No functional change, because gtt flushing is a no-op. Still, try
to keep the bookkeeping accurate. The if is still slightly wrong
for with execbuf2 even i915-class hw doesn't always need a fence
reg for gpu access. But that's for somewhen lateron.
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Eric Anholt <eric@anholt.net>
Print official names for Pineview and Ironlake, which is Intel
GMA3150 and Intel HD graphics.
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: Eric Anholt <eric@anholt.net>
Cache-coherency is maintained by gem. Drop these leftover MI_FLUSH
commands from the userspace code.
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Acked-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Eric Anholt <eric@anholt.net>
I retested this and whatever this papered over, the problem doesn't seem
to exist anymore.
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Reviewed-by: Eric Anholt <eric@anholt.net>
[anholt: fixed up compile warning]
Signed-off-by: Eric Anholt <eric@anholt.net>
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
Input: usbtouchscreen - extend coordinate range for Generaltouch devices
Input: polldev can cause crash in case when polling disabled
Commit 84b79f8d28 (drm/i915: Fix crash
while aborting hibernation) attempted to fix a regression introduced
by commit cbda12d77e (drm/i915:
implement new pm ops for i915), but it went too far trying to split
the freeze/suspend and resume/thaw parts of the code. As a result,
it introduced another regression, which only is visible on some systems.
Fix the problem by merging i915_drm_suspend() with
i915_drm_freeze() and moving some code from i915_resume()
into i915_drm_thaw(), so that intel_opregion_free() and
intel_opregion_init() are also executed in the freeze and thaw code
paths, respectively.
Signed-off-by: Rafael J. Wysocki <rjw@sisk.pl>
Reported-and-tested-by: Pedro Ribeiro <pedrib@gmail.com>
Tested-by: Tino Keitel <tino.keitel@tikei.de>
Acked-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Tools like powertop want to check the current FBC status and report it
to the user. So add a debugfs file indicating whether FBC is enabled,
and if not, why.
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Eric Anholt <eric@anholt.net>
At unload time, we need to disable DRPS, but we need to do it correctly
or the GPU will hang and we won't be able to load the module again. So
set the SFCAVM bit so we can properly restore the DRPS config at unload.
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Eric Anholt <eric@anholt.net>
He Shuang reported an OGLC performance regression introduced in the patch
"enable memory self refresh on 9xx", In that patch, SR on 945 is disabled
everytime when calling intel_mark_busy(), while too much of such operation
will impact performance. Actually disable SR is necessary only when GPU and
Crtc changing from idle to busy. This patch make such optimization.
It fixes upstream bug
http://bugs.freedesktop.org/show_bug.cgi?id=26422
Signed-off-by: Li Peng <peng.li@intel.com>
Signed-off-by: Eric Anholt <eric@anholt.net>
The ironlake render p-state support includes some rather odd variable
names. Clean them up in order to improve the readability of the code.
Signed-off-by: Matthew Garrett <mjg@redhat.com>
Signed-off-by: Eric Anholt <eric@anholt.net>
Ironlake (and 965GM, which this patch doesn't support) supports a
hardware performance and power management feature that allows it to
adjust to changes in GPU load over time with software help. The goal
if this is to maximize performance/power for a given workload.
This patch enables that feature, which is also a requirement for
supporting Intelligent Power Sharing, a feature which allows for
dynamic budgeting of power between the CPU and GPU in Arrandale
platforms.
Tested-by: ykzhao <yakui.zhao@intel.com>
[anholt: Resolved against the irq handler loop removal]
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Eric Anholt <eric@anholt.net>
Enabling memory self refresh (SR) on 9xx needs to set additional
register bits. On 945, we need bit 31 of FW_BLC_SELF to enable the
write to self refresh bit and bit 16 to enable the write of self
refresh watermark. On 915, bit 12 of INSTPM is used to enable SR.
SR will take effect when CPU enters C3+ state and its entry/exit
should be automatically controlled by H/W, driver only needs to set
SR enable bits in wm update. But this isn't safe in my test on 945
because GPU is hung. So this patch explicitly enables SR when GPU
is idle, and disables SR when it is busy. In my test on a netbook of
945GSE chipset, it saves about 0.8W idle power.
Signed-off-by: Li Peng <peng.li@intel.com>
[anholt: rebased against 33c5fd121e
by adding disable of INSTPM SR bit on 915GM for two pipe setup]
Signed-off-by: Eric Anholt <eric@anholt.net>
Check the frame control for ieee80211_is_data_qos() is true before
counting the number of tfds can be free, the tfds_in_queue only
increment when ieee80211_is_data_qos() is true before transmit; so it
should only decrement if the type match.
Remove ieee80211_is_data_qos check for frame_ctrl in tx_resp to avoid
invalid information pass from uCode.
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
CC: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
When receive reply_tx and ready to decrement the count for number of
tfds in queue, do error checking to prevent error condition and
tfds_in_queue become negative number.
Signed-off-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
CC: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Generaltouch protocol allows for coordinates in [0, 0xffff] range and
there are devices reporting coordinates as high as 0x7fff so let's update
the driver to reflect that.
Signed-off-by: Roy Yin <yhch@generaltouch.com>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Relying on overflow/wrap around isn't exact because if you wrap far
enough, you get back to "valid" values.
