NeilBrown [Tue, 1 Dec 2009 06:30:59 +0000 (17:30 +1100)]
md: revert incorrect fix for read error handling in raid1.
commit 4706b349f was a forward port of a fix that was needed
for SLES10. But in fact it is not needed in mainline because
the earlier commit dd00a99e7a fixes the same problem in a
better way.
Further, this commit introduces a bug in the way it interacts with
the automatic read-error-correction. If, after a read error is
successfully corrected, the same disk is chosen to re-read - the
re-read won't be attempted but an error will be returned instead.
After reverting that commit, there is the possibility that a
read error on a read-only array (where read errors cannot
be corrected as that requires a write) will repeatedly read the same
device and continue to get an error.
So in the "Array is readonly" case, fail the drive immediately on
a read error.
Michael Cree [Tue, 1 Dec 2009 03:44:40 +0000 (22:44 -0500)]
Alpha: Rearrange thread info flags fixing two regressions
The removal of the TIF_NOTIFY_RESUME flag, commit a583f1b54249b
"remove unused TIF_NOTIFY_RESUME flag," resulted in incorrect
setting of the unaligned access control flags by the prctl syscall.
The re-addition of the TIF_NOTIFY_RESUME flag, commit d0420c83f39f
"KEYS: Extend TIF_NOTIFY_RESUME to (almost) all architectures [try #6]"
further caused problems, namely incorrect operands to assembler code
as evidenced by:
AS arch/alpha/kernel/entry.o
arch/alpha/kernel/entry.S: Assembler messages:
arch/alpha/kernel/entry.S:326: Warning: operand out of range
(0x0000000000000406 is not between 0x0000000000000000 and
0x00000000000000ff)
Both regressions fixed by (1) rearranging TIF_NOTIFY_RESUME flag to be
in lower 8 bits of the thread info flags, and (2) making sure that
ALPHA_UAC_SHIFT matches the rearrangement of the thread info flags.
Gernot Hillier [Fri, 27 Nov 2009 12:49:23 +0000 (13:49 +0100)]
USB: Add support for Mobilcom Debitel USB UMTS Surf-Stick to option driver
This patch adds the vendor and device id for the Mobilcom Debitel UMTS surf
stick (a.k.a. 4G Systems XSStick W14, MobiData MBD-200HU, ...).
To see these ids, you need to switch the stick to modem operation first
with the help of usb_modeswitch. This makes it switch from 1c9e:f000 to
1c9e:9603 and thus be recognized by the option driver.
Oliver Neukum [Fri, 27 Nov 2009 14:17:59 +0000 (15:17 +0100)]
USB: work around for EHCI with quirky periodic schedules
a quirky chipset needs periodic schedules to run for a minimum
time before they can be disabled again. This enforces the requirement
with a time stamp and a calculated delay
Daniel Glöckner [Tue, 17 Nov 2009 09:52:57 +0000 (15:22 +0530)]
USB: musb: Fix CPPI IRQs not being signaled
On tx channel abort a cppi interrupt is generated for a short time by
setting the lowest bit of the TCPPICOMPPTR register. It is then reset
immediately by clearing the bit. When the interrupt handler is run,
it does not detect an interrupt in the TCPPIMSKSR or RCPPIMSKSR
registers and thus exits early without writing the TCPPIEOIR register.
It appears that this inhibits further cppi interrupts until the handler
is called by chance, f.ex. from davinci_interrupt().
By moving the unmasking of the interrupt below the writes to
TCPPICOMPPTR, no interrupt is generated and no write to TCPPIEOIR is
necessary.
Daniel Glöckner [Tue, 17 Nov 2009 09:52:56 +0000 (15:22 +0530)]
USB: musb: respect usb_request->zero in control requests
In gadget mode the answer to a control request should be followed by
a zero-length packet if the amount transferred is an exact multiple of
the endpoint's packet size and the requests has its "zero" flag set.
This patch prevents the request from being immediately removed from the
queue when a control IN transfer ends on a full packet and "zero" is set.
