When the helper module is removed for a master connection that has a
fulfilled expectation, but has already timed out and got removed from
the hash tables, nf_conntrack_helper_unregister can't find the master
connection to unset the helper, causing a use-after-free when the
expected connection is destroyed and releases the last reference to
the master.

The helper destroy callback was introduced for the PPtP helper to clean
up expectations and expected connections when the master connection
times out, but doing this from destroy_conntrack only works for
unfulfilled expectations since expected connections hold a reference
to the master, preventing its destruction. Move the destroy callback to
the timeout function, which fixes both problems.

Reported/tested by Gabor Burjan <buga@buvoshetes.hu>.
Signed-off-by: NPatrick McHardy <kaber@trash.net>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

This is a natural extension of the changeset

    [XFRM]: Probe selected algorithm only.

which only removed the probe call for xfrm_user.  This patch does exactly
the same thing for af_key.  In other words, we load the algorithm requested
by the user rather than everything when adding xfrm states in af_key.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

State could become inconsistent in two cases:

1) Userspace disabled FRTO by tuning sysctl when one of the TCP
   flows was in the middle of FRTO algorithm (and then RTO is
   again triggered)

2) SACK reneging occurs during FRTO algorithm

A simple solution is just to abort the previous FRTO when such
obscure condition occurs...
Signed-off-by: NIlpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

The conservative spurious RTO response did not queue CWR even
though the sending rate was lowered. Whenever reduction happens
regardless of reason, CWR should be sent (forgetting to send it
is not very fatal though).

A better approach would be to queue CWR when one of the sending
rate reducing responses (rate-halving one or this conservative
response) is used already at RTO. Doing that would allow CWR to
be sent along with the two new data segments that are sent
during FRTO. However, it's a bit "racy" because userland could
tune the response sysctl to a more aggressive one in between.
Signed-off-by: NIlpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Compiling 2.6.22-rc1 with gcc-3.2.3 for i486 fails with:

  gcc -m32 -Wp,-MD,net/core/.skbuff.o.d  -nostdinc -isystem /home/mikpe/pkgs/linux-x86/gnu/lib/gcc-lib/i486-pc-linux-gnu/3.2.3/include -D__KERNEL__ -Iinclude  -include include/linux/autoconf.h -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs -fno-strict-aliasing -fno-common -O2 -pipe -msoft-float -mregparm=3 -freg-struct-return -mpreferred-stack-boundary=4  -march=i486 -ffreestanding -maccumulate-outgoing-args -DCONFIG_AS_CFI=1  -Iinclude/asm-i386/mach-default -fomit-frame-pointer       -D"KBUILD_STR(s)=#s" -D"KBUILD_BASENAME=KBUILD_STR(skbuff)"  -D"KBUILD_MODNAME=KBUILD_STR(skbuff)" -c -o net/core/skbuff.o net/core/skbuff.c
net/core/skbuff.c:648:1: directives may not be used inside a macro argument
net/core/skbuff.c:647:39: unterminated argument list invoking macro "memcpy"
net/core/skbuff.c: In function `pskb_expand_head':
net/core/skbuff.c:651: `memcpy' undeclared (first use in this function)
net/core/skbuff.c:651: (Each undeclared identifier is reported only once
net/core/skbuff.c:651: for each function it appears in.)
net/core/skbuff.c:651: syntax error before "skb"
make[2]: *** [net/core/skbuff.o] Error 1
make[1]: *** [net/core] Error 2
make: *** [net] Error 2

The patch below implements a simple workaround which is to
clone the offending memcpy() call and specialise it for the
two different scenarios.

Other workarounds are of course possible: e.g. bind the varying
parameter in a local variable, or use a macro or inline function
to perform the varying computation.
Signed-off-by: NMikael Pettersson <mikpe@it.uu.se>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

coverity has spotted a bug in rfkill.c (bug id #1627),
in rfkill_allocate() NULL was returns if the kzalloc() works,
and deref the NULL pointer if it fails,
Signed-off-by: NIvo van Doorn <IvDoorn@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

The Mobile IPv6 package (http://www.mobile-ipv6.org/software/) needs
this header file to build the tunnelctl component. The header
already looks sanitized so is safe to export.
Signed-off-by: NDeepak Saxena <dsaxena@mvista.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Fix an Oops in the cciss driver caused by system shutdown while a filesystem
on a cciss device is still active.  The cciss_remove_one function only
properly removes the device if the device has been cleanly released by its
users, which is not the case when the pci_driver.shutdown method is called.