Reported-by: Thorsten Pohlmann <pohlmann@tetronik.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Wim Van Sebroeck <wim@iguana.be>
Cc: stable <stable@kernel.org>
* 'v4l_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-2.6:
V4L/DVB: bttv: Move I2C IR initialization
V4L/DVB: Video : pwc : Fix regression in pwc_set_shutter_speed caused by bad constant => sizeof conversion.
soc-camera: mt9t112: modify exiting conditions from standby mode
V4L/DVB: cxusb: Select all required frontend and tuner modules
V4L/DVB: dvb: l64781.ko broken with gcc 4.5
* master.kernel.org:/home/rmk/linux-2.6-arm:
ARM: allow alignment fault mode to be configured at kernel boot
ARM: Update mach-types
ARM: 5951/1: ARM: fix documentation of the PrimeCell bus
ARM: 5950/1: ARM: Fix build error for arm1026ej-s processor
MAINTAINERS: fix my e-mail and status for Gemini and FA526
Gemini: wrong registers used to set reg_level in gpio_set_irq_type()
ARM: 5944/1: scsi: fix timer setup in fas216.c
ARM: 5938/1: ARM: L2: export outer_cache_fns
When polled input device is opened and closed and there are no other
users of polled device, the workqueue is created and destroyed in
every open / close operation. It is probable that at some point
dynamic allocation of internal parts of the workqueue cause changes to the
workqueue.
When a work is queued to the workqueue the work struct contains pointers
to the workqueue data. If the workqueue has been changed and the work
has never been queued to the new workqueue, work-struct contains pointers
to the non-existing workqueue. This will cause crash at the work
cancellation during device close since cancellation of a work assumes
that the workqueue exists.
To prevent that, work struct is cleaned up at device close. This keeps
work struct clean for the next use.
Signed-off-by: Samu Onkalo <samu.p.onkalo@nokia.com>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
* git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6:
[SCSI] megaraid_sas: fix for 32bit apps
[SCSI] fcoe: Only rmmod fcoe.ko if there are no active connections
[SCSI] libfcoe: Send port LKA every FIP_VN_KA_PERIOD secs.
[SCSI] libfc: Don't assume response request present.
[SCSI] libfc: Fix e_d_tov ns -> ms scaling factor in PLOGI response.
[SCSI] libfc: call ddp setup for only FCP reads to avoid accessing junk fsp pointer
[SCSI] iscsi_tcp regression: remove bogus warn on in write path
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6:
sfc: SFE4002/SFN4112F: Widen temperature and voltage tolerances
sfc: Fix sign of efx_mcdi_poll_reboot() error in efx_mcdi_poll()
net-sysfs: Use rtnl_trylock in wireless sysfs methods.
net: Fix sysctl restarts...
* 'drm-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
drm/radeon: bump the UMS driver version number to indicate rv740 fix
drm/radeon/kms: free fence IB if it wasn't emited at IB free time
drm/ttm: fix caching problem on non-PAT systems.
drm/radeon/rv740: fix backend setup
drm/radeon/kms: fix shared ddc detection
drm/radeon/kms/rs600: add connector quirk
vgaarb: fix "target=default" passing
The temperature and voltage limits currently set on these boards are
too conservative and will cause the driver to stop the net device
erroneously in some systems.
Based on a review of the chip datasheets and advice from the designer
of these boards:
- Raise the maximum board temperatures to the specified maximum ambient
temperatures for their PHYs plus the expected temperature bias of the
board
- Raise the maximum controller temperature to 90 degrees
- Lower the minimum temperatures to 0 degrees
- Widen the voltage tolerances to at least +/- 10%
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
efx_mcdi_poll() uses positive error numbers, matching the MCDI
protocol. It must negate the result of efx_mcdi_poll_reboot() which
returns the usual negative error numbers.
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This lets UMS userspace know the rv740 fix is in. For KMS we can
consider the kernel release to be the v2.0.0 release so we don't need the
bump there.
Signed-off-by: Dave Airlie <airlied@redhat.com>
If at IB free time fence wasn't emited that means the IB wasn't
scheduled because an error occured somewhere, thus we can free
then fence and mark the IB as free.
Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
http://bugzilla.kernel.org/show_bug.cgi?id=15328
This fixes a serious regression on AGP/non-PAT systems, where
pages were ending up in the wrong state and slowing down the
whole system.
[airlied: taken this from the bug as the other option is to revert
the change which caused it].
Tested-by: John W. Linville (in bug).
Signed-off-by: Dave Airlie <airlied@redhat.com>
This patch fixes occlusion queries and rendering errors
on rv740 boards. Hardcoding the backend map is not an optimal
solution, but a better fix is being worked on.
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Just compare the i2c id since the i2c structs
may be slighly different.
Fixes fdo bug 26616.
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
rs600 board lists DVI port as HDMI.
Fixes fdo bug 26605
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Commit 77c1ff3982 fixed the userspace
pointer dereference, but introduced another bug pointed out by Eugene Teo
in RH bug #564264. Instead of comparing the point we were at in the string,
we instead compared the beginning of the string to "default".
Signed-off-by: Kyle McMartin <kyle@redhat.com>
Reported-by: Eugene Teo <eteo@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
It looks like this patch -
commit 7b2519afa1
Author: Yang, Bo <Bo.Yang@lsi.com>
Date: Tue Oct 6 14:52:20 2009 -0600
[SCSI] megaraid_sas: fix 64 bit sense pointer truncation
has caused a problem for 32bit programs with 64bit os -
http://bugzilla.kernel.org/show_bug.cgi?id=15001
fix by converting the user space 32bit pointer to a 64 bit one when
needed.
