1
Commit Graph

233641 Commits

Author SHA1 Message Date
Tejun Heo
e7407d1619 block: bd_link_disk_holder() should hold on to holder_dir
The new implementation of bd_link_disk_holder() added by 49731baa41
(block: restore multiple bd_link_disk_holder() support) didn't get an
extra reference for the holder_dir kobject of the slave bdev; however,
bdev kills holder_dir on removal, not release, so if the slave bdev is
removed while there are holder links, the holder_dir will be destroyed
while there still are holder links, which leads to oops later when
bd_unlink_disk_order() tries to remove those links.

Make bd_link_disk_holder() grab an extra reference for the slave's
holder_dir and put it in bd_unlink_disk_holder().

Signed-off-by: Tejun Heo <tj@kernel.org>
Reported-by: "Hawrylewicz Czarnowski, Przemyslaw" <przemyslaw.hawrylewicz.czarnowski@intel.com>
Tested-by: "Hawrylewicz Czarnowski, Przemyslaw" <przemyslaw.hawrylewicz.czarnowski@intel.com>
Cc: Neil Brown <neilb@suse.de>
Cc: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-02-24 08:55:55 -08:00
Miklos Szeredi
8074b26f67 mm: fix refcounting in swapon
Grab a reference to bdev before calling blkdev_get(), which expects
the refcount to be already incremented and either returns success or
decrements the refcount and returns an error.

The bug was introduced by e525fd89 (block: make blkdev_get/put()
handle exclusive access), which didn't take into account this behavior
of blkdev_get().

Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-02-24 08:55:01 -08:00
Miklos Szeredi
3c522cedb5 block: fix refcounting in BLKBSZSET
Adam Kovari and others reported that disconnecting an USB drive with
an ntfs-3g filesystem would cause "kernel BUG at fs/inode.c:1421!" to
be triggered.

The BUG could be traced back to ioctl(BLKBSZSET), which would
erroneously decrement the refcount on the bdev.  This is because
blkdev_get() expects the refcount to be already incremented and either
returns success or decrements the refcount and returns an error.

The bug was introduced by e525fd89 (block: make blkdev_get/put()
handle exclusive access), which didn't take into account this behavior
of blkdev_get().

This fixes
  https://bugzilla.kernel.org/show_bug.cgi?id=29202
(and likely 29792 too)

Reported-by: Adam Kovari <kovariadam@gmail.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-02-24 08:54:21 -08:00
Linus Torvalds
dcace5ac85 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:
  Unlock vfsmount_lock in do_umount
2011-02-24 08:39:46 -08:00
J. R. Okajima
bf9faa2aa3 Unlock vfsmount_lock in do_umount
By the commit
	b3e19d9 2011-01-07 fs: scale mntget/mntput
vfsmount_lock was introduced around testing mnt_count.
Fix the mis-typed 'unlock'

Signed-off-by: J. R. Okajima <hooanon05@yahoo.co.jp>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2011-02-24 02:10:57 -05:00
Hugh Dickins
a3e8cc643d mm: fix possible cause of a page_mapped BUG
Robert Swiecki reported a BUG_ON(page_mapped) from a fuzzer, punching
a hole with madvise(,, MADV_REMOVE).  That path is under mutex, and
cannot be explained by lack of serialization in unmap_mapping_range().

Reviewing the code, I found one place where vm_truncate_count handling
should have been updated, when I switched at the last minute from one
way of managing the restart_addr to another: mremap move changes the
virtual addresses, so it ought to adjust the restart_addr.

But rather than exporting the notion of restart_addr from memory.c, or
converting to restart_pgoff throughout, simply reset vm_truncate_count
to 0 to force a rescan if mremap move races with preempted truncation.

We have no confirmation that this fixes Robert's BUG,
but it is a fix that's worth making anyway.

