:10] radeonfb_prim_copyarea: STATUS[80026121] src[1b8:80] dst[1b8:70] wh[88:10] radeonfb_prim_copyarea: STATUS[8002611b] src[248:80] dst[248:70] wh[68:10] ---------------------------------------- When things are going fine the copies complete before the next ROP is even issued, but all of a sudden the 2D unit becomes active (bit 17 in RBBM_STATUS) and the FIFO retry (bit 13) and FIFO pipeline busy (bit 14) are set as well. The FIFO begins to backup until it becomes full. What happens next is the radeon_fifo_wait() times out, and we access the chip illegally leading to a bus error which usually wedges the box. ...
2.6.26-stable review patch. If anyone has any objections, please let us know. ------------------ From: Jean Delvare <khali@linux-fr.org> commit 5ede40f87957c6ededf9284c8339722a97b9dfb6 upstream I broke an error path with d03c21ec0be7787ff6b75dcf56c0e96209ccbfbd, sorry about that. The machine will crash if the i2c_attach_client() or maven_init_client() calls fail, although nobody has yet reported this happening. Signed-off-by: Jean Delvare <khali@linux-fr.org> Acked-by: Krzysztof Helt <krzysztof.h1@wp.pl> Cc: Petr Vandrovec <VANDROVE@vc.cvut.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> --- drivers/video/matrox/matroxfb_maven.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/video/matrox/matroxfb_maven.c +++ b/drivers/video/matrox/matroxfb_maven.c @@ -1266,7 +1266,7 @@ static int maven_detect_client(struct i2 ERROR4:; i2c_detach_client(new_client); ERROR3:; - kfree(new_client); + kfree(data); ERROR0:; return err; } -- --
2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Tollef Fog Heen <tfheen@err.no>
commit 8c809681ba0289afd0ed7bbb63679a0568dd441d upstream
USB ID 4348:5523 is handled by the ch341 driver. Remove it from the
pl2023 driver.
Reverts 002e8f2c80c6be76bb312940bc278fc10b2b2487.
Signed-off-by: Tollef Fog Heen <tfheen@err.no>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/usb/serial/pl2303.c | 1 -
drivers/usb/serial/pl2303.h | 4 ----
2 files changed, 5 deletions(-)
--- a/drivers/usb/serial/pl2303.c
+++ b/drivers/usb/serial/pl2303.c
@@ -89,7 +89,6 @@ static struct usb_device_id id_table []
{ USB_DEVICE(ALCOR_VENDOR_ID, ALCOR_PRODUCT_ID) },
{ USB_DEVICE(WS002IN_VENDOR_ID, WS002IN_PRODUCT_ID) },
{ USB_DEVICE(COREGA_VENDOR_ID, COREGA_PRODUCT_ID) },
- { USB_DEVICE(HL340_VENDOR_ID, HL340_PRODUCT_ID) },
{ USB_DEVICE(YCCABLE_VENDOR_ID, YCCABLE_PRODUCT_ID) },
{ } /* Terminating entry */
};
--- a/drivers/usb/serial/pl2303.h
+++ b/drivers/usb/serial/pl2303.h
@@ -107,10 +107,6 @@
#define COREGA_VENDOR_ID 0x07aa
#define COREGA_PRODUCT_ID 0x002a
-/* HL HL-340 (ID: 4348:5523) */
-#define HL340_VENDOR_ID 0x4348
-#define HL340_PRODUCT_ID 0x5523
-
/* Y.C. Cable U.S.A., Inc - USB to RS-232 */
#define YCCABLE_VENDOR_ID 0x05ad
#define YCCABLE_PRODUCT_ID 0x0fba
--
--
2.6.26-stable review patch. If anyone has any objections, please let us know. ------------------ From: Alan Stern <stern@rowland.harvard.edu> commit 1a21175a615ed346e8043f5e9d60a672266b84b4 upstream This patch (as1122) fixes a bug: When an interface is unregistered, its children (sysfs files and endpoint devices) are unregistered after it instead of before. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Tested-by: Kay Sievers <kay.sievers@vrfy.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> --- drivers/usb/core/message.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/drivers/usb/core/message.c +++ b/drivers/usb/core/message.c @@ -1091,8 +1091,8 @@ void usb_disable_device(struct usb_devic continue; dev_dbg(&dev->dev, "unregistering interface %s\n", interface->dev.bus_id); - device_del(&interface->dev); usb_remove_sysfs_intf_files(interface); + device_del(&interface->dev); } /* Now that the interfaces are unbound, nobody should -- --
2.6.26-stable review patch. If anyone has any objections, please let us know. ------------------ From: Alan Stern <stern@rowland.harvard.edu> commit 368ee6469c327364ea10082a348f91c1f5ba47f7 upstream This patch (as1115) adds unusual_devs entries with the IGNORE_RESIDE flag for the iRiver T10 and the Simple Tech/Datafab CF+SM card reader. Apparently these devices provide reasonable residue values for READ and WRITE operations, but not for others like INQUIRY or READ CAPACITY. This fixes the iRiver T10 problem reported in Bugzilla #11125. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> --- drivers/usb/storage/unusual_devs.h | 14 ++++++++++++++ 1 file changed, 14 insertions(+) --- a/drivers/usb/storage/unusual_devs.h +++ b/drivers/usb/storage/unusual_devs.h @@ -1187,6 +1187,13 @@ UNUSUAL_DEV( 0x07c4, 0xa400, 0x0000, 0x US_SC_DEVICE, US_PR_DEVICE, NULL, US_FL_FIX_INQUIRY ), +/* Reported by Rauch Wolke <rauchwolke@gmx.net> */ +UNUSUAL_DEV( 0x07c4, 0xa4a5, 0x0000, 0xffff, + "Simple Tech/Datafab", + "CF+SM Reader", + US_SC_DEVICE, US_PR_DEVICE, NULL, + US_FL_IGNORE_RESIDUE ), + /* Casio QV 2x00/3x00/4000/8000 digital still cameras are not conformant * to the USB storage specification in two ways: * - They tell us they are using transport protocol CBI. In reality they @@ -1758,6 +1765,13 @@ UNUSUAL_DEV( 0x2770, 0x915d, 0x0010, 0x US_SC_DEVICE, US_PR_DEVICE, NULL, US_FL_FIX_CAPACITY ), +/* Reported by Andrey Rahmatullin <wrar@altlinux.org> */ +UNUSUAL_DEV( 0x4102, 0x1020, 0x0100, 0x0100, + "iRiver", + "MP3 T10", + US_SC_DEVICE, US_PR_DEVICE, NULL, + US_FL_IGNORE_RESIDUE ), + /* * David Härdeman <david@2gen.com> * The key makes the SCSI stack print confusing (but harmless) messages -- --
2.6.26-stable review patch. If anyone has any objections, please let us know. ------------------ From: Dave Jones <davej@redhat.com> commit b9a097f26e55968cbc52e30a4a2e73d32d7604ce upstream usb-storage: quirk around v1.11 firmware on Nikon D40 https://bugzilla.redhat.com/show_bug.cgi?id=454028 Just as in earlier firmware versions, we need to perform this quirk for the latest version too. Speculatively do the entry for the D80 too, as they seem to have the same firmware problems historically. Signed-off-by: Dave Jones <davej@redhat.com> Cc: Johannes Berg <johannes@sipsolutions.net> Cc: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> --- drivers/usb/storage/unusual_devs.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/drivers/usb/storage/unusual_devs.h +++ b/drivers/usb/storage/unusual_devs.h @@ -358,14 +358,14 @@ UNUSUAL_DEV( 0x04b0, 0x040f, 0x0100, 0x US_FL_FIX_CAPACITY), /* Reported by Emil Larsson <emil@swip.net> */ -UNUSUAL_DEV( 0x04b0, 0x0411, 0x0100, 0x0110, +UNUSUAL_DEV( 0x04b0, 0x0411, 0x0100, 0x0111, "NIKON", "NIKON DSC D80", US_SC_DEVICE, US_PR_DEVICE, NULL, US_FL_FIX_CAPACITY), /* Reported by Ortwin Glueck <odi@odi.ch> */ -UNUSUAL_DEV( 0x04b0, 0x0413, 0x0110, 0x0110, +UNUSUAL_DEV( 0x04b0, 0x0413, 0x0110, 0x0111, "NIKON", "NIKON DSC D40", US_SC_DEVICE, US_PR_DEVICE, NULL, -- --
2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 0282b7f2a874e72c18fcd5a112ccf67f71ba7f5c upstream
This patch (as1121) fixes a bug in the USB serial core. When a device
is unregistered, the core will give back its minors -- even if the
device hasn't been assigned any!
The patch reserves the highest minor value (255) to mean that no minor
was assigned. It also removes some dead code and does a small style
fixup.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/usb/serial/usb-serial.c | 7 +++----
include/linux/usb/serial.h | 3 ++-
2 files changed, 5 insertions(+), 5 deletions(-)
--- a/drivers/usb/serial/usb-serial.c
+++ b/drivers/usb/serial/usb-serial.c
@@ -119,9 +119,6 @@ static void return_serial(struct usb_ser
dbg("%s", __func__);
- if (serial == NULL)
- return;
-
for (i = 0; i < serial->num_ports; ++i) {
serial_table[serial->minor + i] = NULL;
}
@@ -140,7 +137,8 @@ static void destroy_serial(struct kref *
serial->type->shutdown(serial);
/* return the minor range that this device had */
- return_serial(serial);
+ if (serial->minor != SERIAL_TTY_NO_MINOR)
+ return_serial(serial);
for (i = 0; i < serial->num_ports; ++i)
serial->port[i]->open_count = 0;
@@ -562,6 +560,7 @@ static struct usb_serial * create_serial
serial->interface = interface;
kref_init(&serial->kref);
mutex_init(&serial->disc_mutex);
+ serial->minor = SERIAL_TTY_NO_MINOR;
return serial;
}
--- a/include/linux/usb/serial.h
+++ b/include/linux/usb/serial.h
@@ -17,7 +17,8 @@
#include <linux/mutex.h>
#define SERIAL_TTY_MAJOR 188 /* Nice legal number now */
-#define SERIAL_TTY_MINORS 255 /* loads of devices :) */
+#define SERIAL_TTY_MINORS 254 /* loads of devices :) */
+#define SERIAL_TTY_NO_MINOR 255 /* No minor was assigned */
/* The maximum number of ...2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Frederik Kriewitz <frederik@kriewitz.eu>
commit a00c3cadc2bf50b3c925acdb3d0e5789b1650498 upstream
The Patch adds support for Luminance Stellaris Evaluation/Development
Kits (FTDI 2232C based).