[jejb: fix up some 64 bit warnings]
Signed-off-by: Tomas Henzl <thenzl@redhat.com>
Cc: Bo Yang <Bo.Yang@lsi.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
The HT extension channel settings require priv->staging_rxon.channel to be
accurate. However, iwl_set_rxon_ht was being called before iwl_set_rxon_channel
and thus HT40 could be broken unless another call to iwl_mac_config came in.
This problem was recently introduced by "iwlwifi: Fix to set correct ht
configuration"
The particular setting in which I noticed this was monitor mode:
iwconfig wlan0 mode monitor
ifconfig wlan0 up
./iw wlan0 set channel 64 HT40-
#./iw wlan0 set channel 64 HT40-
tcpdump -i wlan0 -y IEEE802_11_RADIO
would only catch HT40 packets if I issued the IW command twice.
From visual inspection, iwl_set_rxon_channel does not depend on
iwl_set_rxon_ht, so simply swapping them should be safe and fixes this problem.
Signed-off-by: Daniel Halperin <dhalperi@cs.washington.edu>
Acked-by: Wey-Yi Guy <wey-yi.w.guy@intel.com>
Signed-off-by: Reinette Chatre <reinette.chatre@intel.com>
CC: stable@kernel.org
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Earlier, Ingo Molnar posted a patch to make it so that the kernel would avoid
reading _PPC on his broken T60. Unfortunately, it seems that with Thomas
Renninger's patch last July to eliminate _PPC evaluations when the processor
driver loads, the kernel never actually reads _PPC at all! This is problematic
if you happen to boot your non-T60 computer in a state where the BIOS _wants_
_PPC to be something other than zero.
So, put the _PPC evaluation back into acpi_processor_get_performance_info if
ignore_ppc isn't 1.
Signed-off-by: Darrick J. Wong <djwong@us.ibm.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Set the backlight to use the current brightness when loaded, rather than
always resetting the backlight to maximum brightness.
Fixes kernel bugzilla #14207
Signed-off-by: Carlos Corbacho <carlos@strangeworlds.co.uk>
Reported-by: Denis Mukhin <denis_mukhin@yahoo.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Move I2C IR initialization from just after I2C bus setup to right
before non-I2C IR initialization. This avoids the case where an I2C IR
device is blocking audio support (at least the PV951 suffers from
this). It is also more logical to group IR support together,
regardless of the connectivity.
This fixes bug #15184:
http://bugzilla.kernel.org/show_bug.cgi?id=15184
Signed-off-by: Jean Delvare <khali@linux-fr.org>
CC: stable@kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Regression was caused by my commit 6b35ca0d3d
which determined message size using sizeof rather than hardcoded constants.
Unfortunately pwc_set_shutter_speed reuses a 2 byte buffer for a one byte
message too so the sizeof was bogus in this case.
All other uses of sizeof checked and are ok.
Acked-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Cc: stable@kernel.org
Signed-off-by: Martin Fuzzey <mfuzzey@gmail.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
This polling is needed if camera is in standby mode, but current exiting
condition is inverted.
Signed-off-by: Kuninori Morimoto <morimoto.kuninori@renesas.com>
Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
cxusb uses the atbm8830 and lgs8gxx (not lgs8gl5) frontends and the
max2165 tuner, so it needs to select them.
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: stable@kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
I'm trying to fix it on the GCC side (PR43007), but the module is
quite stupid in using ULL constants to operate on u32 values:
static int apply_frontend_param (struct dvb_frontend* fe, struct
dvb_frontend_parameters *param)
{
...
static const u32 ppm = 8000;
u32 spi_bias;
...
spi_bias *= 1000ULL;
spi_bias /= 1000ULL + ppm/1000;
which causes current GCC 4.5 to emit calls to __udivdi3 for i?86 again.
This patch fixes this issue.
Signed-off-by: Richard Guenther <rguenther@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
CC: stable@kernel.org
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
mod_timer() takes an absolute time and not a delay as its argument.
Cc: <stable@kernel.org>
Signed-off-by: Guennadi Liakhovetski <g.liakhovetski@gmx.de>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
* 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-acpi-2.6:
ACPI: fix "acpi=ht" boot option
ACPI, i915: blacklist Clevo M5x0N bad_lid state
ACPI: fix High cpu temperature with 2.6.32
ACPI: dock: properly initialize local struct dock_station in dock_add()
ACPI: remove Asus P2B-DS from acpi=ht blacklist
thinkpad-acpi: wrong thermal attribute_group removed in thermal_exit()
ACPI: acpi_bus_{scan,bus,add}: return -ENODEV if no device was found
ACPI: Add NULL pointer check in acpi_bus_start
ACPI: processor: only evaluate _PDC once per processor
ACPI: processor: add kernel command line support for early _PDC eval
* 'drm-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6:
drm/radeon/kms: fix bo's fence association
drm/radeon/kms: fix indirect buffer management V2
drm/edid: Fix interlaced detailed timings to be frame size, not field.
drm/vmwgfx: Use fb handover mechanism instead of stealth mode.
drm/radeon/kms: use udelay for short delays
drm/nouveau: Force TV encoder DPMS reinit after resume.
drm/nouveau: use mutex for vbios lock
633aae2 "Input: i8042 - switch to using dev_pm_ops" removed handling
for PMSG_THAW, since we do not need to do anything during freeze and
thus it was thougt that thaw is not needed as well. However, there is
a period when interrupts are kept off, and if key happens to be pressed
during that time KBC becomes jammed. To avoid the jam we simply need
to poll KBC once during thaw.
