When an interface with promisc/allmulti bit is taken down,
the mac80211 state can become confused. This fixes it by
making mac80211 keep track of all *active* interfaces that
have the promisc/allmulti bit set in the sdata, we sync
the interface bit into sdata at set_multicast_list() time
so this works.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
I recently experienced unexplainable behaviour with the b43
driver when I had broken firmware uploaded. The cause may have
been that promisc mode was not correctly enabled or disabled
and this bug may have been the cause.
Note how the values are compared later in the function so
just doing the & will result in the wrong thing being
compared and the test being false almost always.
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
When checking the states passed in, mlx4_qp_modify() accidentally checks
cur_state twice rather than checking cur_state and new_state. Fix this
to make sure that both values are in-bounds.
Since these values may be passed in from userspace, this bug results in
userspace being able to trigger an oops.
Signed-off-by: Jack Morgenstein <jackm@dev.mellanox.co.il>
Cc: stable <stable@kernel.org>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
The error codes for ib_post_send(), ib_post_recv(), and ib_post_srq_recv()
were inconsistent. Use EINVAL for too many SGEs and ENOMEM for too many
WRs.
Signed-off-by: Ralph Campbell <ralph.campbell@qlogic.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
The wrong offset was being returned to libipathverbs so that when
ibv_modify_srq() calls mmap(), it always fails.
Signed-off-by: Ralph Campbell <ralph.campbell@qlogic.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
This patch fixes the code which frees the partially allocated QP
resources if there was an error while creating the QP. In particular,
the QPN wasn't deallocated and the QP wasn't removed from the hash
table.
Signed-off-by: Ralph Campbell <ralph.campbell@qlogic.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Check value ranges in ctl callbacks properly. This fixes the unexpected
crash due to wrong value assignment.
Also, remove invalid comments in the last patch.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
The wrong offset was being returned to libipathverbs so that when
ibv_resize_cq() calls mmap(), it always fails.
Signed-off-by: Ralph Campbell <ralph.campbell@qlogic.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Fix the calculation of the private_data pointer in the CS4270 driver.
Signed-off-by: Timur Tabi <timur@freescale.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Reported by Ingo Molnar,
when booting an allyesconfig bzImage kernel the bootup hangs in the
portman2x4 driver (on a box that does not have this hardware), at:
Pid: 1, comm: swapper
EIP: 0060:[<c02f763c>] CPU: 0
EIP is at parport_pc_read_status+0x4/0x8
EFLAGS: 00000202 Not tainted (2.6.23-rc9 #904)
EAX: f7e57a7f EBX: 00000010 ECX: c2b808c0 EDX: 00000379
ESI: f7cb8230 EDI: 00000010 EBP: f7cb8230 DS: 007b ES: 007b FS: 0000
CR0: 8005003b CR2: fff9c000 CR3: 007ec000 CR4: 00000690
DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
DR6: ffff0ff0 DR7: 00000400
[<c04613de>] portman_flush_input+0xde/0x12c
[<c0461a24>] snd_portman_probe+0x368/0x484
[<c02fbb8c>] __device_attach+0x0/0x8
[<c02fce68>] platform_drv_probe+0xc/0x10
[<c02fba6c>] driver_probe_device+0x74/0x194
[<c0587174>] klist_next+0x38/0x70
[<c02fbb8c>] __device_attach+0x0/0x8
[<c02faea1>] bus_for_each_drv+0x35/0x68
[<c02fbc22>] device_attach+0x72/0x78
the reason is due to an inconsistent error return code of 1 or 2, while
snd_portman_probe only realizes negative error codes.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
The driver assigns the write proc callback to read wrongly.
Fixed now.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
The Samsung S3C24xx uses new architecture file layout in the post 2.6.23
kernel. This patch fixes include path for the s3c2443-ac97.c.
