Switch branches/tags
Commits on Nov 26, 2010
  1. clone next3 from ext3 of kernel

    snapshot pacthes apply on top of this code base
    and can be applied on top of ext3 clones from kernels 2.6.31-2.6.35
    amir73il committed Nov 26, 2010
Commits on Nov 22, 2010
  1. Linux

    gregkh committed Nov 22, 2010
  2. KVM: x86 emulator: fix regression with cmpxchg8b on i386 hosts

    commit 16518d5 upstream.
    operand::val and operand::orig_val are 32-bit on i386, whereas cmpxchg8b
    operands are 64-bit.
    Fix by adding val64 and orig_val64 union members to struct operand, and
    using them where needed.
    Signed-off-by: Avi Kivity <>
    Signed-off-by: Marcelo Tosatti <>
    Signed-off-by: Greg Kroah-Hartman <>
    Avi Kivity committed with gregkh Aug 26, 2010
  3. isdn: avoid calling tty_ldisc_flush() in atomic context

    commit bc10f96 upstream.
    Remove the call to tty_ldisc_flush() from the RESULT_NO_CARRIER
    branch of isdn_tty_modem_result(), as already proposed in commit
    This avoids a "sleeping function called from invalid context" BUG
    when the hardware driver calls the statcallb() callback with
    command==ISDN_STAT_DHUP in atomic context, which in turn calls
    isdn_tty_modem_result(RESULT_NO_CARRIER, ~), and from there,
    tty_ldisc_flush() which may sleep.
    Signed-off-by: Tilman Schmidt <>
    Signed-off-by: David S. Miller <>
    Cc: Arnd Bergmann <>
    Signed-off-by: Greg Kroah-Hartman <>
    tilmanschmidt committed with gregkh Jul 5, 2010
  4. sgi-xp: incoming XPC channel messages can come in after the channel's…

    … partition structures have been torn down
    commit 0935897 upstream.
    Under some workloads, some channel messages have been observed being
    delayed on the sending side past the point where the receiving side has
    been able to tear down its partition structures.
    This condition is already detected in xpc_handle_activate_IRQ_uv(), but
    that information is not given to xpc_handle_activate_mq_msg_uv().  As a
    result, xpc_handle_activate_mq_msg_uv() assumes the structures still exist
    and references them, causing a NULL-pointer deref.
    Signed-off-by: Robin Holt <>
    Signed-off-by: Andrew Morton <>
    Signed-off-by: Linus Torvalds <>
    Signed-off-by: Greg Kroah-Hartman <>
    Robin Holt committed with gregkh Oct 26, 2010
  5. ARM: cns3xxx: Fixup the missing second parameter to addruart macro to…

    … allow them to build.
    It can't be merged into Linus' tree because this file has already been
    changed in incompatible ways.
    Fixup the missing second parameter to addruart macro to allow them to build,
    according to to commit 0e17226.
    Enabling DEBUG in head.S would cause:
    rch/arm/boot/compressed/head.S: Assembler messages:
    arch/arm/boot/compressed/head.S:1037: Error: too many positional arguments
    arch/arm/boot/compressed/head.S:1055: Error: too many positional arguments
    Signed-off-by: Mac Lin <>
    Acked-by: Russell King <>
    Signed-off-by: Greg Kroah-Hartman <>
    mkl0301 committed with gregkh Nov 14, 2010
  6. secmark: do not return early if there was no error

    commit 15714f7 upstream.
    Commit 4a5a5c7 attempted to pass decent error messages back to userspace for
    netfilter errors.  In xt_SECMARK.c however the patch screwed up and returned
    on 0 (aka no error) early and didn't finish setting up secmark.  This results
    in a kernel BUG if you use SECMARK.
    Signed-off-by: Eric Paris <>
    Acked-by: Paul Moore <>
    Signed-off-by: James Morris <>
    Signed-off-by: Greg Kroah-Hartman <>
    eparis committed with gregkh Oct 12, 2010
  7. xfrm4: strip ECN bits from tos field

    [ Upstream commit 94e2238 ]
    otherwise ECT(1) bit will get interpreted as RTO_ONLINK
    and routing will fail with XfrmOutBundleGenError.
    Signed-off-by: Ulrich Weber <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
    Ulrich Weber committed with gregkh Sep 22, 2010
  8. net/core: Allow tagged VLAN packets to flow through VETH devices.

