firefly-linux-kernel-4.4.55.git
13 years agosupport build uu -> o
黄涛 [Fri, 17 Dec 2010 14:03:17 +0000 (22:03 +0800)]
support build uu -> o

13 years agoupdate recode for codec setting
fang [Fri, 17 Dec 2010 10:09:29 +0000 (18:09 +0800)]
update recode for codec setting

13 years agodefconfig: add camera defconfig
ddl [Fri, 17 Dec 2010 09:52:47 +0000 (17:52 +0800)]
defconfig: add camera defconfig

13 years agoadd rknand write buffer.
zhaoyifeng [Fri, 17 Dec 2010 09:34:46 +0000 (17:34 +0800)]
add rknand write buffer.

13 years agoadd rknand write buffer.
zhaoyifeng [Fri, 17 Dec 2010 09:30:36 +0000 (17:30 +0800)]
add rknand write buffer.

13 years agocamera:add limit ipp scale ratio when work with camera
ddl [Fri, 17 Dec 2010 08:50:31 +0000 (16:50 +0800)]
camera:add limit ipp scale ratio when work with camera

13 years agodisable fb's three buf support
杜坤明 [Fri, 17 Dec 2010 08:58:47 +0000 (16:58 +0800)]
disable fb's three buf support

13 years agoadd three buf support of fb; enhance gpu's mmu table size to 256k
杜坤明 [Fri, 17 Dec 2010 08:56:30 +0000 (16:56 +0800)]
add three buf support of fb; enhance gpu's mmu table size to 256k

13 years agoMerge branch 'develop' of 10.10.10.29:/home/rockchip/kernel into develop
cmc [Fri, 17 Dec 2010 07:06:34 +0000 (15:06 +0800)]
Merge branch 'develop' of 10.10.10.29:/home/rockchip/kernel into develop

13 years agousb2.0 host & usb1.1 host support
yangkai [Fri, 17 Dec 2010 03:12:42 +0000 (11:12 +0800)]
usb2.0 host & usb1.1 host support

13 years agork29: enable cpufreq framework
黄涛 [Fri, 17 Dec 2010 03:01:34 +0000 (11:01 +0800)]
rk29: enable cpufreq framework

13 years agofix interrupt recv bug for spi
cmc [Fri, 17 Dec 2010 02:48:56 +0000 (10:48 +0800)]
fix interrupt recv bug for spi

13 years agoMerge remote branch 'linux-2.6.32.y/master' into develop
黄涛 [Thu, 16 Dec 2010 12:54:24 +0000 (20:54 +0800)]
Merge remote branch 'linux-2.6.32.y/master' into develop

Conflicts:
drivers/i2c/busses/Kconfig
drivers/net/dm9000.c
drivers/net/wireless/libertas/if_sdio1.c
drivers/usb/serial/option.c
net/bluetooth/rfcomm/core.c

13 years agoIPP:fix write register error when IPP operate reset. wy commit
ddl [Thu, 16 Dec 2010 12:02:04 +0000 (20:02 +0800)]
IPP:fix write register error when IPP operate reset.  wy  commit

13 years agocamera and ipp: modify camera driver and ipp driver, camera can work with ipp
ddl [Thu, 16 Dec 2010 11:00:25 +0000 (19:00 +0800)]
camera and ipp: modify camera driver and ipp driver, camera can work with ipp

13 years agocamera:add support const-focus AF firmware for ov5642
ddl [Tue, 14 Dec 2010 10:28:40 +0000 (18:28 +0800)]
camera:add support const-focus AF firmware for ov5642

13 years agoadd pwm vcore macro
hxy [Thu, 16 Dec 2010 10:44:27 +0000 (18:44 +0800)]
add pwm vcore macro

13 years agork29: vpu_mem: fix bug when link inner-process region
陈恒明 [Thu, 16 Dec 2010 08:31:50 +0000 (00:31 -0800)]
rk29: vpu_mem: fix bug when link inner-process region

13 years agoadd ipp driver.
root [Thu, 16 Dec 2010 07:28:05 +0000 (15:28 +0800)]
add ipp driver.

13 years agomodified nand flash driver for new structure
hxy [Thu, 16 Dec 2010 06:30:15 +0000 (14:30 +0800)]
modified nand flash driver for new structure

13 years agoLimit the gpu's dma mem of size
杜坤明 [Thu, 16 Dec 2010 06:21:01 +0000 (14:21 +0800)]
Limit the gpu's dma mem of size

13 years agomodify framebuff 24bit color
root [Wed, 15 Dec 2010 12:08:08 +0000 (20:08 +0800)]
modify framebuff 24bit color

13 years agomodify framebuff to 24bit color
root [Wed, 15 Dec 2010 12:01:38 +0000 (20:01 +0800)]
modify framebuff to 24bit color

13 years agoupdate sdmmc when dma err stop and flush dma
lhh [Wed, 15 Dec 2010 10:10:19 +0000 (18:10 +0800)]
update sdmmc when dma err stop and flush dma

13 years agooff debug input key printk and sdmmc debug
lhh [Wed, 15 Dec 2010 09:21:07 +0000 (17:21 +0800)]
off debug input key printk and sdmmc debug

13 years agork29xx vmac: update function create_multicast_filter and vmac_set_multicast_list
lyx [Wed, 15 Dec 2010 08:18:39 +0000 (00:18 -0800)]
rk29xx vmac: update function create_multicast_filter and vmac_set_multicast_list

13 years agoclose win0 when no addr
zyw [Wed, 15 Dec 2010 06:55:50 +0000 (14:55 +0800)]
close win0 when no addr

