Commit Graph

180636 Commits

Author SHA1 Message Date
Hugh Daschbach
b248df30fc [SCSI] libfc: Don't assume response request present.
Fix NULL pointer dereference crash occurs in fc_lport_bsg_request()
for bsg requests that do not contain a response request.
Specifically, FC_BSG_HST_ADD_RPORT and FC_BSG_HST_DEL_RPORT bsg
requests are not guaranteed to include a response request.

Signed-off-by: Hugh Daschbach <hdasch@broadcom.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
2010-02-17 09:57:01 -06:00
Hugh Daschbach
3b709150b7 [SCSI] libfc: Fix e_d_tov ns -> ms scaling factor in PLOGI response.
Both PLOGI and RTV response processing conditionally scale e_d_tov,
but use different scaling factors.  The scaling factor is correct in
RTV response processing.  Bring PLOGI e_d_tov scaling in line with RTV
common service parameter inspection.

Signed-off-by: Hugh Daschbach <hdasch@broadcom.com>
Acked-by: Joe Eykholt <jeykholt@cisco.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
2010-02-17 09:56:59 -06:00
Vasu Dev
10897ae71d [SCSI] libfc: call ddp setup for only FCP reads to avoid accessing junk fsp pointer
Adds check to call fc_fcp_ddp_setup for only FCP read cmds to avoid
accessing junk fsp pointer at least in ESX since non FCP frame had
junk fsp value, though fsp is implicitly initialized to null
by __alloc_skb but with this patch no more relying on fsp
initialized to null value and hitting junk fsp ptr access.

Removes fsp pointer checking in fc_fcp_ddp_setup as this is not
needed any more since its only caller for FCP read will always
have a valid fsp.

Reported by: Frank Zhang <frank_1.zhang@intel.com>
Reported by: Rob Love <robert.w.love@intel.com>
Signed-off-by: Vasu Dev <vasu.dev@intel.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
2010-02-17 09:56:57 -06:00
Mike Christie
fee099b278 [SCSI] iscsi_tcp regression: remove bogus warn on in write path
An empty r2tqueue is a valid state. It just means that we have
processed all that there was to do. This patch removes the WARN_ON
that was added when the kfifo changes were merged.

Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
2010-02-17 09:55:22 -06:00
Linus Torvalds
b0483e78e5 Merge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty-2.6:
  serial: 8250: add serial transmitter fully empty test
2010-02-16 16:56:21 -08:00
Linus Torvalds
18688218d1 Merge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6:
  USB: gadget: fix EEM gadget CRC usage
  USB: otg Kconfig: let USB_OTG_UTILS select USB_ULPI option
  USB: g_multi: fix CONFIG_USB_G_MULTI_RNDIS usage
  kfifo: Don't use integer as NULL pointer
  USB: FHCI: Fix build after kfifo rework
  kfifo: Make kfifo_initialized work after kfifo_free
  USB: serial: add usbid for dell wwan card to sierra.c
  USB: SIS USB2VGA DRIVER: support KAIREN's USB VGA adaptor USB20SVGA-MB-PLUS
  USB: ehci: phy low power mode bug fixing
  USB: s3c-hsotg: Export usb_gadget_register_driver()
  USB: r8a66597-udc: Prototype IS_ERR() and PTR_ERR()
  USB: ftdi_sio: add device IDs (several ELV, one Mindstorms NXT)
  USB: storage: Remove unneeded SC/PR from unusual_devs.h
  USB: ftdi_sio: new device id for papouch AD4USB
  USB: usbfs: properly clean up the as structure on error paths
  USB: usbfs: only copy the actual data received
2010-02-16 16:55:39 -08:00
Linus Torvalds
1ed10aa8e9 Merge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core-2.6:
  class: Free the class private data in class_release
  sysfs: sysfs_sd_setattr set iattrs unconditionally
2010-02-16 16:55:13 -08:00
Linus Torvalds
5d67767047 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (22 commits)
  be2net: set proper value to version field in req hdr
  xfrm: Fix xfrm_state_clone leak
  ipcomp: Avoid duplicate calls to ipcomp_destroy
  ethtool: allow non-admin user to read GRO settings.
  ixgbe: fix WOL register setup for 82599
  ixgbe: Fix - Do not allow Rx FC on 82598 at 1G due to errata
  sfc: Fix SFE4002 initialisation
  mac80211: fix handling of null-rate control in rate_control_get_rate
  inet: Remove bogus IGMPv3 report handling
  iwlwifi: fix AMSDU Rx after paged Rx patch
  tcp: fix ICMP-RTO war
  via-velocity: Fix races on shared interrupts
  via-velocity: Take spinlock on set coalesce
  via-velocity: Remove unused IRQ status parameter from rx_srv and tx_srv
  rtl8187: Add new device ID
  iwmc3200wifi: Test of wrong pointer after kzalloc in iwm_mlme_update_bss_table()
  ath9k: Fix sequence numbers for PAE frames
  mac80211: fix deferred hardware scan requests
  iwlwifi: Fix to set correct ht configuration
  mac80211: Fix probe request filtering in IBSS mode
  ...
2010-02-16 16:52:04 -08:00
Dick Hollenbeck
bca476139d serial: 8250: add serial transmitter fully empty test
When controlling an industrial radio modem it can be necessary to
manipulate the handshake lines in order to control the radio modem's
transmitter, from userspace.

