summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2007-11-16Linux 2.6.23.8v2.6.23.8Greg Kroah-Hartman
2007-11-16wait_task_stopped: Check p->exit_state instead of TASK_TRACED (CVE-2007-5500)Roland McGrath
patch a3474224e6a01924be40a8255636ea5522c1023a in mainline The original meaning of the old test (p->state > TASK_STOPPED) was "not dead", since it was before TASK_TRACED existed and before the state/exit_state split. It was a wrong correction in commit 14bf01bb0599c89fc7f426d20353b76e12555308 to make this test for TASK_TRACED instead. It should have been changed when TASK_TRACED was introducted and again when exit_state was introduced. Signed-off-by: Roland McGrath <roland@redhat.com> Cc: Oleg Nesterov <oleg@tv-sign.ru> Cc: Alexey Dobriyan <adobriyan@sw.ru> Cc: Kees Cook <kees@ubuntu.com> Acked-by: Scott James Remnant <scott@ubuntu.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16TCP: Make sure write_queue_from does not begin with NULL ptr (CVE-2007-5501)Ilpo Järvinen
patch 96a2d41a3e495734b63bff4e5dd0112741b93b38 in mainline. NULL ptr can be returned from tcp_write_queue_head to cached_skb and then assigned to skb if packets_out was zero. Without this, system is vulnerable to a carefully crafted ACKs which obviously is remotely triggerable. Besides, there's very little that needs to be done in sacktag if there weren't any packets outstanding, just skipping the rest doesn't hurt. Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi> Signed-off-by: David S. Miller <davem@davemloft.net>
2007-11-16Linux 2.6.23.7v2.6.23.7Greg Kroah-Hartman
2007-11-16NFS: Fix a writeback race...Trond Myklebust
patch 61e930a904966cc37e0a3404276f0b73037e57ca in mainline This patch fixes a regression that was introduced by commit 44dd151d5c21234cc534c47d7382f5c28c3143cd We cannot zero the user page in nfs_mark_uptodate() any more, since a) We'd be modifying the page without holding the page lock b) We can race with other updates of the page, most notably because of the call to nfs_wb_page() in nfs_writepage_setup(). Instead, we do the zeroing in nfs_update_request() if we see that we're creating a request that might potentially be marked as up to date. Thanks to Olivier Paquet for reporting the bug and providing a test-case. Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16ocfs2: fix write() performance regressionMark Fasheh
patch 4e9563fd55ff4479f2b118d0757d121dd0cfc39c in mainline. ocfs2: fix write() performance regression On file systems which don't support sparse files, Ocfs2_map_page_blocks() was reading blocks on appending writes. This caused write performance to suffer dramatically. Fix this by detecting an appending write on a nonsparse fs and skipping the read. Signed-off-by: Mark Fasheh <mark.fasheh@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16minixfs: limit minixfs printks on corrupted dir i_size (CVE-2006-6058)Eric Sandeen
patch f44ec6f3f89889a469773b1fd894f8fcc07c29cf upstream. This attempts to address CVE-2006-6058 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6058 first reported at http://projects.info-pull.com/mokb/MOKB-17-11-2006.html Essentially a corrupted minix dir inode reporting a very large i_size will loop for a very long time in minix_readdir, minix_find_entry, etc, because on EIO they just move on to try the next page. This is under the BKL, printk-storming as well. This can lock up the machine for a very long time. Simply ratelimiting the printks gets things back under control. Make the message a bit more informative while we're here. Signed-off-by: Eric Sandeen <sandeen@redhat.com> Cc: Bodo Eggert <7eggert@gmx.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16Linux 2.6.23.6v2.6.23.6Greg Kroah-Hartman
2007-11-16ACPI: suspend: Wrong order of GPE restore.Alexey Starikovskiy
commit 1dbc1fda5d8ca907f320b806005d4a447977d26a in mainline. ACPI: suspend: Wrong order of GPE restore. acpi_leave_sleep_state() should have correct list of wake and runtime GPEs, which is available only after disable_wakeup_device() is called. [cebbert@redhat.com: backport to 2.6.23] Signed-off-by: Alexey Starikovskiy <astarikovskiy@suse.de> Acked-by: Rafael J. Wysocki <rjw@sisk.pl> Signed-off-by: Len Brown <len.brown@intel.com> Cc: Chuck Ebbert <cebbert@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16ACPI: sleep: Fix GPE suspend cleanupAlexey Starikovskiy