13 years agoupdata gpu driver & lcdc priority
杜坤明 [Wed, 15 Dec 2010 04:02:08 +0000 (12:02 +0800)]
updata gpu driver & lcdc priority

13 years agork29: clock: 临时将core电压调高到1.4v,提高系统稳定性
黄涛 [Wed, 15 Dec 2010 01:43:43 +0000 (09:43 +0800)]
rk29: clock: 临时将core电压调高到1.4v,提高系统稳定性

13 years agofix p1003 irq
sakura [Tue, 14 Dec 2010 10:31:29 +0000 (18:31 +0800)]
fix p1003 irq

13 years agofix p1003 irq
sakura [Tue, 14 Dec 2010 10:16:28 +0000 (18:16 +0800)]
fix p1003 irq

13 years agofix p1003 irq
sakura [Tue, 14 Dec 2010 10:13:38 +0000 (18:13 +0800)]
fix p1003 irq

13 years agowifi: add wifi virtual card detect support
lbt [Tue, 14 Dec 2010 06:22:47 +0000 (14:22 +0800)]
wifi: add wifi virtual card detect support

13 years agork29: vpu_mem: add /proc/vpu_mem module
陈恒明 [Tue, 14 Dec 2010 06:20:01 +0000 (22:20 -0800)]
rk29: vpu_mem: add /proc/vpu_mem module

13 years agork29: clock: add hdmi support
黄涛 [Tue, 14 Dec 2010 06:04:55 +0000 (14:04 +0800)]
rk29: clock: add hdmi support

13 years agoadd rk29xx vmac driver
lyx [Tue, 14 Dec 2010 04:43:35 +0000 (20:43 -0800)]
add rk29xx vmac driver

13 years agoremove vpu_mem warning
陈恒明 [Tue, 14 Dec 2010 02:34:56 +0000 (18:34 -0800)]
remove vpu_mem warning

13 years agocamera: add auto focus function for ov5642
ddl [Mon, 13 Dec 2010 12:33:48 +0000 (20:33 +0800)]
camera: add auto focus function for ov5642

13 years agoopen rk29 sdmmc for dma use
lhh [Mon, 13 Dec 2010 12:35:53 +0000 (20:35 +0800)]
open rk29 sdmmc for dma use

13 years agochange freq of gpu to 312M
杜坤明 [Mon, 13 Dec 2010 08:47:31 +0000 (16:47 +0800)]
change freq of gpu to 312M

13 years agomodify fb for switch to hdmi
zyw [Mon, 13 Dec 2010 04:57:33 +0000 (12:57 +0800)]
modify fb for switch to hdmi

13 years agomodify fb win1 buf alloc
zyw [Mon, 13 Dec 2010 04:42:51 +0000 (12:42 +0800)]
modify fb win1 buf alloc

13 years agowifi: 1. use dma transfer for sdmmc1 controller
lbt [Sun, 12 Dec 2010 10:31:11 +0000 (18:31 +0800)]
wifi: 1. use dma transfer for sdmmc1 controller
      2. optimization for bcm4329 Makefile

13 years agork29sdk: defconfig add wm8900
黄涛 [Sat, 11 Dec 2010 04:29:00 +0000 (12:29 +0800)]
rk29sdk: defconfig add wm8900

13 years agoadd delay more sdmmc
lhh [Sat, 11 Dec 2010 04:18:23 +0000 (12:18 +0800)]
add delay more sdmmc

13 years agono battery ic set and sdmmc timeout add more
lhh [Sat, 11 Dec 2010 03:48:24 +0000 (11:48 +0800)]
no battery ic set and sdmmc timeout add more

13 years agork29: L2 cache设置变更。根据IC部的建议,810~972频率,data ram latency设为6 cycles
黄涛 [Fri, 10 Dec 2010 10:05:40 +0000 (18:05 +0800)]
rk29: L2 cache设置变更。根据IC部的建议,810~972频率,data ram latency设为6 cycles

13 years agork29: timer: use periph sync timer
黄涛 [Fri, 10 Dec 2010 08:34:24 +0000 (16:34 +0800)]
rk29: timer: use periph sync timer

13 years agomodify lcd freq
zyw [Fri, 10 Dec 2010 08:31:04 +0000 (16:31 +0800)]
modify lcd freq

13 years agoupdata rk29 battery for ti
lhh [Fri, 10 Dec 2010 07:42:40 +0000 (15:42 +0800)]
updata rk29 battery for ti

13 years agork29: add L2 cache setup
黄涛 [Fri, 10 Dec 2010 07:11:32 +0000 (15:11 +0800)]
rk29: add L2 cache setup

13 years agoclock: fix aclk_periph parent setup
黄涛 [Fri, 10 Dec 2010 07:05:05 +0000 (15:05 +0800)]
clock: fix aclk_periph parent setup

13 years agoMerge branch 'develop' of lhh@10.10.10.29:/home/rockchip/kernel into develop
lhh [Fri, 10 Dec 2010 06:24:03 +0000 (14:24 +0800)]
Merge branch 'develop' of lhh@10.10.10.29:/home/rockchip/kernel into develop

13 years agoupdate rk29 sdmmc
lhh [Fri, 10 Dec 2010 06:23:18 +0000 (14:23 +0800)]
update rk29 sdmmc

13 years agork29sdk: 支持内存大小配置,默认512MiB
黄涛 [Fri, 10 Dec 2010 05:17:42 +0000 (13:17 +0800)]
rk29sdk: 支持内存大小配置,默认512MiB

13 years agork29 l1 cache lize size is 64 bytes
黄涛 [Fri, 10 Dec 2010 04:49:51 +0000 (12:49 +0800)]
rk29 l1 cache lize size is 64 bytes

13 years agoLinux 2.6.32.27
Greg Kroah-Hartman [Thu, 9 Dec 2010 21:29:45 +0000 (13:29 -0800)]
Linux 2.6.32.27

13 years agox86: uv: xpc NULL deref when mesq becomes empty
Robin Holt [Wed, 16 Dec 2009 00:47:57 +0000 (16:47 -0800)]
x86: uv: xpc NULL deref when mesq becomes empty

commit 15b87d67ff3dc042bee42f991858d6b121b3b3ca upstream.

