Robin Holt [Wed, 20 Oct 2010 02:03:37 +0000 (02:03 +0000)]
Limit sysctl_tcp_mem and sysctl_udp_mem initializers to prevent integer overflows.
[ Upstream fixed this in a different way as parts of the commits:
8d987e5c7510 (net: avoid limits overflow)
a9febbb4bd13 (sysctl: min/max bounds are optional)
27b3d80a7b6a (sysctl: fix min/max handling in __do_proc_doulongvec_minmax())
-DaveM ]
On a 16TB x86_64 machine, sysctl_tcp_mem[2], sysctl_udp_mem[2], and
sysctl_sctp_mem[2] can integer overflow. Set limit such that they are
maximized without overflowing.
Signed-off-by: Robin Holt <holt@sgi.com>
To: "David S. Miller" <davem@davemloft.net>
Cc: Willy Tarreau <w@1wt.eu>
Cc: linux-kernel@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-sctp@vger.kernel.org
Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Cc: "Pekka Savola (ipv6)" <pekkas@netcore.fi>
Cc: James Morris <jmorris@namei.org>
Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
Cc: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jarek Poplawski [Tue, 19 Oct 2010 00:06:36 +0000 (00:06 +0000)]
gianfar: Fix crashes on RX path (Was Re: [Bugme-new] [Bug 19692] New: linux-2.6.36-rc5 crash with gianfar ethernet at full line rate traffic)
[ Upstream commit
0d1fe1111c667e9c713d7efc7ae468a605f236a4 ]
The rx_recycle queue is global per device but can be accesed by many
napi handlers at the same time, so it needs full skb_queue primitives
(with locking). Otherwise, various crashes caused by broken skbs are
possible.
This patch resolves, at least partly, bugzilla bug 19692. (Because of
some doubts that there could be still something around which is hard
to reproduce my proposal is to leave this bug opened for a month.)
Fixes commit:
0fd56bb5be6455d0d42241e65aed057244665e5e ("gianfar: Add
support for skb recycling")
Reported-by: emin ak <eminak71@gmail.com>
Tested-by: emin ak <eminak71@gmail.com>
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
CC: Andy Fleming <afleming@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Antonio Ospite [Tue, 5 Oct 2010 15:20:17 +0000 (17:20 +0200)]
HID: hidraw, fix a NULL pointer dereference in hidraw_write
commit
e42dee9a99a3ecd32b5c027e8f7411fb5bc11eb6 upstream.
BUG: unable to handle kernel NULL pointer dereference at
0000000000000028
IP: [<
ffffffffa0f0a625>] hidraw_write+0x3b/0x116 [hid]
[...]
This is reproducible by disconnecting the device while userspace writes
to dev node in a loop and doesn't check return values in order to exit
the loop.
Signed-off-by: Antonio Ospite <ospite@studenti.unina.it>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Antonio Ospite [Tue, 5 Oct 2010 15:20:16 +0000 (17:20 +0200)]
HID: hidraw, fix a NULL pointer dereference in hidraw_ioctl
commit
d20d5ffab92f00188f360c44c791a5ffb988247c upstream.
BUG: unable to handle kernel NULL pointer dereference at
0000000000000028
IP: [<
ffffffffa02c66b4>] hidraw_ioctl+0xfc/0x32c [hid]
[...]
This is reproducible by disconnecting the device while userspace does
ioctl in a loop and doesn't check return values in order to exit the
loop.
Signed-off-by: Antonio Ospite <ospite@studenti.unina.it>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jeff Mahoney [Tue, 31 Aug 2010 13:21:42 +0000 (13:21 +0000)]
net sched: fix kernel leak in act_police
commit
0f04cfd098fb81fded74e78ea1a1b86cc6c6c31e upstream.
While reviewing commit
1c40be12f7d8ca1d387510d39787b12e512a7ce8, I
audited other users of tc_action_ops->dump for information leaks.
That commit covered almost all of them but act_police still had a leak.
opt.limit and opt.capab aren't zeroed out before the structure is
passed out.
This patch uses the C99 initializers to zero everything unused out.
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Larry Finger [Sat, 13 Nov 2010 19:01:56 +0000 (13:01 -0600)]
staging: rtl8187se: Change panic to warn when RF switch turned off
commit
f36d83a8cb7224f45fdfa1129a616dff56479a09 upstream.
This driver issues a kernel panic over conditions that do not
justify such drastic action. Change these to log entries with
a stack dump.
This patch fixes the system crash reported in
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/674285.
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Reported-and-Tested-by: Robie Basik <rb-oss-3@justgohome.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Greg Kroah-Hartman [Tue, 16 Nov 2010 19:18:33 +0000 (11:18 -0800)]
Staging: frontier: fix up some sysfs attribute permissions
commit
3bad28ec006ad6ab2bca4e5103860b75391e3c9d and
2a767fda5d0d8dcff465724dfad6ee131489b3f2 upstream merged together.
They should not be writable by any user
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: David Taht <d@teklibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
James Jones [Tue, 23 Nov 2010 23:21:37 +0000 (00:21 +0100)]
ARM: 6482/2: Fix find_next_zero_bit and related assembly
commit
0e91ec0c06d2cd15071a6021c94840a50e6671aa upstream.
The find_next_bit, find_first_bit, find_next_zero_bit
and find_first_zero_bit functions were not properly
clamping to the maxbit argument at the bit level. They
were instead only checking maxbit at the byte level.
To fix this, add a compare and a conditional move
instruction to the end of the common bit-within-the-
byte code used by all the functions and be sure not to
clobber the maxbit argument before it is used.
Reviewed-by: Nicolas Pitre <nicolas.pitre@linaro.org>
Tested-by: Stephen Warren <swarren@nvidia.com>
Signed-off-by: James Jones <jajones@nvidia.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Will Deacon [Fri, 19 Nov 2010 12:18:31 +0000 (13:18 +0100)]
ARM: 6489/1: thumb2: fix incorrect optimisation in usracc
commit
1142b71d85894dcff1466dd6c871ea3c89e0352c upstream.
Commit
8b592783 added a Thumb-2 variant of usracc which, when it is
called with \rept=2, calls usraccoff once with an offset of 0 and
secondly with a hard-coded offset of 4 in order to avoid incrementing
the pointer again. If \inc != 4 then we will store the data to the wrong
offset from \ptr. Luckily, the only caller that passes \rept=2 to this
function is __clear_user so we haven't been actively corrupting user data.
This patch fixes usracc to pass \inc instead of #4 to usraccoff
when it is called a second time.
Reported-by: Tony Thompson <tony.thompson@arm.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Pekka Enberg [Mon, 8 Nov 2010 19:29:07 +0000 (21:29 +0200)]
perf_events: Fix perf_counter_mmap() hook in mprotect()
commit
63bfd7384b119409685a17d5c58f0b56e5dc03da upstream.
As pointed out by Linus, commit
dab5855 ("perf_counter: Add mmap event hooks to
mprotect()") is fundamentally wrong as mprotect_fixup() can free 'vma' due to
merging. Fix the problem by moving perf_event_mmap() hook to
mprotect_fixup().
Note: there's another successful return path from mprotect_fixup() if old
flags equal to new flags. We don't, however, need to call
perf_event_mmap() there because 'perf' already knows the VMA is
executable.
Reported-by: Dave Jones <davej@redhat.com>
Analyzed-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Ingo Molnar <mingo@elte.hu>
Reviewed-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Pekka Enberg <penberg@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dan Rosenberg [Tue, 23 Nov 2010 11:02:13 +0000 (11:02 +0000)]
DECnet: don't leak uninitialized stack byte
commit
3c6f27bf33052ea6ba9d82369fb460726fb779c0 upstream.
A single uninitialized padding byte is leaked to userspace.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Steven J. Magnani [Wed, 24 Nov 2010 20:56:54 +0000 (12:56 -0800)]
nommu: yield CPU while disposing VM
commit
04c3496152394d17e3bc2316f9731ee3e8a026bc upstream.
Depending on processor speed, page size, and the amount of memory a
process is allowed to amass, cleanup of a large VM may freeze the system
for many seconds. This can result in a watchdog timeout.
Make sure other tasks receive some service when cleaning up large VMs.
Signed-off-by: Steven J. Magnani <steve@digidescorp.com>
Cc: Greg Ungerer <gerg@snapgear.com>
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Uwe Kleine-König [Wed, 24 Nov 2010 20:57:14 +0000 (12:57 -0800)]
backlight: grab ops_lock before testing bd->ops
commit
d1d73578e053b981c3611e5a211534290d24a5eb upstream.
According to the comment describing ops_lock in the definition of struct
backlight_device and when comparing with other functions in backlight.c
the mutex must be hold when checking ops to be non-NULL.
Fixes a problem added by
c835ee7f4154992e6 ("backlight: Add suspend/resume
support to the backlight core") in Jan 2009.
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Acked-by: Richard Purdie <rpurdie@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Will Newton [Wed, 24 Nov 2010 20:56:55 +0000 (12:56 -0800)]
uml: disable winch irq before freeing handler data
commit
69e83dad5207f8f03c9699e57e1febb114383cb8 upstream.
Disable the winch irq early to make sure we don't take an interrupt part
way through the freeing of the handler data, resulting in a crash on
shutdown:
winch_interrupt : read failed, errno = 9
fd 13 is losing SIGWINCH support
------------[ cut here ]------------
WARNING: at lib/list_debug.c:48 list_del+0xc6/0x100()
list_del corruption, next is LIST_POISON1 (
00100100)
082578c8: [<
081fd77f>] dump_stack+0x22/0x24
082578e0: [<
0807a18a>] warn_slowpath_common+0x5a/0x80
08257908: [<
0807a23e>] warn_slowpath_fmt+0x2e/0x30
08257920: [<
08172196>] list_del+0xc6/0x100
08257940: [<
08060244>] free_winch+0x14/0x80
08257958: [<
080606fb>] winch_interrupt+0xdb/0xe0
08257978: [<
080a65b5>] handle_IRQ_event+0x35/0xe0
08257998: [<
080a8717>] handle_edge_irq+0xb7/0x170
082579bc: [<
08059bc4>] do_IRQ+0x34/0x50
082579d4: [<
08059e1b>] sigio_handler+0x5b/0x80
082579ec: [<
0806a374>] sig_handler_common+0x44/0xb0
08257a68: [<
0806a538>] sig_handler+0x38/0x50
08257a78: [<
0806a77c>] handle_signal+0x5c/0xa0
08257a9c: [<
0806be28>] hard_handler+0x18/0x20
08257aac: [<
00c14400>] 0xc14400
Signed-off-by: Will Newton <will.newton@gmail.com>
Acked-by: WANG Cong <xiyou.wangcong@gmail.com>
Cc: Jeff Dike <jdike@addtoit.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Nelson Elhage [Thu, 2 Dec 2010 22:31:21 +0000 (14:31 -0800)]
do_exit(): make sure that we run with get_fs() == USER_DS
commit
33dd94ae1ccbfb7bf0fb6c692bc3d1c4269e6177 upstream.