    [ Upstream commit d2ed817 ]
    When there are VLANs on a VETH device, the packets being transmitted
    through the VETH device may be 4 bytes bigger than MTU.  A check
    in dev_forward_skb did not take this into account and so dropped
    these packets.
    This patch is needed at least as far back as and should
    be considered for -stable.
    Signed-off-by: Ben Greear <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
    greearb committed with gregkh Oct 21, 2010
  9. net: add a recursion limit in xmit path

    [ Upstream commits 745e20f and
      11a766c ]
    As tunnel devices are going to be lockless, we need to make sure a
    misconfigured machine wont enter an infinite loop.
    Add a percpu variable, and limit to three the number of stacked xmits.
    Reported-by: Jesse Gross <>
    Signed-off-by: Eric Dumazet <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
    Eric Dumazet committed with gregkh Sep 29, 2010
  10. Revert d88dca7

    [ Upstream commit db5a753 ]
    TIPC needs to have its endianess issues fixed.  Unfortunately, the format of a
    subscriber message is passed in directly from user space, so requiring this
    message to be in network byte order breaks user space ABI.  Revert this change
    until such time as we can determine how to do this in a backwards compatible
    Signed-off-by: Neil Horman <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
    Neil Horman committed with gregkh Oct 21, 2010
  11. Revert c6537d6

    [ Upstream commit 8c97443 ]
    Backout the tipc changes to the flags int he subscription message.  These
    changees, while reasonable on the surface, interefere with user space ABI
    compatibility which is a no-no.  This was part of the changes to fix the
    endianess issues in the TIPC protocol, which would be really nice to do but we
    need to do so in a way that is backwards compatible with user space.
    Signed-off-by: Neil Horman <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
    Neil Horman committed with gregkh Oct 21, 2010
  12. net-2.6: SYN retransmits: Add new parameter to retransmits_timed_out()

    [ Upstream commit 4d22f7d ]
    Fixes kernel Bugzilla Bug 18952
    This patch adds a syn_set parameter to the retransmits_timed_out()
    routine and updates its callers. If not set, TCP_RTO_MIN is taken
    as the calculation basis as before. If set, TCP_TIMEOUT_INIT is
    used instead, so that sysctl_syn_retries represents the actual
    amount of SYN retransmissions in case no SYNACKs are received when
    establishing a new connection.
    Signed-off-by: Damian Lukowski <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
    Damian Lukowski committed with gregkh Sep 28, 2010
  13. tcp: Fix race in tcp_poll

    [ Upstream commit a4d2580 ]
    If a RST comes in immediately after checking sk->sk_err, tcp_poll will
    return POLLIN but not POLLOUT.  Fix this by checking sk->sk_err at the end
    of tcp_poll.  Additionally, ensure the correct order of operations on SMP
    machines with memory barriers.
    Signed-off-by: Tom Marshall <>
    Signed-off-by: Eric Dumazet <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
    tdm committed with gregkh Sep 20, 2010
  14. Limit sysctl_tcp_mem and sysctl_udp_mem initializers to prevent integ…

