aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2008-11-06x86: fix /dev/mem mmap breakage when PAT is disabledRavikiran G Thirumalai
commit 9e41bff2708e420e61e6b89a54c15232857069b1 upstream Impact: allow /dev/mem mmaps on non-PAT CPUs/platforms Fix mmap to /dev/mem when CONFIG_X86_PAT is off and CONFIG_STRICT_DEVMEM is off mmap to /dev/mem on kernel memory has been failing since the introduction of PAT (CONFIG_STRICT_DEVMEM=n case). Seems like the check to avoid cache aliasing with PAT is kicking in even when PAT is disabled. The bug seems to have crept in 2.6.26. This patch makes sure that the mmap to regular kernel memory succeeds if CONFIG_STRICT_DEVMEM=n and PAT is disabled, and the checks to avoid cache aliasing still happens if PAT is enabled. Signed-off-by: Ravikiran Thirumalai <kiran@scalex86.org> Tested-by: Tim Sirianni <tim@scalemp.com> Acked-by: H. Peter Anvin <hpa@zytor.com> Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-11-06kbuild: mkspec - fix build rpmEvgeniy Manachkin
commit 46dca86cb93db80992a45e4b55737ff2b2f61cd0 upstream Date: Wed, 15 Oct 2008 23:37:26 +0600 Subject: kbuild: mkspec - fix build rpm This is patch to fix incorrect mkspec script to make rpm correctly at 2.6.27 vanilla kernel. This is regression in 2.6.27. 2.6.26 make rpm work good. In 2.6.27 'make rpm' say error from rpmbuild "Many unpacked files (*.fw)." Signed-off-by: Evgeniy Manachkin <sfstudio@mail.ru> Acked-by: Alan Cox <alan@redhat.com> Signed-off-by: Sam Ravnborg <sam@ravnborg.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-11-06ALSA: hda - Add reboot notifierTakashi Iwai
commit 0cbf00980f0fc4cc064a15ab3dfce19b5fae9130 upstream The current snd-hda-intel driver seems blocking the power-off on some devices like eeepc. Although this is likely a BIOS problem, we can add a workaround by disabling IRQ lines before power-off operation. This patch adds the reboot notifier to achieve it. The detailed problem description is found in bug#11889: http://bugme.linux-foundation.org/show_bug.cgi?id=11889 Tested-by: Luiz Fernando N. Capitulino <lcapitulino@mandriva.com.br> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-11-06USB: fix crash when URBs are unlinked after the device is goneAlan Stern
commit cde217a556ec552d28ac9e136c5a94684a69ae94 upstream This patch (as1151) protects usbcore against drivers that try to unlink an URB after the URB's device or bus have been removed. The core does not currently check for this, and certain drivers can cause a crash if they are running while an HCD is unloaded. Certainly it would be best to fix the guilty drivers. But a little defensive programming doesn't hurt, especially since it appears that quite a few drivers need to be fixed. The patch prevents the problem by grabbing a reference to the device while an unlink is in progress and using a new spinlock to synchronize unlinks with device removal. (There's no need to acquire a reference to the bus as well, since the device structure itself keeps a reference to the bus.) In addition, the kerneldoc is updated to indicate that URBs should not be unlinked after the disconnect method returns. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-11-06ipmi: add MODULE_ALIAS to load ipmi_devintf with ipmi_siScott James Remnant
commit 6c89161b10f5771ee0b51ada0fce0e8835e72ade upstream The ipmi_devintf module contains the userspace interface for IPMI devices, yet will not be loaded automatically with a system interface handler driver. Add a MODULE_ALIAS for the "platform:ipmi_si" MODALIAS exported by the ipmi_si driver, so that userspace knows of the recommendation. Signed-off-by: Scott James Remnant <scott@ubuntu.com> Cc: Tim Gardner <tcanonical@tpi.com> Cc: Corey Minyard <minyard@acm.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-11-06sysfs: Fix return values for sysdev_store_{ulong, int}Andi Kleen
commit 4e318d7c6c9dd5cdae48bcf61558bbc0c09b12ac upstream SYSFS: Fix return values for sysdev_store_{ulong,int} Always return the full size instead of the consumed length of the string in sysdev_store_{ulong,int} This avoids EINVAL errors in some echo versions. Signed-off-by: Andi Kleen <ak@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-11-06S390: Fix sysdev class file creation.Heiko Carstens
commit da5aae7036692fa8d03da1b705c76fd750ed9e38 upstream Use sysdev_class_create_file() to create create sysdev class attributes instead of sysfs_create_file(). Using sysfs_create_file() wasn't a very good idea since the show and store functions have a different amount of parameters for sysfs files and sysdev class files. In particular the pointer to the buffer is the last argument and therefore accesses to random memory regions happened. Still worked surprisingly well until we got a kernel panic. Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-11-06SCSI: sd: Fix handling of NO_SENSE check conditionJamie Wellnitz
