summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* [SCSI] fix use-after-free in scsi_init_io()James Bottomley2010-09-091-1/+1
| | | | | | | | | we're using a pointer through a freed command to reset the request, which has shown up as an oops with slab poisoning: Reported-by: Tejun Heo <tj@kernel.org> Reported-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
* [SCSI] sd: fix medium-removal bugAlan Stern2010-09-071-1/+1
| | | | | | | | | | | | Commit 409f3499a2cfcd1e9c2857c53af7fcce069f027f (scsi/sd: remove big kernel lock) introduced a bug in the sd_release routine. Medium removal should be allowed when the number of open file references drops to 0, not when it becomes non-zero. This patch (as1414) adjusts the test to fix the bug. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
* [SCSI] qla2xxx: Update version number to 8.03.04-k0.Madhuranath Iyengar2010-09-051-2/+2
| | | | | Signed-off-by: Giridhar Malavali <giridhar.malavali@qlogic.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
* [SCSI] qla2xxx: Check for empty slot in request queue before posting Command ↵Giridhar Malavali2010-09-051-0/+13
| | | | | | | | | | | type 6 request. For ISP82xx, the check for empty slot in request queue before posting command type 6 request was missing. This could lead to request queue entry corruptions causing IO timeouts. Signed-off-by: Giridhar Malavali <giridhar.malavali@qlogic.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
* [SCSI] qla2xxx: Cover UNDERRUN case where SCSI status is set.Lalit Chandivade2010-09-051-3/+4
| | | | | | | | | Currently, if target sets the SCSI Status (with Check condition) and there is no FCP residual bit set then driver does not check for dropped frame. This could lead to data corruption. Signed-off-by: Giridhar Malavali <giridhar.malavali@qlogic.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
* [SCSI] qla2xxx: Correctly set fw hung and complete only waiting mbx.Giridhar Malavali2010-09-051-8/+12
| | | | | | | | | The fw_hung flag should be set ir-respective of if there is a mbx command pending or not. Also the complete should be called if there is a mbx waiting. Signed-off-by: Giridhar Malavali <giridhar.malavali@qlogic.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
* [SCSI] qla2xxx: Reset seconds_since_last_heartbeat correctly.Lalit Chandivade2010-09-051-1/+2
| | | | | | | | | The seconds_since_last_heartbeat should be checked for consecutive heartbeat checks. Currently it could happen that seconds_since_last_heartbeat gets set to max (2 seconds) for non-consecutive heartbeat checks. Signed-off-by: Giridhar Malavali <giridhar.malavali@qlogic.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
* [SCSI] qla2xxx: make rport deletions explicit during vport removalArun Easi2010-09-051-1/+0
| | | | | Signed-off-by: Giridhar Malavali <giridhar.malavali@qlogic.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
* [SCSI] qla2xxx: Fix vport delete issuesArun Easi2010-09-057-36/+207
| | | | | Signed-off-by: Giridhar Malavali <giridhar.malavali@qlogic.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
* [SCSI] sd, sym53c8xx: Remove warnings after vsprintf %pV introducation.David Miller2010-09-022-9/+7
| | | | | | | | | | | | | GCC warns about empty printf format strings, and after the addition of %pV these existing such cases in the scsi driver layer were exposed enough for the compiler to start seeing them. Based almost entirely upon a patch by Joe Perches. [jejb: fix up sym53c8xx msg] Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
* [SCSI] Fix warning: zero-length gnu_printf format stringJean Sacren2010-09-021-3/+3
| | | | | | | | | warning: zero-length gnu_printf format string Fix the above warning by inserting a space into the literal string. Signed-off-by: Jean Sacren <sakiwit@gmail.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
* [SCSI] hpsa: disable doorbell reset on reset_devicesStephen M. Cameron2010-09-021-0/+6
| | | | | | | | | | | | | | | The doorbell reset initially appears to work correctly, the controller resets, comes up, some i/o can even be done, but on at least some Smart Arrays in some servers, it eventually causes a subsequent controller lockup due to some kind of PCIe error, and kdump can end up leaving the root filesystem in an unbootable state. For this reason, until the problem is fixed, or at least isolated to certain hardware enough to be avoided, the doorbell reset should not be used at all. Signed-off-by: Stephen M. Cameron <scameron@beardog.cce.hp.com> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
* [SCSI] be2iscsi: Fix for Login failureJayamohan Kallickal2010-09-022-4/+3
