aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2008-06-09Revert "PCI: remove default PCI expansion ROM memory allocation"Linus Torvalds
upstream commit: 8d539108560ec121d59eee05160236488266221c This reverts commit 9f8daccaa05c14e5643bdd4faf5aed9cc8e6f11e, which was reported to break X startup (xf86-video-ati-6.8.0). See http://bugs.freedesktop.org/show_bug.cgi?id=15523 for details. Reported-by: Laurence Withers <l@lwithers.me.uk> Cc: Gary Hade <garyhade@us.ibm.com> Cc: Greg KH <greg@kroah.com> Cc: Jan Beulich <jbeulich@novell.com> Cc: "Jun'ichi Nomura" <j-nomura@ce.jp.nec.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Ingo Molnar <mingo@elte.hu> Cc: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> [cebbert@redhat.com: backport, remove first hunk to make port easier] [chrisw@sous-sol.org: add back first hunk] Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09x86: prevent PGE flush from interruption/preemptionIngo Molnar
upstream commit: b1979a5fda7869a790f4fd83fb06c78498d26ba1 CR4 manipulation is not protected against interrupts and preemption, but KVM uses smp_function_call to manipulate the X86_CR4_VMXE bit either from the CPU hotplug code or from the kvm_init call. We need to protect the CR4 manipulation from both interrupts and preemption. Original bug report: http://lkml.org/lkml/2008/5/7/48 Bugzilla entry: http://bugzilla.kernel.org/show_bug.cgi?id=10642 This is not a regression from 2.6.25, it's a long standing and hard to trigger bug. Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09XFS: Fix memory corruption with small buffer readsChristoph Hellwig
upstream commit: 6ab455eeaff6893cd06da33843e840d888cdc04a When we have multiple buffers in a single page for a blocksize == pagesize filesystem we might overwrite the page contents if two callers hit it shortly after each other. To prevent that we need to keep the page locked until I/O is completed and the page marked uptodate. Thanks to Eric Sandeen for triaging this bug and finding a reproducible testcase and Dave Chinner for additional advice. This should fix kernel.org bz #10421. Tested-by: Eric Sandeen <sandeen@sandeen.net> SGI-PV: 981813 SGI-Modid: xfs-linux-melb:xfs-kern:31173a Signed-off-by: Christoph Hellwig <hch@infradead.org> Signed-off-by: David Chinner <dgc@sgi.com> Signed-off-by: Lachlan McIlroy <lachlan@sgi.com> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09x86: disable TSC for sched_clock() when calibration failedThomas Gleixner
upstream commit: 74dc51a3de06aa516e3b9fdc4017b2aeb38bf44b When the TSC calibration fails then TSC is still used in sched_clock(). Disable it completely in that case. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Cc: stable@kernel.org Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09x86: distangle user disabled TSC from unstableThomas Gleixner
upstream commit: 9ccc906c97e34fd91dc6aaf5b69b52d824386910 tsc_enabled is set to 0 from the command line switch "notsc" and from the mark_tsc_unstable code. Seperate those functionalities and replace tsc_enable with tsc_disable. This makes also the native_sched_clock() decision when to use TSC understandable. Preparatory patch to solve the sched_clock() issue on 32 bit. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09x86: if we cannot calibrate the TSC, we panic.Rusty Russell
upstream commit: 3c2047cd32b1a8c782d7efab72707e7daa251625 The current tsc_init() clears the TSC feature bit if the TSC khz cannot be calculated, causing us to panic in arch/x86/kernel/cpu/bugs.c check_config(). We should simply mark it unstable. Frankly, someone should take an axe to this code. mark_tsc_unstable() not only marks it unstable, but sets tsc_enabled to 0, which seems redundant but is actually important here because means it won't be used by sched_clock() either. Perhaps a tristate enum "UNUSABLE, UNSTABLE, OK" would be clearer, and separate mark_tsc_unstable() and mark_tsc_broken() functions? Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09x86: fix setup of cyc2ns in tsc_64.cThomas Gleixner
upstream commit: b6db80ee1331e7beaeb91b4b3d946dd16c72e388 When the TSC is calibrated against the PIT due to the nonavailability of PMTIMER/HPET or due to SMI interference then the setup of the per CPU cyc2ns variables is skipped. This is unlikely to happen but it would definitely render sched_clock() unusable. This was introduced with commit 53d517cdbaac704352b3d0c10fecb99e0b54572e x86: scale cyc_2_nsec according to CPU frequency Update the per CPU cyc2ns variables in all exit pathes of tsc_calibrate. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Cc: stable@kernel.org Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09IPoIB: Test for NULL broadcast object in ipiob_mcast_join_finish()Jack Morgenstein
upstream commit: e1d50dce5af77cb6d33555af70e2b8748dd84009 We saw a kernel oops in our regression testing when a multicast "join finish" occurred just after the interface was -- this is <https://bugs.openfabrics.org/show_bug.cgi?id=1040>. The test randomly causes the HCA physical port to go down then up. The cause of this is that ipoib_mcast_join_finish() processing happen just after ipoib_mcast_dev_flush() was invoked (in which case the broadcast pointer is NULL). This patch tests for and handles the case where priv->broadcast is NULL. Cc: <stable@kernel.org> Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il> Signed-off-by: Roland Dreier <rolandd@cisco.com> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09x86: don't read maxlvt before checking if APIC is mappedChuck Ebbert