Signed-off-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-02-23 21:55:06 -08:00
Miklos Szeredi
2aa15890f3 mm: prevent concurrent unmap_mapping_range() on the same inode
Michael Leun reported that running parallel opens on a fuse filesystem
can trigger a "kernel BUG at mm/truncate.c:475"

Gurudas Pai reported the same bug on NFS.

The reason is, unmap_mapping_range() is not prepared for more than
one concurrent invocation per inode.  For example:

  thread1: going through a big range, stops in the middle of a vma and
     stores the restart address in vm_truncate_count.

  thread2: comes in with a small (e.g. single page) unmap request on
     the same vma, somewhere before restart_address, finds that the
     vma was already unmapped up to the restart address and happily
     returns without doing anything.

Another scenario would be two big unmap requests, both having to
restart the unmapping and each one setting vm_truncate_count to its
own value.  This could go on forever without any of them being able to
finish.

Truncate and hole punching already serialize with i_mutex.  Other
callers of unmap_mapping_range() do not, and it's difficult to get
i_mutex protection for all callers.  In particular ->d_revalidate(),
which calls invalidate_inode_pages2_range() in fuse, may be called
with or without i_mutex.

This patch adds a new mutex to 'struct address_space' to prevent
running multiple concurrent unmap_mapping_range() on the same mapping.

[ We'll hopefully get rid of all this with the upcoming mm
  preemptibility series by Peter Zijlstra, the "mm: Remove i_mmap_mutex
  lockbreak" patch in particular.  But that is for 2.6.39 ]

Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Reported-by: Michael Leun <lkml20101129@newton.leun.net>
Reported-by: Gurudas Pai <gurudas.pai@oracle.com>
Tested-by: Gurudas Pai <gurudas.pai@oracle.com>
Acked-by: Hugh Dickins <hughd@google.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-02-23 19:52:52 -08:00
Linus Torvalds
78794b2cde Revert "Bluetooth: Enable USB autosuspend by default on btusb"
This reverts commit 556ea928f7.

Jeff Chua reports that it can cause some bluetooth devices (he mentions
an Bluetooth Intermec scanner) to just stop responding after a while
with messages like

  [ 4533.361959] btusb 8-1:1.0: no reset_resume for driver btusb?
  [ 4533.361964] btusb 8-1:1.1: no reset_resume for driver btusb?

from the kernel. See also

  https://bugzilla.kernel.org/show_bug.cgi?id=26182

for other reports.

