The usbfs driver manages a list of completed asynchronous URBs.  But
it is too eager to free the entries on this list: destroy_async() gets
called whenever an interface is unbound or a device is removed, and it
deallocates the outstanding struct async entries for all URBs on that
interface or device.  This is wrong; the user program should be able
to reap an URB any time after it has completed, regardless of whether
or not the interface is still bound or the device is still present.

This patch (as1222) moves the code for deallocating the completed list
entries from destroy_async() to usbdev_release().  The outstanding
entries won't be freed until the user program has closed the device
file, thereby eliminating any possibility that the remaining URBs
might still be reaped.

This fixes a bug in which a program can hang in the USBDEVFS_REAPURB
ioctl when the device is unplugged.
Reported-and-tested-by: NMartin Poupe <martin.poupe@upek.com>
Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
Cc: stable <stable@kernel.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

The driver already supports the 1 protocol support, so just add it to
the MODULE_DEVICE_TABLE entry so it properly picks up these devices.

Thanks to Jouni Rynö for pointing this out.
Reported-by: NJouni Ryno <Jouni.Ryno@fmi.fi>
Cc: stable <stable@kernel.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

open() will never succeed, as we always return -ENODEV.  Fix this
obvious bug.

Thanks to Jouni Ryno for reporting it.
Reported-by: NJouni Ryno <Jouni.Ryno@fmi.fi>
Cc: stable <stable@kernel.org>
Signed-off-by: NGreg Kroah-Hartman <gregkh@suse.de>

The following oops has been reported when dm-crypt runs over a loop device.

...
[   70.381058] Process loop0 (pid: 4268, ti=cf3b2000 task=cf1cc1f0 task.ti=cf3b2000)
...
[   70.381058] Call Trace:
[   70.381058]  [<d0d76601>] ? crypt_dec_pending+0x5e/0x62 [dm_crypt]
[   70.381058]  [<d0d767b8>] ? crypt_endio+0xa2/0xaa [dm_crypt]
[   70.381058]  [<d0d76716>] ? crypt_endio+0x0/0xaa [dm_crypt]
[   70.381058]  [<c01a2f24>] ? bio_endio+0x2b/0x2e
[   70.381058]  [<d0806530>] ? dec_pending+0x224/0x23b [dm_mod]
[   70.381058]  [<d08066e4>] ? clone_endio+0x79/0xa4 [dm_mod]
[   70.381058]  [<d080666b>] ? clone_endio+0x0/0xa4 [dm_mod]
[   70.381058]  [<c01a2f24>] ? bio_endio+0x2b/0x2e
[   70.381058]  [<c02bad86>] ? loop_thread+0x380/0x3b7
[   70.381058]  [<c02ba8a1>] ? do_lo_send_aops+0x0/0x165
[   70.381058]  [<c013754f>] ? autoremove_wake_function+0x0/0x33
[   70.381058]  [<c02baa06>] ? loop_thread+0x0/0x3b7

When a table is being replaced, it waits for I/O to complete
before destroying the mempool, but the endio function doesn't
call mempool_free() until after completing the bio.

Fix it by swapping the order of those two operations.

The same problem occurs in dm.c with md referenced after dec_pending.
Again, we swap the order.

Cc: stable@kernel.org
Signed-off-by: NMilan Broz <mbroz@redhat.com>
Signed-off-by: NAlasdair G Kergon <agk@redhat.com>

In the async encryption-complete function (kcryptd_async_done), the
crypto_async_request passed in may be different from the one passed to
crypto_ablkcipher_encrypt/decrypt.  Only crypto_async_request->data is
guaranteed to be same as the one passed in.  The current
kcryptd_async_done uses the passed-in crypto_async_request directly
which may cause the AES-NI-based AES algorithm implementation to panic.

This patch fixes this bug by only using crypto_async_request->data,
which points to dm_crypt_request, the crypto_async_request passed in.
The original data (convert_context) is gotten from dm_crypt_request.

[mbroz@redhat.com: reworked]
Cc: stable@kernel.org
Signed-off-by: NHuang Ying <ying.huang@intel.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: NMilan Broz <mbroz@redhat.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NAlasdair G Kergon <agk@redhat.com>

dm-io calls bio_get_nr_vecs to get the maximum number of pages to use
for a given device.  It allocates one additional bio_vec to use
internally but failed to respect BIO_MAX_PAGES, so fix this.

This was the likely cause of:
  https://bugzilla.redhat.com/show_bug.cgi?id=173153

Cc: stable@kernel.org
Signed-off-by: NMikulas Patocka <mpatocka@redhat.com>
Signed-off-by: NAlasdair G Kergon <agk@redhat.com>

Fix an error introduced in dm-table-rework-reference-counting.patch.

