[patch 00/49] 2.6.27.5 stable review - Kernel

This is a discussion on [patch 00/49] 2.6.27.5 stable review - Kernel ; 2.6.27-stable review patch. If anyone has any objections, please let us know. ------------------ From: Emmanuel Grumbach commit c90a74bae10dc2a4677d1bd06b6400db229d3e1e upstream This patch disables power save upon association and enables it back after association. This allows to associate to AP on a ...

+ Reply to Thread
Page 2 of 3 FirstFirst 1 2 3 LastLast
Results 21 to 40 of 43

Thread: [patch 00/49] 2.6.27.5 stable review

  1. [patch 29/49] iwlwifi: allow association on radar channel in power save

    2.6.27-stable review patch. If anyone has any objections, please let us know.

    ------------------

    From: Emmanuel Grumbach

    commit c90a74bae10dc2a4677d1bd06b6400db229d3e1e upstream

    This patch disables power save upon association and enables it back
    after association. This allows to associate to AP on a radar channel
    if power save is enabled.

    Radar and passive channels are not allowed for TX (required for association)
    unless RX is received but PS may close the radio and no RX will be received
    effectively failing association.

    Signed-off-by: Emmanuel Grumbach
    Signed-off-by: Mohamed Abbas
    Signed-off-by: Tomas Winkler
    Signed-off-by: Zhu Yi
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

    ---
    drivers/net/wireless/iwlwifi/iwl-agn.c | 24 +++++++++++++++----
    drivers/net/wireless/iwlwifi/iwl-dev.h | 1
    drivers/net/wireless/iwlwifi/iwl-power.c | 39 ++++++++++++++++++++++++++++++-
    drivers/net/wireless/iwlwifi/iwl-power.h | 4 ++-
    4 files changed, 61 insertions(+), 7 deletions(-)

    --- a/drivers/net/wireless/iwlwifi/iwl-agn.c
    +++ b/drivers/net/wireless/iwlwifi/iwl-agn.c
    @@ -2486,6 +2486,7 @@ static void iwl4965_post_associate(struc
    if (!priv->vif || !priv->is_open)
    return;

    + iwl_power_cancel_timeout(priv);
    iwl_scan_cancel_timeout(priv, 200);

    conf = ieee80211_get_hw_conf(priv->hw);
    @@ -2550,10 +2551,6 @@ static void iwl4965_post_associate(struc
    break;
    }

    - /* Enable Rx differential gain and sensitivity calibrations */
    - iwl_chain_noise_reset(priv);
    - priv->start_calib = 1;
    -
    if (priv->iw_mode == IEEE80211_IF_TYPE_IBSS)
    priv->assoc_station_added = 1;

    @@ -2561,7 +2558,12 @@ static void iwl4965_post_associate(struc
    iwl_activate_qos(priv, 0);
    spin_unlock_irqrestore(&priv->lock, flags);

    - iwl_power_update_mode(priv, 0);
    + iwl_power_enable_management(priv);
    +
    + /* Enable Rx differential gain and sensitivity calibrations */
    + iwl_chain_noise_reset(priv);
    + priv->start_calib = 1;
    +
    /* we have just associated, don't start scan too early */
    priv->next_scan_jiffies = jiffies + IWL_DELAY_NEXT_SCAN;
    }
    @@ -3548,6 +3550,16 @@ static void iwl4965_mac_reset_tsf(struct
    /* Per mac80211.h: This is only used in IBSS mode... */
    if (priv->iw_mode != IEEE80211_IF_TYPE_IBSS) {

    + /* switch to CAM during association period.
    + * the ucode will block any association/authentication
    + * frome during assiciation period if it can not hear
    + * the AP because of PM. the timer enable PM back is
    + * association do not complete
    + */
    + if (priv->hw->conf.channel->flags & (IEEE80211_CHAN_PASSIVE_SCAN |
    + IEEE80211_CHAN_RADAR))
    + iwl_power_disable_management(priv, 3000);
    +
    IWL_DEBUG_MAC80211("leave - not in IBSS\n");
    mutex_unlock(&priv->mutex);
    return;
    @@ -4085,6 +4097,7 @@ static void iwl_setup_deferred_work(stru
    /* FIXME : remove when resolved PENDING */
    INIT_WORK(&priv->scan_completed, iwl_bg_scan_completed);
    iwl_setup_scan_deferred_work(priv);
    + iwl_setup_power_deferred_work(priv);

    if (priv->cfg->ops->lib->setup_deferred_work)
    priv->cfg->ops->lib->setup_deferred_work(priv);
    @@ -4104,6 +4117,7 @@ static void iwl_cancel_deferred_work(str

    cancel_delayed_work_sync(&priv->init_alive_start);
    cancel_delayed_work(&priv->scan_check);
    + cancel_delayed_work_sync(&priv->set_power_save);
    cancel_delayed_work(&priv->alive_start);
    cancel_work_sync(&priv->beacon_update);
    del_timer_sync(&priv->statistics_periodic);
    --- a/drivers/net/wireless/iwlwifi/iwl-dev.h
    +++ b/drivers/net/wireless/iwlwifi/iwl-dev.h
    @@ -1047,6 +1047,7 @@ struct iwl_priv {

    struct tasklet_struct irq_tasklet;

    + struct delayed_work set_power_save;
    struct delayed_work init_alive_start;
    struct delayed_work alive_start;
    struct delayed_work scan_check;
    --- a/drivers/net/wireless/iwlwifi/iwl-power.c
    +++ b/drivers/net/wireless/iwlwifi/iwl-power.c
    @@ -324,7 +324,7 @@ EXPORT_SYMBOL(iwl_power_update_mode);
    * this will be usefull for rate scale to disable PM during heavy
    * Tx/Rx activities
    */
    -int iwl_power_disable_management(struct iwl_priv *priv)
    +int iwl_power_disable_management(struct iwl_priv *priv, u32 ms)
    {
    u16 prev_mode;
    int ret = 0;
    @@ -337,6 +337,11 @@ int iwl_power_disable_management(struct
    ret = iwl_power_update_mode(priv, 0);
    priv->power_data.power_disabled = 1;
    priv->power_data.user_power_setting = prev_mode;
    + cancel_delayed_work(&priv->set_power_save);
    + if (ms)
    + queue_delayed_work(priv->workqueue, &priv->set_power_save,
    + msecs_to_jiffies(ms));
    +

    return ret;
    }
    @@ -431,3 +436,35 @@ int iwl_power_temperature_change(struct
    return ret;
    }
    EXPORT_SYMBOL(iwl_power_temperature_change);
    +
    +static void iwl_bg_set_power_save(struct work_struct *work)
    +{
    + struct iwl_priv *priv = container_of(work,
    + struct iwl_priv, set_power_save.work);
    + IWL_DEBUG(IWL_DL_STATE, "update power\n");
    +
    + if (test_bit(STATUS_EXIT_PENDING, &priv->status))
    + return;
    +
    + mutex_lock(&priv->mutex);
    +
    + /* on starting association we disable power managment
    + * until association, if association failed then this
    + * timer will expire and enable PM again.
    + */
    + if (!iwl_is_associated(priv))
    + iwl_power_enable_management(priv);
    +
    + mutex_unlock(&priv->mutex);
    +}
    +void iwl_setup_power_deferred_work(struct iwl_priv *priv)
    +{
    + INIT_DELAYED_WORK(&priv->set_power_save, iwl_bg_set_power_save);
    +}
    +EXPORT_SYMBOL(iwl_setup_power_deferred_work);
    +
    +void iwl_power_cancel_timeout(struct iwl_priv *priv)
    +{
    + cancel_delayed_work(&priv->set_power_save);
    +}
    +EXPORT_SYMBOL(iwl_power_cancel_timeout);
    --- a/drivers/net/wireless/iwlwifi/iwl-power.h
    +++ b/drivers/net/wireless/iwlwifi/iwl-power.h
    @@ -78,8 +78,10 @@ struct iwl_power_mgr {
    u8 power_disabled; /* flag to disable using power saving level */
    };

    +void iwl_setup_power_deferred_work(struct iwl_priv *priv);
    +void iwl_power_cancel_timeout(struct iwl_priv *priv);
    int iwl_power_update_mode(struct iwl_priv *priv, u8 refresh);
    -int iwl_power_disable_management(struct iwl_priv *priv);
    +int iwl_power_disable_management(struct iwl_priv *priv, u32 ms);
    int iwl_power_enable_management(struct iwl_priv *priv);
    int iwl_power_set_user_mode(struct iwl_priv *priv, u16 mode);
    int iwl_power_set_system_mode(struct iwl_priv *priv, u16 mode);

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  2. [patch 24/49] I/OAT: fix channel resources free for not allocated channels

    2.6.27-stable review patch. If anyone has any objections, please let us know.

    ------------------

    From: Maciej Sosnowski

    commit c3d4f44f50b65b0b0290e357f8739cfb3f4bcaca upstream

    If the ioatdma driver is loaded but not used it does not allocate descriptors.
    Before it frees channel resources it should first be sure
    that they have been previously allocated.

    Signed-off-by: Maciej Sosnowski
    Tested-by: Tom Picard
    Signed-off-by: Dan Williams
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    ---
    drivers/dma/ioat_dma.c | 7 +++++++
    1 file changed, 7 insertions(+)

    --- a/drivers/dma/ioat_dma.c
    +++ b/drivers/dma/ioat_dma.c
    @@ -801,6 +801,12 @@ static void ioat_dma_free_chan_resources
    struct ioat_desc_sw *desc, *_desc;
    int in_use_descs = 0;

    + /* Before freeing channel resources first check
    + * if they have been previously allocated for this channel.
    + */
    + if (ioat_chan->desccount == 0)
    + return;
    +
    tasklet_disable(&ioat_chan->cleanup_task);
    ioat_dma_memcpy_cleanup(ioat_chan);

    @@ -863,6 +869,7 @@ static void ioat_dma_free_chan_resources
    ioat_chan->last_completion = ioat_chan->completion_addr = 0;
    ioat_chan->pending = 0;
    ioat_chan->dmacount = 0;
    + ioat_chan->desccount = 0;
    ioat_chan->watchdog_completion = 0;
    ioat_chan->last_compl_desc_addr_hw = 0;
    ioat_chan->watchdog_tcp_cookie =

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  3. [patch 22/49] r8169: fix RxMissed register access

    2.6.27-stable review patch. If anyone has any objections, please let us know.