Reported-by: Jeff Chua <jeff.chua.linux@gmail.com>
Reported-by: Andrew Meakovski <meako@bigmir.net>
Reported-by: Jim Faulkner <jfaulkne@ccs.neu.edu>
Acked-by: Greg KH <gregkh@suse.de>
Acked-by: Matthew Garrett <mjg@redhat.com>
Acked-by: Gustavo F. Padovan <padovan@profusion.mobi>
Cc: stable@kernel.org (for 2.6.37)
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-02-23 19:42:03 -08:00
Linus Torvalds
ef3242859f Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (33 commits)
  Added support for usb ethernet (0x0fe6, 0x9700)
  r8169: fix RTL8168DP power off issue.
  r8169: correct settings of rtl8102e.
  r8169: fix incorrect args to oob notify.
  DM9000B: Fix PHY power for network down/up
  DM9000B: Fix reg_save after spin_lock in dm9000_timeout
  net_sched: long word align struct qdisc_skb_cb data
  sfc: lower stack usage in efx_ethtool_self_test
  bridge: Use IPv6 link-local address for multicast listener queries
  bridge: Fix MLD queries' ethernet source address
  bridge: Allow mcast snooping for transient link local addresses too
  ipv6: Add IPv6 multicast address flag defines
  bridge: Add missing ntohs()s for MLDv2 report parsing
  bridge: Fix IPv6 multicast snooping by correcting offset in MLDv2 report
  bridge: Fix IPv6 multicast snooping by storing correct protocol type
  p54pci: update receive dma buffers before and after processing
  fix cfg80211_wext_siwfreq lock ordering...
  rt2x00: Fix WPA TKIP Michael MIC failures.
  ath5k: Fix fast channel switching
  tcp: undo_retrans counter fixes
  ...
2011-02-23 16:02:00 -08:00
Linus Torvalds
b5f7376eb3 Merge branch 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6
* 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
  amd64-agp: fix crash at second module load
  drm/radeon: fix regression with AA resolve checking
  drm: drop commented out code and preceding comment
  drm/vblank: Enable precise vblank timestamps for interlaced and doublescan modes.
  drm/vblank: Use memory barriers optimized for atomic_t instead of generics.
  drm/vblank: Use abs64(diff_ns) for s64 diff_ns instead of abs(diff_ns)
  drm/radeon/kms: align height of fb allocation.
  Revert "drm/radeon/kms: switch back to min->max pll post divider iteration"
2011-02-23 15:51:26 -08:00
David S. Miller
518d020a18 Merge branch 'r8169-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/romieu/netdev-2.6 2011-02-23 15:03:11 -08:00
Linus Torvalds
57949e8006 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
  Input: serio/gameport - use 'long' system workqueue
  Input: synaptics - document 0x0c query
  Input: tegra-kbc - add function keymap
2011-02-23 14:44:25 -08:00
Linus Torvalds
13d1ea9a20 Merge branch 'for-linus' of git://oss.sgi.com/xfs/xfs
* 'for-linus' of git://oss.sgi.com/xfs/xfs:
  xfs: check if device support discard in xfs_ioc_trim()
  xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
2011-02-23 14:44:02 -08:00
Shahar Havivi
67158cebde Added support for usb ethernet (0x0fe6, 0x9700)
The device is very similar to (0x0fe6, 0x8101),
And works well with dm9601 driver.

Signed-off-by: Shahar Havivi <shaharh@redhat.com>
Acked-by: Peter Korsgaard <jacmet@sunsite.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-23 14:32:28 -08:00
Hayes Wang
5d2e19572a r8169: fix RTL8168DP power off issue.
- fix the RTL8111DP turn off the power when DASH is enabled.
- RTL_GIGA_MAC_VER_27 must wait for tx finish before reset.

Signed-off-by: Hayes Wang <hayeswang@realtek.com>
Acked-by: Francois Romieu <romieu@fr.zoreil.com>
2011-02-23 23:31:17 +01:00
Hayes Wang
d24e9aafe5 r8169: correct settings of rtl8102e.
Adjust and remove certain settings of RTL8102E which are for previous chips.

Signed-off-by: Hayes Wang <hayeswang@realtek.com>
Acked-off-by: Francois Romieu <romieu@fr.zoreil.com>
2011-02-23 23:31:03 +01:00
Hayes Wang
fac5b3caa1 r8169: fix incorrect args to oob notify.
It results in the wrong point address and influences RTL8168DP.

Signed-off-by: Hayes Wang <hayeswang@realtek.com>
Acked-by: Francois Romieu <romieu@fr.zoreil.com>
2011-02-23 23:30:30 +01:00
Henry Nestler
108f518cc4 DM9000B: Fix PHY power for network down/up
DM9000 revision B needs 1 ms delay after PHY power-on.
PHY must be powered on by writing 0 into register DM9000_GPR before
all other settings will change (see Davicom spec and example code).

Remember, that register DM9000_GPR was not changed by reset sequence.

Without this fix the FIFO is out of sync and sends wrong data after
sequence of "ifconfig ethX down ; ifconfig ethX up".

Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-23 14:29:50 -08:00
Henry Nestler
8dde924217 DM9000B: Fix reg_save after spin_lock in dm9000_timeout
The spin_lock should hold before reading register.

Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-23 14:29:49 -08:00
Eric Dumazet
9e924cf407 net_sched: long word align struct qdisc_skb_cb data
netem_skb_cb() does :

return (struct netem_skb_cb *)qdisc_skb_cb(skb)->data;

Unfortunatly struct qdisc_skb_cb data is not long word aligned, so
access to psched_time_t time_to_send uses a non aligned access.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-23 14:17:02 -08:00
Dmitry Torokhov
1d64b655dc Input: serio/gameport - use 'long' system workqueue
Commit 8ee294cd9d converted serio
subsystem event handling from using a dedicated thread to using
common workqueue. Unfortunately, this regressed our boot times,
due to the fact that serio jobs take long time to execute. While
the new concurrency managed workqueue code manages long-playing
works just fine and schedules additional workers as needed, such
works wreck havoc among remaining users of flush_scheduled_work().

To solve this problem let's move serio/gameport works from system_wq
to system_long_wq which nobody tries to flush.

Reported-and-tested-by: Hernando Torque <pantherchen@versanet.de>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
2011-02-23 08:53:07 -08:00
Dmitry Torokhov
9bb794ae05 Input: synaptics - document 0x0c query
Since Synaptics technical writers department is a bit slow releasing updated
Synaptics interface guide, let's add some new bits (with their blessing)
to the code so that they don't get lost.

Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
2011-02-23 08:53:01 -08:00
Jesper Nilsson
f19e0eec8b Drop redundant __param section for CRISv32.
The __param section is already brought in by RODATA above.

Signed-off-by: Jesper Nilsson <jesper.nilsson@axis.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2011-02-23 08:00:47 -08:00
Florian Mickler
49495d44df amd64-agp: fix crash at second module load
The module forgot to sometimes unregister some resources.

This fixes Bug #22882.

[Patch updated to 2.6.38-rc3 by Randy Dunlap.]
Tested-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Florian Mickler <florian@mickler.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2011-02-23 18:29:17 +10:00
Linus Torvalds
4a508dd259 Merge branch 'for-2639-rc4/i2c-fixes' of git://git.fluff.org/bjdooks/linux
* 'for-2639-rc4/i2c-fixes' of git://git.fluff.org/bjdooks/linux:
  i2c-omap: fixup commit cb527ede1b whitespace
  i2c-omap: Double clear of ARDY status in IRQ handler
  i2c-omap: fix build for !CONFIG_SUSPEND
  i2c-omap: fix static suspend vs. runtime suspend
  i2c-stu300: make sure adapter-name is terminated
2011-02-22 17:13:16 -08:00
Linus Torvalds
c6ad121784 Merge branch 'usb-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6
* 'usb-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6:
  Revert "USB: Reset USB 3.0 devices on (re)discovery"
  USB: musb: omap2430: fix kernel panic on reboot
  sierra: add new ID for Airprime/Sierra USB IP modem
  USB: serial/usb_wwan, fix tty NULL dereference
  USB: Reset USB 3.0 devices on (re)discovery
  USB: Add quirk for Samsung Android phone modem
  USB: Add Samsung SGH-I500/Android modem ID switch to visor driver
  USB: add quirks entry for Keytouch QWERTY Panel
  usb: musb: omap2430: fix kernel panic on reboot
  usb: musb: fix build breakage
2011-02-22 17:11:10 -08:00
Ben Dooks
a5a595cc36 i2c-omap: fixup commit cb527ede1b whitespace
Fixup the whitespace error noticed in cb527ede1b

Signed-off-by: Ben Dooks <ben-linux@fluff.org>
2011-02-23 00:43:55 +00:00
Richard woodruff
cb527ede1b i2c-omap: Double clear of ARDY status in IRQ handler
This errata occurs when the ARDY interrupt generation is enabled.
At the begining of every new transaction the ARDY interrupt is cleared.

On continuous i2c transactions where after clearing the ARDY bit from
I2C_STAT register (clearing the interrupt), the IRQ line is reasserted and the
I2C_STAT[ARDY] bit set again on 1. In fact, the ARDY status bit is not cleared
at the write access to I2C_STAT[ARDY] and only the IRQ line is deasserted and
then reasserted. This is not captured in the usual errata documents.