upstream commit: 2584a82deed7196f48066f1b1a7fad4ec5bea961 A check for unmapped apic was added before reading maxlvt but the early read of maxlvt wasn't removed. Signed-off-by: Chuck Ebbert <cebbert@redhat.com> Cc: Andi Kleen <ak@suse.de> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09types.h: don't expose struct ustat to userspacemaximilian attems
upstream commit: 6c7c6afbb8c0e60d32a563cae7c6889211e9d9d8 <linux/types.h> can't be used together with <sys/ustat.h> because they both define struct ustat: $ cat test.c #include <sys/ustat.h> #include <linux/types.h> $ gcc -c test.c In file included from test.c:2: /usr/include/linux/types.h:165: error: redefinition of 'struct ustat' has been reported a while ago to debian, but seems to have been lost in cat fighting: http://bugs.debian.org/429064 Signed-off-by: maximilian attems <max@stro.at> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09cgroups: remove node_ prefix_from ns subsystemCedric Le Goater
upstream commit: 5c02b575780d0d785815a1e7b79a98edddee895a This is a slight change in the namespace cgroup subsystem api. The change is that previously when cgroup_clone() was called (currently only from the unshare path in ns_proxy cgroup, you'd get a new group named "node_$pid" whereas now you'll get a group named after just your pid.) The only users who would notice it are those who are using the ns_proxy cgroup subsystem to auto-create cgroups when namespaces are unshared - something of an experimental feature, which I think really needs more complete container/namespace support in order to be useful. I suspect the only users are Cedric and Serge, or maybe a few others on containers@lists.linux-foundation.org. And in fact it would only be noticed by the users who make the assumption about how the name is generated, rather than getting it from the /proc/<pid>/cgroups file for the process in question. Whether the change is actually needed or not I'm fairly agnostic on, but I guess it is more elegant to just use the pid as the new group name rather than adding a fairly arbitrary "node_" prefix on the front. [menage@google.com: provided changelog] Signed-off-by: Cedric Le Goater <clg@fr.ibm.com> Cc: "Paul Menage" <menage@google.com> Cc: "Serge E. Hallyn" <serue@us.ibm.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09usb-serial: Use ftdi_sio driver for RATOC REX-USB60FAtsushi Nemoto
upstream commit: 26ab705396b65a469233a8327ecb51b8aebb6be0 This patch reverts 57833ea6b95a3995149f1f6d1a8d8862ab7a0ba2 ("usb-serial: pl2303: add support for RATOC REX-USB60F") and adds support for the device to ftdi_sio driver. Cc: Akira Tsukamoto <akirat@rd.scei.sony.co.jp> Signed-off-by: Atsushi Nemoto <anemo@mba.ocn.ne.jp> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09USB: add TELIT HDSPA UC864-E modem to option driverGreg Kroah-Hartman
upstream commit: ee53b0ca0153b4f944cb142b5e65c96a1860d765 This adds the Telit UC864-E HDSPA modem support to the option driver. This lets their customers comply with the GPL instead of having to use a binary driver from the manufacturer. Cc: Simon Kissel <kissel@viprinet.com> Cc: Nico Erfurth <ne@nicoerfurth.de> Cc: Andrea Ghezzo <TS-EMEA@telit.com> Cc: Dietmar Staps <Dietmar.Staps@telit.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09CIFS: Fix UNC path prefix on QueryUnixPathInfo to have correct slashSteve French
upstream commit: 076d8423a98659a92837b07aa494cb74bfefe77c When a share was in DFS and the server was Unix/Linux, we were sending paths of the form \\server\share/dir/file rather than //server/share/dir/file There was some discussion between me and jra over whether we should use /server/share/dir/file as MS sometimes says - but the documentation for this claims it should be doubleslash for this type of UNC-like path format and that works, so leaving it as doubleslash but converting the \ to / in the the //server/share portion. This gets Samba to now correctly return STATUS_PATH_NOT_COVERED when it is supposed to (Windows already did since the direction of the slash was not an issue for them). Still need another minor change to fully enable DFS (need to finish some chages to SMBGetDFSRefer Signed-off-by: Steve French <sfrench@us.ibm.com> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-06-09i386: fix asm constraint in do_IRQ()Jan Beulich
upstream commit: 5065dbafc299507f16731434e95b91dadff03006 i386: fix asm constraint in do_IRQ() Two prior changes resulted in the "ecx" clobber being lost. Signed-off-by: Jan Beulich <jbeulich@novell.com> Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-06-09x86: user_regset_view table fix for ia32 on 64-bitRoland McGrath
