The trb_in_td() function in the xHCI driver is supposed to translate a
physical transfer buffer request (TRB) into a virtual pointer to the ring
segment that TRB is in.
Unfortunately, a mistake in this function may cause endless loops as the
driver searches through the linked list of ring segments over and over
again. Fix a couple bugs that may lead to loops or bad output:
1. Bail out if we get a NULL pointer when translating the segment's
private structure and the starting DMA address of the segment chunk. If
this happens, we've been handed a starting TRB pointer from a different
ring.
2. Make sure the function works when there's multiple segments in the
ring. In the while loop to search through the ring segments, use the
current segment variable (cur_seg), rather than the starting segment
variable (start_seg) that is passed in.
3. Stop searching the ring if we've run through all the segments in the
ring.
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
If the xHCI driver fails during the memory initialization, xhci->ir_set
may not be a valid pointer. Check that it points to valid DMA'able memory
before writing to that address during the memory freeing process.
Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Am Donnerstag, 10. September 2009 15:43:53 schrieb Dietmar Hilbrich:
> Hello,
>
> i have the following problem with the cdc-acm - driver:
>
> I'm using the driver with an "Ericsson F3507G" on a Thinkpad T400.
>
> If a disable the device (with the RFKill-Switch) while it is used by a
> programm like ppp, the driver doesn't seem to correctly clean up the tty,
> even after the program has been closed)
>
> The tty is still active (e.g. there still exists an entry in
> /sys/dev/char/166:0 if ttyACM0 was used) and if a reacticate the device,
> this device entry will be skipped and the Device-Nodes ttyACM1, ttyACM2
> and ttyACM3 will be used.
>
> This problem was introduced with the commit
> 10077d4a66 (before 2.6.31-rc1) and still
> exists in 2.6.31.
>
> I was able the fix this problem with the following patch:
>
> diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c
> index 2bfc41e..0970d2f 100644
> --- a/drivers/usb/class/cdc-acm.c
> +++ b/drivers/usb/class/cdc-acm.c
> @@ -676,6 +676,7 @@ static void acm_tty_hangup(struct tty_struct *tty)
> struct acm *acm = tty->driver_data;
> tty_port_hangup(&acm->port);
> acm_port_down(acm, 0);
> + acm_tty_unregister(acm);
> }
I have the same problem with cdc-acm (I'm using a Samsung SGH-U900): when I
unplug it from the USB port during a PPP connection, the ppp daemon gets the
hangup correctly (and closes the device), but the struct acm corresponding to
the device disconnected is not freed. Hence reconnecting the device results in
creation of /dev/ttyACM(x+1). The same happens when the system is hibernated
during a PPP connection.
This memory leak is due to the fact that when the tty is hung up,
tty_port_close_start() returns always zero, and acm_tty_close() never reaches
the point where acm_tty_unregister() is called.
Here is a fix for this.
Signed-off-by: Francesco Lavra <francescolavra@interfree.it>
Acked-by: Oliver Neukum <oliver@neukum.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
If acm_rx_tasklet() gets called before tty_port_block_til_ready()
returns, then bulk IN urbs may not be sent. This fixes it.
Signed-off-by: Henry Gebhardt <gebhardt@astro.uni-tuebingen.de>
Acked-by: Oliver Neukum <oliver@neukum.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The following patch in the driver is required to avoid USB 1.1 device
failures that may occur due to requests from USB OHCI controllers may
be overwritten if the latency for any pending request by the USB
controller is very long (in the range of milliseconds).
Signed-off-by: Libin Yang <libin.yang@amd.com>
Cc: David Brownell <dbrownell@users.sourceforge.net>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Original discussion:
http://thread.gmane.org/gmane.linux.usb.general/23217/focus=23248
or
http://marc.info/?l=linux-usb&m=125553790714133&w=29a68e39d4a broke carrier handling so that a
cp210x setup which needed the carrier lines set up (non CLOCAL) which did
not make a call which set the termios bits left the lines down even if
CLOCAL was not asserted.
Fix this not by reverting but by adding the proper dtr_rts and
carrier_raised methods. This both sets the modem lines properly and also
implements the correct blocking semantics for the port as required by
POSIX.
Signed-off-by: Alan Cox <alan@linux.intel.com>
Reported-by: Karl Hiramoto <karl@hiramoto.org>
Tested-by: Karl Hiramoto <karl@hiramoto.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Original discussion:
http://thread.gmane.org/gmane.linux.usb.general/23217/focus=23248
or
http://marc.info/?l=linux-usb&m=125553790714133&w=2
The tty_port code inherited a bug common to various drivers it was based
upon. If the tty is opened O_NONBLOCK we do not wait for the carrier to be
raised but we must still raise our modem lines if appropriate.