The PIDs were missing.
Successfully tested with a Stellaris LM3S8962 Evaluation kit.
Signed-off-by: Frederik Kriewitz <frederik@kriewitz.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/usb/serial/ftdi_sio.c | 4 ++++
drivers/usb/serial/ftdi_sio.h | 5 +++++
2 files changed, 9 insertions(+)
--- a/drivers/usb/serial/ftdi_sio.c
+++ b/drivers/usb/serial/ftdi_sio.c
@@ -636,6 +636,10 @@ static struct usb_device_id id_table_com
.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
{ USB_DEVICE(FTDI_VID, FTDI_OOCDLINK_PID),
.driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE(FTDI_VID, LMI_LM3S_DEVEL_BOARD_PID),
+ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+ { USB_DEVICE(FTDI_VID, LMI_LM3S_EVAL_BOARD_PID),
+ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
{ USB_DEVICE(RATOC_VENDOR_ID, RATOC_PRODUCT_ID_USB60F) },
{ USB_DEVICE(FTDI_VID, FTDI_REU_TINY_PID) },
{ }, /* Optional parameter entry */
--- a/drivers/usb/serial/ftdi_sio.h
+++ b/drivers/usb/serial/ftdi_sio.h
@@ -815,6 +815,11 @@
#define OLIMEX_VID 0x15BA
#define OLIMEX_ARM_USB_OCD_PID 0x0003
+/* Luminary Micro Stellaris Boards, VID = FTDI_VID */
+/* FTDI 2332C Dual channel device, side A=245 FIFO (JTAG), Side B=RS232 UART */
+#define LMI_LM3S_DEVEL_BOARD_PID 0xbcd8
+#define LMI_LM3S_EVAL_BOARD_PID 0xbcd9
+
/* www.elsterelectricity.com Elster Unicom III Optical Probe */
#define FTDI_ELSTER_UNICOM_PID 0xE700 /* Product Id */
--
--
2.6.26-stable review patch. If anyone has any objections, please let us know. ------------------ From: Andre Schenk <andre@melior.s.bawue.de> commit b5894a500127fce1db1309db5f9ca8b77a2ac266 upstream USB product id registration for the ELV HS485 USB adapter (www.elv.de) to their home automation bus system. Applies to 2.6.26. Signed-off-by: Andre Schenk <andre@melior.s.bawue.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> --- drivers/usb/serial/ftdi_sio.c | 1 + drivers/usb/serial/ftdi_sio.h | 1 + 2 files changed, 2 insertions(+) --- a/drivers/usb/serial/ftdi_sio.c +++ b/drivers/usb/serial/ftdi_sio.c @@ -553,6 +553,7 @@ static struct usb_device_id id_table_com { USB_DEVICE(FTDI_VID, FTDI_ELV_FHZ1300PC_PID) }, { USB_DEVICE(FTDI_VID, FTDI_ELV_EM1010PC_PID) }, { USB_DEVICE(FTDI_VID, FTDI_ELV_WS500_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_ELV_HS485_PID) }, { USB_DEVICE(FTDI_VID, LINX_SDMUSBQSS_PID) }, { USB_DEVICE(FTDI_VID, LINX_MASTERDEVEL2_PID) }, { USB_DEVICE(FTDI_VID, LINX_FUTURE_0_PID) }, --- a/drivers/usb/serial/ftdi_sio.h +++ b/drivers/usb/serial/ftdi_sio.h @@ -524,6 +524,7 @@ #define FTDI_ELV_WS300PC_PID 0xE0F6 /* PC-Wetterstation (WS 300 PC) */ #define FTDI_ELV_FHZ1300PC_PID 0xE0E8 /* FHZ 1300 PC */ #define FTDI_ELV_WS500_PID 0xE0E9 /* PC-Wetterstation (WS 500) */ +#define FTDI_ELV_HS485_PID 0xE0EA /* USB to RS-485 adapter */ #define FTDI_ELV_EM1010PC_PID 0xE0EF /* Engery monitor EM 1010 PC */ /* -- --
2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Sven Wegener <sven.wegener@stealer.net>
commit 8ab19ea36c5c5340ff598e4d15fc084eb65671dc upstream
There is a slight chance for a deadlock in the estimator code. We can't call
del_timer_sync() while holding our lock, as the timer might be active and
spinning for the lock on another cpu. Work around this issue by using
try_to_del_timer_sync() and releasing the lock. We could actually delete the
timer outside of our lock, as the add and kill functions are only every called
from userspace via [gs]etsockopt() and are serialized by a mutex, but better
make this explicit.
Signed-off-by: Sven Wegener <sven.wegener@stealer.net>
Acked-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/ipv4/ipvs/ip_vs_est.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/net/ipv4/ipvs/ip_vs_est.c
+++ b/net/ipv4/ipvs/ip_vs_est.c
@@ -172,8 +172,11 @@ void ip_vs_kill_estimator(struct ip_vs_s
kfree(est);
killed++;
}
- if (killed && est_list == NULL)
- del_timer_sync(&est_timer);
+ while (killed && !est_list && try_to_del_timer_sync(&est_timer) < 0) {
+ write_unlock_bh(&est_lock);
+ cpu_relax();
+ write_lock_bh(&est_lock);
+ }
write_unlock_bh(&est_lock);
}
--
--
Hi, I am comfortable with this change for both 2.6.25-stable and 2.6.26-stable. An arguably cleaner though more invasive fix, which will likely go into 2.6.28 is to use init and cleanup fuctions for the estimators as the empty case can actually only occur during the unload of IPVS. See "ipvs: Create init functions for estimator code", which was posted by Sven to netdev & lvs-devel, and is currently living in horms/lvs-2.6.git on git.kernel.org. --
2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Carlos Corbacho <carlos@strangeworlds.co.uk>
commit 5c742b45dd5fbbb6cf74d3378341704f4b23c5e8 upstream
In the old acer_acpi, I discovered that on some of the newer AMW0 laptops
that supported the WMID methods, they don't work properly for setting the
wireless and bluetooth values.
So for the AMW0 V2 laptops, we want to use both the 'old' AMW0 and the
'new' WMID methods for setting wireless & bluetooth to guarantee we always
enable it.
This was fixed in acer_acpi some time ago, but I forgot to port the patch
over to acer-wmi when it was merged.
(Without this patch, early AMW0 V2 laptops such as the Aspire 5040 won't
work with acer-wmi, where-as they did with the old acer_acpi).
AK: fix compilation
Signed-off-by: Carlos Corbacho <carlos@strangeworlds.co.uk>
Signed-off-by: Andi Kleen <ak@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/misc/acer-wmi.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
--- a/drivers/misc/acer-wmi.c
+++ b/drivers/misc/acer-wmi.c
@@ -742,11 +742,30 @@ static acpi_status get_u32(u32 *value, u
static acpi_status set_u32(u32 value, u32 cap)
{
+ acpi_status status;
+
if (interface->capability & cap) {
switch (interface->type) {
case ACER_AMW0:
return AMW0_set_u32(value, cap, interface);
case ACER_AMW0_V2:
+ if (cap == ACER_CAP_MAILLED)
+ return AMW0_set_u32(value, cap, interface);
+
+ /*
+ * On some models, some WMID methods don't toggle
+ * properly. For those cases, we want to run the AMW0
+ * method afterwards to be certain we've really toggled
+ * the device state.
+ */
+ if (cap == ACER_CAP_WIRELESS ||
+ cap == ACER_CAP_BLUETOOTH) {
+ status = WMID_set_u32(value, cap, interface);
+ if (ACPI_FAILURE(status))
+ return status;
+
+ return AMW0_set_u32(value, cap, interface);
+ }
case ACER_WMID:
return ...2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Steve French <sfrench@us.ibm.com>
commit ad661334b8ae421154b121ee6ad3b56807adbf11 upstream
In looking at network named pipe support on cifs, I noticed that
Dave Howell's iget patch:
iget: stop CIFS from using iget() and read_inode()
broke mounts to IPC$ (the interprocess communication share), and don't
handle the error case (when getting info on the root inode fails).
Thanks to Gunter who noted a typo in a debug line in the original
version of this patch.
CC: David Howells <dhowells@redhat.com>
CC: Gunter Kukkukk <linux@kukkukk.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
fs/cifs/inode.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/cifs/inode.c
+++ b/fs/cifs/inode.c
@@ -649,6 +649,7 @@ struct inode *cifs_iget(struct super_blo
inode->i_fop = &simple_dir_operations;
inode->i_uid = cifs_sb->mnt_uid;
inode->i_gid = cifs_sb->mnt_gid;
+ } else if (rc) {
_FreeXid(xid);
iget_failed(inode);
return ERR_PTR(rc);
--
--
From: Steve French <sfrench@us.ibm.com>
commit 2c731afb0d4ba16018b400c75665fbdb8feb2175 upstream
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
fs/cifs/cifsfs.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -175,6 +175,8 @@ out_no_root:
if (inode)
iput(inode);
+ cifs_umount(sb, cifs_sb);
+
out_mount_failed:
if (cifs_sb) {
#ifdef CONFIG_CIFS_DFS_UPCALL
--
--
2.6.26-stable review patch. If anyone has any objections, please let us know. ------------------ From: Florian Westphal <fw@strlen.de> [ Upstream commit 16df845f4566bc252f3e09db12f5c2f22cb44226 ] ecn_ok is not initialized when a connection is established by cookies. The cookie syn-ack never sets ECN, so ecn_ok must be set to 0. Spotted using ns-3/network simulation cradle simulator and valgrind. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> --- net/ipv4/syncookies.c | 1 + net/ipv6/syncookies.c | 1 + 2 files changed, 2 insertions(+) --- a/net/ipv4/syncookies.c +++ b/net/ipv4/syncookies.c @@ -301,6 +301,7 @@ struct sock *cookie_v4_check(struct sock ireq->rmt_port = th->source; ireq->loc_addr = ip_hdr(skb)->daddr; ireq->rmt_addr = ip_hdr(skb)->saddr; + ireq->ecn_ok = 0; ireq->snd_wscale = tcp_opt.snd_wscale; ireq->rcv_wscale = tcp_opt.rcv_wscale; ireq->sack_ok = tcp_opt.sack_ok; --- a/net/ipv6/syncookies.c +++ b/net/ipv6/syncookies.c @@ -223,6 +223,7 @@ struct sock *cookie_v6_check(struct sock req->expires = 0UL; req->retrans = 0; + ireq->ecn_ok = 0; ireq->snd_wscale = tcp_opt.snd_wscale; ireq->rcv_wscale = tcp_opt.rcv_wscale; ireq->sack_ok = tcp_opt.sack_ok; -- --
From: Stephen Hemminger <shemminger@vyatta.com>
[ Upstream commit 697f8d0348a652593d195a13dd1067d9df911a82 ]
The rationale is:
* use u32 consistently
* no need to do LCG on values from (better) get_random_bytes
* use more data from get_random_bytes for secondary seeding
* don't reduce state space on srandom32()
* enforce state variable initialization restrictions
Note: the second paper has a version of random32() with even longer period
and a version of random64() if needed.
Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
lib/random32.c | 48 +++++++++++++++++++++++++++---------------------
1 file changed, 27 insertions(+), 21 deletions(-)
--- a/lib/random32.c
+++ b/lib/random32.c
@@ -56,23 +56,12 @@ static u32 __random32(struct rnd_state *
return (state->s1 ^ state->s2 ^ state->s3);
}
-static void __set_random32(struct rnd_state *state, unsigned long s)
+/*
+ * Handle minimum values for seeds
+ */
+static inline u32 __seed(u32 x, u32 m)
{
- if (s == 0)
- s = 1; /* default seed is 1 */
-
-#define LCG(n) (69069 * n)
- state->s1 = LCG(s);
- state->s2 = LCG(state->s1);
- state->s3 = LCG(state->s2);
-
- /* "warm it up" */
- __random32(state);
- __random32(state);
- __random32(state);
- __random32(state);
- __random32(state);
- __random32(state);
+ return (x < m) ? x + m : x;
}
/**
@@ -107,7 +96,7 @@ void srandom32(u32 entropy)
*/
for_each_possible_cpu (i) {
struct rnd_state *state = &per_cpu(net_rand_state, i);
- __set_random32(state, state->s1 ^ entropy);
+ state->s1 = __seed(state->s1 ^ entropy, 1);
}
}
EXPORT_SYMBOL(srandom32);
@@ -122,7 +111,19 @@ static int __init random32_init(void)
for_each_possible_cpu(i) {
struct rnd_state *state = &per_cpu(net_rand_state,i);
- __set_random32(state, i + jiffies);
+
+#define ...From: Wei Yongjun <yjwei@cn.fujitsu.com>
[ Upstream commit 77e2f14f71d68d05945f1d30ca55b5194d6ab1ce ]
SCTP used ip6_xmit() to send fragments after received ICMP packet too
big message. But while send packet used ip6_xmit, the skb->local_df is
not initialized. So when skb if enter ip6_fragment(), the following
code will discard the skb.
ip6_fragment(...)
{
if (!skb->local_df) {
...
return -EMSGSIZE;
}
...
}
SCTP do the following step:
1. send packet ip6_xmit(skb, ipfragok=0)
2. received ICMP packet too big message
3. if PMTUD_ENABLE: ip6_xmit(skb, ipfragok=1)
This patch fixed the problem by set local_df if ipfragok is true.
Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/ipv6/ip6_output.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/ipv6/ip6_output.c
+++ b/net/ipv6/ip6_output.c
@@ -231,6 +231,10 @@ int ip6_xmit(struct sock *sk, struct sk_
skb_reset_network_header(skb);
hdr = ipv6_hdr(skb);
+ /* Allow local fragmentation. */
+ if (ipfragok)
+ skb->local_df = 1;
+
/*
* Fill in the IPv6 header
*/
--
--
2.6.26-stable review patch. If anyone has any objections, please let us know. ------------------ From: Arnaldo Carvalho de Melo <acme@redhat.com> commit 3e8a0a559c66ee9e7468195691a56fefc3589740 upstream Thanks to Eugene Teo for reporting this problem. Signed-off-by: Eugene Teo <eugeneteo@kernel.sg> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com> Signed-off-by: Gerrit Renker <gerrit@erg.abdn.ac.uk> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> --- net/dccp/proto.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/net/dccp/proto.c +++ b/net/dccp/proto.c @@ -476,6 +476,11 @@ static int dccp_setsockopt_change(struct if (copy_from_user(&opt, optval, sizeof(opt))) return -EFAULT; + /* + * rfc4340: 6.1. Change Options + */ + if (opt.dccpsf_len < 1) + return -EINVAL; val = kmalloc(opt.dccpsf_len, GFP_KERNEL); if (!val) -- --
2.6.26-stable review patch. If anyone has any objections, please let us know. ------------------ From: Mikael Pettersson <mikpe@it.uu.se> [ Upstream commit d72609e17fd93bb2f7e0f7e1bdc70b6d20e43843 ] Correct sparc64's implementation of FUTEX_OP_ANDN to do a bitwise negate of the oparg parameter before applying the AND operation. All other archs that support FUTEX_OP_ANDN either negate oparg explicitly (frv, ia64, mips, sh, x86), or do so indirectly by using an and-not instruction (powerpc). Since sparc64 has and-not, I chose to use that solution. I've not found any use of FUTEX_OP_ANDN in glibc so the impact of this bug is probably minor. But other user-space components may try to use it so it should still get fixed. Signed-off-by: Mikael Pettersson <mikpe@it.uu.se> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> --- include/asm-sparc64/futex.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/include/asm-sparc64/futex.h +++ b/include/asm-sparc64/futex.h @@ -59,7 +59,7 @@ static inline int futex_atomic_op_inuser __futex_cas_op("or\t%2, %4, %1", ret, oldval, uaddr, oparg); break; case FUTEX_OP_ANDN: - __futex_cas_op("and\t%2, %4, %1", ret, oldval, uaddr, oparg); + __futex_cas_op("andn\t%2, %4, %1", ret, oldval, uaddr, oparg); break; case FUTEX_OP_XOR: __futex_cas_op("xor\t%2, %4, %1", ret, oldval, uaddr, oparg); -- --
2.6.26-stable review patch. If anyone has any objections, please let us know. ------------------ From: David S. Miller <davem@davemloft.net> [ Upstream commit 17b6f586b8e27914b36c9ed7f3e4d289e6274a80 ] We were picking %i7 out of the wrong register window stack slot. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> --- arch/sparc64/kernel/process.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/sparc64/kernel/process.c +++ b/arch/sparc64/kernel/process.c @@ -320,7 +320,7 @@ static void __global_reg_self(struct thr rw = (struct reg_window *) (regs->u_regs[UREG_FP] + STACK_BIAS); - global_reg_snapshot[this_cpu].i7 = rw->ins[6]; + global_reg_snapshot[this_cpu].i7 = rw->ins[7]; } else global_reg_snapshot[this_cpu].i7 = 0; -- --
2.6.26-stable review patch. If anyone has any objections, please let us know. ------------------ From: David S. Miller <davem@davemloft.net> [ Upstream commit 0a4949c4414af2eb91414bcd8e2a8ac3706f7dde ] That's the userland thread register, so we should never try to change it like this. Based upon glibc bug nptl/6577 and suggestions by Jakub Jelinek. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> --- arch/sparc64/kernel/signal.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/arch/sparc64/kernel/signal.c +++ b/arch/sparc64/kernel/signal.c @@ -2,7 +2,7 @@ * arch/sparc64/kernel/signal.c * * Copyright (C) 1991, 1992 Linus Torvalds - * Copyright (C) 1995 David S. Miller (davem@caip.rutgers.edu) + * Copyright (C) 1995, 2008 David S. Miller (davem@davemloft.net) * Copyright (C) 1996 Miguel de Icaza (miguel@nuclecu.unam.mx) * Copyright (C) 1997 Eddie C. Dost (ecd@skynet.be) * Copyright (C) 1997,1998 Jakub Jelinek (jj@sunsite.mff.cuni.cz) @@ -89,7 +89,9 @@ asmlinkage void sparc64_set_context(stru err |= __get_user(regs->u_regs[UREG_G4], (&(*grp)[MC_G4])); err |= __get_user(regs->u_regs[UREG_G5], (&(*grp)[MC_G5])); err |= __get_user(regs->u_regs[UREG_G6], (&(*grp)[MC_G6])); - err |= __get_user(regs->u_regs[UREG_G7], (&(*grp)[MC_G7])); + + /* Skip %g7 as that's the thread register in userspace. */ + err |= __get_user(regs->u_regs[UREG_I0], (&(*grp)[MC_O0])); err |= __get_user(regs->u_regs[UREG_I1], (&(*grp)[MC_O1])); err |= __get_user(regs->u_regs[UREG_I2], (&(*grp)[MC_O2])); -- --
2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Marcelo Tosatti <mtosatti@redhat.com>
(cherry picked from commit 98899aa0e0bf5de05850082be0eb837058c09ea5)
The segment base is always a linear address, so translate before
accessing guest memory.
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Avi Kivity <avi@qumranet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
arch/x86/kvm/x86.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3207,6 +3207,7 @@ static void get_segment_descritptor_dtab
static int load_guest_segment_descriptor(struct kvm_vcpu *vcpu, u16 selector,
struct desc_struct *seg_desc)
{
+ gpa_t gpa;
struct descriptor_table dtable;
u16 index = selector >> 3;
@@ -3216,13 +3217,16 @@ static int load_guest_segment_descriptor
kvm_queue_exception_e(vcpu, GP_VECTOR, selector & 0xfffc);
return 1;
}
- return kvm_read_guest(vcpu->kvm, dtable.base + index * 8, seg_desc, 8);
+ gpa = vcpu->arch.mmu.gva_to_gpa(vcpu, dtable.base);
+ gpa += index * 8;
+ return kvm_read_guest(vcpu->kvm, gpa, seg_desc, 8);
}
/* allowed just for 8 bytes segments */
static int save_guest_segment_descriptor(struct kvm_vcpu *vcpu, u16 selector,
struct desc_struct *seg_desc)
{
+ gpa_t gpa;
struct descriptor_table dtable;
u16 index = selector >> 3;
@@ -3230,7 +3234,9 @@ static int save_guest_segment_descriptor
if (dtable.limit < index * 8 + 7)
return 1;
- return kvm_write_guest(vcpu->kvm, dtable.base + index * 8, seg_desc, 8);
+ gpa = vcpu->arch.mmu.gva_to_gpa(vcpu, dtable.base);
+ gpa += index * 8;
+ return kvm_write_guest(vcpu->kvm, gpa, seg_desc, 8);
}
static u32 get_tss_base_addr(struct kvm_vcpu *vcpu,
@@ -3242,7 +3248,7 @@ static u32 get_tss_base_addr(struct kvm_
base_addr |= (seg_desc->base1 << 16);
base_addr |= (seg_desc->base2 << 24);
- return ...2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Marcelo Tosatti <mtosatti@redhat.com>
(cherry-picked from commit 34198bf8426276a2ce1e97056a0f02d43637e5ae)
There is no guarantee that the old TSS descriptor in the GDT contains
the proper base address. This is the case for Windows installation's
reboot-via-triplefault.
