Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Commits on Nov 10, 2009
  1. @gregkh

    Linux 2.6.27.39

    gregkh authored
  2. @gregkh

    x86/amd-iommu: Workaround for erratum 63

    Joerg Roedel authored gregkh committed
    commit c5cca14 upstream.
    
    There is an erratum for IOMMU hardware which documents
    undefined behavior when forwarding SMI requests from
    peripherals and the DTE of that peripheral has a sysmgt
    value of 01b. This problem caused weird IO_PAGE_FAULTS in my
    case.
    This patch implements the suggested workaround for that
    erratum into the AMD IOMMU driver.  The erratum is
    documented with number 63.
    
    Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  3. @gregkh

    x86/amd-iommu: Un__init function required on shutdown

    Joerg Roedel authored gregkh committed
    commit ca02071 upstream.
    
    The function iommu_feature_disable is required on system
    shutdown to disable the IOMMU but it is marked as __init.
    This may result in a panic if the memory is reused. This
    patch fixes this bug.
    
    Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  4. @jiribohac @gregkh

    bonding: fix a race condition in calls to slave MII ioctls

    jiribohac authored gregkh committed
    commit d9d5283 upstream.
    
    In mii monitor mode, bond_check_dev_link() calls the the ioctl
    handler of slave devices. It stores the ndo_do_ioctl function
    pointer to a static (!) ioctl variable and later uses it to call the
    handler with the IOCTL macro.
    
    If another thread executes bond_check_dev_link() at the same time
    (even with a different bond, which none of the locks prevent), a
    race condition occurs. If the two racing slaves have different
    drivers, this may result in one driver's ioctl handler being
    called with a pointer to a net_device controlled with a different
    driver, resulting in unpredictable breakage.
    
    Unless I am overlooking something, the "static" must be a
    copy'n'paste error (?).
    
    Signed-off-by: Jiri Bohac <jbohac@suse.cz>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  5. @gregkh

    printk: robustify printk

    Peter Zijlstra authored gregkh committed
    commit b845b51 upstream.
    
    Avoid deadlocks against rq->lock and xtime_lock by deferring the klogd
    wakeup by polling from the timer tick.
    
    Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  6. @gregkh

    NFSv4: The link() operation should return any delegation on the file

    Trond Myklebust authored gregkh committed
    commit 9a3936a upstream.
    
    Otherwise, we have to wait for the server to recall it.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  7. @gregkh

    NFSv4: Fix a problem whereby a buggy server can oops the kernel

    Trond Myklebust authored gregkh committed
    commit d953126 upstream.
    
    We just had a case in which a buggy server occasionally returns the wrong
    attributes during an OPEN call. While the client does catch this sort of
    condition in nfs4_open_done(), and causes the nfs4_atomic_open() to return
    -EISDIR, the logic in nfs_atomic_lookup() is broken, since it causes a
    fallback to an ordinary lookup instead of just returning the error.
    
    When the buggy server then returns a regular file for the fallback lookup,
    the VFS allows the open, and bad things start to happen, since the open
    file doesn't have any associated NFSv4 state.
    
    The fix is firstly to return the EISDIR/ENOTDIR errors immediately, and
    secondly to ensure that we are always careful when dereferencing the
    nfs_open_context state pointer.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  8. @gregkh

    NFSv4: Kill nfs4_renewd_prepare_shutdown()

    Trond Myklebust authored gregkh committed
    commit 3050141 upstream.
    
    The NFSv4 renew daemon is shared between all active super blocks that refer
    to a particular NFS server, so it is wrong to be shutting it down in
    nfs4_kill_super every time a super block is destroyed.
    
    This patch therefore kills nfs4_renewd_prepare_shutdown altogether, and
    leaves it up to nfs4_shutdown_client() to also shut down the renew daemon
    by means of the existing call to nfs4_kill_renewd().
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  9. @gregkh

    nfs: Avoid overrun when copying client IP address string

    Ben Hutchings authored gregkh committed
    commit f4373bf upstream.
    