    ------------------

    From: Francois Romieu

    Upstream as 523a609496dbc3897e530db2a2f27650d125ea00

    - the register is defined for the 8169 chipset only and there is
    no 8169 beyond RTL_GIGA_MAC_VER_06.
    - only the lower 3 bytes of the register are valid

    Fixes:
    1. http://bugzilla.kernel.org/show_bug.cgi?id=10180
    2. http://bugzilla.kernel.org/show_bug.cgi?id=11062 (bits of)

    Tested by Hermann Gausterer and Adam Huffman.

    Signed-off-by: Francois Romieu
    Cc: Edward Hsu
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

    ---
    drivers/net/r8169.c | 25 ++++++++++++++-----------
    1 file changed, 14 insertions(+), 11 deletions(-)

    --- a/drivers/net/r8169.c
    +++ b/drivers/net/r8169.c
    @@ -2092,8 +2092,6 @@ static void rtl_hw_start_8168(struct net

    RTL_R8(IntrMask);

    - RTL_W32(RxMissed, 0);
    -
    rtl_set_rx_mode(dev);

    RTL_W8(ChipCmd, CmdTxEnb | CmdRxEnb);
    @@ -2136,8 +2134,6 @@ static void rtl_hw_start_8101(struct net

    RTL_R8(IntrMask);

    - RTL_W32(RxMissed, 0);
    -
    rtl_set_rx_mode(dev);

    RTL_W8(ChipCmd, CmdTxEnb | CmdRxEnb);
    @@ -2915,6 +2911,17 @@ static int rtl8169_poll(struct napi_stru
    return work_done;
    }

    +static void rtl8169_rx_missed(struct net_device *dev, void __iomem *ioaddr)
    +{
    + struct rtl8169_private *tp = netdev_priv(dev);
    +
    + if (tp->mac_version > RTL_GIGA_MAC_VER_06)
    + return;
    +
    + dev->stats.rx_missed_errors += (RTL_R32(RxMissed) & 0xffffff);
    + RTL_W32(RxMissed, 0);
    +}
    +
    static void rtl8169_down(struct net_device *dev)
    {
    struct rtl8169_private *tp = netdev_priv(dev);
    @@ -2932,9 +2939,7 @@ core_down:

    rtl8169_asic_down(ioaddr);

    - /* Update the error counts. */
    - dev->stats.rx_missed_errors += RTL_R32(RxMissed);
    - RTL_W32(RxMissed, 0);
    + rtl8169_rx_missed(dev, ioaddr);

    spin_unlock_irq(&tp->lock);

    @@ -3056,8 +3061,7 @@ static struct net_device_stats *rtl8169_

    if (netif_running(dev)) {
    spin_lock_irqsave(&tp->lock, flags);
    - dev->stats.rx_missed_errors += RTL_R32(RxMissed);
    - RTL_W32(RxMissed, 0);
    + rtl8169_rx_missed(dev, ioaddr);
    spin_unlock_irqrestore(&tp->lock, flags);
    }

    @@ -3082,8 +3086,7 @@ static int rtl8169_suspend(struct pci_de

    rtl8169_asic_down(ioaddr);

    - dev->stats.rx_missed_errors += RTL_R32(RxMissed);
    - RTL_W32(RxMissed, 0);
    + rtl8169_rx_missed(dev, ioaddr);

    spin_unlock_irq(&tp->lock);


    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  4. [patch 21/49] r8169: get ethtool settings through the generic mii helper

    2.6.27-stable review patch. If anyone has any objections, please let us know.

    ------------------

    From: Francois Romieu

    Upstream as ccdffb9a88b2907b159538d7bfd6256621db4f84 (post 2.6.27).

    It avoids to report unsupported link capabilities with
    the fast-ethernet only 8101/8102.

    Signed-off-by: Francois Romieu
    Tested-by: Martin Capitanio
    Fixed-by: Ivan Vecera
    Cc: Edward Hsu
    Signed-off-by: Greg Kroah-Hartman

    ---
    drivers/net/r8169.c | 97 ++++++++++++++++++++++++----------------------------
    1 file changed, 45 insertions(+), 52 deletions(-)

    --- a/drivers/net/r8169.c
    +++ b/drivers/net/r8169.c
    @@ -370,8 +370,9 @@ struct ring_info {
    };

    enum features {
    - RTL_FEATURE_WOL = (1 << 0),
    - RTL_FEATURE_MSI = (1 << 1),
    + RTL_FEATURE_WOL = (1 << 0),
    + RTL_FEATURE_MSI = (1 << 1),
    + RTL_FEATURE_GMII = (1 << 2),
    };

    struct rtl8169_private {
    @@ -406,13 +407,15 @@ struct rtl8169_private {
    struct vlan_group *vlgrp;
    #endif
    int (*set_speed)(struct net_device *, u8 autoneg, u16 speed, u8 duplex);
    - void (*get_settings)(struct net_device *, struct ethtool_cmd *);
    + int (*get_settings)(struct net_device *, struct ethtool_cmd *);
    void (*phy_reset_enable)(void __iomem *);
    void (*hw_start)(struct net_device *);
    unsigned int (*phy_reset_pending)(void __iomem *);
    unsigned int (*link_ok)(void __iomem *);
    struct delayed_work task;
    unsigned features;
    +
    + struct mii_if_info mii;
    };

    MODULE_AUTHOR("Realtek and the Linux r8169 crew ");
    @@ -482,6 +485,23 @@ static int mdio_read(void __iomem *ioadd
    return value;
    }

    +static void rtl_mdio_write(struct net_device *dev, int phy_id, int location,
    + int val)
    +{
    + struct rtl8169_private *tp = netdev_priv(dev);
    + void __iomem *ioaddr = tp->mmio_addr;
    +
    + mdio_write(ioaddr, location, val);
    +}
    +
    +static int rtl_mdio_read(struct net_device *dev, int phy_id, int location)
    +{
    + struct rtl8169_private *tp = netdev_priv(dev);
    + void __iomem *ioaddr = tp->mmio_addr;
    +
    + return mdio_read(ioaddr, location);
    +}
    +
    static void rtl8169_irq_mask_and_ack(void __iomem *ioaddr)
    {
    RTL_W16(IntrMask, 0x0000);
    @@ -850,7 +870,7 @@ static int rtl8169_rx_vlan_skb(struct rt

    #endif

    -static void rtl8169_gset_tbi(struct net_device *dev, struct ethtool_cmd *cmd)
    +static int rtl8169_gset_tbi(struct net_device *dev, struct ethtool_cmd *cmd)
    {
    struct rtl8169_private *tp = netdev_priv(dev);
    void __iomem *ioaddr = tp->mmio_addr;
    @@ -867,65 +887,29 @@ static void rtl8169_gset_tbi(struct net_

    cmd->speed = SPEED_1000;
    cmd->duplex = DUPLEX_FULL; /* Always set */
    +
    + return 0;
    }

    -static void rtl8169_gset_xmii(struct net_device *dev, struct ethtool_cmd *cmd)
    +static int rtl8169_gset_xmii(struct net_device *dev, struct ethtool_cmd *cmd)
    {
    struct rtl8169_private *tp = netdev_priv(dev);
    - void __iomem *ioaddr = tp->mmio_addr;
    - u8 status;
    -
    - cmd->supported = SUPPORTED_10baseT_Half |
    - SUPPORTED_10baseT_Full |
    - SUPPORTED_100baseT_Half |
    - SUPPORTED_100baseT_Full |
    - SUPPORTED_1000baseT_Full |
    - SUPPORTED_Autoneg |
    - SUPPORTED_TP;
    -
    - cmd->autoneg = 1;
    - cmd->advertising = ADVERTISED_TP | ADVERTISED_Autoneg;
    -
    - if (tp->phy_auto_nego_reg & ADVERTISE_10HALF)
    - cmd->advertising |= ADVERTISED_10baseT_Half;
    - if (tp->phy_auto_nego_reg & ADVERTISE_10FULL)
    - cmd->advertising |= ADVERTISED_10baseT_Full;
    - if (tp->phy_auto_nego_reg & ADVERTISE_100HALF)
    - cmd->advertising |= ADVERTISED_100baseT_Half;
    - if (tp->phy_auto_nego_reg & ADVERTISE_100FULL)
    - cmd->advertising |= ADVERTISED_100baseT_Full;
    - if (tp->phy_1000_ctrl_reg & ADVERTISE_1000FULL)
    - cmd->advertising |= ADVERTISED_1000baseT_Full;
    -
    - status = RTL_R8(PHYstatus);
    -
    - if (status & _1000bpsF)
    - cmd->speed = SPEED_1000;
    - else if (status & _100bps)
    - cmd->speed = SPEED_100;
    - else if (status & _10bps)
    - cmd->speed = SPEED_10;
    -
    - if (status & TxFlowCtrl)
    - cmd->advertising |= ADVERTISED_Asym_Pause;
    - if (status & RxFlowCtrl)
    - cmd->advertising |= ADVERTISED_Pause;

    - cmd->duplex = ((status & _1000bpsF) || (status & FullDup)) ?
    - DUPLEX_FULL : DUPLEX_HALF;
    + return mii_ethtool_gset(&tp->mii, cmd);
    }

    static int rtl8169_get_settings(struct net_device *dev, struct ethtool_cmd *cmd)
    {
    struct rtl8169_private *tp = netdev_priv(dev);
    unsigned long flags;
    + int rc;

    spin_lock_irqsave(&tp->lock, flags);

