aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAge
* drm: fix leak of uninitialized data to userspaceVegard Nossum2008-12-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | ...so drm_getunique() is trying to copy some uninitialized data to userspace. The ECX register contains the number of words that are left to copy -- so there are 5 * 4 = 20 bytes left. The offset of the first uninitialized byte (counting from the start of the string) is also 20 (i.e. 0xf65d2294&((1 << 5)-1) == 20). So somebody tried to copy 40 bytes when the string was only 19 long. In drm_set_busid() we have this code: dev->unique_len = 40; dev->unique = drm_alloc(dev->unique_len + 1, DRM_MEM_DRIVER); ... len = snprintf(dev->unique, dev->unique_len, pci:%04x:%02x:%02x.%d", ...so it seems that dev->unique is never updated to reflect the actual length of the string. The remaining bytes (20 in this case) are random uninitialized bytes that are copied into userspace. This patch fixes the problem by setting dev->unique_len after the snprintf(). airlied- I've had to fix this up to store the alloced size so we have it for drm_free later. Reported-by: Sitsofe Wheeler <sitsofe@yahoo.com> Signed-off-by: Vegard Nossum <vegardno@thuin.ifi.uio.no> Signed-off-by: Dave Airlie <airlied@redhat.com>
* drm: move to kref per-master structures.Dave Airlie2008-12-29
| | | | | | | | | | | | | | | | This is step one towards having multiple masters sharing a drm device in order to get fast-user-switching to work. It splits out the information associated with the drm master into a separate kref counted structure, and allocates this when a master opens the device node. It also allows the current master to abdicate (say while VT switched), and a new master to take over the hardware. It moves the Intel and radeon drivers to using the sarea from within the new master structures. Signed-off-by: Dave Airlie <airlied@redhat.com>
* drm: cleanup exit path for module unloadDave Airlie2008-12-29
| | | | | | | | The current sub-module unload exit path is a mess, it tries to abuse the idr. Just keep a list of devices per driver struct and free them in-order on rmmod. Signed-off-by: Dave Airlie <airlied@redhat.com>
* Linux 2.6.28v2.6.28Linus Torvalds2008-12-24
| | | | Happy holidays..
* Merge branch 'for_linus' of ↵Linus Torvalds2008-12-24
|\ | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-2.6 * 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-2.6: V4L/DVB (9920): em28xx: fix NULL pointer dereference in call to VIDIOC_INT_RESET command V4L/DVB (9908a): MAINTAINERS: mark linux-uvc-devel as subscribers only V4L/DVB (9906): v4l2-compat: test for unlocked_ioctl as well. V4L/DVB (9885): drivers/media Kconfig's: fix bugzilla #12204 V4L/DVB (9875): gspca - main: Fix vidioc_s_jpegcomp locking. V4L/DVB (9781): [PATCH] Cablestar 2 I2C retries (fix CableStar2 support) V4L/DVB (9780): dib0700: Stop repeating after user stops pushing button
| * V4L/DVB (9920): em28xx: fix NULL pointer dereference in call to ↵Devin Heitmueller2008-12-23
| | | | | | | | | | | | | | | | | | | | VIDIOC_INT_RESET command Fix a NULL pointer dereference that would occur if the video decoder tied to the em28xx supports the VIDIOC_INT_RESET call (for example: the cx25840 driver) Signed-off-by: Devin Heitmueller <dheitmueller@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
| * V4L/DVB (9908a): MAINTAINERS: mark linux-uvc-devel as subscribers onlyJiri Slaby2008-12-17
| | | | | | | | | | | | | | | | | | | | | | Posting to linux-uvc-devel is restricted to members. You can subscribe to the list at ... MAINTAINERS | 2 +- Signed-off-by: Jiri Slaby <jirislaby@gmail.com> Acked-by: Laurent Pinchart <laurent.pinchart@skynet.be> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
| * V4L/DVB (9906): v4l2-compat: test for unlocked_ioctl as well.Hans Verkuil2008-12-16
| | | | | | | | | | | | | | | | | | The v4l_compat_ioctl32() function only tested for the presence of the ioctl op, not for unlocked_ioctl. So it would always return an error when used with drivers that use unlocked_ioctl instead of ioctl. Signed-off-by: Hans Verkuil <hverkuil@xs4all.nl> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