patch is 9c1c6a1ba786d58bd03e27ee49f89a5685e8e07b in mainline. ACPI: sleep: Fix GPE suspend cleanup Commit 9b039330808b83acac3597535da26f47ad1862ce removed acpi_gpe_sleep_prepare(), the only function used at S5 transition Add call to generic acpi_enable_wake_device(). Reference: https://bugzilla.novell.com/show_bug.cgi?id=299882 Signed-off-by: Alexey Starikovskiy <astarikovskiy@suse.de> Acked-by: Rafael J. Wysocki <rjw@sisk.pl> Signed-off-by: Len Brown <len.brown@intel.com> Cc: Chuck Ebbert <cebbert@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16libata: backport ATA_FLAG_NO_SRST and ATA_FLAG_ASSUME_ATA, part 2Tejun Heo
Differs from mainline, but the functionality is already there. P5W-DH Deluxe has ICH7R which doesn't have PMP support but SIMG 4726 hardwired to the second port of AHCI controller at PCI device 1f.2. The 4726 doesn't work as PMP but as a storage processor which can do hardware RAID on downstream ports. When no device is attached to the downstream port of the 4726, pseudo ATA device for configuration appears. Unfortunately, ATA emulation on the device is very lousy and causes long hang during boot. This patch implements workaround for the board. If the mainboard is P5W-DH Deluxe (matched using DMI), only hardreset is used on the second port of AHCI controller @ 1f.2 and the hardreset doesn't depend on receiving the first FIS and just proceed to IDENTIFY. This workaround fixes bugzilla #8923. http://bugzilla.kernel.org/show_bug.cgi?id=8923 Signed-off-by: Tejun Heo <htejun@gmail.com> Cc: Jeff Garzik <jeff@garzik.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16libata: backport ATA_FLAG_NO_SRST and ATA_FLAG_ASSUME_ATATejun Heo
Differs from mainline, but the functionality is already there. Backport ATA_FLAG_NO_SRST and ATA_FLAG_ASSUME_ATA. These are originally link flags (ATA_LFLAG_*) but link abstraction doesn't exist on 2.6.23, so make it port flags. This is for the following workaround for ASUS P5W DH Deluxe. These new flags don't introduce any behavior change unless set and nobody sets them yet. Signed-off-by: Tejun Heo <htejun@gmail.com> Cc: Jeff Garzik <jeff@garzik.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16libata: add HTS542525K9SA00 to NCQ blacklistTejun Heo
patch e14cbfa630cd3ab2631ee21b718b290928f47868 in mainline. Another one doing spurious NCQ completions. Blacklist it. Signed-off-by: Tejun Heo <htejun@gmail.com> Cc: Luca Tettamanti <kronos.it@gmail.com> Signed-off-by: Jeff Garzik <jeff@garzik.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16radeon: set the address to access the GART table on the CPU side correctlyDave Airlie
Upstream as 7fc86860cf73e060ab8ed9763010dfe5b5389b1c This code relied on the CPU and GPU address for the aperture being the same, On some r5xx hardware I was playing with I noticed that this isn't always true. This fixes issues seen on some r400 cards. (bugs.freedesktop.org 9957) Signed-off-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16Char: moxa, fix and optimise empty timerJiri Slaby
patch c43422053bea7a5ce09f18d0c50a606fe1a549f4 in mainline. moxa, fix and optimise empty timer don't wait and delete empty timer in empty timer function. Also fire next empty timer at rounded jiffies to save power. This fixes a lockup, because we wait for ourselves to finish forever. (i.e. sync called from the timer itself). Signed-off-by: Jiri Slaby <jirislaby@gmail.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16Char: rocket, fix dynamic_dev ttyJiri Slaby
patch ac6aec2f5683588361ab408cb3346b08c66bdfbe in mainline. - register_device unconditionally (non-pci dependent) to have also isa devices in /dev - unregister devices on module removal - don't set TTY_DRIVER_DYNAMIC_DEV twice (removed the one dependent on some macro) This is the substantial part of the patch and the previous point is for not checking which devices to unregister and which not (simply register and unregister all found no matter on which bus they are plugged). Signed-off-by: Jiri Slaby <jirislaby@gmail.com> Cc: Ferenc Wagner <wferi@niif.hu> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16hptiop: avoid buffer overflow when returning sense dataHighPoint Linux Team
patch 0fec02c93f60fb44ba3a24a0d3e4a52521d34d3f in mainline. avoid buffer overflow when returning sense data. With current adapter firmware the driver is working but future firmware updates may return sense data larger than 96 bytes, causing overflow on scp->sense_buffer and a kernel crash. This fix should be backported to earlier kernels. Signed-off-by: HighPoint Linux Team <linux@highpoint-tech.com> Signed-off-by: James Bottomley <James.Bottomley@steeleye.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16ide: Fix cs5535 driver accessing beyond array boundaryBenjamin Herrenschmidt