commit 1f465f4e475454b8bb590846c50a9d16e8046f3d upstream The user_regset_view table for the 32-bit regsets on the 64-bit build had the wrong sizes for the FP regsets. This bug had no user-visible effect (just on kernel modules using the user_regset interfaces and the like). But the fix is trivial and risk-free. Signed-off-by: Roland McGrath <roland@redhat.com> Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09i2c/max6875: Really prevent 24RF08 corruptionJean Delvare
commit 70455e790391dac85d9b483a9e286a40df1ecc7f in upstream i2c-core takes care of the possible corruption of 24RF08 chips for quite some times, so device drivers no longer need to do it. And they really should not, as applying the prevention twice voids it. I thought that I had fixed all drivers long ago but apparently I had missed that one. Signed-off-by: Jean Delvare <khali@linux-fr.org> Cc: Ben Gardner <bgardner@wabtec.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09i2c-nforce2: Disable the second SMBus channel on the DFI Lanparty NF4 ExpertJean Delvare
commit 08851d6eb4eeb0894f4d095dfdf8ab61c435ad57 in upstream There is a strange chip at 0x2e on the second SMBus channel of the DFI Lanparty NF4 Expert motherboard. Accessing the chip reboots the system. As there's nothing interesting on this SMBus channel, the easiest and safest thing to do is to disable it on that board. This is a better fix to bug #5889 than the it87 driver update that was done originally: http://bugzilla.kernel.org/show_bug.cgi?id=5889 Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09USB: fix build errors in ohci-omap.c and ohci-sm501.cGreg Kroah-Hartman
This fixes the build errors previously caused by 45fa78357eab3287b5c39f2d983b91150b3f4bd8 This makes the code mirror what went into Linus's tree previously. Reported-by: Randy Dunlap <rdunlap@xenotime.net> Cc: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09memory_hotplug: always initialize pageblock bitmapHeiko Carstens
commit 76cdd58e558669366adfaded436fda01b30cce3e upstream Trying to online a new memory section that was added via memory hotplug sometimes results in crashes when the new pages are added via __free_page. Reason for that is that the pageblock bitmap isn't initialized and hence contains random stuff. That means that get_pageblock_migratetype() returns also random stuff and therefore list_add(&page->lru, &zone->free_area[order].free_list[migratetype]); in __free_one_page() tries to do a list_add to something that isn't even necessarily a list. This happens since 86051ca5eaf5e560113ec7673462804c54284456 ("mm: fix usemap initialization") which makes sure that the pageblock bitmap gets only initialized for pages present in a zone. Unfortunately for hot-added memory the zones "grow" after the memmap and the pageblock memmap have been initialized. Which means that the new pages have an unitialized bitmap. To solve this the calls to grow_zone_span() and grow_pgdat_span() are moved to __add_zone() just before the initialization happens. The patch also moves the two functions since __add_zone() is the only caller and I didn't want to add a forward declaration. Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Cc: Andy Whitcroft <apw@shadowen.org> Cc: Dave Hansen <haveblue@us.ibm.com> Cc: Gerald Schaefer <gerald.schaefer@de.ibm.com> Cc: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> Cc: Yasunori Goto <y-goto@jp.fujitsu.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09libata: force hardreset if link is in powersave modeTejun Heo
Inhibiting link PM mode doesn't bring the link back online if it's already in powersave mode. If SRST is used in these cases, libata EH thinks that the link is offline and fails detection. Force hardreset if link is in powersave mode. Signed-off-by: Tejun Heo <htejun@gmail.com> Cc: Jeff Garzik <jeff@garzik.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09ext3/4: fix uninitialized bs in ext3/4_xattr_set_handle()Tiger Yang
commit 7e01c8e5420b6c7f9d85d34c15d8c7a15c9fc720 upstream This fix the uninitialized bs when we try to replace a xattr entry in ibody with the new value which require more than free space. This situation only happens we format ext3/4 with inode size more than 128 and we have put xattr entries both in ibody and block. The consequences about this bug is we will lost the xattr block which pointed by i_file_acl with all xattr entires in it. We will alloc a new xattr block and put that large value entry in it. The old xattr block will become orphan block. Signed-off-by: Tiger Yang <tiger.yang@oracle.com> Cc: <linux-ext4@vger.kernel.org> Cc: Andreas Gruenbacher <agruen@suse.de> Acked-by: Andreas Dilger <adilger@sun.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09USB: add Telstra NextG CDMA id to option driverGreg Kroah-Hartman
commit 23cacd65f65956426bbca25964a68c174db83a31 upstream As reported by Magnus Boman <captain.magnus@opensuse.org> Cc: Magnus Boman <captain.magnus@opensuse.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09USB: do not handle device 1410:5010 in 'option' driverEugeniy Meshcheryakov