commit 10dab22664914505dcb804d9ad09cad6bc94d349 upstream The current handling of NO_SENSE check condition is the same as RECOVERED_ERROR, and assumes that in both cases, the I/O was fully transferred. We have seen cases of arrays returning with NO_SENSE (no error), but the I/O was not completely transferred, thus residual set. Thus, rather than return good_bytes as the entire transfer, set good_bytes to 0, so that the midlayer then applies the residual in calculating the transfer, and for sd, will fail the I/O and fall into a retry path. Signed-off-by: Jamie Wellnitz <Jamie.Wellnitz@emulex.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-11-06agp: Fix stolen memory counting on G4X.Eric Anholt
commit 82e14a6215cbc9804ecc35281e973c6c8ce22fe7 upstream On the GM45, the amount of stolen memory mapped to the GTT was underestimated, even though we had 508KB more available since the GTT doesn't take from stolen memory. On the non-GM45 G4X, we overestimated how much stolen was mapped to the GTT by 4KB, resulting in GPU page faults when that page was accessed. This update requires a corresponding update to xf86-video-intel to work correctly. Signed-off-by: Eric Anholt <eric@anholt.net> Signed-off-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-25Linux 2.6.27.4v2.6.27.4Greg Kroah-Hartman
2008-10-25V4L/DVB (9300): pvrusb2: Fix deadlock problemMike Isely
commit c82732a42896364296599b0f73f01c5e3fd781ae upstream Fix deadlock problem in 2.6.27 caused by new USB core behavior in response to a USB device reset request. With older kernels, the USB device reset was "in line"; the reset simply took place and the driver retained its association with the hardware. However now this reset triggers a disconnect, and worse still the disconnect callback happens in the context of the caller who asked for the device reset. This results in an attempt by the pvrusb2 driver to recursively take a mutex it already has, which deadlocks the driver's worker thread. (Even if the disconnect callback were to happen on a different thread we'd still have problems however - because while the driver should survive and correctly disconnect / reconnect, it will then trigger another device reset during the repeated initialization, which will then cause another disconect, etc, forever.) The fix here is simply to not attempt the device reset (it was of marginal value anyway). Signed-off-by: Mike Isely <isely@pobox.com> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> Signed-off-by: Mike Krufky <mkrufky@linuxtv.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-25PCI hotplug: cpqphp: fix kernel NULL pointer dereferenceKenji Kaneshige
commit d2174c3c07adad88dd9ba37a731e0b00b746822a upstream The following patch fixes the regression in 2.6.27 that causes kernel NULL pointer dereference at cpqphp driver probe time. This patch should be backported to the .27 stable series. Seems to have been introduced by f46753c5e354b857b20ab8e0fe7b2579831dc369. The root cause of this problem seems that cpqphp driver calls pci_hp_register() wrongly. In current implementation, cpqphp driver passes 'ctrl->pci_dev->subordinate' as a second parameter for pci_hp_register(). But because hotplug slots and it's hotplug controller (exists as a pci funcion) are on the same bus, it should be 'ctrl->pci_dev->bus' instead. Tested-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Kenji Kaneshige <kaneshige.kenji@jp.fujitsu.com> Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-25SCSI: scsi_dh: add Dell product information into rdac device handlerYanqing_Liu@Dell.com
commit 650849d71ca05d55a1553fe42fb21af9dce5612b upstream. Add Dell Powervault storage arrays into device list of rdac device handler. Signed-off-by: Yanqing Liu <yanqing_liu@dell.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Cc: shyam iyer <shyam_iyer@dell.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-25proc: fix vma display mismatch between /proc/pid/{maps,smaps}Joe Korty