| | | | | | | | | | The current code in tree has problems with Login. This patch fixes the Login Failure . Signed-off-by: Jayamohan Kallickal <jayamohank@serverengines.com> [mnc: Can't believe I missed that.] Reviewed-by: Mike Christie <michaelc@cs.wisc.edu> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
* [SCSI] fix bio.bi_rw handlingJiri Slaby2010-09-021-1/+1
| | | | | | | | | | | | Return of the bi_rw tests is no longer bool after commit 74450be1. So testing against constants doesn't make sense anymore. Fix this bug in osd_req_read by removing "== 1" in test. This is not a problem now, where REQ_WRITE is 1, but this can change in the future and we don't want to rely on that. Signed-off-by: Jiri Slaby <jslaby@suse.cz> Signed-off-by: James Bottomley <James.Bottomley@suse.de>
* Linux 2.6.36-rc3v2.6.36-rc3Linus Torvalds2010-08-291-1/+1
|
* Merge branch 'for-linus' of ↵Linus Torvalds2010-08-295-26/+50
|\ | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6 * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ieee1394/linux1394-2.6: firewire: ohci: work around VIA and NEC PHY packet reception bug firewire: core: do not use del_timer_sync() in interrupt context firewire: net: fix unicast reception RCODE in failure paths firewire: sbp2: fix stall with "Unsolicited response" firewire: sbp2: fix memory leak in sbp2_cancel_orbs or at send error ieee1394: Adjust confusing if indentation
| * firewire: ohci: work around VIA and NEC PHY packet reception bugStefan Richter2010-08-291-1/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | VIA VT6306, VIA VT6308, and NEC OrangeLink controllers do not write packet event codes for received PHY packets (or perhaps write evt_no_status, hard to tell). Work around it by overwriting the packet's ACK by ack_complete, so that upper layers that listen to PHY packet reception get to see these packets. (Also tested: TI TSB82AA2, TI TSB43AB22/A, TI XIO2213A, Agere FW643, JMicron JMB381 --- these do not exhibit this bug.) Clemens proposed a quirks flag for that, IOW whitelist known misbehaving controllers for this workaround. Though to me it seems harmless enough to enable for all controllers. The log_ar_at_event() debug log will continue to show the original status from the DMA unit. Reported-by: Clemens Ladisch <clemens@ladisch.de> (VT6308) Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
| * firewire: core: do not use del_timer_sync() in interrupt contextClemens Ladisch2010-08-191-3/+10
| | | | | | | | | | | | | | | | | | | | | | | | | | Because we might be in interrupt context, replace del_timer_sync() with del_timer(). If the timer is already running, we know that it will clean up the transaction, so we do not need to do any further processing in the normal transaction handler. Many thanks to Yong Zhang for diagnosing this. Reported-by: Stefan Richter <stefanr@s5r6.in-berlin.de> Signed-off-by: Clemens Ladisch <clemens@ladisch.de> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
| * firewire: net: fix unicast reception RCODE in failure pathsStefan Richter2010-08-191-13/+15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The incoming request hander fwnet_receive_packet() expects subsequent datagram handling code to return non-zero on errors. However, almost none of the failure paths did so. Fix them all. (This error reporting is used to send and RCODE_CONFLICT_ERROR to the sender node in such failure cases. Two modes of failure exist: Out of memory, or firewire-net is unaware of any peer node to which a fragment or an ARP packet belongs. However, it is unclear whether a sender can actually make use of such information. A Linux peer apparently can't. Maybe it should all be simplified to void functions.) Reported-by: Julia Lawall <julia@diku.dk> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
| * firewire: sbp2: fix stall with "Unsolicited response"Stefan Richter2010-08-191-3/+8
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix I/O stalls with some 4-bay RAID enclosures which are based on OXUF936QSE: - Onnto dataTale RSM4QO, old firmware (not anymore with current firmware), - inXtron Hydra Super-S LCM, old as well as current firmware when used in RAID-5 mode, perhaps also in other RAID modes. The stalls happen during heavy or moderate disk traffic in periods that are a multiple of 5 minutes, roughly twice per hour. They are caused by the target responding too late to an ORB_Pointer register write: The target responds after Split_Timeout, hence firewire-core cancels the transaction, and firewire-sbp2 fails the SCSI request. The SCSI core retries the request, that fails again (and again), hence SCSI core calls firewire-sbp2's abort handler (and even the