sound/usb/pcm.c::snd_usb_pcm_check_knot() fails to check the return value
from kmalloc() and may end up dereferencing a null pointer.
The patch below (compile tested only) should take care of that little
problem.
Signed-off-by: Jesper Juhl <jj@chaosbits.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
This fixes an erroneous use of LSB first in the U300 machine, the
PL022 used in U300 is a standard ARM core that doesn't support this
bit so it should never have been set.
Cc: Kevin Wells <wellsk40@gmail.com>OA
Signed-off-by: Linus Walleij <linus.walleij@stericsson.com>
Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
We were forgetting to set up proper return value in success path causing
ir_getkeycode() to fail intermittently:
drivers/media/IR/ir-keytable.c: In function 'ir_getkeycode':
drivers/media/IR/ir-keytable.c:363: warning: 'retval' may be used
uninitialized in this function
Reported-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* 'i2c-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jdelvare/staging:
i2c-i801: Add PCI idents for Patsburg 'IDF' SMBus controllers
i2c-i801: Handle multiple instances instead of keeping global state
i2c-i801: Add Intel Patsburg device ID
i2c: Drop unused I2C_CLASS_TV flags
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
Input: appletouch - remove extra KERN_DEBUG use from dprintk
Input: bu21013_ts - fix null dereference in error handling
Input: ad7879 - prevent invalid finger data reports
* git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-misc-2.6: (70 commits)
[SCSI] pmcraid: add support for set timestamp command and other fixes
[SCSI] pmcraid: remove duplicate struct member
[SCSI] qla4xxx: Fix cmd check in qla4xxx_cmd_wait
[SCSI] megaraid_sas: Version and documentation update
[SCSI] megaraid_sas: Add three times Online controller reset
[SCSI] megaraid_sas: Add input parameter for max_sectors
[SCSI] megaraid_sas: support devices update flag
[SCSI] libosd: write/read_sg_kern API
[SCSI] libosd: Support for scatter gather write/read commands
[SCSI] libosd: Free resources in reverse order of allocation
[SCSI] libosd: Fix bug in attr_page handling
[SCSI] lpfc 8.3.18: Update lpfc driver version to 8.3.18
[SCSI] lpfc 8.3.18: Add new WQE support
[SCSI] lpfc 8.3.18: Fix critical errors
[SCSI] lpfc 8.3.18: Adapter Shutdown and Unregistration cleanup
[SCSI] lpfc 8.3.18: Add logic to detect last devloss timeout
[SCSI] lpfc 8.3.18: Add support of received ELS commands
[SCSI] lpfc 8.3.18: FC/FCoE Discovery fixes
[SCSI] ipr: add definitions for a new adapter
[SCSI] bfa: fix comments for c files
...
* 'irq-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
genirq: Fix up irq_node() for irq_data changes.
genirq: Add single IRQ reservation helper
genirq: Warn if enable_irq is called before irq is set up
* 'core-locking-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
semaphore: Remove mutex emulation
staging: Final semaphore cleanup
jbd2: Convert jbd2_slab_create_sem to mutex
hpfs: Convert sbi->hpfs_creation_de to mutex
Fix up trivial change/delete conflicts with deleted 'dream' drivers
(drivers/staging/dream/camera/{mt9d112.c,mt9p012_fox.c,mt9t013.c,s5k3e2fx.c})
These are the extra 'Integrated Device Function' SMBus controllers found
on the Patsburg chipset. Mention the absence of slave mode support.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
It's poor form to keep driver state in global variables rather than
per-instance. It never really mattered in practice when there was only
one controller on the chipset, but the latest chipsets do have more
than one controller, so now we care.
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Add support for the Intel Patsburg PCH SMBus Controller.
Signed-off-by: Seth Heasley <seth.heasley@intel.com>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
While validating the configuration em_ops is already set, thus the
individual destroy functions are called, but the ematch data has
not been allocated and associated with the ematch yet.
Signed-off-by: Thomas Graf <tgraf@infradead.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Its now illegal to call netif_stop_queue() before register_netdev()
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Amit Kumar Salecha <amit.salecha@qlogic.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Its now illegal to call netif_stop_queue() before register_netdev()
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Guo-Fu Tseng <cooldavid@cooldavid.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Now when the SH-Mobile ARM platforms have been converted
to use device name it is possible to remove "clk" from
struct sh_timer_config.