The next time ep0_txstate is entered, a zero-length packet is queued and
the request is removed as fifo_count is 0.
Thomas Dahlmann [Tue, 17 Nov 2009 22:18:27 +0000 (14:18 -0800)]
usb: amd5536udc: fixed shared interrupt bug and warning oops
- fixed shared interrupt bug reported by Vadim Lobanov
- fixed possible warning oops on driver unload when connected
- prevent interrupt flood in PIO mode ("modprobe amd5536udc use_dma=0")
when using gadget ether
USB: ftdi_sio: Keep going when write errors are encountered.
The use of urb->actual_length to update tx_outstanding_bytes
implicitly assumes that the number of bytes actually written is the
same as the number of bytes we tried to write. On error that
assumption is violated so just use transfer_buffer_length the number
of bytes we intended to write to the device.
If an error occurs we need to fall through and call
usb_serial_port_softint to wake up processes waiting in
tty_wait_until_sent.
Sergei Shtylyov [Wed, 18 Nov 2009 19:51:18 +0000 (22:51 +0300)]
USB: musb_gadget: fix STALL handling
The driver incorrectly cancels the mass-storage device CSW request
(which leads to device reset) due to giving back URB at the head of
endpoint's queue after sending each STALL handshake; stop doing that
and start checking for the queue being non-empty before stalling an
endpoint and disallowing stall in such case in musb_gadget_set_halt()
like the other gadget drivers do.
Moreover, the driver starts Rx request despite of the endpoint being
halted -- fix this by moving the SendStall bit check from musb_g_rx()
to rxstate(). And we also sometimes get into rxstate() with DMA still
active after clearing an endpoint's halt (not clear why), so bail out
in this case, similarly to what txstate() does...
While at it, also do the following changes :
- in musb_gadget_set_halt(), remove pointless Tx FIFO flushing (the
driver does not allow stalling with non-empty Tx FIFO anyway);
- in rxstate(), stop pointlessly zeroing the 'csr' variable;
- in musb_gadget_set_halt(), move the 'done' label to a more proper
place;
- in musb_g_rx(), eliminate the 'done' label completely...
Alan Stern [Wed, 18 Nov 2009 16:37:15 +0000 (11:37 -0500)]
USB: EHCI: don't send Clear-TT-Buffer following a STALL
This patch (as1304) fixes a regression in ehci-hcd. Evidently some
hubs don't handle Clear-TT-Buffer requests correctly, so we should
avoid sending them when they don't appear to be absolutely necessary.
The reported symptom is that output on a downstream audio device cuts
out because the hub stops relaying isochronous packets.
The patch prevents Clear-TT-Buffer requests from being sent following
a STALL handshake. In theory a STALL indicates either that the
downstream device sent a STALL or that no matching TT buffer could be
found. In either case, the transfer is completed and the TT buffer
does not remain busy, so it doesn't need to be cleared.
Also, the patch fixes a minor flaw in the code that actually sends the
Clear-TT-Buffer requests. Although the pipe direction isn't really
used for control transfers, it should be a Send rather than a Receive.
Haiyang Zhang [Fri, 20 Nov 2009 16:29:17 +0000 (16:29 +0000)]
Staging: hv: Fix vmbus event handler bug
The flag ENABLE_POLLING is always enabled in original Makefile, but
accidently removed during porting to mainline kernel. The patch fixes
this bug which can cause stalled network communication. Credit needs to
go to Eric Sesterhenn <[email protected]> For pointing out a
typo in the original code as well.
Michal Simek [Tue, 24 Nov 2009 10:22:41 +0000 (10:22 +0000)]
tty/of_serial: add missing ns16550a id
Many boards have a bug-free ns16550 compatible serial port, which we should
register as PORT_16550A. This introduces a new value "ns16550a" for the
compatible property of of_serial to let a firmware choose that model instead
of using the crippled PORT_16550 mode.
* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
crypto: gcm - fix another complete call in complete fuction
crypto: padlock-aes - Use the correct mask when checking whether copying is required
* git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6:
[CIFS] Fix sparse warning
[CIFS] Duplicate data on appending to some Samba servers
[CIFS] fix oops in cifs_lookup during net boot
Linus Torvalds [Mon, 30 Nov 2009 22:50:44 +0000 (14:50 -0800)]
Merge branch 'i2c-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging
* 'i2c-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging:
at24: Use timeout also for read
i2c: Fix userspace_device list corruption
MAINTAINERS: Add missing i2c files
i2c/tsl2550: Fix lux value in extended mode
Linus Torvalds [Mon, 30 Nov 2009 22:50:01 +0000 (14:50 -0800)]
Merge branch 'for-linus' of master.kernel.org:/home/rmk/linux-2.6-arm
* 'for-linus' of master.kernel.org:/home/rmk/linux-2.6-arm:
[ARM] Update mach-types
ARM: 5793/1: ARM: Check put_user fail in do_signal when enable OABI_COMPAT
MAINTAINERS: add maintainer information for AMBA primecell drivers
[ARM] pxa/spitz: fix compile regression on spitz
ARM: PNX4008: i2c-pnx: use the same dev_id for request_irq and free_irq
[ARM] pxa/cpufreq: fix index assignments for end marker
ARM: PNX4008: fix watchdog device driver name
[ARM] kmap: fix build errors with DEBUG_HIGHMEM enabled
Becky Bruce [Mon, 23 Nov 2009 12:28:53 +0000 (12:28 +0000)]
powerpc: Fix DEBUG_HIGHMEM build break from d4515646699
Code was added to mm/higmem.c that depends on several
kmap types that powerpc does not support. We add dummy
invalid definitions for KM_NMI, KM_NM_PTE, and KM_IRQ_PTE.
According to list discussion, this fix should not be needed
anymore starting with 2.6.33. The code is commented to this
effect so hopefully we will remember to remove this.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc-2.6:
sunsu: Use sunserial_console_termios() in sunsu_console_setup().
sunsu: Pass true 'ignore_line' to console match when RSC or LOM console.
serial: suncore: Fix RSC/LOM handling in sunserial_console_termios().
serial: suncore: Add 'ignore_line' argument to sunserial_console_match().
sunsu: Fix detection of SU ports which are RSC console or control.
sunsab: Do not set sunsab_reg.cons right before registering minors.
sparc64: Fix definition of VMEMMAP_SIZE.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (42 commits)
b44: Fix wedge when using netconsole.
wan: cosa: drop chan->wsem on error path
ep93xx-eth: check for zero MAC address on probe, not on device open
NET: smc91x: Fix irq flags
smsc9420: prevent BUG() if ethtool is called with interface down
r8169: restore mac addr in rtl8169_remove_one and rtl_shutdown
ipv4: additional update of dev_net(dev) to struct *net in ip_fragment.c, NULL ptr OOPS
e100: Use pci pool to work around GFP_ATOMIC order 5 memory allocation failure
sctp: on T3_RTX retransmit all the in-flight chunks
pktgen: Fix netdevice unregister
macvlan: fix gso_max_size setting
rfkill: fix miscdev ops
ath9k: set ps_default as false
hso: fix soft-lockup
hso: fix debug routines
pktgen: Fix device name compares
stmmac: do not fail when the timer cannot be used.
stmmac: fixed a compilation error when use the external timer
netfilter: xt_limit: fix invalid return code in limit_mt_check()
Au1x00: fix crash when trying register_netdev()
...