Use guest registers instead. Also translate the address properly.
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Avi Kivity <avi@qumranet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
arch/x86/kvm/x86.c | 93 +++++++++++++++++------------------------------------
1 file changed, 30 insertions(+), 63 deletions(-)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3251,54 +3251,6 @@ static u32 get_tss_base_addr(struct kvm_
return vcpu->arch.mmu.gva_to_gpa(vcpu, base_addr);
}
-static int load_tss_segment32(struct kvm_vcpu *vcpu,
- struct desc_struct *seg_desc,
- struct tss_segment_32 *tss)
-{
- u32 base_addr;
-
- base_addr = get_tss_base_addr(vcpu, seg_desc);
-
- return kvm_read_guest(vcpu->kvm, base_addr, tss,
- sizeof(struct tss_segment_32));
-}
-
-static int save_tss_segment32(struct kvm_vcpu *vcpu,
- struct desc_struct *seg_desc,
- struct tss_segment_32 *tss)
-{
- u32 base_addr;
-
- base_addr = get_tss_base_addr(vcpu, seg_desc);
-
- return kvm_write_guest(vcpu->kvm, base_addr, tss,
- sizeof(struct tss_segment_32));
-}
-
-static int load_tss_segment16(struct kvm_vcpu *vcpu,
- struct desc_struct *seg_desc,
- struct tss_segment_16 *tss)
-{
- u32 base_addr;
-
- base_addr = get_tss_base_addr(vcpu, seg_desc);
-
- return kvm_read_guest(vcpu->kvm, base_addr, tss,
- sizeof(struct tss_segment_16));
-}
-
-static int save_tss_segment16(struct kvm_vcpu *vcpu,
- struct desc_struct *seg_desc,
- struct tss_segment_16 *tss)
-{
- u32 ...2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Avi Kivity <avi@qumranet.com>
(cherry-picked from commit 577bdc496614ced56d999bbb425e85adf2386490)
When an event (such as an interrupt) is injected, and the stack is
shadowed (and therefore write protected), the guest will exit. The
current code will see that the stack is shadowed and emulate a few
instructions, each time postponing the injection. Eventually the
injection may succeed, but at that time the guest may be unwilling
to accept the interrupt (for example, the TPR may have changed).
This occurs every once in a while during a Windows 2008 boot.
Fix by unshadowing the fault address if the fault was due to an event
injection.
Signed-off-by: Avi Kivity <avi@qumranet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
arch/x86/kvm/mmu.c | 1 +
arch/x86/kvm/svm.c | 7 ++++++-
arch/x86/kvm/vmx.c | 2 ++
3 files changed, 9 insertions(+), 1 deletion(-)
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -1792,6 +1792,7 @@ int kvm_mmu_unprotect_page_virt(struct k
spin_unlock(&vcpu->kvm->mmu_lock);
return r;
}
+EXPORT_SYMBOL_GPL(kvm_mmu_unprotect_page_virt);
void __kvm_mmu_free_some_pages(struct kvm_vcpu *vcpu)
{
--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -1007,13 +1007,18 @@ static int pf_interception(struct vcpu_s
struct kvm *kvm = svm->vcpu.kvm;
u64 fault_address;
u32 error_code;
+ bool event_injection = false;
if (!irqchip_in_kernel(kvm) &&
- is_external_interrupt(exit_int_info))
+ is_external_interrupt(exit_int_info)) {
+ event_injection = true;
push_irq(&svm->vcpu, exit_int_info & SVM_EVTINJ_VEC_MASK);
+ }
fault_address = svm->vmcb->control.exit_info_2;
error_code = svm->vmcb->control.exit_info_1;
+ if (event_injection)
+ kvm_mmu_unprotect_page_virt(&svm->vcpu, fault_address);
return kvm_mmu_page_fault(&svm->vcpu, fault_address, error_code);
}
--- ...2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Marcelo Tosatti <mtosatti@redhat.com>
(cherry picked from commit c93cd3a58845012df2d658fecd0ac99f7008d753)
If 'g' is one then limit is 4kb granular.
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Avi Kivity <avi@qumranet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
arch/x86/kvm/x86.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3168,6 +3168,10 @@ static void seg_desct_to_kvm_desct(struc
kvm_desct->base |= seg_desc->base2 << 24;
kvm_desct->limit = seg_desc->limit0;
kvm_desct->limit |= seg_desc->limit << 16;
+ if (seg_desc->g) {
+ kvm_desct->limit <<= 12;
+ kvm_desct->limit |= 0xfff;
+ }
kvm_desct->selector = selector;
kvm_desct->type = seg_desc->type;
kvm_desct->present = seg_desc->p;
--
--
2.6.26-stable review patch. If anyone has any objections, please let us know. ------------------ From: Julia Lawall <julia@diku.dk> (cherry picked from commit cab7a1eeeb007be309cd99cf14407261a72d2418) There is a call to local_irq_restore in the normal exit case, so it would seem that there should be one on an error return as well. The semantic patch that finds this problem is as follows: (http://www.emn.fr/x-info/coccinelle/) // <smpl> @@ expression l; expression E,E1,E2; @@ local_irq_save(l); ... when != local_irq_restore(l) when != spin_unlock_irqrestore(E,l) when any when strict ( if (...) { ... when != local_irq_restore(l) when != spin_unlock_irqrestore(E1,l) + local_irq_restore(l); return ...; } | if (...) + {local_irq_restore(l); return ...; + } | spin_unlock_irqrestore(E2,l); | local_irq_restore(l); ) // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: Avi Kivity <avi@qumranet.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> --- arch/ia64/kvm/kvm-ia64.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- a/arch/ia64/kvm/kvm-ia64.c +++ b/arch/ia64/kvm/kvm-ia64.c @@ -125,9 +125,9 @@ void kvm_arch_hardware_enable(void *garb PAGE_KERNEL)); local_irq_save(saved_psr); slot = ia64_itr_entry(0x3, KVM_VMM_BASE, pte, KVM_VMM_SHIFT); + local_irq_restore(saved_psr); if (slot < 0) return; - local_irq_restore(saved_psr); spin_lock(&vp_lock); status = ia64_pal_vp_init_env(kvm_vsa_base ? @@ -160,9 +160,9 @@ void kvm_arch_hardware_disable(void *gar local_irq_save(saved_psr); slot = ia64_itr_entry(0x3, KVM_VMM_BASE, pte, KVM_VMM_SHIFT); + local_irq_restore(saved_psr); if (slot < 0) return; - local_irq_restore(saved_psr); status = ia64_pal_vp_exit_env(host_iva); if (status) @@ -1258,6 +1258,7 @@ static int vti_vcpu_setup(struct kvm_vcp uninit: kvm_vcpu_uninit(vcpu); fail: + local_irq_restore(psr); return r; ...
2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Marcus Sundberg <marcus@ingate.com>
commit 77332894c21165404496c56763d7df6c15c4bb09 upstream
The magic write to register 0x82 will often cause PCI config space on
my 8168 (PCI ID 10ec:8168, revision 2. mounted in an LG P300 laptop)
to be filled with ones during driver load, and thus breaking NIC
operation until reboot. If it does not happen on first driver load it
can easily be reproduced by unloading and loading the driver a few
times.
The magic write was added long ago by this commit:
Author: François Romieu <romieu@fr.zoreil.com>
Date: Sat Jan 10 06:00:46 2004 -0500
[netdrvr r8169] Merge of changes done by Realtek to rtl8169_init_one():
- phy capability settings allows lower or equal capability as suggested
in Realtek's changes;
- I/O voodoo;
- no need to s/mdio_write/RTL8169_WRITE_GMII_REG/;
- s/rtl8169_hw_PHY_config/rtl8169_hw_phy_config/;
- rtl8169_hw_phy_config(): ad-hoc struct "phy_magic" to limit duplication
of code (yep, the u16 -> int conversions should work as expected);
- variable renames and whitepace changes ignored.
As the 8168 wasn't supported by that version this patch simply removes
the bogus write from mac versions <= RTL_GIGA_MAC_VER_06.
[The change above makes sense for the 8101/8102 too -- Ueimor]
Signed-off-by: Marcus Sundberg <marcus@ingate.com>
Signed-off-by: Francois Romieu <romieu@fr.zoreil.com>
Cc: Karsten Keil <kkeil@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/net/r8169.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/net/r8169.c
+++ b/drivers/net/r8169.c
@@ -1438,8 +1438,10 @@ static void rtl8169_init_phy(struct net_
rtl_hw_phy_config(dev);
- dprintk("Set MAC Reg C+CR Offset 0x82h = 0x01h\n");
- RTL_W8(0x82, 0x01);
+ if (tp->mac_version <= RTL_GIGA_MAC_VER_06) {
+ dprintk("Set MAC Reg C+CR Offset ...2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Timur Tabi <timur@freescale.com>
Upstream-commid-id: be41e941d5f1a48bde7f44d09d56e8d2605f98e1
The Freescale MPC8610 SSI device has the option of using one clock for both
transmit and receive (synchronous mode), or independent clocks (asynchronous).
The SSI driver, however, programs the SSI into synchronous mode and then
tries to program the clock registers independently. The result is that the wrong
sample size is usually generated during recording.
This patch fixes the discrepancy by restricting the sample rate and sample size
of the playback and capture streams. The SSI driver remembers which stream
is opened first. When a second stream is opened, that stream is constrained
to the same sample rate and size as the first stream.
A future version of this driver will lift the sample size restriction.
Supporting independent sample rates is more difficult, because only certain
codecs provide dual independent clocks.