[ backport of 7c88db0cb589df980acfb2f73c3595a0653004ec to 2.7.27.3 by Joe Korty <joe.korty@ccur.com ] proc: fix vma display mismatch between /proc/pid/{maps,smaps} Commit 4752c369789250eafcd7813e11c8fb689235b0d2 aka "maps4: simplify interdependence of maps and smaps" broke /proc/pid/smaps, causing it to display some vmas twice and other vmas not at all. For example: grep .- /proc/1/smaps >/tmp/smaps; diff /proc/1/maps /tmp/smaps 1 25d24 2 < 7fd7e23aa000-7fd7e23ac000 rw-p 7fd7e23aa000 00:00 0 3 28a28 4 > ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] The bug has something to do with setting m->version before all the seq_printf's have been performed. show_map was doing this correctly, but show_smap was doing this in the middle of its seq_printf sequence. This patch arranges things so that the setting of m->version in show_smap is also done at the end of its seq_printf sequence. Testing: in addition to the above grep test, for each process I summed up the 'Rss' fields of /proc/pid/smaps and compared that to the 'VmRSS' field of /proc/pid/status. All matched except for Xorg (which has a /dev/mem mapping which Rss accounts for but VmRSS does not). This result gives us some confidence that neither /proc/pid/maps nor /proc/pid/smaps are any longer skipping or double-counting vmas. Signed-off-by: Joe Korty <joe.korty@ccur.com> Cc: Matt Mackall <mpm@selenic.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
2008-10-25ACPI suspend: Always use the 32-bit waking vectorRafael J. Wysocki
commit a6629105dd03d370fcb31e97bddf223fa4bb651e upstream. According to the ACPI specification 2.0c and later, the 64-bit waking vector should be cleared and the 32-bit waking vector should be used, unless we want the wake-up code to be called by the BIOS in Protected Mode. Moreover, some systems (for example HP dv5-1004nr) are known to fail to resume if the 64-bit waking vector is used. Therefore, modify the code to clear the 64-bit waking vector, for FACS version 1 or greater, and set the 32-bit one before suspend. http://bugzilla.kernel.org/show_bug.cgi?id=11368 Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl> Signed-off-by: Len Brown <len.brown@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-25ACPI suspend: Blacklist HP xw4600 Workstation for old code orderingRafael J. Wysocki
commit 4fb507b6b764195bb7821cf2baa988f6eb677d30 upstream HP xw4600 Workstation is known to require the "old" (ie. compatible with ACPI 1.0) suspend code ordering, so blacklist it for this purpose. Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl> Tested-by: John Brown <john.brown3@hp.com> Signed-off-by: Len Brown <len.brown@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-25ACPI Suspend: Enable ACPI during resume if SCI_EN is not setRafael J. Wysocki
commit d0c71fe7ebc180f1b7bc7da1d39a07fc19eec768 upstream. On some machines, like for example MSI Wind U100, the BIOS doesn't enable ACPI before returning control to the OS, which sometimes causes resume to fail. This is against the ACPI specification, which clearly states that "When the platform is waking from an S1, S2 or S3 state, OSPM assumes the hardware is already in the ACPI mode and will not issue an ACPI_ENABLE", but it won't hurt to check the SCI_EN bit and enable ACPI during resume from S3 if this bit is not set. Fortunately, we already have acpi_enable() for that, so use it in the resume code path, before executing _BFS, in analogy with the resume-from-hibernation code path. NOTE: We aren't supposed to set SCI_EN directly, because it's owned by the hardware. Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl> Acked-by: Pavel Machek <pavel@suse.cz> Signed-off-by: Len Brown <len.brown@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-25hvc_console: Fix free_irq in spinlocked sectionChristian Borntraeger
commit eef2622a9fcfa964073333ea72c7c9cd20ad45e6 upstream hvc_console: Fix free_irq in spinlocked section commit 611e097d7707741a336a0677d9d69bec40f29f3d Author: Christian Borntraeger <borntraeger@de.ibm.com> hvc_console: rework setup to replace irq functions with callbacks introduced a spinlock recursion problem. The notifier_del is called with a lock held, and in turns calls free_irq which then complains when manipulating procfs. This fixes it by moving the call to the notifier to outside of the locked section. Signed-off-by: Christian Borntraeger<borntraeger@de.ibm.com> Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-25anon_vma_prepare: properly lock even newly allocated entriesLinus Torvalds
commit d9d332e0874f46b91d8ac4604b68ee42b8a7a2c6 upstream The anon_vma code is very subtle, and we end up doing optimistic lookups of anon_vmas under RCU in page_lock_anon_vma() with no locking. Other CPU's can also see the newly allocated entry immediately after we've exposed it by setting "vma->anon_vma" to the new value. We protect against the anon_vma being destroyed by having the SLAB marked as SLAB_DESTROY_BY_RCU, so the RCU lookup can depend on the allocation not being destroyed - but it might still be free'd and re-allocated here to a new vma. As a result, we should not do the anon_vma list ops on a newly allocated vma without proper locking. Acked-by: Nick Piggin <npiggin@suse.de> Acked-by: Hugh Dickins <hugh@veritas.com> Acked-by: Peter Zijlstra <a.p.zijlstra@chello.nl> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-25netfilter: restore lost ifdef guarding defrag exceptionPatrick McHardy