Management_Agent register write in the abort handler has the transaction timeout problem). During all that, the process which issued the I/O is stalled in I/O wait state. Meanwhile, the target actually acts on the first failed SCSI request: It responds to the ORB_Pointer write later (seen in the kernel log as "firewire_core: Unsolicited response") and also finishes the SCSI request with proper status (seen in the kernel log as "firewire_sbp2: status write for unknown orb"). So let's just ignore RCODE_CANCELLED in the transaction callback and wait for the target to complete the ORB nevertheless. This requires a small modification is sbp2_cancel_orbs(); it now needs to call orb->callback() regardless whether fw_cancel_transaction() found the transaction unfinished or finished. A different solution is to increase Split_Timeout on the local node. (Tested: 2000ms timeout; maybe 1000ms or something like that works too. 200ms is insufficient. Standard is 100ms.) However, I rather not do this because any software on any node could change the Split_Timeout to something unsuitable. Or such a large Split_Timeout may be undesirable for other purposes. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
| * firewire: sbp2: fix memory leak in sbp2_cancel_orbs or at send errorStefan Richter2010-08-191-5/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When an ORB was canceled (Command ORB i.e. SCSI request timed out, or Management ORB timed out), or there was a send error in the initial transaction, we missed to drop one of the ORB's references and thus leaked memory. Background: In total, we hold 3 references to each Operation Request Block: - 1 during sbp2_scsi_queuecommand() or sbp2_send_management_orb() respectively, - 1 for the duration of the write transaction to the ORB_Pointer or Management_Agent register of the target, - 1 for as long as the ORB stays within the lu->orb_list, until the ORB is unlinked from the list and the orb->callback was executed. The latter one of these 3 references is finished - normally by sbp2_status_write() when the target wrote status for a pending ORB, - or by sbp2_cancel_orbs() in case of an ORB time-out, - or by complete_transaction() in case of a send error. Of them, the latter two lacked the kref_put. Add the missing kref_put()s. Add comments to the gets and puts of references for transaction callbacks and ORB callbacks so that it is easier to see what is supposed to happen. Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
| * ieee1394: Adjust confusing if indentationJulia Lawall2010-08-051-1/+1
| | | | | | | | | | | | | | Indent the branch of an if. Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
* | Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6Linus Torvalds2010-08-2815-72/+98
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: net/ipv4: Eliminate kstrdup memory leak net/caif/cfrfml.c: use asm/unaligned.h ax25: missplaced sock_put(sk) qlge: reset the chip before freeing the buffers l2tp: test for ethernet header in l2tp_eth_dev_recv() tcp: select(writefds) don't hang up when a peer close connection tcp: fix three tcp sysctls tuning tcp: Combat per-cpu skew in orphan tests. pxa168_eth: silence gcc warnings pxa168_eth: update call to phy_mii_ioctl() pxa168_eth: fix error handling in prope pxa168_eth: remove unneeded null check phylib: Fix race between returning phydev and calling adjust_link caif-driver: add HAS_DMA dependency 3c59x: Fix deadlock between boomerang_interrupt and boomerang_start_tx qlcnic: fix poll implementation netxen: fix poll implementation bridge: netfilter: fix a memory leak
| * | net/ipv4: Eliminate kstrdup memory leakJulia Lawall2010-08-271-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The string clone is only used as a temporary copy of the argument val within the while loop, and so it should be freed before leaving the function. The call to strsep, however, modifies clone, so a pointer to the front of the string is kept in saved_clone, to make it possible to free it. The sematic match that finds this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @r exists@ local idexpression x; expression E; identifier l; statement S; @@ *x= \(kasprintf\|kstrdup\)(...); ... if (x == NULL) S ... when != kfree(x) when != E = x if (...) { <... when != kfree(x) * goto l; ...