    As seen in <http://bugs.debian.org/549002>, nfs4_init_client() can
    overrun the source string when copying the client IP address from
    nfs_parsed_mount_data::client_address to nfs_client::cl_ipaddr.  Since
    these are both treated as null-terminated strings elsewhere, the copy
    should be done with strlcpy() not memcpy().
    
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  10. @gregkh

    NFSv4: Fix a bug when the server returns NFS4ERR_RESOURCE

    Trond Myklebust authored gregkh committed
    commit 52567b0 upstream.
    
    RFC 3530 states that when we recieve the error NFS4ERR_RESOURCE, we are not
    supposed to bump the sequence number on OPEN, LOCK, LOCKU, CLOSE, etc
    operations. The problem is that we map that error into EREMOTEIO in the XDR
    layer, and so the NFSv4 middle-layer routines like seqid_mutating_err(),
    and nfs_increment_seqid() don't recognise it.
    
    The fix is to defer the mapping until after the middle layers have
    processed the error.
    
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  11. @gregkh

    nfs: Panic when commit fails

    Terry Loftin authored gregkh committed
    commit a8b40bc upstream.
    
    Actually pass the NFS_FILE_SYNC option to the server to avoid a
    Panic in nfs_direct_write_complete() when a commit fails.
    
    At the end of an nfs write, if the nfs commit fails, all the writes
    will be rescheduled.  They are supposed to be rescheduled as NFS_FILE_SYNC
    writes, but the rpc_task structure is not completely intialized and so
    the option is not passed.  When the rescheduled writes complete, the
    return indicates that they are NFS_UNSTABLE and we try to do another
    commit.  This leads to a Panic because the commit data structure pointer
    was set to null in the initial (failed) commit attempt.
    
    Signed-off-by: Terry Loftin <terry.loftin@hp.com>
    Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  12. @sameo @gregkh

    irda: Add irda_skb_cb qdisc related padding

    sameo authored gregkh committed
    commit 69c30e1 upstream.
    
    We need to pad irda_skb_cb in order to keep it safe accross dev_queue_xmit()
    calls. This is some ugly and temporary hack triggered by recent qisc code
    changes.
    Even though it fixes bugzilla.kernel.org bug #11795, it will be replaced by a
    proper fix before 2.6.29 is released.
    
    Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Cc: Chuck Ebbert <cebbert@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  13. @gregkh

    KVM: Prevent overflow in KVM_GET_SUPPORTED_CPUID (CVE-2009-3638)

    Avi Kivity authored gregkh committed
    commit 6a54435 upstream.
    
    The number of entries is multiplied by the entry size, which can
    overflow on 32-bit hosts.  Bound the entry count instead.
    
    Reported-by: David Wagner <daw@cs.berkeley.edu>
    Signed-off-by: Avi Kivity <avi@redhat.com>
    Cc: Chuck Ebbert <cebbert@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  14. @gregkh

    netlink: fix typo in initialization (CVE-2009-3612)

    Jiri Pirko authored gregkh committed
    commit ad61df9 upstream.
    
    Commit 9ef1d4c ("[NETLINK]: Missing
    initializations in dumped data") introduced a typo in
    initialization. This patch fixes this.
    
    Signed-off-by: Jiri Pirko <jpirko@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Cc: Chuck Ebbert <cebbert@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  15. @gregkh

    appletalk: Fix skb leak when ipddp interface is not loaded (CVE-2009-…

    Arnaldo Carvalho de Melo authored gregkh committed
    …2903)
    
    commit ffcfb8d upstream
    
    appletalk: Fix skb leak when ipddp interface is not loaded
    
    [ backport to 2.6.27 : Chuck Ebbert <cebbert@redhat.com ]
    
    And also do a better job of returning proper NET_{RX,XMIT}_ values.
    
    Based on a patch and suggestions by Mark Smith.
    