(There is a second question here about whether we should do so if CLOCAL is
set but that can wait)
Signed-off-by: Alan Cox <alan@linux.intel.com>
Reported-by: Karl Hiramoto <karl@hiramoto.org>
Tested-by: Karl Hiramoto <karl@hiramoto.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Current calculation does not take into account any changes to M2 divisor, and
thus when we change VDD2 OPP, dpll3_m2x2 rate does not change. Fixed by
re-routing dpll3_m2x2 parent to dpll3_m2.
Signed-off-by: Tero Kristo <tero.kristo@nokia.com>
Signed-off-by: Paul Walmsley <paul@pwsan.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Fix the freqsel value computation. Use n instead of (n+1)
The formula in the TRM uses a zero-based N, hence the (n+1); however
at this point in the clock34xx.c code, N is one-based.
Hayati Bayrakdar <h-bayrakdar@ti.com> and Nishanth Menon <nm@ti.com> helped
track down this bug.
Signed-off-by: Rajendra Nayak <rnayak@ti.com>
Signed-off-by: Paul Walmsley <paul@pwsan.com>
[paul@pwsan.com: modified commit message]
Cc: Hayati Bayrakdar <h-bayrakdar@ti.com>
Cc: Nishanth Menon <nm@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
* git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6:
[SCSI] bfa: declare MODULE_FIRMWARE
[SCSI] gdth: Prevent negative offsets in ioctl CVE-2009-3080
[SCSI] libsas: do not set res = 0 in sas_ex_discover_dev()
[SCSI] Fix incorrect reporting of host protection capabilities
[SCSI] pmcraid: Fix ppc64 driver build for using cpu_to_le32 on U8 data type
[SCSI] ipr: add workaround for MSI interrupts on P7
[SCSI] scsi_transport_fc: Fix WARN message for FC passthru failure paths
[SCSI] bfa: fix test in bfad_os_fc_host_init()
* master.kernel.org:/home/rmk/linux-2.6-arm:
[ARM] pxa: ensure mfp is in correct range in mfp_{read,write}
[ARM] pxa/hx4700: fix hx4700 touchscreen pressure values
ARM: 5787/1: U300 COH 901 331 fixes
ARM: Fix warning in sa1100-flash.c
[ARM] Kirkwood: disable propagation of mbus error to the CPU local bus
[ARM] pxa: fix incorrect mfp_to_gpio() conversion
[ARM] pxa/colibri: fix AC97 ifdefs and add missing include
[ARM] pxa: fix missing underscores in mfp-pxa910.h
[ARM] pxa: fix interrupts number calculation when CONFIG_PXA_HAVE_ISA_IRQS=y
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/lrg/voltage-2.6:
dereferencing freed memory regulator_fixed_voltage_remove()
regulator: Fix check of unsigned return value and transmit errors in wm831x_gp_ldo_get_mode()
regulator: Handle missing constraints in _regulator_disable()
* 'for-linus' of git://git.o-hand.com/linux-rpurdie-leds:
leds-gpio: fix possible crash on OF device unbinding
backlight: Fix backlight limiting on spitz/corgi devices
backlight: lcd - Fix wrong sizeof
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6:
ALSA: ice1724 - make some bitfields unsigned
ALSA: hda - Dell Studio 1557 hd-audio quirk
ALSA: ice1724 - Fix section mismatch in prodigy_hd2_resume()
ALSA: hda - Add another Nvidia HDMI codec id (10de:0005)
ALSA: hda: Use model=mb5 for MacBookPro 5,2
* 'hostprogs-wmissing-prototypes' of git://git.kernel.org/pub/scm/linux/kernel/git/josh/linux-misc:
Makefile: Add -Wmising-prototypes to HOSTCFLAGS
oss: Mark loadhex static in hex2hex.c
dtc: Mark various internal functions static
dtc: Set "noinput" in the lexer to avoid an unused function
drm: radeon: Mark several functions static in mkregtable
arch/sparc/boot/*.c: Mark various internal functions static
arch/powerpc/boot/addRamDisk.c: Mark several internal functions static
arch/alpha/boot/tools/objstrip.c: Mark "usage" static
Documentation/vm/page-types.c: Declare checked_open static
genksyms: Mark is_reserved_word static
kconfig: Mark various internal functions static
kconfig: Make zconf.y work with current bison
These values were only introduced during this release cycle, so it is
still early enough to get them right.
alpha uses the same values that are in asm-generic/fcntl.h, so just
remove them.
parisc uses the values interchanged for no apparent reason, so remove
them to give us consistency across all architectures.