The transmitter should not be turned off before all characters have been
transmitted.  serial8250_tx_empty() was reporting that all characters were
transmitted before they actually were.

===

Discovered in parallel with more testing and analysis by Kees Schoenmakers
as follows:

I ran into an NetMos 9835 serial pci board which behaves a little
different than the standard.  This type of expansion board is very common.

"Standard" 8250 compatible devices clear the 'UART_LST_TEMT" bit together
with the "UART_LSR_THRE" bit when writing data to the device.

The NetMos device does it slightly different

I believe that the TEMT bit is coupled to the shift register.  The problem
is that after writing data to the device and very quickly after that one
does call serial8250_tx_empty, it returns the wrong information.

My patch makes the test more robust (and solves the problem) and it does
not affect the already correct devices.

Alan:

  We may yet need to quirk this but now we know which chips we have a
  way to do that should we find this breaks some other 8250 clone with
  dodgy THRE.

Signed-off-by: Dick Hollenbeck <dick@softplc.com>
Signed-off-by: Alan Cox <alan@linux.intel.com>
Cc: Kees Schoenmakers <k.schoenmakers@sigmae.nl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-16 15:55:51 -08:00
Laurent Pinchart
18d19c9645 class: Free the class private data in class_release
Fix a memory leak by freeing the memory allocated in __class_register
for the class private data.

Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Acked-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-16 15:43:00 -08:00
Eric W. Biederman
7c0ff870d1 sysfs: sysfs_sd_setattr set iattrs unconditionally
There is currently a bug in sysfs_sd_setattr inherited from
sysfs_setattr in 2.6.32 where the first time we set the attributes
on a sysfs file we allocate backing store but do not set the
backing store attributes.  Resulting in overly restrictive
permissions on sysfs files.

The fix is to simply modify the code so that it always executes
when we update the sysfs attributes, as we did in 2.6.31 and earlier.

Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Tested-by: Jean Delvare <khali@linux-fr.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-16 15:42:42 -08:00
Brian Niebuhr
31e5d4abce USB: gadget: fix EEM gadget CRC usage
eem_wrap() is sending a sentinel CRC, but it didn't indicate that to
the host, it should zero bit 14 (bmCRC) in the EEM packet header,
instead of setting it.

Also remove a redundant crc calculation in eem_unwrap().


Signed-off-by: Steve Longerbeam <stevel@netspectrum.com>
Acked-by: Brian Niebuhr <bniebuhr@efjohnson.com>
Acked-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-16 15:11:10 -08:00
Valentin Longchamp
dd091c7b32 USB: otg Kconfig: let USB_OTG_UTILS select USB_ULPI option
With CONFIG_USB_ULPI=y, CONFIG_USB<=m, CONFIG_PCI=n and
CONFIG_USB_OTG_UTILS=n, which is the default used for mx31moboard,
the build for all mx3 platforms fails because drivers/usb/otg/ulpi.c
where otg_ulpi_create is defined is not compiled.