If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not
otherwise reset before do_exit(). do_exit may later (via mm_release in
fork.c) do a put_user to a user-controlled address, potentially allowing
a user to leverage an oops into a controlled write into kernel memory.
This is only triggerable in the presence of another bug, but this
potentially turns a lot of DoS bugs into privilege escalations, so it's
worth fixing. I have proof-of-concept code which uses this bug along
with CVE-2010-3849 to write a zero to an arbitrary kernel address, so
I've tested that this is not theoretical.
A more logical place to put this fix might be when we know an oops has
occurred, before we call do_exit(), but that would involve changing
every architecture, in multiple places.
Let's just stick it in do_exit instead.
[akpm@linux-foundation.org: update code comment]
Signed-off-by: Nelson Elhage <nelhage@ksplice.com>
Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Ken Sumrall [Wed, 24 Nov 2010 20:57:00 +0000 (12:57 -0800)]
fuse: fix attributes after open(O_TRUNC)
commit
a0822c55779d9319939eac69f00bb729ea9d23da upstream.
The attribute cache for a file was not being cleared when a file is opened
with O_TRUNC.
If the filesystem's open operation truncates the file ("atomic_o_trunc"
feature flag is set) then the kernel should invalidate the cached st_mtime
and st_ctime attributes.
Also i_size should be explicitly be set to zero as it is used sometimes
without refreshing the cache.
Signed-off-by: Ken Sumrall <ksumrall@android.com>
Cc: Anfei <anfei.zhou@gmail.com>
Cc: "Anand V. Avati" <avati@gluster.com>
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Len Brown [Tue, 28 Sep 2010 21:51:51 +0000 (17:51 -0400)]
ACPI: EC: add Vista incompatibility DMI entry for Toshiba Satellite L355
commit
7a1d602f5fc35d14907b7da98d5627acb69589d1 upstream.
https://bugzilla.kernel.org/show_bug.cgi?id=12641
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Zhang Rui [Tue, 12 Oct 2010 01:09:37 +0000 (09:09 +0800)]
acpi-cpufreq: fix a memleak when unloading driver
commit
dab5fff14df2cd16eb1ad4c02e83915e1063fece upstream.
We didn't free per_cpu(acfreq_data, cpu)->freq_table
when acpi_freq driver is unloaded.
Resulting in the following messages in /sys/kernel/debug/kmemleak:
unreferenced object 0xf6450e80 (size 64):
comm "modprobe", pid 1066, jiffies
4294677317 (age 19290.453s)
hex dump (first 32 bytes):
00 00 00 00 e8 a2 24 00 01 00 00 00 00 9f 24 00 ......$.......$.
02 00 00 00 00 6a 18 00 03 00 00 00 00 35 0c 00 .....j.......5..
backtrace:
[<
c123ba97>] kmemleak_alloc+0x27/0x50
[<
c109f96f>] __kmalloc+0xcf/0x110
[<
f9da97ee>] acpi_cpufreq_cpu_init+0x1ee/0x4e4 [acpi_cpufreq]
[<
c11cd8d2>] cpufreq_add_dev+0x142/0x3a0
[<
c11920b7>] sysdev_driver_register+0x97/0x110
[<
c11cce56>] cpufreq_register_driver+0x86/0x140
[<
f9dad080>] 0xf9dad080
[<
c1001130>] do_one_initcall+0x30/0x160
[<
c10626e9>] sys_init_module+0x99/0x1e0
[<
c1002d97>] sysenter_do_call+0x12/0x26
[<
ffffffff>] 0xffffffff
https://bugzilla.kernel.org/show_bug.cgi?id=15807#c21
Tested-by: Toralf Forster <toralf.foerster@gmx.de>
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Signed-off-by: Len Brown <len.brown@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jacques Viviers [Wed, 24 Nov 2010 09:56:38 +0000 (11:56 +0200)]
USB: serial: ftdi_sio: Vardaan USB RS422/485 converter PID added
commit
6fdbad8021151a9e93af8159a6232c8f26415c09 upstream.
Add the PID for the Vardaan Enterprises VEUSB422R3 USB to RS422/485
converter. It uses the same chip as the FTDI_8U232AM_PID 0x6001.
This should also work with the stable branches for:
2.6.31, 2.6.32, 2.6.33, 2.6.34, 2.6.35, 2.6.36
Signed-off-by: Jacques Viviers <jacques.viviers@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Michael Stuermer [Wed, 17 Nov 2010 23:45:43 +0000 (00:45 +0100)]
USB: ftdi_sio: Add ID for RT Systems USB-29B radio cable
commit
28942bb6a9dd4e2ed793675e515cfb8297ed355b upstream.
Another variant of the RT Systems programming cable for ham radios.
Signed-off-by: Michael Stuermer <ms@mallorn.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Greg Kroah-Hartman [Mon, 15 Nov 2010 19:36:44 +0000 (11:36 -0800)]
USB: misc: usbsevseg: fix up some sysfs attribute permissions
commit
e24d7ace4e822debcb78386bf279c9aba4d7fbd1 upstream.
They should not be writable by any user.
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Harrison Metzger <harrisonmetz@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Greg Kroah-Hartman [Mon, 15 Nov 2010 19:34:26 +0000 (11:34 -0800)]
USB: misc: trancevibrator: fix up a sysfs attribute permission
commit
d489a4b3926bad571d404ca6508f6744b9602776 upstream.
It should not be writable by any user.
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Sam Hocevar <sam@zoy.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Johan Hovold [Sun, 12 Sep 2010 14:31:45 +0000 (16:31 +0200)]
USB: ftdi_sio: revert "USB: ftdi_sio: fix DTR/RTS line modes"
commit
677aeafe19e88c282af74564048243ccabb1c590 upstream.
This reverts commit
6a1a82df91fa0eb1cc76069a9efe5714d087eccd.
RTS and DTR should not be modified based on CRTSCTS when calling
set_termios.
Modem control lines are raised at port open by the tty layer and should stay
raised regardless of whether hardware flow control is enabled or not.
This is in conformance with the way serial ports work today and many
applications depend on this behaviour to be able to talk to hardware
implementing hardware flow control (without the applications actually using
it).
Hardware which expects different behaviour on these lines can always
use TIOCMSET/TIOCMBI[SC] after port open to change them.
Reported-by: Daniel Mack <daniel@caiaq.de>
Reported-by: Dave Mielke <dave@mielke.cc>
Signed-off-by: Johan Hovold <jhovold@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Greg Kroah-Hartman [Mon, 15 Nov 2010 19:35:49 +0000 (11:35 -0800)]
USB: misc: usbled: fix up some sysfs attribute permissions
commit
48f115470e68d443436b76b22dad63ffbffd6b97 upstream.
They should not be writable by any user.
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Greg Kroah-Hartman [Mon, 15 Nov 2010 19:32:38 +0000 (11:32 -0800)]
USB: misc: cypress_cy7c63: fix up some sysfs attribute permissions
commit
c990600d340641150f7270470a64bd99a5c0b225 upstream.
They should not be writable by any user.
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Oliver Bock <bock@tfh-berlin.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Greg Kroah-Hartman [Mon, 15 Nov 2010 19:11:45 +0000 (11:11 -0800)]
USB: atm: ueagle-atm: fix up some permissions on the sysfs files
commit
e502ac5e1eca99d7dc3f12b2a6780ccbca674858 upstream.
Some of the sysfs files had the incorrect permissions. Some didn't make
sense at all (writable for a file that you could not write to?)
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Matthieu Castet <castet.matthieu@free.fr>
Cc: Stanislaw Gruszka <stf_xl@wp.pl>
Cc: Damien Bergamini <damien.bergamini@free.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Greg Kroah-Hartman [Mon, 15 Nov 2010 19:17:52 +0000 (11:17 -0800)]
USB: storage: sierra_ms: fix sysfs file attribute
commit
d9624e75f6ad94d8a0718c1fafa89186d271a78c upstream.
A non-writable sysfs file shouldn't have writable attributes.
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Kevin Lloyd <klloyd@sierrawireless.com>
Cc: Matthew Dharm <mdharm-usb@one-eyed-alien.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Alan Stern [Tue, 16 Nov 2010 15:57:37 +0000 (10:57 -0500)]
USB: EHCI: fix obscure race in ehci_endpoint_disable
commit
02e2c51ba3e80acde600721ea784c3ef84da5ea1 upstream.
This patch (as1435) fixes an obscure and unlikely race in ehci-hcd.
When an async URB is unlinked, the corresponding QH is removed from
the async list. If the QH's endpoint is then disabled while the URB
is being given back, ehci_endpoint_disable() won't find the QH on the
async list, causing it to believe that the QH has been lost. This
will lead to a memory leak at best and quite possibly to an oops.
The solution is to trust usbcore not to lose track of endpoints. If
the QH isn't on the async list then it doesn't need to be taken off
the list, but the driver should still wait for the QH to become IDLE
before disabling it.
In theory this fixes Bugzilla #20182. In fact the race is so rare
that it's not possible to tell whether the bug is still present.
However, adding delays and making other changes to force the race
seems to show that the patch works.
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Reported-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
CC: David Brownell <david-b@pacbell.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Vasiliy Kulikov [Sat, 6 Nov 2010 14:41:28 +0000 (17:41 +0300)]
usb: core: fix information leak to userland
commit
886ccd4520064408ce5876cfe00554ce52ecf4a7 upstream.
Structure usbdevfs_connectinfo is copied to userland with padding byted
after "slow" field uninitialized. It leads to leaking of contents of
kernel stack memory.
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Vasiliy Kulikov [Sat, 6 Nov 2010 14:41:31 +0000 (17:41 +0300)]
usb: misc: iowarrior: fix information leak to userland
commit
eca67aaeebd6e5d22b0d991af1dd0424dc703bfb upstream.
Structure iowarrior_info is copied to userland with padding byted
between "serial" and "revision" fields uninitialized. It leads to
leaking of contents of kernel stack memory.
