aboutsummaryrefslogtreecommitdiff
path: root/drivers
AgeCommit message (Collapse)Author
2010-01-21Merge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging-2.6Linus Torvalds
* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging-2.6: Staging: hv: fix smp problems in the hyperv core code Staging: et131x: Fix 2.6.33rc1 regression in et131x Staging: asus_oled: fix oops in 2.6.32.2
2010-01-21Merge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core-2.6Linus Torvalds
* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core-2.6: Revert "sysdev: fix prototype for memory_sysdev_class show/store functions" driver-core: fix devtmpfs crash on s390
2010-01-21Merge git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6Linus Torvalds
* git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb-2.6: USB: isp1362: fix build failure on ARM systems via irq_flags cleanup USB: isp1362: better 64bit printf warning fixes USB: fix usbstorage for 2770:915d delivers no FAT USB: Fix level of isp1760 Reloading ptd error message USB: FHCI: avoid NULL pointer dereference USB: Fix duplicate sysfs problem after device reset. USB: add speed values for USB 3.0 and wireless controllers USB: add missing delay during remote wakeup USB: EHCI & UHCI: fix race between root-hub suspend and port resume USB: EHCI: fix handling of unusual interrupt intervals USB: Don't use GFP_KERNEL while we cannot reset a storage device USB: fix bitmask merge error usb: serial: fix memory leak in generic driver USB: serial: fix USB serial fix kfifo_len locking
2010-01-21Merge branch 'for-linus' of git://git.kernel.dk/linux-2.6-blockLinus Torvalds
* 'for-linus' of git://git.kernel.dk/linux-2.6-block: fs/bio.c: fix shadows sparse warning drbd: The kernel code is now equivalent to out of tree release 8.3.7 drbd: Allow online resizing of DRBD devices while peer not reachable (needs to be explicitly forced) drbd: Don't go into StandAlone mode when authentification failes because of network error drivers/block/drbd/drbd_receiver.c: correct NULL test cfq-iosched: Respect ioprio_class when preempting genhd: overlapping variable definition block: removed unused as_io_context DM: Fix device mapper topology stacking block: bdev_stack_limits wrapper block: Fix discard alignment calculation and printing block: Correct handling of bottom device misaligment drbd: check on CONFIG_LBDAF, not LBD drivers/block/drbd: Correct NULL test drbd: Silenced an assert that could triggered after changing write ordering method drbd: Kconfig fix drbd: Fix for a race between IO and a detach operation [Bugz 262] drbd: Use drbd_crypto_is_hash() instead of an open coded check
2010-01-20e1000e: enhance frame fragment detectionJesse Brandeburg
Originally patched by Neil Horman <nhorman@tuxdriver.com> e1000e could with a jumbo frame enabled interface, and packet split disabled, receive a packet that would overflow a single rx buffer. While in practice very hard to craft a packet that could abuse this, it is possible. this is related to CVE-2009-4538 Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com> CC: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-01-20e1000: enhance frame fragment detectionJesse Brandeburg
Originally From: Neil Horman <nhorman@tuxdriver.com> Modified by: Jesse Brandeburg <jesse.brandeburg@intel.com> Hey all- A security discussion was recently given: http://events.ccc.de/congress/2009/Fahrplan//events/3596.en.html And a patch that I submitted awhile back was brought up. Apparently some of their testing revealed that they were able to force a buffer fragment in e1000 in which the trailing fragment was greater than 4 bytes. As a result the fragment check I introduced failed to detect the fragement and a partial invalid frame was passed up into the network stack. I've written this patch to correct it. I'm in the process of testing it now, but it makes good logical sense to me. Effectively it maintains a per-adapter state variable which detects a non-EOP frame, and discards it and subsequent non-EOP frames leading up to _and_ _including_ the next positive-EOP frame (as it is by definition the last fragment). This should prevent any and all partial frames from entering the network stack from e1000. Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-01-20e1000/e1000e/igb/igbvf/ixgb/ixgbe: Fix tests of unsigned in *_tx_map()Roel Kluin