Under heavy load conditions, our set of xpc messages may become exhausted.
 The code handles this correctly with the exception of the management code
which hits a NULL pointer dereference.

Signed-off-by: Robin Holt <holt@sgi.com>
Cc: Jack Steiner <steiner@sgi.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoX86: uv: xpc_make_first_contact hang due to not accepting ACTIVE state
Robin Holt [Wed, 16 Dec 2009 00:47:58 +0000 (16:47 -0800)]
X86: uv: xpc_make_first_contact hang due to not accepting ACTIVE state

commit dbd2918ec65c35f36bb102c88eafe87be0552f6f upstream.

Many times while the initial connection is being made, the contacted
partition will send back both the ACTIVATING and the ACTIVE
remote_act_state changes in very close succescion.  The 1/4 second delay
in the make first contact loop is large enough to nearly always miss the
ACTIVATING state change.

Since either state indicates the remote partition has acknowledged our
state change, accept either.

Signed-off-by: Robin Holt <holt@sgi.com>
Cc: Jack Steiner <steiner@sgi.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agox86: uv: XPC receive message reuse triggers invalid BUG_ON()
Robin Holt [Wed, 16 Dec 2009 00:47:59 +0000 (16:47 -0800)]
x86: uv: XPC receive message reuse triggers invalid BUG_ON()

commit 046d6c563b1c6226bbf0f84e5b2413ad8ab921a1 upstream.

This was a difficult bug to trip.  XPC was in the middle of sending an
acknowledgement for a received message.

In xpc_received_payload_uv():
.
        ret = xpc_send_gru_msg(ch->sn.uv.cached_notify_gru_mq_desc, msg,
                               sizeof(struct xpc_notify_mq_msghdr_uv));
        if (ret != xpSuccess)
                XPC_DEACTIVATE_PARTITION(&xpc_partitions[ch->partid], ret);

        msg->hdr.msg_slot_number += ch->remote_nentries;

at the point in xpc_send_gru_msg() where the hardware has dispatched the
acknowledgement, the remote side is able to reuse the message structure
and send a message with a different slot number.  This problem is made
worse by interrupts.

The adjustment of msg_slot_number and the BUG_ON in
xpc_handle_notify_mq_msg_uv() which verifies the msg_slot_number is
consistent are only used for debug purposes.  Since a fix for this that
preserves the debug functionality would either have to infringe upon the
payload or allocate another structure just for debug, I decided to remove
it entirely.

Signed-off-by: Robin Holt <holt@sgi.com>
Cc: Jack Steiner <steiner@sgi.com>
Cc: Ingo Molnar <mingo@elte.hu>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoUV - XPC: pass nasid instead of nid to gru_create_message_queue
Robin Holt [Wed, 16 Dec 2009 00:48:00 +0000 (16:48 -0800)]
UV - XPC: pass nasid instead of nid to gru_create_message_queue

commit 57e6d258b1e41cd7ceb26fa43ce116939d8440b1 upstream.

Currently, the UV xpc code is passing nid to the gru_create_message_queue
instead of nasid as it expects.

Signed-off-by: Robin Holt <holt@sgi.com>
Signed-off-by: Jack Steiner <steiner@sgi.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonet sched: fix some kernel memory leaks
Eric Dumazet [Mon, 16 Aug 2010 20:04:22 +0000 (20:04 +0000)]
net sched: fix some kernel memory leaks

commit 1c40be12f7d8ca1d387510d39787b12e512a7ce8 upstream.

We leak at least 32bits of kernel memory to user land in tc dump,
because we dont init all fields (capab ?) of the dumped structure.

Use C99 initializers so that holes and non explicit fields are zeroed.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: dann frazier <dannf@debian.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoact_nat: use stack variable
Changli Gao [Tue, 29 Jun 2010 23:07:09 +0000 (23:07 +0000)]
act_nat: use stack variable

commit 504f85c9d05f7c605306e808f0d835fe11bfd18d upstream.

act_nat: use stack variable

structure tc_nat isn't too big for stack, so we can put it in stack.

Signed-off-by: Changli Gao <xiaosuo@gmail.com>
Cc: dann frazier <dannf@debian.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonmi: fix clock comparator revalidation
Heiko Carstens [Thu, 25 Nov 2010 08:52:45 +0000 (09:52 +0100)]
nmi: fix clock comparator revalidation

commit e8129c642155616d9e2160a75f103e127c8c3708 upstream.

On each machine check all registers are revalidated. The save area for
the clock comparator however only contains the upper most seven bytes
of the former contents, if valid.
Therefore the machine check handler uses a store clock instruction to
get the current time and writes that to the clock comparator register
which in turn will generate an immediate timer interrupt.
However within the lowcore the expected time of the next timer
interrupt is stored. If the interrupt happens before that time the
handler won't be called. In turn the clock comparator won't be
reprogrammed and therefore the interrupt condition stays pending which
causes an interrupt loop until the expected time is reached.

On NOHZ machines this can result in unresponsive machines since the
time of the next expected interrupted can be a couple of days in the
future.