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Acked-by: Kees Cook <kees.cook@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Vasiliy Kulikov [Sat, 6 Nov 2010 14:41:35 +0000 (17:41 +0300)]
usb: misc: sisusbvga: fix information leak to userland
commit
5dc92cf1d0b4b0debbd2e333b83f9746c103533d upstream.
Structure sisusb_info is copied to userland with "sisusb_reserved" field
uninitialized. It leads to leaking of contents of kernel stack memory.
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
ma rui [Mon, 1 Nov 2010 03:32:18 +0000 (11:32 +0800)]
USB: option: fix when the driver is loaded incorrectly for some Huawei devices.
commit
58c0d9d70109bd7e82bdb9517007311a48499960 upstream.
When huawei datacard with PID 0x14AC is insterted into Linux system, the
present kernel will load the "option" driver to all the interfaces. But
actually, some interfaces run as other function and do not need "option"
driver.
In this path, we modify the id_tables, when the PID is 0x14ac ,VID is
0x12d1, Only when the interface's Class is 0xff,Subclass is 0xff, Pro is
0xff, it does need "option" driver.
Signed-off-by: ma rui <m00150988@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Sebastien Bourdeauducq [Wed, 3 Nov 2010 10:54:12 +0000 (11:54 +0100)]
USB: ftdi_sio: add device IDs for Milkymist One JTAG/serial
commit
7fea0f714ffb3f303d4b66933af2df2f5584c9bf upstream.
Add the USB IDs for the Milkymist One FTDI-based JTAG/serial adapter
(http://projects.qi-hardware.com/index.php/p/mmone-jtag-serial-cable/)
to the ftdi_sio driver and disable the first serial channel (used as
JTAG from userspace).
Signed-off-by: Sebastien Bourdeauducq <sebastien@milkymist.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Josh Wu [Tue, 16 Nov 2010 10:51:32 +0000 (11:51 +0100)]
USB: gadget: AT91: fix typo in atmel_usba_udc driver
commit
b48809518631880207796b4aab0fc39c2f036754 upstream.
compile fix for bug introduced by
969affff547027)
Signed-off-by: Josh Wu <josh.wu@atmel.com>
Cc: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Peter Jones [Wed, 22 Sep 2010 20:05:04 +0000 (13:05 -0700)]
efifb: check that the base address is plausible on pci systems
commit
85a00d9bbfb4704fbf368944b1cb9fed8f1598c5 upstream.
Some Apple machines have identical DMI data but different memory
configurations for the video. Given that, check that the address in our
table is actually within the range of a PCI BAR on a VGA device in the
machine.
This also fixes up the return value from set_system(), which has always
been wrong, but never resulted in bad behavior since there's only ever
been one matching entry in the dmi table.
The patch
1) stops people's machines from crashing when we get their display wrong,
which seems to be unfortunately inevitable,
2) allows us to support identical dmi data with differing video memory
configurations
This also adds me as the efifb maintainer, since I've effectively been
acting as such for quite some time.
Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: maximilian attems <max@stro.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Darrick J. Wong [Tue, 16 Nov 2010 17:13:41 +0000 (09:13 -0800)]
PCI: fix offset check for sysfs mmapped files
commit
8c05cd08a7504b855c265263e84af61aabafa329 upstream.
I just loaded 2.6.37-rc2 on my machines, and I noticed that X no longer starts.
Running an strace of the X server shows that it's doing this:
open("/sys/bus/pci/devices/0000:07:00.0/resource0", O_RDWR) = 10
mmap(NULL,
16777216, PROT_READ|PROT_WRITE, MAP_SHARED, 10, 0) = -1 EINVAL (Invalid argument)
This code seems to be asking for a shared read/write mapping of 16MB worth of
BAR0 starting at file offset 0, and letting the kernel assign a starting
address. Unfortunately, this -EINVAL causes X not to start. Looking into
dmesg, there's a complaint like so:
process "Xorg" tried to map 0x01000000 bytes at page 0x00000000 on 0000:07:00.0 BAR 0 (start 0x
96000000, size 0x
1000000)
...with the following code in pci_mmap_fits:
pci_start = (mmap_api == PCI_MMAP_SYSFS) ?
pci_resource_start(pdev, resno) >> PAGE_SHIFT : 0;
if (start >= pci_start && start < pci_start + size &&
start + nr <= pci_start + size)
It looks like the logic here is set up such that when the mmap call comes via
sysfs, the check in pci_mmap_fits wants vma->vm_pgoff to be between the
resource's start and end address, and the end of the vma to be no farther than
the end. However, the sysfs PCI resource files always start at offset zero,
which means that this test always fails for programs that mmap the sysfs files.
Given the comment in the original commit
3b519e4ea618b6943a82931630872907f9ac2c2b, I _think_ the old procfs files
require that the file offset be equal to the resource's base address when
mmapping.
I think what we want here is for pci_start to be 0 when mmap_api ==
PCI_MMAP_PROCFS. The following patch makes that change, after which the Matrox
and Mach64 X drivers work again.
Acked-by: Martin Wilck <martin.wilck@ts.fujitsu.com>
Signed-off-by: Darrick J. Wong <djwong@us.ibm.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Martin Wilck [Wed, 10 Nov 2010 10:03:21 +0000 (11:03 +0100)]
PCI: fix size checks for mmap() on /proc/bus/pci files
commit
3b519e4ea618b6943a82931630872907f9ac2c2b upstream.
The checks for valid mmaps of PCI resources made through /proc/bus/pci files
that were introduced in
9eff02e2042f96fb2aedd02e032eca1c5333d767 have several
problems:
1. mmap() calls on /proc/bus/pci files are made with real file offsets > 0,
whereas under /sys/bus/pci/devices, the start of the resource corresponds
to offset 0. This may lead to false negatives in pci_mmap_fits(), which
implicitly assumes the /sys/bus/pci/devices layout.
2. The loop in proc_bus_pci_mmap doesn't skip empty resouces. This leads
to false positives, because pci_mmap_fits() doesn't treat empty resources
correctly (the calculated size is 1 << (8*sizeof(resource_size_t)-PAGE_SHIFT)
in this case!).
3. If a user maps resources with BAR > 0, pci_mmap_fits will emit bogus
WARNINGS for the first resources that don't fit until the correct one is found.
On many controllers the first 2-4 BARs are used, and the others are empty.
In this case, an mmap attempt will first fail on the non-empty BARs
(including the "right" BAR because of 1.) and emit bogus WARNINGS because
of 3., and finally succeed on the first empty BAR because of 2.
This is certainly not the intended behaviour.
This patch addresses all 3 issues.
Updated with an enum type for the additional parameter for pci_mmap_fits().
Signed-off-by: Martin Wilck <martin.wilck@ts.fujitsu.com>
Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Tejun Heo [Mon, 1 Nov 2010 10:39:19 +0000 (11:39 +0100)]
libata: fix NULL sdev dereference race in atapi_qc_complete()
commit
2a5f07b5ec098edc69e05fdd2f35d3fbb1235723 upstream.
SCSI commands may be issued between __scsi_add_device() and dev->sdev
assignment, so it's unsafe for ata_qc_complete() to dereference
dev->sdev->locked without checking whether it's NULL or not. Fix it.
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Douglas Gilbert [Mon, 1 Feb 2010 18:11:38 +0000 (13:11 -0500)]
libata-scsi passthru: fix bug which truncated LBA48 return values
commit
bc496ed00ab1411d3efaf295b72e0c9eb343e1a3 upstream.
Fix assignment which overwrote SAT ATA PASS-THROUGH command EXTEND
bit setting (ATA_TFLAG_LBA48)
Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Cc: Kerin Millar <kerframil@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Francisco Jerez [Tue, 21 Sep 2010 00:15:15 +0000 (02:15 +0200)]
drm/ttm: Clear the ghost cpu_writers flag on ttm_buffer_object_transfer.
commit
0fbecd400dd0a82d465b3086f209681e8c54cb0f upstream.
It makes sense for a BO to move after a process has requested
exclusive RW access on it (e.g. because the BO used to be located in
unmappable VRAM and we intercepted the CPU access from the fault
handler).
If we let the ghost object inherit cpu_writers from the original
object, ttm_bo_release_list() will raise a kernel BUG when the ghost
object is destroyed. This can be reproduced with the nouveau driver on
nv5x.
Reported-by: Marcin Slusarz <marcin.slusarz@gmail.com>
Reviewed-by: Jerome Glisse <jglisse@redhat.com>
Tested-by: Marcin Slusarz <marcin.slusarz@gmail.com>
Signed-off-by: Francisco Jerez <currojerez@riseup.net>
Signed-off-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jens Axboe [Wed, 10 Nov 2010 13:36:25 +0000 (14:36 +0100)]
bio: take care not overflow page count when mapping/copying user data
commit
cb4644cac4a2797afc847e6c92736664d4b0ea34 upstream.
If the iovec is being set up in a way that causes uaddr + PAGE_SIZE
to overflow, we could end up attempting to map a huge number of
pages. Check for this invalid input type.
Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dave Hansen [Thu, 11 Nov 2010 22:05:15 +0000 (14:05 -0800)]
mm/vfs: revalidate page->mapping in do_generic_file_read()
commit
8d056cb965b8fb7c53c564abf28b1962d1061cd3 upstream.
70 hours into some stress tests of a 2.6.32-based enterprise kernel, we
ran into a NULL dereference in here:
int block_is_partially_uptodate(struct page *page, read_descriptor_t *desc,
unsigned long from)
{
----> struct inode *inode = page->mapping->host;
It looks like page->mapping was the culprit. (xmon trace is below).
After closer examination, I realized that do_generic_file_read() does a
find_get_page(), and eventually locks the page before calling
block_is_partially_uptodate(). However, it doesn't revalidate the
page->mapping after the page is locked. So, there's a small window
between the find_get_page() and ->is_partially_uptodate() where the page
could get truncated and page->mapping cleared.
We _have_ a reference, so it can't get reclaimed, but it certainly
can be truncated.