This patch adds a new cciss_shutdown function to better match the pattern
used by various SCSI drivers: deactivate device interrupts and flush caches.
It also alters the cciss_remove_one function to match and readds the
__devexit annotation that was removed when cciss_remove_one was serving as
the pci_driver.shutdown method.
Signed-off-by: NGerald Britton <gbritton@alum.mit.edu>
Acked-by: NMike Miller <mike.miller@hp.com>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

A number of items in the i386 boot documentation have been either
vague, outdated or hard to read.  This text revision adds several more
examples, including a memory map for a modern kernel load.  It also
adds a field-by-field detailed description of the setup header, and a
bootloader ID for Qemu.
Signed-off-by: NH. Peter Anvin <hpa@zytor.com>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

* git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  [CRYPTO] tcrypt: Add missing error check
  [CRYPTO] padlock: Make CRYPTO_DEV_PADLOCK a tristate again

1 is a power of two, therefore roundup_pow_of_two(1) should return 1. It does
in case the argument is a variable but in case it's a constant it behaves
wrong and returns 0. Probably nobody ever did it so this was never noticed.
Signed-off-by: NRolf Eike Beer <eike-kernel@sf-tec.de>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

The timerfd was using the unlocked waitqueue operations, but it was
using a different lock, so poll_wait() would race with it.

This makes timerfd directly use the waitqueue lock.
Signed-off-by: NDavide Libenzi <davidel@xmailserver.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

The eventfd was using the unlocked waitqueue operations, but it was
using a different lock, so poll_wait() would race with it.

This makes eventfd directly use the waitqueue lock.
Signed-off-by: NDavide Libenzi <davidel@xmailserver.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

* 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc: (32 commits)
  [POWERPC] Remove build warnings in windfarm_core
  [POWERPC] Pass per-file CFLAGs for platform specific op codes
  [POWERPC] Correct #endif comment
  [POWERPC] Fix ppc_rtas_progress_show()
  [POWERPC] Fix sed command lines for zlib source construction
  [POWERPC] Specify GNUTARGET on $(AR) invocations
  [POWERPC] Make sure device node type/name is not NULL on hot-added nodes
  [POWERPC] Small fixes for the Ebony device tree
  [POWERPC] Fix warning on UP
  [POWERPC] cell_defconfig: Disable cpufreq and pmi
  [POWERPC] Fix IO space on PCI buses created from of_platform
  [POWERPC] Add spinlock to request_phb_iospace()
  [POWERPC] Fix make rules for treeImage.initrd
  [POWERPC] Remove warning in mpic.c
  [POWERPC] Update pasemi_defconfig
  [POWERPC] pasemi: CONFIG_GENERIC_TBSYNC no longer needed
  [POWERPC] Update iseries_defconfig
  [POWERPC] Wire up some more syscalls
  [POWERPC] Fix bug adding properties with flatdevtree.c's ft_set_prop()
  [POWERPC] Remove fixup_bigphys_addr() for arch/powerpc to avoid link error
  ...

* master.kernel.org:/pub/scm/linux/kernel/git/davem/sparc-2.6:
  [SPARC64]: Fix sched_clock() et al.

* master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6:
  [IPV4]: Remove IPVS icmp hack from route.c for now.
  [IPV4]: Correct rp_filter help text.
  [TCP]: TCP_CONG_YEAH requires TCP_CONG_VEGAS
  [TCP] slow start: Make comments and code logic clearer.
  [BLUETOOTH]: Fix locking in hci_sock_dev_event().
  [NET]: Fix BMSR_100{HALF,FULL}2 defines in linux/mii.h
  [NET]: lockdep classes in register_netdevice

The slab manipulation functions should not be triggered by slabs that
are unresovable in the subset of slabs selected on the command line.
Signed-off-by: NChristoph Lameter <clameter@sgi.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

As pointed out by Jarek Poplawski, the patch

	[WORKQUEUE]: cancel_delayed_work: use del_timer() instead of del_timer_sync()
	commit: 071b6386

was wrong, it was merged by mistake after that.

From the changelog:

	after this patch:
		...
		delayed_work_timer_fn->__queue_work() in progress.