patch 15d8061bf02aa299b2447f7a22fd18b4a503ea9d in mainline. The cs5535 uses an incorrect construct to access the other drive of a pair, causing it to access beyond an array boundary on the secondary interface. This fixes it by using the new ide_get_paired_drive() helper instead. Bart: patch description fixes Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Andrew Morton <akpm@osdl.org> Acked-by: Sergei Shtylyov <sshtylyov@ru.mvista.com> Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16ide: Fix siimage driver accessing beyond array boundaryBenjamin Herrenschmidt
patch a87a87ccdc541e0a0cc8c7d01a365be8d9153a7b in mainline. The siimage uses an incorrect construct to access the other drive of a pair, causing it to access beyond an array boundary on the secondary interface. This fixes it by using the new ide_get_paired_drive() helper instead. Bart: patch description fixes Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Andrew Morton <akpm@osdl.org> Acked-by: Sergei Shtylyov <sshtylyov@ru.mvista.com> Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16ide: Add ide_get_paired_drive() helperBenjamin Herrenschmidt
patch 1b678347121001c3c230c6eccfdf9f65c3ec1a4e in mainline. This adds a helper to get to the "other" drive on a pair connected to a given hwif. Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Cc: Andrew Morton <akpm@osdl.org> Acked-by: Sergei Shtylyov <sshtylyov@ru.mvista.com> Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16ide: fix serverworks.c UDMA regressionTony Battersby
patch 0c824b51b338c808de650b440ba5f9f4a725f7fc in mainline. The patch described by the following excerpt from ChangeLog-2.6.22 makes it impossible to use UDMA on a Tyan S2707 motherboard (SvrWks CSB5): commit 2d5eaa6dd744a641e75503232a01f52d0768884c Author: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com> Date: Thu May 10 00:01:08 2007 +0200 ide: rework the code for selecting the best DMA transfer mode (v3) ... This one-line patch against 2.6.23 fixes the problem. Signed-off-by: Tony Battersby <tonyb@cybernetics.com> Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16i4l: fix random freezes with AVM B1 driversKarsten Keil
patch 9713d9e650045f7f2afd81d58a068827be306993 in mainline. This fix the same issue which was debbuged for the C4 controller for the B1 versions. The capilib_ function modify or traverse a linked list without locking. This patch extends the existing locking to the calls of these function to prevent access to a list which is in the middle of a modification. Signed-off-by: Karsten Keil <kkeil@suse.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16i4l: Fix random hard freeze with AVM c4 cardKarsten Keil
patch 1ccfd63367c1a6aaf8b33943f18856dde85f2f0b in mainline. The patch - Includes the call to capilib_data_b3_req in the spinlock. This routine in turn calls the offending mq_enqueue routine that triggered the freeze if not locked. This should also fix other indicators of incosistent capilib_msgidqueue list, that trigger messages like: Oct 5 03:05:57 BERL0 kernel: kcapi: msgid 3019 ncci 0x30301 not on queue that we saw several times a day (usually several in a row). - Fixes all occurrences of c4_dispatch_tx to be called with active spinlock, there were some instances where no lock was active. Mostly these are in very infrequently called routines, so the additional performance penalty is minimal. Signed-off-by: Karsten Keil <kkeil@suse.de> Signed-off-by: Rainer Brestan <rainer.brestan@frequentis.com> Signed-off-by: Ralf Schlatterbeck <rsc@runtux.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16ALSA: hda-codec - Add array terminator for dmic in STAC codecTakashi Iwai
patch f6e9852ad05fa28301c83d4e2b082620de010358 in mainline. [ALSA] hda-codec - Add array terminator for dmic in STAC codec Reported by Jan-Marek Glogowski. The dmic array is passed to snd_hda_parse_pin_def_config() and should be zero-terminated. Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16USB: usbserial - fix potential deadlock between write() and IRQJiri Kosina
patch acd2a847e7fee7df11817f67dba75a2802793e5d in mainline. USB: usbserial - fix potential deadlock between write() and IRQ usb_serial_generic_write() doesn't disable interrupts when taking port->lock, and could therefore deadlock with usb_serial_generic_read_bulk_callback() being called from interrupt, taking the same lock. Fix it. Signed-off-by: Jiri Kosina <jkosina@suse.cz> Acked-by: Larry Finger <larry.finger@lwfinger.net> Cc: Marcin Slusarz <marcin.slusarz@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16USB: add URB_FREE_BUFFER to permissible flagsOliver Neukum
