aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2006-08-22elv_unregister: fix possible crash on module unloadOleg Nesterov
An exiting task or process which didn't do I/O yet have no io context, elv_unregister() should check it is not NULL. Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru> Acked-by: Jens Axboe <axboe@suse.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-08-22Fix possible UDF deadlock and memory corruption (CVE-2006-4145)Jan Kara
UDF code is not really ready to handle extents larger that 1GB. This is the easy way to forbid creating those. Also truncation code did not count with the case when there are no extents in the file and we are extending the file. Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-08-22Fix sctp privilege elevation (CVE-2006-3745)Sridhar Samudrala
sctp_make_abort_user() now takes the msg_len along with the msg so that we don't have to recalculate the bytes in iovec. It also uses memcpy_fromiovec() so that we don't go beyond the length allocated. It is good to have this fix even if verify_iovec() is fixed to return error on overflow. Signed-off-by: Sridhar Samudrala <sri@us.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2006-08-21Merge gregkh@master.kernel.org:/home/rmk/linux-2.6-armGreg Kroah-Hartman
2006-08-21Merge branch 'for-linus' of git://brick.kernel.dk/data/git/linux-2.6-blockGreg Kroah-Hartman
2006-08-21[PATCH] cfq_cic_link: fix usage of wrong cfq_io_contextOleg Nesterov
Obviously, cfq_cic_link() shouldn't free a just allocated cfq_io_context? The dead key is from __cic, so drop that. Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru> Signed-off-by: Jens Axboe <axboe@suse.de>
2006-08-21[PATCH] uninline ioprio_best()Oleg Nesterov
Saves 376 bytes (5 callers) for me. Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru> Signed-off-by: Jens Axboe <axboe@suse.de>
2006-08-21[PATCH] Fix current_io_context() vs set_task_ioprio() raceOleg Nesterov
I know nothing about io scheduler, but I suspect set_task_ioprio() is not safe. current_io_context() initializes "struct io_context", then sets ->io_context. set_task_ioprio() running on another cpu may see the changes out of order, so ->set_ioprio(ioc) may use io_context which was not initialized properly. Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru> Signed-off-by: Jens Axboe <axboe@suse.de>
2006-08-21[PATCH] sys_ioprio_set: minor do_each_thread+break fixOleg Nesterov
From include/linux/sched.h: * Careful: do_each_thread/while_each_thread is a double loop so * 'break' will not work as expected - use goto instead. */ Signed-off-by: Oleg Nesterov <oleg@tv-sign.ru> Signed-off-by: Jens Axboe <axboe@suse.de>
2006-08-20Merge trivial low-risk suspend hotkey bugzilla-5918 into releaseLen Brown
2006-08-18Merge gregkh@master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6Greg Kroah-Hartman
2006-08-18ACPI: relax BAD_MADT_ENTRY check to allow LSAPIC variable length string UIDsStarikovskiy, Alexey Y
ACPI 3.0 appended a variable length UID string to the LAPIC structure as part of support for > 256 processors. So the BAD_MADT_ENTRY() sanity check can no longer compare for equality with a fixed structure length. Signed-off-by: Alexey Y Starikovskiy <alexey.y.starikovskiy@intel.com> Signed-off-by: Len Brown <len.brown@intel.com>
2006-08-18[ARM] 3746/2: Userspace helpers must be Thumb mode interworkableNicolas Pitre
Patch from Nicolas Pitre The userspace helpers in clean/arch/arm/kernel/entry-armv.S are called directly in/from userspace. They need to cope with being called from Thumb code. Patch below uses the bx interworking instruction when CONFIG_ARM_THUMB=y. Based on an earlier patch from Paul Brook <paul@codesourcery.com> Signed-off-by: Nicolas Pitre <nico@cam.org> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2006-08-18Merge branch 'merge' of ↵Greg Kroah-Hartman
git://git.kernel.org/pub/scm/linux/kernel/git/paulus/powerpc
2006-08-18[ARM] 3757/1: Use PROCINFO_INITFUNC in head.SCatalin Marinas