commit cdafc37a7b727b75ced65e31e47dafbd8b70f97f upstream This device is not a serial port, but a virtual CD-ROM device. For example with my Novatel MC950D: lsusb -v -d 1410:5010 | grep InterfaceClass bInterfaceClass 8 Mass Storage After some time (ca. 5min) or if virtual CD is ejected, device id changes to 1410:4400: % lsusb -v -d 1410:4400 | grep InterfaceClass bInterfaceClass 255 Vendor Specific Class bInterfaceClass 255 Vendor Specific Class Variable name says that 0x5010 is a Novatel U727, but searching in internet shows, that this device also provides virtual CD that should be ejected before use. Product id for serial port in this case is 0x4100. Signed-off-by: Eugeniy Meshcheryakov <eugen@debian.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09USB: add Zoom Telephonics Model 3095F V.92 USB Mini External modem to cdc-acmIain McFarlane
commit 6149ed5e3a6207595bd7362af7724d64f44af216 upstream The patch below is a necessary workaround to support the Zoom Telephonics Model 3095F V.92 USB Mini External modem, which fails to initialise properly during normal probing thus: May 3 22:53:00 imcfarla kernel: drivers/usb/class/cdc-acm.c: Zero length descriptor references May 3 22:53:00 imcfarla kernel: cdc_acm: probe of 5-2:1.0 failed with error -22 Adding the patch below causes the probing section to be skipped, and the modem then initialises correctly. Signed-off-by: Iain McFarlane <iain@imcfarla.homelinux.net> Acked-by: Oliver Neukum <oneukum@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09USB: option: add new Dell 5520 HSDPA variantDan Williams
commit 96cb15cf977356d9d3117dd88f3fe187d6024f4b upstream New variant of the 5520 found by Luke Sheldrick. Signed-off-by: Dan Williams <dcbw@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09USB: unusual_devs: Add support for GI 0401 SD-Card interfaceFilip Aben
commit e7c6f80fd733218aa1e79efa5d9ece9f76966160 upstream Enables the SD-Card interface on the GI 0401 HSUPA card from Option. The unusual_devs.h entry is necessary because the device descriptor is vendor-specific. That prevents usb-storage from binding to it as an interface driver. This revised patch adds a small comment explaining why and reduces the rev range. T: Bus=02 Lev=01 Prnt=01 Port=06 Cnt=01 Dev#= 3 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=ff(vend.) Sub=ff Prot=ff MxPS=64 #Cfgs= 1 P: Vendor=0af0 ProdID=7401 Rev= 0.00 S: Manufacturer=Option N.V. S: Product=Globetrotter HSUPA Modem C:* #Ifs=10 Cfg#= 1 Atr=80 MxPwr=500mA I:* If#= 0 Alt= 0 #EPs= 0 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) I: If#= 0 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms I:* If#= 1 Alt= 0 #EPs= 0 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) I: If#= 1 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms I:* If#= 2 Alt= 0 #EPs= 0 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) I: If#= 2 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms I:* If#= 3 Alt= 0 #EPs= 0 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) I: If#= 3 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms I:* If#= 4 Alt= 0 #EPs= 0 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) I: If#= 4 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms I:* If#= 5 Alt= 0 #EPs= 0 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) I: If#= 5 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms I:* If#= 6 Alt= 0 #EPs= 0 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) I: If#= 6 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms I:* If#= 7 Alt= 0 #EPs= 0 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) I: If#= 7 Alt= 1 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=08(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms I:* If#= 8 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=89(I) Atr=03(Int.) MxPS= 64 Ivl=2ms E: Ad=8a(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=09(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms I:* If#= 9 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage E: Ad=0a(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms Signed-off-by: Filip Aben <f.aben@option.com> Signed-off-by: Phil Dibowitz <phil@ipom.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09USB: remove PICDEM FS USB demo (04d8:000c) device from ldusbXiaofan Chen
commit 5fc89390f74ac42165db477793fb30f6a200e79c upstream Date: Tue, 13 May 2008 21:52:00 +0800 Subject: USB: remove PICDEM FS USB demo (04d8:000c) device from ldusb Microchip has changed the PICDEM FS USB demo device (0x04d8:000c) to use bulk transfer and not interrupt transfer. So I've updated the libusb based program here (Post #31). http://forum.microchip.com/tm.aspx?m=106426&mpage=2 So I believe that the in-kernel ldusb driver will no longer work with the demo firmware. It should be removed. Signed-off-by: Xiaofan Chen <xiaofanc@gmail.com> Cc: Michael Hund <MHund@LD-Didactic.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-09POWERPC Bolt in SLB entry for kernel stack on secondary cpusPaul Mackerras