Signed-off-by: Alan Jenkins <alan-jenkins@tuffmail.co.uk>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
We broke "acpi=ht" in 2.6.32 by disabling MADT parsing
for acpi=disabled. e5b8fc6ac1
This also broke systems which invoked acpi=ht via DMI blacklist.
acpi=ht is a really ugly hack,
but restore it for those that still use it.
http://bugzilla.kernel.org/show_bug.cgi?id=14886
Signed-off-by: Len Brown <len.brown@intel.com>
* 'for-airlied' of git://git.freedesktop.org/git/nouveau/linux-2.6:
drm/nouveau: Force TV encoder DPMS reinit after resume.
drm/nouveau: use mutex for vbios lock
Previous code did associate fence to bo before the fence was emited
and it also didn't lock protected access to ttm sync_obj member.
Both of this flaw leads to possible race between different code
path. This patch fix this by associating fence only once the fence
is emitted and properly lock protect access to sync_obj member of
ttm.
Fix:
https://bugs.freedesktop.org/show_bug.cgi?id=26438
and likely similar others bugs
Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
There is 3 different distinct states for an indirect buffer (IB) :
1- free with no fence
2- free with a fence
3- non free (fence doesn't matter)
Previous code mixed case 2 & 3 in a single one leading to possible
catastrophique failure. This patch rework the handling and properly
separate each case. So when you get ib we set the ib as non free and
fence status doesn't matter. Fence become active (ie has a meaning
for the ib code) once the ib is scheduled or free. This patch also
get rid of the alloc bitmap as it was overkill, we know go through
IB pool list like in a ring buffer as the oldest IB is the first
one the will be free.
Fix :
https://bugs.freedesktop.org/show_bug.cgi?id=26438
and likely other bugs.
V2 remove the scheduled list, it's useless now, fix free ib scanning
Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
When the vmwgfx module is loaded on top of vesafb, it would operate in
stealth mode in parallel with vesafb, evicting VRAM on dropmaster.
Change that to use the vesafb handover mechanism, like other drmfb drivers.
Signed-off-by: Thomas Hellstrom <thellstrom@vmware.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
For usec delays use udelay instead of scheduling, this should
allow reclocking to happen faster. This also was the cause
of reported 33s delays at bootup on certain systems.
fixes: freedesktop.org bug 25506
Cc: stable@kernel.org
Signed-off-by: Dave Airlie <airlied@redhat.com>
Get rid of _location and use _start/_end also simplify the
computation of vram_start|end & gtt_start|end. For R1XX-R2XX
we place VRAM at the same address of PCI aperture, those GPU
shouldn't have much memory and seems to behave better when
setup that way. For R3XX and newer we place VRAM at 0. For
R6XX-R7XX AGP we place VRAM before or after AGP aperture this
might limit to limit the VRAM size but it's very unlikely.
For IGP we don't change the VRAM placement.
Tested on (compiz,quake3,suspend/resume):
PCI/PCIE:RV280,R420,RV515,RV570,RV610,RV710
AGP:RV100,RV280,R420,RV350,RV620(RPB*),RV730
IGP:RS480(RPB*),RS690,RS780(RPB*),RS880
RPB: resume previously broken
V2 correct commit message to reflect more accurately the bug
and move VRAM placement to 0 for most of the GPU to avoid
limiting VRAM.
Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
r200 cards have dma engine which can be used to tranfer data
between vram and system memory.
r300 dma engine registers match r200 dma engine. Enabling
dma copy for r200 is simple as hooking r200 asic to already
existing function r300_copy_dma.
Rename r300_dma_copy to r200_dma_copyto reflect that supports
starts from r200 cards.
v2: Created a new asic object for r200 cards.
Signed-off-by: Pauli Nieminen <suokkos@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Setting global asic structure to point to different function
would cause problem in system where is multiple r300 cards
with different bus type.
r300_asic_pcie is just copy from r300_asic with gart tlb
functions replaced with pcie versions.
Signed-off-by: Pauli Nieminen <suokkos@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
r6xx/r7xx use the rs600 variant. This old one just
confuses things.
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
We should stop audio-state-reading timer before we turn off engine
Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
drivers/gpu/drm/radeon/r600_cs.c: In function ‘r600_cs_track_check’:
drivers/gpu/drm/radeon/r600_cs.c:166: warning: ‘bpe’ may be used uninitialized in this function
drivers/gpu/drm/radeon/r600_cs.c:166: note: ‘bpe’ was declared here
drivers/gpu/drm/radeon/r600_cs.c: In function ‘r600_cs_parse’:
drivers/gpu/drm/radeon/r600_cs.c:938: warning: ‘bpe’ may be used uninitialized in this function
drivers/gpu/drm/radeon/r600_cs.c:938: note: ‘bpe’ was declared here
Signed-off-by: Alex Deucher <alexdeucher@gmail.com>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Currently we're gracefully tearing down each active connection
when fcoe.ko is removed. We shouldn't allow the user to destroy
connections by removing the module. We should force the user to
destroy each connection and then the module can be removed.