Patch from Catalin Marinas This is instead of a magic number. Signed-off-by: Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2006-08-18[ARM] 3756/1: Assign value for HWCAP_IWMMXTPaul Gortmaker
Patch from Paul Gortmaker Some folks here at Wind River asked me if I'd push this out so that the value was generally agreed upon in advance by all folks interested in working with iWMMXt. Seems simple enough... Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2006-08-18[ARM] 3755/1: dmabounce: fix return value for find_safe_bufferKevin Hilman
Patch from Kevin Hilman Previous locking changes to dmabounce incorrectly return non-NULL even when buffer not found. Fix it up. Signed-off-by: Kevin Hilman <khilman@mvista.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2006-08-18[ARM] 3754/1: S3C24XX: tidy arch/arm/mach-s3c2410/MakefileBen Dooks
Patch from Ben Dooks tidy up the makefile by using TABs to indent, and ensure that all items are indented the same. Move the DMA to its own section, ready for the next set of updates Signed-off-by: Ben Dooks <ben-linux@fluff.org> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2006-08-18[ARM] 3753/1: S3C24XX: DMA fixesBen Dooks
Patch from Ben Dooks A number of small issues with the S3C24XX DMA have cropped up, which this patch fixes. These are: - check wether we can load another buff in start - update state handling in s3c2410_dma_lastxfer - only reload in irq if channel is not idle - more informative timeout errors (add source) - do not call request_irq() with irqs locked - added waitforstop function The patch also adds a S3C2410_DMAOP_STARTED for the occasions when the driver wants to ensure that the DMA system load state is resynced after loading. Signed-off-by: Ben Dooks <ben-linux@fluff.org> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
2006-08-17[BRIDGE]: Disable SG/GSO if TX checksum is offHerbert Xu
When the bridge recomputes features, it does not maintain the constraint that SG/GSO must be off if TX checksum is off. This patch adds that constraint. On a completely unrelated note, I've also added TSO6 and TSO_ECN feature bits if GSO is enabled on the underlying device through the new NETIF_F_GSO_SOFTWARE macro. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-08-17[NETFILTER]: ip_tables: fix table locking in ipt_do_tablePatrick McHardy
table->private might change because of ruleset changes, don't use it without holding the lock. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-08-17[NETFILTER]: ctnetlink: fix deadlock in table dumpingPatrick McHardy
ip_conntrack_put must not be called while holding ip_conntrack_lock since destroy_conntrack takes it again. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-08-18[POWERPC] Fix the mpc8641_hpcn.dts file.Jon Loeliger
Add 'linux,phandle' entry to i8259@4d0 node. Signed-off-by: Zhang Wei <wei.zhang@freescale.com> Signed-off-by: Jon Loeliger <jdl@freescale.com> Signed-off-by: Paul Mackerras <paulus@samba.org>
2006-08-18[POWERPC] Offer PCI as a CONFIG choice for PPC_86xx.Jon Loeliger
Also fix 80-column run-over. Signed-off-by: Jon Loeliger <jdl@freescale.com> Signed-off-by: Paul Mackerras <paulus@samba.org>
2006-08-18[POWERPC] Add MPC8641 HPCN Device Tree Source file.Jon Loeliger
As per list discussion, let's add device tree source files under powerpc/boot/dts. If nothing else, it is a starting point. Signed-off-by: Jon Loeliger <jdl@freescale.com> Signed-off-by: Paul Mackerras <paulus@samba.org>
2006-08-18[POWERPC] Convert to mac-address for ethernet MAC address data.Jon Loeliger
Also accept "local-mac-address". However the old "address" is now obsolete, but accepted for backwards compatibility. It should be removed after all device trees have been converted to use "mac-address". Signed-off-by: Jon Loeliger <jdl@freescale.com> Signed-off-by: Paul Mackerras <paulus@samba.org>
2006-08-17[IPV4]: severe locking bug in fib_semantics.cAlexey Kuznetsov