    - tp->get_settings(dev, cmd);
    + rc = tp->get_settings(dev, cmd);

    spin_unlock_irqrestore(&tp->lock, flags);
    - return 0;
    + return rc;
    }

    static void rtl8169_get_regs(struct net_device *dev, struct ethtool_regs *regs,
    @@ -1513,7 +1497,7 @@ static const struct rtl_cfg_info {
    unsigned int align;
    u16 intr_event;
    u16 napi_event;
    - unsigned msi;
    + unsigned features;
    } rtl_cfg_infos [] = {
    [RTL_CFG_0] = {
    .hw_start = rtl_hw_start_8169,
    @@ -1522,7 +1506,7 @@ static const struct rtl_cfg_info {
    .intr_event = SYSErr | LinkChg | RxOverflow |
    RxFIFOOver | TxErr | TxOK | RxOK | RxErr,
    .napi_event = RxFIFOOver | TxErr | TxOK | RxOK | RxOverflow,
    - .msi = 0
    + .features = RTL_FEATURE_GMII
    },
    [RTL_CFG_1] = {
    .hw_start = rtl_hw_start_8168,
    @@ -1531,7 +1515,7 @@ static const struct rtl_cfg_info {
    .intr_event = SYSErr | LinkChg | RxOverflow |
    TxErr | TxOK | RxOK | RxErr,
    .napi_event = TxErr | TxOK | RxOK | RxOverflow,
    - .msi = RTL_FEATURE_MSI
    + .features = RTL_FEATURE_GMII | RTL_FEATURE_MSI
    },
    [RTL_CFG_2] = {
    .hw_start = rtl_hw_start_8101,
    @@ -1540,7 +1524,7 @@ static const struct rtl_cfg_info {
    .intr_event = SYSErr | LinkChg | RxOverflow | PCSTimeout |
    RxFIFOOver | TxErr | TxOK | RxOK | RxErr,
    .napi_event = RxFIFOOver | TxErr | TxOK | RxOK | RxOverflow,
    - .msi = RTL_FEATURE_MSI
    + .features = RTL_FEATURE_MSI
    }
    };

    @@ -1552,7 +1536,7 @@ static unsigned rtl_try_msi(struct pci_d
    u8 cfg2;

    cfg2 = RTL_R8(Config2) & ~MSIEnable;
    - if (cfg->msi) {
    + if (cfg->features & RTL_FEATURE_MSI) {
    if (pci_enable_msi(pdev)) {
    dev_info(&pdev->dev, "no MSI. Back to INTx.\n");
    } else {
    @@ -1578,6 +1562,7 @@ rtl8169_init_one(struct pci_dev *pdev, c
    const struct rtl_cfg_info *cfg = rtl_cfg_infos + ent->driver_data;
    const unsigned int region = cfg->region;
    struct rtl8169_private *tp;
    + struct mii_if_info *mii;
    struct net_device *dev;
    void __iomem *ioaddr;
    unsigned int i;
    @@ -1602,6 +1587,14 @@ rtl8169_init_one(struct pci_dev *pdev, c
    tp->pci_dev = pdev;
    tp->msg_enable = netif_msg_init(debug.msg_enable, R8169_MSG_DEFAULT);

    + mii = &tp->mii;
    + mii->dev = dev;
    + mii->mdio_read = rtl_mdio_read;
    + mii->mdio_write = rtl_mdio_write;
    + mii->phy_id_mask = 0x1f;
    + mii->reg_num_mask = 0x1f;
    + mii->supports_gmii = !!(cfg->features & RTL_FEATURE_GMII);
    +
    /* enable device (incl. PCI PM wakeup and hotplug setup) */
    rc = pci_enable_device(pdev);
    if (rc < 0) {

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  5. [patch 09/49] hugetlbfs: handle pages higher order than MAX_ORDER

    2.6.27-stable review patch. If anyone has any objections, please let us know.

    ------------------

    From: Andy Whitcroft

    commit 69d177c2fc702d402b17fdca2190d5a7e3ca55c5 upstream

    When working with hugepages, hugetlbfs assumes that those hugepages are
    smaller than MAX_ORDER. Specifically it assumes that the mem_map is
    contigious and uses that to optimise access to the elements of the mem_map
    that represent the hugepage. Gigantic pages (such as 16GB pages on
    powerpc) by definition are of greater order than MAX_ORDER (larger than
    MAX_ORDER_NR_PAGES in size). This means that we can no longer make use of
    the buddy alloctor guarentees for the contiguity of the mem_map, which
    ensures that the mem_map is at least contigious for maximmally aligned
    areas of MAX_ORDER_NR_PAGES pages.

    This patch adds new mem_map accessors and iterator helpers which handle
    any discontiguity at MAX_ORDER_NR_PAGES boundaries. It then uses these to
    implement gigantic page versions of copy_huge_page and clear_huge_page,
    and to allow follow_hugetlb_page handle gigantic pages.

    Signed-off-by: Andy Whitcroft
    Cc: Jon Tollefson
    Cc: Mel Gorman
    Cc: Nick Piggin
    Cc: Christoph Lameter
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds

    ---
    mm/hugetlb.c | 37 ++++++++++++++++++++++++++++++++++++-
    mm/internal.h | 28 ++++++++++++++++++++++++++++
    2 files changed, 64 insertions(+), 1 deletion(-)

    --- a/mm/hugetlb.c
    +++ b/mm/hugetlb.c
    @@ -353,11 +353,26 @@ static int vma_has_reserves(struct vm_ar
    return 0;
    }

    +static void clear_gigantic_page(struct page *page,
    + unsigned long addr, unsigned long sz)
    +{
    + int i;
    + struct page *p = page;
    +
    + might_sleep();
    + for (i = 0; i < sz/PAGE_SIZE; i++, p = mem_map_next(p, page, i)) {
    + cond_resched();
    + clear_user_highpage(p, addr + i * PAGE_SIZE);
    + }
    +}
    static void clear_huge_page(struct page *page,
    unsigned long addr, unsigned long sz)
    {
    int i;

    + if (unlikely(sz > MAX_ORDER_NR_PAGES))
    + return clear_gigantic_page(page, addr, sz);
    +
    might_sleep();
    for (i = 0; i < sz/PAGE_SIZE; i++) {
    cond_resched();
    @@ -365,12 +380,32 @@ static void clear_huge_page(struct page
    }
    }

    +static void copy_gigantic_page(struct page *dst, struct page *src,
    + unsigned long addr, struct vm_area_struct *vma)
    +{
    + int i;
    + struct hstate *h = hstate_vma(vma);
    + struct page *dst_base = dst;
    + struct page *src_base = src;
    + might_sleep();
    + for (i = 0; i < pages_per_huge_page(h); ) {
    + cond_resched();
    + copy_user_highpage(dst, src, addr + i*PAGE_SIZE, vma);
    +
    + i++;
    + dst = mem_map_next(dst, dst_base, i);
    + src = mem_map_next(src, src_base, i);
    + }
    +}
    static void copy_huge_page(struct page *dst, struct page *src,
    unsigned long addr, struct vm_area_struct *vma)
    {
    int i;
    struct hstate *h = hstate_vma(vma);

    + if (unlikely(pages_per_huge_page(h) > MAX_ORDER_NR_PAGES))
    + return copy_gigantic_page(dst, src, addr, vma);
    +
    might_sleep();
    for (i = 0; i < pages_per_huge_page(h); i++) {
    cond_resched();
    @@ -2113,7 +2148,7 @@ int follow_hugetlb_page(struct mm_struct
    same_page:
    if (pages) {
    get_page(page);
    - pages[i] = page + pfn_offset;
    + pages[i] = mem_map_offset(page, pfn_offset);
    }

    if (vmas)
    --- a/mm/internal.h
    +++ b/mm/internal.h
    @@ -54,6 +54,34 @@ static inline unsigned long page_order(s
    }

    /*
    + * Return the mem_map entry representing the 'offset' subpage within
    + * the maximally aligned gigantic page 'base'. Handle any discontiguity
    + * in the mem_map at MAX_ORDER_NR_PAGES boundaries.
    + */
    +static inline struct page *mem_map_offset(struct page *base, int offset)
    +{
    + if (unlikely(offset >= MAX_ORDER_NR_PAGES))
    + return pfn_to_page(page_to_pfn(base) + offset);
    + return base + offset;
    +}
    +
    +/*
    + * Iterator over all subpages withing the maximally aligned gigantic
    + * page 'base'. Handle any discontiguity in the mem_map.
    + */
    +static inline struct page *mem_map_next(struct page *iter,
    + struct page *base, int offset)
    +{
    + if (unlikely((offset & (MAX_ORDER_NR_PAGES - 1)) == 0)) {
    + unsigned long pfn = page_to_pfn(base) + offset;
    + if (!pfn_valid(pfn))
    + return NULL;
    + return pfn_to_page(pfn);
    + }
    + return iter + 1;
    +}
    +
    +/*
    * FLATMEM and DISCONTIGMEM configurations use alloc_bootmem_node,
    * so all functions starting at paging_init should be marked __init
    * in those cases. SPARSEMEM, however, allows for memory hotplug,

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  6. [patch 13/49] md: linear: Fix a division by zero bug for very small arrays.

    2.6.27-stable review patch. If anyone has any objections, please let us know.

    ------------------

    From: Andre Noll

    commit f1cd14ae52985634d0389e934eba25b5ecf24565 upstream

    Date: Thu, 6 Nov 2008 19:41:24 +1100
    Subject: [patch 13/49] md: linear: Fix a division by zero bug for very small arrays.

    We currently oops with a divide error on starting a linear software
    raid array consisting of at least two very small (< 500K) devices.

    The bug is caused by the calculation of the hash table size which
    tries to compute sector_div(sz, base) with "base" being zero due to
    the small size of the component devices of the array.

    Fix this by requiring the hash spacing to be at least one which
    implies that also "base" is non-zero.

    This bug has existed since about 2.6.14.

    Signed-off-by: Andre Noll
    Signed-off-by: NeilBrown
    Signed-off-by: Greg Kroah-Hartman

    ---
    drivers/md/linear.c | 2 ++
    1 file changed, 2 insertions(+)

    --- a/drivers/md/linear.c
    +++ b/drivers/md/linear.c
    @@ -157,6 +157,8 @@ static linear_conf_t *linear_conf(mddev_

    min_spacing = conf->array_sectors / 2;
    sector_div(min_spacing, PAGE_SIZE/sizeof(struct dev_info *));
    + if (min_spacing == 0)
    + min_spacing = 1;

    /* min_spacing is the minimum spacing that will fit the hash
    * table in one PAGE. This may be much smaller than needed.

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  7. [patch 34/49] iwlwifi: generic init calibrations framework

    2.6.27-stable review patch. If anyone has any objections, please let us know.

    ------------------

    From: Tomas Winkler

    commit 6e21f2c109edd746a10e08186484bae8168cdd0c upstream

    This patch allows variable number of init calibrations and allows
    addition new HW.

    This patch also fixes critical bug. Only last calibration result
    was applied. On reception of one calibration result all the calibration
    was freed.