Linus Torvalds [Mon, 30 Nov 2009 21:58:23 +0000 (13:58 -0800)]
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6:
firewire: ohci: pass correct iso xmit timestamps to core
firewire: ohci: Make cycleMatch ISO transmission work
Linus Torvalds [Mon, 30 Nov 2009 21:57:03 +0000 (13:57 -0800)]
Merge branch 'for-linus' of git://git.kernel.dk/linux-2.6-block
* 'for-linus' of git://git.kernel.dk/linux-2.6-block:
cciss: make device attrs static
Thaw refrigerated bdi flusher threads before invoking kthread_stop on them
Linus Torvalds [Mon, 30 Nov 2009 21:56:21 +0000 (13:56 -0800)]
Merge branch 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-acpi-2.6
* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-acpi-2.6:
acerhdf: return temperature in milidegree instead of degree
thinkpad-acpi: fix detection of old ThinkPads
thinkpad-acpi: fix sign of ERESTARTSYS return
ACPI: Add Thinkpad T400, T500 to OSI(Linux) white-list
ACPICA: Silence the warning about _BIF returning the buffer
ACPI: DMI init_set_sci_en_on_resume for HP-Compaq C700
Linus Torvalds [Mon, 30 Nov 2009 21:54:10 +0000 (13:54 -0800)]
Merge branch 'drm-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6
* 'drm-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
drm/fb: fix FBIOGET/PUT_VSCREENINFO pixel clock handling
drm: make sure page protections are updated after changing vm_flags
drm/radeon/kms: Report vga connector is connected according to ddc_probe
drm: mm always protect change to unused_nodes with unused_lock spinlock
drm/radeon/kms: Disable TV load detect on RS400,RC410,RS480
drm/radeon/kms: read back register before writing in IIO.
drm/radeon/kms: fix handling of d1/d2 vga
drm: work around EDIDs with bad htotal/vtotal values
drm/radeon/kms: resume AGP by calling init.
Linus Torvalds [Mon, 30 Nov 2009 21:53:14 +0000 (13:53 -0800)]
Merge branch 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus
* 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus:
Staging: octeon-ethernet: Assign proper MAC addresses.
Staging: Octeon: Use symbolic values for irq numbers.
MIPS: Octeon: Fix compile error in drivers/staging/octeon/ethernet-mdio.c
David Woodhouse [Mon, 30 Nov 2009 09:06:40 +0000 (09:06 +0000)]
jffs2: Fix memory corruption in jffs2_read_inode_range()
In 2.6.23 kernel, commit a32ea1e1f925399e0d81ca3f7394a44a6dafa12c
("Fix read/truncate race") fixed a race in the generic code, and as a
side effect, now do_generic_file_read() can ask us to readpage() past
the i_size. This seems to be correctly handled by the block routines
(e.g. block_read_full_page() fills the page with zeroes in case if
somebody is trying to read past the last inode's block).
JFFS2 doesn't handle this; it assumes that it won't be asked to read
pages which don't exist -- and thus that there will be at least _one_
valid 'frag' on the page it's being asked to read. It will fill any
holes with the following memset:
When the 'closest smaller match' returned by jffs2_lookup_node_frag() is
actually on a previous page and ends before 'offset', that results in:
memset(buf, 0, <huge unsigned negative>);
Hopefully, in most cases the corruption is fatal, and quickly causing
random oopses, like this:
[email protected]:~/ltp-fs-20090531# ./testcases/kernel/fs/ftest/ftest01
Unable to handle kernel paging request for data at address 0x00000008
Faulting instruction address: 0xc01cd980
Oops: Kernel access of bad area, sig: 11 [#1]
[...]
NIP [c01cd980] rb_insert_color+0x38/0x184
LR [c0043978] enqueue_hrtimer+0x88/0xc4
Call Trace:
[c6c63b60] [c004f9a8] tick_sched_timer+0xa0/0xe4 (unreliable)
[c6c63b80] [c0043978] enqueue_hrtimer+0x88/0xc4
[c6c63b90] [c0043a48] __run_hrtimer+0x94/0xbc
[c6c63bb0] [c0044628] hrtimer_interrupt+0x140/0x2b8
[c6c63c10] [c000f8e8] timer_interrupt+0x13c/0x254
[c6c63c30] [c001352c] ret_from_except+0x0/0x14
--- Exception: 901 at memset+0x38/0x5c
LR = jffs2_read_inode_range+0x144/0x17c
[c6c63cf0] [00000000] (null) (unreliable)
This patch fixes the issue, plus fixes all LTP tests on NAND/UBI with
JFFS2 filesystem that were failing since 2.6.23 (seems like the bug
above also broke the truncation).