Found in 2.4 by Yixin Pan <yxpan@hotmail.com>. > When I read fib_semantics.c of Linux-2.4.32, write_lock(&fib_info_lock) = > is used in fib_release_info() instead of write_lock_bh(&fib_info_lock). = > Is the following case possible: a BH interrupts fib_release_info() while = > holding the write lock, and calls ip_check_fib_default() which calls = > read_lock(&fib_info_lock), and spin forever. Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-08-17[MCAST]: Fix filter leak on device removal.David L Stevens
This fixes source filter leakage when a device is removed and a process leaves the group thereafter. This also includes corresponding fixes for IPv6 multicast source filters on device removal. Signed-off-by: David L Stevens <dlstevens@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-08-17[NET]: Disallow whitespace in network device names.David S. Miller
It causes way too much trouble and confusion in userspace. Signed-off-by: David S. Miller <davem@davemloft.net>
2006-08-17[PPP]: handle kmalloc failures and convert to using kzallocPanagiotis Issaris
The PPP code contains two kmalloc()s followed by memset()s without handling a possible memory allocation failure. (Suggested by Joe Perches). And furthermore, conversions from kmalloc+memset to kzalloc. [akpm@osdl.org: fix error-path leak] [akpm@osdl.org: cleanups] [paulus@samba.org: don't add useless printk and cardmap_destroy calls] Signed-off-by: Panagiotis Issaris <takis@issaris.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Paul Mackerras <paulus@samba.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-08-17[PKT_SCHED] cls_u32: Fix typo.Ralf Hildebrandt
Signed-off-by: Ralf Hildebrandt <Ralf.Hildebrandt@charite.de> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-08-17[ATM]: Compile error on ARMKevin Hilman
atm_proc_exit() is declared as __exit, and thus in .exit.text. On some architectures (ARM) .exit.text is discarded at compile time, and since atm_proc_exit() is called by some other __init functions, it results in a link error. Signed-off-by: Kevin Hilman <khilman@mvista.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-08-17[BNX2]: Convert to netdev_alloc_skb()Michael Chan
Convert dev_alloc_skb() to netdev_alloc_skb() and increase default rx ring size to 255. The old ring size of 100 was too small. Update version to 1.4.44. Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-08-17[BNX2]: Fix tx race condition.Michael Chan
Fix a subtle race condition between bnx2_start_xmit() and bnx2_tx_int() similar to the one in tg3 discovered by Herbert Xu: CPU0 CPU1 bnx2_start_xmit() if (tx_ring_full) { tx_lock bnx2_tx() if (!netif_queue_stopped) netif_stop_queue() if (!tx_ring_full) update_tx_ring netif_wake_queue() tx_unlock } Even though tx_ring is updated before the if statement in bnx2_tx_int() in program order, it can be re-ordered by the CPU as shown above. This scenario can cause the tx queue to be stopped forever if bnx2_tx_int() has just freed up the entire tx_ring. The possibility of this happening should be very rare though. The following changes are made, very much identical to the tg3 fix: 1. Add memory barrier to fix the above race condition. 2. Eliminate the private tx_lock altogether and rely solely on netif_tx_lock. This eliminates one spinlock in bnx2_start_xmit() when the ring is full. 3. Because of 2, use netif_tx_lock in bnx2_tx_int() before calling netif_wake_queue(). 4. Add memory barrier to bnx2_tx_avail(). 5. Add bp->tx_wake_thresh which is set to half the tx ring size. 6. Check for the full wake queue condition before getting netif_tx_lock in tg3_tx(). This reduces the number of unnecessary spinlocks when the tx ring is full in a steady-state condition. Signed-off-by: Michael Chan <mchan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-08-17[NET]: Terminology in ip-sysctl.txtJan "Yenya" Kasprzak
this minor patch fixes the description of net.ipv4.tcp_mem sysctl in ip-sysctl.txt - the headline names the values "min, pressure, max", while the description uses the "low, pressure, high" values. Both tcp_rmem and tcp_wmem descriptions use the "min, pressure, max" values, so I have changed the tcp_mem to match this and not vice versa. Signed-off-by: Jan "Yenya" Kasprzak <kas@fi.muni.cz> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-08-17[IPV4]: Possible leak of multicast source filter sctructureMichal Ruzicka