The workaround is to have a double clear of ARDY status in irq handler.

Signed-off-by: Richard woodruff <r-woodruff2@ti.com>
Signed-off-by: Keerthy <j-keerthy@ti.com>
Signed-off-by: Ben Dooks <ben-linux@fluff.org>
2011-02-23 00:42:36 +00:00
Balaji T K
f72487e7a1 i2c-omap: fix build for !CONFIG_SUSPEND
fix the build break when !CONFIG_SUSPEND

drivers/i2c/busses/i2c-omap.c:1173: error: lvalue required as unary '&' operand
make[3]: *** [drivers/i2c/busses/i2c-omap.o] Error 1
make[2]: *** [drivers/i2c/busses] Error 2
make[1]: *** [drivers/i2c] Error 2
make: *** [drivers] Error 2

Signed-off-by: Balaji T K <balajitk@ti.com>
Signed-off-by: Ben Dooks <ben-linux@fluff.org>
2011-02-23 00:39:45 +00:00
Dave Airlie
45e4039c3a drm/radeon: fix regression with AA resolve checking
Some userspaces can emit a whole packet without disabling AA resolve
by the looks of it, so we have to deal with them.

Signed-off-by: Dave Airlie <airlied@redhat.com>
Tested-by: Jorg Otte <jrg.otte@googlemail.com>
2011-02-23 10:14:00 +10:00
Paul Bolle
40f2a2fabb drm: drop commented out code and preceding comment
r100_gpu_init() was dropped in 90aca4d ("drm/radeon/kms: simplify &
improve GPU reset V2") but here it was only commented out.

Signed-off-by: Paul Bolle <pebolle@tiscali.nl>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2011-02-23 10:10:10 +10:00
Mario Kleiner
9be6f8a978 drm/vblank: Enable precise vblank timestamps for interlaced and doublescan modes.
Testing showed the current code can already handle doublescan
video modes just fine. A trivial tweak makes it work for interlaced
scanout as well.

Tested and shown to be precise on Radeon rv530, r600 and
Intel 945-GME.

Signed-off-by: Mario Kleiner <mario.kleiner@tuebingen.mpg.de>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2011-02-23 10:08:49 +10:00
Mario Kleiner
bc21512835 drm/vblank: Use memory barriers optimized for atomic_t instead of generics.
Documentation/atomic_ops.txt tells us that there are memory
barriers optimized for atomic_inc and other atomic_t ops.

Use these instead of smp_wmb(), and also to make the required
memory barriers around vblank counter increments more explicit.

Signed-off-by: Mario Kleiner <mario.kleiner@tuebingen.mpg.de>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2011-02-23 10:08:46 +10:00
Mario Kleiner
c4cc383915 drm/vblank: Use abs64(diff_ns) for s64 diff_ns instead of abs(diff_ns)
Use of abs() wrongly wrapped diff_ns to 32 bit, which gives a 1/4000
probability of a missed vblank increment at each vblank irq reenable
if the kms driver doesn't support high precision vblank timestamping.
Not a big deal in practice, but let's make it nice.

Signed-off-by: Mario Kleiner <mario.kleiner@tuebingen.mpg.de>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2011-02-23 10:08:41 +10:00
Dave Airlie
e40b6fc837 drm/radeon/kms: align height of fb allocation.
this aligns the height of the fb allocation so it doesn't trip
over the size checks later when we use this from userspace to
copy the buffer at X start.

Signed-off-by: Dave Airlie <airlied@redhat.com>
2011-02-23 10:08:17 +10:00
Alex Deucher
bd6a60afeb Revert "drm/radeon/kms: switch back to min->max pll post divider iteration"
This reverts commit a6f9761743.

