2008-11-07 23:23:02

by Greg KH

Subject: [patch 00/23] 2.6.26.8-stable review

This is the start of the stable review cycle for the 2.6.26.8 release.
There are 23 patches in this series, all will be posted as a response to
this one. If anyone has any issues with these being applied, please let
us know. If anyone is a maintainer of the proper subsystem, and wants
to add a Signed-off-by: line to the patch, please respond with it.

These patches are sent out with a number of different people on the Cc:
line. If you wish to be a reviewer, please email [email protected] to
add your name to the list. If you want to be off the reviewer list,
also email us.

Responses should be made by Monday, November 10, 20:00:00 UTC. Anything
received after that time might be too late.

The whole patch series can be found in one patch at:
kernel.org/pub/linux/kernel/v2.6/stable-review/patch-2.6.26.8-rc1.gz
and the diffstat can be found below.


thanks,

greg k-h

----------------

Makefile | 2
arch/sparc64/kernel/trampoline.S | 18 ++-
drivers/acpi/button.c | 3
drivers/acpi/dock.c | 5 -
drivers/acpi/video.c | 123 ++++++++++++++-----------
drivers/edac/cell_edac.c | 2
drivers/gpio/gpiolib.c | 2
drivers/i2c/busses/scx200_i2c.c | 1
drivers/media/dvb/frontends/s5h1411.c | 35 +++++--
drivers/media/video/pvrusb2/pvrusb2-encoder.c | 4
drivers/net/wireless/libertas/scan.c | 4
drivers/scsi/qla2xxx/qla_gs.c | 6 +
fs/ext2/dir.c | 60 +++++++-----
fs/ext3/dir.c | 10 +-
fs/ext4/dir.c | 11 +-
include/linux/sched.h | 4
include/math-emu/op-common.h | 17 ++-
include/net/scm.h | 5 -
net/core/dev.c | 27 +----
net/core/rtnetlink.c | 2
net/core/scm.c | 24 ++++
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 2
net/ipv4/netfilter/nf_nat_snmp_basic.c | 1
net/ipv6/tcp_ipv6.c | 2
net/netfilter/xt_iprange.c | 8 -
security/commoncap.c | 6 -
sound/core/control.c | 4
27 files changed, 247 insertions(+), 141 deletions(-)


2008-11-07 23:23:34

by Greg KH

Subject: [patch 01/23] gpiolib: fix oops in gpio_get_value_cansleep()


2.6.26-stable review patch. If anyone has any objections, please let us know.

------------------

From: David Brownell <[email protected]>

commit 978ccaa8ea5d8c7bf6b676209f2fc126eae6355b upstream

We can get the following oops from gpio_get_value_cansleep() when a GPIO
controller doesn't provide a get() callback:

Unable to handle kernel paging request for instruction fetch
Faulting instruction address: 0x00000000
Oops: Kernel access of bad area, sig: 11 [#1]
[...]
NIP [00000000] 0x0
LR [c0182fb0] gpio_get_value_cansleep+0x40/0x50
Call Trace:
[c7b79e80] [c0183f28] gpio_value_show+0x5c/0x94
[c7b79ea0] [c01a584c] dev_attr_show+0x30/0x7c
[c7b79eb0] [c00d6b48] fill_read_buffer+0x68/0xe0
[c7b79ed0] [c00d6c54] sysfs_read_file+0x94/0xbc
[c7b79ef0] [c008f24c] vfs_read+0xb4/0x16c
[c7b79f10] [c008f580] sys_read+0x4c/0x90
[c7b79f40] [c0013a14] ret_from_syscall+0x0/0x38

It's OK to request the value of *any* GPIO; most GPIOs are bidirectional,
so configuring them as outputs just enables an output driver and doesn't
disable the input logic.

So the problem is that gpio_get_value_cansleep() isn't making the same
sanity check that gpio_get_value() does: making sure this GPIO isn't one
of the atypical "no input logic" cases.

Reported-by: Anton Vorontsov <[email protected]>
Signed-off-by: David Brownell <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/gpio/gpiolib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpio/gpiolib.c
+++ b/drivers/gpio/gpiolib.c
@@ -517,7 +517,7 @@ int gpio_get_value_cansleep(unsigned gpi

might_sleep_if(extra_checks);
chip = gpio_to_chip(gpio);
- return chip->get(chip, gpio - chip->base);
+ return chip->get ? chip->get(chip, gpio - chip->base) : 0;
}
EXPORT_SYMBOL_GPL(gpio_get_value_cansleep);
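Review bot: the fallback on the `+` line returns 0 when chip->get is NULL, and a caller cannot tell that apart from a pin that really reads low. A one-line comment above the return saying this is the "no input logic" case from the changelog, handled the same way as in gpio_get_value(), would keep the ternary from looking like a silent error path.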


--

2008-11-07 23:24:45

by Greg KH

Subject: [patch 05/23] net: Fix recursive descent in __scm_destroy().

2.6.26-stable review patch. If anyone has any objections, please let us know.

------------------

From: David Miller <[email protected]>

commit f8d570a4745835f2238a33b537218a1bb03fc671 and
3b53fbf4314594fa04544b02b2fc6e607912da18 upstream (because once wasn't
good enough...)

__scm_destroy() walks the list of file descriptors in the scm_fp_list
pointed to by the scm_cookie argument.

Those, in turn, can close sockets and invoke __scm_destroy() again.

There is nothing which limits how deeply this can occur.

The idea for how to fix this is from Linus. Basically, we do all of
the fput()s at the top level by collecting all of the scm_fp_list
objects hit by an fput(). Inside of the initial __scm_destroy() we
keep running the list until it is empty.

Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
include/linux/sched.h | 4 +++-
include/net/scm.h | 5 +++--
net/core/scm.c | 24 +++++++++++++++++++++---
3 files changed, 27 insertions(+), 6 deletions(-)

--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1288,7 +1288,9 @@ struct task_struct {
atomic_t fs_excl; /* holding fs exclusive resources */
struct rcu_head rcu;

- /*
+ struct list_head *scm_work_list;
+
+/*
* cache last used pipe for splice
*/
struct pipe_inode_info *splice_pipe;
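Review bot: the new `struct list_head *scm_work_list;` field has no comment, unlike its neighbours fs_excl and splice_pipe, and the same hunk rewrites the opening `/*` of the splice comment with different leading whitespace ("- /*" becomes "+/*"), which looks unintended. Please document the field (non-NULL only while this task is inside the outermost __scm_destroy()) and drop the whitespace change.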
--- a/include/net/scm.h
+++ b/include/net/scm.h
@@ -14,8 +14,9 @@

struct scm_fp_list
{
- int count;
- struct file *fp[SCM_MAX_FD];
+ struct list_head list;
+ int count;
+ struct file *fp[SCM_MAX_FD];
};

struct scm_cookie
--- a/net/core/scm.c
+++ b/net/core/scm.c
@@ -75,6 +75,7 @@ static int scm_fp_copy(struct cmsghdr *c
if (!fpl)
return -ENOMEM;
*fplp = fpl;
+ INIT_LIST_HEAD(&fpl->list);
fpl->count = 0;
}
fpp = &fpl->fp[fpl->count];
@@ -106,9 +107,25 @@ void __scm_destroy(struct scm_cookie *sc

if (fpl) {
scm->fp = NULL;
- for (i=fpl->count-1; i>=0; i--)
- fput(fpl->fp[i]);
- kfree(fpl);
+ if (current->scm_work_list) {
+ list_add_tail(&fpl->list, current->scm_work_list);
+ } else {
+ LIST_HEAD(work_list);
+
+ current->scm_work_list = &work_list;
+
+ list_add(&fpl->list, &work_list);
+ while (!list_empty(&work_list)) {
+ fpl = list_first_entry(&work_list, struct scm_fp_list, list);
+
+ list_del(&fpl->list);
+ for (i=fpl->count-1; i>=0; i--)
+ fput(fpl->fp[i]);
+ kfree(fpl);
+ }
+
+ current->scm_work_list = NULL;
+ }
}
}
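Review bot: the split between `if (current->scm_work_list)` and the else branch carries the whole fix but has no comment. Please say that a non-NULL pointer means this call is nested inside an outer __scm_destroy() on the same task and only queues its fpl, and that work_list lives on the outer call's stack, so `current->scm_work_list = NULL;` must be reached before that frame returns.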

@@ -284,6 +301,7 @@ struct scm_fp_list *scm_fp_dup(struct sc

new_fpl = kmalloc(sizeof(*fpl), GFP_KERNEL);
if (new_fpl) {
+ INIT_LIST_HEAD(&new_fpl->list);
for (i=fpl->count-1; i>=0; i--)
get_file(fpl->fp[i]);
memcpy(new_fpl, fpl, sizeof(*fpl));
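Review bot: the added `INIT_LIST_HEAD(&new_fpl->list);` runs before `memcpy(new_fpl, fpl, sizeof(*fpl));`, and since this series puts `list` inside struct scm_fp_list, the memcpy overwrites the freshly initialised head with the source's next/prev pointers, which refer to fpl->list rather than new_fpl->list. Move the INIT_LIST_HEAD() call to after the memcpy.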

--
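
A user-space model of the work-list technique this changelog describes, added here as an illustration; it is not kernel code and not part of the patch. `struct file`, `inflight`, `run_chain()` and the static `cur_work` pointer (standing in for `current->scm_work_list`) are assumptions of the model, which compares the nesting depth of the old recursive teardown with the patched one on a constructed chain of sockets.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_FD 4

struct file;

struct fp_list {                 /* models struct scm_fp_list */
    struct fp_list *next;        /* work-list link (a list_head in the patch) */
    int count;
    struct file *fp[MAX_FD];
};

struct file {                    /* models a socket's struct file */
    int refs;
    struct fp_list *inflight;    /* descriptors still queued on this socket */
};

struct work { struct fp_list *head, *tail; };

static struct work *cur_work;    /* stands in for current->scm_work_list */
static int use_worklist, depth, max_depth;
int files_freed;

static void destroy(struct fp_list *fpl);

static void *xcalloc(size_t n)
{
    void *p = calloc(1, n);
    if (!p)
        abort();
    return p;
}

/* Models fput(): the last reference closes the socket, which in turn
 * destroys whatever descriptor list was still queued on it. */
static void file_put(struct file *f)
{
    if (--f->refs > 0)
        return;
    if (f->inflight)
        destroy(f->inflight);
    free(f);
    files_freed++;
}

static void drop_all(struct fp_list *fpl)
{
    for (int i = fpl->count - 1; i >= 0; i--)
        file_put(fpl->fp[i]);
    free(fpl);
}

/* Models __scm_destroy(), before (use_worklist == 0) and after the patch. */
static void destroy(struct fp_list *fpl)
{
    if (++depth > max_depth)
        max_depth = depth;
    fpl->next = NULL;
    if (!use_worklist) {
        drop_all(fpl);                    /* old code: recurses via file_put() */
    } else if (cur_work) {
        /* Nested call: hand the list to the outermost invocation. */
        if (cur_work->tail)
            cur_work->tail->next = fpl;
        else
            cur_work->head = fpl;
        cur_work->tail = fpl;
    } else {
        struct work w = { fpl, fpl };
        cur_work = &w;
        while (w.head) {                  /* run until nothing is left */
            struct fp_list *cur = w.head;
            w.head = cur->next;
            if (!w.head)
                w.tail = NULL;
            drop_all(cur);                /* may append to w */
        }
        cur_work = NULL;
    }
    depth--;
}

/* Build n sockets, each queued inside the next one's descriptor list,
 * destroy the outermost list and return the deepest destroy() nesting. */
int run_chain(int n, int worklist)
{
    struct fp_list *fpl = NULL;

    if (n < 1)
        return 0;
    for (int i = 0; i < n; i++) {
        struct file *f = xcalloc(sizeof(*f));
        f->refs = 1;
        f->inflight = fpl;
        fpl = xcalloc(sizeof(*fpl));
        fpl->fp[fpl->count++] = f;
    }
    use_worklist = worklist;
    depth = max_depth = files_freed = 0;
    destroy(fpl);
    return max_depth;
}

int main(void)
{
    printf("recursive: depth %d\n", run_chain(1000, 0));
    printf("work list: depth %d\n", run_chain(1000, 1));
    return 0;
}
```

In the model the recursive variant nests once per socket in the chain, while the work-list variant never goes deeper than the outer call plus one queuing call.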

2008-11-07 23:24:30

by Greg KH

Subject: [patch 04/23] SCSI: qla2xxx: Skip FDMI registration on ISP21xx/22xx parts.


2.6.26-stable review patch. If anyone has any objections, please let us know.

------------------

From: Andrew Vasquez <[email protected]>

commit 031e134e5f95233d80fb1b62fdaf5e1be587597c upstream

Firmware does not have the facilities to issue management server
IOCBs.

Signed-off-by: Andrew Vasquez <[email protected]>
Signed-off-by: James Bottomley <[email protected]>
Cc: Ferenc Wagner <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/scsi/qla2xxx/qla_gs.c | 6 ++++++
1 file changed, 6 insertions(+)

--- a/drivers/scsi/qla2xxx/qla_gs.c
+++ b/drivers/scsi/qla2xxx/qla_gs.c
@@ -1661,6 +1661,12 @@ qla2x00_fdmi_register(scsi_qla_host_t *h
{
int rval;

+ if (IS_QLA2100(ha) || IS_QLA2200(ha)) {
+ DEBUG2(printk("scsi(%ld): FDMI unsupported on "
+ "ISP2100/ISP2200.\n", ha->host_no));
+ return QLA_SUCCESS;
+ }
+
rval = qla2x00_mgmt_svr_login(ha);
if (rval)
return rval;
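Review bot: the new early exit returns QLA_SUCCESS although nothing was registered, and the only trace is a printk wrapped in DEBUG2(). Please add a comment above the `if (IS_QLA2100(ha) || IS_QLA2200(ha))` test saying that skipping FDMI is deliberate on these parts (the changelog gives the reason), so the success return is not later mistaken for a swallowed error.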

--

2008-11-07 23:23:47

by Greg KH

Subject: [patch 02/23] ext: Avoid printk floods in the face of directory corruption (CVE-2008-3528)

2.6.26-stable review patch. If anyone has any objections, please let us know.

------------------

From: Eric Sandeen <[email protected]>

This is a trivial backport of the following upstream commits:

- bd39597cbd42a784105a04010100e27267481c67 (ext2)
- cdbf6dba28e8e6268c8420857696309470009fd9 (ext3)
- 9d9f177572d9e4eba0f2e18523b44f90dd51fe74 (ext4)

This addresses CVE-2008-3528

ext[234]: Avoid printk floods in the face of directory corruption

Note: some people think this represents a security bug, since it
might make the system go away while it is printing a large number of
console messages, especially if a serial console is involved. Hence,
it has been assigned CVE-2008-3528, but it requires that the attacker
either has physical access to your machine to insert a USB disk with a
corrupted filesystem image (at which point why not just hit the power
button), or is otherwise able to convince the system administrator to
mount an arbitrary filesystem image (at which point why not just
include a setuid shell or world-writable hard disk device file or some
such). Me, I think they're just being silly. --tytso

Signed-off-by: Eric Sandeen <[email protected]>
Signed-off-by: "Theodore Ts'o" <[email protected]>
Cc: [email protected]
Cc: Eugene Teo <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
fs/ext2/dir.c | 60 +++++++++++++++++++++++++++++++++-------------------------
fs/ext3/dir.c | 10 ++++++---
fs/ext4/dir.c | 11 +++++++---
3 files changed, 50 insertions(+), 31 deletions(-)

--- a/fs/ext2/dir.c
+++ b/fs/ext2/dir.c
@@ -103,7 +103,7 @@ static int ext2_commit_chunk(struct page
return err;
}

-static void ext2_check_page(struct page *page)
+static void ext2_check_page(struct page *page, int quiet)
{
struct inode *dir = page->mapping->host;
struct super_block *sb = dir->i_sb;
@@ -146,10 +146,10 @@ out:
/* Too bad, we had an error */

Ebadsize:
- ext2_error(sb, "ext2_check_page",
- "size of directory #%lu is not a multiple of chunk size",
- dir->i_ino
- );
+ if (!quiet)
+ ext2_error(sb, __func__,
+ "size of directory #%lu is not a multiple "
+ "of chunk size", dir->i_ino);
goto fail;
Eshort:
error = "rec_len is smaller than minimal";
@@ -166,32 +166,36 @@ Espan:
Einumber:
error = "inode out of bounds";
bad_entry:
- ext2_error (sb, "ext2_check_page", "bad entry in directory #%lu: %s - "
- "offset=%lu, inode=%lu, rec_len=%d, name_len=%d",
- dir->i_ino, error, (page->index<<PAGE_CACHE_SHIFT)+offs,
- (unsigned long) le32_to_cpu(p->inode),
- rec_len, p->name_len);
+ if (!quiet)
+ ext2_error(sb, __func__, "bad entry in directory #%lu: : %s - "
+ "offset=%lu, inode=%lu, rec_len=%d, name_len=%d",
+ dir->i_ino, error, (page->index<<PAGE_CACHE_SHIFT)+offs,
+ (unsigned long) le32_to_cpu(p->inode),
+ rec_len, p->name_len);
goto fail;
Eend:
- p = (ext2_dirent *)(kaddr + offs);
- ext2_error (sb, "ext2_check_page",
- "entry in directory #%lu spans the page boundary"
- "offset=%lu, inode=%lu",
- dir->i_ino, (page->index<<PAGE_CACHE_SHIFT)+offs,
- (unsigned long) le32_to_cpu(p->inode));
+ if (!quiet) {
+ p = (ext2_dirent *)(kaddr + offs);
+ ext2_error(sb, "ext2_check_page",
+ "entry in directory #%lu spans the page boundary"
+ "offset=%lu, inode=%lu",
+ dir->i_ino, (page->index<<PAGE_CACHE_SHIFT)+offs,
+ (unsigned long) le32_to_cpu(p->inode));
+ }
fail:
SetPageChecked(page);
SetPageError(page);
}

-static struct page * ext2_get_page(struct inode *dir, unsigned long n)
+static struct page * ext2_get_page(struct inode *dir, unsigned long n,
+ int quiet)
{
struct address_space *mapping = dir->i_mapping;
struct page *page = read_mapping_page(mapping, n, NULL);
if (!IS_ERR(page)) {
kmap(page);
if (!PageChecked(page))
- ext2_check_page(page);
+ ext2_check_page(page, quiet);
if (PageError(page))
goto fail;
}
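Review bot: the rewritten bad_entry message has a doubled separator, `"bad entry in directory #%lu: : %s - "`, where the removed line had a single colon. In the same hunk the Eend call still passes the literal "ext2_check_page" while the other two calls were switched to __func__, and its adjacent strings `"... spans the page boundary"` `"offset=%lu, inode=%lu"` concatenate with no space between them. Since these lines are being touched anyway, all three could be fixed here.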
@@ -292,7 +296,7 @@ ext2_readdir (struct file * filp, void *
for ( ; n < npages; n++, offset = 0) {
char *kaddr, *limit;
ext2_dirent *de;
- struct page *page = ext2_get_page(inode, n);
+ struct page *page = ext2_get_page(inode, n, 0);

if (IS_ERR(page)) {
ext2_error(sb, __func__,
@@ -361,6 +365,7 @@ struct ext2_dir_entry_2 * ext2_find_entr
struct page *page = NULL;
struct ext2_inode_info *ei = EXT2_I(dir);
ext2_dirent * de;
+ int dir_has_error = 0;

if (npages == 0)
goto out;
@@ -374,7 +379,7 @@ struct ext2_dir_entry_2 * ext2_find_entr
n = start;
do {
char *kaddr;
- page = ext2_get_page(dir, n);
+ page = ext2_get_page(dir, n, dir_has_error);
if (!IS_ERR(page)) {
kaddr = page_address(page);
de = (ext2_dirent *) kaddr;
@@ -391,7 +396,9 @@ struct ext2_dir_entry_2 * ext2_find_entr
de = ext2_next_entry(de);
}
ext2_put_page(page);
- }
+ } else
+ dir_has_error = 1;
+
if (++n >= npages)
n = 0;
/* next page is past the blocks we've got */
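Review bot: style point on `} else` followed by an unbraced `dir_has_error = 1;`: the if branch is braced, so the else branch should be braced as well. It would also help to note next to the assignment that the flag only silences later pages of this one lookup, because it is a local of ext2_find_entry().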
@@ -414,7 +421,7 @@ found:

struct ext2_dir_entry_2 * ext2_dotdot (struct inode *dir, struct page **p)
{
- struct page *page = ext2_get_page(dir, 0);
+ struct page *page = ext2_get_page(dir, 0, 0);
ext2_dirent *de = NULL;

if (!IS_ERR(page)) {
@@ -487,7 +494,7 @@ int ext2_add_link (struct dentry *dentry
for (n = 0; n <= npages; n++) {
char *dir_end;

- page = ext2_get_page(dir, n);
+ page = ext2_get_page(dir, n, 0);
err = PTR_ERR(page);
if (IS_ERR(page))
goto out;
@@ -655,14 +662,17 @@ int ext2_empty_dir (struct inode * inode
{
struct page *page = NULL;
unsigned long i, npages = dir_pages(inode);
+ int dir_has_error = 0;

for (i = 0; i < npages; i++) {
char *kaddr;
ext2_dirent * de;
- page = ext2_get_page(inode, i);
+ page = ext2_get_page(inode, i, dir_has_error);

- if (IS_ERR(page))
+ if (IS_ERR(page)) {
+ dir_has_error = 1;
continue;
+ }

kaddr = page_address(page);
de = (ext2_dirent *)kaddr;
--- a/fs/ext3/dir.c
+++ b/fs/ext3/dir.c
@@ -102,6 +102,7 @@ static int ext3_readdir(struct file * fi
int err;
struct inode *inode = filp->f_path.dentry->d_inode;
int ret = 0;
+ int dir_has_error = 0;

sb = inode->i_sb;

@@ -148,9 +149,12 @@ static int ext3_readdir(struct file * fi
* of recovering data when there's a bad sector
*/
if (!bh) {
- ext3_error (sb, "ext3_readdir",
- "directory #%lu contains a hole at offset %lu",
- inode->i_ino, (unsigned long)filp->f_pos);
+ if (!dir_has_error) {
+ ext3_error(sb, __func__, "directory #%lu "
+ "contains a hole at offset %lld",
+ inode->i_ino, filp->f_pos);
+ dir_has_error = 1;
+ }
/* corrupt size? Maybe no more blocks to read */
if (filp->f_pos > inode->i_blocks << 9)
break;
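Review bot: dir_has_error is a local of ext3_readdir(), so the "contains a hole" message is limited to once per readdir call rather than once per directory or per mount; repeated calls on the same corrupted directory will each log again. If that is the intended bound, please say so in a comment at the `if (!dir_has_error)` test, since the subject line promises to avoid floods.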
--- a/fs/ext4/dir.c
+++ b/fs/ext4/dir.c
@@ -102,6 +102,7 @@ static int ext4_readdir(struct file * fi
int err;
struct inode *inode = filp->f_path.dentry->d_inode;
int ret = 0;
+ int dir_has_error = 0;

sb = inode->i_sb;

@@ -147,9 +148,13 @@ static int ext4_readdir(struct file * fi
* of recovering data when there's a bad sector
*/
if (!bh) {
- ext4_error (sb, "ext4_readdir",
- "directory #%lu contains a hole at offset %lu",
- inode->i_ino, (unsigned long)filp->f_pos);
+ if (!dir_has_error) {
+ ext4_error(sb, __func__, "directory #%lu "
+ "contains a hole at offset %Lu",
+ inode->i_ino,
+ (unsigned long long) filp->f_pos);
+ dir_has_error = 1;
+ }
/* corrupt size? Maybe no more blocks to read */
if (filp->f_pos > inode->i_blocks << 9)
break;
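Review bot: the format here is `%Lu` with an `(unsigned long long)` cast, while the ext3 hunk of the same patch prints the same filp->f_pos with `%lld` and no cast. Please use one form in both files; `%llu` with the cast is the more conventional spelling.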

--

2008-11-07 23:24:08

by Greg KH

Subject: [patch 03/23] edac cell: fix incorrect edac_mode

2.6.26-stable review patch. If anyone has any objections, please let us know.

------------------

From: Benjamin Herrenschmidt <[email protected]>

commit 3b274f44d2ca05f719fe39947b6a5293a2dbd8fd upstream

The cell_edac driver is setting the edac_mode field of the csrow's to an
incorrect value, causing the sysfs show routine for that field to go out
of an array bound and Oopsing the kernel when used.

Signed-off-by: Benjamin Herrenschmidt <[email protected]>
Signed-off-by: Doug Thompson <[email protected]>
Signed-off-by: Andrew Morton <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/edac/cell_edac.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/edac/cell_edac.c
+++ b/drivers/edac/cell_edac.c
@@ -141,7 +141,7 @@ static void __devinit cell_edac_init_csr
csrow->nr_pages = (r.end - r.start + 1) >> PAGE_SHIFT;
csrow->last_page = csrow->first_page + csrow->nr_pages - 1;
csrow->mtype = MEM_XDR;
- csrow->edac_mode = EDAC_FLAG_EC | EDAC_FLAG_SECDED;
+ csrow->edac_mode = EDAC_SECDED;
dev_dbg(mci->dev,
"Initialized on node %d, chanmask=0x%x,"
" first_page=0x%lx, nr_pages=0x%x\n",
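Review bot: `csrow->edac_mode = EDAC_SECDED;` corrects this one driver, but the changelog says the oops comes from the sysfs show routine indexing an array with this field. A range check in that show routine would stop any other driver that stores an EDAC_FLAG_* mask here from triggering the same out-of-bounds read; worth a follow-up patch.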

--

2008-11-07 23:25:33

by Greg KH

Subject: [patch 07/23] file caps: always start with clear bprm->caps_*

2.6.26-stable review patch. If anyone has any objections, please let us know.

------------------

From: Serge Hallyn <[email protected]>

commit 3318a386e4ca68c76e0294363d29bdc46fcad670 upstream

Linux doesn't honor setuid on scripts. However, it mistakenly
behaves differently for file capabilities.

This patch fixes that behavior by making sure that get_file_caps()
begins with empty bprm->caps_*. That way when a script is loaded,
its bprm->caps_* may be filled when binfmt_misc calls prepare_binprm(),
but they will be cleared again when binfmt_elf calls prepare_binprm()
next to read the interpreter's file capabilities.

Signed-off-by: Serge Hallyn <[email protected]>
Acked-by: David Howells <[email protected]>
Acked-by: Andrew G. Morgan <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
security/commoncap.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -247,10 +247,10 @@ static int get_file_caps(struct linux_bi
struct vfs_cap_data vcaps;
struct inode *inode;

- if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID) {
- bprm_clear_caps(bprm);
+ bprm_clear_caps(bprm);
+
+ if (bprm->file->f_vfsmnt->mnt_flags & MNT_NOSUID)
return 0;
- }

dentry = dget(bprm->file->f_dentry);
inode = dentry->d_inode;
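Review bot: the now unconditional `bprm_clear_caps(bprm);` at the top of get_file_caps() has no comment, and without the changelog it reads as redundant. Please note in the code that prepare_binprm() can run more than once for one exec (script first, then interpreter) and that each pass must start from empty bprm->caps_* so the script's file capabilities are not carried over.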

--

2008-11-07 23:25:53

by Greg KH

Subject: [patch 08/23] ALSA: use correct lock in snd_ctl_dev_disconnect()

2.6.26-stable review patch. If anyone has any objections, please let us know.

------------------

From: Takashi Iwai <[email protected]>

commit d8009882e9f5e1a76986c741f071edd2ad760c97 upstream

The lock used in snd_ctl_dev_disconnect() should be card->ctl_files_rwlock
for protection of card->ctl_files entries, instead of card->controls_rwsem.

Reported-by: Vegard Nossum <[email protected]>
Signed-off-by: Takashi Iwai <[email protected]>
Signed-off-by: Jaroslav Kysela <[email protected]>
Cc: Chris Wedgwood <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
sound/core/control.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/sound/core/control.c
+++ b/sound/core/control.c
@@ -1426,12 +1426,12 @@ static int snd_ctl_dev_disconnect(struct
cardnum = card->number;
snd_assert(cardnum >= 0 && cardnum < SNDRV_CARDS, return -ENXIO);

- down_read(&card->controls_rwsem);
+ read_lock(&card->ctl_files_rwlock);
list_for_each_entry(ctl, &card->ctl_files, list) {
wake_up(&ctl->change_sleep);
kill_fasync(&ctl->fasync, SIGIO, POLL_ERR);
}
- up_read(&card->controls_rwsem);
+ read_unlock(&card->ctl_files_rwlock);

if ((err = snd_unregister_device(SNDRV_DEVICE_TYPE_CONTROL,
card, -1)) < 0)
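Review bot: with `read_lock(&card->ctl_files_rwlock);` the list walk now runs under a spinning rwlock instead of the sleeping controls_rwsem, so nothing in the loop body may sleep. A short comment above the loop stating that, and that ctl_files_rwlock is the lock guarding card->ctl_files, would keep a later change from adding a sleeping call between the lock and unlock lines.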

--

2008-11-07 23:25:01

by Greg KH

Subject: [patch 06/23] libertas: fix buffer overrun

2.6.26-stable review patch. If anyone has any objections, please let us know.

------------------

From: Johannes Berg <[email protected]>

commit 48735d8d8bd701b1e0cd3d49c21e5e385ddcb077 upstream

If somebody sends an invalid beacon/probe response, that can trash the
whole BSS descriptor. The descriptor is, luckily, large enough so that
it cannot scribble past the end of it; it's well above 400 bytes long.

Signed-off-by: Johannes Berg <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/net/wireless/libertas/scan.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/wireless/libertas/scan.c
+++ b/drivers/net/wireless/libertas/scan.c
@@ -598,8 +598,8 @@ static int lbs_process_bss(struct bss_de

switch (elem->id) {
case MFIE_TYPE_SSID:
- bss->ssid_len = elem->len;
- memcpy(bss->ssid, elem->data, elem->len);
+ bss->ssid_len = min_t(int, 32, elem->len);
+ memcpy(bss->ssid, elem->data, bss->ssid_len);
lbs_deb_scan("got SSID IE: '%s', len %u\n",
escape_essid(bss->ssid, bss->ssid_len),
bss->ssid_len);
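Review bot: the bound in `min_t(int, 32, elem->len)` is a bare literal. Please replace 32 with a named constant or a value derived from the declared size of bss->ssid, so the clamp cannot drift from the buffer it protects. Only the MFIE_TYPE_SSID case is visible in this hunk; the other cases of the same switch that copy elem->len bytes deserve the same check.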

--

2008-11-07 23:26:19

by Greg KH

Subject: [patch 09/23] ACPI: Always report a sync event after a lid state change

2.6.26-stable review patch. If anyone has any objections, please let us know.

------------------

From: Guillem Jover <[email protected]>

upstream commit df316e939100e789b3c5d4d102619ccf5834bd00

Currently not always an EV_SYN event is reported to userland
after the EV_SW SW_LID event has been sent. This is easy to verify
by using “input-events” from input-utils and just closing and opening
the lid.

Signed-off-by: Guillem Jover <[email protected]>
Acked-by: Dmitry Torokhov <[email protected]>
Signed-off-by: Len Brown <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/acpi/button.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/acpi/button.c
+++ b/drivers/acpi/button.c
@@ -262,6 +262,7 @@ static int acpi_lid_send_state(struct ac
return -ENODEV;
/* input layer checks if event is redundant */
input_report_switch(button->input, SW_LID, !state);
+ input_sync(button->input);
return 0;
}

@@ -285,8 +286,8 @@ static void acpi_button_notify(acpi_hand
input_report_key(input, keycode, 1);
input_sync(input);
input_report_key(input, keycode, 0);
+ input_sync(input);
}
- input_sync(input);

acpi_bus_generate_proc_event(button->device, event,
++button->pushed);

--

2008-11-07 23:26:38

by Greg KH

Subject: [patch 10/23] V4L: pvrusb2: Keep MPEG PTSs from drifting away


2.6.26-stable review patch. If anyone has any objections, please let us know.

------------------

From: Boris Dores <[email protected]>

commit 3f93d1adca658201c64251c43a147cc79d468c3f upstream.

V4L: pvrusb2: Keep MPEG PTSs from drifting away

This change was empirically figured out by Boris Dores after
empirically comparing against behavior in the Windows driver.

Signed-off-by: Mike Isely <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Michael Krufky <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/media/video/pvrusb2/pvrusb2-encoder.c | 4 ++++
1 file changed, 4 insertions(+)

--- a/drivers/media/video/pvrusb2/pvrusb2-encoder.c
+++ b/drivers/media/video/pvrusb2/pvrusb2-encoder.c
@@ -403,6 +403,10 @@ static int pvr2_encoder_prep_config(stru
ret |= pvr2_encoder_vcmd(hdw, CX2341X_ENC_MISC,4, 0,3,0,0);
ret |= pvr2_encoder_vcmd(hdw, CX2341X_ENC_MISC,4,15,0,0,0);

+ /* prevent the PTSs from slowly drifting away in the generated
+ MPEG stream */
+ ret |= pvr2_encoder_vcmd(hdw, CX2341X_ENC_MISC, 2, 4, 1);
+
return ret;
}
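Review bot: the arguments in `pvr2_encoder_vcmd(hdw, CX2341X_ENC_MISC, 2, 4, 1);` are undocumented. The comment says what the call achieves but not what sub-command 4 with value 1 selects, and the changelog says the values were found empirically. Please record in the comment that they come from observing the Windows driver, so nobody "cleans them up" later.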


--

2008-11-07 23:27:02

by Greg KH

Subject: [patch 11/23] DVB: s5h1411: bugfix: Setting serial or parallel mode could destroy bits


2.6.26-stable review patch. If anyone has any objections, please let us know.

------------------

From: Steven Toth <[email protected]>

commit 1af46b450fa49c57d73764d66f267335ccd807e2 upstream.

DVB: s5h1411: bugfix: Setting serial or parallel mode could destroy bits

Adding a serialmode function to read/and/or/write the register for safety.

Signed-off-by: Steven Toth <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Michael Krufky <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/media/dvb/frontends/s5h1411.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)

--- a/drivers/media/dvb/frontends/s5h1411.c
+++ b/drivers/media/dvb/frontends/s5h1411.c
@@ -472,6 +472,20 @@ static int s5h1411_set_spectralinversion
return s5h1411_writereg(state, S5H1411_I2C_TOP_ADDR, 0x24, val);
}

+static int s5h1411_set_serialmode(struct dvb_frontend *fe, int serial)
+{
+ struct s5h1411_state *state = fe->demodulator_priv;
+ u16 val;
+
+ dprintk("%s(%d)\n", __func__, serial);
+ val = s5h1411_readreg(state, S5H1411_I2C_TOP_ADDR, 0xbd) & ~0x100;
+
+ if (serial == 1)
+ val |= 0x100;
+
+ return s5h1411_writereg(state, S5H1411_I2C_TOP_ADDR, 0xbd, val);
+}
+
static int s5h1411_enable_modulation(struct dvb_frontend *fe,
fe_modulation_t m)
{
@@ -612,10 +626,10 @@ static int s5h1411_init(struct dvb_front

if (state->config->output_mode == S5H1411_SERIAL_OUTPUT)
/* Serial */
- s5h1411_writereg(state, S5H1411_I2C_TOP_ADDR, 0xbd, 0x1101);
+ s5h1411_set_serialmode(fe, 1);
else
/* Parallel */
- s5h1411_writereg(state, S5H1411_I2C_TOP_ADDR, 0xbd, 0x1001);
+ s5h1411_set_serialmode(fe, 0);

s5h1411_set_spectralinversion(fe, state->config->inversion);
s5h1411_set_if_freq(fe, state->config->vsb_if);
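Review bot: both `s5h1411_set_serialmode(fe, 1);` and `s5h1411_set_serialmode(fe, 0);` discard the helper's return value, so a failed register write in init goes unnoticed. Also, the removed lines wrote the full values 0x1101 and 0x1001 to register 0xbd, whereas the helper only toggles bit 0x100; init now depends on the remaining bits already holding the wanted value, which deserves a comment or an explicit write before the mode is set.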

--

2008-11-07 23:28:05

by Greg KH

Subject: [patch 14/23] scx200_i2c: Add missing class parameter


2.6.26-stable review patch. If anyone has any objections, please let us know.

------------------

From: Lennart Sorensen <[email protected]>

commit 4a029abee0f1d69cb0445657d6fa5a38597bd17d upstream

The scx200_i2c driver is missing the .class parameter, which means no
i2c drivers are willing to probe for devices on the bus and attach to
them.

Signed-off-by: Len Sorensen <[email protected]>
Signed-off-by: Jean Delvare <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/i2c/busses/scx200_i2c.c | 1 +
1 file changed, 1 insertion(+)

--- a/drivers/i2c/busses/scx200_i2c.c
+++ b/drivers/i2c/busses/scx200_i2c.c
@@ -81,6 +81,7 @@ static struct i2c_algo_bit_data scx200_i

static struct i2c_adapter scx200_i2c_ops = {
.owner = THIS_MODULE,
+ .class = I2C_CLASS_HWMON,
.id = I2C_HW_B_SCX200,
.algo_data = &scx200_i2c_data,
.name = "NatSemi SCx200 I2C",

--

2008-11-07 23:27:45

by Greg KH

Subject: [patch 13/23] DVB: s5h1411: Power down s5h1411 when not in use


2.6.26-stable review patch. If anyone has any objections, please let us know.

------------------

From: Devin Heitmueller <[email protected]>

commit 11fc9a4a440112b5afc1a99d86ba92d70205a688 upstream.

DVB: s5h1411: Power down s5h1411 when not in use

Power down the s5h1411 demodulator when not in use
(on the Pinnacle 801e, this brings idle power from
123ma down to 84ma).

Signed-off-by: Devin Heitmueller <[email protected]>
Acked-by: Steven Toth <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Michael Krufky <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/media/dvb/frontends/s5h1411.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)

--- a/drivers/media/dvb/frontends/s5h1411.c
+++ b/drivers/media/dvb/frontends/s5h1411.c
@@ -549,7 +549,7 @@ static int s5h1411_set_gpio(struct dvb_f
return s5h1411_writereg(state, S5H1411_I2C_TOP_ADDR, 0xe0, val);
}

-static int s5h1411_sleep(struct dvb_frontend *fe, int enable)
+static int s5h1411_set_powerstate(struct dvb_frontend *fe, int enable)
{
struct s5h1411_state *state = fe->demodulator_priv;

@@ -565,6 +565,11 @@ static int s5h1411_sleep(struct dvb_fron
return 0;
}

+static int s5h1411_sleep(struct dvb_frontend *fe)
+{
+ return s5h1411_set_powerstate(fe, 1);
+}
+
static int s5h1411_register_reset(struct dvb_frontend *fe)
{
struct s5h1411_state *state = fe->demodulator_priv;
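Review bot: naming point on s5h1411_set_powerstate(): its parameter is still called `enable`, yet the new s5h1411_sleep() passes 1 to power the part down and s5h1411_init() passes 0 to wake it. With the function renamed to "powerstate", `enable == 1` meaning "off" is easy to misread; renaming the parameter (for example to `sleep`) or adding a one-line comment would avoid an inverted call later.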
@@ -614,7 +619,7 @@ static int s5h1411_init(struct dvb_front

dprintk("%s()\n", __func__);

- s5h1411_sleep(fe, 0);
+ s5h1411_set_powerstate(fe, 0);
s5h1411_register_reset(fe);

for (i = 0; i < ARRAY_SIZE(init_tab); i++)
@@ -878,6 +883,7 @@ static struct dvb_frontend_ops s5h1411_o
},

.init = s5h1411_init,
+ .sleep = s5h1411_sleep,
.i2c_gate_ctrl = s5h1411_i2c_gate_ctrl,
.set_frontend = s5h1411_set_frontend,
.get_frontend = s5h1411_get_frontend,

--

2008-11-07 23:28:59

by Greg KH

Subject: [patch 17/23] math-emu: Fix signalling of underflow and inexact while packing result.


2.6.26-stable review patch. If anyone has any objections, please let us know.

------------------

From: Kumar Gala <[email protected]>

[ Upstream commit 930cc144a043ff95e56b6888fa51c618b33f89e7 ]

I'm trying to move the powerpc math-emu code to use the include/math-emu bits.

In doing so I've been using TestFloat to see how good or bad we are
doing. For the most part the current math-emu code that PPC uses has
a number of issues that the code in include/math-emu seems to solve
(plus bugs we've had forever that no one ever realized).

Anyways, I've come across a case that we are flagging underflow and
inexact because we think we have a denormalized result from a double
precision divide:

000.FFFFFFFFFFFFF / 3FE.FFFFFFFFFFFFE
soft: 001.0000000000000 ..... syst: 001.0000000000000 ...ux

What it looks like is the results out of FP_DIV_D are:

D:
sign: 0
mantissa: 01000000 00000000
exp: -1023 (0)

The problem seems like we aren't normalizing the result and bumping the exp.

Now that I'm digging into this a bit I'm thinking my issue has to do with
the fix DaveM put in place from back in Aug 2007 (commit
405849610fd96b4f34cd1875c4c033228fea6c0f):

[MATH-EMU]: Fix underflow exception reporting.

2) we ended up rounding back up to normal (this is the case where
we set the exponent to 1 and set the fraction to zero), this
should set inexact too
...

Another example, "0x0.0000000000001p-1022 / 16.0", should signal both
inexact and underflow. The cpu implementations and ieee1754
literature is very clear about this. This is case #2 above.

Here is the distilled glibc test case from Jakub Jelinek which prompted that
commit:

--------------------
#include <float.h>
#include <fenv.h>
#include <stdio.h>

volatile double d = DBL_MIN;
volatile double e = 0x0.0000000000001p-1022;
volatile double f = 16.0;
int
main (void)
{
  printf ("%x\n", fetestexcept (FE_UNDERFLOW));
  d /= f;
  printf ("%x\n", fetestexcept (FE_UNDERFLOW));
  e /= f;
  printf ("%x\n", fetestexcept (FE_UNDERFLOW));
  return 0;
}
--------------------

It looks like the case I have we are exact before rounding, but think it
looks like the rounding case since it appears as if "overflow is set".

000.FFFFFFFFFFFFF / 3FE.FFFFFFFFFFFFE = 001.0000000000000

I think the following adds the check for my case and still works for the
issue your commit was trying to resolve.

Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
include/math-emu/op-common.h | 17 +++++++++++++----
1 file changed, 13 insertions(+), 4 deletions(-)

--- a/include/math-emu/op-common.h
+++ b/include/math-emu/op-common.h
@@ -139,18 +139,27 @@ do { \
if (X##_e <= _FP_WFRACBITS_##fs) \
{ \
_FP_FRAC_SRS_##wc(X, X##_e, _FP_WFRACBITS_##fs); \
- _FP_ROUND(wc, X); \
if (_FP_FRAC_HIGH_##fs(X) \
& (_FP_OVERFLOW_##fs >> 1)) \
{ \
X##_e = 1; \
_FP_FRAC_SET_##wc(X, _FP_ZEROFRAC_##wc); \
- FP_SET_EXCEPTION(FP_EX_INEXACT); \
} \
else \
{ \
- X##_e = 0; \
- _FP_FRAC_SRL_##wc(X, _FP_WORKBITS); \
+ _FP_ROUND(wc, X); \
+ if (_FP_FRAC_HIGH_##fs(X) \
+ & (_FP_OVERFLOW_##fs >> 1)) \
+ { \
+ X##_e = 1; \
+ _FP_FRAC_SET_##wc(X, _FP_ZEROFRAC_##wc); \
+ FP_SET_EXCEPTION(FP_EX_INEXACT); \
+ } \
+ else \
+ { \
+ X##_e = 0; \
+ _FP_FRAC_SRL_##wc(X, _FP_WORKBITS); \
+ } \
} \
if ((FP_CUR_EXCEPTIONS & FP_EX_INEXACT) || \
(FP_TRAPPING_EXCEPTIONS & FP_EX_UNDERFLOW)) \
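Review bot: the two tests of `_FP_FRAC_HIGH_##fs(X) & (_FP_OVERFLOW_##fs >> 1)` are textually identical but stand for different cases: the first runs before _FP_ROUND and sets no exception (the changelog's "exact before rounding" case), the second runs after _FP_ROUND and sets FP_EX_INEXACT. Please add a short comment on each branch saying which case it handles, otherwise the pair looks like a copy-paste that a later cleanup could merge.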

--

2008-11-07 23:28:42

by Greg KH

Subject: [patch 16/23] tcpv6: fix option space offsets with md5

2.6.26-stable review patch. If anyone has any objections, please let us know.

------------------

From: Ilpo Järvinen <[email protected]>

[ Upstream commit 53b125779fb0b29e5b316bf3dc7d199e6dcea567 ]

More breakage :-), part of timestamps just were previously
overwritten.

Signed-off-by: Ilpo Järvinen <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/ipv6/tcp_ipv6.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1147,7 +1147,7 @@ static void tcp_v6_send_ack(struct tcp_t
*topt++ = htonl((TCPOPT_NOP << 24) | (TCPOPT_NOP << 16) |
(TCPOPT_TIMESTAMP << 8) | TCPOLEN_TIMESTAMP);
*topt++ = htonl(tcp_time_stamp);
- *topt = htonl(ts);
+ *topt++ = htonl(ts);
}

#ifdef CONFIG_TCP_MD5SIG
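
Review bot: The changelog does not say what gets overwritten, and the one-character change at `*topt++ = htonl(ts);` is easy to lose in a later edit. Going by the subject line, the increment matters because the `#ifdef CONFIG_TCP_MD5SIG` block after the closing brace keeps writing through the same `topt` pointer; with the old `*topt = htonl(ts);` the next option would start at the word that holds `ts`. A changelog sentence naming the MD5 option, or a short comment at the brace, would make that dependency explicit.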

--

2008-11-07 23:28:26

by Greg KH

Subject: [patch 15/23] net: Fix netdev_run_todo dead-lock

2.6.26-stable review patch. If anyone has any objections, please let us know.

------------------

From: Herbert Xu <[email protected]>

[ Upstream commit 58ec3b4db9eb5a28e3aec5f407a54e28f7039c19 ]

Benjamin Thery tracked down a bug that explains many instances
of the error

unregister_netdevice: waiting for %s to become free. Usage count = %d

It turns out that netdev_run_todo can dead-lock with itself if
a second instance of it is run in a thread that will then free
a reference to the device waited on by the first instance.

The problem is really quite silly. We were trying to create
parallelism where none was required. As netdev_run_todo always
follows a RTNL section, and that todo tasks can only be added
with the RTNL held, by definition you should only need to wait
for the very ones that you've added and be done with it.

There is no need for a second mutex or spinlock.

This is exactly what the following patch does.

Signed-off-by: Herbert Xu <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/core/dev.c | 27 ++++++---------------------
net/core/rtnetlink.c | 2 +-
2 files changed, 7 insertions(+), 22 deletions(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3624,14 +3624,11 @@ static int dev_new_index(struct net *net
}

/* Delayed registration/unregisteration */
-static DEFINE_SPINLOCK(net_todo_list_lock);
static LIST_HEAD(net_todo_list);

static void net_set_todo(struct net_device *dev)
{
- spin_lock(&net_todo_list_lock);
list_add_tail(&dev->todo_list, &net_todo_list);
- spin_unlock(&net_todo_list_lock);
}

static void rollback_registered(struct net_device *dev)
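
Review bot: `net_set_todo()` now modifies `net_todo_list` with no lock of its own, so its correctness depends entirely on every caller holding the RTNL, as the changelog states. Put that requirement in the code, for example `ASSERT_RTNL();` as the first statement or a comment above the function, so a caller outside an RTNL section is caught instead of corrupting the list.
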
@@ -3941,33 +3938,24 @@ static void netdev_wait_allrefs(struct n
* free_netdev(y1);
* free_netdev(y2);
*
- * We are invoked by rtnl_unlock() after it drops the semaphore.
+ * We are invoked by rtnl_unlock().
* This allows us to deal with problems:
* 1) We can delete sysfs objects which invoke hotplug
* without deadlocking with linkwatch via keventd.
* 2) Since we run with the RTNL semaphore not held, we can sleep
* safely in order to wait for the netdev refcnt to drop to zero.
+ *
+ * We must not return until all unregister events added during
+ * the interval the lock was held have been completed.
*/
-static DEFINE_MUTEX(net_todo_run_mutex);
void netdev_run_todo(void)
{
struct list_head list;

- /* Need to guard against multiple cpu's getting out of order. */
- mutex_lock(&net_todo_run_mutex);
-
- /* Not safe to do outside the semaphore. We must not return
- * until all unregister events invoked by the local processor
- * have been completed (either by this todo run, or one on
- * another cpu).
- */
- if (list_empty(&net_todo_list))
- goto out;
-
/* Snapshot list, allow later requests */
- spin_lock(&net_todo_list_lock);
list_replace_init(&net_todo_list, &list);
- spin_unlock(&net_todo_list_lock);
+
+ __rtnl_unlock();

while (!list_empty(&list)) {
struct net_device *dev
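
Review bot: The block comment above `netdev_run_todo()` still says "Since we run with the RTNL semaphore not held" in item 2, but after this change the function is entered with the RTNL held and releases it itself at `__rtnl_unlock();`. Reword the comment to state the entry condition and that the lock is dropped after `list_replace_init()` takes the snapshot and before the loop that can sleep. It is also worth confirming that nothing other than `rtnl_unlock()` calls this function, since such a caller would now release a mutex it may not hold.
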
@@ -3997,9 +3985,6 @@ void netdev_run_todo(void)
/* Free network device */
kobject_put(&dev->dev.kobj);
}
-
-out:
- mutex_unlock(&net_todo_run_mutex);
}

static struct net_device_stats *internal_stats(struct net_device *dev)
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -73,7 +73,7 @@ void __rtnl_unlock(void)

void rtnl_unlock(void)
{
- mutex_unlock(&rtnl_mutex);
+ /* This fellow will unlock it for us. */
netdev_run_todo();
}
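
Review bot: `rtnl_unlock()` no longer contains a visible unlock, and the replacement comment "This fellow will unlock it for us" does not say where the release happens. Name the call, for example "netdev_run_todo() calls __rtnl_unlock() after snapshotting the todo list", so a reader auditing lock pairing does not have to open net/core/dev.c to find it.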


--

2008-11-07 23:27:29

by Greg KH

Subject: [patch 12/23] DVB: s5h1411: Perform s5h1411 soft reset after tuning


2.6.26-stable review patch. If anyone has any objections, please let us know.

------------------

From: Devin Heitmueller <[email protected]>

commit f0d041e50bc6c8a677922d72b010f80af9b23b18 upstream.

DVB: s5h1411: Perform s5h1411 soft reset after tuning

If you instruct the tuner to change frequencies, it can take up to 2500ms to
get a demod lock. By performing a soft reset after the tuning call (which
is consistent with how the Pinnacle 801e Windows driver behaves), you get
a demod lock inside of 300ms

Signed-off-by: Devin Heitmueller <[email protected]>
Signed-off-by: Michael Krufky <[email protected]>
Acked-by: Steven Toth <[email protected]>
Signed-off-by: Mauro Carvalho Chehab <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/media/dvb/frontends/s5h1411.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/media/dvb/frontends/s5h1411.c
+++ b/drivers/media/dvb/frontends/s5h1411.c
@@ -588,9 +588,6 @@ static int s5h1411_set_frontend(struct d

s5h1411_enable_modulation(fe, p->u.vsb.modulation);

- /* Allow the demod to settle */
- msleep(100);
-
if (fe->ops.tuner_ops.set_params) {
if (fe->ops.i2c_gate_ctrl)
fe->ops.i2c_gate_ctrl(fe, 1);
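
Review bot: The removed `msleep(100);` carried the comment "Allow the demod to settle", and the changelog justifies the added reset but not why the settle delay after `s5h1411_enable_modulation()` is no longer needed. State that in the changelog so the removal is not mistaken for an accident when someone later bisects a lock problem.
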
@@ -601,6 +598,10 @@ static int s5h1411_set_frontend(struct d
fe->ops.i2c_gate_ctrl(fe, 0);
}

+ /* Issue a reset to the demod so it knows to resync against the
+ newly tuned frequency */
+ s5h1411_softreset(fe);
+
return 0;
}
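
Review bot: The result of `s5h1411_softreset(fe);` is discarded and the function still ends with an unconditional `return 0;`. If the reset can fail, the caller is told tuning succeeded while the demod never resynced, so propagate the return value if the function provides one. The new comment would also read better in the usual multi-line style, with the closing `*/` on its own line.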


--

2008-11-07 23:29:57

by Greg KH

Subject: [patch 20/23] ACPI: dock: avoid check _STA method

2.6.26-stable review patch. If anyone has any objections, please let us know.

------------------

From: Shaohua Li <[email protected]>

commit 8b59560a3baf2e7c24e0fb92ea5d09eca92805db upstream.

ACPI: dock: avoid check _STA method

In some BIOSes, every _STA method call will send a notification again,
this cause freeze. And in some BIOSes, it appears _STA should be called
after _DCK. This tries to avoid calls _STA, and still keep the device
present check.

http://bugzilla.kernel.org/show_bug.cgi?id=10431

Signed-off-by: Shaohua Li <[email protected]>
Signed-off-by: Len Brown <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/acpi/dock.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/acpi/dock.c
+++ b/drivers/acpi/dock.c
@@ -599,14 +599,17 @@ static int handle_eject_request(struct d
static void dock_notify(acpi_handle handle, u32 event, void *data)
{
struct dock_station *ds = data;
+ struct acpi_device *tmp;

switch (event) {
case ACPI_NOTIFY_BUS_CHECK:
- if (!dock_in_progress(ds) && dock_present(ds)) {
+ if (!dock_in_progress(ds) && acpi_bus_get_device(ds->handle,
+ &tmp)) {
begin_dock(ds);
dock(ds);
if (!dock_present(ds)) {
printk(KERN_ERR PREFIX "Unable to dock!\n");
+ complete_dock(ds);
break;
}
atomic_notifier_call_chain(&dock_notifier_list,
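
Review bot: The new condition `acpi_bus_get_device(ds->handle, &tmp)` is true when the call fails, that is when no `acpi_device` is attached to the handle, which reads as the opposite of the `dock_present(ds)` it replaces. Write it as `acpi_bus_get_device(ds->handle, &tmp) != 0` with a comment saying that a missing device object is being used as the "not yet docked" signal and that `tmp` is a throwaway out-parameter. The check is only as reliable as the rule that a device object exists exactly when the dock is present, so that dependency belongs in the comment as well.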

--

2008-11-07 23:29:26

by Greg KH

Subject: [patch 18/23] sparc64: Fix race in arch/sparc64/kernel/trampoline.S

2.6.26-stable review patch. If anyone has any objections, please let us know.

------------------

From: Andrea Shepard <[email protected]>

[ Upstream commit e0037df3852b4b60edbe01f70f4968e4a9fdb272 ]

Make arch/sparc64/kernel/trampoline.S in 2.6.27.1 lock prom_entry_lock
when calling the PROM. This prevents a race condition that I observed
causing a hang on startup on a 12-CPU E4500.

I am not subscribed to this list, so please CC me on replies.

Signed-off-by: Andrea Shepard <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
arch/sparc64/kernel/trampoline.S | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)

--- a/arch/sparc64/kernel/trampoline.S
+++ b/arch/sparc64/kernel/trampoline.S
@@ -328,6 +328,12 @@ after_lock_tlb:

wrpr %g0, 0, %wstate

+ sethi %hi(prom_entry_lock), %g2
+1: ldstub [%g2 + %lo(prom_entry_lock)], %g1
+ membar #StoreLoad | #StoreStore
+ brnz,pn %g1, 1b
+ nop
+
/* As a hack, put &init_thread_union into %g6.
* prom_world() loads from here to restore the %asi
* register.
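
Review bot: The `ldstub` loop added ahead of the `%g6` setup takes `prom_entry_lock`, but nothing at this site says so or points at the release, which only appears in the last hunk at the new label `3:`. Add a one-line comment here ("take prom_entry_lock, released at 3: below") so acquire and release can be matched by reading the file rather than the diff.
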
@@ -337,7 +343,7 @@ after_lock_tlb:

sethi %hi(is_sun4v), %o0
lduw [%o0 + %lo(is_sun4v)], %o0
- brz,pt %o0, 1f
+ brz,pt %o0, 2f
nop

TRAP_LOAD_TRAP_BLOCK(%g2, %g3)
@@ -369,10 +375,10 @@ after_lock_tlb:
call %o1
add %sp, (2047 + 128), %o0

- ba,pt %xcc, 2f
+ ba,pt %xcc, 3f
nop

-1: sethi %hi(sparc64_ttable_tl0), %o0
+2: sethi %hi(sparc64_ttable_tl0), %o0
set prom_set_trap_table_name, %g2
stx %g2, [%sp + 2047 + 128 + 0x00]
mov 1, %g2
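
Review bot: The local-label renumbering (`1:` to `2:` here, `2f` to `3f` on the `ba,pt`, and `1f` to `2f` in the previous hunk) is spread over three hunks, and the diff cannot show whether it is complete. Any `1f` or `2f` left in the unchanged lines between the lock acquisition and label `3:` could bind to a different label without any diagnostic, so check that region for branches the patch does not touch.
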
@@ -386,7 +392,11 @@ after_lock_tlb:
call %o1
add %sp, (2047 + 128), %o0

-2: ldx [%l0], %g6
+3: sethi %hi(prom_entry_lock), %g2
+ stb %g0, [%g2 + %lo(prom_entry_lock)]
+ membar #StoreStore | #StoreLoad
+
+ ldx [%l0], %g6
ldx [%g6 + TI_TASK], %g4

mov 1, %g5
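
Review bot: At the release, `stb %g0, [%g2 + %lo(prom_entry_lock)]` comes before `membar #StoreStore | #StoreLoad`, so the barrier orders the unlocking store against later accesses rather than ordering the accesses made under the lock before the unlock. If release ordering is what is wanted, a barrier ahead of the `stb` is the usual form; if this placement is deliberate, a comment saying why would help the next reader.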

--

2008-11-07 23:29:43

by Greg KH

Subject: [patch 19/23] ACPI: video: fix brightness allocation


2.6.26-stable review patch. If anyone has any objections, please let us know.

------------------

From: Julia Jomantaite <[email protected]>

upstream commit 469778c1740fcf3113498b6fdf4559bdec25c58f

Thanks to Arjan for spotting this
http://www.kerneloops.org/search.php?search=acpi_video_switch_brightness
and suggesting it for .stable


Fix use of uninitialized device->brightness.

Signed-off-by: Julia Jomantaite <[email protected]>
Signed-off-by: Andi Kleen <[email protected]>
Acked-by: Zhang Rui <[email protected]>
Signed-off-by: Len Brown <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
drivers/acpi/video.c | 123 ++++++++++++++++++++++++++++++---------------------
1 file changed, 73 insertions(+), 50 deletions(-)

--- a/drivers/acpi/video.c
+++ b/drivers/acpi/video.c
@@ -631,6 +631,76 @@ acpi_video_bus_DOS(struct acpi_video_bus
* device : video output device (LCD, CRT, ..)
*
* Return Value:
+ * Maximum brightness level
+ *
+ * Allocate and initialize device->brightness.
+ */
+
+static int
+acpi_video_init_brightness(struct acpi_video_device *device)
+{
+ union acpi_object *obj = NULL;
+ int i, max_level = 0, count = 0;
+ union acpi_object *o;
+ struct acpi_video_device_brightness *br = NULL;
+
+ if (!ACPI_SUCCESS(acpi_video_device_lcd_query_levels(device, &obj))) {
+ ACPI_DEBUG_PRINT((ACPI_DB_INFO, "Could not query available "
+ "LCD brightness level\n"));
+ goto out;
+ }
+
+ if (obj->package.count < 2)
+ goto out;
+
+ br = kzalloc(sizeof(*br), GFP_KERNEL);
+ if (!br) {
+ printk(KERN_ERR "can't allocate memory\n");
+ goto out;
+ }
+
+ br->levels = kmalloc(obj->package.count * sizeof *(br->levels),
+ GFP_KERNEL);
+ if (!br->levels)
+ goto out_free;
+
+ for (i = 0; i < obj->package.count; i++) {
+ o = (union acpi_object *)&obj->package.elements[i];
+ if (o->type != ACPI_TYPE_INTEGER) {
+ printk(KERN_ERR PREFIX "Invalid data\n");
+ continue;
+ }
+ br->levels[count] = (u32) o->integer.value;
+
+ if (br->levels[count] > max_level)
+ max_level = br->levels[count];
+ count++;
+ }
+
+ if (count < 2)
+ goto out_free_levels;
+
+ br->count = count;
+ device->brightness = br;
+ ACPI_DEBUG_PRINT((ACPI_DB_INFO, "found %d brightness levels\n", count));
+ kfree(obj);
+ return max_level;
+
+out_free_levels:
+ kfree(br->levels);
+out_free:
+ kfree(br);
+out:
+ device->brightness = NULL;
+ kfree(obj);
+ return 0;
+}
+
+/*
+ * Arg:
+ * device : video output device (LCD, CRT, ..)
+ *
+ * Return Value:
* None
*
* Find out all required AML methods defined under the output
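
Review bot: In `acpi_video_init_brightness()` the allocation `kmalloc(obj->package.count * sizeof *(br->levels), GFP_KERNEL)` multiplies a count returned by the firmware query with no overflow check; `kcalloc(obj->package.count, sizeof(*br->levels), GFP_KERNEL)` does the same job and checks the multiplication. The function also reads `obj->package.count` without first checking that the returned object is a package, and the `!br->levels` failure is silent while the `!br` failure logs.
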
@@ -640,10 +710,7 @@ acpi_video_bus_DOS(struct acpi_video_bus
static void acpi_video_device_find_cap(struct acpi_video_device *device)
{
acpi_handle h_dummy1;
- int i;
u32 max_level = 0;
- union acpi_object *obj = NULL;
- struct acpi_video_device_brightness *br = NULL;


memset(&device->cap, 0, sizeof(device->cap));
@@ -672,53 +739,7 @@ static void acpi_video_device_find_cap(s
device->cap._DSS = 1;
}

- if (ACPI_SUCCESS(acpi_video_device_lcd_query_levels(device, &obj))) {
-
- if (obj->package.count >= 2) {
- int count = 0;
- union acpi_object *o;
-
- br = kzalloc(sizeof(*br), GFP_KERNEL);
- if (!br) {
- printk(KERN_ERR "can't allocate memory\n");
- } else {
- br->levels = kmalloc(obj->package.count *
- sizeof *(br->levels), GFP_KERNEL);
- if (!br->levels)
- goto out;
-
- for (i = 0; i < obj->package.count; i++) {
- o = (union acpi_object *)&obj->package.
- elements[i];
- if (o->type != ACPI_TYPE_INTEGER) {
- printk(KERN_ERR PREFIX "Invalid data\n");
- continue;
- }
- br->levels[count] = (u32) o->integer.value;
-
- if (br->levels[count] > max_level)
- max_level = br->levels[count];
- count++;
- }
- out:
- if (count < 2) {
- kfree(br->levels);
- kfree(br);
- } else {
- br->count = count;
- device->brightness = br;
- ACPI_DEBUG_PRINT((ACPI_DB_INFO,
- "found %d brightness levels\n",
- count));
- }
- }
- }
-
- } else {
- ACPI_DEBUG_PRINT((ACPI_DB_INFO, "Could not query available LCD brightness level\n"));
- }
-
- kfree(obj);
+ max_level = acpi_video_init_brightness(device);

if (device->cap._BCL && device->cap._BCM && max_level > 0) {
int result;
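
Review bot: `max_level = acpi_video_init_brightness(device);` stores an `int` return value into the `u32 max_level` kept by the previous hunk, and inside the helper `max_level` is an `int` compared against values cast to `u32`. Use one type for the helper's local, its return value and this variable, so the `max_level > 0` test that follows cannot be affected by a signed conversion.
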
@@ -1705,6 +1726,8 @@ static void
acpi_video_switch_brightness(struct acpi_video_device *device, int event)
{
unsigned long level_current, level_next;
+ if (!device->brightness)
+ return;
acpi_video_device_lcd_get_level_current(device, &level_current);
level_next = acpi_video_get_next_level(device, level_current, event);
acpi_video_device_lcd_set_level(device, level_next);
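
Review bot: The `if (!device->brightness) return;` guard sits directly under the declarations with no blank line, and it protects only this one caller. Since the new helper sets `device->brightness = NULL` on every failure path, every other reader of that pointer needs the same check; the changelog should list which call sites were audited.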

--

2008-11-07 23:30:30

by Greg KH

Subject: [patch 21/23] netfilter: xt_iprange: fix range inversion match


2.6.26-stable review patch. If anyone has any objections, please let us know.

------------------

From: Alexey Dobriyan <[email protected]>

netfilter: xt_iprange: fix range inversion match

Upstream commit 6def1eb48:

Inverted IPv4 v1 and IPv6 v0 matches don't match anything since 2.6.25-rc1!

Signed-off-by: Alexey Dobriyan <[email protected]>
Acked-by: Jan Engelhardt <[email protected]>
Signed-off-by: Patrick McHardy <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/netfilter/xt_iprange.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

--- a/net/netfilter/xt_iprange.c
+++ b/net/netfilter/xt_iprange.c
@@ -67,7 +67,7 @@ iprange_mt4(const struct sk_buff *skb, c
if (info->flags & IPRANGE_SRC) {
m = ntohl(iph->saddr) < ntohl(info->src_min.ip);
m |= ntohl(iph->saddr) > ntohl(info->src_max.ip);
- m ^= info->flags & IPRANGE_SRC_INV;
+ m ^= !!(info->flags & IPRANGE_SRC_INV);
if (m) {
pr_debug("src IP " NIPQUAD_FMT " NOT in range %s"
NIPQUAD_FMT "-" NIPQUAD_FMT "\n",
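
Review bot: `m ^= !!(info->flags & IPRANGE_SRC_INV);` depends on `!!` collapsing the masked flag to 0 or 1 before the XOR, and nothing at the site says why. Add a short comment, because the double negation looks redundant and is exactly what a tidy-up patch would remove. The declaration of `m` is outside the hunk, but if it is a `bool`, XOR with the raw mask bit leaves it true whatever the comparison gave, which is the "don't match anything" symptom in the changelog.
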
@@ -81,7 +81,7 @@ iprange_mt4(const struct sk_buff *skb, c
if (info->flags & IPRANGE_DST) {
m = ntohl(iph->daddr) < ntohl(info->dst_min.ip);
m |= ntohl(iph->daddr) > ntohl(info->dst_max.ip);
- m ^= info->flags & IPRANGE_DST_INV;
+ m ^= !!(info->flags & IPRANGE_DST_INV);
if (m) {
pr_debug("dst IP " NIPQUAD_FMT " NOT in range %s"
NIPQUAD_FMT "-" NIPQUAD_FMT "\n",
@@ -123,14 +123,14 @@ iprange_mt6(const struct sk_buff *skb, c
if (info->flags & IPRANGE_SRC) {
m = iprange_ipv6_sub(&iph->saddr, &info->src_min.in6) < 0;
m |= iprange_ipv6_sub(&iph->saddr, &info->src_max.in6) > 0;
- m ^= info->flags & IPRANGE_SRC_INV;
+ m ^= !!(info->flags & IPRANGE_SRC_INV);
if (m)
return false;
}
if (info->flags & IPRANGE_DST) {
m = iprange_ipv6_sub(&iph->daddr, &info->dst_min.in6) < 0;
m |= iprange_ipv6_sub(&iph->daddr, &info->dst_max.in6) > 0;
- m ^= info->flags & IPRANGE_DST_INV;
+ m ^= !!(info->flags & IPRANGE_DST_INV);
if (m)
return false;
}
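
Review bot: The same range test with the inversion XOR is written out four times (source and destination, IPv4 and IPv6), and the fix had to be repeated identically in each. A small static inline taking the two comparison results and the inversion flag would leave one place to get the normalisation right. The IPv6 branches also `return false;` without the `pr_debug` the IPv4 branches have, which makes a mismatch there harder to trace.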

--
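
The failure this patch fixes, reproduced in user space as an added example (not code from the patch or the kernel tree). It assumes `m` is a `bool`, which the hunks do not show, and the flag values, range and addresses are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed for this example: the hunks show only the flag names. */
#define IPRANGE_SRC      0x01u
#define IPRANGE_SRC_INV  0x10u

/* Constructed sample range 10.0.0.10-10.0.0.20, host byte order. */
#define RANGE_MIN  0x0A00000Au
#define RANGE_MAX  0x0A000014u
#define ADDR_IN    0x0A00000Fu   /* 10.0.0.15, inside the range  */
#define ADDR_OUT   0x0A000063u   /* 10.0.0.99, outside the range */

/* Source-address test with the expression used before the patch. */
static bool src_match_before(uint32_t saddr, unsigned int flags)
{
    bool m;   /* assumption: the kernel variable is a bool */

    if (flags & IPRANGE_SRC) {
        m  = saddr < RANGE_MIN;
        m |= saddr > RANGE_MAX;
        /* With the flag set this is (0 or 1) ^ 0x10, never zero,
         * so the conversion back to bool always yields true. */
        m ^= flags & IPRANGE_SRC_INV;
        if (m)
            return false;
    }
    return true;
}

/* Same test with the patched expression. */
static bool src_match_after(uint32_t saddr, unsigned int flags)
{
    bool m;

    if (flags & IPRANGE_SRC) {
        m  = saddr < RANGE_MIN;
        m |= saddr > RANGE_MAX;
        /* !! reduces the flag to 0 or 1, so the XOR really flips m. */
        m ^= !!(flags & IPRANGE_SRC_INV);
        if (m)
            return false;
    }
    return true;
}

int main(void)
{
    const unsigned int plain = IPRANGE_SRC;
    const unsigned int inv = IPRANGE_SRC | IPRANGE_SRC_INV;
    const struct { const char *name; uint32_t addr; unsigned int flags; } cases[] = {
        { "in range,  normal  ", ADDR_IN,  plain },
        { "out range, normal  ", ADDR_OUT, plain },
        { "in range,  inverted", ADDR_IN,  inv   },
        { "out range, inverted", ADDR_OUT, inv   },
    };

    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%s  before=%d  after=%d\n", cases[i].name,
               src_match_before(cases[i].addr, cases[i].flags),
               src_match_after(cases[i].addr, cases[i].flags));
    return 0;
}
```

The last case is the one that matters for a ruleset: an inverted rule that should match an address outside the range never fires with the old expression.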

2008-11-07 23:30:50

by Greg KH

Subject: [patch 22/23] netfilter: snmp nat leaks memory in case of failure

2.6.26-stable review patch. If anyone has any objections, please let us know.

------------------

From: Ilpo Järvinen <[email protected]>

netfilter: snmp nat leaks memory in case of failure

Upstream commit 311670f3e:

Signed-off-by: Ilpo Jarvinen <[email protected]>
Signed-off-by: Patrick McHardy <[email protected]>

---
net/ipv4/netfilter/nf_nat_snmp_basic.c | 1 +
1 file changed, 1 insertion(+)

--- a/net/ipv4/netfilter/nf_nat_snmp_basic.c
+++ b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -742,6 +742,7 @@ static unsigned char snmp_object_decode(
*obj = kmalloc(sizeof(struct snmp_object) + len,
GFP_ATOMIC);
if (*obj == NULL) {
+ kfree(p);
kfree(id);
if (net_ratelimit())
printk("OOM in bsalg (%d)\n", __LINE__);
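
Review bot: The added `kfree(p);` fixes this one exit, and the changelog body is empty, so nothing records which allocation leaked or on which path. The branch already frees `id` by hand as well; with two buffers to release, a shared cleanup label reached by `goto` would make it harder for the next error exit in `snmp_object_decode()` to miss one of them.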

--

2008-11-07 23:31:16

by Greg KH

Subject: [patch 23/23] netfilter: restore lost ifdef guarding defrag exception

2.6.26-stable review patch. If anyone has any objections, please let us know.

------------------

From: Patrick McHardy <[email protected]>

netfilter: restore lost #ifdef guarding defrag exception

Upstream commit 38f7ac3eb:

Nir Tzachar <[email protected]> reported a warning when sending
fragments over loopback with NAT:

[ 6658.338121] WARNING: at net/ipv4/netfilter/nf_nat_standalone.c:89 nf_nat_fn+0x33/0x155()

The reason is that defragmentation is skipped for already tracked connections.
This is wrong in combination with NAT and ip_conntrack actually had some ifdefs
to avoid this behaviour when NAT is compiled in.

The entire "optimization" may seem a bit silly, for now simply restoring the
lost #ifdef is the easiest solution until we can come up with something better.

Signed-off-by: Patrick McHardy <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 2 ++
1 file changed, 2 insertions(+)

--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -150,10 +150,12 @@ static unsigned int ipv4_conntrack_defra
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
+#if !defined(CONFIG_NF_NAT) && !defined(CONFIG_NF_NAT_MODULE)
/* Previously seen (loopback)? Ignore. Do this before
fragment check. */
if (skb->nfct)
return NF_ACCEPT;
+#endif

/* Gather fragments. */
if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
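
Review bot: The `#if !defined(CONFIG_NF_NAT) && !defined(CONFIG_NF_NAT_MODULE)` wraps the early `return NF_ACCEPT;` with no comment, and the comment inside it ("Previously seen (loopback)? Ignore.") describes the shortcut rather than why NAT must not take it. Put the reason from the changelog above the `#if` (with NAT, already tracked packets still have to be defragmented) and tag the `#endif` with the condition, since the changelog says this guard has been lost once already.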

--

2008-11-10 02:45:38

by Eugene Teo

Subject: Re: [patch 02/23] ext: Avoid printk floods in the face of directory corruption (CVE-2008-3528)

Greg KH wrote:

Please change the description of the bug to:

"A very large directory with many read failures (either due to storage
problems, or due to invalid size & blocks from corruption) will generate
a printk storm as the filesystem continues to try to read all the
blocks. This flood of messages can tie up the box until it is complete -
which may be a very long time, especially for very large corrupted values.

This is fixed by only reporting the corruption once each time we try to
read the directory."

http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.27.y.git;a=commitdiff;h=bd39597

Thanks, Eugene

2008-11-10 18:07:41

by Greg KH

Subject: Re: [patch 02/23] ext: Avoid printk floods in the face of directory corruption (CVE-2008-3528)

On Mon, Nov 10, 2008 at 10:42:20AM +0800, Eugene Teo wrote:
> Greg KH wrote:
>
> Please change the description of the bug to:
>
> "A very large directory with many read failures (either due to storage
> problems, or due to invalid size & blocks from corruption) will generate
> a printk storm as the filesystem continues to try to read all the
> blocks. This flood of messages can tie up the box until it is complete -
> which may be a very long time, especially for very large corrupted values.
>
> This is fixed by only reporting the corruption once each time we try to
> read the directory."
>
> http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.27.y.git;a=commitdiff;h=bd39597

Hm, why would I change the description to be different from what the
developer asked it to be? It references the specific changeset you
point to above already. I'm inclined to stick with the text that the
developer asked to be used (especially as this is a combined 3
changesets into one patch).

Same thing goes for the 2.6.26-stable patch as well.

thanks,

greg k-h

2008-11-10 18:16:48

by Eric Sandeen

Subject: Re: [patch 02/23] ext: Avoid printk floods in the face of directory corruption (CVE-2008-3528)

Greg KH wrote:
> On Mon, Nov 10, 2008 at 10:42:20AM +0800, Eugene Teo wrote:
>> Greg KH wrote:
>>
>> Please change the description of the bug to:
>>
>> "A very large directory with many read failures (either due to storage
>> problems, or due to invalid size & blocks from corruption) will generate
>> a printk storm as the filesystem continues to try to read all the
>> blocks. This flood of messages can tie up the box until it is complete -
>> which may be a very long time, especially for very large corrupted values.
>>
>> This is fixed by only reporting the corruption once each time we try to
>> read the directory."
>>
>> http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.27.y.git;a=commitdiff;h=bd39597
>
> Hm, why would I change the description to be different from what the
> developer asked it to be? It references the specific changeset you
> point to above already. I'm inclined to stick with the text that the
> developer asked to be used (especially as this is a combined 3
> changesets into one patch).

There were 3 changesets upstream, one for each fs; I copied the
changelog from the ext4 changeset because it's the patch that I
originally authored, and combined it with the ext2 & ext3 changes as well.

The upstream ext4 changelog happened to contain some color commentary
from Ted; the ext2 & ext3 changelogs did not.

I don't really give a damn what the stable changelog says, and
personally my feelings won't be hurt with either text, I'll just be
happy to have the bug fixed in -stable.

Thanks,
-Eric

2008-11-11 12:16:47

by Holger Macht

Subject: Re: [patch 20/23] ACPI: dock: avoid check _STA method

On Fri 07. Nov - 15:16:06, Greg KH wrote:
> 2.6.26-stable review patch. If anyone has any objections, please let us know.

Objecting. This will only work in conjunction with

commit 39a0ad871000d2a016a4fa113a6e53d22aabf25d
Author: Zhao Yakui <[email protected]>
Date: Mon Aug 11 13:40:22 2008 +0800

ACPI : Load device driver according to the status of acpi device

Otherwise a device struct already exists although the device is not
present.

Regards,
Holger

>
> ------------------
>
> From: Shaohua Li <[email protected]>
>
> commit 8b59560a3baf2e7c24e0fb92ea5d09eca92805db upstream.
>
> ACPI: dock: avoid check _STA method
>
> In some BIOSes, every _STA method call will send a notification again,
> this cause freeze. And in some BIOSes, it appears _STA should be called
> after _DCK. This tries to avoid calls _STA, and still keep the device
> present check.
>
> http://bugzilla.kernel.org/show_bug.cgi?id=10431
>
> Signed-off-by: Shaohua Li <[email protected]>
> Signed-off-by: Len Brown <[email protected]>
> Signed-off-by: Greg Kroah-Hartman <[email protected]>
>
> ---
> drivers/acpi/dock.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> --- a/drivers/acpi/dock.c
> +++ b/drivers/acpi/dock.c
> @@ -599,14 +599,17 @@ static int handle_eject_request(struct d
> static void dock_notify(acpi_handle handle, u32 event, void *data)
> {
> struct dock_station *ds = data;
> + struct acpi_device *tmp;
>
> switch (event) {
> case ACPI_NOTIFY_BUS_CHECK:
> - if (!dock_in_progress(ds) && dock_present(ds)) {
> + if (!dock_in_progress(ds) && acpi_bus_get_device(ds->handle,
> + &tmp)) {
> begin_dock(ds);
> dock(ds);
> if (!dock_present(ds)) {
> printk(KERN_ERR PREFIX "Unable to dock!\n");
> + complete_dock(ds);
> break;
> }
> atomic_notifier_call_chain(&dock_notifier_list,
>
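
Review bot: The `complete_dock(ds);` added in the "Unable to dock!" branch is a hand-written cleanup for one early exit, kept separate from whatever the success path does below the visible lines. A single exit that calls `complete_dock()` for every path entered after `begin_dock(ds);` would keep the begin/complete pairing in one place and stop a later early `break;` from leaving the station marked as in progress.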

2008-11-13 21:24:24

by Greg KH

Subject: Re: [stable] [patch 20/23] ACPI: dock: avoid check _STA method

On Tue, Nov 11, 2008 at 01:16:07PM +0100, Holger Macht wrote:
> On Fri 07. Nov - 15:16:06, Greg KH wrote:
> > 2.6.26-stable review patch. If anyone has any objections, please let us know.
>
> Objecting. This will only work in conjunction with
>
> commit 39a0ad871000d2a016a4fa113a6e53d22aabf25d
> Author: Zhao Yakui <[email protected]>
> Date: Mon Aug 11 13:40:22 2008 +0800
>
> ACPI : Load device driver according to the status of acpi device
>
> Otherwise a device struct already exists although the device is not
> present.

So do you feel we should also add this patch to the 2.6.27-stable tree
to solve this issue?

thanks,

greg k-h

2008-11-16 23:36:45

by Holger Macht

Subject: Re: [stable] [patch 20/23] ACPI: dock: avoid check _STA method

On Thu 13. Nov - 13:23:05, Greg KH wrote:
> On Tue, Nov 11, 2008 at 01:16:07PM +0100, Holger Macht wrote:
> > On Fri 07. Nov - 15:16:06, Greg KH wrote:
> > > 2.6.26-stable review patch. If anyone has any objections, please let us know.
> >
> > Objecting. This will only work in conjunction with
> >
> > commit 39a0ad871000d2a016a4fa113a6e53d22aabf25d
> > Author: Zhao Yakui <[email protected]>
> > Date: Mon Aug 11 13:40:22 2008 +0800
> >
> > ACPI : Load device driver according to the status of acpi device
> >
> > Otherwise a device struct already exists although the device is not
> > present.
>
> So do you feel we should also add this patch to the 2.6.27-stable tree
> to solve this issue?

Yes, I think so.

Regards,
Holger

2008-11-17 05:33:22

by Greg KH

Subject: Re: [stable] [patch 20/23] ACPI: dock: avoid check _STA method

On Mon, Nov 17, 2008 at 12:36:02AM +0100, Holger Macht wrote:
> On Thu 13. Nov - 13:23:05, Greg KH wrote:
> > On Tue, Nov 11, 2008 at 01:16:07PM +0100, Holger Macht wrote:
> > > On Fri 07. Nov - 15:16:06, Greg KH wrote:
> > > > 2.6.26-stable review patch. If anyone has any objections, please let us know.
> > >
> > > Objecting. This will only work in conjunction with
> > >
> > > commit 39a0ad871000d2a016a4fa113a6e53d22aabf25d
> > > Author: Zhao Yakui <[email protected]>
> > > Date: Mon Aug 11 13:40:22 2008 +0800
> > >
> > > ACPI : Load device driver according to the status of acpi device
> > >
> > > Otherwise a device struct already exists although the device is not
> > > present.
> >
> > So do you feel we should also add this patch to the 2.6.27-stable tree
> > to solve this issue?
>
> Yes, I think so.

Ok, thanks, I've queued it up now.

greg k-h