> * return ...; } // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | net/caif/cfrfml.c: use asm/unaligned.hJeff Mahoney2010-08-261-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | caif does not build on ia64 starting with 2.6.32-rc1. Using asm/unaligned.h instead of linux/unaligned/le_byteshift.h fixes the issue. include/linux/unaligned/le_byteshift.h:40:50: error: redefinition of 'get_unaligned_le16' include/linux/unaligned/le_byteshift.h:45:50: error: redefinition of 'get_unaligned_le32' include/linux/unaligned/le_byteshift.h:50:50: error: redefinition of 'get_unaligned_le64' include/linux/unaligned/le_byteshift.h:55:51: error: redefinition of 'put_unaligned_le16' include/linux/unaligned/le_byteshift.h:60:51: error: redefinition of 'put_unaligned_le32' include/linux/unaligned/le_byteshift.h:65:51: error: redefinition of 'put_unaligned_le64' include/linux/unaligned/le_struct.h:31:51: note: previous definition of 'put_unaligned_le64' was here Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | ax25: missplaced sock_put(sk)Bernard Pidoux F6BVP2010-08-261-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | This patch moves a missplaced sock_put(sk) after bh_unlock_sock(sk) like in other parts of AX25 driver. Signed-off-by: Bernard Pidoux <f6bvp@free.fr> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | qlge: reset the chip before freeing the buffersBreno Leitao2010-08-261-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Qlge is freeing the buffers before stopping the card DMA, and this can cause some severe error, as a EEH event on PPC. This patch just stop the card and then free the resources. Signed-off-by: Breno Leitao <leitao@linux.vnet.ibm.com> Signed-off-by: Ron Mercer <ron.mercer@qlogic.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | l2tp: test for ethernet header in l2tp_eth_dev_recv()Eric Dumazet2010-08-261-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | close https://bugzilla.kernel.org/show_bug.cgi?id=16529 Before calling dev_forward_skb(), we should make sure skb head contains at least an ethernet header, even if length included in upper layer said so. Use pskb_may_pull() to make sure this ethernet header is present in skb head. Reported-by: Thomas Heil <heil@terminal-consulting.de> Reported-by: Ian Campbell <Ian.Campbell@eu.citrix.com> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | tcp: select(writefds) don't hang up when a peer close connectionKOSAKI Motohiro2010-08-251-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This issue come from ruby language community. Below test program hang up when only run on Linux. % uname -mrsv Linux 2.6.26-2-486 #1 Sat Dec 26 08:37:39 UTC 2009 i686 % ruby -rsocket -ve ' BasicSocket.do_not_reverse_lookup = true serv = TCPServer.open("127.0.0.1", 0) s1 = TCPSocket.open("127.0.0.1", serv.addr[1]) s2 = serv.accept s2.close s1.write("a") rescue p $! s1.write("a") rescue p $! Thread.new { s1.write("a") }.join' ruby 1.9.3dev (2010-07-06 trunk 28554) [i686-linux] #<Errno::EPIPE: Broken pipe> [Hang Here] FreeBSD, Solaris, Mac doesn't. because Ruby's write() method call select() internally. and tcp_poll has a bug. SUS defined 'ready for writing' of select() as following. | A descriptor shall be considered ready for writing when a call to an output | function with O_NONBLOCK clear would not block, whether or not the function | would transfer data successfully. That said, EPIPE situation is clearly one of 'ready for writing'. We don't have read-side issue because tcp_poll() already has read side shutdown care. | if (sk->sk_shutdown & RCV_SHUTDOWN) | mask |= POLLIN | POLLRDNORM | POLLRDHUP; So, Let's insert same logic in write side. - reference url http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/31065 http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/31068 Signed-off-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | tcp: fix three tcp sysctls tuningEric Dumazet2010-08-251-17/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As discovered by Anton Blanchard, current code to autotune tcp_death_row.sysctl_max_tw_buckets, sysctl_tcp_max_orphans and sysctl_max_syn_backlog makes little sense. The bigger a page is, the less tcp_max_orphans is : 4096 on a 512GB machine in Anton's case. (tcp_hashinfo.bhash_size * sizeof(struct inet_bind_hashbucket)) is much bigger if spinlock debugging is on. Its wrong to select bigger limits in this case (where kernel structures are also bigger) bhash_size max is 65536, and we get this value even for small machines. A better ground is to use size of ehash table, this also makes code shorter and more obvious. Based on a patch from Anton, and another from David. Reported-and-tested-by: Anton Blanchard <anton@samba.org> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | tcp: Combat per-cpu skew in orphan tests.David S. Miller2010-08-253-12/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As reported by Anton Blanchard when we use percpu_counter_read_positive() to make our orphan socket limit checks, the check can be off by up to num_cpus_online() * batch (which is 32 by default) which on a 128 cpu machine can be as large as the default orphan limit itself. Fix this by doing the full expensive sum check if the optimized check triggers. Reported-by: Anton Blanchard <anton@samba.org> Signed-off-by: David S. Miller <davem@davemloft.net> Acked-by: Eric Dumazet <eric.dumazet@gmail.com>