The variable count and i are unsigned so the (<|>=)0 tests do not work. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net>
2010-01-20USB: isp1362: fix build failure on ARM systems via irq_flags cleanupLothar Wassmann
There was some left over #ifdef ARM logic that is outdated but no one really noticed. So instead of relying on this tricky logic, properly load and utilize the platform irq_flags resources. Reported-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: Lothar Wassmann <LW@KARO-electronics.de> Signed-off-by: Mike Frysinger <vapier@gentoo.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20USB: isp1362: better 64bit printf warning fixesLothar Wassmann
Some hosts that treat the return value of sizeof differently from unsigned long might still hit warnings. So use %zu for sizeof() values. This is a better version of the previous commit b0a9cf297e58721933. Signed-off-by: Lothar Wassmann <LW@KARO-electronics.de> Signed-off-by: Mike Frysinger <vapier@gentoo.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20USB: fix usbstorage for 2770:915d delivers no FATRyan May
Resolves kernel.org bug 14914. Remove entry for 2770:915d (usb digital camera with mass storage support) from unusual_devs.h. The fix triggered by the entry causes the file system on the camera to be completely inaccessible (no partition table, the device is not mountable). The patch works, but let me clarify a few things about it. All the patch does is remove the entry for this device from the drivers/usb/storage/unusual_devs.h, which is supposed to help with a problem with the device's reported size (I think). I'm pretty sure it was originally added for a reason, so I'm not sure removing it won't cause other problems to reappear. Also, I should note that this unusual_devs.h entry was present (and activating workarounds) in 2.6.29, but in that version everything works fine. Starting with 2.6.30, things no longer work. Signed-off-by: Ryan May <rmay31@gmail.com> Cc: Rohan Hart <rohan.hart17@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20USB: Fix level of isp1760 Reloading ptd error messageColin Tuckley
This error message is not actually an error, it's an information message. It is triggered when a transfer which ended in a NAQ is retried successfully by the hardware. Signed-off-by: Colin Tuckley <colin.tuckley@arm.com> Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Cc: Catalin Marinas <catalin.marinas@arm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20USB: FHCI: avoid NULL pointer dereferenceAlexander Beregalov
Assign fhci only if usb is not NULL. Signed-off-by: Alexander Beregalov <a.beregalov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20USB: Fix duplicate sysfs problem after device reset.Sarah Sharp
Borislav Petkov reports issues with duplicate sysfs endpoint files after a resume from a hibernate. It turns out that the code to support alternate settings under xHCI has issues when a device with a non-default alternate setting is reset during the hibernate: [ 427.681810] Restarting tasks ... [ 427.681995] hub 1-0:1.0: state 7 ports 6 chg 0004 evt 0000 [ 427.682019] usb usb3: usb resume [ 427.682030] ohci_hcd 0000:00:12.0: wakeup root hub [ 427.682191] hub 1-0:1.0: port 2, status 0501, change 0000, 480 Mb/s [ 427.682205] usb 1-2: usb wakeup-resume [ 427.682226] usb 1-2: finish reset-resume [ 427.682886] done. [ 427.734658] ehci_hcd 0000:00:12.2: port 2 high speed [ 427.734663] ehci_hcd 0000:00:12.2: GetStatus port 2 status 001005 POWER sig=se0 PE CONNECT [ 427.746682] hub 3-0:1.0: hub_reset_resume [ 427.746693] hub 3-0:1.0: trying to enable port power on non-switchable hub [ 427.786715] usb 1-2: reset high speed USB device using ehci_hcd and address 2 [ 427.839653] ehci_hcd 0000:00:12.2: port 2 high speed [ 427.839666] ehci_hcd 0000:00:12.2: GetStatus port 2 status 001005 POWER sig=se0 PE CONNECT [ 427.847717] ohci_hcd 0000:00:12.0: GetStatus roothub.portstatus [1] = 0x00010100 CSC PPS [ 427.915497] hub 1-2:1.0: remove_intf_ep_devs: if: ffff88022f9e8800 ->ep_devs_created: 1 [ 427.915774] hub 1-2:1.0: remove_intf_ep_devs: bNumEndpoints: 1 [ 427.915934] hub 1-2:1.0: if: ffff88022f9e8800: endpoint devs removed. [ 427.916158] hub 1-2:1.0: create_intf_ep_devs: if: ffff88022f9e8800 ->ep_devs_created: 0, ->unregistering: 0 [ 427.916434] hub 1-2:1.0: create_intf_ep_devs: bNumEndpoints: 1 [ 427.916609] ep_81: create, parent hub [ 427.916632] ------------[ cut here ]------------ [ 427.916644] WARNING: at fs/sysfs/dir.c:477 