1. 20 Sep, 2011 8 commits
      cifs: fix possible memory corruption in CIFSFindNext · 9438fabb
      Jeff Layton authored
      The name_len variable in CIFSFindNext is a signed int that gets set to
      the resume_name_len in the cifs_search_info. The resume_name_len however
      is unsigned and for some infolevels is populated directly from a 32 bit
      value sent by the server.
      
      If the server sends a very large value for this, then that value could
      look negative when converted to a signed int. That would make that
      value pass the PATH_MAX check later in CIFSFindNext. The name_len would
      then be used as a length value for a memcpy. It would then be treated
      as unsigned again, and the memcpy scribbles over a ton of memory.
      
      Fix this by making the name_len an unsigned value in CIFSFindNext.
      
      Cc: <stable@kernel.org>
      Reported-by: Darren Lavender <dcl@hppine99.gbr.hp.com>
      Signed-off-by: Jeff Layton <jlayton@redhat.com>
      Signed-off-by: Steve French <sfrench@us.ibm.com>
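The signed/unsigned mismatch described in the commit message above, as an added example (not the kernel's code). Function names, the buffer and the sample lengths are constructed, and the destination-size test in the last function is an extra guard beyond the fix the message describes.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

static char request_buf[PATH_MAX];	/* constructed stand-in for the request's name field */

/* "Before" shape: the 32-bit wire length is narrowed into a signed int and
 * then bounds-checked. Returns 1 when the check lets the value through. */
static int signed_check_accepts(uint32_t resume_name_len)
{
	int name_len = (int)resume_name_len;	/* >= 2^31 turns negative on Linux ABIs */

	return name_len < PATH_MAX;
}

/* The length memcpy() would then receive: int converts to size_t, so a
 * negative name_len becomes an enormous byte count. */
static size_t signed_memcpy_len(uint32_t resume_name_len)
{
	int name_len = (int)resume_name_len;

	return (size_t)name_len;
}

/* "After" shape: the length stays unsigned from wire to memcpy(), so the
 * same comparison refuses it. Returns bytes copied, or -1 when refused.
 * The dst_size test is an extra guard added for this example. */
static long copy_resume_name(char *dst, size_t dst_size,
			     const char *name, uint32_t resume_name_len)
{
	unsigned int name_len = resume_name_len;

	if (name_len >= PATH_MAX || name_len > dst_size)
		return -1;
	memcpy(dst, name, name_len);
	return (long)name_len;
}

int main(void)
{
	/* Constructed inputs: one sane length and one hostile 32-bit length. */
	const uint32_t sane = 5, hostile = 0xFFFFFFF0u;

	printf("signed check accepts:  sane=%d hostile=%d\n",
	       signed_check_accepts(sane), signed_check_accepts(hostile));
	printf("memcpy length after signed check: %zu\n",
	       signed_memcpy_len(hostile));
	printf("unsigned copy result:  sane=%ld hostile=%ld\n",
	       copy_resume_name(request_buf, sizeof(request_buf), "a.txt", sane),
	       copy_resume_name(request_buf, sizeof(request_buf), "a.txt", hostile));
	return 0;
}
```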
      Merge branch 'irq-fixes-for-linus' of git://tesla.tglx.de/git/linux-2.6-tip · 9d037a77
      Linus Torvalds authored
      * 'irq-fixes-for-linus' of git://tesla.tglx.de/git/linux-2.6-tip:
        x86, iommu: Mark DMAR IRQ as non-threaded
        genirq: Make irq_shutdown() symmetric vs. irq_startup again
      Merge branch 'for-linus' of git://github.com/chrismason/linux · 50f2d407
      Linus Torvalds authored
      * 'for-linus' of git://github.com/chrismason/linux:
        Btrfs: only clear the need lookup flag after the dentry is setup
        BTRFS: Fix lseek return value for error
        Btrfs: don't change inode flag of the dest clone file
        Btrfs: don't make a file partly checksummed through file clone
        Btrfs: fix pages truncation in btrfs_ioctl_clone()
        btrfs: fix d_off in the first dirent
      USB: xHCI: prevent infinite loop when processing MSE event · c2d7b49f
      Andiry Xu authored
      When a xHC host is unable to handle isochronous transfer in the
      interval, it reports a Missed Service Error event and skips some tds.
      
      Currently xhci driver handles MSE event in the following ways:
      
      1. When encountering a MSE event, set ep->skip flag, update event ring
         dequeue pointer and return.
      
      2. When encountering the next event on this ep, the driver will run the
         do-while loop, fetch td from ep's td_list to find the td
         corresponding to this event.  All tds missed are marked as short
         transfer(-EXDEV).
      
      The do-while loop will end in two ways:
      
      1. If the td pointed by the event trb is found;
      
      2. If the ep ring's td_list is empty.
      
      However, if a buggy HW reports some unpredicted event (for example, an
      overrun event following a MSE event while the ep ring is actually not
      empty), the driver will never find the td, and it will loop until the
      td_list is empty.
      
      Unfortunately, the spinlock is dropped when giving back a urb in the
      do-while loop.  During the spinlock released period, the class driver
      may still submit urbs and add tds to the td_list.  This may cause
      disaster, since the td_list will never be empty and the loop never ends,
      and the system hangs.
      
      To fix this, count the number of TDs on the ep ring before skipping TDs,
      and quit the loop after skipping that number of tds.  This guarantees the
      do-while loop will end after a certain number of cycles, and the driver will
      not be trapped in an infinite loop.
      Signed-off-by: Andiry Xu <andiry.xu@amd.com>
      Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      USB: xhci: Set change bit when warm reset change is set. · 44f4c3ed
      Greg KH authored
      Sometimes, when a USB 3.0 device is disconnected, the Intel Panther
      Point xHCI host controller will report a link state change with the
      state set to "SS.Inactive".  This causes the xHCI host controller to
      issue a warm port reset, which doesn't finish before the USB core times
      out while waiting for it to complete.
      
      When the warm port reset does complete, and the xHC gives back a port
      status change event, the xHCI driver kicks khubd.  However, it fails to
      set the bit indicating there is a change event for that port because the
      logic in xhci-hub.c doesn't check for the warm port reset bit.
      
      After that, the warm port status change bit is never cleared by the USB
      core, and the xHC stops reporting port status change bits.  (The xHCI
      spec says it shouldn't report more port events until all change bits are
      cleared.) This means any port changes when a new device is connected
      will never be reported, and the port will seem "dead" until the xHCI
      driver is unloaded and reloaded, or the computer is rebooted.  Fix this
      by making the xHCI driver set the port change bit when a warm port reset
      change bit is set.
      
      A better solution would be to make the USB core handle warm port reset
      differently, merging the current code with the standard port reset
      code that does an incremental backoff on the timeout, and tries to
      complete the port reset two more times before giving up.  That more
      complicated fix will be merged next window, and this fix will be
      backported to stable.
      
      This should be backported to kernels as old as 3.0, since that was the
      first kernel with commit a11496eb ("xHCI: warm reset support").
      Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
      Cc: stable@kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      staging: fix comedi build when ISA_DMA_API is enabled but COMEDI_PCI is not enabled · c19cc78e
      Randy Dunlap authored
      Fix build when CONFIG_ISA_DMA_API is enabled but
      CONFIG_COMEDI_PCI[_DRIVERS] is not enabled.
      
      Fixes these build errors:
      
        drivers/staging/comedi/drivers/ni_labpc.c: In function 'labpc_ai_cmd':
        drivers/staging/comedi/drivers/ni_labpc.c:1351: error: implicit declaration of function 'labpc_suggest_transfer_size'
        drivers/staging/comedi/drivers/ni_labpc.c: At top level:
        drivers/staging/comedi/drivers/ni_labpc.c:1802: error: conflicting types for 'labpc_suggest_transfer_size'
        drivers/staging/comedi/drivers/ni_labpc.c:1351: note: previous implicit declaration of 'labpc_suggest_transfer_size' was here
      Signed-off-by: Randy Dunlap <rdunlap@xenotime.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Make taskstats round statistics down to nearest 1k bytes/events · 58c3c3aa
      Linus Torvalds authored
      Even with just the interface limited to admin, there really is little
      reason to give byte-per-byte counts for taskstats.  So round it down to
      something less intrusive.
      Acked-by: Balbir Singh <bsingharora@gmail.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Make TASKSTATS require root access · 1a51410a
      Linus Torvalds authored
      Ok, this isn't optimal, since it means that 'iotop' needs admin
      capabilities, and we may have to work on this some more.  But at the
      same time it is very much not acceptable to let anybody just read
      anybody else's IO statistics quite at this level.
      
      Use of the GENL_ADMIN_PERM suggested by Johannes Berg as an alternative
      to checking the capabilities by hand.
      Reported-by: Vasiliy Kulikov <segoon@openwall.com>
      Cc: Johannes Berg <johannes.berg@intel.com>
      Acked-by: Balbir Singh <bsingharora@gmail.com>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  2. 19 Sep, 2011 6 commits
  3. 18 Sep, 2011 10 commits
  4. 17 Sep, 2011 3 commits
  5. 16 Sep, 2011 13 commits
      iscsi-target: Fix sendpage breakage with proper padding+DataDigest iovec offsets · 40b05497
      Nicholas Bellinger authored
      This patch fixes a bug in the iscsit_fe_sendpage_sg() transmit codepath that
      was originally introduced with the v3.1 iscsi-target merge that incorrectly
      uses hardcoded cmd->iov_data_count values to determine cmd->iov_data[] offsets
      for extra outgoing padding and DataDigest payload vectors.
      
      This code is obviously incorrect for the DataDigest enabled case with sendpage
      offload, and this fix ensures correct operation for padding + DataDigest,
      padding only, and DataDigest only cases.  The bug was introduced during a
      pre-merge change in iscsit_fe_sendpage_sg() to natively use struct scatterlist
      instead of the legacy v3.0 struct se_mem logic.
      
      Cc: Andy Grover <agrover@redhat.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
      can: ti_hecc: include linux/io.h · 34b8686d
      Daniel Mack authored
      This fixes a build breakage for OMAP3 boards.
      Signed-off-by: Daniel Mack <zonque@gmail.com>
      Cc: Wolfgang Grandegger <wg@grandegger.com>
      Cc: netdev@vger.kernel.org
      Acked-by: Wolfgang Grandegger <wg@grandegger.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      IRDA: Fix global type conflicts in net/irda/irsysctl.c v2 · 9566042e
      Andi Kleen authored
      The externs here didn't agree with the declarations in qos.c.
      
      Better would be probably to move this into a header, but since it's
      common practice to have naked externs with sysctls I left it for now.
      
      Cc: samuel@sortiz.org
      Signed-off-by: Andi Kleen <ak@linux.intel.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      net: Handle different key sizes between address families in flow cache · aa1c366e
      dpward authored
      With the conversion of struct flowi to a union of AF-specific structs, some
      operations on the flow cache need to account for the exact size of the key.
      Signed-off-by: David Ward <david.ward@ll.mit.edu>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      net: Align AF-specific flowi structs to long · 728871bc
      David Ward authored
      AF-specific flowi structs are now passed to flow_key_compare, which must
      also be aligned to a long.
      Signed-off-by: David Ward <david.ward@ll.mit.edu>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      ipv4: Fix fib_info->fib_metrics leak · 19c1ea14
      Yan, Zheng authored
      Commit 4670994d(net,rcu: convert call_rcu(fc_rport_free_rcu) to
      kfree_rcu()) introduced a memory leak. This patch reverts it.
      Signed-off-by: Zheng Yan <zheng.z.yan@intel.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      caif: fix a potential NULL dereference · 4fb66b82
      Eric Dumazet authored
      Commit bd30ce4b (caif: Use RCU instead of spin-lock in caif_dev.c)
      added a potential NULL dereference in case alloc_percpu() fails.
      
      caif_device_alloc() can also use GFP_KERNEL instead of GFP_ATOMIC.
      Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
      CC: Sjur Brændeland <sjur.brandeland@stericsson.com>
      Acked-by: Sjur Brændeland <sjur.brandeland@stericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      sctp: deal with multiple COOKIE_ECHO chunks · d5ccd496
      Max Matveev authored
      Attempt to reduce the number of IP packets emitted in response to single
      SCTP packet (2e3216cd) introduced a complication - if a packet contains
      two COOKIE_ECHO chunks and nothing else then SCTP state machine corks the
      socket while processing first COOKIE_ECHO and then loses the association
      and forgets to uncork the socket. To deal with the issue add new SCTP
      command which can be used to set association explicitly. Use this new
      command when processing second COOKIE_ECHO chunk to restore the context
      for SCTP state machine.
      Signed-off-by: Max Matveev <makc@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Merge branch 'for-linus' of git://github.com/dtor/input · 279b1e0f
      Linus Torvalds authored
      * 'for-linus' of git://github.com/dtor/input:
        Input: wacom - fix touch parsing on newer Bamboos
        Input: bcm5974 - add MacBookAir4,1 trackpad support
        Input: wacom - add POINTER and DIRECT device properties
        Input: adp5588-keys - remove incorrect modalias
        Input: cm109 - fix checking return value of usb_control_msg
        Input: wacom - advertise BTN_TOOL_PEN and BTN_STYLUS for PenPartner
        Input: wacom - remove pressure for touch devices
      firewire: ohci: add no MSI quirk for O2Micro controller · f39aa30d
      Ming Lei authored
      This fixes https://bugs.launchpad.net/ubuntu/+source/linux/+bug/801719 .
      
      An O2Micro PCI Express FireWire controller,
      "FireWire (IEEE 1394) [0c00]: O2 Micro, Inc. Device [1217:11f7] (rev 05)"
      which is a combination device together with an SDHCI controller and some
      sort of storage controller, misses SBP-2 status writes from an attached
      FireWire HDD.  This problem goes away if MSI is disabled for this
      FireWire controller.
      
      The device reportedly does not require QUIRK_CYCLE_TIMER.
      Signed-off-by: Ming Lei <ming.lei@canonical.com>
      Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> (amended changelog)
      Cc: <stable@kernel.org>
      iscsi-target: Disable markers + remove dangerous local scope array usage · 2ff017f5
      Nicholas Bellinger authored
      This patch makes iscsi-target explicitly disable OFMarker=Yes and IFMarker=yes
      parameter key usage during iscsi login by setting IFMarkInt_Reject and
      OFMarkInt_Reject values in iscsi_enforce_integrity_rules() to effectively
      disable iscsi marker usage.  With this patch, an initiator proposer asking
      to enable either marker parameter keys will be issued a 'No' response, and
      the target sets OFMarkInt + IFMarkInt parameter key response to 'Irrelevant'.
      
      With markers disabled during iscsi login, this patch removes the problematic
      on-stack local-scope array for marker intervals in iscsit_do_rx_data() +
      iscsit_do_tx_data(), and other related marker code in iscsi_target_util.c.
      This fixes a potential stack smashing scenario with small range markers
      enabled and a large MRDSL as reported by DanC here:
      
      [bug report] target: stack can be smashed
      http://www.spinics.net/lists/target-devel/msg00453.html

      Reported-by: Dan Carpenter <error27@gmail.com>
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
      target: Skip non hex characters for VPD=0x83 NAA IEEE Registered Extended · 784eb99e
      Nicholas Bellinger authored
      This patch adds target_parse_naa_6h_vendor_specific() to address a bug where the
      conversion of PRODUCT SERIAL NUMBER to use hex2bin() in target_emulate_evpd_83()
      was not doing proper isxdigit() checking.  This conversion of the vpd_unit_serial
      configfs attribute is done while generating a VPD=0x83 NAA IEEE Registered
      Extended DESIGNATOR format's 100 bits of unique VENDOR SPECIFIC IDENTIFIER +
      VENDOR SPECIFIC IDENTIFIER EXTENSION area.
      
      This patch allows vpd_unit_serial (VPD=0x80) and the T10 Vendor ID DESIGNATOR
      format (VPD=0x83) to continue to use free-form variable length ASCII values,
      and now skips any non hex characters for fixed length NAA IEEE Registered Extended
      DESIGNATOR format (VPD=0x83) requiring the binary conversion.
      
      This was originally reported by Martin after the v3.1-rc1 change to use hex2bin()
      in commit 11650b85 where the use of non hex
      characters in vpd_unit_serial generated different values than the original
      v3.0 internal hex -> binary code.  This v3.1 change caused a problem with
      filesystems who write a NAA DESIGNATOR onto its ondisk metadata, and this patch
      will (again) change existing values to ensure that non hex characters are not
      included in the fixed length NAA DESIGNATOR.
      
      Note this patch still expects vpd_unit_serial to be set via existing userspace
      methods of uuid generation, and does not do strict formatting via configfs input.
      
      The original bug report and thread can be found here:
      
      NAA breakage
      http://www.spinics.net/lists/target-devel/msg00477.html
      
      The v3.1-rc1 formatting of VPD=0x83 w/o this patch:
      
      VPD INQUIRY: Device Identification page
        Designation descriptor number 1, descriptor length: 20
          designator_type: NAA,  code_set: Binary
          associated with the addressed logical unit
            NAA 6, IEEE Company_id: 0x1405
            Vendor Specific Identifier: 0xffde35ebf
            Vendor Specific Identifier Extension: 0x3092f498ffa820f9
            [0x6001405ffde35ebf3092f498ffa820f9]
        Designation descriptor number 2, descriptor length: 56
          designator_type: T10 vendor identification,  code_set: ASCII
          associated with the addressed logical unit
            vendor id: LIO-ORG
            vendor specific: IBLOCK:ffde35ec-3092-4980-a820-917636ca54f1
      
      The v3.1-final formatting of VPD=0x83 w/ this patch:
      
      VPD INQUIRY: Device Identification page
        Designation descriptor number 1, descriptor length: 20
          designator_type: NAA,  code_set: Binary
          associated with the addressed logical unit
            NAA 6, IEEE Company_id: 0x1405
            Vendor Specific Identifier: 0xffde35ec3
            Vendor Specific Identifier Extension: 0x924980a82091763
            [0x6001405ffde35ec30924980a82091763]
        Designation descriptor number 2, descriptor length: 56
          designator_type: T10 vendor identification,  code_set: ASCII
          associated with the addressed logical unit
            vendor id: LIO-ORG
            vendor specific: IBLOCK:ffde35ec-3092-4980-a820-917636ca54f1
      
      (v2: Fix parsing code to dereference + check for string terminator instead
           of null pointer to ensure a zeroed payload for vpd_unit_serial less
           than 100 bits of NAA DESIGNATOR VENDOR SPECIFIC area.  Also, remove
           the unnecessary bitwise assignment)
      Reported-by: Martin Svec <martin.svec@zoner.cz>
      Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
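The behaviour this commit message describes (skip non-hex characters, leave a short serial zero-filled), as an added example; it is not the kernel's target_parse_naa_6h_vendor_specific(), and the helper names are constructed. The header nibbles and the serial are taken from the output quoted in the message, so the result can be compared with the bracketed value shown there.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAA_BYTES 16			/* NAA IEEE Registered Extended designator */
#define NAA_NIBBLES (2 * NAA_BYTES)
#define HDR_NIBBLES 7			/* NAA type 6 + 24-bit company id */

/* Store a 4-bit value at nibble position idx (0 = high nibble of byte 0). */
static void put_nibble(unsigned char *buf, size_t idx, unsigned int v)
{
	buf[idx / 2] |= (unsigned char)((idx & 1) ? v : v << 4);
}

/* Value of one hex digit; callers pass only characters isxdigit() accepted. */
static unsigned int hex_value(unsigned char c)
{
	return isdigit(c) ? (unsigned int)(c - '0')
			  : (unsigned int)(tolower(c) - 'a' + 10);
}

/* Fill out[] with the header nibbles 6,0,0,1,4,0,5 (NAA 6, company id
 * 0x1405 as in the quoted output), then up to 25 hex digits of the serial,
 * skipping every non-hex character. Unused nibbles stay zero. Returns the
 * number of serial digits consumed. */
static size_t build_naa6(const char *serial, unsigned char out[NAA_BYTES])
{
	static const unsigned int hdr[HDR_NIBBLES] = { 6, 0, 0, 1, 4, 0, 5 };
	size_t idx, used = 0;

	memset(out, 0, NAA_BYTES);
	for (idx = 0; idx < HDR_NIBBLES; idx++)
		put_nibble(out, idx, hdr[idx]);
	/* Test the terminator itself, not the pointer, so short serials stop cleanly. */
	for (; *serial != '\0' && idx < NAA_NIBBLES; serial++) {
		if (!isxdigit((unsigned char)*serial))
			continue;
		put_nibble(out, idx++, hex_value((unsigned char)*serial));
		used++;
	}
	return used;
}

/* Render the designator as lowercase hex text (static buffer, not reentrant). */
static const char *naa6_hex(const char *serial)
{
	static char text[NAA_NIBBLES + 1];
	unsigned char d[NAA_BYTES];
	size_t i;

	build_naa6(serial, d);
	for (i = 0; i < NAA_BYTES; i++)
		sprintf(text + 2 * i, "%02x", d[i]);
	return text;
}

int main(void)
{
	/* Serial copied from the "vendor specific: IBLOCK:..." line quoted above. */
	printf("%s\n", naa6_hex("ffde35ec-3092-4980-a820-917636ca54f1"));
	printf("%s\n", naa6_hex("ab-cd"));	/* constructed short serial */
	return 0;
}
```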
      ibmveth: Fix checksum offload failure handling · fb82fd20
      Anton Blanchard authored
      Fix a number of issues in ibmveth_set_csum_offload:
      
      - set_attr6 and clr_attr6 may be used uninitialised
      
      - We store the result of the IPV4 checksum change in ret but overwrite
        it in a couple of places before checking it again later. Add ret4
        to make it obvious what we are doing.
      
      - We weren't clearing the NETIF_F_IP_CSUM and NETIF_F_IPV6_CSUM flags
        if the enable of that hypervisor feature failed.
      Signed-off-by: Anton Blanchard <anton@samba.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>