Signed-off-by: Krzysztof Helt <krzysztof.h1@wp.pl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Volume knob controls with STAC codecs seem to cause problems with some
devices. Volumes change very slowly or silent suddenly. It's likely
due to conflict between the software and the hardware volume knob
setup.
Since we'll have a virtual master control in future, it's safer to
remove this control completely right now.
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
When connection tracking entry (nf_conn) is about to copy itself it can
have some of its extension users (like nat) as being already freed and
thus not required to be copied.
Actually looking at this function I suspect it was copied from
nf_nat_setup_info() and thus bug was introduced.
Report and testing from David <david@unsolicited.net>.
[ Patrick McHardy states:
I now understand whats happening:
- new connection is allocated without helper
- connection is REDIRECTed to localhost
- nf_nat_setup_info adds NAT extension, but doesn't initialize it yet
- nf_conntrack_alter_reply performs a helper lookup based on the
new tuple, finds the SIP helper and allocates a helper extension,
causing reallocation because of too little space
- nf_nat_move_storage is called with the uninitialized nat extension
So your fix is entirely correct, thanks a lot :) ]
Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
On 64-bit systems sizeof(struct ifreq) is 8 bytes larger than
sizeof(struct iwreq).
For GET calls, the wireless extension code copies back into userspace
using sizeof(struct ifreq) but userspace and elsewhere only allocates
a "struct iwreq". Thus, this copy writes past the end of the iwreq
object and corrupts whatever sits after it in memory.
Fix the copy_to_user() length.
This particularly hurts the compat case because the wireless compat
code uses compat_alloc_userspace() and right after this allocated
buffer is the current bottom of the user stack, and that's what gets
overwritten by the copy_to_user() call.
Signed-off-by: David S. Miller <davem@davemloft.net>
Make sure all subchannel handling is done on the slow path workqueue
so that we don't have races between an old subchannel unregistering
and a new subchannel with the same name registering.
Signed-off-by: Cornelia Huck <cornelia.huck@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Before we're getting short on memory detection fixes here is the next
one: if neither sclp nor diag260 report the storage size the detection
loop will return immediately without detecting anything. Fix this by
breaking the detection loop only if the memory end is known.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
The iucv is the only user of the various functions that are used to bring
parts of cpus up and down. Its the only allocpercpu user that will do
I/O on per cpu objects (which is difficult to do with virtually mapped memory).
And its the only use of allocpercpu where a GFP_DMA allocation is done.
Remove the allocpercpu calls from iucv and code the allocation and freeing
manually. After this patch it is possible to remove a large part of
the allocpercpu API.
Signed-off-by: Christoph Lameter <clameter@sgi.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Don't perform a sigp store-status-at-address on smp_send_stop().
It will overwrite the lowcores of other cpus and destroys valueable
debug informations.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
page_mkclean used to call page_clear_dirty for every given page. This
is different to all other architectures, where the dirty bit in the
PTEs is only resetted, if page_mapping() returns a non-NULL pointer.
We can move the page_test_dirty/page_clear_dirty sequence into the
2nd if to avoid unnecessary iske/sske sequences, which are expensive.
This change also helps kvm for s390 as the host must transfer the
dirty bit into the guest status bits. By moving the page_clear_dirty
operation into the 2nd if, the vm will only call page_clear_dirty
for pages where it walks the mapping anyway. There it calls
ptep_clear_flush for writable ptes, so we can transfer the dirty bit
to the guest.
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
When returning from IRQ handling and TIF_NEED_RESCHED is set we must
call preempt_schedule_irq() instead of schedule().
Otherwise the BKL might be unlocked in schedule() and therfore
everything that relies on the BKL is broken.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Remove binary sysctls that never worked due to missing strategy functions.
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: Gerald Schaefer <geraldsc@de.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Remove binary sysctls that never worked due to missing strategy functions.
Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Current support for TRACE_IRQFLAGS and lockdep_sys_exit is broken.