    …er overflows.
    On a 16TB x86_64 machine, sysctl_tcp_mem[2], sysctl_udp_mem[2], and
    sysctl_sctp_mem[2] can integer overflow.  Set limit such that they are
    maximized without overflowing.
    Signed-off-by: Robin Holt <>
    To: "David S. Miller" <>
    Cc: Willy Tarreau <>
    Cc: Alexey Kuznetsov <>
    Cc: "Pekka Savola (ipv6)" <>
    Cc: James Morris <>
    Cc: Hideaki YOSHIFUJI <>
    Cc: Patrick McHardy <>
    Cc: Vlad Yasevich <>
    Cc: Sridhar Samudrala <>
    Signed-off-by: Greg Kroah-Hartman <> committed with gregkh Oct 20, 2010
  15. net: Fix the condition passed to sk_wait_event()

    [ Upstream commit 482964e ]
    This patch fixes the condition (3rd arg) passed to sk_wait_event() in
    sk_stream_wait_memory(). The incorrect check in sk_stream_wait_memory()
    causes the following soft lockup in tcp_sendmsg() when the global tcp
    memory pool has exhausted.
    >>> snip <<<
    localhost kernel: BUG: soft lockup - CPU#3 stuck for 11s! [sshd:6429]
    localhost kernel: CPU 3:
    localhost kernel: RIP: 0010:[sk_stream_wait_memory+0xcd/0x200]  [sk_stream_wait_memory+0xcd/0x200] sk_stream_wait_memory+0xcd/0x200
    localhost kernel:
    localhost kernel: Call Trace:
    localhost kernel:  [sk_stream_wait_memory+0x1b1/0x200] sk_stream_wait_memory+0x1b1/0x200
    localhost kernel:  [<ffffffff802557c0>] autoremove_wake_function+0x0/0x40
    localhost kernel:  [ipv6:tcp_sendmsg+0x6e6/0xe90] tcp_sendmsg+0x6e6/0xce0
    localhost kernel:  [sock_aio_write+0x126/0x140] sock_aio_write+0x126/0x140
    localhost kernel:  [xfs:do_sync_write+0xf1/0x130] do_sync_write+0xf1/0x130
    localhost kernel:  [<ffffffff802557c0>] autoremove_wake_function+0x0/0x40
    localhost kernel:  [hrtimer_start+0xe3/0x170] hrtimer_start+0xe3/0x170
    localhost kernel:  [vfs_write+0x185/0x190] vfs_write+0x185/0x190
    localhost kernel:  [sys_write+0x50/0x90] sys_write+0x50/0x90
    localhost kernel:  [system_call+0x7e/0x83] system_call+0x7e/0x83
    >>> snip <<<
    What is happening is, that the sk_wait_event() condition passed from
    sk_stream_wait_memory() evaluates to true for the case of tcp global memory
    exhaustion. This is because both sk_stream_memory_free() and vm_wait are true
    which causes sk_wait_event() to *not* call schedule_timeout().
    Hence sk_stream_wait_memory() returns immediately to the caller w/o sleeping.
    This causes the caller to again try allocation, which again fails and again
    calls sk_stream_wait_memory(), and so on.
    [ Bug introduced by commit c1cbe4b
      ("[NET]: Avoid atomic xchg() for non-error case") -DaveM ]
    Signed-off-by: Nagendra Singh Tomar <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
    Nagendra Tomar committed with gregkh Oct 2, 2010
  16. rose: Fix signedness issues wrt. digi count.

    [ Upstream commit 9828e6e ]
    Just use explicit casts, since we really can't change the
    types of structures exported to userspace which have been
    around for 15 years or so.
    Reported-by: Dan Rosenberg <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
    davem330 committed with gregkh Sep 20, 2010
  17. r6040: Fix multicast filter some more