When there is failure after table initialization, we need to use
dm_table_destroy, not dm_table_put, to free the table.

dm_table_put may be used only after dm_table_get.

Cc: Kiyoshi Ueda <k-ueda@ct.jp.nec.com>
Signed-off-by: NMikulas Patocka <mpatocka@redhat.com>
Reviewed-by: NJonathan Brassow <jbrassow@redhat.com>
Reviewed-by: NAlasdair G Kergon <agk@redhat.com>
Signed-off-by: NAlasdair G Kergon <agk@redhat.com>

When renaming a mapped device validate the length of the new name.

The rename ioctl accepted any correctly-terminated string enclosed
within the data passed from userspace.  The other ioctls enforce a
size limit of DM_NAME_LEN.  If the name is changed and becomes longer
than that, the device can no longer be addressed by name.

Fix it by properly checking for device name length (including
terminating zero).

Cc: stable@kernel.org
Signed-off-by: NMilan Broz <mbroz@redhat.com>
Reviewed-by: NJonathan Brassow <jbrassow@redhat.com>
Reviewed-by: NAlasdair G Kergon <agk@redhat.com>
Signed-off-by: NAlasdair G Kergon <agk@redhat.com>

Impact: help prevent extinction of species

The Tasmanian Devil is a shy iconic Australian creature named for its
spine-chilling screech.  It is threatened with extinction due to a
scientifically interesting but horrific transmissible facial cancer.

This one is standing in for Tux for one release using the far less-known
Devil Facial Tux Disguise.

	Save The Tasmanian Devil http://tassiedevil.com.auSigned-off-by: NLinux.conf.au Hobart Team <contact@marchsouth.org>
Signed-off-by: NRusty Russell <rusty@rustcorp.com.au>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

include/linux/pci-acpi.h:74:

typedef u32                 acpi_status;

result is unsigned, so an error returned by acpi_bus_register_driver()
will not be noticed.
Signed-off-by: NRoel Kluin <roel.kluin@gmail.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLen Brown <len.brown@intel.com>

Looking at the source, there seems to be a missing * to match my DMI
string.  I mean for newer IBM and Lenovo's laptops you match either one
of the following:
MODULE_ALIAS("dmi:bvnIBM:*:svnIBM:*:pvrThinkPad*:rvnIBM:*");
MODULE_ALIAS("dmi:bvnLENOVO:*:svnLENOVO:*:pvrThinkPad*:rvnLENOVO:*");

While for older Thinkpads, you do this (for instance):
IBM_BIOS_MODULE_ALIAS("1[0,3,6,8,A-G,I,K,M-P,S,T]");

with IBM_BIOS_MODULE_ALIAS being MODULE_ALIAS("dmi:bvnIBM:bvr" __type "ET??WW")

Note there's no * terminating the string.  As result, udev doesn't load
anything because modprobe cannot find anything matching this (my
machine actually):

udevtest: run: '/sbin/modprobe dmi:bvnIBM:bvr1IET71WW(2.10):bd06/16/2006:svnIBM:pn236621U:pvrNotAv
Signed-off-by: NMathieu Chouquet-Stringer <mchouque@free.fr>
Acked-by: NHenrique de Moraes Holschuh <hmh@hmh.eng.br>
Signed-off-by: NLen Brown <len.brown@intel.com>

This driver has been around and used long enough that we can drop the
'experimental'.
Signed-off-by: NCarlos Corbacho <carlos@strangeworlds.co.uk>
Signed-off-by: NLen Brown <len.brown@intel.com>

ACPI-WMI isn't experimental anymore, and there are other drivers that now
depend on it that aren't either.
Signed-off-by: NCarlos Corbacho <carlos@strangeworlds.co.uk>
Signed-off-by: NLen Brown <len.brown@intel.com>

This is acer_rfkill_exit() from drivers/platform/x86/acer-wmi.c.

The code frees wireless_rfkill->data again instead of
bluetooth_rfkill->data.