* git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-2.6-fscache: (31 commits)
FS-Cache: Provide nop fscache_stat_d() if CONFIG_FSCACHE_STATS=n
SLOW_WORK: Fix GFS2 to #include <linux/module.h> before using THIS_MODULE
SLOW_WORK: Fix CIFS to pass THIS_MODULE to slow_work_register_user()
CacheFiles: Don't log lookup/create failing with ENOBUFS
CacheFiles: Catch an overly long wait for an old active object
CacheFiles: Better showing of debugging information in active object problems
CacheFiles: Mark parent directory locks as I_MUTEX_PARENT to keep lockdep happy
CacheFiles: Handle truncate unlocking the page we're reading
CacheFiles: Don't write a full page if there's only a partial page to cache
FS-Cache: Actually requeue an object when requested
FS-Cache: Start processing an object's operations on that object's death
FS-Cache: Make sure FSCACHE_COOKIE_LOOKING_UP cleared on lookup failure
FS-Cache: Add a retirement stat counter
FS-Cache: Handle pages pending storage that get evicted under OOM conditions
FS-Cache: Handle read request vs lookup, creation or other cache failure
FS-Cache: Don't delete pending pages from the page-store tracking tree
FS-Cache: Fix lock misorder in fscache_write_op()
FS-Cache: The object-available state can't rely on the cookie to be available
FS-Cache: Permit cache retrieval ops to be interrupted in the initial wait phase
FS-Cache: Use radix tree preload correctly in tracking of pages to be stored
...
x = \(kmalloc\|kcalloc\|kzalloc\)(...);
... when != x == NULL
when != x != NULL
when != (x || ...)
(
kfree(x)
f(...,C,...,x,...)
|
*f(...,x,...)
|
*x->f
)
// </smpl>
Johannes Berg [Sun, 22 Nov 2009 11:28:41 +0000 (12:28 +0100)]
mac80211: fix spurious delBA handling
Lennert Buytenhek noticed that delBA handling in mac80211
was broken and has remotely triggerable problems, some of
which are due to some code shuffling I did that ended up
changing the order in which things were done -- this was
mac80211: A-MPDU Tx add delBA from recipient support
The first problem is that I moved a BUG_ON before various
checks -- thereby making it possible to hit. As the comment
indicates, the BUG_ON can be removed since the ampdu_action
callback must already exist when the state is != IDLE.
The second problem isn't easily exploitable but there's a
race condition due to unconditionally setting the state to
OPERATIONAL when a delBA frame is received, even when no
aggregation session was ever initiated. All the drivers
accept stopping the session even then, but that opens a
race window where crashes could happen before the driver
accepts it. Right now, a WARN_ON may happen with non-HT
drivers, while the race opens only for HT drivers.
For this case, there are two things necessary to fix it:
1) don't process spurious delBA frames, and be more careful
about the session state; don't drop the lock
2) HT drivers need to be prepared to handle a session stop
even before the session was really started -- this is
true for all drivers (that support aggregation) but
iwlwifi which can be fixed easily. The other HT drivers
(ath9k and ar9170) are behaving properly already.
Johannes Berg [Fri, 20 Nov 2009 08:15:51 +0000 (09:15 +0100)]
mac80211: fix two remote exploits
Lennert Buytenhek noticed a remotely triggerable problem
in mac80211, which is due to some code shuffling I did
that ended up changing the order in which things were
done -- this was in
Florian Fainelli [Sat, 28 Nov 2009 13:57:00 +0000 (13:57 +0000)]
ep93xx-eth: check for zero MAC address on probe, not on device open
If we happen to have registered the driver without passing
a MAC address, we will print a zero MAC address and register
the interface with this invalid address, this is confusin. This
patch moves the checking of a valid ethernet address and the
generation of a random one down from the open function to
the probe function.
smc91x.h defines SMC_IRQ_FLAGS to be -1 when it wants the interrupt
flags to be taken from the resource structure. However, d280ead
changed this to checking for non-zero resource flags.