| * | pxa168_eth: silence gcc warningsDan Carpenter2010-08-241-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Casting "pep->tx_desc_dma" to to a struct tx_desc pointer makes gcc complain: drivers/net/pxa168_eth.c:657: warning: cast to pointer from integer of different size Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | pxa168_eth: update call to phy_mii_ioctl()Dan Carpenter2010-08-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | The phy_mii_ioctl() function changed recently. It now takes a struct ifreq pointer directly. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | pxa168_eth: fix error handling in propeDan Carpenter2010-08-241-22/+22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A couple issues here: * Some resources weren't released. * If alloc_etherdev() failed it would have caused a NULL dereference because "pep" would be null when we checked "if (pep->clk)". * Also it's better to propagate the error codes from mdiobus_register() instead of just returning -ENOMEM. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | pxa168_eth: remove unneeded null checkDan Carpenter2010-08-241-4/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | "pep->pd" isn't checked consistently in this function. For example it's dereferenced unconditionally on the next line after the end of the if condition. This function is only called from pxa168_eth_probe() and pep->pd is always non-NULL so I removed the check. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | phylib: Fix race between returning phydev and calling adjust_linkAnton Vorontsov2010-08-241-0/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It is possible that phylib will call adjust_link before returning from {,of_}phy_connect(), which may cause the following [very rare, though] oops upon reopening the device: Unable to handle kernel paging request for data at address 0x0000024c Oops: Kernel access of bad area, sig: 11 [#1] PREEMPT SMP NR_CPUS=2 LTT NESTING LEVEL : 0 P1021 RDB Modules linked in: NIP: c0345dac LR: c0345dac CTR: c0345d84 TASK = dffab6b0[30] 'events/0' THREAD: c0d24000 CPU: 0 [...] NIP [c0345dac] adjust_link+0x28/0x19c LR [c0345dac] adjust_link+0x28/0x19c Call Trace: [c0d25f00] [000045e1] 0x45e1 (unreliable) [c0d25f30] [c036c158] phy_state_machine+0x3ac/0x554 [...] Here is why. Drivers store phydev in their private structures, e.g. gianfar driver: static int init_phy(struct net_device *dev) { ... priv->phydev = of_phy_connect(...); ... } So that adjust_link could retrieve it back: static void adjust_link(struct net_device *dev) { ... struct phy_device *phydev = priv->phydev; ... } If the device has been opened before, then phydev->state is set to PHY_HALTED (or undefined if the driver didn't call phy_stop()). Now, phy_connect starts the PHY state machine before returning phydev to the driver: phy_start_machine(phydev, NULL); if (phydev->irq > 0) phy_start_interrupts(phydev); return phydev; The time between 'phy_start_machine()' and 'return phydev' is undefined. The start machine routine delays execution for 1 second, which is enough for most cases. But under heavy load, or if you're unlucky, it is quite possible that PHY state machine will execute before phy_connect() returns, and so adjust_link callback will try to dereference phydev, which is not yet ready. To fix the issue, simply initialize the PHY's state to PHY_READY during phy_attach(). This will ensure that phylib won't call adjust_link before phy_start(). Signed-off-by: Anton Vorontsov <avorontsov@mvista.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | caif-driver: add HAS_DMA dependencyHeiko Carstens2010-08-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Fix this error on an s390 allyesconfig build: linux-2.6/drivers/net/caif/caif_spi.c:98: undefined reference to `dma_free_coherent' Cc: Sjur Braendeland <sjur.brandeland@stericsson.com> Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | 3c59x: Fix deadlock between boomerang_interrupt and boomerang_start_txNeil Horman2010-08-241-1/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If netconsole is in use, there is a possibility for deadlock in 3c59x between boomerang_interrupt and boomerang_start_xmit. Both routines take the vp->lock, and if netconsole is in use, a pr_* call from the boomerang_interrupt routine will result in the netconsole code attempting to trnasmit an skb, which can try to take the same spin lock, resulting in deadlock. The fix is pretty straightforward. This patch allocats a bit in the 3c59x private structure to indicate that its handling an interrupt. If we get into the transmit routine and that bit is set, we can be sure that we have recursed and will deadlock if we continue, so instead we just return NETDEV_TX_BUSY, so the stack requeues the skb to try again later. Signed-off-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | qlcnic: fix poll implementationYinglin Luan2010-08-231-1/+8