    This fixes CVE-2009-2903
    
    Reported-by: Mark Smith <lk-netdev@lk-netdev.nosense.org>
    Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
    Cc: Chuck Ebbert <cebbert@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  16. @gregkh

    AF_UNIX: Fix deadlock on connecting to shutdown socket (CVE-2009-3621)

    Tomoki Sekiyama authored gregkh committed
    commit 77238f2 upstream.
    
    I found a deadlock bug in UNIX domain socket, which makes able to DoS
    attack against the local machine by non-root users.
    
    How to reproduce:
    1. Make a listening AF_UNIX/SOCK_STREAM socket with an abstruct
        namespace(*), and shutdown(2) it.
     2. Repeat connect(2)ing to the listening socket from the other sockets
        until the connection backlog is full-filled.
     3. connect(2) takes the CPU forever. If every core is taken, the
        system hangs.
    
    PoC code: (Run as many times as cores on SMP machines.)
    
    int main(void)
    {
    	int ret;
    	int csd;
    	int lsd;
    	struct sockaddr_un sun;
    
    	/* make an abstruct name address (*) */
    	memset(&sun, 0, sizeof(sun));
    	sun.sun_family = PF_UNIX;
    	sprintf(&sun.sun_path[1], "%d", getpid());
    
    	/* create the listening socket and shutdown */
    	lsd = socket(AF_UNIX, SOCK_STREAM, 0);
    	bind(lsd, (struct sockaddr *)&sun, sizeof(sun));
    	listen(lsd, 1);
    	shutdown(lsd, SHUT_RDWR);
    
    	/* connect loop */
    	alarm(15); /* forcely exit the loop after 15 sec */
    	for (;;) {
    		csd = socket(AF_UNIX, SOCK_STREAM, 0);
    		ret = connect(csd, (struct sockaddr *)&sun, sizeof(sun));
    		if (-1 == ret) {
    			perror("connect()");
    			break;
    		}
    		puts("Connection OK");
    	}
    	return 0;
    }
    
    (*) Make sun_path[0] = 0 to use the abstruct namespace.
        If a file-based socket is used, the system doesn't deadlock because
        of context switches in the file system layer.
    
    Why this happens:
     Error checks between unix_socket_connect() and unix_wait_for_peer() are
     inconsistent. The former calls the latter to wait until the backlog is
     processed. Despite the latter returns without doing anything when the
     socket is shutdown, the former doesn't check the shutdown state and
     just retries calling the latter forever.
    
    Patch:
     The patch below adds shutdown check into unix_socket_connect(), so
     connect(2) to the shutdown socket will return -ECONREFUSED.
    
    Signed-off-by: Tomoki Sekiyama <tomoki.sekiyama.qu@hitachi.com>
    Signed-off-by: Masanori Yoshida <masanori.yoshida.tv@hitachi.com>
    Cc: Chuck Ebbert <cebbert@redhat.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
  17. @gregkh

    x86-64: Fix register leak in 32-bit syscall audting

    Jan Beulich authored gregkh committed
    commit 8176674 upstream.
    
    Restoring %ebp after the call to audit_syscall_exit() is not
    only unnecessary (because the register didn't get clobbered),
    but in the sysenter case wasn't even doing the right thing: It
    loaded %ebp from a location below the top of stack (RBP <
    ARGOFFSET), i.e. arbitrary kernel data got passed back to user
    mode in the register.
    
    Signed-off-by: Jan Beulich <jbeulich@novell.com>
    Acked-by: Roland McGrath <roland@redhat.com>
    LKML-Reference: <4AE5CC4D020000780001BD13@vpn.id2.novell.com>
    Signed-off-by: Ingo Molnar <mingo@elte.hu>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  18. @gregkh

    tty: Mark generic_serial users as BROKEN

    Alan Cox authored gregkh committed
    commit 4121459 upstream.
    
    There isn't much else I can do with these. I can find no hardware for any
    of them and no users. The code is broken.
    
    Signed-off-by: Alan Cox <alan@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  19. @lenb @gregkh

    Revert "ACPI: Attach the ACPI device to the ACPI handle as early as p…

    lenb authored gregkh committed
    …ossible"
    
    commit f61f925 upstream.
    