Signed-off-by: Magnus Damm <damm@opensource.se>
Signed-off-by: Paul Mundt <lethal@linux-sh.org>
This one was only used for a nasty hack in nfsd, which has recently
been removed.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
The caller allocated it, the caller should free it.
The only issue so far is that we could change the flp pointer even on an
error return if the fl_change callback failed. But we can simply move
the flp assignment after the fl_change invocation, as the callers don't
care about the flp return value if the setlease call failed.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Commit ffe8018c34 ("initramfs: fix initramfs size calculation") broke
32-bit big-endian arches like (on ARAnyM):
VFS: Cannot open root device "hda1" or unknown-block(3,1)
Please append a correct "root=" boot option; here are the available partitions:
fe80 1059408 nfhd8 (driver?)
fe81 921600 nfhd8p1 00000000-0000-0000-0000-000000000nfhd8p1
fe82 137807 nfhd8p2 00000000-0000-0000-0000-000000000nfhd8p2
0200 3280 fd0 (driver?)
0201 3280 fd1 (driver?)
0300 1059408 hda driver: ide-gd
0301 921600 hda1 00000000-0000-0000-0000-000000000hda1
0302 137807 hda2 00000000-0000-0000-0000-000000000hda2
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(3,1)
As pointed out by Kerstin Jonsson <kerstin.jonsson@ericsson.com>, this
is due to CONFIG_32BIT not being defined, so the initramfs size field is
done as a 64-bit quad. On little-endian (like x86) this doesn matter,
but on a big-endian machine the 32-bit reads will see the (zero) high
bits.
Only mips, s390, and score set CONFIG_32BIT for 32-bit builds, so fix it for
all other 32-bit arches by inverting the logic and testing for CONFIG_64BIT,
which should be defined on all 64-bit arches.
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
[ I think we should just make it "u64" on all architectures and get
rid of the whole #ifdef CONFIG_xxBIT - Linus ]
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
isdn: mISDN: socket: fix information leak to userland
netdev: can: Change mail address of Hans J. Koch
pcnet_cs: add new_id
net: Truncate recvfrom and sendto length to INT_MAX.
RDS: Let rds_message_alloc_sgs() return NULL
RDS: Copy rds_iovecs into kernel memory instead of rereading from userspace
RDS: Clean up error handling in rds_cmsg_rdma_args
RDS: Return -EINVAL if rds_rdma_pages returns an error
net: fix rds_iovec page count overflow
can: pch_can: fix section mismatch warning by using a whitelisted name
can: pch_can: fix sparse warning
netxen_nic: Fix the tx queue manipulation bug in netxen_nic_probe
ip_gre: fix fallback tunnel setup
vmxnet: trivial annotation of protocol constant
vmxnet3: remove unnecessary byteswapping in BAR writing macros
ipv6/udp: report SndbufErrors and RcvbufErrors
phy/marvell: rename 88ec048 to 88e1318s and fix mscr1 addr
The NFSv4 server was initializing the dp->dl_flock pointer by the
somewhat ridiculous method of a locks_copy_lock callback.
Now that setlease uses the passed-in lock instead of doing a copy,
dl_flock no longer gets set, resulting in the lock leaking on delegation
release, and later possible hangs (among other problems).
So, initialize dl_flock and get rid of the callback.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
We modified setlease to require the caller to allocate the new lease in
the case of creating a new lease, but forgot to fix up the filesystem
methods.
Cc: Steven Whitehouse <swhiteho@redhat.com>
Cc: Steve French <sfrench@samba.org>
Cc: Trond Myklebust <Trond.Myklebust@netapp.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
We're depending on setlease to free the passed-in lease on failure.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Removing a lock shouldn't require any allocations; a failure due to
ENOMEM leaves the caller with a choice between retrying or giving up and
leaking an unused lease.
Next we should split the other lease calls into add and delete cases.
I wanted to start with just the bugfix.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
The input-large-scancode patches changed the binary search in
drivers/media/IR/ir-keytable.c to use unsigned integers, but
signed integers are actually necessary for the algorithm to work.
Signed-off-by: David Härdeman <david@hardeman.nu>
Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Structure mISDN_devinfo is copied to userland with the field "name"
that has the last elements unitialized. It leads to leaking of
contents of kernel stack memory.