Unfortunately, this means that on some platforms, we end up passing
'-1' to request_irq rather than the desired result. Combine the two
conditions into one so that the IRQ flags are taken from the resource
if either SMC_IRQ_FLAGS is -1 or the resource flags specify an
interrupt trigger.
This restores network on at least the Versatile platform.
smsc9420: prevent BUG() if ethtool is called with interface down
This patch fixes a null pointer dereference BUG() if ethtool is used on
an smsc9420 interface while it is down, because the phy_dev is only
allocated while the interface is up.
Ivan Vecera [Mon, 30 Nov 2009 07:12:52 +0000 (23:12 -0800)]
r8169: restore mac addr in rtl8169_remove_one and rtl_shutdown
The newer chipsets (all PCI-E) are known that they need full power cycle
(AC or battery removal) to reset MAC address to a hardwired one. Previous
patch to address this problem loads the original MAC address from EEPROM.
But it brought other problem for which it is necessary to introduce a new
module parameter.
However, it might suffice to restore the initial MAC address before
shutdown/reboot/kexec and when removing the module.
David Ford [Mon, 30 Nov 2009 07:02:22 +0000 (23:02 -0800)]
ipv4: additional update of dev_net(dev) to struct *net in ip_fragment.c, NULL ptr OOPS
ipv4 ip_frag_reasm(), fully replace 'dev_net(dev)' with 'net', defined
previously patched into 2.6.29.
Between 2.6.28.10 and 2.6.29, net/ipv4/ip_fragment.c was patched,
changing from dev_net(dev) to container_of(...). Unfortunately the goto
section (out_fail) on oversized packets inside ip_frag_reasm() didn't
get touched up as well. Oversized IP packets cause a NULL pointer
dereference and immediate hang.
I discovered this running openvasd and my previous email on this is
titled: NULL pointer dereference at 2.6.32-rc8:net/ipv4/ip_fragment.c:566
Roger Oksanen [Mon, 30 Nov 2009 01:17:29 +0000 (17:17 -0800)]
e100: Use pci pool to work around GFP_ATOMIC order 5 memory allocation failure
pci_alloc_consistent uses GFP_ATOMIC allocation that may fail on some systems
with limited memory (Bug #14265). pci_pool_alloc allows waiting with
GFP_KERNEL.
Avi Kivity [Sun, 29 Nov 2009 14:34:48 +0000 (16:34 +0200)]
core: Fix user return notifier on fork()
fork() clones all thread_info flags, including
TIF_USER_RETURN_NOTIFY; if the new task is first scheduled on a cpu
which doesn't have user return notifiers set, this causes user
return notifiers to trigger without any way of clearing itself.
This is easy to trigger with a forky workload on the host in
parallel with kvm, resulting in a cpu in an endless loop on the
verge of returning to userspace.
Fix by dropping the TIF_USER_RETURN_NOTIFY immediately after fork.
Alan Stern [Wed, 25 Nov 2009 00:06:37 +0000 (01:06 +0100)]
PM: fix irq enable/disable in runtime PM code
This patch (as1305) fixes a bug in the irq-enable settings and removes
some related overhead in the runtime PM code.
In __pm_runtime_resume(), within the scope of the original
spin_lock_irq(), we know that irqs are disabled. There's no
reason to go through a pair of enable/disable cycles when
acquiring and releasing the parent's lock.
In __pm_runtime_set_status(), irqs are already disabled when
the parent's lock is acquired, and they must remain disabled
when it is released.
sctp: on T3_RTX retransmit all the in-flight chunks
When retransmitting due to T3 timeout, retransmit all the
in-flight chunks for the corresponding transport/path, including
chunks sent less then 1 rto ago.