I think the correct thing is to check page->mapping after the
trylock_page(), and jump out if it got truncated. This patch has been
running in the test environment for a month or so now, and we have not
seen this bug pop up again.
xmon info:
1f:mon> e
cpu 0x1f: Vector: 300 (Data Access) at [
c0000002ae36f770]
pc:
c0000000001e7a6c: .block_is_partially_uptodate+0xc/0x100
lr:
c000000000142944: .generic_file_aio_read+0x1e4/0x770
sp:
c0000002ae36f9f0
msr:
8000000000009032
dar: 0
dsisr:
40000000
current = 0xc000000378f99e30
paca = 0xc000000000f66300
pid = 21946, comm = bash
1f:mon> r
R00 =
0025c0500000006d R16 =
0000000000000000
R01 =
c0000002ae36f9f0 R17 =
c000000362cd3af0
R02 =
c000000000e8cd80 R18 =
ffffffffffffffff
R03 =
c0000000031d0f88 R19 =
0000000000000001
R04 =
c0000002ae36fa68 R20 =
c0000003bb97b8a0
R05 =
0000000000000000 R21 =
c0000002ae36fa68
R06 =
0000000000000000 R22 =
0000000000000000
R07 =
0000000000000001 R23 =
c0000002ae36fbb0
R08 =
0000000000000002 R24 =
0000000000000000
R09 =
0000000000000000 R25 =
c000000362cd3a80
R10 =
0000000000000000 R26 =
0000000000000002
R11 =
c0000000001e7b60 R27 =
0000000000000000
R12 =
0000000042000484 R28 =
0000000000000001
R13 =
c000000000f66300 R29 =
c0000003bb97b9b8
R14 =
0000000000000001 R30 =
c000000000e28a08
R15 =
000000000000ffff R31 =
c0000000031d0f88
pc =
c0000000001e7a6c .block_is_partially_uptodate+0xc/0x100
lr =
c000000000142944 .generic_file_aio_read+0x1e4/0x770
msr =
8000000000009032 cr =
22000488
ctr =
c0000000001e7a60 xer =
0000000020000000 trap = 300
dar =
0000000000000000 dsisr =
40000000
1f:mon> t
[link register ]
c000000000142944 .generic_file_aio_read+0x1e4/0x770
[
c0000002ae36f9f0]
c000000000142a14 .generic_file_aio_read+0x2b4/0x770 (unreliable)
[
c0000002ae36fb40]
c0000000001b03e4 .do_sync_read+0xd4/0x160
[
c0000002ae36fce0]
c0000000001b153c .vfs_read+0xec/0x1f0
[
c0000002ae36fd80]
c0000000001b1768 .SyS_read+0x58/0xb0
[
c0000002ae36fe30]
c00000000000852c syscall_exit+0x0/0x40
--- Exception: c00 (System Call) at
00000080a840bc54
SP (
fffca15df30) is in userspace
1f:mon> di
c0000000001e7a6c
c0000000001e7a6c e9290000 ld r9,0(r9)
c0000000001e7a70 418200c0 beq
c0000000001e7b30 # .block_is_partially_uptodate+0xd0/0x100
c0000000001e7a74 e9440008 ld r10,8(r4)
c0000000001e7a78 78a80020 clrldi r8,r5,32
c0000000001e7a7c 3c000001 lis r0,1
c0000000001e7a80 812900a8 lwz r9,168(r9)
c0000000001e7a84 39600001 li r11,1
c0000000001e7a88 7c080050 subf r0,r8,r0
c0000000001e7a8c 7f805040 cmplw cr7,r0,r10
c0000000001e7a90 7d6b4830 slw r11,r11,r9
c0000000001e7a94 796b0020 clrldi r11,r11,32
c0000000001e7a98 419d00a8 bgt cr7,
c0000000001e7b40 # .block_is_partially_uptodate+0xe0/0x100
c0000000001e7a9c 7fa55840 cmpld cr7,r5,r11
c0000000001e7aa0 7d004214 add r8,r0,r8
c0000000001e7aa4 79080020 clrldi r8,r8,32
c0000000001e7aa8 419c0078 blt cr7,
c0000000001e7b20 # .block_is_partially_uptodate+0xc0/0x100
Signed-off-by: Dave Hansen <dave@linux.vnet.ibm.com>
Reviewed-by: Minchan Kim <minchan.kim@gmail.com>
Reviewed-by: Johannes Weiner <hannes@cmpxchg.org>
Acked-by: Rik van Riel <riel@redhat.com>
Cc: <arunabal@in.ibm.com>
Cc: <sbest@us.ibm.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Minchan Kim <minchan.kim@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Ken Chen [Thu, 11 Nov 2010 22:05:16 +0000 (14:05 -0800)]
latencytop: fix per task accumulator
commit
38715258aa2e8cd94bd4aafadc544e5104efd551 upstream.
Per task latencytop accumulator prematurely terminates due to erroneous
placement of latency_record_count. It should be incremented whenever a
new record is allocated instead of increment on every latencytop event.
Also fix search iterator to only search known record events instead of
blindly searching all pre-allocated space.
Signed-off-by: Ken Chen <kenchen@google.com>
Reviewed-by: Arjan van de Ven <arjan@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Eric Dumazet [Thu, 28 Oct 2010 10:34:21 +0000 (12:34 +0200)]
netfilter: nf_conntrack: allow nf_ct_alloc_hashtable() to get highmem pages
commit
6b1686a71e3158d3c5f125260effce171cc7852b upstream.
commit
ea781f197d6a8 (use SLAB_DESTROY_BY_RCU and get rid of call_rcu())
did a mistake in __vmalloc() call in nf_ct_alloc_hashtable().
I forgot to add __GFP_HIGHMEM, so pages were taken from LOWMEM only.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Daniel T Chen [Thu, 2 Dec 2010 00:16:07 +0000 (19:16 -0500)]
ALSA: hda: Use "alienware" model quirk for another SSID
commit
0defe09ca70daccdc83abd9c3c24cd89ae6a1141 upstream.
BugLink: https://launchpad.net/bugs/683695
The original reporter states that headphone jacks do not appear to
work. Upon inspecting his codec dump, and upon further testing, it is
confirmed that the "alienware" model quirk is correct.
Reported-and-tested-by: Cody Thierauf
Signed-off-by: Daniel T Chen <crimsun@ubuntu.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
David Henningsson [Wed, 24 Nov 2010 13:17:47 +0000 (14:17 +0100)]
ALSA: HDA: Add an extra DAC for Realtek ALC887-VD
commit
cc1c452e509aefc28f7ad2deed75bc69d4f915f7 upstream.
The patch enables ALC887-VD to use the DAC at nid 0x26,
which makes it possible to use this DAC for e g Headphone
volume.
Signed-off-by: David Henningsson <david.henningsson@canonical.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Daniel T Chen [Mon, 1 Nov 2010 05:14:51 +0000 (01:14 -0400)]
ALSA: ac97: Apply quirk for Dell Latitude D610 binding Master and Headphone controls
commit
0613a59456980161d0cd468bae6c63d772743102 upstream.
BugLink: https://launchpad.net/bugs/669279
The original reporter states: "The Master mixer does not change the
volume from the headphone output (which is affected by the headphone
mixer). Instead it only seems to control the on-board speaker volume.
This confuses PulseAudio greatly as the Master channel is merged into
the volume mix."
Fix this symptom by applying the hp_only quirk for the reporter's SSID.
The fix is applicable to all stable kernels.
Reported-and-tested-by: Ben Gamari <bgamari@gmail.com>
Signed-off-by: Daniel T Chen <crimsun@ubuntu.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Clemens Ladisch [Mon, 25 Oct 2010 09:42:20 +0000 (11:42 +0200)]
firewire: ohci: fix race in AR split packet handling
commit
a1f805e5e73a8fe166b71c6592d3837df0cd5e2e upstream.
When handling an AR buffer that has been completely filled, we assumed
that its descriptor will not be read by the controller and can be
overwritten. However, when the last received packet happens to end at
the end of the buffer, the controller might not yet have moved on to the
next buffer and might read the branch address later. If we overwrite
and free the page before that, the DMA context will either go dead
because of an invalid Z value, or go off into some random memory.
To fix this, ensure that the descriptor does not get overwritten by
using only the actual buffer instead of the entire page for reassembling
the split packet. Furthermore, to avoid freeing the page too early,
move on to the next buffer only when some data in it guarantees that the
controller has moved on.
This should eliminate the remaining firewire-net problems.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Tested-by: Maxim Levitsky <maximlevitsky@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Clemens Ladisch [Mon, 25 Oct 2010 09:41:53 +0000 (11:41 +0200)]
firewire: ohci: fix buffer overflow in AR split packet handling
commit
85f7ffd5d2b320f73912b15fe8cef34bae297daf upstream.
When the controller had to split a received asynchronous packet into two
buffers, the driver tries to reassemble it by copying both parts into
the first page. However, if size + rest > PAGE_SIZE, i.e., if the yet
unhandled packets before the split packet, the split packet itself, and
any received packets after the split packet are together larger than one
page, then the memory after the first page would get overwritten.
To fix this, do not try to copy the data of all unhandled packets at
once, but copy the possibly needed data every time when handling
a packet.
This gets rid of most of the infamous crashes and data corruptions when
using firewire-net.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Tested-by: Maxim Levitsky <maximlevitsky@gmail.com>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Stefan Richter [Fri, 19 Feb 2010 20:00:02 +0000 (21:00 +0100)]
firewire: core: fix an information leak
commit
137d9ebfdbaa45c01f9f0f6d5121ae6f1eb942bd upstream.
If a device exposes a sparsely populated configuration ROM,
firewire-core's sysfs interface and character device file interface
showed random data in the gaps between config ROM blocks. Fix this by
zero-initialization of the config ROM reader's scratch buffer.
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
Cc: maximilian attems <max@stro.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Stefan Richter [Wed, 7 Apr 2010 06:30:50 +0000 (08:30 +0200)]
firewire: cdev: fix information leak
commit
9cac00b8f0079d5d3d54ec4dae453d58dec30e7c upstream.
A userspace client got to see uninitialized stack-allocated memory if it
specified an _IOC_READ type of ioctl and an argument size larger than
expected by firewire-core's ioctl handlers (but not larger than the
core's union ioctl_arg).
Fix this by clearing the requested buffer size to zero, but only at _IOR
ioctls. This way, there is almost no runtime penalty to legitimate
ioctls. The only legitimate _IOR is FW_CDEV_IOC_GET_CYCLE_TIMER with 12
or 16 bytes to memset.
[Another way to fix this would be strict checking of argument size (and
possibly direction) vs. command number. However, we then need a lookup
table, and we need to allow for slight size deviations in case of 32bit
userland on 64bit kernel.]
Reported-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
[ Backported to 2.6.32 firewire core -maks ]
Signed-off-by: maximilian attems <max@stro.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Ben Hutchings [Mon, 29 Nov 2010 15:00:15 +0000 (13:00 -0200)]
KVM: VMX: Fix host userspace gsbase corruption
commit
c8770e7ba63bb5dd8fe5f9d251275a8fa717fb78 upstream.