Signed-off-by: Timur Tabi <timur@freescale.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
sound/soc/fsl/fsl_dma.c | 7 +++-
sound/soc/fsl/fsl_ssi.c | 74 +++++++++++++++++++++++++++++++++++++++++-------
2 files changed, 70 insertions(+), 11 deletions(-)
--- a/sound/soc/fsl/fsl_dma.c
+++ b/sound/soc/fsl/fsl_dma.c
@@ -132,12 +132,17 @@ struct fsl_dma_private {
* Since each link descriptor has a 32-bit byte count field, we set
* period_bytes_max to the largest 32-bit number. We also have no maximum
* number of periods.
+ *
+ * Note that we specify SNDRV_PCM_INFO_JOINT_DUPLEX here, but only because a
+ * limitation in the SSI driver requires the sample rates for playback and
+ * capture to be the same.
*/
static const struct snd_pcm_hardware fsl_dma_hardware = {
.info = SNDRV_PCM_INFO_INTERLEAVED |
SNDRV_PCM_INFO_MMAP |
- ...2.6.26-stable review patch. If anyone has any objections, please let us know. ------------------ From: Hans Verkuil <hverkuil@xs4all.nl> Already in Linus' tree: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b25b791b13... Fix a NULL pointer dereference that happened when calling i2c_new_probed_device on one of the addresses for which we use byte reads instead of quick write for detection purpose (that is: 0x30-0x37 and 0x50-0x5f). Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl> Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> --- drivers/i2c/i2c-core.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/drivers/i2c/i2c-core.c +++ b/drivers/i2c/i2c-core.c @@ -1196,9 +1196,11 @@ i2c_new_probed_device(struct i2c_adapter if ((addr_list[i] & ~0x07) == 0x30 || (addr_list[i] & ~0x0f) == 0x50 || !i2c_check_functionality(adap, I2C_FUNC_SMBUS_QUICK)) { + union i2c_smbus_data data; + if (i2c_smbus_xfer(adap, addr_list[i], 0, I2C_SMBUS_READ, 0, - I2C_SMBUS_BYTE, NULL) >= 0) + I2C_SMBUS_BYTE, &data) >= 0) break; } else { if (i2c_smbus_xfer(adap, addr_list[i], 0, -- --
2.6.26-stable review patch. If anyone has any objections, please let us know. ------------------ From: Jean Delvare <khali@linux-fr.org> Already in Linus' tree: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8d24f8dcb7... In kernel 2.6.26, the ability to select I2C algorithm drivers manually was removed, as all in-kernel drivers do that automatically. However there were some complaints that it was a problem for out-of-tree I2C bus drivers. In order to address these complaints, let's allow manual selection of these drivers again, but still hide them by default for better general user experience. This closes bug #11140: http://bugzilla.kernel.org/show_bug.cgi?id=11140 Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> --- drivers/i2c/Kconfig | 14 ++++++++++++++ drivers/i2c/algos/Kconfig | 11 ++++++++--- 2 files changed, 22 insertions(+), 3 deletions(-) --- a/drivers/i2c/algos/Kconfig +++ b/drivers/i2c/algos/Kconfig @@ -2,15 +2,20 @@ # I2C algorithm drivers configuration # +menu "I2C Algorithms" + depends on !I2C_HELPER_AUTO + config I2C_ALGOBIT - tristate + tristate "I2C bit-banging interfaces" config I2C_ALGOPCF - tristate + tristate "I2C PCF 8584 interfaces" config I2C_ALGOPCA - tristate + tristate "I2C PCA 9564 interfaces" config I2C_ALGO_SGI tristate depends on SGI_IP22 || SGI_IP32 || X86_VISWS + +endmenu --- a/drivers/i2c/Kconfig +++ b/drivers/i2c/Kconfig @@ -38,6 +38,20 @@ config I2C_CHARDEV This support is also available as a module. If so, the module will be called i2c-dev. +config I2C_HELPER_AUTO + bool "Autoselect pertinent helper modules" + default y + help + Some I2C bus drivers require so-called "I2C algorithm" modules + to work. These are basically software-only abstractions of generic + I2C interfaces. This option will autoselect them so that you don't + have to ...
2.6.26-stable review patch. If anyone has any objections, please let us know. ------------------ From: Timur Tabi <timur@freescale.com> Upstream-commit-id: bf9c8c9ddef7ef761ae9747349175adad0ef16ce If an OSS application calls SNDCTL_DSP_SYNC, then ALSA will call the driver's _hw_params and _prepare functions again. On the Freescale MPC8610 DMA ASoC driver, this caused the DMA controller to be unneccessarily re-programmed, and apparently it doesn't like that. The DMA will then not operate when instructed. This patch relocates much of the DMA programming to fsl_dma_open(), which is called only once. Signed-off-by: Timur Tabi <timur@freescale.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> --- sound/soc/fsl/fsl_dma.c | 235 +++++++++++++++++++++++++----------------------- 1 file changed, 124 insertions(+), 111 deletions(-) --- a/sound/soc/fsl/fsl_dma.c +++ b/sound/soc/fsl/fsl_dma.c @@ -327,14 +327,75 @@ static int fsl_dma_new(struct snd_card * * fsl_dma_open: open a new substream. * * Each substream has its own DMA buffer. + * + * ALSA divides the DMA buffer into N periods. We create NUM_DMA_LINKS link + * descriptors that ping-pong from one period to the next. For example, if + * there are six periods and two link descriptors, this is how they look + * before playback starts: + * + * The last link descriptor + * ____________ points back to the first + * | | + * V | + * ___ ___ | + * | |->| |->| + * |___| |___| + * | | + * | | + * V V + * _________________________________________ + * | | | | | | | The DMA buffer is + * | | | | | | | divided into 6 parts + * |______|______|______|______|______|______| + * + * and here's how they look after the first period is finished playing: + * + * ____________ + * | | + * V | + * ___ ___ | + * | |->| |->| + * ...
2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Yinghai Lu <yhlu.kernel@gmail.com>
commit 8004dd965b13b01a96def054d420f6df7ff22d53 upstream.
there is a typo in the mask value, need to remove that extra 0,
to avoid 4bit clearing.
Signed-off-by: Yinghal Lu <yhlu.kernel@gmail.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Cc: maximilian attems <max@stro.at>
Cc: Peter Palfrader <weasel@debian.org>
Cc: dann frazier <dannf@debian.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
arch/x86/kernel/cpu/mtrr/generic.c | 2 +-
arch/x86/pci/k8-bus_64.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
--- a/arch/x86/kernel/cpu/mtrr/generic.c
+++ b/arch/x86/kernel/cpu/mtrr/generic.c
@@ -219,7 +219,7 @@ void __init get_mtrr_state(void)
tom2 = hi;
tom2 <<= 32;
tom2 |= lo;
- tom2 &= 0xffffff8000000ULL;
+ tom2 &= 0xffffff800000ULL;
}
if (mtrr_show) {
int high_width;
--- a/arch/x86/pci/k8-bus_64.c
+++ b/arch/x86/pci/k8-bus_64.c
@@ -384,7 +384,7 @@ static int __init early_fill_mp_bus_info
/* need to take out [0, TOM) for RAM*/
address = MSR_K8_TOP_MEM1;
rdmsrl(address, val);
- end = (val & 0xffffff8000000ULL);
+ end = (val & 0xffffff800000ULL);
printk(KERN_INFO "TOM: %016lx aka %ldM\n", end, end>>20);
if (end < (1ULL<<32))
update_range(range, 0, end - 1);
@@ -478,7 +478,7 @@ static int __init early_fill_mp_bus_info
/* TOP_MEM2 */
address = MSR_K8_TOP_MEM2;
rdmsrl(address, val);
- end = (val & 0xffffff8000000ULL);
+ end = (val & 0xffffff800000ULL);
printk(KERN_INFO "TOM2: %016lx aka %ldM\n", end, end>>20);
update_range(range, 1ULL<<32, end - 1);
}
--
--
2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
commit 84e0f3f6c1e26588fdcb9f1b0f99d0275229bc99 upstream
The driver of ITE8212 in pass-through mode (it8212.noraid=1 on cmndline)
attempts to use the field `.dma_host_set' of the struct ide_dma_ops in
`ide_config_drive_speed' which is set to NULL by default.
So give a value to all fields of the struct ide_dma_ops.
Signed-off-by: Dimitri Gorokhovik <dimitri.gorokhovik@free.fr>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/ide/pci/it821x.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/ide/pci/it821x.c
+++ b/drivers/ide/pci/it821x.c
@@ -512,8 +512,14 @@ static void __devinit it821x_quirkproc(i
}
static struct ide_dma_ops it821x_pass_through_dma_ops = {
+ .dma_host_set = ide_dma_host_set,
+ .dma_setup = ide_dma_setup,
+ .dma_exec_cmd = ide_dma_exec_cmd,
.dma_start = it821x_dma_start,
.dma_end = it821x_dma_end,
+ .dma_test_irq = ide_dma_test_irq,
+ .dma_timeout = ide_dma_timeout,
+ .dma_lost_irq = ide_dma_lost_irq,
};
/**
--
--
2.6.26-stable review patch. If anyone has any objections, please let us know. ------------------ From: Jan Beulich <jbeulich@novell.com> commit 04e1e0cccade330ab3715ce59234f7e3b087e246 upstream. Signed-off-by: Steve French <sfrench@us.ibm.com> Cc: Eugene Teo <eteo@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> --- fs/cifs/asn1.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/fs/cifs/asn1.c +++ b/fs/cifs/asn1.c @@ -400,7 +400,7 @@ asn1_oid_decode(struct asn1_ctx *ctx, size = eoc - ctx->pointer + 1; /* first subid actually encodes first two subids */ - if (size < 2 || size > ULONG_MAX/sizeof(unsigned long)) + if (size < 2 || size > UINT_MAX/sizeof(unsigned long)) return 0; *oid = kmalloc(size * sizeof(unsigned long), GFP_ATOMIC); -- --
2.6.26-stable review patch. If anyone has any objections, please let us know. ------------------ From: David Miller <davem@davemloft.net> Commit efc491814308f89d5ef6c4fe19ae4552a67d4132 upstream radeon: misc corrections I have a new PCI-E radeon RV380 series card (PCI device ID 5b64) that hangs in my sparc64 boxes when the init scripts set the font. The problem goes away if I disable acceleration. I haven't figured out that bug yet, but along the way I found some corrections to make based upon some auditing. 1) The RB2D_DC_FLUSH_ALL value used by the kernel fb driver and the XORG video driver differ. I've made the kernel match what XORG is using. 2) In radeonfb_engine_reset() we have top-level code structure that roughly looks like: if (family is 300, 350, or V350) do this; else do that; ... if (family is NOT 300, OR family is NOT 350, OR family is NOT V350) do another thing; this last conditional makes no sense, is always true, and obviously was likely meant to be "family is NOT 300, 350, or V350". So I've made the code match the intent. Signed-off-by: David S. Miller <davem@davemloft.net> Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Tested-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> --- drivers/video/aty/radeon_accel.c | 4 ++-- include/video/radeon.h | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) --- a/drivers/video/aty/radeon_accel.c +++ b/drivers/video/aty/radeon_accel.c @@ -249,8 +249,8 @@ void radeonfb_engine_reset(struct radeon INREG(HOST_PATH_CNTL); OUTREG(HOST_PATH_CNTL, host_path_cntl); - if (rinfo->family != CHIP_FAMILY_R300 || - rinfo->family != CHIP_FAMILY_R350 || + if (rinfo->family != CHIP_FAMILY_R300 && + rinfo->family != CHIP_FAMILY_R350 && ...