    This reverts commit eab4b64.
    
    http://bugzilla.kernel.org/show_bug.cgi?id=13002
    
    Signed-off-by: Len Brown <len.brown@intel.com>
    Cc: Chuck Ebbert <cebbert@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  20. @gregkh

    ray_cs: Fix copy_from_user handling

    Alan Cox authored gregkh committed
    commit 575c9ed upstream.
    
    I've not touched the other stuff here but the word "locking" comes to mind.
    
    Signed-off-by: Alan Cox <alan@linux.intel.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  21. @kosaki @gregkh

    mbind(): fix leak of never putback pages

    kosaki authored gregkh committed
    commit ab8a3e1 upstream.
    
    If mbind() receives an invalid address, do_mbind leaks a page.  The
    following test program detects this leak.
    
    This patch fixes it.
    
    migrate_efault.c
    =======================================
     #include <numaif.h>
     #include <numa.h>
     #include <sys/mman.h>
     #include <stdio.h>
     #include <unistd.h>
     #include <stdlib.h>
     #include <string.h>
    
    static unsigned long pagesize;
    
    static void* make_hole_mapping(void)
    {
    
    	void* addr;
    
    	addr = mmap(NULL, pagesize*3, PROT_READ|PROT_WRITE,
    		    MAP_ANON|MAP_PRIVATE, 0, 0);
    	if (addr == MAP_FAILED)
    		return NULL;
    
    	/* make page populate */
    	memset(addr, 0, pagesize*3);
    
    	/* make memory hole */
    	munmap(addr+pagesize, pagesize);
    
    	return addr;
    }
    
    int main(int argc, char** argv)
    {
    	void* addr;
    	int ch;
    	int node;
    	struct bitmask *nmask = numa_allocate_nodemask();
    	int err;
    	int node_set = 0;
    
    	while ((ch = getopt(argc, argv, "n:")) != -1){
    		switch (ch){
    		case 'n':
    			node = strtol(optarg, NULL, 0);
    			numa_bitmask_setbit(nmask, node);
    			node_set = 1;
    			break;
    		default:
    			;
    		}
    	}
    	argc -= optind;
    	argv += optind;
    
    	if (!node_set)
    		numa_bitmask_setbit(nmask, 0);
    
    	pagesize = getpagesize();
    
    	addr = make_hole_mapping();
    
    	err = mbind(addr, pagesize*3, MPOL_BIND, nmask->maskp, nmask->size, MPOL_MF_MOVE_ALL);
    	if (err)
    		perror("mbind ");
    
    	return 0;
    }
    =======================================
    
    Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
    Acked-by: Christoph Lameter <cl@linux-foundation.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  22. @dwmw2 @gregkh

    libertas if_usb: Fix crash on 64-bit machines

    dwmw2 authored gregkh committed
    commit e9024a0 upstream.
    
    On a 64-bit kernel, skb->tail is an offset, not a pointer. The libertas
    usb driver passes it to usb_fill_bulk_urb() anyway, causing interesting
    crashes. Fix that by using skb->data instead.
    
    This highlights a problem with usb_fill_bulk_urb(). It doesn't notice
    when dma_map_single() fails and return the error to its caller as it
    should. In fact it _can't_ currently return the error, since it returns
    void.
    
    So this problem was showing up only at unmap time, after we'd already
    suffered memory corruption by doing DMA to a bogus address.
    
    Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
    Acked-by: David S. Miller <davem@davemloft.net>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  23. @gregkh

    libata: fix internal command failure handling

    Tejun Heo authored gregkh committed
    commit f4b31db upstream.
    
    When an internal command fails, it should be failed directly without
    invoking EH.  In the original implemetation, this was accomplished by
    letting internal command bypass failure handling in ata_qc_complete().
    However, later changes added post-successful-completion handling to
    that code path and the success path is no longer adequate as internal
    command failure path.  One of the visible problems is that internal
    command failure due to timeout or other freeze conditions would
    spuriously trigger WARN_ON_ONCE() in the success path.
    