This was found using a code checker (http://repo.or.cz/w/smatch.git/).
Signed-off-by: NDan Carpenter <error27@gmail.com>
Signed-off-by: NCarlos Corbacho <carlos@strangeworlds.co.uk>
Signed-off-by: NLen Brown <len.brown@intel.com>

"I hate `select' and will gleefully leap on any s/select/depends/ patch,
whether it works or not :)"
  Andrew Morton

select INPUT is not needed here, because if someone doesn't want INPUT,
he won't want these drivers either.
Signed-off-by: NCorentin Chary <corentincj@iksaif.net>
Signed-off-by: NLen Brown <len.brown@intel.com>

Like thinkpad_acpi or eeepc-laptop, asus-laptop will
now use "select" instead of "depends on"
for LEDS_CLASS, NEW_LEDS and BACKLIGHT_CLASS_DEVICE
Signed-off-by: NCorentin Chary <corentincj@iksaif.net>
Signed-off-by: NLen Brown <len.brown@intel.com>

Restore acpi_generate_proc_event() for backward
compatibility with old acpi scripts.
Signed-off-by: NCorentin Chary <corentincj@iksaif.net>
Signed-off-by: NLen Brown <len.brown@intel.com>

Restore acpi_generate_proc_event() for backward
compatibility with old acpi scripts.
Signed-off-by: NCorentin Chary <corentincj@iksaif.net>
Signed-off-by: NLen Brown <len.brown@intel.com>

It is hardly (if ever) possible but in case of broken _PXM entry we could
reach out of pxm_to_node_map array bounds in acpi_map_pxm_to_node() call.
Signed-off-by: NCyrill Gorcunov <gorcunov@openvz.org>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLen Brown <len.brown@intel.com>

There was a misplaced status test (two consequent tests without a
statement in between) in acpi_bus_init for ages.  Remove it, since the
function which should be checked (acpi_os_initialize1) has BUG_ONs on
failure paths.
Signed-off-by: NJiri Slaby <jirislaby@gmail.com>
Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: NLen Brown <len.brown@intel.com>

This is a supplement of commit 65df7847.
http://bugzilla.kernel.org/show_bug.cgi?id=12798Signed-off-by: NZhang Rui <rui.zhang@intel.com>
Signed-off-by: NLen Brown <len.brown@intel.com>

This reverts commit 5ec5d38a.
because it caused spurious dmesg warmings.
We'll implement the check for off-limit ports
in a more clever way in the future.

http://bugzilla.kernel.org/show_bug.cgi?id=12758Signed-off-by: NLen Brown <len.brown@intel.com>

Switch the Asus Pundit P1-AH2 (M2N8L motherboard) to the old ACPI 1.0
sleep ordering by default.  Without this it will not suspend/resume
correctly.
Signed-off-by: NAndy Whitcroft <apw@canonical.com>
Tested-by: NDustin Kirkland <kirkland@canonical.com>
Signed-off-by: NLen Brown <len.brown@intel.com>

It fails on the following systems:
- RTL8169sc/8110sc (XID 18000000)
  reported by Tim Durack <tdurack@gmail.com> (x86)
- RTL8169sb/8110sb (XID 10000000)
  reported by Mikael Pettersson <mikpe@it.uu.se> (ARM)

The patch appeared to work on x86 for the following systems:
RTL8169sb/8110sb 10000000 PCI   (EXT)
RTL8110s         04000000 PCI   (EXT)
RTL8102e         24a00000 PCI-E (LOM)
RTL8168c/8111c   3c2000c0 PCI-E (LOM)
RTL8168b/8111b   38000000 PCI-E (LOM)
RTL8168b/8111b   38000000 PCI-E (EXT)

The patch exposes two problems:
1) while not completely wrong, mac addresses are not read correctly
   from the EEPROM
2) the MAC address registers are not correctly set
Signed-off-by: NFrancois Romieu <romieu@fr.zoreil.com>
Tested-by: NMikael Pettersson <mikpe@it.uu.se>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

It shortens the code and fixes the current pci_unmap leak with
padded skb reported by Dave Jones.
Signed-off-by: NFrancois Romieu <romieu@fr.zoreil.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

CC      drivers/parisc/sba_iommu.o
drivers/parisc/sba_iommu.c:1373: error: expected identifier or '('
before '}' token
make[2]: *** [drivers/parisc/sba_iommu.o] Error 1
make[1]: *** [drivers/parisc] Error 2
make: *** [drivers] Error 2

Don't know how this has gone missed for so long... clearly I need
to do builds on my C8000 more often.
Signed-off-by: NKyle McMartin <kyle@mcmartin.ca>
Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>

The L0s workaround should be moved into a pci quirk and so it is not
necessary in the driver.  This update removes the L0s workaround from the
igb driver.

This was the second half of the PCI quirk patch that Matthew Wilcox did
not pick up when he picked up the quirk patch.
Signed-off-by: NAlexander Duyck <alexander.h.duyck@intel.com>
Signed-off-by: NJeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

The SystemACE driver does not handle an empty CF slot gracefully. An
empty CF slot ends up hanging the system. This patch adds a check for
the CF state and stops trying to process requests if the slot is empty.
Signed-off-by: NGrant Likely <grant.likely@secretlab.ca>
Signed-off-by: NJens Axboe <jens.axboe@oracle.com>

Remove flash size check which made sense only for ancient
boards with 1MB flash. The check is based on values read
from specific locations and fails with firmware size changes.