Build error:
arch/arm/mach-mx3/built-in.o: In function `mxc_board_init':
kzmarm11.c:(.init.text+0x73c): undefined reference to `otg_ulpi_create'
kzmarm11.c:(.init.text+0x1020): undefined reference to `otg_ulpi_create'

This isn't a strong dependency as drivers/usb/otg/ulpi.c doesn't
use functions defined in drivers/usb/otg/otg.o and is only needed
to get ulpi.o linked into the kernel image.

Signed-off-by: Valentin Longchamp <valentin.longchamp@epfl.ch>
Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-16 15:11:09 -08:00
Michal Nazarewicz
dbe4a99d84 USB: g_multi: fix CONFIG_USB_G_MULTI_RNDIS usage
g_multi used CONFIG_USB_ETH_RNDIS to check if RNDIS option was requested
where it should check for CONFIG_USB_G_MULTI_RNDIS.  As a result, RNDIS
was never present in g_multi regardless of configuration.

This fixes changes made in commit 396cda90d2.

Signed-off-by: Michal Nazarewicz <m.nazarewicz@samsung.com>
Cc: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-16 15:11:08 -08:00
Anton Vorontsov
5a5e0f4c70 kfifo: Don't use integer as NULL pointer
This patch fixes following sparse warnings:

include/linux/kfifo.h:127:25: warning: Using plain integer as NULL pointer
kernel/kfifo.c:83:21: warning: Using plain integer as NULL pointer

Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Acked-by: Stefani Seibold <stefani@seibold.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-16 15:11:08 -08:00
Anton Vorontsov
4c743d0ae6 USB: FHCI: Fix build after kfifo rework
After kfifo rework FHCI fails to build:

  CC      drivers/usb/host/fhci-tds.o
drivers/usb/host/fhci-tds.c: In function 'fhci_ep0_free':
drivers/usb/host/fhci-tds.c:108: error: used struct type value where scalar is required
drivers/usb/host/fhci-tds.c:118: error: used struct type value where scalar is required
drivers/usb/host/fhci-tds.c:128: error: used struct type value where scalar is required

This is because kfifos are no longer pointers in the ep struct.
So, instead of checking the pointers, we should now check if kfifo
is initialized.

Reported-by: Josh Boyer <jwboyer@gmail.com>
Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Acked-by: Stefani Seibold <stefani@seibold.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-16 15:11:07 -08:00
Anton Vorontsov
1a02d59aba kfifo: Make kfifo_initialized work after kfifo_free
After kfifo rework it's no longer possible to reliably know if kfifo is
usable, since after kfifo_free(), kfifo_initialized() would still return
true. The correct behaviour is needed for at least FHCI USB driver.

This patch fixes the issue by resetting the kfifo to zero values (the
same approach is used in kfifo_alloc() if allocation failed).

Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Acked-by: Stefani Seibold <stefani@seibold.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-16 15:11:06 -08:00
Richard Farina
1ebca9dad5 USB: serial: add usbid for dell wwan card to sierra.c
This patch adds support for Dell Computer Corp. Wireless 5720 VZW Mobile
Broadband (EVDO Rev-A) Minicard GPS Port.  I stole the name from lsusb,
but my card does not have a GPS on it (at least not that I can make
function). I'm sure the patch is whitespace damaged but the one line
addition should be fairly straightforward nonetheless.

Tested-by: Rick Farina <sidhayn@gmail.com>
Signed-off-by: Rick Farina <sidhayn@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-16 15:11:06 -08:00
Tanaka Akira
bbcb8bbad5 USB: SIS USB2VGA DRIVER: support KAIREN's USB VGA adaptor USB20SVGA-MB-PLUS
This patch adds the USB product ID of KAIREN's USB VGA Adaptor,
USB20SVGA-MB-PLUS, to sisusbvga work with it.