    This patch updates failure path such that internal command failure
    handling is contained there.
    
    Signed-off-by: Tejun Heo <tj@kernel.org>
    Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  24. @dtor @gregkh

    Input: synaptics - add another Protege M300 to rate blacklist

    dtor authored gregkh committed
    commit 5f5eeff upstream.
    
    Apparently some of Toshiba Protege M300 identify themselves as
    "Portable PC" in DMI so we need to add that to the DMI table as
    well. We need DMI data so we can automatically lower Synaptics
    reporting rate from 80 to 40 pps to avoid over-taxing their
    keyboard controllers.
    
    Tested-by: Rod Davison <roddavison@gmail.com>
    Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  25. @gregkh

    hfsplus: refuse to mount volumes larger than 2TB

    Ben Hutchings authored gregkh committed
    commit 5c36fe3 upstream.
    
    As found in <http://bugs.debian.org/550010>, hfsplus is using type u32
    rather than sector_t for some sector number calculations.
    
    In particular, hfsplus_get_block() does:
    
            u32 ablock, dblock, mask;
    ...
            map_bh(bh_result, sb, (dblock << HFSPLUS_SB(sb).fs_shift) + HFSPLUS_SB(sb).blockoffset + (iblock & mask));
    
    I am not confident that I can find and fix all cases where a sector number
    may be truncated.  For now, avoid data loss by refusing to mount HFS+
    volumes with more than 2^32 sectors (2TB).
    
    [akpm@linux-foundation.org: fix 32 and 64-bit issues]
    Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
    Cc: Eric Sesterhenn <snakebyte@gmx.de>
    Cc: Roman Zippel <zippel@linux-m68k.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  26. @gregkh

    fs: pipe.c null pointer dereference

    Earl Chew authored gregkh committed
    commit ad39602 upstream.
    
    This patch fixes a null pointer exception in pipe_rdwr_open() which
    generates the stack trace:
    
    > Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
    >  [<ffffffff802899a5>] pipe_rdwr_open+0x35/0x70
    >  [<ffffffff8028125c>] __dentry_open+0x13c/0x230
    >  [<ffffffff8028143d>] do_filp_open+0x2d/0x40
    >  [<ffffffff802814aa>] do_sys_open+0x5a/0x100
    >  [<ffffffff8021faf3>] sysenter_do_call+0x1b/0x67
    
    The failure mode is triggered by an attempt to open an anonymous
    pipe via /proc/pid/fd/* as exemplified by this script:
    
    =============================================================
    while : ; do
       { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
       PID=$!
       OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
            { read PID REST ; echo $PID; } )
       OUT="${OUT%% *}"
       DELAY=$((RANDOM * 1000 / 32768))
       usleep $((DELAY * 1000 + RANDOM % 1000 ))
       echo n > /proc/$OUT/fd/1                 # Trigger defect
    done
    =============================================================
    
    Note that the failure window is quite small and I could only
    reliably reproduce the defect by inserting a small delay
    in pipe_rdwr_open(). For example:
    
     static int
     pipe_rdwr_open(struct inode *inode, struct file *filp)
     {
           msleep(100);
           mutex_lock(&inode->i_mutex);
    
    Although the defect was observed in pipe_rdwr_open(), I think it
    makes sense to replicate the change through all the pipe_*_open()
    functions.
    
    The core of the change is to verify that inode->i_pipe has not
    been released before attempting to manipulate it. If inode->i_pipe
    is no longer present, return ENOENT to indicate so.
    
    The comment about potentially using atomic_t for i_pipe->readers
    and i_pipe->writers has also been removed because it is no longer
    relevant in this context. The inode->i_mutex lock must be used so
    that inode->i_pipe can be dealt with correctly.
    
    Signed-off-by: Earl Chew <earl_chew@agilent.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  27. @gregkh

    Driver core: fix driver_register() return value

    Stas Sergeev authored gregkh committed
    commit 39acbc1 upstream.
    