netfilter: restore lost #ifdef guarding defrag exception Upstream commit 38f7ac3eb: Nir Tzachar <nir.tzachar@gmail.com> reported a warning when sending fragments over loopback with NAT: [ 6658.338121] WARNING: at net/ipv4/netfilter/nf_nat_standalone.c:89 nf_nat_fn+0x33/0x155() The reason is that defragmentation is skipped for already tracked connections. This is wrong in combination with NAT and ip_conntrack actually had some ifdefs to avoid this behaviour when NAT is compiled in. The entire "optimization" may seem a bit silly, for now simply restoring the lost #ifdef is the easiest solution until we can come up with something better. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-25netfilter: snmp nat leaks memory in case of failureIlpo Järvinen
netfilter: snmp nat leaks memory in case of failure Upstream commit 311670f3e: Signed-off-by: Ilpo Jarvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: Patrick McHardy <kaber@trash.net>
2008-10-25netfilter: xt_iprange: fix range inversion matchAlexey Dobriyan
netfilter: xt_iprange: fix range inversion match Upstream commit 6def1eb48: Inverted IPv4 v1 and IPv6 v0 matches don't match anything since 2.6.25-rc1! Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Acked-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-25ext[234]: Avoid printk floods in the face of directory corruption ↵Eric Sandeen
(CVE-2008-3528) This is a trivial backport of the following upstream commits: - bd39597cbd42a784105a04010100e27267481c67 (ext2) - cdbf6dba28e8e6268c8420857696309470009fd9 (ext3) - 9d9f177572d9e4eba0f2e18523b44f90dd51fe74 (ext4) This addresses CVE-2008-3528 ext[234]: Avoid printk floods in the face of directory corruption Note: some people thinks this represents a security bug, since it might make the system go away while it is printing a large number of console messages, especially if a serial console is involved. Hence, it has been assigned CVE-2008-3528, but it requires that the attacker either has physical access to your machine to insert a USB disk with a corrupted filesystem image (at which point why not just hit the power button), or is otherwise able to convince the system administrator to mount an arbitrary filesystem image (at which point why not just include a setuid shell or world-writable hard disk device file or some such). Me, I think they're just being silly. --tytso Signed-off-by: Eric Sandeen <sandeen@redhat.com> Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> Cc: linux-ext4@vger.kernel.org Cc: Eugene Teo <eugeneteo@kernel.sg> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-25CIFS: fix saving of resume key before CIFSFindNextJeff Layton
commit a364bc0b37f14ffd66c1f982af42990a9d77fa43 upstream We recently fixed the cifs readdir code so that it saves the resume key before calling CIFSFindNext. Unfortunately, this assumes that we have just done a CIFSFindFirst (or FindNext) and have resume info to save. This isn't necessarily the case. Fix the code to save resume info if we had to reinitiate the search, and after a FindNext. This fixes connectathon basic test6 against NetApp filers. Signed-off-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Steve French <sfrench@us.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-25amd_iommu: fix nasty bug that caused ILLEGAL_DEVICE_TABLE_ENTRY errorsAndreas Herrmann
commit f609891f428e1c20e270e7c350daf8c93cc459d7 upstream We are on 64-bit so better use u64 instead of u32 to deal with addresses: static void __init iommu_set_device_table(struct amd_iommu *iommu) { u64 entry; ... entry = virt_to_phys(amd_iommu_dev_table); ... (I am wondering why gcc 4.2.x did not warn about the assignment between u32 and unsigned long.) Cc: iommu@lists.linux-foundation.org Signed-off-by: Andreas Herrmann <andreas.herrmann3@amd.com> Signed-off-by: Joerg Roedel <joerg.roedel@amd.com> Signed-off-by: David Woodhouse <David.Woodhouse@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-25dm snapshot: fix primary_pe raceMikulas Patocka