sysfs_add_one+0x82/0x96() [ 427.916649] Hardware name: System Product Name [ 427.916653] sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:12.2/usb1/1-2/1-2:1.0/ep_81' [ 427.916658] Modules linked in: binfmt_misc kvm_amd kvm powernow_k8 cpufreq_ondemand cpufreq_powersave cpufreq_userspace freq_table cpufreq_conservative ipv6 vfat fat +8250_pnp 8250 pcspkr ohci_hcd serial_core k10temp edac_core [ 427.916694] Pid: 278, comm: khubd Not tainted 2.6.33-rc2-00187-g08d869a-dirty #13 [ 427.916699] Call Trace: The problem is caused by a mismatch between the USB core's view of the device state and the USB device and xHCI host's view of the device state. After the device reset and re-configuration, the device and the xHCI host think they are using alternate setting 0 of all interfaces. However, the USB core keeps track of the old state, which may include non-zero alternate settings. It uses intf->cur_altsetting to keep the endpoint sysfs files for the old state across the reset. The bandwidth allocation functions need to know what the xHCI host thinks the current alternate settings are, so original patch set intf->cur_altsetting to the alternate setting 0. This caused duplicate endpoint files to be created. The solution is to not set intf->cur_altsetting before calling usb_set_interface() in usb_reset_and_verify_device(). Instead, we add a new flag to struct usb_interface to tell usb_hcd_alloc_bandwidth() to use alternate setting 0 as the currently installed alternate setting. Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com> Tested-by: Borislav Petkov <petkovbb@googlemail.com> Cc: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20USB: add speed values for USB 3.0 and wireless controllersGreg Kroah-Hartman
These controllers say "unknown" for their speed in sysfs, which obviously isn't correct. Reported-by: Kurt Garloff <garloff@novell.com> Cc: Sarah Sharp <sarah.a.sharp@linux.intel.com> Cc: David Vrabel <david.vrabel@csr.com> Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20USB: add missing delay during remote wakeupAlan Stern
This patch (as1330) fixes a bug in khbud's handling of remote wakeups. When a device sends a remote-wakeup request, the parent hub (or the host controller driver, for directly attached devices) begins the resume sequence and notifies khubd when the sequence finishes. At this point the port's SUSPEND feature is automatically turned off. However the device needs an additional 10-ms resume-recovery time (TRSMRCY in the USB spec). Khubd does not wait for this delay if the SUSPEND feature is off, and as a result some devices fail to behave properly following a remote wakeup. This patch adds the missing delay to the remote-wakeup path. It also extends the resume-signalling delay used by ehci-hcd and uhci-hcd from 20 ms (the value in the spec) to 25 ms (the value we use for non-remote-wakeup resumes). The extra time appears to help some devices. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Cc: stable <stable@kernel.org> Cc: Rickard Bellini <rickard.bellini@ericsson.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20USB: EHCI & UHCI: fix race between root-hub suspend and port resumeAlan Stern
This patch (as1321) fixes a problem with EHCI and UHCI root-hub suspends: If the suspend occurs while a port is trying to resume, the resume doesn't finish and simply gets lost. When remote wakeup is enabled, this is undesirable behavior. The patch checks first to see if any port resumes are in progress, and if they are then it fails the root-hub suspend with -EBUSY. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20USB: EHCI: fix handling of unusual interrupt intervalsAlan Stern
This patch (as1320) fixes two problems related to interrupt-URB scheduling in ehci-hcd. URBs with an interval of 2 or 4 microframes aren't handled. For the time being, the patch reduces to interval to 1 uframe. URBs are constrained to have an interval no larger than 1024 frames by usb_submit_urb(). But some EHCI controllers allow use of a schedule as short as 256 frames; for these controllers we may have to decrease the interval to the actual schedule length. The second problem isn't very significant since few devices expose interrupt endpoints with an interval larger than 256 frames. But the first problem is critical; it will prevent the kernel from working with devices having interrupt intervals of 2 or 4 uframes. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Cc: stable <stable@kernel.org> Tested-by: Glynn Farrow <farrowg@sg.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20USB: Don't use GFP_KERNEL while we cannot reset a storage deviceOliver Neukum