Signed-off-by: Tanaka Akira <akr@fsij.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-16 15:11:05 -08:00
Alek Du
b9df794258 USB: ehci: phy low power mode bug fixing
1. There are two msleep calls inside two spin lock sections, need to unlock
   and lock again after msleep.
2. Save a extra status reg setting.

Signed-off-by: Alek Du <alek.du@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-16 15:11:04 -08:00
Mark Brown
6feb63b69f USB: s3c-hsotg: Export usb_gadget_register_driver()
USB gadget controller drivers normally export their driver registration
function, allowing modular builds of the individual gadget drivers so
do so for s3c-hsotg, fixing builds.

Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-16 15:11:04 -08:00
Mark Brown
ae3a07924f USB: r8a66597-udc: Prototype IS_ERR() and PTR_ERR()
The build of r8a66597-udc was failing on ARM since IS_ERR() and
PTR_ERR() weren't protyped.  Presumably err.h is being pulled in by
another header on other platforms.

Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Acked-by: Yoshihiro Shimoda <shimoda.yoshihiro@renesas.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-16 15:11:03 -08:00
Andreas Mohr
65e1ec6751 USB: ftdi_sio: add device IDs (several ELV, one Mindstorms NXT)
- add FTDI device IDs for several ELV devices and NXTCam of Lego Mindstorms NXT
- add hopefully helpful new_id comment
- remove less helpful "Due to many user requests for multiple ELV devices we enable
  them by default." comment (we simply add _all_ known devices - an
  enduser shouldn't have to fiddle with obscure module parameters...).
- add myself to DRIVER_AUTHOR

The missing NXTCam ID has been found at
http://www.unixboard.de/vb3/showthread.php?t=44155
, ELV devices taken from ELV Windows .inf file.

Signed-off-by: Andreas Mohr <andi@lisas.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-16 15:11:03 -08:00
Phil Dibowitz
39232b3d80 USB: storage: Remove unneeded SC/PR from unusual_devs.h
This patch removes the subclass and protocol entries from a Microtech
entry in unusual_devs.h. This was reported by <ryck@pacbell.net>.

Greg, please apply.

Signed-off-by: Phil Dibowitz <phil@ipom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-16 15:11:03 -08:00
Radek Liboska
a7787e508a USB: ftdi_sio: new device id for papouch AD4USB
added new device pid (PAPOUCH_AD4USB_PID) to ftdi_sio.h and ftdi_sio.c

AD4USB measuring converter is a 4-input A/D converter which enables the
user to measure to four current inputs ranging from 0(4) to 20 mA or
voltage between 0 and 10 V. The measured values are then transferred to
a superior system in digital form. The AD4USB communicates via USB.
Powered is also via USB.  datasheet in english is here:
http://www.papouch.com/shop/scripts/pdf/ad4usb_en.pdf


Signed-off-by: Radek Liboska <liboska@uochb.cas.cz>
2010-02-16 15:11:02 -08:00
Linus Torvalds
ddeee0b2ee USB: usbfs: properly clean up the as structure on error paths
I notice that the processcompl_compat() function seems to be leaking the
'struct async *as' in the error paths. 

I think that the calling convention is fundamentally buggered. The
caller is the one that did the "reap_as()" to get the as thing, the
caller should be the one to free it too. 

Freeing it in the caller also means that it very clearly always gets
freed, and avoids the need for any "free in the error case too".

From: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Marcus Meissner <meissner@suse.de>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-16 15:11:02 -08:00
Greg KH
d4a4683ca0 USB: usbfs: only copy the actual data received
We need to only copy the data received by the device to userspace, not
the whole kernel buffer, which can contain "stale" data.

Thanks to Marcus Meissner for pointing this out and testing the fix.