patch 0b28baaf74ca04be2e0cc4d4dd2bbc801697f744 in mainline. URB_FREE_BUFFER needs to be allowed in the sanity checks to use drivers that use that flag. Signed-off-by: Oliver Neukum <oneukum@suse.de> Acked-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16USB: mutual exclusion for EHCI init and port resetsAlan Stern
patch 32fe01985aa2cb2562f6fc171e526e279abe10db in mainline. This patch (as999) fixes a problem that sometimes shows up when host controller driver modules are loaded in the wrong order. If ehci-hcd happens to initialize an EHCI controller while the companion OHCI or UHCI controller is in the middle of a port reset, the reset can fail and the companion may get very confused. The patch adds an rw-semaphore and uses it to keep EHCI initialization and port resets mutually exclusive. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Acked-by: David Brownell <david-b@pacbell.net> Cc: David Miller <davem@davemloft.net> Cc: Dely L Sy <dely.l.sy@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16usb-gadget-ether: prevent oops caused by error interrupt raceBenedikt Spranger
patch 5395353e0c8272fe73ac914acd7e4add0da2bef0 in mainline. Fix a longstanding race in the Ethernet gadget driver, which can cause an oops on device disconnect. The fix is just to make the TX path check whether its freelist is empty. That check is otherwise not necessary, since the queue is always stopped when that list empties (and restarted when request completion puts an entry back on that freelist). The race window starts when the network code decides to transmit a packet, and ends when hard_start_xmit() grabs the freelist lock. When disconnect() is called inside that window, it shuts down the TX queue and breaks the otherwise-solid assumption that packets are never sent through a TX queue that's stopped. Signed-off-by: Benedikt Spranger <bene@linutronix.de> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: David Brownell <dbrownell@users.sourceforge.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16USB: remove USB_QUIRK_NO_AUTOSUSPENDAlan Stern
patch a691efa9888e71232dfb4088fb8a8304ffc7b0f9 in mainline. This patch (as995) cleans up the remains of the former NO_AUTOSUSPEND quirk. Since autosuspend is disabled by default, we will let userspace worry about which devices can safely be suspended. Thus the lengthy series of quirk entries is no longer needed, and neither is the quirk ID. I suppose someone might eventually run across a hub that can't be suspended; let's ignore the possibility for now. The patch also cleans up the hasty way in which autosuspend gets disabled. Setting udev->autosuspend_delay to -1 wasn't quite right, because the value is always supposed to be a multiple of HZ. It's better to leave the delay value alone and set autosuspend_disabled, which is what the quirk routine used to do. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16MSI: Use correct data offset for 32-bit MSI in read_msi_msg()Roland Dreier
patch cbf5d9e6b9bcf03291cbb51db144b3e2773a8a2d in mainline. While reading the MSI code trying to find a reason why MSI wouldn't work for devices that have a 32-bit MSI address capability, I noticed that read_msi_msg() seems to read the message data from the wrong offset in this case. Signed-off-by: Roland Dreier <roland@digitalvampire.org> Acked-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16md: raid5: fix clearing of biofill operationsDan Williams
raid5: fix clearing of biofill operations This is the correct merge of the two upstream patches for this issue (it was mis-merged...) ops_complete_biofill() runs outside of spin_lock(&sh->lock) and clears the 'pending' and 'ack' bits. Since the test_and_ack_op() macro only checks against 'complete' it can get an inconsistent snapshot of pending work. Move the clearing of these bits to handle_stripe5(), under the lock. Signed-off-by: Dan Williams <dan.j.williams@intel.com> Tested-by: Joel Bertrand <joel.bertrand@systella.fr> Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16md: fix an unsigned compare to allow creation of bitmaps with v1.0 metadataNeilBrown
patch 85bfb4da8cad483a4e550ec89060d05a4daf895b in mainline. As page->index is unsigned, this all becomes an unsigned comparison, which almost always returns an error. Signed-off-by: Neil Brown <neilb@suse.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16dm: fix thaw_bdevJun'ichi Nomura