This is upstream as commit 3b5750644b2ffa2a76fdfe7b4e00e4af2ecf3539. This fixes a regression reported by Kamalesh Bulabel where a POWER4 machine would crash because of an SLB miss at a point where the SLB miss exception was unrecoverable. This regression is tracked at: http://bugzilla.kernel.org/show_bug.cgi?id=10082 SLB misses at such points shouldn't happen because the kernel stack is the only memory accessed other than things in the first segment of the linear mapping (which is mapped at all times by entry 0 of the SLB). The context switch code ensures that SLB entry 2 covers the kernel stack, if it is not already covered by entry 0. None of entries 0 to 2 are ever replaced by the SLB miss handler. Where this went wrong is that the context switch code assumes it doesn't have to write to SLB entry 2 if the new kernel stack is in the same segment as the old kernel stack, since entry 2 should already be correct. However, when we start up a secondary cpu, it calls slb_initialize, which doesn't set up entry 2. This is correct for the boot cpu, where we will be using a stack in the kernel BSS at this point (i.e. init_thread_union), but not necessarily for secondary cpus, whose initial stack can be allocated anywhere. This doesn't cause any immediate problem since the SLB miss handler will just create an SLB entry somewhere else to cover the initial stack. In fact it's possible for the cpu to go quite a long time without SLB entry 2 being valid. Eventually, though, the entry created by the SLB miss handler will get overwritten by some other entry, and if the next access to the stack is at an unrecoverable point, we get the crash. This fixes the problem by making slb_initialize create a suitable entry for the kernel stack, if we are on a secondary cpu and the stack isn't covered by SLB entry 0. This requires initializing the get_paca()->kstack field earlier, so I do that in smp_create_idle where the current field is initialized. This also abstracts a bit of the computation that mk_esid_data in slb.c does so that it can be used in slb_initialize. Signed-off-by: Paul Mackerras <paulus@samba.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Chris Wright <chrisw@sous-sol.org>
2008-06-06Linux 2.6.25.5v2.6.25.5Chris Wright
2008-06-06asn1: additional sanity checking during BER decoding (CVE-2008-1673)Chris Wright
upstream commit: ddb2c43594f22843e9f3153da151deaba1a834c5 - Don't trust a length which is greater than the working buffer. An invalid length could cause overflow when calculating buffer size for decoding oid. - An oid length of zero is invalid and allows for an off-by-one error when decoding oid because the first subid actually encodes first 2 subids. - A primitive encoding may not have an indefinite length. Thanks to Wei Wang from McAfee for report. Cc: Steven French <sfrench@us.ibm.com> Cc: stable@kernel.org Acked-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Chris Wright <chrisw@sous-sol.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-05-15Linux 2.6.25.4v2.6.25.4Greg Kroah-Hartman
2008-05-15md: fix raid5 'repair' operationsDan Williams
commit c8894419acf5e56851de9741c5047bebd78acd1f upstream Date: Mon, 12 May 2008 14:02:12 -0700 Subject: md: fix raid5 'repair' operations commit bd2ab67030e9116f1e4aae1289220255412b37fd "md: close a livelock window in handle_parity_checks5" introduced a bug in handling 'repair' operations. After a repair operation completes we clear the state bits tracking this operation. However, they are cleared too early and this results in the code deciding to re-run the parity check operation. Since we have done the repair in memory the second check does not find a mismatch and thus does not do a writeback. Test results: $ echo repair > /sys/block/md0/md/sync_action $ cat /sys/block/md0/md/mismatch_cnt 51072 $ echo repair > /sys/block/md0/md/sync_action $ cat /sys/block/md0/md/mismatch_cnt 0 (also fix incorrect indentation) Tested-by: George Spelvin <linux@horizon.com> Acked-by: NeilBrown <neilb@suse.de> Signed-off-by: Dan Williams <dan.j.williams@intel.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-05-15rtc: rtc_time_to_tm: use unsigned arithmeticMaciej W. Rozycki
commit 945185a69daa457c4c5e46e47f4afad7dcea734f upstream Date: Mon, 12 May 2008 14:02:24 -0700 Subject: rtc: rtc_time_to_tm: use unsigned arithmetic The input argument to rtc_time_to_tm() is unsigned as well as are members of the output structure. However signed arithmetic is used within for calculations leading to incorrect results for input values outside the signed positive range. If this happens the time of day returned is out of range. Found the problem when fiddling with the RTC and the driver where year was set to an unexpectedly large value like 2070, e.g.: rtc0: setting system clock to 2070-01-01 1193046:71582832:26 UTC (3155760954) while it should be: rtc0: setting system clock to 2070-01-01 00:15:54 UTC (3155760954) Changing types to unsigned fixes the problem. [akpm@linux-foundation.org: remove old-fashioned `register' keyword] Signed-off-by: Maciej W. Rozycki <macro@linux-mips.org> Cc: Alessandro Zummo <a.zummo@towertech.it> Cc: David Brownell <david-b@pacbell.net> Cc: Dmitri Vorobiev <dmitri.vorobiev@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-05-15SCSI: aha152x: fix init suspiciously returned 1, it should follow 0/-E ↵James Bottomley