2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
upstream commit is 24307ffabd5b39bad443641f54b12ee2ba7a38ac
Based on sparse comments in OpenFirmware code
(no Cx5510/Cx5520 datasheet here).
This fixes 2.6.26 regression reported by TAKADA
and caused by addition of warm-plug support.
Tested-by: TAKADA Yoshihito <takada@mbf.nifty.com>
Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/ide/pci/cs5520.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/ide/pci/cs5520.c
+++ b/drivers/ide/pci/cs5520.c
@@ -123,6 +123,7 @@ static const struct ide_dma_ops cs5520_d
#define DECLARE_CS_DEV(name_str) \
{ \
.name = name_str, \
+ .enablebits = { {0x60, 0x01, 0x01}, {0x60, 0x02, 0x02} }, \
.port_ops = &cs5520_port_ops, \
.dma_ops = &cs5520_dma_ops, \
.host_flags = IDE_HFLAG_ISA_PORTS | \
--
--
2.6.26-stable review patch. If anyone has any objections, please let us know. ------------------ From: Larry Finger <Larry.Finger@lwfinger.net> With the rtl8187 driver, the config routine is not protected against access before a previous call has completed. When this happens, the TX loopback that is needed to change channels may cause the chip to be locked with a reset needed to restore communications. This patch entered mainline as commit 7dcdd073bf78bb6958bbc12a1a47754a0f3c4721. The problem was found by Herton Ronaldo Krzesinski <herton@mandriva.com.br>, who also suggested this type of fix. Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Acked-by: Herton Ronaldo Krzesinski <herton@mandriva.com.br> Acked-by: Hin-Tak Leung <htl10@users.sourceforge.net> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> --- drivers/net/wireless/rtl8187.h | 4 ++++ drivers/net/wireless/rtl8187_dev.c | 3 +++ 2 files changed, 7 insertions(+) --- a/drivers/net/wireless/rtl8187_dev.c +++ b/drivers/net/wireless/rtl8187_dev.c @@ -580,6 +580,7 @@ static int rtl8187_config(struct ieee802 struct rtl8187_priv *priv = dev->priv; u32 reg; + mutex_lock(&priv->conf_mutex); reg = rtl818x_ioread32(priv, &priv->map->TX_CONF); /* Enable TX loopback on MAC level to avoid TX during channel * changes, as this has be seen to causes problems and the @@ -610,6 +611,7 @@ static int rtl8187_config(struct ieee802 rtl818x_iowrite16(priv, &priv->map->ATIMTR_INTERVAL, 100); rtl818x_iowrite16(priv, &priv->map->BEACON_INTERVAL, 100); rtl818x_iowrite16(priv, &priv->map->BEACON_INTERVAL_TIME, 100); + mutex_unlock(&priv->conf_mutex); return 0; } @@ -814,6 +816,7 @@ static int __devinit rtl8187_probe(struc printk(KERN_ERR "rtl8187: Cannot register device\n"); goto err_free_dev; } + mutex_init(&priv->conf_mutex); printk(KERN_INFO "%s: hwaddr %s, rtl8187 V%d + %s\n", ...
2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: David S. Miller <davem@davemloft.net>
[ Upstream commit 433c5f706856689be25928a99636e724fb3ea7cf ]
Bug reported by Alexander Beregalov.
Before we dereference the stack frame or try to peek at the
pt_regs magic value, make sure the entire object is within
the kernel stack bounds.
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
arch/sparc64/kernel/stacktrace.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/arch/sparc64/kernel/stacktrace.c
+++ b/arch/sparc64/kernel/stacktrace.c
@@ -25,13 +25,15 @@ void save_stack_trace(struct stack_trace
/* Bogus frame pointer? */
if (fp < (thread_base + sizeof(struct thread_info)) ||
- fp >= (thread_base + THREAD_SIZE))
+ fp > (thread_base + THREAD_SIZE - sizeof(struct sparc_stackf)))
break;
sf = (struct sparc_stackf *) fp;
regs = (struct pt_regs *) (sf + 1);
- if ((regs->magic & ~0x1ff) == PT_REGS_MAGIC) {
+ if (((unsigned long)regs <=
+ (thread_base + THREAD_SIZE - sizeof(*regs))) &&
+ (regs->magic & ~0x1ff) == PT_REGS_MAGIC) {
if (!(regs->tstate & TSTATE_PRIV))
break;
pc = regs->tpc;
--
--
2.6.26-stable review patch. If anyone has any objections, please let us know. ------------------ [ Upstream commit c7498081a6f5d96c9f3243b6b5e020352903bfd2 ] The calls down into prom_printf() when we detect an overflowed stack can recurse again since the overflow stack will be "below" the current kernel stack limit. Prevent this by just returning straight if we are on the stack overflow safe stack already. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> --- arch/sparc64/lib/mcount.S | 17 ++++++++++++++--- 1 file changed, 14 insertions(+), 3 deletions(-) --- a/arch/sparc64/lib/mcount.S +++ b/arch/sparc64/lib/mcount.S @@ -45,12 +45,23 @@ _mcount: sub %g3, STACK_BIAS, %g3 cmp %sp, %g3 bg,pt %xcc, 1f - sethi %hi(panicstring), %g3 + nop + /* If we are already on ovstack, don't hop onto it + * again, we are already trying to output the stack overflow + * message. + */ sethi %hi(ovstack), %g7 ! cant move to panic stack fast enough or %g7, %lo(ovstack), %g7 - add %g7, OVSTACKSIZE, %g7 + add %g7, OVSTACKSIZE, %g3 + sub %g3, STACK_BIAS + 192, %g3 sub %g7, STACK_BIAS, %g7 - mov %g7, %sp + cmp %sp, %g7 + blu,pn %xcc, 2f + cmp %sp, %g3 + bleu,pn %xcc, 1f + nop +2: mov %g3, %sp + sethi %hi(panicstring), %g3 call prom_printf or %g3, %lo(panicstring), %o0 call prom_halt -- --
2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: David S. Miller <davem@davemloft.net>
[ Upstream commit 5afe27380bc42454254c9c83c045240249c15e35 ]
Record one more level of stack frame program counter.
Particularly when lockdep and all sorts of spinlock debugging is
enabled, figuring out the caller of spin_lock() is difficult when the
cpu is stuck on the lock.
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
arch/sparc64/kernel/process.c | 35 +++++++++++++++++++++++++++++------
arch/sparc64/mm/ultra.S | 7 +++++++
include/asm-sparc64/ptrace.h | 8 ++++----
3 files changed, 40 insertions(+), 10 deletions(-)
--- a/arch/sparc64/kernel/process.c
+++ b/arch/sparc64/kernel/process.c
@@ -305,6 +305,19 @@ void show_regs(struct pt_regs *regs)
struct global_reg_snapshot global_reg_snapshot[NR_CPUS];
static DEFINE_SPINLOCK(global_reg_snapshot_lock);
+static bool kstack_valid(struct thread_info *tp, struct reg_window *rw)
+{
+ unsigned long thread_base, fp;
+
+ thread_base = (unsigned long) tp;
+ fp = (unsigned long) rw;
+
+ if (fp < (thread_base + sizeof(struct thread_info)) ||
+ fp >= (thread_base + THREAD_SIZE))
+ return false;
+ return true;
+}
+
static void __global_reg_self(struct thread_info *tp, struct pt_regs *regs,
int this_cpu)
{
@@ -316,14 +329,22 @@ static void __global_reg_self(struct thr
global_reg_snapshot[this_cpu].o7 = regs->u_regs[UREG_I7];
if (regs->tstate & TSTATE_PRIV) {
+ struct thread_info *tp = current_thread_info();
struct reg_window *rw;
rw = (struct reg_window *)
(regs->u_regs[UREG_FP] + STACK_BIAS);
- global_reg_snapshot[this_cpu].i7 = rw->ins[7];
- } else
+ if (kstack_valid(tp, rw)) {
+ global_reg_snapshot[this_cpu].i7 = rw->ins[7];
+ rw = (struct reg_window *)
+ (rw->ins[6] + STACK_BIAS);
+ if (kstack_valid(tp, ...2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: David S. Miller <davem@davemloft.net>
[ Upstream commit 4f70f7a91bffdcc39f088748dc678953eb9a3fbd ]
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
arch/sparc64/kernel/irq.c | 52 ++++++++++++++++++++++++++++++++++
arch/sparc64/kernel/kstack.h | 58 +++++++++++++++++++++++++++++++++++++++
arch/sparc64/kernel/process.c | 27 ++++--------------
arch/sparc64/kernel/stacktrace.c | 10 ++----
arch/sparc64/kernel/traps.c | 7 ++--
arch/sparc64/lib/mcount.S | 22 ++++++++++++++
arch/sparc64/mm/init.c | 11 +++++++
include/asm-sparc64/irq.h | 4 ++
8 files changed, 161 insertions(+), 30 deletions(-)
--- a/arch/sparc64/kernel/irq.c
+++ b/arch/sparc64/kernel/irq.c
@@ -682,10 +682,32 @@ void ack_bad_irq(unsigned int virt_irq)
ino, virt_irq);
}
+void *hardirq_stack[NR_CPUS];
+void *softirq_stack[NR_CPUS];
+
+static __attribute__((always_inline)) void *set_hardirq_stack(void)
+{
+ void *orig_sp, *sp = hardirq_stack[smp_processor_id()];
+
+ __asm__ __volatile__("mov %%sp, %0" : "=r" (orig_sp));
+ if (orig_sp < sp ||
+ orig_sp > (sp + THREAD_SIZE)) {
+ sp += THREAD_SIZE - 192 - STACK_BIAS;
+ __asm__ __volatile__("mov %0, %%sp" : : "r" (sp));
+ }
+
+ return orig_sp;
+}
+static __attribute__((always_inline)) void restore_hardirq_stack(void *orig_sp)
+{
+ __asm__ __volatile__("mov %0, %%sp" : : "r" (orig_sp));
+}
+
void handler_irq(int irq, struct pt_regs *regs)
{
unsigned long pstate, bucket_pa;
struct pt_regs *old_regs;
+ void *orig_sp;
clear_softint(1 << irq);
@@ -703,6 +725,8 @@ void handler_irq(int irq, struct pt_regs
"i" (PSTATE_IE)
: "memory");
+ orig_sp = set_hardirq_stack();
+
while (bucket_pa) {
struct irq_desc *desc;
unsigned long next_pa;
@@ -719,10 +743,38 @@ void ...2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: David S. Miller <davem@davemloft.net>
[ Upstream commit 6f63e781eaf6a741fc65f773017154b20ed4ce3b ]
Things like lockdep can try to do stack backtraces before
the irqstack blocks have been setup. So don't try to match
their ranges so early on.