Memory allocations with GFP_KERNEL can cause IO to a storage device which can fail resulting in a need to reset the device. Therefore GFP_KERNEL cannot be safely used between usb_lock_device() and usb_unlock_device(). Replace by GFP_NOIO. Signed-off-by: Oliver Neukum <oliver@neukum.org> Cc: stable <stable@kernel.org> Cc: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20USB: fix bitmask merge errorAlan Stern
This patch adds a mask bit which was mistakenly omitted from the as1311 patch (usb-storage: add BAD_SENSE flag). Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20usb: serial: fix memory leak in generic driverJohan Hovold
Fix a regression introduced by commit 715b1dc01fe44537e8fce9566e4bb48d6821d84b ("USB: usb_debug, usb_generic_serial: implement multi urb write"). URB transfer buffer was never freed when using multi-urb writes. Currently the only driver enabling multi-urb writes is usb_debug. Signed-off-by: Johan Hovold <jhovold@gmail.com> Cc: Greg KH <greg@kroah.com> Acked-by: Jason Wessel <jason.wessel@windriver.com> Cc: stable <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20USB: serial: fix USB serial fix kfifo_len lockingStefani Seibold
This patch fix a possible race bug in drivers/usb/serial/generic with the new kfifo API. Please apply it to the 2.6.33-rc* tree. Signed-off-by: Stefani Seibold <stefani@seibold.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20Staging: hv: fix smp problems in the hyperv core codeGreg Kroah-Hartman
This fixes a number of SMP problems that were in the hyperv core code. Patch originally written by K. Y. Srinivasan <ksrinivasan@novell.com> but forward ported to the latest in-kernel code and tweaked slightly by me. Novell, Inc. hereby disclaims all copyright in any derivative work copyright associated with this patch. Signed-off-by: K. Y. Srinivasan <ksrinivasan@novell.com> Cc: Hank Janssen <hjanssen@microsoft.com> Cc: Haiyang Zhang <haiyangz@microsoft.com>. Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20Staging: et131x: Fix 2.6.33rc1 regression in et131xAlan Cox
et131x: Fix 12bit wrapping From: Alan Cox <alan@linux.intel.com> The 12bit wrap logic conversion is wrong and this shows up for some memory sizes and layouts of card. Patch it up for now, once the kernel view of status is cleaned up it'll become two variables and a lot saner. Signed-off-by: Alan Cox <alan@linux.intel.com> Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20Staging: asus_oled: fix oops in 2.6.32.2Eugeni Dodonov
After updating to 2.6.32 kernel, I started experiencing Oopses caused by the asus_oled module. After quick investigation, I wrapped this simple patch which fixes an Oops in by asus_oled module on 2.6.32.2 kernel, caused by incorrect usage of strict_strtoul function call within set_enabled and set_disabled functions. This can be triggered by simple running the userspace client for asus_old (e.g., 'asusoled -e' or 'asusoled -d'). Signed-off-by: Eugeni Dodonov <eugeni@mandriva.com> Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20tty: fix race in tty_fasyncGreg Kroah-Hartman
We need to keep the lock held over the call to __f_setown() to prevent a PID race. Thanks to Al Viro for pointing out the problem, and to Travis for making us look here in the first place. Cc: Eric W. Biederman <ebiederm@xmission.com> Cc: Al Viro <viro@ZenIV.linux.org.uk> Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Tavis Ormandy <taviso@google.com> Cc: Jeff Dike <jdike@addtoit.com> Cc: Julien Tinnes <jln@google.com> Cc: Matt Mackall <mpm@selenic.com> Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20serial: serial_cs: oxsemi quirk breaks resumePavel Machek
Quirk is applied on all cards with given manfid (is it that correct?). Unfortunately, that quirk breaks resume on zaurus with billionton bluetooth card inserted: c950ctrl is 0 and outb() faults. I believe it is simply not a multiport card. (info->multi == 1). ... ... confirmed by printks. Signed-off-by: Pavel Machek <pavel@ucw.cz> Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20serial: imx: bit &/| confusionRoel Kluin