Remove this commit as it is no longer necessary. The relevant bugs
were fixed properly in:
drm/radeon/kms: hopefully fix pll issues for real (v3)
5b40ddf888
drm/radeon/kms: add missing frac fb div flag for dce4+
9f4283f49f

This commit also broke certain ~5 Mhz modes on old arcade monitors,
so reverting this commit fixes:
https://bugzilla.kernel.org/show_bug.cgi?id=29502

Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
2011-02-23 10:07:24 +10:00
Kevin Hilman
adf6e07922 i2c-omap: fix static suspend vs. runtime suspend
When runtime PM is enabled, each OMAP i2c device is suspended after
each i2c xfer.  However, there are two cases when the static suspend
methods must be used to ensure the devices are suspended:

1) runtime PM is disabled, either at compile time or dynamically
    via /sys/devices/.../power/control.
2) an i2c client driver uses i2c during it's suspend callback, thus
   leaving the i2c driver active (NOTE: runtime suspend transitions are
   disabled during system suspend, so i2c activity during system
   suspend will runtime resume the device, but not runtime (re)suspend it.)

Since the actual work to suspend the device is handled by the
subsytem, call the bus methods to take care of it.

NOTE: This takes care of a known suspend problem on OMAP3 where the
TWL RTC driver does i2c xfers during its suspend path leaving the i2c
driver in an active state (since runtime suspend transistions are
disabled.)

Signed-off-by: Kevin Hilman <khilman@ti.com>
Signed-off-by: Ben Dooks <ben-linux@fluff.org>
2011-02-22 23:53:44 +00:00
Wolfram Sang
f10820e495 i2c-stu300: make sure adapter-name is terminated
Use strlcpy instead of strncpy.

Signed-off-by: Wolfram Sang <w.sang@pengutronix.de>
Cc: Linus Walleij <linus.walleij@stericsson.com>
Cc: Ben Dooks <ben-linux@fluff.org>
Signed-off-by: Ben Dooks <ben-linux@fluff.org>
2011-02-22 23:53:44 +00:00
Lukas Czerner
be715140b5 xfs: check if device support discard in xfs_ioc_trim()
Right now we, are relying on the fact that when we attempt to
actually do the discard, blkdev_issue_discar() returns -EOPNOTSUPP
and the user is informed that the device does not support discard.

However, in the case where the we do not hit any suitable free
extent to trim in FITRIM code, it will finish without any error.
This is very confusing, because it seems that FITRIM was successful
even though the device does not actually supports discard.

Solution: Check for the discard support before attempt to search for
free extents.

Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Signed-off-by: Alex Elder <aelder@sgi.com>
2011-02-22 15:08:44 -06:00
Dan Rosenberg
3a3675b7f2 xfs: prevent leaking uninitialized stack memory in FSGEOMETRY_V1
The FSGEOMETRY_V1 ioctl (and its compat equivalent) calls out to
xfs_fs_geometry() with a version number of 3.  This code path does not
fill in the logsunit member of the passed xfs_fsop_geom_t, leading to
the leaking of four bytes of uninitialized stack data to potentially
unprivileged callers.

v2 switches to memset() to avoid future issues if structure members
change, on suggestion of Dave Chinner.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Reviewed-by: Eugene Teo <eugeneteo@kernel.org>
Signed-off-by: Alex Elder <aelder@sgi.com>
2011-02-22 15:06:47 -06:00
David S. Miller
d3bd1b4c89 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-2.6 2011-02-22 11:53:05 -08:00
Eric Dumazet
28801f351f sfc: lower stack usage in efx_ethtool_self_test
drivers/net/sfc/ethtool.c: In function ‘efx_ethtool_self_test’:
drivers/net/sfc/ethtool.c:613: warning: the frame size of 1200 bytes
is larger than 1024 bytes

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-22 10:12:01 -08:00
Linus Lüssing
fe29ec41aa bridge: Use IPv6 link-local address for multicast listener queries
Currently the bridge multicast snooping feature periodically issues
IPv6 general multicast listener queries to sense the absence of a
listener.

