When IPv6 connection tracking splits up a defragmented packet into
its original fragments, the packets are taken from a list and are
passed to the network stack with skb->next still set. This causes
dev_hard_start_xmit to treat them as GSO fragments, resulting in
a use after free when connection tracking handles the next fragment.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
If a QP being queried is in the RESET state, don't execute the
QUERY_QP firmware command (because it will fail).
Signed-off-by: Dotan Barak <dotanb@mellanox.co.il>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Here is a patch for ehca to use proper flag, ie. GFP_ATOMIC
resp. GFP_KERNEL, when calling get_zeroed_page() to prevent "Bug:
scheduling while atomic...". This error does not cause a kernel panic
but makes ipoib un-usable afterwards. It is reproducible on
2.6.20-rc4 if one does ifconfig down during a flood ping test. I have
not observed this error in earlier releases incl. 2.6.20-rc1.
This error occurs when a qp event/irq is received and ehca event
handler allocates a control block/page to obtain HCA error data block.
Use of GFP_ATOMIC when in interrupt context prevents this issue.
Signed-off-by Hoang-Nam Nguyen <hnguyen@de.ibm.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
* 'linus' of master.kernel.org:/pub/scm/linux/kernel/git/perex/alsa:
[ALSA] version 1.0.14rc1
[ALSA] usbaudio - Fix kobject_add() error at reconnection
[ALSA] usb: usbmixer error path fix
[ALSA] _snd_cmipci_uswitch_put doesn't set zero flags
[ALSA] hda-codec - Fix NULL dereference in generic hda code
[ALSA] hda_intel: ALSA HD Audio patch for Intel ICH9
[ALSA] usb-audio: work around wrong frequency in CM6501 descriptors
[ALSA] Fix potential NULL pointer dereference in echoaudio midi
[ALSA] Audio: Add nvidia HD Audio controllers of MCP67 support to hda_intel.c
* master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6:
[TCP]: Fix iov_len calculation in tcp_v4_send_ack().
[NETFILTER]: nf_conntrack_netbios_ns: fix uninitialized member in expectation
[TG3]: Add PHY workaround for 5755M.
[BNX2]: Update version and reldate.
[BNX2]: Fix bug in bnx2_nvram_write().
[BNX2]: Fix 5709 Serdes detection.
[BNX2]: Don't apply CRC PHY workaround to 5709.
NetLabel: correct CIPSO tag handling when adding new DOI definitions
NetLabel: correct locking in selinux_netlbl_socket_setsid()
[Bluetooth] Correct SCO buffer for Broadcom based Dell laptops
[Bluetooth] Correct SCO buffer for Broadcom based HP laptops
[Bluetooth] Correct SCO buffer size for another ThinkPad laptop
[Bluetooth] Handle device registration failures
[Bluetooth] Fix uninitialized return value for RFCOMM sendmsg()
[Bluetooth] More checks if DLC is still attached to the TTY
[Bluetooth] Add packet size checks for CAPI messages
[X25]: Trivial, SOCK_DEBUG's in x25_facilities missing newlines
[INET]: Fix incorrect "inet_sock->is_icsk" assignment.
* 'merge' of master.kernel.org:/pub/scm/linux/kernel/git/paulus/powerpc:
[POWERPC] Fix bugs in the hypervisor call stats code
[POWERPC] Fix corruption in hcall9
[POWERPC] iSeries: fix setup initcall
[POWERPC] iSeries: fix viopath initialisation
[POWERPC] iSeries: fix lpevents initialisation
[POWERPC] iSeries: fix proc/iSeries initialisation
[POWERPC] iSeries: fix mf proc initialisation
[POWERPC] disable PReP and EFIKA during make oldconfig
[POWERPC] Fix mpc52xx serial driver to work for arch/ppc again
[POWERPC] Don't include powerpc/sysdev/rom.o for arch/ppc builds
[POWERPC] Fix mpc52xx fdt to use correct device_type for sound devices
[POWERPC] 52xx: Don't use device_initcall to probe of_platform_bus
[POWERPC] Add legacy iSeries to ppc64_defconfig
[POWERPC] Update ppc64_defconfig
[POWERPC] Fix manual assembly WARN_ON() in enter_rtas().
[POWERPC] Avoid calling get_irq_server() with a real, not virtual irq.