convention commit ad2fa42d044b98469449880474a9662fb689f7f9 upstream Reported-by: Frank de Jong <frapex@xs4all.nl> > [1.] One line summary of the problem: > linux-2.6.25.3, aha152x'->init suspiciously returned 1, it should > follow 0/-E convention. The module / driver works okay. Unloading the > module is impossible. The driver is apparently returning 0 on failure and 1 on success. That's a bit unfortunate. Fix it by altering to -ENODEV and 0. Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-05-15SCSI: aha152x: Fix oops on module removalJames Bottomley
commit 64976a0387835a7ac61bbe2a99b27ccae34eac5d upstream Reported-by: Frank de Jong <frapex@xs4all.nl> > after trying to unload the module: > BUG: unable to handle kernel paging request at 00100100 > IP: [<fb9ff667>] :aha152x:aha152x_exit+0x47/0x6a > *pde = 00000000 > Oops: 0000 [#1] PREEMPT SMP > Modules linked in: aha152x(-) w83781d hwmon_vid tun ne 8390 bonding > usb_storage snd_usb_audio snd_usb_lib snd_rawmidi pwc snd_seq_device > compat_ioctl32 snd_hwdep videodev v4l1_compat 3c59x mii intel_agp > agpgart snd_pcm_oss snd_pcm snd_timer snd_page_alloc snd_mixer_oss snd > > Pid: 2837, comm: rmmod Not tainted (2.6.25.3 #1) > EIP: 0060:[<fb9ff667>] EFLAGS: 00210212 CPU: 0 > EIP is at aha152x_exit+0x47/0x6a [aha152x] > EAX: 00000001 EBX: 000ffdc4 ECX: f7c517a8 EDX: 00000001 > ESI: 00000000 EDI: 00000003 EBP: e7880000 ESP: e7881f58 > DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 > Process rmmod (pid: 2837, ti=e7880000 task=f27eb580 task.ti=e7880000) > Stack: fba03700 c01419d2 31616861 00783235 e795ee70 c0157709 b7f24000 e79ae000 > c0158271 ffffffff b7f25000 e79ae004 e795e370 b7f25000 e795e37c e795e370 > 009ae000 fba03700 00000880 e7881fa8 00000000 bf93ec20 bf93ec20 c0102faa > Call Trace: > [<c01419d2>] sys_delete_module+0x112/0x1a0 > [<c0157709>] remove_vma+0x39/0x50 > [<c0158271>] do_munmap+0x181/0x1f0 > [<c0102faa>] sysenter_past_esp+0x5f/0x85 > [<c0490000>] rsc_parse+0x0/0x3c0 The problem is that the driver calls aha152x_release() under a list_for_each_entry(). Unfortunately, aha152x_release() deletes from the list in question. Fix this by using list_for_each_entry_safe(). Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-05-15SCSI: libiscsi regression in 2.6.25: fix setting of recv timerMike Christie
commit c8611f975403dd20e6503aff8aded5dcb718f75b upstream If the ping tmo is longer than the recv tmo then we could miss a window where we were supposed to check the recv tmo. This happens because the ping code will set the next timeout for the ping timeout, and if the ping executes quickly there will be a long chunk of time before the timer wakes up again. This patch has the ping processing code kick off a recv tmo check when getting a nop in response to our ping. Signed-off-by: Mike Christie <michaelc@cs.wisc.edu> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-05-15SCSI: libiscsi regression in 2.6.25: fix nop timer handlingMike Christie
commit 4cf1043593db6a337f10e006c23c69e5fc93e722 upstream The following patch fixes a bug in the iscsi nop processing. The target sends iscsi nops to ping the initiator and the initiator has to send nops to reply and can send nops to ping the target. In 2.6.25 we moved the nop processing to the kernel to handle problems when the userspace daemon is not up, but the target is pinging us, and to handle when scsi commands timeout, but the transport may be the cause (we can send a nop to check the transport). When we added this code we added a bug where if the transport timer wakes at the exact same time we are supposed to check for a nop timeout we drop the session instead of checking the transport. This patch checks if a iscsi ping is outstanding and if the ping has timed out, to determine if we need to signal a connection problem. Signed-off-by: Mike Christie <michaelc@cs.wisc.edu> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-05-15SCSI: qla1280: Fix queue depth problemJeremy Higdon
commit af5741c6de4f4a1d8608b0f00867c77cb7123635 upstream The qla1280 driver was ANDing the output value of mailbox register 0 with (1 << target-number) to determine whether to enable queueing on the target in question. But mailbox register 0 has the status code for the mailbox command (in this case, Set Target Parameters). Potential values are: /* * ISP mailbox command complete status codes */ So clearly that is in error. I can't think what the author of that line was looking for in a mailbox register, so I just eliminated the AND. flag is used later in the function, and I think that the later usage was also wrong, though it was used to set values that aren't used. Oh well, an overhaul of this driver is not what I want to do now -- just a bugfix. After the fix, I found that my disks were getting a queue depth of 255, which is far too many. Most SCSI disks are limited to 32 or 64. In any case, there's no point, queueing up a bunch of commands to the adapter that will just result in queue full or starve other targets from being issued commands due to running out of internal memory. So I dropped default queue depth to 32 (from which 1 is subtracted elsewhere, giving net of 31). I tested with a Seagate ST336753LC, and results look good, so I'm satisfied with this patch. Signed-off-by: Jeremy Higdon <jeremy@sgi.com> Acked-by: Jes Sorensen <jes@sgi.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-05-15r8169: fix oops in r8169_get_mac_versionIvan Vecera