We now use load_gs_index() to load gs safely; unfortunately this also
changes MSR_KERNEL_GS_BASE, which we managed separately. This resulted
in confusion and breakage running 32-bit host userspace on a 64-bit kernel.
Fix by
- saving guest MSR_KERNEL_GS_BASE before we we reload the host's gs
- doing the host save/load unconditionally, instead of only when in guest
long mode
Things can be cleaned up further, but this is the minmal fix for now.
Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
[bwh: Backport to 2.6.32]
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Vasiliy Kulikov [Mon, 29 Nov 2010 15:00:14 +0000 (13:00 -0200)]
KVM: x86: fix information leak to userland
commit
97e69aa62f8b5d338d6cff49be09e37cc1262838 upstream.
Structures kvm_vcpu_events, kvm_debugregs, kvm_pit_state2 and
kvm_clock_data are copied to userland with some padding and reserved
fields unitialized. It leads to leaking of contents of kernel stack
memory. We have to initialize them to zero.
In patch v1 Jan Kiszka suggested to fill reserved fields with zeros
instead of memset'ting the whole struct. It makes sense as these
fields are explicitly marked as padding. No more fields need zeroing.
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Gleb Natapov [Wed, 10 Nov 2010 10:08:12 +0000 (12:08 +0200)]
KVM: VMX: fix vmx null pointer dereference on debug register access
There is a bug in KVM that can be used to crash a host on Intel
machines. If emulator is tricked into emulating mov to/from DR instruction
it causes NULL pointer dereference on VMX since kvm_x86_ops->(set|get)_dr
are not initialized. Recently this is not exploitable from guest
userspace, but malicious guest kernel can trigger it easily.
CVE-2010-0435
On upstream bug was fixed differently around 2.6.34.
Signed-off-by: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Avi Kivity <avi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jiri Slaby [Wed, 24 Nov 2010 23:27:54 +0000 (00:27 +0100)]
TTY: ldisc, fix open flag handling
commit
7f90cfc505d613f4faf096e0d84ffe99208057d9 upstream.
When a concrete ldisc open fails in tty_ldisc_open, we forget to clear
TTY_LDISC_OPEN. This causes a false warning on the next ldisc open:
WARNING: at drivers/char/tty_ldisc.c:445 tty_ldisc_open+0x26/0x38()
Hardware name: System Product Name
Modules linked in: ...
Pid: 5251, comm: a.out Tainted: G W 2.6.32-5-686 #1
Call Trace:
[<
c1030321>] ? warn_slowpath_common+0x5e/0x8a
[<
c1030357>] ? warn_slowpath_null+0xa/0xc
[<
c119311c>] ? tty_ldisc_open+0x26/0x38
[<
c11936c5>] ? tty_set_ldisc+0x218/0x304
...
So clear the bit when failing...
Introduced in
c65c9bc3efa (tty: rewrite the ldisc locking) back in
2.6.31-rc1.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Cc: Alan Cox <alan@linux.intel.com>
Reported-by: Sergey Lapin <slapin@ossfans.org>
Tested-by: Sergey Lapin <slapin@ossfans.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Philippe Rétornaz [Wed, 27 Oct 2010 15:13:21 +0000 (17:13 +0200)]
tty_ldisc: Fix BUG() on hangup
commit
1c95ba1e1de7edffc0c4e275e147f1a9eb1f81ae upstream.
A kernel BUG when bluetooth rfcomm connection drop while the associated
serial port is open is sometime triggered.
It seems that the line discipline can disappear between the
tty_ldisc_put and tty_ldisc_get. This patch fall back to the N_TTY line
discipline if the previous discipline is not available anymore.
Signed-off-by: Philippe Retornaz <philippe.retornaz@epfl.ch>
Acked-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jiri Slaby [Sun, 31 Oct 2010 22:17:51 +0000 (23:17 +0100)]
TTY: restore tty_ldisc_wait_idle
commit
100eeae2c5ce23b4db93ff320ee330ef1d740151 upstream.
It was removed in
65b770468e98 (tty-ldisc: turn ldisc user count into
a proper refcount), but we need to wait for last user to quit the
ldisc before we close it in tty_set_ldisc.
Otherwise weird things start to happen. There might be processes
waiting in tty_read->n_tty_read on tty->read_wait for input to appear
and at that moment, a change of ldisc is fatal. n_tty_close is called,
it frees read_buf and the waiting process is still in the middle of
reading and goes nuts after it is woken.
Previously we prevented close to happen when others are in ldisc ops
by tty_ldisc_wait_idle in tty_set_ldisc. But the commit above removed
that. So revoke the change and test whether there is 1 user (=we), and
allow the close then.
We can do that without ldisc/tty locks, because nobody else can open
the device due to TTY_LDISC_CHANGING bit set, so we in fact wait for
everybody to leave.
I don't understand why tty_ldisc_lock would be needed either when the
counter is an atomic variable, so this is a lockless
tty_ldisc_wait_idle.
On the other hand, if we fail to wait (timeout or signal), we have to
reenable the halted ldiscs, so we take ldisc lock and reuse the setup
path at the end of tty_set_ldisc.
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Tested-by: Sebastian Andrzej Siewior <bigeasy@breakpoint.cc>
LKML-Reference: <
20101031104136.GA511@Chamillionaire.breakpoint.cc>
LKML-Reference: <
1287669539-22644-1-git-send-email-jslaby@suse.cz>
Cc: Alan Cox <alan@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jiri Olsa [Mon, 8 Nov 2010 18:01:47 +0000 (19:01 +0100)]
tty: prevent DOS in the flush_to_ldisc
commit
e045fec48970df84647a47930fcf7a22ff7229c0 upstream.
There's a small window inside the flush_to_ldisc function,
where the tty is unlocked and calling ldisc's receive_buf
function. If in this window new buffer is added to the tty,
the processing might never leave the flush_to_ldisc function.
This scenario will hog the cpu, causing other tty processing
starving, and making it impossible to interface the computer
via tty.
I was able to exploit this via pty interface by sending only
control characters to the master input, causing the flush_to_ldisc
to be scheduled, but never actually generate any output.
To reproduce, please run multiple instances of following code.
- SNIP
#define _XOPEN_SOURCE
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
int main(int argc, char **argv)
{
int i, slave, master = getpt();
char buf[8192];
sprintf(buf, "%s", ptsname(master));
grantpt(master);
unlockpt(master);
slave = open(buf, O_RDWR);
if (slave < 0) {
perror("open slave failed");
return 1;
}
for(i = 0; i < sizeof(buf); i++)
buf[i] = rand() % 32;
while(1) {
write(master, buf, sizeof(buf));
}
return 0;
}
- SNIP
The attached patch (based on -next tree) fixes this by checking on the
tty buffer tail. Once it's reached, the current work is rescheduled
and another could run.
Signed-off-by: Jiri Olsa <jolsa@redhat.com>
Acked-by: Alan Cox <alan@lxorguk.ukuu.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Prarit Bhargava [Thu, 12 Nov 2009 18:09:31 +0000 (13:09 -0500)]
x86: AMD Northbridge: Verify NB's node is online
commit
303fc0870f8fbfabe260c5c32b18e53458d597ea upstream.
Fix panic seen on some IBM and HP systems on 2.6.32-rc6:
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<
ffffffff8120bf3f>] find_next_bit+0x77/0x9c
[...]
[<
ffffffff8120bbde>] cpumask_next_and+0x2e/0x3b
[<
ffffffff81225c62>] pci_device_probe+0x8e/0xf5
[<
ffffffff812b9be6>] ? driver_sysfs_add+0x47/0x6c
[<
ffffffff812b9da5>] driver_probe_device+0xd9/0x1f9
[<
ffffffff812b9f1d>] __driver_attach+0x58/0x7c
[<
ffffffff812b9ec5>] ? __driver_attach+0x0/0x7c
[<
ffffffff812b9298>] bus_for_each_dev+0x54/0x89
[<
ffffffff812b9b4f>] driver_attach+0x19/0x1b
[<
ffffffff812b97ae>] bus_add_driver+0xd3/0x23d
[<
ffffffff812ba1e7>] driver_register+0x98/0x109
[<
ffffffff81225ed0>] __pci_register_driver+0x63/0xd3
[<
ffffffff81072776>] ? up_read+0x26/0x2a
[<
ffffffffa0081000>] ? k8temp_init+0x0/0x20 [k8temp]
[<
ffffffffa008101e>] k8temp_init+0x1e/0x20 [k8temp]
[<
ffffffff8100a073>] do_one_initcall+0x6d/0x185
[<
ffffffff8108d765>] sys_init_module+0xd3/0x236
[<
ffffffff81011ac2>] system_call_fastpath+0x16/0x1b
I put in a printk and commented out the set_dev_node()
call when and got this output:
quirk_amd_nb_node: current numa_node = 0x0, would set to val & 7 = 0x0
quirk_amd_nb_node: current numa_node = 0x0, would set to val & 7 = 0x1
quirk_amd_nb_node: current numa_node = 0x0, would set to val & 7 = 0x2
quirk_amd_nb_node: current numa_node = 0x0, would set to val & 7 = 0x3
I.e. the issue appears to be that the HW has set val to a valid
value, however, the system is only configured for a single
node -- 0, the others are offline.
Check to see if the node is actually online before setting
the numa node for an AMD northbridge in quirk_amd_nb_node().
Signed-off-by: Prarit Bhargava <prarit@redhat.com>
Cc: bhavna.sarathy@amd.com
Cc: jbarnes@virtuousgeek.org
Cc: andreas.herrmann3@amd.com
LKML-Reference: <
20091112180933.12532.98685.sendpatchset@prarit.bos.redhat.com>
[ v2: clean up the code and add comments ]
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Cc: maximilian attems <max@stro.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Justin Maggard [Wed, 24 Nov 2010 05:36:17 +0000 (16:36 +1100)]
md: fix return value of rdev_size_change()
commit
c26a44ed1e552aaa1d4ceb71842002d235fe98d7 upstream.
When trying to grow an array by enlarging component devices,
rdev_size_store() expects the return value of rdev_size_change() to be
in sectors, but the actual value is returned in KBs.
This functionality was broken by commit
dd8ac336c13fd8afdb082ebacb1cddd5cf727889
so this patch is suitable for any kernel since 2.6.30.