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
My old mail address doesn't exist anymore. This changes all occurrences
to my new address.
Signed-off-by: Hans J. Koch <hjk@hansjkoch.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
pcnet_cs:
add new_id: "corega Ether CF-TD" 10Base-T PCMCIA card.
Signed-off-by: Ken Kawasaki <ken_kawasaki@spring.nifty.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
Even with the previous fix, we still are reading the iovecs once
to determine SGs needed, and then again later on. Preallocating
space for sg lists as part of rds_message seemed like a good idea
but it might be better to not do this. While working to redo that
code, this patch attempts to protect against userspace rewriting
the rds_iovec array between the first and second accesses.
The consequences of this would be either a too-small or too-large
sg list array. Too large is not an issue. This patch changes all
callers of message_alloc_sgs to handle running out of preallocated
sgs, and fail gracefully.
Signed-off-by: Andy Grover <andy.grover@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change rds_rdma_pages to take a passed-in rds_iovec array instead
of doing copy_from_user itself.
Change rds_cmsg_rdma_args to copy rds_iovec array once only. This
eliminates the possibility of userspace changing it after our
sanity checks.
Implement stack-based storage for small numbers of iovecs, based
on net/socket.c, to save an alloc in the extremely common case.
Although this patch reduces iovec copies in cmsg_rdma_args to 1,
we still do another one in rds_rdma_extra_size. Getting rid of
that one will be trickier, so it'll be a separate patch.
Signed-off-by: Andy Grover <andy.grover@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
We don't need to set ret = 0 at the end -- it's initialized to 0.
Also, don't increment s_send_rdma stat if we're exiting with an
error.
Signed-off-by: Andy Grover <andy.grover@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
rds_cmsg_rdma_args would still return success even if rds_rdma_pages
returned an error (or overflowed).
Signed-off-by: Andy Grover <andy.grover@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
As reported by Thomas Pollet, the rdma page counting can overflow. We
get the rdma sizes in 64-bit unsigned entities, but then limit it to
UINT_MAX bytes and shift them down to pages (so with a possible "+1" for
an unaligned address).
So each individual page count fits comfortably in an 'unsigned int' (not
even close to overflowing into signed), but as they are added up, they
might end up resulting in a signed return value. Which would be wrong.
Catch the case of tot_pages turning negative, and return the appropriate
error code.
Reported-by: Thomas Pollet <thomas.pollet@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Andy Grover <andy.grover@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch fixes the following section mismatch warning:
WARNING: drivers/net/can/pch_can.o(.data+0x18):
Section mismatch in reference from the variable pch_can_pcidev
to the variable .devinit.rodata:pch_pci_tbl
The variable pch_can_pcidev references
the variable __devinitconst pch_pci_tbl
This is actually a false positive which is fixed by giving the offending
variable a whitelisted name, it's renamed to "pch_can_pci_driver".
This makes sense because the variable is of the type "struct pci_driver".
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch fixes the following sparse warning:
drivers/net/can/pch_can.c:231:26: warning: incorrect type in argument 1 (different address spaces)
drivers/net/can/pch_can.c:231:26: expected unsigned int [usertype] *addr
drivers/net/can/pch_can.c:231:26: got unsigned int [noderef] <asn:2>*<noident>
Let pch_can_bit_{set,clear} first parameter be a void __iomem pointer.
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
We should not stop the egress queue during probe because it is wrong.
Signed-off-by: Denis Kirjanov <dkirjanov@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Before making the fallback tunnel visible to lookups, we should make
sure it is completely setup, once ipgre_tunnel_init() had been called
and tstats per_cpu pointer allocated.
move rcu_assign_pointer(ign->tunnels_wc[0], tunnel); from
ipgre_fb_tunnel_init() to ipgre_init_net()
Based on a patch from Pavel Emelyanov
Reported-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Noticed by sparse:
drivers/net/vmxnet3/vmxnet3_drv.c:876:38: warning: cast from restricted __be16
drivers/net/vmxnet3/vmxnet3_drv.c:876:38: warning: cast from restricted __be16
drivers/net/vmxnet3/vmxnet3_drv.c:876:24: warning: restricted __be16 degrades to integer
Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
readl/writel swap to little-endian internally.