    Signed-off-by: Tomas Winkler
    Signed-off-by: Emmanuel Grumbach
    Signed-off-by: Zhu Yi
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

    ---
    drivers/net/wireless/iwlwifi/iwl-5000-hw.h | 7 +++
    drivers/net/wireless/iwlwifi/iwl-5000.c | 63 ++++-------------------------
    drivers/net/wireless/iwlwifi/iwl-calib.c | 60 +++++++++++++++++++++++++++
    drivers/net/wireless/iwlwifi/iwl-core.c | 19 --------
    drivers/net/wireless/iwlwifi/iwl-core.h | 8 +++
    drivers/net/wireless/iwlwifi/iwl-dev.h | 14 ++----
    6 files changed, 90 insertions(+), 81 deletions(-)

    --- a/drivers/net/wireless/iwlwifi/iwl-5000.c
    +++ b/drivers/net/wireless/iwlwifi/iwl-5000.c
    @@ -445,48 +445,6 @@ static int iwl5000_send_Xtal_calib(struc
    sizeof(cal_cmd), &cal_cmd);
    }

    -static int iwl5000_send_calib_results(struct iwl_priv *priv)
    -{
    - int ret = 0;
    -
    - struct iwl_host_cmd hcmd = {
    - .id = REPLY_PHY_CALIBRATION_CMD,
    - .meta.flags = CMD_SIZE_HUGE,
    - };
    -
    - if (priv->calib_results.lo_res) {
    - hcmd.len = priv->calib_results.lo_res_len;
    - hcmd.data = priv->calib_results.lo_res;
    - ret = iwl_send_cmd_sync(priv, &hcmd);
    -
    - if (ret)
    - goto err;
    - }
    -
    - if (priv->calib_results.tx_iq_res) {
    - hcmd.len = priv->calib_results.tx_iq_res_len;
    - hcmd.data = priv->calib_results.tx_iq_res;
    - ret = iwl_send_cmd_sync(priv, &hcmd);
    -
    - if (ret)
    - goto err;
    - }
    -
    - if (priv->calib_results.tx_iq_perd_res) {
    - hcmd.len = priv->calib_results.tx_iq_perd_res_len;
    - hcmd.data = priv->calib_results.tx_iq_perd_res;
    - ret = iwl_send_cmd_sync(priv, &hcmd);
    -
    - if (ret)
    - goto err;
    - }
    -
    - return 0;
    -err:
    - IWL_ERROR("Error %d\n", ret);
    - return ret;
    -}
    -
    static int iwl5000_send_calib_cfg(struct iwl_priv *priv)
    {
    struct iwl5000_calib_cfg_cmd calib_cfg_cmd;
    @@ -511,33 +469,30 @@ static void iwl5000_rx_calib_result(stru
    struct iwl_rx_packet *pkt = (void *)rxb->skb->data;
    struct iwl5000_calib_hdr *hdr = (struct iwl5000_calib_hdr *)pkt->u.raw;
    int len = le32_to_cpu(pkt->len) & FH_RSCSR_FRAME_SIZE_MSK;
    -
    - iwl_free_calib_results(priv);
    + int index;

    /* reduce the size of the length field itself */
    len -= 4;

    + /* Define the order in which the results will be sent to the runtime
    + * uCode. iwl_send_calib_results sends them in a row according to their
    + * index. We sort them here */
    switch (hdr->op_code) {
    case IWL5000_PHY_CALIBRATE_LO_CMD:
    - priv->calib_results.lo_res = kzalloc(len, GFP_ATOMIC);
    - priv->calib_results.lo_res_len = len;
    - memcpy(priv->calib_results.lo_res, pkt->u.raw, len);
    + index = IWL5000_CALIB_LO;
    break;
    case IWL5000_PHY_CALIBRATE_TX_IQ_CMD:
    - priv->calib_results.tx_iq_res = kzalloc(len, GFP_ATOMIC);
    - priv->calib_results.tx_iq_res_len = len;
    - memcpy(priv->calib_results.tx_iq_res, pkt->u.raw, len);
    + index = IWL5000_CALIB_TX_IQ;
    break;
    case IWL5000_PHY_CALIBRATE_TX_IQ_PERD_CMD:
    - priv->calib_results.tx_iq_perd_res = kzalloc(len, GFP_ATOMIC);
    - priv->calib_results.tx_iq_perd_res_len = len;
    - memcpy(priv->calib_results.tx_iq_perd_res, pkt->u.raw, len);
    + index = IWL5000_CALIB_TX_IQ_PERD;
    break;
    default:
    IWL_ERROR("Unknown calibration notification %d\n",
    hdr->op_code);
    return;
    }
    + iwl_calib_set(&priv->calib_results[index], pkt->u.raw, len);
    }

    static void iwl5000_rx_calib_complete(struct iwl_priv *priv,
    @@ -832,7 +787,7 @@ static int iwl5000_alive_notify(struct i
    iwl5000_send_Xtal_calib(priv);

    if (priv->ucode_type == UCODE_RT)
    - iwl5000_send_calib_results(priv);
    + iwl_send_calib_results(priv);

    return 0;
    }
    --- a/drivers/net/wireless/iwlwifi/iwl-5000-hw.h
    +++ b/drivers/net/wireless/iwlwifi/iwl-5000-hw.h
    @@ -129,6 +129,13 @@ struct iwl5000_shared {
    __le32 padding2;
    } __attribute__ ((packed));

    +/* calibrations defined for 5000 */
    +/* defines the order in which results should be sent to the runtime uCode */
    +enum iwl5000_calib {
    + IWL5000_CALIB_LO,
    + IWL5000_CALIB_TX_IQ,
    + IWL5000_CALIB_TX_IQ_PERD,
    +};

    #endif /* __iwl_5000_hw_h__ */

    --- a/drivers/net/wireless/iwlwifi/iwl-calib.c
    +++ b/drivers/net/wireless/iwlwifi/iwl-calib.c
    @@ -66,6 +66,66 @@
    #include "iwl-core.h"
    #include "iwl-calib.h"

    +/************************************************** ***************************
    + * INIT calibrations framework
    + ************************************************** ***************************/
    +
    + int iwl_send_calib_results(struct iwl_priv *priv)
    +{
    + int ret = 0;
    + int i = 0;
    +
    + struct iwl_host_cmd hcmd = {
    + .id = REPLY_PHY_CALIBRATION_CMD,
    + .meta.flags = CMD_SIZE_HUGE,
    + };
    +
    + for (i = 0; i < IWL_CALIB_MAX; i++)
    + if (priv->calib_results[i].buf) {
    + hcmd.len = priv->calib_results[i].buf_len;
    + hcmd.data = priv->calib_results[i].buf;
    + ret = iwl_send_cmd_sync(priv, &hcmd);
    + if (ret)
    + goto err;
    + }
    +
    + return 0;
    +err:
    + IWL_ERROR("Error %d iteration %d\n", ret, i);
    + return ret;
    +}
    +EXPORT_SYMBOL(iwl_send_calib_results);
    +
    +int iwl_calib_set(struct iwl_calib_result *res, const u8 *buf, int len)
    +{
    + if (res->buf_len != len) {
    + kfree(res->buf);
    + res->buf = kzalloc(len, GFP_ATOMIC);
    + }
    + if (unlikely(res->buf == NULL))
    + return -ENOMEM;
    +
    + res->buf_len = len;
    + memcpy(res->buf, buf, len);
    + return 0;
    +}
    +EXPORT_SYMBOL(iwl_calib_set);
    +
    +void iwl_calib_free_results(struct iwl_priv *priv)
    +{
    + int i;
    +
    + for (i = 0; i < IWL_CALIB_MAX; i++) {
    + kfree(priv->calib_results[i].buf);
    + priv->calib_results[i].buf = NULL;
    + priv->calib_results[i].buf_len = 0;
    + }
    +}
    +
    +/************************************************** ***************************
    + * RUNTIME calibrations framework
    + ************************************************** ***************************/
    +
    /* "false alarms" are signals that our DSP tries to lock onto,
    * but then determines that they are either noise, or transmissions
    * from a distant wireless network (also "noise", really) that get
    --- a/drivers/net/wireless/iwlwifi/iwl-core.c
    +++ b/drivers/net/wireless/iwlwifi/iwl-core.c
    @@ -956,22 +956,6 @@ err:
    }
    EXPORT_SYMBOL(iwl_init_drv);

    -void iwl_free_calib_results(struct iwl_priv *priv)
    -{
    - kfree(priv->calib_results.lo_res);
    - priv->calib_results.lo_res = NULL;
    - priv->calib_results.lo_res_len = 0;
    -
    - kfree(priv->calib_results.tx_iq_res);
    - priv->calib_results.tx_iq_res = NULL;
    - priv->calib_results.tx_iq_res_len = 0;
    -
    - kfree(priv->calib_results.tx_iq_perd_res);
    - priv->calib_results.tx_iq_perd_res = NULL;
    - priv->calib_results.tx_iq_perd_res_len = 0;
    -}
    -EXPORT_SYMBOL(iwl_free_calib_results);
    -
    int iwl_set_tx_power(struct iwl_priv *priv, s8 tx_power, bool force)
    {
    int ret = 0;
    @@ -999,10 +983,9 @@ int iwl_set_tx_power(struct iwl_priv *pr
    }
    EXPORT_SYMBOL(iwl_set_tx_power);

    -
    void iwl_uninit_drv(struct iwl_priv *priv)
    {
    - iwl_free_calib_results(priv);
    + iwl_calib_free_results(priv);
    iwlcore_free_geos(priv);
    iwl_free_channel_map(priv);
    kfree(priv->scan);
    --- a/drivers/net/wireless/iwlwifi/iwl-core.h
    +++ b/drivers/net/wireless/iwlwifi/iwl-core.h
    @@ -186,7 +186,6 @@ struct ieee80211_hw *iwl_alloc_all(struc
    void iwl_hw_detect(struct iwl_priv *priv);

    void iwl_clear_stations_table(struct iwl_priv *priv);
    -void iwl_free_calib_results(struct iwl_priv *priv);
    void iwl_reset_qos(struct iwl_priv *priv);
    void iwl_set_rxon_chain(struct iwl_priv *priv);
    int iwl_set_rxon_channel(struct iwl_priv *priv,
    @@ -291,6 +290,13 @@ int iwl_scan_initiate(struct iwl_priv *p
    void iwl_setup_rx_scan_handlers(struct iwl_priv *priv);
    void iwl_setup_scan_deferred_work(struct iwl_priv *priv);