    [ Upstream commit e226930 ]
    This code has been broken forever, but in several different and
    creative ways.
    So far as I can work out, the R6040 MAC filter has 4 exact-match
    entries, the first of which the driver uses for its assigned unicast
    address, plus a 64-entry hash-based filter for multicast addresses
    (maybe unicast as well?).
    The original version of this code would write the first 4 multicast
    addresses as exact-match entries from offset 1 (bug #1: there is no
    entry 4 so this could write to some PHY registers).  It would fill the
    remainder of the exact-match entries with the broadcast address (bug #2:
    this would overwrite the last used entry).  If more than 4 multicast
    addresses were configured, it would set up the hash table, write some
    random crap to the MAC control register (bug #3) and finally walk off
    the end of the list when filling the exact-match entries (bug #4).
    All of this seems to be pointless, since it sets the promiscuous bit
    when the interface is made promiscuous or if >4 multicast addresses
    are enabled, and never clears it (bug #5, masking bug #2).
    The recent(ish) changes to the multicast list fixed bug #4, but
    completely removed the limit on iteration over the exact-match entries
    (bug #6).
    Bug #4 was reported as
    <> and more recently
    as <>.  Florian Fainelli attempted to fix
    these in commit 3bcf822, but that
    actually dealt with bugs #1-3, bug #4 having been fixed in mainline at
    that point.
    That commit fixes the most important current bug #6.
    Signed-off-by: Ben Hutchings <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
    bwhacks committed with gregkh Oct 14, 2010
  18. Phonet: Correct header retrieval after pskb_may_pull

    [ Upstream commit a91e7d4 ]
    Retrieve the header after doing pskb_may_pull since, pskb_may_pull
    could change the buffer structure.
    This is based on the comment given by Eric Dumazet on Phonet
    Pipe controller patch for a similar problem.
    Signed-off-by: Kumar Sanghvi <>
    Acked-by: Linus Walleij <>
    Acked-by: Eric Dumazet <>
    Acked-by: Rémi Denis-Courmont <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
    Kumar Sanghvi committed with gregkh Sep 27, 2010
  19. qlcnic: dont set skb->truesize

    [ Upstream commit 8df8fd2 ]
    skb->truesize is set in core network.
    Dont change it unless dealing with fragments.
    Signed-off-by: Eric Dumazet <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
    Eric Dumazet committed with gregkh Sep 20, 2010
  20. netxen: dont set skb->truesize

    [ Upstream commit 7e96dc7 ]
    skb->truesize is set in core network.
    Dont change it unless dealing with fragments.
    Signed-off-by: Eric Dumazet <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
    Eric Dumazet committed with gregkh Sep 21, 2010
  21. net: Fix IPv6 PMTU disc. w/ asymmetric routes

    [ Upstream commit ae878ae ]
    Signed-off-by: Maciej Żenczykowski <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
    zenczykowski committed with gregkh Oct 3, 2010
  22. ipv6: fix refcnt problem related to POSTDAD state

    [ Upstream commit 801715f95be37b865af83b9909ad93da141a9306 ]
    After running this bonding setup script
        modprobe bonding miimon=100 mode=0 max_bonds=1
        ifconfig bond0
        ifenslave bond0 eth1
        ifenslave bond0 eth3
    on s390 with qeth-driven slaves, modprobe -r fails with this message
        unregister_netdevice: waiting for bond0 to become free. Usage count = 1
    due to twice detection of duplicate address.
    Problem is caused by a missing decrease of ifp->refcnt in addrconf_dad_failure.
    An extra call of in6_ifa_put(ifp) solves it.
    Problem has been introduced with commit f2344a1.
    Signed-off-by: Ursula Braun <>
    Cc: David S. Miller <>
    Cc: Herbert Xu <>
    Acked-by: Herbert Xu <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
    Ursula Braun committed with gregkh Oct 24, 2010
  23. ip: fix truesize mismatch in ip fragmentation