commit 21e197f231343201368338603cb0909a13961bac upstream. r8169_get_mac_version crashes when it meets an unknown MAC due to tp->pci_dev not being set. Initialize it early. Signed-off-by: Ivan Vecera <ivecera@redhat.com> Acked-by: Francois Romieu <romieu@fr.zoreil.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-05-15r8169: fix past rtl_chip_info array size for unknown chipsetsRoel Kluin
commit cee60c377de6d9d10f0a2876794149bd79a15020 upstream. 'i' is unsigned. Signed-off-by: Roel Kluin <12o3l@tiscali.nl> Acked-by: Francois Romieu <romieu@fr.zoreil.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-05-15USB: airprime: unlock mutex instead of trying to lock it againLeonardo Chiquitto
commit 21ae1dd1d4948968ad2d923c5e104d38fb35b4e4 upstream The following patch fixes a [probable] copy & paste mistake in airprime.c. Instead of unlocking an acquired mutex, the actual code tries to lock it again. Signed-off-by: Leonardo Chiquitto <lchiquitto@novell.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-05-15sparc32: Don't twiddle PT_DTRACE in exec.David S. Miller
[ Upstream commit: c07c6053c41f736711ed856aa377007078c7c396 ] That bit isn't used on this platform. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-05-15sparc: Fix debugger syscall restart interactions.David S. Miller
[ This is a 2.6.25 backport of upstream changeset 28e6103665301ce60634e8a77f0b657c6cc099de with sparc32 build fixes from Robert Reif ] So, forever, we've had this ptrace_signal_deliver implementation which tries to handle all of the nasties that can occur when the debugger looks at a process about to take a signal. It's meant to address all of these issues inside of the kernel so that the debugger need not be mindful of such things. Problem is, this doesn't work. The idea was that we should do the syscall restart business first, so that the debugger captures that state. Otherwise, if the debugger for example saves the child's state, makes the child execute something else, then restores the saved state, we won't handle the syscall restart properly because we lose the "we're in a syscall" state. The code here worked for most cases, but if the debugger actually passes the signal through to the child unaltered, it's possible that we would do a syscall restart when we shouldn't have. In particular this breaks the case of debugging a process under a gdb which is being debugged by yet another gdb. gdb uses sigsuspend to wait for SIGCHLD of the inferior, but if gdb itself is being debugged by a top-level gdb we get a ptrace_stop(). The top-level gdb does a PTRACE_CONT with SIGCHLD to let the inferior gdb see the signal. But ptrace_signal_deliver() assumed the debugger would cancel out the signal and therefore did a syscall restart, because the return error was ERESTARTNOHAND. Fix this by simply making ptrace_signal_deliver() a nop, and providing a way for the debugger to control system call restarting properly: 1) Report a "in syscall" software bit in regs->{tstate,psr}. It is set early on in trap entry to a system call and is fully visible to the debugger via ptrace() and regsets. 2) Test this bit right before doing a syscall restart. We have to do a final recheck right after get_signal_to_deliver() in case the debugger cleared the bit during ptrace_stop(). 3) Clear the bit in trap return so we don't accidently try to set that bit in the real register. As a result we also get a ptrace_{is,clear}_syscall() for sparc32 just like sparc64 has. M68K has this same exact bug, and is now the only other user of the ptrace_signal_deliver hook. It needs to be fixed in the same exact way as sparc. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-05-15sparc: Fix mremap address range validation.David S. Miller
Just like mmap, we need to validate address ranges regardless of MAP_FIXED. sparc{,64}_mmap_check()'s flag argument is unused, remove. Based upon a report and preliminary patch by Jan Lieskovsky <jlieskov@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-05-15sparc: Fix ptrace() detach.David S. Miller
[ Upstream commit: 986bef854fab44012df678a5b51817d5274d3ca1 ] Forever we had a PTRACE_SUNOS_DETACH which was unconditionally recognized, regardless of the personality of the process. Unfortunately, this value is what ended up in the GLIBC sys/ptrace.h header file on sparc as PTRACE_DETACH and PT_DETACH. So continue to recognize this old value. Luckily, it doesn't conflict with anything we actually care about. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-05-15i2c-piix4: Blacklist two mainboardsJean Delvare
commit c2fc54fcd340cbee47510aa84c346aab3440ba09 upstream We had a report that running sensors-detect on a Sapphire AM2RD790 motherbord killed the CPU. While the exact cause is still unknown, I'd rather play it safe and prevent any access to the SMBus on that machine by not letting the i2c-piix4 driver attach to the SMBus host device on that machine. Also blacklist a similar board made by DFI. Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-05-15x86: sysfs cpu?/topology is empty in 2.6.25 (32-bit Intel system)Vaidyanathan Srinivasan