IRQ flag tracing is broken for program checks. Even worse is that
the newly introduced calls to lockdep_sys_exit are in the critical
section code which is not supposed to call any C functions. In
addition the checks if locks are still held are also done when
returning to kernel code which is broken as well.
Fix all this by disabling interrupts and machine checks at the
exit paths and then do the appropriate checks and calls.
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
When doing an magic sysrq reboot on s390 the following bug message
appears:
SysRq : Resetting
BUG: sleeping function called from invalid context at include/asm/semaphore.h:61
in_atomic():1, irqs_disabled():0
07000000004002a8 000000000fe6bc48 0000000000000002 0000000000000000
000000000fe6bce8 000000000fe6bc60 000000000fe6bc60 000000000012a79a
0000000000000000 07000000004002a8 0000000000000006 0000000000000000
0000000000000000 000000000fe6bc48 000000000000000d 000000000fe6bcb8
00000000004000c8 0000000000103234 000000000fe6bc48 000000000fe6bc90
Call Trace:
(¬<00000000001031b2>| show_trace+0x12e/0x148)
¬<000000000011ffca>| __might_sleep+0x10a/0x118
¬<0000000000129fba>| acquire_console_sem+0x92/0xf4
¬<000000000012a2ca>| console_unblank+0xc2/0xc8
¬<0000000000107bb4>| machine_restart+0x54/0x6c
¬<000000000028e806>| sysrq_handle_reboot+0x26/0x30
¬<000000000028e52a>| __handle_sysrq+0xa6/0x180
¬<0000000000140134>| run_workqueue+0xcc/0x18c
¬<000000000014029a>| worker_thread+0xa6/0x108
¬<00000000001458e4>| kthread+0x64/0x9c
¬<0000000000106f0e>| kernel_thread_starter+0x6/0xc
¬<0000000000106f08>| kernel_thread_starter+0x0/0xc
The only reason for doing a console_unblank on s390 is to flush the
log buffer. We have to check for in_atomic before doing a
console_unblank as the console is otherwise filled with an unrelated
bug message.
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Modify the sense id channel program to allow device sensing of pav
alias devices which belong to a base device with ungrouped paths.
Signed-off-by: Peter Oberparleiter <peter.oberparleiter@de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
My changes to _tlbie to fix 4xx unfortunately broke 8xx build in a
couple of places. This fixes it.
Spotted by Olof Johansson.
Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Vitaly Bordug <vitb@kernel.crashing.org>
Signed-off-by: Paul Mackerras <paulus@samba.org>
From: "Sam Jansen" <sjansen@google.com>
sysctl_tcp_congestion_control seems to have a bug that prevents it
from actually calling the tcp_set_default_congestion_control
function. This is not so apparent because it does not return an error
and generally the /proc interface is used to configure the default TCP
congestion control algorithm. This is present in 2.6.18 onwards and
probably earlier, though I have not inspected 2.6.15--2.6.17.
sysctl_tcp_congestion_control calls sysctl_string and expects a successful
return code of 0. In such a case it actually sets the congestion control
algorithm with tcp_set_default_congestion_control. Otherwise, it returns the
value returned by sysctl_string. This was correct in 2.6.14, as sysctl_string
returned 0 on success. However, sysctl_string was updated to return 1 on
success around about 2.6.15 and sysctl_tcp_congestion_control was not updated.
Even though sysctl_tcp_congestion_control returns 1, do_sysctl_strategy
converts this return code to '0', so the caller never notices the error.
Signed-off-by: David S. Miller <davem@davemloft.net>
When the abstraction functions got added, conversion here was
made incorrectly. As a result, the skb may end up pointing
to skb which got included to the probe skb and then was freed.
For it to trigger, however, skb_transmit must fail sending as
well.
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
The pktgen_output_ipsec() function can unlock this lock twice
due to merged error and plain paths. Remove one of the calls
to spin_unlock.
Other possible solution would be to place "return 0" right
after the first unlock, but at this place the err is known
to be 0, so these solutions are the same except for this one
makes the code shorter.
Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>