    [ Upstream commit 3d13008 ]
    Special care should be taken when slow path is hit in ip_fragment() :
    When walking through frags, we transfert truesize ownership from skb to
    frags. Then if we hit a slow_path condition, we must undo this or risk
    uncharging frags->truesize twice, and in the end, having negative socket
    sk_wmem_alloc counter, or even freeing socket sooner than expected.
    Many thanks to Nick Bowler, who provided a very clean bug report and
    test program.
    Thanks to Jarek for reviewing my first patch and providing a V2
    While Nick bisection pointed to commit 2b85a34 (net: No more
    expensive sock_hold()/sock_put() on each tx), underlying bug is older
    A side effect is to extend work done in commit b2722b1
    (ip_fragment: also adjust skb->truesize for packets not owned by a
    socket) to ipv6 as well.
    Reported-and-bisected-by: Nick Bowler <>
    Tested-by: Nick Bowler <>
    Signed-off-by: Eric Dumazet <>
    CC: Jarek Poplawski <>
    CC: Patrick McHardy <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
    Eric Dumazet committed with gregkh Sep 21, 2010
  24. gianfar: Fix crashes on RX path (Was Re: [Bugme-new] [Bug 19692] New:…

    … linux-2.6.36-rc5 crash with gianfar ethernet at full line rate traffic)
    [ Upstream commit 0d1fe1111c667e9c713d7efc7ae468a605f236a4 ]
    The rx_recycle queue is global per device but can be accesed by many
    napi handlers at the same time, so it needs full skb_queue primitives
    (with locking). Otherwise, various crashes caused by broken skbs are
    This patch resolves, at least partly, bugzilla bug 19692. (Because of
    some doubts that there could be still something around which is hard
    to reproduce my proposal is to leave this bug opened for a month.)
    Fixes commit: 0fd56bb ("gianfar: Add
    support for skb recycling")
    Reported-by: emin ak <>
    Tested-by: emin ak <>
    Signed-off-by: Jarek Poplawski <>
    CC: Andy Fleming <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
    Jarek Poplawski committed with gregkh Oct 19, 2010
  25. gianfar: fix double lock typo

    [ Upstream commit 9756403 ]
    This should be a _restore() instead of a _save().
    Signed-off-by: Dan Carpenter <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
    error27 committed with gregkh Oct 13, 2010
  26. net: clear heap allocations for privileged ethtool actions

    [ Upstream commit b00916b ]
    Several other ethtool functions leave heap uncleared (potentially) by
    drivers. Some interfaces appear safe (eeprom, etc), in that the sizes
    are well controlled. In some situations (e.g. unchecked error conditions),
    the heap will remain unchanged in areas before copying back to userspace.
    Note that these are less of an issue since these all require CAP_NET_ADMIN.
    Signed-off-by: Kees Cook <>
    Acked-by: Ben Hutchings <>
    Signed-off-by: David S. Miller <>
    Signed-off-by: Greg Kroah-Hartman <>
    Kees Cook committed with gregkh Oct 11, 2010
  27. Fix regressions in scsi_internal_device_block

    commit 986fe6c upstream.
    Deleting a SCSI device on a blocked fc_remote_port (before
    fast_io_fail_tmo fires) results in a hanging thread:
      0 schedule+1108 [0x5cac48]
      1 schedule_timeout+528 [0x5cb7fc]
      2 wait_for_common+266 [0x5ca6be]
      3 blk_execute_rq+160 [0x354054]
      4 scsi_execute+324 [0x3b7ef4]
      5 scsi_execute_req+162 [0x3b80ca]
      6 sd_sync_cache+138 [0x3cf662]
      7 sd_shutdown+138 [0x3cf91a]
      8 sd_remove+112 [0x3cfe4c]
      9 __device_release_driver+124 [0x3a08b8]
    10 device_release_driver+60 [0x3a0a5c]
    11 bus_remove_device+266 [0x39fa76]
    12 device_del+340 [0x39d818]
    13 __scsi_remove_device+204 [0x3bcc48]
    14 scsi_remove_device+66 [0x3bcc8e]
    15 sysfs_schedule_callback_work+50 [0x260d66]
    16 worker_thread+622 [0x162326]
    17 kthread+160 [0x1680b0]
    18 kernel_thread_starter+6 [0x10aaea]
    During the delete, the SCSI device is in moved to SDEV_CANCEL.  When
    the FC transport class later calls scsi_target_unblock, this has no
    effect, since scsi_internal_device_unblock ignores SCSI devics in this
    It looks like all these are regressions caused by:
    [SCSI] limit state transitions in scsi_internal_device_unblock
    Fix by rejecting offline and cancel in the state transition.
    Signed-off-by: Christof Schmitt <>
    [jejb: Original patch by Christof Schmitt, modified by Mike Christie]
    Signed-off-by: James Bottomley <>
    Signed-off-by: Greg Kroah-Hartman <>
    Mike Christie committed with gregkh Oct 6, 2010
  28. Fix race when removing SCSI devices