patch ae9da83f6d800fe1f3b23bfbc8f7222ad1c5bb74 in mainline. This patch fixes a bd_mount_sem counter corruption bug in device-mapper. thaw_bdev() should be called only when freeze_bdev() was called for the device. Otherwise, thaw_bdev() will up bd_mount_sem and corrupt the semaphore counter. struct block_device with the corrupted semaphore may remain in slab cache and be reused later. Attached patch will fix it by calling unlock_fs() instead. unlock_fs() will determine whether it should call thaw_bdev() by checking the device is frozen or not. Easy reproducer is: #!/bin/sh while [ 1 ]; do dmsetup --notable create a dmsetup --nolockfs suspend a dmsetup remove a done It's not easy to see the effect of corrupted semaphore. So I have tested with putting printk below in bdev_alloc_inode(): if (atomic_read(&ei->bdev.bd_mount_sem.count) != 1) printk(KERN_DEBUG "Incorrect semaphore count = %d (%p)\n", atomic_read(&ei->bdev.bd_mount_sem.count), &ei->bdev); Without the patch, I saw something like: Incorrect semaphore count = 17 (f2ab91c0) With the patch, the message didn't appear. The bug was introduced in 2.6.16 with this bug fix: commit d9dde59ba03095e526640988c0fedd75e93bc8b7 Date: Fri Feb 24 13:04:24 2006 -0800 [PATCH] dm: missing bdput/thaw_bdev at removal Need to unfreeze and release bdev otherwise the bdev inode with inconsistent state is reused later and cause problem. and backported to 2.6.15.5. It occurs only in free_dev(), which is called only when the dm device is removed. The buggy code is executed only if md->suspended_bdev is non-NULL and that can happen only when the device was suspended without noflush. Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com> Signed-off-by: Alasdair G Kergon <agk@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16dm delay: fix statusMilan Broz
patch 79662d1ea37392651f2cff08626cab6a40ba3adc in mainline. Fix missing space in dm-delay target status output if separate read and write delay are configured. Signed-off-by: Milan Broz <mbroz@redhat.com> Signed-off-by: Alasdair G Kergon <agk@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16libata: sync NCQ blacklist with upstreamTejun Heo
Synchronize NCQ blacklist with the current upstream. Based on changes already in Linus's 2.6.24-rc kernel tree. Signed-off-by: Tejun Heo <htejun@gmail.com> Cc: Jeff Garzik <jeff@garzik.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16ALSA: hdsp - Fix zero divisionTakashi Iwai
patch 2a3988f6d2c5be9d02463097775d1c66a8290527 in mainline. Fix zero-division bug in the calculation dds offset. Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Jaroslav Kysela <perex@perex.cz> Cc: Maarten Bressers <mbressers@gmail.com> Cc: gentoo kernel <kernel@gentoo.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16ALSA: emu10k1 - Fix memory corruptionTakashi Iwai
patch 7583cb51a1e276591f57a2fae05489c878f8ef54 from mainline. [ALSA] emu10k1 - Fix memory corruption The number of mixer elements for SPDIF control don't match with the actual array size (3). This may result in a memory corruption that overwrites the i2c_capture_source field (ALSA bug#3095). Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16ALSA: Fix build error without CONFIG_HAS_DMATakashi Iwai
patch 8f11551b1798170dcffdd28475075ca4f1c6c990 in mainline [ALSA] Fix build error without CONFIG_HAS_DMA The recent change of include/asm-generic/dma-mapping-broken.h breaks the build without CONFIG_HAS_DMA. This patch is an ad hoc fix. Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16ALSA: fix selector unit bug affecting some USB speakerphonesRuss Cox
patch 38977e96cb32e658716e11a05ec7f1fc4618e0f3 in mainline. [ALSA] fix selector unit bug affecting some USB speakerphones Following the suggestion in this thread: https://bugs.launchpad.net/ubuntu/+source/alsa-lib/+bug/26683 the correct upper bound on desc[0] is 5 + num_ins not 6 + num_ins, because the index used later is 5+i, not 6+i. This change makes my Vosky Chatterbox speakerphone work. Apparently it also helps with the Minivox MV100. Signed-off-by: Russ Cox <rsc@swtch.com> Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16ALSA: hda-codec - Avoid zero NID in line_out_pins[] of STAC codecsTakashi Iwai
patch c480f79bdca58923e605ff5e4698cfe1779bae70 in mainline [ALSA] hda-codec - Avoid zero NID in line_out_pins[] of STAC codecs The STAC codes adds line_out_pins[] for shared mic/line-inputs accordingly. But, the current code may give a hole with NID=0 in some setting, which results in an error at probe. This patch fixes the problem. Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16IB/mthca: Use mmiowb() to avoid firmware commands getting jumbled upRoland Dreier