    +/************************************************** *****************************
    + * Calibrations - implemented in iwl-calib.c
    + ************************************************** ****************************/
    +int iwl_send_calib_results(struct iwl_priv *priv);
    +int iwl_calib_set(struct iwl_calib_result *res, const u8 *buf, int len);
    +void iwl_calib_free_results(struct iwl_priv *priv);
    +
    /************************************************** ***
    * S e n d i n g H o s t C o m m a n d s *
    ************************************************** ***/
    --- a/drivers/net/wireless/iwlwifi/iwl-dev.h
    +++ b/drivers/net/wireless/iwlwifi/iwl-dev.h
    @@ -745,13 +745,10 @@ struct statistics_general_data {
    u32 beacon_energy_c;
    };

    -struct iwl_calib_results {
    - void *tx_iq_res;
    - void *tx_iq_perd_res;
    - void *lo_res;
    - u32 tx_iq_res_len;
    - u32 tx_iq_perd_res_len;
    - u32 lo_res_len;
    +/* Opaque calibration results */
    +struct iwl_calib_result {
    + void *buf;
    + size_t buf_len;
    };

    enum ucode_type {
    @@ -813,6 +810,7 @@ enum {


    #define IWL_MAX_NUM_QUEUES 20 /* FIXME: do dynamic allocation */
    +#define IWL_CALIB_MAX 3

    struct iwl_priv {

    @@ -857,7 +855,7 @@ struct iwl_priv {
    s32 last_temperature;

    /* init calibration results */
    - struct iwl_calib_results calib_results;
    + struct iwl_calib_result calib_results[IWL_CALIB_MAX];

    /* Scan related variables */
    unsigned long last_scan_jiffies;

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  8. [patch 18/49] MTD: Fix cfi_send_gen_cmd handling of x16 devices in x8 mode (v4)


    2.6.27-stable review patch. If anyone has any objections, please let us know.

    ------------------

    From: Eric W. Biederman

    commit 467622ef2acb01986eab37ef96c3632b3ea35999 upstream

    For "unlock" cycles to 16bit devices in 8bit compatibility mode we need
    to use the byte addresses 0xaaa and 0x555. These effectively match
    the word address 0x555 and 0x2aa, except the latter has its low bit set.

    Most chips don't care about the value of the 'A-1' pin in x8 mode,
    but some -- like the ST M29W320D -- do. So we need to be careful to
    set it where appropriate.

    cfi_send_gen_cmd is only ever passed addresses where the low byte
    is 0x00, 0x55 or 0xaa. Of those, only addresses ending 0xaa are
    affected by this patch, by masking in the extra low bit when the device
    is known to be in compatibility mode.

    [dwmw2: Do it only when (cmd_ofs & 0xff) == 0xaa]
    v4: Fix stupid typo in cfi_build_cmd_addr that failed to compile
    I'm writing this patch way to late at night.
    v3: Bring all of the work back into cfi_build_cmd_addr
    including calling of map_bankwidth(map) and cfi_interleave(cfi)
    So every caller doesn't need to.
    v2: Only modified the address if we our device_type is larger than our
    bus width.

    Signed-off-by: Eric W. Biederman
    Signed-off-by: David Woodhouse
    Signed-off-by: Greg Kroah-Hartman

    ---
    drivers/mtd/chips/cfi_cmdset_0002.c | 13 -------------
    drivers/mtd/chips/jedec_probe.c | 10 ++++------
    include/linux/mtd/cfi.h | 22 +++++++++++++++++++---
    3 files changed, 23 insertions(+), 22 deletions(-)

    --- a/drivers/mtd/chips/cfi_cmdset_0002.c
    +++ b/drivers/mtd/chips/cfi_cmdset_0002.c
    @@ -362,19 +362,6 @@ struct mtd_info *cfi_cmdset_0002(struct
    /* Set the default CFI lock/unlock addresses */
    cfi->addr_unlock1 = 0x555;
    cfi->addr_unlock2 = 0x2aa;
    - /* Modify the unlock address if we are in compatibility mode */
    - if ( /* x16 in x8 mode */
    - ((cfi->device_type == CFI_DEVICETYPE_X8) &&
    - (cfi->cfiq->InterfaceDesc ==
    - CFI_INTERFACE_X8_BY_X16_ASYNC)) ||
    - /* x32 in x16 mode */
    - ((cfi->device_type == CFI_DEVICETYPE_X16) &&
    - (cfi->cfiq->InterfaceDesc ==
    - CFI_INTERFACE_X16_BY_X32_ASYNC)))
    - {
    - cfi->addr_unlock1 = 0xaaa;
    - cfi->addr_unlock2 = 0x555;
    - }

    } /* CFI mode */
    else if (cfi->cfi_mode == CFI_MODE_JEDEC) {
    --- a/drivers/mtd/chips/jedec_probe.c
    +++ b/drivers/mtd/chips/jedec_probe.c
    @@ -1808,9 +1808,7 @@ static inline u32 jedec_read_mfr(struct
    * several first banks can contain 0x7f instead of actual ID
    */
    do {
    - uint32_t ofs = cfi_build_cmd_addr(0 + (bank << 8),
    - cfi_interleave(cfi),
    - cfi->device_type);
    + uint32_t ofs = cfi_build_cmd_addr(0 + (bank << 8), map, cfi);
    mask = (1 << (cfi->device_type * 8)) - 1;
    result = map_read(map, base + ofs);
    bank++;
    @@ -1824,7 +1822,7 @@ static inline u32 jedec_read_id(struct m
    {
    map_word result;
    unsigned long mask;
    - u32 ofs = cfi_build_cmd_addr(1, cfi_interleave(cfi), cfi->device_type);
    + u32 ofs = cfi_build_cmd_addr(1, map, cfi);
    mask = (1 << (cfi->device_type * 8)) -1;
    result = map_read(map, base + ofs);
    return result.x[0] & mask;
    @@ -2067,8 +2065,8 @@ static int jedec_probe_chip(struct map_i

    }
    /* Ensure the unlock addresses we try stay inside the map */
    - probe_offset1 = cfi_build_cmd_addr(cfi->addr_unlock1, cfi_interleave(cfi), cfi->device_type);
    - probe_offset2 = cfi_build_cmd_addr(cfi->addr_unlock2, cfi_interleave(cfi), cfi->device_type);
    + probe_offset1 = cfi_build_cmd_addr(cfi->addr_unlock1, map, cfi);
    + probe_offset2 = cfi_build_cmd_addr(cfi->addr_unlock2, map, cfi);
    if ( ((base + probe_offset1 + map_bankwidth(map)) >= map->size) ||
    ((base + probe_offset2 + map_bankwidth(map)) >= map->size))
    goto retry;
    --- a/include/linux/mtd/cfi.h
    +++ b/include/linux/mtd/cfi.h
    @@ -281,9 +281,25 @@ struct cfi_private {
    /*
    * Returns the command address according to the given geometry.
    */
    -static inline uint32_t cfi_build_cmd_addr(uint32_t cmd_ofs, int interleave, int type)
    +static inline uint32_t cfi_build_cmd_addr(uint32_t cmd_ofs,
    + struct map_info *map, struct cfi_private *cfi)
    {
    - return (cmd_ofs * type) * interleave;
    + unsigned bankwidth = map_bankwidth(map);
    + unsigned interleave = cfi_interleave(cfi);
    + unsigned type = cfi->device_type;
    + uint32_t addr;
    +
    + addr = (cmd_ofs * type) * interleave;
    +
    + /* Modify the unlock address if we are in compatiblity mode.
    + * For 16bit devices on 8 bit busses
    + * and 32bit devices on 16 bit busses
    + * set the low bit of the alternating bit sequence of the address.
    + */
    + if (((type * interleave) > bankwidth) && ((uint8_t)cmd_ofs == 0xaa))
    + addr |= (type >> 1)*interleave;
    +
    + return addr;
    }

    /*
    @@ -429,7 +445,7 @@ static inline uint32_t cfi_send_gen_cmd(
    int type, map_word *prev_val)
    {
    map_word val;
    - uint32_t addr = base + cfi_build_cmd_addr(cmd_addr, cfi_interleave(cfi), type);
    + uint32_t addr = base + cfi_build_cmd_addr(cmd_addr, map, cfi);

    val = cfi_build_cmd(cmd, map, cfi);


    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  9. [patch 42/49] libata: fix last_reset timestamp handling

    2.6.27-stable review patch. If anyone has any objections, please let us know.

    ------------------

    From: Tejun Heo

    commit 19b723218bde79c60a394a3caee9eb156ac2d356 upstream

    ehc->last_reset is used to ensure that resets are not issued too
    close to each other. It's initialized to jiffies minus one minute
    on EH entry. However, when new links are initialized after PMP is
    probed, new links have zero for this timestamp resulting in long wait
    depending on the current jiffies.

    This patch makes last_set considered iff ATA_EHI_DID_RESET is set, in
    which case last_reset is always initialized. As an added precaution,
    WARN_ON() is added so that warning is printed if last_reset is
    in future.

    This problem is spotted and debugged by Shane Huang.

