linux-toradex.git/drivers, branch v2.6.16.44 Linux kernel for Apalis and Colibri modules pwc-uncompress.c shouldn't #include <asm/current.h> 2007-03-14T21:25:08+00:00 Hugh Dickins hugh@veritas.com 2007-03-14T21:25:08+00:00 955d349bbe2e784b5422e1341ad17829f95bc9fa Fix a compile error on powerpc. Signed-off-by: Adrian Bunk <bunk@stusta.de> 
Fix a compile error on powerpc.

Signed-off-by: Adrian Bunk <bunk@stusta.de>
Fix buffer overflow in Omnikey CardMan 4040 driver (CVE-2007-0005) 2007-03-11T06:39:14+00:00 Marcel Holtmann marcel@holtmann.org 2007-03-11T06:39:14+00:00 dfe67217aea3eb4ecbab736903f6ecee3458b8a8 Based on a patch from Don Howard <dhoward@redhat.com> When calling write() with a buffer larger than 512 bytes, the driver's write buffer overflows, allowing to overwrite the EIP and execute arbitrary code with kernel privileges. In read(), there exists a similar problem, but coming from the device. A malicous or buggy device sending more than 512 bytes can overflow of the driver's read buffer, with the same effects as above. Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> 
Based on a patch from Don Howard <dhoward@redhat.com>

When calling write() with a buffer larger than 512 bytes, the
driver's write buffer overflows, allowing to overwrite the EIP and
execute arbitrary code with kernel privileges.

In read(), there exists a similar problem, but coming from the device.
A malicous or buggy device sending more than 512 bytes can overflow
of the driver's read buffer, with the same effects as above.

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
IB/mthca: Fix off-by-one in FMR handling on memfree 2007-03-11T06:37:12+00:00 Michael S. Tsirkin mst@mellanox.co.il 2007-03-11T06:37:12+00:00 59d2b001518d200ba99d213e41c892f5fe750d07 From: Michael S. Tsirkin <mst@mellanox.co.il> mthca_table_find() will return the wrong address when the table entry being searched for is exactly at the beginning of a sglist entry (other than the first), because it uses >= when it should use >. Example: assume we have 2 entries in scatterlist, 4K each, offset is 4K. The current code will return first entry + 4K when we really want the second entry. In particular this means mapping an FMR on a memfree HCA may end up writing the page table into the wrong place, leading to memory corruption and also causing the HCA to use an incorrect address translation table. Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il> Signed-off-by: Roland Dreier <rolandd@cisco.com> Signed-off-by: Adrian Bunk <bunk@stusta.de> 
From: Michael S. Tsirkin <mst@mellanox.co.il>

mthca_table_find() will return the wrong address when the table entry
being searched for is exactly at the beginning of a sglist entry
(other than the first), because it uses >= when it should use >.

Example: assume we have 2 entries in scatterlist, 4K each, offset is 4K.
The current code will return first entry + 4K when we really want
the second entry.

In particular this means mapping an FMR on a memfree HCA may end up
writing the page table into the wrong place, leading to memory
corruption and also causing the HCA to use an incorrect address
translation table.

Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
IPoIB: Rejoin all multicast groups after a port event 2007-03-11T06:36:27+00:00 Eli Cohen eli@mellanox.co.il 2007-03-11T06:36:27+00:00 4b3c56f0239d50fff032d3ff53f7b7509d10b53b When ipoib_ib_dev_flush() is called because of a port event, the driver needs to rejoin all multicast groups, since the flush will call ipoib_mcast_dev_flush() (via ipoib_ib_dev_down()). Otherwise no (non-broadcast) multicast groups will be rejoined until the networking core calls ->set_multicast_list again, and so multicast reception will be broken for potentially a long time. Signed-off-by: Eli Cohen <eli@mellanox.co.il> Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il> Signed-off-by: Roland Dreier <rolandd@cisco.com> Signed-off-by: Adrian Bunk <bunk@stusta.de> 
When ipoib_ib_dev_flush() is called because of a port event, the
driver needs to rejoin all multicast groups, since the flush will call
ipoib_mcast_dev_flush() (via ipoib_ib_dev_down()).  Otherwise no
(non-broadcast) multicast groups will be rejoined until the networking
core calls ->set_multicast_list again, and so multicast reception will
be broken for potentially a long time.

Signed-off-by: Eli Cohen <eli@mellanox.co.il>
Signed-off-by: Michael S. Tsirkin <mst@mellanox.co.il>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
IB/mthca: Use mmiowb after doorbell ring 2007-03-11T06:35:15+00:00 Arthur Kepner akepner@sgi.com 2007-03-11T06:35:15+00:00 11bb9d392c1d5b63e2b9a0c8cc8a64cf49808757 We discovered a problem when running IPoIB applications on multiple CPUs on an Altix system. Many messages such as: ib_mthca 0002:01:00.0: SQ 000014 full (19941644 head, 19941707 tail, 64 max, 0 nreq) appear in syslog, and the driver wedges up. Apparently this is because writes to the doorbells from different CPUs reach the device out of order. The following patch adds mmiowb() calls after doorbell rings to ensure the doorbell writes are ordered. Signed-off-by: Arthur Kepner <akepner@sgi.com> Signed-off-by: Roland Dreier <rolandd@cisco.com> Signed-off-by: Adrian Bunk <bunk@stusta.de> 
We discovered a problem when running IPoIB applications on multiple
CPUs on an Altix system. Many messages such as:

ib_mthca 0002:01:00.0: SQ 000014 full (19941644 head, 19941707 tail, 64 max, 0 nreq)

appear in syslog, and the driver wedges up.