To fix this just revalidate the clock comparator register with the
expected value.
In addition the special handling for udelay must be changed as well.

Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonet: Limit socket I/O iovec total length to INT_MAX.
David S. Miller [Thu, 28 Oct 2010 18:41:55 +0000 (11:41 -0700)]
net: Limit socket I/O iovec total length to INT_MAX.

commit 8acfe468b0384e834a303f08ebc4953d72fb690a upstream.

This helps protect us from overflow issues down in the
individual protocol sendmsg/recvmsg handlers.  Once
we hit INT_MAX we truncate out the rest of the iovec
by setting the iov_len members to zero.

This works because:

1) For SOCK_STREAM and SOCK_SEQPACKET sockets, partial
   writes are allowed and the application will just continue
   with another write to send the rest of the data.

2) For datagram oriented sockets, where there must be a
   one-to-one correspondance between write() calls and
   packets on the wire, INT_MAX is going to be far larger
   than the packet size limit the protocol is going to
   check for and signal with -EMSGSIZE.

Based upon a patch by Linus Torvalds.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonet: Truncate recvfrom and sendto length to INT_MAX.
Linus Torvalds [Sat, 30 Oct 2010 23:43:10 +0000 (16:43 -0700)]
net: Truncate recvfrom and sendto length to INT_MAX.

commit 253eacc070b114c2ec1f81b067d2fed7305467b0 upstream.

Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agords: Integer overflow in RDS cmsg handling
Dan Rosenberg [Wed, 17 Nov 2010 06:37:16 +0000 (06:37 +0000)]
rds: Integer overflow in RDS cmsg handling

commit 218854af84038d828a32f061858b1902ed2beec6 upstream.

In rds_cmsg_rdma_args(), the user-provided args->nr_local value is
restricted to less than UINT_MAX.  This seems to need a tighter upper
bound, since the calculation of total iov_size can overflow, resulting
in a small sock_kmalloc() allocation.  This would probably just result
in walking off the heap and crashing when calling rds_rdma_pages() with
a high count value.  If it somehow doesn't crash here, then memory
corruption could occur soon after.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoeconet: fix CVE-2010-3850
Phil Blundell [Wed, 24 Nov 2010 19:49:53 +0000 (11:49 -0800)]
econet: fix CVE-2010-3850

commit 16c41745c7b92a243d0874f534c1655196c64b74 upstream.

Add missing check for capable(CAP_NET_ADMIN) in SIOCSIFADDR operation.

Signed-off-by: Phil Blundell <philb@gnu.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoeconet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849
Phil Blundell [Wed, 24 Nov 2010 19:49:19 +0000 (11:49 -0800)]
econet: disallow NULL remote addr for sendmsg(), fixes CVE-2010-3849

commit fa0e846494792e722d817b9d3d625a4ef4896c96 upstream.

Later parts of econet_sendmsg() rely on saddr != NULL, so return early
with EINVAL if NULL was passed otherwise an oops may occur.

Signed-off-by: Phil Blundell <philb@gnu.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agox86-32: Fix dummy trampoline-related inline stubs
H. Peter Anvin [Wed, 18 Aug 2010 18:42:23 +0000 (11:42 -0700)]
x86-32: Fix dummy trampoline-related inline stubs

commit 8848a91068c018bc91f597038a0f41462a0f88a4 upstream.

Fix dummy inline stubs for trampoline-related functions when no
trampolines exist (until we get rid of the no-trampoline case
entirely.)

Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Cc: Joerg Roedel <joerg.roedel@amd.com>
Cc: Borislav Petkov <borislav.petkov@amd.com>
LKML-Reference: <4C6C294D.3030404@zytor.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agox86, mm: Fix CONFIG_VMSPLIT_1G and 2G_OPT trampoline
Hugh Dickins [Wed, 25 Aug 2010 05:44:12 +0000 (22:44 -0700)]
x86, mm: Fix CONFIG_VMSPLIT_1G and 2G_OPT trampoline

commit b7d460897739e02f186425b7276e3fdb1595cea7 upstream.

rc2 kernel crashes when booting second cpu on this CONFIG_VMSPLIT_2G_OPT
laptop: whereas cloning from kernel to low mappings pgd range does need
to limit by both KERNEL_PGD_PTRS and KERNEL_PGD_BOUNDARY, cloning kernel
pgd range itself must not be limited by the smaller KERNEL_PGD_BOUNDARY.

Signed-off-by: Hugh Dickins <hughd@google.com>
LKML-Reference: <alpine.LSU.2.00.1008242235120.2515@sister.anvils>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Cc: Joerg Roedel <joerg.roedel@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agox86-32: Separate 1:1 pagetables from swapper_pg_dir
Joerg Roedel [Mon, 16 Aug 2010 12:38:33 +0000 (14:38 +0200)]
x86-32: Separate 1:1 pagetables from swapper_pg_dir

commit fd89a137924e0710078c3ae855e7cec1c43cb845 upstream.

This patch fixes machine crashes which occur when heavily exercising the
CPU hotplug codepaths on a 32-bit kernel. These crashes are caused by
AMD Erratum 383 and result in a fatal machine check exception. Here's
the scenario:

1. On 32-bit, the swapper_pg_dir page table is used as the initial page
table for booting a secondary CPU.

2. To make this work, swapper_pg_dir needs a direct mapping of physical
memory in it (the low mappings). By adding those low, large page (2M)
mappings (PAE kernel), we create the necessary conditions for Erratum
383 to occur.