Signed-off-by: Justin Maggard <jmaggard10@gmail.com>
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
NeilBrown [Wed, 24 Nov 2010 05:39:46 +0000 (16:39 +1100)]
md/raid1: really fix recovery looping when single good device fails.
commit
8f9e0ee38f75d4740daa9e42c8af628d33d19a02 upstream.
Commit
4044ba58dd15cb01797c4fd034f39ef4a75f7cc3 supposedly fixed a
problem where if a raid1 with just one good device gets a read-error
during recovery, the recovery would abort and immediately restart in
an infinite loop.
However it depended on raid1_remove_disk removing the spare device
from the array. But that does not happen in this case. So add a test
so that in the 'recovery_disabled' case, the device will be removed.
This suitable for any kernel since 2.6.29 which is when
recovery_disabled was introduced.
Reported-by: Sebastian Färber <faerber@gmail.com>
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Tyler Hicks [Thu, 23 Sep 2010 07:35:04 +0000 (02:35 -0500)]
eCryptfs: Clear LOOKUP_OPEN flag when creating lower file
commit
2e21b3f124eceb6ab5a07c8a061adce14ac94e14 upstream.
eCryptfs was passing the LOOKUP_OPEN flag through to the lower file
system, even though ecryptfs_create() doesn't support the flag. A valid
filp for the lower filesystem could be returned in the nameidata if the
lower file system's create() function supported LOOKUP_OPEN, possibly
resulting in unencrypted writes to the lower file.
However, this is only a potential problem in filesystems (FUSE, NFS,
CIFS, CEPH, 9p) that eCryptfs isn't known to support today.
https://bugs.launchpad.net/ecryptfs/+bug/641703
Reported-by: Kevin Buhr
Signed-off-by: Tyler Hicks <tyhicks@linux.vnet.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Florian Tobias Schandinat [Wed, 22 Sep 2010 02:33:52 +0000 (02:33 +0000)]
viafb: use proper register for colour when doing fill ops
commit
efd4f6398dc92b5bf392670df862f42a19f34cf2 upstream.
The colour was written to a wrong register for fillrect operations.
This sometimes caused empty console space (for example after 'clear')
to have a different colour than desired. Fix this by writing to the
correct register.
Many thanks to Daniel Drake and Jon Nettleton for pointing out this
issue and pointing me in the right direction for the fix.
Fixes http://dev.laptop.org/ticket/9323
Signed-off-by: Florian Tobias Schandinat <FlorianSchandinat@gmx.de>
Cc: Joseph Chan <JosephChan@via.com.tw>
Cc: Daniel Drake <dsd@laptop.org>
Cc: Jon Nettleton <jon.nettleton@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Graham Gower [Wed, 27 Oct 2010 22:33:00 +0000 (15:33 -0700)]
drivers/char/vt_ioctl.c: fix VT_OPENQRY error value
commit
1e0ad2881d50becaeea70ec696a80afeadf944d2 upstream.
When all VT's are in use, VT_OPENQRY casts -1 to unsigned char before
returning it to userspace as an int. VT255 is not the next available
console.
Signed-off-by: Graham Gower <graham.gower@gmail.com>
Cc: Greg KH <greg@kroah.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Ben Hutchings [Fri, 22 Oct 2010 04:38:26 +0000 (04:38 +0000)]
net: NETIF_F_HW_CSUM does not imply FCoE CRC offload
commit
66c68bcc489fadd4f5e8839e966e3a366e50d1d5 upstream.
NETIF_F_HW_CSUM indicates the ability to update an TCP/IP-style 16-bit
checksum with the checksum of an arbitrary part of the packet data,
whereas the FCoE CRC is something entirely different.
Signed-off-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dan Rosenberg [Thu, 30 Sep 2010 22:15:31 +0000 (15:15 -0700)]
sys_semctl: fix kernel stack leakage
commit
982f7c2b2e6a28f8f266e075d92e19c0dd4c6e56 upstream.
The semctl syscall has several code paths that lead to the leakage of
uninitialized kernel stack memory (namely the IPC_INFO, SEM_INFO,
IPC_STAT, and SEM_STAT commands) during the use of the older, obsolete
version of the semid_ds struct.
The copy_semid_to_user() function declares a semid_ds struct on the stack
and copies it back to the user without initializing or zeroing the
"sem_base", "sem_pending", "sem_pending_last", and "undo" pointers,
allowing the leakage of 16 bytes of kernel stack memory.
The code is still reachable on 32-bit systems - when calling semctl()
newer glibc's automatically OR the IPC command with the IPC_64 flag, but
invoking the syscall directly allows users to use the older versions of
the struct.
Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Vasiliy Kulikov [Sat, 30 Oct 2010 14:22:49 +0000 (18:22 +0400)]
ipc: shm: fix information leak to userland
commit
3af54c9bd9e6f14f896aac1bb0e8405ae0bc7a44 upstream.
The shmid_ds structure is copied to userland with shm_unused{,2,3}
fields unitialized. It leads to leaking of contents of kernel stack
memory.
Signed-off-by: Vasiliy Kulikov <segooon@gmail.com>
Acked-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Dan Rosenberg [Wed, 27 Oct 2010 22:34:17 +0000 (15:34 -0700)]
ipc: initialize structure memory to zero for compat functions
commit
03145beb455cf5c20a761e8451e30b8a74ba58d9 upstream.
This takes care of leaking uninitialized kernel stack memory to
userspace from non-zeroed fields in structs in compat ipc functions.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jeremy Fitzhardinge [Mon, 29 Nov 2010 22:16:53 +0000 (14:16 -0800)]
xen: don't bother to stop other cpus on shutdown/reboot
commit
31e323cca9d5c8afd372976c35a5d46192f540d1 upstream.
Xen will shoot all the VCPUs when we do a shutdown hypercall, so there's
no need to do it manually.
In any case it will fail because all the IPI irqs have been pulled
down by this point, so the cross-CPU calls will simply hang forever.
Until change
76fac077db6b34e2c6383a7b4f3f4f7b7d06d8ce the function calls
were not synchronously waited for, so this wasn't apparent. However after
that change the calls became synchronous leading to a hang on shutdown
on multi-VCPU guests.
Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com>
Cc: Alok Kataria <akataria@vmware.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Ian Campbell [Fri, 8 Oct 2010 15:59:12 +0000 (16:59 +0100)]
xen: ensure that all event channels start off bound to VCPU 0
commit
b0097adeec27e30223c989561ab0f7aa60d1fe93 upstream.
All event channels startbound to VCPU 0 so ensure that cpu_evtchn_mask
is initialised to reflect this. Otherwise there is a race after registering an
event channel but before the affinity is explicitly set where the event channel
can be delivered. If this happens then the event channel remains pending in the
L1 (evtchn_pending) array but is cleared in L2 (evtchn_pending_sel), this means
the event channel cannot be reraised until another event channel happens to
trigger the same L2 entry on that VCPU.
sizeof(cpu_evtchn_mask(0))==sizeof(unsigned long*) which is not correct, and
causes only the first 32 or 64 event channels (depending on architecture) to be
initially bound to VCPU0. Use sizeof(struct cpu_evtchn_s) instead.
Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
Cc: Jeremy Fitzhardinge <jeremy@goop.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Robin@sgi.com [Wed, 24 Nov 2010 20:56:59 +0000 (12:56 -0800)]
sgi-xpc: XPC fails to discover partitions with all nasids above 128
commit
c22c7aeff69796f46ae0fcec141538e28f50b24e upstream.
UV hardware defines 256 memory protection regions versus the baseline 64
with increasing size for the SN2 ia64. This was overlooked when XPC was
modified to accomodate both UV and SN2.
Without this patch, a user could reconfigure their existing system and
suddenly disable cross-partition communications with no indication of what
has gone wrong. It also prevents larger configurations from using
cross-partition communication.
Signed-off-by: Robin Holt <holt@sgi.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Daniel Klaffenbach [Sat, 20 Nov 2010 03:25:21 +0000 (21:25 -0600)]
ssb: b43-pci-bridge: Add new vendor for BCM4318
commit
1d8638d4038eb8709edc80e37a0bbb77253d86e9 upstream.
Add new vendor for Broadcom 4318.
Signed-off-by: Daniel Klaffenbach <danielklaffenbach@gmail.com>
Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Tejun Heo [Tue, 22 Jun 2010 10:27:26 +0000 (12:27 +0200)]
ata_generic: implement ATA_GEN_* flags and force enable DMA on MBP 7,1
commit
1529c69adce1e95f7ae72f0441590c226bbac7fc upstream.
IDE mode of MCP89 on MBP 7,1 doesn't set DMA enable bits in the BMDMA
status register. Make the following changes to work around the problem.
* Instead of using hard coded 1 in id->driver_data as class code
match, use ATA_GEN_CLASS_MATCH and carry the matched id in
host->private_data.
* Instead of matching PCI_VENDOR_ID_CENATEK, use ATA_GEN_FORCE_DMA
flag in id instead.
* Add ATA_GEN_FORCE_DMA to the id entry of MBP 7,1.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Peer Chen <pchen@nvidia.com>
Reported-by: Anders Østhus <grapz666@gmail.com>
Reported-by: Andreas Graf <andreas_graf@csgraf.de>
Reported-by: Benoit Gschwind <gschwind@gnu-log.net>
Reported-by: Damien Cassou <damien.cassou@gmail.com>
Reported-by: tixetsal@juno.com
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Cc: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Tejun Heo [Thu, 17 Jun 2010 09:42:22 +0000 (11:42 +0200)]
ahci,ata_generic: let ata_generic handle new MBP w/ MCP89
commit
c6353b4520788e34098bbf61c73fb9618ca7fdd6 upstream.
For yet unknown reason, MCP89 on MBP 7,1 doesn't work w/ ahci under
linux but the controller doesn't require explicit mode setting and
works fine with ata_generic. Make ahci ignore the controller on MBP
7,1 and let ata_generic take it for now.
Reported in bko#15923.
https://bugzilla.kernel.org/show_bug.cgi?id=15923
NVIDIA is investigating why ahci mode doesn't work.
Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Peer Chen <pchen@nvidia.com>
Reported-by: Anders Østhus <grapz666@gmail.com>
Reported-by: Andreas Graf <andreas_graf@csgraf.de>
Reported-by: Benoit Gschwind <gschwind@gnu-log.net>
Reported-by: Damien Cassou <damien.cassou@gmail.com>
Reported-by: tixetsal@juno.com
Signed-off-by: Jeff Garzik <jgarzik@redhat.com>
Cc: Nobuhiro Iwamatsu <iwamatsu@nigauri.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
KAMEZAWA Hiroyuki [Tue, 26 Oct 2010 21:22:08 +0000 (14:22 -0700)]
mm: fix is_mem_section_removable() page_order BUG_ON check
commit
572438f9b52236bd8938b1647cc15e027d27ef55 upstream.
page_order() is called by memory hotplug's user interface to check the
section is removable or not. (is_mem_section_removable())
It calls page_order() withoug holding zone->lock.
So, even if the caller does
if (PageBuddy(page))
ret = page_order(page) ...
The caller may hit BUG_ON().
For fixing this, there are 2 choices.
1. add zone->lock.
2. remove BUG_ON().
is_mem_section_removable() is used for some "advice" and doesn't need to
be 100% accurate. This is_removable() can be called via user program..
We don't want to take this important lock for long by user's request. So,
this patch removes BUG_ON().
Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Acked-by: Wu Fengguang <fengguang.wu@intel.com>
Acked-by: Michal Hocko <mhocko@suse.cz>
Acked-by: Mel Gorman <mel@csn.ul.ie>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
KAMEZAWA Hiroyuki [Tue, 26 Oct 2010 21:21:10 +0000 (14:21 -0700)]
mm: fix return value of scan_lru_pages in memory unplug
commit
f8f72ad5396987e05a42cf7eff826fb2a15ff148 upstream.
scan_lru_pages returns pfn. So, it's type should be "unsigned long"
not "int".
Note: I guess this has been work until now because memory hotplug tester's
machine has not very big memory....
physical address < 32bit << PAGE_SHIFT.
Reported-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jean Delvare [Thu, 28 Oct 2010 18:31:50 +0000 (20:31 +0200)]
hwmon: (lm85) Fix ADT7468 frequency table
commit
fa7a5797e57d2ed71f9a6fb44f0ae42c2d7b74b7 upstream.
The ADT7468 uses the same frequency table as the ADT7463.
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Cc: Darrick J. Wong <djwong@us.ibm.com>
Acked-by: Guenter Roeck <guenter.roeck@ericsson.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Eric Dumazet [Wed, 27 Oct 2010 17:33:43 +0000 (19:33 +0200)]
numa: fix slab_node(MPOL_BIND)
commit
800416f799e0723635ac2d720ad4449917a1481c upstream.
When a node contains only HighMem memory, slab_node(MPOL_BIND)
dereferences a NULL pointer.
[ This code seems to go back all the way to commit
19770b32609b: "mm:
filter based on a nodemask as well as a gfp_mask". Which was back in
April 2008, and it got merged into 2.6.26. - Linus ]
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Mel Gorman <mel@csn.ul.ie>
Cc: Christoph Lameter <cl@linux.com>
Cc: Lee Schermerhorn <lee.schermerhorn@hp.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Richard Weinberger [Tue, 26 Oct 2010 21:21:13 +0000 (14:21 -0700)]
um: fix global timer issue when using CONFIG_NO_HZ
commit
482db6df1746c4fa7d64a2441d4cb2610249c679 upstream.
This fixes a issue which was introduced by
fe2cc53e ("uml: track and make
up lost ticks").
timeval_to_ns() returns long long and not int. Due to that UML's timer
did not work properlt and caused timer freezes.
Signed-off-by: Richard Weinberger <richard@nod.at>
Acked-by: Pekka Enberg <penberg@kernel.org>
Cc: Jeff Dike <jdike@addtoit.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Richard Weinberger [Tue, 26 Oct 2010 21:21:16 +0000 (14:21 -0700)]
um: remove PAGE_SIZE alignment in linker script causing kernel segfault.
commit
6915e04f8847bea16d0890f559694ad8eedd026c upstream.
The linker script cleanup that I did in commit
5d150a97f93 ("um: Clean up
linker script using standard macros.") (2.6.32) accidentally introduced an
ALIGN(PAGE_SIZE) when converting to use INIT_TEXT_SECTION; Richard
Weinberger reported that this causes the kernel to segfault with
CONFIG_STATIC_LINK=y.
I'm not certain why this extra alignment is a problem, but it seems likely
it is because previously
__init_begin = _stext = _text = _sinittext
and with the extra ALIGN(PAGE_SIZE), _sinittext becomes different from the
rest. So there is likely a bug here where something is assuming that
_sinittext is the same as one of those other symbols. But reverting the
accidental change fixes the regression, so it seems worth committing that
now.
Signed-off-by: Tim Abbott <tabbott@ksplice.com>
Reported-by: Richard Weinberger <richard@nod.at>
Cc: Jeff Dike <jdike@addtoit.com>
Tested by: Antoine Martin <antoine@nagafix.co.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Masanori ITOH [Tue, 26 Oct 2010 21:21:20 +0000 (14:21 -0700)]
percpu: fix list_head init bug in __percpu_counter_init()
commit
8474b591faf3bb0a1e08a60d21d6baac498f15e4 upstream.
WARNING: at lib/list_debug.c:26 __list_add+0x3f/0x81()
Hardware name: Express5800/B120a [N8400-085]
list_add corruption. next->prev should be prev (
ffffffff81a7ea00), but was
dead000000200200. (next=
ffff88080b872d58).
Modules linked in: aoe ipt_MASQUERADE iptable_nat nf_nat autofs4 sunrpc bridge 8021q garp stp llc ipv6 cpufreq_ondemand acpi_cpufreq freq_table dm_round_robin dm_multipath kvm_intel kvm uinput lpfc scsi_transport_fc igb ioatdma scsi_tgt i2c_i801 i2c_core dca iTCO_wdt iTCO_vendor_support pcspkr shpchp megaraid_sas [last unloaded: aoe]
Pid: 54, comm: events/3 Tainted: G W 2.6.34-vanilla1 #1
Call Trace:
[<
ffffffff8104bd77>] warn_slowpath_common+0x7c/0x94
[<
ffffffff8104bde6>] warn_slowpath_fmt+0x41/0x43
[<
ffffffff8120fd2e>] __list_add+0x3f/0x81
[<
ffffffff81212a12>] __percpu_counter_init+0x59/0x6b
[<
ffffffff810d8499>] bdi_init+0x118/0x17e
[<
ffffffff811f2c50>] blk_alloc_queue_node+0x79/0x143
[<
ffffffff811f2d2b>] blk_alloc_queue+0x11/0x13
[<
ffffffffa02a931d>] aoeblk_gdalloc+0x8e/0x1c9 [aoe]
[<
ffffffffa02aa655>] aoecmd_sleepwork+0x25/0xa8 [aoe]
[<
ffffffff8106186c>] worker_thread+0x1a9/0x237
[<
ffffffffa02aa630>] ? aoecmd_sleepwork+0x0/0xa8 [aoe]
[<
ffffffff81065827>] ? autoremove_wake_function+0x0/0x39
[<
ffffffff810616c3>] ? worker_thread+0x0/0x237
[<
ffffffff810653ad>] kthread+0x7f/0x87
[<
ffffffff8100aa24>] kernel_thread_helper+0x4/0x10
[<
ffffffff8106532e>] ? kthread+0x0/0x87
[<
ffffffff8100aa20>] ? kernel_thread_helper+0x0/0x10
It's because there is no initialization code for a list_head contained in
the struct backing_dev_info under CONFIG_HOTPLUG_CPU, and the bug comes up
when block device drivers calling blk_alloc_queue() are used. In case of
me, I got them by using aoe.
Signed-off-by: Masanori Itoh <itoumsn@nttdata.co.jp>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Richard A. Smith [Sat, 25 Sep 2010 18:19:26 +0000 (19:19 +0100)]
olpc_battery: Fix endian neutral breakage for s16 values
commit
7cfbb29466633e6ecdc14f76a693c8478c2b22af upstream.
When the driver was updated to be endian neutral (
8e9c7716c)
the signed part of the s16 values was lost. This is because be16_to_cpu()
returns an unsigned value. This patch casts the values back to a s16
number prior to the the implicit cast up to an int.
Signed-off-by: Richard A. Smith <richard@laptop.org>
Signed-off-by: Daniel Drake <dsd@laptop.org>
Signed-off-by: Anton Vorontsov <cbouatmailru@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jiri Slaby [Tue, 26 Oct 2010 21:22:11 +0000 (14:22 -0700)]
hpet: unmap unused I/O space
commit
a56d5318716d120e040294bb258901ba89fb9c90 upstream.
When the initialization code in hpet finds a memory resource and does not
find an IRQ, it does not unmap the memory resource previously mapped.
There are buggy BIOSes which report resources exactly like this and what
is worse the memory region bases point to normal RAM. This normally would
not matter since the space is not touched. But when PAT is turned on,
ioremap causes the page to be uncached and sets this bit in page->flags.
Then when the page is about to be used by the allocator, it is reported
as:
BUG: Bad page state in process md5sum pfn:3ed00
page:
ffffea0000dbd800 count:0 mapcount:0 mapping:(null) index:0x0
page flags: 0x20000001000000(uncached)
Pid: 7956, comm: md5sum Not tainted 2.6.34-12-desktop #1
Call Trace:
[<
ffffffff810df851>] bad_page+0xb1/0x100
[<
ffffffff810dfa45>] prep_new_page+0x1a5/0x1c0
[<
ffffffff810dfe01>] get_page_from_freelist+0x3a1/0x640
[<
ffffffff810e01af>] __alloc_pages_nodemask+0x10f/0x6b0
...
In this particular case:
1) HPET returns
3ed00000 as memory region base, but it is not in
reserved ranges reported by the BIOS (excerpt):
BIOS-e820:
0000000000100000 -
00000000af6cf000 (usable)
BIOS-e820:
00000000af6cf000 -
00000000afdcf000 (reserved)
2) there is no IRQ resource reported by HPET method. On the other
hand, the Intel HPET specs (1.0a) says (3.2.5.1):
_CRS (
// Report 1K of memory consumed by this Timer Block
memory range consumed
// Optional: only used if BIOS allocates Interrupts [1]
IRQs consumed
)
[1] For case where Timer Block is configured to consume IRQ0/IRQ8 AND
Legacy 8254/Legacy RTC hardware still exists, the device objects
associated with 8254 & RTC devices should not report IRQ0/IRQ8 as
"consumed resources".
So in theory we should check whether if it is the case and use those
interrupts instead.
Anyway the address reported by the BIOS here is bogus, so non-presence
of IRQ doesn't mean the "optional" part in point 2).