Reported-by: Marcus Meissner <meissner@suse.de>
Tested-by: Marcus Meissner <meissner@suse.de>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-02-16 15:11:01 -08:00
Ajit Khaparde
07793d33b4 be2net: set proper value to version field in req hdr
Before sending a command to the ASIC, set version properly.
This is necessary for the ARM firmware to send correct data to the driver.
This also fixes a bug in certain skews of the ASIC where the statistics
are misreported.

Signed-off-by: Ajit Khaparde <ajitk@serverengines.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-02-16 14:53:25 -08:00
Herbert Xu
553f9118ab xfrm: Fix xfrm_state_clone leak
xfrm_state_clone calls kfree instead of xfrm_state_put to free
a failed state.  Depending on the state of the failed state, it
can cause leaks to things like module references.

All states should be freed by xfrm_state_put past the point of
xfrm_init_state.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-02-16 14:53:24 -08:00
Herbert Xu
10e7454ed7 ipcomp: Avoid duplicate calls to ipcomp_destroy
When ipcomp_tunnel_attach fails we will call ipcomp_destroy twice.
This may lead to double-frees on certain structures.

As there is no reason to explicitly call ipcomp_destroy, this patch
removes it from ipcomp*.c and lets the standard xfrm_state destruction
take place.

This is based on the discovery and patch by Alexey Dobriyan.

Tested-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-02-16 14:53:24 -08:00
stephen hemminger
1cab819b5e ethtool: allow non-admin user to read GRO settings.
Looks like an oversight in GRO design.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-02-16 14:53:23 -08:00
Linus Torvalds
8862627254 Merge git://git.kernel.org/pub/scm/linux/kernel/git/agk/linux-2.6-dm
* git://git.kernel.org/pub/scm/linux/kernel/git/agk/linux-2.6-dm:
  dm: sysfs revert add empty release function to avoid debug warning
  dm mpath: fix stall when requeueing io
  dm raid1: fix null pointer dereference in suspend
  dm raid1: fail writes if errors are not handled and log fails
  dm log: userspace fix overhead_size calcuations
  dm snapshot: persistent annotate work_queue as on stack
  dm stripe: avoid divide by zero with invalid stripe count
2010-02-16 12:22:15 -08:00
Linus Torvalds
5ae1d95568 Merge branch 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6
* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/aegl/linux-2.6:
  [IA64] preserve personality flag bits across exec
2010-02-16 11:59:01 -08:00
Alasdair G Kergon
9307f6b19a dm: sysfs revert add empty release function to avoid debug warning
Revert commit d2bb7df8ca at Greg's request.

    Author: Milan Broz <mbroz@redhat.com>
    Date:   Thu Dec 10 23:51:53 2009 +0000

    dm: sysfs add empty release function to avoid debug warning

    This patch just removes an unnecessary warning:
     kobject: 'dm': does not have a release() function,
     it is broken and must be fixed.

    The kobject is embedded in mapped device struct, so
    code does not need to release memory explicitly here.

Cc: Greg KH <gregkh@suse.de>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
2010-02-16 18:43:04 +00:00
Kiyoshi Ueda
9eef87da2a dm mpath: fix stall when requeueing io
This patch fixes the problem that system may stall if target's ->map_rq
returns DM_MAPIO_REQUEUE in map_request().
E.g. stall happens on 1 CPU box when a dm-mpath device with queue_if_no_path
     bounces between all-paths-down and paths-up on I/O load.

When target's ->map_rq returns DM_MAPIO_REQUEUE, map_request() requeues
the request and returns to dm_request_fn().  Then, dm_request_fn()
doesn't exit the I/O dispatching loop and continues processing
the requeued request again.
This map and requeue loop can be done with interrupt disabled,
so 1 CPU system can be stalled if this situation happens.

For example, commands below can stall my 1 CPU box within 1 minute or so:
  # dmsetup table mp
  mp: 0 2097152 multipath 1 queue_if_no_path 0 1 1 service-time 0 1 2 8:144 1 1
  # while true; do dd if=/dev/mapper/mp of=/dev/null bs=1M count=100; done &
  # while true; do \
  > dmsetup message mp 0 "fail_path 8:144" \
  > dmsetup suspend --noflush mp \
  > dmsetup resume mp \
  > dmsetup message mp 0 "reinstate_path 8:144" \
  > done

To fix the problem above, this patch changes dm_request_fn() to exit
the I/O dispatching loop once if a request is requeued in map_request().