| * V4L/DVB (9885): drivers/media Kconfig's: fix bugzilla #12204Mauro Carvalho Chehab2008-12-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When the tuner modules were moved to common/tuners, a separate customize option were added for tuners. However, the automatic selection of the tuners were still using the older option. This causes that the automatic selection to fail, if DVB_FE_CUSTOMISE is selected. Also, since those tuners are now under MEDIA_TUNER_CUSTOMIZE menu, if you unset MEDIA_TUNER_CUSTOMIZE, you can't manually select the tuners. This patch fixes this error by replacing DVB_FE_CUSTOMISE by MEDIA_TUNER_CUSTOMIZE on all places were a tuner is selected. The patch were generated by this small script: for i in `find drivers/media -name Kconfig`; do cat $i|perl -ne 's/(MEDIA_TUNER.*)DVB_FE_CUSTOMISE/\1MEDIA_TUNER_CUSTOMIZE/; print $_' >a mv a $i done Also, manually reordered the tuner entries. Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
| * V4L/DVB (9875): gspca - main: Fix vidioc_s_jpegcomp locking.Jim Paris2008-12-16
| | | | | | | | | | | | Signed-off-by: Jim Paris <jim@jtan.com> Signed-off-by: Jean-Francois Moine <moinejf@free.fr> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
| * V4L/DVB (9781): [PATCH] Cablestar 2 I2C retries (fix CableStar2 support)Antti Seppälä2008-12-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | At some point the Flexcop driver was changed to support newer Flexcop cards. These modifications however broke the detection of Cablestar 2 DVB-C cards. The reason is that the earlier version of the driver used to retry unsuccessful i2c operations. The demodulator of Cablestar 2 cards (stv0297) seems to be very dependent on these retries and adding them back fixes Cablestar detection. This patch restores this behaviour for the CableStar2. Signed-off-by: Antti Seppälä <a.seppala@gmail.com> Signed-off-by: Patrick Boettcher <pb@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
| * V4L/DVB (9780): dib0700: Stop repeating after user stops pushing buttonDevin Heitmueller2008-12-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A user noticed that there would continue to be 4-6 keypresses even after the user stopped holding down the button. This was because we were not reading the bulk pipe faster than the firmware was injecting information, which would result in a backlog. Make the query interval faster, and increase the number of cycles before we start repeating to compensate. Thanks to Knud Poulsen <knud.poulsen@nokia.com> for pointing this out. Signed-off-by: Devin Heitmueller <devin.heitmueller@gmail.com> Signed-off-by: Patrick Boettcher <pb@linuxtv.org> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
* | Merge branch 'x86-fixes-for-linus' of ↵Linus Torvalds2008-12-24
|\ \ | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip * 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: x86: disable X86_PTRACE_BTS
| * | x86: disable X86_PTRACE_BTSIngo Molnar2008-12-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | there's a new ptrace arch level feature in .28: config X86_PTRACE_BTS bool "Branch Trace Store" it has broken fork() handling: the old DS area gets copied over into a new task without clearing it. Fixes exist but they came too late: c5dee61: x86, bts: memory accounting bf53de9: x86, bts: add fork and exit handling and are queued up for v2.6.29. This shows that the facility is still not tested well enough to release into a stable kernel - disable it for now and reactivate in .29. In .29 the hardware-branch-tracer will use the DS/BTS facilities too - hopefully resulting in better code. Signed-off-by: Ingo Molnar <mingo@elte.hu>
* | | Merge branch 'for-linus' of ↵Linus Torvalds2008-12-24
|\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6 * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound-2.6: ALSA: hda - Add missing terminators in patch_sigmatel.c
| * | | ALSA: hda - Add missing terminators in patch_sigmatel.cHerton Ronaldo Krzesinski2008-12-24
| | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: Herton Ronaldo Krzesinski <herton@mandriva.com.br> Cc: stable@kernel.org Signed-off-by: Takashi Iwai <tiwai@suse.de>
* | | | parisc: disable UP-optimized flush_tlb_mmKyle McMartin2008-12-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | flush_tlb_mm's "optimized" uniprocessor case of allocating a new context for userspace is exposing a race where we can suddely return to a syscall with the protection id and space id out of sync, trapping on the next userspace access. Debugged-by: James Bottomley <James.Bottomley@HansenPartnership.com> Tested-by: Helge Deller <deller@gmx.de> Signed-off-by: Kyle McMartin <kyle@mcmartin.ca> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* | | | Merge branch 'drm-fixes' of ↵Linus Torvalds2008-12-23
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6 * 'drm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/airlied/drm-2.6: drm/radeon: fix correctness of irq_enabled check for radeon.