Also, remove unused variable in save_stack_trace().
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
arch/sparc64/kernel/kstack.h | 38 ++++++++++++++++++++------------------
arch/sparc64/kernel/stacktrace.c | 3 +--
2 files changed, 21 insertions(+), 20 deletions(-)
--- a/arch/sparc64/kernel/kstack.h
+++ b/arch/sparc64/kernel/kstack.h
@@ -15,15 +15,16 @@ static inline bool kstack_valid(struct t
sp <= (base + THREAD_SIZE - sizeof(struct sparc_stackf)))
return true;
- base = (unsigned long) hardirq_stack[tp->cpu];
- if (sp >= base &&
- sp <= (base + THREAD_SIZE - sizeof(struct sparc_stackf)))
- return true;
- base = (unsigned long) softirq_stack[tp->cpu];
- if (sp >= base &&
- sp <= (base + THREAD_SIZE - sizeof(struct sparc_stackf)))
- return true;
-
+ if (hardirq_stack[tp->cpu]) {
+ base = (unsigned long) hardirq_stack[tp->cpu];
+ if (sp >= base &&
+ sp <= (base + THREAD_SIZE - sizeof(struct sparc_stackf)))
+ return true;
+ base = (unsigned long) softirq_stack[tp->cpu];
+ if (sp >= base &&
+ sp <= (base + THREAD_SIZE - sizeof(struct sparc_stackf)))
+ return true;
+ }
return false;
}
@@ -37,15 +38,16 @@ static inline bool kstack_is_trap_frame(
addr <= (base + THREAD_SIZE - sizeof(*regs)))
goto check_magic;
- base = (unsigned long) hardirq_stack[tp->cpu];
- if (addr >= base &&
- addr <= (base + THREAD_SIZE - sizeof(*regs)))
- goto check_magic;
- base = (unsigned long) softirq_stack[tp->cpu];
- if (addr >= base &&
- addr <= (base + THREAD_SIZE - sizeof(*regs)))
- goto ...2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Jan Beulich <jbeulich@novell.com>
commit 7bc069c6bc4ede519a7116be1b9e149a1dbf787a upstream
The masked difference is what needs to be compared against 1, rather
than the difference of masked values (which can be negative).
Signed-off-by: Jan Beulich <jbeulich@novell.com>
Acked-by: Nick Piggin <npiggin@suse.de>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
include/asm-x86/spinlock.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/include/asm-x86/spinlock.h
+++ b/include/asm-x86/spinlock.h
@@ -65,7 +65,7 @@ static inline int __raw_spin_is_contende
{
int tmp = ACCESS_ONCE(lock->slock);
- return (((tmp >> 8) & 0xff) - (tmp & 0xff)) > 1;
+ return (((tmp >> 8) - tmp) & 0xff) > 1;
}
static __always_inline void __raw_spin_lock(raw_spinlock_t *lock)
@@ -129,7 +129,7 @@ static inline int __raw_spin_is_contende
{
int tmp = ACCESS_ONCE(lock->slock);
- return (((tmp >> 16) & 0xffff) - (tmp & 0xffff)) > 1;
+ return (((tmp >> 16) - tmp) & 0xffff) > 1;
}
static __always_inline void __raw_spin_lock(raw_spinlock_t *lock)
--
--
2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Joerg Roedel <joro@8bytes.org>
commit 7b27718bdb1b70166383dec91391df5534d449ee upstream
yesterday I tried to reactivate my old 486 box and wanted to install a
current Linux with latest kernel on it. But it turned out that the
latest kernel does not boot because the machine crashes early in the
setup code.
After some debugging it turned out that the problem is the query_ist()
function. If this interrupt with that function is called the machine
simply locks up. It looks like a BIOS bug. Looking for a workaround for
this problem I wrote the attached patch. It checks for the CPUID
instruction and if it is not implemented it does not call the speedstep
BIOS function. As far as I know speedstep should be available since some
Pentium earliest.
Alan Cox observed that it's available since the Pentium II, so cpuid
levels 4 and 5 can be excluded altogether.
which, with a small modification to fix a build error with it the
resulting kernel boots on my machine.
Signed-off-by: Joerg Roedel <joro@8bytes.org>
Signed-off-by: "H. Peter Anvin" <hpa@zytor.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
arch/x86/boot/boot.h | 8 ++++++++
arch/x86/boot/cpucheck.c | 8 +-------
arch/x86/boot/main.c | 4 ++++
3 files changed, 13 insertions(+), 7 deletions(-)
--- a/arch/x86/boot/boot.h
+++ b/arch/x86/boot/boot.h
@@ -25,6 +25,8 @@
#include <asm/boot.h>
#include <asm/setup.h>
+#define NCAPINTS 8
+
/* Useful macros */
#define BUILD_BUG_ON(condition) ((void)sizeof(char[1 - 2*!!(condition)]))
@@ -242,6 +244,12 @@ int cmdline_find_option(const char *opti
int cmdline_find_option_bool(const char *option);
/* cpu.c, cpucheck.c */
+struct cpu_features {
+ int level; /* Family, or 64 for x86-64 */
+ int model;
+ u32 flags[NCAPINTS];
+};
+extern struct cpu_features cpu;
int check_cpu(int ...Greg KH wrote: 2.6.26-stable review patch. If anyone has any objections, please let us know. No objection here. Acked-by: H. Peter Anvin <hpa@zytor.com> --
2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Seokmann Ju <seokmann.ju@qlogic.com>
[ Upstream commit 5f3a9a207f1fccde476dd31b4c63ead2967d934f ]
Signed-off-by: Seokmann Ju <seokmann.ju@qlogic.com>
Signed-off-by: Andrew Vasquez <andrew.vasquez@qlogic.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/scsi/qla2xxx/qla_attr.c | 31 +++++++++++++++++++++++
drivers/scsi/qla2xxx/qla_def.h | 1
drivers/scsi/qla2xxx/qla_gbl.h | 2 +
drivers/scsi/qla2xxx/qla_init.c | 16 +++---------
drivers/scsi/qla2xxx/qla_os.c | 53 ++++++++++++++++++++++++++++++----------
5 files changed, 78 insertions(+), 25 deletions(-)
--- a/drivers/scsi/qla2xxx/qla_attr.c
+++ b/drivers/scsi/qla2xxx/qla_attr.c
@@ -994,6 +994,33 @@ qla2x00_set_rport_loss_tmo(struct fc_rpo
rport->dev_loss_tmo = ha->port_down_retry_count + 5;
}
+static void
+qla2x00_dev_loss_tmo_callbk(struct fc_rport *rport)
+{
+ struct Scsi_Host *host = rport_to_shost(rport);
+ fc_port_t *fcport = *(fc_port_t **)rport->dd_data;
+
+ qla2x00_abort_fcport_cmds(fcport);
+
+ /*
+ * Transport has effectively 'deleted' the rport, clear
+ * all local references.
+ */
+ spin_lock_irq(host->host_lock);
+ fcport->rport = NULL;
+ *((fc_port_t **)rport->dd_data) = NULL;
+ spin_unlock_irq(host->host_lock);
+}
+
+static void
+qla2x00_terminate_rport_io(struct fc_rport *rport)
+{
+ fc_port_t *fcport = *(fc_port_t **)rport->dd_data;
+
+ qla2x00_abort_fcport_cmds(fcport);
+ scsi_target_unblock(&rport->dev);
+}
+
static int
qla2x00_issue_lip(struct Scsi_Host *shost)
{
@@ -1253,6 +1280,8 @@ struct fc_function_template qla2xxx_tran
.show_rport_dev_loss_tmo = 1,
.issue_fc_host_lip = qla2x00_issue_lip,
+ .dev_loss_tmo_callbk = qla2x00_dev_loss_tmo_callbk,
+ .terminate_rport_io = qla2x00_terminate_rport_io,
.get_fc_host_stats = qla2x00_get_fc_host_stats,
...2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Andrew Vasquez <andrew.vasquez@qlogic.com>
[ Upstream commit 85821c906cf3563a00a3d98fa380a2581a7a5ff1 ]
As there's no point in adding a fixed-fudge value (originally 5
seconds), honor the user settings only. We also remove the
driver's dead-callback get_rport_dev_loss_tmo function
(qla2x00_get_rport_loss_tmo()).