Signed-off-by: Kiyoshi Ueda <k-ueda@ct.jp.nec.com>
Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
Cc: stable@kernel.org
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
2010-02-16 18:43:01 +00:00
Takahiro Yasui
558569aa9d dm raid1: fix null pointer dereference in suspend
When suspending a failed mirror, bios are completed by mirror_end_io() and
__rh_lookup() in dm_rh_dec() returns NULL where a non-NULL return value is
required by design.  Fix this by not changing the state of the recovery failed
region from DM_RH_RECOVERING to DM_RH_NOSYNC in dm_rh_recovery_end().

Issue

On 2.6.33-rc1 kernel, I hit the bug when I suspended the failed
mirror by dmsetup command.

BUG: unable to handle kernel NULL pointer dereference at 00000020
IP: [<f94f38e2>] dm_rh_dec+0x35/0xa1 [dm_region_hash]
...
EIP: 0060:[<f94f38e2>] EFLAGS: 00010046 CPU: 0
EIP is at dm_rh_dec+0x35/0xa1 [dm_region_hash]
EAX: 00000286 EBX: 00000000 ECX: 00000286 EDX: 00000000
ESI: eff79eac EDI: eff79e80 EBP: f6915cd4 ESP: f6915cc4
 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process dmsetup (pid: 2849, ti=f6914000 task=eff03e80 task.ti=f6914000)
 ...
Call Trace:
 [<f9530af6>] ? mirror_end_io+0x53/0x1b1 [dm_mirror]
 [<f9413104>] ? clone_endio+0x4d/0xa2 [dm_mod]
 [<f9530aa3>] ? mirror_end_io+0x0/0x1b1 [dm_mirror]
 [<f94130b7>] ? clone_endio+0x0/0xa2 [dm_mod]
 [<c02d6bcb>] ? bio_endio+0x28/0x2b
 [<f952f303>] ? hold_bio+0x2d/0x62 [dm_mirror]
 [<f952f942>] ? mirror_presuspend+0xeb/0xf7 [dm_mirror]
 [<c02aa3e2>] ? vmap_page_range+0xb/0xd
 [<f9414c8d>] ? suspend_targets+0x2d/0x3b [dm_mod]
 [<f9414ca9>] ? dm_table_presuspend_targets+0xe/0x10 [dm_mod]
 [<f941456f>] ? dm_suspend+0x4d/0x150 [dm_mod]
 [<f941767d>] ? dev_suspend+0x55/0x18a [dm_mod]
 [<c0343762>] ? _copy_from_user+0x42/0x56
 [<f9417fb0>] ? dm_ctl_ioctl+0x22c/0x281 [dm_mod]
 [<f9417628>] ? dev_suspend+0x0/0x18a [dm_mod]
 [<f9417d84>] ? dm_ctl_ioctl+0x0/0x281 [dm_mod]
 [<c02c3c4b>] ? vfs_ioctl+0x22/0x85
 [<c02c422c>] ? do_vfs_ioctl+0x4cb/0x516
 [<c02c42b7>] ? sys_ioctl+0x40/0x5a
 [<c0202858>] ? sysenter_do_call+0x12/0x28

Analysis

When recovery process of a region failed, dm_rh_recovery_end() function
changes the state of the region from RM_RH_RECOVERING to DM_RH_NOSYNC.
When recovery_complete() is executed between dm_rh_update_states() and
dm_writes() in do_mirror(), bios are processed with the region state,
DM_RH_NOSYNC. However, the region data is freed without checking its
pending count when dm_rh_update_states() is called next time.

When bios are finished by mirror_end_io(), __rh_lookup() in dm_rh_dec()
returns NULL even though a valid return value are expected.