This patch makes it so a refrerence count on the module is taken
each time a fcoe_interface is created. The reference count
is dropped when the fcoe_interface is destroyed. This makes it
so that module_exit() doesn't get called unless all fcoe_interfaces
have been destroyed.
This patch leaves the removal of interfaces in the module_exit
routine so that if the user does a 'rmmod -f' we'll clean everything
up before removing the module.
The module_put line was put before the out_putdev goto line because
we should only be decrementing the reference count if a
fcoe_interface is actually destroyed. If we can't find the netdev
or the fcoe_interface then it's assumed that something else has
destroyed the fcoe_interface and it would have decremented the
reference count at that time.
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
libfcoe module doesnt send port keep alive every
FIP_VN_KA_PERIOD due to improper assignment of timeout value.
Update the port_ka_time appropriately by incrementing it by
FIP_VN_KA_PERIOD in fcoe_ctlr_timeout(), so that the link_work
is scheduled to send the port LKA.
Signed-off-by: Bhanu Gollapudi <bprakash@broadcom.com>
Acked-by: Joe Eykholt <jeykholt@cisco.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Fix NULL pointer dereference crash occurs in fc_lport_bsg_request()
for bsg requests that do not contain a response request.
Specifically, FC_BSG_HST_ADD_RPORT and FC_BSG_HST_DEL_RPORT bsg
requests are not guaranteed to include a response request.
Signed-off-by: Hugh Daschbach <hdasch@broadcom.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Both PLOGI and RTV response processing conditionally scale e_d_tov,
but use different scaling factors. The scaling factor is correct in
RTV response processing. Bring PLOGI e_d_tov scaling in line with RTV
common service parameter inspection.
Signed-off-by: Hugh Daschbach <hdasch@broadcom.com>
Acked-by: Joe Eykholt <jeykholt@cisco.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Adds check to call fc_fcp_ddp_setup for only FCP read cmds to avoid
accessing junk fsp pointer at least in ESX since non FCP frame had
junk fsp value, though fsp is implicitly initialized to null
by __alloc_skb but with this patch no more relying on fsp
initialized to null value and hitting junk fsp ptr access.
Removes fsp pointer checking in fc_fcp_ddp_setup as this is not
needed any more since its only caller for FCP read will always
have a valid fsp.
Reported by: Frank Zhang <frank_1.zhang@intel.com>
Reported by: Rob Love <robert.w.love@intel.com>
Signed-off-by: Vasu Dev <vasu.dev@intel.com>
Signed-off-by: Robert Love <robert.w.love@intel.com>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
An empty r2tqueue is a valid state. It just means that we have
processed all that there was to do. This patch removes the WARN_ON
that was added when the kfifo changes were merged.
Signed-off-by: Mike Christie <michaelc@cs.wisc.edu>
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6:
USB: gadget: fix EEM gadget CRC usage
USB: otg Kconfig: let USB_OTG_UTILS select USB_ULPI option
USB: g_multi: fix CONFIG_USB_G_MULTI_RNDIS usage
kfifo: Don't use integer as NULL pointer
USB: FHCI: Fix build after kfifo rework
kfifo: Make kfifo_initialized work after kfifo_free
USB: serial: add usbid for dell wwan card to sierra.c
USB: SIS USB2VGA DRIVER: support KAIREN's USB VGA adaptor USB20SVGA-MB-PLUS
USB: ehci: phy low power mode bug fixing
USB: s3c-hsotg: Export usb_gadget_register_driver()
USB: r8a66597-udc: Prototype IS_ERR() and PTR_ERR()
USB: ftdi_sio: add device IDs (several ELV, one Mindstorms NXT)
USB: storage: Remove unneeded SC/PR from unusual_devs.h
USB: ftdi_sio: new device id for papouch AD4USB
USB: usbfs: properly clean up the as structure on error paths
USB: usbfs: only copy the actual data received
* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core-2.6:
class: Free the class private data in class_release
sysfs: sysfs_sd_setattr set iattrs unconditionally
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: (22 commits)
be2net: set proper value to version field in req hdr
xfrm: Fix xfrm_state_clone leak
ipcomp: Avoid duplicate calls to ipcomp_destroy
ethtool: allow non-admin user to read GRO settings.
ixgbe: fix WOL register setup for 82599
ixgbe: Fix - Do not allow Rx FC on 82598 at 1G due to errata
sfc: Fix SFE4002 initialisation
mac80211: fix handling of null-rate control in rate_control_get_rate
inet: Remove bogus IGMPv3 report handling
iwlwifi: fix AMSDU Rx after paged Rx patch
tcp: fix ICMP-RTO war
via-velocity: Fix races on shared interrupts
via-velocity: Take spinlock on set coalesce
via-velocity: Remove unused IRQ status parameter from rx_srv and tx_srv
rtl8187: Add new device ID
iwmc3200wifi: Test of wrong pointer after kzalloc in iwm_mlme_update_bss_table()
ath9k: Fix sequence numbers for PAE frames
mac80211: fix deferred hardware scan requests
iwlwifi: Fix to set correct ht configuration
mac80211: Fix probe request filtering in IBSS mode
...
When controlling an industrial radio modem it can be necessary to
manipulate the handshake lines in order to control the radio modem's
transmitter, from userspace.