Signed-off-by: Andrew Vasquez <andrew.vasquez@qlogic.com>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/scsi/qla2xxx/qla_attr.c | 20 ++------------------
drivers/scsi/qla2xxx/qla_os.c | 2 +-
2 files changed, 3 insertions(+), 19 deletions(-)
--- a/drivers/scsi/qla2xxx/qla_attr.c
+++ b/drivers/scsi/qla2xxx/qla_attr.c
@@ -972,26 +972,12 @@ qla2x00_get_starget_port_id(struct scsi_
}
static void
-qla2x00_get_rport_loss_tmo(struct fc_rport *rport)
-{
- struct Scsi_Host *host = rport_to_shost(rport);
- scsi_qla_host_t *ha = shost_priv(host);
-
- rport->dev_loss_tmo = ha->port_down_retry_count + 5;
-}
-
-static void
qla2x00_set_rport_loss_tmo(struct fc_rport *rport, uint32_t timeout)
{
- struct Scsi_Host *host = rport_to_shost(rport);
- scsi_qla_host_t *ha = shost_priv(host);
-
if (timeout)
- ha->port_down_retry_count = timeout;
+ rport->dev_loss_tmo = timeout;
else
- ha->port_down_retry_count = 1;
-
- rport->dev_loss_tmo = ha->port_down_retry_count + 5;
+ rport->dev_loss_tmo = 1;
}
static void
@@ -1275,7 +1261,6 @@ struct fc_function_template qla2xxx_tran
.get_starget_port_id = qla2x00_get_starget_port_id,
.show_starget_port_id = 1,
- .get_rport_dev_loss_tmo = qla2x00_get_rport_loss_tmo,
.set_rport_dev_loss_tmo = qla2x00_set_rport_loss_tmo,
.show_rport_dev_loss_tmo = 1,
@@ -1320,7 +1305,6 @@ struct fc_function_template qla2xxx_tran
.get_starget_port_id = qla2x00_get_starget_port_id,
.show_starget_port_id = ...2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit f756cbd458ab71c996a069cb3928fb1e2d7cd9cc upstream.
This patch (as1110) reverts an earlier patch meant to help with
Wireless USB host controllers. These controllers can have bulk
maxpacket values larger than 512, which puts unusual constraints on
the sizes of scatter-gather list elements. However it turns out that
the block layer does not provide the support we need to enforce these
constraints; merely changing the DMA alignment mask doesn't help.
Hence there's no reason to keep the original patch. The Wireless USB
problem will have to be solved a different way.
In addition, there is a reason to get rid of the earlier patch. By
dereferencing a pointer stored in the ep_in array of struct
usb_device, the current code risks an invalid memory access when it
runs concurrently with device removal. The members of that array are
cleared before the driver's disconnect method is called, so it should
not try to use them.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/usb/storage/scsiglue.c | 25 +++++++++++++++----------
1 file changed, 15 insertions(+), 10 deletions(-)
--- a/drivers/usb/storage/scsiglue.c
+++ b/drivers/usb/storage/scsiglue.c
@@ -73,7 +73,6 @@ static const char* host_info(struct Scsi
static int slave_alloc (struct scsi_device *sdev)
{
struct us_data *us = host_to_us(sdev->host);
- struct usb_host_endpoint *bulk_in_ep;
/*
* Set the INQUIRY transfer length to 36. We don't use any of
@@ -82,16 +81,22 @@ static int slave_alloc (struct scsi_devi
*/
sdev->inquiry_len = 36;
- /* Scatter-gather buffers (all but the last) must have a length
- * divisible by the bulk maxpacket size. Otherwise a data packet
- * would end up being short, causing a premature end to the data
- * transfer. We'll use the maxpacket value ...2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Alan Stern <stern@rowland.harvard.edu>
commit 59f4ff2ecff4cef36378928cec891785b402e80c upstream
This patch (as1119b) will help to reduce the clutter of usb-storage's
unusual_devs file by automatically detecting some devices that need
the IGNORE_RESIDUE flag. The idea is that devices should never return
a non-zero residue for an INQUIRY or a READ CAPACITY command unless
they failed to transfer all the requested data. So if one of these
commands transfers a standard amount of data but there is a positive
residue, we know that the residue is bogus and we can set the flag.
This fixes the problems reported in Bugzilla #11125.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Tested-by: Matthew Frost <artusemrys@sbcglobal.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/usb/storage/transport.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
--- a/drivers/usb/storage/transport.c
+++ b/drivers/usb/storage/transport.c
@@ -1034,8 +1034,21 @@ int usb_stor_Bulk_transport(struct scsi_
/* try to compute the actual residue, based on how much data
* was really transferred and what the device tells us */
- if (residue) {
- if (!(us->flags & US_FL_IGNORE_RESIDUE)) {
+ if (residue && !(us->flags & US_FL_IGNORE_RESIDUE)) {
+
+ /* Heuristically detect devices that generate bogus residues
+ * by seeing what happens with INQUIRY and READ CAPACITY
+ * commands.
+ */
+ if (bcs->Status == US_BULK_STAT_OK &&
+ scsi_get_resid(srb) == 0 &&
+ ((srb->cmnd[0] == INQUIRY &&
+ transfer_length == 36) ||
+ (srb->cmnd[0] == READ_CAPACITY &&
+ transfer_length == 8))) {
+ us->flags |= US_FL_IGNORE_RESIDUE;
+
+ } else {
residue = min(residue, transfer_length);
scsi_set_resid(srb, max(scsi_get_resid(srb),
(int) residue));
--
--
2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Jeff Layton <jlayton@redhat.com>
commit 66b8bd3c405389213de1d6ba6c2565990f62004f upstream
[CIFS] properly account for new user= field in SPNEGO upcall string allocation
...it doesn't look like it's being accounted for at the moment. Also
try to reorganize the calculation to make it a little more evident
what each piece means.
This should probably go to the stable series as well...
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
fs/cifs/cifs_spnego.c | 18 +++++++++++-------
1 file changed, 11 insertions(+), 7 deletions(-)
--- a/fs/cifs/cifs_spnego.c
+++ b/fs/cifs/cifs_spnego.c
@@ -66,8 +66,8 @@ struct key_type cifs_spnego_key_type = {
.describe = user_describe,
};
-#define MAX_VER_STR_LEN 9 /* length of longest version string e.g.
- strlen(";ver=0xFF") */
+#define MAX_VER_STR_LEN 8 /* length of longest version string e.g.
+ strlen("ver=0xFF") */
#define MAX_MECH_STR_LEN 13 /* length of longest security mechanism name, eg
in future could have strlen(";sec=ntlmsspi") */
#define MAX_IPV6_ADDR_LEN 42 /* eg FEDC:BA98:7654:3210:FEDC:BA98:7654:3210/60 */
@@ -81,11 +81,15 @@ cifs_get_spnego_key(struct cifsSesInfo *
struct key *spnego_key;
const char *hostname = server->hostname;
- /* BB: come up with better scheme for determining length */
- /* length of fields (with semicolons): ver=0xyz ipv4= ipaddress host=
- hostname sec=mechanism uid=0x uid */
- desc_len = MAX_VER_STR_LEN + 5 + MAX_IPV6_ADDR_LEN + 1 + 6 +
- strlen(hostname) + MAX_MECH_STR_LEN + 8 + (sizeof(uid_t) * 2);
+ /* length of fields (with semicolons): ver=0xyz ip4=ipaddress
+ host=hostname sec=mechanism uid=0xFF user=username */
+ desc_len = MAX_VER_STR_LEN +
+ 6 /* len of "host=" */ + strlen(hostname) +
+ 5 /* len of ";ipv4=" */ + ...2.6.26-stable review patch. If anyone has any objections, please let us know.
------------------
From: Dean Hildebrand <seattleplus@gmail.com>
commit 35405f256de924be56ea5edaca4cdc627f1bb0f8 upstream
BCM5706S wont work correctly unless VPD length truncated to 128
Signed-off-by: Dean Hildebrand <dhildeb@us.ibm.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
drivers/pci/quirks.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/pci/quirks.c
+++ b/drivers/pci/quirks.c
@@ -1683,9 +1683,14 @@ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_VI
*/
static void __devinit quirk_brcm_570x_limit_vpd(struct pci_dev *dev)
{
- /* Only disable the VPD capability for 5706, 5708, and 5709 rev. A */
+ /*
+ * Only disable the VPD capability for 5706, 5706S, 5708,
+ * 5708S and 5709 rev. A
+ */
if ((dev->device == PCI_DEVICE_ID_NX2_5706) ||
+ (dev->device == PCI_DEVICE_ID_NX2_5706S) ||
(dev->device == PCI_DEVICE_ID_NX2_5708) ||
+ (dev->device == PCI_DEVICE_ID_NX2_5708S) ||
((dev->device == PCI_DEVICE_ID_NX2_5709) &&
(dev->revision & 0xf0) == 0x0)) {
if (dev->vpd)
--
--
2.6.26-stable review patch. If anyone has any objections, please let us know. ------------------ From: Suresh Siddha <suresh.b.siddha@intel.com> crypto: padlock - fix VIA PadLock instruction usage with irq_ts_save/restore() [ Upstream commit: e49140120c88eb99db1a9172d9ac224c0f2bbdd2 ] Wolfgang Walter reported this oops on his via C3 using padlock for AES-encryption: ################################################################## BUG: unable to handle kernel NULL pointer dereference at 000001f0 IP: [<c01028c5>] __switch_to+0x30/0x117 *pde = 00000000 Oops: 0002 [#1] PREEMPT Modules linked in: Pid: 2071, comm: sleep Not tainted (2.6.26 #11) EIP: 0060:[<c01028c5>] EFLAGS: 00010002 CPU: 0 EIP is at __switch_to+0x30/0x117 EAX: 00000000 EBX: c0493300 ECX: dc48dd00 EDX: c0493300 ESI: dc48dd00 EDI: c0493530 EBP: c04cff8c ESP: c04cff7c DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068 Process sleep (pid: 2071, ti=c04ce000 task=dc48dd00 task.ti=d2fe6000) Stack: dc48df30 c0493300 00000000 00000000 d2fe7f44 c03b5b43 c04cffc8 00000046 c0131856 0000005a dc472d3c c0493300 c0493470 d983ae00 00002696 00000000 c0239f54 00000000 c04c4000 c04cffd8 c01025fe c04f3740 00049800 c04cffe0 Call Trace: [<c03b5b43>] ? schedule+0x285/0x2ff [<c0131856>] ? pm_qos_requirement+0x3c/0x53 [<c0239f54>] ? acpi_processor_idle+0x0/0x434 [<c01025fe>] ? cpu_idle+0x73/0x7f [<c03a4dcd>] ? rest_init+0x61/0x63 ======================= Wolfgang also found out that adding kernel_fpu_begin() and kernel_fpu_end() around the padlock instructions fix the oops. Suresh wrote: These padlock instructions though don't use/touch SSE registers, but it behaves similar to other SSE instructions. For example, it might cause DNA faults when cr0.ts is set. While this is a spurious DNA trap, it might cause oops with the recent fpu code changes. This is the code sequence that is probably causing this problem: a) new app is getting exec'd and it is somewhere in between start_thread() and flush_old_exec() in ...