commit 7c5f78b9d7f21937e46c26db82976df4b459c95c upstream Fix a race condition with primary_pe ref_count handling. put_pending_exception runs under dm_snapshot->lock, it does atomic_dec_and_test on primary_pe->ref_count, and later does atomic_read primary_pe->ref_count. __origin_write does atomic_dec_and_test on primary_pe->ref_count without holding dm_snapshot->lock. This opens the following race condition: Assume two CPUs, CPU1 is executing put_pending_exception (and holding dm_snapshot->lock). CPU2 is executing __origin_write in parallel. primary_pe->ref_count == 2. CPU1: if (primary_pe && atomic_dec_and_test(&primary_pe->ref_count)) origin_bios = bio_list_get(&primary_pe->origin_bios); .. decrements primary_pe->ref_count to 1. Doesn't load origin_bios CPU2: if (first && atomic_dec_and_test(&primary_pe->ref_count)) { flush_bios(bio_list_get(&primary_pe->origin_bios)); free_pending_exception(primary_pe); /* If we got here, pe_queue is necessarily empty. */ return r; } .. decrements primary_pe->ref_count to 0, submits pending bios, frees primary_pe. CPU1: if (!primary_pe || primary_pe != pe) free_pending_exception(pe); .. this has no effect. if (primary_pe && !atomic_read(&primary_pe->ref_count)) free_pending_exception(primary_pe); .. sees ref_count == 0 (written by CPU 2), does double free !! This bug can happen only if someone is simultaneously writing to both the origin and the snapshot. If someone is writing only to the origin, __origin_write will submit kcopyd request after it decrements primary_pe->ref_count (so it can't happen that the finished copy races with primary_pe->ref_count decrementation). If someone is writing only to the snapshot, __origin_write isn't invoked at all and the race can't happen. The race happens when someone writes to the snapshot --- this creates pending_exception with primary_pe == NULL and starts copying. Then, someone writes to the same chunk in the snapshot, and __origin_write races with termination of already submitted request in pending_complete (that calls put_pending_exception). This race may be reason for bugs: http://bugzilla.kernel.org/show_bug.cgi?id=11636 https://bugzilla.redhat.com/show_bug.cgi?id=465825 The patch fixes the code to make sure that: 1. If atomic_dec_and_test(&primary_pe->ref_count) returns false, the process must no longer dereference primary_pe (because someone else may free it under us). 2. If atomic_dec_and_test(&primary_pe->ref_count) returns true, the process is responsible for freeing primary_pe. Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Signed-off-by: Alasdair G Kergon <agk@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-25dm kcopyd: avoid queue shuffleKazuo Ito
commit b673c3a8192e28f13e2050a4b82c1986be92cc15 upstream Write throughput to LVM snapshot origin volume is an order of magnitude slower than those to LV without snapshots or snapshot target volumes, especially in the case of sequential writes with O_SYNC on. The following patch originally written by Kevin Jamieson and Jan Blunck and slightly modified for the current RCs by myself tries to improve the performance by modifying the behaviour of kcopyd, so that it pushes back an I/O job to the head of the job queue instead of the tail as process_jobs() currently does when it has to wait for free pages. This way, write requests aren't shuffled to cause extra seeks. I tested the patch against 2.6.27-rc5 and got the following results. The test is a dd command writing to snapshot origin followed by fsync to the file just created/updated. A couple of filesystem benchmarks gave me similar results in case of sequential writes, while random writes didn't suffer much. dd if=/dev/zero of=<somewhere on snapshot origin> bs=4096 count=... [conv=notrunc when updating] 1) linux 2.6.27-rc5 without the patch, write to snapshot origin, average throughput (MB/s) 10M 100M 1000M create,dd 511.46 610.72 11.81 create,dd+fsync 7.10 6.77 8.13 update,dd 431.63 917.41 12.75 update,dd+fsync 7.79 7.43 8.12 compared with write throughput to LV without any snapshots, all dd+fsync and 1000 MiB writes perform very poorly. 10M 100M 1000M create,dd 555.03 608.98 123.29 create,dd+fsync 114.27 72.78 76.65 update,dd 152.34 1267.27 124.04 update,dd+fsync 130.56 77.81 77.84 2) linux 2.6.27-rc5 with the patch, write to snapshot origin, average throughput (MB/s) 10M 100M 1000M create,dd 537.06 589.44 46.21 create,dd+fsync 31.63 29.19 29.23 update,dd 487.59 897.65 37.76 update,dd+fsync 34.12 30.07 26.85 Although still not on par with plain LV performance - cannot be avoided because it's copy on write anyway - this simple patch successfully improves throughtput of dd+fsync while not affecting the rest. Signed-off-by: Jan Blunck <jblunck@suse.de> Signed-off-by: Kazuo Ito <ito.kazuo@oss.ntt.co.jp> Signed-off-by: Alasdair G Kergon <agk@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-25USB: Speedtouch: add pre_reset and post_reset routinesAlan Stern
commit 8fc7aeab3851ed8c3ecf28901ca2c6f0400955c7 upstream This patch (as1150) fixes a problem in the speedtch driver. When it resets the modem during probe it will be unbound from the other interfaces it has claimed, because it doesn't define a pre_reset and a post_reset method. The patch defines "do-nothing" methods. This fixes Bugzilla #11767. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-25USB: fix memory leak in cdc-acmOliver Neukum