Since UCR1_UARTEN is defined 1, the port was always treated as enabled. Signed-off-by: Roel Kluin <roel.kluin@gmail.com> Cc: Alan Cox <alan@linux.intel.com> Acked-by: Oskar Schirmer <os@emlix.com> Cc: Sascha Hauer <s.hauer@pengutronix.de> Cc: Fabian Godehardt <fg@emlix.com> Cc: Daniel Glöckner <dg@emlix.com> Cc: Russell King <rmk@arm.linux.org.uk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20serial: Fix crash if the minimum rate of the device is > 9600 baudAlan Cox
In that situation if the old rate is invalid and the new rate is invalid and the chip cannot do 9600 baud we report zero, which makes all the drivers explode. Instead force the rate based on min/max Signed-off-by: Alan Cox <alan@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20serial-core: resume serial hardware with no_console_suspendStanislav Brabec
Perform a tricky suspend/resume even with no_console_suspend. With no_console_suspend, kernel skips serial port suspend/resume and the serial hardware may remain in undefined state after resume. It actually happens on devices that don't have BIOS that handle serial initialization. It makes impossible to use serial console after resume. Devices affected by this problem include: Sharp Zaurus devices Several PXA based ARM embedded boards The patch does: - Save the hardware state - Perform buffer flush in time of its suspend call - Tell the driver that port is suspended - But still accept new data - And keep console hardware in state that allows to send them It allows to capture late console messages without breaking console after resume. This is just a resend of a patch discussed in these threads, as the patch was not yet applied. "Possible suspend/resume regression in .32-rc?" (Nov 1-5, 2009, ARM list, later LKML) "serial-core: resume serial hardware with no_console_suspend" (Sep 15-Oct 18, 2009, LKML & ARM lists) Signed-off-by: Stanislav Brabec <sbrabec@suse.cz> Tested-by: Haojian Zhuang <haojian.zhuang@gmail.com> Tested-by: Daniel Mack <daniel@caiaq.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20serial: 8250_pnp: use wildcard for serial Wacom tabletsMatthew Garrett
Wacom claims that the WACF namespace will always be devoted to serial Wacom tablets. Remove the existing entries and add a wildcard to avoid having to update the kernel every time they add a new device. Signed-off-by: Ping Cheng <pingc@wacom.com> Signed-off-by: Matthew Garrett <mjg@redhat.com> Tested-by: Ping Cheng <pingc@wacom.com> Cc: Alan Cox <alan@lxorguk.ukuu.org.uk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20nozomi: quick fix for the close/close bugAlan Cox
Nozomi goes wrong if you get the sequence open open close [stuff] close which turns out to occur on some ppp type setups. This is a quick patch up for the problem. It's not really fixing Nozomi which completely fails to implement tty open/close semantics and all the other needed stuff. Doing it right is a rather more invasive patch set and not one that will backport. Signed-off-by: Alan Cox <alan@linux.intel.com> Cc: stable <stable@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20Revert "sysdev: fix prototype for memory_sysdev_class show/store functions"Greg Kroah-Hartman
This reverts commit 8ff410daa009c4b44be445ded5b0cec00abc0426 It should not have been sent to Linus's tree yet, as it depends on changes that are queued up in my driver-core for the .34 kernel merge. Cc: Wu Fengguang <fengguang.wu@intel.com> Cc: Andi Kleen <andi@firstfloor.org> Cc: "Zheng, Shaohui" <shaohui.zheng@intel.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Linus Torvalds Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-20driver-core: fix devtmpfs crash on s390Heiko Carstens
On Mon, Jan 18, 2010 at 05:26:20PM +0530, Sachin Sant wrote: > Hello Heiko, > > Today while trying to boot next-20100118 i came across > the following Oops : > > Brought up 4 CPUs > Unable to handle kernel pointer dereference at virtual kernel address 0000000000 > 543000 > Oops: 0004 #1 SMP > Modules linked in: > CPU: 0 Not tainted 2.6.33-rc4-autotest-next-20100118-5-default #1 > Process swapper (pid: 1, task: 00000000fd792038, ksp: 00000000fd797a30) > Krnl PSW : 0704200180000000 00000000001eb0b8 (shmem_parse_options+0xc0/0x328) > R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:0 CC:2 PM:0 EA:3 > Krnl GPRS: 000000000054388a 000000000000003d 0000000000543836 000000000000003d > 0000000000000000 0000000000483f28 0000000000536112 00000000fd797d00 > 00000000fd4ba100 0000000000000100 0000000000483978 0000000000543832 > 0000000000000000 