For this, it uses :: as its source address - however RFC 2710 requires:
"To be valid, the Query message MUST come from a link-local IPv6 Source
Address". Current Linux kernel versions seem to follow this requirement
and ignore our bogus MLD queries.

With this commit a link local address from the bridge interface is being
used to issue the MLD query, resulting in other Linux devices which are
multicast listeners in the network to respond with a MLD response (which
was not the case before).

Signed-off-by: Linus Lüssing <linus.luessing@web.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-22 10:07:29 -08:00
Linus Lüssing
36cff5a10c bridge: Fix MLD queries' ethernet source address
Map the IPv6 header's destination multicast address to an ethernet
source address instead of the MLD queries multicast address.

For instance for a general MLD query (multicast address in the MLD query
set to ::), this would wrongly be mapped to 33:33:00:00:00:00, although
an MLD queries destination MAC should always be 33:33:00:00:00:01 which
matches the IPv6 header's multicast destination ff02::1.

Signed-off-by: Linus Lüssing <linus.luessing@web.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-22 10:07:28 -08:00
Linus Lüssing
e4de9f9e83 bridge: Allow mcast snooping for transient link local addresses too
Currently the multicast bridge snooping support is not active for
link local multicast. I assume this has been done to leave
important multicast data untouched, like IPv6 Neighborhood Discovery.

In larger, bridged, local networks it could however be desirable to
optimize for instance local multicast audio/video streaming too.

With the transient flag in IPv6 multicast addresses we have an easy
way to optimize such multimedia traffic without tempering with the
high priority multicast data from well-known addresses.

This patch alters the multicast bridge snooping for IPv6, to take
effect for transient multicast addresses instead of non-link-local
addresses.

Signed-off-by: Linus Lüssing <linus.luessing@web.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-22 10:07:28 -08:00
Linus Lüssing
5ced133961 ipv6: Add IPv6 multicast address flag defines
This commit adds the missing IPv6 multicast address flag defines to
complement the already existing multicast address scope defines and to
be able to check these flags nicely in the future.

Signed-off-by: Linus Lüssing <linus.luessing@web.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-22 10:07:27 -08:00
Linus Lüssing
d41db9f3f7 bridge: Add missing ntohs()s for MLDv2 report parsing
The nsrcs number is 2 Byte wide, therefore we need to call ntohs()
before using it.

Signed-off-by: Linus Lüssing <linus.luessing@web.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-22 10:07:27 -08:00
Linus Lüssing
649e984d00 bridge: Fix IPv6 multicast snooping by correcting offset in MLDv2 report
We actually want a pointer to the grec_nsrcr and not the following
field. Otherwise we can get very high values for *nsrcs as the first two
bytes of the IPv6 multicast address are being used instead, leading to
a failing pskb_may_pull() which results in MLDv2 reports not being
parsed.

Signed-off-by: Linus Lüssing <linus.luessing@web.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-22 10:07:26 -08:00
Linus Lüssing
9cc6e0c4c4 bridge: Fix IPv6 multicast snooping by storing correct protocol type
The protocol type for IPv6 entries in the hash table for multicast
bridge snooping is falsely set to ETH_P_IP, marking it as an IPv4
address, instead of setting it to ETH_P_IPV6, which results in negative
look-ups in the hash table later.

Signed-off-by: Linus Lüssing <linus.luessing@web.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-02-22 10:07:26 -08:00
Linus Torvalds
d8204a37ba Merge branch 'urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/brodo/pcmcia-2.6
* 'urgent' of git://git.kernel.org/pub/scm/linux/kernel/git/brodo/pcmcia-2.6:
  pcmcia: re-enable Zoomed Video support
  cm4000_cs: Fix undefined ops warning
  pcmcia vs. MECR on pxa25x/sa1111
  drivers/char/pcmcia/ipwireless/main.c: Convert release_resource to release_region/release_mem_region
2011-02-22 09:26:54 -08:00