commit a496c64f1363ec4d67ebdc1e1f619ad6372a574c upstream This fixes a memory leak on disconnect in cdc-acm Thanks to 施金前 for finding it. Signed-off-by: Oliver Neukum <oneukum@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-25USB: don't rebind drivers after failed resume or resetAlan Stern
commit 6c6409459a18a825ce12ecb003d5686af61f7a2f upstream This patch (as1152) may help prevent some problems associated with the new policy of unbinding drivers that don't support suspend/resume or pre_reset/post_reset. If for any reason the resume or reset fails, and the device is logically disconnected, there's no point in trying to rebind the driver. So the patch checks for success before carrying out the unbind/rebind. There was a report from one user that this fixed a problem he was experiencing, but the details never became fully clear. In any case, adding these tests can't hurt. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-25USB: cdc-wdm: make module autoload workOliver Neukum
commit aa5380b904e7f896db0931320160bdea93e41f6a upstream this fixes an omission that led to no alias being computed for the cdc-wdm module. Signed-off-by: Oliver Neukum <oneukum@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-25sched: fix the wrong mask_lenMiao Xie
commit c851c8676bd7ae456e9b3af8e6bb2c434eddcc75 upstream If NR_CPUS isn't a multiple of 32, we get a truncated string of sched domains by catting /proc/schedstat. This is caused by the wrong mask_len. This patch fixes it. Signed-off-by: Miao Xie <miaox@cn.fujitsu.com> Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-25x86 ACPI: fix breakage of resume on 64-bit UP systems with SMP kernelRafael J. Wysocki
commit 3038edabf48f01421c621cb77a712b446d3a5d67 upstream x86 ACPI: Fix breakage of resume on 64-bit UP systems with SMP kernel We are now using per CPU GDT tables in head_64.S and the original early_gdt_descr.address is invalidated after boot by setup_per_cpu_areas(). This breaks resume from suspend to RAM on x86_64 UP systems using SMP kernels, because this part of head_64.S is also executed during the resume and the invalid GDT address causes the system to crash. It doesn't break on 'true' SMP systems, because early_gdt_descr.address is modified every time native_cpu_up() runs. However, during resume it should point to the GDT of the boot CPU rather than to another CPU's GDT. For this reason, during suspend to RAM always make early_gdt_descr.address point to the boot CPU's GDT. This fixes http://bugzilla.kernel.org/show_bug.cgi?id=11568, which is a regression from 2.6.26. Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl> Acked-by: Pavel Machek <pavel@suse.cz> Signed-off-by: Ingo Molnar <mingo@elte.hu> Reported-and-tested-by: Andy Wettstein <ajw1980@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-25edac cell: fix incorrect edac_modeBenjamin Herrenschmidt
commit 3b274f44d2ca05f719fe39947b6a5293a2dbd8fd upstream The cell_edac driver is setting the edac_mode field of the csrow's to an incorrect value, causing the sysfs show routine for that field to go out of an array bound and Oopsing the kernel when used. Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: Doug Thompson <dougthompson@xmission.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-25gpiolib: fix oops in gpio_get_value_cansleep()David Brownell
commit 978ccaa8ea5d8c7bf6b676209f2fc126eae6355b upstream We can get the following oops from gpio_get_value_cansleep() when a GPIO controller doesn't provide a get() callback: Unable to handle kernel paging request for instruction fetch Faulting instruction address: 0x00000000 Oops: Kernel access of bad area, sig: 11 [#1] [...] NIP [00000000] 0x0 LR [c0182fb0] gpio_get_value_cansleep+0x40/0x50 Call Trace: [c7b79e80] [c0183f28] gpio_value_show+0x5c/0x94 [c7b79ea0] [c01a584c] dev_attr_show+0x30/0x7c [c7b79eb0] [c00d6b48] fill_read_buffer+0x68/0xe0 [c7b79ed0] [c00d6c54] sysfs_read_file+0x94/0xbc [c7b79ef0] [c008f24c] vfs_read+0xb4/0x16c [c7b79f10] [c008f580] sys_read+0x4c/0x90 [c7b79f40] [c0013a14] ret_from_syscall+0x0/0x38 It's OK to request the value of *any* GPIO; most GPIOs are bidirectional, so configuring them as outputs just enables an output driver and doesn't disable the input logic. So the problem is that gpio_get_value_cansleep() isn't making the same sanity check that gpio_get_value() does: making sure this GPIO isn't one of the atypical "no input logic" cases. Reported-by: Anton Vorontsov <avorontsov@ru.mvista.com> Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-22Linux 2.6.27.3v2.6.27.3Greg Kroah-Hartman