3. Other CPUs which do not participate in the off- and onlining game may
use swapper_pg_dir while the low mappings are present (when leave_mm is
called). For all steps below, the CPU referred to is a CPU that is using
swapper_pg_dir, and not the CPU which is being onlined.

4. The presence of the low mappings in swapper_pg_dir can result
in TLB entries for addresses below __PAGE_OFFSET to be established
speculatively. These TLB entries are marked global and large.

5. When the CPU with such TLB entry switches to another page table, this
TLB entry remains because it is global.

6. The process then generates an access to an address covered by the
above TLB entry but there is a permission mismatch - the TLB entry
covers a large global page not accessible to userspace.

7. Due to this permission mismatch a new 4kb, user TLB entry gets
established. Further, Erratum 383 provides for a small window of time
where both TLB entries are present. This results in an uncorrectable
machine check exception signalling a TLB multimatch which panics the
machine.

There are two ways to fix this issue:

        1. Always do a global TLB flush when a new cr3 is loaded and the
        old page table was swapper_pg_dir. I consider this a hack hard
        to understand and with performance implications

        2. Do not use swapper_pg_dir to boot secondary CPUs like 64-bit
        does.

This patch implements solution 2. It introduces a trampoline_pg_dir
which has the same layout as swapper_pg_dir with low_mappings. This page
table is used as the initial page table of the booting CPU. Later in the
bringup process, it switches to swapper_pg_dir and does a global TLB
flush. This fixes the crashes in our test cases.

-v2: switch to swapper_pg_dir right after entering start_secondary() so
that we are able to access percpu data which might not be mapped in the
trampoline page table.

Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
LKML-Reference: <20100816123833.GB28147@aftab>
Signed-off-by: Borislav Petkov <borislav.petkov@amd.com>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agocrypto: padlock - Fix AES-CBC handling on odd-block-sized input
Herbert Xu [Thu, 4 Nov 2010 18:38:39 +0000 (14:38 -0400)]
crypto: padlock - Fix AES-CBC handling on odd-block-sized input

commit c054a076a1bd4731820a9c4d638b13d5c9bf5935 upstream.

On certain VIA chipsets AES-CBC requires the input/output to be
a multiple of 64 bytes.  We had a workaround for this but it was
buggy as it sent the whole input for processing when it is meant
to only send the initial number of blocks which makes the rest
a multiple of 64 bytes.

As expected this causes memory corruption whenever the workaround
kicks in.

Reported-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agox25: Prevent crashing when parsing bad X.25 facilities
Dan Rosenberg [Fri, 12 Nov 2010 20:44:42 +0000 (12:44 -0800)]
x25: Prevent crashing when parsing bad X.25 facilities

commit 5ef41308f94dcbb3b7afc56cdef1c2ba53fa5d2f upstream.

Now with improved comma support.

On parsing malformed X.25 facilities, decrementing the remaining length
may cause it to underflow.  Since the length is an unsigned integer,
this will result in the loop continuing until the kernel crashes.

This patch adds checks to ensure decrementing the remaining length does
not cause it to wrap around.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoV4L/DVB: ivtvfb: prevent reading uninitialized stack memory
Dan Rosenberg [Wed, 15 Sep 2010 21:44:22 +0000 (18:44 -0300)]
V4L/DVB: ivtvfb: prevent reading uninitialized stack memory

commit 405707985594169cfd0b1d97d29fcb4b4c6f2ac9 upstream.

The FBIOGET_VBLANK device ioctl allows unprivileged users to read 16
bytes of uninitialized stack memory, because the "reserved" member of
the fb_vblank struct declared on the stack is not altered or zeroed
before being copied back to the user.  This patch takes care of it.

Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com>
Signed-off-by: Andy Walls <awalls@md.metrocast.net>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agocan-bcm: fix minor heap overflow
Oliver Hartkopp [Wed, 10 Nov 2010 12:10:30 +0000 (12:10 +0000)]
can-bcm: fix minor heap overflow

commit 0597d1b99fcfc2c0eada09a698f85ed413d4ba84 upstream.

On 64-bit platforms the ASCII representation of a pointer may be up to 17
bytes long. This patch increases the length of the buffer accordingly.

http://marc.info/?l=linux-netdev&m=128872251418192&w=2

Reported-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
CC: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agomemory corruption in X.25 facilities parsing
andrew hendry [Wed, 3 Nov 2010 12:54:53 +0000 (12:54 +0000)]
memory corruption in X.25 facilities parsing

commit a6331d6f9a4298173b413cf99a40cc86a9d92c37 upstream.

Signed-of-by: Andrew Hendry <andrew.hendry@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agox25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.
John Hughes [Thu, 8 Apr 2010 04:29:25 +0000 (21:29 -0700)]
x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.

commit f5eb917b861828da18dc28854308068c66d1449a upstream.

Here is a patch to stop X.25 examining fields beyond the end of the packet.

For example, when a simple CALL ACCEPTED was received:

10 10 0f

x25_parse_facilities was attempting to decode the FACILITIES field, but this
packet contains no facilities field.

Signed-off-by: John Hughes <john@calva.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoInput: i8042 - add Sony VAIO VPCZ122GX to nomux list
Dmitry Torokhov [Thu, 4 Nov 2010 16:12:44 +0000 (09:12 -0700)]
Input: i8042 - add Sony VAIO VPCZ122GX to nomux list

[Note that the mainline will not have this particular fix but rather
will blacklist entire VAIO line based off DMI board name. For stable
I am being a bit more cautious and blacklist one particular product.]

Trying to query/activate active multiplexing mode on this VAIO makes
both keyboard and touchpad inoperable. Futher kernels will blacklist
entire VAIO line, however here we blacklist just one particular model.