| * | | | drm/radeon: fix correctness of irq_enabled check for radeon.Dave Airlie2008-12-22
| |/ / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This check was introduced with the logic the wrong way around. Fixes regression: http://bugzilla.kernel.org/show_bug.cgi?id=12216 Tested-by: François Valenduc <francois.valenduc@tvcablenet.be> Signed-off-by: Dave Airlie <airlied@redhat.com>
* | | | edac: fix edac core deadlock when removing a deviceHarry Ciao2008-12-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When deleting an edac device, we have to wait for its edac_dev.work to be completed before deleting the whole edac_dev structure. Since we have no idea which work in current edac_poller's workqueue is the work we are conerned about, we wait for all work in the edac_poller's workqueue to be proceseed. This is done via flush_cpu_workqueue() which inserts a wq_barrier into the tail of the workqueue and then sleeping on the completion of this wq_barrier. The edac_poller will wake up sleepers when it is found. EDAC core creates only one kernel worker thread, edac_poller, to run the works of all current edac devices. They share the same callback function of edac_device_workq_function(), which would grab the mutex of device_ctls_mutex first before it checks the device. This is exactly where edac_poller and rmmod would have a great chance to deadlock. In below call trace of rmmod > ... > edac_device_del_device > edac_device_workq_teardown > flush_workqueue > flush_cpu_workqueue, device_ctls_mutex would have already been grabbed by edac_device_del_device(). So, on one hand rmmod would sleep on the completion of a wq_barrier, holding device_ctls_mutex; on the other hand edac_poller would be blocked on the same mutex when it's running any one of works of existing edac evices(Note, this edac_dev.work is likely to be totally irrelevant to the one that is being removed right now)and never would have a chance to run the work of above wq_barrier to wake rmmod up. edac_device_workq_teardown() should not be called within the critical region of device_ctls_mutex. Just like is done in edac_pci_del_device() and edac_mc_del_mc(), where edac_pci_workq_teardown() and edac_mc_workq_teardown() are called after related mutex are released. Moreover, an edac_dev.work should check first if it is being removed. If this is the case, then it should bail out immediately. Since not all of existing edac devices are to be removed, this "shutting flag" should be contained to edac device being removed. The current edac_dev.op_state can be used to serve this purpose. The original deadlock problem and the solution have been witnessed and tested on actual hardware. Without the solution, rmmod an edac driver would result in below deadlock: root@localhost:/root> rmmod mv64x60_edac EDAC DEBUG: mv64x60_dma_err_remove() EDAC DEBUG: edac_device_del_device() EDAC DEBUG: find_edac_device_by_dev() (hang for a moment) INFO: task edac-poller:2030 blocked for more than 120 seconds. "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. edac-poller D 00000000 0 2030 2 Call Trace: [df159dc0] [c0071e3c] free_hot_cold_page+0x17c/0x304 (unreliable) [df159e80] [c000a024] __switch_to+0x6c/0xa0 [df159ea0] [c03587d8] schedule+0x2f4/0x4d8 [df159f00] [c03598a8] __mutex_lock_slowpath+0xa0/0x174 [df159f40] [e1030434] edac_device_workq_function+0x28/0xd8 [edac_core] [df159f60] [c003beb4] run_workqueue+0x114/0x218 [df159f90] [c003c674] worker_thread+0x5c/0xc8 [df159fd0] [c004106c] kthread+0x5c/0xa0 [df159ff0] [c0013538] original_kernel_thread+0x44/0x60 INFO: task rmmod:2062 blocked for more than 120 seconds. "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. rmmod D 0ff2c9fc 0 2062 1839 Call Trace: [df119c00] [c0437a74] 0xc0437a74 (unreliable) [df119cc0] [c000a024] __switch_to+0x6c/0xa0 [df119ce0] [c03587d8] schedule+0x2f4/0x4d8 [df119d40] [c03591dc] schedule_timeout+0xb0/0xf4 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* | | | cgroups: avoid accessing uninitialized data in failure pathLi Zefan2008-12-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If cgroup_get_rootdir() failed, free_cg_links() will be called in the failure path, but tmp_cg_links hasn't been initialized at that time. I introduced this bug in the 2.6.27 merge window. Signed-off-by: Li Zefan <lizf@cn.fujitsu.