2008-10-22security: avoid calling a NULL function pointer in drivers/video/tvaudio.cArjan van de Ven
commit 5ba2f67afb02c5302b2898949ed6fc3b3d37dcf1 upstream NULL function pointers are very bad security wise. This one got caught by kerneloops.org quite a few times, so it's happening in the field.... Fix is simple, check the function pointer for NULL, like 6 other places in the same function are already doing. Signed-off-by: Arjan van de Ven <arjan@linux.intel.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-22DVB: sms1xxx: support two new revisions of the Hauppauge WinTV MiniStickMichael Krufky
(cherry picked from commit 3dfbe31f09fb1da5f17437fd384cdfb6114765d9) DVB: sms1xxx: support two new revisions of the Hauppauge WinTV MiniStick Autodetect 2040:5520 and 2040:5530 as Hauppauge WinTV MiniStick Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-22DVB: au0828: add support for another USB id for Hauppauge HVR950QMichael Krufky
(cherry picked from commit a636da6bab3307fc8c6e6a22a63b0b25ba0687be) DVB: au0828: add support for another USB id for Hauppauge HVR950Q Add autodetection support for a new revision of the Hauppauge HVR950Q (2040:721e) Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-22drm/i915: fix ioremap of a user address for non-root (CVE-2008-3831)Matthias Hopf
commit 4b40893918203ee1a1f6a114316c2a19c072e9bd upstream Olaf Kirch noticed that the i915_set_status_page() function of the i915 kernel driver calls ioremap with an address offset that is supplied by userspace via ioctl. The function zeroes the mapped memory via memset and tells the hardware about the address. Turns out that access to that ioctl is not restricted to root so users could probably exploit that to do nasty things. We haven't tried to write actual exploit code though. It only affects the Intel G33 series and newer. Signed-off-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-22usb: musb_hdrc build fixesDavid Brownell
commit c767c1c6f1febbd1351cc152bba6e37889322d17 upstream Minor musb_hdrc updates: - so it'll build on DaVinci, given relevant platform updates; * remove support for an un-shipped OTG prototype * rely on gpiolib framework conversion for the I2C GPIOs * the <asm/arch/hdrc_cnf.h> mechanism has been removed - catch comments up to the recent removal of the per-SOC header with the silicon configuration data; - and remove two inappropriate "inline" declarations which just bloat host side code. There are still some more <asm/arch/XYZ.h> ==> <mach/XYZ.h> changes needed in this driver, catching up to the relocation of most of the include/asm-arm/arch-* contents. Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Felipe Balbi <felipe.balbi@nokia.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-22usb gadget: cdc ethernet notification bugfixDavid Brownell
commit 29bac7b7661bbbdbbd32bc1e6cedca22f260da7f upstream Bugfix for the new CDC Ethernet code: as part of activating the network interface's USB link, make sure its link management code knows whether the interface is open or not. Without this fix, the link won't work right when it's brought up before the link is active ... because the initial notification it sends will have the wrong link state (down, not up). Makes it hard to bridge these links (on the host side), among other things. Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-22USB: EHCI: log a warning if ehci-hcd is not loaded firstAlan Stern
commit 9beeee6584b9aa4f9192055512411484a2a624df upstream This patch (as1139) adds a warning to the system log whenever ehci-hcd is loaded after ohci-hcd or uhci-hcd. Nowadays most distributions are pretty good about not doing this; maybe the warning will help convince anyone still doing it wrong. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-22USB: Fix s3c2410_udc usb speed handlingYauhen Kharuzhy
commit f9e9cff613b8239ce9159735aa662c9c85b478bf upstream The new composite framework revealed a weakness in the s3c2410_udc driver gadget register function. Instead of checking if speed asked for was USB_LOW_SPEED upon usb_gadget_register() to deny service, it checked only for USB_FULL_SPEED, thus denying service to usb high speed capable gadgets (like g_ether). Signed-off-by: Yauhen Kharuzhy <jekhor@gmail.com> Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-22USB: OHCI: fix endless polling behaviorAlan Stern