    commit 546ae79 upstream.
    Removing SCSI devices through
    echo 1 > /sys/bus/scsi/devices/ ... /delete
    while the FC transport class removes the SCSI target can lead to an
    Unable to handle kernel pointer dereference at virtual kernel address 00000000b6815000
    Modules linked in: sunrpc qeth_l3 binfmt_misc dm_multipath scsi_dh dm_mod ipv6 qeth ccwgroup [last unloaded: scsi_wait_scan]
    CPU: 1 Not tainted #1
    Process fc_wq_0 (pid: 861, task: 00000000b7331240, ksp: 00000000b735bac0)
    Krnl PSW : 0704200180000000 00000000003ff6e4 (__scsi_remove_device+0x24/0xd0)
               R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:0 CC:2 PM:0 EA:3
    Krnl GPRS: 0000000000000001 0000000000000000 00000000b6815000 00000000bc24a8c0
               00000000003ff7c8 000000000056dbb8 0000000000000002 0000000000835d80
               ffffffff00000000 0000000000001000 00000000b6815000 00000000bc24a7f0
               00000000b68151a0 00000000b6815000 00000000b735bc20 00000000b735bbf8
    Krnl Code: 00000000003ff6d6: a7840001            brc 8,3ff6d8
               00000000003ff6da: a7fbffd8            aghi %r15,-40
               00000000003ff6de: e3e0f0980024        stg %r14,152(%r15)
              >00000000003ff6e4: e31021200004        lg %r1,288(%r2)
               00000000003ff6ea: a71f0000            cghi    %r1,0
               00000000003ff6ee: a7a40011            brc 10,3ff710
               00000000003ff6f2: a7390003            lghi    %r3,3
               00000000003ff6f6: c0e5ffffc8b1        brasl %r14,3f8858
    Call Trace:
    ([<0000000000001000>] 0x1000)
     [<00000000003ff7d2>] scsi_remove_device+0x42/0x54
     [<00000000003ff8ba>] __scsi_remove_target+0xca/0xfc
     [<00000000003ff99a>] __remove_child+0x3a/0x48
     [<00000000003e3246>] device_for_each_child+0x72/0xbc
     [<00000000003ff93a>] scsi_remove_target+0x4e/0x74
     [<0000000000406586>] fc_rport_final_delete+0xb2/0x23c
     [<000000000015d080>] worker_thread+0x200/0x344
     [<000000000016330c>] kthread+0xa0/0xa8
     [<0000000000106c1a>] kernel_thread_starter+0x6/0xc
     [<0000000000106c14>] kernel_thread_starter+0x0/0xc
    INFO: lockdep is turned off.
    Last Breaking-Event-Address:
     [<00000000003ff7cc>] scsi_remove_device+0x3c/0x54
    The function __scsi_remove_target iterates through the SCSI devices on
    the host, but it drops the host_lock before calling
    scsi_remove_device. When the SCSI device is deleted from another
    thread, the pointer to the SCSI device in scsi_remove_device can
    become invalid. Fix this by getting a reference to the SCSI device
    before dropping the host_lock to keep the SCSI device alive for the
    call to scsi_remove_device.
    Signed-off-by: Christof Schmitt <>
    Signed-off-by: James Bottomley <>
    Signed-off-by: Greg Kroah-Hartman <>
    Christof Schmitt committed with gregkh Oct 6, 2010
  29. gdth: integer overflow in ioctl