commit 5c3a121d52b30a1e53cdaa802fa1965fcd243164 upstream System topology on intel based system needs to be exported for non-numa case as well. All parts of asm-i386/topology.h has come under #ifdef CONFIG_NUMA after the merge to asm-x86/topology.h /sys/devices/system/cpu/cpu?/topology/* is populated based on ENABLE_TOPO_DEFINES The sysfs cpu topology is not being populated on my dual socket dual core xeon 5160 processor based (x86 32 bit) system. CONFIG_NUMA is not set in my case yet the topology is relevant and useful. irqbalance daemon application depends on topology to build the cpus and package list and it fails on Fedora9 beta since the sysfs topology was not being populated in the 2.6.25 kernel. I am not sure if it was intentional to not define ENABLE_TOPO_DEFINES for non-numa systems. This fix has been tested on the above mentioned dual core, dual socket system. Signed-off-by: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com> Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-05-15ata_piix: verify SIDPR access before enabling itTejun Heo
commit cb6716c879ecf49e2af344926c6a476821812061 upstream On certain configurations (certain macbooks), even though all the conditions for SIDPR access described in the datasheet are met, actually reading those registers just returns 0 and have no effect on write. Verify SIDPR is actually working before enabling it. This is reported by Ryan Roth in bz#10512. Signed-off-by: Tejun Heo <htejun@gmail.com> Cc: Ryan Roth <ryan.roth@ch2m.com> Signed-off-by: Jeff Garzik <jgarzik@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2008-05-15{nfnetlink, ip, ip6}_queue: fix skb_over_panic when enlarging packetsArnaud Ebalard
[NETFILTER]: {nfnetlink,ip,ip6}_queue: fix skb_over_panic when enlarging packets From: Arnaud Ebalard <arno@natisbad.org> Upstream commit 9a732ed6d: While reinjecting *bigger* modified versions of IPv6 packets using libnetfilter_queue, things work fine on a 2.6.24 kernel (2.6.22 too) but I get the following on recents kernels (2.6.25, trace below is against today's net-2.6 git tree): skb_over_panic: text:c04fddb0 len:696 put:632 head:f7592c00 data:f7592c00 tail:0xf7592eb8 end:0xf7592e80 dev:eth0 ------------[ cut here ]------------ invalid opcode: 0000 [#1] PREEMPT Process sendd (pid: 3657, ti=f6014000 task=f77c31d0 task.ti=f6014000) Stack: c071e638 c04fddb0 000002b8 00000278 f7592c00 f7592c00 f7592eb8 f7592e80 f763c000 f6bc5200 f7592c40 f6015c34 c04cdbfc f6bc5200 00000278 f6015c60 c04fddb0 00000020 f72a10c0 f751b420 00000001 0000000a 000002b8 c065582c Call Trace: [<c04fddb0>] ? nfqnl_recv_verdict+0x1c0/0x2e0 [<c04cdbfc>] ? skb_put+0x3c/0x40 [<c04fddb0>] ? nfqnl_recv_verdict+0x1c0/0x2e0 [<c04fd115>] ? nfnetlink_rcv_msg+0xf5/0x160 [<c04fd03e>] ? nfnetlink_rcv_msg+0x1e/0x160 [<c04fd020>] ? nfnetlink_rcv_msg+0x0/0x160 [<c04f8ed7>] ? netlink_rcv_skb+0x77/0xa0 [<c04fcefc>] ? nfnetlink_rcv+0x1c/0x30 [<c04f8c73>] ? netlink_unicast+0x243/0x2b0 [<c04cfaba>] ? memcpy_fromiovec+0x4a/0x70 [<c04f9406>] ? netlink_sendmsg+0x1c6/0x270 [<c04c8244>] ? sock_sendmsg+0xc4/0xf0 [<c011970d>] ? set_next_entity+0x1d/0x50 [<c0133a80>] ? autoremove_wake_function+0x0/0x40 [<c0118f9e>] ? __wake_up_common+0x3e/0x70 [<c0342fbf>] ? n_tty_receive_buf+0x34f/0x1280 [<c011d308>] ? __wake_up+0x68/0x70 [<c02cea47>] ? copy_from_user+0x37/0x70 [<c04cfd7c>] ? verify_iovec+0x2c/0x90 [<c04c837a>] ? sys_sendmsg+0x10a/0x230 [<c011967a>] ? __dequeue_entity+0x2a/0xa0 [<c011970d>] ? set_next_entity+0x1d/0x50 [<c0345397>] ? pty_write+0x47/0x60 [<c033d59b>] ? tty_default_put_char+0x1b/0x20 [<c011d2e9>] ? __wake_up+0x49/0x70 [<c033df99>] ? tty_ldisc_deref+0x39/0x90 [<c033ff20>] ? tty_write+0x1a0/0x1b0 [<c04c93af>] ? sys_socketcall+0x7f/0x260 [<c0102ff9>] ? sysenter_past_esp+0x6a/0x91 [<c05f0000>] ? snd_intel8x0m_probe+0x270/0x6e0 ======================= Code: 00 00 89 5c 24 14 8b 98 9c 00 00 00 89 54 24 0c 89 5c 24 10 8b 40 50 89 4c 24 04 c7 04 24 38 e6 71 c0 89 44 24 08 e8 c4 46 c5 ff <0f> 0b eb fe 55 89 e5 56 89 d6 53 89 c3 83 ec 0c 8b 40 50 39 d0 EIP: [<c04ccdfc>] skb_over_panic+0x5c/0x60 SS:ESP 0068:f6015bf8 Looking at the code, I ended up in nfq_mangle() function (called by nfqnl_recv_verdict()) which performs a call to skb_copy_expand() due to the increased size of data passed to the function. AFAICT, it should ask for 'diff' instead of 'diff - skb_tailroom(e->skb)'. Because the resulting sk_buff has not enough space to support the skb_put(skb, diff) call a few lines later, this results in the call to skb_over_panic(). The patch below asks for allocation of a copy with enough space for mangled packet and the same amount of headroom as old sk_buff. While looking at how the regression appeared (e2b58a67), I noticed the same pattern in ipq_mangle_ipv6() and ipq_mangle_ipv4(). The patch corrects those locations too. Tested with bigger reinjected IPv6 packets (nfqnl_mangle() path), things are ok (2.6.25 and today's net-2.6 git tree). Signed-off-by: Arnaud Ebalard <arno@natisbad.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>