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Cc: Paul Menage <menage@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* | | | cgroups: suppress bogus warning messagesSharyathi Nagesh2008-12-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Remove spurious warning messages that are thrown onto the console during cgroup operations. Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by: Sharyathi Nagesh <sharyathi@in.ibm.com> Acked-by: Serge E. Hallyn <serge@hallyn.com> Cc: Paul Menage <menage@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* | | | w1: fix slave selection on big-endian systemsEvgeniy Polyakov2008-12-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | During test of the w1-gpio driver i found that in "w1.c:679 w1_slave_found()" the device id is converted to little-endian with "cpu_to_le64()", but its not converted back to cpu format in "w1_io.c:293 w1_reset_select_slave()". Based on a patch created by Andreas Hummel. [akpm@linux-foundation.org: remove unneeded cast] Reported-by: Andreas Hummel <andi_hummel@gmx.de> Signed-off-by: Evgeniy Polyakov <zbr@ioremap.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* | | | rtc: rtc-isl1208: reject invalid datesChris Elston2008-12-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch for the rtc-isl1208 driver makes it reject invalid dates. Signed-off-by: Chris Elston <celston@katalix.com> [a.zummo@towertech.it: added comment explaining the check] Signed-off-by: Alessandro Zummo <a.zummo@towertech.it> Cc: Hebert Valerio Riedel <hvr@gnu.org> Cc: David Brownell <david-b@pacbell.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* | | | Merge branch 'release' of ↵Linus Torvalds2008-12-22
|\ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-acpi-2.6 * 'release' of git://git.kernel.org/pub/scm/linux/kernel/git/lenb/linux-acpi-2.6: ACPI: don't cond_resched() when irqs_disabled() ACPI: fix 2.6.28 acpi.debug_level regression
| * | | | ACPI: don't cond_resched() when irqs_disabled()Wu Fengguang2008-12-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The ACPI interpreter usually runs with irqs enabled. However, during suspend/resume it runs with irqs disabled to evaluate _GTS/_BFS, as well as by irqrouter_resume() which evaluates _CRS, _PRS, _SRS. http://bugzilla.kernel.org/show_bug.cgi?id=12252 Signed-off-by: Wu Fengguang <wfg@linux.intel.com> Signed-off-by: Len Brown <len.brown@intel.com>
| * | | | ACPI: fix 2.6.28 acpi.debug_level regressionBjorn Helgaas2008-12-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | acpi_early_init() was changed to over-write the cmdline param, making it really inconvenient to set debug flags at boot-time. Also, This sets the default level to "info", which is what all the ACPI drivers use. So to enable messages from drivers, you only have to supply the "layer" (a.k.a. "component"). For non-"info" ACPI core and ACPI interpreter messages, you have to supply both level and layer masks, as before. Signed-off-by: Bjorn Helgaas <bjorn.helgaas@hp.com> Signed-off-by: Len Brown <len.brown@intel.com>
* | | | | Merge git://git.kernel.org/pub/scm/linux/kernel/git/bart/ide-2.6Linus Torvalds2008-12-22
|\ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | * git://git.kernel.org/pub/scm/linux/kernel/git/bart/ide-2.6: drivers/ide/{cs5530.c,sc1200.c}: Move a dereference below a NULL test
| * | | | | drivers/ide/{cs5530.c,sc1200.c}: Move a dereference below a NULL testJulia Lawall2008-12-22
| | |/ / / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In each case, if the NULL test is necessary, then the dereference should be moved below the NULL test. The semantic patch that makes this change is as follows: (http://www.emn.fr/x-info/coccinelle/) // <smpl> @@ type T; expression E; identifier i,fld; statement S; @@ - T i = E->fld; + T i; ... when != E when != i if (E == NULL) S + i = E->fld; // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Acked-by: Sergei Shtylyov <sshtylyov@ru.mvista.com> Signed-off-by: Bartlomiej Zolnierkiewicz <bzolnier@gmail.com>
* | | | | Merge branch 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linusLinus Torvalds2008-12-22
|\ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * 'upstream' of git://ftp.linux-mips.org/pub/scm/upstream-linus: MIPS: MIPS64R2: Fix buggy __arch_swab64 MIPS: Fix preprocessor warnings flaged by GCC 4.4