    commit f63ae56 upstream.
    gdth_ioctl_alloc() takes the size variable as an int.
    copy_from_user() takes the size variable as an unsigned long.
    gen.data_len and gen.sense_len are unsigned longs.
    On x86_64 longs are 64 bit and ints are 32 bit.
    We could pass in a very large number and the allocation would truncate
    the size to 32 bits and allocate a small buffer.  Then when we do the
    copy_from_user(), it would result in a memory corruption.
    Signed-off-by: Dan Carpenter <>
    Signed-off-by: James Bottomley <>
    Signed-off-by: Greg Kroah-Hartman <>
    error27 committed with gregkh Oct 8, 2010
  30. libsas: fix NCQ mixing with non-NCQ

    commit f0ad30d upstream.
    Some cards (like mvsas) have issue troubles if non-NCQ commands are
    mixed with NCQ ones.  Fix this by using the libata default NCQ check
    routine which waits until all NCQ commands are complete before issuing
    a non-NCQ one.  The impact to cards (like aic94xx) which don't need
    this logic should be minimal
    Signed-off-by: James Bottomley <>
    Signed-off-by: Greg Kroah-Hartman <>
    davidmilburn committed with gregkh Sep 3, 2010
  31. sd name space exhaustion causes system hang

    commit 1a03ae0 upstream.
    Following a site power outage which re-enabled all the ports on my FC
    switches, my system subsequently booted with far too many luns!  I had
    let it run hoping it would make multi-user.  It didn't.  :(  It hung solid
    after exhausting the last sd device, sdzzz, and attempting to create sdaaaa
    and beyond.  I was unable to get a dump.
    Discovered using a based system.
    correct this by detecting when the last index is utilized and failing
    the sd probe of the device.  Patch applies to scsi-misc-2.6.
    Signed-off-by: Michael Reed <>
    Signed-off-by: James Bottomley <>
    Signed-off-by: Greg Kroah-Hartman <>
    Michael Reed committed with gregkh Sep 20, 2010
  32. asus-laptop: fix gps rfkill

    commit 23f45c3 upstream.
    The GPS rfkill crappy code. The ops_data argument wasn't
    set, and was totally misused. The fix have been tested
    on an Asus R2H.
    Signed-off-by: Corentin Chary <>
    Signed-off-by: Matthew Garrett <>
    Signed-off-by: Greg Kroah-Hartman <>
    iksaif committed with gregkh Aug 24, 2010
  33. USB: accept some invalid ep0-maxpacket values

    commit 56626a7 upstream.
    A few devices (such as the RCA VR5220 voice recorder) are so
    non-compliant with the USB spec that they have invalid maxpacket sizes
    for endpoint 0.  Nevertheless, as long as we can safely use them, we
    may as well do so.
    This patch (as1432) softens our acceptance criterion by allowing
    high-speed devices to have ep0-maxpacket sizes other than 64.  A
    warning is printed in the system log when this happens, and the
    existing error message is clarified.
    Signed-off-by: Alan Stern <>
    Reported-by: James <>
    Signed-off-by: Greg Kroah-Hartman <>
    AlanStern committed with gregkh Oct 14, 2010
  34. usb: r8a66597-hcd: Change mistake of the outsw function

    commit ac9dfe9 upstream.
    Some functions changed by 1c98347.
    However, There was a change mistake of the function (outsw).
    Signed-off-by: Nobuhiro Iwamatsu <>
    CC: Paul Mundt <>
    Acked-by: Yoshihiro Shimoda <>
    Signed-off-by: Greg Kroah-Hartman <>
    Nobuhiro Iwamatsu committed with gregkh Oct 14, 2010