    In this patch:
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=16dc42e018c2868211b4928f20a957c0c216126c
    the check was added for another driver to already claim the same device
    on the same bus. But the returned error code was wrong: to modprobe, the
    -EEXIST means that _this_ driver is already installed. It therefore
    doesn't produce the needed error message when _another_ driver is trying
    to register for the same device.  Returning -EBUSY fixes the problem.
    
    Signed-off-by: Stas Sergeev <stsp@aknet.ru>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  28. @OGAWAHirofumi @gregkh

    dpt_i2o: Fix typo of EINVAL

    OGAWAHirofumi authored gregkh committed
    commit aefba41 upstream.
    
    Commit ef7562b ("dpt_i2o: Fix up
    copy*user") had a silly typo: EINVAL should be -EINVAL.
    
    Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
    Cc: Alan Cox <alan@linux.intel.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  29. @gregkh

    dpt_i2o: Fix up copy*user

    Alan Cox authored gregkh committed
    commit ef7562b upstream.
    
    Signed-off-by: Alan Cox <alan@linux.intel.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  30. @lwfinger @gregkh

    b43: Fix Bugzilla #14181 and the bug from the previous 'fix'

    lwfinger authored gregkh committed
    commit d50bae3 upstream.
    
    "b43: Fix PPC crash in rfkill polling on unload" fixed the bug reported
    in Bugzilla No. 14181; however, it introduced a new bug. Whenever the
    radio switch was turned off, it was necessary to unload and reload
    the driver for it to recognize the switch again.
    
    This patch fixes both the original bug in #14181 and the bug introduced by
    the previous patch. It must be stated, however, that if there is a BCM4306/3
    with an rfkill switch (not yet proven), then the driver will need an
    unload/reload cycle to turn the device back on.
    
    Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  31. @ozbenh @gregkh

    8250_pci: add IBM Saturn serial card

    ozbenh authored gregkh committed
    commit c68d2b1 upstream.
    
    The IBM Saturn serial card has only one port. Without that fixup,
    the kernel thinks it has two, which confuses userland setup and
    admin tools as well.
    
    [akpm@linux-foundation.org: fix pci-ids.h layout]
    Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Acked-by: Alan Cox <alan@linux.intel.com>
    Cc: Michael Reed <mreed10@us.ibm.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Acked-by: Alan Cox <alan@linux.intel.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Commits on Oct 22, 2009
  1. @gregkh

    Linux 2.6.27.38

    gregkh authored
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  2. @jhovold @gregkh

    USB: digi_acceleport: Fix broken unthrottle.

    jhovold authored gregkh committed
    commit ba6b702 upstream.
    
    This patch fixes a regression introduced in
    39892da.
    
    Signed-off-by: Johan Hovold <jhovold@gmail.com>
    Acked-by: Oliver Neukum <oliver@neukum.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  3. @gregkh

    SCSI: Fix protection scsi_data_buffer leak

    Martin K. Petersen authored gregkh committed
    commit b4c2554 upstream.
    
    We would leak a scsi_data_buffer if the free_list command was of the
    protected variety.
    
    Reported-by: Boaz Harrosh <bharrosh@panasas.com>
    Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
    Signed-off-by: James Bottomley <James.Bottomley@suse.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  4. @gregkh

    usb-serial: fix crash when sub-driver updates firmware

    Alan Stern authored gregkh committed
    commit 0a3c854 upstream.
    
    This patch (as1244) fixes a crash in usb-serial that occurs when a
    sub-driver returns a positive value from its attach method, indicating
    that new firmware was loaded and the device will disconnect and
    reconnect.  The usb-serial core then skips the step of registering the
    port devices; when the disconnect occurs, the attempt to unregister
    the ports fails dramatically.
    
    This problem shows up with Keyspan devices and it might affect others
    as well.
    
    When the attach method returns a positive value, the patch sets
    num_ports to 0.  This tells usb_serial_disconnect() not to try
    unregistering any of the ports; instead they are cleaned up by
    destroy_serial().
    
    Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
    Tested-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Something went wrong with that request. Please try again.