commit 71b7497c078a97e2afb774ad7c1f8ff5bdda8a60 upstream This patch (as1149) fixes an obscure problem in OHCI polling. In the current code, if the RHSC interrupt status flag turns on at a time when RHSC interrupts are disabled, it will remain on forever: The interrupt handler is the only place where RHSC status gets turned back off; The interrupt handler won't turn RHSC status off because it doesn't turn off status flags if the corresponding interrupt isn't enabled; RHSC interrupts will never get enabled because ohci_root_hub_state_changes() doesn't reenable RHSC if RHSC status is on! As a result we will continue polling indefinitely instead of reverting to interrupt-driven operation, and the root hub will not autosuspend. This particular sequence of events is not at all unusual; in fact plugging a USB device into an OHCI controller will usually cause it to occur. Of course, this is a bug. The proper thing to do is to turn off RHSC status just before reading the actual port status values. That way either a port status change will be detected (if it occurs before the status read) or it will turn RHSC back on. Possibly both, but that won't hurt anything. We can still check for systems in which RHSC is totally broken, by re-reading RHSC after clearing it and before reading the port statuses. (This re-read has to be done anyway, to post the earlier write.) If RHSC is on but no port-change statuses are set, then we know that RHSC is broken and we can avoid re-enabling it. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-22OHCI: Allow broken controllers to auto-stopAlan Stern
commit 4a511bc3f5829bc18428bcf11c25417a79d09396 upstream This patch (as1134) attempts to improve the way we handle OHCI controllers with broken Root Hub Status Change interrupt support. In these controllers the RHSC interrupt bit essentially never turns off, making RHSC interrupts useless -- they have to remain permanently disabled. Such controllers should still be allowed to turn off their root hubs when no devices are attached. Polling for new connections can continue while the root hub is suspended. The patch implements this feature. (It won't have much effect unless CONFIG_PM is enabled and CONFIG_USB_SUSPEND is disabled, but since the overhead is very small we may as well do it.) Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-22ath9k: fix oops on trying to hold the wrong spinlockLuis R. Rodriguez
commit a477e4e6d48d3ac7c7a75bad40585cb391e5c237 upstream We were trying to hold the wrong spinlock due to a typo on IEEE80211_BAR_CTL_TID_S's definition. We use this to compute the tid number and then hold this this tid number's spinlock. Tested-by: Steven Noonan <steven@uplinklabs.net> Signed-off-by: Vasanthakumar Thiagarajan <vasanth@atheros.com> Signed-off-by: Sujith <Sujith.Manoharan@atheros.com> Signed-off-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-22xfs: fix remount rw with unrecognized optionsChristoph Hellwig
commit 6c5e51dae2c37127e00be392f40842e08077e96a upstream When we skip unrecognized options in xfs_fs_remount we should just break out of the switch and not return because otherwise we may skip clearing the xfs-internal read-only flag. This will only show up on some operations like touch because most read-only checks are done by the VFS which thinks this filesystem is r/w. Eventually we should replace the XFS read-only flag with a helper that always checks the VFS flag to make sure they can never get out of sync. Bug reported and fix verified by Marcel Beister on #xfs. Bug fix verified by updated xfstests/189. Signed-off-by: Christoph Hellwig <hch@lst.de> Acked-by: Eric Sandeen <sandeen@sandeen.net> Signed-off-by: Timothy Shimmin <tes@sgi.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-22md: Fix rdev_size_store with size == 0Chris Webb
commit 7d3c6f8717ee6c2bf6cba5fa0bda3b28fbda6015 upstream Fix rdev_size_store with size == 0. size == 0 means to use the largest size allowed by the underlying device and is used when modifying an active array. This fixes a regression introduced by commit d7027458d68b2f1752a28016dcf2ffd0a7e8f567 Signed-off-by: Chris Webb <chris@arachsys.com> Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-10-22ath9k/mac80211: disallow fragmentation in ath9k, report to userspaceJohannes Berg
commit 4233df6b748193d45f79fb7448991a473061a65d upstream As I've reported, ath9k currently fails utterly when fragmentation is enabled. This makes ath9k "support" hardware fragmentation by not supporting fragmentation at all to avoid the double-free issue. The patch also changes mac80211 to report errors from the driver operation to userspace. That hack in ath9k should be removed once the rate control algorithm it has is fixed, and we can at that time consider removing the hw fragmentation support entirely since it's not used by any driver. Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Acked-by: Luis R. Rodriguez <lrodriguez@atheros.com> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>