Apparently this is because writes to the doorbells from different CPUs
reach the device out of order. The following patch adds mmiowb() calls
after doorbell rings to ensure the doorbell writes are ordered.

Signed-off-by: Arthur Kepner <akepner@sgi.com>
Signed-off-by: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
dvb-core: fix bug in CRC-32 checking on 64-bit systems 2007-03-09T07:32:38+00:00 Ang Way Chuang wcang@nrg.cs.usm.my 2007-03-09T07:32:38+00:00 90aab35b1626fce37326ea18cc54d7ff5ffa5ab6 CRC-32 checking during ULE decapsulation always failed on x86_64 systems due to the size of a variable used to store CRC. This bug was discovered on Fedora Core 6 with kernel-2.6.18-1.2849. The i386 counterpart has no such problem. This patch has been tested on 64-bit system as well as 32-bit system. Signed-off-by: Ang Way Chuang <wcang@nrg.cs.usm.my> Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> 
CRC-32 checking during ULE decapsulation always failed on x86_64 systems due
to the size of a variable used to store CRC. This bug was discovered on
Fedora Core 6 with kernel-2.6.18-1.2849. The i386 counterpart has no such
problem. This patch has been tested on 64-bit system as well as 32-bit system.

Signed-off-by: Ang Way Chuang <wcang@nrg.cs.usm.my>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
DVB: cxusb: fix firmware patch for big endian systems 2007-03-08T07:41:19+00:00 Jin-Bong lee jinbong.lee@samsung.com 2007-03-08T07:41:19+00:00 8cf5c27708b395705f9878e3b444dd9378e14f60 Without this patch, the device will not be detected after firmware download on big endian systems. Signed-off-by: Jin-Bong lee <jinbong.lee@samsung.com> Signed-off-by: Michael Krufky <mkrufky@linuxtv.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> 
Without this patch, the device will not be detected after firmware download
on big endian systems.

Signed-off-by: Jin-Bong lee <jinbong.lee@samsung.com>
Signed-off-by: Michael Krufky <mkrufky@linuxtv.org>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
[SPARC64] bbc_i2c: Fix kenvctrld eating %100 cpu. 2007-03-08T07:36:44+00:00 David S. Miller davem@davemloft.net 2007-03-08T07:36:44+00:00 e61f6a0e0627eeaaaae5cef83f877e77f64cc607 Based almost entirely upon a patch by Joerg Friedrich Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> 
Based almost entirely upon a patch by Joerg Friedrich

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
video/aty/mach64_ct.c: fix bogus delay loop 2007-03-08T07:17:20+00:00 David S. Miller davem@davemloft.net 2007-03-08T07:17:20+00:00 2d3bc628ad9b9c883f94a2d5a9ad48b0a95101a3 CT based mach64 cards were reported to hang on sparc64 boxes when compiled with gcc-4.1.x and later. Looking at this piece of code, it's no surprise. A critical delay was implemented as an empty for() loop, and gcc 4.0.x and previous did not optimize it away, so we did get a delay. But gcc-4.1.x and later can optimize it away, and we get crashes. Use a real udelay() to fix this. Fix verified on SunBlade100. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Adrian Bunk <bunk@stusta.de> 
CT based mach64 cards were reported to hang on sparc64 boxes when
compiled with gcc-4.1.x and later.

Looking at this piece of code, it's no surprise.  A critical
delay was implemented as an empty for() loop, and gcc 4.0.x
and previous did not optimize it away, so we did get a delay.

But gcc-4.1.x and later can optimize it away, and we get crashes.

Use a real udelay() to fix this.  Fix verified on SunBlade100.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
modify 3c589_cs to be SMP safe 2007-03-08T07:13:04+00:00 Komuro komurojun-mbn@nifty.com 2007-03-08T07:13:04+00:00 1a6b8d666d090d821cbc9c07d788ac85639d74c8 1. EL3WINDOW is always 1 when lock is not held. 2. The second argument of el3_interrupt is 'void *dev_id', not 'struct el3_private *lp'. Adrian Bunk: backported to 2.6.16 Signed-off-by: Komuro <komurojun-mbn@nifty.com> Signed-off-by: Adrian Bunk <bunk@stusta.de> 
1. EL3WINDOW is always 1 when lock is not held.

2. The second argument of el3_interrupt is 'void *dev_id',
not 'struct el3_private *lp'.

Adrian Bunk:
backported to 2.6.16

Signed-off-by: Komuro <komurojun-mbn@nifty.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>