[POWERPC] Fix unbalanced uses of of_node_put
[POWERPC] Fix bogus BUG_ON() in in hugetlb_get_unmapped_area()
* 'for-linus' of git://git390.osdl.marist.edu/pub/scm/linux-2.6:
[S390] locking problem with __cpcmd.
[S390] don't call handle_mm_fault() if in an atomic context.
[S390] Fix vmalloc area size calculation.
[S390] Fix cpu hotplug (missing 'online' attribute).
[S390] cio: use barrier() in stsch_reset.
[S390] memory detection misses 128k.
The sis96x SMBus PCI device depends on two different quirks to run
in a specific order. Apart from being fragile, this was found to
actually break on (at least) recent FC4, FC5, and FC6 kernels. This
patch fixes the quirks so that they work without relying on the
compiler and/or linker to put them in any specific order.
http://lists.lm-sensors.org/pipermail/lm-sensors/2006-April/015962.htmlhttps://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189719
I tested this patch.
Signed-off-by: Mark M. Hoffman <mhoffman@lightlink.com>
Cc: Andrew Morton <akpm@osdl.org>
Cc: Adrian Bunk <bunk@stusta.de>
Cc: Greg K-H <greg@kroah.com>
Cc: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
DRIVER_DESC macro is wrong in drivers/hid/hid-core.c. Its value
is legacy from original usb+hid code and clashes with current
usbhid implementation. Fix it.
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Changeset 740b5706b9 moved the protecting
spinlock from __cpcmd to cpcmd. Therefore vmcp can no longer use __cpcmd,
instead we have to use cpcmd.
Signed-off-by: Christian Borntraeger <cborntra@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
There are several places in the futex code where a spin_lock is held
and still uaccesses happen. Deadlocks are avoided by increasing the
preempt count. The pagefault handler will then not take any locks
but will immediately search the fixup tables.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
setup_memory_end() uses VMALLOC_END instead of VMALLOC_END_INIT to
calculate the maximum supported size of physical memory. Since
VMALLOC_END is zero, this will cause a crash on 31 bit systems.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
72486f1f8f inverts the logic if an
'online' attribute in /sys/devices/system/cpu/cpuX should appear.
So we end up with no hotpluggable cpus at all...
Set the hotpluggable value to one to make sure the online
attribute appears again.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Use barrier() in stsch_reset() instead of duplicating the stsch()
inline assembly and adding "memory" to the clobberlist.
Pointed out by Chuck Ebbert.
Real fix would be to add a fixup section to the stsch() and extend the
basic program check handler so it searches the exception tables in case
of a program check.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Fix a memory leak problem in the memory detection routines. A memory leak
of 128k occurs when we have a contiguous memory with mixed access-mode
(read or write) ranges.
Signed-off-by: Hongjie Yang <hongjie@us.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
This fixes the ftp stalls present in the current kernels.
All credit goes to Komuro <komurojun-mbn@nifty.com> for tracking
this down. The patch is untested but it looks *cough* obviously
correct.
Signed-off-by: Craig Schlenter <craig@codefountain.com>
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
->helper is uninitialized in the expectation registered by the netbios_ns
helper and it later copied to the expected connection, which causes invalid
memory dereferences when trying to call the helper.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Some PHY trim values need to be fine-tuned on 5755M to be
IEEE-compliant.
Update version to 3.72.
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The bug was a bogus pointer being passed to kfree(). The pointer was
incremented in the write loop and then passed to kfree().
The fix is to use align_buf to save the original address.
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
5709 has a new register to detect copper/fiber PHYs.
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The workaround is only needed on 5706/5708 and cannot be applied on
5709.