Solution

Remove the state change of the recovery failed region from DM_RH_RECOVERING
to DM_RH_NOSYNC in dm_rh_recovery_end(). We can remove the state change
because:

  - If the region data has been released by dm_rh_update_states(),
    a new region data is created with the state of DM_RH_NOSYNC, and
    bios are processed according to the DM_RH_NOSYNC state.

  - If the region data has not been released by dm_rh_update_states(),
    a state of the region is DM_RH_RECOVERING and bios are put in the
    delayed_bio list.

The flag change from DM_RH_RECOVERING to DM_RH_NOSYNC in dm_rh_recovery_end()
was added in the following commit:
  dm raid1: handle resync failures
  author  Jonathan Brassow <jbrassow@redhat.com>
    Thu, 12 Jul 2007 16:29:04 +0000 (17:29 +0100)
  http://git.kernel.org/linus/f44db678edcc6f4c2779ac43f63f0b9dfa28b724

Signed-off-by: Takahiro Yasui <tyasui@redhat.com>
Reviewed-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
2010-02-16 18:42:58 +00:00
Mikulas Patocka
5528d17de1 dm raid1: fail writes if errors are not handled and log fails
If the mirror log fails when the handle_errors option was not selected
and there is no remaining valid mirror leg, writes return success even
though they weren't actually written to any device.  This patch
completes them with EIO instead.

This code path is taken:
do_writes:
	bio_list_merge(&ms->failures, &sync);
do_failures:
	if (!get_valid_mirror(ms)) (false)
	else if (errors_handled(ms)) (false)
	else bio_endio(bio, 0);

The logic in do_failures is based on presuming that the write was already
tried: if it succeeded at least on one leg (without handle_errors) it
is reported as success.

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=555197

Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
2010-02-16 18:42:55 +00:00
Jonathan Brassow
ebfd32bba9 dm log: userspace fix overhead_size calcuations
This patch fixes two bugs that revolve around the miscalculation and
misuse of the variable 'overhead_size'.  'overhead_size' is the size of
the various header structures used during communication.

The first bug is the use of 'sizeof' with the pointer of a structure
instead of the structure itself - resulting in the wrong size being
computed.  This is then used in a check to see if the payload
(data_size) would be to large for the preallocated structure.  Since the
bug produces a smaller value for the overhead, it was possible for the
structure to be breached.  (Although the current users of the code do
not currently send enough data to trigger this bug.)

The second bug is that the 'overhead_size' value is used to compute how
much of the preallocated space should be cleared before populating it
with fresh data.  This should have simply been 'sizeof(struct cn_msg)'
not overhead_size.  The fact that 'overhead_size' was computed
incorrectly made this problem "less bad" - leaving only a pointer's
worth of space at the end uncleared.  Thus, this bug was never producing
a bad result, but still needs to be fixed - especially now that the
value is computed correctly.

Cc: stable@kernel.org
Signed-off-by: Jonathan Brassow <jbrassow@redhat.com
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
2010-02-16 18:42:53 +00:00
Mike Snitzer
55f67f2ded dm snapshot: persistent annotate work_queue as on stack
chunk_io() declares its 'struct mdata_req' on the stack and then
initializes its 'struct work_struct' member.  Annotate the
initialization of this workqueue with INIT_WORK_ON_STACK to suppress a
debugobjects warning seen when CONFIG_DEBUG_OBJECTS_WORK is enabled.

Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
2010-02-16 18:42:51 +00:00
Nikanth Karthikesan
781248c1b5 dm stripe: avoid divide by zero with invalid stripe count
If a table containing zero as stripe count is passed into stripe_ctr
the code attempts to divide by zero.

This patch changes DM_TABLE_LOAD to return -EINVAL if the stripe count
is zero.