The transmitter should not be turned off before all characters have been
transmitted. serial8250_tx_empty() was reporting that all characters were
transmitted before they actually were.
===
Discovered in parallel with more testing and analysis by Kees Schoenmakers
as follows:
I ran into an NetMos 9835 serial pci board which behaves a little
different than the standard. This type of expansion board is very common.
"Standard" 8250 compatible devices clear the 'UART_LST_TEMT" bit together
with the "UART_LSR_THRE" bit when writing data to the device.
The NetMos device does it slightly different
I believe that the TEMT bit is coupled to the shift register. The problem
is that after writing data to the device and very quickly after that one
does call serial8250_tx_empty, it returns the wrong information.
My patch makes the test more robust (and solves the problem) and it does
not affect the already correct devices.
Alan:
We may yet need to quirk this but now we know which chips we have a
way to do that should we find this breaks some other 8250 clone with
dodgy THRE.
Signed-off-by: Dick Hollenbeck <dick@softplc.com>
Signed-off-by: Alan Cox <alan@linux.intel.com>
Cc: Kees Schoenmakers <k.schoenmakers@sigmae.nl>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Fix a memory leak by freeing the memory allocated in __class_register
for the class private data.
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Acked-by: Artem Bityutskiy <Artem.Bityutskiy@nokia.com>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
eem_wrap() is sending a sentinel CRC, but it didn't indicate that to
the host, it should zero bit 14 (bmCRC) in the EEM packet header,
instead of setting it.
Also remove a redundant crc calculation in eem_unwrap().
Signed-off-by: Steve Longerbeam <stevel@netspectrum.com>
Acked-by: Brian Niebuhr <bniebuhr@efjohnson.com>
Acked-by: David Brownell <dbrownell@users.sourceforge.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
With CONFIG_USB_ULPI=y, CONFIG_USB<=m, CONFIG_PCI=n and
CONFIG_USB_OTG_UTILS=n, which is the default used for mx31moboard,
the build for all mx3 platforms fails because drivers/usb/otg/ulpi.c
where otg_ulpi_create is defined is not compiled.
Build error:
arch/arm/mach-mx3/built-in.o: In function `mxc_board_init':
kzmarm11.c:(.init.text+0x73c): undefined reference to `otg_ulpi_create'
kzmarm11.c:(.init.text+0x1020): undefined reference to `otg_ulpi_create'
This isn't a strong dependency as drivers/usb/otg/ulpi.c doesn't
use functions defined in drivers/usb/otg/otg.o and is only needed
to get ulpi.o linked into the kernel image.
Signed-off-by: Valentin Longchamp <valentin.longchamp@epfl.ch>
Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
g_multi used CONFIG_USB_ETH_RNDIS to check if RNDIS option was requested
where it should check for CONFIG_USB_G_MULTI_RNDIS. As a result, RNDIS
was never present in g_multi regardless of configuration.
This fixes changes made in commit 396cda90d2.
Signed-off-by: Michal Nazarewicz <m.nazarewicz@samsung.com>
Cc: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
After kfifo rework FHCI fails to build:
CC drivers/usb/host/fhci-tds.o
drivers/usb/host/fhci-tds.c: In function 'fhci_ep0_free':
drivers/usb/host/fhci-tds.c:108: error: used struct type value where scalar is required
drivers/usb/host/fhci-tds.c:118: error: used struct type value where scalar is required
drivers/usb/host/fhci-tds.c:128: error: used struct type value where scalar is required
This is because kfifos are no longer pointers in the ep struct.
So, instead of checking the pointers, we should now check if kfifo
is initialized.
Reported-by: Josh Boyer <jwboyer@gmail.com>
Signed-off-by: Anton Vorontsov <avorontsov@ru.mvista.com>
Acked-by: Stefani Seibold <stefani@seibold.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This patch adds support for Dell Computer Corp. Wireless 5720 VZW Mobile
Broadband (EVDO Rev-A) Minicard GPS Port. I stole the name from lsusb,
but my card does not have a GPS on it (at least not that I can make
function). I'm sure the patch is whitespace damaged but the one line
addition should be fairly straightforward nonetheless.
Tested-by: Rick Farina <sidhayn@gmail.com>
Signed-off-by: Rick Farina <sidhayn@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This patch adds the USB product ID of KAIREN's USB VGA Adaptor,
USB20SVGA-MB-PLUS, to sisusbvga work with it.
Signed-off-by: Tanaka Akira <akr@fsij.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
1. There are two msleep calls inside two spin lock sections, need to unlock
and lock again after msleep.
2. Save a extra status reg setting.
Signed-off-by: Alek Du <alek.du@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
USB gadget controller drivers normally export their driver registration
function, allowing modular builds of the individual gadget drivers so
do so for s3c-hsotg, fixing builds.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
The build of r8a66597-udc was failing on ARM since IS_ERR() and
PTR_ERR() weren't protyped. Presumably err.h is being pulled in by
another header on other platforms.
Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com>
Acked-by: Yoshihiro Shimoda <shimoda.yoshihiro@renesas.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
- add FTDI device IDs for several ELV devices and NXTCam of Lego Mindstorms NXT
- add hopefully helpful new_id comment
- remove less helpful "Due to many user requests for multiple ELV devices we enable
them by default." comment (we simply add _all_ known devices - an
enduser shouldn't have to fiddle with obscure module parameters...).