| * | | | | MIPS: MIPS64R2: Fix buggy __arch_swab64David Daney2008-12-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The way the code is written it was assuming dshd has the function of a hypothetical dshw instruction ... Signed-off-by: David Daney <ddaney@caviumnetworks.com> Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
| * | | | | MIPS: Fix preprocessor warnings flaged by GCC 4.4David Daney2008-12-22
| |/ / / / | | | | | | | | | | | | | | | | | | | | Signed-off-by: David Daney <ddaney@caviumnetworks.com> Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
* | | | | Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6Linus Torvalds2008-12-22
|\ \ \ \ \ | |/ / / / |/| | | | | | | | | | | | | | | | | | | * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6: ppp: fix segfaults introduced by netdev_priv changes net: Fix module refcount leak in kernel_accept()
| * | | | ppp: fix segfaults introduced by netdev_priv changesJames Chapman2008-12-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch fixes a segfault in ppp_shutdown_interface() and ppp_destroy_interface() when a PPP connection is closed. I bisected the problem to the following commit: commit c8019bf3aff653cceb64f66489fc299ee5957b57 Author: Wang Chen <wangchen@cn.fujitsu.com> Date: Thu Nov 20 04:24:17 2008 -0800 netdevice ppp: Convert directly reference of netdev->priv 1. Use netdev_priv(dev) to replace dev->priv. 2. Alloc netdev's private data by alloc_netdev(). Signed-off-by: Wang Chen <wangchen@cn.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net> The original ppp_generic code treated the netdev and struct ppp as independent data structures which were freed separately. In moving the ppp struct into the netdev, it is now possible for the private data to be freed before the call to ppp_shutdown_interface(), which is bad. The kfree(ppp) in ppp_destroy_interface() is also wrong; presumably ppp hasn't worked since the above commit. The following patch fixes both problems. Signed-off-by: James Chapman <jchapman@katalix.com> Reviewed-by: Wang Chen <wangchen@cn.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
| * | | | net: Fix module refcount leak in kernel_accept()Wei Yongjun2008-12-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The kernel_accept() does not hold the module refcount of newsock->ops->owner, so we need __module_get(newsock->ops->owner) code after call kernel_accept() by hand. In sunrpc, the module refcount is missing to hold. So this cause kernel panic. Used following script to reproduct: while [ 1 ]; do mount -t nfs4 192.168.0.19:/ /mnt touch /mnt/file umount /mnt lsmod | grep ipv6 done This patch fixed the problem by add __module_get(newsock->ops->owner) to kernel_accept(). So we do not need to used __module_get(newsock->ops->owner) in every place when used kernel_accept(). Signed-off-by: Wei Yongjun <yjwei@cn.fujitsu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | | | | Null pointer deref with hrtimer_try_to_cancel()Thomas Gleixner2008-12-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Impact: Prevent kernel crash with posix timer clockid CLOCK_MONOTONIC_RAW commit 2d42244ae71d6c7b0884b5664cf2eda30fb2ae68 (clocksource: introduce CLOCK_MONOTONIC_RAW) introduced a new clockid, which is only available to read out the raw not NTP adjusted system time. The above commit did not prevent that a posix timer can be created with that clockid. The timer_create() syscall succeeds and initializes the timer to a non existing hrtimer base. When the timer is deleted either by timer_delete() or by the exit() cleanup the kernel crashes. Prevent the creation of timers for CLOCK_MONOTONIC_RAW by setting the posix clock function to no_timer_create which returns an error code. Reported-and-tested-by: Eric Sesterhenn <snakebyte@gmx.de> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: Oleg Nesterov <oleg@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
* | | | | Merge branch 'for-linus' of ↵Linus Torvalds2008-12-20
|\ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/ericvh/v9fs * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ericvh/v9fs: fs/9p: change simple_strtol to simple_strtoul 9p: convert d_iname references to d_name.name 9p: Remove potentially bad parameter from function entry debug print.