Upstream as 76d7cc0345a037e8eea426f8abc710abd22946dd Firmware commands are sent to the HCA by writing multiple words to a command register block. Access to this block of registers is serialized with a mutex. However, on large SGI systems, problems were seen with multiple CPUs issuing FW commands at the same time, because the writes to the register block may be reordered within the system interconnect and reach the HCA in a different order than they were issued (even with the mutex). Fix this by adding an mmiowb() before dropping the mutex. Tested-by: Arthur Kepner <akepner@sgi.com> Signed-off-by: Roland Dreier <rolandd@cisco.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16IB/uverbs: Fix checking of userspace object ownershipRoland Dreier
Upstream as cbfb50e6e2e9c580848c0f51d37c24cdfb1cb704 Commit 9ead190b ("IB/uverbs: Don't serialize with ib_uverbs_idr_mutex") rewrote how userspace objects are looked up in the uverbs module's idrs, and introduced a severe bug in the process: there is no checking that an operation is being performed by the right process any more. Fix this by adding the missing check of uobj->context in __idr_get_uobj(). Apparently everyone is being very careful to only touch their own objects, because this bug was introduced in June 2006 in 2.6.18, and has gone undetected until now. Signed-off-by: Roland Dreier <rolandd@cisco.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16hwmon/lm87: Disable VID when it should beJean Delvare
Already in Linus' tree: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=889af3d5d9586db795a06c619e416b4baee11da8 A stupid bit shifting bug caused the VID value to be always exported even when the hardware is configured for something different. Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Mark M. Hoffman <mhoffman@lightlink.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16hwmon/lm87: Fix a division by zeroJean Delvare
Already in Linus' tree: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=b965d4b7f614522170af6a7e450be0333792ccd2 Missing parentheses in the definition of FAN_FROM_REG cause a division by zero for a specific register value. Signed-off-by: Jean Delvare <khali@linux-fr.org> Acked-by: Hans de Goede <j.w.r.degoede@hhs.nl> Signed-off-by: Mark M. Hoffman <mhoffman@lightlink.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16hwmon/w83627hf: Don't assume bank 0Jean Delvare
Already in Linus' tree: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=d58df9cd788e6fb4962e1c8d5ba7b8b95d639a44 The bank switching code assumes that the bank selector is set to 0 when the driver is loaded. This might not be the case. This is exactly the same bug as was fixed in the w83627ehf driver two months ago: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=0956895aa6f8dc6a33210967252fd7787652537d In practice, this bug was causing the sensor thermal types to be improperly reported for my W83627THF the first time I was loading the w83627hf driver. From the driver history, I'd say that it has been broken since September 2005 (when we stopped resetting the chip by default at driver load.) Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Mark M. Hoffman <mhoffman@lightlink.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16hwmon/w83627hf: Fix setting fan min right after driver loadJean Delvare
Already in Linus' tree: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=c09c5184a26158da32801e89d5849d774605f0dd We need to read the fan clock dividers at initialization time, otherwise the code in store_fan_min() may use uninitialized values. That's pretty much the same bug and same fix as for the w83627ehf driver last month. Signed-off-by: Jean Delvare <khali@linux-fr.org> Signed-off-by: Mark M. Hoffman <mhoffman@lightlink.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16i915: fix vbl swap allocation size.Dave Airlie
This is upstream as 54583bf4efda79388fc13163e35c016c8bc5de81 Oops... Signed-off-by: Dave Airlie <airlied@linux.ie> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16POWERPC: Fix platinumfb framebufferBenjamin Herrenschmidt
Patch 4c2a54b09ba35a409afc34bd331a57a994921664 in mailine. Current kernels have a non-working platinumfb due to some resource management issues. This fixes it. Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: Paul Mackerras <paulus@samba.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2007-11-16Linux 2.6.23.5v2.6.23.5Greg Kroah-Hartman
2007-11-16zd1211rw, fix oops when ejecting install mediaMarc Pignat
patch e0579d576cb894a4cf3c5af04fbf38e8c1281738 in mainline. The disconnect function can dereference the net_device structure when it is never allocated. This is the case when ejecting the device installer. Signed-off-by: Marc Pignat <marc.pignat@hevs.ch> Acked-by: Daniel Drake <dsd@gentoo.org> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>