Reported-by: Jesse Barnes <jbarnes@virtuousgeek.org>
Signed-off-by: Dmitry Torokhov <dtor@mail.ru>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoV4L/DVB (13154): uvcvideo: Handle garbage at the end of streaming interface descriptors
Laurent Pinchart [Thu, 8 Oct 2009 22:38:10 +0000 (19:38 -0300)]
V4L/DVB (13154): uvcvideo: Handle garbage at the end of streaming interface descriptors

commit c4ed8c66d79d707d89fe732ff5b97739edf1ba62 upstream.

At least one 5986:0241 webcam model includes vendor-specific descriptors
at the end of its streaming interface descriptors. Print an information
UVC_TRACE_DESCR message and try to continue parsing the descriptors
rather than bailing out with an error.

Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
Cc: maximilian attems <max@stro.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoefifb: support the EFI framebuffer on more Apple hardware
Luke Macken [Wed, 22 Sep 2010 20:05:04 +0000 (13:05 -0700)]
efifb: support the EFI framebuffer on more Apple hardware

commit a5757c2a474a15f87e5baa9a4caacc31cde2bae6 upstream.

Enable the EFI framebuffer on 14 more Macs, including the iMac11,1
iMac10,1 iMac8,1 Macmini3,1 Macmini4,1 MacBook5,1 MacBook6,1 MacBook7,1
MacBookPro2,2 MacBookPro5,2 MacBookPro5,3 MacBookPro6,1 MacBookPro6,2 and
MacBookPro7,1

Information gathered from various user submissions.

    https://bugzilla.redhat.com/show_bug.cgi?id=528232
    http://ubuntuforums.org/showthread.php?t=1557326

[akpm@linux-foundation.org: coding-style fixes]
Signed-off-by: Luke Macken <lmacken@redhat.com>
Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: maximilian attems <max@stro.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agodrivers/video/efifb.c: support framebuffer for NVIDIA 9400M in MacBook Pro 5,1
Thomas Gerlach [Fri, 23 Apr 2010 17:17:50 +0000 (13:17 -0400)]
drivers/video/efifb.c: support framebuffer for NVIDIA 9400M in MacBook Pro 5,1

commit 8a3bdfe6cd841880a5d849c40f90093b3817f6e0 upstream.

Description of patch:
---------------------

This is a patch for the EFI framebuffer driver to enable the framebuffer
of the NVIDIA 9400M as found in MacBook Pro (MBP) 5,1 and up.  The
framebuffer of the NVIDIA graphic cards are located at the following
addresses in memory:

9400M:    0xC0010000
9600M GT: 0xB0030000

The patch delivered right here only provides the memory location of the
framebuffer of the 9400M device.  The 9600M GT is not covered.  It is
assumed that the 9400M is used when powered up the MBP.

The information which device is currently powered and in use is stored in
the 64 bytes large EFI variable "gpu-power-prefs".  More specifically,
byte 0x3B indicates whether 9600M GT (0x00) or 9400M (0x01) is online.

The PCI bus IDs are the following:
9400M:    PCI 03:00:00
9600M GT: PCI 02:00:00

The EFI variables can be easily read-out and manipulated with "rEFIt", an
MBP specific bootloader tool.  For more information on how handle rEFIt
and EFI variables please consult "http://refit.sourceforge.net" and
"http://ubuntuforums.org/archive/index.php/t-1076879.html".

IMPORTANT NOTE: The information on how to activate the 9400M device given
at "ubuntuforums.org" is not correct, since it states

gpu-power-prefs[0x3B] = 0x00 -> 9400M (PCI 02:00:00)
gpu-power-prefs[0x3B] = 0x01 -> 9600M GT (PCI 03:00:00)

Actually, the assignment of the values and the PCI bus IDs are swapped.

Suggestions:
------------

To cover framebuffers of both 9400M and 9600M GT, I would suggest to
implement a conditional on "gpu-power-prefs".  Depending on the value of
byte 0x3B, the according framebuffer is selected.  However, this requires
kernel access to the EFI variables.

[akpm@linux-foundation.org: rename optname, per Peter Jones]
Signed-off-by: Thomas Gerlach <t.m.gerlach@freenet.de>
Acked-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: maximilian attems <max@stro.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agox86, UV: Fix initialization of max_pnode
Jack Steiner [Fri, 10 Sep 2010 15:08:08 +0000 (10:08 -0500)]
x86, UV: Fix initialization of max_pnode

commit 36ac4b987bea9a95217e1af552252f275ca7fc44 upstream.

Fix calculation of "max_pnode" for systems where the the highest
blade has neither cpus or memory. (And, yes, although rare this
does occur).

Signed-off-by: Jack Steiner <steiner@sgi.com>
LKML-Reference: <20100910150808.GA19802@sgi.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Cc: maximilian attems <max@stro.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agox86, UV: Delete unneeded boot messages
Jack Steiner [Wed, 17 Mar 2010 15:40:38 +0000 (10:40 -0500)]
x86, UV: Delete unneeded boot messages

commit 2acebe9ecb2b77876e87a1480729cfb2db4570dd upstream.

SGI:UV: Delete extra boot messages that describe the system
topology. These messages are no longer useful.

Signed-off-by: Jack Steiner <steiner@sgi.com>
LKML-Reference: <20100317154038.GA29346@sgi.com>
Signed-off-by: Ingo Molnar <mingo@elte.hu>
Cc: maximilian attems <max@stro.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agosparc: Prevent no-handler signal syscall restart recursion.
David S. Miller [Wed, 22 Sep 2010 05:30:13 +0000 (22:30 -0700)]
sparc: Prevent no-handler signal syscall restart recursion.