		The latter doesn't differ from the caller's POV,

it does make a difference if the caller calls flush_workqueue() after
cancel_delayed_work(), in that case flush_workqueue() can miss this
work_struct.
Signed-off-by: NOleg Nesterov <oleg@tv-sign.ru>
Cc: Jarek Poplawski <jarkao2@o2.pl>
Cc: David Howells <dhowells@redhat.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Revert: 2d771cd8

This is dangerous if enabled and a better solution to the
problem is being worked on.
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

The return value of crypto_hash_final isn't checked in test_hash_cycles.
This patch corrects this.  Thanks to Eric Sesterhenn for reporting this.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

SPARC64_NSEC_PER_CYC_SHIFT was set too high.
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

This reverts commit c8fdd247.

It turns out the kernel was correct, and the gcc complaint was a gcc
bug.  The preferred stack boundary is expressed not in bytes, but in the
the log2() of the preferred boundary, so "-mpreferred-stack-boundary=2"
is in fact exactly what we want, but a gcc that is compiled for x86-64
will consider it an error (because the 64-bit calling sequence says that
the stack should be 16-byte aligned) even if we are then using "-m32" to
generate 32-bit code.
Noted-by: NMikulas Patocka <mikulas@artax.karlin.mff.cuni.cz>
Cc: Jan Hubicka <jh@suse.cz>
Acked-by: NAndi Kleen <ak@suse.de>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

Turning it into a boolean was unnecessary and caused ALGAPI to be
pinned down as a boolean to.  This patch makes it a tristate again.
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>

* git://git.linux-nfs.org/pub/linux/nfs-2.6:
  SUNRPC: Fix sparse warnings
  NLM: Fix sparse warnings
  NFS: Fix more sparse warnings
  NFS: Fix some 'sparse' warnings...
  SUNRPC: remove dead variable 'rpciod_running'
  NFS4: Fix incorrect use of sizeof() in fs/nfs/nfs4xdr.c
  NFS: use zero_user_page
  NLM: don't use CLONE_SIGHAND in nlmclnt_recovery
  NLM: Fix locking client timeouts...

* 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik/libata-dev:
  sata_via: pcim_iomap_regions() conversion missed BAR5
  libata: remove libata.spindown_compat
  sata_nv: fix fallout of devres conversion
  drivers/ata: remove the wildcard from sata_nv driver

pcim_iomap_regions() conversion missed BAR5.  Fix it.
Signed-off-by: NTejun Heo <htejun@gmail.com>
Signed-off-by: NJeff Garzik <jeff@garzik.org>

With STANDBYDOWN tracking added, libata.spindown_compat isn't
necessary anymore.  If userspace shutdown(8) issues STANDBYNOW, libata
warns.  If userspace shutdown(8) doesn't issue STANDBYNOW, libata does
the right thing.  Userspace can tell whether kernel supports spindown
by testing whether sysfs node manage_start_stop exists as before.
Signed-off-by: NTejun Heo <htejun@gmail.com>
Signed-off-by: NJeff Garzik <jeff@garzik.org>

As with all other drivers, sata_nv's hpriv is allocated with
devm_kzalloc() and there's no need to free it explicitly.  Kill
nv_remove_one() which incorrectly used kfree() instead of devm_kfree()
and use ata_pci_remove_one() directly.

Original fix is from Peer Chen.
Signed-off-by: NTejun Heo <htejun@gmail.com>
Cc: Peer Chen <pchen@nvidia.com>
Signed-off-by: NJeff Garzik <jeff@garzik.org>

Because nvidia SATA controllers onward base on AHCI, so wildcard in sata_nv
driver is unnecessary.  Also the wildcard sometimes cause sata_nv driver to
be loaded for AHCI controllers,which is not as expected.
Signed-off-by: NPeer Chen <pchen@nvidia.com>
Cc: Tejun Heo <htejun@gmail.com>
Cc: Jeff Garzik <jeff@garzik.org>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NJeff Garzik <jeff@garzik.org>

pci_enable_msi failure is a normal event so we should not print any error.
Going over the code I spotted a missing pci_disable_msi() leak when irq
allocation fails. The whole code also needed a cleanup, so I combined the
two different calls to pci_request_irq into a single call making this
look a lot better. All #ifdef CONFIG_PCI_MSI's have been removed.