| | | | | | | | | | | | | | | | | | | | | | | | Function qlcnic_intr has pointer to qlcnic_host_sds_ring as second parameter not pointer to qlcnic_adapter. Signed-off-by: Yinglin Luan <synmyth@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | netxen: fix poll implementationYinglin Luan2010-08-231-1/+8
| | | | | | | | | | | | | | | | | | | | | | | | Function netxen_intr has pointer to nx_host_sds_ring as second parameter not pointer to netxen_adapter. Signed-off-by: Yinglin Luan <synmyth@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | bridge: netfilter: fix a memory leakChangli Gao2010-08-231-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | nf_bridge_alloc() always reset the skb->nf_bridge, so we should always put the old one. Signed-off-by: Changli Gao <xiaosuo@gmail.com> Signed-off-by: Bart De Schuymer <bdschuym@pandora.be> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | Merge branch 'for-linus' of ↵Linus Torvalds2010-08-2813-581/+0
|\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/vapier/blackfin * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/vapier/blackfin: Blackfin: bf52x/bf54x boards: drop unused nand page size Blackfin: punt duplicate SPORT MMR defines
| * | | Blackfin: bf52x/bf54x boards: drop unused nand page sizeBarry Song2010-08-275-5/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Now that the driver for the Blackfin on-chip NFC no longer uses/respects the page_size from the platform resources (figures out the needs on the fly), drop it from the platform resources. This fixes some build errors since the defines no longer exists. Signed-off-by: Barry Song <barry.song@analog.com> Signed-off-by: Mike Frysinger <vapier@gentoo.org>
| * | | Blackfin: punt duplicate SPORT MMR definesMike Frysinger2010-08-278-576/+0
| | | | | | | | | | | | | | | | | | | | | | | | | | | | The common bfin_sport.h header now has unified definitions of these, so stop polluting the global namespace. Signed-off-by: Mike Frysinger <vapier@gentoo.org>
* | | | Merge branch 'for-linus' of ↵Linus Torvalds2010-08-285-4/+14
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6 * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6: ALSA: pcm: add more format names sound: oss: fix uninitialized spinlock ALSA: asihpi - Return hw error directly from oustream_write. ASoC: soc-core: fix debugfs_pop_time file permissions ALSA: hda - Add Sony VAIO quirk for ALC269
| * \ \ \ Merge branch 'fix/asoc' into for-linusTakashi Iwai2010-08-281-1/+1
| |\ \ \ \
| | * | | | ASoC: soc-core: fix debugfs_pop_time file permissionsAxel Lin2010-08-271-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | I think this is a typo, debugfs_pop_time should not be executable. Signed-off-by: Axel Lin <axel.lin@gmail.com> Acked-by: Liam Girdwood <lrg@slimloogic.co.uk> Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
| * | | | | Merge branch 'fix/hda' into for-linusTakashi Iwai2010-08-281-0/+1
| |\ \ \ \ \
| | * | | | | ALSA: hda - Add Sony VAIO quirk for ALC269David Henningsson2010-08-261-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The attached patch enables playback on a Sony VAIO machine. BugLink: http://launchpad.net/bugs/618271 Signed-off-by: David Henningsson <david.henningsson@canonical.com> Cc: <stable@kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de>
| * | | | | | ALSA: pcm: add more format namesDan Carpenter2010-08-281-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | There were some new formats added in commit 15c0cee6c809 "ALSA: pcm: Define G723 3-bit and 5-bit formats". That commit increased SNDRV_PCM_FORMAT_LAST as well. My concern is that there are a couple places which do: for (i = 0; i < SNDRV_PCM_FORMAT_LAST; i++) { if (dummy->pcm_hw.formats & (1ULL << i)) snd_iprintf(buffer, " %s", snd_pcm_format_name(i)); } I haven't tested these but it looks like if "i" were equal to SNDRV_PCM_FORMAT_G723_24 or higher then we might read past the end of the array. Signed-off-by: Dan Carpenter <error27@gmail.com> Signed-off-by: Takashi Iwai <tiwai@suse.de>
OpenPOWER on IntegriCloud