- add myself to DRIVER_AUTHOR
The missing NXTCam ID has been found at
http://www.unixboard.de/vb3/showthread.php?t=44155
, ELV devices taken from ELV Windows .inf file.
Signed-off-by: Andreas Mohr <andi@lisas.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
This patch removes the subclass and protocol entries from a Microtech
entry in unusual_devs.h. This was reported by <ryck@pacbell.net>.
Greg, please apply.
Signed-off-by: Phil Dibowitz <phil@ipom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
added new device pid (PAPOUCH_AD4USB_PID) to ftdi_sio.h and ftdi_sio.c
AD4USB measuring converter is a 4-input A/D converter which enables the
user to measure to four current inputs ranging from 0(4) to 20 mA or
voltage between 0 and 10 V. The measured values are then transferred to
a superior system in digital form. The AD4USB communicates via USB.
Powered is also via USB. datasheet in english is here:
http://www.papouch.com/shop/scripts/pdf/ad4usb_en.pdf
Signed-off-by: Radek Liboska <liboska@uochb.cas.cz>
I notice that the processcompl_compat() function seems to be leaking the
'struct async *as' in the error paths.
I think that the calling convention is fundamentally buggered. The
caller is the one that did the "reap_as()" to get the as thing, the
caller should be the one to free it too.
Freeing it in the caller also means that it very clearly always gets
freed, and avoids the need for any "free in the error case too".
From: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Marcus Meissner <meissner@suse.de>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
We need to only copy the data received by the device to userspace, not
the whole kernel buffer, which can contain "stale" data.
Thanks to Marcus Meissner for pointing this out and testing the fix.
Reported-by: Marcus Meissner <meissner@suse.de>
Tested-by: Marcus Meissner <meissner@suse.de>
Cc: Alan Stern <stern@rowland.harvard.edu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: stable <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Before sending a command to the ASIC, set version properly.
This is necessary for the ARM firmware to send correct data to the driver.
This also fixes a bug in certain skews of the ASIC where the statistics
are misreported.
Signed-off-by: Ajit Khaparde <ajitk@serverengines.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The fence start is for compatibility with UMS X Servers before fence
management. KMS X Servers only started doing tiling after fence
management appeared.
Signed-off-by: Eric Anholt <eric@anholt.net>
As we need more and more controls within MCHBAR for memory config and
power management, this trys to keep MCHBAR enabled from driver load and
only tear down in driver unload.
Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: Eric Anholt <eric@anholt.net>
With the introduction of the hang-check, we can safely expect that
i915_wait_request() will always return even when the GPU hangs, and so
do not need to open code the wait in order to manually check for the
hang. Also we do not need to always evict all buffers, so only flush
the GPU (and wait for it to idle) for KMS, but continue to evict for UMS.
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Eric Anholt <eric@anholt.net>
Revert commit d2bb7df8ca at Greg's request.
Author: Milan Broz <mbroz@redhat.com>
Date: Thu Dec 10 23:51:53 2009 +0000
dm: sysfs add empty release function to avoid debug warning
This patch just removes an unnecessary warning:
kobject: 'dm': does not have a release() function,
it is broken and must be fixed.
The kobject is embedded in mapped device struct, so
code does not need to release memory explicitly here.
Cc: Greg KH <gregkh@suse.de>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
This patch fixes the problem that system may stall if target's ->map_rq
returns DM_MAPIO_REQUEUE in map_request().
E.g. stall happens on 1 CPU box when a dm-mpath device with queue_if_no_path
bounces between all-paths-down and paths-up on I/O load.
When target's ->map_rq returns DM_MAPIO_REQUEUE, map_request() requeues
the request and returns to dm_request_fn(). Then, dm_request_fn()
doesn't exit the I/O dispatching loop and continues processing
the requeued request again.
This map and requeue loop can be done with interrupt disabled,
so 1 CPU system can be stalled if this situation happens.
For example, commands below can stall my 1 CPU box within 1 minute or so:
# dmsetup table mp
mp: 0 2097152 multipath 1 queue_if_no_path 0 1 1 service-time 0 1 2 8:144 1 1
# while true; do dd if=/dev/mapper/mp of=/dev/null bs=1M count=100; done &
# while true; do \
> dmsetup message mp 0 "fail_path 8:144" \
> dmsetup suspend --noflush mp \
> dmsetup resume mp \
> dmsetup message mp 0 "reinstate_path 8:144" \
> done
To fix the problem above, this patch changes dm_request_fn() to exit
the I/O dispatching loop once if a request is requeued in map_request().
Signed-off-by: Kiyoshi Ueda <k-ueda@ct.jp.nec.com>
Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
Cc: stable@kernel.org
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
When suspending a failed mirror, bios are completed by mirror_end_io() and
__rh_lookup() in dm_rh_dec() returns NULL where a non-NULL return value is
required by design. Fix this by not changing the state of the recovery failed
region from DM_RH_RECOVERING to DM_RH_NOSYNC in dm_rh_recovery_end().
Issue
On 2.6.33-rc1 kernel, I hit the bug when I suspended the failed
mirror by dmsetup command.
BUG: unable to handle kernel NULL pointer dereference at 00000020
IP: [<f94f38e2>] dm_rh_dec+0x35/0xa1 [dm_region_hash]
...