This is the correct behaviour according to rfc4960 section 6.3.3
E3 and
"Note: Any DATA chunks that were sent to the address for which the
T3-rtx timer expired but did not fit in one MTU (rule E3 above)
should be marked for retransmission and sent as soon as cwnd
allows (normally, when a SACK arrives). ".
This fixes problems when more then one path is present and the T3
retransmission of the first chunk that timeouts stops the T3 timer
for the initial active path, leaving all the other in-flight
chunks waiting forever or until a new chunk is transmitted on the
same path and timeouts (and this will happen only if the cwnd
allows sending new chunks, but since cwnd was dropped to MTU by
the timeout => it will wait until the first heartbeat).
Example: 10 packets in flight, sent at 0.1 s intervals on the
primary path. The primary path is down and the first packet
timeouts. The first packet is retransmitted on another path, the
T3 timer for the primary path is stopped and cwnd is set to MTU.
All the other 9 in-flight packets will not be retransmitted
(unless more new packets are sent on the primary path which depend
on cwnd allowing it, and even in this case the 9 packets will be
retransmitted only after a new packet timeouts which even in the
best case would be more then RTO).
p.s The problem is not only when multiple paths are there. It
can happen in a single homed environment. If the application
stops sending data, it possible to have a hung association.
Alan Cox [Thu, 26 Nov 2009 15:22:11 +0000 (12:22 -0300)]
V4L/DVB (13530): Fix wrong parameter order in memset
Edwin Török found the following:
In function ‘memset’,
inlined from ‘ir_input_init’ at drivers/media/common/ir-functions.c:67:
/home/edwin/builds/linux-2.6/arch/x86/include/asm/string_64.h:61:
warning: call to ‘__warn_memset_zero_len’ declared with attribute
warning: memset used with constant zero length parameter; this could be
due to transposed parameters
memset(ir->ir_codes, sizeof(ir->ir_codes), 0);
In actual practice the only caller I can find happens to already have cleared
the buffer before calling ir_input_init.
V4L/DVB (13412): SMS_SIANO_MDTV should depend on HAS_DMA
When building for Sun 3:
drivers/built-in.o: In function `smscore_unregister_device':
drivers/media/dvb/siano/smscoreapi.c:723: undefined reference to `dma_free_coherent'
drivers/built-in.o: In function `smscore_register_device':
drivers/media/dvb/siano/smscoreapi.c:365: undefined reference to `dma_alloc_coherent'
Csaba Henk [Fri, 27 Nov 2009 14:00:14 +0000 (19:30 +0530)]
fuse: reject O_DIRECT flag also in fuse_create
The comment in fuse_open about O_DIRECT:
"VFS checks this, but only _after_ ->open()"
also holds for fuse_create, however, the same kind of check was missing there.
As an impact of this bug, open(newfile, O_RDWR|O_CREAT|O_DIRECT) fails, but a
stub newfile will remain if the fuse server handled the implied FUSE_CREATE
request appropriately.
Other impact: in the above situation ima_file_free() will complain to open/free
imbalance if CONFIG_IMA is set.
The vpif_config struct was renamed to vpif_display_config, but there
is still a stray vpif_config *config pointer in vpif_display.c, preventing
it from compiling.
V4L/DVB (13344): soc-camera: properly initialise the device object when reusing
Commit ef373189f62413803b7b816c972fc154c488cdc0 "fix use-after-free Oops,
resulting from a driver-core API change" fixed the Oops, but didn't correct
missing device object initialisation. This patch makes unloading and reloading
of soc-camera host- and client-drivers possible again.
Alexey Kuznetsov [Tue, 17 Nov 2009 22:10:11 +0000 (14:10 -0800)]
[SCSI] fix crash when disconnecting usb storage
__scsi_remove_device() in scsi_forget_host() is executed out of scan_mutex
and races with scsi_destroy_sdev() <- scsi_sysfs_add_devices() <-
scsi_finish_async_scan(). The result is use after free and/or double
free, oops.