0000000000465958 00000000001eb0b0 00000000fd797c58 > Krnl Code: 00000000001eb0aa: c0e5000994f1 brasl %r14,31da8c > 00000000001eb0b0: b9020022 ltgr %r2,%r2 > 00000000001eb0b4: a784010b brc 8,1eb2ca > >00000000001eb0b8: 92002000 mvi 0(%r2),0 > 00000000001eb0bc: a7080000 lhi %r0,0 > 00000000001eb0c0: 41902001 la %r9,1(%r2) > 00000000001eb0c4: b9040016 lgr %r1,%r6 > 00000000001eb0c8: b904002b lgr %r2,%r11 > Call Trace: > (<00000000fd797c50> 0xfd797c50) > <00000000001eb5da> shmem_fill_super+0x13a/0x25c > <0000000000228cfa> get_sb_single+0xbe/0xdc > <000000000034ffc0> dev_get_sb+0x2c/0x38 > <000000000066c602> devtmpfs_init+0x46/0xc0 > <000000000066c53e> driver_init+0x22/0x60 > <000000000064d40a> kernel_init+0x24e/0x3d0 > <000000000010a7ea> kernel_thread_starter+0x6/0xc > <000000000010a7e4> kernel_thread_starter+0x0/0xc > > I never tried to boot a kernel with DEVTMPFS enabled on a s390 box. > So am wondering if this is supported or not ? If you think this > is supported i will send a mail to community on this. There is nothing arch specific to devtmpfs. This part crashes because the kernel tries to modify the data read-only section which is write protected on s390. Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com> Acked-by: Kay Sievers <kay.sievers@vrfy.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-01-21drm/radeon: r6xx/r7xx possible security issue, system ram accessJerome Glisse
This patch workaround a possible security issue which can allow user to abuse drm on r6xx/r7xx hw to access any system ram memory. This patch doesn't break userspace, it detect "valid" old use of CB_COLOR[0-7]_FRAG & CB_COLOR[0-7]_TILE registers and overwritte the address these registers are pointing to with the one of the last color buffer. This workaround will work for old mesa & xf86-video-ati and any old user which did use similar register programming pattern as those (we expect that there is no others user of those ioctl except possibly a malicious one). This patch add a warning if it detects such usage, warning encourage people to update their mesa & xf86-video-ati. New userspace will submit proper relocation. Fix for xf86-video-ati / mesa (this kernel patch is enough to prevent abuse, fix for userspace are to set proper cs stream and avoid kernel warning) : http://cgit.freedesktop.org/xorg/driver/xf86-video-ati/commit/?id=95d63e408cc88b6934bec84a0b1ef94dfe8bee7b http://cgit.freedesktop.org/mesa/mesa/commit/?id=46dc6fd3ed5ef96cda53641a97bc68c3bc104a9f Abusing this register to perform system ram memory is not easy, here is outline on how it could be achieve. First attacker must have access to the drm device and be able to submit command stream throught cs ioctl. Then attacker must build a proper command stream for r6xx/r7xx hw which will abuse the FRAG or TILE buffer to overwrite the GPU GART which is in VRAM. To achieve so attacker as to setup CB_COLOR[0-7]_FRAG or CB_COLOR[0-7]_TILE to point to the GPU GART, then it has to find a way to write predictable value into those buffer (with little cleverness i believe this can be done but this is an hard task). Once attacker have such program it can overwritte GPU GART to program GPU gart to point anywhere in system memory. It then can reusse same method as he used to reprogram GART to overwritte the system ram through the GART mapping. In the process the attacker has to be carefull to not overwritte any sensitive area of the GART table, like ring or IB gart entry as it will more then likely lead to GPU lockup. Bottom line is that i think it's very hard to use this flaw to get system ram access but in theory one can achieve so. Side note: I am not aware of anyone ever using the GPU as an attack vector, nevertheless we take great care in the opensource driver to try to detect and forbid malicious use of GPU. I don't think the closed source driver are as cautious as we are. Signed-off-by: Jerome Glisse <jglisse@redhat.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
2010-01-21drm/radeon/kms: r600/r700 don't test ib if ib initialization failsJerome Glisse
If ib initialization failed don't try to test ib as it will result in an oops (accessing NULL ib buffer ptr). Signed-off-by: Jerome Glisse <jglisse@redhat.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
2010-01-21drm/radeon/kms: Forbid creation of framebuffer with no valid GEM objectJerome Glisse