We now get the following error messages:
  device-mapper: table: 253:0: striped: Invalid stripe count
  device-mapper: ioctl: error adding target to table

Signed-off-by: Nikanth Karthikesan <knikanth@suse.de>
Cc: stable@kernel.org
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
2010-02-16 18:42:47 +00:00
Oleg Nesterov
11557b24fd x86: ELF_PLAT_INIT() shouldn't worry about TIF_IA32
The 64-bit version of ELF_PLAT_INIT() clears TIF_IA32, but at this point
it has already been cleared by SET_PERSONALITY == set_personality_64bit.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-02-16 08:51:49 -08:00
Oleg Nesterov
1252f238db x86: set_personality_ia32() misses force_personality32
05d43ed8a "x86: get rid of the insane TIF_ABI_PENDING bit" forgot about
force_personality32.  Fix.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-02-16 08:50:28 -08:00
Don Skidmore
e86bff0eda ixgbe: fix WOL register setup for 82599
We need to have the WUS register set to all 1's in order for the hardware
to be capable of ever waking up.  Set it here in the ixgbe_probe().

Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-02-15 21:52:02 -08:00
Don Skidmore
a626e8478b ixgbe: Fix - Do not allow Rx FC on 82598 at 1G due to errata
The 82598 has an erratum that receipt of pause frames at 1G
could lead to a Tx Hang.  To avoid this this patch disables
Rx FC while at 1G speed for all 82598 parts.

Signed-off-by: Don Skidmore <donald.c.skidmore@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2010-02-15 21:51:56 -08:00
Linus Torvalds
0813e22d4e Merge git://git.kernel.org/pub/scm/linux/kernel/git/mason/btrfs-unstable
* git://git.kernel.org/pub/scm/linux/kernel/git/mason/btrfs-unstable:
  Btrfs: btrfs_mark_extent_written uses the wrong slot
2010-02-15 19:56:21 -08:00
Linus Torvalds
382640b337 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6:
  firewire: ohci: retransmit isochronous transmit packets on cycle loss
  firewire: net: fix panic in fwnet_write_complete
2010-02-15 19:54:54 -08:00
Linus Torvalds
d277993f78 Merge branch 'fix/hda' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6
* 'fix/hda' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
  ALSA: hda - Correct ASUA blacklist for MSI brokenness
2010-02-15 19:54:18 -08:00
Chuck Lever
65d269538a NFS: Too many GETATTR and ACCESS calls after direct I/O
The cached read and write paths initialize fattr->time_start in their
setup procedures.  The value of fattr->time_start is propagated to
read_cache_jiffies by nfs_update_inode().  Subsequent calls to
nfs_attribute_timeout() will then use a good time stamp when
computing the attribute cache timeout, and squelch unneeded GETATTR
calls.

Since the direct I/O paths erroneously leave the inode's
fattr->time_start field set to zero, read_cache_jiffies for that inode
is set to zero after any direct read or write operation.  This
triggers an otw GETATTR or ACCESS call to update the file's attribute
and access caches properly, even when the NFS READ or WRITE replies
have usable post-op attributes.

Make sure the direct read and write setup code performs the same fattr
initialization as the cached I/O paths to prevent unnecessary GETATTR
calls.

This was likely introduced by commit 0e574af1 in 2.6.15, which appears
to add new nfs_fattr_init() call sites in the cached read and write
paths, but not in the equivalent places in fs/nfs/direct.c.  A
subsequent commit in the same series, 33801147, introduces the
fattr->time_start field.

Interestingly, the direct write reschedule path already has a call to
nfs_fattr_init() in the right place.

Reported-by: Quentin Barnes <qbarnes@yahoo-inc.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Cc: stable@kernel.org
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2010-02-15 19:53:43 -08:00
Linus Torvalds
7d0bab9dfe Merge branch 'timers-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip
* 'timers-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
  hrtimer, softirq: Fix hrtimer->softirq trampoline
2010-02-15 19:52:12 -08:00
Linus Torvalds
0aa2ca9ae1 Merge branch 'reiserfs/kill-bkl' of git://git.kernel.org/pub/scm/linux/kernel/git/frederic/random-tracing
* 'reiserfs/kill-bkl' of git://git.kernel.org/pub/scm/linux/kernel/git/frederic/random-tracing:
  reiserfs: Fix softlockup while waiting on an inode
2010-02-15 19:51:45 -08:00