[ Upstream commit c27852597829128a9c9d96d79ec454a83c6b0da5 ]

Explicitly clear the "in-syscall" bit when we have no signal
handler and back up the program counters to back up the system
call.

Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agosparc: Don't mask signal when we can't setup signal frame.
David S. Miller [Wed, 22 Sep 2010 04:41:12 +0000 (21:41 -0700)]
sparc: Don't mask signal when we can't setup signal frame.

[ Upstream commit 392c21802ee3aa85cee0e703105f797a8a7b9416 ]

Don't invoke the signal handler tracehook in that situation
either.

Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agosparc64: Fix race in signal instruction flushing.
David S. Miller [Tue, 21 Sep 2010 06:24:52 +0000 (23:24 -0700)]
sparc64: Fix race in signal instruction flushing.

[ Upstream commit 05c5e7698bdc54b3079a3517d86077f49ebcc788 ]

If another cpu does a very wide munmap() on the signal frame area,
it can tear down the page table hierarchy from underneath us.

Borrow an idea from the 64-bit fault path's get_user_insn(), and
disable cross call interrupts during the page table traversal
to lock them in place while we operate.

Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoLimit sysctl_tcp_mem and sysctl_udp_mem initializers to prevent integer overflows.
Robin Holt [Wed, 20 Oct 2010 02:03:37 +0000 (02:03 +0000)]
Limit sysctl_tcp_mem and sysctl_udp_mem initializers to prevent integer overflows.

[ Upstream fixed this in a different way as parts of the commits:
8d987e5c7510 (net: avoid limits overflow)
a9febbb4bd13 (sysctl: min/max bounds are optional)
27b3d80a7b6a (sysctl: fix min/max handling in __do_proc_doulongvec_minmax())
 -DaveM ]

On a 16TB x86_64 machine, sysctl_tcp_mem[2], sysctl_udp_mem[2], and
sysctl_sctp_mem[2] can integer overflow.  Set limit such that they are
maximized without overflowing.

Signed-off-by: Robin Holt <holt@sgi.com>
To: "David S. Miller" <davem@davemloft.net>
Cc: Willy Tarreau <w@1wt.eu>
Cc: linux-kernel@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-sctp@vger.kernel.org
Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Cc: "Pekka Savola (ipv6)" <pekkas@netcore.fi>
Cc: James Morris <jmorris@namei.org>
Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Vlad Yasevich <vladislav.yasevich@hp.com>
Cc: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agogianfar: Fix crashes on RX path (Was Re: [Bugme-new] [Bug 19692] New: linux-2.6.36...
Jarek Poplawski [Tue, 19 Oct 2010 00:06:36 +0000 (00:06 +0000)]
gianfar: Fix crashes on RX path (Was Re: [Bugme-new] [Bug 19692] New: linux-2.6.36-rc5 crash with gianfar ethernet at full line rate traffic)

[ Upstream commit 0d1fe1111c667e9c713d7efc7ae468a605f236a4 ]

The rx_recycle queue is global per device but can be accesed by many
napi handlers at the same time, so it needs full skb_queue primitives
(with locking). Otherwise, various crashes caused by broken skbs are
possible.

This patch resolves, at least partly, bugzilla bug 19692. (Because of
some doubts that there could be still something around which is hard
to reproduce my proposal is to leave this bug opened for a month.)

Fixes commit: 0fd56bb5be6455d0d42241e65aed057244665e5e ("gianfar: Add
support for skb recycling")

Reported-by: emin ak <eminak71@gmail.com>
Tested-by: emin ak <eminak71@gmail.com>
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
CC: Andy Fleming <afleming@freescale.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoHID: hidraw, fix a NULL pointer dereference in hidraw_write
Antonio Ospite [Tue, 5 Oct 2010 15:20:17 +0000 (17:20 +0200)]
HID: hidraw, fix a NULL pointer dereference in hidraw_write

commit e42dee9a99a3ecd32b5c027e8f7411fb5bc11eb6 upstream.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
IP: [<ffffffffa0f0a625>] hidraw_write+0x3b/0x116 [hid]
[...]

This is reproducible by disconnecting the device while userspace writes
to dev node in a loop and doesn't check return values in order to exit
the loop.

Signed-off-by: Antonio Ospite <ospite@studenti.unina.it>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoHID: hidraw, fix a NULL pointer dereference in hidraw_ioctl
Antonio Ospite [Tue, 5 Oct 2010 15:20:16 +0000 (17:20 +0200)]
HID: hidraw, fix a NULL pointer dereference in hidraw_ioctl

commit d20d5ffab92f00188f360c44c791a5ffb988247c upstream.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
IP: [<ffffffffa02c66b4>] hidraw_ioctl+0xfc/0x32c [hid]
[...]

This is reproducible by disconnecting the device while userspace does
ioctl in a loop and doesn't check return values in order to exit the
loop.

Signed-off-by: Antonio Ospite <ospite@studenti.unina.it>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonet sched: fix kernel leak in act_police
Jeff Mahoney [Tue, 31 Aug 2010 13:21:42 +0000 (13:21 +0000)]
net sched: fix kernel leak in act_police

commit 0f04cfd098fb81fded74e78ea1a1b86cc6c6c31e upstream.

While reviewing commit 1c40be12f7d8ca1d387510d39787b12e512a7ce8, I
 audited other users of tc_action_ops->dump for information leaks.

 That commit covered almost all of them but act_police still had a leak.

 opt.limit and opt.capab aren't zeroed out before the structure is
 passed out.

 This patch uses the C99 initializers to zero everything unused out.

Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Acked-by: Jeff Mahoney <jeffm@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agostaging: rtl8187se: Change panic to warn when RF switch turned off
Larry Finger [Sat, 13 Nov 2010 19:01:56 +0000 (13:01 -0600)]
staging: rtl8187se: Change panic to warn when RF switch turned off

commit f36d83a8cb7224f45fdfa1129a616dff56479a09 upstream.

This driver issues a kernel panic over conditions that do not
justify such drastic action. Change these to log entries with
a stack dump.

This patch fixes the system crash reported in
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/674285.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Reported-and-Tested-by: Robie Basik <rb-oss-3@justgohome.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoStaging: frontier: fix up some sysfs attribute permissions
Greg Kroah-Hartman [Tue, 16 Nov 2010 19:18:33 +0000 (11:18 -0800)]
Staging: frontier: fix up some sysfs attribute permissions

commit 3bad28ec006ad6ab2bca4e5103860b75391e3c9d and
2a767fda5d0d8dcff465724dfad6ee131489b3f2 upstream merged together.

They should not be writable by any user

Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: David Taht <d@teklibre.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoARM: 6482/2: Fix find_next_zero_bit and related assembly
James Jones [Tue, 23 Nov 2010 23:21:37 +0000 (00:21 +0100)]
ARM: 6482/2: Fix find_next_zero_bit and related assembly

commit 0e91ec0c06d2cd15071a6021c94840a50e6671aa upstream.

The find_next_bit, find_first_bit, find_next_zero_bit
and find_first_zero_bit functions were not properly
clamping to the maxbit argument at the bit level. They
were instead only checking maxbit at the byte level.
To fix this, add a compare and a conditional move
instruction to the end of the common bit-within-the-
byte code used by all the functions and be sure not to
clobber the maxbit argument before it is used.

Reviewed-by: Nicolas Pitre <nicolas.pitre@linaro.org>
Tested-by: Stephen Warren <swarren@nvidia.com>
Signed-off-by: James Jones <jajones@nvidia.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoARM: 6489/1: thumb2: fix incorrect optimisation in usracc
Will Deacon [Fri, 19 Nov 2010 12:18:31 +0000 (13:18 +0100)]
ARM: 6489/1: thumb2: fix incorrect optimisation in usracc

commit 1142b71d85894dcff1466dd6c871ea3c89e0352c upstream.

Commit 8b592783 added a Thumb-2 variant of usracc which, when it is
called with \rept=2, calls usraccoff once with an offset of 0 and
secondly with a hard-coded offset of 4 in order to avoid incrementing
the pointer again. If \inc != 4 then we will store the data to the wrong
offset from \ptr. Luckily, the only caller that passes \rept=2 to this
function is __clear_user so we haven't been actively corrupting user data.

This patch fixes usracc to pass \inc instead of #4 to usraccoff
when it is called a second time.

Reported-by: Tony Thompson <tony.thompson@arm.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoperf_events: Fix perf_counter_mmap() hook in mprotect()
Pekka Enberg [Mon, 8 Nov 2010 19:29:07 +0000 (21:29 +0200)]
perf_events: Fix perf_counter_mmap() hook in mprotect()

commit 63bfd7384b119409685a17d5c58f0b56e5dc03da upstream.

As pointed out by Linus, commit dab5855 ("perf_counter: Add mmap event hooks to
mprotect()") is fundamentally wrong as mprotect_fixup() can free 'vma' due to
merging. Fix the problem by moving perf_event_mmap() hook to
mprotect_fixup().

Note: there's another successful return path from mprotect_fixup() if old
flags equal to new flags. We don't, however, need to call
perf_event_mmap() there because 'perf' already knows the VMA is
executable.

Reported-by: Dave Jones <davej@redhat.com>
Analyzed-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Ingo Molnar <mingo@elte.hu>
Reviewed-by: Peter Zijlstra <a.p.zijlstra@chello.nl>
Signed-off-by: Pekka Enberg <penberg@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agoDECnet: don't leak uninitialized stack byte
Dan Rosenberg [Tue, 23 Nov 2010 11:02:13 +0000 (11:02 +0000)]
DECnet: don't leak uninitialized stack byte

commit 3c6f27bf33052ea6ba9d82369fb460726fb779c0 upstream.

A single uninitialized padding byte is leaked to userspace.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agonommu: yield CPU while disposing VM
Steven J. Magnani [Wed, 24 Nov 2010 20:56:54 +0000 (12:56 -0800)]
nommu: yield CPU while disposing VM

commit 04c3496152394d17e3bc2316f9731ee3e8a026bc upstream.

Depending on processor speed, page size, and the amount of memory a
process is allowed to amass, cleanup of a large VM may freeze the system
for many seconds.  This can result in a watchdog timeout.

Make sure other tasks receive some service when cleaning up large VMs.

Signed-off-by: Steven J. Magnani <steve@digidescorp.com>
Cc: Greg Ungerer <gerg@snapgear.com>
Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
13 years agobacklight: grab ops_lock before testing bd->ops
Uwe Kleine-König [Wed, 24 Nov 2010 20:57:14 +0000 (12:57 -0800)]
backlight: grab ops_lock before testing bd->ops

commit d1d73578e053b981c3611e5a211534290d24a5eb upstream.

According to the comment describing ops_lock in the definition of struct
backlight_device and when comparing with other functions in backlight.c
the mutex must be hold when checking ops to be non-NULL.

Fixes a problem added by c835ee7f4154992e6 ("backlight: Add suspend/resume
support to the backlight core") in Jan 2009.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Acked-by: Richard Purdie <rpurdie@linux.intel.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>