This will avoid oops if at later point the fb is use. Trying to create a framebuffer with no valid GEM object is bogus and should be forbidden as this patch does. Signed-off-by: Jerome Glisse <jglisse@redhat.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
2010-01-21drm/radeon/kms: r600 handle irq vector ring overflowJerome Glisse
In some rare case i faced an irq overflow quickly followed by a GPU lockup (hard hang) this patch try to deal with irq vector ring overflow, so far haven't been able to reproduce it with the patch. Signed-off-by: Jerome Glisse <jglisse@redhat.com> Reviewed-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
2010-01-21drm/radeon/kms: r600/r700 don't process IRQ if not initializedJerome Glisse
In some rare case the wptr returned from the hw wasn't 0 and leaded to trick r600_process_irq that their were irq to process. Add a check to bail out if irq hasn't been initialized this will avoid oops provoqued by the rare wptr != 0 on initialization. Signed-off-by: Jerome Glisse <jglisse@redhat.com> Reviewed-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
2010-01-21drm/radeon/kms: r600/r700 disable irq at suspendJerome Glisse
To avoid hw doing anythings after we disabled PCIE GART, fully disable IRQ at suspend. Also cleanup a bit the ih structure and process function. Signed-off-by: Jerome Glisse <jglisse@redhat.com> Reviewed-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
2010-01-21drm/radeon/kms/r4xx: cleanup atom pathAlex Deucher
most of radeon_legacy_atom_set_surface() is taken care of in atombios_set_base(), so remove the duplicate setup and move the remaining bits (DISP_MERGE setup and FP2 sync) to atombios_crtc.c where they are used. Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
2010-01-21drm/radeon/kms: fix atombios_crtc_set_baseAlex Deucher
Make it call the proper backend depending on the GPU family. Right now r4xx cards with atombios modesetting enabled were using the avivo crtc base code. This also allows us to add support for new asics more easily. Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
2010-01-21drm/radeon/kms/atom: upstream parser updatesAlex Deucher
Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
2010-01-21drm/radeon/kms/atom: fix some parser bugsAlex Deucher
- add support for inline src params - fix shift_left/shift_right and shl/shr ops shift_* ops use inline src params, shl/r use full params - fix mask op (uses inline params) Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
2010-01-21drm/radeon/kms: fix hardcoded mmio size in register functionsAlex Deucher
newer asics have large mmio apertures Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
2010-01-21drm/radeon/kms/r100: fix bug in CS parserAlex Deucher
The first dword of PACKET3_3D_DRAW_IMMD maps to SE_VTX_FMT so the vertex size is part of the draw packet. This patch fixes a possible case where you have a command buffer that does not contain SE_VTX_FMT register write, but does contain PACKET3_3D_DRAW_IMMD. Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
2010-01-21drm/radeon/kms/r200: fix bug in CS parserAndrew Randrianasulu
Add missing vertex shader regs for r200. fixed fdo bug 26061 agd5f: use official reg names Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
2010-01-21drm/radeon/kms/r200: fix bug in CS parserAndrew Randrianasulu
The checks for CUBE and 3D textures were inverted. fixes fdo bug 24159 agd5f: added comments for clarity. Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@linux.ie>
2010-01-20libata: retry FS IOs even if it has failed with AC_ERR_INVALIDTejun Heo
libata currently doesn't retry if a command fails with AC_ERR_INVALID assuming that retrying won't get it any further even if retried. However, a failure may be classified as invalid through hardware glitch (incorrect reading of the error register or firmware bug) and there isn't whole lot to gain by not retrying as actually invalid commands will be failed immediately. Also, commands serving FS IOs are extremely unlikely to be invalid. Retry FS IOs even if it's marked invalid. Transient and incorrect invalid failure was seen while debugging firmware related issue on Samsung n130 on bko#14314. http://bugzilla.kernel.org/show_bug.cgi?id=14314 Signed-off-by: Tejun Heo <tj@kernel.org> Reported-by: Johannes Stezenbach <js@sig21.net> Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
2010-01-20Merge branch 'bugzilla-14954' into releaseLen Brown
2010-01-20Merge branch 'misc' into releaseLen Brown