| * | | | | fs/9p: change simple_strtol to simple_strtoulJulia Lawall2008-12-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Since v9ses->uid is unsigned, it would seem better to use simple_strtoul that simple_strtol. A simplified version of the semantic patch that makes this change is as follows: (http://www.emn.fr/x-info/coccinelle/) // <smpl> @r2@ long e; position p; @@ e = simple_strtol@p(...) @@ position p != r2.p; type T; T e; @@ e = - simple_strtol@p + simple_strtoul (...) // </smpl> Signed-off-by: Julia Lawall <julia@diku.dk> Acked-by: Eric Van Hensbergen <ericvh@gmail.com>
| * | | | | 9p: convert d_iname references to d_name.nameWu Fengguang2008-12-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | d_iname is rubbish for long file names. Use d_name.name in printks instead. Signed-off-by: Wu Fengguang <wfg@linux.intel.com> Acked-by: Eric Van Hensbergen <ericvh@gmail.com>
| * | | | | 9p: Remove potentially bad parameter from function entry debug print.Duane Griffin2008-12-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Signed-off-by: Duane Griffin <duaneg@dghda.com> Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
* | | | | | Merge branch 'x86-fixes-for-linus' of ↵Linus Torvalds2008-12-20
|\ \ \ \ \ \ | |/ / / / / |/| | | / / | | |_|/ / | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip * 'x86-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/linux-2.6-tip: x86: fix resume (S2R) broken by Intel microcode module, on A110L x86 gart: don't complain if no AMD GART found AMD IOMMU: panic if completion wait loop fails AMD IOMMU: set cmd buffer pointers to zero manually x86: re-enable MCE on secondary CPUS after suspend/resume AMD IOMMU: allocate rlookup_table with __GFP_ZERO
| * | | | x86: fix resume (S2R) broken by Intel microcode module, on A110LDmitry Adamushko2008-12-20
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Impact: fix deadlock This is in response to the following bug report: Bug-Entry : http://bugzilla.kernel.org/show_bug.cgi?id=12100 Subject : resume (S2R) broken by Intel microcode module, on A110L Submitter : Andreas Mohr <andi@lisas.de> Date : 2008-11-25 08:48 (19 days old) Handled-By : Dmitry Adamushko <dmitry.adamushko@gmail.com> [ The deadlock scenario has been discovered by Andreas Mohr ] I think I might have a logical explanation why the system: (http://bugzilla.kernel.org/show_bug.cgi?id=12100) might hang upon resuming, OTOH it should have likely hanged each and every time. (1) possible deadlock in microcode_resume_cpu() if either 'if' section is taken; (2) now, I don't see it in spec. and can't experimentally verify it (newer ucodes don't seem to be available for my Core2duo)... but logically-wise, I'd think that when read upon resuming, the 'microcode revision' (MSR 0x8B) should be back to its original one (we need to reload ucode anyway so it doesn't seem logical if a cpu doesn't drop the version)... if so, the comparison with memcmp() for the full 'struct cpu_signature' is wrong... and that's how one of the aforementioned 'if' sections might have been triggered - leading to a deadlock. Obviously, in my tests I simulated loading/resuming with the ucode of the same version (just to see that the file is loaded/re-loaded upon resuming) so this issue has never popped up. I'd appreciate if someone with an appropriate system might give a try to the 2nd patch (titled "fix a comparison && deadlock..."). In any case, the deadlock situation is a must-have fix. Reported-by: Andreas Mohr <andi@lisas.de> Signed-off-by: Dmitry Adamushko <dmitry.adamushko@gmail.com> Tested-by: Andreas Mohr <andi@lisas.de> Signed-off-by: Ingo Molnar <mingo@elte.hu> Cc: <stable@kernel.org> Signed-off-by: Ingo Molnar <mingo@elte.hu>