    Signed-off-by: Tejun Heo
    Cc: Shane Huang
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

    ---
    drivers/ata/libata-eh.c | 21 +++++++++++----------
    1 file changed, 11 insertions(+), 10 deletions(-)

    --- a/drivers/ata/libata-eh.c
    +++ b/drivers/ata/libata-eh.c
    @@ -604,9 +604,6 @@ void ata_scsi_error(struct Scsi_Host *ho
    if (ata_ncq_enabled(dev))
    ehc->saved_ncq_enabled |= 1 << devno;
    }
    -
    - /* set last reset timestamp to some time in the past */
    - ehc->last_reset = jiffies - 60 * HZ;
    }

    ap->pflags |= ATA_PFLAG_EH_IN_PROGRESS;
    @@ -2209,17 +2206,21 @@ int ata_eh_reset(struct ata_link *link,
    if (link->flags & ATA_LFLAG_NO_SRST)
    softreset = NULL;

    - now = jiffies;
    - deadline = ata_deadline(ehc->last_reset, ATA_EH_RESET_COOL_DOWN);
    - if (time_before(now, deadline))
    - schedule_timeout_uninterruptible(deadline - now);
    + /* make sure each reset attemp is at least COOL_DOWN apart */
    + if (ehc->i.flags & ATA_EHI_DID_RESET) {
    + now = jiffies;
    + WARN_ON(time_after(ehc->last_reset, now));
    + deadline = ata_deadline(ehc->last_reset,
    + ATA_EH_RESET_COOL_DOWN);
    + if (time_before(now, deadline))
    + schedule_timeout_uninterruptible(deadline - now);
    + }

    spin_lock_irqsave(ap->lock, flags);
    ap->pflags |= ATA_PFLAG_RESETTING;
    spin_unlock_irqrestore(ap->lock, flags);

    ata_eh_about_to_do(link, NULL, ATA_EH_RESET);
    - ehc->last_reset = jiffies;

    ata_link_for_each_dev(dev, link) {
    /* If we issue an SRST then an ATA drive (not ATAPI)
    @@ -2285,7 +2286,6 @@ int ata_eh_reset(struct ata_link *link,
    /*
    * Perform reset
    */
    - ehc->last_reset = jiffies;
    if (ata_is_host_link(link))
    ata_eh_freeze_port(ap);

    @@ -2297,6 +2297,7 @@ int ata_eh_reset(struct ata_link *link,
    reset == softreset ? "soft" : "hard");

    /* mark that this EH session started with reset */
    + ehc->last_reset = jiffies;
    if (reset == hardreset)
    ehc->i.flags |= ATA_EHI_DID_HARDRESET;
    else
    @@ -2404,7 +2405,7 @@ int ata_eh_reset(struct ata_link *link,

    /* reset successful, schedule revalidation */
    ata_eh_done(link, NULL, ATA_EH_RESET);
    - ehc->last_reset = jiffies;
    + ehc->last_reset = jiffies; /* update to completion time */
    ehc->i.action |= ATA_EH_REVALIDATE;

    rc = 0;

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  10. [patch 49/49] HID: fix incorrent length condition in hidraw_write()

    2.6.27-stable review patch. If anyone has any objections, please let us know.

    ------------------

    From: Jiri Kosina

    upstream commit 2b107d629dc0c35de606bb7b010b829cd247a93a

    From: Jiri Kosina

    The bound check on the buffer length

    if (count > HID_MIN_BUFFER_SIZE)

    is of course incorrent, the proper check is

    if (count > HID_MAX_BUFFER_SIZE)

    Fix it.

    Reported-by: Jerry Ryle
    Signed-off-by: Jiri Kosina
    Cc: Paul Stoffregen
    Signed-off-by: Greg Kroah-Hartman

    ---
    drivers/hid/hidraw.c | 2 +-
    1 file changed, 1 insertion(+), 1 deletion(-)

    --- a/drivers/hid/hidraw.c
    +++ b/drivers/hid/hidraw.c
    @@ -113,7 +113,7 @@ static ssize_t hidraw_write(struct file
    if (!dev->hid_output_raw_report)
    return -ENODEV;

    - if (count > HID_MIN_BUFFER_SIZE) {
    + if (count > HID_MAX_BUFFER_SIZE) {
    printk(KERN_WARNING "hidraw: pid %d passed too large report\n",
    task_pid_nr(current));
    return -EINVAL;

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  11. [patch 45/49] mmc: increase SD write timeout for crappy cards

    2.6.27-stable review patch. If anyone has any objections, please let us know.

    ------------------

    From: Pierre Ossman

    commit 493890e75d98810a3470b4aae23be628ee5e9667 upstream.

    It seems that some cards are slightly out of spec and occasionally
    will not be able to complete a write in the alloted 250 ms [1].
    Incease the timeout slightly to allow even these cards to function
    properly.

    [1] http://lkml.org/lkml/2008/9/23/390

    Signed-off-by: Pierre Ossman
    Signed-off-by: Greg Kroah-Hartman

    ---
    drivers/mmc/core/core.c | 6 +++++-
    1 file changed, 5 insertions(+), 1 deletion(-)

    --- a/drivers/mmc/core/core.c
    +++ b/drivers/mmc/core/core.c
    @@ -280,7 +280,11 @@ void mmc_set_data_timeout(struct mmc_dat
    (card->host->ios.clock / 1000);

    if (data->flags & MMC_DATA_WRITE)
    - limit_us = 250000;
    + /*
    + * The limit is really 250 ms, but that is
    + * insufficient for some crappy cards.
    + */
    + limit_us = 300000;
    else
    limit_us = 100000;


    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  12. [patch 36/49] iwl3945: fix deadlock on suspend

    2.6.27-stable review patch. If anyone has any objections, please let us know.

    ------------------

    From: Zhu Yi

    commit d54bc4e3fc5c56600a13c9ebc0a7e1077ac05d59 upstream.

    This patch fixes iwl3945 deadlock during suspend by moving notify_mac out
    of iwl3945 mutex. This is a portion of the same fix for iwlwifi by Tomas.

    Signed-off-by: Zhu Yi
    Signed-off-by: Tomas Winkler
    Signed-off-by: Reinette Chatre
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

    ---
    drivers/net/wireless/iwlwifi/iwl3945-base.c | 2 +-
    1 file changed, 1 insertion(+), 1 deletion(-)

    --- a/drivers/net/wireless/iwlwifi/iwl3945-base.c
    +++ b/drivers/net/wireless/iwlwifi/iwl3945-base.c
    @@ -5761,7 +5761,6 @@ static void iwl3945_alive_start(struct i
    if (priv->error_recovering)
    iwl3945_error_recovery(priv);

    - ieee80211_notify_mac(priv->hw, IEEE80211_NOTIFY_RE_ASSOC);
    return;

    restart:
    @@ -6006,6 +6005,7 @@ static void iwl3945_bg_alive_start(struc
    mutex_lock(&priv->mutex);
    iwl3945_alive_start(priv);
    mutex_unlock(&priv->mutex);
    + ieee80211_notify_mac(priv->hw, IEEE80211_NOTIFY_RE_ASSOC);
    }

    static void iwl3945_bg_rf_kill(struct work_struct *work)

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  13. [patch 40/49] ARM: 5300/1: fixup spitz reset during boot

    2.6.27-stable review patch. If anyone has any objections, please let us know.

    ------------------

    From: Dmitry Baryshkov

    commit 69fc7eed5f56bce15b239e5110de2575a6970df4 upstream

    Some machines don't have the pullup/down on their reset
    pin, so configuring the reset generating pin as input makes
    them reset immediately. Fix that by making reset pin direction
    configurable.

    This fixes the boot problem on Sharp Zaurus c3000

    Signed-off-by: Dmitry Baryshkov
    Signed-off-by: Russell King
    Signed-off-by: Pavel Machek
    Signed-off-by: Greg Kroah-Hartman

    ---
    arch/arm/mach-pxa/include/mach/reset.h | 9 ++++++---
    arch/arm/mach-pxa/reset.c | 9 ++++++---
    arch/arm/mach-pxa/spitz.c | 2 +-
    arch/arm/mach-pxa/tosa.c | 2 +-
    4 files changed, 14 insertions(+), 8 deletions(-)

    --- a/arch/arm/mach-pxa/include/mach/reset.h
    +++ b/arch/arm/mach-pxa/include/mach/reset.h
    @@ -10,9 +10,12 @@
    extern unsigned int reset_status;
    extern void clear_reset_status(unsigned int mask);

    -/*
    - * register GPIO as reset generator
    +/**
    + * init_gpio_reset() - register GPIO as reset generator
    + *
    + * @gpio - gpio nr
    + * @output - set gpio as out/low instead of input during normal work
    */
    -extern int init_gpio_reset(int gpio);
    +extern int init_gpio_reset(int gpio, int output);

    #endif /* __ASM_ARCH_RESET_H */
    --- a/arch/arm/mach-pxa/reset.c
    +++ b/arch/arm/mach-pxa/reset.c
    @@ -20,7 +20,7 @@ static void do_hw_reset(void);

    static int reset_gpio = -1;

    -int init_gpio_reset(int gpio)
    +int init_gpio_reset(int gpio, int output)
    {
    int rc;

    @@ -30,9 +30,12 @@ int init_gpio_reset(int gpio)
    goto out;
    }

    - rc = gpio_direction_input(gpio);
    + if (output)
    + rc = gpio_direction_output(gpio, 0);
    + else
    + rc = gpio_direction_input(gpio);
    if (rc) {
    - printk(KERN_ERR "Can't configure reset_gpio for input\n");
    + printk(KERN_ERR "Can't configure reset_gpio\n");
    gpio_free(gpio);
    goto out;
    }
    --- a/arch/arm/mach-pxa/spitz.c
    +++ b/arch/arm/mach-pxa/spitz.c
    @@ -548,7 +548,7 @@ static void spitz_restart(char mode)

    static void __init common_init(void)
    {
    - init_gpio_reset(SPITZ_GPIO_ON_RESET);
    + init_gpio_reset(SPITZ_GPIO_ON_RESET, 1);
    pm_power_off = spitz_poweroff;
    arm_pm_restart = spitz_restart;

    --- a/arch/arm/mach-pxa/tosa.c
    +++ b/arch/arm/mach-pxa/tosa.c
    @@ -781,7 +781,7 @@ static void __init tosa_init(void)
    gpio_set_wake(MFP_PIN_GPIO1, 1);
    /* We can't pass to gpio-keys since it will drop the Reset altfunc */

    - init_gpio_reset(TOSA_GPIO_ON_RESET);
    + init_gpio_reset(TOSA_GPIO_ON_RESET, 0);

    pm_power_off = tosa_poweroff;
    arm_pm_restart = tosa_restart;

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  14. [patch 38/49] cpqarry: fix return value of cpqarray_init()

    2.6.27-stable review patch. If anyone has any objections, please let us know.

    ------------------

    From: Andrey Borzenkov

    commit 2197d18ded232ef6eef63cce57b6b21eddf1b7b6 upstream.

    As reported by Dick Gevers on Compaq ProLiant:

    Oct 13 18:06:51 dvgcpl kernel: Compaq SMART2 Driver (v 2.6.0)
    Oct 13 18:06:51 dvgcpl kernel: sys_init_module: 'cpqarray'->init
    suspiciously returned 1, it should follow 0/-E convention
    Oct 13 18:06:51 dvgcpl kernel: sys_init_module: loading module anyway...
    Oct 13 18:06:51 dvgcpl kernel: Pid: 315, comm: modprobe Not tainted
    2.6.27-desktop-0.rc8.2mnb #1
    Oct 13 18:06:51 dvgcpl kernel: [] ? printk+0x18/0x1e
    Oct 13 18:06:51 dvgcpl kernel: [] sys_init_module+0x155/0x1c0
    Oct 13 18:06:51 dvgcpl kernel: [] syscall_call+0x7/0xb
    Oct 13 18:06:51 dvgcpl kernel: =======================

    Make it return 0 on success and -ENODEV if no array was found.