The fix is simple, move scsi_forget_host() under scan_mutex.
scsi_forget_host() is just sequence of __scsi_remove_device(). All
another calls of __scsi_remove_device() are made under scan_mutex. So
that it is safe.
James Bottomley [Thu, 19 Nov 2009 22:48:29 +0000 (17:48 -0500)]
[SCSI] fix async scan add/remove race resulting in an oops
Async scanning introduced a very wide window where the SCSI device is
up and running but has not yet been added to sysfs. We delay the
adding until all scans have completed to retain the same ordering as
sync scanning.
This delay in visibility causes an oops if a device is removed before
we make it visible because the SCSI removal routines have an inbuilt
assumption that if a device is in SDEV_RUNNING state, it must be
visible (which is not necessarily true in the async scanning case).
Fix this by introducing an additional is_visible flag which we can use
to condition the tear down so we do the right thing for running but
not yet made visible.
sd_dif.c was not updated to return -EILSEQ, leading to error handling
failures in applications which provide their own integrity metadata (as
opposed to being protected by the block layer functions).
Wolfram Sang [Thu, 26 Nov 2009 08:22:33 +0000 (09:22 +0100)]
at24: Use timeout also for read
Writes may take some time on EEPROMs, so for consecutive writes, we already
have a loop waiting for the EEPROM to become ready. Use such a loop for reads,
too, in case somebody wants to immediately read after a write. Detailed bug
report and test case can be found here:
Jean Delvare [Thu, 26 Nov 2009 08:22:33 +0000 (09:22 +0100)]
i2c: Fix userspace_device list corruption
Fix userspace_device list corruption. The corruption was caused by
clients not being removed when adapters with such clients were
themselves removed. Something like the following would trigger it
(assuming i2c-stub gets adapter number 3):
According to the TAOS Application Note 'Controlling a Backlight with
the TSL2550 Ambient Light Sensor' (page 14), the actual lux value in
extended mode should be obtained multiplying the calculated lux value
by 5.
Keysyms stored in key_map[] are not simply K() values, but U(K()) values,
as can be seen in the KDSKBENT ioctl handler. The kernel-generated
braille keysyms thus need a U() call too.
Hemant Pedanekar [Wed, 25 Nov 2009 23:04:54 +0000 (15:04 -0800)]
ide: fix ioctl to pass requested transfer mode to ide_find_dma_mode instead of UDMA6
Currently, ide_cmd_ioctl when invoked for setting DMA transfer mode calls
ide_find_dma_mode with requested mode as XFER_UDMA_6. This prevents setting DMA
mode to any other value than the default (maximum) supported by the device (or
UDMA6, if supported) irrespective of the actual requested transfer mode and
returns error.
For example, setting mode to UDMA2 using hdparm, where UDMA4 is the default
transfer mode gives following error:
# ./hdparm -d1 -Xudma2 /dev/hda
/dev/hda:hda: UDMA/66 mode selected
setting using_dma to 1 (on)
hda: UDMA/66 mode selected
setting xfermode to 66 (UltraDMA mode2)
HDIO_DRIVE_CMD(setxfermode) failed: Invalid argument
using_dma = 1 (on)
Zhenyu Wang [Wed, 11 Nov 2009 02:30:50 +0000 (02:30 +0000)]
drm/i915: Fix CRT hotplug detect by checking really no channels attached
For CRT hotplug detect status, we have four test results as blue
channel only, green channel only, both blue and green channel, and
no channel attached. Origin code only marks both blue and green channel
case as connected, but ignore other possible connected states. This one
trys to detect CRT by checking no channel attached case instead.
Graf Yang [Mon, 21 Sep 2009 11:51:31 +0000 (11:51 +0000)]
Blackfin: fix SMP build error in start_thread()
Commit d5ce528c8e46fa5afb9 (Blackfin: convert irq/process to asm-generic)
incorrectly merged the smp and non-smp cases of start_thread() causing the
L1 stack to be setup on the SMP port instead of the UP port.
projects / linux.git / log