| * | | | Merge branch 'iommu-fixes-2.6.28' of ↵Ingo Molnar2008-12-18
| |\ \ \ \ | | | | | | | | | | | | | | | | | | git://git.kernel.org/pub/scm/linux/kernel/git/joro/linux-2.6-iommu into x86/urgent
| | * | | | AMD IOMMU: panic if completion wait loop failsJoerg Roedel2008-12-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Impact: prevents data corruption after a failed completion wait loop Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
| | * | | | AMD IOMMU: set cmd buffer pointers to zero manuallyJoerg Roedel2008-12-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Impact: set cmd buffer head and tail pointers to zero in case nobody else did Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
| * | | | | x86 gart: don't complain if no AMD GART foundBjorn Helgaas2008-12-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Impact: remove annoying bootup printk It's perfectly normal for no AMD GART to be present, e.g., if you have Intel CPUs. None of the other iommu_init() functions makes noise when it finds nothing. Signed-off-by: Bjorn Helgaas <bjorn.helgaas@hp.com> Acked-by: Joerg Roedel <joerg.roedel@amd.com> Signed-off-by: Ingo Molnar <mingo@elte.hu>
| * | | | | x86: re-enable MCE on secondary CPUS after suspend/resumeAndi Kleen2008-12-16
| |/ / / / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Impact: fix disabled MCE after resume Don't prevent multiple initialization of MCEs. Back from early prehistory mcheck_init() has a reentry check. Presumably that was needed in very old kernels to prevent it entering twice. But as Andreas points out this prevents CPU hotplug (and therefore resume) to correctly reinitialize MCEs when a AP boots again after being offlined. Just drop the check. Reported-by: Andreas Herrmann <andreas.herrmann3@amd.com> Signed-off-by: Andi Kleen <ak@linux.intel.com> Tested-by: Andreas Herrmann <andreas.herrmann3@amd.com> Signed-off-by: Ingo Molnar <mingo@elte.hu>
| * | | | AMD IOMMU: allocate rlookup_table with __GFP_ZEROJoerg Roedel2008-12-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Impact: fix bug which can lead to panic in prealloc_protection_domains() Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
* | | | | Merge git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6Linus Torvalds2008-12-19
|\ \ \ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi-rc-fixes-2.6: [SCSI] mpt fusion: clear list of outstanding commands on host reset [SCSI] scsi_lib: only call scsi_unprep_request() under queue lock [SCSI] ibmvstgt: move crq_queue_create to the end of initialization [SCSI] libiscsi REGRESSION: fix passthrough support with older iscsi tools [SCSI] aacraid: disable Dell Percraid quirk on Adaptec 2200S and 2120S
| * | | | | [SCSI] mpt fusion: clear list of outstanding commands on host resetJames Bottomley2008-12-16
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A bug in the fusion driver was exposed by the switch to block timeout. Basically, drivers are supposed to terminate commands once error handling begins on them. The fusion apparently wasn't doing this. Under the old timeout regime, completions on terminated commands would by and large get ignored because of the way command timeouts used to work. The new block timers are very intolerant to this, though, becuase the request gets cleaned and freed. Fixes: http://bugzilla.kernel.org/show_bug.cgi?id=12195 Reported-by: Alex Shi <alex.shi@intel.com> Tested-by: Ming Lin <ming.m.lin@intel.com> Cc: Eric Moore <Eric.Moore@lsi.com> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>