This prevents driver from getting right mac addresses.
Signed-off-by: NDhananjay Phadke <dhananjay@netxen.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

When mv643xx_eth_open() is called to up an interface, port_start()
will first re-program the unicast address filter, and then
re-initialise the PORT_CONFIG register, but that will disable unicast
promiscuous mode if it was enabled by the unicast address filter setup.

This isn't a problem on ifconfig up, as ->set_rx_mode() will be called
shortly afterwards which will program the filters again, but it does
trigger when changing the MTU, which calls mv643xx_eth_stop() and then
mv643xx_eth_open() by hand to repopulate the receive rings with skbuffs
of the new size.

Swap the initialisation of the PORT_START register and the call to
the unicast filter setup function to fix this.
Signed-off-by: NLennert Buytenhek <buytenh@marvell.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

The EMAC variant in the 405EX and 405EXr chips needs the "440EP" type clock
control workaround to avoid lockups of the Rx side during reset.
Signed-off-by: NBenjamin Herrenschmidt <benh@kernel.crashing.org>
Tested-by: NFelix Radensky <felix@embedded-sol.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Multiple unicast address support appears to have been broken with the
change to support net_device_ops.  This a regression from 2.6.28 to 2.6.29.

I'm not 100% on whether ndo_set_multicast_list can be NULL after this
or not.  If ndo_set_rx_mode is set everything _should_ be using it.
Signed-off-by: NChris Leech <christopher.leech@intel.com>
Acked-by: NPeter P Waskiewicz Jr <peter.p.waskiewicz.jr@intel.com>
Signed-off-by: NJeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

From: Dave Jones <davej@redhat.com>

The dma-debug changes caught that this driver uses the
wrong DMA mapping length when skb_padto() does something.

With suggestions from Eric Dumazet.
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

dma_map_sg could return a value different to 'nents' argument of
dma_map_sg so the ide stack needs to save it for the later usage
(e.g. for_each_sg).

The ide stack also needs to save the original sg_nents value for
pci_unmap_sg.
Signed-off-by: NFUJITA Tomonori <fujita.tomonori@lab.ntt.co.jp>
[bart: backport to Linus' tree]
Signed-off-by: NBartlomiej Zolnierkiewicz <bzolnier@gmail.com>

since it fails the virt_to_page() translation check with DEBUG_VIRTUAL
enabled.
Signed-off-by: NBorislav Petkov <petkovbb@gmail.com>
[bart: backport to Linus' tree]
Signed-off-by: NBartlomiej Zolnierkiewicz <bzolnier@gmail.com>

Samsung DB-P70 somehow botched the first ICH9 SATA port.  The board
doesn't expose the first port but somehow SStatus reports link online
while failing SRST protocol leading to repeated probe failures and
thus long boot delay.

Because the BIOS doesn't carry any identifying DMI information, the
port can't be blacklisted safely.  Fortunately, the controller does
have subsystem vendor and ID set.  It's unclear whether the subsystem
IDs are used only for the board but it can be safely worked around by
disabling SIDPR access and just using SRST works around the problem.
Even when the workaround is triggered on an unaffected board the only
side effect will be missing SCR access.
Signed-off-by: NTejun Heo <tj@kernel.org>
Reported-by: NJoseph Jang <josephjang@gmail.com>
Reported-by: NJonghyon Sohn <mrsohn@gmail.com>
Signed-off-by: NJeff Garzik <jgarzik@redhat.com>

libata keeps a shadow copy of the ATA CTL register (which is write only),
and only writes to the hardware when the required value doesn't match
the shadow. However this copy wasn't being maintained when performing
reset functions. This could cause problems for the first operation after
a reset when the correct value might not be written to the CTL register.

This problem was observed when hotplugging a drive: the identify command
was being issued with interrupts enabled, when they should have been
disabled.
Signed-off-by: NStuart Menefy <stuart.menefy@st.com>
Signed-off-by: NJeff Garzik <jgarzik@redhat.com>

Fix a (rare) race condition in mv_interrupt() when using MSI.

The value of hpriv->main_irq_mask_addr can change on on the fly,
and without this patch we could end up writing back a stale copy
to the hardware.
Signed-off-by: NMark Lord <mlord@pobox.com>
Signed-off-by: NJeff Garzik <jgarzik@redhat.com>

With some asic configurations xmit of frames smaller than 60 bytes may
fail.
Signed-off-by: NRon Mercer <ron.mercer@qlogic.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Moving netif_napi_del() up the call chain so it will get called from all
exit points.
Signed-off-by: NRon Mercer <ron.mercer@qlogic.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>