Signed-off-by: Michael Chan <mchan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The current netlbl_cipsov4_add_common() function has two problems which are
fixed with this patch. The first is an off-by-one bug where it is possibile to
overflow the doi_def->tags[] array. The second is a bug where the same
doi_def->tags[] array was not always fully initialized, which caused sporadic
failures.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
The spinlock protecting the update of the "sksec->nlbl_state" variable is not
currently softirq safe which can lead to problems. This patch fixes this by
changing the spin_{un}lock() functions into spin_{un}lock_bh() functions.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
The SCO buffer size values on Dell laptops with a Bluetooth chip from
Broadcom are wrong. The USB Bluetooth driver has to set a quirk to
correct the SCO buffer size values.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
The SCO buffer size values on HP laptops with a Bluetooth chip from
Broadcom are wrong. The USB Bluetooth driver has to set a quirk to
correct the SCO buffer size values.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
The ThinkPad R60E uses a Broadcom based Bluetooth chip and even this
version needs the quirk to correct the SCO buffer size values.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
In the case the device registration for a new Bluetooth low-level
connection fails there is no need to unregister it when the temporary
data structure has been removed.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
When calling send() with a zero length parameter on a RFCOMM socket
it returns a positive value. In this rare case the variable err is
used uninitialized and unfortunately its value is returned.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
If the DLC device is no longer attached to the TTY device, then return
errors or default values for various callbacks of the TTY layer.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
With malformed packets it might be possible to overwrite internal
CMTP and CAPI data structures. This patch adds additional length
checks to prevent these kinds of remote attacks.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Trivial. Newlines missing on the SOCK_DEBUG's for X.25 facility
negotiation.
Signed-off-by: Andrew Hendry <andrew.hendry@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The inet_create() and inet6_create() functions incorrectly set the
inet_sock->is_icsk field. Both functions assume that the is_icsk field is
large enough to hold at least a INET_PROTOSW_ICSK value when it is actually
only a single bit. This patch corrects the assignment by doing a boolean
comparison whose result will safely fit into a single bit field.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fixed the error from kobject_add() at reconnection the usb audio device.
This happens when an app keeps opening a device while the device is
replugged, due to the confliction of the internal bookkept index and
the really empty slot.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
Without the patch below namelist[0] will not be freed in case
of kmalloc error.
Signed-off-by: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
Playing with spdif output on cmipci i've noticed the SPDO5V option does
not change appropriate bits the register.
The _snd_cmipci_uswitch_put checks the change in flags in wrong way.
If 'active' state of an option corresponds to a _zero_ bits in a hw
register then function fails. The SPDO5V is the sample.
In the most cases 'active' state of option is set through an non-zerio
bits in a register. This case works fine.
The fix attached.
Unfortunately i was unable to change spdif output voltage anyway.
Although the register changes right at least.
From: Timofei V. Bondarenko <tim@ipi.ac.ru>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
This patch adds the Intel ICH9 HD Audio controller DID's for ALSA.
Signed-off-by: Jason Gaston <jason.d.gaston@intel.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
The C-Media CM6501 chip's descriptors say that altsetting 5 supports
48 kHz, but it actually plays at 96 kHz.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
Fix races between the timer handler and the close function.
Signed-off-by: Giuliano Pochini <pochini@shiny.it>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
Add the support for HD audio controllers of MCP51,MCP55,MCP61,MCP65 & MCP67.
Signed-off-by: Peer Chen <pchen@nvidia.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@suse.cz>
[PATCH 4/5] s390: iucv Kconfig help description changes
From: Ursula Braun <braunu@de.ibm.com>
remove text from help description which does not
apply anymore for 2.6 kernel series.
Signed-off-by: Frank Pavlic <fpavlic@de.ibm.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
- qeth device functions were not callable
in atomic context due to usage of wait_event_xxx operations in qeth.
"schedule while atomic" message appeared and kernel dumped when
removing slave from bond device.
Signed-off-by: Frank Pavlic <fpavlic@de.ibm.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
- packet socket support is not complete.
Recvfrom a packet socket does not fill the sockaddr_ll structure.
device function hard_header_parse is not implemented.
For layer 2 mode and layer 3 mode with fake_ll turned on, we have
the information to fill sockaddr_ll.
Signed-off-by: Frank Pavlic <fpavlic@de.ibm.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
From: Ursula Braun <braunu@de.ibm.com>
- VLAN header reordering did not work on packets
received through qeth interface in layer 2 mode.
This caused dhcpcd not to work with VLAN devices.
- set qeth performance statistics initally inactive
Signed-off-by: Frank Pavlic <fpavlic@de.ibm.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>
This patch contains a fix that implements proper communication with the
sideband management unit. Also, it makes sure that the speed is
correctly set for gigabit phys in the case where sideband mgmt unit
initialized the phy. Refer to bug #7684 for more details.
Signed-Off-By: Ayaz Abdulla <aabdulla@nvidia.com>
Signed-off-by: Jeff Garzik <jeff@garzik.org>