There is a leak of a socket's multicast source filter list structure on closing a socket with a multicast source filter set on an interface that does not exist any more. Signed-off-by: Michal Ruzicka <michal.ruzicka@comstar.cz> Acked-by: David L Stevens <dlstevens@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-08-17[IPV6] lockdep: annotate __icmpv6_socketIngo Molnar
Split off __icmpv6_socket's sk->sk_dst_lock class, because it gets used from softirqs, which is safe for __icmpv6_sockets (because they never get directly used via userspace syscalls), but unsafe for normal sockets. Has no effect on non-lockdep kernels. Signed-off-by: Ingo Molnar <mingo@elte.hu> Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-08-17[NETFILTER]: xt_physdev build fixAndrew Morton
It needs netfilter_bridge.h for brnf_deferred_hooks Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-08-17[NET]: Fix potential stack overflow in net/core/utils.cSuresh Siddha
On High end systems (1024 or so cpus) this can potentially cause stack overflow. Fix the stack usage. Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: David S. Miller <davem@davemloft.net>
2006-08-17[VLAN]: Make sure bonding packet drop checks get done in hwaccel RX path.David S. Miller
Since __vlan_hwaccel_rx() is essentially bypassing the netif_receive_skb() call that would have occurred if we did the VLAN decapsulation in software, we are missing the skb_bond() call and the assosciated checks it does. Export those checks via an inline function, skb_bond_should_drop(), and use this in __vlan_hwaccel_rx(). Signed-off-by: David S. Miller <davem@davemloft.net>
2006-08-18[POWERPC] powerpc: Clear HID0 attention enable on PPC970 at boot timeOlof Johansson
Clear HID0[en_attn] at CPU init time on PPC970. Closes CVE-2006-4093. Signed-off-by: Olof Johansson <olof@lixom.net> Signed-off-by: Paul Mackerras <paulus@samba.org>
2006-08-17[POWERPC] Fix irq radix tree remapping typoBenjamin Herrenschmidt
The code for using the radix tree for reverse mapping of interrupts has a typo that causes it to create incorrect mappings if the software and hardware numbers happen to be different. This would, among others, cause the IDE interrupt to fail on js20's. This fixes it. Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: Paul Mackerras <paulus@samba.org>
2006-08-17[POWERPC] kprobes: Fix possible system crash during out-of-line single-steppingAnanth N Mavinakayanahalli
- On archs that have no-exec support, we vmalloc() a executable scratch area of PAGE_SIZE and divide it up into an array of slots of maximum instruction size for that arch - On a kprobe registration, the original instruction is copied to the first available free slot, so if multiple kprobes are registered, chances are, they get contiguous slots - On POWER4, due to not having coherent icaches, we could hit a situation where a probe that is registered on one processor, is hit immediately on another. This second processor could have fetched the stream of text from the out-of-line single-stepping area *before* the probe registration completed, possibly due to an earlier (and a different) kprobe hit and hence would see stale data at the slot. Executing such an arbitrary instruction lead to a problem as reported in LTC bugzilla 23555. The correct solution is to call flush_icache_range() as soon as the instruction is copied for out-of-line single-stepping, so the correct instruction is seen on all processors. Thanks to Will Schmidt who tracked this down. Signed-off-by: Ananth N Mavinakayanahalli <ananth@in.ibm.com> Acked-by: Will Schmidt <will_schmidt@vnet.ibm.com> Signed-off-by: Paul Mackerras <paulus@samba.org>
2006-08-17[POWERPC] Make crash.c work on 32-bit and 64-bitMichael Ellerman
To compile kexec on 32-bit we need a few more bits and pieces. Rather than add empty definitions, we can make crash.c work on 32-bit, with only a couple of kludges. Signed-off-by: Michael Ellerman <michael@ellerman.id.au> Signed-off-by: Paul Mackerras <paulus@samba.org>