    Reported-by: Dick Gevers
    Signed-off-by: Andrey Borzenkov
    Cc: Jens Axboe
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

    ---
    drivers/block/cpqarray.c | 7 ++++++-
    1 file changed, 6 insertions(+), 1 deletion(-)

    --- a/drivers/block/cpqarray.c
    +++ b/drivers/block/cpqarray.c
    @@ -567,7 +567,12 @@ static int __init cpqarray_init(void)
    num_cntlrs_reg++;
    }

    - return(num_cntlrs_reg);
    + if (num_cntlrs_reg)
    + return 0;
    + else {
    + pci_unregister_driver(&cpqarray_pci_driver);
    + return -ENODEV;
    + }
    }

    /* Function to find the first free pointer into our hba[] array */

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  15. Re: [patch 00/49] 2.6.27.5 stable review

    Greg KH wrote:

    > This is the start of the stable review cycle for the 2.6.27.5 release.
    > There are 49 patches in this series, all will be posted as a response to
    > this one.



    Hmm , again 2.6.27.5 ? I guess you mean 2.6.27.6 ?
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  16. [patch 37/49] iwl3945: do not send scan command if channel count zero

    2.6.27-stable review patch. If anyone has any objections, please let us know.

    ------------------

    From: Reinette Chatre

    commit 14b5433606289dbc5b6fd70ced11462f80e95003 upstream.

    Do not send scan command if no channels to scan.

    This avoids a Microcode error as reported in:
    http://www.intellinuxwireless.org/bu...ug.cgi?id=1650
    http://bugzilla.kernel.org/show_bug.cgi?id=11806
    http://marc.info/?l=linux-wireless&m...7145211886&w=2

    Signed-off-by: Reinette Chatre
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

    ---
    drivers/net/wireless/iwlwifi/iwl3945-base.c | 5 +++++
    1 file changed, 5 insertions(+)

    --- a/drivers/net/wireless/iwlwifi/iwl3945-base.c
    +++ b/drivers/net/wireless/iwlwifi/iwl3945-base.c
    @@ -6259,6 +6259,11 @@ static void iwl3945_bg_request_scan(stru
    direct_mask,
    (void *)&scan->data[le16_to_cpu(scan->tx_cmd.len)]);

    + if (scan->channel_count == 0) {
    + IWL_DEBUG_SCAN("channel count %d\n", scan->channel_count);
    + goto done;
    + }
    +
    cmd.len += le16_to_cpu(scan->tx_cmd.len) +
    scan->channel_count * sizeof(struct iwl3945_scan_channel);
    cmd.data = scan;

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  17. [patch 46/49] hfsplus: fix Buffer overflow with a corrupted image (CVE-2008-4933)

    2.6.27-stable review patch. If anyone has any objections, please let us know.

    ------------------

    From: Eric Sesterhenn

    commit efc7ffcb4237f8cb9938909041c4ed38f6e1bf40 upstream

    When an hfsplus image gets corrupted it might happen that the catalog
    namelength field gets b0rked. If we mount such an image the memcpy() in
    hfsplus_cat_build_key_uni() writes more than the 255 that fit in the name
    field. Depending on the size of the overwritten data, we either only get
    memory corruption or also trigger an oops like this:

    [ 221.628020] BUG: unable to handle kernel paging request at c82b0000
    [ 221.629066] IP: [] hfsplus_find_cat+0x10d/0x151
    [ 221.629066] *pde = 0ea29163 *pte = 082b0160
    [ 221.629066] Oops: 0002 [#1] PREEMPT DEBUG_PAGEALLOC
    [ 221.629066] Modules linked in:
    [ 221.629066]
    [ 221.629066] Pid: 4845, comm: mount Not tainted (2.6.27-rc4-00123-gd3ee1b4-dirty #28)
    [ 221.629066] EIP: 0060:[] EFLAGS: 00010206 CPU: 0
    [ 221.629066] EIP is at hfsplus_find_cat+0x10d/0x151
    [ 221.629066] EAX: 00000029 EBX: 00016210 ECX: 000042c2 EDX: 00000002
    [ 221.629066] ESI: c82d70ca EDI: c82b0000 EBP: c82d1bcc ESP: c82d199c
    [ 221.629066] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
    [ 221.629066] Process mount (pid: 4845, ti=c82d1000 task=c8224060 task.ti=c82d1000)
    [ 221.629066] Stack: c080b3c4 c82aa8f8 c82d19c2 00016210 c080b3be c82d1bd4 c82aa8f0 00000300
    [ 221.629066] 01000000 750008b1 74006e00 74006900 65006c00 c82d6400 c013bd35 c8224060
    [ 221.629066] 00000036 00000046 c82d19f0 00000082 c8224548 c8224060 00000036 c0d653cc
    [ 221.629066] Call Trace:
    [ 221.629066] [] ? trace_hardirqs_off+0xb/0xd
    [ 221.629066] [] ? trace_hardirqs_off_caller+0x14/0x9b
    [ 221.629066] [] ? trace_hardirqs_off+0xb/0xd
    [ 221.629066] [] ? trace_hardirqs_off_caller+0x14/0x9b
    [ 221.629066] [] ? trace_hardirqs_off+0xb/0xd
    [ 221.629066] [] ? native_sched_clock+0x82/0x96
    [ 221.629066] [] ? __kernel_text_address+0x1b/0x27
    [ 221.629066] [] ? dump_trace+0xca/0xd6
    [ 221.629066] [] ? save_stack_address+0x0/0x2c
    [ 221.629066] [] ? save_stack_trace+0x1c/0x3a
    [ 221.629066] [] ? save_trace+0x37/0x8d
    [ 221.629066] [] ? add_lock_to_list+0x67/0x8d
    [ 221.629066] [] ? validate_chain+0x8a4/0x9f4
    [ 221.629066] [] ? down+0xc/0x2f
    [ 221.629066] [] ? __lock_acquire+0x68a/0x6e0
    [ 221.629066] [] ? trace_hardirqs_off+0xb/0xd
    [ 221.629066] [] ? trace_hardirqs_off_caller+0x14/0x9b
    [ 221.629066] [] ? trace_hardirqs_off+0xb/0xd
    [ 221.629066] [] ? native_sched_clock+0x82/0x96
    [ 221.629066] [] ? mark_held_locks+0x43/0x5a
    [ 221.629066] [] ? trace_hardirqs_on+0xb/0xd
    [ 221.629066] [] ? trace_hardirqs_on_caller+0xf4/0x12f
    [ 221.629066] [] ? _spin_unlock_irqrestore+0x42/0x58
    [ 221.629066] [] ? down+0x2b/0x2f
    [ 221.629066] [] ? hfsplus_iget+0xa0/0x154
    [ 221.629066] [] ? hfsplus_fill_super+0x280/0x447
    [ 221.629066] [] ? native_sched_clock+0x82/0x96
    [ 221.629066] [] ? trace_hardirqs_off_caller+0x14/0x9b
    [ 221.629066] [] ? trace_hardirqs_off_caller+0x14/0x9b
    [ 221.629066] [] ? __lock_acquire+0x68a/0x6e0
    [ 221.629066] [] ? string+0x2b/0x74
    [ 221.629066] [] ? vsnprintf+0x2e9/0x512
    [ 221.629066] [] ? dump_trace+0xca/0xd6
    [ 221.629066] [] ? save_stack_trace+0x1c/0x3a
    [ 221.629066] [] ? save_stack_trace+0x1c/0x3a
    [ 221.629066] [] ? save_trace+0x37/0x8d
    [ 221.629066] [] ? add_lock_to_list+0x67/0x8d
    [ 221.629066] [] ? validate_chain+0x8a4/0x9f4
    [ 221.629066] [] ? up+0xc/0x2f
    [ 221.629066] [] ? __lock_acquire+0x68a/0x6e0
    [ 221.629066] [] ? trace_hardirqs_off+0xb/0xd
    [ 221.629066] [] ? trace_hardirqs_off_caller+0x14/0x9b
    [ 221.629066] [] ? trace_hardirqs_off+0xb/0xd
    [ 221.629066] [] ? native_sched_clock+0x82/0x96
    [ 221.629066] [] ? snprintf+0x1b/0x1d
    [ 221.629066] [] ? disk_name+0x25/0x67
    [ 221.629066] [] ? get_sb_bdev+0xcd/0x10b
    [ 221.629066] [] ? kstrdup+0x2a/0x4c
    [ 221.629066] [] ? hfsplus_get_sb+0x13/0x15
    [ 221.629066] [] ? hfsplus_fill_super+0x0/0x447
    [ 221.629066] [] ? vfs_kern_mount+0x3b/0x76
    [ 221.629066] [] ? do_kern_mount+0x32/0xba
    [ 221.629066] [] ? do_new_mount+0x46/0x74
    [ 221.629066] [] ? do_mount+0x175/0x193
    [ 221.629066] [] ? trace_hardirqs_on_caller+0xf4/0x12f
    [ 221.629066] [] ? __get_free_pages+0x1e/0x24
    [ 221.629066] [] ? lock_kernel+0x19/0x8c
    [ 221.629066] [] ? sys_mount+0x51/0x9b
    [ 221.629066] [] ? sys_mount+0x64/0x9b
    [ 221.629066] [] ? sysenter_do_call+0x12/0x31
    [ 221.629066] =======================
    [ 221.629066] Code: 89 c2 c1 e2 08 c1 e8 08 09 c2 8b 85 e8 fd ff ff 66 89 50 06 89 c7 53 83 c7 08 56 57 68 c4 b3 80 c0 e8 8c 5c ef ff 89 d9 c1 e9 02 a5 89 d9 83 e1 03 74 02 f3 a4 83 c3 06 8b 95 e8 fd ff ff 0f
    [ 221.629066] EIP: [] hfsplus_find_cat+0x10d/0x151 SS:ESP 0068:c82d199c
    [ 221.629066] ---[ end trace e417a1d67f0d0066 ]---

    Since hfsplus_cat_build_key_uni() returns void and only has one callsite,
    the check is performed at the callsite.