Compile tested with both CONFIG_PCI_MSI enabled and disabled.
Signed-off-by: NAuke Kok <auke-jan.h.kok@intel.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: NJeff Garzik <jeff@garzik.org>

pci_enable_msi calls can fail for normal operational reasons. Driver
should not print an error message in that case. Fix a leak that leaves
msi enabled if pci_request_irq fails. We can remove CONFIG_PCI_MSI
ifdefs alltogether
Signed-off-by: NAuke Kok <auke-jan.h.kok@intel.com>
Signed-off-by: NJeff Garzik <jeff@garzik.org>

NetXen: Fix for driver on System-p
This patch will fix a ping issue on system-p

Signed-off by: Milan Bag <mbag@netxen.com>
Signed-off by: Adhiraj Joshi <adhiraj@netxen.com>
Signed-by: NMithlesh Thukral <mithlesh@netxen.com>
Signed-off-by: NJeff Garzik <jeff@garzik.org>

Spidernet was the driver I original did all the node-aware netdevice
allocation for, but after a year it still hasn't hit mainline.
Signed-off-by: NChristoph Hellwig <hch@lst.de>
Signed-off-by: NLinas Vepstas <linas@austin.ibm.com>
Signed-off-by: NJeff Garzik <jeff@garzik.org>

The hardware must not see that is given ownership of a buffer until it is
completely written, and when the driver receives ownership of a buffer,
it must ensure that any other reads to the buffer reflect its final
state.  Thus, I/O barriers are added where required.

Without this patch, I have observed GCC reordering the setting of
bdp->length and bdp->status in gfar_new_skb.  Hardware reordering
was also theoretically possible.
Signed-off-by: NScott Wood <scottwood@freescale.com>
Signed-off-by: NJeff Garzik <jeff@garzik.org>

Fix link speed detection change.
Thanks to Stefan Roese <sr@denx.de> for finding this bug.

CC: Stefan Roese <sr@denx.de>
Signed-off-by: NEugene Surovegin <ebs@ebshome.net>
Signed-off-by: NJeff Garzik <jeff@garzik.org>

Original patch is from Jeff Haran  <jharan@brocade.com> with my minor style
fixes. His comments follow:

The first problem was in the function that configures the PHY for
autonegotiation, genmii_setup_aneg(). The original code does a
read/modify/write of the autonegotiation advertizement register (reg 4),
followed by a read/modify/write of the control register (reg 0). While
the original code follows the proper procedure as per reading the IEEE
specs, what I found is that on at least one PHY model (National DP83843)
the read of the control register comes back with the soft reset bit set
(bit 15). Because of the read/modify/write operation, this causes the
write to write a 1 back to the reset bit, which initiates a software
reset of the PHY. This software reset causes the PHY to return to its
power up state which advertizes all modes of operation, thus negating
the write to the autoneg advertizement register. The modification is to
spin reading the control register until the soft reset bit is clear
before doing the modify/write.
The second problem was in the function that configures the PHY for
forced operation, genmii_setup_forced(). The original code initiates a
software reset operation via a write of a 1 to bit 15 of the control
register (reg 0), but then proceeds to do a second write to that same
register without waiting until that reset bit is cleared by the PHY
itself (which according to the IEEE specs indicates that the PHY reset
is complete). This is a violation of how one is supposed to use this
software reset feature of these PHYs and I believe was the cause of
mysterious, difficult to reproduce link failures that we've observed on
some of our systems that use this driver. The fix is to modify the
function so that it spins waiting for the reset bit to clear after doing
the soft reset and before doing the subsequent write.
Signed-off-by: NJeff Haran <jharan@brocade.com>
CC: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: NEugene Surovegin <ebs@ebshome.net>
Signed-off-by: NJeff Garzik <jeff@garzik.org>

Fix "Section mismatch" warnings
Signed-off-by: NEugene Surovegin <ebs@ebshome.net>
Signed-off-by: NJeff Garzik <jeff@garzik.org>

Signed-off-by: NChristoph Hellwig <hch@lst.de>
Signed-off-by: NJeff Garzik <jeff@garzik.org>

Do some memory barrier changes for safety/perfomance:
Don't need read after update to index, mmiowb() followed by read at end
of irq is sufficient.
Signed-off-by: NStephn Hemminger <shemminger@linux-foundation.org>
Signed-off-by: NJeff Garzik <jeff@garzik.org>