Signed-off-by: Harvey Harrison <harvey.harrison@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
commit a18135eb93 (Add UDP_MIB_{SND,RCV}BUFERRORS handling.)
forgot to make the necessary changes in net/ipv6/proc.c to report
additional counters in /proc/net/snmp6
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
If the controller is storing a split packet and therefore changing
d->res_count to zero between the two reads by the driver, we end up with
an end pointer that is not at a packet boundary, and therefore overflow
the buffer when handling the split packet.
To fix this, read the field once, atomically. The compiler usually
merges the two reads anyway, but for correctness, we have to enforce it.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Tested-by: Maxim Levitsky <maximlevitsky@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Freeing an AR buffer page just to allocate a new page immediately
afterwards is not only a pointless effort but also dangerous because
the allocation can fail, which would result in an oops later.
Split ar_context_add_page() into two functions so that we can reuse
the old page directly.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Tested-by: Maxim Levitsky <maximlevitsky@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
When handling an AR buffer that has been completely filled, we assumed
that its descriptor will not be read by the controller and can be
overwritten. However, when the last received packet happens to end at
the end of the buffer, the controller might not yet have moved on to the
next buffer and might read the branch address later. If we overwrite
and free the page before that, the DMA context will either go dead
because of an invalid Z value, or go off into some random memory.
To fix this, ensure that the descriptor does not get overwritten by
using only the actual buffer instead of the entire page for reassembling
the split packet. Furthermore, to avoid freeing the page too early,
move on to the next buffer only when some data in it guarantees that the
controller has moved on.
This should eliminate the remaining firewire-net problems.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Cc: 2.6.22-2.6.36 <stable@kernel.org>
Tested-by: Maxim Levitsky <maximlevitsky@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
When the controller had to split a received asynchronous packet into two
buffers, the driver tries to reassemble it by copying both parts into
the first page. However, if size + rest > PAGE_SIZE, i.e., if the yet
unhandled packets before the split packet, the split packet itself, and
any received packets after the split packet are together larger than one
page, then the memory after the first page would get overwritten.
To fix this, do not try to copy the data of all unhandled packets at
once, but copy the possibly needed data every time when handling
a packet.
This gets rid of most of the infamous crashes and data corruptions when
using firewire-net.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Cc: 2.6.22-2.6.36 <stable@kernel.org>
Tested-by: Maxim Levitsky <maximlevitsky@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de> (cast PAGE_SIZE to size_t)
* 'for-linus' of git://git.infradead.org/users/eparis/notify: (22 commits)
Ensure FMODE_NONOTIFY is not set by userspace
make fanotify_read() restartable across signals
fsnotify: remove alignment padding from fsnotify_mark on 64 bit builds
fs/notify/fanotify/fanotify_user.c: fix warnings
fanotify: Fix FAN_CLOSE comments
fanotify: do not recalculate the mask if the ignored mask changed
fanotify: ignore events on directories unless specifically requested
fsnotify: rename FS_IN_ISDIR to FS_ISDIR
fanotify: do not send events for irregular files
fanotify: limit number of listeners per user
fanotify: allow userspace to override max marks
fanotify: limit the number of marks in a single fanotify group
fanotify: allow userspace to override max queue depth
fsnotify: implement a default maximum queue depth
fanotify: ignore fanotify ignore marks if open writers
fanotify: allow userspace to flush all marks
fsnotify: call fsnotify_parent in perm events
fsnotify: correctly handle return codes from listeners
fanotify: use __aligned_u64 in fanotify userspace metadata
fanotify: implement fanotify listener ordering
...
* 'perf-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
jump label: Add work around to i386 gcc asm goto bug
x86, ftrace: Use safe noops, drop trap test
jump_label: Fix unaligned traps on sparc.
jump label: Make arch_jump_label_text_poke_early() optional
jump label: Fix error with preempt disable holding mutex
oprofile: Remove deprecated use of flush_scheduled_work()
oprofile: Fix the hang while taking the cpu offline
jump label: Fix deadlock b/w jump_label_mutex vs. text_mutex
jump label: Fix module __init section race
* 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip:
x86: Check irq_remapped instead of remapping_enabled in destroy_irq()
In fsnotify_open() ensure that FMODE_NONOTIFY is never set by userspace.
Also always call fsnotify_parent and fsnotify.
Signed-off-by: Lino Sanfilippo <LinoSanfilippo@gmx.de>
Signed-off-by: Eric Paris <eparis@redhat.com>