2006-08-17[POWERPC] Move some kexec logic into machine_kexec.cMichael Ellerman
We're missing a few functions for kexec to compile on 32-bit. There's nothing really 64-bit specific about the 64-bit versions, so make them generic rather than adding empty definitions for 32-bit. Signed-off-by: Michael Ellerman <michael@ellerman.id.au> Signed-off-by: Paul Mackerras <paulus@samba.org>
2006-08-17[POWERPC] update {g5,iseries,pseries}_defconfigsWill Schmidt
Updating the defconfigs for iseries, pseries, and G5. Sticking with the defaults, with the following exceptions: I've turned off HW_RANDOM for all three configs. For G5, I've enabled SND_AOA and friends as modules; this includes the FABRIC_LAYOUT, ONYX, TAS, TOONIE and SOUNDBUS* config options. Signed-off-by: Will Schmidt <will_schmidt@vnet.ibm.com> Signed-off-by: Paul Mackerras <paulus@samba.org>
2006-08-17[POWERPC] Make secondary CPUs call into kdump on reset exceptionDavid Wilder
In the case of a system hang, the user will invoke soft-reset to initiate the kdump boot. If xmon is enabled, the CPU(s) enter into the xmon debugger. Unfortunately, the secondary CPU(s) will return to the hung state when they exit from the debugger (returned from die() -> system_reset_exception()). This causes a problem in kdump since the hung CPU(s) will not respond to the IPI sent from kdump. This patch fixes the issue by calling crash_kexec_secondary() directly from system_reset_exception() without returning to the previous state. These secondary CPUs wait 5ms until the kdump boot is started by the primary CPU. In the case we exited from the debugger to "recover" (command 'x' in xmon) the primary and the secondary CPUs will all return from die() -> system_reset_exception() ->crash_kexec_secondary() wait 5ms, then return to the previous state. A kdump boot is not started in this case. Signed-off-by: Haren Myneni <haren@us.ibm.com> Signed-off-by: David Wilder <dwilder@us.ibm.com> Signed-off-by: Paul Mackerras <paulus@samba.org>
2006-08-16ACPI: avoid irqrouter_resume might_sleep oops on resume from S4Len Brown
__might_sleep+0x8e/0x93 acpi_os_wait_semaphore+0x50/0xa3 acpi_ut_acquire_mutex+0x28/0x6a acpi_ns_get_node+0x46/0x88 acpi_ns_evaluate+0x2d/0xfc acpi_rs_set_srs_method_data+0xc5/0xe1 acpi_set_current_resources+0x31/0x3f acpi_pci_link_set+0xfc/0x1a5 irqrouter_resume+0x48/0x5f and __might_sleep+0x8e/0x93 kmem_cache_alloc+0x2a/0x8f acpi_evaluate_integer+0x32/0x96 acpi_bus_get_status+0x30/0x84 acpi_pci_link_set+0x12a/0x1a5 irqrouter_resume+0x48/0x5f http://bugzilla.kernel.org/show_bug.cgi?id=6810 Signed-off-by: Len Brown <len.brown@intel.com>
2006-08-16ACPI: hotkey.c fixes, fix for potential crash of hotkey.cHandle X
While going through the code, I found out some memory leaks and potential crashes in drivers/acpi/hotkey.c Please find the patch to fix them. This patch does the following, 1. Fixes memory leaks in error paths of hotkey_write_config 2. Fixes freeing unallocated pointers in the error paths of hotkey_write_config 3. Uses a loop instead of linear searching for parsing the userspace input in get_params 4. Uses array of char * instead of passing 4 pointer parameters explicitly into the init_{poll_}hotkey_* static functions Signed-off-by: Andrew Morton <akpm@osdl.org> Acked-by: Luming Yu <luming.yu@intel.com> Signed-off-by: Len Brown <len.brown@intel.com>
2006-08-16ACPI: Handle BIOS that resumes from S3 to suspend routine rather than resume ↵William Morrrow
vector A BIOS has been found that resumes from S3 to the routine that invoked suspend, ignoring the resume vector. This appears to the OS as a failed S3 attempt. This same system suspend/resume's properly with Windows. It is possible to invoke the protected mode register restore routine (which would normally restore the sysenter registers) when the BIOS returns from S3. This has no effect on a correctly running system and repairs the damage from the deviant BIOS. Signed-off-by: William Morrow <william.morrow@amd.com> Signed-off-by: Jordan Crouse <jordan.crouse@amd.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Len Brown <len.brown@intel.com>