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Access to log items on the AIL is generally protected by m_ail_lock;
this is particularly needed when we're getting or setting the 64-bit
li_lsn on a 32-bit platform. This patch fixes a couple places where we
were accessing the log item after dropping the AIL lock on 32-bit
machines.
This can result in a partially-zeroed log->l_tail_lsn if
xfs_trans_ail_delete is racing with xfs_trans_ail_update, and in at
least some cases, this can leave the l_tail_lsn with a zero cycle
number, which means xlog_space_left will think the log is full (unless
CONFIG_XFS_DEBUG is set, in which case we'll trip an ASSERT), leading to
processes stuck forever in xlog_grant_log_space.
Thanks to Adrian VanderSpek for first spotting the race potential and to
Dave Chinner for debug assistance.
Signed-off-by: Nathaniel W. Turner <nate@houseofnate.net>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Alex Elder <aelder@sgi.com>
Hi,
I was hit by a bug in linux 2.6.31 when XFS is not able to recover the
log after a crash if fs was mounted with quotas. Gory details in XFS
bugzilla: http://oss.sgi.com/bugzilla/show_bug.cgi?id=855.
It looks like wrong struct is used in buffer length check, and the following
patch should fix the problem.
xfs_dqblk_t has a size of 104+32 bytes, while xfs_disk_dquot_t is 104 bytes
long, and this is exactly what I see in system logs - "XFS: dquot too small
(104) in xlog_recover_do_dquot_trans."
Signed-off-by: Jan Rekorajski <baggins@sith.mimuw.edu.pl>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Alex Elder <aelder@sgi.com>
Vaio type G laptop doesn't work with the current quirk setup.
After some tests, it turned out that it should be model=auto as default.
Reported-by: Mattia Dongili <malattia@linux.it>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Disable the master volume control in the PCM2702 chipset.
The datasheet documents two independent channel volume controls, one
master mute control and one master volume control. All controls are
fully functional except for the master volume control, which returns
USB stalls on all GET requests.
Signed-off-by: Javier Kohen <jkohen@users.sourceforge.net>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
In case register_netdevice() returns an error, and a new vlan_group
was allocated and inserted in vlan_group_hash[] we call
vlan_group_free() without deleting group from hash table. Future
lookups can give infinite loops or crashes.
We must delete the vlan_group using RCU safe procedure.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
When we've merged skb's with page frags, and subsequently receive
a trailer skb (< MSS) that is not completely non-linear (this can
occur on Intel NICs if the packet size falls below the threshold),
GRO ends up producing an illegal GSO skb with a frag_list.
This is harmless unless the skb is then forwarded through an
interface that requires software GSO, whereupon the GSO code
will BUG.
This patch detects this case in GRO and avoids merging the
trailer skb.
Reported-by: Mark Wagner <mwagner@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
We need to look for the 'shared-pins' property to get
this right.
Based upon a patch by Hermann Lauer.
Signed-off-by: David S. Miller <davem@davemloft.net>
This fixes the following warning:
WARNING: drivers/net/phy/built-in.o(.devexit.text+0x70): Section mismatch in reference from the function .mdio_gpio_bus_destroy() to the function .devinit.text:.mdio_gpio_bus_deinit()
The function __devexit .mdio_gpio_bus_destroy() references
a function __devinit .mdio_gpio_bus_deinit().
This is often seen when error handling in the exit function
uses functionality in the init path.
The fix is often to remove the __devinit annotation of
.mdio_gpio_bus_deinit() so it may be used outside an init section.
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
PPP does not correctly call pskb_may_pull() on all necessary receive paths
before reading the PPP protocol, thus causing PPP to report seemingly
random 'unsupported protocols' and eventually trigger BUG_ON(skb->len <
skb->data_len) in skb_pull_rcsum() when receiving multilink protocol in
non-linear skbs.
ppp_receive_nonmp_frame() does not call pskb_may_pull() before reading the
protocol number. For the non-mp receive path this is not a problem, as
this check is done in ppp_receive_frame(). For the mp receive path,
ppp_mp_reconstruct() usually copies the data into a new linear skb.
However, in the case where the frame is made up of a single mp fragment,
the mp header is pulled and the existing skb used. This skb was then
passed to ppp_receive_nonmp_frame() without checking if the encapsulated
protocol header could safely be read.
Signed-off-by: Ben McKeegan <ben@netservers.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
After commmit 4b77b0a2ba EEH breaks
after the second error, since it calls pci_restore_state()
but it returns 0, since pci->state_saved is false.
So, this patch just call pci_save_state() after pci_restore_state().
Signed-off-by: Breno Leitao <leitao@linux.vnet.ibm.com>
Acked-by: Peter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Panasonic CF-72 uses 6-byte protocol and does not need to be tied
to a particular port.