Since I got no reply previously, fix this by simply unmapping the space
when IRQ is not found and memory region was mapped previously. It would
be probably more safe to walk the resources again and unmap appropriately
depending on type. But as we now use only ioremap for both 2 memory
resource types, it is not necessarily needed right now.
Addresses https://bugzilla.novell.com/show_bug.cgi?id=629908
Reported-by: Olaf Hering <olaf@aepfle.de>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Acked-by: Clemens Ladisch <clemens@ladisch.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Clemens Ladisch [Tue, 26 Oct 2010 21:22:13 +0000 (14:22 -0700)]
hpet: fix unwanted interrupt due to stale irq status bit
commit
96e9694df446d1154ec2f4fdba8908588b9cba38 upstream.
Jaswinder Singh Rajput wrote:
> By executing Documentation/timers/hpet_example.c
>
> for polling, I requested for 3 iterations but it seems iteration work
> for only 2 as first expired time is always very small.
>
> # ./hpet_example poll /dev/hpet 10 3
> -hpet: executing poll
> hpet_poll: info.hi_flags 0x0
> hpet_poll: expired time = 0x13
> hpet_poll: revents = 0x1
> hpet_poll: data 0x1
> hpet_poll: expired time = 0x1868c
> hpet_poll: revents = 0x1
> hpet_poll: data 0x1
> hpet_poll: expired time = 0x18645
> hpet_poll: revents = 0x1
> hpet_poll: data 0x1
Clearing the HPET interrupt enable bit disables interrupt generation
but does not disable the timer, so the interrupt status bit will still
be set when the timer elapses. If another interrupt arrives before
the timer has been correctly programmed (due to some other device on
the same interrupt line, or CONFIG_DEBUG_SHIRQ), this results in an
extra unwanted interrupt event because the status bit is likely to be
set from comparator matches that happened before the device was opened.
Therefore, we have to ensure that the interrupt status bit is and
stays cleared until we actually program the timer.
Signed-off-by: Clemens Ladisch <clemens@ladisch.de>
Reported-by: Jaswinder Singh Rajput <jaswinderlinux@gmail.com>
Cc: Ingo Molnar <mingo@elte.hu>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: john stultz <johnstul@us.ibm.com>
Cc: Bob Picco <bpicco@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Greg Kroah-Hartman [Tue, 16 Nov 2010 19:23:33 +0000 (11:23 -0800)]
Staging: line6: fix up some sysfs attribute permissions
commit
2018845b6a169f75341f8e68ad1089cb6697cf24 and
2018845b6a169f75341f8e68ad1089cb6697cf24 upstream merged together as it
had to be backported by hand.
They should not be writable by any user
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Markus Grabner <grabner@icg.tugraz.at>
Cc: Mariusz Kozlowski <m.kozlowski@tuxland.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Greg Kroah-Hartman [Thu, 18 Nov 2010 19:21:04 +0000 (11:21 -0800)]
Staging: asus_oled: fix up my fixup for some sysfs attribute permissions
commit
515b4987ccd097cdf5416530b05fdf9e01afe95a upstream.
They should be writable by root, not readable.
Doh, stupid me with the wrong flags.
Reported-by: Jonathan Cameron <jic23@cam.ac.uk>
Cc: Jakub Schmidtke <sjakub@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Greg Kroah-Hartman [Tue, 16 Nov 2010 19:17:01 +0000 (11:17 -0800)]
Staging: asus_oled: fix up some sysfs attribute permissions
commit
590b0b9754bd8928926bae7194b6da7ead9bda3b upstream.
They should not be writable by any user
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Jakub Schmidtke <sjakub@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Kees Cook [Thu, 7 Oct 2010 10:03:48 +0000 (10:03 +0000)]
net: clear heap allocation for ETHTOOL_GRXCLSRLALL
commit
ae6df5f96a51818d6376da5307d773baeece4014 upstream.
Calling ETHTOOL_GRXCLSRLALL with a large rule_cnt will allocate kernel
heap without clearing it. For the one driver (niu) that implements it,
it will leave the unused portion of heap unchanged and copy the full
contents back to userspace.
Signed-off-by: Kees Cook <kees.cook@canonical.com>
Acked-by: Ben Hutchings <bhutchings@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Thomas Backlund [Thu, 21 Oct 2010 10:19:10 +0000 (13:19 +0300)]
microblaze: Fix build with make 3.82
commit
b843e4ec01991a386a9e0e9030703524446e03da upstream.
When running make headers_install_all on x86_64 and make 3.82 I hit this:
arch/microblaze/Makefile:80: *** mixed implicit and normal rules. Stop.
make: *** [headers_install_all] Error 2
So split the rules to satisfy make 3.82.
Signed-off-by: Thomas Backlund <tmb@mandriva.org>
Signed-off-by: Michal Simek <monstr@monstr.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Nobuhiro Iwamatsu [Sun, 24 Oct 2010 16:16:57 +0000 (18:16 +0200)]
i2c-pca-platform: Change device name of request_irq
commit
323584436db0cb05286425d4dfd9516fce88487f upstream.
i2c->adap.name shouldn't be used in request_irq.
Instead the driver name "i2c-pca-platform" should be used.
Signed-off-by: Nobuhiro Iwamatsu <nobuhiro.iwamatsu.yj@renesas.com>
Acked-by: Wolfram Sang <w.sang@pengutronix.de>
Signed-off-by: Jean Delvare <khali@linux-fr.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Samuel Ortiz [Tue, 5 Oct 2010 23:03:12 +0000 (01:03 +0200)]
irda: Fix heap memory corruption in iriap.c
commit
37f9fc452d138dfc4da2ee1ce5ae85094efc3606 upstream.
While parsing the GetValuebyClass command frame, we could potentially write
passed the skb->data pointer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Samuel Ortiz [Sun, 10 Oct 2010 23:17:56 +0000 (01:17 +0200)]
irda: Fix parameter extraction stack overflow
commit
efc463eb508798da4243625b08c7396462cabf9f upstream.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Samuel Ortiz <samuel@sortiz.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Guo-Fu Tseng [Mon, 18 Oct 2010 14:10:40 +0000 (14:10 +0000)]
jme: Fix PHY power-off error
commit
c8a8684d5cfb0f110a962c93586630c0bf91ebc1 upstream.
Adding phy_on in opposition to phy_off.
Signed-off-by: Guo-Fu Tseng <cooldavid@cooldavid.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jens Axboe [Fri, 29 Oct 2010 14:10:18 +0000 (08:10 -0600)]
block: check for proper length of iov entries in blk_rq_map_user_iov()
commit
9284bcf4e335e5f18a8bc7b26461c33ab60d0689 upstream.
Ensure that we pass down properly validated iov segments before
calling into the mapping or copy functions.
Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jens Axboe [Fri, 29 Oct 2010 17:31:42 +0000 (11:31 -0600)]
block: take care not to overflow when calculating total iov length
commit
9f864c80913467312c7b8690e41fb5ebd1b50e92 upstream.
Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Jens Axboe [Fri, 29 Oct 2010 17:46:56 +0000 (11:46 -0600)]
block: limit vec count in bio_kmalloc() and bio_alloc_map_data()
commit
f3f63c1c28bc861a931fac283b5bc3585efb8967 upstream.
Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Martin K. Petersen [Wed, 13 Oct 2010 19:18:03 +0000 (21:18 +0200)]
block: Ensure physical block size is unsigned int
commit
892b6f90db81cccb723d5d92f4fddc2d68b206e1 upstream.
Physical block size was declared unsigned int to accomodate the maximum
size reported by READ CAPACITY(16). Make sure we use the right type in
the related functions.
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Acked-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Jens Axboe <jaxboe@fusionio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Greg Kroah-Hartman [Mon, 22 Nov 2010 18:48:20 +0000 (10:48 -0800)]
Linux 2.6.32.26
Robin Holt [Tue, 26 Oct 2010 21:21:15 +0000 (14:21 -0700)]
sgi-xp: incoming XPC channel messages can come in after the channel's partition structures have been torn down
commit
09358972bff5ce99de496bbba97c85d417b3c054 upstream.
Under some workloads, some channel messages have been observed being
delayed on the sending side past the point where the receiving side has
been able to tear down its partition structures.
This condition is already detected in xpc_handle_activate_IRQ_uv(), but
that information is not given to xpc_handle_activate_mq_msg_uv(). As a
result, xpc_handle_activate_mq_msg_uv() assumes the structures still exist
and references them, causing a NULL-pointer deref.
Signed-off-by: Robin Holt <holt@sgi.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Mike Christie [Wed, 6 Oct 2010 08:10:59 +0000 (03:10 -0500)]
Fix regressions in scsi_internal_device_block
commit
986fe6c7f50974e871b8ab5a800f5310ea25b361 upstream.
Deleting a SCSI device on a blocked fc_remote_port (before
fast_io_fail_tmo fires) results in a hanging thread:
STACK:
0 schedule+1108 [0x5cac48]
1 schedule_timeout+528 [0x5cb7fc]
2 wait_for_common+266 [0x5ca6be]
3 blk_execute_rq+160 [0x354054]
4 scsi_execute+324 [0x3b7ef4]
5 scsi_execute_req+162 [0x3b80ca]
6 sd_sync_cache+138 [0x3cf662]
7 sd_shutdown+138 [0x3cf91a]
8 sd_remove+112 [0x3cfe4c]
9 __device_release_driver+124 [0x3a08b8]
10 device_release_driver+60 [0x3a0a5c]
11 bus_remove_device+266 [0x39fa76]
12 device_del+340 [0x39d818]
13 __scsi_remove_device+204 [0x3bcc48]
14 scsi_remove_device+66 [0x3bcc8e]
15 sysfs_schedule_callback_work+50 [0x260d66]
16 worker_thread+622 [0x162326]
17 kthread+160 [0x1680b0]
18 kernel_thread_starter+6 [0x10aaea]
During the delete, the SCSI device is in moved to SDEV_CANCEL. When
the FC transport class later calls scsi_target_unblock, this has no
effect, since scsi_internal_device_unblock ignores SCSI devics in this
state.
It looks like all these are regressions caused by:
5c10e63c943b4c67561ddc6bf61e01d4141f881f
[SCSI] limit state transitions in scsi_internal_device_unblock
Fix by rejecting offline and cancel in the state transition.
Signed-off-by: Christof Schmitt <christof.schmitt@de.ibm.com>
[jejb: Original patch by Christof Schmitt, modified by Mike Christie]
Signed-off-by: James Bottomley <James.Bottomley@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>