EIP: 0060:[<f94f38e2>] EFLAGS: 00010046 CPU: 0
EIP is at dm_rh_dec+0x35/0xa1 [dm_region_hash]
EAX: 00000286 EBX: 00000000 ECX: 00000286 EDX: 00000000
ESI: eff79eac EDI: eff79e80 EBP: f6915cd4 ESP: f6915cc4
DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process dmsetup (pid: 2849, ti=f6914000 task=eff03e80 task.ti=f6914000)
...
Call Trace:
[<f9530af6>] ? mirror_end_io+0x53/0x1b1 [dm_mirror]
[<f9413104>] ? clone_endio+0x4d/0xa2 [dm_mod]
[<f9530aa3>] ? mirror_end_io+0x0/0x1b1 [dm_mirror]
[<f94130b7>] ? clone_endio+0x0/0xa2 [dm_mod]
[<c02d6bcb>] ? bio_endio+0x28/0x2b
[<f952f303>] ? hold_bio+0x2d/0x62 [dm_mirror]
[<f952f942>] ? mirror_presuspend+0xeb/0xf7 [dm_mirror]
[<c02aa3e2>] ? vmap_page_range+0xb/0xd
[<f9414c8d>] ? suspend_targets+0x2d/0x3b [dm_mod]
[<f9414ca9>] ? dm_table_presuspend_targets+0xe/0x10 [dm_mod]
[<f941456f>] ? dm_suspend+0x4d/0x150 [dm_mod]
[<f941767d>] ? dev_suspend+0x55/0x18a [dm_mod]
[<c0343762>] ? _copy_from_user+0x42/0x56
[<f9417fb0>] ? dm_ctl_ioctl+0x22c/0x281 [dm_mod]
[<f9417628>] ? dev_suspend+0x0/0x18a [dm_mod]
[<f9417d84>] ? dm_ctl_ioctl+0x0/0x281 [dm_mod]
[<c02c3c4b>] ? vfs_ioctl+0x22/0x85
[<c02c422c>] ? do_vfs_ioctl+0x4cb/0x516
[<c02c42b7>] ? sys_ioctl+0x40/0x5a
[<c0202858>] ? sysenter_do_call+0x12/0x28
Analysis
When recovery process of a region failed, dm_rh_recovery_end() function
changes the state of the region from RM_RH_RECOVERING to DM_RH_NOSYNC.
When recovery_complete() is executed between dm_rh_update_states() and
dm_writes() in do_mirror(), bios are processed with the region state,
DM_RH_NOSYNC. However, the region data is freed without checking its
pending count when dm_rh_update_states() is called next time.
When bios are finished by mirror_end_io(), __rh_lookup() in dm_rh_dec()
returns NULL even though a valid return value are expected.
Solution
Remove the state change of the recovery failed region from DM_RH_RECOVERING
to DM_RH_NOSYNC in dm_rh_recovery_end(). We can remove the state change
because:
- If the region data has been released by dm_rh_update_states(),
a new region data is created with the state of DM_RH_NOSYNC, and
bios are processed according to the DM_RH_NOSYNC state.
- If the region data has not been released by dm_rh_update_states(),
a state of the region is DM_RH_RECOVERING and bios are put in the
delayed_bio list.
The flag change from DM_RH_RECOVERING to DM_RH_NOSYNC in dm_rh_recovery_end()
was added in the following commit:
dm raid1: handle resync failures
author Jonathan Brassow <jbrassow@redhat.com>
Thu, 12 Jul 2007 16:29:04 +0000 (17:29 +0100)
http://git.kernel.org/linus/f44db678edcc6f4c2779ac43f63f0b9dfa28b724
Signed-off-by: Takahiro Yasui <tyasui@redhat.com>
Reviewed-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
If the mirror log fails when the handle_errors option was not selected
and there is no remaining valid mirror leg, writes return success even
though they weren't actually written to any device. This patch
completes them with EIO instead.
This code path is taken:
do_writes:
bio_list_merge(&ms->failures, &sync);
do_failures:
if (!get_valid_mirror(ms)) (false)
else if (errors_handled(ms)) (false)
else bio_endio(bio, 0);
The logic in do_failures is based on presuming that the write was already
tried: if it succeeded at least on one leg (without handle_errors) it
is reported as success.
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=555197
Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
Signed-off-by: Alasdair G Kergon <agk@redhat.com>
This patch fixes two bugs that revolve around the miscalculation and
misuse of the variable 'overhead_size'. 'overhead_size' is the size of
the various header structures used during communication.
The first bug is the use of 'sizeof' with the pointer of a structure
instead of the structure itself - resulting in the wrong size being
computed. This is then used in a check to see if the payload
(data_size) would be to large for the preallocated structure. Since the
bug produces a smaller value for the overhead, it was possible for the
structure to be breached. (Although the current users of the code do
not currently send enough data to trigger this bug.)
The second bug is that the 'overhead_size' value is used to compute how
much of the preallocated space should be cleared before populating it
with fresh data. This should have simply been 'sizeof(struct cn_msg)'
not overhead_size. The fact that 'overhead_size' was computed
incorrectly made this problem "less bad" - leaving only a pointer's
worth of space at the end uncleared. Thus, this bug was never producing
a bad result, but still needs to be fixed - especially now that the
value is computed correctly.
Cc: stable@kernel.org
Signed-off-by: Jonathan Brassow <jbrassow@redhat.com
Signed-off-by: Alasdair G Kergon <agk@redhat.com>