Signed-off-by: Abner Holsinger <9zabner@gmail.com>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Commit b7802c5c1e ("Input: psmouse - use boolean type") caused the
synaptics_hardware variable to be completely useless, as it is
constantly set to 'true' throughout the whole psmouse_extensions().
This was caused by the following hunk in the commit in question
- int synaptics_hardware = 0;
+ bool synaptics_hardware = true;
which is wrong and causes driver to issue extra reset when falling
back to bare PS/2 protocol.
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Interpretation of 'row' and 'col' got reversed in matrix keymap
framework. Also last element '0', present in keymap array, is no
more needed.
Correcting zoom2 keyboard keymap accordingly.
Signed-off-by: Vimal Singh <vimalsingh@ti.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Ensure we do not read/write outside array boundaries with a negative index.
Signed-off-by: Roel Kluin <roel.kluin@gmail.com>
Signed-off-by: Eric Miao <eric.y.miao@gmail.com>
hx4700 touchscreen events were being dropped in ads7846_rx() because their
pressure values consistently exceeded the platform maximum of 512; a sample
of 256 pressure values were in the range 531 to 815. Doubling the platform
maximum to 1024 allows hx4700 touchscreen events to pass the test.
Signed-off-by: Paul Parsons <lost.distance@yahoo.com>
Signed-off-by: Eric Miao <eric.y.miao@gmail.com>
This will fix some small issues with the COH 901 331 RTC driver:
- Interrupt is disabled after alarm so that we don't fire
multiple interrupts.
- We return 0 from the coh901331_alarm_irq_enable() ridding
a compile warning.
- We alter the name in the U300 device registry to match that
of the driver so they sucessfully resolve.
Signed-off-by: Linus Walleij <linus.walleij@stericsson.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
drivers/mtd/maps/sa1100-flash.c: In function 'sa1100_probe_subdev':
drivers/mtd/maps/sa1100-flash.c:214: warning: format '%d' expects type 'int', but argument 3 has type 'uint64_t'
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
at91sam9g20ek rev. C and onwards embed two SD/MMC slots. This patch modify the
previous dual slot board definition to match the official rev. C board. It also
allows the use of at91_mci SD/MMC driver in addition to the atmel-mci one.
Some pins have been re-affected from leds or Ethernet phy IRQ to the SD/MMC
slot A. This lead to a modification of those definitions.
Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Acked-by: Andrew Victor <linux@maxim.org.za>
Fix the commit ec06aedd44 that intended to turn off querying for server inode
numbers when server doesn't consistently support inode numbers. Presumably
the commit didn't actually clear the CIFS_MOUNT_SERVER_INUM flag, perhaps a
typo.
Signed-off-by: Suresh Jayaraman <sjayaraman@suse.de>
Acked-by: Jeff Layton <jlayton@redhat.com>
Cc: Stable <stable@kernel.org>
Signed-off-by: Steve French <sfrench@us.ibm.com>
The flow of the complete function (xxx_done) in gcm.c is as follow:
void complete(struct crypto_async_request *areq, int err)
{
struct aead_request *req = areq->data;
if (!err) {
err = async_next_step();
if (err == -EINPROGRESS || err == -EBUSY)
return;
}
complete_for_next_step(areq, err);
}
But *areq may be destroyed in async_next_step(), this makes
complete_for_next_step() can not work properly. To fix this, one of
following methods is used for each complete function.
- Add a __complete() for each complete(), which accept struct
aead_request *req instead of areq, so avoid using areq after it is
destroyed.
- Expand complete_for_next_step().
The fixing method is based on the idea of Herbert Xu.
Signed-off-by: Huang Ying <ying.huang@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Don't dereference drvdata after it has been freed.
regards,
dan carpenter
Signed-off-by: Dan Carpenter <error27@gmail.com>
Acked-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Liam Girdwood <lrg@slimlogic.co.uk>
If there are leds present in the OF tree, but the GPIOs for (some) of
them are unavailable, led_data doesn't get populated with correct
devices. Then, on device unbinding, one can crash the kernel.
Workaround this by setting led->gpio to invalid value early.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
Signed-off-by: Richard Purdie <rpurdie@linux.intel.com>
On spitz (& similar) machines, if battery is running low, backlight
needs
to be limited to lower step. Unfortunately, current code uses &= for
limiting, turning backlight off completely for some backlight settings.
Fix that.
Signed-off-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Richard Purdie <rpurdie@linux.intel.com>
Which is why I have always preferred sizeof(struct foo) over
sizeof(var).
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Richard Purdie <rpurdie@linux.intel.com>