    Signed-off-by: Eric Sesterhenn
    Reviewed-by: Pekka Enberg
    Cc: Roman Zippel
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

    ---
    fs/hfsplus/catalog.c | 5 +++++
    1 file changed, 5 insertions(+)

    --- a/fs/hfsplus/catalog.c
    +++ b/fs/hfsplus/catalog.c
    @@ -168,6 +168,11 @@ int hfsplus_find_cat(struct super_block
    return -EIO;
    }

    + if (be16_to_cpu(tmp.thread.nodeName.length) > 255) {
    + printk(KERN_ERR "hfs: catalog name length corrupted\n");
    + return -EIO;
    + }
    +
    hfsplus_cat_build_key_uni(fd->search_key, be32_to_cpu(tmp.thread.parentID),
    &tmp.thread.nodeName);
    return hfs_brec_find(fd);

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  18. [patch 48/49] hfs: fix namelength memory corruption (CVE-2008-5025)

    2.6.27-stable review patch. If anyone has any objections, please let us know.

    ------------------

    From: Eric Sesterhenn

    commit d38b7aa7fc3371b52d036748028db50b585ade2e upstream

    Fix a stack corruption caused by a corrupted hfs filesystem. If the
    catalog name length is corrupted the memcpy overwrites the catalog btree
    structure. Since the field is limited to HFS_NAMELEN bytes in the
    structure and the file format, we throw an error if it is too long.

    Cc: Roman Zippel
    Signed-off-by: Eric Sesterhenn
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

    ---
    fs/hfs/catalog.c | 4 ++++
    1 file changed, 4 insertions(+)

    --- a/fs/hfs/catalog.c
    +++ b/fs/hfs/catalog.c
    @@ -190,6 +190,10 @@ int hfs_cat_find_brec(struct super_block

    fd->search_key->cat.ParID = rec.thread.ParID;
    len = fd->search_key->cat.CName.len = rec.thread.CName.len;
    + if (len > HFS_NAMELEN) {
    + printk(KERN_ERR "hfs: bad catalog namelength\n");
    + return -EIO;
    + }
    memcpy(fd->search_key->cat.CName.name, rec.thread.CName.name, len);
    return hfs_brec_find(fd);
    }

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  19. [patch 47/49] hfsplus: check read_mapping_page() return value (CVE-2008-4934)

    2.6.27-stable review patch. If anyone has any objections, please let us know.

    ------------------

    From: Eric Sesterhenn

    commit 649f1ee6c705aab644035a7998d7b574193a598a upstream.

    While testing more corrupted images with hfsplus, i came across
    one which triggered the following bug:

    [15840.675016] BUG: unable to handle kernel paging request at fffffffb
    [15840.675016] IP: [] kmap+0x15/0x56
    [15840.675016] *pde = 00008067 *pte = 00000000
    [15840.675016] Oops: 0000 [#1] PREEMPT DEBUG_PAGEALLOC
    [15840.675016] Modules linked in:
    [15840.675016]
    [15840.675016] Pid: 11575, comm: ln Not tainted (2.6.27-rc4-00123-gd3ee1b4-dirty #29)
    [15840.675016] EIP: 0060:[] EFLAGS: 00010202 CPU: 0
    [15840.675016] EIP is at kmap+0x15/0x56
    [15840.675016] EAX: 00000246 EBX: fffffffb ECX: 00000000 EDX: cab919c0
    [15840.675016] ESI: 000007dd EDI: cab0bcf4 EBP: cab0bc98 ESP: cab0bc94
    [15840.675016] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
    [15840.675016] Process ln (pid: 11575, ti=cab0b000 task=cab919c0 task.ti=cab0b000)
    [15840.675016] Stack: 00000000 cab0bcdc c0231cfb 00000000 cab0bce0 00000800 ca9290c0 fffffffb
    [15840.675016] cab145d0 cab919c0 cab15998 22222222 22222222 22222222 00000001 cab15960
    [15840.675016] 000007dd cab0bcf4 cab0bd04 c022cb3a cab0bcf4 cab15a6c ca9290c0 00000000
    [15840.675016] Call Trace:
    [15840.675016] [] ? hfsplus_block_allocate+0x6f/0x2d3
    [15840.675016] [] ? hfsplus_file_extend+0xc4/0x1db
    [15840.675016] [] ? hfsplus_get_block+0x8c/0x19d
    [15840.675016] [] ? sub_preempt_count+0x9d/0xab
    [15840.675016] [] ? __block_prepare_write+0x147/0x311
    [15840.675016] [] ? __grab_cache_page+0x52/0x73
    [15840.675016] [] ? block_write_begin+0x79/0xd5
    [15840.675016] [] ? hfsplus_get_block+0x0/0x19d
    [15840.675016] [] ? cont_write_begin+0x27f/0x2af
    [15840.675016] [] ? hfsplus_get_block+0x0/0x19d
    [15840.675016] [] ? tick_program_event+0x28/0x4c
    [15840.675016] [] ? trace_hardirqs_off+0xb/0xd
    [15840.675016] [] ? hfsplus_write_begin+0x2d/0x32
    [15840.675016] [] ? hfsplus_get_block+0x0/0x19d
    [15840.675016] [] ? pagecache_write_begin+0x33/0x107
    [15840.675016] [] ? __page_symlink+0x3c/0xae
    [15840.675016] [] ? __mark_inode_dirty+0x12f/0x137
    [15840.675016] [] ? page_symlink+0x19/0x1e
    [15840.675016] [] ? hfsplus_symlink+0x41/0xa6
    [15840.675016] [] ? vfs_symlink+0x99/0x101
    [15840.675016] [] ? sys_symlinkat+0x6b/0xad
    [15840.675016] [] ? sys_symlink+0x10/0x12
    [15840.675016] [] ? sysenter_do_call+0x12/0x31
    [15840.675016] =======================
    [15840.675016] Code: 00 00 75 10 83 3d 88 2f ec c0 02 75 07 89 d0 e8 12 56 05 00 5d c3 55 ba 06 00 00 00 89 e5 53 89 c3 b8 3d eb 7e c0 e8 16 74 00 00 <8b> 03 c1 e8 1e 69 c0 d8 02 00 00 05 b8 69 8e c0 2b 80 c4 02 00
    [15840.675016] EIP: [] kmap+0x15/0x56 SS:ESP 0068:cab0bc94
    [15840.675016] ---[ end trace 4fea40dad6b70e5f ]---

    This happens because the return value of read_mapping_page() is passed on
    to kmap unchecked. The bug is triggered after the first
    read_mapping_page() in hfsplus_block_allocate(), this patch fixes all
    three usages in this functions but leaves the ones further down in the
    file unchanged.

    Signed-off-by: Eric Sesterhenn
    Cc: Roman Zippel
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

    ---
    fs/hfsplus/bitmap.c | 12 ++++++++++++
    1 file changed, 12 insertions(+)

    --- a/fs/hfsplus/bitmap.c
    +++ b/fs/hfsplus/bitmap.c
    @@ -32,6 +32,10 @@ int hfsplus_block_allocate(struct super_
    mutex_lock(&HFSPLUS_SB(sb).alloc_file->i_mutex);
    mapping = HFSPLUS_SB(sb).alloc_file->i_mapping;
    page = read_mapping_page(mapping, offset / PAGE_CACHE_BITS, NULL);
    + if (IS_ERR(page)) {
    + start = size;
    + goto out;
    + }
    pptr = kmap(page);
    curr = pptr + (offset & (PAGE_CACHE_BITS - 1)) / 32;
    i = offset % 32;
    @@ -73,6 +77,10 @@ int hfsplus_block_allocate(struct super_
    break;
    page = read_mapping_page(mapping, offset / PAGE_CACHE_BITS,
    NULL);
    + if (IS_ERR(page)) {
    + start = size;
    + goto out;
    + }
    curr = pptr = kmap(page);
    if ((size ^ offset) / PAGE_CACHE_BITS)
    end = pptr + PAGE_CACHE_BITS / 32;
    @@ -120,6 +128,10 @@ found:
    offset += PAGE_CACHE_BITS;
    page = read_mapping_page(mapping, offset / PAGE_CACHE_BITS,
    NULL);
    + if (IS_ERR(page)) {
    + start = size;
    + goto out;
    + }
    pptr = kmap(page);
    curr = pptr;
    end = pptr + PAGE_CACHE_BITS / 32;

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

  20. [patch 39/49] ACPI: dock: avoid check _STA method

    2.6.27-stable review patch. If anyone has any objections, please let us know.

    ------------------

    From: Shaohua Li

    commit 8b59560a3baf2e7c24e0fb92ea5d09eca92805db upstream.

    In some BIOSes, every _STA method call will send a notification again,
    this cause freeze. And in some BIOSes, it appears _STA should be called
    after _DCK. This tries to avoid calls _STA, and still keep the device
    present check.

    http://bugzilla.kernel.org/show_bug.cgi?id=10431

    Signed-off-by: Shaohua Li
    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

    ---
    drivers/acpi/dock.c | 5 ++++-
    1 file changed, 4 insertions(+), 1 deletion(-)

    --- a/drivers/acpi/dock.c
    +++ b/drivers/acpi/dock.c
    @@ -604,14 +604,17 @@ static int handle_eject_request(struct d
    static void dock_notify(acpi_handle handle, u32 event, void *data)
    {
    struct dock_station *ds = data;
    + struct acpi_device *tmp;

    switch (event) {
    case ACPI_NOTIFY_BUS_CHECK:
    - if (!dock_in_progress(ds) && dock_present(ds)) {
    + if (!dock_in_progress(ds) && acpi_bus_get_device(ds->handle,
    + &tmp)) {
    begin_dock(ds);
    dock(ds);
    if (!dock_present(ds)) {
    printk(KERN_ERR PREFIX "Unable to dock!\n");
    + complete_dock(ds);
    break;
    }
    atomic_notifier_call_chain(&dock_notifier_list,

    --
    --
    To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
    the body of a message to majordomo@vger.kernel.org
    More majordomo info at http://vger.kernel.org/majordomo-info.html
    Please read the FAQ at http://www.tux.org/lkml/

+ Reply to Thread
Page 2 of 3 FirstFirst 1 2 3 LastLast